H3C S5100-SI Operation Manual

Ethernet switches

H3C S5100-SI/EI Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 20100115-C-1.05
Product Version: Release 220X series


Summary of Contents for H3C S5100-SI

  • Page 1 H3C S5100-SI/EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 20100115-C-1.05 Product Version: Release 220X series...
  • Page 2 Copyright © 2007-2010, Hangzhou H3C Technologies Co., Ltd. and its licensors All Rights Reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. Trademarks H3C, Aolynk,...
  • Page 3: Table Of Contents

    About This Manual. Organization: H3C S5100-SI/EI Series Ethernet Switches Operation Manual is organized as follows (Part: Contents). 0 Product Overview: introduces the characteristics and implementations of the Ethernet switch. 1 Login: introduces the ways to log into an Ethernet switch and CLI related configuration.
  • Page 4 (Part: Contents, continued) 25 Multicast: introduces IGMP snooping and the related configuration. 26 NTP: introduces NTP and the related configuration. 27 SSH: introduces SSH2.0 and the related configuration. 28 File System Management: introduces basic configuration for file system management. 29 FTP-SFTP-TFTP: introduces basic configuration for FTP, SFTP and TFTP, and the applications.
  • Page 5: Related Documentation

    Means a complementary description. Means techniques helpful for you to make configuration with ease. Related Documentation In addition to this manual, each H3C S5100-SI/EI Series Ethernet Switches documentation set includes the following: Manual Description H3C S5100-SI/EI Series Ethernet Switches It provides information for the system installation.
  • Page 6 Documentation Feedback You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 7 Table of Contents: 1 Obtaining the Documentation (1-1): CD-ROM (1-1), H3C Website (1-1), Software Release Notes (1-1). 2 Correspondence Between Documentation and Software (2-1): Manual List (2-1), Software Version (2-1). 3 Product Overview (3-1). 4 Networking Applications (4-1): Convergence Layer Devices (4-1), Access Layer Devices (4-1), Data Center Access (4-2)...
  • Page 8: Obtaining The Documentation

    Obtaining the Documentation: H3C Technologies Co., Ltd. provides various ways for you to obtain documentation, through which you can obtain the product documentation and documentation on newly added features. The documentation is available in the following ways: CD-ROMs shipped with the devices, the H3C website, software release notes...
  • Page 9: Correspondence Between Documentation And Software

    H3C S5100-SI/EI Series Ethernet Switches Command Manual-Release 220X Series Software Version H3C S5100-SI/EI Series Ethernet Switches Operation Manual-Release 220X Series and H3C S5100-SI/EI Series Ethernet Switches Command Manual-Release 220X Series are for the software version of Release2200, Release2201 and Release2203P08 of the S5100-SI/EI series products.
  • Page 10 (Software version compared with the earlier version: Added and Modified Features; Manual) Modified features, 14-802.1x and System Guard: the tx-period-value argument of the dot1x timer tx-period command ranges from 1 to 120 (in seconds), instead of 10 to 120. Deleted features, 17-IP Address and …: the S5100-EI series Ethernet switches do not support to specify a secondary IP address of an...
  • Page 11: Product Overview

    For the convenience of users, units of Mega bps/1000 Mega bps in the following chapters are simplified as M/G. H3C S5100-SI/EI Series Ethernet Switches (hereinafter referred to as S5100-SI/EI series) are Gigabit Ethernet switching products developed by H3C Technologies Co., Ltd. H3C S5100-SI/EI series provide a variety of service features and powerful QACL functions.
  • Page 12 Table 3-2 Mapping relations between the ports forming the Combo port (columns: Model; 10/100/1000Base-T autosensing Ethernet port; 1000Base-X SFP port). Models: S5100-16P-SI, S5100-16P-EI, S5100-16P-PWR-EI, S5100-24P-SI, S5100-24P-EI, S5100-26C-EI, S5100-26C-PWR-EI, S5100-48P-SI, S5100-48P-EI, S5100-50C-EI, S5100-50C-PWR-EI...
  • Page 13: Networking Applications

    Networking Applications S5100-SI/EI series Gigabit Ethernet switches are designed as convergence layer switches or access layer switches for enterprise networks and metropolitan area networks (MANs). S5100-SI/EI series provide 24 or 48 autosensing Gigabit Ethernet ports for connecting downstream devices. In addition, S5100-26C-EI and S5100-50C-EI also provide two 10GE extension slots to support flexible networking by means of optional XFP interface cards / XENPAK optical modules / dedicated stack cards for Gigabit Ethernet to the desktop (GTTD) access of enterprise networks, user access and convergence of carrier networks, and connection of data center server clusters.
  • Page 14: Data Center Access

    Figure 4-2 Application of S5100-EI series in the access layer Data Center Access In the networking of a data center, S5100-EI series are deployed on the core network to provide 10GE/GE access core network functions. The server cluster can be connected to the core network at the Gigabit Ethernet rate through S5100-EI series switches.
  • Page 15: Login

    Table of Contents: 1 Logging In to an Ethernet Switch (1-1): Logging In to an Ethernet Switch (1-1); Introduction to the User Interface (1-1): Supported User Interfaces (1-1), Relationship Between a User and a User Interface (1-2), User Interface Index (1-2), Common User Interface Configuration (1-2). 2 Logging In Through the Console Port (2-1): Introduction (2-1)...
  • Page 16 Switch Configuration (4-2); Modem Connection Establishment (4-2). 5 CLI Configuration (5-1): Introduction to the CLI (5-1); Command Hierarchy (5-1): Command Level and User Privilege Level (5-1), Modifying the Command Level (5-2), Switching User Level (5-3); CLI Views (5-4); CLI Features (5-7): Online Help (5-7), Terminal Display (5-9), Command History (5-9), Error Prompts (5-9)...
  • Page 17: Logging In To An Ethernet Switch

    Logging In to an Ethernet Switch Go to these sections for information you are interested in: Logging In to an Ethernet Switch Introduction to the User Interface Logging In to an Ethernet Switch To manage or configure an S5100-SI/EI Ethernet switch, you can log in to it in one of the following three methods: Command Line Interface Web-based Network Management Interface...
  • Page 18: Relationship Between A User And A User Interface

    Table 1-1 Description on user interface (User interface; Applicable user; Port used; Remarks): AUX: users logging in through the console port; console port; each switch can accommodate one AUX user. VTY: Telnet users and SSH users; Ethernet port; each switch can accommodate up to five VTY users.
  • Page 19 (To do…; Use the command…; Remarks) Lock the current user interface: lock; optional, available in user view, a user interface is not locked by default. Specify to send messages to all user interfaces/a specified user interface: send { all | number | type number }; optional, available in user view. Optional...
  • Page 20: Logging In Through The Console Port

    Logging In Through the Console Port Go to these sections for information you are interested in: Introduction Setting Up a Login Environment for Login Through the Console Port Console Port Login Configuration Console Port Login Configuration with Authentication Mode Being None Console Port Login Configuration with Authentication Mode Being Password Console Port Login Configuration with Authentication Mode Being Scheme Introduction...
  • Page 21 Figure 2-1 Diagram for connecting to the console port of a switch If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through...
  • Page 22 Figure 2-2 Create a connection Figure 2-3 Specify the port used to establish the connection Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
  • Page 23: Console Port Login Configuration

    Figure 2-5 HyperTerminal CLI You can then configure the switch or check the information about the switch by executing the corresponding commands. You can also acquire help by typing the ? character. Refer to related parts in this manual for information about the commands used for configuring the switch. Console Port Login Configuration Common Configuration Table 2-2 Common configuration of console port login...
  • Page 24 (Configuration; Remarks) Set history command buffer size: optional; by default, the history command buffer can contain up to 10 commands. Set the timeout time of a user interface: optional; the default timeout time is 10 minutes. The change to console port configuration takes effect immediately, so the connection may be disconnected when you log in through a console port and then configure this console port.
  • Page 25: Console Port Login Configurations For Different Authentication Modes

    (To do…; Use the command…; Remarks) Set the maximum number of lines the screen can contain: screen-length screen-length; optional, by default the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 26: Console Port Login Configuration With Authentication Mode Being None

    Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again. Console Port Login Configuration with Authentication Mode Being None. Configuration Procedure: Follow these steps to configure console port login with the authentication mode being none: To do…...
  • Page 27: Console Port Login Configuration With Authentication Mode Being Password

    Network diagram: Figure 2-6 Network diagram for AUX user interface configuration (with the authentication mode being none) (figure labels: GE1/0/1, Ethernet, configuration PC running Telnet). Configuration procedure # Enter system view. <Sysname> system-view # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify not to authenticate users logging in through the console port.
  • Page 28: Configuration Example

    (To do…; Use the command…; Remarks) Enter system view: system-view; —. Enter AUX user interface view: user-interface aux 0; —. Configure to authenticate users using the local password: authentication-mode password; required, by default users logging in to a switch through the console port are not authenticated;...
  • Page 29: Console Port Login Configuration With Authentication Mode Being Scheme

    # Enter AUX user interface view. [Sysname] user-interface aux 0 # Specify to authenticate users logging in through the console port using the local password. [Sysname-ui-aux0] authentication-mode password # Set the local password to 123456 (in plain text). [Sysname-ui-aux0] set authentication password simple 123456 # Specify commands of level 2 are available to users logging in to the AUX user interface.
  • Page 30: Configuration Example

    (To do…; Use the command…; Remarks) Enter the default ISP domain view (domain domain-name) and specify the AAA scheme (scheme { local | none | radius-scheme …): optional; by default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration...
  • Page 31 Set the authentication password of the local user to 123456 (in plain text). Set the service type of the local user to Terminal and the command level to 2. Configure to authenticate the users in the scheme mode. The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines.
  • Page 32 [Sysname-ui-aux0] history-command max-size 20 # Set the timeout time of the AUX user interface to 6 minutes. [Sysname-ui-aux0] idle-timeout 6 After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
  • Page 33: Logging In Through Telnet

    Logging In Through Telnet Go to these sections for information you are interested in: Introduction Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password Introduction S5100-SI/EI series Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnetting to the switch.
  • Page 34 (Configuration; Description) Configure the protocols the user interface supports: optional; by default, Telnet and SSH protocol are supported. Set the commands to be executed automatically after a user logs in to the user interface successfully: optional; by default, no command is executed automatically after a user logs into the VTY user interface.
  • Page 35: Telnet Configurations For Different Authentication Modes

    (To do…; Use the command…; Remarks) Set the history command buffer size: history-command max-size value; optional, the default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
  • Page 36: Telnet Configuration With Authentication Mode Being None

    To improve security and prevent attacks on unused sockets, TCP port 23 (Telnet) and TCP port 22 (SSH) are enabled or disabled according to the corresponding configuration. If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled. If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
  • Page 37: Telnet Configuration With Authentication Mode Being Password

    Network diagram Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none) Configuration procedure # Enter system view. <Sysname> system-view # Enter VTY 0 user interface view. [Sysname] user-interface vty 0 # Configure not to authenticate Telnet users logging in to VTY 0. [Sysname-ui-vty0] authentication-mode none # Specify commands of level 2 are available to users logging in to VTY 0.
  • Page 38: Configuration Example

    Configuration Example. Network requirements: Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Authenticate users using the local password. Set the local password to 123456 (in plain text).
  • Page 39: Telnet Configuration With Authentication Mode Being Scheme

    Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: Follow these steps to configure Telnet with the authentication mode being scheme (To do…; Use the command…; Remarks): Enter system view: system-view; —. Enter one or more VTY user interface views: user-interface vty; —...
  • Page 40: Configuration Example

    Refer to the AAA part of this manual for information about AAA, RADIUS, and HWTACACS. Configuration Example. Network requirements: Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Configure the local user name as guest.
  • Page 41: Telnetting To A Switch

    # Set the maximum number of lines the screen can contain to 30. [Sysname-ui-vty0] screen-length 30 # Set the maximum number of commands the history command buffer can store to 20. [Sysname-ui-vty0] history-command max-size 20 # Set the timeout time to 6 minutes. [Sysname-ui-vty0] idle-timeout 6 Telnetting to a Switch Telnetting to a Switch from a Terminal...
  • Page 42 Connect your PC/terminal and the switch to an Ethernet, as shown in Figure 3-6. Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route between your PC and VLAN-interface 1 is reachable. (Figure 3-6 labels: Workstation, Ethernet, Switch, Ethernet port)...
  • Page 43: Telnetting To Another Switch From The Current Switch

    Telnetting to another Switch from the Current Switch: You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
  • Page 44: Logging In Using A Modem

    Logging In Using a Modem. Go to these sections for information you are interested in: Introduction, Configuration on the Switch Side, Modem Connection Establishment. Introduction: The administrator can log in to the console port of a remote switch using a modem through the public switched telephone network (PSTN), provided the remote switch is connected to the PSTN through a modem, and so configure and maintain the switch remotely.
  • Page 45: Switch Configuration

    You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 46 Figure 4-1 Establish the connection by using modems (PC, modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285). Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 47 Figure 4-2 Create a connection Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
  • Page 48 If you perform no AUX user-related configuration on the switch, the commands of level 3 are available to modem users. Refer to the CLI part for information about command level.
  • Page 49: CLI Configuration

    CLI Configuration When configuring CLI, go to these sections for information you are interested in: Introduction to the CLI Command Hierarchy CLI Views CLI Features Introduction to the CLI A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, a user can enter commands to configure the switch and check output information to verify the configuration.
  • Page 50: Modifying The Command Level

    System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly. Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system.
  • Page 51: Switching User Level

    It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation. When you change the level of a command with multiple keywords, you should input the keywords one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.
  • Page 52: CLI Views

    Switching to a specific user level. Table 5-2 Switch to a specific user level (Operation; Command; Remarks): Switch to a specified user level: super [ level ]; required, execute this command in user view. If no user level is specified in the super password command or the super command, level 3 is used by default.
  • Page 53 Table 5-3 CLI views (View; Available operation; Prompt example; Enter method; Quit method): User view: display operation status and statistical information of the switch; <Sysname>; enter user view once logging into the switch; execute the quit command to log out of the switch.
  • Page 54 (View; Available operation; Prompt example; Enter method; Quit method) SFTP client view: configure SFTP client parameters; sftp-client>; execute the sftp command in system view; execute the quit command to return to system view. MST region view: configure MST region parameters; [Sysname-mst-region]; execute the stp region-configuration command; execute the...
  • Page 55: CLI Features

    (View; Available operation; Prompt example; Enter method; Quit method) HWTACACS view: configure HWTACACS parameters; [Sysname-hwtacacs-a123]; execute the hwtacacs scheme command in system view. PoE profile view (only S5100-PWR-EI series switches): configure PoE profile parameters; [Sysname-poe-profile-a123]; execute the poe-profile command in system view.
  • Page 56 User view commands: backup (Backup current configuration), boot (Set boot option), cd (Change current directory), clock (Specify the system clock), cluster (Run cluster command), copy (Copy from one file to another), debugging (Enable system debugging functions), delete (Delete a file), dir (List files on a file system), display (Display current system information) <Other information is omitted>...
  • Page 57: Terminal Display

    Terminal Display: The CLI provides the screen splitting feature to suspend display output when the screen is full. When display output pauses, you can perform the following operations as needed (see Table 5-4). Table 5-4 Display-related operations (Operation; Function): Press <Ctrl+C>: stop the display output and execution of the...
  • Page 58: Command Edit

    Table 5-5 Common error messages (Error message; Remarks): Unrecognized command: the command does not exist; the keyword does not exist; the parameter type is wrong; the parameter value is out of range. Incomplete command: the command entered is incomplete. Too many parameters: the parameters entered are too many.
  • Page 59: Introduction

    Logging In Through the Web-based Network Management Interface Go to these sections for information you are interested in: Introduction Establishing an HTTP Connection Configuring the Login Banner Enabling/Disabling the WEB Server Introduction An S5100-SI/EI Ethernet switch has a Web server built in. It enables you to log in to an S5100-SI/EI Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 60: Configuring The Login Banner

    [Sysname-luser-admin] password simple admin Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1. Figure 6-1 Establish an HTTP connection between your PC and the switch Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar.
  • Page 61: Configuration Example

    Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 6-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
  • Page 62 (To do…; Use the command…; Remarks) Enable the Web server: undo ip http shutdown; required. Disable the Web server: ip http shutdown; required. By default, the Web server is enabled. To improve security and prevent attacks on the unused socket, TCP port 80 (which is for the HTTP service) is enabled/disabled after the corresponding configuration.
  • Page 63: Logging In Through NMS

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent.
  • Page 64: Configuring Source IP Address For Telnet Service Packets

    Configuring Source IP Address for Telnet Service Packets Go to these sections for information you are interested in: Overview Configuring Source IP Address for Telnet Service Packets Displaying Source IP Address Configuration Overview You can configure source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security.
  • Page 65: Displaying Source IP Address Configuration

    (Operation; Command; Description) Specify a source interface for Telnet server: telnet-server source-interface interface-type interface-number; optional. Specify source IP address for Telnet client: telnet source-ip ip-address; optional. Specify a source interface for Telnet client: telnet source-interface interface-type interface-number; optional. To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:...
  • Page 66: User Control

    User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and WEB by defining Access Control List (ACL), as listed in...
  • Page 67: Controlling Telnet Users By ACL

    If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface. If an ACL is configured on the VTY user interface, there will be two possibilities: if the packets for establishing a Telnet connection match the ACL rule configured on the VTY user interface, the connection will be permitted or denied according to the ACL rule;...
  • Page 68: Configuration Example

    (To do…; Use the command…; Remarks) Apply a basic or advanced ACL to control Telnet users: acl acl-number { inbound | outbound }. Apply an … ACL to control Telnet users. Required, use either command; the inbound keyword specifies to filter the users trying to Telnet to the current switch.
  • Page 69: Prerequisites

    Defining an ACL Applying the ACL to control users accessing the switch through SNMP To control whether an NMS can manage the switch, you can use this function. Prerequisites The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
  • Page 70: Controlling Web Users By Source Ip Address

    Network diagram: Figure 9-2 Network diagram for controlling SNMP users using ACLs (Host A 10.110.100.46 and Host B 10.110.100.52 reach the switch over an IP network). Configuration procedure # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
  • Page 71: Logging Out A Web User

    (To do…; Use the command…; Remarks) Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]; as for the acl number command, the config keyword is specified by default. Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]; required...
  • Page 72 # Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch. [Sysname] ip http acl 2030...
  • Page 73: Configuration File Management

    Table of Contents: 1 Configuration File Management (1-1); Introduction to Configuration File (1-1); Configuration Task List (1-2); Saving the Current Configuration (1-2); Erasing the Startup Configuration File (1-3); Specifying a Configuration File for Next Startup (1-4); Displaying Switch Configuration (1-5)...
  • Page 74: Configuration File Management

    Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
  • Page 75: Configuration Task List

    When saving the current configuration, you can specify the file to be a main, backup, or normal configuration file. When removing a configuration file from a switch, you can specify whether to remove the main or the backup configuration file. Or, if the file has both the main and backup attributes, you can specify to erase only the main or the backup attribute of the file.
  • Page 76: Erasing The Startup Configuration File

    When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself in one of the following two ways when it starts up next time: If a configuration file with the extension .cfg exists in the Flash, the switch uses that configuration file to initialize itself when it starts up next time.
  • Page 77: Specifying A Configuration File For Next Startup

    You may need to erase the configuration file for one of these reasons: After you upgrade software, the old configuration file does not match the new software. The startup configuration file is corrupted or is not the one you need. The following two situations exist: While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only erases the main attribute of a configuration file having both the main and backup attributes.
  • Page 78: Vlan

    The configuration file must use .cfg as its extension name, and the startup configuration file must be saved in the root directory of the switch. If you choose to skip the current configuration file to boot the device in the Boot ROM menu, the choice takes effect only once.
  • Page 79 Table of Contents: 1 VLAN Overview (1-1); VLAN Overview (1-1); Introduction to VLAN (1-1); Advantages of VLANs (1-2); VLAN Fundamentals (1-2); VLAN Interface (1-4); VLAN Classification (1-4); Port-Based VLAN (1-4); Link Types of Ethernet Ports (1-5); Assigning an Ethernet Port to Specified VLANs (1-5); Configuring the Default VLAN ID for a Port (1-5); Protocol-Based VLAN (1-6); Introduction to Protocol-Based VLAN (1-6)...
  • Page 80: Vlan Overview

    VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN Protocol-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 81: Advantages Of Vlans

    Figure 1-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
  • Page 82 Figure 1-3 Format of VLAN tag A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
  • Page 83: Vlan Interface

    VLAN are forwarded according to the MAC address forwarding table for the VLAN. Currently, the H3C S5100-SI/EI series Ethernet switches adopt the IVL mode only. For more information about the MAC address forwarding table, refer to the “MAC Address Forwarding Table Management”...
  • Page 84: Link Types Of Ethernet Ports

    Ports on Ethernet switches have three link types: access, trunk, and hybrid. For the three types of ports, the process of being added to a VLAN and the way of forwarding packets are different. Port-based VLANs are easy to implement and manage and are applicable to hosts with relatively fixed positions.
  • Page 85: Protocol-Based Vlan

    Table 1-1 Packet processing of an access port
    Processing of an incoming packet (for an untagged packet): Receive the packet and tag ...
    Processing of an incoming packet (for a tagged packet): If the VLAN ID is just the default VLAN ID, receive the packet.
    Processing of an outgoing packet: Strip the tag from the ...
  • Page 86: Encapsulation Format Of Ethernet Data

    Encapsulation Format of Ethernet Data This section introduces the common encapsulation formats of Ethernet data for you to understand the procedure for the switch to identify the packet protocols. Ethernet II and 802.2/802.3 encapsulation There are two encapsulation types of Ethernet packets: Ethernet II defined by RFC 894 and 802.2/802.3 defined by RFC 1042.
  • Page 87 Figure 1-7 802.2 LLC encapsulation format The DSAP field and the SSAP field in the 802.2 LLC encapsulation are used to identify the upper layer protocol. For example, if the two fields are both 0xE0, the upper layer protocol is IPX protocol. 802.2 Sub-Network Access Protocol (SNAP) encapsulation: encapsulates packets according to the 802.3 standard packet format, including the length, DSAP, SSAP, control, organizationally unique identifier (OUI), and protocol-ID (PID) fields.
  • Page 88: Procedure For The Switch To Judge Packet Protocol

    Procedure for the Switch to Judge Packet Protocol. Figure 1-9 Protocol identification procedure (flowchart: receive packets; a Type(Length) value of 0x0600 to 0xFFFF indicates Ethernet II encapsulation; a Type(Length) value of 0x05DD to 0x05FF indicates invalid packets that cannot be ...)
  • Page 89: Implementation Of Protocol-Based Vlan

    Implementation of Protocol-Based VLAN S5100-SI/EI series Ethernet switches assign the packet to the specific VLAN by matching the packet with the protocol template. The protocol template is the standard to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates: The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
  • Page 90: Vlan Configuration

    VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration Configuring a Port-Based VLAN Configuring a Protocol-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task Remarks Basic VLAN Configuration Required...
  • Page 91: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are also dynamic VLANs, which are registered through GVRP. For details, refer to the "GVRP" part of this manual.
  • Page 92: Displaying Vlan Configuration

    To do... | Use the command... | Remarks
    Disable the VLAN interface | shutdown | Optional. By default, the VLAN interface is enabled. In this case, the VLAN interface's status is determined by the status of the ports in the VLAN, that is, if all ports of the VLAN are down, the VLAN interface is down (disabled);...
  • Page 93: Assigning An Ethernet Port To A Vlan

    To do… | Use the command… | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure the port link type | port link-type { access | hybrid | trunk } | Required. The link type of an Ethernet port is access by default. To change the link type of a port from trunk to hybrid or vice versa, you need to set the link type to access first.
  • Page 94: Configuring The Default Vlan For A Port

    To do… | Use the command… | Remarks
    Assign the specified access port or ports to the current VLAN | port interface-list | Required. By default, all ports belong to VLAN 1.
    Configuring the Default VLAN for a Port: Because an access port can belong to its default VLAN only, there is no need for you to configure the default VLAN for an access port.
  • Page 95 The devices within each VLAN can communicate with each other but that in different VLANs cannot communicate with each other directly. Network diagram Figure 2-1 Network diagram for VLAN configuration Configuration procedure Configure Switch A. # Create VLAN 101, specify its descriptive string as “DMZ”, and add GigabitEthernet1/0/1 to VLAN 101. <SwitchA>...
  • Page 96: Configuring A Protocol-Based Vlan

    # Configure GigabitEthernet1/0/3 of Switch A. [SwitchA] interface GigabitEthernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] port link-type trunk [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 101 [SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 201 # Configure GigabitEthernet1/0/10 of Switch B. [SwitchB] interface GigabitEthernet 1/0/10 [SwitchB-GigabitEthernet1/0/10] port link-type trunk [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 101 [SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 201 Configuring a Protocol-Based VLAN...
  • Page 97: Associating A Port With A Protocol-Based Vlan

    Because the IP protocol is closely associated with the ARP protocol, it is recommended that you configure the ARP protocol type when configuring the IP protocol type and associate the two protocol types with the same port. Otherwise, ARP packets and IP packets may be assigned to different VLANs, which will cause IP address resolution failure.
  • Page 98: Displaying Protocol-Based Vlan Configuration

    Displaying Protocol-Based VLAN Configuration
    To do... | Use the command... | Remarks
    Display the information about the protocol-based VLAN | display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ] |
    Display the protocol information and protocol indexes configured on the ... | display protocol-vlan vlan { vlan-id [ to vlan-id ] | all } | Available in ...
  • Page 99 [Sysname] vlan 200 [Sysname-vlan200] port GigabitEthernet 1/0/12 # Configure protocol templates for VLAN 200 and VLAN 100, matching AppleTalk protocol and IP protocol respectively. [Sysname-vlan200] protocol-vlan at [Sysname-vlan200] quit [Sysname] vlan 100 [Sysname-vlan100] protocol-vlan ip # To ensure the normal operation of IP network, you need to configure a user-defined protocol template for VLAN 100 to match the ARP protocol (assume Ethernet II encapsulation is adopted here).
  • Page 100 transmission by matching the corresponding protocol templates, so as to realize the normal communication between workstations and servers.
  • Page 101 Table of Contents: 1 Management VLAN Configuration (1-1); Introduction to Management VLAN (1-1); Management VLAN (1-1); Static Route (1-1); Default Route (1-1); Management VLAN Configuration (1-2); Prerequisites (1-2); Configuring the Management VLAN (1-2); Configuration Example (1-3); Displaying and Maintaining management VLAN configuration (1-4)...
  • Page 102: Management Vlan Configuration

    Management VLAN Configuration Introduction to Management VLAN Management VLAN To manage an Ethernet switch remotely through Telnet or the built-in Web server, the switch needs to be assigned an IP address, and a route must exist between the user and the switch. As for an H3C series Layer 2 Ethernet switch, only the management VLAN interface can be assigned an IP address.
  • Page 103: Management Vlan Configuration

    If no default route exists and the destination address of the packet is not in the routing table, the packet is discarded, and an ICMP destination unreachable message is returned to the source. The default route can be configured through a static route and exists in the routing table as a route destined to the network 0.0.0.0 (with the mask 0.0.0.0).
  • Page 104: Configuration Example

    Configuration Example Network requirements For a user to manage Switch A remotely through Telnet, these requirements are to be met: Switch A has an IP address, and the remote Telnet user is reachable. You need to configure the switch as follows: Assigning an IP address to the management VLAN interface on Switch A Configuring the default route Network diagram...
  • Page 105: Displaying And Maintaining Management Vlan Configuration

    [Sysname-Vlan-interface10] ip address 1.1.1.1 255.255.255.0 [Sysname-Vlan-interface10] quit # Configure the default route. [Sysname] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 Displaying and Maintaining management VLAN configuration
    Table 1-2 Displaying and Maintaining management VLAN configuration
    Operation | Command | Remarks
    Display the IP-related information about a management VLAN interface | display ip interface [ brief ] [ Vlan-interface [ vlan-id ] ] | ...
  • Page 106 Table of Contents: 1 Voice VLAN Configuration (1-1); Voice VLAN Overview (1-1); How an IP Phone Works (1-1); How S5100-EI Series Switches Identify Voice Traffic (1-3); Setting the Voice Traffic Transmission Priority (1-4); Configuring Voice VLAN Assignment Mode of a Port (1-4); Support for Voice VLAN on Various Ports (1-4); Security Mode of Voice VLAN (1-6); Voice VLAN Configuration (1-6); Configuration Prerequisites (1-6)...
  • Page 107: Voice Vlan Configuration

    Voice VLAN Configuration The contents of this chapter are only applicable to the S5100-EI series among S5100-SI/EI series switches. When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic.
  • Page 108 Voice VLAN configuration Failover call routing Following describes the way an IP phone acquires an IP address. Figure 1-1 Network diagram for IP phones As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
  • Page 109: How S5100-Ei Series Switches Identify Voice Traffic

    After receiving the DHCP request, DHCP Server 2 residing in the voice VLAN assigns a new IP address to the IP phone and sends a tagged response message to the IP phone. After the IP phone receives the tagged response message, it sends voice data packets tagged with the voice VLAN tag to communicate with the voice gateway.
  • Page 110: Setting The Voice Traffic Transmission Priority

    Setting the Voice Traffic Transmission Priority In order to improve transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows: Set the CoS (802.1p) priority to 6. Set the DSCP value to 46. Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode.
  • Page 111 Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically Voice VLAN Voice assignment traffic Port type Supported or not mode type Access Not supported Supported Make sure the default VLAN of the port exists and is not Trunk Tagged a voice VLAN, and the access port permits the traffic of...
  • Page 112: Security Mode Of Voice Vlan

    Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration
    Port type | Voice VLAN assignment mode | Supported or not
    Access | | Not supported
    Trunk | Automatic | Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the...
  • Page 113 To do… Use the command… Remarks Optional voice vlan mac-address oui By default, the switch Set an OUI address that can be mask oui-mask [ description determines the voice traffic identified by the voice VLAN text ] according to the default OUI address.
  • Page 114: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Set an OUI address that can be identified ... | voice vlan mac-address ... | Optional. Without this address,...
  • Page 115: Displaying And Maintaining Voice Vlan

    The voice VLAN function can be enabled for only one VLAN at a time. If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it. The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN.
  • Page 116: Voice Vlan Configuration Example

    Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Mode) Network requirements Create a voice VLAN and configure it to operate in automatic mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
  • Page 117: Voice Vlan Configuration Example (Manual Mode)

    # Configure GigabitEthernet 1/0/1 as a hybrid port. [DeviceA-GigabitEthernet1/0/1] port link-type hybrid # Configure VLAN 6 as the default VLAN of GigabitEthernet 1/0/1, and configure GigabitEthernet 1/0/1 to permit packets with the tag of VLAN 6. [DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 6 [DeviceA-GigabitEthernet1/0/1] port hybrid vlan 6 tagged # Enable the voice VLAN function on GigabitEthernet 1/0/1.
  • Page 118 # Configure GigabitEthernet 1/0/1 to operate in manual mode. [DeviceA] interface GigabitEthernet 1/0/1 [DeviceA-GigabitEthernet1/0/1] undo voice vlan mode auto # Configure GigabitEthernet 1/0/1 as a hybrid port. [DeviceA-GigabitEthernet1/0/1] port link-type hybrid # Configure the voice VLAN as the default VLAN of GigabitEthernet 1/0/1, and add the voice VLAN to the list of untagged VLANs whose traffic is permitted by the port.
  • Page 119 Table of Contents: 1 GVRP Configuration (1-1); Introduction to GVRP (1-1); GARP (1-1); GVRP (1-4); Protocol Specifications (1-4); GVRP Configuration (1-4); GVRP Configuration Tasks (1-4); Enabling GVRP (1-4); Configuring GVRP Timers (1-5); Configuring GVRP Port Registration Mode (1-6); Displaying and Maintaining GVRP (1-6); GVRP Configuration Example (1-7); GVRP Configuration Example (1-7)...
  • Page 120: Gvrp Configuration

    GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 121 GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 122 Figure 1-1 Format of GARP packets The following table describes the fields of a GARP packet. Table 1-1 Description of GARP packet fields
    Field | Description | Value
    Protocol ID | Protocol ID | —
    Message | Each message consists of two parts: Attribute Type and ... | —...
  • Page 123: Gvrp

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 124: Configuring Gvrp Timers

    To do ... | Use the command ... | Remarks
    Enter system view | system-view | —
    Enable GVRP globally | gvrp | Required. By default, GVRP is disabled globally.
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable GVRP on the port | gvrp | Required. By default, GVRP is disabled on the port.
  • Page 125: Configuring Gvrp Port Registration Mode

    Table 1-2 Relations between the timers
    Timer | Lower threshold | Upper threshold
    Hold | 10 centiseconds | This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
  • Page 126: Gvrp Configuration Example

    To do … | Use the command … | Remarks
    Display the settings of the GARP timers | display garp timer [ interface interface-list ] |
    Display GVRP statistics | display gvrp statistics [ interface interface-list ] |
    Display the global GVRP status | display gvrp status |
    Clear GARP statistics | reset garp statistics [ interface interface-list ] |...
  • Page 127 # Configure GigabitEthernet1/0/2 to be a trunk port and to permit the packets of all the VLANs. [SwitchA] interface GigabitEthernet 1/0/2 [SwitchA-GigabitEthernet1/0/2] port link-type trunk [SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all # Enable GVRP on GigabitEthernet1/0/2. [SwitchA-GigabitEthernet1/0/2] gvrp [SwitchA-GigabitEthernet1/0/2] quit # Configure GigabitEthernet1/0/3 to be a trunk port and to permit the packets of all the VLANs.
  • Page 128 The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] display vlan dynamic Total 1 dynamic VLAN exist(s). The following dynamic VLANs exist: Configure GigabitEthernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
  • Page 130 Table of Contents: 1 Port Basic Configuration (1-1); Ethernet Port Configuration (1-1); Combo Port Configuration (1-1); Initially Configuring a Port (1-2); Configuring Port Auto-Negotiation Speed (1-2); Limiting Traffic on individual Ports (1-3); Enabling Flow Control on a Port (1-4); Duplicating the Configuration of a Port to Other Ports (1-4); Configuring Loopback Detection for an Ethernet Port (1-5); Enabling Loopback Test (1-6); Enabling the System to Test Connected Cable (1-6)...
  • Page 131: Port Basic Configuration

    Port Basic Configuration Ethernet Port Configuration Combo Port Configuration A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a Combo port, the electrical port and the corresponding optical port are TX-SFP multiplexed.
  • Page 132: Initially Configuring A Port

    Initially Configuring a Port Follow these steps to initially configure a port:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable the Ethernet port | undo shutdown | Optional. By default, the port is enabled. Use the shutdown command to disable the port.
  • Page 133: Limiting Traffic On Individual Ports

    If you expect that 10 Mbps and 1000 Mbps are the available auto-negotiation speeds of the port, you just need to configure speed auto 10 1000. Follow these steps to configure auto-negotiation speeds for a port:
    To do... | Use the command... | Remarks
    Enter system view | ... | —...
  • Page 134: Enabling Flow Control On A Port

    Enabling Flow Control on a Port Flow control is enabled on both the local and peer switches. If congestion occurs on the local switch: The local switch sends a message to notify the peer switch to stop sending packets to it or to reduce the sending rate temporarily.
  • Page 135: Link Aggregation

    Configuring Loopback Detection for an Ethernet Port Loopback detection is used to monitor whether a loopback occurs on a switch port. After you enable loopback detection on Ethernet ports, the switch can monitor whether an external loopback occurs on them. If a looped-back port is found, the switch will put it under control. If a loopback is found on an access port, the system disables the port, sends a Trap message to the client, and removes the corresponding MAC forwarding entry.
  • Page 136: Enabling Loopback Test

    Enabling Loopback Test You can configure the Ethernet port to run a loopback test to check whether it operates normally. A port running a loopback test cannot forward data packets normally. The loopback test terminates automatically after a specific period. Follow these steps to enable the loopback test: To do...
  • Page 137: Configuring The Interval To Perform Statistical Analysis On Port Traffic

    Optical ports (including Combo optical ports) do not support the VCT (virtual-cable-test) function. A Combo electrical port supports the VCT function only when it is in the UP state (using the undo shutdown command); a normal Ethernet electrical port always supports this function. Configuring the Interval to Perform Statistical Analysis on Port Traffic By performing the following configuration, you can set the interval at which statistical analysis is performed on the traffic of a port.
  • Page 138: Configuring A Port Group

    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Disable a port from generating UP/Down log | undo enable log updown | Required. By default, UP/Down log output is enabled.
    Configuration examples
    # In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on GigabitEthernet 1/0/1.
  • Page 139: Displaying And Maintaining Basic Port Configuration

    Only S5100-EI Series Ethernet Switches support the Port Group feature. A port cannot be added to a port group if it has already been added to an aggregation group, and vice versa.
    Displaying and Maintaining Basic Port Configuration
    To do... | Use the command... | Remarks
    Display port configuration | display interface [ interface-type |...
  • Page 140 Table of Contents: 1 Link Aggregation Configuration 1-1; Overview 1-1; Introduction to Link Aggregation 1-1; Introduction to LACP 1-1; Consistency Considerations for the Ports in Aggregation 1-1; Link Aggregation Classification 1-2; Manual Aggregation Group 1-2; Static LACP Aggregation Group 1-3; Dynamic LACP Aggregation Group 1-4; Aggregation Group Categories 1-5; Link Aggregation Configuration 1-6; Configuring a Manual Aggregation Group 1-6...
  • Page 141: Link Aggregation Configuration

    Link Aggregation Configuration: When configuring link aggregation, go to these sections for information you are interested in: Overview; Link Aggregation Classification; Aggregation Group Categories; Link Aggregation Configuration; Displaying and Maintaining Link Aggregation Configuration; Link Aggregation Configuration Example.
    Overview
    Introduction to Link Aggregation: Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
  • Page 142: Link Aggregation Classification

    Table 1-1 Consistency considerations for ports in an aggregation (Category | Considerations): state of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port); rate limiting; priority marking...
  • Page 143: Static Lacp Aggregation Group

    In a manual aggregation group, the system sets the ports to the selected or unselected state according to the following rules. Among the ports in an aggregation group that are in the up state, the system selects as the master port the one with the highest of the following settings (listed in descending order): full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
  • Page 144: Dynamic Lacp Aggregation Group

    There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of selected ports in an aggregation group exceeds the maximum supported by the device, the ports with lower port numbers operate as selected ports, and the others as unselected ports.
    Dynamic LACP Aggregation Group
    Introduction to dynamic LACP aggregation group: A dynamic LACP aggregation group is automatically created and removed by the system.
  • Page 145: Aggregation Group Categories

    Aggregation Group Categories: Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. When load sharing is implemented: for IP packets, the system load-shares based on the source IP address and destination IP address;...
  • Page 146: Link Aggregation Configuration

    Link Aggregation Configuration: The link aggregation commands cannot be configured together with the port loopback detection feature. Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
  • Page 147: Configuring A Static Lacp Aggregation Group

    If the aggregation group you are creating already exists but contains no port, its type changes to the type you set. If the aggregation group you are creating already exists and contains ports, only the following type changes are possible: from dynamic or static to manual, and from dynamic to static; no other kind of type change can occur.
  • Page 148: Configuring A Dynamic Lacp Aggregation Group

    Configuring a Dynamic LACP Aggregation Group: A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled ports. Ports are added to and removed from a dynamic aggregation group automatically by LACP. You need to enable LACP on the ports that you want to participate in dynamic aggregation, because only when LACP is enabled on those ports at both ends can the two parties agree on adding/removing ports to/from dynamic aggregation groups.
  • Page 149: Displaying And Maintaining Link Aggregation Configuration

    If you have saved the current configuration with the save command, after a system reboot the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions is lost.
    Displaying and Maintaining Link Aggregation Configuration: To do…...
  • Page 150 Configuration procedure: The following lists only the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
    Adopting manual aggregation mode
    # Create manual aggregation group 1.
    <Sysname> system-view
    [Sysname] link-aggregation group 1 mode manual
    # Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
  • Page 151 [Sysname-GigabitEthernet1/0/3] lacp enable
    The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
  • Page 152: Port Isolation

    Table of Contents: 1 Port Isolation Configuration 1-1; Port Isolation Overview 1-1; Port Isolation Configuration 1-1; Displaying and Maintaining Port Isolation Configuration 1-2; Port Isolation Configuration Example 1-2...
  • Page 153: Port Isolation Configuration

    Port Isolation Configuration: When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview; Port Isolation Configuration; Displaying and Maintaining Port Isolation Configuration; Port Isolation Configuration Example.
    Port Isolation Overview: With the port isolation feature, you can add the ports to be controlled into an isolation group, which isolates Layer 2 and Layer 3 traffic between the ports in the isolation group.
  • Page 154: Port Isolation Configuration Example

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 155 Configuration procedure
    # Add GigabitEthernet1/0/2, GigabitEthernet1/0/3, and GigabitEthernet1/0/4 to the isolation group.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface GigabitEthernet1/0/2
    [Sysname-GigabitEthernet1/0/2] port isolate
    [Sysname-GigabitEthernet1/0/2] quit
    [Sysname] interface GigabitEthernet1/0/3
    [Sysname-GigabitEthernet1/0/3] port isolate
    [Sysname-GigabitEthernet1/0/3] quit
    [Sysname] interface GigabitEthernet1/0/4
    [Sysname-GigabitEthernet1/0/4] port isolate
    [Sysname-GigabitEthernet1/0/4] quit
    [Sysname] quit...
  • Page 156 Table of Contents: 1 Port Security Configuration 1-1; Port Security Overview 1-1; Introduction 1-1; Port Security Features 1-1; Port Security Modes 1-1; Port Security Configuration Task List 1-4; Enabling Port Security 1-4; Setting the Maximum Number of MAC Addresses Allowed on a Port 1-5; Setting the Port Security Mode 1-6; Configuring Port Security Features 1-7; Ignoring the Authorization Information from the RADIUS Server 1-8; Configuring Security MAC Addresses 1-8...
  • Page 157: Port Security Configuration

    Port Security Configuration: When configuring port security, go to these sections for information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Example.
    Port Security Overview
    Introduction: Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication.
  • Page 158 Table 1-1 Description of port security modes
    Security mode | Description | Feature
    noRestriction | In this mode, access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered.
    In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
  • Page 159 MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated...
    Feature (for these modes): In any of these modes, the device triggers the NTK and Intrusion Protection...
  • Page 160: Port Security Configuration Task List

    macAddressElseUserLoginSecureExt: This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
    In this mode, a port first performs MAC authentication for a user and then performs 802.1x authentication for the user if the user passes MAC authentication.
  • Page 161: Setting The Maximum Number Of Mac Addresses Allowed On A Port

    Enabling Port Security: Follow these steps to enable port security:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enable port security | port-security enable | Required. Disabled by default.
    Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses below): 802.1x (disabled), port access control method (macbased), and port access control mode (auto); MAC authentication (disabled)
  • Page 162: Setting The Port Security Mode

    Setting the Port Security Mode: Follow these steps to set the port security mode:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Set the OUI value for user authentication | port-security oui OUI-value index index-value | Optional. In userLoginWithOUI mode, a port supports one 802.1x user plus one user whose source...
  • Page 163: Configuring Port Security Features

    Configuring Port Security Features
    Configuring the NTK feature: Follow these steps to configure the NTK feature:
    To do... | Use the command... | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Configure the NTK feature | port-security ntk-mode { ntkonly | ntk-withbroadcasts |... | Required. By default, NTK is disabled on...
  • Page 164: Ignoring The Authorization Information From The Radius Server

    If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch cannot prevent packets whose destination MAC address is illegal from being sent out that port; that is, the configured NTK feature will not take effect on packets whose destination MAC address is illegal.
  • Page 165: Displaying And Maintaining Port Security Configuration

    If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses. If the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses, and the port mode changes from autolearn to secure.
  • Page 166: Port Security Configuration Example

    Port Security Configuration Example
    Network requirements: Implement access user restrictions through the following configuration on GigabitEthernet 1/0/1 of the switch. Allow a maximum of 80 users to access the port without authentication, and permit the port to learn and add the MAC addresses of the users as security MAC addresses.
  • Page 167: Port Binding Configuration

    Port Binding Configuration: When configuring port binding, go to these sections for information you are interested in: Port Binding Overview; Displaying and Maintaining Port Binding Configuration; Port Binding Configuration Example.
    Port Binding Overview
    Introduction: Port binding enables the network administrator to bind the MAC address and IP address of a user to a specific port.
  • Page 168: Port Binding Configuration Example

    Port Binding Configuration Example
    Network requirements: It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1/0/1 on Switch A, so as to prevent malicious users from using an IP address stolen from Host A to access the network.
    Network diagram: Figure 2-1 Network diagram for port binding configuration
    Configuration procedure...
  • Page 169 Table of Contents: 1 DLDP Configuration 1-1; Overview 1-1; DLDP Fundamentals 1-2; DLDP packets 1-2; DLDP Status 1-4; DLDP Timers 1-4; DLDP Operating Mode 1-5; DLDP Implementation 1-6; DLDP Neighbor State 1-7; Link Auto-recovery Mechanism 1-7; DLDP Configuration 1-8; Performing Basic DLDP Configuration 1-8; Resetting DLDP State 1-9; Displaying and Maintaining DLDP 1-10; DLDP Configuration Example 1-10...
  • Page 170: Dldp Configuration

    DLDP Configuration: When configuring DLDP, go to these sections for information you are interested in: Overview; DLDP Fundamentals; DLDP Configuration; DLDP Configuration Example.
    Overview: Device link detection protocol (DLDP) is an H3C technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B and the other for sending from B to A, the link is a bidirectional (two-way) link.
  • Page 171: Dldp Fundamentals

    Figure 1-2 Fiber broken or not connected
    Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it either disables the related port automatically or prompts you to disable it manually, depending on the configuration, to avoid network problems.
  • Page 172 DLDP packet type | Function
    RSY advertisement packets (referred to as RSY packets hereafter) | Advertisement packet with the RSY flag set to 1. RSY-Advertisement packets are sent to request synchronization of the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
  • Page 173: Dldp Status

    DLDP Status: A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.
    Table 1-2 DLDP status
    Status | Description
    Initial | Initial status before DLDP is enabled.
    Inactive | DLDP is enabled but the corresponding link is down.
    Active | DLDP is enabled, and the link is up or a neighbor entry is cleared.
    All neighbors communicate normally in both directions, or DLDP...
  • Page 174: Dldp Operating Mode

    Timer | Description
    Entry aging timer | When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with an RSY tag,...
  • Page 175: Dldp Implementation

    In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1). The other refers to fiber pairs with one fiber not connected or disconnected (as shown in Figure 1-2).
  • Page 176: Dldp Neighbor State

    Packet type | Processing procedure
    Probe packet | Sends echo packets containing both neighbor and its own information to the... Creates the neighbor entry if it does not exist on the local device. Resets the aging timer of the entry if the neighbor entry already exists on the local device.
  • Page 177: Dldp Configuration

    means that the unidirectional link is restored to a bidirectional link), it is brought up by DLDP. The detailed process is as follows. A port in the DLDP down state sends a recover probe packet every 2 seconds. Recover probe packets carry only the local port information.
  • Page 178: Resetting Dldp State

    To do … | Use the command … | Remarks
    Set the DLDP operating mode | dldp work-mode { enhance | normal } | Optional. By default, DLDP works in normal mode.
    Note the following when performing basic DLDP configuration. DLDP can detect unidirectional links only after the links are connected. Therefore, before enabling DLDP, make sure that optical fibers or copper twisted pairs are connected.
  • Page 179: Displaying And Maintaining Dldp

    To do … | Use the command … | Remarks
    Reset DLDP state for all the ports shut down by DLDP | system-view, then dldp reset | Select either of the two.
    Reset the DLDP state for a port shut down by DLDP | interface interface-type interface-number, then dldp reset |
    Displaying and Maintaining DLDP
    To do …...
  • Page 180 [SwitchA] interface gigabitethernet 1/0/50
    [SwitchA-GigabitEthernet1/0/50] duplex full
    [SwitchA-GigabitEthernet1/0/50] speed 1000
    [SwitchA-GigabitEthernet1/0/50] quit
    [SwitchA] interface gigabitethernet 1/0/51
    [SwitchA-GigabitEthernet1/0/51] duplex full
    [SwitchA-GigabitEthernet1/0/51] speed 1000
    [SwitchA-GigabitEthernet1/0/51] quit
    # Enable DLDP globally.
    [SwitchA] dldp enable
    # Set the interval between sending DLDP packets to 15 seconds.
    [SwitchA] dldp interval 15
    # Configure DLDP to work in enhanced mode.
    [SwitchA] dldp work-mode enhance...
  • Page 181 Table of Contents: 1 MAC Address Table Management 1-1; Overview 1-1; Introduction to MAC Address Table 1-1; Introduction to MAC Address Learning 1-1; Managing MAC Address Table 1-3; Configuring MAC Address Table Management 1-4; Configuration Task List 1-4; Configuring a MAC Address Entry 1-5; Setting the Aging Time of MAC Address Entries 1-6; Setting the Maximum Number of MAC Addresses a Port Can Learn 1-6; Disabling MAC Address learning for a VLAN 1-7...
  • Page 182: Mac Address Table Management

    MAC Address Table Management: This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to the part related to multicast protocols.
    Overview
    Introduction to MAC Address Table: An Ethernet switch is mainly used to forward packets at the data link layer, that is, it transmits packets to the corresponding ports according to the destination MAC address of the packets.
  • Page 183 Figure 1-1 MAC address learning diagram (1)
    Figure 1-2 MAC address table entry of the switch (1)
    After learning the MAC address of User A, the switch starts to forward the packet. Because the existing MAC address table has no entry mapping User B's MAC address to a port, the switch forwards the packet to all ports except GigabitEthernet 1/0/1 to ensure that User B can receive the packet.
  • Page 184: Managing Mac Address Table

    Figure 1-4 MAC address learning diagram (3)
    At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 1-5. When forwarding the response packet, the switch unicasts it to User A through GigabitEthernet 1/0/1 instead of broadcasting it, because MAC-A is already in the MAC address table.
    Figure 1-5 MAC address table entries of the switch (2)
    After this interaction, the switch directly unicasts the communication packets between User A and User B based on the corresponding MAC address table entries.
  • Page 185: Configuring Mac Address Table Management

    The aging timer takes effect only on dynamic MAC address entries.
    Entries in a MAC address table: Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods: Static MAC address entry: Also known as a permanent MAC address entry. Entries of this type are added/removed manually and cannot age out by themselves.
  • Page 186: Configuring A Mac Address Entry

    Configuring a MAC Address Entry: You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view.
    Adding a MAC address entry in system view
    Table 1-3 Add a MAC address entry in system view: Operation...
  • Page 187: Setting The Aging Time Of Mac Address Entries

    Setting the Aging Time of MAC Address Entries: Setting the aging time properly helps make effective use of MAC address aging. An aging time that is too long or too short affects the performance of the switch. If the aging time is too long, excessive invalid MAC address entries maintained by the switch may fill up the MAC address table.
  • Page 188: Disabling Mac Address Learning For A Vlan

    Operation | Command | Description
    Set the maximum number of MAC addresses the port can learn | mac-address max-mac-count count | Required. By default, the number of MAC addresses a port can learn is not limited.
    Disabling MAC Address Learning for a VLAN: You can disable a switch from learning MAC addresses in specific VLANs to improve stability and security for the users belonging to these VLANs and to prevent unauthorized access.
  • Page 189: Adding A Static Mac Address Entry Manually

    Configuration Example
    Adding a Static MAC Address Entry Manually
    Network requirements: The server connects to the switch through GigabitEthernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through GigabitEthernet 1/0/2.
  • Page 190 Table of Contents: 1 MSTP Configuration 1-1; Overview 1-1; Spanning Tree Protocol Overview 1-1; Rapid Spanning Tree Protocol Overview 1-10; Multiple Spanning Tree Protocol Overview 1-10; MSTP Implementation on Switches 1-14; Protocols and Standards 1-15; MSTP Configuration Task List 1-15; Configuring Root Bridge 1-17; Configuring an MST Region 1-17; Specifying the Current Switch as a Root Bridge/Secondary Root Bridge 1-18; Configuring the Bridge Priority of the Current Switch 1-20...
  • Page 191 Introduction 1-39; Configuring Digest Snooping 1-40; Configuring Rapid Transition 1-41; Introduction 1-41; Configuring Rapid Transition 1-43; Configuring VLAN-VPN Tunnel 1-44; Introduction 1-44; Configuring VLAN-VPN tunnel 1-44; MSTP Maintenance Configuration 1-45; Introduction 1-45; Enabling Log/Trap Output for Ports of MSTP Instance 1-45; Configuration Example 1-45; Enabling Trap Messages Conforming to 802.1d Standard 1-46; Displaying and Maintaining MSTP 1-46; MSTP Configuration Example 1-47; VLAN-VPN Tunnel Configuration Example 1-49...
  • Page 192: MSTP Configuration

    MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition Configuring VLAN-VPN Tunnel MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example...
  • Page 193 STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
  • Page 194 Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. Bridge ID A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device.
  • Page 195 Port ID A port ID used on an H3C device consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on H3C devices is 128. You can use commands to configure port priorities.
  • Page 196 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 197 Step Description Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the rest ports. The root bridge ID is replaced with that of the configuration BPDU of the root port.
  • Page 198 The following table shows the initial state of each device.
    Table 1-4 Initial state of each device (BPDU of port = {root bridge ID, root path cost, designated bridge ID, designated port ID})
    Device     Port name   BPDU of port
    Device A   AP1         {0, 0, 0, AP1}
    Device A   AP2         {0, 0, 0, AP2}
    Device B   BP1         {1, 0, 1, BP1}
    Device B   BP2         {1, 0, 1, BP2}
    Device C   CP1         {2, 0, 2, CP1}
    Device C   CP2         {2, 0, 2, CP2}
    ...
  • Page 199 BPDU of port after Device Comparison process comparison Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 200 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
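    As an added example (not part of the manual), the following Python script carries the calculation that starts in Table 1-4 through to port roles for the three-device topology. The bridge priorities (A = 0, B = 1, C = 2) follow the table; the MAC addresses and link path costs are constructed assumptions because the excerpt does not give them. Comparison order is the one Table 1-2 describes: root bridge ID, then root path cost, then designated bridge ID, then designated port ID.

```python
"""Root election and port-role calculation for the three-device example.

Added example, not H3C code. Bridge MACs and link costs are assumptions;
only the priorities come from the page's Table 1-4.
"""
import heapq

# Bridge ID = (priority, MAC); the lower tuple wins, as in 802.1D.
BRIDGES = {
    "A": (0, "00-e0-fc-00-00-0a"),
    "B": (1, "00-e0-fc-00-00-0b"),
    "C": (2, "00-e0-fc-00-00-0c"),
}
# ((bridge, port), (bridge, port), path cost) -- costs are assumptions.
LINKS = [
    (("A", "AP1"), ("B", "BP1"), 5),
    (("A", "AP2"), ("C", "CP1"), 10),
    (("B", "BP2"), ("C", "CP2"), 4),
]


def elect_root(bridges):
    """Lowest bridge ID (priority first, then MAC) becomes the root bridge."""
    return min(bridges, key=lambda name: bridges[name])


def compute_root_paths(bridges, links, root):
    """Dijkstra from the root in 802.1D priority-vector order: root path cost,
    then designated bridge ID, then designated port, then receiving port.
    Returns {bridge: (cost, upstream ID, upstream port, root port, upstream)}."""
    adj = {name: [] for name in bridges}
    for (a, ap), (b, bp), cost in links:
        if cost <= 0:
            raise ValueError("path cost must be positive")
        adj[a].append((ap, b, bp, cost))
        adj[b].append((bp, a, ap, cost))
    best = {root: (0, None, None, None, None)}
    heap = [(0, bridges[root], root)]
    while heap:
        cost, _, u = heapq.heappop(heap)
        if cost > best[u][0]:
            continue  # stale heap entry
        for u_port, v, v_port, link_cost in adj[u]:
            cand = (cost + link_cost, bridges[u], u_port, v_port, u)
            if v not in best or cand < best[v]:
                best[v] = cand
                heapq.heappush(heap, (cand[0], bridges[v], v))
    return best


def port_roles(bridges, links):
    """Assign designated / root / alternate to every port on every link."""
    root = elect_root(bridges)
    best = compute_root_paths(bridges, links, root)
    roles = {}
    for (a, ap), (b, bp), _ in links:
        # The end with the better (root path cost, bridge ID, port) is designated.
        ends = sorted([(best[a][0], bridges[a], ap, a),
                       (best[b][0], bridges[b], bp, b)])
        (_, _, d_port, d_bridge), (_, _, o_port, o_bridge) = ends
        roles[(d_bridge, d_port)] = "designated"
        if o_bridge != root and best[o_bridge][3] == o_port:
            roles[(o_bridge, o_port)] = "root"
        else:
            roles[(o_bridge, o_port)] = "alternate"  # blocked, receives BPDUs only
    return root, best, roles


if __name__ == "__main__":
    root, best, roles = port_roles(BRIDGES, LINKS)
    print("root bridge:", root)
    for bridge in sorted(best):
        print(bridge, "root path cost", best[bridge][0])
    for port in sorted(roles):
        print(port, roles[port])
```

    With the assumed costs, Device C reaches the root more cheaply through Device B (5 + 4 = 9) than over its direct link (10), so CP2 becomes C's root port and CP1 is blocked as an alternate port; every port on the root is designated.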
  • Page 201: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 202 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
  • Page 203 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 204 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 205: MSTP Implementation on Switches

    Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets. Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets. Discarding state. Ports in this state can only receive BPDU packets. Port roles and port states are not mutually dependent.
  • Page 206: MSTP Configuration Task List

    In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches:
      Root bridge hold
      Root bridge backup
      Root guard
      BPDU guard
      Loop guard
      TC-BPDU attack guard
      BPDU packet drop
    Protocols and Standards
    MSTP is documented in:
      IEEE 802.1D: spanning tree protocol
      IEEE 802.1w: rapid spanning tree protocol
      ...
  • Page 207
    Task                                                            Remarks
    Configuring the Timeout Time Factor                             Optional
    Configuring the Maximum Transmitting Rate on the Current Port   Optional. The default value is recommended.
    Configuring the Current Port as an Edge Port                    Optional
    Setting the Link Type of a Port to P2P                          Optional
    ...                                                             Required. To prevent network topology jitter...
  • Page 208: Configuring Root Bridge

    Configuring Root Bridge
    Configuring an MST Region
    Configuration procedure
    Follow these steps to configure an MST region:
    Enter system view: system-view
    Enter MST region view: stp region-configuration
    Configure the name of the MST region: region-name name (Required. The default MST region name of a region...)
  • Page 209: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    MSTP-enabled switches are in the same region only when they have the same format selector (a 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-instance mapping table, and revision level.
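    As an added example (not H3C code), the following Python script computes the standard IEEE 802.1s configuration digest from a VLAN-to-instance mapping table and uses it to check whether two switches would be placed in the same region. The region name and the mapping are taken from the MSTP configuration example later in this chapter; the comparison function is an assumed implementation of the rule stated above. The digest is HMAC-MD5, keyed with the fixed 802.1s key, over a 4096-entry table of 16-bit MSTIDs (one entry per VLAN ID, unmapped VLANs belonging to the CIST). Some vendors compute this digest differently, which is what digest snooping, described later in this chapter, exists to work around.

```python
"""MST Configuration Identifier check (added example, not H3C code).

Implements the IEEE 802.1s/802.1Q configuration digest and the
same-region rule from the page: identical format selector (always 0),
region name, revision level and VLAN-to-instance mapping table.
"""
import hashlib
import hmac

# Fixed key defined by IEEE 802.1s for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_table(vlan_to_instance):
    """Build the 4096-entry table: two octets (big-endian MSTID) per VID 0..4095.
    VLANs that are not explicitly mapped stay in the CIST (instance 0)."""
    table = bytearray(2 * 4096)
    for vid, mstid in vlan_to_instance.items():
        if not (0 <= vid <= 4095 and 0 <= mstid <= 4094):
            raise ValueError(f"bad mapping VLAN {vid} -> MSTI {mstid}")
        table[2 * vid:2 * vid + 2] = mstid.to_bytes(2, "big")
    return bytes(table)


def mst_config_digest(vlan_to_instance):
    """HMAC-MD5 over the configuration table, upper-case hex as switches print it."""
    digest = hmac.new(MST_DIGEST_KEY, mst_config_table(vlan_to_instance), hashlib.md5)
    return digest.hexdigest().upper()


def mst_config_id(region_name, revision, vlan_to_instance):
    """The MST Configuration Identifier a bridge advertises in its BPDUs.
    The format selector is 0 and, as the page notes, not configurable."""
    return (0, region_name, revision, mst_config_digest(vlan_to_instance))


def same_region(config_id_a, config_id_b):
    """Two bridges belong to the same MST region only if all four fields match."""
    return config_id_a == config_id_b


# Mapping from the chapter's configuration example: VLAN 10 -> MSTI 1,
# VLAN 30 -> MSTI 3, VLAN 40 -> MSTI 4; VLAN 20 stays in MSTI 0 (CIST).
EXAMPLE_MAPPING = {10: 1, 30: 3, 40: 4}

if __name__ == "__main__":
    print("default digest :", mst_config_digest({}))
    print("example digest :", mst_config_digest(EXAMPLE_MAPPING))
    switch_a = mst_config_id("example", 0, EXAMPLE_MAPPING)
    switch_b = mst_config_id("example", 0, {10: 1, 20: 1, 30: 3, 40: 4})  # typo'd mapping
    print("same region    :", same_region(switch_a, switch_b))
```

    A mapping difference on a single VLAN changes the digest, so a switch with one mistyped instance command silently forms its own region and its boundary ports fall back to CIST behaviour. Comparing the digest that display stp region-configuration shows against the expected value is the quickest check.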
  • Page 210 Specify the current switch as the secondary root bridge of a spanning tree
    Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:
    Enter system view: system-view
    Specify the current switch as...: stp [ instance instance-id ] root ...
  • Page 211: Configuring The Bridge Priority Of The Current Switch

    Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
  • Page 212: Configuring the MSTP Operation Mode

    Configure how a port recognizes and sends MSTP packets: stp interface interface-list compliance { auto | dot1s | legacy } (Required. By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of packets to be sent according to the...)
  • Page 213: Configuring the Maximum Hop Count of an MST Region

    Enter system view: system-view
    Configure the MSTP operation mode: stp mode { stp | rstp | mstp } (Required. An MSTP-enabled switch operates in the MSTP mode by default.)
    Configuration example
    # Specify the MSTP operation mode as STP-compatible.
    <Sysname>...
  • Page 214: Configuring The Network Diameter Of The Switched Network

    Configuring the Network Diameter of the Switched Network In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches;...
  • Page 215
    Configure the max age parameter: stp timer max-age centiseconds (Required. The max age parameter defaults to 2,000 centiseconds, namely 20 seconds.)
    All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
  • Page 216: Configuring The Timeout Time Factor

    Configuring the Timeout Time Factor When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from the root bridge to its neighboring devices at the interval specified by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch faulty if the former does not receive any BPDU from the latter in a period three times of the hello time and then initiates the spanning tree recalculation process.
  • Page 217: Configuring The Current Port As An Edge Port

    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Configure the maximum transmitting rate: stp transmit-limit packetnum (Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.)
    As the maximum transmitting rate parameter determines the number of configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources.
  • Page 218: Setting The Link Type Of A Port To P2P

    Enter Ethernet port view: interface interface-type interface-number
    Configure the port as an edge port: stp edged-port enable (Required. By default, all the Ethernet ports of a switch are non-edge ports.)
    On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a BPDU.
  • Page 219: Enabling MSTP

    Setting the Link Type of a Port to P2P in Ethernet port view
    Follow these steps to specify whether the link connected to a port is a point-to-point link in Ethernet port view:
    Enter system view: system-view
    ...
  • Page 220: Configuring Leaf Nodes

    Disable MSTP on specified ports: stp interface interface-list disable (Optional. By default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports.)
  • Page 221: Configuring How a Port Recognizes and Sends MSTP Packets

    Configuring How a Port Recognizes and Sends MSTP Packets Refer to Configuring How a Port Recognizes and Sends MSTP Packets. Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port.
  • Page 222 Path cost by link speed and operation mode (IEEE 802.1t values)
    Link speed   Operation mode                     IEEE 802.1t path cost
    100 Mbps     Half-duplex/Full-duplex            200,000
                 Aggregated link, 2 ports           100,000
                 Aggregated link, 3 ports           66,666
                 Aggregated link, 4 ports           50,000
    1,000 Mbps   Full-duplex                        20,000
                 Aggregated link, 2 ports           10,000
                 Aggregated link, 3 ports           6,666
                 Aggregated link, 4 ports           5,000
    ...
  • Page 223: Configuring Port Priority

    Changing the path cost of a port may change the role of the port and put it in state transition. Executing the stp cost command with the instance-id argument being 0 sets the path cost on the CIST for the port. Configuration example (A) # Configure the path cost of GigabitEthernet 1/0/1 in MSTI 1 to be 2,000.
  • Page 224: Setting The Link Type Of A Port To P2P

    Configure port priority in Ethernet port view
    Follow these steps to configure port priority in Ethernet port view:
    Enter system view: system-view
    Enter Ethernet port view: interface interface-type interface-number
    Configure port priority for the port: stp [ instance instance-id ] port priority priority (Required.)...
  • Page 225: Configuration Prerequisites

    Configuration Prerequisites MSTP runs normally on the switch. Configuration Procedure You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view: To do... Use the command...
  • Page 226: Configuring Root Guard

    Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack with the BPDU guard function. With this function enabled on a switch, the switch shuts down any edge port that receives a configuration BPDU and then reports the event to the administrator.
  • Page 227: Configuring Loop Guard

    It is recommended to enable root guard on the designated ports of a root bridge. Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.
  • Page 228: Configuring TC-BPDU Attack Guard

    period, the switch selects a new root port; the original root port becomes a designated port; and the blocked ports turn to the forwarding state. This may cause loops in the network. The loop guard function suppresses such loops. With this function enabled, if link congestion or a unidirectional link failure occurs, both the root port and the blocked ports become designated ports and turn to the discarding state.
  • Page 229: Configuring BPDU Dropping

    default) regardless of the number of the TC-BPDUs it receives. Such a mechanism prevents a switch from being busy in removing the MAC address table and ARP entries. You can use the stp tc-protection threshold command to set the maximum times for a switch to remove the MAC address table and ARP entries in a specific period.
  • Page 230: Configuring Digest Snooping

    Configuration Prerequisites
    MSTP runs normally on the switch.
    Configuration procedure
    Follow these steps to configure BPDU dropping:
    Enter system view: system-view
    Enter Ethernet port view: interface interface-name
    Enable BPDU dropping: bpdu-drop any (Required. BPDU dropping is disabled by default.)
  • Page 231 Configuring Digest Snooping Enable the digest snooping feature on a switch so that it can interoperate, within the same MST region, with switches from other manufacturers that calculate the configuration digest with a proprietary algorithm. Configuration prerequisites The switch to be configured is connected to another manufacturer's switch that adopts a proprietary spanning tree protocol.
  • Page 232: Configuring Rapid Transition

    When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port. The digest snooping feature is needed only when your switch is connected to another manufacturer’s switches adopting proprietary spanning tree protocols.
  • Page 233 Figure 1-6 The RSTP rapid transition mechanism Upstream switch Downstream switch Proposal for rapid transition Root port blocks other non- edge ports, changes to forwarding state and sends Agreement to upstream device Designated port Root port changes to Designated port forwarding state Figure 1-7 The MSTP rapid transition mechanism Upstream switch...
  • Page 234: Configuring Rapid Transition

    Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, an H3C series switch is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way it implements rapid transition on designated ports.
  • Page 235: Configuring VLAN-VPN Tunnel

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, through which spanning trees can be generated across these customer networks and are independent of those of the service provider network.
  • Page 236: MSTP Maintenance Configuration

    Enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel (Required. The VLAN-VPN tunnel function is disabled by default.)
    Enter Ethernet port view: interface interface-type interface-number (Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...)
  • Page 237: Enabling Trap Messages Conforming To 802.1D Standard

    # Enable log/trap output for the ports of all instances. <Sysname> system-view [Sysname] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard A switch sends trap messages conforming to 802.1d standard to the network management device in the following two cases: The switch becomes the root bridge of an instance.
  • Page 238: MSTP Configuration Example

    MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
  • Page 239 # Specify Switch A as the root bridge of MSTI 1. [Sysname] stp instance 1 root primary Configure Switch B # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region. [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30...
  • Page 240: VLAN-VPN Tunnel Configuration Example

    VLAN-VPN Tunnel Configuration Example Network requirements S5100 switches operate as the access devices of the service provider network, that is, Switch C and Switch D in the network diagram. Switch A and Switch B are the access devices for the customer networks. Switch C and Switch D are connected to each other through the configured trunk ports of the switches.
  • Page 241 [Sysname] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port GigabitEthernet 1/0/1 [Sysname-Vlan10] quit # Enable the VLAN VPN function on GigabitEthernet 1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port access vlan 10 [Sysname-GigabitEthernet1/0/1] vlan-vpn enable [Sysname-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port.
  • Page 242 Table of Contents
    1 802.1x Configuration (1-1)
      Introduction to 802.1x (1-1)
        Architecture of 802.1x Authentication (1-1)
        The Mechanism of an 802.1x Authentication System (1-3)
        Encapsulation of EAPoL Messages (1-4)
        802.1x Authentication Procedure (1-6)
        Timers Used in 802.1x (1-9)
        802.1x Implementation on an S5100-SI/EI Series Switch ...
  • Page 243
      Configuring the System-Guard Feature (4-1)
        Configuring the System-Guard Feature (4-1)
      Displaying and Maintaining System-Guard (4-2)
  • Page 244: 802.1X Configuration

    802.1x Configuration When configuring 802.1x, go to these sections for information you are interested in: Introduction to 802.1x Introduction to 802.1x Configuration Basic 802.1x Configuration Advanced 802.1x Configuration Displaying and Maintaining 802.1x Configuration Configuration Example Introduction to 802.1x The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
  • Page 245 Figure 1-1 Architecture of 802.1x authentication The supplicant system is an entity residing at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when a user launches client program on the supplicant system.
  • Page 246: The Mechanism Of An 802.1X Authentication System

    The uncontrolled port can always send and receive packets. It mainly serves to forward EAPoL packets to ensure that a supplicant system can send and receive authentication requests. The controlled port can be used to pass service packets when it is in authorized state. It is blocked when not in authorized state.
  • Page 247: Encapsulation of EAPoL Messages

    Encapsulation of EAPoL Messages The format of an EAPoL packet EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs, EAP protocol packets are encapsulated in EAPoL format. The following figure illustrates the structure of an EAPoL packet.
  • Page 248 The format of an EAP packet For an EAPoL packet with the value of the Type field being EAP-packet, its Packet body field is an EAP packet, whose format is illustrated in Figure 1-4. Figure 1-4 The format of an EAP packet In an EAP packet: The Code field indicates the EAP packet type, which can be Request, Response, Success, or Failure.
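    As an added example (not from the manual), the following Python parser walks the two headers just described: the EAPoL header (Version, Type, Length, Packet body) and, for EAPoL type EAP-Packet, the EAP header (Code, Identifier, Length, Type, Type-data). The sample frame is constructed inline as an EAP-Request/MD5-Challenge, the packet an authenticator sends in the exchanges on the following pages; the challenge bytes are fixed rather than random. Every length field is checked against the bytes actually present, which is the part an authenticator must get right since the uncontrolled port accepts these frames before any authentication has happened.

```python
"""EAPOL / EAP parser (added example, not from the manual).

Frame layout is from IEEE 802.1X and RFC 3748; the sample frame is
constructed here and its challenge value is not random.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


def parse_eap(body):
    """Parse one EAP packet; raise ValueError on any length inconsistency."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with packet size")
    pkt = {"code": EAP_CODES.get(code, code), "identifier": identifier, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type field
        if length < 5:
            raise ValueError("Request/Response without Type field")
        eap_type, data = body[4], body[5:length]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 4:                   # MD5-Challenge: Value-Size, Value, Name
            if not data or len(data) < 1 + data[0]:
                raise ValueError("MD5-Challenge value truncated")
            size = data[0]
            pkt["challenge"], pkt["name"] = data[1:1 + size], data[1 + size:]
        elif eap_type == 1:
            pkt["identity"] = data
    return pkt


def parse_eapol(frame):
    """Parse the EAPOL PDU that follows the Ethernet header (ethertype 0x888E)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, eapol_type, length = struct.unpack("!BBH", frame[:4])
    if length > len(frame) - 4:
        raise ValueError("EAPOL Length exceeds frame")
    body = frame[4:4 + length]              # anything beyond Length is padding
    result = {"version": version, "type": EAPOL_TYPES.get(eapol_type, eapol_type),
              "length": length}
    if eapol_type == 0:
        result["eap"] = parse_eap(body)
    return result


def is_well_formed(frame):
    """True if the frame parses; an authenticator should drop anything else."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False


def build_md5_challenge_request(identifier, challenge, name=b""):
    """Build EAPOL(EAP-Request/MD5-Challenge) the way an authenticator would."""
    type_data = bytes([4, len(challenge)]) + challenge + name
    eap = struct.pack("!BBH", 1, identifier, 4 + len(type_data)) + type_data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


SAMPLE_CHALLENGE = bytes(range(16))                    # constructed, not random
SAMPLE_FRAME = build_md5_challenge_request(0x2A, SAMPLE_CHALLENGE, b"switch")
EAPOL_START = bytes([1, 1, 0, 0])                       # version 1, EAPOL-Start, length 0

if __name__ == "__main__":
    print(parse_eapol(EAPOL_START))
    print(parse_eapol(SAMPLE_FRAME))
```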
  • Page 249: 802.1X Authentication Procedure

    Message-Authenticator field. Otherwise, the packet is regarded as invalid and is discarded. Figure 1-7 The format of a Message-Authenticator field 802.1x Authentication Procedure An H3C S5100-SI/EI series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode. EAP relay mode This mode is defined in 802.1x.
  • Page 250 Figure 1-8 802.1x authentication procedure (in EAP relay mode)
    Supplicant system --EAPOL-- Authenticator system --EAPOR (EAP over RADIUS)-- RADIUS server
    1. Supplicant -> Authenticator: EAPOL-Start
    2. Authenticator -> Supplicant: EAP-Request/Identity
    3. Supplicant -> Authenticator: EAP-Response/Identity
    4. Authenticator -> RADIUS server: RADIUS Access-Request (EAP-Response/Identity)
    5. RADIUS server -> Authenticator: RADIUS Access-Challenge (EAP-Request/MD5 challenge)
    6. Authenticator -> Supplicant: EAP-Request/MD5 challenge
    7. Supplicant -> Authenticator: EAP-Response/MD5 challenge
    8. Authenticator -> RADIUS server: RADIUS Access-Request (EAP-Response/MD5 challenge)
    ...
  • Page 251 The RADIUS server recomputes the MD5 challenge response from the password it stores for the user and compares it with the response received in the RADIUS Access-Request packet. If the two match, it sends feedback (a RADIUS Access-Accept packet carrying an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated.
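    As an added example (not H3C or RADIUS-server code), the following Python script shows both checks the relay-mode pages describe: the supplicant's EAP-MD5 response and its recomputation on the server, and the Message-Authenticator that the earlier page says must be present and valid on an Access-Request carrying EAP, otherwise the packet is discarded. The username, password, challenge and Request Authenticator are constructed values; the shared secret is the one from this chapter's RADIUS configuration example. Layouts follow RFC 3748 (EAP-MD5), RFC 2865 (RADIUS) and RFC 3579 (Message-Authenticator); only the Access-Request direction is built.

```python
"""EAP-MD5 challenge verification and RADIUS Message-Authenticator check.

Added example, not from the manual. All key material below is constructed.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def eap_md5_response(identifier, password, challenge):
    """Supplicant side: MD5(Identifier || password || challenge), RFC 3748 5.4."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def server_check_md5(identifier, challenge, response, stored_password):
    """Server side: recompute from the stored password and compare in constant
    time. EAP-MD5 needs the cleartext password on the server, one reason the
    method is considered weak."""
    expected = eap_md5_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(ident, request_authenticator, secret, username, eap_packet):
    """Authenticator side: Access-Request with EAP-Message and a
    Message-Authenticator = HMAC-MD5(secret, packet with attribute 80 zeroed)."""
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_EAP_MESSAGE, eap_packet)
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(zeroed))
    header += request_authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: walk the attributes, find Message-Authenticator, zero it and
    recompute. Length inconsistencies or a missing attribute mean discard."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, found = 20, None
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or found is not None:
                return False
            found = pos
        pos += attr_len
    if found is None:
        return False
    zeroed = packet[:found + 2] + bytes(16) + packet[found + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[found + 2:found + 18])


# Constructed sample values (the shared key "name" is the page's example).
SECRET = b"name"
PASSWORD = b"constructed-password"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")   # normally random
IDENTIFIER = 0x2A


def sample_request():
    """Build the EAP-Response/MD5-Challenge and the Access-Request relaying it."""
    response = eap_md5_response(IDENTIFIER, PASSWORD, CHALLENGE)
    # EAP: Code 2 (Response), Identifier, Length, Type 4, Value-Size 16, Value
    eap = struct.pack("!BBH", 2, IDENTIFIER, 4 + 2 + 16) + bytes([4, 16]) + response
    request = build_access_request(7, bytes(16), SECRET, b"user@example", eap)
    return request, response


if __name__ == "__main__":
    req, resp = sample_request()
    print("Message-Authenticator valid:", verify_message_authenticator(req, SECRET))
    print("MD5 response accepted      :", server_check_md5(IDENTIFIER, CHALLENGE, resp, PASSWORD))
```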
  • Page 252: Timers Used In 802.1X

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode)
    Supplicant system PAE --EAPOL-- Authenticator system PAE --RADIUS-- RADIUS server
    1. Supplicant -> Authenticator: EAPOL-Start
    2. Authenticator -> Supplicant: EAP-Request/Identity
    3. Supplicant -> Authenticator: EAP-Response/Identity
    4. Authenticator -> Supplicant: EAP-Request/MD5 Challenge
    5. Supplicant -> Authenticator: EAP-Response/MD5 Challenge
    6. Authenticator -> RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 Challenge)
    7. RADIUS server -> Authenticator: RADIUS Access-Accept (CHAP-Success)
    8. Authenticator -> Supplicant: EAP-Success
    9. Port ...
  • Page 253: 802.1x Implementation on an S5100-SI/EI Series Switch

    Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer. RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it does not receive the response from the RADIUS server when this timer times out.
  • Page 254 Supplicant systems logging on through IE proxies Whether or not a supplicant system logs in through more than one network adapter (that is, whether more than one network adapter is active in a supplicant system when it logs in). In response to any of the three cases, a switch can optionally take the following measures: Only disconnect the supplicant system but send no Trap packets.
  • Page 255 The guest VLAN function The guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way. The guest VLAN function enables supplicant systems that do not have 802.1x client installed to access specific network resources. It also enables supplicant systems that are not authenticated to upgrade their 802.1x client programs.
  • Page 256: Introduction To 802.1X Configuration

    Figure 1-10 802.1x re-authentication Internet Switch RADIUS Server 802.1x re-authentication can be enabled in one of the following two ways: The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1.
  • Page 257: Basic 802.1X Configuration

    Figure 1-11 802.1x configuration: 802.1x configuration -> ISP domain -> AAA scheme configuration (local authentication or RADIUS scheme)
    802.1x users use domain names to associate with the ISP domains configured on switches. Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in the ISP domain.
  • Page 258
    quit
    Set port access control mode for specified ports (Optional. By default, an 802.1x-enabled port operates in the auto mode.):
      In system view: dot1x port-control { authorized-force | unauthorized-force | auto } [ interface interface-list ]
      In port view: interface interface-type interface-number, then dot1x port-control...
  • Page 259: Timer And Maximum User Number Configuration

    802.1x configurations take effect only after you enable 802.1x both globally and for specified ports. The settings of 802.1x and MAC address learning limit are mutually exclusive. Enabling 802.1x on a port will prevent you from setting the limit on MAC address learning on the port and vice versa.
  • Page 260: Advanced 802.1X Configuration

    Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ... } (Optional. The default settings of the 802.1x timers are as follows.)
      handshake-period-value: 15 seconds
      quiet-period-value: ... seconds
      server-timeout-value: 100 seconds
      supp-timeout-value: ...
      tx-period-value: ... seconds
  • Page 261: Configuring Client Version Checking

    Enable the proxy checking function globally: dot1x supp-proxy-check { logoff | trap } (Required. By default, the 802.1x proxy checking function is globally disabled.)
    Enable proxy checking on ports, in system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] (Required.)
    ...
  • Page 262: Enabling DHCP-Triggered Authentication

    Set the client version checking period timer: dot1x timer ver-period ver-period-value (Optional. By default, the timer is set to 30 seconds.)
    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports.
  • Page 263: Configuring 802.1X Re-Authentication

    The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
  • Page 264: Displaying And Maintaining 802.1X Configuration

    During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 265 another packet to the RADIUS servers again if it sends a packet to the RADIUS server and does not receive response for 5 seconds, with the maximum number of retries of 5. And the switch sends a real-time accounting packet to the RADIUS servers once in every 15 minutes.
  • Page 266 [Sysname-radius-radius1] primary accounting 10.11.1.2 # Assign IP addresses to the secondary authentication and accounting RADIUS servers. [Sysname-radius-radius1] secondary authentication 10.11.1.2 [Sysname-radius-radius1] secondary accounting 10.11.1.1 # Set the shared key the switch and the authentication RADIUS servers use to exchange messages. [Sysname-radius-radius1] key authentication name # Set the shared key the switch and the accounting RADIUS servers use to exchange messages.
  • Page 267: Quick EAD Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S5100-SI/EI series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 268: Configuring Quick EAD Deployment

    HTTP redirection In the HTTP redirection approach, when the terminal users that have not passed 802.1x authentication access the Internet through Internet Explorer, they are redirected to a predefined URL for EAD client download. The two functions ensure that all the users without an EAD client have downloaded and installed one from the specified server themselves before they can access the Internet, thus decreasing the complexity and effort that EAD client deployment may involve.
  • Page 269 You must configure the URL for HTTP redirection before configuring a free IP range. A URL must start with http:// and the segment where the URL resides must be in the free IP range. Otherwise, the redirection function cannot take effect. You must disable the DHCP-triggered authentication function of 802.1x before configuring a free IP range.
  • Page 270: Displaying and Maintaining Quick EAD Deployment

    Displaying and Maintaining Quick EAD Deployment
    Display configuration information about quick EAD deployment: display dot1x [ sessions | statistics ] [ interface interface-list ] (Available in any view)
    Quick EAD Deployment Configuration Example
    Network requirements
    A user connects to the switch directly.
  • Page 271: Troubleshooting

    Configuration procedure Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch. # Configure the URL for HTTP redirection. <Sysname>...
  • Page 272: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 273: Habp Client Configuration

    To do / Use the command / Remarks:
    Configure the current switch to be an HABP server: habp server vlan vlan-id. Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
  • Page 274: System-Guard Configuration

    System-Guard Configuration. System-Guard Overview: To implement system guard for the CPU, you must first determine whether the CPU is under attack. You should not decide this only according to whether congestion occurs in a queue. Instead, make the determination in the following ways: according to the number of packets processed by the CPU in a time range.
  • Page 275 Displaying and Maintaining System-Guard After the above configuration, execute the display command in any view to display the running status of the system-guard feature, and to verify the configuration.
    Table 4-2 Display and maintain system-guard (Operation / Command):
    Display the record of detected attacks: display system-guard attack-record
    Display the state of the system-guard feature: display system-guard state...
  • Page 276 Table of Contents: 1 AAA Overview 1-1; Introduction to AAA 1-1; Authentication 1-1; Authorization 1-1; Accounting 1-2; Introduction to ISP Domain 1-2; Introduction to AAA Services 1-2; Introduction to RADIUS 1-2; Introduction to HWTACACS 1-7; 2 AAA Configuration 2-1; AAA Configuration Task List 2-1; Creating an ISP Domain and Configuring Its Attributes 2-2; Configuring an AAA Scheme for an ISP Domain 2-3; Configuring Dynamic VLAN Assignment 2-6...
  • Page 277 AAA Configuration Examples 2-27; Remote RADIUS Authentication of Telnet/SSH Users 2-27; Local Authentication of FTP/Telnet Users 2-28; HWTACACS Authentication and Authorization of Telnet Users 2-30; Troubleshooting AAA 2-31; Troubleshooting RADIUS Configuration 2-31; Troubleshooting HWTACACS Configuration 2-31; 3 EAD Configuration 3-1; Introduction to EAD 3-1; Typical Network Application of EAD 3-1; EAD Configuration 3-2; EAD Configuration Example 3-3...
  • Page 278: Aaa Overview

    AAA Overview. Introduction to AAA: AAA is the acronym for the three security functions authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management. Authentication defines which users can access the network; authorization defines which services are available to the users who can access the network; accounting defines how to charge the users who are using network resources.
  • Page 279: Accounting

    Accounting AAA supports the following accounting methods: None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
  • Page 280 Clients: This database stores information about RADIUS clients (such as shared key). Dictionary: The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol. Figure 1-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.
  • Page 281 The RADIUS server compares the received user information with that in the Users database to authenticate the user. If the authentication succeeds, the RADIUS server sends back to the RADIUS client an authentication response (Access-Accept), which contains the user’s authorization information. If the authentication fails, the server returns an Access-Reject response. The RADIUS client accepts or denies the user depending on the received authentication result.
  • Page 282 Message type / Message description:
    Access-Reject: Direction: server->client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
    Accounting-Request: Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined...
  • Page 283 Attribute types (type field values not shown): Service-Type, Framed-Protocol, Framed-IP-Address, Framed-IP-Netmask, Framed-Routing, Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID; Idle-Timeout, Termination-Action, Called-Station-Id, Calling-Station-Id, NAS-Identifier, Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type...
  • Page 284: Introduction To Hwtacacs

    Introduction to HWTACACS. What is HWTACACS: Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492). Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP, VPDN, and terminal users) by communicating with a TACACS server in client-server mode.
  • Page 285 Figure 1-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 286 After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 287: Aaa Configuration

    AAA Configuration. AAA Configuration Task List: You need to configure AAA to provide network access services for legitimate users while protecting network devices and preventing unauthorized access and repudiation. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task / Remarks...
  • Page 288: Creating An Isp Domain And Configuring Its Attributes

    Task / Remarks:
    Creating an ISP Domain and Configuring Its Attributes: Required.
    Configuring an AAA Scheme for an ISP Domain, configuring separate AAA schemes: Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
    You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
  • Page 289: Configuring An Aaa Scheme For An Isp Domain

    To do / Use the command / Remarks:
    Set the accounting-optional switch: accounting-optional. Optional. By default, the accounting optional switch is off.
    Set the messenger function: messenger time { enable limit interval | disable }. Optional. By default, the messenger function is disabled.
    Set the self-service server: self-service-url { disable |...
  • Page 290 To do / Use the command / Remarks:
    Enter system view: system-view. —
    Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name. Required.
    Configure an AAA scheme for the ISP domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] | ... Required. By default, an ISP...
  • Page 291 Authentication: RADIUS, local, or HWTACACS. Follow these steps to configure separate AAA schemes:
    To do / Use the command / Remarks:
    Enter system view: system-view. —
    Create an ISP domain and enter its view, or enter the view of an existing ISP domain: domain isp-name. Required.
    (next row): authentication { radius-scheme... Optional.
  • Page 292: Configuring Dynamic Vlan Assignment

    Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
  • Page 293: Configuring The Attributes Of A Local User

    Configuring the Attributes of a Local User When local scheme is chosen as the AAA scheme, you should create local users on the switch and configure the relevant attributes. The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user.
  • Page 294: Mac Address Authentication

    The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string. After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.
  • Page 295 Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client). Task / Remarks:
    Creating a RADIUS Scheme: Required
    Configuring RADIUS Authentication/Authorization Servers: Required
    Configuring Ignorance of Assigned RADIUS Authorization Attributes: Optional
    Configuring RADIUS Accounting Servers: Required
    Configuring Shared Keys for RADIUS Messages: Optional
    Configuring the Maximum Number of RADIUS Request...: Optional...
  • Page 296: Creating A Radius Scheme

    Task / Remarks: Configuring the RADIUS client: — (refer to the configuration of the RADIUS client). The RADIUS service configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme.
  • Page 297: Configuring Radius Authentication/Authorization Servers

    Configuring RADIUS Authentication/Authorization Servers. Follow these steps to configure RADIUS authentication/authorization servers:
    To do / Use the command / Remarks:
    Enter system view: system-view. —
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme named "system"...
  • Page 298: Configuring Radius Accounting Servers

    As shown in Figure 2-1, NAS 1 and NAS 2 are connected to the same RADIUS server for authentication. For easy management, the RADIUS server issues the same authorization attributes to all the users. However, users attached to NAS 1 need these attributes while users attached to NAS 2 do not want to use the assigned Attribute 28, idle-timeout.
  • Page 299 To do / Use the command / Remarks:
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme named "system" has already been created in the system.
    Set the IP address and port number of the primary accounting server: primary accounting ... Required. By default, the IP address and UDP port number of the primary accounting server...
  • Page 300: Configuring Shared Keys For Radius Messages

    Configuring Shared Keys for RADIUS Messages: Both the RADIUS client and server adopt the MD5 algorithm to encrypt RADIUS messages before they are exchanged between the two parties. The two parties verify the validity of the RADIUS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 301: Configuring The Type Of Radius Servers To Be Supported

    Configuring the Type of RADIUS Servers to be Supported. Follow these steps to configure the type of RADIUS servers to be supported:
    To do / Use the command / Remarks:
    Enter system view: system-view. —
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme...
  • Page 302: Configuring The Attributes Of Data To Be Sent To Radius Servers

    Follow these steps to set the status of RADIUS servers:
    To do / Use the command / Remarks:
    Enter system view: system-view. —
    Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name. Required. By default, a RADIUS scheme named "system" has already been created in the system.
  • Page 303: Configuring The Local Radius Server

    To do / Use the command / Remarks:
    (System view) radius nas-ip ip-address: ... address is set; and the IP address of the corresponding outbound interface is used as the source IP address.
    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@”...
  • Page 304: Configuring Timers For Radius Servers

    When adopting the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 305: Enabling Sending Trap Message When A Radius Server Goes Down

    To do / Use the command / Remarks:
    Set the response timeout time of RADIUS servers: timer response-timeout seconds. Optional. By default, the response timeout time of RADIUS servers is three seconds.
    Set the time that the switch waits before it tries to re-communicate with the primary...: timer quiet minutes. Optional. By default, the switch waits five minutes...
  • Page 306 online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
  • Page 307: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List. Complete the following tasks to configure HWTACACS. Task / Remarks:
    Creating a HWTACACS Scheme: Required
    Configuring TACACS Authentication Servers: Required
    Configuring TACACS Authorization Servers: Required
    Configuring the TACACS client: Configuring TACACS Accounting Servers: Optional
    Configuring Shared Keys for RADIUS Messages: Optional
    Configuring the Attributes of Data to be Sent to TACACS...: Optional...
  • Page 308: Configuring Tacacs Authorization Servers

    To do / Use the command / Remarks:
    Set the IP address and port number of the primary TACACS authentication server: primary authentication ip-address [ port ]. Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.
  • Page 309: Configuring Tacacs Accounting Servers

    You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
  • Page 310: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 311: Configuring The Timers Regarding Tacacs Servers

    Generally, the access users are named in the userid@isp-name or userid.isp-name format, where isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept usernames that carry ISP domain names, it is necessary to remove the domain names from usernames before they are sent to the TACACS server.
  • Page 312: Displaying And Maintaining Aaa Configuration

    Displaying and Maintaining AAA Configuration
    To do / Use the command / Remarks:
    Display configuration information about one specific or all ISP domains: display domain [ isp-name ]
    Display information about user...: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ... Available in...
  • Page 313: Aaa Configuration Examples

    To do / Use the command / Remarks:
    Display buffered non-response stop-accounting requests: display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
    Clear HWTACACS message statistics: reset hwtacacs statistics { accounting | authentication | authorization | all }. Available in user view.
    Delete buffered non-response stop-accounting requests: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name...
  • Page 314: Local Authentication Of Ftp/Telnet Users

    Network diagram: Figure 2-2 Remote RADIUS authentication of Telnet users (RADIUS server 10.110.91.164/16, Internet, Telnet user). Configuration procedure # Enter system view. <Sysname> system-view # Adopt AAA authentication for Telnet users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] authentication-mode scheme [Sysname-ui-vty0-4] quit # Configure an ISP domain.
  • Page 315 The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-3, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally.
  • Page 316: Hwtacacs Authentication And Authorization Of Telnet Users

    Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users. Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
  • Page 317: Troubleshooting Aaa

    [Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.
  • Page 318: Ead Configuration

    EAD Configuration. Only the S5100-EI series switches support the EAD configuration. Introduction to EAD: Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints.
  • Page 319: Ead Configuration

    Figure 3-1 Typical network application of EAD After a client passes the authentication, the security Client (software installed on the client PC) interacts with the security policy server to check the security status of the client. If the client is not compliant with the security standard, the security policy server issues an ACL to the switch, which then inhibits the client from accessing any parts of the network except for the virus/patch server.
  • Page 320: Ead Configuration Example

    EAD Configuration Example Network requirements Figure 3-2: A user is connected to GigabitEthernet 1/0/1 on the switch. The user adopts 802.1x client supporting EAD extended function. You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD control on users.
  • Page 321 [Sysname-radius-cams] accounting optional [Sysname-radius-cams] key authentication expert [Sysname-radius-cams] server-type extended # Configure the IP address of the security policy server. [Sysname-radius-cams] security-policy-server 10.110.91.166 # Associate the domain with the RADIUS scheme. [Sysname-radius-cams] quit [Sysname] domain system [Sysname-isp-system] radius-scheme cams...
  • Page 322 Table of Contents: 1 MAC Address Authentication Configuration 1-1; MAC Address Authentication Overview 1-1; Performing MAC Address Authentication on a RADIUS Server 1-1; Performing MAC Address Authentication Locally 1-1; Related Concepts 1-2; MAC Address Authentication Timers 1-2; Quiet MAC Address 1-2; Configuring Basic MAC Address Authentication Functions 1-2; MAC Address Authentication Enhanced Function Configuration 1-4; MAC Address Authentication Enhanced Function Configuration Task List 1-4; Configuring a Guest VLAN 1-4...
  • Page 323: Mac Address Authentication Configuration

    MAC Address Authentication Configuration. When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview; Related Concepts; Configuring Basic MAC Address Authentication Functions; MAC Address Authentication Enhanced Function Configuration; Displaying and Maintaining MAC Address Authentication Configuration; MAC Address Authentication Configuration Examples. MAC Address Authentication Overview: MAC address authentication provides a way for authenticating users based on ports and MAC...
  • Page 324: Related Concepts

    used depends on your configuration). Hyphens must or must not be included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail. In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames.
  • Page 325 ... quit
    Set the user name in MAC address mode for MAC address authentication: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]. Optional. By default, the MAC address of a user is used as the user name.
  • Page 326: Mac Address Authentication Enhanced Function Configuration

    MAC Address Authentication Enhanced Function Configuration. MAC Address Authentication Enhanced Function Configuration Task List: Complete the following tasks to configure MAC address authentication enhanced function. Task / Remarks:
    Configuring a Guest VLAN: Optional
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port: Optional
    Configuring a Guest VLAN...
  • Page 327 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
  • Page 328: Configuring The Maximum Number Of Mac Address Authentication Users Allowed To Access A Port

    If more than one client are connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
  • Page 329: Displaying And Maintaining Mac Address Authentication Configuration

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 330 # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords. [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # Add a local user. Specify the user name and password. [Sysname] local-user 00-0d-88-f6-44-c1 [Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1 # Set the service type to lan-access.
  • Page 331 Table of Contents: 1 IP Addressing Configuration 1-1; IP Addressing Overview 1-1; IP Address Classes 1-1; Special IP Addresses 1-2; Subnetting and Masking 1-2; Protocols and Standards 1-3; Configuring IP Addresses 1-3; Displaying IP Addressing Configuration 1-4; VLAN Interface IP Address Configuration Examples 1-4; IP Address Configuration Example I 1-4; IP Address Configuration Example II 1-5; 2 IP Performance Optimization Configuration 2-1...
  • Page 332: Ip Addressing Configuration

    IP Addressing Configuration The term IP address used throughout this chapter refers to IPv4 address. For details about IPv6 address, refer to IPv6 Management. When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration VLAN Interface IP Address Configuration Examples...
  • Page 333: Special Ip Addresses

    Table 1-1 IP address classes and ranges (Class / Address range / Remarks):
    A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication; this address is never a valid destination address. Addresses starting with 127 are reserved for loopback test.
  • Page 334: Protocols And Standards

    Figure 1-2 Subnet a Class B network In the absence of subnetting, some special addresses such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts. The same is true for subnetting.
  • Page 335: Displaying Ip Addressing Configuration

    You may assign an interface multiple IP addresses, one primary and multiple secondaries, to connect multiple logical subnets on the same physical subnet. Follow these steps to configure an IP address for an interface:
    To do / Use the command / Remarks:
    Enter system view: system-view. —...
  • Page 336: IP Address Configuration Example II

    Network diagram
    Figure 1-3 Network diagram for IP address configuration
    Configuration procedure
    # Configure an IP address for VLAN-interface 1.
    <Switch> system-view
    [Switch] interface vlan-interface 1
    [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0
    IP Address Configuration Example II
    Network requirements
    As shown in Figure 1-4, a port in VLAN 1 on an S5100-SI is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
  • Page 337
    [S5100-SI] interface Vlan-interface 1
    [S5100-SI-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
    [S5100-SI-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
    # Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24.
    # Ping a host on the subnet 172.16.1.0/24 from the S5100-SI to check the connectivity.
  • Page 338: IP Performance Optimization Configuration

    IP Performance Optimization Configuration
    When optimizing IP performance, go to these sections for information you are interested in:
    IP Performance Overview
    Configuring IP Performance Optimization
    Displaying and Maintaining IP Performance Optimization Configuration
    IP Performance Overview
    Introduction to IP Performance Configuration
    In some network environments, you can adjust the IP parameters to achieve the best network performance.
  • Page 339: Disabling Sending Of ICMP Error Packets

    synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
    finwait timer: When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
  • Page 340: Displaying And Maintaining IP Performance Optimization Configuration

    If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a “protocol unreachable” ICMP error packet to the source. When receiving a packet with the destination being local and transport layer protocol being UDP, if the packet’s port number does not match the running process, the device will send the source a “port unreachable”...
  • Page 341
    To do… | Use the command… | Remarks
    Display the current socket information of the system | display ip socket [ socktype sock-type ] [ task-id socket-id ] |
    Display the forwarding information base (FIB) entries | display fib |
    Display the FIB entries matching the destination IP … | display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 |...
  • Page 342 Table of Contents
    1 DHCP Overview 1-1
      Introduction to DHCP 1-1
      DHCP IP Address Assignment 1-1
        IP Address Assignment Policy 1-1
        Obtaining IP Addresses Dynamically 1-2
        Updating IP Address Lease 1-2
      DHCP Packet Format 1-3
      Protocol Specification 1-4
    2 DHCP Relay Agent Configuration 1-1
      Introduction to DHCP Relay Agent 1-1
        Usage of DHCP Relay Agent 1-1
        DHCP Relay Agent Fundamentals 1-1...
  • Page 343: DHCP Overview

    DHCP Overview
    When configuring DHCP, go to these sections for information you are interested in:
    Introduction to DHCP
    DHCP IP Address Assignment
    DHCP Packet Format
    Protocol Specification
    Introduction to DHCP
    With networks getting larger in size and more complicated in structure, a lack of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a tough task for them.
  • Page 344: Obtaining IP Addresses Dynamically

    Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently.
    Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period.
  • Page 345: DHCP Packet Format

    By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
  • Page 346: Protocol Specification

    sname: Name of the DHCP server.
    file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
    option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
    Protocol Specification
    Protocol specifications related to DHCP include:
    RFC2131: Dynamic Host Configuration Protocol...
  • Page 347: DHCP Relay Agent Configuration

    DHCP Relay Agent Configuration
    When configuring the DHCP relay agent, go to these sections for information you are interested in:
    Introduction to DHCP Relay Agent
    Configuring the DHCP Relay Agent
    Displaying and Maintaining DHCP Relay Agent Configuration
    DHCP Relay Agent Configuration Example
    Troubleshooting DHCP Relay Agent Configuration
    Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 348: Option 82 Support On DHCP Relay Agent

    Figure 2-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 349: Configuring The DHCP Relay Agent

    sub-option 2: Padded with the bridge MAC address of the DHCP relay agent device that received the client’s request.
    Figure 2-2 Padding contents for sub-option 1 of Option 82
    Figure 2-3 Padding contents for sub-option 2 of Option 82
    Mechanism of Option 82 supported on DHCP relay agent
    The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 350: Correlating A DHCP Server Group With A Relay Agent Interface

    Task | Remarks
    Correlating a DHCP Server Group with a Relay Agent Interface | Required
    Configuring DHCP Relay Agent Security Functions | Optional
    Configuring the DHCP Relay Agent to Support Option 82 | Optional
    Correlating a DHCP Server Group with a Relay Agent Interface
    To enhance reliability, you can set multiple DHCP servers on the same network.
  • Page 351
    user end and the MAC address of the user end do not match any entries (including the entries dynamically tracked by the DHCP relay agent and the manually configured static entries) in the user address table on the DHCP relay agent.
    Follow these steps to configure address checking:
    To do…...
  • Page 352 With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only once until such information is removed and is recorded again. The administrator needs to find unauthorized DHCP servers from the system log information.
  • Page 353: Displaying And Maintaining DHCP Relay Agent Configuration

    Displaying and Maintaining DHCP Relay Agent Configuration
    To do… | Use the command… | Remarks
    Display the information about a specified DHCP server group | display dhcp-server groupNo | Available in any view
    Display the information about the DHCP server group to which a specified VLAN interface is mapped | display dhcp-server interface Vlan-interface vlan-id | Available in any view...
  • Page 354: Troubleshooting DHCP Relay Agent Configuration

    You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server. The DHCP server configurations vary with different DHCP server devices, so the configurations are omitted.
    The DHCP relay agent and DHCP server must be reachable to each other.
    Troubleshooting DHCP Relay Agent Configuration
    Symptom
    A client fails to obtain configuration information through a DHCP relay agent.
  • Page 355: DHCP Snooping Configuration

    DHCP Snooping Configuration
    When configuring DHCP snooping, go to these sections for information you are interested in:
    DHCP Snooping Overview
    Configuring DHCP Snooping
    Displaying DHCP Snooping Configuration
    DHCP Snooping Configuration Examples
    DHCP Snooping Overview
    Introduction to DHCP Snooping
    For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the corresponding relationship between the IP addresses the DHCP clients obtained from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 356: Introduction To DHCP-Snooping Option 82

    Figure 3-1 Typical network diagram for DHCP snooping application
    DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
    DHCP-REQUEST packet
    DHCP-ACK packet
    Introduction to DHCP-Snooping Option 82
    Introduction to Option 82...
  • Page 357 sub-options (with the default padding contents). That is, the circuit ID or remote ID sub-option defines the type and length of a circuit ID or remote ID. The remote ID type field and circuit ID type field are determined by the option storage format. They are both set to 0 in the case of HEX format and to 1 in the case of ASCII format.
  • Page 358
    Handling policy | Sub-option configuration | The DHCP Snooping device will…
    Keep | — | Forward the packet without changing Option 82.
    … | Neither of the two sub-options is configured | Forward the packet after replacing the original Option 82 with the default content. The storage format of Option 82 content is the one specified with the dhcp-snooping information format command or the...
  • Page 359: Introduction To IP Filtering

    Introduction to IP Filtering
    In a denial-of-service (DoS) attack, an attacker sends a large number of forged requests with different source IP addresses to the server so that the network cannot work normally. The specific effects are as follows:
    The resources on the server are exhausted, so the server does not respond to other requests.
  • Page 360: Configuring DHCP Snooping To Support Option 82

    To do… | Use the command… | Remarks
    Enter Ethernet port view | interface interface-type interface-number | —
    Specify the current port as a trusted port | dhcp-snooping trust | Required. By default, after DHCP snooping is enabled, all ports of a switch are untrusted ports.
    If an S5100-SI/EI Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP.
  • Page 361
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable DHCP-snooping Option 82 support | dhcp-snooping information enable | Required. Disabled by default.
    Configuring a handling policy for DHCP packets with Option 82
    Follow these steps to configure a handling policy for DHCP packets with Option 82:
    To do…...
  • Page 362
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure a storage format for the Option 82 field | dhcp-snooping information format { hex | ascii } | Optional. By default, the format is hex.
    The dhcp-snooping information format command applies only to the default content of the Option 82 field.
  • Page 363
    In Ethernet port view, the remote ID takes effect only on the current interface.
    You can configure Option 82 as any customized character string in the ASCII format for different VLANs. That is to say, you can add different configuration rules for packets from different VLANs.
    Follow these steps to configure the remote ID sub-option in Option 82:
    To do…...
  • Page 364: Configuring IP Filtering

    Configuring IP Filtering
    Follow these steps to configure IP filtering:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter Ethernet port view | interface interface-type interface-number | —
    Enable IP filtering | ip check source ip-address [ mac-address ] | Required. By default, this function is disabled.
  • Page 365: DHCP Snooping Configuration Examples

    DHCP Snooping Configuration Examples
    DHCP-Snooping Option 82 Support Configuration Example
    Network requirements
    As shown in Figure 3-6, GigabitEthernet 1/0/5 of the switch is connected to the DHCP server, and GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are respectively connected to Client A, Client B, and Client C.
  • Page 366: IP Filtering Configuration Example

    # Set the circuit ID sub-option in DHCP packets from VLAN 1 to abcd on GigabitEthernet 1/0/3.
    [Switch] interface GigabitEthernet1/0/3
    [Switch-GigabitEthernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
    IP Filtering Configuration Example
    Network requirements
    As shown in Figure 3-7, GigabitEthernet 1/0/1 of the S5100-SI/EI switch is connected to the DHCP server and GigabitEthernet 1/0/2 is connected to Host A.
  • Page 367
    # Enable IP filtering on GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses.
    [Switch] interface GigabitEthernet1/0/2
    [Switch-GigabitEthernet1/0/2] ip check source ip-address mac-address
    [Switch-GigabitEthernet1/0/2] quit
    [Switch] interface GigabitEthernet1/0/3
    [Switch-GigabitEthernet1/0/3] ip check source ip-address mac-address
    [Switch-GigabitEthernet1/0/3] quit
    [Switch] interface GigabitEthernet1/0/4
    [Switch-GigabitEthernet1/0/4] ip check source ip-address mac-address...
  • Page 368: DHCP/BOOTP Client Configuration

    DHCP/BOOTP Client Configuration
    When configuring the DHCP/BOOTP client, go to these sections for information you are interested in:
    Introduction to DHCP Client
    Introduction to BOOTP Client
    Configuring a DHCP/BOOTP Client
    Displaying DHCP/BOOTP Client Configuration
    Introduction to DHCP Client
    After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management.
  • Page 369: Displaying DHCP/BOOTP Client Configuration

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface vlan-interface vlan-id | —
    Configure the VLAN interface to obtain IP address through DHCP or BOOTP | ip address { bootp-alloc | dhcp-alloc } | Required. By default, no IP address is configured for the VLAN...
  • Page 370: DHCP/BOOTP Client Configuration Example

    DHCP/BOOTP Client Configuration Example
    DHCP Client Configuration Example
    Network requirements
    Using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address from the DHCP server.
    Network diagram
    Figure 4-1 A DHCP network (diagram labels: Client, WINS server, DHCP server, Vlan-int1, DNS server)...
  • Page 371 Table of Contents
    1 ACL Configuration 1-1
      ACL Overview 1-1
        ACL Matching Order 1-1
        Ways to Apply an ACL on a Switch 1-2
        Types of ACLs Supported by S5100 Series Ethernet Switches 1-3
      ACL Configuration 1-3
        Configuring Time Range 1-3
        Configuring Basic ACL 1-5
        Configuring Advanced ACL 1-6
        Configuring Layer 2 ACL 1-7
      ACL Assignment 1-8
        Assigning an ACL Globally 1-9...
  • Page 372: ACL Matching Order

    ACL Configuration
    ACL Overview
    As the network scale and network traffic keep growing, security control and bandwidth assignment play a more and more important role in network management. Filtering data packets can efficiently prevent a network from being accessed by unauthorized users, while controlling network traffic and saving network resources.
  • Page 373: Ways To Apply An ACL On A Switch

    Depth-first match order for rules of an advanced ACL
    Protocol range: A rule that has specified the types of the protocols carried by IP takes priority over others.
    Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
  • Page 374: ACL Configuration

    When an ACL is directly applied to hardware for packet filtering, the switch will permit packets if the packets do not match the ACL. When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL.
  • Page 375
    Configuration Procedure
    Table 1-1 Configure a time range
    Operation | Command | Description
    Enter system view | system-view | —
    Create a time range | time-range time-name { start-time to end-time days-of-the-week [ from start-time start-date ] [ to end-time end-date ] | from start-time start-date [ to end-time end-date ] | to end-time end-date } | Required
    Note that:
    If only a periodic time section is defined in a time range, the time range is active only when the...
  • Page 376: Configuring Basic ACL

    Configuring Basic ACL
    A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999.
    Configuration Prerequisites
    To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
  • Page 377: Configuring Advanced ACL

    Acl's step is 1
    rule 0 deny source 192.168.0.1 0
    Configuring Advanced ACL
    An advanced ACL can filter packets by their source and destination IP addresses, the protocols carried by IP, and protocol-specific features such as TCP/UDP source and destination ports, ICMP message type and message code.
  • Page 378: Configuring Layer 2 ACL

    The content of a modified or created rule cannot be identical with the content of any existing rules; otherwise the rule modification or creation will fail, and the system prompts that the rule already exists. If the ACL is created with the auto keyword specified, the newly created rules will be inserted in the existent ones by depth-first principle, but the numbers of the existent rules are unaltered.
  • Page 379: ACL Assignment

    Operation | Command | Description
    Assign a description string to the ACL | description text | Optional. No description by default
    Note that:
    You can modify any existent rule of the Layer 2 ACL and the unmodified part of the ACL remains. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
  • Page 380: Assigning An ACL Globally

    ACLs assigned globally take precedence over those that are assigned to VLANs. That is, when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN, the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in the two rules conflict.
  • Page 381: Assigning An ACL To A Port Group

    Configuration procedure
    Table 1-6 Assign an ACL to a VLAN
    Operation | Command | Description
    Enter system view | system-view | —
    Apply an ACL to a VLAN | packet-filter vlan vlan-id inbound acl-rule | Required. For description on the acl-rule argument, refer to ACL Command.
    An ACL assigned to a VLAN takes effect only for the packets tagged with 802.1Q header.
  • Page 382: Assigning An ACL To A Port

    As S5100-SI series switches do not support port group configuration, they do not support ACL application on port groups.
    After an ACL is assigned to a port group, it will be automatically assigned to the ports that are subsequently added to the port group.
    Configuration example
    # Apply ACL 2000 to port group 1 to filter the inbound packets on all the ports in the port group.
  • Page 383: Displaying ACL Configuration

    Displaying ACL Configuration
    After the above configuration, you can execute the display commands in any view to view the ACL running information and verify the configuration.
    Table 1-9 Display ACL configuration
    Operation | Command | Description
    Display a configured ACL or all the ACLs | display acl { all | acl-number } |
    Display a time range or all … | display time-range { all | time-name }...
  • Page 384: Example For Controlling Web Login Users By Source IP

    Example for Controlling Web Login Users by Source IP
    Network requirements
    Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch through HTTP.
    Network diagram
    Figure 1-2 Network diagram for controlling Web login users by source IP (diagram labels: Internet, Switch, 10.110.100.46)...
  • Page 385: Advanced ACL Configuration Example

    Configuration procedure
    # Define a periodic time range that is active from 8:00 to 18:00 every day.
    <Sysname> system-view
    [Sysname] time-range test 8:00 to 18:00 daily
    # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
    [Sysname-acl-basic-2000] quit
    # Apply ACL 2000 on GigabitEthernet 1/0/1.
  • Page 386: Layer 2 ACL Configuration Example

    Layer 2 ACL Configuration Example
    Network requirements
    PC 1 and PC 2 connect to the switch through GigabitEthernet 1/0/1. PC 1’s MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012 from 8:00 to 18:00 every day.
    Network diagram
    Figure 1-5 Network diagram for Layer 2 ACL
    Configuration procedure...
  • Page 387
    Network diagram
    Figure 1-6 Network diagram for applying an ACL to a VLAN (diagram labels: Database server 192.168.1.2, GE1/0/1, GE1/0/2, GE1/0/3, VLAN 10, PC 1, PC 2, PC 3)
    Configuration procedure
    # Define a periodic time range that is active from 8:00 to 18:00 on working days.
    <Sysname>...
  • Page 388 Table of Contents
    1 QoS Configuration 1-1
      Overview 1-1
        Introduction to QoS 1-1
        Traditional Packet Forwarding Services 1-1
        New Requirements from Emerging Applications 1-1
        Major Traffic Control Technologies 1-2
      QoS Features Supported by the S5100 Series Ethernet Switches 1-3
      Introduction to QoS Features...
  • Page 389
    2 QoS Profile Configuration 2-1
      Overview 2-1
        Introduction to QoS Profile 2-1
        QoS Profile Application Mode 2-1
      QoS Profile Configuration 2-2
        Configuring a QoS Profile 2-2
        Applying a QoS Profile 2-3
        Displaying and Maintaining QoS Profile Configuration 2-4
      Configuration Example...
  • Page 390: QoS Configuration

    QoS Configuration
    When configuring QoS, go to these sections for information you are interested in:
    Overview
    QoS Features Supported by the S5100 Series Ethernet Switches
    Introduction to QoS Features
    QoS Configuration
    QoS Configuration Examples
    Overview
    Introduction to QoS
    Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs.
  • Page 391: Major Traffic Control Technologies

    regional branches together with VPN technologies to carry out operational applications, for instance, to access the database of the company or to monitor remote devices through Telnet. These new applications have one thing in common, that is, they all have special requirements for bandwidth, delay, and jitter.
  • Page 392: QoS Features Supported By The S5100 Series Ethernet Switches

    Congestion management handles resource competition during network congestion. Generally, it assigns packets to queues first, and then forwards the packets by using a scheduling algorithm. Congestion management is usually applied in the outbound direction of a port. Congestion avoidance monitors the use of network resources and drops packets actively when congestion reaches a certain degree.
  • Page 393: Introduction To QoS Features

    QoS Feature | Description | Reference
    Priority trust mode | You can configure the following QoS actions for traffic separately as required on the S5100 series: | For information about priority trust mode, refer to Priority Trust Mode. For information about specifying priority for protocol packets, refer to Protocol...
  • Page 394 Figure 1-2 DS field and ToS byte As shown in Figure 1-2, the ToS field of the IP header contains eight bits: the first three bits (0 to 2) represent IP precedence from 0 to 7 and the subsequent four bits (3 to 6) represent a ToS value from 0 to 15.
  • Page 395
    Best Effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic exceeding the limit is degraded to the BE class. Currently, all IP network traffic belongs to this class by default.
    Table 1-3 Description on DSCP values
    DSCP value (decimal) | DSCP value (binary) | Description...
  • Page 396 Figure 1-3 An Ethernet frame with an 802.1q tag header As shown in Figure 1-3, each host supporting the 802.1q protocol adds a 4-byte 802.1q tag header after the source address field of the former Ethernet frame header when sending packets.
  • Page 397 Local precedence is a locally significant precedence that the switch assigns to a packet. A local precedence value corresponds to one hardware output queue on the egress port. Packets with the highest local precedence are processed preferentially. As local precedence is used only for internal queuing, a packet does not carry it after leaving the queue.
  • Page 398
    Figure 1-5 Assign precedence to received packets in different trust modes
    Trusting port priority
    In this mode, the switch replaces the 802.1p precedence value of the received packet with the port priority, looks up the 802.1p-precedence-to-other-precedence mapping table for the set of precedence values corresponding to the port priority of the receiving port and assigns the matching precedence value set to the packet.
  • Page 399
    Trusted priority type | Description
    1) The switch looks up the DSCP-precedence-to-other-precedence mapping table for the set of precedence values corresponding to the DSCP value of the packet.
    2) When configuring the switch to trust the DSCP precedence of packets, you can further configure the switch to process each received packet in one of the following modes:
    In the default mode, deliver the packet with its original 802.1p precedence value unchanged.
  • Page 400
    802.1p precedence value | Target local precedence value | Target DSCP value
    Table 1-8 The default DSCP-to-other-precedence mapping table of S5100-EI series switches
    DSCP values | Target local precedence value | Target drop precedence value | Target 802.1p precedence value
    Rows for DSCP values 0 to 7, 8 to 15, 16 to 23, 24 to 31, 32 to 39...
  • Page 401: Protocol Priority

    Table 1-10 The default DSCP-precedence-to-DSCP-precedence mapping table of S5100-SI/EI series switches
    DSCP value | Target DSCP value
    Protocol Priority
    Protocol packets generated by your switch carry their own priority. You can set a new IP precedence or DSCP value for the locally generated traffic of a particular protocol to implement QoS.
  • Page 402
    Token bucket
    A token bucket can be considered as a container holding a certain number of tokens. The system puts tokens into the bucket at a set rate. When the token bucket is full, the extra tokens will overflow.
    Figure 1-6 Evaluate the traffic with the token bucket (diagram labels: Put tokens in the bucket at the set rate; Packets to be sent through this port)...
  • Page 403 Traffic policing A typical application of traffic policing is to supervise the specification of certain traffic entering a network and limit it within a reasonable range, or to "discipline" the exceeding traffic. In this way, the network resources and the interests of the carrier are protected. For example, you can limit the bandwidth for HTTP packets to less than 50% of the total.
  • Page 404: Line Rate

    For example, Device A sends packets to Device B. Device B performs traffic policing on packets from Device A and drops the packets exceeding the limit. To avoid unnecessary packet loss, you can perform traffic shaping for the packets destined for Device B on the outgoing interface of Device A.
  • Page 405
    1) SP queuing
    Figure 1-8 Diagram for SP queuing
    SP queuing is specially designed for mission-critical applications. The key feature of mission-critical applications is that they require preferential service to reduce the response delay when congestion occurs. Assume that there are eight output queues on the port and SP queuing classifies the eight output queues on the port into eight classes, which are queue 7, queue 6, queue 5, queue 4, queue 3, queue 2, queue 1, and queue 0 in the descending order of priority.
  • Page 406 Figure 1-9 Diagram for WRR queuing WRR queuing schedules all the queues in turn and ensures that all of them can be served for a certain time by assigning each queue a weight representing a certain amount of resources. Assume there are eight output queues on the port. WRR assigns queues 7 through 0 the weights w7, w6, w5, w4, w3, w2, w1, and w0.
  • Page 407: Queue Scheduling

    SDWRR: schedules the two queues in turn in such a way that packets identical to one weight are dequeued from queue 0 first and then from queue 1. The procedure is repeated until the scheduling for one queue is over. Then, SDWRR schedules the queue with remaining weights to dequeue the number of packets identical to the remaining weights.
  • Page 408: Configuring Priority Trust Mode

    Task / Remarks: Configuring Priority Trust Mode (optional); Configuring Priority Mapping (optional); Setting the Priority of Protocol Packets (optional); Configuring Priority Marking (optional); Configuring Traffic Policing (optional); Configuring Traffic Shaping (optional); Configuring Line Rate (optional); Configuring Traffic Redirecting (optional); Configuring VLAN Mapping (optional); Configuring Queue Scheduling (optional)...
  • Page 409: Configuring Priority Mapping

    To do… / Use the command… / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the port to trust 802.1p precedence: priority-trust cos [ automap ] (required; by default, port priority is trusted). 3) Configuring a port to trust the DSCP value of traffic Follow these steps to configure a port to trust the DSCP value of traffic: To do…...
  • Page 410 Configuration prerequisites The target CoS-precedence-to-other-precedence, DSCP-precedence-to-other-precedence, and DSCP-precedence-to-DSCP-precedence mapping tables have been determined. Configuration procedures 1) Configuring the CoS-precedence-to-other-precedence mapping table Follow these steps to configure the CoS-precedence-to-other-precedence mapping table: To do… / Use the command… / Remarks: Enter system view: system-view...
  • Page 411 To do… / Use the command… / Remarks: Enter system view: system-view. Configure the DSCP-precedence-to-local-precedence mapping table: qos dscp-local-precedence-map dscp-list : local-precedence (required). Configure the DSCP-precedence-to-drop-precedence mapping table: qos dscp-drop-precedence-map dscp-list : drop-precedence (required; only the H3C S5100-EI series switches support this configuration).
  • Page 412 [Sysname] qos dscp-local-precedence-map 8 9 10 11 12 13 14 15 : 3 [Sysname] qos dscp-local-precedence-map 16 17 18 19 20 21 22 23 : 4 [Sysname] qos dscp-local-precedence-map 24 25 26 27 28 29 30 31 : 1 [Sysname] qos dscp-local-precedence-map 32 33 34 35 36 37 38 39 : 7 [Sysname] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 : 0 [Sysname] qos dscp-local-precedence-map 48 49 50 51 52 53 54 55 : 5 [Sysname] qos dscp-local-precedence-map 56 57 58 59 60 61 62 63 : 6...
  • Page 413: Setting The Priority Of Protocol Packets
  • Page 414: Configuring Priority Marking

    To do… / Use the command… / Remarks: Set the priority of the specific type of protocol packets: protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value } (required). You can modify the IP precedence values or DSCP values of the corresponding protocol packets. On an S5100-SI/EI switch, you can set the priority for protocol packets of...
  • Page 415 The type and value of the precedence to be marked for the packets matching the ACL rules have been determined. Configuration procedures You can configure marking a priority for the incoming packets matching the specific ACL rules globally, in a VLAN, in a port group, or on a port. 1) Configuring priority marking globally Follow these steps to configure marking a priority for the incoming packets matching the specific ACL rules globally:...
  • Page 416: Configuring Traffic Policing

    To do… / Use the command… / Remarks: Enter Ethernet port view: interface interface-type interface-number. Mark a priority for the incoming packets matching the specific ACL rules: traffic-priority inbound acl-rule { dscp dscp-value | cos cos-value } (required). User-defined traffic classification rules configured for priority marking in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets.
  • Page 417 This feature is available only for the H3C S5100-EI series switches. Configuration prerequisites The ACL rules used for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules. The rate limit for traffic policing and the actions for the packets exceeding the rate limit have been determined.
  • Page 418 Follow these steps to configure traffic policing for the incoming packets matching the specific ACL rules in a port group: To do… / Use the command… / Remarks: Enter system view: system-view. Enter port group view: port-group group-id. Configure traffic policing (required): traffic-limit inbound acl-rule target-rate [ conform con-action ] [ exceed...
  • Page 419: Configuring Traffic Shaping

    <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] interface GigabitEthernet1/0/1 [Sysname-GigabitEthernet1/0/1] traffic-limit inbound ip-group 2000 128 exceed remark-dscp 56 2) Method II: configure traffic policing for VLAN 2 <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-limit vlan 2 inbound ip-group 2000 128 exceed remark-dscp 56...
  • Page 420: Configuring Line Rate

    Refer to Line Rate for information about line rate. This feature is applicable to only the H3C S5100-SI series switches. Configuration prerequisites The port where line rate is to be configured has been determined. The target rate and the direction (inbound or outbound) of line rate have been determined.
  • Page 421: Configuring Traffic Redirecting

    To do… / Use the command… / Remarks: Configure line rate: line-rate { inbound | outbound } target-rate (required; disabled by default). Configuration example # Configure line rate for the incoming packets on GigabitEthernet 1/0/1, with the rate limit being 1024 kbps. <Sysname>...
  • Page 422 To do… / Use the command… / Remarks: Enter system view: system-view. Configure traffic redirecting: traffic-redirect vlan vlan-id inbound acl-rule interface interface-type interface-number (required). 3) Configuring traffic redirecting for a port group Follow these steps to configure traffic redirecting for the incoming packets in a port group: To do…...
  • Page 423: Configuring Vlan Mapping

    Configuration examples # Redirect all the incoming packets from network segment 10.1.1.0/24 to GigabitEthernet 1/0/7 (assume that GigabitEthernet 1/0/1 belongs to VLAN 2 and is connected to network segment 10.1.1.0/24). 1) Method I: configure traffic redirecting for port GigabitEthernet 1/0/1 <Sysname>...
  • Page 424: Configuring Queue Scheduling

    To do… / Use the command… / Remarks: Enter Ethernet port view: interface interface-type interface-number. Configure VLAN mapping: traffic-remark-vlanid inbound acl-rule remark-vlan vlan-id [ all-packet | tagged-packet | untagged-packet ] (required; by default, VLAN mapping is not configured. The S5100-EI series switches do not support the all-packet keyword or the tagged-packet keyword).
  • Page 425 2) Configuring SDWRR queuing Follow these steps to configure SDWRR queuing: To do… / Use the command… / Remarks: Enter system view: system-view. Configure SDWRR queuing (required), for S5100-EI series switches: queue-scheduler wrr { group1 { queue-id queue-weight } &<1-8> | group2 { queue-id queue-weight } &<1-8>...
  • Page 426: Configuring Traffic Accounting

    and 40; using SP for scheduling queue 6 and queue 7. Display queue scheduling configuration information after the configuration. <Sysname> system-view [Sysname] queue-scheduler wrr group1 3 20 4 20 5 30 group2 0 20 1 20 2 40 [Sysname] display queue-scheduler QID: scheduling-group weight...
  • Page 427 To do… / Use the command… / Remarks: Clear statistics of the packets matching a specific ACL rule: reset traffic-statistic inbound acl-rule (optional). 2) Configuring traffic accounting for a VLAN Follow these steps to collect/clear statistics about the incoming ACL matching packets in a VLAN: To do…...
  • Page 428: Enabling The Burst Function

    To do… / Use the command… / Remarks: Clear statistics about incoming ACL matching packets: reset traffic-statistic inbound acl-rule (optional). User-defined traffic classification rules configured for traffic accounting in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets. The device collects traffic statistics preferentially, which may affect device management implemented through Telnet and so on.
  • Page 429: Configuring Traffic Mirroring

    To do… / Use the command… / Remarks: Enter system view: system-view. Enable the burst function: burst-mode enable (required; disabled by default). Configuration example # Enable the burst function on an S5100-EI series switch. <Sysname> system-view [Sysname] burst-mode enable Configuring Traffic Mirroring Refer to Traffic Mirroring for information about traffic mirroring.
  • Page 430 To do… / Use the command… / Remarks: Mirror incoming ACL matching packets to the monitor port: mirrored-to inbound acl-rule monitor-interface (required). 2) Configuring traffic mirroring for a VLAN Follow these steps to configure traffic mirroring for a VLAN: To do… / Use the command… / Remarks: Enter system view: system-view...
  • Page 431 To do… / Use the command… / Remarks: Configure the port as the monitor port: monitor-port (required). Return to system view: quit. Enter Ethernet port view: interface interface-type interface-number. Mirror incoming ACL matching packets on the port to the monitor port: mirrored-to inbound acl-rule monitor-interface (required). User-defined traffic classification rules configured for traffic mirroring in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets.
  • Page 432: Displaying And Maintaining Qos

    Displaying and Maintaining QoS To do… / Use the command… / Remarks: Display protocol packet priority configuration: display protocol-priority (available in any view). Display the CoS-precedence-to-drop-precedence mapping: display qos cos-drop-precedence-map (available in any view). Display the CoS-precedence-to-DSCP-precedence mapping: display qos cos-dscp-map (available in any view). Display the...
  • Page 433: Qos Configuration Examples

    To do… / Use the command… / Remarks: Display priority marking configuration of a port or all the ports: display qos-interface { interface-type interface-number | unit-id } traffic-priority (available in any view). Display traffic redirecting configuration of a port or all the ports: display qos-interface { interface-type interface-number | unit-id }...
  • Page 434 Configure traffic policing to satisfy the following requirements: Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps. Drop the packets exceeding the rate limit. Set the maximum rate of outbound IP packets sourced from the R&D department to 128 kbps.
  • Page 435: Priority Marking And Queue Scheduling Configuration Example

    Priority Marking and Queue Scheduling Configuration Example Network requirements As shown in Figure 1-11, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to GigabitEthernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to GigabitEthernet 1/0/3 of the switch. Server 1 (the database server), Server 2 (the mail server), and Server 3 (the file server) are connected to GigabitEthernet 1/0/2 of the switch.
  • Page 436: Vlan Mapping Configuration Example

    [Sysname] interface GigabitEthernet 1/0/2 [Sysname-GigabitEthernet1/0/2] traffic-priority inbound ip-group 3000 rule 0 cos [Sysname-GigabitEthernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 cos [Sysname-GigabitEthernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 cos [Sysname-GigabitEthernet1/0/2] quit 3) Configure queue scheduling # Apply SP queuing. [Sysname] undo queue-scheduler VLAN Mapping Configuration Example Network requirements As shown in...
  • Page 437 Figure 1-12 Network diagram for VLAN mapping configuration (diagram labels: Switch A, GE1/0/10, GE1/0/11, GE1/0/12, VLAN 100, VLAN 200; Public Network, VLAN 500/600; Switch B, GE1/0/15, GE1/0/16, GE1/0/17, VLAN 100, VLAN 200) Configuration procedure # Create CVLANs VLAN 100 and VLAN 200 and SVLANs VLAN 500 and VLAN 600 on Switch A.
  • Page 438 [SwitchA] interface GigabitEthernet 1/0/12 [SwitchA-GigabitEthernet1/0/12] port link-type trunk [SwitchA-GigabitEthernet1/0/12] port trunk pvid vlan 200 [SwitchA-GigabitEthernet1/0/12] port trunk permit vlan 200 600 [SwitchA-GigabitEthernet1/0/12] quit # Configure GigabitEthernet 1/0/10 of Switch A as a trunk port, and assign it to VLAN 100, VLAN 200, VLAN 500, and VLAN 600.
  • Page 439: Traffic Mirroring And Traffic Redirecting Configuration Example

    [SwitchA-GigabitEthernet1/0/10] traffic-remark-vlanid inbound link-group 4002 remark-vlan 100 [SwitchA-GigabitEthernet1/0/10] traffic-remark-vlanid inbound link-group 4003 remark-vlan 200 [SwitchA-GigabitEthernet1/0/10] quit Perform the same VLAN mapping configuration on Switch B. The detailed configuration procedure is similar to that of Switch A and thus is omitted here. Traffic Mirroring and Traffic Redirecting Configuration Example Network requirements A company uses a switch to interconnect all the departments.
  • Page 440 Configuration procedure # Create a time range trname covering the period from 8:00 to 18:00 during working days. <Switch> system-view [Switch] time-range trname 8:00 to 18:00 working-day 1) Configure a policy for the traffic of the marketing department # Create basic ACL 2000 to permit the traffic of the hosts in the marketing department during the specified time range.
  • Page 441: Qos Profile Configuration

    QoS Profile Configuration When configuring a QoS profile, go to these sections for information you are interested in: Overview QoS Profile Configuration Configuration Example This feature is available only on the H3C S5100-EI series switches. Overview Introduction to QoS Profile A QoS profile is a set of QoS configurations.
  • Page 442: Qos Profile Configuration

    The switch generates a new QoS profile by adding user source MAC address information to the traffic classification rule defined in the existing QoS profile and then applies the new QoS profile to the port the user is connected to. Port-based QoS profile application The switch directly applies the QoS profile to the port the user is connected to.
  • Page 443: Applying A Qos Profile

    Configuration procedure Follow these steps to configure a QoS profile: To do… / Use the command… / Remarks: Enter system view: system-view. Create a QoS profile and enter QoS profile view: qos-profile profile-name (required; if the specified QoS profile already exists, you enter the QoS profile view directly).
  • Page 444: Displaying And Maintaining Qos Profile Configuration

    To do… / Use the command… / Remarks: Configure the dynamic QoS profile application mode. Specify the port-based mode: qos-profile port-based (optional; user-based by default. If the 802.1x authentication mode is MAC-based, the dynamic QoS profile application mode must be configured as user-based). Specify the user-based mode: undo qos-profile port-based...
  • Page 445: Configuration Example

    Configuration Example QoS Profile Configuration Example Network requirements All departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. As shown in Figure 2-1, a user with the user name someone and the authentication password hello is connected to GigabitEthernet 1/0/1 of the switch and belongs to the test.net domain.
  • Page 446 # Configure the switch to delete the user domain name from the user name and then send the user name to the RADIUS server. [Sysname-radius-radius1] user-name-format without-domain [Sysname-radius-radius1] quit # Create the user domain test.net and specify radius1 as its RADIUS server group. [Sysname] domain test.net [Sysname-isp-test.net] radius-scheme radius1 [Sysname-isp-test.net] quit...
  • Page 447 Table of Contents 1 Mirroring Configuration 1-1; Mirroring Overview 1-1; Local Port Mirroring 1-2; Remote Port Mirroring 1-2; MAC-Based Mirroring 1-3; VLAN-Based Mirroring 1-4; Traffic Mirroring 1-4; Mirroring Configuration 1-4; Configuring Local Port Mirroring 1-4; Configuring Remote Port Mirroring...
  • Page 448: Mirroring Configuration

    Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview, Mirroring Configuration, Displaying Port Mirroring, Mirroring Configuration Examples. Mirroring Overview Mirroring duplicates packets from a port to another port connected with a data monitoring device for network monitoring and diagnosis.
  • Page 449: Local Port Mirroring

    Local Port Mirroring In local port mirroring, packets passing through one or more source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same device. Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device.
  • Page 450: Mac-Based Mirroring

    Table 1-1 describes how the ports on various switches are involved in the mirroring operation. Table 1-1 Ports involved in the mirroring operation (columns: Switch, Ports involved, Function): Source port: the port monitored; it copies packets to the reflector port through local port mirroring.
  • Page 451: Qos-Qos Profile

    Packets with the destination MAC address matching the specified MAC address. Compared with port mirroring, MAC-based mirroring is more precise and can be used to monitor the packets of a specific device in the network. VLAN-Based Mirroring With VLAN-based mirroring configured, a device mirrors packets received on all ports in the specified VLAN to the destination port.
  • Page 452: Configuring Remote Port Mirroring

    Configuration procedure Table 1-2 Follow these steps to configure port mirroring: To do… / Use the command… / Remarks: Enter system view: system-view. Create a port mirroring group: mirroring-group group-id local (required). Configure the mirroring port in system view: mirroring-group group-id mirroring-port mirroring-port-list { both | inbound | outbound } (use either approach). Configure...
  • Page 453 The source port, the reflector port, and the remote-probe VLAN are determined. Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. The direction of the packets to be monitored is determined. 2) Configuration procedure Table 1-3 Follow these steps to perform configurations on the source switch: To do…...
  • Page 454 port and cannot be configured with the functions like VLAN-VPN, port loopback detection, port security, and so on. You cannot modify the duplex mode, port rate, and MDI attribute of a reflector port. Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first.
  • Page 455: Configuring Mac-Based Mirroring

    Table 1-5 Follow these steps to configure remote port mirroring on the destination switch: To do… / Use the command… / Remarks: Enter system view: system-view. Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN).
  • Page 456: Configuring Vlan-Based Mirroring

    The MAC address specified for MAC-based mirroring must be a static MAC address existing in the MAC address table. You can configure MAC-based mirroring for a remote source mirroring group to implement the MAC-based remote mirroring function. Configuration prerequisites The MAC address to be matched is determined. The destination port is determined.
  • Page 457: Displaying Port Mirroring

    You can configure VLAN-based mirroring for a remote source mirroring group to implement the VLAN-based remote mirroring function. Configuration prerequisites The VLAN to be monitored is determined. The destination port is determined. Configuration procedure Table 1-7 Follow these steps to configure VLAN-Based mirroring: To do…...
  • Page 458: Mirroring Configuration Examples

    Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through S5100 Ethernet switches: the Research and Development (R&D) department is connected to Switch C through GigabitEthernet 1/0/1; the marketing department is connected to Switch C through GigabitEthernet 1/0/2; the data detection device is connected to Switch C through GigabitEthernet 1/0/3. The administrator wants to monitor the packets received on and sent from the R&D department and the marketing department through the data detection device.
  • Page 459: Remote Port Mirroring Configuration Example

    [Sysname] mirroring-group 1 monitor-port GigabitEthernet 1/0/3 # Display configuration information about local mirroring group 1. [Sysname] display mirroring-group 1 mirroring-group 1: type: local status: active mirroring port: GigabitEthernet1/0/1 both GigabitEthernet1/0/2 both mirroring mac: mirroring vlan: monitor port: GigabitEthernet1/0/3 After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.
  • Page 460: Network Diagram

    Network diagram Figure 1-4 Network diagram for remote port mirroring Configuration procedure 1) Configure the source switch (Switch A) # Create remote source mirroring group 1. <Sysname> system-view [Sysname] mirroring-group 1 remote-source # Configure VLAN 10 as the remote-probe VLAN. [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit...
  • Page 461 GigabitEthernet1/0/2 inbound mirroring mac: mirroring vlan: reflector port: GigabitEthernet1/0/4 remote-probe vlan: 10 2) Configure the intermediate switch (Switch B) # Configure VLAN 10 as the remote-probe VLAN. <Sysname> system-view [Sysname] vlan 10 [Sysname-vlan10] remote-probe vlan enable [Sysname-vlan10] quit # Configure GigabitEthernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port link-type trunk [Sysname-GigabitEthernet1/0/1] port trunk permit vlan 10...
  • Page 462 type: remote-destination status: active monitor port: GigabitEthernet1/0/2 remote-probe vlan: 10 After the configurations, you can monitor all packets sent from Department 1 and 2 on the data detection device. 1-15...
  • Page 463 Table of Contents 1 ARP Configuration 1-1; Introduction to ARP 1-1; ARP Function 1-1; ARP Message Format 1-1; ARP Table 1-3; ARP Process 1-3; Introduction to ARP Attack Detection 1-4; Introduction to Gratuitous ARP 1-5; Configuring ARP 1-5; Configuring ARP Basic Functions 1-5; Configuring ARP Attack Detection 1-6; Configuring Gratuitous ARP 1-7; Displaying and Debugging ARP 1-7...
  • Page 464: Arp Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP ARP Configuration Examples Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
  • Page 465 (Figure: ARP message format; fields shown: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender, IP address of the sender...)
  • Page 466: Arp Table

    (end of the hardware type table, columns Value and Description; entries include IEEE802.X and ARC network) ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 467: Introduction To Arp Attack Detection

    Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A. After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding.
  • Page 468: Introduction To Gratuitous Arp

    the manually configured IP binding table, the switch forwards the ARP packet; if not, the switch discards the ARP packet. With trusted ports configured, ARP packets coming from the trusted ports are not checked, while those from other ports are checked against the DHCP snooping table or the manually configured IP binding table.
  • Page 469: Configuring Arp Attack Detection

    Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically. As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN.
  • Page 470: Configuring Gratuitous Arp

    When most clients acquire IP addresses through DHCP and some clients use static IP addresses, you need to enable DHCP snooping and configure static IP binding entries on the switch. These functions can cooperate with ARP attack detection to check the validity of packets. For more information about DHCP snooping, refer to DHCP Operation in this manual.
  • Page 471: Arp Configuration Examples

    To do… / Use the command… / Remarks: Display the statistics about the untrusted ARP packets dropped by the specified port: display arp detection statistics interface interface-type interface-number. Display the setting of the ARP aging timer: display arp timer aging. Clear specific ARP entries (available in user view): reset arp [ dynamic | static | interface interface-type...
  • Page 472 Network diagram Figure 1-4 ARP attack detection and packet rate limit configuration Configuration procedure # Enable DHCP snooping on Switch A. <SwitchA> system-view [SwitchA] dhcp-snooping # Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port. [SwitchA] interface GigabitEthernet1/0/1 [SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust [SwitchA-GigabitEthernet1/0/1] arp detection trust...
  • Page 473 Table of Contents 1 Stack 1-1; Stack Function Overview 1-1; The Main Switch of a Stack 1-1; The Slave Switches of a Stack 1-1; Creating a Stack 1-1; Main Switch Configuration 1-2; Configuring the IP Address Pool and Creating the Stack 1-2; Switching to Slave Switch View 1-3; Slave Switch Configuration 1-3; Displaying and Debugging a Stack 1-3...
  • Page 474: Stack

    Stack The S5100-SI/EI series can use GE SFP transceivers to establish a stack. Among the S5100-SI/EI series, models with 10GE slots can also establish a stack through 10GE stack ports. Stack Function Overview A stack is a management domain formed by a group of Ethernet switches interconnected through their stack ports.
  • Page 475: Main Switch Configuration

    Connect the intended main switch and slave switches through stack modules and dedicated stack cables. (Refer to H3C S5100 Series Ethernet Switches Installation Manual for the information about stack modules and stack cables.) Configure the IP address pool for the stack and enable the stack function. The main switch then automatically adds the switches connected to its stack ports to the stack.
  • Page 476: Switching To Slave Switch View

    Make sure the IP addresses in the IP address pool of a stack are successive so that they can be assigned successively. For example, the IP addresses in an IP address pool with its start IP address something like 223.255.255.254 are not successive. In this case, errors may occur when adding a switch to the stack.
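    The following check illustrates the "successive addresses" rule above. It is an added example, not code from the manual or from H3C: it expands a pool of the form used by stacking ip-pool (start address plus count) and reports why a pool such as 223.255.255.254 with three addresses cannot be assigned (the third address is 224.0.0.0, a class D address). The requirement that the pool stay inside one /24 is an assumption of this example, not a statement of the manual.

```python
import ipaddress

# Assumption (not from the manual): a stack address pool is expected to stay
# inside one /24 so that the main switch can hand out successive host addresses.
STACK_POOL_PREFIX = 24


def stack_ip_pool(start: str, count: int) -> list:
    """Addresses the main switch would assign, in order, from a pool that
    starts at `start` and holds `count` addresses (e.g. 129.10.1.15 with 3)."""
    base = ipaddress.IPv4Address(start)
    return [str(base + i) for i in range(count)]


def pool_problems(start: str, count: int) -> list:
    """Return human-readable problems with the pool; an empty list means every
    address is a successive, assignable unicast host address."""
    problems = []
    base = ipaddress.IPv4Address(start)
    net = ipaddress.IPv4Network(f"{start}/{STACK_POOL_PREFIX}", strict=False)
    for i in range(count):
        try:
            addr = base + i                        # wraps past 255.255.255.255 -> error
        except ipaddress.AddressValueError:
            problems.append(f"address {i} of the pool is beyond 255.255.255.255")
            break
        if addr.is_multicast:                      # 224.0.0.0/4, class D
            problems.append(f"{addr} is a class D (multicast) address")
        elif addr.is_reserved:                     # 240.0.0.0/4
            problems.append(f"{addr} is a reserved address")
        elif addr not in net:
            problems.append(f"{addr} falls outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # The manual's own pool (129.10.1.15, 3) passes; its counter-example does not.
    for start, count in (("129.10.1.15", 3), ("223.255.255.254", 3)):
        print(start, count, stack_ip_pool(start, count), pool_problems(start, count) or "ok")
```

    Run the check before issuing stacking ip-pool; a non-empty problem list means the main switch will fail when it tries to assign the offending address to a slave.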
  • Page 477: Stack Configuration Example

    Table 1-4 Display and maintain stack configurations. Operation: Display the stack information. Command: display stacking [ members ]. Description: Optional. The display command can be executed in any view. When executed without the members keyword, this command displays the main switch and the number of switches in the stack.
  • Page 478 Configuration procedure
    # Configure the IP address pool for the stack on Switch A.
    <Sysname> system-view
    [Sysname] stacking ip-pool 129.10.1.15 3
    # Create the stack on Switch A.
    [Sysname] stacking enable
    [stack_0.Sysname] quit
    <stack_0.Sysname>
    # Display the information about the stack on Switch A.
    <stack_0.Sysname>...
  • Page 479 # Switch back to Switch A.
    <stack_1.Sysname> quit
    <stack_0.Sysname>
    # Switch to Switch C (a slave switch).
    <stack_0.Sysname> stacking 2
    <stack_2.Sysname>
    # Switch back to Switch A.
    <stack_2.Sysname> quit
    <stack_0.Sysname>...
  • Page 480: Cluster

    Cluster Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through the Huawei group management protocol (HGMP). HGMP version 2 (HGMPv2) is used at present. A switch in a cluster plays one of the following three roles: Management device Member device...
  • Page 481: Roles In A Cluster

    you can configure and manage all the member devices through the management device without the need to log onto them one by one. It provides the topology discovery and display function, which assists in monitoring and maintaining the network. It allows you to configure and upgrade multiple switches at the same time. It enables you to manage your remote devices conveniently regardless of network topology and physical distance.
  • Page 482: How A Cluster Works

    Figure 2-2 State machine of cluster role A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover and determine candidate devices, which can then be added to the cluster through configurations.
  • Page 483 The management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device information collected through NTDP. Introduction to NDP NDP is a protocol used to discover adjacent devices and provide information about them. NDP operates on the data link layer, and therefore it supports different network layer protocols.
  • Page 484 device busy processing the NTDP topology collection responses. To avoid such cases, the following methods can be used to control the NTDP topology collection request advertisement speed. Configuring the devices not to forward the NTDP topology collection request immediately after they receive an NTDP topology collection request.
  • Page 485 To create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines candidate devices through NDP and NTDP, and adds them to the cluster. You can also add candidate devices to a cluster manually. After a candidate device is added to a cluster, the management device assigns a member number and a private IP address (used for cluster management) to it.
  • Page 486 Additionally, on the management device, you can configure the FTP server, TFTP server, logging host and SNMP host to be shared by the whole cluster. When a member device in the cluster communicates with an external server, the member device first transmits data to the management device, which then forwards the data to the external server.
  • Page 487: Cluster Configuration Tasks

    Determine whether the destination MAC address or destination IP address is used to trace a device in the cluster If you use the tracemac command to trace the device by its MAC address, the switch will query its MAC address table according to the MAC address and VLAN ID in the command to find out the port connected with the downstream switch.
  • Page 488: Configuring The Management Device

    Configuration task / Remarks: Configuring the Cluster Synchronization Function; Configuring the Management Device. Management device configuration tasks, Table 2-3 Management device configuration tasks: Enabling NDP globally and on specific ports (Required); Configuring NDP-related parameters (Optional); Enabling NTDP globally and on a specific port (Required); Configuring NTDP-related parameters (Optional)...
  • Page 489 Operation / Command / Description: Enable NDP on specified Ethernet ports. Use either approach: in system view, ndp enable interface port-list; or enter Ethernet port view with interface interface-type interface-number and run ndp enable. By default, NDP is enabled on a port. Configuring NDP-related parameters...
  • Page 490 Operation / Command / Description: Configure the device forward delay of topology collection requests: ntdp timer hop-delay time. Optional; by default, the device forward delay is 200 ms. Configure the port forward delay of topology collection requests: ntdp timer port-delay time. Optional; by default, the port forward delay is 20 ms.
  • Page 491 Operation / Command / Description: Configure a multicast MAC address for the cluster: cluster-mac H-H-H. Required; by default, the cluster multicast MAC address is 0180-C200-000A. Set the interval for the management device to send multicast packets: cluster-mac syn-interval time-interval. Optional; by default, the interval to send multicast packets is one...
  • Page 492: Configuring Member Devices

    Operation / Command / Description: Configure a shared FTP server for the cluster: ftp-server ip-address. Optional; by default, the management device acts as the shared FTP server. Configure a shared TFTP server for the cluster: tftp-server ip-address. Optional; by default, no shared TFTP server is configured.
  • Page 493 Operation / Description: Enabling the cluster function (Required); Accessing the shared FTP/TFTP server from a member device (Optional). To reduce the attack surface that an open socket presents to malicious users and to enhance switch security, the S5100 series Ethernet switches open the cluster socket only when it is needed: UDP port 40000 (used for cluster management) is opened only when the cluster function is enabled, and is closed at the same time the cluster function is disabled.
  • Page 494: Managing A Cluster Through The Management Device

    Enabling NTDP globally and on a specific port. Table 2-15 Enable NTDP globally and on a specific port: Enter system view: system-view. Enable NTDP globally: ntdp enable (Required). Enter Ethernet port view: interface interface-type interface-number. Enable NTDP on the port: ntdp enable (Required). Enabling the cluster function...
  • Page 495: Configuring The Enhanced Cluster Features

    Operation / Command / Description: Add a candidate device to the cluster: add-member [ member-number ] mac-address H-H-H [ password password ] (Optional). Remove a member device from the cluster: delete-member member-number (Optional). Reboot a specified member device: reboot member { member-number | mac-address H-H-H }...
  • Page 496 To ensure stability and security of the cluster, you can use the blacklist to restrict the devices to be added to the cluster. After you add the MAC address of the device that you need to restrict into the cluster blacklist, even if the cluster function is enabled on this device and the device is normally connected to the current cluster, this device cannot join the cluster and participate in the unified management and configuration of the cluster.
  • Page 497: Snmp-Rmon

    Operation / Command / Description: Display the information about all the devices in the base cluster topology: display cluster base-members. Configure cluster device blacklist: Perform the following configuration on the management device. Table 2-21 Configure the cluster device blacklist: Enter system view: system-view...
  • Page 498 NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. A cluster is established, and you can manage the member devices through the management device. Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations: To do…...
  • Page 499 The MIB view name is mib_a, which includes all objects of the subtree org The SNMPv3 user is user_a, which belongs to the group group_a. # Create a community with the name of read_a, allowing read-only access right using this community name.
  • Page 500 snmp-agent community read read_a@cm0
    snmp-agent community write write_a@cm0
    snmp-agent sys-info version all
    snmp-agent group v3 group_a
    snmp-agent mib-view included mib_a org
    snmp-agent usm-user v3 user_a group_a
    undo snmp-agent trap enable standard
    Configuration file content on a member device (only the SNMP-related information is displayed)
    <test_2.Sysname>...
  • Page 501: Displaying And Maintaining Cluster Configuration

    Perform the above operations on the management device of the cluster. Creating a public local user is equal to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations will be saved to the configuration files of the management device and the member devices.
  • Page 502: Cluster Configuration Example

    Cluster Configuration Example Basic Cluster Configuration Example Network requirements Three switches compose a cluster, where: An S5100 series switch serves as the management device. The rest are member devices. Serving as the management device, the S5100 switch manages the two member devices. The configuration for the cluster is as follows: The two member devices connect to the management device through GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3.
  • Page 503 [Sysname-GigabitEthernet1/0/1] ntdp enable
    [Sysname-GigabitEthernet1/0/1] quit
    # Enable the cluster function.
    [Sysname] cluster enable
    Configure the management device
    # Add port GigabitEthernet 1/0/1 to VLAN 2.
    <Sysname> system-view
    [Sysname] vlan 2
    [Sysname-vlan2] port GigabitEthernet 1/0/1
    [Sysname-vlan2] quit
    # Specify VLAN 2 as the management VLAN. Create VLAN-interface 2 and configure the IP address of VLAN-interface 2 as 163.172.55.1.
  • Page 504 # Set the topology collection range to 2 hops.
    [Sysname] ntdp hop 2
    # Set the member device forward delay for topology collection requests to 150 ms.
    [Sysname] ntdp timer hop-delay 150
    # Set the member port forward delay for topology collection requests to 15 ms.
    [Sysname] ntdp timer port-delay 15
    # Set the interval to collect topology information to 3 minutes.
  • Page 505: Enhanced Cluster Feature Configuration Example

    After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view.
  • Page 506 [aaa_0.Sysname] cluster
    # Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
    [aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
    # Back up the current topology.
    [aaa_0.Sysname-cluster] topology accept all save-to local-flash
  • Page 507 Table of Contents: 1 SNMP Configuration (1-1); 1.1 SNMP Overview (1-1); 1.1.1 SNMP Operation Mechanism (1-1); 1.1.2 SNMP Versions (1-1); 1.1.3 Supported MIBs (1-2); 1.2 Configuring Basic SNMP Functions (1-2); 1.3 Configuring Trap-Related Functions (1-4); 1.3.1 Configuring Basic Trap Functions (1-4); 1.3.2 Configuring Extended Trap Function...
  • Page 508: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example 1.1 SNMP Overview The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
  • Page 509: 1.2 Configuring Basic Snmp Functions

    accesses made by SNMP NMS to SNMP agent. You can perform the following community name-related configuration. Specifying MIB view that a community can access. Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permissions can only query the switch information, while those with read-write permission can configure the switch as well.
  • Page 510 Set system information, and specify whether to enable SNMPv1 or SNMPv2c on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. Required. By default, the contact information for system maintenance is "Hangzhou H3C Technologies Co., Ltd.", the system location is "Hangzhou China", and the SNMP version is SNMPv3. Enable only the versions your NMS needs: SNMPv1 and SNMPv2c carry the community name in clear text and offer no message authentication, whereas SNMPv3 authenticates and optionally encrypts each message.
  • Page 511: 1.3 Configuring Trap-Related Functions

    Add a user to an SNMP group: snmp-agent usm-user v3 user-name group-name [ cipher ] [ authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 | aes128 } priv-password ] ] [ acl acl-number ]. Required. Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid }. Optional. This command is used if a password in cipher-text is...
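    The calculate-password step above exists because an SNMPv3 agent never stores or uses the plain-text password directly: RFC 3414 derives a key from the password and then localizes that key to one engine ID, so the same password yields a different key on every device. The example below, added here and not code from the manual or from H3C, implements that standard algorithm (RFC 3414 Appendix A.2) and the HMAC-96 authentication tag built from the localized key; it does not claim to reproduce the display format of the switch's own command. The password and engine ID are the published RFC 3414 test vector.

```python
import hashlib
import hmac

# Published RFC 3414 Appendix A test vector (input is real; used here as sample data).
TEST_PASSWORD = "maplesyrup"
TEST_ENGINE_ID = bytes.fromhex("000000000000000000000002")

# "md5" and "sha" mirror the authentication-mode keywords of the usm-user command.
_HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}


def password_to_ku(password: str, mode: str) -> bytes:
    """Ku (RFC 3414 A.2): digest of the password repeated out to exactly 1 MiB.
    The repetition makes dictionary attacks on captured traffic more expensive."""
    pw = password.encode()
    expanded = (pw * (1048576 // len(pw) + 1))[:1048576]
    return _HASHES[mode](expanded).digest()


def localize(password: str, engine_id: bytes, mode: str) -> bytes:
    """Kul: key localized to one authoritative engine, hash(Ku || engineID || Ku).
    Compromise of one agent's Kul does not reveal the key used on another agent."""
    ku = password_to_ku(password, mode)
    return _HASHES[mode](ku + engine_id + ku).digest()


def auth_params(localized: bytes, mode: str, wire_msg: bytes) -> bytes:
    """msgAuthenticationParameters: first 12 octets of HMAC over the whole message
    (HMAC-MD5-96 / HMAC-SHA-96, RFC 3414 sections 6.3.1 and 7.3.1)."""
    return hmac.new(localized, wire_msg, _HASHES[mode]).digest()[:12]


if __name__ == "__main__":
    for mode in ("md5", "sha"):
        kul = localize(TEST_PASSWORD, TEST_ENGINE_ID, mode)
        print(mode, "localized key:", kul.hex())
    # Same password, different engine ID: different key.
    other = localize(TEST_PASSWORD, bytes.fromhex("000000000000000000000003"), "md5")
    print("different engine ->", other.hex())
```

    The localized key is what a cipher-text password on the switch protects; when an engine ID changes (for example after a device replacement) the users must be re-keyed, which is why the command offers specified-engineid in addition to local-engineid.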
  • Page 512: 1.3.2 Configuring Extended Trap Function

    Enable the switch to send traps to the NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]. Enter port view or interface view: interface interface-type interface-number (Optional). Enable the port to send traps: enable snmp trap updown. Optional; by default, a port is enabled to send all types of traps.
  • Page 513: 1.5 Displaying Snmp

    Note: When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. With the output destinations of the information center set, the output destinations of SNMP logs will be decided. The severity level of SNMP logs is informational, that is, the logs are taken as general prompt information of the device.
  • Page 514 2. Network diagram: Figure 1-2 Network diagram for SNMP configuration
    3. Configuration procedure
    # Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.
    <Sysname> system-view
    [Sysname] snmp-agent
    [Sysname] snmp-agent sys-info version all
    [Sysname] snmp-agent community read public
    [Sysname] snmp-agent community write private
    (public and private are the well-known default community names; on a production switch use unique names and restrict them with an ACL.)
    # Set the access right of the NMS to the MIB of the SNMP agent.
  • Page 515 4. Configuring the NMS The S5100-SI/EI series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on.
  • Page 516: Rmon Configuration

    (instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group. An H3C S5100-SI/EI Ethernet switch implements RMON in the second way. With an embedded RMON agent, an S5100-SI/EI Ethernet switch can serve as a network device with the RMON...
  • Page 517: 2.1.2 Commonly Used Rmon Groups

    probe function. Through the RMON-capable SNMP agents running on the Ethernet switch, an NMS can obtain the information about the total traffic, error statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
  • Page 518: 2.2 Rmon Configuration

    With the history data management function, you can configure network devices to collect history data, sample and store data of a specific port periodically. 5. Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created.
  • Page 519: 2.3 Displaying Rmon

    Note: The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 520 # Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
    [Sysname] rmon event 1 log
    [Sysname] rmon event 2 trap 10.21.30.55
    # Add an entry numbered 2 to the extended alarm table so that the system calculates the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), that is, the total number of undersize and oversize packets received by GigabitEthernet 1/0/1 that are otherwise correctly formed, and samples it every 10 seconds.
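    The alarm above only fires usefully because of RMON's arming rule: once a rising event has fired, no second rising event fires until the variable has dropped to the falling threshold, so a port that stays saturated with runts does not generate a log or trap every 10 seconds. The following evaluator, an added example and not code from the manual or the switch, implements that rule (RFC 2819 alarm semantics) over the page's undersize+oversize expression with delta sampling. The thresholds (rising 50, falling 5) and the counter snapshots are constructed for the example; the page's own thresholds are not shown. Event numbers follow the page: 1 = log, 2 = trap.

```python
# OIDs from the extended-alarm example on the page (etherStatsEntry, RFC 2819).
UNDERSIZE = ".1.3.6.1.2.1.16.1.1.1.9.1"
OVERSIZE = ".1.3.6.1.2.1.16.1.1.1.10.1"

# Constructed thresholds: the page's values are cut off, these are illustrative.
RISING_THRESHOLD = 50
FALLING_THRESHOLD = 5
RISING_EVENT = 1      # rmon event 1 log
FALLING_EVENT = 2     # rmon event 2 trap 10.21.30.55


class RmonAlarm:
    """Rising/falling threshold alarm with RMON arming semantics: after a rising
    event no further rising event fires until a falling event has fired, and
    vice versa. Both directions are armed at startup (risingOrFallingAlarm)."""

    def __init__(self, expression, sample_type, rising, falling, rising_event, falling_event):
        self.expression = expression      # callable: counters dict -> number
        self.sample_type = sample_type    # "absolute" or "delta"
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.last_raw = None              # previous raw value (delta sampling)
        self.last_value = None            # previous evaluated sample
        self.armed_rising = True
        self.armed_falling = True

    def sample(self, counters):
        """Evaluate one sampling interval; return the event number fired or None."""
        raw = self.expression(counters)
        if self.sample_type == "delta":
            if self.last_raw is None:     # first delta needs two raw samples
                self.last_raw = raw
                return None
            value, self.last_raw = raw - self.last_raw, raw
        else:
            value = raw
        event = None
        crossed_up = self.last_value is None or self.last_value < self.rising
        crossed_down = self.last_value is None or self.last_value > self.falling
        if self.armed_rising and value >= self.rising and crossed_up:
            event = self.rising_event
            self.armed_rising, self.armed_falling = False, True
        elif self.armed_falling and value <= self.falling and crossed_down:
            event = self.falling_event
            self.armed_falling, self.armed_rising = False, True
        self.last_value = value
        return event


def run_alarm(alarm, snapshots):
    """Feed successive counter snapshots; return [(snapshot index, event fired)]."""
    fired = []
    for i, counters in enumerate(snapshots):
        event = alarm.sample(counters)
        if event is not None:
            fired.append((i, event))
    return fired


# Constructed 10-second counter snapshots (cumulative undersize, oversize):
# deltas are 10, 80, 90, 3, 70 -> rising, suppressed, falling, rising again.
SAMPLES = [
    {UNDERSIZE: 0, OVERSIZE: 0},
    {UNDERSIZE: 4, OVERSIZE: 6},
    {UNDERSIZE: 40, OVERSIZE: 50},
    {UNDERSIZE: 85, OVERSIZE: 95},
    {UNDERSIZE: 86, OVERSIZE: 97},
    {UNDERSIZE: 120, OVERSIZE: 133},
]


def demo():
    alarm = RmonAlarm(lambda c: c[UNDERSIZE] + c[OVERSIZE], "delta",
                      RISING_THRESHOLD, FALLING_THRESHOLD, RISING_EVENT, FALLING_EVENT)
    return run_alarm(alarm, SAMPLES)


if __name__ == "__main__":
    print(demo())
```

    Snapshot 3 (delta 90) stays above the rising threshold but produces nothing; only after the delta falls to 3 and the trap fires does the next burst of malformed frames log again.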
  • Page 521 Table of Contents: 1 Multicast Overview (1-1); Multicast Overview (1-1); Information Transmission in the Unicast Mode (1-1); Information Transmission in the Broadcast Mode (1-2); Information Transmission in the Multicast Mode (1-2); Roles in Multicast (1-3); Common Notations in Multicast (1-4); Advantages and Applications of Multicast (1-4); Multicast Models (1-5); Multicast Architecture (1-5); Multicast Protocols (1-9)...
  • Page 523: Multicast Overview

    Multicast Overview Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auctions, video on demand (VoD), and tele-education have come into being.
  • Page 524: Information Transmission In The Broadcast Mode

    Information Transmission in the Broadcast Mode When you broadcast traffic, the system transmits information to all users on a network. Any user on the network can receive the information, whether it is needed or not. Figure 1-2 shows information transmission in broadcast mode.
  • Page 525: Roles In Multicast

    Figure 1-3 Information transmission in the multicast mode (the figure shows Server as the source, Host A through Host E, and packets for the multicast group reaching the receivers Host B, Host D and Host E). Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set.
  • Page 526: Common Notations In Multicast

    Table 1-1 An analogy between TV transmission and multicast transmission. Step 1: TV transmission, a TV station transmits a TV program through a television channel; multicast transmission, a multicast source sends multicast data to a multicast group. Step 2: TV transmission, a user tunes the TV set to the channel; multicast transmission, a receiver joins the multicast group.
  • Page 527: Multicast Models

    Database and financial applications (stock), and so on. Any point-to-multiple-point data application. Multicast Models Based on the multicast source processing modes, there are three multicast models: Any-Source Multicast (ASM) Source-Filtered Multicast (SFM) Source-Specific Multicast (SSM) ASM model In the ASM model, any sender can become a multicast source and send information to a multicast group;...
  • Page 528 Addressing mechanism: Information is sent from a multicast source to a group of receivers through multicast addresses. Host registration: A receiving host joins and leaves a multicast group dynamically using the membership registration mechanism. Multicast routing: A router or switch transports packets from a multicast source to receivers by building a multicast distribution tree with multicast routes.
  • Page 529 Table 1-2 Range and description of Class D IP addresses. 224.0.0.0 to 224.0.0.255: Reserved multicast addresses (IP addresses for permanent multicast groups). The IP address 224.0.0.0 is reserved. Other IP addresses in this range can be used by routing protocols.
  • Page 530 Like having reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the network segment 239.0.0.0/8 for multicast. These are administratively scoped addresses. With the administratively scoped addresses, you can define the range of multicast domains flexibly to isolate IP addresses between different multicast domains, so that the same multicast address can be used in different multicast domains without causing collisions.
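    A Layer 2 switch forwards multicast by MAC address, and the mapping from a class D IP address to its Ethernet group address (RFC 1112) keeps only the low-order 23 bits, so 32 different groups share one MAC (this is what the "ip group(s) match to one mac group" line in display igmp-snooping group output refers to). The example below, added here and not code from the manual or from H3C, performs the mapping in the switch's H-H-H notation, lists the aliases, classifies an address into the ranges of Table 1-2, and reports collisions in a set of groups. Administrators choosing 239.0.0.0/8 group numbers should avoid pairs that alias, otherwise hosts receive traffic for groups they never joined.

```python
import ipaddress

RESERVED_LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")   # Table 1-2, reserved
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")           # administratively scoped


def ip_to_multicast_mac(ip: str) -> str:
    """01-00-5E plus the low-order 23 bits of the group address (RFC 1112 6.4),
    returned in the H-H-H form used by the switch CLI."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a class D address")
    mac = 0x01005E000000 | (int(addr) & 0x7FFFFF)
    return "%04x-%04x-%04x" % (mac >> 32, (mac >> 16) & 0xFFFF, mac & 0xFFFF)


def mac_aliases(ip: str) -> list:
    """The 32 IPv4 groups that map to the same MAC: the five bits between the
    fixed 1110 prefix and the 23 mapped bits are discarded by the mapping."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def address_scope(ip: str) -> str:
    """Classify a group address by the ranges of Table 1-2."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a class D address")
    if addr in RESERVED_LINK_LOCAL:
        return "reserved"
    if addr in ADMIN_SCOPED:
        return "administratively scoped"
    return "globally scoped"


def mac_collisions(groups: list) -> dict:
    """Map each MAC shared by more than one group to the colliding groups."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(ip_to_multicast_mac(g), []).append(g)
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    # Constructed group list: 224.1.1.1 and 239.129.1.1 alias to 0100-5e01-0101.
    groups = ["224.1.1.1", "239.129.1.1", "239.1.2.3", "224.0.0.5"]
    for g in groups:
        print(g, ip_to_multicast_mac(g), address_scope(g))
    print("collisions:", mac_collisions(groups))
```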
  • Page 531: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 532: Multicast Packet Forwarding Mechanism

    An intra-domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system (AS) so as to deliver multicast data to receivers. Among a variety of mature intra-domain multicast routing protocols, protocol independent multicast (PIM) is a popular one.
  • Page 533: Implementation Of The Rpf Mechanism

    need to forward multicast packets received on one incoming interface to multiple outgoing interfaces. Compared with a unicast model, a multicast model is more complex in the following aspects. In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast.
  • Page 534 corresponding routing entry is the RPF interface and the next hop is the RPF neighbor. The router considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7.
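    The RPF check described above can be expressed as a longest-prefix lookup followed by an interface comparison. The example below is added here and is not code from the manual or from H3C; its routing table, interface names and next hops are constructed. It looks up the source address of a multicast packet in a unicast table, treats the matched outgoing interface as the RPF interface, and replicates the packet to the outgoing interface list only when the packet arrived on that interface. A packet that fails the check is dropped, which is what stops a loop from re-injecting the same multicast stream through a second path.

```python
import ipaddress

# Constructed unicast routing table: (destination prefix, outgoing interface, next hop).
UNICAST_ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet1/0/1", "10.0.1.1"),
    ("192.168.0.0/16", "GigabitEthernet1/0/3", "10.0.3.1"),
    ("192.168.0.0/24", "GigabitEthernet1/0/2", "10.0.2.1"),
]


def lookup_route(routes, dst: str):
    """Longest-prefix match; returns (outgoing interface, next hop) or None."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, iface, nexthop in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    return None if best is None else (best[1], best[2])


def rpf_check(routes, source: str, in_iface: str):
    """Return (passed, rpf_interface, rpf_neighbor). The packet passes when the
    interface it arrived on is the one the route back to the source leaves by;
    the next hop of that route is the RPF neighbor."""
    route = lookup_route(routes, source)
    if route is None:
        return (False, None, None)
    rpf_iface, rpf_neighbor = route
    return (rpf_iface == in_iface, rpf_iface, rpf_neighbor)


def forward_multicast(routes, source: str, in_iface: str, outgoing: list) -> list:
    """Interfaces the packet is replicated to: the outgoing interface list minus
    the incoming interface if RPF passes; an empty list (drop) if it fails."""
    passed, _, _ = rpf_check(routes, source, in_iface)
    return [i for i in outgoing if i != in_iface] if passed else []


if __name__ == "__main__":
    src = "192.168.0.10"
    for arrived_on in ("GigabitEthernet1/0/2", "GigabitEthernet1/0/3"):
        print(arrived_on, rpf_check(UNICAST_ROUTES, src, arrived_on))
```

    Note that the /24 route wins over the /16 for 192.168.0.10, so a copy of the stream arriving on GigabitEthernet1/0/3 is discarded even though a route to the source exists through that interface.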
  • Page 535: Igmp Snooping Configuration

    IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 536: Work Mechanism Of Igmp Snooping

    Figure 2-2 IGMP Snooping related ports (labels recovered from the figure: Router A, Switch A with Eth1/0/1 to Eth1/0/3, Switch B with Eth1/0/1 and Eth1/0/2, a Source, receiver hosts Host A through Host D; legend: router port, member port, multicast packets). Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows: Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the...
  • Page 537 When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet. Upon receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port: If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port.
  • Page 538: Igmp Snooping Configuration

    immediately delete the forwarding entry corresponding to that port from the forwarding table; instead, it resets the aging timer of the member port. Upon receiving the IGMP leave message from a host, the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group-specific query to that multicast group through the port that received the leave message.
  • Page 539: Enabling Igmp Snooping

    Enabling IGMP Snooping. Table 2-3 Enable IGMP Snooping: Enter system view: system-view. Enable IGMP Snooping globally: igmp-snooping enable (Required; by default, IGMP Snooping is disabled globally). Enter VLAN view: vlan vlan-id. Enable IGMP Snooping in the VLAN: igmp-snooping enable (Required; by default, IGMP Snooping is...
  • Page 540: Configuring Timers

    Before configuring related IGMP Snooping functions, you must enable IGMP Snooping in the specified VLAN. Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group.
  • Page 541: Configuring A Multicast Group Filter

    Enabling fast leave processing in Ethernet port view. Table 2-7 Enable fast leave processing in Ethernet port view: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable fast leave processing for specific VLANs: igmp-snooping fast-leave [ vlan vlan-list ] (Required; by default, the fast leave...
  • Page 542: Configuring The Maximum Number Of Multicast Groups On A Port

    Configuring a multicast group filter in Ethernet port view. Table 2-9 Configure a multicast group filter in Ethernet port view: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure a multicast group filter: igmp-snooping group-policy (Optional; no group filter is configured by...
  • Page 543: Configuring Igmp Querier

    To prevent bursting traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
  • Page 544: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Suppressing Flooding of Unknown Multicast Traffic in a VLAN With IGMP Snooping enabled in a VLAN, multicast traffic for unknown multicast groups is flooded within the VLAN by default. This wastes network bandwidth and affects multicast forwarding efficiency. With the unknown multicast flooding suppression function enabled, when receiving a multicast packet for an unknown multicast group, an IGMP Snooping switch creates a nonflooding entry and relays the packet to router ports only, instead of flooding the packet within the VLAN.
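    The behaviour described in the work-mechanism passage, the maximum-groups limit and the unknown-multicast suppression above can be tied together in one model. The following class is an added example, not code from the manual or from H3C: it keeps the router-port and member-port tables of one VLAN with aging timers, learns from general queries, reports and leaves, evicts the oldest group when the configured limit is exceeded, and decides the output ports for a data frame. The timer values, the shortened timer applied after a leave without fast-leave, and the port names are assumptions of this example.

```python
ROUTER_PORT_AGING = 105    # seconds; assumed, not the switch's documented default
MEMBER_PORT_AGING = 260    # seconds; assumed
LAST_MEMBER_AGING = 1      # seconds; assumed: grace period after a leave while the
                           # querier's group-specific query goes unanswered


class IgmpSnoopingVlan:
    """IGMP Snooping forwarding state for one VLAN."""

    def __init__(self, vlan_id, ports, max_groups=None, fast_leave_ports=(), suppress_unknown=False):
        self.vlan_id = vlan_id
        self.ports = list(ports)
        self.max_groups = max_groups
        self.fast_leave_ports = set(fast_leave_ports)
        self.suppress_unknown = suppress_unknown
        self.router_ports = {}          # port -> expiry timestamp
        self.groups = {}                # group -> {port: expiry}; key order = creation order

    def _expire(self, now):
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for g in list(self.groups):
            self.groups[g] = {p: t for p, t in self.groups[g].items() if t > now}
            if not self.groups[g]:
                del self.groups[g]

    def on_general_query(self, port, now):
        """Query from the querier: (re)learn `port` as a dynamic router port and
        forward the query out of every other port in the VLAN."""
        self._expire(now)
        self.router_ports[port] = now + ROUTER_PORT_AGING
        return [p for p in self.ports if p != port]

    def on_report(self, port, group, now):
        """Membership report: add/refresh `port` as a member port of `group`,
        evicting the oldest group if the limit is reached; relay to router ports."""
        self._expire(now)
        if group not in self.groups:
            if self.max_groups is not None and len(self.groups) >= self.max_groups:
                del self.groups[next(iter(self.groups))]   # oldest entry first
            self.groups[group] = {}
        self.groups[group][port] = now + MEMBER_PORT_AGING
        return [p for p in self.router_ports if p != port]

    def on_leave(self, port, group, now):
        """Leave: drop the port at once on a fast-leave port, otherwise keep it
        for a short grace period instead of deleting the entry immediately."""
        self._expire(now)
        members = self.groups.get(group)
        if members is None or port not in members:
            return []
        if port in self.fast_leave_ports:
            del members[port]
            if not members:
                del self.groups[group]
        else:
            members[port] = now + LAST_MEMBER_AGING
        return [p for p in self.router_ports if p != port]

    def forward_ports(self, group, in_port, now):
        """Ports a data frame for `group` arriving on `in_port` is sent to."""
        self._expire(now)
        if group in self.groups:
            out = set(self.groups[group]) | set(self.router_ports)
        elif self.suppress_unknown:
            out = set(self.router_ports)              # nonflooding entry
        else:
            out = set(self.ports)                     # flooded within the VLAN
        out.discard(in_port)
        return sorted(out)


if __name__ == "__main__":
    v = IgmpSnoopingVlan(100, ["GE1/0/1", "GE1/0/2", "GE1/0/3", "GE1/0/4"])
    v.on_general_query("GE1/0/1", 0)                  # querier behind GE1/0/1
    v.on_report("GE1/0/3", "224.1.1.1", 1)            # host on GE1/0/3 joins
    print(v.forward_ports("224.1.1.1", "GE1/0/1", 2))  # ['GE1/0/3']
    print(v.forward_ports("224.5.5.5", "GE1/0/4", 2))  # unknown group: flooded
```

    Enabling suppress_unknown is the knob that stops an attacker or a misconfigured host from using an unregistered group to flood every port in the VLAN; the same model shows why the max-groups limit is a denial-of-service control, since a host that sends reports for thousands of groups would otherwise push legitimate entries out of the table.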
  • Page 545: Configuring A Static Router Port

    Operation / Command / Remarks: Enter VLAN interface view: interface vlan-interface interface-number. Configure specified port(s) as static member port(s) of a multicast group in the VLAN: multicast static-group group-address interface interface-list (Required; by default, no port is configured as a static multicast group member port).
  • Page 546: Configuring A Vlan Tag For Query Messages

    When an Ethernet port is configured as a simulated member host, the switch sends an IGMP report through this port. Meanwhile, the switch sends the same IGMP report to itself and establishes a corresponding IGMP entry based on this report. When receiving an IGMP general query, the simulated host responds with an IGMP report.
  • Page 547: Configuring Multicast Vlan

    Operation / Command / Remarks: Configure a VLAN tag for query messages: igmp-snooping vlan-mapping vlan vlan-id. Required. By default, no VLAN tag is configured for general and group-specific query messages sent or forwarded by IGMP Snooping. It is not recommended to configure this function while the multicast VLAN function is in effect. Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers.
  • Page 548 Operation / Command / Remarks: Specify the VLANs allowed to pass through the Ethernet port: port hybrid vlan vlan-id-list { tagged | untagged }, or port trunk permit vlan vlan-list. Required. The multicast VLAN defined on the Layer 2 switch must be included, and the port must be configured to forward tagged...
  • Page 549: Displaying And Maintaining Igmp Snooping

    One port can belong to only one multicast VLAN. The port connected to a user terminal must be a hybrid port. The multicast member ports must be in the same VLAN with the router port. Otherwise, the multicast member port cannot receive multicast packets. If a router port is in a multicast VLAN, the router port must be configured as a trunk port or a hybrid port that allows tagged packets to pass for the multicast VLAN.
  • Page 550 Network diagram: Figure 2-3 Network diagram for IGMP Snooping configuration (labels recovered from the figure: Source; Router A as the IGMP querier; Switch A; VLAN 100; ports GE1/0/1 to GE1/0/4; addresses 1.1.1.1/24, 1.1.1.2/24 and 10.1.1.1/24; receivers Host A, Host B and Host C; multicast packets). Configuration procedure: Configure the IP address of each interface. Configure an IP address and subnet mask for each interface as per Figure 2-3.
  • Page 551: Configuring Multicast Vlan

    <SwitchA> display igmp-snooping group vlan100
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Vlan(id):100.
    Total 1 IP Group(s).
    Total 1 MAC Group(s).
    Static Router port(s):
    Dynamic Router port(s):
    GigabitEthernet1/0/1
    IP group(s):the following ip group(s) match to one mac group.
    IP group address: 224.1.1.1
    Static host port(s):
    Dynamic host port(s):
    GigabitEthernet1/0/3...
  • Page 552 Device / Device description / Networking description: Switch B, Layer 2 switch. VLAN 2 contains GigabitEthernet 1/0/1 and VLAN 3 contains GigabitEthernet 1/0/2. The default VLANs of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are VLAN 2 and VLAN 3 respectively. VLAN 10 contains GigabitEthernet 1/0/10, GigabitEthernet 1/0/1, and GigabitEthernet 1/0/2.
  • Page 553 [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0 [SwitchA-Vlan-interface20] pim dm [SwitchA-Vlan-interface20] quit # Configure VLAN 10. [SwitchA] vlan 10 [SwitchA-vlan10] quit # Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 10, and configure the port to forward tagged packets for VLAN 10. [SwitchA] interface GigabitEthernet 1/0/10 [SwitchA-GigabitEthernet1/0/10] port link-type hybrid [SwitchA-GigabitEthernet1/0/10] port hybrid vlan 10 tagged...
  • Page 554: Troubleshooting Igmp Snooping

    [SwitchB-GigabitEthernet1/0/2] quit
    Troubleshooting IGMP Snooping
    Symptom: Multicast function does not work on the switch.
    Solution: Possible reasons are:
    IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time.
  • Page 555: Common Multicast Configuration

    Common Multicast Configuration
    Configuring a Multicast MAC Address Entry
    In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol. Alternatively, you can statically bind a port to a multicast MAC address entry by configuring a multicast MAC address entry manually.
  • Page 556: Displaying Common Multicast Configuration

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 557 Table of Contents
    1 NTP Configuration 1-1
    Introduction to NTP 1-1
    Applications of NTP 1-1
    Implementation Principle of NTP 1-2
    NTP Implementation Modes 1-4
    NTP Configuration Task List 1-6
    Configuring NTP Implementation Modes 1-6
    Configuring NTP Server/Client Mode 1-7
    Configuring the NTP Symmetric Peer Mode 1-7
    Configuring NTP Broadcast Mode 1-8
    Configuring NTP Multicast Mode 1-9
    Configuring Access Control Right 1-10...
  • Page 558: NTP Configuration

    NTP Configuration
    When configuring NTP, go to these sections for information you are interested in:
    Introduction to NTP
    NTP Configuration Task List
    Configuring NTP Implementation Modes
    Configuring Access Control Right
    Configuring NTP Authentication
    Configuring Optional NTP Parameters
    Displaying NTP Configuration
    Configuration Examples
    Introduction to NTP
    Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
  • Page 559: Implementation Principle Of NTP

    Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
    Supporting access control (see section Configuring Access Control Right) and MD5 encrypted authentication (see section Configuring NTP Authentication)
    Sending protocol packets in unicast, multicast, or broadcast mode
    The clock stratum determines the accuracy, which ranges from 1 to 16.
  • Page 560 Figure 1-1 Implementation principle of NTP (figure: an NTP message exchanged in four steps between Device A and Device B across an IP network, with the timestamps 10:00:00 am, 11:00:01 am and 11:00:02 am and the message received at 10:00:03 am)...
  • Page 561: NTP Implementation Modes

    NTP Implementation Modes
    According to the network structure and the position of the local Ethernet switch in the network, the local Ethernet switch can work in multiple NTP modes to synchronize the clock.
    Server/client mode
    Figure 1-2 Server/client mode
    Symmetric peer mode
    Figure 1-3 Symmetric peer mode (active peer and passive peer)...
  • Page 562 Figure 1-4 Broadcast mode
    Multicast mode
    Figure 1-5 Multicast mode
    Table 1-1 describes how the above mentioned NTP modes are implemented on H3C S5100-SI/EI series Ethernet switches.
    Table 1-1 NTP implementation modes on H3C S5100-SI/EI series Ethernet switches: NTP implementation mode...
  • Page 563: NTP Configuration Task List

    NTP messages through the VLAN interface configured on the switch. When an H3C S5100-SI/EI Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; perform them on the client or the symmetric-active peer instead.
  • Page 564: Configuring NTP Server/Client Mode

    UDP port 123 is opened only when the NTP feature is enabled. UDP port 123 is closed as the NTP feature is disabled. These functions are implemented as follows: Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
  • Page 565: Configuring NTP Broadcast Mode

    255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5100-SI/EI series Ethernet switch can work as a broadcast server or a broadcast client. Refer to...
  • Page 566: Configuring NTP Multicast Mode

    NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S5100-SI/EI series Ethernet switch can work as a multicast server or a multicast client. Refer to Configuring a switch to work in the multicast server mode for configuring a switch to work in the NTP multicast server mode.
  • Page 567: Configuring Access Control Right

    A multicast server can synchronize multicast clients only after its clock has been synchronized. An S5100-SI/EI series switch working in the multicast server mode supports up to 1,024 multicast clients. Configuring a switch to work in the multicast server mode Follow these steps to configure a switch to work in the NTP multicast server mode: To do…...
  • Page 568: Configuration Prerequisites

    From the highest NTP service access-control right to the lowest one are peer, server, synchronization, and query. When a device receives an NTP request, it will perform an access-control right match in this order and use the first matched right. Configuration Prerequisites Prior to configuring the NTP service access-control right to the local switch for peer devices, you need to create and configure an ACL associated with the access-control right.
  • Page 569: Configuration Prerequisites

    Configuration Prerequisites
    NTP authentication configuration involves:
    Configuring NTP authentication on the client
    Configuring NTP authentication on the server
    Observe the following principles when configuring NTP authentication:
    If the NTP authentication function is not enabled on the client, the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server (assuming that other related configurations are properly performed).
  • Page 570 NTP authentication requires that the authentication keys configured for the server and the client be the same. Besides, the authentication keys must be trusted keys. Otherwise, the clock of the client cannot be synchronized with that of the server. Configuring NTP authentication on the server Follow these steps to configure NTP authentication on the server: To do…...
  • Page 571: Configuring Optional NTP Parameters

    The procedure for configuring NTP authentication on the server is the same as that on the client. Besides, the client and the server must be configured with the same authentication key. In NTP server mode and NTP peer mode, you need to associate the specified key with the corresponding NTP server (symmetric-active peer) on the client (symmetric-passive peer).
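    The key rules above (same key on both sides, and the key must be a trusted key) can be checked against a small model of the RFC 1305 MD5 authenticator. This is an added example written for this page, not H3C code; it reuses the key ID 42 and key aNiceKey from the manual's server/client authentication example, and the packet-building helpers and case names are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Constructed example of the RFC 1305 NTP MD5 authenticator (added here, not H3C's code).
# Key ID 42 / key "aNiceKey" are the values used in the manual's authentication example.
NTP_HEADER_LEN = 48
KEY_ID_LEN = 4
DIGEST_LEN = 16

MODE_CLIENT = 3
MODE_SERVER = 4


def build_ntp_header(mode: int, stratum: int = 0, transmit_ts: int = 0) -> bytes:
    """Build a minimal 48-byte NTPv3 header (LI=0, VN=3) with the given association mode."""
    li_vn_mode = (0 << 6) | (3 << 3) | (mode & 0x7)
    header = struct.pack("!BBBb", li_vn_mode, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II4s", 0, 0, b"\x00" * 4)           # root delay, root dispersion, reference ID
    header += struct.pack("!QQQQ", 0, 0, 0, transmit_ts)       # reference/originate/receive/transmit timestamps
    assert len(header) == NTP_HEADER_LEN
    return header


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator: a 32-bit key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, keys: dict, trusted_key_ids: set) -> tuple:
    """Check a received packet the way an authenticating peer must.

    keys maps key ID -> key bytes configured on this device; trusted_key_ids holds the
    key IDs declared trusted. Returns (accepted, reason).
    """
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet rejected: authentication is enabled"
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, "malformed authenticator"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received_digest = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    if key_id not in keys:
        return False, "unknown key ID %d" % key_id
    if key_id not in trusted_key_ids:
        return False, "key ID %d is configured but not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, received_digest):  # constant-time comparison
        return False, "digest mismatch: keys on client and server differ"
    return True, "ok"


def demo() -> dict:
    """Walk through the cases the manual describes and return each outcome."""
    request = authenticate(build_ntp_header(MODE_CLIENT, transmit_ts=0x0123456789ABCDEF), 42, b"aNiceKey")
    return {
        "same_trusted_key": verify(request, {42: b"aNiceKey"}, {42}),   # accepted
        "key_not_trusted": verify(request, {42: b"aNiceKey"}, set()),   # rejected: not a trusted key
        "different_key": verify(request, {42: b"otherKey"}, {42}),      # rejected: keys differ
        "no_authenticator": verify(build_ntp_header(MODE_CLIENT), {42: b"aNiceKey"}, {42}),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print("%-18s accepted=%s (%s)" % (case, accepted, reason))
```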
  • Page 572: Displaying NTP Configuration

    In the server/client mode, for example, when you carry out a command to synchronize the time to a server, the system will create a static association, and the server will just respond passively upon the receipt of a message, rather than creating an association (static or dynamic). In the symmetric mode, static associations will be created at the symmetric-active peer side, and dynamic associations will be created at the symmetric-passive peer side;...
  • Page 573: Configuration Examples

    Configuration Examples
    Configuring NTP Server/Client Mode
    Network requirements
    The local clock of Device A (a switch) is to be used as a master clock, with the stratum level of 2. Device A is used as the NTP server of Device B (an S5100-SI/EI Ethernet switch). Configure Device B to work in the client mode, and then Device A will automatically work in the server mode.
  • Page 574: Configuring NTP Symmetric Peer Mode

    Root delay: 27.47 ms
    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
    # View the information about NTP sessions of Device B.
  • Page 575: Configuring NTP Broadcast Mode

    # Enter system view.
    <DeviceB> system-view
    # Set Device C as the peer of Device B.
    [DeviceB] ntp-service unicast-peer 3.0.1.33
    Device C and Device B are symmetric peers after the above configuration. Device B works in symmetric active mode, while Device C works in symmetric passive mode. Because the stratum level of the local clock of Device B is 1, and that of Device C is 3, the clock of Device C is synchronized to that of Device B.
    # View the status of Device C after the clock synchronization.
  • Page 576 Network diagram: Figure 1-8 Network diagram for the NTP broadcast mode configuration (figure labels: Device A, Device B, Device C, Device D; Vlan-int2 addresses 3.0.1.31/24, 1.0.1.31/24 and 3.0.1.32/24)
    Configuration procedure
    Configure Device C.
    # Enter system view.
    <DeviceC> system-view
    # Set Device C as the broadcast server, which sends broadcast messages through VLAN-interface 2.
    [DeviceC] interface Vlan-interface 2
    [DeviceC-Vlan-interface2] ntp-service broadcast-server
    Configure Device A.
  • Page 577: Configuring NTP Multicast Mode

    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The output information indicates that Device D is synchronized to Device C, with the clock stratum level of 3, one level lower than that of Device C.
    # View the information about the NTP sessions of Device D and you can see that a connection is established between Device D and Device C.
  • Page 578: Configuring NTP Server/Client Mode With Authentication

    [DeviceC] interface Vlan-interface 2
    [DeviceC-Vlan-interface2] ntp-service multicast-server
    Configure Device A (perform the same configuration on Device D).
    # Enter system view.
    <DeviceA> system-view
    # Set Device A as a multicast client to listen to multicast messages through VLAN-interface 2.
    [DeviceA] interface Vlan-interface 2
    [DeviceA-Vlan-interface2] ntp-service multicast-client
    After the above configurations, Device A and Device D respectively listen to multicast messages through their own VLAN-interface 2, and Device C advertises multicast messages through...
  • Page 579 Network diagram: Figure 1-10 Network diagram for NTP server/client mode with authentication configuration
    Configuration procedure
    Configure Device B.
    # Enter system view.
    <DeviceB> system-view
    # Set Device A as the NTP server.
    [DeviceB] ntp-service unicast-server 1.0.1.11
    # Enable the NTP authentication function.
    [DeviceB] ntp-service authentication enable
    # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
  • Page 580
    Clock offset: 0.66 ms
    Root delay: 27.47 ms
    Root dispersion: 208.39 ms
    Peer dispersion: 9.63 ms
    Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
    The output information indicates that the clock of Device B is synchronized to that of Device A, with a clock stratum level of 3, one stratum level lower than that of Device A.
  • Page 581 Table of Contents
    1 SSH Configuration 1-1
    SSH Overview 1-1
    Introduction to SSH 1-1
    Algorithm and Key 1-1
    SSH Operating Process 1-2
    SSH Server and Client 1-4
    Configuring the SSH Server 1-5
    1.1.1 Configuring the User Interfaces for SSH Clients 1-6
    Configuring the SSH Management Functions 1-7
    Configuring the SSH Server to Be Compatible with SSH1 Clients 1-8
    Configuring Key Pairs 1-8
    Creating an SSH User and Specifying an Authentication Type 1-9...
  • Page 582: SSH Configuration

    SSH Configuration
    When configuring SSH, go to these sections for information you are interested in:
    SSH Overview
    SSH Server and Client
    Displaying and Maintaining SSH Configuration
    Comparison of SSH Commands with the Same Functions
    SSH Configuration Examples
    SSH Overview
    Introduction to SSH
    Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing for secure access to the Command Line Interface (CLI) of a switch for configuration and management.
  • Page 583: SSH Operating Process

    The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
    Asymmetric key algorithm
    Asymmetric key algorithm is also called public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 584 Currently, the switch that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the switch that serves as an SSH client supports only SSH2. Unless otherwise noted, SSH refers to SSH2 throughout this document. Version negotiation The server opens port 22 to listen to connection requests from clients.
  • Page 585: SSH Server And Client

    The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods available for a new authentication attempt. The client selects an authentication type from the method list to perform authentication again. The above process repeats until the authentication succeeds, or until the number of authentication attempts reaches the upper limit, at which point the connection is torn down.
  • Page 586: Configuring The SSH Server

    Figure 1-2 Network diagram for SSH connections
    Configure the devices accordingly
    This document describes two cases:
    The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions.
    The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client.
  • Page 587: Configuring The User Interfaces For SSH Clients

    Table 1-2 Complete the following tasks to configure the SSH server:
    Task: Configuring the User Interfaces for SSH Clients. Remarks: Required (preparation).
    Task: Configuring the SSH Management Functions. Remarks: Optional.
    Task: Configuring the SSH Server to Be Compatible with SSH1 Clients. Remarks: Optional. This task determines which SSH versions the server should support.
  • Page 588: Configuring The SSH Management Functions

    To do: Enter user interface view of one or more user interfaces. Use the command: user-interface vty first-number [ last-number ]. Remarks: —
    To do: Configure the authentication mode as scheme. Use the command: authentication-mode scheme [ command-authorization ]. Remarks: Required. By default, the user interface authentication mode is password.
    To do: Specify the supported protocol(s). Use the command: protocol inbound { all | ssh }. Remarks: Optional. By default, both Telnet and...
  • Page 589: Configuring The SSH Server To Be Compatible With SSH1 Clients

    To do: Specify a source IP address for the SSH server. Use the command: ssh-server source-ip ip-address. Remarks: Optional. By default, no source IP address is configured.
    To do: Specify a source interface for the SSH server. Use the command: ssh-server source-interface interface-type interface-number. Remarks: Optional. By default, no source interface is configured.
  • Page 590: Creating An SSH User And Specifying An Authentication Type

    Table 1-5 Follow these steps to create key pairs:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Generate key pairs: generate an RSA key pair. Use the command: public-key local create rsa. Remarks: Required. By default, no key pair(s) are generated.
    To do: Generate key pairs: generate a DSA...
  • Page 591
    remote authentication, the user information is saved on an authentication server (such as a RADIUS server) and authentication is implemented through the cooperation of the SSH server and the authentication server. For AAA details, refer to AAA Operation.
    Publickey authentication
    Publickey authentication provides more secure SSH connections than password authentication does.
  • Page 592: Specifying A Service Type For An SSH User On The Server

    For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
  • Page 593: Configuring The Public Key Of A Client On The Server

    Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication.
  • Page 594: Exporting The Host Public Key To A File

    This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Table 1-9 Follow these steps to assign a public key for an SSH user: To do...
  • Page 595: Configuring The Ssh Client

    With the filename argument specified, you can export the RSA or DSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format.
  • Page 596 Opening an SSH connection with publickey authentication: required for publickey authentication; unnecessary for password authentication. For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Use any other version or any other client with caution.
  • Page 597 Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation stops. Figure 1-4 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
  • Page 598 Figure 1-5 Generate the client keys (3) Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private”...
  • Page 599 Figure 1-7 Generate the client keys (5) Specifying the IP address of the Server Launch PuTTY.exe. The following window appears. Figure 1-8 SSH client configuration interface 1
  • Page 600 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure 1-8, select SSH under Protocol.
  • Page 601: Configuring An SSH Client Assumed By An SSH2-Capable Switch

    Opening an SSH connection with publickey authentication If a user needs to be authenticated with a public key, the corresponding private key file must be specified. A private key file is not required for password-only authentication. From the category on the left of the window, select Connection/SSH/Auth. The following window appears.
  • Page 602 Configuring the SSH client for publickey authentication When the authentication mode is publickey, you need to configure the RSA or DSA public key of the client on the server: To generate a key pair on the client, refer to Configuring Key Pairs.
  • Page 603 With first-time authentication enabled, an SSH client that is not configured with the SSH server's host public key saves the host public key sent by the server without authenticating the server. Attackers may exploit this to mount man-in-the-middle attacks by posing as the SSH server. Therefore, it is recommended to disable first-time authentication unless you are sure that the SSH server is reliable.
  • Page 604: Displaying And Maintaining SSH Configuration

    When logging into the SSH server using public key authentication, an SSH client needs to read its local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key. Displaying and Maintaining SSH Configuration To do...
  • Page 605: SSH Configuration Examples

    Generate RSA key pairs | rsa local-key-pair create | public-key local create rsa
    Destroy RSA key pairs | rsa local-key-pair destroy | public-key local destroy rsa
    Enter public key view | rsa peer-public-key keyname | public-key peer keyname
    Import RSA public key from public key file | rsa peer-public-key keyname import sshkey filename | public-key peer keyname import sshkey filename...
  • Page 606 Network diagram Figure 1-11 Switch acts as server for local password authentication Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection. <Switch>...
  • Page 607 # Configure the SSH client software to establish a connection to the SSH server. Take SSH client software Putty (version 0.58) as an example: Run PuTTY.exe to enter the following configuration interface. Figure 1-12 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection.
  • Page 608: When Switch Acts As Server For Password And RADIUS Authentication

    Figure 1-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 609 Network diagram Figure 1-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 610 # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password. Select SSH as the service type.
  • Page 611 Generating the RSA and DSA key pairs on the server is prerequisite to SSH login.
    # Generate RSA and DSA key pairs.
    [Switch] public-key local create rsa
    [Switch] public-key local create dsa
    # Set the authentication mode for the user interfaces to AAA.
    [Switch] user-interface vty 0 4
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
  • Page 612 Figure 1-15 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-16 appears.
  • Page 613: When Switch Acts As Server For Password And HWTACACS Authentication

    authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in  . When Switch Acts as Server for Password and HWTACACS Authentication Network requirements As shown in...
  • Page 614
    [Switch-ui-vty0-4] authentication-mode scheme
    # Enable the user interfaces to support SSH.
    [Switch-ui-vty0-4] protocol inbound ssh
    [Switch-ui-vty0-4] quit
    # Configure the HWTACACS scheme.
    [Switch] hwtacacs scheme hwtac
    [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
    [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
    [Switch-hwtacacs-hwtac] key authentication expert
    [Switch-hwtacacs-hwtac] key authorization expert
    [Switch-hwtacacs-hwtac] user-name-format without-domain
    [Switch-hwtacacs-hwtac] quit...
  • Page 615: When Switch Acts As Server For Publickey Authentication

    From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-19 appears. Figure 1-19 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
  • Page 616 Configuration procedure Under the publickey authentication mode, either the RSA or DSA public key can be generated for the server to authenticate the client. This example uses the RSA public key. Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
  • Page 617
    # Import the client’s public key named Switch001 from file public.
    [Switch] public-key peer Switch001 import sshkey public
    # Assign the public key Switch001 to client client001.
    [Switch] ssh user client001 assign publickey Switch001
    Configure the SSH client (taking PuTTY version 0.58 as an example)
    # Generate an RSA key pair.
  • Page 618 Figure 1-22 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-23 Generate a client key pair (3)
  • Page 619 Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Figure 1-24 Generate a client key pair (4) After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
  • Page 620 Figure 1-26 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 1-27 SSH client configuration interface (3)
  • Page 621: When Switch Acts As Client For Password Authentication

    Click Browse to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-27, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in...
  • Page 622: When Switch Acts As Client For Publickey Authentication

    [SwitchB] local-user client001
    [SwitchB-luser-client001] password simple abc
    [SwitchB-luser-client001] service-type ssh level 3
    [SwitchB-luser-client001] quit
    # Configure the authentication type of user client001 as password.
    [SwitchB] ssh user client001 authentication-type password
    Configure Switch A
    # Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
  • Page 623 Configuration procedure In public key authentication, you can use either an RSA or a DSA public key. This example uses the DSA public key. Configure Switch B # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
  • Page 624
    # Import the client public key pair named Switch001 from the file Switch001.
    [SwitchB] public-key peer Switch001 import sshkey Switch001
    # Assign the public key Switch001 to user client001.
    [SwitchB] ssh user client001 assign publickey Switch001
    Configure Switch A
    # Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
  • Page 625: When Switch Acts As Client And First-Time Authentication Is Not Supported

    When Switch Acts as Client and First-Time Authentication is not Supported Network requirements As shown in Figure 1-30, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 626 Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following “Configure Switch A”.
  • Page 627 When first-time authentication is not supported, you must first generate a DSA key pair on the server and save the key pair in a file named Switch002, and then upload the file to the SSH client through FTP or TFTP. For details, refer to the above part “Configure Switch B”. # Import the public key pair named Switch002 from the file Switch002.
  • Page 628 Table of Contents
    1 File System Management Configuration 1-1
    File System Configuration 1-1
    Introduction to File System 1-1
    File System Configuration Tasks 1-1
    Directory Operations 1-1
    File Operations 1-2
    Flash Memory Operations 1-3
    Prompt Mode Configuration 1-3
    File System Configuration Example 1-4
    File Attribute Configuration 1-5
    Introduction to File Attributes 1-5
    Configuring File Attributes 1-6...
  • Page 629: File System Configuration

    File System Management Configuration File System Configuration Introduction to File System To facilitate management on the switch memory, S5100-SI/EI series Ethernet switches provide the file system function, allowing you to access and manage the files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
  • Page 630: File Operations

    Table 1-2 Directory operations
    Create a directory: mkdir directory (Optional)
    Delete a directory: rmdir directory (Optional)
    Display the current work directory: (Optional)
    Display the information about specific directories and files: dir [ /all ] [ file-url ] (Optional)
    Enter a specified directory...
  • Page 631: Flash Memory Operations

    Enter system view: system-view (—)
    Execute the specified batch file: execute filename (Optional; this command should be executed in system view.)
    For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
  • Page 632: File System Configuration Example

    Table 1-5 Configuration on prompt mode of file system
    Enter system view: system-view (—)
    Configure the prompt mode of the file system: file prompt { alert | quiet } (Required; by default, the prompt mode of the file system is alert.)
  • Page 633: File Attribute Configuration

    (*b) -with both main and backup attribute
    <Sysname> dir unit1>flash:/test/
    Directory of unit1>flash:/test/
    -rw-  1235  Apr 05 2000 01:51:34  test.cfg
    -rw-  1235  Apr 05 2000 01:56:44  1.cfg
    7239 KB total (3585 KB free)
    (*) -with main attribute
    (b) -with backup attribute
    (*b) -with both main and backup attribute
    File Attribute Configuration
    Introduction to File Attributes...
  • Page 634: Configuring File Attributes

    with the main attribute in the Flash memory will lose its main attribute. This circumstance also applies to the file with the backup attribute in the Flash memory. File operations and file attribute operations are independent. For example, if you delete a file with the main attribute from the Flash memory, the other files in the flash memory will not possess the main attribute.
  • Page 635 The configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch. After upgrading a Web file, you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web-package command. Otherwise, the Web server cannot function normally.
  • Page 636 Table of Contents
    1 FTP and SFTP Configuration 1-1
    Introduction to FTP and SFTP 1-1
    Introduction to FTP 1-1
    Introduction to SFTP 1-2
    FTP Configuration 1-2
    FTP Configuration: A Switch Operating as an FTP Server 1-2
    FTP Configuration: A Switch Operating as an FTP Client 1-6
    Configuration Example: A Switch Operating as an FTP Server 1-9
    FTP Banner Display Configuration Example 1-11
    FTP Configuration: A Switch Operating as an FTP Client 1-12...
  • Page 637: Introduction To Ftp And Sftp

    FTP-based file transmission is performed in the following two modes:
    Binary mode for program file transfer
    ASCII mode for text file transfer
    An H3C S5100-SI/EI series Ethernet switch can act as an FTP client or the FTP server in FTP-employed data transmission:...
  • Page 638: Ftp Configuration

    Table 1-1 Roles that an H3C S5100-SI/EI series Ethernet switch acts as in FTP
    FTP server: An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients. You can log in to a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server.
  • Page 639 Disabled by default. Only one user can access an H3C S5100-SI/EI series Ethernet switch at a given time when the latter operates as an FTP server. Operating as an FTP server, an H3C S5100-SI/EI series Ethernet switch cannot receive a file whose size exceeds its storage space.
  • Page 640 Follow these steps to configure connection idle time:
    Enter system view: system-view (—)
    Configure the connection idle time for the FTP server: ftp timeout minutes (Optional; 30 minutes by default)
    Specifying the source interface and source IP address for an FTP server
    You can specify the source interface and source IP address for an FTP server to enhance server security.
  • Page 641 Required server With an H3C S5100-SI/EI series Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the S5100-SI/EI Ethernet switch will disconnect the user after the data transmission is completed.
  • Page 642: Ftp Configuration: A Switch Operating As An Ftp Client

    Figure 1-2 Process of displaying a shell banner
    Follow these steps to configure the banner display for an FTP server:
    Enter system view: system-view (—)
    Configure a login banner: header login text (Required; use either command or both.)
    Configure a shell banner: header shell text (By default, no banner is...
  • Page 643 Enter FTP client view: ftp [ cluster | remote-server [ port-number ] ] (—)
    Specify to transfer files in ASCII characters: ascii (Use either command. By default, files are transferred in ASCII characters.)
    Specify to transfer files in...
  • Page 644 Download a remote file from the FTP server: get remotefile [ localfile ]
    Upload a local file to the remote FTP server: put localfile [ remotefile ]
    Rename a file on the remote server: rename remote-source remote-dest
    Log in with the specified user...
  • Page 645: Configuration Example: A Switch Operating As An Ftp Server

    The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for each connection.
  • Page 646 [Sysname] ftp server enable
    [Sysname] local-user switch
    [Sysname-luser-switch] password simple hello
    [Sysname-luser-switch] service-type ftp
    Configure the PC (FTP client)
    Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
  • Page 647: Ftp Banner Display Configuration Example

    If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file, and then upload the file again.
  • Page 648: Ftp Configuration: A Switch Operating As An Ftp Client

    Network diagram Figure 1-4 Network diagram for FTP banner display configuration Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
  • Page 649 Network diagram Figure 1-5 Network diagram for FTP configurations: a switch operating as an FTP client Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello.
  • Page 650: Sftp Configuration

    [ftp] get switch.bin
    # Execute the quit command to terminate the FTP connection and return to user view.
    [ftp] quit
    <Sysname>
    # After downloading the file, use the boot boot-loader command to specify the downloaded file (switch.bin) to be the application for next startup, and then restart the switch. Thus the switch application is upgraded.
  • Page 651: Sftp Configuration: A Switch Operating As An Sftp Client

    10 minutes by default. Supported SFTP client software An H3C S5100-SI/EI series Ethernet switch operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
  • Page 652 Enter SFTP client view: sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } |... (Required)
  • Page 653: Sftp Configuration Example

    If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm to get the correct local private key;...
  • Page 654 [Sysname] public-key local create dsa
    # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server.
    [Sysname] interface vlan-interface 1
    [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
    [Sysname-Vlan-interface1] quit
    # Specify the SSH authentication mode as AAA.
  • Page 655 sftp-client>
    # Display the current directory of the server. Delete the file z and verify the result.
    sftp-client> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
    drwxrwxrwx...
  • Page 656 -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
    Received status: End of file
    Received status: Success
    # Download the file pubkey2 from the server and rename it as public.
  • Page 657: Tftp Configuration

    TFTP server, and receives acknowledgement packets from the TFTP server. An H3C S5100-SI/EI series Ethernet switch can act as a TFTP client only. When you download a file that is larger than the free space of the switch’s flash memory:...
  • Page 658: Tftp Configuration: A Switch Operating As A Tftp Client

    Basic configurations on a TFTP client (TFTP Configuration: A Switch Operating as a TFTP Client): —
    Specifying the source interface or source IP address for a TFTP client (TFTP Configuration: A Switch Operating as a TFTP Client): Optional
    TFTP server configuration: For details, see the corresponding manual —...
  • Page 659: Tftp Configuration Example

    default.
    Specify an IP address as the source IP address a TFTP client uses every time it connects to a TFTP server: tftp source-ip ip-address
    Display the source IP address used by a TFTP client every time it connects to a TFTP...: display tftp source-ip (Optional; available in any...
  • Page 660 Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.) <Sysname>...
  • Page 661 Table of Contents
    1 Information Center 1-1
    Information Center Overview 1-1
    Introduction to Information Center 1-1
    System Information Format 1-4
    Information Center Configuration 1-7
    Information Center Configuration Task List 1-7
    Configuring Synchronous Information Output 1-7
    Configuring to Display the Time Stamp with the UTC Time Zone 1-8
    Setting to Output System Information to the Console 1-8
    Setting to Output System Information to a Monitor Terminal 1-10
    Setting to Output System Information to a Log Host 1-11...
  • Page 662: Information Center

    Information Center When configuring information center, go to these sections for information you are interested in: Information Center Overview Information Center Configuration Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information. Together with the debugging function (the debugging command), information center offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems.
  • Page 663 Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during the filtering. If the threshold is set to 1, only information with the severity emergencies will be output; if the threshold is set to 8, information of all severities will be output.
  • Page 664 Outputting system information by source module
    The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 1-3.
    Table 1-3 Source module name list
    8021X: 802.1X module
    Access control list module
    ADBM: Address base module...
  • Page 665: System Information Format

    Module name: Description
    SYSMIB: System MIB module
    HWTACACS module
    TELNET: Telnet module
    TFTPC: TFTP client module
    VLAN: Virtual local area network module
    Virtual type terminal module
    XModem module
    default: Default settings for all the modules
    To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output directions.
  • Page 666 Note: If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 667 time zone to the time stamp of the output information, so that you can know the standard time at which the information center processed each piece of information. That is, you can know the Greenwich standard time of each switch in the network based on the UTC record in the time stamp. To add the UTC time zone to the time stamp in the information center output information, you must:
    Set the local time zone
    Set the time stamp format in the output destination of the information center to date...
  • Page 668: Information Center Configuration

    Source: This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host.
    Context: This field provides the content of the system information.
    Information Center Configuration
    Information Center Configuration Task List
    Complete the following tasks to configure information center:...
  • Page 669: Configuring To Display The Time Stamp With The Utc Time Zone

    If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input. If the input is interrupted by system output, no system prompt (except the Y/N string) will be echoed after the output, but your input will be displayed in a new line.
  • Page 670 Enable system information output to the console: info-center console channel { channel-number | channel-name } (Optional; by default, the switch uses information channel 0 to output log/debugging/trap information to the console.)
    Configure the output rules: info-center source { modu-name | default } channel { channel-number |... (Optional)
  • Page 671: Setting To Output System Information To A Monitor Terminal

    Follow these steps to enable the system information display on the console:
    Enable the debugging/log/trap information terminal display function: terminal monitor (Optional; enabled by default.)
    Enable debugging information terminal display function: terminal debugging (Optional; disabled by default.)
  • Page 672: Setting To Output System Information To A Log Host

    Set the format of time stamp in the output information: info-center timestamp { log | trap | debugging } { boot | date | none } (Optional; by default, the time stamp format of the log and trap output information is date, and that of the debugging output...
  • Page 673: Setting To Output System Information To The Trap Buffer

    Enter system view: system-view (—)
    Enable the information center: info-center enable (Optional; enabled by default.)
    Enable system information output to a log host: info-center loghost host-ip-addr [ channel { channel-number |... (Required; by default, the switch does not output information to the log host. After you configure the switch to...
  • Page 674: Setting To Output System Information To The Log Buffer

    Configure the output rules of system information: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap |... (Optional; refer to Table 1-4 for the default output rules of system information.)
  • Page 675: Displaying And Maintaining Information Center

    Configure the output rules of system information: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state... (Optional; refer to Table 1-4 for the default output rules of system information.)
  • Page 676: Information Center Configuration Examples

    Information Center Configuration Examples Log Output to a UNIX Log Host Network requirements The switch sends the following log information to the Unix log host whose IP address is 202.38.1.10: the log information of the two modules ARP and IP, with severity higher than “informational”. Network diagram Figure 1-1 Network diagram for log output to a Unix log host Network...
  • Page 677: Log Output To A Linux Log Host

    When you edit the file “/etc/syslog.conf”, note that: A note must start on a new line, beginning with a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is allowed at the end of a file name. The device name (facility) and received log information severity level specified in the file “/etc/syslog.conf”...
  • Page 678 <Switch> system-view
    [Switch] info-center enable
    # Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information with severity level higher than error to the log host.
    [Switch] info-center loghost 202.38.1.10 facility local7
    [Switch] info-center source default channel loghost log level errors debug state off trap state off
    Configure the log host:...
  • Page 679: Log Output To The Console

    Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to the Console Network requirements The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity higher than “informational”.
  • Page 680 Network diagram
    Figure 1-4 Network diagram
    Configuration procedure
    # Name the local time zone z8 and configure it to be eight hours ahead of UTC time.
    <Switch> clock timezone z8 add 08:00:00
    # Set the time stamp format of the log information to be output to the log host to date.
    <Switch>...
  • Page 681 Table of Contents
    1 Boot ROM and Host Software Loading 1-1
    Introduction to Loading Approaches 1-1
    Local Boot ROM and Software Loading 1-1
    BOOT Menu 1-2
    Loading by XModem through Console Port 1-3
    Loading by TFTP through Ethernet Port 1-7
    Loading by FTP through Ethernet Port 1-9
    Remote Boot ROM and Software Loading 1-11
    Remote Loading Using FTP 1-11
    Remote Loading Using TFTP 1-15...
  • Page 682: Introduction To Loading Approaches

    Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
  • Page 683: Boot Menu

    The loading process of the Boot ROM software is the same as that of the host software, except that during the former process, you should press “6” or <Ctrl+U> and <Enter> after entering the BOOT menu and the system gives different prompts. The following text mainly describes the Boot ROM loading process.
  • Page 684: Loading By Xmodem Through Console Port

    1. Download application file to flash
    2. Select application file to boot
    3. Display all files in flash
    4. Delete file from flash
    5. Modify bootrom password
    6. Enter bootrom upgrade menu
    7. Skip current configuration file
    8. Set bootrom password recovery
    9.
  • Page 685 5. 115200
    0. Return
    Enter your choice (0-5):
    Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information:
    Download baudrate is 115200 bps
    Please change the terminal's baudrate to 115200 bps and select XMODEM protocol
    Press enter key when ready
    If you have chosen 9600 bps as the download baudrate, you need not modify the HyperTerminal’s...
  • Page 686 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
  • Page 687 Step 7: Choose [Transfer/Send File] in HyperTerminal, and click <Browse> in pop-up dialog box, as shown in Figure 1-4. Select the software file that you need to load to the switch, and set the protocol to XModem. Figure 1-4 Send file dialog box Step 8: Click <Send>.
  • Page 688: Loading By Tftp Through Ethernet Port

    If the HyperTerminal’s baudrate is not reset to 9600 bps, the system prompts "Your baudrate should be set to 9600 bps again! Press enter key when ready". You need not reset the HyperTerminal’s baudrate and can skip the last step if you have chosen 9600 bps.
  • Page 689 Loading the Boot ROM Figure 1-6 Local loading using TFTP Step 1: As shown in Figure 1-6, connect the switch through an Ethernet port to the TFTP server, and connect the switch through the Console port to the configuration PC. You can use one PC as both the configuration device and the TFTP server.
  • Page 690: Loading By Ftp Through Ethernet Port

    Step 6: Enter Y to start file downloading or N to return to the Boot ROM update menu. If you enter Y, the system begins to download and update the Boot ROM. Upon completion, the system displays the following information:
    Loading........done
    Bootrom updating..done!
    Loading host software...
  • Page 691 You can use one computer as both configuration device and FTP server. Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory. Step 3: Run the HyperTerminal program on the configuration PC.
  • Page 692: Remote Boot Rom And Software Loading

    The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading. When loading the Boot ROM and host software using FTP through the BOOT menu, you are recommended to use the PC directly connected to the device as the FTP server to improve upgrade reliability.
  • Page 693 When using different FTP server software on the PC, different information will be output to the switch.
    Step 2: Update the Boot ROM program on the switch.
    <Sysname> boot bootrom switch.btm
    This will update BootRom file on unit 1. Continue? [Y/N] y
    Upgrading BOOTROM, please wait...
  • Page 694 Step 1: As shown in Figure 1-9, connect the switch through an Ethernet port to the PC (whose IP address is 10.1.1.1) Step 2: Configure the IP address of VLAN-interface 1 on the switch to 192.168.0.28, and subnet mask to 255.255.255.0. You can configure the IP address for any VLAN on the switch for FTP transmission.
  • Page 695 Figure 1-11 Enter Boot ROM directory
    Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server.
    Figure 1-12 Log on to the FTP server
    Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
  • Page 696: Remote Loading Using Tftp

    Figure 1-13 Upload file switch.btm to the switch
    Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.
    <Sysname> boot bootrom switch.btm
    This will update Bootrom on unit 1. Continue? [Y/N] y
    Upgrading Bootrom, please wait...
    Upgrade Bootrom succeeded!
    <Sysname>...
  • Page 697: Basic System Configuration And Debugging

    Basic System Configuration and Debugging When configuring basic system configuration and debugging, go to these sections for information you are interested in: Basic System Configuration Displaying the System Status Debugging the System Basic System Configuration Perform the following basic system configuration: To do…...
  • Page 698: Displaying The System Status

    Displaying the System Status
    Display the current date and time of the system: display clock (Available in any view)
    Display the version of the system: display version (Available in any view)
    Display the information about users logging onto the switch: display users [ all ] (Available in any view)
    Debugging the System
    Enabling/Disabling System Debugging...
  • Page 699: Displaying Debugging Status

    Displaying debugging information on the terminal is the most commonly used way to output debugging information. You can also output debugging information to other directions. For details, refer to Information Center Operation. You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: To do…...
  • Page 700: Network Connectivity Test

    Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: ping tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host. To do…...
  • Page 702: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Introduction to Device Management Device Management Configuration Displaying the Device Management Configuration Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management includes the following: Reboot the Ethernet switch Configure real-time monitoring of the running status of the system Specify the APP to be used at the next reboot...
  • Page 703: Scheduling A Reboot On The Switch

    Use the following command to reboot the Ethernet switch: To do… Use the command… Remarks Reboot the Ethernet switch reboot [ unit unit-id ] Available in user view Scheduling a Reboot on the Switch After you schedule a reboot on the switch, the switch will reboot at the specified time. Follow these steps to schedule a reboot on the switch: To do…...
  • Page 704: Specifying The App To Be Used At Reboot

    Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots. Use the following command to specify the APP to be used at reboot: To do…...
  • Page 705 For pluggable transceivers supported by S5100-SI/EI series Ethernet switches, refer to H3C S5100-SI/EI Series Ethernet Switches Installation Manual. Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors, you can perform the following configurations to identify main parameters of the pluggable transceivers, including transceiver type, connector type, central wavelength of the laser sent, transfer distance and vendor name or vendor name specified.
  • Page 706: Displaying The Device Management Configuration

    Displaying the Device Management Configuration. To do… / Use the command… / Remarks: Display the APP to be adopted at next startup: display boot-loader [ unit unit-id ]. Display the module type and operating status of each board: display device [ manuinfo | unit unit-id ]. Display CPU usage of a switch: display cpu [ unit unit-id ]...
  • Page 707 Network diagram Figure 4-1 Network diagram for FTP configuration Configuration procedure Configure the following FTP server–related parameters on the PC: an FTP user with the username as switch and password as hello, who is authorized with the read-write right on the directory Switch on the PC.
  • Page 708 Execute the get command to download the switch.bin and boot.btm files on the FTP server to the Flash memory of the switch. [ftp] get switch.bin [ftp] get boot.btm Execute the quit command to terminate the FTP connection and return to user view. [ftp] quit <Sysname>...
  • Page 709 Table of Contents
    1 VLAN-VPN Configuration 1-1
      VLAN-VPN Overview 1-1
        Introduction to VLAN-VPN 1-1
        Implementation of VLAN-VPN 1-2
        Adjusting the TPID Values of VLAN-VPN Packets 1-2
      VLAN-VPN Configuration 1-3
        Configuration Task List 1-3
        Enabling the VLAN-VPN Feature for a Port 1-3
        TPID Adjusting Configuration 1-3
      Displaying VLAN-VPN Configuration 1-4
      VLAN-VPN Configuration Example 1-4
        Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN 1-4...
  • Page 710: Vlan-Vpn Configuration

    VLAN-VPN Configuration VLAN-VPN Overview Introduction to VLAN-VPN Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network. With VPN, you can specify to process packets on the client or the access end of the service provider in specific ways, establish dedicated tunnels for user traffic on public network devices, and thus improve data security.
  • Page 711: Implementation Of Vlan-Vpn

    The VLAN-VPN feature provides you with the following benefits: Saves public network VLAN ID resources. You can have VLAN IDs of your own, which are independent of public network VLAN IDs. Provides simple Layer 2 VPN solutions for small-sized MANs or intranets. Implementation of VLAN-VPN With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch will tag the received packet with the default VLAN tag of the receiving port and add...
  • Page 712: Vlan-Vpn Configuration

    Protocol type Value 802.1x 0x888E VLAN-VPN Configuration Configuration Task List Table 1-2 VLAN-VPN configuration tasks Task Remarks Enabling the VLAN-VPN Feature for a Port Required TPID Adjusting Configuration Optional Enabling the VLAN-VPN Feature for a Port Configuration Prerequisites The port is not a VLAN-VPN uplink port. The port is not a remote mirror reflection port.
  • Page 713: Displaying Vlan-Vpn Configuration

    Operation / Command / Description: Set the TPID value globally: vlan-vpn tpid value. Required. Do not set the TPID value to any of the protocol type values listed in Table 1-1. For H3C series switches, the TPID defaults to 0x8100. Enter Ethernet port view: interface interface-type —...
  • Page 714 PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network. The VLAN VPN connection is established in VLAN 1040 of the public network. Switches of other vendors’...
  • Page 715 # Enable the VLAN-VPN feature on GigabitEthernet 1/0/21 of Switch B and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag. <SwitchB> system-view [SwitchB] vlan 1040 [SwitchB-vlan1040] port GigabitEthernet 1/0/21 [SwitchB-vlan1040] quit [SwitchB] interface GigabitEthernet 1/0/21 [SwitchB-GigabitEthernet1/0/21] vlan-vpn enable # Set the global TPID value of Switch B to 0x9200 and configure GigabitEthernet1/0/22 as a VLAN VPN...
  • Page 716 packet is removed before the packet is forwarded, which restores the packet to a packet tagged with only the private VLAN tag and enables it to be forwarded to its destination networks. It is the same case when a packet travels from Switch B to Switch A.
  • Page 717: Selective Qinq Configuration

    Selective QinQ Configuration The contents of this chapter are only applicable to the S5100-EI series among S5100-SI/EI series switches. Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature. With the selective QinQ feature, you can configure inner-to-outer VLAN tag mapping, according to which you can add different outer VLAN tags to the packets with different inner VLAN tags.
  • Page 718: Selective Qinq Configuration

    In this implementation, Switch A is an access device of the service provider. The users connecting to it include common customers (in VLAN 8 to VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network.
  • Page 719: Selective Qinq Configuration Example

    Operation / Command / Description: Configure to add outer VLAN tags to the packets with the specific inner VLAN tags: raw-vlan-id inbound vlan-id-list. Required. By default, the feature of adding an outer VLAN tag to the packets with the specific inner VLAN tags is disabled.
  • Page 720 Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic. To reduce broadcast packets in the network, enable the inter-VLAN MAC address replicating feature for selective QinQ.
  • Page 721 # Configure GigabitEthernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure GigabitEthernet1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [SwitchA] interface GigabitEthernet 1/0/3 [SwitchA-GigabitEthernet1/0/3] port link-type hybrid [SwitchA-GigabitEthernet1/0/3] port hybrid pvid vlan 5 [SwitchA-GigabitEthernet1/0/3] port hybrid vlan 5 1000 1200 untagged # Enable the VLAN-VPN feature on GigabitEthernet 1/0/3.
  • Page 722 # Configure GigabitEthernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure GigabitEthernet 1/0/13 to remove VLAN tags when forwarding packets of VLAN 13 and VLAN 1200. [SwitchB] interface GigabitEthernet 1/0/13 [SwitchB-GigabitEthernet1/0/13] port link-type hybrid [SwitchB-GigabitEthernet1/0/13] port hybrid pvid vlan 13 [SwitchB-GigabitEthernet1/0/13] port hybrid vlan 13 1200 untagged After the above configuration, Switch B can forward packets of VLAN 1000 and VLAN 1200 to the...
  • Page 723 Table of Contents
    1 HWPing Configuration 1-1
      HWPing Overview 1-1
        Introduction to HWPing 1-1
        Test Types Supported by HWPing 1-2
        HWPing Test Parameters 1-2
      HWPing Configuration 1-4
        HWPing Server Configuration 1-4
        HWPing Client Configuration 1-4
      Displaying HWPing Configuration 1-15
      HWPing Configuration Examples 1-15
        ICMP Test 1-15
        DHCP Test 1-17
        FTP Test 1-18
        HTTP Test 1-20...
  • Page 724: Hwping Configuration

    HWPing Configuration When configuring HWPing, go to these sections for information you are interested in: HWPing Overview HWPing Configuration HWPing Configuration Examples HWPing Overview Introduction to HWPing HWPing (pronounced Hua’Wei Ping) is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
  • Page 725: Test Types Supported By Hwping

    Test Types Supported by HWPing. Table 1-1 Test types supported by HWPing. Supported test types / Description: ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test: for these types of tests, you need to configure the HWPing client and corresponding servers. Jitter test: these types of tests need the cooperation of the HWPing...
  • Page 726 Test parameter / Description: Test type (test-type): You can use HWPing to test a variety of protocols; see Table 1-1 for details. To perform a type of test, you must first create a test group of this type. One test group can be of only one HWPing test type. If you modify the test type of a test group using the test-type command, the parameter settings, test results, and history records of the original test type will all be cleared.
  • Page 727: Hwping Server Configuration

    Test parameter / Description: Trap: A HWPing test will generate a Trap message no matter whether the test succeeds or not. You can use the Trap switch to enable or disable the output of trap messages. You can set the number of consecutive failed HWPing tests before Trap output.
  • Page 728 Configuring ICMP test on HWPing client. Follow these steps to configure ICMP test on HWPing client: To do… / Use the command… / Remarks: Enter system view: system-view. Enable the HWPing client function: hwping-agent enable. Required. By default, the HWPing client function is disabled.
  • Page 729 To do… / Use the command… / Remarks: Enable the HWPing client function: hwping-agent enable. Required. By default, the HWPing client function is disabled. Create a HWPing test group and enter its view: hwping administrator-name operation-tag. Required. By default, no test group is configured. source-interface (Required): You can only configure a VLAN interface...
  • Page 730 To do… / Use the command… / Remarks: Configure the test type: test-type ftp. Required. By default, the test type is ICMP. Configure the number of probes per test: count times. Optional. By default, each test makes one probe. Configure the maximum number of history records that can...: history-records number. Optional.
  • Page 731 To do… / Use the command… / Remarks: Configure the destination IP address: destination-ip ip-address. Required. You can configure an IP address or a host name. By default, no destination address is configured. Configure dns-server: dns-server ip-address. Required when you use the destination-ip command to configure the destination address as the host...
  • Page 732 To do… / Use the command… / Remarks: Enter system view: system-view. Enable the HWPing client function: hwping-agent enable. Required. By default, the HWPing client function is disabled. Create a HWPing test group and enter its view: hwping administrator-name operation-tag. Required. By default, no test group is configured.
  • Page 733 To do… / Use the command… / Remarks: Configure the type of service: tos value. Optional. By default, the service type is zero. Configure the number of test packets that will be sent in each jitter probe: jitter-packetnum number. Optional. By default, each jitter probe will send 10 packets.
  • Page 734 To do… / Use the command… / Remarks: Configure the automatic test interval: frequency interval. Optional. By default, the automatic test interval is zero seconds, indicating no automatic test will be made. Configure the probe timeout time: timeout time. Optional. By default, a probe times out in three seconds.
  • Page 735 To do… / Use the command… / Remarks: Configure the source port: source-port port-number. Optional. By default, no source port is specified. Configure the test type: test-type { tcpprivate | tcppublic }. Required. By default, the test type is ICMP. Configure the number of probes per test: count times. Optional. By default, one probe is made per time.
  • Page 736 To do… / Use the command… / Remarks: Configure the destination port: destination-port. Required in a Udpprivate test. A Udppublic test is a UDP connection test on port 7. Use the hwping-server udpecho ip-address 7 command on the server to configure the listening service port;...
  • Page 737 To do… / Use the command… / Remarks: Enable the HWPing client function: hwping-agent enable. Required. By default, the HWPing client function is disabled. Create a HWPing test group and enter its view: hwping administrator-name operation-tag. Required. By default, no test group is configured.
  • Page 738: Displaying Hwping Configuration

    ICMP Test Network requirements An H3C S5100-SI/EI series Ethernet switch serves as the HWPing client. A HWPing ICMP test between the switch and another switch uses ICMP to test the round trip time (RTT) for packets generated by the HWPing client to travel to and back from the destination switch.
  • Page 739 Configuration procedure Configure HWPing Client (Switch A): # Enable the HWPing client. <Sysname> system-view [Sysname] hwping-agent enable # Create a HWPing test group, setting the administrator name to administrator and test tag to ICMP. [Sysname] hwping administrator icmp # Configure the test type as icmp. [Sysname-hwping-administrator-icmp] test-type icmp # Configure the destination IP address as 10.2.2.2.
  • Page 740: Dhcp Test

    DHCP Test Network requirements Both the HWPing client and the DHCP server are H3C S5100-SI/EI series Ethernet switches. Perform a HWPing DHCP test between the two switches to test the time required for the HWPing client to obtain an IP address from the DHCP server.
  • Page 741: Ftp Test

    FTP Test Network requirements Both the HWPing client and the FTP server are H3C S5100-SI/EI series Ethernet switches. Perform a HWPing FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established. Both the username and password used to log in to the FTP server are admin.
  • Page 742 Network diagram Figure 1-4 Network diagram for the FTP test Configuration procedure Configure FTP Server (Switch B): Configure FTP server on Switch B. For specific configuration of FTP server, refer to the FTP-SFTP-TFTP part of the manual. Configure HWPing Client (Switch A): # Enable the HWPing client.
  • Page 743: Http Test

    HTTP Test Network requirements An H3C S5100-SI/EI series Ethernet switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established.
  • Page 744 Network diagram Figure 1-5 Network diagram for the HTTP test Configuration procedure Configure HTTP Server: Use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instruction on Windows 2003 Server configuration. Configure HWPing Client (Switch A): # Enable the HWPing client.
  • Page 745: Jitter Test

    Jitter Test Network requirements Both the HWPing client and the HWPing server are H3C S5100-SI/EI series Ethernet switches. Perform a HWPing jitter test between the two switches to test the delay jitter of the UDP packets exchanged between this end (HWPing client) and the specified destination end (HWPing server).
  • Page 746 Network diagram Figure 1-6 Network diagram for the Jitter test Configuration procedure Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <Sysname> system-view [Sysname] hwping-server enable [Sysname] hwping-server udpecho 10.2.2.2 9000 Configure HWPing Client (Switch A): # Enable the HWPing client.
  • Page 747: Snmp Test

    SNMP Test Network requirements Both the HWPing client and the SNMP Agent are H3C S5100-SI/EI series Ethernet switches. Perform HWPing SNMP tests between the two switches to test the time required from when Switch A sends an SNMP query message to Switch B (the SNMP Agent) until it receives a response from Switch B.
  • Page 748 Network diagram Figure 1-7 Network diagram for the SNMP test Configuration procedure Configure SNMP Agent (Switch B): # Start SNMP agent and set SNMP version to V2C, read-only community name to public, and read-write community name to private. <Sysname> system-view [Sysname] snmp-agent [Sysname] snmp-agent sys-info version v2c [Sysname] snmp-agent community read public...
  • Page 749: Tcp Test (Tcpprivate Test) On The Specified Ports

    TCP Test (Tcpprivate Test) on the Specified Ports Network requirements Both the HWPing client and the HWPing server are H3C S5100-SI/EI series Ethernet switches. Perform a HWPing Tcpprivate test to test the time required to establish a TCP connection between this end (Switch A) and the specified destination end (Switch B), with the port number set to 8000.
  • Page 750 Configuration procedure Configure HWPing Server (Switch B): # Enable the HWPing server and configure the IP address and port to listen on. <Sysname> system-view [Sysname] hwping-server enable [Sysname] hwping-server tcpconnect 10.2.2.2 8000 Configure HWPing Client (Switch A): # Enable the HWPing client. <Sysname>...
  • Page 751: Udp Test (Udpprivate Test) On The Specified Ports

    UDP Test (Udpprivate Test) on the Specified Ports Network requirements Both the HWPing client and the HWPing server are H3C S5100-SI/EI series Ethernet switches. Perform a HWPing Udpprivate test on the specified ports between the two switches to test the RTT of UDP packets between this end (HWPing client) and the specified destination end (HWPing server).
  • Page 752: Dns Test

    DNS Test Network requirements An H3C S5100-SI/EI series Ethernet switch serves as the HWPing client, and a PC serves as the DNS server. Perform a HWPing DNS test between the switch and the DNS server to test the time required from when the client sends a DNS request until it receives a resolution result from the DNS server.
  • Page 753 Network diagram Figure 1-10 Network diagram for the DNS test Configuration procedure Configure DNS Server: Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003 Server configuration. Configure HWPing Client (Switch A) # Enable the HWPing client.
  • Page 754 Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: 0 Operation sequence errors: 0 Drop operation number: 0 Other operation errors: 0 Dns result: DNS Resolve Current Time: 10 DNS Resolve Min Time: 6 DNS Resolve Times: 10 DNS Resolve Max Time: 10 DNS Resolve Timeout Times: 0...
  • Page 755 Table of Contents
    1 DNS Configuration 1-1
      DNS Overview 1-1
        Static Domain Name Resolution 1-1
        Dynamic Domain Name Resolution 1-1
      Configuring Domain Name Resolution 1-2
        Configuring Static Domain Name Resolution 1-2
        Configuring Dynamic Domain Name Resolution 1-3
      Displaying and Maintaining DNS 1-3
      DNS Configuration Examples 1-4
        Static Domain Name Resolution Configuration Example 1-4
        Dynamic Domain Name Resolution Configuration Example 1-4
      Troubleshooting DNS 1-6...
  • Page 756: Dns Configuration

    DNS Configuration When configuring DNS, go to these sections for information you are interested in: DNS Overview Configuring Domain Name Resolution Displaying and Maintaining DNS DNS Configuration Examples Troubleshooting DNS Note: This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to IPv6 Management Operation.
  • Page 757: Configuring Domain Name Resolution

    The DNS client performs the next operation according to the result. Figure 1-1 Dynamic domain name resolution Figure 1-1 shows the relationship between user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client run on the same device, while the DNS server and the DNS client usually run on different devices.
  • Page 758: Displaying And Maintaining Dns

    Note: The IP address you assign to a host name overwrites the previous one, if any. You may create up to 50 static mappings between domain names and IP addresses. Configuring Dynamic Domain Name Resolution Follow these steps to configure dynamic domain name resolution: To do…...
  • Page 759: Dns Configuration Examples

    DNS Configuration Examples Static Domain Name Resolution Configuration Example Network requirements The switch uses static domain name resolution to access host 10.1.1.2 through domain name host.com. Network diagram Figure 1-2 Network diagram for static DNS configuration Configuration procedure # Configure a mapping between host name host.com and IP address 10.1.1.2. <Sysname>...
  • Page 760 Network diagram Figure 1-3 Network diagram for dynamic DNS configuration (figure: Switch acting as DNS client, DNS server and Host on an IP network; addresses shown in the figure include 2.1.1.2/16, 2.1.1.1 and 3.1.1.1/16, with the host name host.com) Configuration procedure Note: Before doing the following configuration, make sure that: The routes between the DNS server, Switch, and Host are reachable. Necessary configurations are done on the devices.
  • Page 761: Troubleshooting Dns

    0.00% packet loss round-trip min/avg/max = 4/4/5 ms Troubleshooting DNS Symptom After enabling the dynamic domain name resolution, the user cannot get the correct IP address. Solution Use the display dns dynamic-host command to check that the specified domain name is in the cache.
  • Page 762 Table of Contents
    1 Smart Link Configuration 1-1
      Smart Link Overview 1-1
        Basic Concepts in Smart Link 1-1
        Operating Mechanism of Smart Link 1-3
      Configuring Smart Link 1-3
        Configuration Task List 1-3
        Configuring a Smart Link Device 1-4
        Configuring Associated Devices 1-5
        Precautions 1-5
      Displaying and Maintaining Smart Link 1-6
      Smart Link Configuration Example 1-6
        Implementing Link Redundancy Backup 1-6
    2 Monitor Link Configuration 2-1...
  • Page 763: Smart Link Overview

    Smart Link Configuration When configuring smart link, go to these sections for information you are interested in: Smart Link Overview Configuring Smart Link Displaying and Maintaining Smart Link Smart Link Configuration Example Smart Link Overview As shown in Figure 1-1, dual-uplink networking is widely applied currently. Usually, Spanning Tree Protocol (STP) is used to implement link redundancy backup in the network.
  • Page 764 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure GigabitEthernet 1/0/1 of switch A in Figure 1-1 as the master port through the command line. Slave port The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group.
  • Page 765: Configuring Smart Link

    Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism As shown in Figure 1-2, GigabitEthernet 1/0/1 on Switch A is active and GigabitEthernet 1/0/2 on Switch A is blocked. When the link connected to GigabitEthernet 1/0/1 fails, GigabitEthernet 1/0/1 is blocked automatically, and the state of GigabitEthernet 1/0/2 turns to active state.
  • Page 766: Configuring A Smart Link Device

    Task / Remarks: Configuring a Smart Link Device (Required): Create a smart link group; Add member ports to the smart link group; Enable the function of sending flush messages in the specified control VLAN. Configuring Associated Devices (Required): Enable the function of processing flush messages received from the specified control...
  • Page 767: Configuring Associated Devices

    To do… / Use the command… / Remarks: Enable the function of sending flush messages in the specified control VLAN: flush enable control-vlan vlan-id. Optional. By default, no control VLAN for sending flush messages is specified. Configuring Associated Devices An associated device mentioned in this document refers to a device that supports Smart Link and is locally configured to process flush messages received from the specified control VLAN so as to work with the corresponding Smart Link device.
  • Page 768: Displaying And Maintaining Smart Link

    Network requirements As shown in Figure 1-3, Switch A is an H3C S5100-SI/EI series Ethernet switch. Switch C, Switch D and Switch E support Smart Link. Configure Smart Link feature to provide remote PCs with reliable access to the server.
  • Page 769 Network diagram Figure 1-3 Network diagram for Smart Link configuration Configuration procedure Configure a smart link group on Switch A and configure member ports for it. Enable the function of sending flush messages in Control VLAN 1. # Enter system view. <switchA>...
  • Page 770 <SwitchC> system-view # Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2. <SwitchC> smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 Enable the function of processing flush messages received from VLAN 1 on Switch D. # Enter system view.
  • Page 771: Introduction To Monitor Link

    Monitor Link Configuration When configuring Monitor Link, go to these sections for information you are interested in: Introduction to Monitor Link Configuring Monitor Link Displaying Monitor Link Configuration Monitor Link Configuration Example Introduction to Monitor Link Overview Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor the uplink and to improve the backup function of Smart Link.
  • Page 772: How Monitor Link Works

    How Monitor Link Works
    Figure 2-2 Network diagram for a monitor link group implementation
    As shown in Figure 2-2, Switch C and Switch D are connected to the uplink device Switch E. Switch C is configured with a monitor link group, in which GigabitEthernet 1/0/1 is the uplink port and GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 are the downlink ports.
  • Page 773: Configuring Monitor Link

    Configuring Monitor Link
    Before configuring a monitor link group, you must create it and configure member ports for it. A monitor link group consists of one uplink port and one or more downlink ports. The uplink port can be a manually configured or static LACP link aggregation group, an Ethernet port, or a smart link group.
  • Page 774: Configuring A Downlink Port

    To do… | Use the command… | Remarks
    Configure the specified Ethernet port as the uplink port of the monitor link group, in monitor link group view | port interface-type interface-number uplink |
    Configure the specified Ethernet port as the uplink port of the monitor link group, in Ethernet port view | quit; interface interface-type interface-number; port monitor-link group group-id uplink |
    Configuring a Downlink Port
    Follow these steps to configure a downlink port:
    To do…...
  • Page 775: Displaying Monitor Link Configuration

    Displaying Monitor Link Configuration
    To do… | Use the command… | Remarks
    Display information about one or all monitor link groups | display monitor-link group { group-id | all } | Available in any view.
    Monitor Link Configuration Example
    Implementing Collaboration Between Smart Link and Monitor Link
    Network requirements
    As shown in Figure...
  • Page 776
    [SwitchA-GigabitEthernet1/0/1] stp disable
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface GigabitEthernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] stp disable
    # Return to system view.
    [SwitchA-GigabitEthernet1/0/2] quit
    # Create smart link group 1 and enter smart link group view.
    [SwitchA] smart-link group 1
    # Configure GigabitEthernet 1/0/1 as the master port of the smart link group and GigabitEthernet 1/0/2 as the slave port.
  • Page 777
    Table of Contents
    1 IPv6 Configuration 1-1
      IPv6 Overview 1-1
        IPv6 Features 1-1
        Introduction to IPv6 Address 1-3
        Introduction to IPv6 Neighbor Discovery Protocol 1-6
        Introduction to IPv6 DNS 1-8
        Protocols and Standards 1-8
      IPv6 Configuration Task List 1-9
        Configuring an IPv6 Unicast Address 1-9
        Configuring IPv6 NDP 1-11
        Configuring a Static IPv6 Route 1-12
        Configuring IPv6 TCP Properties 1-13
        ...
  • Page 778: Ipv6 Configuration

    The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. H3C S5100-SI/EI Series Ethernet Switches support IPv6 management features, but do not support IPv6 forwarding and related features.
  • Page 779
    Figure 1-1 Comparison between IPv4 header format and IPv6 header format
    Adequate address space
    The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide about 3.4 × 10^38 addresses, enough to meet the requirements of hierarchical address division as well as the allocation of public and private addresses.
  • Page 780: Introduction To Ipv6 Address

    Enhanced neighbor discovery mechanism
    The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. It manages message exchange between neighbor nodes (nodes on the same link). This group of ICMPv6 messages takes the place of the Address Resolution Protocol (ARP), ICMPv4 router discovery, and ICMPv4 redirect messages, and provides a series of other functions.
  • Page 781
    Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
    Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols’...
  • Page 782 Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address. Multicast address Multicast addresses listed in Table 1-2...
  • Page 783: Introduction To Ipv6 Neighbor Discovery Protocol

    H3C S5100-SI/EI Series Ethernet Switches do not support the RS, RA, or Redirect message. Of the above mentioned IPv6 NDP functions, H3C S5100-SI/EI Series Ethernet Switches support the following three functions: address resolution, neighbor unreachability detection, and duplicate address detection.
  • Page 784
    Address resolution
    Similar to ARP in IPv4, a node acquires the link-layer address of a neighbor node on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B.
    Figure 1-3 Address resolution
    The address resolution procedure is as follows: Node A multicasts an NS message.
  • Page 785: Introduction To Ipv6 Dns

    Figure 1-4 Duplicate address detection
    The duplicate address detection procedure is as follows: Node A sends an NS message whose source address is the unassigned address :: and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected.
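The address derivations behind the procedures above, together with the check a node makes when it receives a DAD probe, as an added Python example; this is not code from the manual or from the switch. It uses only the standard library. The two MAC addresses are constructed, chosen so that the results match the addresses and joined groups shown in the configuration example later in this chapter (FE80::20F:E2FF:FE00:1, 2001::20F:E2FF:FE49:8048, FF02::1:FF00:1 and FF02::1:FF49:8048). Two points worth noticing: an EUI-64 interface identifier embeds the MAC address in a globally visible address, and any node on the link can answer a DAD probe with an NA and force the probing node to abandon the address, so DAD on an untrusted segment is a denial-of-service vector.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Build the 64-bit EUI-64 interface identifier from a 48-bit MAC.

    The universal/local bit (bit 1 of the first octet) is inverted and
    FF-FE is inserted between the OUI and the device-specific part.
    Accepts 00-0F-E2-00-00-01, 00:0f:e2:00:00:01 or 000F-E200-0001.
    """
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError("MAC must contain 12 hex digits: %r" % mac)
    o = bytes.fromhex(digits)
    eui = bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (e.g. 'fe80::/64' or '2001::/64') with the EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def joined_groups(unicast_addrs):
    """Multicast groups an interface must join: all-nodes plus one
    solicited-node group per unicast address (duplicates collapse,
    e.g. a link-local and a global address with the same EUI-64 tail)."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    groups.update(solicited_node(a) for a in unicast_addrs)
    return sorted(str(g) for g in groups)


def dad_probe(tentative: str) -> dict:
    """Addressing of the NS a node sends to check a tentative address:
    source is the unassigned address ::, destination is the solicited-node
    group of the tentative address, and the target is the address itself."""
    return {
        "src": "::",
        "dst": str(solicited_node(tentative)),
        "target": str(ipaddress.IPv6Address(tentative)),
    }


def dad_conflict(owned_addrs, ns_src: str, ns_target: str) -> bool:
    """Receiver side of DAD: True when an NS with source :: targets an
    address this node already owns. The owner then answers with an NA and
    the probing node must give the address up."""
    if ipaddress.IPv6Address(ns_src) != ipaddress.IPv6Address("::"):
        return False  # ordinary address resolution, not a DAD probe
    target = ipaddress.IPv6Address(ns_target)
    return any(ipaddress.IPv6Address(a) == target for a in owned_addrs)


if __name__ == "__main__":
    # Constructed MACs; they reproduce the addresses shown in this chapter's example.
    SWITCH_A_MAC = "000F-E249-8048"
    SWITCH_B_MAC = "000F-E200-0001"
    a_global = eui64_address("2001::/64", SWITCH_A_MAC)
    a_link = eui64_address("fe80::/64", SWITCH_A_MAC)
    print("Switch A global:", a_global, "link-local:", a_link)
    print("Switch B link-local:", eui64_address("fe80::/64", SWITCH_B_MAC))
    print("Joined groups:", joined_groups([str(a_global), str(a_link), "3001::1"]))
    print("DAD probe for 3001::1:", dad_probe("3001::1"))
    print("Conflict?", dad_conflict(["3001::1"], "::", "3001::1"))
```

Running the block prints the derived addresses and groups; note that the manually configured 3001::1 contributes the group FF02::1:FF00:1, while the two EUI-64 addresses of Switch A share FF02::1:FF49:8048, which is exactly the set the display ipv6 interface output lists.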
  • Page 786: Ipv6 Configuration Task List

    RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
    RFC 3596: DNS Extensions to Support IP Version 6
    IPv6 Configuration Task List
    Complete the following tasks to configure IPv6:
    Task | Remarks
    Configuring an IPv6 Unicast Address | Required
    Configuring IPv6 NDP | Optional
    Configuring a Static IPv6 Route | Optional
    ...
  • Page 787 IPv6 unicast addresses can be configured for only one VLAN interface on an H3C S5100-SI/EI Ethernet switch. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
  • Page 788: Configuring Ipv6 Ndp

    Configuring IPv6 NDP Configuring a static neighbor entry The IPv6 address of a neighbor node can be resolved into a link-layer address dynamically through NS and NA messages or statically through manual configuration. You can configure a static neighbor entry in two ways: Mapping a VLAN interface to an IPv6 address and a link-layer address Mapping a port in a VLAN to an IPv6 address and a link-layer address If you configure a static neighbor entry in the second way, make sure the corresponding VLAN interface...
  • Page 789: Configuring A Static Ipv6 Route

    Follow these steps to configure the number of attempts to send an NS message for duplicate address detection:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enter VLAN interface view | interface interface-type interface-number | —
    Configure the number of attempts to send an NS message for duplicate address detection | | Optional. 1 by default.
  • Page 790: Configuring Ipv6 Tcp Properties

    To do… | Use the command… | Remarks
    Configure a static IPv6 route | ipv6 route-static ipv6-address prefix-length [ interface-type interface-number ] nexthop-address | Required. By default, no static IPv6 route is configured.
    Configuring IPv6 TCP Properties
    The IPv6 TCP properties you can configure include:
    synwait timer: When a SYN packet is sent, the synwait timer is triggered.
  • Page 791: Configuring The Hop Limit Of Icmpv6 Reply Packets

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Configure the maximum number of IPv6 ICMP error packets sent within a specified time | ipv6 icmp-error { bucket bucket-size | ratelimit ... | Optional. By default, the capacity of a token bucket is 10 and the update period is 100 milliseconds.
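A model of the token-bucket limiter the table describes, as an added Python example rather than code from the switch. It assumes the semantics the defaults imply: the bucket starts full with bucket-size tokens, one token is added per update period, and each ICMPv6 error packet either consumes a token or is dropped; a fake clock makes the behaviour reproducible. What it shows is that a burst of 10 errors goes out at once, the 11th is dropped until a period elapses, and in steady state the switch cannot be made to emit error packets faster than one per period (10 per second with the defaults), which is what bounds the cost of a flood of unroutable traffic aimed at provoking ICMPv6 errors.

```python
import time


class IcmpErrorLimiter:
    """Token bucket that gates ICMPv6 error packets (Destination Unreachable,
    Hop Limit Exceeded, ...). Defaults match the manual: 10 tokens, 100 ms."""

    def __init__(self, bucket_size=10, interval_ms=100, clock=None):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket_size and interval_ms must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        # clock returns milliseconds; injectable so tests are deterministic
        self._clock = clock or (lambda: time.monotonic() * 1000.0)
        self.tokens = bucket_size            # assumption: the bucket starts full
        self._last_refill = self._clock()
        self.sent = 0
        self.dropped = 0

    def _refill(self):
        """Add one token per elapsed update period, never above bucket_size."""
        now = self._clock()
        periods = int((now - self._last_refill) // self.interval_ms)
        if periods > 0:
            self.tokens = min(self.bucket_size, self.tokens + periods)
            self._last_refill += periods * self.interval_ms

    def allow(self) -> bool:
        """Return True if one ICMPv6 error packet may be sent now."""
        self._refill()
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.dropped += 1
        return False


def simulate(timestamps_ms, bucket_size=10, interval_ms=100):
    """Feed a sequence of error-packet send attempts at the given times
    (milliseconds, non-decreasing) and return the allow/drop decision for each."""
    now = {"t": timestamps_ms[0] if timestamps_ms else 0}
    limiter = IcmpErrorLimiter(bucket_size, interval_ms, clock=lambda: now["t"])
    decisions = []
    for t in timestamps_ms:
        now["t"] = t
        decisions.append(limiter.allow())
    return decisions


if __name__ == "__main__":
    # Constructed attempt times: a burst of 12 at t=0, then one at 50 ms and one at 100 ms.
    for t, ok in zip([0] * 12 + [50, 100], simulate([0] * 12 + [50, 100])):
        print("t=%4d ms  %s" % (t, "sent" if ok else "dropped"))
```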
  • Page 792: Displaying And Maintaining Ipv6

    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the dynamic domain name resolution function | dns resolve | Required. Disabled by default.
    Configure an IPv6 DNS server | dns server ipv6 ipv6-address [ interface-type ... | Required. If the IPv6 address of the DNS server is a link-local address, the interface-type and...
  • Page 793
    To do… | Use the command… | Remarks
    Display information about the routing table | display ipv6 route-table [ verbose ] |
    Display information related to a specified socket | display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] |
    Display the statistics of IPv6 packets and IPv6 ICMP packets | display ipv6 statistics | ...
  • Page 794: Ipv6 Configuration Example

    IPv6 Configuration Example IPv6 Unicast Address Configuration Network requirements Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches.
  • Page 795
    Global unicast address(es):
      2001::20F:E2FF:FE49:8048, subnet is 2001::/64
      3001::1, subnet is 3001::/64
    Joined group address(es):
      FF02::1:FF00:1
      FF02::1:FF49:8048
      FF02::1
    MTU is 1500 bytes
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconfig for addresses
    # Display the brief IPv6 information of the interface on Switch B.
  • Page 796
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms
    Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms
    --- FE80::20F:E2FF:FE00:1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 60/66/80 ms...
  • Page 797
    0.00% packet loss
    round-trip min/avg/max = 50/60/70 ms
  • Page 798: Ipv6 Application Configuration

    IPv6 Application Configuration Example
    Troubleshooting IPv6 Application
    Introduction to IPv6 Application
    IPv6 supports more and more applications, most of which are the same as their IPv4 counterparts. The applications supported on H3C S5100-SI/EI Series Ethernet Switches are: Ping, Traceroute, TFTP...
  • Page 799: Ipv6 Traceroute

    IPv6 Traceroute
    The traceroute ipv6 command records the route of IPv6 packets from source to destination, so that you can check whether the path is available and locate the point of failure.
    Figure 2-1 Traceroute process
    As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1.
  • Page 800: Ipv6 Telnet

    To do… | Use the command… | Remarks
    Download/upload files from/to the TFTP server | tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] | Required. Available in user view.
    When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i keyword if the destination address is a link-local address. TFTP provides neither authentication nor integrity protection for the transferred file, so use it only on a management network you control, and prefer SFTP where it is available.
  • Page 801: Ipv6 Application Configuration Example

    Network requirements
    As shown in Figure 2-3, SWA, SWB and SWC are three switches; SWA is an H3C S5100-SI/EI Ethernet switch, and SWB and SWC are two switches supporting IPv6 forwarding. In a LAN there are a Telnet server and a TFTP server, providing Telnet service and TFTP service to the switch respectively.
  • Page 802: Troubleshooting Ipv6 Application

    bytes=56 Sequence=1 hop limit=64 time = 110 ms
    Reply from 3003::1 bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms...
  • Page 803: Unable To Run Traceroute

    Solution
    Check that the IPv6 addresses are configured correctly.
    Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up.
    Use the display ipv6 route-table command to verify that the destination is reachable.
    Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether the failure is caused by a timeout limit that is too small.
  • Page 804
    Table of Contents
    1 PoE Configuration 1-1
      PoE Overview 1-1
        Introduction to PoE 1-1
        PoE Features Supported by S5100-SI/EI 1-1
      PoE Configuration 1-3
        PoE Configuration Tasks 1-3
        Enabling the PoE Feature on a Port 1-3
        Setting the Maximum Output Power on a Port 1-4
        Setting PoE Management Mode and PoE Priority of a Port 1-4
        Setting the PoE Mode on a Port 1-5
        Configuring the PD Compatibility Detection Function 1-5
        ...
  • Page 805: Poe Configuration

    PoE Configuration
    PoE Overview
    Introduction to PoE
    Power over Ethernet (PoE)-enabled devices supply power to remote powered devices (PDs) over the twisted pairs of their electrical Ethernet ports, so that power supply and data transmission take place on the same cable.
    Advantages of PoE
    Reliability: The centralized power supply provides convenient backup, unified management, and safety.
  • Page 806
    PoE power supply by switch model (the original table lists, per model and power input, the total power supply, the maximum number of electrical ports supplying power, the maximum power provided by each PoE electrical port, the maximum output power and the maximum power-supplying distance):
    Switch | Power input | Power
    S5100-16P-PWR-EI | AC input | 125 W
    S5100-16P-PWR-EI | DC input | 400 W
    S5100-26C-PWR-EI | AC input | 370 W
    S5100-26C-PWR-EI | DC input | 800 W
    S5100-50C-PWR-EI | AC input | ...
  • Page 807: Poe Configuration Tasks

    When you use the PoE-enabled S5100-SI/EI switch to supply power, the PDs need no external power supply. If a remote PD has an external power supply, the PoE-enabled S5100-SI/EI switch and the external power supply back up each other for the PD. Only the Ethernet electrical ports of the PoE-enabled S5100-SI/EI switch support the PoE feature.
  • Page 808: Setting The Maximum Output Power On A Port

    By default, the PoE function on a port is enabled by the default configuration file when the device is delivered. If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device. Setting the Maximum Output Power on a Port The maximum power that can be supplied by each Ethernet electrical port of a PoE-enabled S5100-SI/EI switch to its PD is 15,400 mW.
  • Page 809: Setting The Poe Mode On A Port

    Table 1-6 Set the PoE management mode and PoE priority of a port
    Operation | Command | Description
    Enter system view | system-view | —
    Set the PoE management mode for the switch | poe power-management { auto | manual } | Required. auto by default.
    Enter Ethernet port view | interface interface-type interface-number | —
  • Page 810: Configuring Poe Over-Temperature Protection On The Switch

    Configuring PoE Over-Temperature Protection on the Switch
    When the internal temperature of the switch exceeds the PoE protection temperature, the switch disables the PoE feature on all ports for self-protection. When the internal temperature of the switch drops below the PoE restoration temperature, the switch restores the PoE settings on all ports. Table 1-2 shows the PoE protection and restoration temperatures of the switches.
  • Page 811: Poe Configuration Example

    Table 1-11 Display PoE configuration
    Operation | Command | Description
    Display the PoE status of a specific port or all ports of the switch | display poe interface [ interface-type interface-number ] | Available in any...
    Display the PoE power information of a specific port or all ports of the switch | display poe interface power [ interface-type interface-number ] |
  • Page 812
    # Enable the PoE feature on GigabitEthernet 1/0/1, and set the PoE maximum output power of GigabitEthernet 1/0/1 to 12,000 mW.
    [SwitchA] interface GigabitEthernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] poe enable
    [SwitchA-GigabitEthernet1/0/1] poe max-power 12000
    [SwitchA-GigabitEthernet1/0/1] quit
    # Enable the PoE feature on GigabitEthernet 1/0/2, and set the PoE maximum output power of GigabitEthernet 1/0/2 to 2500 mW.
  • Page 813: Poe Profile Configuration

    PoE Profile Configuration
    Introduction to PoE Profile
    On a large network or a network with mobile users, to help network administrators monitor the PoE features of the switch, S5100-SI/EI series Ethernet switches provide the PoE profile feature. A PoE profile is a set of PoE configurations covering multiple PoE features. Features of PoE profiles: Various PoE profiles can be created.
  • Page 814: Displaying Poe Profile Configuration

    Operation | Command | Description
    Enter Ethernet port view | interface interface-type interface-number |
    Apply the existing PoE profile to the port | apply poe-profile profile-name | Ethernet port view
    Note the following during the configuration: When the apply poe-profile command is used to apply a PoE profile to a port, some PoE features in the PoE profile can be applied successfully while some cannot.
  • Page 815
    The maximum power for GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5 is 3,000 mW, whereas the maximum power for GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10 is 15,400 mW. Based on the above requirements, two PoE profiles are made for the users of group A. Apply PoE profile 1 to GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5;...
  • Page 816
    poe priority critical
    # Create Profile2, and enter PoE profile view.
    [SwitchA] poe-profile Profile2
    # In Profile2, add the PoE policy configuration applicable to GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10 for users of group A.
    [SwitchA-poe-profile-Profile2] poe enable
    [SwitchA-poe-profile-Profile2] poe mode signal
    [SwitchA-poe-profile-Profile2] poe priority high
    [SwitchA-poe-profile-Profile2] poe max-power 15400
    [SwitchA-poe-profile-Profile2] quit...
  • Page 817
    Table of Contents
    1 UDP Helper Configuration 1-1
      Introduction to UDP Helper 1-1
      Configuring UDP Helper 1-2
      Displaying and Maintaining UDP Helper 1-3
      UDP Helper Configuration Example 1-3
        Cross-Network Computer Search Through UDP Helper 1-3
  • Page 818: Udp Helper Configuration

    UDP Helper Configuration
    The contents of this chapter apply only to the S5100-EI series among the S5100 series switches.
    When configuring UDP Helper, go to these sections for information you are interested in: Introduction to UDP Helper; Configuring UDP Helper; Displaying and Maintaining UDP Helper; UDP Helper Configuration Example.
    Introduction to UDP Helper...
  • Page 819: Configuring Udp Helper

    Table 1-1 List of default UDP ports (the IANA well-known ports of these services)
    Protocol | UDP port number
    DNS (Domain Name System) | 53
    NetBIOS-DS (NetBIOS Datagram Service) | 138
    NetBIOS-NS (NetBIOS Name Service) | 137
    TACACS (Terminal Access Controller Access Control System) | 49
    TFTP (Trivial File Transfer Protocol) | 69
    Time Service | 37
    Configuring UDP Helper
    Follow these steps to configure UDP Helper:
    To do…...
  • Page 820: Displaying And Maintaining Udp Helper

    Displaying and Maintaining UDP Helper
    To do… | Use the command… | Remarks
    Display the UDP broadcast relay forwarding information of a specified VLAN interface on the switch | display udp-helper server [ interface vlan-interface vlan-id ] | Available in any view
    Clear statistics about packets forwarded by UDP Helper | reset udp-helper packet | Available in user view
  • Page 821
    Table of Contents
    1 Access Management Configuration 1-1
      Access Management Overview 1-1
      Configuring Access Management 1-2
      Access Management Configuration Examples 1-2
        Access Management Configuration Example 1-2
        Combining Access Management with Port Isolation 1-3
  • Page 822: Access Management Configuration

    Access Management Configuration When configuring access management, go to these sections for information you are interested in: Access Management Overview Configuring Access Management Access Management Configuration Examples Access Management Overview Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches;...
  • Page 823: Configuring Access Management

    Configuring Access Management
    Follow these steps to configure access management:
    To do… | Use the command… | Remarks
    Enter system view | system-view | —
    Enable the access management function | am enable | Required. By default, the system disables the access management function.
    Enable access management trap | am trap enable | Required. By default, access management trap is...
  • Page 824: Combining Access Management With Port Isolation

    Prevent the PCs that do not belong to Organization 1 (PC 2 and PC 3) from accessing the external network through GigabitEthernet 1/0/1 of Switch A.
    Network diagram
    Figure 1-2 Network diagram for access management configuration
    Configuration procedure
    Perform the following configuration on Switch A.
    # Enable access management.
  • Page 825
    Allow the PCs of Organization 2 to access the external network through GigabitEthernet 1/0/2 of Switch A. GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 belong to VLAN 1. The IP address of VLAN-interface 1 is 202.10.20.200/24. PCs of Organization 1 are isolated from those of Organization 2 at Layer 2.
    Network diagram
    Figure 1-3 Network diagram for combining access management and port isolation
    Configuration procedure...
  • Page 826
    # Configure the access management IP address pool on GigabitEthernet 1/0/2.
    [Sysname] interface GigabitEthernet 1/0/2
    [Sysname-GigabitEthernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
    # Add GigabitEthernet 1/0/2 to the port isolation group.
    [Sysname-GigabitEthernet1/0/2] port isolate
    [Sysname-GigabitEthernet1/0/2] quit...
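The check that an access-management-enabled port performs on incoming packets, as an added Python example; the switch's own implementation is not shown in the manual. It assumes the reading of am ip-pool used in the configuration above: each pool is a start address followed by the number of consecutive addresses, so 202.10.20.25 26 covers 202.10.20.25 through 202.10.20.50 and 202.10.20.55 11 covers 202.10.20.55 through 202.10.20.65. Only IPv4 sources are modelled, and a port with no pool configured is treated as unrestricted, which is an assumption of this example rather than a statement about the switch. The practical caveat is that the filter keys on the source IP address alone: it stops a host on the wrong port from using an address outside that port's pool, but it does not stop a host on the right port from spoofing a neighbour's address inside the pool range.

```python
import ipaddress


def parse_am_ip_pool(args: str):
    """Parse the argument list of 'am ip-pool' into (start, end) address ranges.

    The list alternates a start address and a count of consecutive addresses,
    e.g. '202.10.20.25 26 202.10.20.55 11'. Assumed reading of the command:
    a start address followed by an optional count (count 1 when absent).
    """
    tokens = args.split()
    ranges = []
    i = 0
    while i < len(tokens):
        start = ipaddress.IPv4Address(tokens[i])
        count = 1
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():
            count = int(tokens[i + 1])
            i += 1
        if count < 1:
            raise ValueError("address count must be at least 1")
        end = start + (count - 1)        # IPv4Address supports integer offsets
        ranges.append((start, end))
        i += 1
    return ranges


class AccessManager:
    """Per-port source-IP filter: a port with one or more pools forwards only
    packets whose source IPv4 address lies inside a pool. Ports with no pool
    are unrestricted (assumption of this example)."""

    def __init__(self):
        self.pools = {}                  # port name -> list of (start, end)

    def configure(self, port: str, am_ip_pool_args: str):
        """Equivalent of entering port view and issuing 'am ip-pool ...'."""
        self.pools.setdefault(port, []).extend(parse_am_ip_pool(am_ip_pool_args))

    def allowed(self, port: str, src_ip: str) -> bool:
        ranges = self.pools.get(port)
        if not ranges:
            return True
        src = ipaddress.IPv4Address(src_ip)
        return any(lo <= src <= hi for lo, hi in ranges)

    def filter_packets(self, packets):
        """Apply the check to (ingress port, source IP) tuples; return the dropped ones."""
        return [(p, s) for p, s in packets if not self.allowed(p, s)]


if __name__ == "__main__":
    am = AccessManager()
    am.configure("GigabitEthernet1/0/2", "202.10.20.25 26 202.10.20.55 11")
    # Constructed sample traffic: (ingress port, source IP)
    sample = [
        ("GigabitEthernet1/0/2", "202.10.20.25"),
        ("GigabitEthernet1/0/2", "202.10.20.50"),
        ("GigabitEthernet1/0/2", "202.10.20.51"),
        ("GigabitEthernet1/0/2", "202.10.20.65"),
        ("GigabitEthernet1/0/2", "202.10.20.66"),
        ("GigabitEthernet1/0/2", "202.10.20.1"),
    ]
    for pkt in am.filter_packets(sample):
        print("dropped:", pkt)
```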
  • Page 827
    Table of Contents
    1 Acronyms 1-1
  • Page 828
    Acronyms
    AAA: Authentication, Authorization and Accounting
    ABR: Area Border Router
    ACL: Access Control List
    ARP: Address Resolution Protocol
    AS: Autonomous System
    ASBR: Autonomous System Border Router
    BDR: Backup Designated Router
    CAR: Committed Access Rate
    CLI: Command Line Interface
    CoS: Class of Service
    DHCP: Dynamic Host Configuration Protocol
    DR: Designated Router
    DV: Distance Vector Routing Algorithm
    EGP: Exterior Gateway Protocol
    FTP: File Transfer Protocol
    ...
  • Page 829
    IP: Internet Protocol
    LSA: Link State Advertisement
    LSDB: Link State DataBase
    MAC: Medium Access Control
    MIB: Management Information Base
    NBMA: Non Broadcast MultiAccess
    NIC: Network Information Center
    NMS: Network Management System
    NVRAM: Nonvolatile RAM
    OSPF: Open Shortest Path First
    PIM: Protocol Independent Multicast
    PIM-DM: Protocol Independent Multicast-Dense Mode
    PIM-SM: Protocol Independent Multicast-Sparse Mode
    PoE: Power over Ethernet
    ...
  • Page 830
    VLAN: Virtual LAN
    VOD: Video On Demand
    WRR: Weighted Round Robin
    XID: eXchange Identification
    XRN: eXpandable Resilient Networking

This manual also applies to the H3C S5100-EI.