Contents
About This Guide: How This Guide is Organized; Intended Readership; Conventions; Related Documentation
Getting Started: Product Overview; Stacking Overview; Brief Introduction; Typical Networking Topology; Product Features; Logging In to the Switch; Setting up Configuration Environment Through the Console Port; Setting up Configuration Environment Through Telnet; Setting up Configuration Environment Through a Dial-up Modem; Command Line Interface; Command Line View...
VLAN Operation: VLAN Configuration; VLAN Overview; Configuring a VLAN; Displaying and Debugging VLAN; VLAN Configuration Example One; VLAN Configuration Example Two; Voice VLAN Configuration; Introduction to Voice VLAN; Voice VLAN Configuration; Displaying and Debugging of Voice VLAN; Voice VLAN Configuration Example; Configuring Voice VLAN with a PC Downstream from Phone; Key Details for Proper Setup; Step By Step Description...
...DHCP Relay Configuration Example One; DHCP Relay Configuration Example Two; Troubleshooting DHCP Relay Configuration; Access Management Configuration; Access Management Overview; Configuring Access Management; Displaying and Debugging Access Management; Access Management Configuration Example; Access Management via the Web; UDP Helper Configuration; Overview of UDP Helper; UDP Helper Configuration; Displaying and Debugging UDP Helper Configuration...
...Basic ACL Configuration Example; Link ACL Configuration Example; QoS Configuration; QoS Configuration; Setting Port Priority; Configuring Trust Packet Priority; Setting Port Mirroring; Configuring Traffic Mirroring; Setting Traffic Limit; Setting Line Limit; Configuring WRED Operation; Displaying and Debugging QoS Configuration; QoS Configuration Example; Port Mirroring Configuration Example; ACL Control Configuration; TELNET/SSH User ACL Configuration...
...Configuration BPDU Forwarding Mechanism in STP; Implement RSTP on the Switch; RSTP Configuration; Enable/Disable RSTP on a Switch; Enable/Disable RSTP on a Port; Configure RSTP Operating Mode; Configure the STP-Ignore attribute of VLANs on a Switch; Set Priority of a Specified Bridge; Specify the Switch as Primary or Secondary Root Bridge; Set Forward Delay of a Specified Bridge; Set Hello Time of the Specified Bridge...
...Setting the Timers of the RADIUS Server; Displaying and Debugging AAA and RADIUS Protocol; AAA and RADIUS Protocol Configuration Example; Configuring the Switch 4500; AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting; Problem Diagnosis; 3Com-User-Access-Level
System Management: File System Overview; Directory Operation; File Operation...
...Erasing Configuration Files from Flash Memory; Configuring the Name of the Configuration File Used for the Next Startup; FTP Overview; Enabling/Disabling FTP Server; Configuring the FTP Server Authentication and Authorization; Configuring the Running Parameters of FTP Server; Displaying and Debugging FTP Server; Introduction to FTP Client; FTP Server Configuration Example; TFTP Overview...
...ping; Introduction to Remote-ping; Remote-ping Configuration; Introduction to Remote-ping Configuration; Configuring Remote-ping; Configuration Example; Logging Function; Introduction to Info-center; Info-Center Configuration; Sending the Information to Loghost; Sending the Information to Control Terminal; Sending the Information to Telnet Terminal or Dumb Terminal; Sending the Information to the Log Buffer; Sending the Information to the Trap Buffer; Sending the Information to SNMP Network Management...
...Adding/Deleting an Entry to/from the Extended RMON Alarm Table; Adding/Deleting an Entry to/from the Statistics Table; Displaying and Debugging RMON; RMON Configuration Example
NTP Configuration: Overview; Applications of NTP; Implementation Principle of NTP; NTP Implementation Modes; Configuring NTP Implementation Modes; Configuration Prerequisites; Configuration Procedure; Configuring Access Control Right...
Switch with Cisco Secure: Cisco Secure ACS (TACACS+) and the 3Com Switch 4500; Setting Up the Cisco Secure ACS (TACACS+) Server; Adding a 3Com Switch 4500 as a RADIUS Client; Adding a User for Network Login; Adding a User for Switch Login...
About This Guide
This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500.
How This Guide is Organized
The Switch 4500 Configuration Guide consists of the following chapters:
■ Getting Started — Details the main features and configurations of the Switch...
Conventions
This guide uses the following conventions:
Table 1 Icons
Notice Type: Information note. Description: Information that describes important features or instructions.
Notice Type: Caution. Description: Information that alerts you to potential loss of data or potential damage to an application, system, or device.
Notice Type: Warning. Description: Information that alerts you to potential personal injury.
Related Documentation
The 3Com Switch 4500 Getting Started Guide provides information about installation. The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the configuration commands.
Getting Started
This chapter covers the following topics:
■ Product Overview
■ Stacking Overview
■ Product Features
■ Logging In to the Switch
■ Command Line Interface
■ User Interface Configuration
Product Overview
Table 3 lists the models in the Switch 4500 family.
Table 3 Models in the Switch 4500 family Power...
Stacking Overview
Brief Introduction
With the 3Com Switch 4500, up to eight units can be operated together as a single larger logical unit to simplify administration. This is called stacking. Stacking allows you to add ports in a site or location incrementally, without adding complexity to the management of the switch.
Table 4 Function Features
Security features: Multi-level user management and password protection; 802.1X authentication; Packet filtering
Quality of Service (QoS): Traffic classification; Bandwidth control; Priority; Queues of different priority on the port
Management and Maintenance: Command line interface configuration; Configuration through console port...
■ Databit = 8
■ Parity check = none
■ Stopbit = 1
■ Flow control = none
■ Terminal type = VT100
Figure 3 Setting up a New Connection
Figure 4 Configuring the Port for Connection...
Figure 5 Setting Communication Parameters
3 The Switch is powered on and displays self-test information. Press <Enter> to show the command line prompt, such as <4500>.
4 Enter a command to configure the Switch or view its operating state. Enter the online help command to view online help.
Figure 6 Setting up the Configuration Environment through Telnet (workstations, servers and a PC for configuring the switch via Telnet, connected to the switch's Ethernet ports)
3 Run Telnet on the PC and enter the IP address of the VLAN connected to the...
Figure 8 Providing Telnet Client Service (Telnet Server and Telnet Client)
1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
The modem configuration commands and outputs may differ between modems. For details, refer to the User Guide of the modem. 3Com recommends that the transmission rate on the console port be lower than that of the modem; otherwise packets may be lost.
Figure 10 Setting the Dialed Number
Figure 11 Dialing on the Remote PC
5 Enter the preset login password on the remote terminal emulator and wait for the <4500> prompt. Then you can configure and manage the Switch. Enter the online help command to view...
Command Line Interface
The Switch 4500 family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics:
■ Local configuration through the console port....
To prevent unauthorized users from gaining access, a user is authenticated when switching from a lower level to a higher level with the super level command. User ID authentication is performed when users at a lower level become users at a higher level.
Table 5 Features of Command Views
Command view: User View
Function: Show the basic information about operation and...
Prompt: <4500>
Command to enter: This is the view you are in after connecting to the Switch
Command to exit: quit disconnects from the Switch...
Command view: ... Group View
Function: Configure ... parameters
Prompt: [4500-radius-1]
Command to enter: ... in System View
Command to exit: quit returns to System View; return returns to User View
Command view: ISP Domain View
Function: Configure ISP domain parameters
Prompt: [4500-isp-3Com.net]
Command to enter: Enter domain 3Com.net in System View
Command to exit: quit returns to System View; return returns to User View...
Features and Functions of Command Line
Command Line Help
The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below:
1 Enter the online help command in any view to get all the commands in that view.
...command buffer defaults to 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7.
Table 7 Retrieving History Commands
Display history commands: display history-command (displays the history commands input by the user)...
Table 9 Editing Functions
<Tab>: Press <Tab> after typing an incomplete keyword and the system will display partial help: if the keyword matching the one entered is unique, the system replaces it with the complete keyword and displays it on a new line;...
User Interface Configuration
Tasks for configuring the user interface are described in the following sections:
■ Entering User Interface View
■ Configuring the User Interface-Supported Protocol
■ Configuring the Attributes of the AUX (Console) Port
■ Configuring the Terminal Attributes
...
Perform the following configurations in User Interface View (AUX user interface only).
Configuring the Transmission Speed on the AUX (Console) Port
Table 12 Configuring the Transmission Speed on the AUX (Console) Port
Configure the transmission speed on the AUX (console) port: speed speed_value
Restore the default transmission speed on the AUX...
Configuring the Terminal Attributes
The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
Setting the Screen Length
If a command displays more than one screen of information, you can use the following command to set how many lines are displayed per screen, so that the information is split across screens and is easier to read.
In the following example, local username and password authentication are configured. Perform username and password authentication when a user logs in through the VTY 0 user interface, and set the username and password to zbr and 3Com respectively.
[4500-ui-vty0]authentication-mode scheme
[4500-ui-vty0]quit...
Table 24 Setting the Command Level Used after a User Logs In
Restore the default command level used after a user logs in: undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* }
By default, the specified logged-in user can access the commands at Level 1.
Configuring Redirection
send command
The following command can be used for sending messages between user interfaces. Perform the following configuration in User View.
Table 27 Configuring to Send Messages Between Different User Interfaces
Send messages between different user interfaces: send { all | number | type number }
Table 29 Displaying and Debugging User Interface
Display the user application information of the user interface: display users [ all ]
Display the physical attributes and some configurations of the user interface: display user-interface [ type number | number ] [ summary ]...
Port Operation
This chapter covers the following topics:
■ Ethernet Port Configuration
■ Link Aggregation Configuration
Ethernet Port Configuration
Ethernet Port Overview
The following features are found in the Ethernet ports of the Switch 4500:
■ 10/100BASE-T Ethernet ports support MDI/MDI-X auto-sensing. They can...
Entering Ethernet Port View
Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View.
Table 30 Entering Ethernet Port View
Enter Ethernet Port View: interface { interface_type interface_num | interface_name }
Enabling/Disabling an Ethernet Port
Use the following command to disable or enable the port.
Note that 10/100BASE-T Ethernet ports support full duplex, half duplex and auto-negotiation, which can be set as required. Gigabit Ethernet ports support full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode.
Perform the following configuration in Ethernet Port View.
Table 36 Enabling/Disabling Flow Control for an Ethernet Port
Enable Ethernet port flow control: flow-control
Disable Ethernet port flow control: undo flow-control
By default, Ethernet port flow control is disabled.
Setting the Ethernet Port Suppression Ratio
Use the following commands to restrict broadcast/multicast/unicast traffic.
■ For the Switch 4500 26-Port and Switch 4500 26-Port PWR, GigabitEthernet1/0/25 and GigabitEthernet1/0/26 ports can be configured as a stack port;...
...port, you can configure tagging for some VLAN packets, based on which the packets can be processed differently.
Setting the Default VLAN ID for the Ethernet Port
Because an access port can only be included in one VLAN, its default VLAN is the one to which it belongs.
Table 41 Setting Loopback Detection for the Ethernet Port
Set the external loopback detection interval of the port (System View): loopback-detection interval-time time
Restore the default external loopback detection interval of the port (System View): undo loopback-detection interval-time
Configure the system to perform loopback detection per VLAN...: loopback-detection per-vlan...
Enter the loopback command in Ethernet Port View to check whether the Ethernet port works normally. During the loopback test, the port cannot forward any packets. The loopback test finishes automatically after a short time.
Table 43 Displaying and Debugging Ethernet Port
Operation Command...
Networking Diagram
Figure 12 Configuring the Default VLAN for a Trunk Port (Switch A and Switch B)
Configuration Procedure
The following configurations are used for Switch A. Configure Switch B in a similar way.
1 Enter the Ethernet Port View of Ethernet1/0/1.
[4500]interface ethernet1/0/1
2 Set Ethernet1/0/1 as a trunk port and allow VLAN 2, 6 through 50, and 100 to pass through.
...VLAN types, and default VLAN ID. The port setting includes port link type. The Switch 4500 26-Port can support up to 14 aggregation groups; the Switch 4500 50-Port can support up to 26 aggregation groups. Each group can have a maximum of eight 100 Mbps Ethernet ports or four Gigabit SFP ports.
...with the minimum port number serves as the master port, while the others are sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules:
■ The system sets the port with the highest priority to active state, and others to...
...systems as well as under manual control through direct manipulation of the state variables of Link Aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port; this is called single port aggregation.
A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while the others are standby ports. Selection criteria of selected ports vary for different types of aggregation groups.
...aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration in System View.
...port with 802.1X enabled.
■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port.
Setting/Deleting the Aggregation Group Descriptor
Perform the following configuration in System View.
Table 47 Setting/Deleting the Aggregation Group Descriptor
Operation Command...
Perform the following configuration in Ethernet Port View.
Table 49 Configuring Port Priority
Configure port priority: lacp port-priority port_priority_value
Restore the default port priority: undo lacp port-priority
By default, port priority is 32768.
Displaying and Debugging
After the above configuration, enter the display command in any view to display...
Networking Diagram
Figure 13 Networking for Link Aggregation (Switch A and Switch B joined by a link aggregation)
Configuration Procedure
The following only lists the configuration for Switch A; configure Switch B similarly.
1 Manual link aggregation
a Create manual aggregation group 1.
[4500]link-aggregation group 1 mode manual
b Add Ethernet ports Ethernet1/0/1 to Ethernet1/0/3 into aggregation group 1.
VLAN Operation
This chapter covers the following topics:
■ VLAN Configuration
■ Voice VLAN Configuration
VLAN Configuration
VLAN Overview
A virtual local area network (VLAN) groups LAN devices into logical segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q standard in 1999 to standardize VLAN implementations.
Table 51 Creating/Deleting a VLAN
Delete the specified VLAN: undo vlan { vlan_id [ to vlan_id ] | all }
Note that the default VLAN, namely VLAN 1, cannot be deleted.
Adding Ethernet Ports to a VLAN
Use the following command to add Ethernet ports to a VLAN.
Table 54 Specifying/Removing the VLAN Interface
Remove the specified VLAN interface: undo interface vlan-interface vlan_id
Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID.
Shutting Down/Enabling the VLAN Interface
Use the following command to shut down/enable a VLAN interface.
Voice VLAN Configuration
Introduction to Voice VLAN
Voice VLAN is specially designed for users' voice traffic, and it assigns different port precedence in different cases. The system uses the source MAC address of the traffic traveling through the port to identify the IP phone data flow.
■ Setting/Removing the OUI Address Learned by Voice VLAN
■ Enabling/Disabling Voice VLAN Security Mode
■ Enabling/Disabling Voice VLAN Auto Mode
■ Setting the Aging Time of Voice VLAN
If you change the status of Voice VLAN security mode, you must first enable Voice VLAN features globally.
There are four default OUI addresses after the system starts.
Table 61 Default OUI Addresses
00:E0:BB: 3Com phone
00:03:6B: Cisco phone
00:E0:75: Polycom phone
00:D0:1E: Pingtel phone
Enabling/Disabling Voice VLAN Security Mode
In security mode, the system filters out traffic within the Voice VLAN whose source MAC address does not match a configured OUI, while other VLANs are not affected.
Perform the following configuration in System View.
Table 64 Configuring the Aging Time of Voice VLAN
Set the aging time of Voice VLAN: voice vlan aging minutes
Restore the default aging time: undo voice vlan aging
The default aging time is 1440 minutes.
[4500-Ethernet1/0/2]quit
[4500]undo voice vlan mode auto
[4500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private
[4500]voice vlan 2 enable
[4500]voice vlan aging 100
Configuring Voice VLAN with a PC Downstream from Phone
A common configuration for voice-enabled networks is to place a PC downstream from a VoIP phone.
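As an added example (not code from the 3Com guide), the following Python models the OUI check the text describes: each frame's source MAC is matched against the OUI table using the address/mask form of the voice vlan mac_address command, and in security mode frames with no matching OUI are kept out of the Voice VLAN. The four default OUIs of Table 61 and the private 0011-2200-0000 / ffff-ff00-0000 entry come from the page; the sample source MACs are constructed.

```python
"""Voice VLAN OUI classification as the guide describes it: the source MAC of a
frame is matched against the OUI table (address + mask); in security mode a
frame whose source MAC matches no OUI is filtered out of the Voice VLAN.

Added example, not the 3Com guide's code. OUI entries are the page's; the
sample frames at the bottom are constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def mac_to_int(mac: str) -> int:
    """Accept the switch's hhhh-hhhh-hhhh form, the colon form, or a bare
    3-byte OUI such as 00:E0:BB (right-padded with zeros to 48 bits)."""
    digits = _NON_HEX.sub("", mac)
    if len(digits) not in (6, 12):
        raise ValueError(f"bad MAC/OUI: {mac!r}")
    return int(digits.ljust(12, "0"), 16)


@dataclass(frozen=True)
class OuiEntry:
    address: int
    mask: int
    description: str

    def matches(self, mac: int) -> bool:
        # Same test the 'voice vlan mac_address X mask M' entry expresses:
        # the masked bits of the frame's MAC must equal the masked OUI bits.
        return (mac & self.mask) == (self.address & self.mask)


# 24-bit OUI mask shared by the four defaults in Table 61.
OUI_MASK = mac_to_int("ffff-ff00-0000")

DEFAULT_OUIS = [
    OuiEntry(mac_to_int("00:E0:BB"), OUI_MASK, "3Com phone"),
    OuiEntry(mac_to_int("00:03:6B"), OUI_MASK, "Cisco phone"),
    OuiEntry(mac_to_int("00:E0:75"), OUI_MASK, "Polycom phone"),
    OuiEntry(mac_to_int("00:D0:1E"), OUI_MASK, "Pingtel phone"),
]

# The custom entry from the configuration example above.
OUI_TABLE = DEFAULT_OUIS + [
    OuiEntry(mac_to_int("0011-2200-0000"), mac_to_int("ffff-ff00-0000"), "private"),
]


def classify(src_mac: str, table=OUI_TABLE) -> Optional[str]:
    """Return the description of the first OUI entry matching src_mac, or None."""
    mac = mac_to_int(src_mac)
    for entry in table:
        if entry.matches(mac):
            return entry.description
    return None


def admit_to_voice_vlan(src_mac: str, security_mode: bool, table=OUI_TABLE) -> bool:
    """Security mode admits only frames whose source MAC matches an OUI;
    outside security mode the OUI check is not enforced on admission."""
    if not security_mode:
        return True
    return classify(src_mac, table) is not None


def filter_frames(src_macs: List[str], security_mode: bool = True,
                  table=OUI_TABLE) -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Run a batch of source MACs through the check.
    Returns (admitted [(mac, description)], dropped [mac])."""
    admitted, dropped = [], []
    for src in src_macs:
        if admit_to_voice_vlan(src, security_mode, table):
            admitted.append((src, classify(src, table)))
        else:
            dropped.append(src)
    return admitted, dropped


if __name__ == "__main__":
    # Constructed sample source MACs: a 3Com phone, a 'private' phone, a PC.
    sample = ["00e0-bb12-3456", "0011-22aa-bbcc", "0800-2700-0001"]
    print(filter_frames(sample, security_mode=True))
```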
■ Ensure phones are not pre-configured with a static IP address.
■ If used in a 3Com NBX network, be sure the NBX Call Processor is set to "Standard IP." Likewise, ensure the NBX Call Processor default gateway is set to the VLAN interface IP address.
Figure 19 DHCP Scopes
2 Connect the NBX call processor (IP address 10.10.11.192/24) and 3Com NBX phones (2102PE) 1 and 2 to Port 11, 6 or 7, and 9 on the Switch, respectively.
 level 2
local-user monitor
 service-type ssh telnet terminal
 level 1
acl number 4999
 rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff
vlan 1
 igmp-snooping enable
vlan 5                  <--------------- Create Data Vlan 5
vlan 50                 <--------------- Create voice Vlan 50
interface Vlan-interface1
 ip address dhcp-alloc
 rip version 2 multicast...
interface Ethernet1/0/6
 poe enable
 stp edged-port enable
 port link-type hybrid  <--------------- Setup for Hybrid ports
 port hybrid vlan 5 untagged
 undo port hybrid vlan 1
 port hybrid pvid vlan 5
 broadcast-suppression PPS 3000
 priority trust
 voice vlan enable
 packet-filter inbound link-group 4999 rule 0...
Power over Ethernet Configuration
This chapter covers the following topics:
■ PoE Overview
■ PoE Configuration
PoE Overview
The Switch 4500 26 Port PWR and Switch 4500 50 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote powered devices (PDs), such as IP Phones, WLAN APs, Network Cameras, and so on.
■ When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply.
■ If a remote PD has an external power supply, the PWR switches and the...
Setting the Maximum Power Output on a Port
The maximum power that an Ethernet port of the Switch 4500 26-Port PWR and Switch 4500 50-Port PWR can supply to its PD is 15400 mW. In practice, you can set the maximum power on a port according to the actual power of the PD, in the range 1000 to 15400 mW in increments of 100 mW.
Table 69 Setting the Power Supply Management Mode on the Switch
Set the power supply management mode on the Switch to auto: poe power-management auto
Set the power supply management mode on the Switch to manual: poe power-management manual
Restore the default power supply management mode...
Upgrading the PSE Processing Software Online
Online upgrading of the PSE processing software can update the processing software or repair it if it is damaged. After the upgrade files are downloaded, you can use the following command to perform online upgrading of the PSE processing software.
...to guarantee power feeding to the PD that will be connected to Ethernet1/0/24 even when the Switch 4500 PWR is at full load.
Network Diagram
Figure 20 PoE Remote Power Supply
Configuration Procedure
Update the PSE processing software online.
Network Protocol Operation
This chapter covers the following topics:
■ IP Address Configuration
■ ARP Configuration
■ DHCP Configuration
■ Access Management Configuration
■ UDP Helper Configuration
■ IP Performance Configuration
IP Address Configuration
IP Address Overview
IP Address Classification and Indications
An IP address is a 32-bit address allocated to the devices which access the Internet.
An IP address is written in dotted decimal notation: four integers separated by dots, each corresponding to one byte, for example 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses and are seldom used.
A mask is a 32-bit number corresponding to an IP address. It consists of 1s and 0s. In principle these 1s and 0s could be combined arbitrarily; however, when designing a mask, the leading bits are set to consecutive 1s. The mask divides the IP address into two parts: the subnet address and the host address.
The IP address configuration is described in the following sections:
■ Configuring the Hostname and Host IP Address
■ Configuring the IP Address of the VLAN Interface
Configuring the Hostname and Host IP Address
The host name is associated with the IP address by using this command.
IP Address Configuration Example
Networking Requirements
Configure the IP address 129.2.2.1 and subnet mask 255.255.255.0 for VLAN interface 1 of the Switch.
Networking Diagram
Figure 23 IP Address Configuration Networking (console cable to the Switch)
Configuration Procedure
1 Enter VLAN interface 1.
...If a dynamic ARP mapping entry is not used for a specified period of time, the host removes it from the ARP mapping table to save memory and to shorten the time the Switch needs to search the ARP mapping table. Suppose there are two hosts on the same network segment: Host A and Host B.
Table 79 Manually Adding/Deleting Static ARP Mapping Entries
Manually add a static ARP mapping entry (Ethernet Port View): arp static ip_address mac_address vlan_id
Manually delete a static ARP mapping entry (System View or Ethernet Port View): undo arp ip_address
By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.
By default, this feature is enabled.
Displaying and Debugging ARP
After the above configuration, enter the display command in any view to display the running ARP configuration and to verify the effect of the configuration. Enter the debugging command in User View to debug the ARP configuration.
Figure 24 Typical DHCP Application (a DHCP Server serving several DHCP Clients)
To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur:
■ A DHCP client logs into the network for the first time...
■ If the requested IP address has become unavailable (for example, because it has been allocated to another client), the DHCP server returns a DHCP_NAK message. After receiving the DHCP_NAK message, the client sends a DHCP_Discover message to request a new IP address.
■ A DHCP client extends its IP lease period...
■ The DHCP server determines the correct configuration based on the information from the client and returns the configuration information to the client through the DHCP relay.
In fact, several such interactions may be needed to complete a DHCP relay configuration.
Configuring the DHCP Server Group for the VLAN Interfaces
Perform the following configuration in VLAN Interface View.
Table 85 Configuring the DHCP Server Group Corresponding to VLAN Interfaces
Configure the DHCP server group corresponding to VLAN interfaces: dhcp-server groupNo
Delete the DHCP server group...
Networking Diagram
Figure 26 Configuring DHCP Relay (DHCP clients on network 10.110.0.0; the Switch acting as DHCP Relay with interfaces 10.110.1.1 and 202.38.1.1; DHCP Server 202.38.1.2 on network 202.38.0.0, reached across the Internet)
Configuration Procedure
1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
Networking Diagram
Figure 27 Networking Diagram for Configuring DHCP Relay (DHCP clients on network 10.110.0.0; the Switch acting as DHCP Relay with interfaces 10.110.1.1 and 202.38.1.1; DHCP Server 202.38.1.2 on network 202.38.0.0, reached across the Internet)
Configuration Procedure
1 Configure the group number of the DHCP Server as 1 and the IP address as 202.38.1.2.
...use the debugging dhcp-relay command in User View and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as clients apply for IP addresses, and so locate the problem.
Table 88 Configuring the Access Management IP Address Pool Based on the Port
Cancel part or all of the IP addresses in the access management IP address pool of the port: undo am ip-pool { all | address_list }
By default, the IP address pools for access management on the port are null and all packets are permitted.
Enabling/Disabling Access Management Trap
You can enable the access management trap function using the following commands. When this function is enabled, the trap information of access management is delivered to the console for the purpose of monitoring. Perform the following configuration in System View.
2 Configure the IP address pool for access management on port 1.
[4500]interface ethernet1/0/1
[4500-Ethernet1/0/1]am ip-pool 202.10.20.1 20
3 Add port 1 into the isolation group.
[4500-Ethernet1/0/1]port isolate
4 Configure the IP address pool for access management on port 2.
[4500-Ethernet1/0/1]interface ethernet1/0/2
[4500-Ethernet1/0/2]am ip-pool 202.10.20.21 30
5 Add port 2 into the isolation group.
UDP Helper Configuration
UDP Helper configuration includes:
■ Enabling/Disabling UDP Helper Function
■ Configuring UDP Port with Relay Function
■ Configuring the Relay Destination Server for Broadcast Packets
Enabling/Disabling UDP Helper Function
When the UDP Helper function is enabled, you can configure the UDP ports for which relay is required; the relay function is enabled for UDP ports 69, 53, 37, 137, 138, and 49.
...For example, the udp-helper port dns command is equivalent in function to the udp-helper port 53 command.
■ The default UDP ports are not displayed when using the display current-configuration command. But a port's ID is displayed after its relay function is disabled.
Networking Diagram
Figure 29 Networking for UDP Helper Configuration (hosts on network 10.110.0.0; the Switch acting as UDP Helper with interfaces 10.110.1.1 and 202.38.1.1; server 202.38.1.2 on network 202.38.0.0, reached across the Internet)
Configuration Procedure
1 Enable the UDP Helper function.
[4500]udp-helper enable
2 Set the switch to relay-forward broadcast packets with destination UDP port 55.
[4500]udp-helper port 55
3 Set the IP address of the destination server corresponding to VLAN interface 2 as 202.38.1.2.
IP Performance Configuration. ■ Use the terminal debugging command to output the debugging information to the console. ■ Use the debugging udp packet command to enable UDP debugging and trace the UDP packet. The following are the UDP packet formats: UDP output packet: Source IP address:202.38.160.1 Source port:1024...
IP Routing Protocol Operation. IP Routing Protocol Overview: Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
Chapter 6: IP Routing Protocol Operation. ...the optimal route. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments. Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table...
IP Routing Protocol Overview In a complicated Internet configuration, as shown in Figure 31, the number in each network is the network address. The router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 2.
Supporting Load Sharing and Route Backup. I. Load sharing: The Switch 4500 supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached via multiple different paths, whose precedences are equal.
Static Routes. The following routes are static routes: ■ Reachable route — The IP packet is sent to the next hop towards the destination. This is a common type of static route. ■ Unreachable route — When a static route to a destination has the reject...
The parameters are explained as follows: ■ IP address and mask: The IP address and mask use a decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask-length, which refers to the number of consecutive 1s in the mask.
Static Routes. Displaying and Debugging Static Routes: After you configure static and default routes, execute the display command in any view to display the static route configuration and to verify the effect of the configuration. Table 103 Displaying and debugging the routing table. Operation | Command: View routing table summary...
■ Next hop address — The address of the next router that an IP packet will pass through for reaching the destination. ■ Interface — The interface through which the IP packet should be forwarded. ■ Cost — The cost for the router to reach the destination, which should be an...
After RIP is disabled, the interface-related features also become invalid. The RIP configuration tasks are described in the following sections: ■ Enabling RIP and Entering the RIP View ■ Enabling RIP on a Specified Network...
By default, RIP does not send messages to unicast addresses. 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time.
By default, the interface receives and sends RIP-1 packets. It transmits packets in multicast mode when the interface RIP version is set to RIP-2. Configuring RIP Timers: As stipulated in RFC1058, RIP is controlled by three timers: period update, timeout, and garbage-collection. Period update is triggered periodically to send all RIP routes to all neighbors.
Perform the following configurations in RIP View. Table 109 Configuring Zero Field Check of the Interface Packets. Operation | Command: Configure zero field check on the RIP-1 packet | checkzero; Disable zero field check on the RIP-1 packet | undo checkzero. Specifying the Operating State of the Interface: In the Interface View, you can specify whether RIP update packets are sent and received on the interface.
Enabling RIP-2 Route Aggregation: Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural mask route for transmission when they are sent to other networks. Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table.
generation of routing loops, but in some special cases, split horizon must be disabled to obtain correct advertising at the cost of efficiency. Disabling split horizon has no effect on P2P connected links but is applicable on the Ethernet. Perform the following configuration in Interface View: Table 114 Configuring Split Horizon Operation Command...
Setting the RIP Preference: Each routing protocol has its own preference by which the routing policy selects the optimal route from the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can be set manually.
Configuring RIP to Filter the Received Routes. Table 119 Configuring RIP to Filter the Received Routes. Operation | Command: Filter the received routing information distributed by the specified address | filter-policy gateway ip_prefix_name import; Cancel filtering of the received routing information distributed by the specified address | undo filter-policy gateway ip_prefix_name [ gateway address...
IP Routing Policy.
3 Configure RIP on Switch C
[Switch C]rip
[Switch C-rip]network 117.102.0.0
[Switch C-rip]network 110.11.2.0
Troubleshooting RIP: The Switch 4500 cannot receive the update packets when the physical connection to the peer routing device is normal. ■ RIP does not operate on the corresponding interface (for example, the...
...the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node. The access control list (ACL) used by the route policy can be divided into three types: advanced ACL, basic ACL and interface ACL.
IP Routing Policy. Perform the following configurations in System View. Table 122 Defining a route-policy. Operation | Command: Enter Route Policy View | route-policy route_policy_name { permit | deny } node { node_number }; Remove the specified route-policy | undo route-policy route_policy_name [ permit | deny | node node_number ]. The parameter specifies that if a route satisfies all the clauses of...
Table 123 Defining if-match Conditions. Operation | Command: Cancel the matched next-hop of the routing information set by the address prefix list | undo if-match ip next-hop ip-prefix; Match the routing cost of the routing information | if-match cost cost; Cancel the matched routing cost of the routing information | undo if-match cost...
IP Routing Policy. Perform the following configurations in System View. Table 125 Defining Prefix-list. Operation | Command: Define a Prefix-list | ip ip-prefix ip_prefix_name [ index index_number ] { permit | deny } network len [ greater-equal greater_equal ] [ less-equal less_equal ]; Remove a Prefix-list | undo ip ip-prefix ip_prefix_name [ index index_number | permit | deny ]...
Networking diagram: Figure 34 Filtering the received routing information (Switch A, Router ID 1.1.1.1, Vlan-interface100 10.0.0.1/8; Switch B, Router ID 2.2.2.2, Vlan-interface100 10.0.0.2/8, Vlan-interface200 12.0.0.1/8; static routes 20.0.0.0/8, 30.0.0.0/8, 40.0.0.0/8; area 0). Configuration procedure: 1 Configure Switch A: a Configure the IP address of VLAN interface.
IP Routing Policy. Troubleshooting Routing Protocols: Routing information filtering cannot be implemented in normal operation of the routing protocol. Check for the following faults: ■ The if-match mode of at least one node of the Route Policy should be the mode.
ACL Configuration. This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ ACL Control Configuration. Brief Introduction to ACL: A series of matching rules are required for the network devices to identify the packets to be filtered. After identifying the packets, the Switch can permit or deny them to pass through according to the defined policy.
Chapter 7: ACL Configuration. The depth-first principle is to put the statement specifying the smallest range of packets on the top of the list. This can be implemented through comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255.
Brief Introduction to ACL. ■ If ACL is used to filter or classify the data transmitted by the hardware of the Switch, the match order defined in the acl command will not be effective. If ACL is used to filter or classify the data treated by the software of the Switch, the match order of ACL's sub-rules will be effective.
Operation | Command: Delete a sub-item from the ACL (from Advanced ACL View) | undo rule rule_id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | vpn-instance ]*; Delete one ACL or all the ACLs (from System View) | undo acl { number acl_number | all }
1 Define the work time range Define time range from 8:00 to 18:00. [4500]time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL, number as 3000. [4500]acl number 3000 match-order config b Define the rules for other department to access the payment server.
Enter the numbered basic ACL, number 2000.
[4500]acl number 2000
b Define the rule for packets whose source IP is 10.1.1.1.
[4500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com
3 Activate ACL. Activate the ACL 2000.
[4500-GigabitEthernet1/0/50]packet-filter inbound ip-group 2000...
1 Define the time range Define time range from 8:00 to 18:00. [4500]time-range 3Com 8:00 to 18:00 daily 2 Define the ACL for the packet whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303. a Enter the numbered link ACL, number as 4000.
QoS Configuration Packet Filter Packet filter is used to filter traffic. For example, the operation “deny” discards the traffic that is matched with a traffic classification rule, while allowing other traffic to pass through. With the complex traffic classification rules, the Switch enables the filtering of various information carried in Layer 2 traffic to discard the useless, unreliable or doubtful traffic, thereby enhancing network security.
7: ACL C HAPTER ONFIGURATION QoS Configuration The process of traffic based QoS: 1 Identify the traffic by ACL 2 Perform the QoS operation to the traffic. The configuration steps of traffic based QoS: 1 Define the ACL 2 Configure the QoS operation If QoS is not based on traffic, you need not define ACL first.
QoS Configuration Setting Port Mirroring Port mirroring means duplicating data on the monitored port to the designated mirror port, for purpose of data analysis and supervision. The Switch supports one monitor port and multiple mirroring ports. If several Switches form a Fabric, multiple mirroring ports and only one monitor port and one mirroring port can be configured in the Fabric.
Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on one Fabric. 2 Configure traffic mirroring: Perform the following configuration in the Ethernet Port View. Table 141 Configuring Traffic Mirroring. Operation | Command...
Perform the following configuration in the Ethernet Port View. Table 148 Configuring WRED Operation. Operation | Command: Configure WRED Operation | wred queue_index qstart probability; Cancel the configuration of WRED Operation | undo wred queue_index. For details about the command, refer to the Command Reference Guide. Displaying and Debugging QoS Configuration: You can use the command in any view to see the QoS operation and to...
QoS Configuration Networking Diagram Figure 38 QoS Configuration Example Wage server 129.110.1.2 GE2/0/1 Switch To switch Configuration Procedure Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [4500]acl number 3000 b Define the traffic-of-pay server rule in the advanced ACL 3000.
Networking Diagram: Figure 39 QoS Configuration Example (Switch with ports E3/0/1, E3/0/2, E3/0/8; Server). Configuration Procedure: Define port mirroring, with the monitoring port being Ethernet3/0/8.
[4500-Ethernet3/0/8]monitor-port
[4500-Ethernet3/0/1]mirroring-port both
ACL Control Configuration: The Switch provides three modes for users to access devices remotely: ■ TELNET access...
ACL Control Configuration. Configuration Tasks: Table 150 lists the commands that you can execute to configure TELNET or SSH user ACL. Table 150 Commands for Configuring TELNET/SSH User ACL. In This View | Type This Command | Description: Enter system view | system-view | ; Define ACLs and ... | | Required.
...ACLs, the incoming/outgoing calls are restricted on the basis of source MAC addresses. As a result, when you use the rules for L2 ACLs, only the source MAC and the corresponding mask, and the time-range keyword take effect. ■ When you control telnet and SSH users on the basis of L2 ACLs, only the...
ACL Control Configuration Basic ACL Configuration Example Configuration Prerequisites Only the TELNET users, whose IP addresses are 10.110.100.52 and 10.110.100.46, are allowed to access switches. Figure 41 Source IP Control Over TELNET User Accessing Switch Configuration Steps # Define basic ACLs. <4500>system-view System View: return to User View with Ctrl+Z.
ACL Control Over Users Accessing Switches by SNMP: The Switch supports remote management through network management software. Network management users can access switches by Simple Network Management Protocol (SNMP). The ACL control over these users can filter illegal network management users so that the illegal users cannot log into this Switch.
ACL Control Configuration. Table 151 Commands for Controlling ACL Access via SNMP. Type This Command | Description: Use ACLs, and control users accessing switches: Use ACLs when configuring the SNMP community name | snmp-agent community { read | write } ... | SNMP community name is a feature of SNMP V1 and SNMP...
Figure 42 ACL Control Over SNMP Users of the Switch. Configuration Steps:
# Define basic ACLs and rules.
<4500>system-view
System View: return to User View with Ctrl+Z.
[4500] acl number 2000 match-order config
[4500-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[4500-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[4500-acl-basic-2000] rule 3 deny source any
[4500-acl-basic-2000] quit...
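The two ideas the chapter relies on, wildcard-mask matching with the depth-first ordering from the introduction to ACL (a smaller wildcard covers fewer hosts and should be tested first) and the config-order evaluation of the basic ACL 2000 that restricts TELNET and SNMP management users to 10.110.100.52 and 10.110.100.46, can be checked with a small model. The following Python is an added illustration written for this page, not Switch 4500 firmware code; the rule syntax it parses is the CLI form shown in the examples, the 129.102.x.x rule pair is constructed to show why match order matters, and the bit-counting tie-break is an assumption about how "smallest range" is compared.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of basic ACL rules of the form
#   rule <id> {permit|deny} source {<ip> <wildcard> | any}
# This is illustrative code, not the switch's own implementation.


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str      # "permit" or "deny"
    source: int      # source address as a 32-bit integer
    wildcard: int    # wildcard mask: 0 bits must match, 1 bits are "don't care"


def _to_int(text: str) -> int:
    """Accept dotted decimal, or the bare '0' shorthand used in the manual's examples."""
    return int(ipaddress.IPv4Address(text)) if "." in text else int(text)


def parse_rule(line: str) -> Rule:
    """Parse one CLI-style rule line, e.g. 'rule 1 permit source 10.110.100.52 0'."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "rule" or parts[3] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule_id, action = int(parts[1]), parts[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    if parts[4] == "any":
        return Rule(rule_id, action, 0, 0xFFFFFFFF)   # every bit is don't-care
    if len(parts) < 6:
        raise ValueError(f"missing wildcard in rule: {line!r}")
    return Rule(rule_id, action, _to_int(parts[4]), _to_int(parts[5]))


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse the rules in the order they were entered (config order)."""
    return [parse_rule(line) for line in lines]


def matches(rule: Rule, address: str) -> bool:
    """A packet matches when it agrees with the rule on every 0 bit of the wildcard."""
    care = ~rule.wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(address)) & care) == (rule.source & care)


def depth_first(rules: List[Rule]) -> List[Rule]:
    """Depth-first order: the rule with the smallest wildcard (fewest hosts) first.

    Assumption: 'smaller wildcard' is compared by the number of 1 bits; ties keep config order.
    """
    return sorted(rules, key=lambda r: (bin(r.wildcard).count("1"), r.rule_id))


def evaluate(rules: List[Rule], address: str, match_order: str = "config") -> Optional[str]:
    """Return the action of the first matching rule, or None if nothing matches."""
    ordered = rules if match_order == "config" else depth_first(rules)
    for rule in ordered:
        if matches(rule, address):
            return rule.action
    return None


# ACL 2000 from the TELNET/SNMP control example (match-order config).
ACL_2000 = parse_acl([
    "rule 1 permit source 10.110.100.52 0",
    "rule 2 permit source 10.110.100.46 0",
    "rule 3 deny source any",
])

# Constructed pair showing why match order matters: a segment rule and a
# host rule for the same address, in the spirit of the 129.102.x.x example.
ACL_ORDER_DEMO = parse_acl([
    "rule 1 permit source 129.102.1.1 0.0.255.255",   # all of 129.102.0.0/16
    "rule 2 deny source 129.102.1.1 0.0.0.0",         # the single host 129.102.1.1
])

if __name__ == "__main__":
    for ip in ("10.110.100.52", "10.110.100.46", "10.110.100.99"):
        print(ip, "->", evaluate(ACL_2000, ip))
    print("config order:", evaluate(ACL_ORDER_DEMO, "129.102.1.1", "config"))
    print("auto (depth-first):", evaluate(ACL_ORDER_DEMO, "129.102.1.1", "auto"))
```

Running the demo shows the point the chapter makes: with match-order config, 129.102.1.1 is permitted because the broad segment rule is tested first; under depth-first ordering the host rule wins and the same address is denied. It also shows why the "deny source any" rule is what actually closes the management plane: without it an unlisted address matches nothing and falls through to whatever the default behaviour is.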
ACL Control Configuration Calling ACL to Control HTTP Users To control the Web network management users with ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in System View. Table 152 Calling ACL to Control HTTP Users Operation Command Call an ACL to control the WEB NM users.
IGMP Snooping. IGMP Snooping Overview: IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on Layer 2 (the link layer) of the switch. It is used for multicast group management and control. When receiving IGMP messages transmitted between the host and router, the Switch 4500 uses IGMP Snooping to analyze the information carried in the IGMP messages.
Chapter 8: IGMP Snooping. Figure 45 Multicast packet transmission when IGMP Snooping runs (VOD Server sending a video stream through the Internet/Intranet to a multicast router, then to a Layer 2 Ethernet Switch (Switch 4500); the video stream reaches multicast group members but not non-multicast group members)...
IGMP Snooping Overview. Figure 46 Implementing IGMP Snooping (Internet; a router running IGMP; IGMP packets; a Switch 4500 running IGMP Snooping; an Ethernet Switch running IGMP Snooping)...
Table 154 IGMP Snooping Terminology. Term | Meaning: IGMP specific query message | Transmitted from the multicast router to the multicast members and used for querying whether a specific group contains any member. When it receives an IGMP specific query message, the switch only transmits the specific query message to the IP multicast group which is queried.
Configuring IGMP Snooping Perform the following configuration in System View and VLAN View. Table 155 Enabling/Disabling IGMP Snooping Operation Command Enable/disable IGMP Snooping igmp-snooping { enable | disable } Although layer 2 and layer 3 multicast protocols can run together, they cannot run on the same VLAN or its corresponding VLAN interface at the same time.
Perform the following configuration in system view. Table 158 Configuring aging time of the multicast member. Operation | Command: Configure aging time of the multicast member | igmp-snooping host-aging-time seconds; Restore the default setting | undo igmp-snooping host-aging-time. By default, the aging time of the multicast member is 260 seconds.
IGMP Snooping Fault Diagnosis and Troubleshooting. Networking Diagram: Figure 47 IGMP Snooping configuration network (Internet, Router, Multicast, Switch). Configuration Procedure: Enable IGMP Snooping globally.
[4500]igmp-snooping enable
Enable IGMP Snooping on VLAN 10.
Diagnosis 3: Multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent.
Stacking. This chapter covers the following topics: ■ Introduction to Stacking ■ Configuring a Stack ■ Stack Configuration Example. Introduction to Stacking: Several Switch 4500 units can be interconnected to create a "stack", in which each Switch is a unit. The ports used to interconnect all the units are called stacking ports, while the other ports that are used to connect the stack to users are called user ports.
Chapter 9: Stacking. Device Configuration | Default Settings | Comment: Set unit IDs for the Switches | The unit ID of a Switch is set to 1 | Make sure that you have set different unit IDs for different Switches, so that the stack can operate normally after all the Switches are interconnected.
} enable Only the Gigabit combo ports can be used to interconnect the Switch units to form a stack. In the 3Com switch operating system, the term "fabric" is used as a general expression for stack. Setting Unit Names for...
Switches Note: “XRN” is a proprietary 3Com technology for enterprise-level stacking on our Switch 5500-EI switches. Because the Switch 4500 shares its operating system with the Switch 5500 family, the XRN terminology is referred to when setting authentication mode.
Stack Configuration Example. Networking Requirements: Configure unit ID, unit name, stack name, and authentication mode for four Switches, and interconnect them to form a stack. The configuration details are as follows: ■ Unit IDs: 1, 2, 3, 4...
Configure Switch D:
[4500]change unit-id 1 to auto-numbering
[4500]fabric-port gigabitethernet4/0/51 enable
[4500]fabric-port gigabitethernet4/0/52 enable
[4500]sysname hello
[hello]xrn-fabric authentication-mode simple welcome
■ In the example, it is assumed that the system will automatically change the unit IDs of Switch B, Switch C and Switch D to 2, 3 and 4 after you choose auto-numbering for unit-id.
RSTP Configuration. This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example. STP Overview: Spanning Tree Protocol (STP) is applied in loop networks to block some undesirable redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of the packet in the loop network.
Chapter 10: RSTP Configuration. What are the Designated Bridge and Designated Port? Figure 50 Designated Bridge and Designated Port (Switch A, Switch B, Switch C). For a Switch, the designated bridge is a Switch in charge of forwarding BPDU to the local Switch via a port called the designated port.
STP Overview. In the figure above, the priorities of Switch A, B and C are 0, 1 and 2 and the path costs of their links are 5, 10 and 4 respectively. 1 Initial state: When initialized, each port of the Switches will generate the configuration BPDU taking itself as the root, with a root path cost of 0, the designated bridge ID as its own Switch ID and the designated port as itself.
The comparison process of each Switch is as follows. ■ Switch A: AP1 receives the configuration BPDU from Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU.
STP Overview. CP2 will receive the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU will be updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A but its configuration BPDU will not be updated and retains {0, 0, 0, AP2}.
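The comparison rule the overview walks through (a configuration BPDU {root ID, root path cost, designated bridge ID, designated port} replaces a port's current BPDU only when it is better, field by field in that order, and the root port is then the port whose BPDU is best once the link cost is added) is easy to get wrong by hand, so here is an added Python model of it. It is illustrative code written for this page, not the switch's STP implementation; bridge IDs are just the priorities 0, 1 and 2 from the text, port IDs are assumed small integers (AP2 = 2, BP2 = 2, CP1 = 1, CP2 = 2), and the link costs used for Switch C's root-port choice are constructed because the figure is not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Optional

# Constructed model of configuration BPDU comparison (not the switch's own code).
# A BPDU is {root ID, root path cost, designated bridge ID, designated port ID};
# a BPDU is "better" when it is smaller in the first field that differs.


class Bpdu(NamedTuple):
    root_id: int
    root_path_cost: int
    designated_bridge_id: int
    designated_port_id: int


def is_better(candidate: Bpdu, current: Bpdu) -> bool:
    """Lower root ID wins; then lower root path cost; then lower designated bridge ID; then lower port ID."""
    return candidate < current   # tuple comparison is exactly this lexicographic rule


@dataclass
class Port:
    name: str
    port_id: int
    link_cost: int
    bpdu: Bpdu                    # best BPDU seen on this port (starts as the bridge's own)
    learned_from_peer: bool = False


@dataclass
class Bridge:
    bridge_id: int
    ports: Dict[str, Port] = field(default_factory=dict)

    def add_port(self, name: str, port_id: int, link_cost: int) -> None:
        # Initial state: every port claims its own bridge as root with path cost 0.
        self.ports[name] = Port(name, port_id, link_cost,
                                Bpdu(self.bridge_id, 0, self.bridge_id, port_id))

    def receive(self, port_name: str, incoming: Bpdu) -> bool:
        """Update rule: keep the incoming BPDU only if it beats the port's current one.
        Returns True when the port's BPDU was replaced, False when the incoming BPDU was discarded."""
        port = self.ports[port_name]
        if is_better(incoming, port.bpdu):
            port.bpdu = incoming
            port.learned_from_peer = True
            return True
        return False

    def root_port(self) -> Optional[str]:
        """The root port is the peer-learned port whose BPDU, with the link cost added, is best.
        Assumption: ties fall back to the received designated bridge/port fields."""
        best_name, best = None, None
        for port in self.ports.values():
            if not port.learned_from_peer:
                continue
            candidate = Bpdu(port.bpdu.root_id,
                             port.bpdu.root_path_cost + port.link_cost,
                             port.bpdu.designated_bridge_id,
                             port.bpdu.designated_port_id)
            if best is None or is_better(candidate, best):
                best_name, best = port.name, candidate
        return best_name


def switch_a_example() -> bool:
    """Switch A (priority 0): AP1 receives Switch B's BPDU {1, 0, 1, BP1} and discards it."""
    a = Bridge(0)
    a.add_port("AP1", 1, link_cost=5)
    return a.receive("AP1", Bpdu(1, 0, 1, 1))      # False: local BPDU {0,0,0,AP1} is better


def switch_c_example() -> dict:
    """Switch C (priority 2): replay the CP1/CP2 comparison from the text. Link costs are constructed."""
    c = Bridge(2)
    c.add_port("CP1", 1, link_cost=10)
    c.add_port("CP2", 2, link_cost=4)
    cp1_first = c.receive("CP1", Bpdu(0, 0, 0, 2))   # {0,0,0,AP2} from Switch A beats {2,0,2,CP1}
    cp1_again = c.receive("CP1", Bpdu(0, 0, 0, 2))   # same BPDU again: not better, so retained as is
    cp2 = c.receive("CP2", Bpdu(0, 5, 1, 2))         # {0,5,1,BP2} from Switch B beats {2,0,2,CP2}
    return {"cp1_first": cp1_first, "cp1_again": cp1_again, "cp2": cp2,
            "cp1_bpdu": c.ports["CP1"].bpdu, "cp2_bpdu": c.ports["CP2"].bpdu,
            "root_port": c.root_port()}


if __name__ == "__main__":
    print("Switch A updated by B's BPDU:", switch_a_example())
    print(switch_c_example())
```

With the constructed costs (10 on CP1, 4 on CP2), CP2 becomes Switch C's root port because {0, 5 + 4, 1, BP2} beats {0, 0 + 10, 0, AP2} on root path cost; change the costs and the choice flips, which is the sensitivity the later sections on path cost and root protection are concerned with.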
...designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state. Implement RSTP on the Switch: The Switch implements the Rapid Spanning Tree Protocol (RSTP), an enhanced form of STP.
RSTP Configuration. The configuration of RSTP changes with the position of the Switch in the network, as discussed below. Figure 53 Configuring STP (Switch A and Switch B: root bridge and backup root; Switch C and Switch D: intermediate Switches in the ...; Switch E, Switch F and Switch G: Switches directly...)
Device Configuration | Default Value | Note: Configure the Bridge preference of a Switch | The Bridge preference of a Switch is 32768. | A Switch can be made the root bridge by specifying its Bridge preference as 0. Specify Forward ... | Forward Delay fixes ... | The other Switches copy the...
RSTP Configuration. Device Configuration | Default Value | Note: Configure the timeout time factor of a Switch | The Switch, if it has not received any Hello packet from the upstream... | In a stable network, it is recommended to set the timeout time factor to 5, 6, or 7. Then the Switch will not consider the...
RSTP Configuration. Operation | Command: Restore RSTP to the default value | undo stp. Only after RSTP is enabled on the Switch can other configurations take effect. By default, RSTP is enabled. Enable/Disable RSTP on a Port: You can use the following command to enable/disable RSTP on the designated port.
...consequent blocking by configuring the STP-Ignore attribute on the appropriate Switch. Once an STP-Ignored VLAN is configured, the packets of this VLAN will be forwarded on any Switch port, with no restriction from the calculated STP path. You can configure the STP-Ignore attribute on a Switch by using the following commands.
You can configure more than one secondary root for a spanning tree through specifying the secondary STI root on two or more Switches. Generally, 3Com recommends designating one primary root and two or more secondary roots for a spanning tree.
...that if the Forward Delay is configured too short, occasional path redundancy may occur. If the Forward Delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge Forward Delay is 15 seconds.
RSTP Configuration. You can use the following command to set the multiple value of hello time of a specified bridge. Perform the following configurations in System View. Table 179 Set Timeout Factor of the Bridge. Operation | Command: Set the multiple value of hello time of a specified bridge | stp timeout-factor number; Restore the default multiple value of hello time | undo stp timeout-factor...
...Ethernet port is not connected with any Ethernet port of other bridges, this port should be set as an EdgePort. If a specified port connected to a port of any other bridge is configured as an edge port, RSTP will automatically detect and reconfigure it as a non-EdgePort.
RSTP Configuration. Operation | Command: Restore the default standard to be used | undo stp pathcost-standard. By default, the Switch calculates the default Path Cost of a port by the IEEE 802.1t standard. Set the Priority of a Specified Port: The port priority is an important basis to decide if the port can be a root port. In the calculation of the spanning tree, the port with the highest priority will be selected as the root assuming all other conditions are the same.
...link. Note that, for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, the port working in full duplex can also be configured to connect with such a link. You can manually configure the active Ethernet port to connect with the point-to-point link.
RSTP Configuration. ...again. In this case, the former root port will turn into a BPDU specified port and the former blocked ports will enter into a forwarding state; as a result, a link loop will be generated. The security functions can control the generation of loops. After it is enabled, the root port cannot be changed, the blocked port will remain in "Discarding"...
Table 188 Display and Debug RSTP. Operation | Command: Display RSTP configuration information about the local Switch and the specified ports | display stp [ interface interface_list ]; Display the list of STP-Ignored VLANs | display stp ignored-vlan; Clear RSTP statistics information | reset stp [ interface interface_list ]...
RSTP Configuration Example. ...however, be careful and do not disable those involved. (The following configuration takes GigabitEthernet 1/0/25 as an example.)
[4500]interface gigabitethernet 1/0/25
[4500-GigabitEthernet1/0/25]stp disable
c To configure Switch A as a root, you can either configure its Bridge priority as 0 or simply use the command to specify it as the root.
c Configure Switch C and Switch B to serve as standby of each other and set the Bridge priority of Switch C to 8192.
[4500]stp priority 8192
d Enable the Root protection function on every designated port.
[4500]interface Ethernet 1/0/1
[4500-Ethernet1/0/1]stp root-protection
[4500]interface Ethernet 1/0/2...
802.1X Configuration. This chapter covers the following topics: ■ IEEE 802.1X Overview ■ Configuring 802.1X ■ AAA and RADIUS Protocol Configuration. For information on setting up a RADIUS server and RADIUS client refer to Appendix . For details on how to authenticate the Switch 4500 with a Cisco Secure ACS server with TACACS+, refer to Appendix . IEEE 802.1X Overview...
Chapter 11: 802.1X Configuration. ...provided by 3Com (or by Microsoft Windows XP). The 802.1X Authentication Server system normally stays in the carrier's AAA center. Authenticator and Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1X.
Configuring 802.1X The EAPoL-Encapsulated-ASF-Alert is related to the network management information and terminated by the Authenticator. Although 802.1X provides user ID authentication, 802.1X itself is not enough to implement the scheme. The administrator of the access device should configure the AAA scheme by selecting RADIUS or local authentication to assist 802.1X to implement the user ID authentication.
...this command is used in Ethernet port view, the parameter interface-list cannot be input and 802.1X can only be enabled on the current port. Perform the following configurations in System View or Ethernet Port View. Table 189 Enabling/Disabling 802.1X. Operation | Command...
Configuring 802.1X. Checking the Users that Log on the Switch via Proxy: The following commands are used for checking the users that log on the Switch via proxy. Perform the following configurations in System View or Ethernet Port View. Table 192 Checking the Users that Log on the Switch via Proxy. Operation | Command: Enable the check for...
Configuring the Authentication Method for 802.1X User: The following commands can be used to configure the authentication method for 802.1X user. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentication (the RADIUS server must support CHAP authentication), and EAP relay authentication (the Switch sends authentication information to the RADIUS server in the form of EAP packets directly and the RADIUS server must support EAP authentication).
Configuring 802.1X. ...will consider the user to have logged off and set the user to the logoff state if the system does not receive a response from the user for N consecutive times. handshake-period-value: Handshake period. The value ranges from 1 to 1024 in units of seconds and defaults to 15.
Operation | Command: Disable a quiet-period timer | undo dot1x quiet-period. By default, the quiet-period timer is disabled. Displaying and Debugging 802.1X: After the above configuration, execute the display command in any view to display the running of the VLAN configuration, and to verify the effect of the configuration.
Configuring 802.1X RADIUS server every 15 minutes. The system is instructed to transmit the user name to the RADIUS server after removing the user domain name. The user name of the local 802.1X access user is and the password is localuser (input in plain text).
7 Set the encryption key when the system exchanges packets with the accounting RADIUS server.
[4500-radius-radius1]key accounting money
8 Set the timeouts and times for the system to retransmit packets to the RADIUS server.
[4500-radius-radius1]timer 5
[4500-radius-radius1]retry 5
9 Set the interval for the system to transmit real-time accounting packets to the RADIUS server.
Centralized MAC Address Authentication. Centralized MAC Address Authentication Configuration: Centralized MAC address authentication configuration includes: ■ Enabling MAC address authentication both globally and on the port ■ Configuring domain name used by the MAC address authentication user ■ Configuring centralized MAC address authentication timers...
Configuring the User Name and Password for Fixed Mode: If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode. Table 203 Configure the user name and password for fixed mode. Operation | Command | Description...
By default, the offline-detect time is 300 seconds, the quiet time is 60 seconds, and the server-timeout time is 100 seconds.

Displaying and Debugging Centralized MAC Address Authentication
After the above configuration, execute the display mac-authentication command in any view to view the running state of centralized MAC address authentication and check the configuration result.
2 Add a local access user.
a Set the user name and password. In this (MAC-based) mode the user name and the password are both the MAC address of the host, so the credential is only as strong as that MAC address is hard to spoof.
[SW4500]local-user 00e0fc010101
[SW4500-luser-00e0fc010101]password simple 00e0fc010101
b Set the service type of the user to lan-access.
[SW4500-luser-00e0fc010101]service-type lan-access
3 Enable MAC address authentication globally.
[SW4500]mac-authentication
4 Configure the ISP domain used by the user.
AAA and RADIUS Protocol Configuration
On receiving a user's request from the NAS, the RADIUS server performs AAA by querying and updating its user database and returns configuration information and accounting data to the NAS. The NAS controls the users and their connections, while the RADIUS protocol defines how configuration and accounting information is transmitted between the NAS and the RADIUS server.
■ Disconnecting a user by force
Among the above configuration tasks, creating an ISP domain is compulsory; otherwise user attributes cannot be distinguished. The other tasks are optional and can be configured as required.

Creating/Deleting an ISP Domain
What is an Internet Service Provider (ISP) domain? Put simply, an ISP domain is a group of users belonging to the same ISP.
For information on the commands for setting up a RADIUS scheme, refer to the "Configuring RADIUS" section of this chapter.
■ Local authentication: if you use the local scheme, you can only implement authentication and authorization locally on the switch, without a RADIUS server.
■ None: ...
Operation                        Command
Disable the idle-cut function    idle-cut disable
By default, the idle-cut function is disabled.

Enabling the Selection of the RADIUS Accounting Option
If no RADIUS server is available, or if the RADIUS accounting server fails, the user can still use the network resources when accounting optional is configured; otherwise, the user is disconnected. Note that sessions started while the accounting server is unreachable then leave no accounting record.
Configuring the Self-Service Server URL
The self-service-url enable command can be used to configure the self-service server uniform resource locator (URL). This command must be used together with a RADIUS server (such as a CAMS) that supports self-service. Self-service means that users can manage their accounts and card numbers by themselves.
Setting the Password Display Mode
Perform the following configurations in System View.
Table 217 Setting the Password Display Mode of Local Users
Operation                                          Command
Set the password display mode of local users       local-user password-display-mode { cipher-force | auto }
Cancel the configuration                           undo local-user ...
However, the user privilege level is a global value for all service types. Entering the following two commands results in the user having level 3 for all service types, in this case both Telnet and SSH:
[4500-SI-luser-adminpwd]service-type telnet level 1
[4500-SI-luser-adminpwd]service-type ssh level 3
In other words, the level given in the last service-type command wins, so a lower level intended for one service is silently raised by a later, higher one. You can use either...
■ Configuring the Local RADIUS Authentication Server
■ Configuring the Source Address for RADIUS Packets Sent by the NAS
■ Setting the Timers of the RADIUS Server
Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required; the other tasks are optional and can be performed as required.
Operation                                                                                   Command
Set the IP address and port number of the secondary RADIUS authentication/authorization server   secondary authentication ip_address [ port_number ]
Restore the IP address and port number of the secondary RADIUS authentication/authorization server to the default values   undo secondary authentication
By default, for a newly created RADIUS scheme, the IP address of the primary authentication server is 0.0.0.0 and its UDP port number is 1812; ...
The RADIUS protocol uses different UDP ports to receive and transmit authentication/authorization and accounting packets, so you need to set two different ports accordingly. As suggested by RFC 2138/2139 (since superseded by RFC 2865/2866, which keep the same port assignments), the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (In particular, some earlier RADIUS servers use 1645 for authentication/authorization and 1646 for accounting.) The RADIUS service port settings on the Switch 4500 units are supposed to be...
Perform the following configurations in RADIUS Scheme View.
Table 224 Enabling/Disabling the Stopping Accounting Request Buffer
Operation                                            Command
Enable the stopping accounting request buffer        stop-accounting-buffer enable
Disable the stopping accounting request buffer       undo stop-accounting-buffer enable
By default, stopping accounting requests are saved in the buffer.

Setting the Maximum Retransmitting Times of Stopping Accounting Requests
Use this command to set the maximum number of retransmissions that the...
Restore the default RADIUS accounting packet key       undo key accounting
By default, the keys of RADIUS authentication/authorization and accounting packets are all "3com". Because this default is published, replace it with a long, random per-server key on both the switch and the RADIUS server before putting the scheme into service.

Setting Retransmission Times of RADIUS Requests
Since the RADIUS protocol uses UDP packets to carry its data, the communication process is not reliable.
When the primary and secondary servers are both active or both blocked, the NAS sends packets to the primary server only.
Perform the following configurations in RADIUS Scheme View.
Table 230 Setting the RADIUS Server State
Operation                                      Command
Set the state of the primary RADIUS server     ...
By default, the IP address of the local RADIUS authentication server is 127.0.0.1 and the password (shared key) is 3com.
1) When using the local RADIUS server function of 3Com, remember that the UDP port number used for authentication is 1645 and that for accounting is 1646.
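The RADIUS shared key set with key authentication / key accounting (default "3com" for both the scheme and the local RADIUS server above) is all that hides a PAP user password in transit and all that authenticates a server's reply. The following Python, added here as an example and not part of the 3Com manual, builds an Access-Request the way a NAS does (RFC 2865 section 5.2 password hiding), recovers the password from that request using only the default key, and checks a Response Authenticator. The user name, password, NAS address, packet identifier and the forged reply are constructed for the example.

```python
"""RADIUS PAP password hiding (RFC 2865 section 5.2) and Response Authenticator
checking, to show what the shared key protects.  Added example, not code from
the 3Com manual; user name, password, NAS address and packets are constructed."""
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST = 1
RADIUS_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865: pad to 16 bytes; c1 = p1 XOR MD5(S + RA); cN = pN XOR MD5(S + c(N-1))."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the key and a capture recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, authenticator, username, password, secret, nas_ip):
    """Access-Request as the NAS sends it: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code, ident, request_authenticator, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_reply_is_genuine(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS must check before trusting an Access-Accept."""
    expected = response_authenticator(reply[0], reply[1], request_authenticator, reply[20:], secret)
    return reply[4:20] == expected


def demo():
    """Capture a request protected by the default key, read the password, reject a forged reply."""
    ra = os.urandom(16)
    req = build_access_request(7, ra, b"localuser", b"s3cret-pass", b"3com", "10.0.0.1")
    recovered = reveal_password(parse_attrs(req)[ATTR_USER_PASSWORD], b"3com", ra)
    forged = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 7, 20) + os.urandom(16)   # no key knowledge
    genuine = (struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, 7, 20)
               + response_authenticator(RADIUS_ACCESS_ACCEPT, 7, ra, b"", b"3com"))
    return recovered, server_reply_is_genuine(forged, ra, b"3com"), server_reply_is_genuine(genuine, ra, b"3com")


if __name__ == "__main__":
    print(demo())
```

The point of the example is that the only secret in the exchange is the shared key: with the default "3com" a passive capture of the Access-Request yields the PAP password directly, and an attacker who knows the key can also mint Access-Accepts that pass the authenticator check.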
... between the NAS and the RADIUS server that are required. When there are a large number of users (1000 or more), 3Com suggests a larger value. The following table recommends the ratio of the value to the number of users.
Table 238 Configure the RADIUS Server Response Timer
Operation                                          Command
Configure the RADIUS server response timer         timer response-timeout seconds
Restore the default value of the interval          undo timer response-timeout
By default, the response timeout timer for the RADIUS server is set to three seconds.
Operation                                       Command
Enable debugging of the local RADIUS scheme     debugging local-server { all | error | event | packet }
Disable debugging of the local RADIUS scheme    undo debugging local-server { all | error | event | packet }

AAA and RADIUS Protocol Configuration Example
For a hybrid configuration example of the AAA/RADIUS protocol and 802.1X...
2 Method 2: Using the local RADIUS authentication server.
The local server method is similar to remote RADIUS authentication, but you must set the server IP address to 127.0.0.1, the authentication password to 3com, and the UDP port number of the authentication server to 1645.
Domain and RADIUS Scheme Creation
The Switch 4500 can have one or more domains created on it. A domain on the Switch 4500 is similar to a Windows domain. By default, there is one domain, called "system".
Once enabled globally, network login needs to be enabled on a per-port basis. This can be done in one of two ways:
■ To enable dot1x on one port, enter the interface view of the port and enable dot1x ...
... at the end of the user name. This states that the user is a member of the local domain and, as a result, uses the local RADIUS server. Following the steps in the section "Domain and RADIUS Scheme Creation" to log in using the external RADIUS server defined there, you need to log in as user@domain, for example joe@demo.
AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting
The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how user information is exchanged between the NAS and the ISP's RADIUS server, so faults in this exchange are common.
Fault One: User Authentication/Authorization Always Fails
Troubleshooting: The user name may not be in the...
■ To enable RADIUS debugging, enter the command:
<4500-xx> debugging radius packet
3Com-User-Access-Level
This attribute determines the access level a user will have on switch login. It can be administrator, manager, monitor or visitor. You may need to add the return list attributes to a dictionary file using the...
Chapter 12: File System Management

File System Overview
The Switch provides a flash file system for efficient management of storage devices such as flash memory. The file system offers file access and directory management, including creating the file system, creating, deleting, modifying and renaming a file or directory, and opening a file.
... from the file system, use the delete /unreserved file-url command. Using this command ensures that space is made available on the flash file system for additional information. Files deleted without /unreserved are moved to the recycle bin and still occupy flash space; to ensure that all deleted files have been removed from the system, use the reset recycle-bin command, which prompts for removal of all files in...
Table 244 File System Operation
Operation                             Command
Set the file system prompt mode       file prompt { alert | quiet }

Configuring File Management
The configuration file management module provides a user-friendly operation interface. It saves the configuration of the Switch as command-line text, recording the whole configuration process.
The configuration files are displayed in their corresponding saving formats.

Saving the Current-configuration
Use the save command to save the current-configuration to the Flash Memory; the saved configuration becomes the saved-configuration used when the system is next powered on.
Table 249 Display the Information of the File used at Startup
Operation                                              Command
Display the information of the file used at startup    display startup

FTP Overview
FTP is a common way to transmit files on the Internet and IP networks. Before the World Wide Web (WWW), files were transmitted in command-line mode and FTP was the most popular application. FTP carries user names, passwords and file contents in clear text, so the FTP server on the Switch should be enabled only for the duration of a transfer and only on a management network.
Device       Configuration                                Default   Description
FTP client   Log into the Switch from the FTP client                The prerequisite for normal FTP function is that the Switch and the PC can reach each other.

Enabling/Disabling the FTP Server
You can use the following commands to enable/disable the FTP server on the Switch.
Table 254 Configure FTP Server Connection Timeout
Operation                                              Command
Configure the FTP server connection timeout            ftp timeout minute
Restore the default FTP server connection timeout      undo ftp timeout
By default, the FTP server connection timeout is 30 minutes.

Displaying and Debugging FTP
After the above configuration, execute the corresponding display command in any view to display...
Networking Diagram
Figure 61 Networking for FTP Configuration (Switch and PC connected over the network)
Configuration Procedure
1 Configure the FTP server parameters on the PC: a user named Switch, password hello, with read and write authority over the Switch directory on the PC.
2 Configure the Switch. Log into the Switch (locally through the Console port or remotely using Telnet).
FTP Server Configuration Example
Networking Requirement
The Switch serves as the FTP server and the remote PC as the FTP client. Configuration on the FTP server: configure an FTP user named Switch, with password hello and with read and write authority over the flash root directory of the Switch. The IP address of a VLAN interface on the Switch is 1.1.1.1, and that of the PC is 2.2.2.2.
TFTP Overview
TFTP is suited to cases where there is no complicated interaction between the clients and the server. TFTP is implemented on the basis of UDP. A TFTP transfer is originated by the client: to download a file, the client sends a request to the TFTP server, then receives data from it and sends an acknowledgement for each block. TFTP has no authentication, so any host that can reach the TFTP server can read or write whatever the authorized TFTP directory exposes.
Table 258 Upload Files by means of TFTP
Operation                        Command
Upload files by means of TFTP    tftp tftp-server put source-file [ dest-file ]

TFTP Client Configuration Example
Networking Requirement
The Switch serves as the TFTP client and the remote PC as the TFTP server. An authorized TFTP directory is set on the TFTP server.
7 Use the boot boot-loader command to specify the downloaded program as the boot application at the next start-up, and reboot the Switch.
<4500> boot boot-loader switch.app
<4500> reboot
...
Chapter 13: MAC Address Table Management

Overview
A Switch maintains a MAC address table for fast forwarding of packets. A table entry includes the MAC address of a device and the ID of the Switch port connected to it. Dynamic entries (those not configured manually) are learned by the Switch. The Switch learns a MAC address in the following way: after receiving a data frame on a port (say port A), the Switch analyzes its source MAC address (say MAC_SOURCE) and considers that packets destined for...
You can configure (add or modify) MAC address entries manually according to the actual networking environment. The entries can be static or dynamic.

MAC Address Table Configuration
MAC address table management includes:
■ Set MAC Address Table Entries
■ ...
Table 260 Set the MAC Address Aging Time for the System
Operation                                        Command
Set the dynamic MAC address aging time           mac-address timer { aging age | no-aging }
Restore the default MAC address aging time       undo mac-address timer aging
Note that this command takes effect on all ports.
Operation                                                   Command
Display the aging time of dynamic address table entries     display mac-address aging-time

MAC Address Table Management Display Example
Networking Requirements
The user logs into the Switch via the Console port to display the MAC address table.
MAC Address Table Management Configuration Example
Networking Requirements
The user logs into the Switch via the Console port to configure address table management. It is required to set the address aging time to 500s and add a static address 00e0-fc35-dc71 on Ethernet1/0/2 in vlan1.
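The learning, aging and static-entry behaviour described in this chapter is easier to reason about when simulated. The following Python model is an added example, not code from the switch; it replays the configuration example above (aging time 500 s, static entry 00e0-fc35-dc71 on Ethernet1/0/2 in VLAN 1) and adds a constructed table capacity to show the two security-relevant properties of the table: a static entry is not moved by a frame that spoofs its source MAC, and once the table is full new addresses are no longer learned, so their frames are flooded. The other MAC addresses, port names and timings are constructed.

```python
"""Simulation of the switch's MAC address table: learning from source MACs,
aging of dynamic entries, and static entries that are never aged or relearned.
Added example, not code from the switch; ports, addresses and timings are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float      # seconds; only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging_time: Optional[float] = 300.0, capacity: int = 8192):
        # aging_time=None models `mac-address timer no-aging`; 300 s is the manual's default
        self.aging_time = aging_time
        self.capacity = capacity                      # constructed: a fixed hardware table size
        self.entries: Dict[Tuple[int, str], Entry] = {}   # (vlan, mac) -> Entry

    @staticmethod
    def _norm(mac: str) -> str:
        return mac.lower().replace("-", "").replace(":", "")

    def add_static(self, mac: str, port: str, vlan: int = 1) -> None:
        """mac-address static <mac> interface <port> vlan <vlan>: pins the address to a port."""
        self.entries[(vlan, self._norm(mac))] = Entry(port, True, 0.0)

    def learn(self, src_mac: str, port: str, vlan: int, now: float) -> bool:
        """Learn (or refresh) a dynamic entry from a received frame; False if nothing was written."""
        key = (vlan, self._norm(src_mac))
        existing = self.entries.get(key)
        if existing is not None and existing.static:
            return False          # a static entry is not moved by a spoofed source MAC
        if existing is None and len(self.entries) >= self.capacity:
            return False          # table full: the state a CAM-flooding attack tries to reach
        self.entries[key] = Entry(port, False, now)
        return True

    def age(self, now: float) -> int:
        """Remove dynamic entries idle longer than aging_time; return how many were removed."""
        if self.aging_time is None:
            return 0
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen > self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, dst_mac: str, vlan: int) -> Optional[str]:
        """Port to forward to, or None meaning the frame is flooded within the VLAN."""
        e = self.entries.get((vlan, self._norm(dst_mac)))
        return e.port if e is not None else None


def demo() -> dict:
    """Replays the manual's example: aging 500 s, static 00e0-fc35-dc71 on Ethernet1/0/2, vlan 1."""
    t = MacTable(aging_time=500.0, capacity=3)
    t.add_static("00e0-fc35-dc71", "Ethernet1/0/2", vlan=1)
    moved = t.learn("00e0-fc35-dc71", "Ethernet1/0/3", vlan=1, now=0.0)       # spoof attempt
    t.learn("00e0-fc00-0001", "Ethernet1/0/4", vlan=1, now=0.0)
    t.learn("00e0-fc00-0002", "Ethernet1/0/5", vlan=1, now=100.0)
    overflow = t.learn("00e0-fc00-0003", "Ethernet1/0/6", vlan=1, now=100.0)  # capacity reached
    before = t.lookup("00e0-fc00-0001", 1)
    aged = t.age(now=501.0)                                                    # 0001 idle > 500 s
    after = t.lookup("00e0-fc00-0001", 1)
    return {
        "static_moved": moved, "overflow_learned": overflow,
        "static_port": t.lookup("00E0-FC35-DC71", 1),
        "before_aging": before, "aged_out": aged, "after_aging": after,
        "survivor": t.lookup("00e0-fc00-0002", 1),
    }


if __name__ == "__main__":
    print(demo())
```

Static entries therefore do double duty: they keep a server's address from being hijacked by a spoofed frame on another port, and they survive both aging and a full table.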
Chapter 14: Device Management

Overview
With the device management function, the Switch can display the current running state and event debugging information about the unit, supporting the maintenance and management of the state and communication of the physical devices. In addition, a command is available for rebooting the system when some function failure occurs.
Table 265 Designate the APP Adopted when Booting the Switch Next Time
Operation                                                          Command
Designate the APP adopted when booting the Switch next time        boot boot-loader file-url

Upgrading BootROM
You can use this command to upgrade the BootROM with the BootROM program in the Flash Memory.
Networking Diagram
Figure 68 Networking for FTP Configuration (Switch and PC connected over the network)
Configuration Procedure
1 Configure the FTP server parameters on the PC. Define a user named Switch, with password hello and read and write authority over the Switch directory on the PC.
2 Configure the Switch. The Switch has been configured with a Telnet user named ...
Upgrading BOOTROM, please wait...
Upgrade BOOTROM succeeded!
8 Use the boot boot-loader command to specify the downloaded program as the boot application at the next start-up, and reboot the Switch.
<4500> boot boot-loader switch.app
<4500> display boot-loader
The app to boot at the next time is: flash:/Switch.app
The app to boot of board 0 at this time is: flash:/PLAT.APP
<4500> ...
Chapter 15: System Maintenance and Debugging

Basic System Configuration
Setting the System Name for the Switch
Perform the sysname command in System View.
Table 268 Set the Name for the Switch
Operation                                          Command
Set the Switch system name                         sysname sysname
Restore the Switch system name to the default      undo sysname

Setting the System Clock
Perform the operation of ...
Displaying the State and Information of the System
The display commands can be classified as follows according to their functions:
■ Commands for displaying the system configuration information
■ Commands for displaying the system running state
■ ...
System Debugging
Figure 69 illustrates the relationship between the two debugging switches.
Figure 69 Debug Output (debugging information passes through the protocol debugging switch and then the screen output switch)
You can use the following commands to control the above-mentioned debugging. Perform the following operations in User View.
Table 273 Enable/Disable the Debugging
Operation   Command
...
... information, ensuring the consistency of logging, debugging and trap information across a fabric. After synchronization of the whole fabric, a great deal of terminal output is generated, so you are recommended not to enable the information synchronization switch for the whole fabric.
Testing Tools for Network Connection
Table 276 Test Periodically if the IP address is Reachable
Operation                                                   Command
Configure the IP address requiring periodic testing         end-station polling ip-address ip-address
Delete the IP address requiring periodic testing            undo end-station polling ip-address ip-address
The Switch pings the IP address every minute to test whether it is reachable.
Introduction to Remote-ping
Remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP at present) operating on the network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag.
Remote-ping Configuration
This section contains information on remote-ping.
Introduction to Remote-ping Configuration
The configuration tasks for remote-ping include:
■ Enabling the remote-ping client
■ Creating a test group
■ Configuring test parameters
The test parameters that you can configure include:
■ Destination IP address
■ ...
Table 277 Configure Remote-ping (continued)
Operation                                    Command                       Description
Configure the test parameters
  Configure the destination IP address       destination-ip ip-address     Required. By default, no destination IP address is configured.
  of the test
  Configure the type of test                 test-type type                Optional. By default, the test type is ...
5 Display the test results.
[S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp
[S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp

Logging Function
Introduction to Info-center
The Info-center serves as the information center of the system software modules. The logging system is responsible for most information output, and it classifies information in detail so that it can be filtered efficiently.
hh:mm:ss is the time field: hh is from 00 to 23, mm and ss are from 00 to 59. yyyy is the year field. If the format is changed to boot, the time-stamp represents the milliseconds since system boot. Generally this value is so large that two 32-bit integers are used, separated with a dot '.'.
Module name   Description
FTPS          FTP server module
              High availability module
HTTPD         HTTP server module
IFNET         Interface management module
IGSP          IGMP snooping module
              IP module
              Inter-process communication module
IPMC          IP multicast module
L2INF         Interface management module
LACL          LAN switch ACL module
LQOS          LAN switch QoS module
              Local server module
...
... the level represented by "emergencies" is 1, and that represented by "debugging" is 8. (The Info-center numbers the eight syslog severities from 1 to 8, one higher than the 0 to 7 used by the syslog protocol itself.) Therefore, when the severity threshold is "debugging", the system outputs all information. The severity levels of logging information are defined as follows.
Table 279 Info-Center-Defined Severity
Severity   Description
...
■ The information can be classified by source module and filtered by module.
■ The output language can be selected between Chinese and English.
1 Sending the information to the control terminal.
Table 281 Sending the Information to the Control Terminal
Table 283 Sending the Information to Log Buffer
Configuration                                          Default Value                          Configuration Description
Enable info-center                                     By default, info-center is enabled.    Other configurations are valid only if the info-center is enabled.
Set the information output direction to logbuffer                                             You can configure the size of the log buffer at the same time.
Figure 72 Turn on/off the Information Synchronization Switch in Fabric
Device   Configuration                                            Default Value                                                          Description
Switch   Enable info-center                                       By default, info-center is enabled.                                    Other configurations are valid only if the info-center is enabled.
Switch   Set the information output direction to log in Fabric    By default, Switches of master in Fabric, debugging and trap ...       This configuration can ...
Table 287 Defining information source
Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { ...
Table 289 Enable/disable info-center
Operation              Command
Enable info-center     info-center enable
Disable info-center    undo info-center enable
Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the classification and output work involved.
2 Configuring to output information to the control terminal.
You can use the following commands to configure the time-stamp output format of log, debugging and trap information. Perform the following operation in System View:
Table 292 Configuring the Output Format of Time-stamp
Operation                             Command
Configure the output format of ...
Table 295 Configuring to Output Information to Telnet Terminal or Dumb Terminal
Operation                                                                                   Command
Output information to a Telnet terminal or dumb terminal                                    info-center monitor channel { channel-number | channel-name }
Cancel the configuration of outputting information to a Telnet terminal or dumb terminal    undo info-center monitor channel
3 Configuring the information source on the Switch
Operation                       Command
Disable the output time-stamp   undo info-center timestamp { log | trap | debugging }
4 Enabling the terminal display function
To view the output information at a Telnet terminal or dumb terminal, you must first enable the corresponding log, debugging and trap information output functions on the Switch.
Table 300 Configuring to Output Information to Log Buffer
Operation                                                              Command
Output information to the log buffer                                   info-center logbuffer [ channel { channel-number | channel-name } ] [ size buffersize ]
Cancel the configuration of outputting information to the log buffer   undo info-center logbuffer [ channel | size ]
3 Configuring the information source on the Switch
Sending the Information to the Trap Buffer
To send information to the trap buffer, follow the steps below:
1 Enabling info-center
Perform the following operation in System View.
Table 303 Enabling/Disabling Info-center
Operation              Command
Enable info-center     info-center enable
...
... if there is no specific configuration record for a module in the channel, the default one is used. If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, and at the same time use the debugging command to turn on debugging...
Table 309 Defining Information Source
Operation                                        Command
Define information source                        info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]
Cancel the configuration of information source   undo info-center source { modu-name | default }
The Switch provides a command to turn the synchronization switch on or off on every Switch. If the synchronization switch of a Switch is turned off, it does not send information to other Switches but still receives information from them.
1 Enable info-center
Perform the following operation in System View.
[3com] info-center source arp channel loghost log level informational
[3com] info-center source ip channel loghost log level informational
2 Configuration on the loghost
This configuration is performed on the loghost. The following example is performed on SunOS 4.0; the procedure on Unix operating systems from other manufacturers is generally the same.
Figure 75 Schematic diagram of configuration (Switch and loghost connected over the network)
Configuration steps
# Enable info-center
[3com] info-center enable
# Set the host with IP address 202.38.1.10 as the loghost; set the severity threshold to informational; set the output language to English; allow all modules to output information.
[3com] info-center loghost 202.38.1.10 facility local7 language english
[3com] info-center source default channel loghost log level informational
Configuration on the loghost
This configuration is performed on the loghost.
a Perform the following command as the super user (root).
■ Information with severity level informational or more severe is sent to the loghost
■ The output language is English
■ The modules allowed to output information are ARP and IP
Networking Diagram
Figure 76 Schematic Diagram of Configuration (Switches with console connections and the loghost on the network)
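On the loghost side, what arrives from info-center loghost ... facility local7 is standard syslog: each line starts with a PRI field equal to facility * 8 + severity, where local7 is 23 and the severities run 0 to 7 (one lower than the Info-center's 1 to 8 numbering explained above). The following Python is an added example, not part of the manual or of any loghost software; it decodes that PRI field, maps it back to the Info-center level, and applies the same kind of threshold filter the loghost examples above configure (informational and more severe, from the expected facility only). The sample lines, the host name and the message bodies are constructed.

```python
"""Decode syslog lines as the loghost receives them from a switch configured with
`info-center loghost <ip> facility local7 ...` and `... log level informational`.
Added example, not part of the 3Com manual or any loghost; the sample lines are
constructed and the message bodies are made up."""
import re

# RFC 3164 facility codes: local7 is 23, so PRI = 23 * 8 + severity = 184 + severity
LOCAL7 = 23
# Syslog severities 0-7 by name; the switch's Info-center numbers the same levels
# 1-8 (emergencies = 1 ... debugging = 8), i.e. info_center_level = severity + 1
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line: str):
    """Return (facility, severity, severity_name, body), or None if the PRI is malformed."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                          # 24 facilities * 8 severities - 1
        return None
    facility, severity = divmod(pri, 8)
    return facility, severity, SEVERITIES[severity], m.group(2)


def info_center_level(severity: int) -> int:
    """Map an RFC 3164 severity (0-7) to the Info-center's 1-8 numbering."""
    return severity + 1


def accept(line: str, threshold: str = "informational", facility: int = LOCAL7) -> bool:
    """Loghost-side filter: keep messages from the expected facility whose severity is at
    least as severe as the threshold (a lower number is more severe)."""
    parsed = parse_syslog_line(line)
    if parsed is None:
        return False
    fac, sev, _, _ = parsed
    return fac == facility and sev <= SEVERITIES.index(threshold)


# Constructed sample input: what a local7 stream from a switch named "3com" might look like.
SAMPLE_LINES = [
    "<190>Jan 10 11:22:33 2006 3com ARP: constructed informational message",   # local7.info
    "<187>Jan 10 11:22:34 2006 3com IP: constructed error message",            # local7.err
    "<191>Jan 10 11:22:35 2006 3com ARP: constructed debugging message",       # local7.debug
    "<14>Jan 10 11:22:36 2006 3com IP: tagged user.info, not local7",          # user.info
    "<999>garbage that is not valid syslog",
]


def summarize(lines=SAMPLE_LINES, threshold: str = "informational"):
    """Return [(facility, info_center_level, severity_name, body)] for the accepted lines."""
    out = []
    for line in lines:
        if accept(line, threshold):
            fac, sev, name, body = parse_syslog_line(line)
            out.append((fac, info_center_level(sev), name, body))
    return out


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Syslog over UDP carries no authentication, so a loghost should also restrict which source addresses it accepts from; a PRI and host name are trivially forged by anyone who can send a datagram to port 514.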
Chapter 16: SNMP Configuration

Overview
The Simple Network Management Protocol (SNMP) is the most widely deployed network management protocol in computer networks and is accepted in practice as an industry standard. It is used to carry management information between any two nodes. Note that SNMPv1 and SNMPv2c identify the manager only by a community string sent in clear text; SNMPv3 adds per-user authentication and encryption and should be preferred where the management station supports it.
Figure 77 Architecture of the MIB Tree
The MIB (Management Information Base) describes the hierarchical architecture of the tree; it is the set of standard variables defined for the monitored network device. In the above figure, the managed object B can be uniquely specified by the string of numbers {1.2.1.1}.
Configuring SNMP
■ Set SNMP System Information
■ Set the Engine ID of a Local or Remote Device
■ Set/Delete an SNMP Group
■ Set the Source Address of Trap
■ Add/Delete a User to/from an SNMP Group
■ Create/Update View Information or Delete a View
■ ...
Setting the Destination Address of Trap
You can use the following commands to set or delete the destination address of the trap. Perform the following configuration in System View.
Table 317 Set the Destination Address of Trap
Operation                  Command
Set the destination ...
Table 320 Set the Engine ID of a Local or Remote Device
Operation                                       Command
Set the engine ID of the device                 snmp-agent local-engineid engineid
Restore the default engine ID of the device     undo snmp-agent local-engineid
By default, the engine ID is expressed as enterprise number + device information. The device information can be an IP address, a MAC address, or user-defined text.
Creating/Updating View Information or Deleting a View
You can use the following commands to create or update the information of views, or delete a view. Perform the following configuration in System View.
Table 324 Create/Update View Information or Delete a View
Operation                            Command
Create/Update view information       ...
Table 328 Display and Debug SNMP
Operation                                                                           Command
Display the statistics information about SNMP packets                               display snmp-agent statistics
Display the engine ID of the active device                                          display snmp-agent { local-engineid | remote-engineid }
Display the group name, the security mode, the states for all types of views, ...   display snmp-agent group [ group-name ]
...
[4500]snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public
(The security name public used here is the well-known default community string; use a site-specific value in production.)
Configure the Network Management System
The Switch supports 3Com Network Director. Users can query and configure the Switch through the network management system. For more information, refer to the network management user documentation.
SNMP Configuration Example: Reading the usmusr Table
Networking Requirements
The ViewDefault view should be reconfigured if you use SNMPv3 to read the usmusr table: the snmpVacmMIB and snmpUsmMIB subtrees must be included in the ViewDefault view.
Networking Diagram
Figure 79 SNMP configuration example (hosts 129.102.0.1 and 129.102.149.23 on an Ethernet segment)
Chapter 17: RMON Configuration

Overview
Remote Network Monitoring (RMON) is an IETF-defined MIB type and the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment, or even on a whole network, and is one of the most widely used network management standards.
■ Add/Delete an Entry to/from the History Control Table
■ Add/Delete an Entry to/from the Extended RMON Alarm Table
■ Add/Delete an Entry to/from the Statistics Table

Adding/Deleting an Entry to/from the Alarm Table
RMON alarm management can monitor specified alarm variables, such as the statistics on a port.
Table 331 Add/Delete an Entry to/from the History Control Table
Operation                                          Command
Add an entry to the history control table          rmon history entry-number buckets number interval sampling-interval [ owner text-string ]
Delete an entry from the history control table     undo rmon history entry-number
Chapter 18: NTP Configuration

Overview
Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. NTP transmits packets through UDP port 123. NTP is intended to synchronize all devices that have clocks in a network so that their clocks stay consistent.
■ The local clock of a Switch 4500 cannot operate as a reference clock. It can serve as an NTP server only after it has itself been synchronized.

Implementation Principle of NTP
Figure 81 shows the implementation principle of NTP. Ethernet switch A (LS_A) is connected to Ethernet switch B (LS_B) through Ethernet ports.
■ On receiving the response packet, LS_A inserts a new timestamp (10:00:03 am) into it. At this point, LS_A has enough information to calculate the following two parameters:
■ The delay for an NTP packet to make a round trip between LS_A and LS_B: ...
Figure 84 Broadcast Mode. The server periodically broadcasts clock synchronization packets and also works in server mode automatically, answering client/server requests. After receiving the first broadcast packet, the client initiates a client/server mode request, obtains the delay between itself and the server from the response, and then continues in broadcast client mode...
Configuring NTP Implementation Modes
NTP implementation mode / Configuration on the Switch 4500 Family
■ Multicast mode: configure the local Switch 4500 to operate in NTP multicast server mode. In this mode the local switch sends multicast NTP packets through the VLAN interface configured on the switch.
Operation / Command / Description
Configure the switch to operate in NTP broadcast client mode: ntp-service broadcast-client (optional; by default, no Ethernet switch operates in NTP broadcast client mode)
Configure the switch to operate in NTP broadcast server mode: ntp-service broadcast-server [ ... (optional; by default, no Ethernet switch operates in NTP broadcast server mode)...
Configuring Access Control Right
NTP broadcast server mode: when a Switch 4500 operates in NTP broadcast server mode, it broadcasts clock synchronization packets periodically. Devices in NTP broadcast client mode respond to these packets and start the clock synchronization process.
NTP multicast server mode: when a Switch 4500 operates in NTP multicast server mode, it multicasts clock synchronization packets periodically.
enabled on the server (assuming that the other related configurations have been performed).
■ NTP authentication must be coupled with a trusted key.
■ The configurations on the server and the client must be consistent.
■ A client with NTP authentication enabled is only synchronized to ...
Configuring Optional NTP Parameters
Operation / Command / Description
Configure an NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value (required; by default, no NTP authentication key is configured)
Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (required; by default, no trusted authentication key is configured)
Dynamic connections can be established when a switch operates in passive peer mode, NTP broadcast client mode, or NTP multicast client mode. In the other modes, the connections established are static.
Displaying and Debugging NTP
After performing the above configurations, you can execute the display commands in any view to show the switch's running status and verify the effect of the configuration.
Configuration Examples
Clock precision: 2^7
Clock offset: 0.0000 ms
Root delay: 0.00 ms
Root dispersion: 0.00 ms
Peer dispersion: 0.00 ms
Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000)
(A reference time of Jan 1 1900, the NTP epoch, means the switch has not yet synchronized to any source.)
# Set Switch1 to the NTP server of the Switch 4500.
<4500>...
Figure 86 Network diagram for NTP peer mode configuration (Switch2, Switch3 and SW4500 on the 3.0.1.0/24 subnet, using 3.0.1.31/24, 3.0.1.32/24 and 3.0.1.33/24)
Configuration procedure
1 Configure the Switch 4500.
# Set Switch2 to the NTP server.
<SW4500>...
# View the information about the NTP sessions of the SW4500 Ethernet switch (a connection has been established between the SW4500 and Switch3).
[SW4500] display ntp-service sessions
source reference stra reach poll now offset delay disper
**************************************************************************
[2]3.0.1.32...
# Enter system view.
<SW4500-2> system-view
[SW4500-2]
# Enter Vlan-interface2 view.
[SW4500-2] interface Vlan-interface 2
[SW4500-2-Vlan-interface2]
# Set SW4500-2 to a broadcast client.
[SW4500-2-Vlan-interface2] ntp-service broadcast-client
After the above configurations, SW4500-1 and SW4500-2 listen for broadcast packets on their own Vlan-interface2, and Switch3 sends broadcast packets through its Vlan-interface2.
from Switch3, while SW4500-1 is synchronized to Switch3 after receiving multicast packets from Switch3. View the status of SW4500-1 after synchronization.
[SW4500-1] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 250.0000 Hz
Actual frequency: 249.9992 Hz
Clock precision: 2^19...
# Enable the NTP authentication function.
[SW4500] ntp-service authentication enable
# Configure an MD5 authentication key, with key ID 42 and the key aNiceKey.
[SW4500] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key as a trusted key.
[SW4500] ntp-service reliable authentication-keyid 42
# Use that key when talking to the unicast server.
[SW4500] ntp-service unicast-server 1.0.1.11 authentication-keyid 42
After the above configurations, SW4500 is ready to synchronize with Switch1.
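What the key configured above actually does on the wire is easiest to see by building and checking an authenticated packet. The following is an added example written for this guide, not code from 3Com or from the switch: it implements the RFC 1305/5905 symmetric-key MAC (key ID plus MD5 over key || header) and the receiver-side checks the chapter describes, namely that an unauthenticated packet is dropped when authentication is enabled, that an unknown or untrusted key ID is rejected, and that a modified packet fails the digest. Key ID 42 and key aNiceKey are taken from the example above; the packet fields, the second key and the timestamps are constructed for the example.

```python
"""Added example (not from the 3Com guide): how the MD5 authenticator that
'ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey'
configures is computed and checked, following the RFC 1305/5905 symmetric-key
MAC format. Key ID 42 and key 'aNiceKey' come from the configuration example
above; every packet field below is constructed for the example."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48       # fixed NTP v3/v4 header
NTP_KEY_ID_LEN = 4        # key identifier that precedes the digest
MD5_DIGEST_LEN = 16

# Key table, mirroring 'ntp-service authentication-keyid' (configured) and
# 'ntp-service reliable authentication-keyid' (trusted).
KEYS = {42: b"aNiceKey"}
TRUSTED = {42}


def add_key(key_id, key, trusted):
    """Register a key; only trusted keys are accepted for synchronization."""
    KEYS[key_id] = key
    if trusted:
        TRUSTED.add(key_id)
    else:
        TRUSTED.discard(key_id)


def build_header(transmit_ts, version=3, mode=3, stratum=0, poll=6, precision=-20):
    """48-byte NTP header. mode 3 = client, 4 = server, 5 = broadcast.
    Root delay/dispersion, reference ID and the other timestamps are zero
    here (constructed values); transmit_ts is a 64-bit NTP timestamp."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbbIIIQQQQ", li_vn_mode, stratum, poll, precision,
                       0, 0, 0, 0, 0, 0, transmit_ts)


def ntp_mac(key_id, key, header):
    """Key ID (4 bytes) followed by MD5(key || header) (16 bytes)."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def authenticate(header, key_id):
    """Append the MAC a sender adds once a key ID is bound to the peer."""
    return header + ntp_mac(key_id, KEYS[key_id], header)


def verify(packet):
    """Receiver-side checks with authentication enabled: a MAC must be
    present, the key ID must be configured and trusted, and the digest must
    match. Returns (accepted, reason)."""
    if len(packet) != NTP_HEADER_LEN + NTP_KEY_ID_LEN + MD5_DIGEST_LEN:
        return False, "no MAC present; unauthenticated packet discarded"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in KEYS:
        return False, f"key id {key_id} is not configured"
    if key_id not in TRUSTED:
        return False, f"key id {key_id} is configured but not trusted"
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch: wrong key or modified packet"
    return True, "ok"


if __name__ == "__main__":
    pkt = authenticate(build_header(0xD5D7E0A000000000), 42)
    print(len(pkt), verify(pkt))
```

Note that this is a keyed MD5 hash, not HMAC, because that is what the md5 authentication mode specifies; it prevents an on-path attacker from forging or altering time packets, but it does not encrypt them, and the key is a shared secret that must be identical on both sides.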
SSH TERMINAL SERVICES
This section contains information about SSH Terminal Services.
SSH Terminal Service
Secure Shell (SSH) provides confidentiality and strong authentication, protecting against attacks such as IP address spoofing and plain-text password interception when users log in to the switch remotely over an insecure network. A switch can connect to multiple SSH clients.
Figure 91 Establish an SSH channel through a WAN (workstations, laptops and servers on a local Ethernet behind the local switch acting as SSH client; a remote Ethernet behind the remote switch acting as SSH server)
To establish an SSH authentication secure connection, the server and the client...
3 Authentication mode negotiation:
■ The client sends its username to the server.
■ The server starts the procedure to authenticate the user. If the server is configured not to authenticate the user, the process proceeds directly to the session request phase.
SSH Server Configuration
SSH server configuration tasks are described in the following sections:
Table 343 SSH server configuration
Configuration Item / Command / View / Description
Configure the protocol the current user interface supports: protocol inbound (user interface view; optional)
Generate an RSA...
CAUTION: If the protocol supported by the user interface is set to SSH, you must set the login authentication mode of that user interface to authentication-mode scheme (AAA authentication). If the authentication mode is authentication-mode password or authentication-mode none, the protocol inbound ssh configuration fails, and vice versa.
By default, no login authentication mode is specified, so SSH users cannot log in.
4 Configuring the authentication timeout
Use this configuration task to set the authentication timeout of SSH connections. Perform the following configuration in system view.
Table 350 Public key configuration
Enter the public key view: rsa peer-public-key key-name
Exit the public key view and return to system view: peer-public-key end
These configuration commands apply where the server uses RSA authentication for SSH users.
Cancel the association between the user and the public key: undo ssh user username assign rsa-key
11 Configuring the server compatibility mode
Use this configuration task to set whether the server should be compatible with SSH 1.x clients. The SSH 1.x protocol has known cryptographic weaknesses, so leave compatibility disabled unless a legacy client cannot be upgraded.
Figure 92 Generating the client key (1)
While the key pair is being generated you must keep moving the mouse within the blank area of the window marked in Figure 92, not over the green progress bar; otherwise the progress bar does not advance and the key pair cannot be generated.
Figure 93 Generating the client key (2)
After the key pair is generated, click "Save public key" and enter a file name (public here) to save the public key.
Figure 94 Generating the client key (3)
Likewise, to save the private key, click "Save private key". A warning window asks whether you want to save the private key without a passphrase; click "Yes" and enter a name (private here) to save it. A private key saved without a passphrase is protected only by the file permissions of the host it sits on.
Figure 95 Generating the client key (4)
To generate the RSA public key in PKCS format, run SSHKEY.exe, click "Browse"...
Figure 96 Generating the client key (5)
Specifying the IP address of the server
Launch PuTTY.exe and the following window appears.
Figure 97 SSH client interface 1
In the [Host Name (or IP address)] text box, enter the IP address of the server, for example 10.110.28.10. The IP address can be that of any interface on the server whose SSH service is up and which has a route to the client.
Figure 98 SSH client interface 2
In the [Protocol options] field, select [2] from the [Preferred SSH protocol version] section.
Open an SSH Connection with RSA
If the client needs to use RSA authentication, you must specify the RSA private key file.
Figure 99 SSH client interface 3
Click <Browse...> to bring up the file selection window, navigate to the private key file and click <OK>.
Open an SSH Connection with Password
1 Click <Open>. The following SSH client interface appears. If the connection is normal, you are prompted to enter the username and password, as shown in Figure 100.
SSH server / SSH client
Configuration procedure
1 Generate the RSA key pair.
[3Com] rsa local-key-pair create
Note: If the local key pair has already been generated, skip this step.
2 Set the user login authentication mode. The following shows the configuration for both password authentication and RSA public key authentication.
[3Com-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com] ssh user client002 assign rsa-key 3com002
5 Start the SSH client software on the terminal that holds the matching RSA private key, and perform the corresponding configuration to establish the SSH connection.
SSH Client Configuration...
[3Com-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[3Com-rsa-key-code] public-key-code end
[3Com-rsa-public-key] peer-public-key end
[3Com] ssh client 10.165.87.136 assign rsa-key hello
CAUTION: Before logging in to the SSH server, an SSH client other than PuTTY or OpenSSH must be configured with the server's public key. PuTTY and OpenSSH instead prompt you to accept the server's host key on first connection; confirm its fingerprint through an independent channel before accepting, because accepting an unverified key gives up the protection against a spoofed server.
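The hex blocks typed into the public-key-code view above are the client's RSA public key re-encoded; the guide relies on SSHKEY.exe to produce them. The following added example, written for this guide and not 3Com's tool, shows the conversion in full: it parses an OpenSSH ssh-rsa line (RFC 4251 wire format), emits a hex-encoded PKCS#1 RSAPublicKey DER structure split into lines of the width used in the examples, and parses the DER back to confirm the round trip. That the switch's "PKCS format" is PKCS#1 RSAPublicKey DER is an assumption of this example, as is the 64-character line width; the key itself is constructed (e = 65537 with an arbitrary odd modulus) and is not a real key pair.

```python
"""Added example (not the guide's SSHKEY.exe): convert an OpenSSH 'ssh-rsa'
public key line into hex-encoded PKCS#1 RSAPublicKey DER, the format assumed
here for the switch's public-key-code view, and parse it back as a check.
The key below is constructed for the example, not a real key pair."""
import base64
import struct


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack("!I", len(data)) + data


def _positive_int_bytes(value):
    """Minimal big-endian encoding with a leading 0x00 when the top bit is
    set; this is both the RFC 4251 mpint and the DER INTEGER rule for
    non-negative values."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def make_openssh_line(e, n, comment):
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(_positive_int_bytes(e))
            + _ssh_string(_positive_int_bytes(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_openssh_line(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack("!I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def _der_length(length):
    """DER length: short form below 0x80, otherwise 0x80|count followed by the bytes."""
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    body = _positive_int_bytes(value)
    return b"\x02" + _der_length(len(body)) + body


def pkcs1_der(e, n):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def parse_pkcs1_der(der):
    """Strict inverse of pkcs1_der; returns (e, n) or raises on anything else."""
    def tlv(buf, off):
        tag, length, off = buf[off], buf[off + 1], off + 2
        if length & 0x80:
            count = length & 0x7F
            length = int.from_bytes(buf[off:off + count], "big")
            off += count
        return tag, buf[off:off + length], off + length
    tag, body, end = tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    t1, n_bytes, off = tlv(body, 0)
    t2, e_bytes, off = tlv(body, off)
    if t1 != 0x02 or t2 != 0x02 or off != len(body):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def to_switch_hex_lines(line, width=64):
    """Upper-case hex of the DER, split into lines for the public-key-code view."""
    e, n = parse_openssh_line(line)
    hex_text = pkcs1_der(e, n).hex().upper()
    return [hex_text[i:i + width] for i in range(0, len(hex_text), width)]


# Constructed example key (not a real key pair): the modulus starts with 0xC0,
# so the leading-zero rule is exercised in both encodings.
EXAMPLE_E = 65537
EXAMPLE_N = int("C0FFEE" * 42 + "01", 16)
EXAMPLE_LINE = make_openssh_line(EXAMPLE_E, EXAMPLE_N, "client002@example")

if __name__ == "__main__":
    for row in to_switch_hex_lines(EXAMPLE_LINE):
        print("[3Com-rsa-key-code]", row)
```

The parser is deliberately strict (exact field count, no trailing bytes, long-form lengths honoured): a key that is silently truncated or mis-split when pasted into the CLI would otherwise load as a different modulus and fail authentication in a way that is hard to diagnose.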
Table 360 Configure the service type to be used
Configure the service type to be used: ssh user username service-type { stelnet | sftp | all }
Restore the default service type: undo ssh user username service-type
By default, the service type is stelnet.
SFTP Service
Table 362 SFTP client configuration
Configuration Item / Command / View / Description
Start the SFTP client: sftp (system view; required)
Shut down the SFTP client: exit or quit (SFTP client view; optional)
SFTP directory operations: change the current directory (SFTP client view; optional); return to the...
■ A secure SSH connection has been established between Switch A and Switch B.
■ Switch A is used as the SFTP server, and its IP address is 10.111.27.91.
■ Switch B is used as the SFTP client.
■ An SFTP user is configured with the username 8040 and password 3com.
# Start the SFTP server.
[3Com] sftp-server enable
# Specify the service type as SFTP.
[3Com] ssh user 8040 service-type sftp
2 Configure Switch B as the client.
# Establish a connection with the remote SFTP server and enter the SFTP client view.
PASSWORD CONTROL CONFIGURATION OPERATIONS
Introduction to Password Control Configuration
The password control feature manages the following passwords:
■ Telnet passwords: used by users who log in to the switch through Telnet.
■ SSH passwords: used by users who log in to the switch through...
Table 368 Functions Provided by Password Control
Function / Description / Application
History password recording: a password that was configured and once used by a user is called a history (old) password. Applies to Telnet, SSH, super and FTP passwords.
Table 368 Functions Provided by Password Control (continued)
User blacklist: if the maximum number of login attempts is exceeded, the user cannot log in and the switch adds the user to the blacklist. No user in the blacklist is allowed to log in to the switch.
the minimum password length (if available), whether history password recording is enabled, the processing mode for login attempt failures, and the time the password history was last cleared. If all password attempts of a user fail, the system adds the user to the blacklist. You can execute the display password-control blacklist command in any view to see the names and IP addresses of such users.
CAUTION: After a user updates the password successfully, the switch saves the old password in a readable file in flash memory. Anyone who can read the flash file system (including copies of it taken as backups) can therefore recover previous passwords, so protect that access as you would the current credentials.
CAUTION: The switch does not provide the alert function for super passwords.
CAUTION: The switch does not provide the alert function for FTP passwords. When an FTP user logs in with a wrong password, the system only informs the user of the password error; it does not allow the user to change the password.
CAUTION: When updating a password, do not reuse one of the recorded history passwords; otherwise the system prompts you to set a different password.
The system administrator can perform the following operations to manually remove history password records.
Table 374 Configure Login Attempts Limitation and Failure Processing Mode
Display information about one or all users in the blacklist: display password-control blacklist [ username username | ipaddress ip-address ] (can be executed in any view)...
If password authentication completes without timing out, the user logs in to the switch normally.
Table 376 Configuring the Timeout for User Password Authentication
Operation / Command / Description
Enter system view: system-view
Configure the password authentication timeout: by default, it is 60 seconds.
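Table 368 lists the password control functions as separate features, but they interact: a login attempt is first checked against the blacklist, then against the stored credential, then against the aging timer, and a password change is checked against the length rule and the history before it is recorded. The following added example, written for this guide and not 3Com's implementation, puts those rules into one small policy engine so the order of checks and the per-user, per-source-address blacklist are explicit. Unlike the switch, which the caution above says keeps the old password in a readable file, it stores only salted PBKDF2 hashes in the history. The thresholds, user name, addresses and passwords (including the 0123456789 from the configuration example) are assumed values for the example.

```python
"""Added example (not part of the 3Com guide): the checks behind the password
control functions of Table 368 (minimum length, history password recording,
login-attempt limit with a blacklist keyed by user name and source IP, and
password aging with an expiry alert) as a small policy engine. The guide notes
that the switch keeps the old password in a readable file; this example instead
keeps only salted PBKDF2 hashes. All thresholds, user names and addresses are
assumed values for the example."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 20_000  # kept low so the example runs quickly; raise in real use


class PasswordControl:
    def __init__(self, min_length=8, history_size=4, max_attempts=3,
                 aging_days=90, alert_days=7):
        self.min_length = min_length
        self.history_size = history_size
        self.max_attempts = max_attempts
        self.aging_days = aging_days
        self.alert_days = alert_days
        self.users = {}      # name -> {"salt", "hash", "set_at", "history": [(salt, hash), ...]}
        self.failures = {}   # (name, ip) -> consecutive failed attempts
        self.blacklist = set()

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _in_history(self, user, password):
        return any(hmac.compare_digest(self._hash(salt, password), digest)
                   for salt, digest in user["history"])

    def set_password(self, name, password, now=None):
        """Apply the length and history rules, then record the new password."""
        now = time.time() if now is None else now
        if len(password) < self.min_length:
            return False, f"password must be at least {self.min_length} characters"
        user = self.users.setdefault(name, {"history": []})
        if self._in_history(user, password):
            return False, "password matches a recorded history password; choose another"
        salt = os.urandom(16)
        digest = self._hash(salt, password)
        user.update(salt=salt, hash=digest, set_at=now)
        user["history"] = (user["history"] + [(salt, digest)])[-self.history_size:]
        return True, "password updated"

    def clear_history(self, name):
        """Manual removal of history records, as the administrator may do on the switch."""
        if name in self.users:
            self.users[name]["history"] = []

    def login(self, name, ip, password, now=None):
        """Returns (allowed, message), checking blacklist, credential, then aging."""
        now = time.time() if now is None else now
        key = (name, ip)
        if key in self.blacklist:
            return False, "user is in the blacklist; login refused"
        user = self.users.get(name)
        ok = user is not None and "hash" in user and hmac.compare_digest(
            self._hash(user["salt"], password), user["hash"])
        if not ok:
            # Unknown names are counted too, so a wrong name behaves like a wrong password.
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] >= self.max_attempts:
                self.blacklist.add(key)
                return False, "maximum login attempts exceeded; user added to the blacklist"
            return False, f"authentication failed ({self.failures[key]}/{self.max_attempts})"
        self.failures.pop(key, None)
        age_days = (now - user["set_at"]) / 86400
        if age_days > self.aging_days:
            return False, "password has expired; it must be changed"
        if age_days > self.aging_days - self.alert_days:
            return True, f"login ok; password expires in {self.aging_days - age_days:.0f} days"
        return True, "login ok"

    def display_blacklist(self):
        """Equivalent of 'display password-control blacklist'."""
        return sorted(self.blacklist)
```

Keying the blacklist on (user name, source address) matches what display password-control blacklist reports on the switch; it stops a single source from locking a user out of every address, but it also means an attacker with many addresses gets max_attempts guesses from each, which is why the history and length rules still matter.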
Password Control Configuration Example
Configuration Procedure
# Configure the system login password.
<4500>system-view
System View: return to User View with Ctrl+Z.
[4500]local-user test
New local user added.
[4500-luser-test]password
Password:**********
confirm:**********
# Change the system login password to 0123456789.
[4500-luser-test]password
Password:**********
Confirm :**********
Updating the password file ,please wait ...
However, if the password recovery mechanism is disabled and the user-configurable bootrom password is lost, there is no recovery mechanism available. In that case the switch must be returned to 3Com for repair. The following commands are all executed directly from the Bootrom via the console.
Appendix A: Password Recovery Process
Bootrom Interface
During the initial boot phase of the switch (when directly connected via the console), various messages are displayed and the following prompt is shown with a five-second countdown timer:
Press Ctrl-B to enter Boot Menu... 4
Before the countdown reaches 0, press Ctrl+B.
If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Make sure the switch is registered with 3Com promptly, as the unit-unique password is only supplied to the registered owner of the switch. Note that this password is fixed for the life of the unit, so anyone who obtains it keeps console-level access to the bootrom unless the recovery mechanism is disabled.
This option allows the user to disable the fixed, unit-unique password recovery mechanism. If it is disabled and the bootrom password is then lost, recovery is not possible and the switch must be returned to 3Com for repair.
■ The remainder of this section describes how to set up a RADIUS server using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com.
Configuring Microsoft IAS RADIUS
3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with the Switch 4500 deployed.
Appendix B: RADIUS Server and Client Setup
and Computers window, right-click the domain and choose Properties, then select Change Mode.
c Add a user that is allowed to use the network. In Active Directory Users and Computers, right-click the Users folder in the left-hand pane and choose New >...
e The password for the user must be stored using reversible encryption. Right-click the user account and select Properties, select the Account tab, and check the box labeled Store password using reversible encryption. This keeps the password in a recoverable form on the domain controller, so enable it only for the accounts whose authentication method requires it.
f Now re-enter the password for the account: right-click the user account and select Reset Password...
In the Certificate Authority Type window select Enterprise root CA. Enter information to identify the Certificate Authority in the CA Identifying Information window, and the storage location in the Data Storage Location window. To complete the installation and set-up of the certificate server, the wizard requires the install CD for Microsoft Windows 2000 Server.
5 Configure a Certificate Authority
a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your Certificate Authority server.
b Select New > Certificate to Issue.
c Select Authenticated Session and select OK.
d Go to Programs >...
e Select the Group Policy tab and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor.
f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies, and right-click Automatic Certificate Request Settings.
Open a command prompt (Start > Run) and enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect.
6 Set up the Internet Authentication Service (IAS) RADIUS Server
a Go to Programs > Administrative Tools > Internet Authentication Service, right-click Clients, and select New Client.
h Select Grant remote access permission, and select Next. Click Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected and Smart Card or other Certificate is set. Deselect any other authentication methods listed.
b Select the Dial-in tab from the client Properties window. Select Allow access. Click OK.
c Click OK to confirm.
8 Configure the Switch 4500 for RADIUS access and client authentication; see Chapter 11 "802.1X Configuration".
d Select Advanced request and click Next >.
e Select the first option and click Next >.
f Either copy the settings from the screenshot below or choose different key options.
followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive.
h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA web page.
Paste the copied information into the Saved Request field as shown below. Select Authenticated Session from the Certificate Template selector and click Submit >.
m Download the certificate and certification path. Click the Download CA Certificate hyperlink to save the certificate.
o Click Install Certificate to launch the certificate import wizard.
p Leave the settings on the next screen as they are, click Next >, then Finish and OK. This installs the certificate.
q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
s Click Copy to File to save the certificate. This was already done by the Advanced Request, but it is an alternative way to save the certificate. Click Next when the wizard launches. Save the certificate using DER X.509 encoding: select DER encoded binary, then Next.
u Select the user that becomes the IEEE 802.1X client. Right-click the user and select Name mappings. Select Add.
v Select the certificate that you have just exported and click Open. Click OK.
w In the Security Identity Mapping screen, click OK to close it.
x Close the Active Directory Users and Domains management tool.
b Create a new remote access policy under IAS and name it Switch Login. Select Next >.
c Specify Switch Login to match the users in the switch access group, and select Next >...
e Use the Edit button to change the Service-Type to Administrative.
f Add a Vendor-Specific attribute to indicate the access level that should be provided:
The value 010600000003 indicates administrator privileges for the switch. In the vendor-specific attribute layout of RFC 2865, 01 is the vendor type, 06 the vendor length, and the final four bytes the access level: a value ending in 01 indicates monitor and 02 indicates manager access, while on the Switch 4500 00 indicates visitor level.
11 Configure the RADIUS client. Refer to the section Setting Up the RADIUS Client for information on setting up the client.
Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS:
1 Define the VLAN groups on the Active Directory server and assign the user accounts to each VLAN group. Go to Programs > Administrative Tools > Active Directory Users and Computers.
a For example, to create one group that will represent VLAN 4, select the Users folder from the domain (see below)...
d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties.
e Click Add to add policy membership.
f Select the Windows-Groups attribute type, and select Add and Add again...
g Select the VLAN group that you have just created and click Add, then OK to confirm.
h Click OK again to return to the Security Policy properties. Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 379 to Table 381 for the RADIUS attributes to add to the profile.
Table 379 Summary of auto VLAN attributes / Table 380 For Auto VLAN
Return String / Comment
Tunnel-Medium-Type
Tunnel-Private-Group-ID: VLAN value
Tunnel-Type: VLAN
Table 381 Summary of QoS attributes / Table 382 For Auto QoS
Return String / Comment
Filter-id...
m Select the Tunnel-Pvt-Group-ID entry and click Add.
n Click Add, ensure that the attribute value is set to 4 (attribute value in string format), and click OK. This value represents the VLAN ID.
o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen.
For troubleshooting, use the Event Viewer on both the workstation and the RADIUS server.
Configuring Funk RADIUS
3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with the Switch 4500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com...
To configure Funk RADIUS as a RADIUS server for networks with the Switch 4500, follow these steps:
1 Open the file \radius\service\eap.ini and remove the ";" before the MD5-Challenge line. This enables MD5-Challenge.
2 Open the file and change the log level to 5.
Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 4500 and follow the instructions in Configuring Auto VLAN and QoS for Funk RADIUS.
Passwords are case sensitive.
6 Enter the shared secret. The shared secret authenticates the RADIUS messages exchanged with the switch and hides the user password inside them; it must be identical on the Switch 4500 and the RADIUS server.
a Select RAS Clients from the left-hand list, then enter a client name, the IP address and the shared secret.
Configuring Auto VLAN and QoS for Funk RADIUS
To set up auto VLAN and QoS using Funk RADIUS, follow these steps:
1 Edit the dictionary file radius.dct so that the Return list attributes from the Funk RADIUS server are returned to the Switch 4500.
The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 4500.
Configuring FreeRADIUS
3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and RedHat Linux servers in networks with the Switch 4500 deployed.
a Add an entry for Switch Login. For example:
user-name Auth-Type = System, 3Com-User-Access-Level = Administrator
This tells the server to return the 3Com-User-Access-Level vendor-specific attribute in the Access-Accept message for that user.
b Add an entry for Network Login. For example:
user-name Auth-Type := Local, User-Password == "password"...
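Whether the attributes come from an IAS profile, a Funk return list or a FreeRADIUS users entry like the one above, the switch sees the same bytes in the Access-Accept. The following added example, written for this guide and not taken from 3Com or from any RADIUS server, builds those bytes for switch login (the 3Com-User-Access-Level vendor-specific attribute whose hex value the IAS section gives as 010600000003) and for auto VLAN and QoS (the Tunnel-* and Filter-Id attributes of Tables 379 to 382), decodes them as the switch would, and computes and verifies the RFC 2865 Response Authenticator that ties the reply to the request and the shared secret. The 3Com enterprise number 43 and the RFC 2868/3580 tunnel values are standard; the shared secret, packet identifier, request authenticator, VLAN ID and profile name are constructed for the example.

```python
"""Added example (not from the guide or from any RADIUS server): build the
attributes a RADIUS server returns to the Switch 4500 in an Access-Accept for
switch login (3Com-User-Access-Level) and auto VLAN/QoS (Tunnel-* and
Filter-Id), decode them as the switch would, and compute and verify the
Response Authenticator with the shared secret (RFC 2865). The vendor ID 43
(3Com) and the sub-attribute encoding 01 06 00 00 00 03 follow the value
010600000003 quoted in the IAS section; the shared secret, packet identifier,
request authenticator and VLAN/profile values are constructed."""
import hashlib
import hmac
import struct

VENDOR_3COM = 43
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580
TUNNEL_MEDIUM_IEEE802 = 6

# 3Com-User-Access-Level values as listed in the guide.
ACCESS_LEVEL = {"visitor": 0, "monitor": 1, "manager": 2, "administrator": 3}


def attribute(attr_type, value):
    """RFC 2865 attribute: type, length (including these two bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def user_access_level(level):
    """Vendor-Specific: vendor ID 43, then vendor type 1, vendor length 6, 4-byte level."""
    sub = bytes([1, 6]) + struct.pack("!I", ACCESS_LEVEL[level])
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3COM) + sub)


def auto_vlan(vlan_id, tag=0):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>."""
    return (attribute(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attribute(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
            + attribute(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def auto_qos(profile_name):
    return attribute(ATTR_FILTER_ID, profile_name.encode())


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_access_accept(packet, request_authenticator, secret):
    """What the switch (RADIUS client) checks before trusting the reply."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def decode_attributes(attrs):
    """Walk the attribute list and pull out the values this switch acts on."""
    out, off = {}, 0
    while off < len(attrs):
        attr_type, length = attrs[off], attrs[off + 1]
        if length < 2 or off + length > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[off + 2:off + length]
        off += length
        if attr_type == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            if vendor == VENDOR_3COM and vendor_type == 1 and vendor_len == 6:
                out["3Com-User-Access-Level"] = struct.unpack("!I", value[6:10])[0]
        elif attr_type in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            name = "Tunnel-Type" if attr_type == ATTR_TUNNEL_TYPE else "Tunnel-Medium-Type"
            out[name] = int.from_bytes(value[1:], "big")   # first byte is the tag
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            text = value[1:] if value[0] <= 0x1F else value   # RFC 2868: tag only if <= 0x1F
            out["Tunnel-Private-Group-ID"] = text.decode()
        elif attr_type == ATTR_FILTER_ID:
            out["Filter-Id"] = value.decode()
    return out


if __name__ == "__main__":
    attrs = user_access_level("administrator") + auto_vlan(4) + auto_qos("profile1")
    pkt = build_access_accept(7, bytes(range(16)), b"3com-shared-secret", attrs)
    print(pkt.hex())
    print(decode_attributes(pkt[20:]))
```

The Response Authenticator is the only thing that binds an Access-Accept to the shared secret, which is why the secret must match exactly on both sides and why a reply from a host that does not know it fails verification even if it carries an administrator access level.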
Setting Up the RADIUS Client
Windows 2000 Built-in Client
Windows 2000 requires Service Pack 3 and the IEEE 802.1X client patch for Windows 2000.
1 Download the patches if required from: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637
2 After the updates have been installed, start the Wireless Authentication Service in Component Services on the Windows 2000 workstation (set the service's startup type to Automatic).
Follow these steps to install the Aegis client:
1 Register the Aegis client. When the Aegis client is used for the first time, a license key is requested. To obtain a valid license key, complete the online form on the Meetinghouse website, giving the System ID.
d Click OK to finish the configuration.
e Restart the client, either by rebooting or by stopping and restarting the service.
f Click the OK button, then return to the Aegis Client main interface. To restart the client, press the button with the red cross.
Networks that contain a Cisco Secure ACS server with TACACS+ to provide centralized control over network and management access can also deploy the 3Com Switch 4500. Although 3Com does not directly support the proprietary TACACS+ protocol, 3Com switches can still be authenticated in networks that use TACACS+ and Cisco Secure ACS, by using the RADIUS service of the ACS server.
1 Select Network Configuration from the left-hand side.
2 Select Add Entry under AAA Clients.
3 Enter the details of the 3Com switch. Spaces are not permitted in the AAA Client Host name. An example is shown below...
5 Select Interface Configuration from the left-hand side.
6 Select RADIUS (IETF) from the list under Interface Configuration.
7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that the following options are selected for both User and Group:
■ Filter-ID...
Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS
8 Select Submit.
9 Repeat steps 1 to 8 for each Switch 4500 on your network. When all of the Switch 4500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server: select System Configuration from the left-hand side, then Service Control, and click Restart.
The user can now access the network through Network Login.
Adding a User for Switch Login
Adding a user for switch login is slightly more complex, as 3Com-specific RADIUS attributes need to be returned to the 3Com Switch 4500. These RADIUS attributes define the user's access level to the management interface.
Once complete, log in to the Secure ACS server again and complete steps 2 and 3.
2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left-hand side and select an existing device or add a new device.
3 Select Submit+Restart. The IETF attributes remain available to the device; the 3Com attributes are simply appended to them.
4 Select Interface Configuration, followed by RADIUS (3Com).
a Ensure that the 3Com-User-Access-Level option is selected for both User and...
6 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list, as shown below.
7 Select Submit.