3Com Switch 4500 26-Port Configuration Manual

Switch 4500 family 26-port, 50-port, pwr 26-port, pwr 50-port

3Com®
Switch 4500 Family

Configuration Guide

Switch 4500 26-Port
Switch 4500 50-Port
Switch 4500 PWR 26-Port
Switch 4500 PWR 50-Port
www.3Com.com
Part No. 10015033, Rev. AB
Published: January 2007


Summary of Contents for 3Com Switch 4500 26-Port

  • Page 1: Configuration Guide

    ® 3Com Switch 4500 Family Configuration Guide Switch 4500 26-Port Switch 4500 50-Port Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port www.3Com.com Part No. 10015033, Rev. AB Published: January 2007...
  • Page 2 LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.
  • Page 3: Table Of Contents

    CONTENTS ABOUT THIS GUIDE How This Guide is Organized Intended Readership Conventions Related Documentation GETTING STARTED Product Overview Stacking Overview Brief Introduction Typical Networking Topology Product Features Logging In to the Switch Setting up Configuration Environment Through the Console Port Setting up Configuration Environment Through Telnet Setting up Configuration Environment Through a Dial-up Modem Command Line Interface Command Line View...
  • Page 4 VLAN O PERATION VLAN Configuration VLAN Overview Configuring a VLAN Displaying and Debugging VLAN VLAN Configuration Example One VLAN Configuration Example Two Voice VLAN Configuration Introduction to Voice VLAN Voice VLAN Configuration Displaying and Debugging of Voice VLAN Voice VLAN Configuration Example Configuring Voice VLAN with a PC Downstream from Phone Key Details for Proper Setup Step By Step Description...
  • Page 5 DHCP Relay Configuration Example One DHCP Relay Configuration Example Two Troubleshooting DHCP Relay Configuration Access Management Configuration Access Management Overview Configuring Access Management Displaying and Debugging Access Management Access Management Configuration Example Access Management via the Web UDP Helper Configuration Overview of UDP Helper UDP Helper Configuration Displaying and Debugging UDP Helper Configuration...
  • Page 6 Basic ACL Configuration Example Link ACL Configuration Example QoS Configuration QoS Configuration Setting Port Priority Configuring Trust Packet Priority Setting Port Mirroring Configuring Traffic Mirroring Setting Traffic Limit Setting Line Limit Configuring WRED Operation Displaying and Debugging QoS Configuration QoS Configuration Example Port Mirroring Configuration Example ACL Control Configuration TELNET/SSH User ACL Configuration...
  • Page 7 Configuration BPDU Forwarding Mechanism in STP Implement RSTP on the Switch RSTP Configuration Enable/Disable RSTP on a Switch Enable/Disable RSTP on a Port Configure RSTP Operating Mode Configure the STP-Ignore attribute of VLANs on a Switch Set Priority of a Specified Bridge Specify the Switch as Primary or Secondary Root Bridge Set Forward Delay of a Specified Bridge Set Hello Time of the Specified Bridge...
  • Page 8 Setting the Timers of the RADIUS Server Displaying and Debugging AAA and RADIUS Protocol AAA and RADIUS Protocol Configuration Example Configuring the Switch 4500 AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting Problem Diagnosis 3Com-User-Access-Level SYSTEM MANAGEMENT File System Overview Directory Operation File Operation...
  • Page 9 Erasing Configuration Files from Flash Memory Configuring the Name of the Configuration File Used for the Next Startup. FTP Overview Enabling/Disabling FTP Server Configuring the FTP Server Authentication and Authorization Configuring the Running Parameters of FTP Server Displaying and Debugging FTP Server Introduction to FTP Client FTP Server Configuration Example TFTP Overview...
  • Page 10 ping Introduction to Remote-ping Remote-ping Configuration Introduction to Remote-ping Configuration Configuring Remote-ping Configuration Example Logging Function Introduction to Info-center Info-Center Configuration Sending the Information to Loghost Sending the Information to Control Terminal Sending the Information to Telnet Terminal or Dumb Terminal Sending the Information to the Log Buffer Sending the Information to the Trap Buffer Sending the Information to SNMP Network Management...
  • Page 11 Adding/Deleting an Entry to/from the Extended RMON Alarm Table Adding/Deleting an Entry to/from the Statistics Table Displaying and Debugging RMON RMON Configuration Example NTP CONFIGURATION Overview Applications of NTP Implementation Principle of NTP NTP Implementation Modes Configuring NTP Implementation Modes Configuration Prerequisites Configuration Procedure Configuring Access Control Right...
  • Page 12 SWITCH WITH CISCO SECURE Cisco Secure ACS (TACACS+) and the 3Com Switch 4500 Setting Up the Cisco Secure ACS (TACACS+) Server Adding a 3Com Switch 4500 as a RADIUS Client Adding a User for Network Login Adding a User for Switch Login...
  • Page 13: About This Guide

    ABOUT THIS GUIDE This guide provides information about configuring your network using the commands supported on the 3Com® Switch 4500. How This Guide is Organized The Switch 4500 Configuration Guide consists of the following chapters: Getting Started — Details the main features and configurations of the Switch ■...
  • Page 14: Conventions

    ABOUT THIS GUIDE Conventions This guide uses the following conventions: Table 1 Icons: Icon / Notice Type / Description. Information note: Information that describes important features or instructions. Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device. Warning: Information that alerts you to potential personal injury.
  • Page 15: Related Documentation

    Related Documentation The 3Com Switch 4500 Getting Started Guide provides information about installation. The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the configuration commands.
  • Page 16 ABOUT THIS GUIDE...
  • Page 17: Getting Started

    GETTING STARTED This chapter covers the following topics: Product Overview ■ Stacking Overview ■ Product Features ■ Logging In to the Switch ■ Command Line Interface ■ User Interface Configuration ■ Product Overview Table 3 lists the models in the Switch 4500 family. Table 3 Models in the Switch 4500 family Power...
  • Page 18: Stacking Overview

    Stacking Overview Brief Introduction With the 3Com Switch 4500, up to eight units can be operated together as a single larger logical unit to simplify administration. This is called stacking. Stacking allows you to add ports in a site or location incrementally, without adding complexity to the management of the switch.
  • Page 19: Logging In To The Switch

    Logging In to the Switch Table 4 Function Features: Features / Description. Security features: Multi-level user management and password protect; 802.1X authentication; Packet filtering. Quality of Service (QoS): Traffic classification; Bandwidth control; Priority; Queues of different priority on the port. Management and Maintenance: Command line interface configuration; Configuration through console port...
  • Page 20 CHAPTER 1: GETTING STARTED Databit = 8 ■ Parity check = none ■ Stopbit = 1 ■ Flow control = none ■ Terminal type = VT100 ■ Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...
  • Page 21: Setting Up Configuration Environment Through Telnet

    Logging In to the Switch Figure 5 Setting Communication Parameters 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt such as <4500> 4 Enter a command to configure the Switch or view the operation state. Enter a view online help.
  • Page 22 CHAPTER 1: GETTING STARTED Figure 6 Setting up the Configuration Environment through Telnet (figure labels: Workstation, Ethernet port, Ethernet, Server, PC for configuring the switch via Telnet) 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the...
  • Page 23: Setting Up Configuration Environment Through A Dial-Up Modem

    Logging In to the Switch Figure 8 Providing Telnet Client Service Telnet Server Telnet Client 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
  • Page 24 The Modem configuration commands and outputs may differ between Modems. For details, refer to the User Guide of the Modem. 3Com recommends that the transmission rate on the console port be lower than that of the Modem; otherwise packets may be lost.
  • Page 25 Logging In to the Switch Figure 10 Setting the Dialed Number Figure 11 Dialing on the Remote PC 5 Enter the preset login password on the remote terminal emulator and wait for the prompt <4500>. Then you can configure and manage the Switch. Enter to view...
  • Page 26: Command Line Interface

    CHAPTER 1: GETTING STARTED Command Line Interface The Switch 4500 Family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: Local configuration through the console port. ■...
  • Page 27 Command Line Interface To prevent unauthorized users from illegal intrusion, the user will be identified when switching from a lower level to a higher level with the super level command. User ID authentication is performed when users at lower level become users at a higher level.
  • Page 28 CHAPTER 1: GETTING STARTED Table 5 Features of Command Views: Command view / Function / Prompt / Command to enter / Command to exit. User View: Show the basic information about operation and Switch...; prompt <4500>; this is the view you are in after connecting to the Switch; quit disconnects from the Switch...
  • Page 29 ...Group View: prompt [4500-radius-1]; configure parameters; entered in System View; quit returns to System View; return returns to User View. ISP Domain View: Configure ISP domain parameters; prompt [4500-isp-3Com.net]; enter domain 3Com.net in System View; quit returns to System View; return returns to User View...
  • Page 30: Features And Functions Of Command Line

    CHAPTER 1: GETTING STARTED Features and Functions of Command Line Command Line Help The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter in any view to get all the commands in that view.
  • Page 31 Command Line Interface command buffer is defaulted as 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7. Table 7 Retrieving History Command: Operation / Result. Display history command: the user inputs display history-command to display the history commands...
  • Page 32: User Interface Configuration

    CHAPTER 1: GETTING STARTED Table 9 Editing Functions Function <Tab> Press <Tab> after typing an incomplete keyword and the system will display partial help: If the keyword matching the one entered is unique, the system will replace it with the complete keyword and display it in a new line;...
  • Page 33: User Interface Configuration

    User Interface Configuration Tasks for configuring the user interface are described in the following sections: Entering User Interface View ■ Configuring the User Interface-Supported Protocol ■ Configuring the Attributes of AUX (Console) Port ■ Configuring the Terminal Attributes ■...
  • Page 34 CHAPTER 1: GETTING STARTED Perform the following configurations in User Interface (AUX user interface only) View. Configuring the Transmission Speed on the AUX (Console) Port Table 12 Configuring the Transmission Speed on the AUX (Console) Port: Operation / Command. Configure the transmission speed on the AUX (console) port: speed speed_value. Restore the default transmission speed on the AUX...
  • Page 35 User Interface Configuration Configuring the Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
  • Page 36 CHAPTER 1: GETTING STARTED Setting the Screen Length If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently.
  • Page 37 In the following example, local username and password authentication are configured. Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and 3Com respectively. [4500-ui-vty0]authentication-mode scheme [4500-ui-vty0]quit...
  • Page 38 CHAPTER 1: GETTING STARTED Table 24 Setting the Command Level used after a User Logs In: Operation / Command. Restore the default command level used after a user logs in: undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* }. By default, the specified logged-in user can access the commands at Level 1.
  • Page 39: Displaying And Debugging User Interface

    User Interface Configuration Configuring Redirection (send command) The following command can be used for sending messages between user interfaces. Perform the following configuration in User View. Table 27 Configuring to Send Messages Between Different User Interfaces: Operation / Command. Configuring to send messages between different user interfaces: send { all | number | type number }.
  • Page 40 CHAPTER 1: GETTING STARTED Table 29 Displaying and Debugging User Interface: Operation / Command. Display the user application information of the user interface: display users [ all ]. Display the physical attributes and some configurations of the user interface: display user-interface [ type number | number ] [ summary ]...
  • Page 41: Port

    PORT OPERATION This chapter covers the following topics: Ethernet Port Configuration ■ Link Aggregation Configuration ■ Ethernet Port Configuration Ethernet Port Overview The following features are found in the Ethernet ports of the Switch 4500: 10/100BASE-T Ethernet ports support MDI/MDI-X auto-sensing. They can ■...
  • Page 42 CHAPTER 2: PORT OPERATION Entering Ethernet Port View Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View. Table 30 Entering Ethernet Port View: Operation / Command. Enter Ethernet Port View: interface { interface_type interface_num | interface_name }. Enabling/Disabling an Ethernet Port Use the following command to disable or enable the port.
  • Page 43 Ethernet Port Configuration Note that 10/100BASE-T Ethernet ports support full duplex, half duplex and auto-negotiation, which can be set as required. Gigabit Ethernet ports support full duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode.
  • Page 44 CHAPTER 2: PORT OPERATION Perform the following configuration in Ethernet Port View. Table 36 Enabling/Disabling Flow Control for an Ethernet Port: Operation / Command. Enable Ethernet port flow control: flow-control. Disable Ethernet port flow control: undo flow-control. By default, Ethernet port flow control is disabled. Setting the Ethernet Port Suppression Ratio Use the following commands to restrict broadcast/multicast/unicast traffic.
  • Page 45 For the Switch 4500 26-Port and Switch 4500 26-Port PWR, ■ GigabitEthernet1/0/25 and GigabitEthernet1/0/26 ports can be configured as a stack port;...
  • Page 46 CHAPTER 2: PORT OPERATION port, you can configure to tag some VLAN packets, based on which the packets can be processed differently. Setting the Default VLAN ID for the Ethernet Port Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs.
  • Page 47: Displaying And Debugging Ethernet Port

    Ethernet Port Configuration Table 41 Setting Loopback Detection for the Ethernet Port: Operation / Command. Set the external loopback detection interval of the port (System View): loopback-detection interval-time time. Restore the default external loopback detection interval of the port (System View): undo loopback-detection interval-time. Configure that the system performs loopback detection per VLAN: loopback-detection per-vlan...
  • Page 48: Ethernet Port Configuration Example

    CHAPTER 2: PORT OPERATION Enter the command in Ethernet Port View to check whether the loopback Ethernet port works normally. In the process of the loopback test, the port cannot forward any packets. The loop test will finish automatically after a short time. Table 43 Displaying and Debugging Ethernet Port: Operation / Command...
  • Page 49: Ethernet Port Troubleshooting

    Link Aggregation Configuration Networking Diagram Figure 12 Configuring the Default VLAN for a Trunk Port Switch A Switch B Configuration Procedure The following configurations are used for Switch A. Configure Switch B in the similar way. 1 Enter the Ethernet Port View of Ethernet1/0/1. [4500]interface ethernet1/0/1 2 Set the Ethernet1/0/1 as a trunk port and allow VLAN 2, 6 through 50, and 100 to pass through.
  • Page 50 VLAN types, and default VLAN ID. The port setting includes port link type. The Switch 4500 26-Port can support up to 14 aggregation groups, the Switch 4500 50-Port can support up to 26 aggregation groups. Each group can have a maximum of eight 100 Mbps Ethernet ports or four Gigabit SFP ports.
  • Page 51 Link Aggregation Configuration with the minimum port number serves as the master port, while others as sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules: The system sets the port with the highest priority to active state, and others to ■...
  • Page 52 CHAPTER 2: PORT OPERATION systems as well as under manual control through direct manipulation of the state variables of Link Aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port, as is called single port aggregation.
  • Page 53: Link Aggregation Configuration

    Link Aggregation Configuration A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while others are standby ports. Selection criteria of selected ports vary for different types of aggregation groups.
  • Page 54 CHAPTER 2: PORT OPERATION aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration in System View.
  • Page 55 Link Aggregation Configuration ...port with 802.1X enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. ■ Setting/Deleting the Aggregation Group Descriptor Perform the following configuration in System View. Table 47 Setting/Deleting the Aggregation Group Descriptor: Operation / Command...
  • Page 56: Displaying And Debugging Link Aggregation

    CHAPTER 2: PORT OPERATION Perform the following configuration in Ethernet Port View. Table 49 Configuring Port Priority: Operation / Command. Configure port priority: lacp port-priority port_priority_value. Restore the default port priority: undo lacp port-priority. By default, port priority is 32768. Displaying and Debugging Link Aggregation After the above configuration, enter the display command in any view to display...
  • Page 57 Link Aggregation Configuration Networking Diagram Figure 13 Networking for Link Aggregation Switch A Link aggregation Switch B Configuration Procedure The following only lists the configuration for Switch A; configure Switch B similarly. 1 Manual link aggregation a Create manual aggregation group 1. [4500]link-aggregation group 1 mode manual b Add Ethernet ports Ethernet1/0/1 to Ethernet1/0/3 into aggregation group 1.
  • Page 58 CHAPTER 2: PORT OPERATION...
  • Page 59: Vlan Operation

    VLAN OPERATION This chapter covers the following topics: VLAN Configuration ■ Voice VLAN Configuration ■ VLAN Configuration VLAN Overview A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions.
  • Page 60 CHAPTER 3: VLAN OPERATION Table 51 Creating/Deleting a VLAN: Operation / Command. Delete the specified VLAN: undo vlan { vlan_id [ to vlan_id ] | all }. Note that the default VLAN, namely VLAN 1, cannot be deleted. Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN.
  • Page 61: Displaying And Debugging Vlan

    VLAN Configuration Table 54 Specifying/Removing the VLAN Interface: Operation / Command. Remove the specified VLAN interface: undo interface vlan-interface vlan_id. Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID. Shutting Down/Enabling the VLAN Interface Use the following command to shut down/enable a VLAN interface.
  • Page 62: Vlan Configuration Example Two

    CHAPTER 3: VLAN OPERATION Networking Diagram Figure 14 VLAN Configuration Example (figure labels: Switch, E1/0/1, E1/0/2, E1/0/3, E1/0/4, VLAN2, VLAN3) Configuration Procedure 1 Create VLAN 2 and enter its view. [4500]vlan 2 2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN2.
  • Page 63: Voice Vlan Configuration

    Voice VLAN Configuration Introduction to Voice VLAN Voice VLAN is specially designed for users' voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic traveling through the port to identify the IP Phone data flow.
  • Page 64 CHAPTER 3: VLAN OPERATION Setting/Removing the OUI Address Learned by Voice VLAN ■ Enabling/Disabling Voice VLAN Security Mode ■ Enabling/Disabling Voice VLAN Auto Mode ■ Setting the Aging Time of Voice VLAN ■ If you change the status of Voice VLAN security mode, you must first enable Voice VLAN features globally.
  • Page 65 Voice VLAN Configuration There are four default OUI addresses after the system starts. Table 61 Default OUI Addresses: OUI / Description. 00:E0:BB: 3Com phone. 00:03:6B: Cisco phone. 00:E0:75: Polycom phone. 00:D0:1E: Pingtel phone. Enabling/Disabling Voice VLAN Security Mode In security mode, the system can filter out the traffic whose source MAC is not OUI within the Voice VLAN, while the other VLANs are not influenced.
  • Page 66: Displaying And Debugging Of Voice Vlan

    CHAPTER 3: VLAN OPERATION Perform the following configuration in System View. Table 64 Configuring the Aging Time of Voice VLAN: Operation / Command. Set the aging time of Voice VLAN: voice vlan aging minutes. Restore the default aging time: undo voice vlan aging. The default aging time is 1440 minutes.
  • Page 67: Configuring Voice Vlan With A Pc Downstream From Phone

    Configuring Voice VLAN with a PC Downstream from Phone [4500-Ethernet1/0/2]quit [4500]undo voice vlan mode auto [4500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private [4500]voice vlan 2 enable [4500]voice vlan aging 100 Configuring Voice VLAN with a PC Downstream from Phone A common configuration for voice enabled networks is to place a PC downstream from a VoIP phone.
  • Page 68: Step By Step Description

    Ensure phones are not pre-configured with a static IP address ■ If used in a 3Com NBX network, be sure NBX Call processor is set to "Standard IP." ■ Likewise, ensure the NBX Call Processor default Gateway is set to the VLAN interface IP address.
  • Page 69: Voice Vlan In Auto Mode

    Configuring Voice VLAN with a PC Downstream from Phone Figure 19 DHCP Scopes 2 Connect the NBX call processor (IP address is 10.10.11.192/24), 3Com NBX phones (2102PE) 1 and 2 to Port 11, 6 or 7, and 9 on the Switch, respectively.
  • Page 70 CHAPTER 3: VLAN OPERATION level 2 local-user monitor service-type ssh telnet terminal level 1 acl number 4999 rule 0 deny dest 0000-0000-0000 ffff-ffff-ffff vlan 1 igmp-snooping enable vlan 5 <--------------- Create Data Vlan 5 vlan 50 <--------------- Create voice Vlan 50 interface Vlan-interface1 ip address dhcp-alloc rip version 2 multicast...
  • Page 71 Configuring Voice VLAN with a PC Downstream from Phone interface Ethernet1/0/6 poe enable stp edged-port enable port link-type hybrid <--------------- Setup for Hybrid ports port hybrid vlan 5 untagged undo port hybrid vlan 1 port hybrid pvid vlan 5 broadcast-suppression PPS 3000 priority trust voice vlan enable packet-filter inbound link-group 4999 rule 0...
  • Page 72 CHAPTER 3: VLAN OPERATION stp edged-port enable broadcast-suppression PPS 3000 priority trust packet-filter inbound link-group 4999 rule 0 interface Ethernet1/0/14 poe enable stp edged-port enable broadcast-suppression PPS 3000 priority trust packet-filter inbound link-group 4999 rule 0 interface Ethernet1/0/15 poe enable stp edged-port enable broadcast-suppression PPS 3000 priority trust...
  • Page 73: Voice Vlan In Manual Mode

    Configuring Voice VLAN with a PC Downstream from Phone packet-filter inbound link-group 4999 rule 0 interface Ethernet1/0/23 poe enable stp edged-port enable broadcast-suppression PPS 3000 priority trust packet-filter inbound link-group 4999 rule 0 interface Ethernet1/0/24 poe enable stp edged-port enable broadcast-suppression PPS 3000 priority trust packet-filter inbound link-group 4999 rule 0...
  • Page 74 CHAPTER 3: VLAN OPERATION undo port hybrid vlan 1 port hybrid pvid vlan 5 broadcast-suppression PPS 3000 priority trust voice vlan enable packet-filter inbound link-group 4999 rule 0 interface Ethernet1/0/7 poe enable stp edged-port enable port link-type trunk <--------------- Setup for Trunk ports undo port trunk permit vlan 1 port trunk permit vlan 5 50 port trunk pvid vlan 5...
  • Page 75: Power Over Ethernet Configuration

    POWER OVER ETHERNET CONFIGURATION This chapter covers the following topics: PoE Overview ■ PoE Configuration ■ PoE Overview The Switch 4500 26 Port PWR and Switch 4500 50 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote powered devices (PDs), such as IP Phones, WLAN APs, Network Cameras, and so on.
  • Page 76: Poe Configuration

    CHAPTER 4: POWER OVER ETHERNET CONFIGURATION When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply. ■ If a remote PD has an external power supply, the PWR switches and the ■...
  • Page 77: Setting The Maximum Power Output On A Port

    PoE Configuration Setting the Maximum Power Output on a Port The maximum power that can be supplied by an Ethernet port of the Switch 4500 26-Port PWR and Switch 4500 50-Port PWR to its PD is 15400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, with a range from 1000 to 15400 mW and in increments of 100 mW.
  • Page 78: Setting The Poe Mode On A Port

    CHAPTER 4: POWER OVER ETHERNET CONFIGURATION Table 69 Setting the Power Supply Management Mode on the Switch: Operation / Command. Set the power supply management mode on the Switch to auto: poe power-management auto. Set the power supply management mode on the Switch to manual: poe power-management manual. Restore the default power supply management mode...
  • Page 79: Upgrading The Pse Processing Software Online

    PoE Configuration Upgrading the PSE Processing Software Online The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. After upgrading files are downloaded, you can use the following command to perform online upgrading on the PSE processing software.
  • Page 80 CHAPTER 4: POWER OVER ETHERNET CONFIGURATION to guarantee the power feeding to the PD that will be connected to the Ethernet1/0/24 even when the Switch 4500 PWR is in full load. Network Diagram Figure 20 PoE Remote Power Supply Configuration Procedure Update the PSE processing software online.
  • Page 81: Network Protocol Operation

    NETWORK PROTOCOL OPERATION This chapter covers the following topics: IP Address Configuration ■ ARP Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration ■ IP Address Configuration IP Address Overview IP Address Classification and Indications An IP address is a 32-bit address allocated to the devices which access the Internet.
  • Page 82 CHAPTER 5: NETWORK PROTOCOL OPERATION The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses, and are seldom used.
  • Page 83: Configuring Ip Address

    IP Address Configuration A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. Principally, these 1s and 0s can be combined randomly. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: subnet address and host address.
  • Page 84: Displaying And Debugging Ip Address

    CHAPTER 5: NETWORK PROTOCOL OPERATION The IP address configuration is described in the following sections: Configuring the Hostname and Host IP Address ■ Configuring the IP Address of the VLAN Interface ■ Configuring the Hostname and Host IP Address This command associates the host name with the IP address.
  • Page 85: Ip Address Configuration Example

    ARP Configuration IP Address Configuration Example Networking Requirements Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch. Networking Diagram Figure 23 IP Address Configuration Networking (figure labels: Console cable, Switch) Configuration Procedure 1 Enter VLAN interface 1.
  • Page 86: Configuring Arp

    CHAPTER 5: NETWORK PROTOCOL OPERATION dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save memory space and shorten the time the Switch needs to search the ARP mapping table. Suppose there are two hosts on the same network segment: Host A and Host B.
  • Page 87 ARP Configuration Table 79 Manually Adding/Deleting Static ARP Mapping Entries: Operation / Command. Manually add a static ARP mapping entry (Ethernet Port View): arp static ip_address mac_address vlan_id. Manually delete a static ARP mapping entry (System View or Ethernet Port View): undo arp ip_address. By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.
  • Page 88: Displaying And Debugging Arp

    CHAPTER 5: NETWORK PROTOCOL OPERATION By default, this feature is enabled. Displaying and Debugging ARP After the above configuration, enter the display command in any view to display the running of the ARP configuration, and to verify the effect of the configuration. Enter the command in User View to debug ARP configuration.
  • Page 89 DHCP Configuration Figure 24 Typical DHCP Application (figure labels: DHCP Client, DHCP Server). To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages. One of the following three situations may occur: A DHCP client logs into the network for the first time ■...
  • Page 90 Chapter 5: Network Protocol Operation. ■ If the requested IP address becomes unavailable (for example, having been allocated to another client), the DHCP server returns the DHCP_NAK message. After receiving the DHCP_NAK message, the client sends the DHCP_Discover message to request another new IP address. ■ A DHCP client extends its IP lease period...
  • Page 91: DHCP Client Configuration

    DHCP Configuration. ■ The DHCP server determines a correct configuration based on the information from the client and returns the configuration information to the client through the DHCP relay. In fact, several such interactions may be needed to complete a DHCP relay configuration.
  • Page 92: Displaying And Debugging DHCP Configuration

    Chapter 5: Network Protocol Operation. Configuring the DHCP Server Group for the VLAN Interfaces: Perform the following configuration in VLAN Interface View. Table 85 Configuring the DHCP Server Group Corresponding to VLAN Interfaces: configure the DHCP server group corresponding to VLAN interfaces: dhcp-server groupNo; delete the DHCP server group...
  • Page 93: DHCP Relay Configuration Example Two

    DHCP Configuration. Networking Diagram: Figure 26 Configuring DHCP Relay (DHCP clients, Switch acting as DHCP relay, DHCP server 202.38.1.2). Configuration Procedure: 1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
  • Page 94: Troubleshooting DHCP Relay Configuration

    Chapter 5: Network Protocol Operation. Networking Diagram: Figure 27 Networking Diagram of Configuring DHCP Relay (DHCP clients, Switch acting as DHCP relay, DHCP server 202.38.1.2). Configuration Procedure: 1 Configure the group number of the DHCP Server as 1 and the IP address as 202.38.1.2.
  • Page 95: Access Management Configuration

    Access Management Configuration. Run debugging dhcp-relay in User View and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as clients apply for IP addresses, and so locate the problem.
  • Page 96 Chapter 5: Network Protocol Operation. Table 88 Configuring the Access Management IP Address Pool Based on the Port: cancel part or all of the IP addresses in the access management IP address pool of the port: undo am ip-pool { all | address_list }. By default, the IP address pools for access management on the port are null and all packets are permitted.
  • Page 97: Displaying And Debugging Access Management

    Access Management Configuration Enabling/Disabling Access Management Trap You can enable the access management trap function using the following commands. When this function is enabled, the trap information of access management is delivered to the console for the purpose of monitoring. Perform the following configuration in System View.
  • Page 98: Access Management Via The Web

    Chapter 5: Network Protocol Operation. 2 Configure the IP address pool for access management on port 1. [4500]interface ethernet1/0/1 [4500-Ethernet1/0/1]am ip-pool 202.10.20.1 20 3 Add port 1 into the isolation group. [4500-Ethernet1/0/1]port isolate 4 Configure the IP address pool for access management on port 2. [4500-Ethernet1/0/1]interface ethernet1/0/2 [4500-Ethernet1/0/2]am ip-pool 202.10.20.21 30 5 Add port 2 into the isolation group.
  • Page 99: UDP Helper Configuration

    UDP Helper Configuration. UDP Helper configuration includes: ■ Enabling/Disabling UDP Helper Function ■ Configuring UDP Port with Relay Function ■ Configuring the Relay Destination Server for Broadcast Packet. Enabling/Disabling UDP Helper Function: When the UDP Helper function is enabled, you can configure the UDP ports where the relay function is required; the relay function is enabled at UDP ports 69, 53, 37, 137, 138, and 49.
  • Page 100: Displaying And Debugging UDP Helper Configuration

    Chapter 5: Network Protocol Operation. For example, the udp-helper port dns command is equivalent in function to the udp-helper port 53 command. ■ The default UDP ports are not displayed when using the display current-configuration command, but a default port's ID is displayed after its relay function is disabled.
  • Page 101: IP Performance Configuration

    IP Performance Configuration. Networking Diagram: Figure 29 Networking for UDP Helper Configuration (Server 202.38.1.2, Switch acting as UDP Helper). Configuration Procedure: 1 Enable the UDP Helper function. [4500]udp-helper enable 2 Set to relay-forward the broadcast packets with destination UDP port 55. [4500]udp-helper port 55 3 Set the IP address of the destination server corresponding to VLAN interface 2 as 202.38.1.2.
  • Page 102: Displaying And Debugging IP Performance

    Chapter 5: Network Protocol Operation. Table 97 Configuring TCP Attributes: restore the synwait timer: undo tcp timer syn-timeout; configure the FIN_WAIT_2 timer in TCP: tcp timer fin-timeout time_value; restore the FIN_WAIT_2 timer: undo tcp timer fin-timeout; configure the socket receiving/sending buffer size of TCP: tcp window window_size; restore the socket receiving/sending buffer...
  • Page 103 IP Performance Configuration. ■ Use the terminal debugging command to output the debugging information to the console. ■ Use the debugging udp packet command to enable UDP debugging and trace the UDP packets. The following are the UDP packet formats: UDP output packet: Source IP address:202.38.160.1 Source port:1024...
  • Page 104 Chapter 5: Network Protocol Operation...
  • Page 105: IP Routing Protocol Operation

    IP Routing Protocol Operation. IP Routing Protocol Overview: Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
  • Page 106: Selecting Routes Through The Routing Table

    Chapter 6: IP Routing Protocol Operation. the optimal route. For example, routing through three LAN route segments may be much faster than routing through two WAN route segments. Configuring the IP Routing Protocol is described in the following sections: ■ Selecting Routes Through the Routing Table...
  • Page 107: Routing Management Policy

    IP Routing Protocol Overview In a complicated Internet configuration, as shown in Figure 31, the number in each network is the network address. The router R8 is connected to three networks, so it has three IP addresses and three physical ports. Its routing table is shown in Figure 2.
  • Page 108: Static Routes

    Chapter 6: IP Routing Protocol Operation. Supporting Load Sharing and Route Backup. I. Load sharing: The Switch 4500 supports multi-route mode, allowing the user to configure multiple routes that reach the same destination and use the same precedence. The same destination can be reached via multiple different paths, whose precedences are equal.
  • Page 109: Configuring Static Routes

    Static Routes. The following routes are static routes: ■ Reachable route — The IP packet is sent to the next hop towards the destination. This is a common type of static route. ■ Unreachable route — When a static route to a destination has the reject...
  • Page 110 Chapter 6: IP Routing Protocol Operation. The parameters are explained as follows: ■ IP address and mask: The IP address and mask use a decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask.
  • Page 111: Example: Typical Static Route Configuration

    Static Routes. Displaying and Debugging Static Routes: After you configure static and default routes, execute the display command in any view to display the static route configuration, and to verify the effect of the configuration. Table 103 Displaying and debugging the routing table: view routing table summary...
  • Page 112: Troubleshooting Static Routes

    Chapter 6: IP Routing Protocol Operation. [Switch A]ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 2 Configure the static routes for Ethernet Switch B: [Switch B]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1 [Switch B]ip route-static 1.1.1.0 255.255.255.0 1.1.3.1 3 Configure the static routes for Ethernet Switch C: [Switch C]ip route-static 1.1.1.0 255.255.255.0 1.1.2.1 [Switch C]ip route-static 1.1.4.0 255.255.255.0 1.1.3.2...
  • Page 113: Configuring RIP

    ■ Next hop address — The address of the next router that an IP packet will pass through for reaching the destination. ■ Interface — The interface through which the IP packet should be forwarded. ■ Cost — The cost for the router to reach the destination, which should be an...
  • Page 114 Chapter 6: IP Routing Protocol Operation. After RIP is disabled, the interface-related features also become invalid. The RIP configuration tasks are described in the following sections: ■ Enabling RIP and Entering the RIP View ■ Enabling RIP on a Specified Network...
  • Page 115 By default, RIP does not send messages to unicast addresses. 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time.
  • Page 116 Chapter 6: IP Routing Protocol Operation. By default, the interface receives and sends RIP-1 packets. It transmits packets in multicast mode when the interface RIP version is set to RIP-2. Configuring RIP Timers: As stipulated in RFC 1058, RIP is controlled by three timers: period update, timeout, and garbage-collection. Period update is triggered periodically to send all RIP routes to all neighbors.
  • Page 117 Perform the following configurations in RIP View. Table 109 Configuring Zero Field Check of the Interface Packets: configure zero field check on RIP-1 packets: checkzero; disable zero field check on RIP-1 packets: undo checkzero. Specifying the Operating State of the Interface: In the Interface View, you can specify whether RIP update packets are sent and received on the interface.
  • Page 118 Chapter 6: IP Routing Protocol Operation. Enabling RIP-2 Route Aggregation: Route aggregation means that different subnet routes in the same natural network can be aggregated into one natural-mask route for transmission when they are sent to other networks. Route aggregation can be performed to reduce the routing traffic on the network as well as to reduce the size of the routing table.
  • Page 119 generation of routing loops, but in some special cases, split horizon must be disabled to obtain correct advertising at the cost of efficiency. Disabling split horizon has no effect on P2P connected links but is applicable on the Ethernet. Perform the following configuration in Interface View: Table 114 Configuring Split Horizon Operation Command...
  • Page 120 Chapter 6: IP Routing Protocol Operation. Setting the RIP Preference: Each routing protocol has its own preference by which the routing policy selects the optimal route from the routes of different protocols. The greater the preference value, the lower the preference. The preference of RIP can be set manually.
  • Page 121: Displaying And Debugging RIP

    Configuring RIP to Filter the Received Routes. Table 119 Configuring RIP to Filter the Received Routes: filter the received routing information distributed by the specified address: filter-policy gateway ip_prefix_name import; cancel filtering of the received routing information distributed by the specified address: undo filter-policy gateway ip_prefix_name [ gateway...
  • Page 122: Example: Typical RIP Configuration

    Chapter 6: IP Routing Protocol Operation. Table 121 Displaying and Debugging RIP: enable the debugging of RIP receiving packets: debugging rip receive; disable the debugging of RIP receiving packets: undo debugging rip receive; enable the debugging of RIP sending packets: debugging rip send; disable the debugging of RIP sending packets: undo debugging rip send...
  • Page 123: Troubleshooting RIP

    IP Routing Policy. 3 Configure RIP on Switch C: [Switch C]rip [Switch C-rip]network 117.102.0.0 [Switch C-rip]network 110.11.2.0 Troubleshooting RIP: The Switch 4500 cannot receive the update packets when the physical connection to the peer routing device is normal. ■ RIP does not operate on the corresponding interface (for example, the...
  • Page 124: Configuring An IP Routing Policy

    Chapter 6: IP Routing Protocol Operation. the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node. The access control list (ACL) used by the route policy can be divided into three types: advanced ACL, basic ACL and interface ACL.
  • Page 125 IP Routing Policy. Perform the following configurations in System View. Table 122 Defining a route-policy: enter Route Policy View: route-policy route_policy_name { permit | deny } node { node_number }; remove the specified route-policy: undo route-policy route_policy_name [ permit | deny | node node_number ]. The permit parameter specifies that if a route satisfies all the clauses of...
  • Page 126 Chapter 6: IP Routing Protocol Operation. Table 123 Defining if-match Conditions: cancel the matched next-hop of the routing information set by the address prefix list: undo if-match ip next-hop ip-prefix; match the routing cost of the routing information: if-match cost cost; cancel the matched routing cost of...
  • Page 127: Displaying And Debugging The Routing Policy

    IP Routing Policy. Perform the following configurations in System View. Table 125 Defining Prefix-list: define a Prefix-list: ip ip-prefix ip_prefix_name [ index index_number ] { permit | deny } network len [ greater-equal greater_equal ] [ less-equal less_equal ]; remove a Prefix-list: undo ip ip-prefix ip_prefix_name [ index index_number | permit | deny ]...
  • Page 128: Configuration Procedure

    Chapter 6: IP Routing Protocol Operation. Networking diagram: Figure 34 Filtering the received routing information (Switch A, Router ID 1.1.1.1; Switch B, Router ID 2.2.2.2; Vlan-interface100 and Vlan-interface200 with addresses 10.0.0.1/8, 10.0.0.2/8 and 12.0.0.1/8; static routes 20.0.0.0/8, 30.0.0.0/8, 40.0.0.0/8; area 0). Configuration procedure: 1 Configure Switch A: a Configure the IP address of the VLAN interface.
  • Page 129: Troubleshooting Routing Protocols

    IP Routing Policy. Troubleshooting Routing Protocols: Routing information filtering cannot be implemented in normal operation of the routing protocol. Check for the following faults: ■ The if-match mode of at least one node of the Route Policy should be the permit mode.
  • Page 130 Chapter 6: IP Routing Protocol Operation...
  • Page 131: ACL Configuration

    ACL Configuration. This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ ACL Control Configuration. Brief Introduction to ACL: A series of matching rules are required for the network devices to identify the packets to be filtered. After identifying the packets, the Switch can permit or deny them to pass through according to the defined policy.
  • Page 132: ACL Supported By The Switch

    Chapter 7: ACL Configuration. The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This can be implemented by comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255.
  • Page 133 Brief Introduction to ACL. ■ If ACL is used to filter or classify the data transmitted by the hardware of the Switch, the match order defined in the acl command will not be effective. If ACL is used to filter or classify the data treated by the software of the Switch, the match order of ACL’s sub-rules will be effective.
  • Page 134 Chapter 7: ACL Configuration. Delete a sub-item from the ACL (from Advanced ACL View): undo rule rule_id [ source | destination | source-port | destination-port | icmp-type | precedence | tos | dscp | fragment | vpn-instance ]*; delete one ACL or all the ACLs (from System View): undo acl { number acl_number | all }
  • Page 135: Activating ACL

    Brief Introduction to ACL. Table 131 Defining the User-defined ACL: enter user-defined ACL view (from System View): acl number acl_number [ match-order { config | auto } ]; add a sub-item to the ACL (from User-defined ACL View): rule [ rule_id ] { permit | deny } { rule_string rule_mask offset }&<1-8>...
  • Page 136: Advanced ACL Configuration Example

    1 Define the work time range. Define the time range from 8:00 to 18:00. [4500]time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL, number 3000. [4500]acl number 3000 match-order config b Define the rules for other departments to access the payment server.
  • Page 137: Basic ACL Configuration Example

    Enter the numbered basic ACL, number 2000. [4500]acl number 2000 b Define the rule for packets whose source IP is 10.1.1.1. [4500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com 3 Activate the ACL. Activate ACL 2000. [4500-GigabitEthernet1/0/50]packet-filter inbound ip-group 2000...
  • Page 138: QoS Configuration

    1 Define the time range. Define the time range from 8:00 to 18:00. [4500]time-range 3Com 8:00 to 18:00 daily 2 Define the ACL for the packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303. a Enter the numbered link ACL, number 4000.
  • Page 139 QoS Configuration Packet Filter Packet filter is used to filter traffic. For example, the operation “deny” discards the traffic that is matched with a traffic classification rule, while allowing other traffic to pass through. With the complex traffic classification rules, the Switch enables the filtering of various information carried in Layer 2 traffic to discard the useless, unreliable or doubtful traffic, thereby enhancing network security.
  • Page 140: QoS Configuration

    Chapter 7: ACL Configuration. QoS Configuration: The process of traffic-based QoS: 1 Identify the traffic by ACL. 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL. 2 Configure the QoS operation. If QoS is not based on traffic, you need not define an ACL first.
  • Page 141: Setting Port Mirroring

    QoS Configuration. Setting Port Mirroring: Port mirroring means duplicating data on the monitored port to the designated mirror port, for the purpose of data analysis and supervision. The Switch supports one monitor port and multiple mirroring ports. If several Switches form a Fabric, multiple mirroring ports and only one monitor port can be configured in the Fabric.
  • Page 142 Chapter 7: ACL Configuration. Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on one Fabric. 2 Configure traffic mirroring. Perform the following configuration in the Ethernet Port View. Table 141 Configuring Traffic Mirroring...
  • Page 143: Setting Traffic Limit

    QoS Configuration. Table 145 Map Configuration: configure the “COS -> Local-precedence” map: qos cos-local-precedence-map cos0_map_local_prec cos1_map_local_prec cos2_map_local_prec cos3_map_local_prec cos4_map_local_prec cos5_map_local_prec cos6_map_local_prec cos7_map_local_prec; restore its default value: undo qos cos-local-precedence-map. By default, the Switch uses the default mapping relationship. Setting Traffic Limit: Traffic limit refers to rate limiting based on traffic.
  • Page 144: Displaying And Debugging QoS Configuration

    Chapter 7: ACL Configuration. Perform the following configuration in the Ethernet Port View. Table 148 Configuring WRED Operation: configure WRED operation: wred queue_index qstart probability; cancel the configuration of WRED operation: undo wred queue_index. For details about the command, refer to the Command Reference Guide. Displaying and Debugging QoS Configuration: You can use the display command in any view to see the QoS operation and to...
  • Page 145: Port Mirroring Configuration Example

    QoS Configuration. Networking Diagram: Figure 38 QoS Configuration Example (wage server 129.110.1.2, GE2/0/1, Switch). Configuration Procedure: Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [4500]acl number 3000 b Define the traffic-of-pay server rule in the advanced ACL 3000.
  • Page 146: ACL Control Configuration

    Chapter 7: ACL Configuration. Networking Diagram: Figure 39 QoS Configuration Example (Switch ports E3/0/1, E3/0/2 and E3/0/8, Server). Configuration Procedure: Define port mirroring, with the monitoring port being Ethernet3/0/8. [4500-Ethernet3/0/8]monitor-port [4500-Ethernet3/0/1]mirroring-port both ACL Control Configuration: The Switch provides three modes for users to access devices remotely: ■ TELNET access...
  • Page 147 ACL Control Configuration. Configuration Tasks: Table 150 lists the commands that you can execute to configure TELNET or SSH user ACL. Table 150 Commands for Configuring TELNET/SSH User ACL (In This View / Type This Command / Description): enter system view: system-view; define ACLs and... Required.
  • Page 148 Chapter 7: ACL Configuration. ACLs, the incoming/outgoing calls are restricted on the basis of source MAC addresses. As a result, when you use the rules for L2 ACLs, only the source MAC and the corresponding mask, and the time-range keyword take effect. ■ When you control telnet and SSH users on the basis of L2 ACLs, only the...
  • Page 149 ACL Control Configuration Basic ACL Configuration Example Configuration Prerequisites Only the TELNET users, whose IP addresses are 10.110.100.52 and 10.110.100.46, are allowed to access switches. Figure 41 Source IP Control Over TELNET User Accessing Switch Configuration Steps # Define basic ACLs. <4500>system-view System View: return to User View with Ctrl+Z.
  • Page 150: ACL Control Over Users Accessing Switches By SNMP

    Chapter 7: ACL Configuration. ACL Control Over Users Accessing Switches by SNMP: The Switch supports remote management through network management software. Network management users can access switches by the Simple Network Management Protocol (SNMP). The ACL control over these users can filter illegal network management users so that the illegal users cannot log into this Switch.
  • Page 151 ACL Control Configuration. Table 151 Commands for Controlling ACL Access via SNMP (Type This Command / Description): use ACLs and control users accessing switches when configuring the SNMP community name: snmp-agent community { read | write } ...; the SNMP community name is a feature of SNMP V1 and SNMP...
  • Page 152: Configuring ACL Control For HTTP Users

    Chapter 7: ACL Configuration. Figure 42 ACL Control Over SNMP Users of the Switch. Configuration Steps # Define basic ACLs and rules. <4500>system-view System View: return to User View with Ctrl+Z. [4500] acl number 2000 match-order config [4500-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [4500-acl-basic-2000] rule 2 permit source 10.110.100.46 0 [4500-acl-basic-2000] rule 3 deny source any [4500-acl-basic-2000] quit...
  • Page 153 ACL Control Configuration Calling ACL to Control HTTP Users To control the Web network management users with ACL, call the defined ACL. You can use the following commands to call an ACL. Perform the following configuration in System View. Table 152 Calling ACL to Control HTTP Users Operation Command Call an ACL to control the WEB NM users.
  • Page 154 Chapter 7: ACL Configuration...
  • Page 155: IGMP Snooping

    IGMP Snooping. IGMP Snooping Overview: IGMP Snooping (Internet Group Management Protocol Snooping) is a multicast control mechanism running on Layer 2 (the link layer) of the switch. It is used for multicast group management and control. When receiving IGMP messages transmitted between the host and router, the Switch 4500 uses IGMP Snooping to analyze the information carried in the IGMP messages.
  • Page 156 Chapter 8: IGMP Snooping. Figure 45 Multicast packet transmission when IGMP Snooping runs (video stream from a VOD server over the Internet/Intranet through a multicast router and a Layer 2 Ethernet Switch 4500 to multicast group members, not to non-members)...
  • Page 157 IGMP Snooping Overview. Figure 46 Implementing IGMP Snooping (Internet; a router running IGMP; a Switch 4500 running IGMP Snooping; IGMP packets)...
  • Page 158: Configuring IGMP Snooping

    Chapter 8: IGMP Snooping. Table 154 IGMP Snooping Terminology: IGMP specific query message: transmitted from the multicast router to the multicast members and used for querying whether a specific group contains any member. When it receives an IGMP specific query message, the switch transmits the specific query message only to the IP multicast group being queried.
  • Page 159: Configuring Router Port Aging Time

    Configuring IGMP Snooping. Perform the following configuration in System View and VLAN View. Table 155 Enabling/Disabling IGMP Snooping: enable/disable IGMP Snooping: igmp-snooping { enable | disable }. Although layer 2 and layer 3 multicast protocols can run together, they cannot run on the same VLAN or its corresponding VLAN interface at the same time.
  • Page 160: Displaying And Debugging IGMP Snooping

    Chapter 8: IGMP Snooping. Perform the following configuration in system view. Table 158 Configuring aging time of the multicast member: configure the aging time of the multicast member: igmp-snooping host-aging-time seconds; restore the default setting: undo igmp-snooping host-aging-time. By default, the aging time of the multicast member is 260 seconds.
  • Page 161: IGMP Snooping Fault Diagnosis And Troubleshooting

    IGMP Snooping Fault Diagnosis and Troubleshooting. Networking Diagram: Figure 47 IGMP Snooping configuration network (Internet, Router, Multicast, Switch). Configuration Procedure: Enable IGMP Snooping globally. [4500]igmp-snooping enable Enable IGMP Snooping on VLAN 10.
  • Page 162 Chapter 8: IGMP Snooping. Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent.
  • Page 163: Stacking

    Stacking. This chapter covers the following topics: ■ Introduction to Stacking ■ Configuring a Stack ■ Stack Configuration Example. Introduction to Stacking: Several Switch 4500 units can be interconnected to create a “stack”, in which each Switch is a unit. The ports used to interconnect all the units are called stacking ports, while the other ports that are used to connect the stack to users are called user ports.
  • Page 164: Specifying The Stacking VLAN Of The Switch

    Chapter 9: Stacking. Device configuration: set unit IDs for the Switches. Default setting: the unit ID of a Switch is set to 1. Comment: make sure that you have set different unit IDs for different Switches, so that the stack can operate normally after all the Switches are interconnected.
  • Page 165: Saving The Unit Id Of Each Unit In The Stack

    } enable Only the Gigabit combo ports can be used to interconnect the Switch units to form a stack. In the 3Com switch operating system, the term "fabric" is used as a general expression for stack. Setting Unit Names for...
  • Page 166: Setting An XRN Authentication Mode For Switches

    Switches Note: “XRN” is a proprietary 3Com technology for enterprise-level stacking on our Switch 5500-EI switches. Because the Switch 4500 shares its operating system with the Switch 5500 family, the XRN terminology is referred to when setting authentication mode.
  • Page 167: Stack Configuration Example

    Stack Configuration Example. Networking Requirements: Configure the unit ID, unit name, stack name, and authentication mode for four Switches, and interconnect them to form a stack. The configuration details are as follows: ■ Unit IDs: 1, 2, 3, 4...
  • Page 168 Chapter 9: Stacking. Configure Switch D: [4500]change unit-id 1 to auto-numbering [4500]fabric-port gigabitethernet4/0/51 enable [4500]fabric-port gigabitethernet4/0/52 enable [4500]sysname hello [hello]xrn-fabric authentication-mode simple welcome ■ In the example, it is assumed that the system will automatically change the unit IDs of Switch B, Switch C and Switch D to 2, 3 and 4 after you choose auto-numbering for unit-id.
  • Page 169: RSTP Configuration

    RSTP Configuration. This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example. STP Overview: Spanning Tree Protocol (STP) is applied in loop networks to block some undesirable redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of packets in the loop network.
  • Page 170 Chapter 10: RSTP Configuration. What are the Designated Bridge and Designated Port? Figure 50 Designated Bridge and Designated Port (Switch A, Switch B, Switch C). For a Switch, the designated bridge is a Switch in charge of forwarding BPDUs to the local Switch via a port called the designated port.
  • Page 171 STP Overview in the figure above, the priorities of Switch A, B and C are 0, 1 and 2 and the path costs of their links are 5, 10 and 4 respectively. 1 Initial state When initialized, each port of the Switches will generate the configuration BPDU taking itself as the root with a root path cost as 0, designated bridge IDs as their own Switch IDs and the designated ports as their ports.
  • Page 172 Chapter 10: RSTP Configuration. The comparison process of each Switch is as follows. Switch A: ■ AP1 receives the configuration BPDU from Switch B and finds out that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU.
  • Page 173: Configuration BPDU Forwarding Mechanism In STP

    STP Overview. CP2 will receive the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU will be updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU will not be updated and retains {0, 0, 0, AP2}.
  • Page 174: Implement RSTP On The Switch

    Chapter 10: RSTP Configuration. designated port begin to send data again. That is, the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state. Implement RSTP on the Switch: The Switch implements the Rapid Spanning Tree Protocol (RSTP), an enhanced form of STP.
  • Page 175: RSTP Configuration

    RSTP Configuration. The configuration of RSTP changes with the position of the Switch in the network, as discussed below. Figure 53 Configuring STP (Switch A and Switch B: root bridge and backup root; Switch C and Switch D: intermediate Switches; Switch E, Switch F and Switch G: Switches directly...)
  • Page 176 10: RSTP C HAPTER ONFIGURATION Device Configuration Default Value Note Configure the The Bridge A Switch can be made the root bridge by Bridge preference of a specifying its Bridge preference to 0. preference of a Switch is 32768. Switch Specify Forward Forward Delay fixes The other Switches copies the...
  • Page 177 RSTP Configuration Device Configuration Default Value Note Configure the The Switch, if has In a stable network, it is recommended to timeout time not received any set the timeout time factor to 5, 6, or 7. factor of a Hello packet from Then the Switch will not consider the Switch the upstream...
  • Page 178: Enable/Disable RSTP on a Switch
  • Page 179: Enable/Disable RSTP on a Port

    (Operation / Command) Restore RSTP to the default value: undo stp. Only after RSTP is enabled on the Switch can other configurations take effect. By default, RSTP is enabled. Enable/Disable RSTP on a Port: You can use the following command to enable/disable RSTP on the designated port.
  • Page 180: Set Priority of a Specified Bridge

    consequent blocking by configuring the STP-Ignore attribute on the appropriate Switch. Once an STP-Ignored VLAN is configured, the packets of this VLAN are forwarded on any Switch port, with no restriction from the calculated STP path. You can configure the STP-Ignore attribute on a Switch by using the following commands.
  • Page 181: Set Forward Delay of a Specified Bridge

    You can configure more than one secondary root for a spanning tree by specifying the secondary STI root on two or more Switches. Generally, 3Com recommends designating one primary root and two or more secondary roots for a spanning tree.
  • Page 182: Set Hello Time of the Specified Bridge

    that if the Forward Delay is configured too short, temporary redundant paths may occur. If the Forward Delay is configured too long, restoring the network connection may take a long time. It is recommended to use the default setting. By default, the bridge Forward Delay is 15 seconds.
  • Page 183: Specifying the Maximum Transmission Rate of STP Packets on a Port

    You can use the following command to set the multiple of hello time (the timeout factor) of a specified bridge. Perform the following configurations in System View. Table 179 Set Timeout Factor of the Bridge (Operation / Command): Set the multiple of hello time of a specified bridge: stp timeout-factor number; Restore the default multiple of hello time: undo stp timeout-factor...
  • Page 184: Specifying the Path Cost on a Port

    Ethernet port is not connected to any Ethernet port of another bridge, this port should be set as an EdgePort. If a port that is connected to a port of another bridge is configured as an edge port, RSTP will automatically detect this and reconfigure it as a non-EdgePort.
  • Page 185: Set the Priority of a Specified Port

    (Operation / Command) Restore the default standard to be used: undo stp pathcost-standard. By default, the Switch calculates the default Path Cost of a port by the IEEE 802.1t standard. Set the Priority of a Specified Port: The port priority is an important basis for deciding whether the port can be a root port. In the calculation of the spanning tree, the port with the highest priority is selected as the root port, assuming all other conditions are the same.
  • Page 186: Set mCheck of the Specified Port

    link. Note that, for an aggregated port, only the master port can be configured to connect with the point-to-point link. After auto-negotiation, a port working in full duplex can also be configured to connect with such a link. You can manually configure the active Ethernet port to connect with the point-to-point link.
  • Page 187: Display and Debug RSTP

    again. In this case, the former root port turns into a designated port and the former blocked ports enter the forwarding state; as a result, a link loop is generated. The security functions can control the generation of loops. Once enabled, the root port cannot be changed and the blocked port remains in "Discarding"...
  • Page 188: RSTP Configuration Example

    Table 188 Display and Debug RSTP (Operation / Command): Display RSTP configuration information about the local Switch and the specified ports: display stp [ interface interface_list ]; Display the list of STP-Ignored VLANs: display stp ignored-vlan; Clear RSTP statistics information: reset stp [ interface interface_list ]...
  • Page 189 however, be careful and do not disable those involved. (The following configuration takes GigabitEthernet 1/0/25 as an example.) [4500]interface gigabitethernet 1/0/25 [4500-GigabitEthernet1/0/25]stp disable c To configure Switch A as the root, you can either set its Bridge priority to 0 or simply use the command to specify it as the root.
  • Page 190 c Configure Switch C and Switch B to serve as standby for each other and set the Bridge priority of Switch C to 8192. [4500]stp priority 8192 d Enable the Root protection function on every designated port. [4500]interface Ethernet 1/0/1 [4500-Ethernet1/0/1]stp root-protection [4500]interface Ethernet 1/0/2...
  • Page 191: 802.1X Configuration

    Chapter 11: 802.1X Configuration. This chapter covers the following topics: ■ IEEE 802.1X Overview ■ Configuring 802.1X ■ AAA and RADIUS Protocol Configuration. For information on setting up a RADIUS server and RADIUS client, refer to Appendix. For details on how to authenticate the Switch 4500 with a Cisco Secure ACS server using TACACS+, refer to Appendix. IEEE 802.1X Overview...
  • Page 192: Authentication Process

    provided by 3Com (or by Microsoft Windows XP). The 802.1X Authentication Server normally resides in the carrier's AAA center. The Authenticator and the Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1X.
  • Page 193: Implementing 802.1X on the Switch

    Configuring 802.1X: The EAPoL-Encapsulated-ASF-Alert frame carries network management information and is terminated by the Authenticator. Although 802.1X provides user identity authentication, 802.1X by itself is not enough to implement the scheme: the administrator of the access device must configure an AAA scheme, selecting RADIUS or local authentication, to back 802.1X in authenticating user identity.
  • Page 194: Setting the Port Access Control Mode

    this command is used in Ethernet Port View, the parameter interface-list cannot be entered and 802.1X can only be enabled on the current port. Perform the following configurations in System View or Ethernet Port View. Table 189 Enabling/Disabling 802.1X (Operation / Command)...
  • Page 195: Checking the Users that Log on the Switch via Proxy

    Checking the Users that Log on the Switch via Proxy: The following commands are used for checking the users that log on the Switch via proxy. Perform the following configurations in System View or Ethernet Port View. Table 192 Checking the Users that Log on the Switch via Proxy (Operation / Command): Enable the check for...
  • Page 196: Configuring the Authentication Method for 802.1X User

    Configuring the Authentication Method for 802.1X User: The following commands can be used to configure the authentication method for 802.1X users. Three methods are available: PAP authentication (the RADIUS server must support PAP authentication), CHAP authentication (the RADIUS server must support CHAP authentication), and EAP relay authentication (the Switch forwards the authentication information to the RADIUS server directly in the form of EAP packets, and the RADIUS server must support EAP authentication).
  • Page 197: Enabling/Disabling a Quiet-Period Timer

    will consider the user to have logged off and set the user to the logoff state if the system does not receive a response from the user for N consecutive times. handshake-period-value: Handshake period. The value ranges from 1 to 1024 in units of seconds and defaults to 15.
  • Page 198: Displaying and Debugging 802.1X

    (Operation / Command) Disable a quiet-period timer: undo dot1x quiet-period. By default, the quiet-period timer is disabled. Displaying and Debugging 802.1X: After the above configuration, execute the display command in any view to display the running configuration and to verify the effect of the configuration.
  • Page 199 RADIUS server every 15 minutes. The system is instructed to transmit the user name to the RADIUS server after removing the user domain name. The user name of the local 802.1X access user is and the password is localuser (input in plain text).
  • Page 200: Centralized MAC Address Authentication

    7 Set the encryption key used when the system exchanges packets with the accounting RADIUS server. [4500-radius-radius1]key accounting money 8 Set the timeout and retry count for the system to retransmit packets to the RADIUS server. [4500-radius-radius1]timer 5 [4500-radius-radius1]retry 5 9 Set the interval at which the system transmits real-time accounting packets to the RADIUS server.
  • Page 201: Centralized MAC Address Authentication Configuration

    Centralized MAC Address Authentication Configuration: Centralized MAC address authentication configuration includes: ■ Enabling MAC address authentication both globally and on the port ■ Configuring the domain name used by the MAC address authentication user ■ Configuring centralized MAC address authentication timers ■...
  • Page 202: Configuring the User Name and Password for Fixed Mode

    Configuring the User Name and Password for Fixed Mode: If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode. Table 203 Configure the user name and password for fixed mode (Operation / Command / Description)...
  • Page 203: Displaying and Debugging Centralized MAC Address Authentication

    By default, the offline-detect time is 300 seconds, the quiet time is 60 seconds, and the server-timeout time is 100 seconds. Displaying and Debugging Centralized MAC Address Authentication: After the above configuration, execute the display command in any view to view the centralized MAC address authentication running state and check the configuration result.
  • Page 204: AAA and RADIUS Protocol Configuration

    2 Add a local access user. a Set the user name and password. [SW4500]local-user 00e0fc010101 [SW4500-luser-00e0fc010101]password simple 00e0fc010101 b Set the service type of the user to lan-access. [SW4500-luser-00e0fc010101]service-type lan-access 3 Enable MAC address authentication globally. [SW4500]mac-authentication 4 Configure the ISP domain used by the user.
  • Page 205: Implementing AAA/RADIUS on the Ethernet Switch

    receiving a user's request from the NAS, the RADIUS server performs AAA by querying and updating its user database and returns the configuration information and accounting data to the NAS. Here, the NAS controls users and their connections, while the RADIUS protocol regulates how configuration and accounting information is transmitted between the NAS and the RADIUS server.
  • Page 206: Creating/Deleting an ISP Domain

    ■ Disconnecting a user by force. Among the above configuration tasks, creating an ISP domain is compulsory; otherwise the user attributes cannot be distinguished. The other tasks are optional and can be configured as required. Creating/Deleting an ISP Domain: What is an Internet Service Provider (ISP) domain? Put simply, an ISP domain is a group of users belonging to the same ISP.
  • Page 207 information on the commands for setting a RADIUS scheme, refer to the following Configuring RADIUS section of this chapter. ■ Local authentication: if you use the local scheme, you can only implement authentication and authorization locally, without a RADIUS server. ■ None:...
  • Page 208: Enabling/Disabling the Messenger Alert

    (Operation / Command) Disable the idle-cut function: idle-cut disable. By default, the idle-cut function is disabled. Enabling the Selection of the RADIUS Accounting Option: If no RADIUS server is available, or if the RADIUS accounting server fails when accounting optional is configured, the user can still use the network resources; otherwise, the user will be disconnected.
  • Page 209: Configuring Self-Service Server URL

    Configuring Self-Service Server URL: The self-service-url enable command can be used to configure the self-service server uniform resource locator (URL). This command must be used together with a RADIUS server (such as a CAMS) that supports self-service. Self-service means that users can manage their accounts and card numbers by themselves.
  • Page 210 Setting the Password Display Mode: Perform the following configurations in System View. Table 217 Setting the Password Display Mode of Local Users (Operation / Command): Set the password display mode of local users: local-user password-display-mode { cipher-force | auto }; Cancel the configuration of...: undo local-user...
  • Page 211: Disconnecting a User by Force

    However, the user privilege level is a global value for all service types. Entering the following two commands results in the user having level 3 for all service types, in this case both Telnet and SSH: [4500-SI-luser-adminpwd]service-type telnet level 1 [4500-SI-luser-adminpwd]service-type ssh level 3 You can use either...
  • Page 212: Creating/Deleting a RADIUS Scheme

    ■ Configuring the Local RADIUS Authentication Server ■ Configuring Source Address for RADIUS Packets Sent by NAS ■ Setting the Timers of the RADIUS Server. Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required; the other tasks are optional and can be performed as required.
  • Page 213: Configuring RADIUS Accounting Servers and the Related Attributes

    (Operation / Command) Set the IP address and port number of the secondary RADIUS authentication/authorization server: secondary authentication ip_address [ port_number ]; Restore the IP address and port number of the secondary RADIUS authentication/authorization server to the default values: undo secondary authentication. By default, for a newly created RADIUS scheme, the IP address of the primary authentication server is 0.0.0.0 and the UDP port number of this server is 1812;...
  • Page 214 Since the RADIUS protocol uses different UDP ports to receive/transmit authentication/authorization and accounting packets, you need to set two different ports accordingly. As suggested by RFC 2138/2139, the authentication/authorization port number is 1812 and the accounting port number is 1813. However, you may use values other than the suggested ones. (In particular, some earlier RADIUS servers often use port 1645 for authentication/authorization and 1646 for accounting.) The RADIUS service port settings on the Switch 4500 units are supposed to be...
  • Page 215: Setting the RADIUS Packet Encryption Key

    Perform the following configurations in RADIUS Scheme View. Table 224 Enabling/Disabling the Stop-Accounting Request Buffer (Operation / Command): Enable the stop-accounting request buffer: stop-accounting-buffer enable; Disable the stop-accounting request buffer: undo stop-accounting-buffer enable. By default, stop-accounting requests are saved in the buffer. Setting the Maximum Retransmission Times of Stop-Accounting Requests: Use this command to set the maximum number of times that the...
  • Page 216: Setting Retransmission Times of RADIUS Request Packet

    Restore the default RADIUS accounting packet key: undo key accounting. By default, the keys of RADIUS authentication/authorization and accounting packets are all "3com". Because this default is the same on every unit, set a scheme-specific shared key rather than relying on it. Setting Retransmission Times of RADIUS Request Packets: Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable.
  • Page 217: Setting the Username Format Transmitted to the RADIUS Server

    When the primary and secondary servers are both active, the NAS sends packets to the primary server only. Perform the following configurations in RADIUS Scheme View. Table 230 Setting the RADIUS Server State (Operation / Command): Set the state of the primary RADIUS server...
  • Page 218: Configuring the Local RADIUS Authentication Server

    By default, the IP address of the local RADIUS authentication server is 127.0.0.1 and the password is 3com. 1) When using the local RADIUS server function of 3Com, remember that the UDP port used for authentication is 1645 and that for accounting is 1646.
  • Page 219 NAS and RADIUS that are required. When there is a large number of users (1000 or more), 3Com suggests a larger value. The following table recommends the ratio of the value to the number of users.
  • Page 220: Displaying and Debugging AAA and RADIUS Protocol

    Table 238 Configure the RADIUS Server Response Timer (Operation / Command): Configure the RADIUS server response timer: timer response-timeout seconds; Restore the default value of the interval: undo timer response-timeout. By default, the response timeout timer for the RADIUS server is set to three seconds.
  • Page 221: AAA and RADIUS Protocol Configuration Example

    (Operation / Command) Enable debugging of the local RADIUS scheme: debugging local-server { all | error | event | packet }; Disable debugging of the local RADIUS scheme: undo debugging local-server { all | error | event | packet }. AAA and RADIUS Protocol Configuration Example: For the hybrid configuration example of the AAA/RADIUS protocol and 802.1X...
  • Page 222: Configuring the Switch 4500

    2 Method 2: Using the local RADIUS authentication server. The local server method is similar to remote RADIUS authentication, but you must set the server IP address to 127.0.0.1, the authentication password to 3com, and the UDP port number of the authentication server to 1645.
  • Page 223 Domain and RADIUS Scheme Creation: The Switch 4500 can have one or more domains created on it. A domain on the Switch 4500 is similar to a Windows domain. By default, there is one domain created, called "system".
  • Page 224 Once enabled globally, network login needs to be enabled on a per-port basis. This can be done in one of two ways: ■ To enable dot1x on one port, enter the interface view of the port and enable dot1x...
  • Page 225 the end of the username. This states that the user is a member of the local domain and, as a result, uses the local RADIUS server. Following the steps in the section Domain and RADIUS Scheme Creation, to log in using the external RADIUS server defined there you need to log in as user@domain, for example joe@demo.
  • Page 226: AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting

    AAA and RADIUS Protocol Fault Diagnosis and Troubleshooting: The RADIUS protocol of the TCP/IP protocol suite is located at the application layer. It mainly specifies how to exchange user information between the NAS and the ISP's RADIUS server, so it is liable to fail. Fault One: User Authentication/Authorization Always Fails. Troubleshooting: The username may not be in the...
  • Page 227: Problem Diagnosis

    RADIUS debugging, enter the command: <4500-xx> debugging radius packet. ■ 3Com-User-Access-Level: This determines the access level a user will have on Switch login. This can be administrator, manager, monitor or visitor. You may need to add the return list attributes to a dictionary file using the...
  • Page 229: File System

    Chapter 12: File System Management. File System Overview: The Switch provides a flash file system for efficient management of storage devices such as flash memory. The file system offers file access and directory management, including creating the file system, creating, deleting, modifying and renaming a file or a directory, and opening a file.
  • Page 230: Storage Device Operation

    system, use the delete /unreserved file-url command. Using this command will ensure that space is made available on the flash file system for additional information. To ensure that all deleted files have been removed from the system, use the reset recycle-bin command; this will prompt for removal of all files in...
  • Page 231: Configuring File Management

    Table 244 File System Operation (Operation / Command): Set the file system prompt mode: file prompt { alert | quiet }. Configuring File Management: The configuration file management module provides a user-friendly operation interface. It saves the configuration of the Switch as command-line text, recording the whole configuration process.
  • Page 232: Saving the Current-Configuration

    The configuration files are displayed in their corresponding saved formats. Saving the Current-configuration: Use the save command to save the current-configuration in the Flash Memory; it becomes the saved-configuration used when the system is next powered on.
  • Page 233: FTP Overview

    Table 249 Display the Information of the File Used at Startup (Operation / Command): Display the information of the file used at startup: display startup. FTP Overview: FTP is a common way to transmit files on the Internet and IP networks. Before the World Wide Web (WWW), files were transmitted from the command line and FTP was the most popular application.
  • Page 234: Enabling/Disabling FTP Server

    (Device / Configuration / Default / Description) Log into the Switch from the FTP client. The prerequisite for normal FTP operation is that the Switch and the PC are reachable from each other. Enabling/Disabling FTP Server: You can use the following commands to enable/disable the FTP server on the Switch.
  • Page 235: Displaying and Debugging FTP Server

    Table 254 Configure FTP Server Connection Timeout (Operation / Command): Configure the FTP server connection timeout: ftp timeout minute; Restore the default FTP server connection timeout: undo ftp timeout. By default, the FTP server connection timeout is 30 minutes. Displaying and Debugging FTP Server: After the above configuration, execute the display command in any view to display...
  • Page 236 Networking Diagram: Figure 61 Networking for FTP Configuration. Configuration Procedure: 1 Configure the FTP server parameters on the PC: a user named Switch, password hello, with read and write authority over the Switch directory on the PC. 2 Configure the Switch: Log into the Switch (locally through the Console port or remotely using Telnet).
  • Page 237: FTP Server Configuration Example

    FTP Server Configuration Example. Networking Requirement: The Switch serves as the FTP server and the remote PC as the FTP client. The configuration on the FTP server: configure an FTP user named Switch, with password hello and with read and write authority over the flash root directory on the PC. The IP address of a VLAN interface on the Switch is 1.1.1.1, and that of the PC is 2.2.2.2.
  • Page 238: Downloading Files by Means of TFTP

    when there is no complicated interaction between the client and server. TFTP is implemented on top of UDP. TFTP transfers are initiated by the client. To download a file, the client sends a request to the TFTP server, then receives data from it and sends acknowledgements back to it.
  • Page 239: TFTP Client Configuration Example

    Table 258 Upload Files by Means of TFTP (Operation / Command): Upload files by means of TFTP: tftp tftp-server put source-file [ dest-file ]. TFTP Client Configuration Example. Networking Requirement: The Switch serves as the TFTP client and the remote PC as the TFTP server. An authorized TFTP directory is set on the TFTP server.
  • Page 240 7 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch. <4500> boot boot-loader switch.app <4500> reboot...
  • Page 241: MAC Address Table Management

    Chapter 13: MAC Address Table Management. Overview: A Switch maintains a MAC address table for fast packet forwarding. A table entry includes the MAC address of a device and the ID of the Switch port connected to it. Dynamic entries (not configured manually) are learned by the Switch. The Switch learns a MAC address in the following way: after receiving a data frame on a port (call it port A), the Switch analyzes its source MAC address (call it MAC_SOURCE) and considers that packets destined to...
  • Page 242: MAC Address Table Configuration

    You can configure (add or modify) MAC address entries manually according to the actual networking environment. The entries can be static or dynamic. MAC Address Table Configuration: MAC address table management includes: ■ Set MAC Address Table Entries...
  • Page 243: Setting the Max Count of MAC Addresses Learned by a Port

    Table 260 Set the MAC Address Aging Time for the System (Operation / Command): Set the dynamic MAC address aging time: mac-address timer { aging age | no-aging }; Restore the default MAC address aging time: undo mac-address timer aging. In addition, this command takes effect on all ports.
  • Page 244: MAC Address Table Management Display Example

    (Operation / Command) Display the aging time of dynamic address table entries: display mac-address aging-time. MAC Address Table Management Display Example. Networking Requirements: The user logs into the Switch via the Console port to display the MAC address table.
  • Page 245: MAC Address Table Management Configuration Example

    MAC Address Table Management Configuration Example. Networking Requirements: The user logs into the Switch via the Console port to configure address table management. It is required to set the address aging time to 500s and add a static address 00e0-fc35-dc71 on Ethernet1/0/2 in vlan1.
  • Page 246: Device Management

    Chapter 14: Device Management. Overview: With the device management function, the Switch can display the current running state and event debugging information about the unit, thereby supporting maintenance and management of the state and communication of the physical devices. In addition, a command is available for rebooting the system when a function failure occurs.
  • Page 247: Upgrading BootROM

    Table 265 Designate the APP Adopted when Booting the Switch Next Time (Operation / Command): Designate the APP adopted when booting the Switch next time: boot boot-loader file-url. Upgrading BootROM: You can use this command to upgrade the BootROM with the BootROM program in the Flash Memory.
  • Page 248 Networking Diagram: Figure 68 Networking for FTP Configuration. Configuration Procedure: 1 Configure FTP server parameters on the PC. Define a user named Switch, password hello, with read and write authority over the Switch directory on the PC. 2 Configure the Switch: The Switch has been configured with a Telnet user named...
  • Page 249 Device Management Configuration Example: Upgrading BOOTROM, please wait... Upgrade BOOTROM succeeded! 8 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch. <4500> boot boot-loader switch.app <4500> display boot-loader The app to boot at the next time is: flash:/Switch.app The app to boot of board 0 at this time is: flash:/PLAT.APP <4500>...
  • Page 251: System Maintenance and Debugging

    Chapter 15: System Maintenance and Debugging. Basic System Configuration. Setting the System Name for the Switch: Perform the sysname command in System View. Table 268 Set the Name for the Switch (Operation / Command): Set the Switch system name: sysname sysname; Restore the Switch system name to the default value: undo sysname. Setting the System Clock: Perform the operation of...
  • Page 252: Displaying the State and Information of the System

    Displaying the State and Information of the System: display commands can be classified as follows according to their functions: ■ Commands for displaying the system configuration information ■ Commands for displaying the system running state...
  • Page 253 System Debugging: Figure 69 illustrates the relationship between the two debugging switches. Figure 69 Debug Output (debugging information; protocol debugging switch; screen output switch). You can use the following commands to control the above-mentioned debugging. Perform the following operations in User View. Table 273 Enable/Disable the Debugging (Operation / Command)...
  • Page 254: Display Diagnostic Information

    information, ensuring the consistency of logging, debugging and trap information in a fabric. After synchronization of the whole fabric, a great deal of terminal output is generated. It is recommended not to enable the information synchronization switch for the whole fabric.
  • Page 255 Testing Tools for Network Connection: Table 276 Test Periodically if the IP Address is Reachable (Operation / Command): Configure the IP address requiring periodic testing: end-station polling ip-address ip-address; Delete the IP address requiring periodic testing: undo end-station polling ip-address ip-address. The Switch can ping an IP address every minute to test if it is reachable.
  • Page 256: Introduction to Remote-ping

    Introduction to Remote-ping: Remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) operating on the network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag.
  • Page 257: Remote-ping Configuration

    Remote-ping Configuration: This section contains information on remote-ping. Introduction to Remote-ping Configuration: The configuration tasks for remote-ping include: ■ Enabling the remote-ping client ■ Creating a test group ■ Configuring test parameters. The test parameters that you can configure include: ■ Destination IP address...
  • Page 258: Configuration Example

    Table 277 Configure Remote-ping (continued) (columns: Operation, Command, Description). Configure the destination IP address of the test: destination-ip ip-address. Required. By default, no destination IP address is configured. Configure the type of the test: test-type type. Optional. By default, the test type is...
  • Page 259: Logging Function

    Logging Function. 5 Display the test results. [S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp [S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp. Logging Function. Introduction to Info-center: The Info-center serves as the information center of the system software modules. The logging system is responsible for most of the information output, and it also classifies information in detail so that it can be filtered efficiently.
  • Page 260 "hh:mm:ss" is the time field: "hh" is from 00 to 23, "mm" and "ss" are from 00 to 59, and "yyyy" is the year field. If changed to boot format, the time-stamp represents the milliseconds since system boot. Generally, the value is so large that two 32-bit integers are used, separated with a dot '.'.
  • Page 261 Logging Function (columns: Module name, Description). FTPS: FTP server module. High availability module. HTTPD: HTTP server module. IFNET: Interface management module. IGSP: IGMP snooping module. IP module. Inter-process communication module. IPMC: IP multicast module. L2INF: Interface management module. LACL: LAN switch ACL module. LQOS: LAN switch QoS module. Local server module...
  • Page 262: Info-Center Configuration

    ... level represented by “emergencies” is 1, and that represented by “debugging” is 8. Therefore, when the threshold of the severity level is “debugging”, the system outputs all the information. The definition of severity in logging information is as follows. Table 279 Info-Center-Defined Severity (columns: Severity, Description)...
  • Page 263 Logging Function ■ The information can be classified in terms of the source modules and can be filtered by module. ■ The output language can be selected between Chinese and English. 1 Sending the information to the control terminal. Table 281 Sending the Information to the Control Terminal.
  • Page 264 Table 283 Sending the Information to Log Buffer (columns: Device, Configuration, Default Value, Configuration Description). Enable info-center: by default, info-center is enabled. Other configurations are valid only if the info-center is enabled. Set the information output direction to logbuffer: you can configure the size of the log buffer at the same time.
  • Page 265: Sending The Information To Loghost

    Logging Function. Figure 72 Turn on/off the Information Synchronization Switch in Fabric. Configuration (columns: Device, Configuration, Default Value, Description). Switch: Enable info-center. By default, info-center is enabled. Other configurations are valid only if the info-center is enabled. Switch: Set the information output direction to log... By default, Switches of master in Fabric, debugging and trap... This configuration can...
  • Page 266: Sending The Information To Control Terminal

    Table 287 Defining Information Source (columns: Operation, Command). Define information source: info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ]. Cancel the configuration of information source: undo info-center source {...
  • Page 267 Logging Function. Table 289 Enable/Disable Info-center (columns: Operation, Command). Enable info-center: info-center enable. Disable info-center: undo info-center enable. Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes a large amount of information, because of the information classification and output. 2 Configuring to output information to the control terminal.
  • Page 268: Sending The Information To Telnet Terminal Or Dumb Terminal

    You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information. Perform the following operation in System View: Table 292 Configuring the Output Format of Time-stamp (columns: Operation, Command). Configure the output format of...
  • Page 269 Logging Function. Table 295 Configuring to Output Information to Telnet Terminal or Dumb Terminal (columns: Operation, Command). Output information to Telnet terminal or dumb terminal: info-center monitor channel { channel-number | channel-name }. Cancel the configuration of outputting information to Telnet terminal or dumb terminal: undo info-center monitor channel. 3 Configuring information source on the Switch...
  • Page 270: Sending The Information To The Log Buffer

    (columns: Operation, Command). Output time-stamp is disabled: undo info-center timestamp { log | trap | debugging }. 4 Enabling terminal display function. To view the output information at the Telnet terminal or dumb terminal, you must first enable the corresponding log, debugging and trap information functions at the Switch.
  • Page 271 Logging Function. Table 300 Configuring to Output Information to Log Buffer (columns: Operation, Command). Output information to log buffer: info-center logbuffer [ channel { channel-number | channel-name } ] [ size buffersize ]. Cancel the configuration of outputting information to log buffer: undo info-center logbuffer [ channel | size ]. 3 Configuring the information source on the Switch...
  • Page 272: Sending The Information To The Trap Buffer

    Sending the Information to the Trap Buffer. To send information to the trap buffer, follow the steps below: 1 Enabling info-center. Perform the following operation in System View. Table 303 Enabling/Disabling Info-center (columns: Operation, Command). Enable info-center: info-center enable...
  • Page 273: Sending The Information To Snmp Network Management

    Logging Function ... is no specific configuration record for a module in the channel, use the default one. If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, and at the same time use the command to turn on the debugging...
  • Page 274 15: S HAPTER YSTEM AINTENANCE AND EBUGGING Table 309 Defining Information Source Operation Command Define information info-center source { modu-name | default } source channel { channel-number | channel-name } [ { log | trap | debug }* { level severity | state state }* ] Cancel the configuration undo info-center source { modu-name | default } of information source...
  • Page 275: Configuration Examples Of Sending Logs To Unix Loghost

    Logging Function. The Switch provides a command to turn on/off the synchronization switch on every Switch. If the synchronization switch of a Switch is turned off, it does not send information to other Switches but still receives information from them. 1 Enable info-center. Perform the following operation in System View.
  • Page 276 [3com] info-center source arp channel loghost log level informational [3com] info-center source ip channel loghost log level informational 2 Configuration on the loghost. This configuration is performed on the loghost. The following example is performed on SunOS 4.0; the operation on Unix operating systems produced by other manufacturers is generally the same as on SunOS 4.0.
  • Page 277: Configuration Examples Of Sending Log To Linux Loghost

    Figure 75 Schematic diagram of configuration (labels: Network, Switch). Configuration steps # Enabling info-center [3com] info-center enable # Set the host with the IP address of 202.38.1.10 as the loghost; set the severity level threshold value as informational, set the output...
  • Page 278: Configuration Examples Of Sending Log To Control Terminal

    English; allow all modules to output information. [3com] info-center loghost 202.38.1.10 facility local7 language english [3com] info-center source default channel loghost log level informational. Configuration on the loghost. This configuration is performed on the loghost. a Perform the following command as the super user (root).
  • Page 279 Logging Function ■ The information with the severity level above informational will be sent to the loghost ■ The output language is English ■ The modules that are allowed to output information are ARP and IP. Networking Diagram: Figure 76 Schematic Diagram of Configuration (labels: console)...
  • Page 281: Snmp Configuration

    SNMP Configuration. Overview. The Simple Network Management Protocol (SNMP) is the most widely applied management protocol in computer networks. SNMP has been put into use and widely accepted as an industry standard in practice. It is used for ensuring the transmission of management information between any two nodes.
  • Page 282: Configuring Snmp

    Chapter 16: SNMP Configuration. Figure 77 Architecture of the MIB Tree. The MIB (Management Information Base) is used to describe the hierarchical architecture of the tree, and it is the set of standard variables defined for the monitored network device. In the above figure, the managed object B can be uniquely specified by a string of numbers {1.2.1.1}.
  • Page 283: Setting Community Name

    Configuring SNMP ■ Set SNMP System Information ■ Set the Engine ID of a Local or Remote Device ■ Set/Delete an SNMP Group ■ Set the Source Address of Trap ■ Add/Delete a User to/from an SNMP Group ■ Create/Update View Information or Delete a View ■...
  • Page 284: Setting The Destination Address Of Trap

    Setting the Destination Address of Trap. You can use the following commands to set or delete the destination address of the trap. Perform the following configuration in System View. Table 317 Set the Destination Address of Trap (columns: Operation, Command). Set the destination...
  • Page 285: Setting/Deleting An Snmp Group

    Configuring SNMP. Table 320 Set the Engine ID of a Local or Remote Device (columns: Operation, Command). Set the engine ID of the device: snmp-agent local-engineid engineid. Restore the default engine ID of the device: undo snmp-agent local-engineid. By default, the engine ID is expressed as enterprise No. + device information. The device information can be an IP address, a MAC address, or user-defined text.
  • Page 286: Creating/Updating View Information Or Deleting A View

    Creating/Updating View Information or Deleting a View. You can use the following commands to create or update the information of views, or to delete a view. Perform the following configuration in System View. Table 324 Create/Update View Information or Delete a View (columns: Operation, Command). Create/Update view information...
  • Page 287: Snmp Configuration Example

    Table 328 Display and Debug SNMP (columns: Operation, Command). Display the statistics information about SNMP packets: display snmp-agent statistics. Display the engine ID of the active device: display snmp-agent { local-engineid | remote-engineid }. (columns: Operation, Command). Display the group name, the security mode, the states for all types of views, ...: display snmp-agent group [ group-name ]...
  • Page 288 [4500]snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public Configure Network Management System The Switch supports 3Com Network Director. Users can query and configure the Switch through the network management system. For more information, refer to the network management user documentation.
  • Page 289: Reading Usmusr Table Configuration Example

    SNMP Configuration Example. Reading Usmusr Table Configuration Example. Networking Requirements: The ViewDefault view should be reconfigured if you use SNMP V3 to read the usmusr table. The snmpVacmMIB and snmpUsmMIB should be included in the ViewDefault view. Networking Diagram: Figure 79 SNMP configuration example (labels: 129.102.0.1, 129.102.149.23, Ethernet)...
  • Page 290 View name:ViewDefault MIB Subtree:snmpModules.18 Subtree mask: Storage-type: nonVolatile View Type:excluded View status:active...
  • Page 291: Rmon Configuration

    RMON Configuration. Overview. Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used network management standards.
  • Page 292: Adding/Deleting An Entry To/From The Alarm Table

    Chapter 17: RMON Configuration ■ Add/Delete an Entry to/from the History Control terminal ■ Add/Delete an Entry to/from the extended RMON alarm table ■ Add/Delete an Entry to/from the Statistics table. Adding/Deleting an Entry to/from the Alarm Table: RMON alarm management can monitor the specified alarm variables, such as the statistics on a port.
  • Page 293: Adding/Deleting An Entry To/From The Extended Rmon Alarm Table

    Displaying and Debugging RMON. Table 331 Add/Delete an Entry to/from the History Control Terminal (columns: Operation, Command). Add an entry to the history control terminal: rmon history entry-number buckets number interval sampling-interval [ owner text-string ]. Delete an entry from the history control terminal: undo rmon history entry-number.
  • Page 294: Rmon Configuration Example

    1 Configure RMON. [4500-Ethernet1/0/1]rmon statistics 1 owner 3com-rmon 2 View the configurations in User View. <4500> display rmon statistics Ethernet 1/0/1 Statistics entry 1 owned by 3com-rmon is VALID. Gathers statistics of interface Ethernet1/0/1. Received: octets : 270149,packets : 1954...
  • Page 295: Ntp Configuration

    NTP Configuration. Overview. Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. NTP transmits packets through UDP port 123. NTP is intended for time synchronization between all devices that have clocks in a network, so that the clocks of all devices stay consistent.
  • Page 296: Implementation Principle Of Ntp

    Chapter 18: NTP Configuration ■ The local clock of a Switch 4500 cannot operate as a reference clock. It can serve as an NTP server only after it has been synchronized. Implementation Principle of NTP: Figure 81 shows the implementation principle of NTP. Ethernet switch A (LS_A) is connected to Ethernet switch B (LS_B) through Ethernet ports.
  • Page 297: Ntp Implementation Modes

    Overview ■ When receiving the response packet, LS_A inserts a new timestamp (10:00:03 am) into it. At this time, LS_A has enough information to calculate the following two parameters: ■ Delay for an NTP packet to make a round trip between LS_A and LS_B: ...
  • Page 298 Figure 84 Broadcast Mode (labels: Client, Server, Network. Client: initiates a client/server mode request after receiving the first broadcast packet; obtains the delay between the ... Server: broadcasts clock synchronization packets periodically; works in the server mode automatically and sends response packets. Arrows: Client/server mode request, Response packet)...
  • Page 299: Configuring Ntp Implementation Modes

    Configuring NTP Implementation Modes (columns: NTP implementation mode, Configuration on the Switch 4500 Family). Multicast mode: ■ Configure the local Switch 4500 Ethernet switch to operate in NTP multicast server mode. In this mode, the local switch sends multicast NTP packets through the VLAN interface configured on the switch.
  • Page 300 (columns: Operation, Command, Description). Configure the switch to operate in NTP broadcast client mode: ntp-service broadcast-client. Optional. By default, no Ethernet switch operates in NTP broadcast client mode. Configure the switch to operate in NTP broadcast server mode: ntp-service broadcast-server [ ... Optional. By default, no Ethernet switch...
  • Page 301: Configuring Access Control Right

    Configuring Access Control Right NTP broadcast server mode When a Switch 4500 operates in NTP broadcast server mode, it broadcasts clock synchronization packets periodically. The devices in NTP broadcast client mode will respond to these packets and start the clock synchronization process. NTP multicast server mode When a Switch 4500 operates in NTP multicast server mode, it multicasts clock synchronization packets periodically.
  • Page 302: Configuration Procedure

    enabled on the server (assuming that other related configurations are performed). ■ You need to couple the NTP authentication with a trusted key. ■ Configurations on the server and the client must be consistent. ■ The client with the NTP authentication function enabled is only synchronized to...
  • Page 303: Configuring Optional Ntp Parameters

    Configuring Optional NTP Parameters (columns: Operation, Command, Description). Configure an NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value. Required. By default, no NTP authentication key is configured. Configure the specified key to be a trusted key: ntp-service reliable authentication-keyid key-id. Required. By default, no trusted authentication key is configured.
  • Page 304: Displaying And Debugging Ntp

    Dynamic connections can be established when a switch operates in passive peer mode, NTP broadcast client mode, or NTP multicast client mode. In other modes, the connections established are static. Displaying and Debugging NTP: After performing the above configurations, you can execute display commands in any view to display the switch’s running status and verify the effect of the configuration.
  • Page 305: Configuring Ntp Peer Mode

    Configuration Examples Clock precision: 2^7 Clock offset: 0.0000 ms Root delay: 0.00 ms Root dispersion: 0.00 ms Peer dispersion: 0.00 ms Reference time: 00:00:00.000 UTC Jan 1 1900 (00000000.00000000) # Set Switch1 to the NTP server of the Switch 4500. <4500>...
  • Page 306 Figure 86 Network diagram for NTP peer mode configuration (labels: Switch2, Switch3, SW4500; addresses 3.0.1.31/24, 3.0.1.32/24, 3.0.1.33/24). Configuration procedure 1 Configure the Switch 4500. # Set Switch2 to the NTP server. <SW4500>...
  • Page 307: Configuring Ntp Broadcast Mode

    Configuration Examples # View the information about the NTP sessions of the SW4500 Ethernet switch (you can see that a connection is established between the SW4500 Ethernet switch and Switch3). [SW4500] display ntp-service sessions source reference stra reach poll now offset delay disper ************************************************************************** [2]3.0.1.32...
  • Page 308: Configuring Ntp Multicast Mode

    # Enter system view. <SW4500-2> system-view [SW4500-2] # Enter Vlan-interface2 view. [SW4500-2] interface Vlan-interface 2 [SW4500-2-Vlan-interface2] # Set SW4500-2 to a broadcast client. [SW4500-2-Vlan-interface2] ntp-service broadcast-client After the above configurations, SW4500-1 and SW4500-2 will listen to broadcast packets through their own Vlan-interface2, and Switch3 will send broadcast packets through Vlan-interface2.
  • Page 309 Network diagram: Figure 88 Network diagram for NTP multicast mode configuration (labels: Switch 3, Switch 4, SW4500, Vlan-interface 2; addresses 3.0.1.31/24, 1.0.1.31/24, 3.0.1.32/24)...
  • Page 310: Configuring Ntp Server Mode With Authentication

    from Switch3, while SW4500-1 is synchronized to Switch3 after receiving multicast packets from Switch3. View the status of SW4500-1 after synchronization. [SW4500-1] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 250.0000 Hz Actual frequency: 249.9992 Hz Clock precision: 2^19...
  • Page 311 Configuration Examples # Enable the NTP authentication function. [SW4500] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [SW4500] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key as a trusted key. [SW4500] ntp-service reliable authentication-keyid 42 [SW4500] ntp-service unicast-server 1.0.1.11 authentication-keyid 42 After the above configurations, SW4500 is ready to synchronize with Switch1.
  • Page 313: Ssh Terminal Services

    SSH Terminal Services. This section contains information on SSH Terminal Services. SSH Terminal Service: Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely over an insecure network. A Switch can connect to multiple SSH clients.
  • Page 314 19: SSH T HAPTER ERMINAL ERVICES Figure 91 Establish an SSH channel through a WAN Workstation Workstation Local switch Local Ethernet Local Ethernet Laptop Laptop Workstation Server Server SSH client Remote Ethernet Remote Ethernet Remote switch SSH server Laptop Laptop Server Server To establish an SSH authentication secure connection, the server and the client...
  • Page 315 SSH Terminal Service 3 Authentication mode negotiation: ■ The client sends its username information to the server. ■ The server initiates a procedure to authenticate the user. If the server is configured not to authenticate the user, the process proceeds to the session request phase directly.
  • Page 316: Ssh Server Configuration

    SSH Server Configuration. SSH server configuration tasks are described in the following sections: Table 343 SSH server configuration (columns: Configuration Item, Command, View, Description). Configure the protocol the current user interface supports: protocol inbound. VTY user interface view. Optional. Generate an RSA...
  • Page 317 SSH Terminal Service CAUTION: If the supported protocol configured in the user interface is SSH, make sure to configure the authentication mode for logging into the user interface to authentication-mode scheme (using AAA authentication mode). If the authentication mode is configured as authentication-mode password or authentication-mode none, the configuration of protocol inbound ssh will fail, and vice versa.
  • Page 318 19: SSH T HAPTER ERMINAL ERVICES By default, no login authentication mode is specified, that is, SSH users are unable to log in. 4 Configuring the authentication timeout Use this configuration task to set the authentication timeout of SSH connections. Perform the following configuration in system view.
  • Page 319 SSH Terminal Service. Table 350 Public key configuration (columns: Operation, Command). Enter the public key view: rsa peer-public-key key-name. Exit the public key view and return to the system view: peer-public-key end. The configuration commands are applicable to environments where the server employs RSA authentication on SSH users.
  • Page 320: Ssh Client Configuration

    (columns: Operation, Command). Cancel the corresponding relationship between the user and the public key: undo ssh user username assign rsa-key. 11 Configuring the server compatibility mode. Use this configuration task to set whether the server should be compatible with SSH 1.x clients.
  • Page 321 SSH Terminal Service. Figure 92 Generating the client key (1). While generating the key pair, you must move the mouse continuously. Keep the mouse off the green progress bar in the blue box of Figure 92; otherwise, the progress bar does not move and the key pair cannot be generated.
  • Page 322 Figure 93 Generating the client key (2). After the key pair is generated, click "Save public key" and enter the file name (public, in this example) to save the key pair.
  • Page 323 SSH Terminal Service. Figure 94 Generating the client key (3). Likewise, to save the private key, click "Save private key"; a warning window pops up asking whether to save the private key without any precautions. Click "Yes" and enter a name (private, in this example) to save the private key. Figure 95 Generating the client key (4). To generate an RSA public key in PKCS format, run SSHKEY.exe, click "Browse"...
  • Page 324 Figure 96 Generating the client key (5). Specifying the IP address of the server: Launch PuTTY.exe and the following window appears.
  • Page 325 SSH Terminal Service. Figure 97 SSH client interface 1. In the [Host Name (or IP address)] text box, enter the IP address of the server, for example, 10.110.28.10. Note that the IP address can be the IP address of any interface on the server that is in the up state, with SSH enabled, and has a route to the client.
  • Page 326 Figure 98 SSH client interface 2. In the [Protocol options] field, select [2] from the [Preferred SSH protocol version] section. Open an SSH Connection with RSA: If the client needs to use RSA authentication, you must specify the RSA private key file.
  • Page 327 SSH Terminal Service. Figure 99 SSH client interface 3. Click <Browse…> to bring up the file selection window, navigate to the private key file and click <OK>.
  • Page 328: Configuring The Device As An Ssh Client

    Open an SSH Connection with Password. 1 Click <Open>. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 100.
  • Page 329: Displaying And Debugging Ssh

    SSH Terminal Service Table 356 Start the SSH client Operation Command Start the SSH client ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5...
  • Page 330: Ssh Server Configuration Example

    SSH server SSH client Configuration procedure 1 Generate the RSA key. [3Com] rsa local-key-pair create Note: If the configuration for generating the local key has already been completed, skip this step. 2 Set the user login authentication mode. The following shows the configuration methods for both password authentication and RSA public key authentication.
  • Page 331: Ssh Client Configuration Example

    [3Com-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 [3Com-rsa-key-code] public-key-code end [3Com-rsa-public-key] peer-public-key end [3Com] ssh user client002 assign rsa-key 3com002 5 Start the SSH client software on the terminal preserving the RSA private key, and perform the corresponding configurations to establish the SSH connection. SSH Client Configuration...
  • Page 332: Encryption Algorithm

    [3Com-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 [3Com-rsa-key-code] public-key-code end [3Com-rsa-public-key] peer-public-key end [3Com] ssh client 10.165.87.136 assign rsa-key hello CAUTION: Before logging into the SSH server, the SSH client (except for the PuTTY and OpenSSH software) must be configured with the public key of the server.
  • Page 333: Sftp Service

    ********************************************************* <3Com> Employ RSA public key authentication mode, and start using the corresponding encryption algorithm configured. [3Com] ssh2 10.165.87.136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_stoc_cipher 3des perfer_ctos_hmac md5 perfer_stoc_hmac Please input the username: client003 Trying 10.165.87.136... Press CTRL+K to abort Connected to 10.165.87.136...
  • Page 334: Sftp Client Configuration

    Table 360 Configure the service type to be used (columns: Operation, Command). Configure the service type to be used: ssh user username service-type { stelnet | sftp | all }. Restore the default service type: undo ssh user username service-type. By default, the service type is stelnet.
  • Page 335 SFTP Service. Table 362 SFTP client configuration (columns: Configuration Item, Command, View, Description). Start the SFTP client: sftp. System view. Required. Shut down the SFTP client: exit / quit. SFTP client view. Optional. SFTP directory operations: Change the current directory ... SFTP client view. Optional. Return to the...
  • Page 336 Table 363 Start the SFTP client (columns: Operation, Command). Start the SFTP client: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [...
  • Page 337: Sftp Configuration Example

    ■ A secure SSH connection has been established between Switch A and Switch B; ■ Switch A is used as the SFTP server, and its IP address is 10.111.27.91; ■ Switch B is used as the SFTP client; ■ An SFTP user is configured with the username 8040 and password 3com.
  • Page 338 # Start the SFTP server. [3Com] sftp-server enable # Specify the service type as SFTP. [3Com] ssh user 8040 service-type sftp 2 Configure Switch A as the client. # Establish a connection with the remote SFTP server and enter the SFTP client view.
  • Page 339 0 Sep 01 06:22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub -rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk sftp-client> # Exit SFTP. sftp-client> quit <3Com>...
  • Page 341: Password Control Configuration Operations

    Password Control Configuration Operations. Introduction to Password Control Configuration: The password control feature is designed to manage the following passwords: ■ Telnet passwords: passwords used by users who log in to the switch through Telnet. ■ SSH passwords: passwords used by users who log in to the switch through...
  • Page 342 Chapter 20: Password Control Configuration Operations. Table 368 Functions Provided by Password Control (columns: Function, Description, Application). History password recording: a password that was configured and once used by a user is called a history (old) password. Application: Telnet, SSH, super, and FTP passwords.
  • Page 343: Password Control Configuration

    Password Control Configuration. Table 368 Functions Provided by Password Control (columns: Function, Description, Application). User blacklist: If the maximum number of attempts is exceeded, the user cannot log in to the switch and is added to the blacklist by the switch. No user in the blacklist is allowed to log in to the switch.
  • Page 344: Configuring Password Aging

    minimum password length (if available), the enable/disable state of history password recording, the processing mode for login attempt failures, and the time when the password history was last cleared. If all the password attempts of a user fail, the system adds the user to the blacklist. You can execute the display password-control blacklist command in any view to check the names and IP addresses of such users.
  • Page 345: Configuring The Minimum Password Length

    Password Control Configuration. CAUTION: After the user updates the password successfully, the switch saves the old password in a readable file in the flash memory. CAUTION: The switch does not provide the alert function for super passwords. CAUTION: The switch does not provide the alert function for FTP passwords. When an FTP user logs in with a wrong password, the system just informs the user of the password error; it does not allow the user to change the password.
  • Page 346: Configuring User Login Password In Encryption Mode

    CAUTION: When updating a password, do not reuse one of the recorded history passwords; otherwise the system prompts you to set a different password. The system administrator can perform the following operations to manually remove history password records.
  • Page 347: Configuring The Timeout For User Password Authentication

    Table 374 Configure Login Attempts Limitation and Failure Processing Mode
    Operation: Display information about one or all users added to the blacklist
    Command: display password-control blacklist [ username username | ipaddress ip-address ]
    Description: You can execute the display command in any view.
    ...
  • Page 348: Displaying Password Control

    If a password authentication completes without timing out, the user logs in to the switch normally.
    Table 376 Configuring the Timeout for User Password Authentication
    Operation: Enter system view
    Command: system-view
    Operation: Configure the timeout time of user password authentication
    Description: By default, it is 60 seconds.
    ...
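The checks described in this chapter (minimum length, rejection of recorded history passwords, password aging, the 60-second authentication timeout, and the per-user login-attempt limit that feeds the blacklist shown by display password-control blacklist) are modelled below in Python. This is an added example written for this page, not 3Com firmware code. Only the 60-second timeout comes from the manual (Table 376); MIN_LENGTH, MAX_ATTEMPTS, AGING_DAYS and HISTORY_DEPTH are assumed values. Unlike the switch, which keeps old passwords in a readable flash file, the model keeps only salted hashes of the history, so reuse can still be detected without storing anything recoverable.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy parameters.  Only AUTH_TIMEOUT_SECS (60 s) is stated in the manual
# (Table 376); the others are assumed values for this model.
MIN_LENGTH = 10
MAX_ATTEMPTS = 3
AGING_DAYS = 90
HISTORY_DEPTH = 4
AUTH_TIMEOUT_SECS = 60
PBKDF2_ROUNDS = 10_000      # kept low so the example runs quickly


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    set_on_day: int
    history: list = field(default_factory=list)   # older (salt, digest) pairs


@dataclass
class PasswordControl:
    today: int = 0                                  # day counter advanced by the caller
    users: dict = field(default_factory=dict)       # user name -> Account
    failures: dict = field(default_factory=dict)    # (user, ip) -> failed attempts
    blacklist: dict = field(default_factory=dict)   # user -> ip that exhausted attempts

    def set_password(self, user: str, new_pw: str) -> str:
        """The 'password' command: enforce minimum length, reject history reuse."""
        if len(new_pw) < MIN_LENGTH:
            return "rejected: shorter than minimum length"
        acct = self.users.get(user)
        recorded = ([(acct.salt, acct.digest)] + acct.history) if acct else []
        # Re-hash the candidate under each stored salt; no cleartext history is kept.
        if any(hmac.compare_digest(_digest(new_pw, s), d) for s, d in recorded):
            return "rejected: matches a history password, choose another"
        salt = os.urandom(16)
        if acct:
            acct.history = recorded[:HISTORY_DEPTH]     # current password becomes history
            acct.salt, acct.digest, acct.set_on_day = salt, _digest(new_pw, salt), self.today
        else:
            self.users[user] = Account(salt, _digest(new_pw, salt), self.today)
        return "ok"

    def login(self, user: str, ip: str, pw: str, elapsed_secs: int = 0) -> str:
        """One login attempt; failures are counted per (user, ip) pair."""
        if user in self.blacklist:
            return "denied: user is blacklisted"
        if elapsed_secs > AUTH_TIMEOUT_SECS:
            return "denied: authentication timed out"
        acct = self.users.get(user)
        if acct is not None and hmac.compare_digest(_digest(pw, acct.salt), acct.digest):
            self.failures.pop((user, ip), None)
            if self.today - acct.set_on_day >= AGING_DAYS:
                return "ok: password expired, change it now"
            return "ok"
        count = self.failures.get((user, ip), 0) + 1
        self.failures[(user, ip)] = count
        if count >= MAX_ATTEMPTS:
            self.blacklist[user] = ip
            return "denied: attempt limit reached, user added to blacklist"
        return "denied: bad password"

    def display_blacklist(self) -> list:
        """Same information as 'display password-control blacklist': names and IPs."""
        return list(self.blacklist.items())

    def clear_history(self, user: str = None) -> None:
        """Administrator's manual removal of history password records."""
        for name, acct in self.users.items():
            if user is None or name == user:
                acct.history.clear()
```

The model deliberately keys failure counting on the (user, IP) pair, which is why the blacklist display on the switch lists both a user name and an address; clearing history for a user makes an old password acceptable again, exactly as the manual's manual-removal operation does.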
  • Page 349: Configuration Procedure

    Password Control Configuration Example
    Configuration Procedure
    # Configure the system login password.
    <4500>system-view
    System View: return to User View with Ctrl+Z.
    [4500]local-user test
    New local user added.
    [4500-luser-test]password
    Password:**********
    confirm:**********
    # Change the system login password to 0123456789.
    [4500-luser-test]password
    Password:**********
    Confirm :**********
    Updating the password file ,please wait ...
  • Page 350
  • Page 351: Password Recovery Process

    However, if the password recovery mechanism is disabled and the user-configurable bootrom password is lost, no recovery mechanism is available. In that case the Switch must be returned to 3Com for repair. The following commands are all executed from the Bootrom directly via the console.
  • Page 352: Bootrom Interface

    Appendix A: Password Recovery Process
    Bootrom Interface
    During the initial boot phase of the Switch (when directly connected via the console), various messages are displayed and the following prompt is shown with a five-second countdown timer: Press Ctrl-B to enter Boot Menu... 4
    Before the countdown reaches 0, press Ctrl+B. Anyone with console access during boot can reach this menu, so protect the console port physically and set a bootrom password.
  • Page 353: Skipping The Current Configuration File

    If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Ensure that the Switch is registered with 3Com promptly, because the unit-unique password is supplied only to the registered owner of the Switch.
  • Page 354: Bootrom Password Recovery

    This option allows the user to disable the fixed, unit-unique password recovery mechanism. If it is disabled and the bootrom password is then lost, recovery is not possible and the Switch must be returned to 3Com for repair.
  • Page 355: Setting Up A Radius Server

    ■ The remainder of this section describes how to set up a RADIUS server using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com.
    Configuring Microsoft IAS RADIUS
    3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with Switch 4500 deployed.
  • Page 356

    Appendix B: RADIUS Server and RADIUS Client Setup
    ...and Computers window, right-click the domain and choose Properties, then select Change Mode.
    c Add a user that is allowed to use the network. Go to Active Directory Users and Computers; in the left-hand window right-click the Users folder and choose New >...
  • Page 357

    e The user's password must be stored with reversible encryption. Right-click the user account and select Properties. Select the Account tab and check the box labeled Store password using reversible encryption. Reversible encryption keeps a recoverable form of the password on the domain controller, so apply it only to accounts that need it for this authentication method.
    f Now re-enter the password for the account: right-click the user account and select Reset Password…
  • Page 358

    In the Certificate Authority Type window select Enterprise root CA. Enter information to identify the Certificate Authority in the CA Identifying Information window. Enter the storage location in the Data Storage Location window. To complete the installation and setup of the certificate server, the wizard requires the install CD for Microsoft Windows 2000 Server.
  • Page 359

    5 Configure a Certificate Authority
    a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your Certificate Authority server.
    b Select New > Certificate to Issue.
    c Select Authenticated Session and click OK.
    d Go to Programs >...
  • Page 360

    e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor.
    f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies, and right-click Automatic Certificate Request Settings.
  • Page 361

    Open a command prompt (Start > Run). Enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect.
    6 Set up the Internet Authentication Service (IAS) RADIUS Server
    a Go to Programs > Administrative Tools > Internet Authentication Service, right-click Clients, and select New Client.
  • Page 362

    h Select Grant remote access permission, and select Next. Click Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected and Smart Card or other Certificate is set. Deselect any other authentication methods listed.
  • Page 363

    b Select the Dial-in tab from the client Properties window. Select Allow access. Click OK.
    c Click OK to confirm.
    8 Configure the Switch 4500 for RADIUS access and client authentication; see Chapter 11 "802.1X Configuration".
  • Page 364

    d Select Advanced request and click Next >.
    e Select the first option and click Next >.
    f Either copy the settings from the screenshot below or choose different key options.
  • Page 365

    ...followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive.
    h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA web page.
  • Page 366

    Paste the copied information into the Saved Request field as shown below. Select Authenticated Session from the Certificate Template selector and click Submit >.
    m Download the certificate and certification path. Click the Download CA Certificate hyperlink to save the certificate.
  • Page 367

    o Click Install Certificate to launch the certificate import wizard.
    p Leave the settings on the next screen as they are, click Next > followed by Finish and OK. This installs the certificate.
    q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
  • Page 368

    s Click Copy to File to save the certificate. This was already done by the Advanced Request, but it is an alternative way to save the certificate. Click Next when the wizard launches. Save the certificate using DER X.509 encoding: select DER encoded binary, followed by Next.
  • Page 369

    u Select the user that becomes the IEEE 802.1X client. Right-click the user and select Name Mappings. Select Add.
    v Select the certificate that you have just exported and click Open. Click OK.
    w In the Security Identity Mapping screen, click OK to close it.
    x Close the Active Directory Users and Computers management tool.
  • Page 370

    b Create a new remote access policy under IAS and name it Switch Login. Select Next >.
    c Specify Switch Login to match the users in the switch access group, select Next >...
  • Page 371

    e Use the Edit button to change the Service-Type to Administrative.
    f Add a Vendor-Specific attribute to indicate the access level that should be provided:
  • Page 372

    The value 010600000003 indicates admin privileges for the Switch: 01 is the vendor attribute type, 06 its length, and the final four bytes (00000003) the access level. A final byte of 01 indicates monitor and 02 indicates manager access. On the Switch 4500, 00 indicates visitor level.
    11 Configure the RADIUS client. Refer to the section Setting Up the RADIUS Client for information on setting up the client.
  • Page 373

    Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS:
    1 Define the VLAN groups on the Active Directory server and assign the user accounts to each VLAN group. Go to Programs > Administrative Tools > Active Directory Users and Computers.
    a For example, to create one group that represents VLAN 4, select the Users folder from the domain (see below),...
  • Page 374

    d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties.
    e Click Add to add policy membership.
    f Select the Windows-Groups attribute type, and select Add and Add again...
  • Page 375

    g Select the VLAN group that you have just created, click Add, and then OK to confirm.
    h Click OK again to return to the Security Policy properties. Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 379 to Table 381 for the RADIUS attributes to add to the profile.
  • Page 376

    Table 379 Summary of auto VLAN attributes
    Table 380 For Auto VLAN
    Return String | Comment
    Tunnel-Medium-Type |
    Tunnel-Private-Group-ID | VLAN value
    Tunnel-Type | VLAN
    Table 381 Summary of QoS attributes
    Table 382 For Auto QoS
    Return String | Comment
    Filter-Id | ...
  • Page 377

    m Select the Tunnel-Pvt-Group-ID entry and click Add.
    n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID.
    o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen.
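The encoded value 010600000003 shown for the Switch Login policy (page 372) and the tunnel attributes of Tables 379 to 382 are what the Switch 4500 actually receives in the Access-Accept. The Python below builds and parses those attributes on the wire so the bytes IAS displays can be checked against what the switch expects. It is an added example written for this page, not IAS, FreeRADIUS or 3Com code. Two assumptions not stated in the manual: vendor ID 43 is 3Com's IANA enterprise number, and the 3Com-User-Access-Level sub-attribute has vendor-type 1 (as in the FreeRADIUS dictionary.3com); the Tunnel-Type and Tunnel-Medium-Type values come from RFC 3580.

```python
import struct

VENDOR_3COM = 43                 # assumed: IANA enterprise number for 3Com
VSA_USER_ACCESS_LEVEL = 1        # assumed: vendor-type of 3Com-User-Access-Level
ACCESS_LEVELS = {0: "visitor", 1: "monitor", 2: "manager", 3: "administrator"}

ATTR_VENDOR_SPECIFIC = 26        # RFC 2865
ATTR_TUNNEL_TYPE = 64            # RFC 2868
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13            # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 3580


def _attr(attr_type: int, value: bytes) -> bytes:
    """Top-level RADIUS attribute TLV: type(1) length(1) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def user_access_level_sub_attr(level: int) -> bytes:
    """The VSA payload as IAS displays it: vendor-type, vendor-length, value.
    vendor-length 6 = 1 (type) + 1 (length) + 4 (integer value)."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {level}")
    return struct.pack("!BBI", VSA_USER_ACCESS_LEVEL, 6, level)


def vendor_specific(sub_attr: bytes) -> bytes:
    """Attribute 26: 4-byte vendor ID followed by the vendor sub-attribute."""
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_3COM) + sub_attr)


def tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: tag byte plus a 3-byte integer (RFC 2868)."""
    return _attr(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tunnel_private_group_id(vlan_id: int) -> bytes:
    """VLAN carried as a string ("4"), matching IAS 'attribute value in string format'.
    No tag byte: a first octet above 0x1F is read as part of the string (RFC 2868)."""
    return _attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode())


def access_accept_attrs(level: int, vlan_id: int) -> bytes:
    """Attribute block for a switch-login plus auto-VLAN Access-Accept."""
    return (vendor_specific(user_access_level_sub_attr(level))
            + tagged_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_private_group_id(vlan_id))


def parse_attrs(data: bytes) -> list:
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def decode_access_level(vsa_hex: str) -> str:
    """Decode the sub-attribute string shown in IAS (e.g. '010600000003')."""
    sub_type, sub_len, level = struct.unpack("!BBI", bytes.fromhex(vsa_hex))
    if sub_type != VSA_USER_ACCESS_LEVEL or sub_len != 6:
        raise ValueError("not a 3Com-User-Access-Level sub-attribute")
    return ACCESS_LEVELS.get(level, "unknown")


def summarize(data: bytes) -> dict:
    """Human-readable view of what the switch would take from the Access-Accept."""
    result = {}
    for t, v in parse_attrs(data):
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", v[:4])[0] == VENDOR_3COM:
            result["access_level"] = decode_access_level(v[4:].hex())
        elif t == ATTR_TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            result["vlan"] = v.decode() if v[0] > 0x1F else v[1:].decode()
    return result
```

summarize(access_accept_attrs(3, 4)) yields administrator access and VLAN "4", the same combination the IAS steps above produce; the FreeRADIUS reply item 3Com-User-Access-Level = Administrator on page 384 is this same sub-attribute with value 3.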
  • Page 378: Configuring Funk Radius

    For troubleshooting, you can use the Event Viewer on both the workstation and the RADIUS server.
    Configuring Funk RADIUS
    3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with Switch 4500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com...
  • Page 379

    To configure Funk RADIUS as a RADIUS server for networks with the Switch 4500, follow these steps:
    1 Open the file \radius\service\eap.ini and remove the ";" before the MD5-Challenge line. This enables MD5-Challenge.
    2 Open the file and change the log level to 5.
  • Page 380 Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 4500 and follow the instructions in Configuring Auto VLAN and QoS for Funk RADIUS.
  • Page 381

    Passwords are case sensitive.
    6 Enter the shared secret. The Switch and the server use it to authenticate each other's RADIUS messages and to obscure the User-Password attribute, so it must be identical on the Switch 4500 and the RADIUS server.
    a Select RAS Clients from the left-hand list, enter a Client name, the IP address and the Shared secret.
  • Page 382

    Configuring Auto VLAN and QoS for Funk RADIUS
    To set up auto VLAN and QoS using Funk RADIUS, follow these steps:
    1 Edit the Funk dictionary file radius.dct so that the Return list attributes from the RADIUS server are returned to the Switch 4500.
  • Page 383: Configuring Freeradius

    The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 4500.
    Configuring FreeRADIUS
    3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and Red Hat Linux servers in networks with the Switch 4500 deployed.
  • Page 384: Setting Up The Radius Client

    a Add an entry for Switch Login. For example:
        user-name    Auth-Type = System
                     3Com-User-Access-Level = Administrator
    This indicates that the server should return the 3Com vendor-specific attribute 3Com-User-Access-Level in the Access-Accept message for that user.
    b Add an entry for Network Login. For example:
        user-name    Auth-Type := Local, User-Password == "password"...
  • Page 385: Windows 2000 Built-In Client

    Windows 2000 Built-in Client
    Windows 2000 requires Service Pack 3 and the IEEE 802.1X client patch for Windows 2000.
    1 Download the patches if required from: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637
    2 After the updates have been installed, start the Wireless Authentication Service in Component Services on the Windows 2000 workstation (set the service to startup type Automatic).
  • Page 386

    Follow these steps to install the Aegis client:
    1 Register the Aegis client. When using the Aegis client for the first time, a license key is requested. To obtain a valid license key, complete an online form on the Meetinghouse website giving the System ID.
  • Page 387

    d Click OK to finish the configuration.
    e Restart the client either by rebooting, or by stopping and restarting the service.
    f Click the OK button, then return to the Aegis Client main interface. To restart the client, press the button with the red cross.
  • Page 388
  • Page 389: Authenticating the Switch 4500 with Cisco Secure ACS

    Networks that contain a Cisco Secure ACS server with TACACS+, used to provide centralized control over network and management access, can also deploy the 3Com Switch 4500. Although 3Com does not directly support the proprietary TACACS+ protocol, 3Com Switches can still be authenticated in networks that use TACACS+ and Cisco Secure ACS, because Secure ACS also accepts the Switch as a RADIUS client.
  • Page 390: Adding A 3Com Switch 4500 As A Radius Client

    1 Select Network Configuration from the left-hand side.
    2 Select Add Entry under AAA Clients.
    3 Enter the details of the 3Com Switch. Spaces are not permitted in the AAA Client Hostname. An example is shown below...
  • Page 391

    Setting Up the Cisco Secure ACS (TACACS+) Server
    5 Select Interface Configuration from the left-hand side.
    6 Select RADIUS (IETF) from the list under Interface Configuration.
    7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that the following options are selected for both User and Group:
    ■ Filter-Id
    ...
  • Page 392: Adding A User For Network Login

    Appendix C: Authenticating the Switch 4500 with Cisco Secure ACS
    8 Select Submit.
    9 Repeat steps 1 to 8 for each Switch 4500 on your network. When all of the Switch 4500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configuration from the left-hand side, then Service Control, and click Restart.
  • Page 393: Adding A User For Switch Login

    The user can now access the network through Network Login.
    Adding a User for Switch Login
    Adding a user for switch login is slightly more complex, as 3Com-specific RADIUS attributes need to be returned to the 3Com Switch 4500. These RADIUS attributes define the user's access level to the management interface.
  • Page 394

    Once complete, log in to the Secure ACS server again and complete steps 2 and 3.
    2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left-hand side and select an existing device or add a new device.
  • Page 395

    3 Select Submit+Restart. The IETF attributes remain available to the device; the 3Com attributes are simply appended to them.
    4 Select Interface Configuration, followed by RADIUS (3Com).
    a Ensure that the 3Com-User-Access-Level option is selected for both User and...
  • Page 396

    6 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list (see below).
    7 Select Submit.
