3Com SuperStack 4 Configuration Manual

5500g-ei family

SuperStack® 4 Switch 5500G-EI Family
Configuration Guide

http://www.3com.com/
Part number: DUA1725-0BAA02
Published: August 2005


Summary of Contents for 3Com SuperStack 4

  • Page 1: Configuration Guide

    SuperStack 4 Switch 5500G-EI Family ® Configuration Guide http://www.3com.com/ Part number: DUA1725-0BAA02 Published: August 2005...
  • Page 2 All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software.
  • Page 3 About This Guide This guide provides information about configuring your network using the commands supported on the 3Com® SuperStack® 4 Switch 5500G-EI. Organization of the Manual The Switch 5500G-EI Configuration Guide consists of the following chapters: Getting Started — Details the main features and configurations of the Switch ■...
  • Page 4 About This Guide Conventions This manual uses the following conventions: Table 1 Icons Icon Notice Type Description Information note: Information that describes important features or instructions. Caution: Information that alerts you to potential loss of data or potential damage to an application, system, or device. Warning: Information that alerts you to potential personal injury.
  • Page 5 Related Manuals Related Manuals The 3Com SuperStack 4 Switch 5500G-EI Getting Started Guide provides information about installation. The 3Com SuperStack 4 Switch 5500G-EI Command Reference Guide provides all the information you need to use the configuration commands.
  • Page 6 About This Guide...
  • Page 7 Getting Started This chapter covers the following topics: Product Overview ■ XRN Overview ■ Product Features ■ Logging in to the Switch ■ Command Line Interface ■ User Interface Configuration ■ Product Overview The Switch 5500G-EI Family are wire-speed Layer 3 switching products supporting eXpandable Resilient Networking (XRN).
  • Page 8 Chapter 1: Getting Started 8 Port 1000 Mbps SFP Module ■ 1 Port 10 Gbps XENPAK Module ■ The front panel has 48 x 10/100/1000Base-T auto-negotiation Ethernet ports with RJ-45 connectors and 4 SFP combo ports. Each combo port corresponds to an Ethernet port, so there are 4 port pairs.
  • Page 9 XRN Overview Brief Introduction With the XRN (eXpandable Resilient Networking) feature, you can connect several devices into a combined device and manage them as a single unit. The combined device is called the Fabric, while the member devices are units. With XRN you can: Manage multiple devices in a centralized manner, with low management cost.
  • Page 10: Product Features

    Chapter 1: Getting Started Figure 1 Networking Topology with XRN Product Features Table 4 lists the function features: Table 4 Function Features Features Description VLAN VLAN compliant with IEEE 802.1Q Standard Port-based VLAN Voice VLAN...
  • Page 11 Product Features Table 4 Function Features Features Description Security features Multi-level user management and password protect 802.1X authentication Packet filtering Quality of Service (QoS) Traffic classification Bandwidth control Priority Queues of different priority on the port Queue scheduling: supports Strict Priority Queuing (SP), Weighted Round Robin (WRR), WFQ, SP+WFQ, and SP+WRR QoS profile management manner Management and...
  • Page 12 Chapter 1: Getting Started Logging in to the Switch Setting up Configuration Environment through the Console Port 1 To set up the local configuration environment, connect the serial port of a PC (or a terminal) to the console port of the Switch with the console cable (see Figure 2). Figure 2 Setting up the Local Configuration Environment through the Console Port RS-232 Serial port...
  • Page 13 Logging in to the Switch Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...
  • Page 14 Chapter 1: Getting Started Figure 5 Setting Communication Parameters 3 The Switch is powered on and it displays self-test information. Press <Enter> to show the command line prompt, such as <SW5500>. 4 Enter a command to configure the Switch or view the operation state. Enter a ? to view online help.
  • Page 15 Logging in to the Switch Figure 6 Setting up the Configuration Environment through Telnet 3 Run Telnet on the PC and enter the IP address of the VLAN connected to the...
  • Page 16 Chapter 1: Getting Started Figure 8 Providing Telnet Client Service 1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch.
  • Page 17 The Modem configuration commands and outputs may be different according to different Modems. For details, refer to the User Manual of the Modem. 3Com recommends that the transmission rate on the console port must be lower than that of the Modem, otherwise packets may be lost.
  • Page 18 Chapter 1: Getting Started Figure 10 Setting the Dialed Number Figure 11 Dialing on the Remote PC 5 Enter the preset login password on the remote terminal emulator and wait for the <SW5500> prompt. Then you can configure and manage the Switch. Enter...
  • Page 19 Command Line Interface The Switch 5500G-EI family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics: Local configuration through the console port. ■...
  • Page 20 Chapter 1: Getting Started Login users are also classified into four levels that correspond to the four command levels respectively. After users of different levels log in, they can only use commands at the levels that are equal to or lower than their own level. To prevent unauthorized users from illegal intrusion, the user will be identified when switching from a lower level to a higher level with the super...
  • Page 21 Command Line Interface Table 5 describes the features of different views and the ways to enter or quit. Table 5 Features of Command Views Command view Function Prompt Command to enter Command to exit User View Show the basic This is the view you are in quit disconnects <SW5500>...
  • Page 22 (Table 5, continued) Group View (prompt [SW5500-radius-1]): entered in System View; quit returns to System View; return returns to User View. ISP Domain View: configure ISP domain parameters; prompt [SW5500-isp-3Com.net]; enter domain 3Com.net in System View; quit returns to System View; return returns to User View...
  • Page 23 Command Line Interface Features and Functions of the Command Line Online Help of the Command Line The command line interface provides full and partial online help. You can get help information through the online help commands, which are described below: 1 Enter ? in any view to get all the commands in that view. 2 Enter a command with a ? separated by a space.
  • Page 24 Chapter 1: Getting Started command buffer is defaulted as 10. That is, the command line interface stores 10 history commands for each user. The operations are shown in Table 7. Table 7 Retrieving History Commands Operation Result Display history command: displays the history commands input by the user (display...
  • Page 25 User Interface Configuration Table 9 Editing Functions Function <Tab> Press <Tab> after typing an incomplete keyword and the system will display partial help: If the keyword matching the one entered is unique, the system will replace it with the complete keyword and display it in a new line;...
  • Page 26 Chapter 1: Getting Started User Interface Configuration Tasks for configuring the user interface are described in the following sections: Entering User Interface View ■ Configuring the User Interface-Supported Protocol ■ Configuring the Attributes of AUX (Console) Port ■ Configuring the Terminal Attributes ■...
  • Page 27 User Interface Configuration Perform the following configurations in User Interface (AUX user interface only) View. Configuring the Transmission Speed on the AUX (Console) Port Table 12 Configuring the Transmission Speed on the AUX (Console) Port Operation Command Configure the transmission speed on the AUX (console) port: speed speed_value...
  • Page 28 Chapter 1: Getting Started Configuring the Terminal Attributes The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
  • Page 29 User Interface Configuration Setting the Screen Length If a command displays more than one screen of information, you can use the following command to set how many lines to be displayed in a screen, so that the information can be separated in different screens and you can view it more conveniently.
  • Page 30 In the following example, local username and password authentication are configured. Perform username and password authentication when a user logs in through VTY 0 user interface and set the username and password to zbr and 3Com respectively. [SW5500-ui-vty0]authentication-mode scheme [SW5500-ui-vty0]quit...
  • Page 31 User Interface Configuration Table 24 Setting the Command Level used after a User Logs In Operation Command Restore the default command level used after a user logs in: undo service-type { ftp [ ftp-directory ] | lan-access | { ssh | telnet | terminal }* } By default, the specified logged-in user can access the commands at Level 1.
  • Page 32 Chapter 1: Getting Started Configuring Redirection The send command The following command can be used for sending messages between user interfaces. Perform the following configuration in User View. Table 27 Configuring to Send Messages Between Different User Interfaces Operation Command Configuring to send messages between different user interfaces: send { all | number...
  • Page 33 User Interface Configuration Table 29 Displaying and Debugging User Interface Operation Command Display the user application information of the user interface: display users [ all ] Display the physical attributes and some configurations of the user interface: display user-interface [ type number | number ] [ summary ]...
  • Page 34 Chapter 1: Getting Started...
  • Page 35 Port Operation This chapter covers the following topics: Ethernet Port Configuration ■ Link Aggregation Configuration ■ Ethernet Port Configuration Ethernet Port Overview The Switch 5500G-EI 24 Port provides 24 fixed 10/100/1000Base-T Ethernet ports, 4 combo SFP ports, 2 fixed stack ports and one expansion slot. The expansion slot can accommodate the 8 port SFP module, 1 port 10G module or 2 port 10G module.
  • Page 36 Chapter 2: Port Operation Setting the Description Character String for the Ethernet Port ■ Setting the Duplex Attribute of the Ethernet Port ■ Setting Speed on the Ethernet Port ■ Setting the Cable Type for the Ethernet Port ■ Enabling/Disabling Flow Control for the Ethernet Port ■...
  • Page 37 Ethernet Port Configuration Table 32 Setting the Description Character String for the Ethernet Port Operation Command Delete the description character string of Ethernet. undo description By default, the port description is a null character string. The cascade ports do not support the command.
  • Page 38 Chapter 2: Port Operation Setting the Cable Type for the Ethernet Port Ethernet ports support straight-through and cross-over network cables. Use the following command to configure the cable type. Perform the following configuration in Ethernet Port View. Table 35 Setting the Type of the Cable Connected to an Ethernet Port Operation Command mdi { across | auto | normal }...
  • Page 39 Ethernet Port Configuration Perform the following configuration in Ethernet Port View. Table 38 Setting the Ethernet Port Suppression Ratio Operation Command Set Ethernet port broadcast suppression ratio: broadcast-suppression { ratio | pps } Restore the default Ethernet port broadcast suppression ratio: undo broadcast-suppression Set Ethernet port multicast suppression ratio: multicast-suppression {...
  • Page 40 Chapter 2: Port Operation Adding an Ethernet Port to Specified VLANs Use the following commands to add an Ethernet port to a specified VLAN. An access port can only be added to one VLAN, while hybrid and trunk ports can be added to multiple VLANs.
  • Page 41 Ethernet Port Configuration By default, the VLAN of a hybrid port and a trunk port is VLAN 1 and that of the access port is the VLAN to which it belongs. Note that to guarantee the proper packet transmission, the default VLAN ID of the local hybrid port or trunk port should be identical with that of the hybrid port or trunk port on the peer Switch.
  • Page 42 Chapter 2: Port Operation Perform the following configuration in System View. Table 43 Copying Port Configuration to Other Ports Operation Command Copy port configuration to other ports: copy configuration source { interface_type interface_number | interface_name | aggregation_group agg_id } destination { interface_list [ aggregation_group agg_id ] | aggregation_group agg_id...
  • Page 43 Link Aggregation Configuration When receiving packets without a VLAN Tag, the port can forward them to the member ports belonging to the default VLAN ■ When it is sending the packets with VLAN Tag and the packet VLAN ID is the ■...
  • Page 44 Chapter 2: Port Operation For the member ports in an aggregation group, their basic configurations must be the same. That is, if one is a trunk port, the others must also be; when it turns into access port, then others must change to access port. The basic configuration includes STP setting, QoS setting, VLAN setting, and port setting.
  • Page 45 Link Aggregation Configuration with the minimum port number serves as the master port, while others as sub-ports. In a manual aggregation group, the system sets the ports to active or inactive state by using these rules: The system sets the port with the highest priority to active state, and others to ■...
  • Page 46 Chapter 2: Port Operation systems as well as under manual control through direct manipulation of the state variables of Link Aggregation (for example, keys) by a network manager. Dynamic LACP aggregation can be established even for a single port, as is called single port aggregation.
  • Page 47 Link Aggregation Configuration A load sharing aggregation group may contain several selected ports, but a non-load sharing aggregation group can only have one selected port, while others are unselected ports. Selection criteria of selected ports vary for different types of aggregation groups.
  • Page 48 Chapter 2: Port Operation aggregation group: when you delete a manual aggregation group, all its member ports are disaggregated; when you delete a static or dynamic LACP aggregation group, its member ports form one or several dynamic LACP aggregation groups. Perform the following configuration in System View.
  • Page 49 Link Aggregation Configuration port with 802.1x enabled. ■ You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port. ■ Setting/Deleting the Aggregation Group Descriptor Perform the following configuration in System View. Table 48 Setting/Deleting the Aggregation Group Descriptor Operation Command...
  • Page 50 Chapter 2: Port Operation Perform the following configuration in Ethernet Port View. Table 50 Configuring Port Priority Operation Command Configure port priority: lacp port-priority port_priority_value Restore the default port priority: undo lacp port-priority By default, port priority is 32768. Displaying and Debugging After the above configuration, enter the display command in any view to display...
  • Page 51: Networking Diagram

    Link Aggregation Configuration Networking Diagram Figure 13 Networking for Link Aggregation Switch A Link aggregation Switch B Configuration Procedure The following only lists the configuration for Switch A; configure Switch B similarly. 1 Manual link aggregation a Create manual aggregation group 1. [SW5500]link-aggregation group 1 mode manual b Add Ethernet ports GigabitEthernet1/0/1 to GigabitEthernet1/0/3 into aggregation group 1.
  • Page 52 Chapter 2: Port Operation Only when the three ports are configured with identical basic configuration, rate and duplex mode, can they be added into a same dynamic aggregation group after LACP is enabled on them, for load sharing.
  • Page 53 VLAN Operation This chapter covers the following topics: VLAN Configuration ■ Voice VLAN Configuration ■ VLAN Configuration VLAN Overview A virtual local area network (VLAN) creates logical groups of LAN devices into segments to implement virtual workgroups. IEEE issued the IEEE 802.1Q in 1999, which was intended to standardize VLAN implementation solutions.
  • Page 54 Chapter 3: VLAN Operation Table 52 Creating/Deleting a VLAN Operation Command Delete the specified VLAN: undo vlan { vlan_id [ to vlan_id ] | all } Note that the default VLAN, namely VLAN 1, cannot be deleted. Adding Ethernet Ports to a VLAN Use the following command to add Ethernet ports to a VLAN.
  • Page 55 VLAN Configuration Table 55 Specifying/Removing the VLAN Interface Operation Command Remove the specified VLAN interface: undo interface vlan-interface vlan_id Create a VLAN first before creating an interface for it. For this configuration task, vlan_id takes the VLAN ID. Shutting Down/Enabling the VLAN Interface Use the following command to shut down/enable a VLAN interface.
  • Page 56 Chapter 3: VLAN Operation Networking Diagram Figure 14 VLAN Configuration Example Configuration Procedure 1 Create VLAN 2 and enter its view. [SW5500]vlan 2 2 Add GigabitEthernet1/0/1 and GigabitEthernet1/0/2 to VLAN2.
  • Page 57 Voice VLAN Configuration Voice VLAN Configuration Voice VLAN Overview Voice VLAN is specially designed for users’ voice flow, and it distributes different port precedence in different cases. The system uses the source MAC of the traffic traveling through the port to identify the IP Phone data flow.
  • Page 58 Chapter 3: VLAN Operation Setting/Removing the OUI Address Learned by Voice VLAN ■ Enabling/Disabling Voice VLAN Security Mode ■ Enabling/Disabling Voice VLAN Auto Mode ■ Setting the Aging Time of Voice VLAN ■ If you change the status of Voice VLAN security mode, you must first enable Voice VLAN features globally.
  • Page 59 Voice VLAN Configuration There are four default OUI addresses after the system starts. Table 62 Default OUI Addresses Description 00:E0:BB 3Com phone 00:03:6B Cisco phone 00:E0:75 Polycom phone 00:D0:1E Pingtel phone Enabling/Disabling Voice VLAN Security Mode In security mode, the system can filter out the traffic whose source MAC is not OUI within the Voice VLAN, while the other VLANs are not influenced.
  • Page 60 Chapter 3: VLAN Operation Perform the following configuration in System View. Table 65 Configuring the Aging Time of Voice VLAN Operation Command Set the aging time of Voice VLAN: voice vlan aging minutes Restore the default aging time: undo voice vlan aging The default aging time is 1440 minutes.
  • Page 61 Voice VLAN Configuration [SW5500-GigabitEthernet1/0/2]quit [SW5500]undo voice vlan mode auto [SW5500]voice vlan mac_address 0011-2200-0000 mask ffff-ff00-0000 description private [SW5500]voice vlan 2 enable [SW5500]voice vlan aging 100...
  • Page 62 Chapter 3: VLAN Operation...
  • Page 63 Power over Ethernet Configuration This chapter covers the following topics: PoE Overview ■ PoE Configuration ■ PoE Overview The Switch 5500G-EI 24 Port PWR and Switch 5500G-EI 48 Port PWR support Power over Ethernet (PoE). This feature uses twisted pairs to provide -44 through -62 VDC power to remote powered devices (PDs), such as IP Phones, WLAN APs, Network Cameras, and so on.
  • Page 64 Chapter 4: Power over Ethernet (PoE) Configuration When using the PWR switches to supply power to remote PDs, the PDs need not have any external power supply. ■ If a remote PD has an external power supply, the PWR switches and the ■...
  • Page 65 PoE Configuration Setting the Maximum Power Output on a Port The maximum power that can be supplied by an Ethernet port of the S5624P-PWR/S5648P-PWR to its PD is 15400 mW. In practice, you can set the maximum power on a port depending on the actual power of the PD, with a range from 1000 to 15400 mW and in increments of 100 mW.
  • Page 66 Chapter 4: Power over Ethernet (PoE) Configuration Table 70 Setting the Power Supply Management Mode on the Switch Operation Command Set the power supply management mode on the Switch to auto: poe power-management auto Set the power supply management mode on the Switch to manual: poe power-management manual Restore the default power supply management mode...
  • Page 67 PoE Configuration Upgrading the PSE Processing Software Online The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. After upgrading files are downloaded, you can use the following command to perform online upgrading on the PSE processing software.
  • Page 68 Chapter 4: Power over Ethernet (PoE) Configuration 12000 mW. This is required to guarantee the power feeding to the PD that will be connected to GigabitEthernet1/0/24 even when the Switch 5500 PWR is at full load. Network Diagram Figure 17 PoE Remote Power Supply Configuration Procedure Update the PSE processing software online.
  • Page 69 PoE Configuration...
  • Page 70 Chapter 4: Power over Ethernet (PoE) Configuration...
  • Page 71 Network Protocol Operation This chapter covers the following topics: IP Address Configuration ■ ARP Configuration ■ Resilient ARP Configuration ■ BOOTP Client Configuration ■ DHCP Configuration ■ Access Management Configuration ■ UDP Helper Configuration ■ IP Performance Configuration ■ IP Address Configuration IP Address Overview IP Address Classification and Indications...
  • Page 72 Chapter 5: Network Protocol Operation The IP address is in dotted decimal format. Each IP address contains 4 integers in dotted decimal notation. Each integer corresponds to one byte, for example, 10.110.50.101. When using IP addresses, note that some of them are reserved for special uses, and are seldom used.
  • Page 73 IP Address Configuration A mask is a 32-bit number corresponding to an IP address. The number consists of 1s and 0s. Principally, these 1s and 0s can be combined randomly. However, the first consecutive bits are set to 1s when designing the mask. The mask divides the IP address into two parts: subnet address and host address.
  • Page 74 Chapter 5: Network Protocol Operation The IP address configuration is described in the following sections: Configuring the Hostname and Host IP Address ■ Configuring the IP Address of the VLAN Interface ■ Configuring the Hostname and Host IP Address Perform the following configuration in System View.
  • Page 75 ARP Configuration IP Address Configuration Example Networking Requirements Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Ethernet Switch. Networking Diagram Figure 20 IP Address Configuration Networking Configuration Procedure 1 Enter VLAN interface 1.
  • Page 76 Chapter 5: Network Protocol Operation dynamic ARP mapping entry is not in use for a specified period of time, the host will remove it from the ARP mapping table so as to save the memory space and shorten the interval for the Switch to search the ARP mapping table. Suppose there are two hosts on the same network segment: Host A and Host B.
  • Page 77 ARP Configuration Table 80 Manually Adding/Deleting Static ARP Mapping Entries Operation Command Manually add a static ARP mapping entry (Ethernet Port View): arp static ip_address mac_address vlan_id Manually delete a static ARP mapping entry (System View or Ethernet Port View): undo arp ip_address By default, the ARP mapping table is empty and the address mapping is obtained through dynamic ARP.
  • Page 78 Chapter 5: Network Protocol Operation By default, this feature is enabled. Displaying and Debugging ARP After the above configuration, enter the display command in any view to display the running of the ARP configuration, and to verify the effect of the configuration. Enter the debugging command in User View to debug ARP configuration.
  • Page 79 Resilient ARP Configuration Perform the following configuration in System View. Table 84 Enabling/Disabling Resilient ARP Function Operation Command Enable resilient ARP function resilient-arp enable Disable resilient ARP function undo resilient-arp enable By default, resilient ARP function is enabled. If you are attempting to stop the Switch from transmitting packets, you need to disable all features which may generate packets.
  • Page 80 Chapter 5: Network Protocol Operation You can also enter the debugging command in User View to debug the resilient ARP function. Table 86 Displaying and Debugging Resilient ARP Configuration Operation Command Display resilient ARP state information: display resilient-arp [ unit unit_id ] Enable resilient ARP...
  • Page 81 BOOTP Client Configuration Overview of BOOTP Client A BOOTP client can request the server to allocate an IP address to it using BOOTP (bootstrap protocol). These two major processes are included on the BOOTP client: Sending BOOTP Request message to the server ■...
  • Page 82 Chapter 5: Network Protocol Operation DHCP Configuration Overview of DHCP Dynamic Host Configuration Protocol (DHCP) offers dynamic IP address assignment. DHCP works in Client-Server mode. With this protocol, the DHCP Client can dynamically request configuration information and the DHCP server can configure the information for the Client.
  • Page 83 DHCP Configuration DHCP server sends the DHCP_ACK message containing the allocated IP address and other settings back to the client. Then the DHCP client binds its TCP/IP components to the NIC (network interface card). Other DHCP servers not selected still can allocate their IP addresses to other clients later.
  • Page 84 Chapter 5: Network Protocol Operation Figure 23 Typical DHCP Relay Application DHCP Relay works on the following principle: When the DHCP client starts and initializes DHCP, it broadcasts the request ■...
  • Page 85 DHCP Configuration DHCP Relay Configuration DHCP relay configuration is described in the following sections: Configuring the IP address for the DHCP server ■ Configuring the DHCP Server Group for the VLAN Interfaces ■ Configuring the User Address Entry for the DHCP Server Group ■...
  • Page 86 Chapter 5: Network Protocol Operation Configuring the User Address Entry for the DHCP Server Group To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP Relay passes the address validity check of the DHCP security feature, you must add a static address entry which indicates the correspondence between an IP address and a MAC address.
  • Page 87 DHCP Configuration Table 94 Displaying and Debugging DHCP Configuration Operation Command Enable/disable DHCP Client hot backup debugging: [ undo ] debugging dhcp xrn xha Enable/disable DHCP relay debugging: [ undo ] debugging dhcp-relay DHCP Relay Configuration Example Networking Requirements There are two VLANs (1 and 10) and they both need to use the same DHCP server. Networking Diagram Figure 24 Configuring DHCP Relay...
  • Page 88 Chapter 5: Network Protocol Operation Networking Diagram Figure 25 Networking Diagram of Configuring DHCP Relay Configuration Procedure 1 Configure the group number of DHCP Server as 1 and the IP address as 202.38.1.2.
  • Page 89 Access Management Configuration enable debugging dhcp-relay in User View and then use the terminal debugging command to output the debugging information to the console. In this way, you can view the detailed information of all DHCP packets on the console as they apply for the IP address, and so locate the problem.
  • Page 90 Chapter 5: Network Protocol Operation By default, the IP address pools for access control on the port are null and all the packets are permitted. Note that if the IP address pool to be configured contains the IP addresses configured in the static ARP at other ports, then the system prompts you to delete the static ARP to make the later binding effective.
  • Page 91 Access Management Configuration Perform the following configuration in System View. Table 98 Enabling/Disabling Access Management Trap Operation Command Enable access management trap: am trap enable Disable access management trap: undo am trap enable By default, the access management trap is disabled. Displaying and Debugging After the above configuration, enter the display command in any view to display...
  • Page 92: UDP Helper Configuration

    Chapter 5: Network Protocol Operation 4 Configure the IP address pool for access management on port 2 [SW5500-GigabitEthernet1/0/1]interface gigabitethernet1/0/2 [SW5500-GigabitEthernet1/0/2]am ip-pool 202.10.20.21 30 5 Add port 2 into isolation group. [SW5500-GigabitEthernet1/0/2]port isolate Access Management via the Web The Security/Authorized IP menu option on the Web interface allows the user to specify a range of IP addresses that will permit Web, Telnet and SSH access.
  • Page 93 UDP Helper Configuration Note: After you have configured DHCP Relay, the Switch automatically configures UDP-Helper whether the Switch is a single unit or in a fabric. The UDP-Helper configuration remains when you remove the DHCP Relay configuration. ■ If you remove the UDP-Helper configuration when the DHCP Relay configuration ■...
  • Page 94 Chapter 5: Network Protocol Operation Note that: You must first enable the UDP Helper function and then configure the UDP port with the relay function. Otherwise, error information will appear. ■ The parameters dns, netbios-ds, netbios-ns, tacacs, tftp and time respectively refer to the six default ports. ■...
  • Page 95 IP Performance Configuration UDP Helper Networking Requirement Configuration Example The IP address of VLAN interface 2 on the Switch is 10.110.1.1, which is connected with network segment 10.110.0.0. Set to relay-forward the broadcast packets with destination IP of all 1s and destination UDP port 55 in the network segment 10.110.0.0 to the destination server 202.38.1.2.
  • Page 96 5: N HAPTER ETWORK ROTOCOL PERATION Perform the following configuration in System View. Table 105 Configuring TCP Attributes Operation Command Configure synwait timer in TCP tcp timer syn-timeout time_value Restore synwait timer undo tcp timer syn-timeout Configure FIN_WAIT_2 timer in TCP time_value tcp timer fin-timeout Restore FIN_WAIT_2 timer...
  • Page 97 IP Performance Configuration Troubleshooting IP Fault: IP layer protocol works normally but TCP and UDP cannot work normally. Performance In the event of such a fault, you can enable the corresponding debugging information output to view the debugging information. Use the command to output the debugging information ■...
  • Page 98 5: N HAPTER ETWORK ROTOCOL PERATION...
  • Page 99 Chapter 6: IP Routing Protocol Operation IP Routing Protocol Overview Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path submits the packet to the destination host.
  • Page 100 Chapter 6: IP Routing Protocol Operation If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way to message routing in a conventional network.
  • Page 101 IP Routing Protocol Overview To limit the size of the routing table, an option is available to set a default route. All the packets that fail to find a suitable table entry are forwarded through this default route. In the complicated Internet configuration shown in Figure 29, the number in each network is the network address.
  • Page 102 Chapter 6: IP Routing Protocol Operation Table 107 Routing Protocols and the Default Preferences for Routes Routing protocol or route type; The preference of the corresponding route: IBGP, EBGP, UNKNOWN. In Table 107, 0 indicates a direct route, and 255 indicates any route from an unreliable source.
  • Page 103 Static Routes “Import Routes of Other Protocols” on page 125, “Configuring OSPF to Import the Default Route” on page 146 and “Importing Routing Information Discovered by Other Routing Protocols” on page 158. Static Routes A static route is a route that is manually configured by the network administrator. You can set up an interconnected network using static routes.
  • Page 104 Chapter 6: IP Routing Protocol Operation Configuring Static Routes Static route configuration tasks are described in the following sections: Configuring a Static Route ■ Configuring a Default Route ■ Deleting All the Static Routes ■ Displaying and Debugging Static Routes ■...
  • Page 105 Static Routes Configuring a Default Route Perform the following configurations in System View. Table 109 Configuring a default route Operation Command Configure a default route: ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface_type interface_number | gateway_address } [ preference value ] [ reject | blackhole ] Delete a default route: undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } [...
  • Page 106 Chapter 6: IP Routing Protocol Operation Example: Typical Static Route Configuration Networking Requirements The masks of all the IP addresses shown in Figure 30 are 255.255.255.0. All the hosts or switches must be interconnected in pairs by configuring static routes. Networking Diagram Figure 30 Networking diagram of the static route configuration example Host 1.1.5.1...
  • Page 107 Use the display ip routing-table command to view whether the corresponding route is valid. Routing Information Protocol (RIP) is a simple dynamic routing protocol based on the Distance-Vector (D-V) algorithm. It uses hop counts to measure the distance to the destination host. This is called the routing cost. In RIP, the hop count from a router to its directly connected network is 0;...
  • Page 108 Chapter 6: IP Routing Protocol Operation timeout mechanism to handle timed-out routes to ensure the timeliness and validity of the routes. With these mechanisms, RIP, an interior routing protocol, enables the router to learn the routing information of the entire network. RIP has become one of the most popular standards for transmitting router and host routes.
  • Page 109 By default, RIP does not send messages to unicast addresses. 3Com does not recommend the use of this command, because the destination address does not need to receive two copies of the same message at the same time. Note that...
  • Page 110 Chapter 6: IP Routing Protocol Operation multicast mode is that the hosts in the same network that do not run RIP do not receive RIP broadcast packets. In addition, this mode prevents the hosts that are running RIP-1 from incorrectly receiving and processing the routes with subnet masks in RIP-2.
  • Page 111 Before RIP completely deletes an unreachable route from the routing table, it advertises the route by sending four update packets with a route metric of 16, to let all the neighbors know that the route is unreachable. Routes do not always become unreachable when a new period starts, so the actual value of the garbage-collection timer is 3 to 4 times that of the period update timer.
  • Page 112 Chapter 6: IP Routing Protocol Operation Disabling Host Route In some cases, the router can receive many host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources. Routers can be configured to reject host routes by using the command.
  • Page 113 Perform the following configuration in Interface View: Table 121 Setting RIP-2 Packet Authentication Operation Command Configure the RIP-2 simple authentication key: rip authentication-mode simple password_string Configure RIP-2 MD5 authentication with the usual packet type following RFC 1723: rip authentication-mode md5 usual key_string Configure RIP-2 MD5 authentication with the packet type following RFC 2082: rip authentication-mode md5 nonstandard key_string key_id...
  • Page 114 Chapter 6: IP Routing Protocol Operation route, RIP will set the cost to the default cost, specified by the default cost parameter. Perform the following configurations in RIP View. Table 124 Configuring the Default Cost for the Imported Route Operation Command Configure the default cost for the imported route...
  • Page 115 Configuring Route Filtering The Router provides a route filtering function. You can configure the filter policy rules by specifying the ACL and ip-prefix for route redistribution and distribution. To import a route, the RIP packets of a specific router can also be received by designating a neighbor router.
  • Page 116 Chapter 6: IP Routing Protocol Operation enabled, then traffic can be distributed equally among interfaces by employing equivalent routes. Table 129 Configuring RIP to Filter the Distributed Routes Configuration Item Command Description Enter System view: system-view Enter RIP view Enter RIP traffic sharing: traffic-share-across... Required; by default, RIP traffic...
  • Page 117 Networking Diagram Figure 31 RIP configuration networking (Switch A, Switch B and Switch C; addresses shown: 155.10.1.0/24, 155.10.1.1/24, 110.11.2.1/24, 110.11.2.2/24, 117.102.0.1/16, 117.102.0.0/16, 196.38.165.1/24, 196.38.165.0/24) Configuration Procedure The following configuration only shows the operations related to RIP. Before performing the following configuration, please make sure the Ethernet link layer is working normally.
  • Page 118 Chapter 6: IP Routing Protocol Operation OSPF Configuration Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. The Switch 5500G-EI uses OSPF version 2 (RFC 2328), which has the following features: Scope —...
  • Page 119 OSPF Configuration The Hello packet is the most common packet sent by the OSPF protocol. A router periodically sends it to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors. Database Description (DD) Packet. ■...
  • Page 120 Chapter 6: IP Routing Protocol Operation the segment, and routing information is also exchanged between them. After the existing DR fails, the BDR immediately becomes the DR. Area ■ If all routers on a large network are running OSPF, the large number of routers results in an enormous LSD, which consumes storage space, complicates the SPF algorithm, and adds CPU load.
  • Page 121 When enabling OSPF, note the following: By default, the OSPF process ID is 1. ■ If a router is running multiple OSPF processes, 3Com recommends that you use router-id in the command to specify different Router IDs for different...
  • Page 122 Chapter 6: IP Routing Protocol Operation Entering OSPF Area View Perform the following configurations in OSPF View. Table 132 Entering OSPF Area View Operation Command Enter an OSPF Area View: area area_id Delete a designated OSPF area: undo area area_id area_id is the ID of the OSPF area, which can be a decimal integer or in IP address format.
  • Page 123 OSPF Configuration To ensure the stability of OSPF, you must determine the division of router IDs and manually configure them when implementing network planning. Configuring the Network Type on the OSPF Interface The route calculation of OSPF is based upon the topology of the network adjacent to the local router.
  • Page 124 Chapter 6: IP Routing Protocol Operation Perform the following configuration in Interface View: Table 135 Configuring a Network Type on the Interface That Starts OSPF Operation Command Configure the network type on the interface: ospf network-type { broadcast | nbma | p2mp | p2p } After the interface has been configured with a new network type, the original network type of the interface is removed automatically.
  • Page 125 OSPF Configuration Note that: The DR on the network is not necessarily the router with the highest priority. ■ Likewise, the BDR is not necessarily the router with the second highest priority. If a new router is added after the DR and BDR election, it is impossible for the router to become the DR even if it has the highest priority.
  • Page 126 Chapter 6: IP Routing Protocol Operation Perform the following configuration in Interface View Table 139 Setting Hello Timer and Poll Interval Operation Command Set the hello interval of the interface: ospf timer hello seconds Restore the default hello interval of the interface: undo ospf timer hello Set the poll interval on the NBMA interface seconds...
  • Page 127 OSPF Configuration Setting an Interval for LSA Retransmission between Neighboring Routers If a router transmits an LSA (Link State Advertisement) to the peer, it requires an acknowledgement packet from the peer. If it does not receive the acknowledgement packet within the retransmit time, it retransmits this LSA to the neighbor.
  • Page 128 Chapter 6: IP Routing Protocol Operation Note the following items when you configure a STUB area: The backbone area cannot be configured as a STUB area, and virtual links cannot pass through the STUB area. ■ If you want to configure an area as a STUB area, all the routers in this area ■...
  • Page 129 OSPF Configuration Figure 32 NSSA area (NSSA area 1 with an ASBR, area 0 and area 2) Perform the following configuration in OSPF Area View. Table 145 Configuring the NSSA of OSPF Operation Command Configure an area to be the NSSA area...
  • Page 130 Chapter 6: IP Routing Protocol Operation Once the aggregate segment of a certain network is added to the area, all the internal routes of the IP addresses in the range of the aggregate segment will no longer be separately advertised to other areas. Only the route summary of the whole aggregate network will be advertised.
  • Page 131 OSPF Configuration A virtual link refers to a logical channel set up between two ABRs through the area of a non-backbone internal route. Both ends of the logical channel should be ABRs and the connection can take effect only when both ends are configured. The virtual link is identified by the ID of the remote router.
  • Page 132 Chapter 6: IP Routing Protocol Operation Configuring OSPF Packet Authentication OSPF supports simple authentication or MD5 authentication between neighboring routers. Perform the following configuration in Interface View: Table 150 Configuring OSPF Packet Authentication Operation Command Specify a password for OSPF simple text authentication: ospf authentication-mode simple password...
  • Page 133 2, the cost is 1 and the tag is 1. The protocol variable specifies a source routing protocol that can be imported. This can be Direct, Static or RIP. 3Com recommends that you configure the route type and cost together in one command.
  • Page 134 Chapter 6: IP Routing Protocol Operation Table 152 Configuring Parameters for OSPF to Import External Routes Operation Command Restore the default tag for the external routes that OSPF imports: undo default tag Configure the default type of external routes that OSPF will import: default type { 1 | 2 } Restore the default type of the external routes imported...
  • Page 135 OSPF Configuration Configuring OSPF to Filter the Received Routes Table 155 Enabling OSPF to filter the received routes Operation Command Filter the received global routing information: filter-policy { acl_number | ip-prefix ip_prefix_name | gateway ip_prefix_name } import Cancel filtering of the received global routing information: undo filter-policy { acl_number...
  • Page 136 Chapter 6: IP Routing Protocol Operation By default, the interface does not fill in the MTU field when transmitting DD packets, and the MTU in the DD packets is 0. Disabling the Interface from Sending OSPF Packets Use the silent-interface command to prevent the interface from transmitting OSPF packets.
  • Page 137 OSPF Configuration Perform the following configuration in System View. Table 160 Enabling/disabling OSPF TRAP function Operation Command Enable the OSPF TRAP function: snmp-agent trap enable ospf [ process_id ] [ ifstatechange | virifstatechange | nbrstatechange | virnbrstatechange | ifcfgerror | virifcfgerror | ifauthfail | virifauthfail | ifrxbadpkt | virifrxbadpkt | txretransmit | viriftxretransmit | originatelsa | maxagelsa | lsdboverflow | lsdbapproachoverflow ]...
  • Page 138 Chapter 6: IP Routing Protocol Operation configuration. Execute the debugging command in User View to debug the OSPF module. Table 162 Displaying and debugging OSPF Operation Command Display the brief information of the OSPF routing process: display ospf [ process_id ] brief Display OSPF statistics process_id...
  • Page 139 OSPF Configuration Networking Diagram Figure 33 Networking for configuring DR election based on OSPF priority (Switch A, Switch B, Switch C and Switch D with router IDs 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4 on the 196.1.1.0/24 segment, interface addresses 196.1.1.1/24 to 196.1.1.4/24) The commands listed in the following examples enable Switch A and Switch C to be DR and BDR, respectively.
  • Page 140 Chapter 6: IP Routing Protocol Operation [Switch D-ospf-1]area 0 [Switch D-ospf-1-area-0.0.0.0]network 196.1.1.0 0.0.0.255 On Switch A, run the display ospf peer command to show the Switch’s OSPF neighbors. Note that Switch A has three neighbors. The status of each neighbor is full, which means that adjacency is set up between Switch A and each neighbor.
  • Page 141 OSPF Configuration Networking diagram Figure 34 OSPF virtual link configuration networking (Switch A 1.1.1.1 in Area 0; Switch B 2.2.2.2 and Switch C 3.3.3.3 joined through Area 1 by the virtual link; Switch C also in Area 2; addresses 196.1.1.1/24, 196.1.1.2/24, 197.1.1.1/24, 197.1.1.2/24 and 152.1.1.1/24) The following commands configure a virtual link between Switch B and Switch C in Area 1.
  • Page 142 Chapter 6: IP Routing Protocol Operation [Switch C-ospf-1-area-0.0.0.1]network 197.1.1.0 0.0.0.255 [Switch C-ospf-1-area-0.0.0.1]vlink-peer 2.2.2.2 [Switch C-ospf-1-area-0.0.0.1]quit [Switch C-ospf-1]area 2 [Switch C-ospf-1-area-0.0.0.2]network 152.1.1.0 0.0.0.255 Troubleshooting OSPF OSPF has been configured in accordance with the above-mentioned steps, but OSPF does not run normally on the router. Troubleshooting locally: Check whether the protocol between two directly connected routers is operating normally.
  • Page 143 IP Routing Policy If more than two areas are configured on a router, at least one area should be configured as the backbone area. ■ As shown in Figure 35, RTA and RTD are each configured to belong to only one area, whereas RTB and RTC are both configured to belong to two areas.
  • Page 144 Chapter 6: IP Routing Protocol Operation actions that are performed after the node match test concerning the attribute settings of the route information. The comparisons of different nodes in a route policy use a Boolean “OR” statement. The system examines the nodes in the route policy in sequence. Once the route is permitted by a single node in the route-policy, the route passes the matching test of the route policy without attempting the test of the next node.
  • Page 145 IP Routing Policy Perform the following configurations in System View. Table 163 Defining a route-policy Operation Command Enter Route Policy View: route-policy route_policy_name { permit | deny } node node_number Remove the specified route-policy: undo route-policy route_policy_name [ permit | deny | node node_number ] The permit | deny parameter specifies that if a route satisfies all the clauses of permit...
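As an added example, and not 3Com's code or the switch's implementation, the following Python models the node evaluation described on pages 144 and 145: nodes are examined in ascending order, all if-match clauses of one node must hold (AND within a node), and the first node that matches decides the outcome with its permit or deny action (OR across nodes). The `Route`, `PrefixEntry`, `Node` and `evaluate` names, the prefix-list entry format and the fall-through rule (a route matching no node is denied) are assumptions of this example, not statements from the manual.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    """A candidate route as seen by the route-policy (constructed test data)."""
    prefix: str        # e.g. "30.1.0.0/16"
    next_hop: str
    cost: int


@dataclass
class PrefixEntry:
    """One entry of an address prefix list: a network plus the allowed
    prefix-length range (greater-equal / less-equal); assumed format."""
    network: str       # e.g. "30.0.0.0/8"
    ge: int
    le: int

    def covers(self, route: Route) -> bool:
        net = ip_network(route.prefix)
        return (net.subnet_of(ip_network(self.network))
                and self.ge <= net.prefixlen <= self.le)


@dataclass
class Node:
    """One node: 'route-policy NAME permit|deny node N' plus its if-match clauses."""
    number: int
    action: str                                    # "permit" or "deny"
    prefix_list: List[PrefixEntry] = field(default_factory=list)  # if-match ip-prefix
    cost: Optional[int] = None                     # if-match cost

    def matches(self, route: Route) -> bool:
        # All if-match clauses of a node are ANDed; a node without clauses
        # matches every route.
        if self.prefix_list and not any(e.covers(route) for e in self.prefix_list):
            return False
        if self.cost is not None and route.cost != self.cost:
            return False
        return True


def evaluate(policy: List[Node], route: Route) -> Tuple[bool, Optional[int]]:
    """Return (permitted, number of the deciding node).

    Nodes are examined in ascending node-number order; the first node whose
    clauses all match decides, and later nodes are not consulted.  A route
    that matches no node is denied (assumption of this example; the page
    excerpt does not state the fall-through rule)."""
    for node in sorted(policy, key=lambda n: n.number):
        if node.matches(route):
            return node.action == "permit", node.number
    return False, None


# Constructed policy: drop 30.0.0.0/8 subnets that arrive with cost 100,
# let everything else through.
POLICY = [
    Node(10, "deny", prefix_list=[PrefixEntry("30.0.0.0/8", 8, 24)], cost=100),
    Node(20, "permit"),
]

if __name__ == "__main__":
    for r in (Route("30.1.0.0/16", "10.0.0.2", 100),
              Route("30.1.0.0/16", "10.0.0.2", 50),
              Route("10.0.0.0/8", "10.0.0.2", 100)):
        print(r.prefix, r.cost, evaluate(POLICY, r))
```

The second constructed route shows why the AND within a node matters: it sits inside 30.0.0.0/8 but its cost is 50, so node 10 does not match and node 20 permits it. Reviewing a policy therefore means checking every clause of the denying node, not just its prefix list.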
  • Page 146 Chapter 6: IP Routing Protocol Operation Table 164 Defining if-match Conditions Operation Command Cancel the matched next-hop of the routing information set by the address prefix list: undo if-match ip next-hop ip-prefix Match the routing cost of the routing information: if-match cost cost Cancel the matched routing cost of...
  • Page 147 IP Routing Policy Perform the following configuration in Routing Protocol View. Table 166 Configuring to import the routes of other protocols Operation Command Import routes of other protocols: import-route protocol [ cost value ] [ type { 1 | 2 } ] [ route-policy route_policy_name ] Do not import routes of other protocols...
  • Page 148 Chapter 6: IP Routing Protocol Operation The filter-policy gateway command specifies that only the update packets from a specific neighboring router will be received. Table 168 Configuring the Filtering of Received Routes Operation Command Configure to filter the received routing information distributed by a specific neighbor: filter-policy gateway ip_prefix_name import...
  • Page 149: Configuration Example

    IP Routing Policy Displaying and Debugging the Routing Policy Enter the display command in any view to display the operation of the routing policy configuration, and to verify the effect of the configuration. Table 170 Displaying and Debugging the Routing Policy Operation Command Display the routing policy...
  • Page 150 Chapter 6: IP Routing Protocol Operation 2 Configure Switch B: a Configure the IP address of the VLAN interface. [Switch B]interface vlan-interface 100 [Switch B-Vlan-interface100]ip address 10.0.0.2 255.0.0.0 b Configure the access control list. [Switch B]acl number 2000 [Switch B-acl-basic-2000]rule deny source 30.0.0.0 0.255.255.255 [Switch B-acl-basic-2000]rule permit source any c Enable the OSPF protocol and specify the number of the area to which the interface belongs.
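The ACL on Switch B uses a wildcard mask, not a subnet mask: a 1 bit in 0.255.255.255 means "don't care", so rule deny source 30.0.0.0 0.255.255.255 matches every 30.x.x.x source before rule permit source any is reached. The Python below is an added example, not 3Com's code, that evaluates basic-ACL source rules this way and also shows the common slip of writing a subnet mask in the wildcard position. The two rule lines are quoted from the page; `parse_rule`, `match_source`, `evaluate_acl`, `wildcard_for_prefix`, the configuration-order matching and the "no rule matched" outcome are this example's own assumptions.

```python
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def _to_int(addr: str) -> int:
    return int(IPv4Address(addr))


def match_source(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: bits set to 1 in the wildcard are ignored,
    bits set to 0 must be equal between the address and the rule address."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(rule_addr) & care)


def parse_rule(line: str) -> Tuple[str, str, str]:
    """Parse 'rule {permit|deny} source <addr> <wildcard>' or
    'rule {permit|deny} source any' into (action, addr, wildcard).
    Only the basic-ACL source form used on the page is supported."""
    tokens = line.split()
    if (len(tokens) < 4 or tokens[0] != "rule"
            or tokens[1] not in ("permit", "deny") or tokens[2] != "source"):
        raise ValueError(f"unsupported rule: {line!r}")
    if tokens[3] == "any":
        return tokens[1], "0.0.0.0", "255.255.255.255"   # every bit is don't-care
    if len(tokens) != 5:
        raise ValueError(f"expected '<addr> <wildcard>' in {line!r}")
    return tokens[1], tokens[3], tokens[4]


def evaluate_acl(rules: List[str], source: str) -> Optional[str]:
    """Return the action of the first rule (in configuration order) whose
    source clause matches, or None when no rule matches.  Configuration-order
    matching and the None outcome are assumptions of this example."""
    for line in rules:
        action, rule_addr, wildcard = parse_rule(line)
        if match_source(source, rule_addr, wildcard):
            return action
    return None


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask covering a /prefix_len network (inverse of the subnet mask)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(IPv4Address(~mask & 0xFFFFFFFF))


# Rules quoted from the Switch B example on the page.
ACL_2000 = [
    "rule deny source 30.0.0.0 0.255.255.255",
    "rule permit source any",
]

# Constructed misconfiguration: a subnet mask written where a wildcard belongs.
# It ignores the first octet and requires the last three to be zero, so it
# no longer matches 30.x.x.x hosts but does match addresses such as 99.0.0.0.
ACL_WRONG = [
    "rule deny source 30.0.0.0 255.0.0.0",
    "rule permit source any",
]

if __name__ == "__main__":
    for src in ("30.5.6.7", "10.0.0.2", "99.0.0.0"):
        print(src, evaluate_acl(ACL_2000, src), evaluate_acl(ACL_WRONG, src))
```

Running the two ACLs side by side makes the error visible before the ACL is attached to a filter-policy: with ACL_WRONG a 30.5.6.7 source is permitted and an unrelated 99.0.0.0 source is denied.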
  • Page 151 Route Capacity Configuration Limiting Route Capacity The size of the routing table is determined by OSPF routes. Therefore, the route capacity limitation of the Switch 5500G-EI is only effective for these two types of routes and has no impact on static routes and other dynamic routing protocols. When the free memory of the Switch 5500G-EI falls to the lower limit value, the system disconnects OSPF and removes the routes from the routing table to release memory.
  • Page 152 Chapter 6: IP Routing Protocol Operation Displaying and Debugging Route Capacity Enter the display command in any view to display the operation of the Route Capacity configuration. Table 173 Displaying and debugging route capacity Operation Command Display the route capacity memory information: display memory [ unit unit_id ] Display the route capacity memory setting and: display memory limit...
  • Page 153 Chapter 7: Multicast Protocol This chapter includes information on the following: IP Multicast Overview ■ IGMP Snooping ■ Common Multicast Configuration ■ Internet Group Management Protocol (IGMP) ■ PIM-DM Overview ■ PIM-SM Overview ■ IP Multicast Overview Many transmission methods can be used when the destination (including data, voice and video) is the secondary use of the network.
  • Page 154 Chapter 7: Multicast Protocol Figure 37 Comparison between the unicast and multicast transmission (a Server sending to several Receivers by unicast and by multicast) A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously.
  • Page 155 IP Multicast Overview members in the group can change. The number of members in a permanent multicast group can be random or even 0. Those IP multicast addresses that are not reserved for permanent multicast groups can be used by temporary groups. The ranges and meanings of Class D addresses are shown in Table 174. Table 174 Ranges and meaning of Class D addresses...
  • Page 156 Chapter 7: Multicast Protocol Assigned Number Authority) stipulates that the higher 24 bits of the multicast MAC address are 0x01005e and the lower 23 bits of the MAC address are the lower 23 bits of the multicast IP address. Figure 38 Mapping between the multicast IP address and the Ethernet MAC address 32 bits IP address 111 0...
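The mapping on page 156 is simple enough to compute directly. The Python below is an added example, not 3Com's code: `multicast_mac` builds the Ethernet address from 0x01005e and the low 23 bits of the group address, and `groups_sharing_mac` goes one step beyond the page by listing the 32 Class D addresses that collapse onto the same MAC, because a Class D address fixes its top 4 bits and the mapping keeps only the low 23, so the 5 bits in between are lost. The function names and the colon-separated MAC format are this example's own choices.

```python
from ipaddress import IPv4Address
from typing import List

MAC_PREFIX = 0x01005E000000   # 0x01005e in the top 24 bits, as the page states
LOW23 = 0x7FFFFF              # mask selecting the low 23 bits of the group address


def multicast_mac(group: str) -> str:
    """Map a Class D (224.0.0.0/4) group address to its Ethernet multicast MAC."""
    ip = int(IPv4Address(group))
    if (ip >> 28) != 0xE:                       # Class D starts with bits 1110
        raise ValueError(f"{group} is not a Class D multicast address")
    mac = MAC_PREFIX | (ip & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> List[str]:
    """Return all 32 Class D addresses that map to the same MAC as `group`.

    Bits 28..31 are fixed to 1110 by Class D and bits 0..22 are copied into
    the MAC, so bits 23..27 (five bits, 32 values) do not survive the mapping."""
    low = int(IPv4Address(group)) & LOW23
    return [str(IPv4Address(0xE0000000 | (k << 23) | low)) for k in range(32)]


if __name__ == "__main__":
    # Constructed sample groups: an application group and an OSPF reserved group.
    for g in ("224.1.1.1", "239.129.1.1", "224.0.0.5"):
        print(g, "->", multicast_mac(g))
    print(groups_sharing_mac("224.1.1.1"))
```

The practical consequence for a Layer 2 switch is that anything keyed on the multicast MAC alone (such as a MAC-based forwarding entry) cannot tell 224.1.1.1 from 239.129.1.1 or the other 30 aliases, so group addresses on one LAN should be chosen so that their low 23 bits do not collide.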
  • Page 157 IP Multicast Overview a distribution tree architecture. A multicast router can use multiple methods to build up a path for data transmission, i.e., the distribution tree. PIM-DM (Protocol-Independent Multicast Dense Mode) PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source.
  • Page 158 Chapter 7: Multicast Protocol shortest path from the receiver to the source address. If a source tree is used, the source address is the address of the source host sending the multicast packet. If a shared tree is used, the source address is the address of the root of the shared tree.
  • Page 159 IGMP Snooping Figure 39 Multicast packet transmission without IGMP Snooping (the VOD Server's video stream reaches the Switch 5500 through the Internet/Intranet and a multicast router, and the Layer 2 Ethernet switch floods it to the multicast group member and to non-multicast group members alike) When IGMP Snooping operates, packets are not forwarded to all ports, see Figure...
  • Page 160 Chapter 7: Multicast Protocol Table 176 Switching Terminology relevant to IGMP Snooping Term Meaning Router port aging time: Time set on the router port aging timer. If the switch has not received any IGMP general query messages before the timer times out, the port is no longer considered a router port.
  • Page 161 IGMP Snooping Table 177 explains IGMP Snooping terminology. Table 177 IGMP Snooping Terminology Term Meaning IGMP general query message: Transmitted by the multicast router to query which multicast group contains members. When a router port receives an IGMP general query message, the Switch 5500G-EI will reset the aging timer of the port.
  • Page 162 Chapter 7: Multicast Protocol Enabling/Disabling IGMP Snooping Use the commands in Table 178 to enable/disable IGMP Snooping on Layer 2. First enable IGMP Snooping globally in System View, and then enable IGMP Snooping for the corresponding VLAN in VLAN View. Perform the following configuration in System View and VLAN View.
  • Page 163 IGMP Snooping Configuring Aging Time of Multicast Group Member Use the commands in Table 181 to manually set the aging time of the multicast group member port. If the switch receives no multicast group report message during the member port aging time, it transmits a group-specific query message to that port and starts a maximum response timer.
  • Page 164 Chapter 7: Multicast Protocol Networking Diagram Figure 42 IGMP Snooping configuration network (Internet, Router, Multicast Switch) Configuration Procedure Enable IGMP Snooping globally. [SW5500]igmp-snooping enable Enable IGMP Snooping on VLAN 10. [SW5500]vlan 10 [SW5500-vlan10]igmp-snooping enable IGMP Snooping Fault Diagnosis and Troubleshooting Fault: The multicast function cannot be implemented on the switch. Troubleshooting:...
  • Page 165 Common Multicast Configuration Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong. 1 Enable IGMP Snooping in User View and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping are consistent.
  • Page 166: Statistics Information

    Chapter 7: Multicast Protocol Clearing MFC Forwarding Entries or Statistics Information Use the command in Table 185 to clear the multicast forwarding cache (MFC) forwarding entries or statistics information. Perform the following configuration in User View. Table 185 Clearing MFC forwarding entries or its statistic information Operation Command Clear MFC forwarding...
  • Page 167 Common Multicast Configuration Table 187 Displaying and debugging Common Multicast Configuration Operation Command Enable multicast forwarding status debugging: debugging multicast status-forwarding Disable multicast forwarding status debugging: undo debugging multicast status-forwarding Enable multicast kernel routing debugging: debugging multicast kernel-routing Disable multicast kernel routing debugging: undo debugging multicast kernel-routing There are three types of multicast routing tables: individual multicast routing tables...
  • Page 168 Chapter 7: Multicast Protocol Internet Group Management Protocol (IGMP) IGMP is a protocol in the TCP/IP suite, responsible for management of IP multicast members. It is used to establish and maintain multicast membership among IP hosts and their directly connected neighboring routers. IGMP excludes transmitting and maintenance of membership information among multicast routers, which is completed by multicast routing protocols.
  • Page 169 Internet Group Management Protocol (IGMP) Specific Group Query In IGMP Version 1, a query from multicast routers is targeted at all the multicast groups on the network segment. This is known as a General Query. In addition to the General Query, IGMP Version 2 also supports the Group-Specific Query. The destination IP address of the query packet is the IP address of the multicast group.
  • Page 170 Chapter 7: Multicast Protocol Configuring the IGMP Version Perform the following configuration in Interface View. Table 190 Selecting the IGMP version Operation Command Select the IGMP version that the router uses: igmp version { 1 | 2 } Restore the default setting: undo igmp version By default, IGMP Version 2 is used.
  • Page 171 Internet Group Management Protocol (IGMP) 5 If the IGMP querier does not receive a report message from any other host within this period, it treats this as a timeout and ends membership maintenance for this group. This command can be used only when the querier runs IGMP Version 2, since a host running IGMP Version 1 does not send an IGMP Leave Group message when it leaves a group.
  • Page 172 Chapter 7: Multicast Protocol Setting the maximum response time reasonably enables hosts to respond to query messages quickly. In this case, the router can quickly learn the current status of the members of the multicast group. Perform the following configuration in Interface View. Table 195 Configuring the maximum response time for IGMP query message Operation Command...
  • Page 173 Internet Group Management Protocol (IGMP) Perform the following configuration in the corresponding view. Table 197 Configuring a router to join specified multicast group Operation Command Configure a router to join a specified multicast group (VLAN Interface View): igmp host-join group_address port { interface_type interface_num | interface_name }...
  • Page 174 Chapter 7: Multicast Protocol Perform the following configuration in Interface View. Table 199 Configuring the interval to send IGMP query message Operation Command Configure the interval to send IGMP query messages: igmp timer query seconds Restore the default value: undo igmp timer query When there are multiple multicast routers on a network segment, the querier is responsible for sending IGMP query messages to all hosts on the LAN.
  • Page 175 PIM-DM Overview Neighbor discovery The PIM-DM router uses Hello messages to perform neighbor discovery when it is started. All network nodes running PIM-DM stay in touch with one another by periodically sending Hello messages. Flood&Prune PIM-DM assumes that all hosts on the network are ready to receive multicast data. When a multicast source "S"...
  • Page 176 Clearing Multicast Route Entries from PIM Routing Table ■ Clearing PIM Neighbors ■ When the router runs in the PIM-DM domain, 3Com recommends that you enable PIM-DM on all interfaces of the non-border router. Enabling Multicast Refer to “Common Multicast Configuration”...
  • Page 177 Disable PIM-DM on an interface: undo pim dm 3Com recommends that you configure PIM-DM on all interfaces in non-special cases. This configuration is effective only after multicast routing is enabled in System View. Once PIM-DM is enabled on an interface, PIM-SM cannot be enabled on the same interface and vice versa.
  • Page 178 Chapter 7: Multicast Protocol Configuring the Filtering of Multicast Source/Group You can filter the source (and group) address of multicast data packets via this command. When this feature is configured, the router filters not only multicast data, but also the multicast data encapsulated in the registration packets. Perform the following configuration in the PIM view.
  • Page 179 PIM-DM Overview By default, the PIM neighbors on the interface are limited to 128. If the number of PIM neighbors of an interface has already exceeded the configured value at the time of configuration, the existing PIM neighbors will not be deleted. Clearing Multicast Route Entries from PIM Routing Table Perform the following configuration in User View.
  • Page 180 Chapter 7: Multicast Protocol Execute the debugging command in User View for the debugging of PIM-DM. Table 210 Displaying and debugging PIM-DM Operation Command Display the PIM multicast routing table: display pim routing-table [ { { *g [ group_address [ mask { mask_length mask...
  • Page 181 PIM-SM Overview Networking Diagram Figure 44 PIM-DM configuration networking (Switch_A, Switch_B and Switch_C; Lanswitch1, Lanswitch2 and Lanswitch3; VLAN10, VLAN11, VLAN12, VLAN20 and VLAN30; the Multicast Source, RECEIVER 1 and RECEIVER 2) Configuration Procedure This section only describes the configuration procedure for Switch_A.
  • Page 182 Chapter 7: Multicast Protocol and the BSR (Bootstrap Router) to advertise multicast information to all PIM-SM routers, and uses the join/prune information of the router to build the RP-rooted shared tree (RPT). This reduces the bandwidth occupied by data packets and control packets, and reduces the processing overhead on the router.
  • Page 183 PIM-SM Overview Figure 45 RPT schematic diagram (Multicast Source S, Receiver join, Multicast source registration) Multicast Source Registration When multicast source S sends a multicast packet to the multicast group G, the PIM-SM multicast router directly connected to S will encapsulate the received packet into a registration packet and send it to the corresponding RP in unicast form.
  • Page 184 Chapter 7: Multicast Protocol Configuring Static RP The router that serves as the RP is the core router of multicast routes. If the dynamic RP elected by the BSR mechanism is invalid for some reason, a static RP can be configured to specify the RP. As the backup of the dynamic RP, the static RP improves network resilience and enhances the operation and management capability of the multicast network.
  • Page 185 PIM-SM Overview Repeat this configuration to enable PIM-SM on other interfaces. Only one multicast routing protocol can be enabled on an interface at a time. Once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface and vice versa. Configuring the PIM-SM Domain Border After the PIM-SM domain border is configured, bootstrap messages cannot cross the border in any direction.
  • Page 186 When configuring the RP, if the range of the served multicast groups is not specified, the RP will serve all multicast groups. Otherwise, the served multicast groups are those in the specified range. 3Com recommends that you configure the Candidate RP on the backbone router.
  • Page 187 PIM-SM Overview A basic ACL can control the range of multicast groups served by the static RP. If a static RP is in use, all routers in the PIM domain must adopt the same configuration. If the configured static RP address is the interface address of the local router and that interface is UP, the router will function as the static RP.
  • Page 188 Chapter 7: Multicast Protocol Only the register messages matching the permit clause of the ACL can be accepted by the RP. Specifying an undefined ACL will make the RP deny all register messages. Limiting the Range of Legal BSRs In a PIM-SM network using the BSR (bootstrap router) mechanism, every router can set itself as a C-BSR (candidate BSR) and take the authority to advertise RP information in the network once it wins the contention.
  • Page 189 PIM-SM Overview Perform the following configuration in PIM view. Table 220 Limiting the range of legal C-RP Operation Command Set the legal C-RP range limit: crp-policy acl_number Restore the default setting: undo crp-policy For detailed information on crp-policy, please refer to the command manual. Clearing Multicast Route Entries from PIM Routing Table Refer to...
  • Page 190 Chapter 7: Multicast Protocol Networking Diagram Figure 46 PIM-SM configuration networking (Host A and Host B; Switch_A and Switch_C; LS_A, LS_B and LS_C; VLAN10, VLAN11 and VLAN12)...
  • Page 191 PIM-SM Overview [SW5500-vlan-interface10]igmp enable [SW5500-vlan-interface10]pim sm [SW5500-vlan-interface10]quit [SW5500]vlan 11 [SW5500-vlan11]port gigabitethernet 1/0/4 to gigabitethernet 1/0/5 [SW5500-vlan11]quit [SW5500]interface vlan-interface 11 [SW5500-vlan-interface11]igmp enable [SW5500-vlan-interface11]pim sm [SW5500-vlan-interface11]quit [SW5500]vlan 12 [SW5500-vlan12]port gigabitethernet 1/0/6 to gigabitethernet 1/0/7 [SW5500-vlan12]quit [SW5500]interface vlan-interface 12 [SW5500-vlan-interface12]igmp enable [SW5500-vlan-interface12]pim sm [SW5500-vlan-interface12]quit b Configure the C-BSR.
  • Page 192 7: M HAPTER ULTICAST ROTOCOL [SW5500-vlan-interface12]igmp enable [SW5500-vlan-interface12]pim sm [SW5500-vlan-interface12]quit...
  • Page 193: ACL Configuration

    ACL Configuration This chapter covers the following topics: ■ Brief Introduction to ACL ■ QoS Configuration ■ QoS Profile Configuration ■ ACL Control Configuration. Brief Introduction to ACL A series of matching rules are required for the network devices to identify the packets to be filtered.
  • Page 194 (Chapter 8: ACL Configuration) specifies the match-order of an access control rule, it cannot be modified later unless all the content is deleted and the match-order is specified again. Such cases include: an ACL cited by the route policy function, an ACL used to control login users, and so on.
  • Page 195 Brief Introduction to ACL You can use the following command to set the time range by performing the following configuration in the System View. Table 224 Set the Absolute Time Range: Set the time range: time-range time-name start_time end_time days_of_the_week start_time start_date...
  • Page 196 Table 225 Define Basic ACL: Enter basic ACL view (from System View): acl number acl_number [ match-order { config | auto } ]; Add a sub-item to the ACL (from Basic ACL View): rule [ rule_id ] { permit | deny } [ source_addr wildcard...
  • Page 197 You can use the following command to define a numbered Layer-2 ACL. Perform the following configuration in the corresponding view. Table 227 Define Layer-2 ACL: Enter Layer-2 ACL view (from System View): acl number acl_number [ match-order { config | auto } ]; Add a sub-item to the ACL...
  • Page 198 1 Define the work time range. Define a time range from 8:00 to 18:00. [SW5500]time-range 3Com 8:00 to 18:00 working-day 2 Define the ACL to access the payment server. a Enter the numbered advanced ACL, number 3000. [SW5500]acl number 3000 match-order config b Define the rules for other departments to access the payment server.
  • Page 199 Enter the numbered basic ACL, number 2000. [SW5500]acl number 2000 b Define the rule for packets whose source IP is 10.1.1.1. [SW5500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com 3 Activate the ACL. Activate ACL 2000. [SW5500-GigabitEthernet1/0/1]packet-filter inbound ip-group 2000...
  • Page 200 1 Define the time range. Define a time range from 8:00 to 18:00. [SW5500]time-range 3Com 8:00 to 18:00 daily 2 Define the ACL for packets whose source MAC address is 00e0-fc01-0101 and destination MAC address is 00e0-fc01-0303. a Enter the numbered link ACL, number 4000.
  • Page 201 QoS Configuration Packet Filter Packet filtering is used to filter traffic. For example, the operation “deny” discards traffic that matches a traffic classification rule, while allowing other traffic to pass through. With complex traffic classification rules, the Switch can filter on various information carried in Layer 2 traffic to discard useless, unreliable or suspicious traffic, thereby enhancing network security.
  • Page 202 Figure 50 SP (diagram: packets sent via this interface are classified into queue 7 (high priority) down to queue 0 (low priority), dequeued and sent) SP is designed for key service applications. A significant feature of a key service is that it needs priority so that the response delay is reduced when congestion occurs.
  • Page 203 QoS Configuration The process of traffic-based QoS: 1 Identify the traffic by ACL; 2 Perform the QoS operation on the traffic. The configuration steps of traffic-based QoS: 1 Define the ACL; 2 Configure the QoS operation. If QoS is not traffic-based, you need not define an ACL first.
  • Page 204 Setting Port Mirroring Port mirroring means duplicating the data on the monitored port to the designated mirror port, for the purpose of data analysis and supervision. The Switch supports one monitor port and multiple mirroring ports. If several Switches form a Fabric, only one monitor port and one mirroring port can be configured in the Fabric.
  • Page 205 Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on the Fabric. 2 Configure traffic mirroring. Perform the following configuration in the Ethernet Port View. Table 237 Configuring Traffic Mirroring...
  • Page 206 Table 241 Configure the Queue Scheduling Algorithm: Configure the queue scheduling algorithm: queue-scheduler { queue1_weight queue2_weight queue3_weight queue4_weight queue5_weight queue6_weight queue7_weight queue8_weight }; Restore the default queue scheduling algorithm: undo queue-scheduler. By default, the Switch uses the WRR algorithm. For details about the command, refer to the Command Reference Manual.
  • Page 207 Perform the following configurations in the Ethernet Port View. Table 244 Relabeling Priority Level: Relabel traffic priority: traffic-priority inbound { ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] } { dscp_value pre_value...
  • Page 208: QoS Configuration

    Cancel the configuration of traffic statistics: undo traffic-statistic inbound ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ]; Display the statistics information: display qos-interface { interface_name interface_type interface_num unit_id...
  • Page 209 Networking Diagram Figure 51 QoS Configuration Example (diagram: Wage server 129.110.1.2 connected to the Switch on GE2/0/1, with a link to another switch) Configuration Procedure Only the commands concerning QoS/ACL configuration are listed here. 1 Define outbound traffic for the wage server. a Enter numbered advanced ACL view. [SW5500]acl number 3000 b Define the traffic-of-payserver rule in the advanced ACL 3000.
  • Page 210 (diagram: 2.0.0.1/8) Configuration Procedure 1 Define the time range. Define the time range 8:00 to 18:00. [SW5500]time-range 3Com 8:00 to 18:00 daily 2 Define traffic rules for PC packets. a Enter the number-based basic ACL and select ACL 2000. [SW5500]acl number 2000 b Define traffic classification rules for PC1 packets.
  • Page 211 3 Relabel ef priority for PC1 packets. [SW5500-Ethernet1/0/1]traffic-priority inbound ip-group 2000 dscp ef QoS Profile Configuration When used together with the 802.1x authentication function, the QoS profile function can offer preconfigured QoS settings for a user (or a group of users) who has passed authentication.
  • Page 212: Configuring Profile Application Mode

    Configuring QoS Profile You must first define ACLs for the traffic actions before adding the actions to the QoS profile. Entering QoS Profile View To configure the QoS profile, you must first enter QoS profile view. Perform the following configuration in System View.
  • Page 213 ■ User-based mode: If the source station information (source MAC address, source IP address, or source MAC address + IP address) has been defined in the ACL referenced by the traffic actions, the Switch cannot deliver the QoS profile;...
  • Page 214: Network Diagram

    Table 254 Displaying QoS Profile Configuration: Display QoS profile configuration: display qos-profile { all | name profile_name | interface { interface_name | interface_type interface_num } | user user_name }. QoS Profile Configuration Example Networking Requirement The Switch implements the QoS profile function for the accessing user. The user (with user name and authentication password) is...
  • Page 215 ACL Control Configuration [SW5500-radius-radius1]quit e Create the user domain 3com163.net and specify radius1 as the RADIUS server group for the user. [SW5500]domain 3com163.net [SW5500-isp-3com163.net]radius-scheme radius1 [SW5500-isp-3com163.net]quit f Define the ACL. [SW5500]acl number 3000 [SW5500-acl-adv-3000]rule 1 permit ip destination any [SW5500-acl-adv-3000]quit g Configure the QoS profile. [SW5500]qos-profile example [SW5500-qos-profile-example]traffic-limit inbound ip-group 3000 128...
  • Page 216 Table 255 Defining Basic ACL: Enter basic ACL (System View): acl number acl_number match-order { config | auto }; Define a sub-rule (Basic ACL View): rule [ rule-id ] { permit | deny } [ source { source_addr wildcard | any } |...
  • Page 217 2 Import the ACL. [SW5500]user-interface vty 0 4 [SW5500-ui-vty0-4]acl 2000 inbound Configuring ACL for SNMP Users The Switch 5500G-EI Family supports remote network management (NM), and the user can use SNMP to access the Switches. Proper ACL configuration can prevent illegal users from logging onto the Switches.
  • Page 218 [SW5500-acl-basic-2000]rule 1 permit source 10.110.100.52 0 [SW5500-acl-basic-2000]rule 2 permit source 10.110.100.46 0 [SW5500-acl-basic-2000]quit 2 Import the ACL. [SW5500]snmp-agent community read 3Com acl 2000 [SW5500]snmp-agent group v2c 3Comgroup acl 2000 [SW5500]snmp-agent usm-user v2c 3Comuser 3Comgroup acl 2000 Configuring ACL Control over HTTP Users The Switch 5500G-EI Family supports remote management through the Web interface.
  • Page 219 Perform the following configuration in System View. Table 258 Calling ACL to Control HTTP Users: Call an ACL to control the WEB NM users: ip http acl acl_number; Cancel the ACL control function: undo ip http acl. For more about the commands, refer to the Command Reference Manual.
  • Page 221 XRN Fabric This chapter covers the following topics: ■ Introduction to XRN ■ Configuring an XRN Fabric ■ Fabric Configuration Example. Introduction to XRN Several XRN Switches of the same model can be interconnected to create a “Fabric”, in which each Switch is a unit. The ports used to interconnect all the units are called Fabric ports, while the other ports, which are used to connect the Fabric to users, are called user ports.
  • Page 222: Configuring an XRN Fabric

    (Chapter 9: XRN Fabric) Configuring an XRN Fabric FTM provides user interfaces. You can configure VLAN unit IDs, Fabric name, and the authentication mode between units by using the command. Table 259 Configuring FTM (columns: Device, Configuration, Default Settings, Comment): Switch: Set unit IDs for the... Default Settings: The unit ID of a...
  • Page 223 Fabric Configuration Example Displaying and Debugging a Fabric Following completion of the above configuration, you can execute the display command in any view to view device management and verify the settings. Table 263 Displaying and Debugging FTM: Display the information of the entire Fabric: display xrn-fabric [ port ]; Display the topology information of the Fabric: display ftm { information |...
  • Page 224 [SW5500]set unit 1 name unit3 [SW5500]sysname hello Configure Switch D: [SW5500]change unit-id 1 to auto-numbering [SW5500]set unit 1 name unit [SW5500]sysname hello In the example, it is assumed that the system will automatically change the unit IDs of Switch B, Switch C and Switch D to 2, 3 and 4 after you choose auto-numbering for unit-id.
  • Page 225 RSTP Configuration This chapter covers the following topics: ■ STP Overview ■ RSTP Configuration ■ RSTP Configuration Example. STP Overview Spanning Tree Protocol (STP) is applied in looped networks to block undesirable redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of packets in the looped network.
  • Page 226 (Chapter 10: RSTP Configuration) What are the Designated Bridge and Designated Port? Figure 61 Designated Bridge and Designated Port (diagram: Switch A, Switch B, Switch C) For a Switch, the designated bridge is the Switch in charge of forwarding BPDUs to the local Switch via a port called the designated port.
  • Page 227 STP Overview figure above, the priorities of Switch A, B and C are 0, 1 and 2, and the path costs of their links are 5, 10 and 4 respectively. 1 Initial state When initialized, each port of the Switches generates a configuration BPDU taking its own Switch as the root, with a root path cost of 0, the designated bridge ID set to its own Switch ID and the designated port set to itself.
  • Page 228 The comparison process of each Switch is as follows. ■ Switch A: AP1 receives the configuration BPDU from Switch B and finds that the local configuration BPDU priority is higher than that of the received one, so it discards the received configuration BPDU.
  • Page 229 CP2 receives the updated configuration BPDU, {0, 5, 1, BP2}, from Switch B. Since this configuration BPDU is better than the old one, the old BPDU is updated to {0, 5, 1, BP2}. Meanwhile, CP1 receives the configuration BPDU from Switch A, but its configuration BPDU is not updated and retains {0, 0, 0, AP2}.
  • Page 230 designated port begin to send data again. That is, the root port and designated port must undergo a transitional state for a period of Forward Delay before they enter the forwarding state. Implement RSTP on the Switch The Switch implements the Rapid Spanning Tree Protocol (RSTP), an enhanced form of STP.
  • Page 231: RSTP Configuration

    RSTP Configuration The configuration of RSTP changes with the position of the Switch in the network, as discussed below. Figure 64 Configuring STP (diagram: Switch A and Switch B: root bridge and backup root bridge; Switch C and Switch D: intermediate Switches in the...; Switch E, Switch F and Switch G: Switches directly...)
  • Page 232 (table columns: Device, Configuration, Default Value, Note) Specify Forward Delay, Hello Time, and Max Age. Default: Forward Delay is fixed at 15 seconds, Hello Time at 2 seconds, and Max Age at 20... Note: The other Switches copy the configuration on the root bridge with respect to these time parameters. You can therefore only configure them on the root...
  • Page 233 Specify the maximum transmission rate of STP... Default: No Ethernet port can send more than 3 STP packets within one Hello Time. Note: The more STP packets a port sends within one Hello Time, the more resources are consumed. It is therefore recommended to limit the transmission rate of STP packets...
  • Page 234 Specify the preference of a port. Default: All Ethernet ports are at preference 128. Note: The port preference plays an important role in root port selection. You can make a port the root port by giving it the smallest preference value.
  • Page 235 Table 266 Enable/Disable RSTP on a Port: Enable RSTP on a specified port: stp enable; Disable RSTP on a specified port: stp disable. Note that a redundant route may be generated after RSTP is disabled on the Ethernet port.
  • Page 236 Cancel the configuration of the STP-Ignored VLAN: undo stp ignored vlan vlan_list. By default, no VLAN is STP-Ignored if STP is enabled on the Switch. Set Priority of a Specified Bridge Whether a bridge can be selected as the “root” of the spanning tree depends on its priority.
  • Page 237 To configure a Switch as the root of the spanning tree instance, you can specify its priority as 0 or simply set it as the root, using the command. It is not necessary to specify two or more roots for an STI — do not specify the root for an STI on two or more Switches.
  • Page 238 Table 272 Set Hello Time of the Specified Bridge: Set Hello Time of the specified bridge: stp timer hello centiseconds; Restore the default Hello Time of the specified bridge: undo stp timer hello. An appropriate Hello Time ensures that the bridge can detect certain link failures in the network in a timely manner.
  • Page 239 By default, the Hello Time multiple of the bridge is 3. Specifying the Maximum Transmission Rate of STP Packets on a Port The maximum transmission rate of STP packets on an Ethernet port depends on the physical status of the port and the network architecture. You can specify it as needed.
  • Page 240 By default, all the Ethernet ports are configured as non-EdgePort. Specifying the Path Cost on a Port Path Cost is a parameter related to the link rate. Specify the Path Cost on a Port You can specify the Path Cost on a port by using the following commands. Perform the following configuration in Ethernet Interface View.
  • Page 241 Table 279 Set the Priority of a Specified Port: Set the priority of a specified port: stp port priority port_priority; Restore the default priority of the specified port: undo stp port priority. By setting the priority of an Ethernet port, you can put a specified Ethernet port into the final spanning tree.
  • Page 242 Switch running RSTP is still working in STP-compatible mode. You can use the following command to manually configure the port to work in RSTP mode. This command can only be issued if the bridge runs RSTP in RSTP mode and has no effect in STP-compatible mode.
  • Page 243 Table 282 Configure the Switch Security Function: Configure Switch BPDU protection (from System View): stp bpdu-protection; Restore the disabled BPDU protection state, as defaulted (from System View): undo stp bpdu-protection; Configure Switch Root protection (from Ethernet Port View): stp root-protection; Restore the disabled Root protection state, as defaulted,...
  • Page 244 RSTP Configuration Example Networking Requirements In the following scenario, Switch C serves as a standby for Switch B and forwards data when a fault occurs on Switch B. They are connected to each other with two links, so that, in case one of the links fails, the other one can still work normally.
  • Page 245 e Enable the Root protection function on every designated port. [SW5500]interface gigabitethernet 2/0/1 [SW5500-GigabitEthernet2/0/1]stp root-protection [SW5500]interface gigabitethernet 2/0/2 [SW5500-GigabitEthernet2/0/2]stp root-protection 2 Configure Switch B a Enable RSTP globally. [SW5500]stp enable b Port RSTP is enabled by default after global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable those that are involved.
  • Page 246 RSTP operating mode, time parameters, and port parameters take default values. 4 Configure Switch D a Enable RSTP globally. [SW5500]stp enable b Port RSTP is enabled by default after global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful not to disable those that are involved.
  • Page 247 802.1 ONFIGURATION This chapter covers the following topics: IEEE 802.1x Overview ■ Configuring 802.1x ■ Centralized MAC Address Authentication Configuration ■ AAA and RADIUS Protocol Configuration ■ For information on setting up a RADIUS server and RADIUS client refer to Appendix For details on how to authenticate the Switch 5500G-EI with a Cisco Secure ACS server with TACACS+, refer to...
  • Page 248 802.1x. The devices at the user side such as the computers need to be installed with the 802.1x client Supplicant (User) software, for example, the 802.1x client provided by 3Com (or by Microsoft Windows XP). The 802.1x Authentication Server system normally stays in the carrier's AAA center.
  • Page 249 Configuring 802.1x The EAPoL-Start, EAPoL-Logoff and EAPoL-Key only exist between the user and the Authenticator. The EAP-Packet information is re-encapsulated by the Authenticator System and then transmitted to the Authentication Server System. The EAPoL-Encapsulated-ASF-Alert is related to the network management information and terminated by the Authenticator.
  • Page 250 11: 802.1 HAPTER ONFIGURATION Enabling/Disabling The following command can be used to enable/disable the 802.1x on the specified 802.1x port or globally. When it is used in System View ,if the parameter interface-list is not specified, 802.1x will be globally enabled. If the parameter interface-list is specified, 802.1x will be enabled on the specified port.
  • Page 251 Configuring 802.1x Operation Command Restore the default port undo dot1x port-method [ interface access control method interface_list By default, 802.1x authentication method on the port is . That is, macbased authentication is performed based on MAC addresses. Checking the Users that The following commands are used for checking the users that log on the Switch Log on the Switch via via proxy.
  • Page 252 11: 802.1 HAPTER ONFIGURATION Operation Command Enable the switch to trigger the undo dot1x dhcp-launch authentication over them By default, the Switch can trigger the user ID authentication over the users who configure static IP addresses in DHCP environment. Configuring the The following commands can be used to configure the authentication method for Authentication Method 802.1x user.
  • Page 253 Configuring 802.1x Operation Command Restore default undo dot1x timer { handshake-period | quiet-period settings of the timers | tx-period | supp-timeout | server-timeout } This timer begins after the user has passed the handshake-period: authentication. After setting handshake-period, system will send the handshake packet by the period.
  • Page 254 11: 802.1 HAPTER ONFIGURATION again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication. Perform the following configuration in System View. Table 293 Enabling/Disabling a Quiet-Period Timer Operation Command Enable a quiet-period timer dot1x quiet-period Disable a quiet-period timer undo dot1x quiet-period By default, the quiet-period timer is disabled.
  • Page 255 Configuring 802.1x primary-authentication/second-accounting server. The latter one acts as the secondary-authentication/primary-accounting server. Set the encryption key as “name” when the system exchanges packets with the authentication RADIUS server and “money” when the system exchanges packets with the accounting RADIUS server. Configure the system to retransmit packets to the RADIUS server if no response is received within 5 seconds.
  • Page 256: Authentication Configuration

    11: 802.1 HAPTER ONFIGURATION 5 Set the IP address of the secondary authentication/accounting RADIUS servers. [SW5500-radius-radius1]secondary authentication 10.11.1.2 [SW5500-radius-radius1]secondary accounting 10.11.1.1 6 Set the encryption key when the system exchanges packets with the authentication RADIUS server. [SW5500-radius-radius1]key authentication name 7 Set the encryption key when the system exchanges packets with the accounting RADIUS server.
  • Page 257 Centralized MAC Address Authentication Configuration user name and password. The authentication to the user initiates after the Switch detects the user’s MAC address for the first time. The Switch 5500G-EI supports local and RADIUS MAC address authentication. When it functions as the RADIUS client and works with the RADIUS server to finish the MAC address authentication, it sends the detected user MAC address used as the user name and password to the RADIUS server and the rest processing is the same to 802.1x.
  • Page 258 11: 802.1 HAPTER ONFIGURATION Table 297 Configuring the ISP Domain used by the Centralized MAC Address Authentication User Operation Command Configure the ISP domain used by the mac-authentication domain centralized MAC address authentication user isp_name Return to the defaults undo mac-authentication domain By default, the domain used by the centralized MAC address authentication user is null, that is, not configured.
  • Page 259 Centralized MAC Address Authentication Configuration Table 300 Auto VLAN Auto VLAN Return String Comment Tunnel-Medium-type Tunnel-Private-Group-ID VLAN value Tunnel-Type VLAN Before the VLAN is correctly received by the Switch 5500G-EI, you need to execute the following command on the Switch 5500G-EI to use standard private-group-ID: [5500-xx]private-group-id mode standard Configuration Example How to enable centralized MAC address authentication both on a port and...
  • Page 260 11: 802.1 HAPTER ONFIGURATION AAA and RADIUS Authentication, Authorization and Accounting (AAA) provide a uniform Protocol framework used for configuring these three security functions to implement the Configuration network security management. The network security mentioned here refers to access control and it includes: Which user can access the network server? ■...
  • Page 261 AAA and RADIUS Protocol Configuration the RADIUS server various kinds of response messages in which the ACCEPT message indicates that the user has passed the authentication, and the REJECT message indicates that the user has not passed the authentication and needs to input their username and password again, otherwise they will be rejected access.
  • Page 262 11: 802.1 HAPTER ONFIGURATION users of different ISP. Because the attributes of ISP users, such as username and password formats, and so on, may be different, it is necessary to differentiate them through setting ISP domain. In the Switch 5500G-EI units, ISP domain view, you can configure a complete set of exclusive ISP domain attributes on a per-ISP domain basis, which includes AAA policy ( RADIUS scheme applied etc.) For the Switch 5500G-EI, each user belongs to an ISP domain.
  • Page 263 AAA and RADIUS Protocol Configuration When using in the scheme radius-scheme radius-scheme-name local configuraton command, the local refers to the alternative authentication scheme if the RADIUS server does not respond normally. Therefore, when RADIUS server operates normally, the local scheme is not used. Otherwise, the local scheme is used.
  • Page 264 11: 802.1 HAPTER ONFIGURATION Perform the following configurations in ISP Domain View. Table 306 Enabling the Selection of the RADIUS Accounting Option Operation Command Enable the selection of RADIUS accounting option accounting optional Disable the selection of RADIUS accounting option undo accounting optional By default, the selection of RADIUS accounting option is disabled.
  • Page 265 AAA and RADIUS Protocol Configuration Change user password on this page. ■ Perform the following configuration in ISP domain view. Table 308 Configuring the self-service server URL Operation Command Configure self-service server URL and configure the self-service-url enable URL address used to change the user password on the url-string self-service server Remove the configuration of self-service server URL...
  • Page 266 11: 802.1 HAPTER ONFIGURATION Setting the Attributes of Local Users Perform the following configurations in Local User View. Table 311 Setting/Removing the Attributes Concerned with a Specified User Operation Command Set a password for a specified user password password { simple | cipher } Remove the password set for the undo password specified user...
  • Page 267 AAA and RADIUS Protocol Configuration Table 312 Disconnecting a User by Force Operation Command Disconnect a user by cut connection { all | access-type { dot1x | gcm | force domain_name mac-authentication } | domain interface_type interface_number interface | ip ip_address mac_address | mac...
  • Page 268 CHAPTER 11: 802.1X CONFIGURATION Perform the following configurations in System View. Table 313 Creating/Deleting a RADIUS Server Group Operation Command Create a RADIUS scheme and enter its view radius scheme radius_scheme_name Delete a RADIUS scheme undo radius scheme radius_scheme_name By default, the system has a RADIUS scheme named "system" whose attributes are all default values.
  • Page 269 AAA and RADIUS Protocol Configuration In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both. The RADIUS service port settings on the Switch 5500G-EI should be consistent with the port settings on the RADIUS server.
  • Page 270 while, it will consider that there is device failure and stop accounting. It is necessary to disconnect the user at the NAS end and on the RADIUS server synchronously when some unpredictable failure occurs. The Switch allows you to set the maximum number of times a real-time accounting request can fail to be responded to.
  • Page 271 Restore the default RADIUS accounting packet key undo key accounting By default, the keys of RADIUS authentication/authorization and accounting packets are all “3com”. Setting Retransmission Times of RADIUS Since the RADIUS protocol uses UDP packets to carry the data, the communication process is not reliable.
  • Page 272 Table 322 Setting the Supported Type of the RADIUS Server Operation Command Set the supported type of RADIUS server server-type { 3com | standard } Restore the RADIUS server type to the default setting undo server_type By default, the newly created RADIUS scheme supports the server type standard while the "system"...
  • Page 273 Setting the Username Format Transmitted to the RADIUS Server As mentioned above, the users are generally named in userid@isp-name format. The part following “@” is the ISP domain name. The Switch will put the users into different ISP domains according to the domain names.
  • Page 274 By default, the IP address of the local RADIUS authentication server is 127.0.0.1 and the password is 3com. 1) When using the local RADIUS authentication server function of 3com, remember that the UDP port number used for authentication is 1645 and that for accounting is 1646.
  • Page 275 NAS and RADIUS that are required. When there is a large number of users (1000 or more), 3Com suggests a larger value. The following table recommends the ratio of the value to the number of users.
  • Page 276 Table 332 Displaying and Debugging AAA and RADIUS Protocol Operation Command Display the configuration information of the specified or all the ISP domains display domain [ isp_name ] Display related information of the user's connection display connection [ access-type { dot1x | mac-authentication } | domain_name...
  • Page 277 2 Configure remote authentication mode for the Telnet user, that is, scheme mode. [SW5500-ui-vty0-4]authentication-mode scheme 3 Configure domain. [SW5500]domain cams [SW5500-isp-cams]quit 4 Configure RADIUS scheme. [SW5500]radius scheme cams [SW5500-radius-cams]primary authentication 10.110.91.146 1812 [SW5500-radius-cams]key authentication expert [SW5500-radius-cams]server-type 3com [SW5500-radius-cams]user-name-format without-domain 5 Configure the association between domain and RADIUS. [SW5500-radius-cams]quit [SW5500]domain cams [SW5500-isp-cams]scheme radius-scheme cams...
  • Page 278 2 Method 2: Using the Local RADIUS authentication server. The local server method is similar to remote RADIUS authentication, but you should modify the server IP address to 127.0.0.1, the authentication password to 3com, and the UDP port number of the authentication server to 1645.
  • Page 279: Network Login

    information about the local domain can be seen by typing "display domain". For example: <SW5500>display domain Domain = default system State = Active Scheme = LOCAL Access-limit = Disable Domain User Template: Idle-cut = Disable Self-service = Disable Messenger Time = Disable Default Domain Name: default system...
  • Page 280 Once enabled globally, network login needs to be enabled on a per-port basis. This can be done in one of two ways: ■ To enable dot1x on one port, enter the interface of the port and enable dot1x...
  • Page 281 the end of the username. This states the user is a member of the local domain, and as a result uses the local RADIUS server. Based on the steps in section Domain and RADIUS scheme creation, to log in using the external RADIUS server defined, you need to log in as user@domain, e.g. joe@demo.
  • Page 282 RADIUS debugging, enter the command: ■ <5500> debugging radius packet 3Com-User-Access-Level This determines the access level a user will have with Switch login. This can be administrator, manager, monitor or visitor. You may need to add the return list attributes to a dictionary file using the...
  • Page 283 SYSTEM MANAGEMENT This chapter covers the following topics: ■ File System Overview ■ Configuring File Management ■ FTP Overview ■ TFTP Overview ■ MAC Address Table Management ■ Device Management ■ System Maintenance and Debugging ■ Displaying the State and Information of the System ■...
  • Page 284 CHAPTER 12: SYSTEM MANAGEMENT Directory Operation You can use the file system to create or delete a directory, display the current working directory, and display the information about the files or directories under a specified directory. You can use the following commands to perform directory operations.
  • Page 285 Configuring File Management Perform the following configuration in System View. Table 335 Execute the Specified Batch File Operation Command Execute the specified batch file execute filename Storage Device Operation The file system can be used to format a specified memory device. You can use the following commands to format a specified memory device.
  • Page 286 Displaying the Current-configuration and Saved-configuration of the Switch After being powered on, the system reads the configuration files from Flash for the initialization of the device. (Such configuration files are called saved-configuration files.) If there is no configuration file in Flash, the system will begin the initialization with the default parameters.
  • Page 287 FTP Overview You may erase the configuration files from the Flash in the following cases: ■ After being upgraded, the software does not match with the configuration files. ■ The configuration files in flash are damaged. (A common case is that a wrong...
  • Page 288 Table 343 Configuration of the Switch as FTP Client Device Configuration Default Description Switch Log into the remote FTP server directly with the ftp command. You first need to obtain the FTP username and password, and then log into the remote FTP server.
  • Page 289 Operation Command Configure password for local user (Local User View) password [ cipher | simple ] password Configure service type for local user (Local User View) service-type ftp ftp-directory directory Cancel password for local user (Local User View) undo password Cancel service type for local user (Local User View) undo service-type ftp [
  • Page 290 password hello and with read and write authority over the Switch root directory on the PC. The IP address of a VLAN interface on the Switch is 1.1.1.1, and that of the PC is 2.2.2.2. The Switch and PC are reachable. The Switch application is stored on the PC.
  • Page 291 6 Use the quit command to release the FTP connection and return to User View. [ftp]quit <SW5500> 7 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch. <SW5500>...
  • Page 292 Use the boot boot-loader command to specify the downloaded program as the boot application at the next login and reboot the Switch. <SW5500> boot boot-loader switch.app <SW5500> reboot TFTP Overview Trivial File Transfer Protocol (TFTP) is a simple protocol for file transmission. Compared with FTP, another file transmission protocol, TFTP has no complicated interactive access interface or authentication control, and therefore it can be used when there is no complicated interaction between the clients and server.
  • Page 293 Table 350 Download Files by means of TFTP Operation Command Download files by means of TFTP tftp tftp-server source-file dest-file Uploading Files by means of TFTP To upload a file, the client sends a request to the TFTP server and then transmits data to it and receives the acknowledgement from it.
  • Page 294 [SW5500] 4 Configure IP address 1.1.1.1 for the VLAN interface; ensure the port connecting the PC is also in this VLAN (VLAN 1 in this example). [SW5500]interface vlan 1 [SW5500-vlan-interface1]ip address 1.1.1.1 255.255.255.0 [SW5500-vlan-interface1]quit 5 Upload the to the TFTP server.
  • Page 295 MAC Address Table Management Figure 76 The Switch Forwards Packets with MAC Address Table The Switch also provides the function of MAC address aging. If the Switch receives no packet for a period of time, it will delete the related entry from the MAC address table.
  • Page 296 When deleting the dynamic address table entries, the learned entries will be deleted simultaneously. Setting MAC Address Aging Time Setting an appropriate aging time implements MAC address aging. Too long or too short an aging time set by subscribers will cause the Ethernet switch to flood a large amount of data packets.
  • Page 297 Table 354 Set the Max Count of MAC Addresses Learned by a Port Operation Command Set the max count of MAC addresses learned by a port mac-address max-mac-count count Restore the default max count of MAC addresses learned by a port undo mac-address max-mac-count By default, there is no limit to the MAC addresses learned via the Ethernet port.
  • Page 298 Networking diagram Figure 77 Display MAC address table Configuration procedure The display mac-address command shows a stack-wide view of the MAC address table. [SW5500]display mac-address MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s) 00e0-fc00-3943...
  • Page 299 Device Management Networking Diagram Figure 78 Typical Configuration of Address Table Management Configuration Procedure 1 Enter the System View of the Switch. <SW5500> system-view System View: return to User View with Ctrl+Z 2 Add a MAC address (specify the native VLAN, port and state). [SW5500]mac-address static 00e0-fc35-dc71 interface gigabitethernet1/0/2 vlan 1 3 Set the address aging time to 500s.
  • Page 300 Perform the following configuration in User View. Table 356 Reboot the Switch Operation Command Reboot the Switch reboot [ unit unit-id ] Enabling the Timing Reboot Function After enabling the timing reboot function on the Switch, the Switch will be rebooted at the specified time.
  • Page 301 Table 360 Display and Debug Device Management Operation Command Display the module types and running states of each card display device [ unit unit-id ] Display the running state of the built-in fans display fan [ unit unit-id ] Display the used status of Switch memory display memory [ unit unit-id ] Display the state of the power.
  • Page 302: System Maintenance And Debugging

    CAUTION: If the flash memory of the Switch is not enough, you need to first delete the existing programs in the flash memory and then upload the new ones. 3 Type in the correct command in User View to establish the FTP connection, then enter the correct username and password to log into the FTP server.
  • Page 303 Displaying the State and Information of the System Setting the System Clock Perform the clock datetime command in User View. Table 362 Set the System Clock Operation Command Set the system clock clock datetime time date Setting the Time Zone You can configure the name of the local time zone and the time difference between the local time and Coordinated Universal Time (UTC).
  • Page 304 The configuration agent is one of the XRN features. You can log into one Switch of the Fabric to configure and manage the Fabric. The functions of the configuration agent include: ■ Distributing configuration commands to the right destination Switches or...
  • Page 305 Figure 80 Debug Output (debugging information; protocol debugging switch; screen output switch) You can use the following commands to control the above-mentioned debugging. Perform the following operations in User View. Table 366 Enable/Disable the Debugging Operation Command Enable the protocol debugging...
  • Page 306 After the synchronization of the whole fabric, a great deal of terminal display is generated. You are recommended not to enable the information synchronization switch of the whole fabric. If you enabled the information synchronization switch, after the synchronization information statistics and detection, you must execute the command to disable the switch in time.
  • Page 307 HWPing Table 369 Test Periodically if the IP Address is Reachable Operation Command Configure the IP address requiring periodical testing end-station polling ip-address ip-address Delete the IP address requiring periodical testing undo end-station polling ip-address ip-address The Switch can ping an IP address every minute to test if it is reachable. At most three PING packets can be sent for every IP address in every test, with a time interval of five seconds.
  • Page 308 ■ Configure the Test Parameter Enable HWPing Client By enabling the HWPing client, various types of tests can be set and carried out. Perform the following configurations in System View. Table 370 Enable HWPing Client Operation Command Enable HWPing client hwping-agent enable...
  • Page 309 Configuring a Test Type You can test various connections by using the HWPing function. You can only configure one test type at a time. Currently, the system only supports the ICMP test. Perform the following configuration in HWPing Test Group View. Table 373 Configure a Test Type Operation Command...
  • Page 310 regard the destination unreachable. The parameter discussed in this subsection is equal to the parameter in the ping command, except in a different time unit. Perform the following configurations in HWPing Test Group View. Table 376 Configure a Test Timeout Time Operation Command Configure a test timeout time...
  • Page 311 Typical HWPing Configuration Example Like the ping test, the ICMP test in HWPing determines the roundtrip delay of a packet by making use of ICMP. Network Diagram Figure 82 HWPing
  • Page 312 Logging Function Introduction to Info-center The Info-center serves as an information center of the system software modules. The logging system is responsible for most of the information outputs, and it also makes detailed classification to filter the information efficiently. Coupled with the debugging program, the info-center provides powerful support for network administrators and support personnel to monitor the operating state of networks and diagnose network failures.
  • Page 313 If changed to boot format, it represents the milliseconds from system booting. Generally, the data are so large that two 32-bit integers are used, separated with a dot '.'. For example: <189>0.166970 SW5500 IFNET/6/UPDOWN:Line protocol on interface Ethernet1/0/2, changed state to UP It means that 166970ms (0*2^32+166970) has passed since system booting.
  • Page 314 Module name Description IFNET Interface management module IGSP IGMP snooping module IP module Inter-process communication module IPMC IP multicast module L2INF Interface management module LACL LANswitch ACL module LQOS LANswitch QoS module Local server module Multicast port management module Network time protocol module PPRDT...
  • Page 315 Definition of severity in logging information is as follows. Table 380 Info-Center-Defined Severity Severity Description emergencies Extremely emergent errors alerts Errors that need to be corrected immediately critical Critical errors errors Errors that need to be addressed but are not critical warnings Warning, there may be some types of errors notifications...
  • Page 316 ■ The output language can be selected between Chinese and English. 1 Sending the information to loghost. Table 382 Sending the Information to Loghost Device Configuration Default Value Configuration Description Switch Enable info-center By default, info-center is enabled. Other configurations are valid only if info-center is enabled.
  • Page 317 Table 384 Sending the Information to Monitor Terminal Device Configuration Default Value Configuration Description Switch Enable info-center By default, the info-center is enabled. Other configurations are valid only if the info-center is enabled. Set the information output direction to monitor Set information source You can define which modules and...
  • Page 318 Table 387 Sending the Information to SNMP Device Configuration Default value Configuration description Enable info-center By default, info-center is enabled. Other configurations are valid only if the info-center is enabled. Set the information output direction to SNMP Set information source You can define which modules and information are to be sent out...
  • Page 319 Table 389 Configuring to Output Information to Loghost Operation Command Output information to loghost info-center loghost host-ip-addr [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] Cancel the configuration of outputting information to loghost undo info-center loghost host-ip-addr Ensure to enter the correct IP address using the...
  • Page 320 Operation Command Output time-stamp is disabled undo info-center timestamp { log | trap | debugging } 4 Configuring loghost The configuration on the loghost must be the same as that on the Switch. For related configuration, see the configuration examples in the latter part of this chapter.
  • Page 321 When defining the information sent to the control terminal, channel-number or channel-name must be set to the channel that corresponds to the Console direction. Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000. However, for different channels, the default record may have different default settings of log, trap and debugging.
  • Page 322 Table 396 Enable/Disable Info-Center Operation Command Enable info-center info-center enable Disable info-center undo info-center enable Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes much information, because of information classification and output.
  • Page 323 If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, meanwhile using the debugging command to turn on the debugging switch of those modules. You can use the following commands to configure the time-stamp output format of log information, debugging information and trap information.
  • Page 324 Info-center is enabled by default. After info-center is enabled, system performance is affected when the system processes much information, because of information classification and output. 2 Configuring to output information to the log buffer Perform the following operation in System View. Table 402 Configuring the Output Information to Log Buffer Operation Command...
  • Page 325 Table 404 Configuring the Output Format of Time-stamp Operation Command Configure the output format of the time-stamp info-center timestamp { log | trap | debugging } { boot | date | none } Output time-stamp is disabled undo info-center timestamp { log | trap | debugging } Sending the Information To send information to the trap buffer, follow the steps below:...
  • Page 326 When defining the information sent to the trap buffer, channel-number or channel-name must be set to the channel that corresponds to the Console direction. Every channel has been set with a default record, whose module name is default and the module number is 0xffff0000.
  • Page 327 With this configuration, you can define the information that is sent to the SNMP NM: generated by which modules, information type, information level, and so on. Perform the following operation in System View. Table 411 Defining Information Source Operation Command Define information source info-center source {...
  • Page 328 The Switch provides a command to turn on/off the synchronization switch in every Switch. If the synchronization switch of a Switch is turned off, it does not send information to other Switches but still receives information from others. 1 Enable info-center Perform the following operation in System View.
  • Page 329 ■ The information with severity level above informational will be sent to the loghost ■ The output language is English ■ The modules that are allowed to output information are ARP and IP Networking Diagram Figure 86 Schematic Diagram of Configuration...
  • Page 330 (3) No redundant space after the file name. (4) The device name and the accepted log information level specified in /etc/syslog.conf must be consistent with info-center loghost and info-center loghost a.b.c.d facility configured on the Switch. Otherwise, the log information probably cannot be output to the loghost correctly.
  • Page 331 [SW5500]info-center loghost 202.38.1.10 facility local7 language english [SW5500]info-center source default channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost. a Perform the following commands as the super user (root). # mkdir /var/log/SW5500 # touch /var/log/SW5500/information b Edit file as the super user (root), add the following...
  • Page 332 ■ The modules that are allowed to output information are ARP and IP Networking Diagram Figure 88 Schematic Diagram of Configuration Configuration Procedure 1 Configuration on the Switch Enabling info-center [SW5500]info-center enable 2 Configure control terminal log output;...
  • Page 333 SNMP Configuration to report the events whenever the device encounters any abnormalities such as new device found and restart. SNMP Versions and Supported MIB To uniquely identify the management variables of a device in SNMP messages, SNMP adopts the hierarchical naming scheme to identify the managed objects. It is like a tree.
  • Page 334 Configure SNMP The main configuration of SNMP includes: ■ Set community name ■ Set the Method of Identifying and Contacting the Administrator ■ Enable/Disable snmp Agent to Send Trap ■ Set the Destination Address of Trap ■...
  • Page 335 Table 417 Enable/Disable SNMP Agent to Send Trap Operation Command Enable to send trap snmp-agent trap enable [ configuration | flash | ospf [ process-id ospf-trap-list ] | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ] Disable to send trap undo snmp-agent trap enable [ bgp [ backwardtransition ] [ established ] |...
  • Page 336 Operation Command Restore the default SNMP System Information of the Switch undo snmp-agent sys-info [ { contact | location }* | version { { v1 | v2c | v3 }* | all } ] By default, the sysLocation is specified as a blank string, that is, “”. Setting the Engine ID of a Local or Remote You can use the following commands to set the engine ID of a local or remote...
  • Page 337 Table 424 Add/Delete a User to/from an SNMP Group Operation Command Add a user to an SNMP group snmp-agent usm-user { v1 | v2c } username groupname [ acl acl-list ] snmp-agent usm-user v3 username groupname [ authentication-mode { md5 | sha } authpassstring [ privacy-mode { des56...
  • Page 338 If the user disables the SNMP Agent, it will be enabled whatever snmp-agent command is configured thereafter. Displaying and Debugging SNMP After the above configuration, execute the display command in all views to display the running of the SNMP configuration, and to verify the effect of the configuration.
  • Page 339 [SW5500]snmp-agent target-host trap address udp-domain 129.102.149.23 udp-port 5000 params securityname public Configure Network Management System The Switch supports 3Com Network Director. Users can query and configure the Switch through the network management system. For more information, refer to the network management user documentation.
  • Page 340 Reading Usmusr Table Configuration Example Networking requirements The ViewDefault view should be reconfigured if you use SNMP V3 to read the usmusr table. The snmpVacmMIB and snmpUsmMIB should be included in the ViewDefault view. Networking diagram Figure 91 SNMP configuration example 129.102.0.1 129.102.149.23 Ethernet...
  • Page 341 View name:ViewDefault MIB Subtree:snmpModules.18 Subtree mask: Storage-type: nonVolatile View Type:excluded View status:active RMON Configuration Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network.
  • Page 342 ■ Add/Delete an Entry to/from the Statistics table Adding/Deleting an Entry to/from the Alarm Table RMON alarm management can monitor the specified alarm variables such as the statistics on a port. When a value of the monitored data exceeds the defined threshold, an alarm event will be generated.
  • Page 343 Table 432 Add/Delete an Entry to/from the History Control Terminal Operation Command Add an entry to the history control terminal rmon history entry-number buckets number interval sampling-interval [ owner text-string ] Delete an entry from the history control terminal undo rmon history entry-number
  • Page 344 1 Configure RMON. [SW5500-GigabitEthernet1/0/1]rmon statistics 1 owner 3com-rmon 2 View the configurations in User View. <SW5500> display rmon statistics Ethernet 1/0/1 Statistics entry 1 owned by 3com-rmon is VALID. Gathers statistics of interface GigabitEthernet1/0/1. Received: octets : 270149,packets : 1954...
  • Page 345 NTP Overview As the network topology gets more and more complex, it becomes important to synchronize the clocks of the equipment on the whole network. Network Time Protocol (NTP) is the TCP/IP protocol that advertises the accurate time throughout the network.
  • Page 346 ■ Switch A sends an NTP packet to Switch B. The packet carries the timestamp 10:00:00am (T1) that tells when it left Switch A. ■ When the NTP packet arrives at Switch B, Switch B adds a local timestamp...
  • Page 347 NTP Configuration ■ Configure NTP server mode ■ Configure NTP peer mode ■ Configure NTP broadcast server mode ■ Configure NTP broadcast client mode ■ Configure NTP multicast server mode ■ Configure NTP multicast client mode Configuring NTP Server Mode Set a remote server whose IP address is ip-address as the local time server.
  • Page 348 which the source IP address of the NTP packets sent from the local Switch to the peer will be taken; priority indicates the peer will be the first choice for the time server. Configuring NTP Broadcast Server Mode Designate an interface on the local Switch to transmit NTP broadcast packets.
  • Page 349 Table 440 Configure NTP Multicast Server Mode Operation Command Configure NTP multicast server mode ntp-service multicast-server [ ip-address ] [ authentication-keyid keyid ] [ ttl ttl-number ] [ version number ] Cancel NTP multicast server mode undo ntp-service multicast-server NTP version number ranges from 1 to 3 and defaults to 3;...
  • Page 350 Table 443 Configure NTP Authentication Key Operation Command Configure NTP authentication key ntp-service authentication-keyid number authentication-mode md5 value Remove NTP authentication key undo ntp-service authentication-keyid number Key number ranges from 1 to 4294967295; the key value contains 1 to 32 ASCII characters.
  • Page 351 Table 446 Enable/Disable an Interface to Receive NTP Messages Operation Command Disable an interface from receiving NTP messages ntp-service in-interface disable Enable an interface to receive NTP messages undo ntp-service in-interface disable This configuration task must be performed on the interface that is to be disabled from receiving NTP messages.
  • Page 352: Configuration Examples

    12: F HAPTER YSTEM ANAGEMENT Displaying and After completing the above configurations, you can use the command to display Debugging NTP show how NTP runs and verify the configurations according to the outputs. In User View, you can use the command to debug NTP.
  • Page 353 Typical NTP Configuration Examples Configuration Procedure Configure Switch 1: 1 Enter System View. <switch1> system-view 2 Set the local clock as the NTP master clock at stratum 2. [switch1]ntp-service refclock-master 2 Configure Switch 2: 1 Enter System View. <switch2> system-view 2 Set SW5500 1 as the NTP server.
  • Page 354 12: F HAPTER YSTEM ANAGEMENT ******************************************************************** [12345]1.0.1.11 LOCAL(0) 16 -0.4 0.0 0.9 note: 1 source(master),2 source(peer),3 selected,4 candidate,5 configured NTP peer Configuration Network Requirements On Switch 3, set local clock as the NTP master clock at stratum 2. On Switch 2, configure SW5500G-EI 1 as the time server in server mode and set the local equipment as in client mode.
  • Page 355 Typical NTP Configuration Examples By this time, Switch 4 has been synchronized by Switch 5 and it is at stratum 2, or higher than Switch 5 by 1. Display the sessions of Switch 4 and you will see Switch 4 has been connected with Switch 5.
  • Page 356 12: F HAPTER YSTEM ANAGEMENT In the above examples Switch 4 and Switch 1 are configured to listen to the broadcast via Vlan-interface2, Switch 3 to broadcast packets from Vlan-interface2. As Switch 1 and Switch 3 are not located on the same segment, they cannot receive any broadcast packets from Switch 3, while Switch 4 is synchronized by Switch 3 after receiving its broadcast packet.
  • Page 357 Typical NTP Configuration Examples [switch3-Vlan-Interface2]ntp-service multicast-server Configure Switch 4: 1 Enter System View. <switch4> system-view 2 Enter Vlan-interface2 view. [switch4]interface vlan-interface 2 3 Enable multicast client mode. [switch4-Vlan-Interface2]ntp-service multicast-client Configure Switch 1: 1 Enter System View. <switch1> system-view 2 Enter Vlan-interface2 view. [switch1]interface vlan-interface 2 3 Enable multicast client mode.
  • Page 358 12: F HAPTER YSTEM ANAGEMENT [switch2]ntp-service authentication enable 4 Set the key. [switch2]ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey Set the key as reliable. 5 [switch2]ntp-service reliable authentication-keyid 42 [switch2]ntp-service unicast-server 1.0.1.11 authentication-keyid 42 The above examples synchronized Switch 2 by Switch 1. Since Switch 1 has not been enabled authentication, it cannot synchronize Switch 2.
  • Page 359 SSH Terminal Services. Communication between the SSH server and client proceeds in five stages: version negotiation, key negotiation, authentication, session request and interactive session. Version negotiation stage: the client sends a TCP connection request to the ...
  • Page 360 SSH configuration tasks: setting the system protocol and link maximum; configuring and deleting the local RSA key pair; configuring the authentication type; defining the update interval of the server key; defining the SSH authentication timeout value; defining the SSH authentication retry value; ...
  • Page 361 SSH Terminal Services. Table 452 Configuring Authentication Type (Operation: Command). Configure authentication type: ssh user username authentication-type { password | rsa | all }. Remove the authentication type setting: undo ssh user username authentication-type. If RSA authentication is configured, the RSA public key of the client user must also be configured on the Switch, that is, the tasks numbered 7 and 8 must be performed.
  • Page 362 This operation applies only to SSH users configured for RSA authentication. On the Switch you configure the client's RSA public key; on the client you specify the corresponding RSA private key. The operation fails if the SSH user is configured for password authentication.
  • Page 363 SSH Terminal Services. Specifying the RSA private key file: if you specify RSA authentication for the SSH user, you must specify an RSA private key file. The RSA key pair (public key and private key) is generated by the client software; the public key is configured on the server (the Switch) and the private key stays on the client.
  • Page 364 Figure 99 SSH key conversion. Use the Save button to save the converted key to a file. Open the public key file in Notepad and add the following lines before the existing text: rsa peer-public-key mykey, then public-key-code begin, where...
  • Page 365 SSH Terminal Services. Figure 100 Text file of myKey. Save this to a file with a ".bat" extension, e.g. "keys.bat". Transfer the file to the Switch using FTP or TFTP and install the key with the execute command in System view: [SW5500]execute keys.bat. Specifying the server IP address: start the PuTTY program; the client configuration interface appears.
  • Page 366 Figure 101 SSH Client Configuration Interface (1). In the Host Name (or IP address) box, enter the IP address of the Switch, for example 10.110.28.10. You can also enter the IP address of any interface that is in the UP state, provided there is a route between it and the SSH client PC.
  • Page 367 SSH Terminal Services. Figure 102 SSH Client Configuration Interface (2). Select protocol version 1, as shown in the figure above. Specifying the RSA private key file: if you want to use RSA authentication you must specify an RSA private key file; this is not required for password authentication. Click [SSH/Auth] to open the interface shown in the following figure:...
  • Page 368 Figure 103 SSH Client Configuration Interface (3). Click Browse to open the file selection dialog, choose the private key file and click OK. Opening the SSH connection: click Open to start the SSH client session. If all is well, you are prompted for a username and password.
  • Page 369 Password authentication example: [SW5500]user-interface vty 0 4 [SW5500-ui-vty0-4]authentication-mode scheme [SW5500-ui-vty0-4]protocol inbound ssh [SW5500]local-user client001 [SW5500-luser-client001]password simple 3com [SW5500-luser-client001]service-type ssh [SW5500]ssh user client001 authentication-type password. Keep the default values for the SSH authentication timeout, retry count and server key update interval. Then run an SSH 1.5 client program on the PC that is...
  • Page 370 ...connected to the Switch and log in with username “client001” and password “3com”. 3 For RSA authentication mode: create local user client002: [SW5500]local-user client002 [SW5500-luser-client002]service-type ssh. 4 Specify AAA authentication on the user interface.
  • Page 371 Appendix A: Password Recovery Process. However, if the password recovery mechanism has been disabled and the user-configurable Bootrom password is lost, no recovery mechanism is available and the Switch must be returned to 3Com for repair. The following commands are all executed from the Bootrom directly via the console.
  • Page 372 Bootrom interface: during the initial boot phase of the Switch (with a direct console connection), various messages are displayed, followed by the prompt "Press Ctrl-B to enter Boot Menu... 4" with a five-second countdown timer. Before the countdown reaches 0, press <CTRL>B.
  • Page 373 If the user-configured Bootrom password is lost, 3Com Technical Support can provide a fixed, unit-unique password that bypasses it. Register the Switch with 3Com promptly: the unit-unique password is supplied only to the registered owner of the Switch.
  • Page 374 This option lets the user disable the fixed, unit-unique password recovery mechanism. If it is disabled and the Bootrom password is then lost, recovery is not possible and the Switch must be returned to 3Com for repair.
  • Page 375 Appendix B: RADIUS Server and RADIUS Client Setup. The remainder of this section describes how to set up a RADIUS server using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com. Configuring Microsoft IAS RADIUS: 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with the Switch 5500G-EI deployed.
  • Page 376 ...and Computers window, right-click the domain, choose Properties and select Change Mode. c Add a user that is allowed to use the network: go to Active Directory Users and Computers, right-click the Users folder in the left-hand pane and choose New >...
  • Page 377 Setting Up a RADIUS Server. e The user's password must be stored with reversible encryption: right-click the user account, select Properties, open the Account tab and check Store password using reversible encryption. f Re-enter the password so that it is stored in that form: right-click the user account and select Reset Password…
  • Page 378 In the Certificate Authority Type window select Enterprise root CA. Enter identifying information for the Certificate Authority in the CA Identifying Information window and the storage location in the Data Storage Location window. To complete installation of the certificate server, the wizard requires the Microsoft Windows 2000 Server installation CD.
  • Page 379 Setting Up a RADIUS Server. 5 Configure a Certificate Authority: a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your Certificate Authority server. b Select New > Certificate to Issue. c Select Authenticated Session and click OK. d Go to Programs >...
  • Page 380 e Select the Group Policy tab and ensure that Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor. f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies and right-click Automatic Certificate Request Settings.
  • Page 381 Setting Up a RADIUS Server. Open a command prompt (Start > Run) and run secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect. 6 Set up the Internet Authentication Service (IAS) RADIUS server: a Go to Programs > Administrative Tools > Internet Authentication Service, right-click Clients and select New Client.
  • Page 382 h Select Grant remote access permission and click Next. Click Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected with Smart Card or other Certificate as the EAP type, and deselect all other authentication methods listed.
  • Page 383 Setting Up a RADIUS Server. b Select the Dial-in tab in the client Properties window, select Allow access and click OK. c Click OK to confirm. 8 Configure the Switch 5500G-EI for RADIUS access and client authentication; see Chapter 11 “802.1x Configuration”.
  • Page 384 d Select Advanced request and click Next >. e Select the first option and click Next >. f Either copy the settings from the screenshot below or choose different key options.
  • Page 385 Setting Up a RADIUS Server. ...followed by this warning message; select Yes and then OK. The PKCS #10 file is now saved to the local drive. h To generate a portable certificate from the PKCS #10 request, click the Home hyperlink at the top right of the CA web page.
  • Page 386 Paste the copied request into the Saved Request field as shown below, select Authenticated Session from the Certificate Template selector and click Submit >. m Download the certificate and certification path: click the Download CA Certificate hyperlink to save the certificate.
  • Page 387 Setting Up a RADIUS Server. o Click Install Certificate to launch the certificate import wizard. p Leave the settings on the next screen as they are, click Next >, then Finish and OK; this installs the certificate. q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder.
  • Page 388 s Click Copy to File to save the certificate. The Advanced Request step already produced the certificate; this is an alternative way to save it. Click Next when the wizard launches, then select DER encoded binary (DER X.509 encoding) followed by Next.
  • Page 389 Setting Up a RADIUS Server. u Select the user who will be the IEEE 802.1x client, right-click the user, select Name mappings and click Add. v Select the certificate you have just exported, click Open, then OK. w In the Security Identity Mapping screen, click OK to close it. x Close the Active Directory Users and Computers management tool.
  • Page 390 b Create a new remote access policy under IAS and name it Switch Login. Click Next >. c Specify that Switch Login matches users in the switch access group and click Next >...
  • Page 391 Setting Up a RADIUS Server. e Use the Edit button to change the Service-Type to Administrative. f Add a Vendor-Specific attribute to indicate the access level that should be granted:...
  • Page 392 The value 010600000003 grants administrator privileges on the switch: 01 and 06 are the vendor attribute type and length, and the final octet of the four-byte value is the access level. A value ending in 01 indicates monitor access and 02 manager access; on the Switch 5500G-EI, 00 indicates visitor level. 11 Configure the RADIUS client; refer to the section Setting Up the RADIUS Client for information on setting up the client.
  • Page 393 Setting Up a RADIUS Server. Follow these steps to set up auto VLAN and QoS with Microsoft IAS: 1 Define the VLAN groups on the Active Directory server and assign user accounts to each VLAN group. Go to Programs > Administrative Tools > Active Directory Users and Computers. a For example, to create a group representing VLAN 4, select the Users folder in the domain (see below),...
  • Page 394 d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Right-click the policy you configured earlier and select Properties. e Click Add to add a policy membership condition. f Select the Windows-Groups attribute type, click Add, then Add again...
  • Page 395 Setting Up a RADIUS Server. g Select the VLAN group you have just created, click Add and then OK to confirm. h Click OK again to return to the policy properties. Click Edit Profile..., select the Advanced tab and click Add. Refer to Table 459 and Table 460 for the RADIUS attributes to add to the profile.
  • Page 396 Table 459 Summary of auto VLAN attributes (attribute: return string): Tunnel-Medium-Type; Tunnel-Private-Group-ID: VLAN value; Tunnel-Type: VLAN. Table 460 Summary of QoS attributes (attribute: return string): Filter-Id: profile=student...
  • Page 397 Setting Up a RADIUS Server. m Select the Tunnel-Pvt-Group-ID entry and click Add. n Click Add, make sure the attribute value is set to 4 (attribute value in string format) and click OK; this value is the VLAN ID. o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen.
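The value 010600000003 on page 392 and the Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID and Filter-Id entries of Tables 459 and 460 are all reply attributes carried in a RADIUS Access-Accept. The Python below is an added example written for this page, not 3Com, Microsoft or Funk code: it encodes those attributes, wraps them in an Access-Accept whose Response Authenticator is computed with the shared secret (page 401: it must be identical on the Switch and the server), and decodes what a switch would act on. The 3Com vendor ID (IANA enterprise number 43), vendor type 1 for 3Com-User-Access-Level, and the RFC 2868/3580 tunnel values (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE 802) are not on the page and are taken from the standards and public RADIUS dictionaries; the request authenticator, secret and the student profile are constructed.

```python
"""Encode and decode the RADIUS reply attributes used for switch login and auto VLAN/QoS (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
RADIUS_HEADER_LEN = 20

ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13            # RFC 3580 value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6       # RFC 2868 value for IEEE 802 media
VENDOR_3COM = 43                 # IANA enterprise number for 3Com (not stated on the page)
VSA_3COM_USER_ACCESS_LEVEL = 1   # the leading 01 in the page's value 01 06 00000003
ACCESS_LEVELS = {0: 'visitor', 1: 'monitor', 2: 'manager', 3: 'administrator'}


def avp(attr_type, value):
    """One RFC 2865 attribute: type, total length, value (at most 253 value bytes)."""
    if len(value) > 253:
        raise ValueError('attribute value too long')
    return struct.pack('>BB', attr_type, 2 + len(value)) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet big-endian value."""
    return bytes([tag]) + value.to_bytes(3, 'big')


def threecom_access_level(level):
    """Vendor-Specific attribute carrying 3Com-User-Access-Level (vendor type 1, length 6, 4-byte level)."""
    vendor_data = struct.pack('>BBI', VSA_3COM_USER_ACCESS_LEVEL, 6, level)
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack('>I', VENDOR_3COM) + vendor_data)


def network_login_attributes(vlan_id, qos_profile):
    """Reply items from Tables 459 and 460: auto VLAN via tunnel attributes, QoS via Filter-Id."""
    return (avp(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan_id).encode())
            + avp(ATTR_FILTER_ID, ('profile=' + qos_profile).encode()))


def access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept with Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    header = struct.pack('>BBH', ACCESS_ACCEPT, identifier, RADIUS_HEADER_LEN + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_access_accept(packet, request_authenticator, secret):
    """The client's check: a reply whose authenticator fails under the shared secret is dropped."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack('>BBH', packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[RADIUS_HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:RADIUS_HEADER_LEN])


def parse_attributes(attributes):
    """Walk the attribute list and pull out what the switch acts on."""
    result = {}
    offset = 0
    while offset < len(attributes):
        if offset + 2 > len(attributes):
            raise ValueError('truncated attribute header')
        attr_type, attr_len = attributes[offset], attributes[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attributes):
            raise ValueError('malformed attribute length')
        value = attributes[offset + 2:offset + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 10 \
                and struct.unpack('>I', value[:4])[0] == VENDOR_3COM:
            vendor_type, vendor_len = value[4], value[5]
            if vendor_type == VSA_3COM_USER_ACCESS_LEVEL and vendor_len == 6:
                level = struct.unpack('>I', value[6:10])[0]
                result['access_level'] = ACCESS_LEVELS.get(level, 'unknown')
        elif attr_type == ATTR_TUNNEL_TYPE and len(value) == 4:
            result['tunnel_type'] = int.from_bytes(value[1:], 'big')
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            result['tunnel_medium'] = int.from_bytes(value[1:], 'big')
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            group = value[1:] if value[0] <= 0x1F else value   # tag octet only if <= 0x1F (RFC 2868)
            result['vlan'] = int(group.decode('ascii'))
        elif attr_type == ATTR_FILTER_ID:
            text = value.decode('ascii', 'replace')
            if text.startswith('profile='):
                result['qos_profile'] = text[len('profile='):]
        offset += attr_len
    return result


def auto_vlan(parsed):
    """Move the port only when the tunnel attributes describe an IEEE 802 VLAN (RFC 3580), not on a bare group ID."""
    if parsed.get('tunnel_type') == TUNNEL_TYPE_VLAN and parsed.get('tunnel_medium') == TUNNEL_MEDIUM_IEEE_802:
        return parsed.get('vlan')
    return None
```

The last six bytes of threecom_access_level(3) are exactly the 010600000003 string the page shows in the IAS dialog, and levels 1, 2 and 0 produce the monitor, manager and visitor values described there. The verify_access_accept check is the reason the shared secret must match on both ends: with a different secret the authenticator fails and the switch discards the reply, and the user is neither logged in nor moved to a VLAN.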
  • Page 398 For troubleshooting, use the Event Viewer on both the workstation and the RADIUS server. Configuring Funk RADIUS: 3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with the Switch 5500G-EI deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com...
  • Page 399 Setting Up a RADIUS Server. To configure Funk RADIUS as a RADIUS server for networks with the Switch 5500G-EI, follow these steps: 1 Open the file \radius\service\eap.ini and remove the ";" before the MD5-Challenge line; this enables MD5-Challenge. 2 Open the file and change the log level to 5.
  • Page 400 Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, create the VLAN and QoS profiles on the 3Com Switch 5500G-EI and follow the instructions in Configuring auto VLAN and QoS for Funk RADIUS.
  • Page 401 Setting Up a RADIUS Server. Passwords are case sensitive. 6 Enter the shared secret used to protect the authentication data; it must be identical on the Switch 5500G-EI and the RADIUS server. a Select RAS Clients from the left-hand list and enter a client name, the IP address and the shared secret.
  • Page 402 Configuring auto VLAN and QoS for Funk RADIUS. To set up auto VLAN and QoS using Funk RADIUS, follow these steps: 1 Edit the dictionary file radius.dct so that the Return list attributes from the Funk RADIUS server are returned to the Switch 5500G-EI.
  • Page 403 The following example shows the user name HOMER with the correct Return list attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 5500G-EI. Configuring FreeRADIUS: 3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and Red Hat Linux servers in networks with the Switch 5500G-EI deployed.
  • Page 404 Add an entry for Switch Login, for example: user-name Auth-Type = System, 3Com-User-Access-Level = Administrator. This tells the server to return the 3Com vendor-specific attribute 3Com-User-Access-Level in the Access-Accept message for that user. b Add an entry for Network Login, for example: user-name Auth-Type := Local, User-Password == "password"...
  • Page 405 Setting Up the RADIUS Client. Windows 2000 built-in client: Windows 2000 requires Service Pack 3 and the IEEE 802.1x client patch for Windows 2000. 1 Download the patches if required from: http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637 2 After the updates have been installed, start the Wireless Authentication Service in Component Services on the Windows 2000 workstation (set the service startup type to Automatic).
  • Page 406 Follow these steps to install the Aegis client: 1 Register the Aegis client. When the Aegis client is used for the first time, a license key is requested. To obtain a valid license key, complete the online form on the Meetinghouse website, giving the System ID.
  • Page 407 Setting Up the RADIUS Client. d Click OK to finish the configuration. e Restart the client, either by rebooting or by stopping and restarting the service. f Click OK, then return to the Aegis Client main interface. To restart the client, press the button with the red cross. If authentication succeeds, the icon turns green.
  • Page 409 Appendix C: Authenticating the Switch 5500G-EI with Cisco Secure ACS. ...5500G-EI on their network. Although 3Com does not directly support the proprietary TACACS+ protocol, 3Com switches can still be authenticated in networks that use TACACS+ and Cisco Secure ACS. The Windows-based Cisco Secure ACS server contains a built-in RADIUS server that integrates with the TACACS+ user database, so 3Com switches authenticate correctly using the RADIUS protocol.
  • Page 410 1 Select Network Configuration from the left-hand side. 2 Select Add Entry under AAA Clients. 3 Enter the details of the 3Com switch; spaces are not permitted in the AAA Client Hostname. An example is shown below...
  • Page 411 Setting Up the Cisco Secure ACS (TACACS+) server. 5 Select Interface Configuration from the left-hand side. 6 Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes you wish to use. For auto VLAN and QoS, ensure the following options are selected for both User and Group: Filter-Id, ...
  • Page 412 8 Select Submit. 9 Repeat steps 1 to 8 for each Switch 5500G-EI on your network. When all Switch 5500G-EIs have been added as clients, restart the Secure ACS server: select System Configuration from the left-hand side, then Service Control, and click Restart.
  • Page 413 The user can now access the network through Network Login. Adding a User for Switch Login: adding a user for switch login is slightly more complex, because 3Com-specific RADIUS attributes must be returned to the 3Com Switch 5500G-EI. These RADIUS attributes define the user's access level to the management interface.
  • Page 414 Once complete, log in to the Secure ACS server again and complete steps 2 and 3. 2 To use the new RADIUS attributes, the client device must be assigned the RADIUS (3Com) attribute set. Select Network Configuration from the left-hand side and select an existing device or add a new device.
  • Page 415 Setting Up the Cisco Secure ACS (TACACS+) server. 3 Select Submit+Restart. The IETF attributes remain available to the device; the 3Com attributes are simply appended to them. 4 Select Interface Configuration, followed by RADIUS (3Com). a Ensure that the 3Com-User-Access-Level option is selected for both User and...
  • Page 416 6 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list, as shown below. 7 Select Submit.
  • Page 417 Appendix D: 3Com XRN. This section explains what 3Com XRN™ (eXpandable Resilient Networking) is, how it can benefit your network and how to implement it. This appendix contains the following sections: What is XRN?, ...
  • Page 418 ...Fabric Interconnect ports. XRN Terminology: this section is a glossary of common XRN terms. eXpandable Resilient Network (XRN): a 3Com technology for building fault-tolerant, high-performance, scalable multilayer networks. Fabric Interconnect: the interconnection between the XRN Switches that form the Distributed Fabric.
  • Page 419 Link Aggregation supported across the Distributed Fabric. Flexibility provided by support for creating an XRN Distributed Fabric from any of the Switches within an individual SuperStack 4 Switch 5500G-EI family. XRN Features: this section describes the key features of XRN.
  • Page 420 DRR is an XRN-specific implementation that operates only within the Distributed Fabric; however, it interoperates with routers outside the XRN Distributed Fabric. Figure 106 Network Example illustrating Distributed Resilient Routing (figure labels: VLAN 1, VLAN 2, VLAN 3)...
  • Page 421 How to Implement XRN — Overview. Figure 107 Distributed Link Aggregation at the Network Backbone (figure labels: XRN Distributed Fabric, Switch 5500 units, 802.1w, Wiring Closet Aggregation, Backbone Aggregation). How to Implement XRN — Overview: this section provides an overview of how to implement XRN in your network...
  • Page 422 It is not possible to create an XRN Distributed Fabric with Switches from different SuperStack 4 5500 families, for example a Switch 5500-EI with a 5500G-EI. Only Switches within a single SuperStack 4 5500 family can form an XRN Distributed Fabric, for example a Switch 5500G-EI 52-Port with a Switch 5500G-EI 28-Port.
  • Page 423 ...MAC address takes the ID in question and the other unit renumbers automatically. 3Com recommends manually assigning unit IDs within the Fabric if you need to know at all times which unit has which ID.
  • Page 424 The unit LEDs display the unit number within the Fabric, from 1 to 8. Network Example using XRN: the following example explains how to set up XRN in a network for maximum resilience using two Distributed Fabrics. The same process scales to larger networks with multiple XRN Distributed Fabrics.
  • Page 425 ...It overrides any pre-defined VLAN membership for the aggregated link. Recovering your XRN Network: in the event of a failure within your XRN network, 3Com recommends that you follow the recommendations below.
  • Page 426 ...VLAN membership, with the result that the different VLANs cannot communicate. 3Com recommends that all ports that are to be members of an aggregated link are given the same VLAN membership. This ensures communication...
  • Page 427 How XRN Interacts with other Features. Figure 109 How XRN interacts with VLANs — Example 1 (figure labels: VLAN 1, VLAN 2, Switch 5500 units, 802.3ad Aggregated Link, VLAN ID 1, 2, XRN Distributed Fabric). The Distributed Resilient Routing (DRR) feature also requires that all units can communicate with each other on all VLANs.
  • Page 428 However, in Figure 111, if the interconnect fails, the aggregation is still a single logical entity at the legacy Switch end but is now split across both units of the Distributed Fabric. The legacy Switch is unaware that the aggregation has split and continues to send traffic over both links, resulting in data loss.
  • Page 429 How a Failure affects the Distributed Fabric. For example, if the resilient links are configured on Switches A and B and the interconnect fails, both Switches detect a failed link to the Switch 3300 and both activate their links to it. Both links of the resilient link pair then pass traffic, potentially causing a loop in the network.
  • Page 430 Legacy STP (IEEE 802.1D) and RSTP (IEEE 802.1w). The Switch 4200 is using legacy STP. STP reconfigures the network to open the previously blocked link to Switch B. The STP reconfiguration causes all Switch forwarding databases (MAC address tables) to be fast-aged (with RSTP, they are flushed).
  • Page 431 ...Distributed Fabric, will no longer operate and will cause network disruption. Legacy aggregated links are not resilient to an interconnect failure, hence the 3Com recommendation to use IEEE 802.3ad aggregated links (LACP) for maximum resilience. IEEE 802.1D (Legacy STP) and RSTP: the Switch 4200 is using legacy STP.

This manual is also suitable for:

Superstack 4 5500g-ei series