Switch 7700 Configuration Guide http://www.3com.com/ Published October 2003...
3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change. 3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose.
ABOUT THIS GUIDE: Conventions. SYSTEM ACCESS: Product Overview, Function Features, Configuring the Switch 7700, Setting Terminal Parameters, Configuring Through Telnet, Configuring Through a Dial-up Modem, Configuring the User Interface, Command Line Interface, Command Line View, Feature and Functions of the Command Line...
Configure IP Address, Displaying and Debugging an IP Address, Troubleshooting an IP Address Configuration, ARP Configuration, Configure Static ARP, DHCP Relay, Configuring DHCP Relay, Displaying and Debugging DHCP Relay, Troubleshooting a DHCP Relay Configuration, IP Performance, Displaying and Debugging IP Performance, Troubleshooting IP Performance. ROUTING PROTOCOL...
Configure IGMP Snooping, Display and Debug IGMP Snooping, IGMP Snooping Configuration Example, Troubleshooting IGMP Snooping, Common Multicast Configuration, Display and Debug Common Multicast Configuration, IGMP Configuration, Display and Debug IGMP, PIM-DM Configuration, Display and Debug PIM-DM, PIM-DM Configuration Example, PIM-SM Configuration, PIM-SM Operating Principle...
Configuring the BPDU Forwarding Mechanism, Implementing STP on the Switch 7700, Configuring RSTP, Displaying and Debugging RSTP. RADIUS OPERATION: IEEE 802.1x, 802.1x System Architecture, Configuring 802.1x, Displaying and Debugging 802.1x, Configuring the AAA and RADIUS Protocols, Configuring AAA, Configuring the RADIUS Protocol...
Display the State and Information of the System, System Debugging, Testing Tools for Network Connection, Logging Function, SNMP, SNMP Versions and Supported MIB, Configure SNMP, Display and Debug SNMP, RMON, Configure RMON, Display and Debug RMON...
ABOUT THIS GUIDE. This guide describes the 3Com® Switch 7700 and how to configure it. Conventions: Table 1 and Table 2 list conventions that are used throughout this guide. Table 1 Notice Icons (Icon: Notice Type: Description). Information note: Information that describes important features or instructions.
Layer 2/Layer 3 Ethernet switch. It is designed for IP metropolitan area networks (MANs), large enterprise networks, and campus networks. The Switch 7700 has an integrated chassis structure. The chassis contains a card area, a fan area, a power supply area, and a power distribution area. The card area has seven slots.
PING and Tracert. Remote maintenance via Telnet and Modem. Configuring the Switch 7700: On the Switch 7700, you can set up the configuration environment through the console port. To set up the local configuration environment: 1 Plug the DB-9 or DB-25 female plug of the console cable into the serial port of the PC or the terminal from which the switch is to be configured.
Setting Terminal Parameters. To set terminal parameters: 1 Start the PC and select Start > Programs > Accessories > Communications > HyperTerminal. 2 The HyperTerminal window displays the Connection Description dialog box, as shown in Figure 2 (Set up the New Connection). 3 Enter the name of the new connection in the Name field and click OK.
CHAPTER 1: SYSTEM ACCESS. 5 Click OK. The Port Settings tab, shown in Figure 4, displays and you can set the serial port parameters. Set the following parameters: ■ Baud rate = 9600 ■ Data bits = 8 ■ Parity check = none ■...
Figure 5 HyperTerminal Window. 8 In the Properties dialog box, select the Settings tab, as shown in Figure 6. 9 Select VT100 in the Emulation dropdown menu. 10 Click OK. Figure 6 Settings Tab...
Ethernet switch through the console port (using the ip address command in VLAN interface view), and added the port (that connects to a terminal) to this VLAN (using the port command in VLAN view), you can telnet to the Switch 7700 and configure it.
(that connects to a terminal) to this VLAN (using the port command in VLAN view), you can telnet from this Switch 7700 to another Switch 7700 to carry out the configuration, as shown in Figure 10. The local end is the Telnet client and the peer is the Telnet server.
Note: By default, a password is required to authenticate a modem user logging in to the Switch 7700. If a user logs in through the modem when no password has been set, the user sees the message: Password required, but none set. Enter system view, return user view with Ctrl+Z.
Figure 11 Set Up Remote Configuration Environment (modem on the serial port line, telephone line, remote modem; console port; remote telephone 555-5555). 3 Dial for a connection to the switch, using the terminal emulator and modem on the remote end. Dial the telephone number of the modem connected to the Ethernet switch.
■ VTY user interface is used to telnet to the Ethernet switch. Note: For the Switch 7700, the AUX port and the Console port are the same port, so there is only the AUX type of user interface. A user interface is numbered by absolute number or by relative number.
To number the user interface by relative number, represented by interface type + number assigned within each type of user interface: ■ AUX user interface = AUX 0. ■ The first VTY interface = VTY 0, the second one = VTY 1, and so on. ■...
Enabling and Disabling Terminal Service After the terminal service is disabled on a user interface, you cannot log in to the Switch 7700 through the user interface. However, if a user logged in through the user interface before disabling the terminal service, the user can continue operation.
Configure idle-timeout. By default, idle-timeout is enabled and set to 10 minutes on all the user interfaces. The idle-timeout command is described in Table 5. Table 5 Idle Timeout (Operation: Command). Configure idle-timeout: idle-timeout minutes [ seconds ] (idle-timeout 0 disables idle-timeout). Restore the default idle-timeout: undo idle-timeout...
For detailed information, see “AAA and Radius”. Perform username and password authentication when a user logs in through the VTY 0 user interface, and set the username and password to zbr and 3Com respectively: [SW7700-ui-vty0] authentication-mode scheme...
Note: By default, a password is required to authenticate modem and Telnet users when they log in. If the password has not been set, the following message displays when a user logs in: Password required, but none set. If the authentication-mode none command is used, modem and Telnet users are not required to enter a password.
Perform the following configuration in system view. Table 13 Set Command Priority (Operation: Command). Set the command priority in a specified view: command-privilege level level view view command. Restore the default command level in a specified view: undo command-privilege view view command.
■ Local configuration through the console port. ■ Local or remote configuration through Telnet. ■ Remote configuration through a dial-up modem to log in to the Switch 7700. ■ Hierarchical command protection to prevent unauthorized users from accessing the switch.
You can enter the whole keyword or part of it, as long as it is unique and not ambiguous. Command Line View The Switch 7700 provides hierarchy protection for the command lines to prevent unauthorized users from accessing the switch illegally. There are four levels of commands: Visit level —...
Command Line Interface. The command line provides the following views: ■ User view ■ System view ■ Ethernet Port view ■ VLAN view ■ VLAN interface view ■ Local-user view ■ User interface view ■ FTP client view ■ Cluster view ■...
Figure 14 Relation Diagram of the Views (User view; System view; Ethernet port view; User interface view; VLAN view; VLAN interface view; RIP view; OSPF view; OSPF area view; Route policy view; Basic ACL view; Advanced ACL view; Interface-based ACL view; Layer-2 ACL view...)
Table 18 Function Feature of Command View (Command view: Function: Prompt: Command to enter: Command to exit). VLAN interface view: Configure IP interface parameters for a VLAN or a VLAN...: [SW7700-Vlan-interface1]: Key in interface vlan-interface 1 in System view: quit returns to System view; return returns...
Table 18 Function Feature of Command View (continued). Layer-2 ACL view: Define the rule of a layer-2 ACL: [SW7700-acl-link-200]: Key in acl number 200 in System view: quit returns to System view...
-v Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed. STRING<1-20> IP address or hostname of a remote system. IP Protocol. ■ Enter a command with a ?, separated by a space. If this position is for...
Table 20 Retrieve History Command (Operation: Key: Result). Retrieve the previous history command: Up cursor key <↑> or <Ctrl+P>: Retrieves the previous history command, if there is any. Retrieve the next history command: Down cursor key <↓> or <Ctrl+N>: Retrieves the next history command...
■ Ethernet Port Overview ■ Link Aggregation Configuration. Ethernet Port Overview: A brief description of the Switch 7700 I/O modules is given below: ■ 48-port 10/100Base-T auto-sensing fast Ethernet card ■ 8-port 1000Base-X (Gigabit Interface Converter or GBIC) Gigabit Ethernet card ■...
Command: Enter Ethernet port view: interface {Gigabit | Ethernet} slot/subslot/port. Note: In the Switch 7700, the subslot is always 0. Enabling and Disabling Ethernet Ports: The following command can be used to disable or enable the port. After configuring the related parameters and protocol of the port, you can use the following command to enable the port.
Perform the following configuration in Ethernet port view. Table 4 Set Duplex Attribute for Ethernet Port (Operation: Command). Set duplex attribute for Ethernet port: duplex {auto | full | half}. Restore the default duplex attribute of Ethernet port: undo duplex. Note: A 100M electrical Ethernet port can operate in full-duplex, half-duplex or auto-negotiation mode.
Note: The settings only take effect on 10/100Base-T and 10/100/1000Base-T ports. The Switch 7700 only supports auto (auto-sensing). If you set some other type, you will see the prompt “Not support this operation!”. The cable type is auto (auto-recognized) by default. The system will automatically recognize the type of cable connecting to the port.
Setting the Maximum MAC Addresses an Ethernet Port Can Learn. Use the following command to set a limit on the number of MAC addresses learned by the Ethernet port. Once the number of MAC addresses learned by this port reaches the value set by the user, the port will not learn any further MAC addresses.
CHAPTER 2: PORT CONFIGURATION. Adding the Ethernet Port to a VLAN: The following commands are used for adding an Ethernet port to a specified VLAN. An access port can only be added to one VLAN, while hybrid and trunk ports can be added to multiple VLANs.
Table 12 Set the Default VLAN ID for the Ethernet Port (Operation: Command). Restore the default VLAN ID of the trunk port to the default value: undo port trunk pvid. Note: ■ The Trunk port and isolate-user-vlan cannot be configured simultaneously, ...
Link aggregation appears as a single port physically. The Switch 7700 supports 64 link aggregation groups. For the 48-port 10/100BASE-T auto-sensing fast Ethernet interface card, the first 24 ports can be aggregated arbitrarily as long as they are assigned contiguously, meaning port 1, port 2, port 3, and so on.
{master_port_num | all} aggregation. Note: The Ethernet ports to be aggregated should be configured with the same speed and duplex; otherwise, they cannot be aggregated. The Switch 7700 does not support ingress aggregation mode. Display and Debug Link...
Mode: both. Ethernet Link Aggregation Troubleshooting: When configuring link aggregation, you might see a message that the configuration has failed. To address this situation: ■ Check the input parameter and see whether the starting number of the Ethernet...
VLAN CONFIGURATION. VLAN Overview: A virtual local area network (VLAN) groups the devices of a LAN logically, rather than physically, into segments to implement virtual workgroups. Using VLAN technology, network managers can logically divide the physical LAN into different broadcast domains. Every VLAN contains a group of workstations with the same demands.
CHAPTER 3: VLAN CONFIGURATION. Add Ethernet Ports to a VLAN: You can use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN view. Table 2 Add Ethernet Ports to a VLAN (Operation: Command). Add Ethernet ports to a VLAN: port { interface_type interface_num | interface_name [...
Set or Delete VLAN Description Character String. You can use the following command to set or delete the VLAN description character string. The description character strings, such as workgroup name and department name, are used to distinguish the different VLANs. Perform the following configuration in VLAN view.
Perform the following configuration in VLAN interface view. Table 7 Shut Down or Enable a VLAN Interface (Operation: Command). Shut down the VLAN interface: shutdown. Enable the VLAN interface: undo shutdown. Shutting down or enabling the VLAN interface has no effect on the status of the Ethernet ports in the local VLAN.
GARP participants and processes them with the corresponding GARP applications (GVRP or GMRP). GARP and GMRP are described in detail in the IEEE 802.1p standard (which has been added to the IEEE 802.1D standard). The Switch 7700 fully supports GARP in compliance with the IEEE standards. Note: ■ The value of the GARP timer is used in all the GARP applications, including ...
Setting the GARP Timer. GARP timers include the hold, join, leave, and leaveall timers. The GARP participant sends a join message each time the join timer expires, so that other GARP participants can register its attribute values. When the GARP participant wants to remove some attribute values, it sends a leave message.
GVRP is described in detail in the IEEE 802.1Q standard. The Switch 7700 fully supports GARP in compliance with the IEEE standards. The main GVRP configuration steps are: ■ Enable or Disable Global GVRP ...
Perform the following configurations in Ethernet port view. Table 12 Enable/Disable Port GVRP (Operation: Command). Enable port GVRP: gvrp. Disable port GVRP: undo gvrp. GVRP should be enabled globally before it is enabled on the port. GVRP can only be enabled or disabled on a Trunk port.
Table 14 Display and Debug GVRP (Operation: Command). Disable GVRP packet or event debugging: undo debugging gvrp { packet | event }. Example: GVRP Configuration Example. The network requirement is to dynamically register and update VLAN information among switches. Figure 2 GVRP Configuration Example (ports E1/0/1, E2/0/1...)
NETWORK PROTOCOL OPERATION. This chapter covers the following topics: ■ Configure IP Address ■ ARP Configuration ■ DHCP Relay ■ IP Performance. Configure IP Address: An IP address is a 32-bit address represented by four octets. IP addresses are divided into five classes: A, B, C, D and E. The class is determined by the first few bits of the first octet.
CHAPTER 4: NETWORK PROTOCOL OPERATION. With the rapid development of the Internet, IP addresses are being depleted very fast. The traditional IP address allocation method uses up IP addresses with little efficiency. The concepts of mask and subnet were proposed to make full use of the available IP addresses.
1 Enter VLAN interface 1. [3Com] interface vlan 1 2 Configure the IP address for VLAN interface 1. [3Com-vlan-interface1] ip address 129.2.2.1 255.255.255.0 Troubleshooting an IP Address Configuration: If the Ethernet Switch cannot ping a certain host in the LAN: 1 Determine which VLAN includes the port connected to the host.
but not receive the ARP packets, there are probably errors on the Ethernet physical layer. ARP Configuration: An IP address cannot be directly used for communication between network devices because devices can only identify MAC addresses. An IP address is only the address of a host in the network layer.
Figure 2 DHCP Relay Schematic Diagram (DHCP clients on the intranet, switches, DHCP servers). When the DHCP Client performs initialization, it broadcasts the request packet on the local network segment. If there is a DHCP server on the local network segment (e.g.
Configure Corresponding DHCP Server Group of the VLAN Interface. Perform the following configuration in VLAN interface view. Table 7 Configure/Delete the Corresponding DHCP Server Group of VLAN Interface (Operation: Command). Configure the corresponding DHCP server group of the VLAN interface: dhcp-server groupNo. Delete the corresponding DHCP server group of the VLAN interface: undo dhcp-server...
VLAN 3 1.88.255.35 1 Configure the IP addresses corresponding to DHCP Server Group 1. [3Com] dhcp-server 1 ip 1.99.255.36 1.99.255.35 2 Configure DHCP Server Group 1 as the group corresponding to VLAN interface 2. [3Com-VLAN-Interface2] dhcp-server 1 3 Configure the IP address corresponding to DHCP Server Group 2.
<3Com> display dhcp-server 1 9 Show the DHCP Server Group number corresponding to the VLAN interface in User view. <3Com> display dhcp-server interface vlan-interface 2 <3Com> display dhcp-server interface vlan-interface 3 Troubleshooting a DHCP Relay Configuration: If a user cannot obtain an IP address dynamically, perform the following procedure:...
IP Performance. TCP attributes to be configured include: ■ synwait timer: When sending SYN packets, TCP starts the synwait timer. If response packets are not received before the synwait timer expires, the TCP connection is terminated.
■ Debug and trace the packets of a TCP connection that has this device as one end. Operations include: <3Com> terminal debugging <3Com> debugging tcp packet Then the TCP packets received or sent can be checked in real time. Specific packet formats include: TCP output packet: Source IP address: 202.38.160.1 Source port: 1024 Destination IP address: 202.38.160.1...
ROUTING PROTOCOL OPERATION. This chapter covers the following topics: ■ IP Routing Protocol Overview ■ Static Routes ■ ■ OSPF ■ IP Routing Policy. IP Routing Protocol Overview: Routers select an appropriate path through a network for an IP packet according to the destination address of the packet.
CHAPTER 5: ROUTING PROTOCOL OPERATION. Figure 1 About Hops (route segment). Networks can have different sizes, so the lengths of the segments connecting two different pairs of routers are also different. If a router in a network is regarded as a node and a route segment in the Internet is regarded as a link, message routing in the Internet works in a similar way to message routing in a conventional network.
Routing Management Policy: The Switch 7700 supports the configuration of a series of dynamic routing protocols such as RIP and OSPF, as well as static routes. The static routes configured by the user are managed together with the dynamic routes discovered by the routing protocols.
As the algorithms of various routing protocols are different, different protocols can generate different routes. This situation creates the problem of how to resolve different routes being generated by different routing protocols. The Switch 7700 supports an operation of importing the routes generated by one routing protocol into another routing protocol.
Static Routes. The following routes are static routes: ■ Reachable route — The normal route, in which the IP packet is sent to the next hop indicated by the route matching the destination. It is a common type of static route.
The IP address and mask use a dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask. ■ Transmitting interface or next hop address ...
Table 4 Display and Debug the Routing Table (Operation: Command). View the routes filtered through the specified basic access control list (ACL): display ip routing-table acl { acl-number | acl-name } [ verbose ]. View the route information that passes the specified IP prefix list: display ip routing-table ip-prefix ip-prefix-number [ verbose ]...
Using this procedure, all the hosts or switches in Figure 3 can be interconnected in pairs. Static Route Fault Diagnosis and Troubleshooting: The Switch 7700 is not configured with a dynamic routing protocol, and both the physical status and the link layer protocol status of the interface are up, but IP packets cannot be forwarded normally.
■ Route tag — Indicates whether the route is generated by an interior routing protocol or by an exterior routing protocol. The whole process of RIP startup and operation can be described as follows: 1 If RIP is enabled on a router for the first time, the router broadcasts a request packet to adjacent routers.
Enable RIP and Enter the RIP View. Perform the following configurations in system view. Table 5 Enable RIP and Enter the RIP View (Operation: Command). Enable RIP and enter the RIP view: rip. Disable RIP: undo rip. By default, RIP is not enabled.
Usually, this command is not recommended, because the opposite side does not need to receive the same message twice. Note that the peer command is also subject to the restrictions of the rip work, rip output, rip input and network commands.
Perform the following configuration in VLAN interface view. Table 10 Specify the Operating State of the Interface (Operation: Command). Enable the interface to run RIP: rip work. Disable the interface from running RIP: undo rip work. Enable the interface to receive RIP update packets: rip input...
Perform the following configurations in RIP view. Table 12 Route Aggregation (Operation: Command). Activate the automatic aggregation function of RIP-2: summary. Disable the automatic aggregation function of RIP-2: undo summary. RIP-2 uses the route aggregation function by default. Set RIP-2 Packet Authentication: RIP-1 does not support packet authentication.
Perform the following configuration in VLAN interface view. Table 14 Configure Split Horizon (Operation: Command). Enable split horizon: rip split-horizon. Disable split horizon: undo rip split-horizon. By default, split horizon is enabled on the interface. Configure RIP to Import Routes of Other Protocols: RIP allows users to import the route information of other protocols into the routing table.
Perform the following configurations in RIP view. Table 17 Set the RIP Preference (Operation: Command). Set the RIP preference: preference value. Restore the default value of the RIP preference: undo preference. By default, the preference of RIP is 100. Set Additional Routing Metric: The additional routing metric is the input or output routing metric added to a RIP route.
Table 19 Configure RIP to Filter Routes (Operation: Command). Cancel filtering of the received routing information distributed by the specified address: undo filter-policy gateway ip-prefix-name import. Configure filtering of the received global routing information: filter-policy { acl-number | ip-prefix ip-prefix-name } import. Cancel filtering of the received global...
[Switch C-rip] network 110.11.2.0 RIP Fault Diagnosis and Troubleshooting: 1 The Switch 7700 cannot receive update packets when the physical connection to the peer routing device is normal. ■ RIP does not operate on the corresponding interface (for example, if the ...
■ Scope — Supports networks of various sizes, up to several hundred routers. ■ Fast convergence — Transmits update packets immediately after the network topology changes, so the change is synchronized throughout the AS. ■ Loop-free —...
OSPF. When two routers synchronize their databases, they use DD packets to describe their own Link State Databases (LSDBs), including the digest of each LSA. The digest refers to the header of an LSA, which can be used to uniquely identify the LSA.
topology becomes more likely to change. Hence, the network is always in “turbulence”, and a large number of OSPF packets are generated and transmitted in the network. This consumes network bandwidth. In addition, each change causes all the routers on the network to recalculate the routes.
■ Configure NSSA of OSPF ■ Configure the Route Summarization of OSPF Area ■ Configure OSPF Virtual Link ■ Configure Route Summarization Imported into OSPF ■ Configure the OSPF Area to Support Packet Authentication ■ Configure OSPF Packet Authentication ■ Configure OSPF to Import the Routes of Other Protocols ■...
Perform the following configuration in OSPF Area view. Table 23 Specify Interface (Operation: Command). Specify an interface to run OSPF: network ip-address ip-mask. Disable OSPF on the interface: undo network ip-address ip-mask. You must specify the segment to which OSPF will be applied after enabling the OSPF task.
the sending of polling hello packets before the adjacency of the neighboring routers is formed. ■ Configure the interface type to nonbroadcast on a broadcast network without multi-access capability. ■ Configure the interface type to P2MP if not all the routers are directly ...
Set the Interface Priority for DR Election. The priority of the router interface determines the qualification of the interface for DR election; a router with a higher priority is considered first if there is a conflict in the election.
broadcasting the Hello packets, you must manually specify an IP address for the adjacent router on the interface, and whether the adjacent router is eligible for election. This can be done by configuring the peer ip-address command. If dr-priority-number is not specified, the adjacent router will be regarded as ineligible.
Table 30 Set a Dead Timer for the Neighboring Routers (Operation: Command). Restore the default dead interval of the neighboring routers: undo ospf timer dead. By default, the dead interval for the neighboring routers of P2P or broadcast interfaces is 40 seconds, and for the neighboring routers of P2MP or NBMA interfaces it is 120 seconds.
Note that an LSA retransmission interval that is too small will cause unnecessary retransmissions. Set a Shortest Path First (SPF) Calculation Interval for OSPF: Whenever the OSPF LSDB changes, the shortest path requires recalculation. Calculating the shortest path after every change consumes enormous resources and affects the operating efficiency of the router.
Table 34 Configure an OSPF STUB Area (Operation: Command). Remove the cost of the default route to the STUB area: undo default-cost. By default, the STUB area is not configured, and the cost of the default route to a STUB area is 1.
Table 35 Configure NSSA of OSPF (Operation: Command). Restore the default cost value of the route to the NSSA area: undo default-cost. All routers connected to the NSSA must use the nssa command to configure the area with the NSSA attribute. The default-route-advertise parameter is used to generate the default type-7 LSAs.
Perform the following configuration in OSPF Area view. Table 36 Configure the Route Summarization of an OSPF Area (Operation: Command). Configure the route summarization of an OSPF area: abr-summary ip-address mask [ advertise | not-advertise ]. Cancel route summarization of an OSPF area: undo abr-summary ip-address mask...
10 seconds, retransmit is 5 seconds, trans-delay is 1 second, and the dead timer is 40 seconds. Configure Route Summarization Imported into OSPF The OSPF implementation in the Switch 7700 supports route summarization of imported routes. Perform the following configurations in OSPF view.
Perform the following configuration in VLAN interface view. Table 40 Configure OSPF Packet Authentication (Operation: Command). Configure the interface to use simple authentication: ospf authentication-mode simple password. Disable simple authentication on the interface: undo ospf authentication-mode simple. Configure the interface to use MD5 authentication: ospf authentication-mode md5 key_id key...
Perform the following configuration in OSPF view. Table 41 Configure OSPF to Import the Routes of Other Protocols (Operation: Command). Configure OSPF to import routes of other protocols: import-route protocol [ cost value ] [ type value ] [ tag value ] [ route-policy route-policy-name ]. Cancel importing routing information: undo import-route protocol...
Configure OSPF to Import the Default Route. The import-route command cannot be used to import the default route. Using the default-route-advertise command, you can import the default route into the routing table. Perform the following configuration in OSPF view. Table 43 Configure OSPF to Import the Default Route (Operation: Command)...
By default, OSPF does not filter the imported and distributed routing information. For a detailed description, see “IP Routing Policy”. Configure Filling the MTU Field When an Interface Transmits DD Packets: OSPF-running routers use DD (Database Description) packets to describe their own LSDBs when synchronizing the databases.
Example: OSPF Configuration: Configuring DR Election Based on OSPF Priority. In this example, four Switch 7700 routers, Switch A, Switch B, Switch C, and Switch D, which can perform router functions and run OSPF, are located on the same segment, as shown in Figure 6.
Figure 6 Configuring DR Election Based on OSPF Priority (Switch A, Switch B, Switch C and Switch D with router IDs 1.1.1.1, 2.2.2.2, 3.3.3.3 and 4.4.4.4, and interface addresses 196.1.1.1/24, 196.1.1.2/24, 196.1.1.3/24 and 196.1.1.4/24 on the same segment). The commands listed in the following examples enable Switch A and Switch C to become the DR and BDR respectively.
On Switch A, execute the display ospf peer command to display the OSPF neighbors. Note that Switch A has three neighbors. The state of each neighbor is full, which means that an adjacency is set up between Switch A and each neighbor.
■ If the physical link and the lower layer protocol are normal, check the OSPF parameters configured on the interface. The parameters should be the same as those configured on the router adjacent to the interface. The same area ID should be used, and the networks and the masks should also be consistent.
The rules can be set in advance and then used in the routing policy to advertise, receive, and import the route information. Routing Information Filters: The Switch 7700 supports four kinds of filters: route-policy, acl, ip-prefix, and community-list. The following sections introduce these filters: ■ Route Policy ...
...gateway options and require it to receive only the routing information distributed by certain routers. An ip-prefix list is identified by its name. Each ip-prefix list can include multiple items; each item independently specifies a range of network prefixes to match and is identified by an index number.
IP Routing Policy
The deny argument specifies that the apply clauses are not executed. If a route satisfies all the if-match clauses of a deny node, the node denies the route and the route is not tested against the next node. If the route does not satisfy all the if-match clauses of the node, it goes on to be tested by the next node.
Table 51 Define If-match Conditions
Match the tag field of OSPF routing information: if-match tag value
Cancel matching on the tag field of OSPF routing information: undo if-match tag
By default, no matching is performed. Note that the if-match clauses for a node in the route policy require that the route...
IP Routing Policy
Table 52 Define Apply Clauses
Cancel the route origin of BGP routing information: undo apply origin
Set the tag field of OSPF routing information: apply tag value
Cancel the tag field of OSPF routing information: undo apply tag
By default, no apply clauses are defined.
Perform the following configurations in system view.
Table 54 Define Prefix-list
Define a prefix list: ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } network len [ greater-equal greater-equal ] [ less-equal less-equal ]
Remove a prefix list: undo ip ip-prefix ip-prefix-name [ index index-number |...
IP Routing Policy
Perform the following configuration in routing protocol view.
Table 56 Configure Filtering of Distributed Routes
Configure the protocol to filter the routes it distributes: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ routing-process ]
Cancel the filtering of the routes distributed by the protocol: undo filter-policy { acl-number | ip-prefix...
[Figure 9: Filtering Received Routing Information. Switch A (1.1.1.1) and Switch B (2.2.2.2) in area 0; static routes 20.0.0.1/8, 30.0.0.1/8 and 40.0.0.1/8.]
Configure Switch A:
1 Configure the IP addresses of the VLAN interfaces.
[Switch A] interface vlan-interface 100
[Switch A-Vlan-interface100] ip address 10.0.0.1 255.0.0.0
[Switch A] interface vlan-interface 200
[Switch A-Vlan-interface200] ip address 12.0.0.1 255.0.0.0...
IP Routing Policy
The if-match mode of at least one node of the route policy should be permit. When a route policy is used to filter routing information, a route that does not pass the filtering of any node fails the filtering of the route policy as a whole.
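The prefix-list syntax in Table 54 and the node semantics described above (deny nodes, permit nodes, fall-through to the next node, and rejection when no node matches) fit together in one small evaluator. The following Python is an added example, not code from the 3Com guide: the prefix list, the two-node policy and the routes are constructed for illustration, and the rule that a route matching no prefix-list item is denied is an assumption consistent with the usual implementation of ip-prefix lists.

```python
"""Prefix-list matching and route-policy node evaluation as the guide describes them.

Added example, not from the 3Com guide. The configuration below is constructed;
the implicit deny for a route matching no prefix-list item is an assumption.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network
from typing import Optional


@dataclass(frozen=True)
class PrefixItem:
    index: int
    action: str                 # "permit" or "deny"
    network: str                # network/len, e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # greater-equal
    le: Optional[int] = None    # less-equal


def prefix_list_permits(items, prefix):
    """Walk items in index order; the first item whose range covers the route decides."""
    route = IPv4Network(prefix)
    for item in sorted(items, key=lambda i: i.index):
        base = IPv4Network(item.network)
        # Without ge/le an item is an exact-length match; ge alone extends the range to /32.
        lo = item.ge if item.ge is not None else base.prefixlen
        hi = item.le if item.le is not None else (32 if item.ge is not None else base.prefixlen)
        if route.subnet_of(base) and lo <= route.prefixlen <= hi:
            return item.action == "permit"
    return False    # no item matched: assumed implicit deny


@dataclass(frozen=True)
class Route:
    prefix: str
    tag: int = 0


@dataclass(frozen=True)
class Node:
    mode: str                           # "permit" or "deny"
    match_prefix: Optional[str] = None  # if-match ip-prefix <name>
    match_tag: Optional[int] = None     # if-match tag <value>
    apply_tag: Optional[int] = None     # apply tag <value>


def route_policy(nodes, prefix_lists, route):
    """Return (passed, route). A node matches only when all its if-match clauses hold:
    a matching deny node rejects the route and stops, a matching permit node runs its
    apply clauses and accepts, a non-matching node hands the route to the next node,
    and running out of nodes rejects the route."""
    for node in nodes:
        conditions = []
        if node.match_prefix is not None:
            conditions.append(prefix_list_permits(prefix_lists[node.match_prefix], route.prefix))
        if node.match_tag is not None:
            conditions.append(route.tag == node.match_tag)
        if all(conditions):             # a node with no if-match clause matches everything
            if node.mode == "deny":
                return False, route
            if node.apply_tag is not None:
                route = replace(route, tag=node.apply_tag)
            return True, route
    return False, route


# Constructed configuration: inside 10/8, refuse /24 and longer, accept /8 to /23.
PREFIX_LISTS = {
    "p1": [
        PrefixItem(10, "deny", "10.0.0.0/8", ge=24),     # /24 .. /32 within 10/8
        PrefixItem(20, "permit", "10.0.0.0/8", le=24),   # /8 .. /24 within 10/8
    ]
}
POLICY = [
    Node("deny", match_tag=666),                          # node 10: drop routes carrying tag 666
    Node("permit", match_prefix="p1", apply_tag=100),     # node 20: accept and retag
]


def evaluate(prefix, tag=0):
    return route_policy(POLICY, PREFIX_LISTS, Route(prefix, tag))
```

Item order matters: the deny item at index 10 is tested before the permit item at index 20, so 10.1.1.0/24 is refused even though the permit item's range (/8 to /24) would also cover it. Reversing the indexes would silently let the /24 through, which is the kind of mistake a review of a real filter-policy should look for.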
Chapter 6: Multicast Protocol
This chapter includes information on the following:
IP Multicast Overview
GMRP
IGMP Snooping
Common Multicast Configuration
IGMP Configuration
PIM-DM Configuration
PIM-SM Configuration

IP Multicast Overview
Several transmission methods can be used to deliver information (including data, voice and video) to multiple destinations on a network.
[Figure 1: Comparison Between the Unicast and Multicast Transmission (a server and several receivers, shown once for unicast and once for multicast).]
Note: A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously.
IP Multicast Overview
Ranges and meanings of Class D addresses are shown in Table 1.
Table 1 Ranges and Meanings of Class D Addresses
224.0.0.0 to 224.0.0.255: Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved; the other addresses can be used by routing protocols.
[Figure 2: Mapping Between the Multicast IP Address and the Ethernet MAC Address. Of the 32-bit IP address, 5 bits are not mapped and the lower 23 bits are copied directly into the 48-bit MAC address.]
Only 23 of the last 28 bits of the IP multicast address are mapped to the MAC address.
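Because 5 bits are dropped, 32 different group addresses share each Ethernet MAC address, which matters when a filter or a snooping table keys on the MAC instead of the IP group. The following Python is an added example, not code from the 3Com guide; the group addresses it uses are constructed.

```python
"""IPv4 multicast group to Ethernet MAC mapping and the 32:1 collision it creates.

Added example, not from the 3Com guide. Group addresses used here are constructed.
"""
from ipaddress import IPv4Address

MCAST_OUI = 0x01005E000000   # 01:00:5e:00:00:00; bit 23 of the MAC is always 0


def multicast_mac(group: str) -> str:
    """Copy the low 23 bits of a class D address into 01:00:5e:xx:xx:xx."""
    addr = int(IPv4Address(group))
    if addr >> 28 != 0b1110:
        raise ValueError(f"{group} is not a class D (224.0.0.0/4) address")
    mac = MCAST_OUI | (addr & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> list:
    """All 32 class D addresses that map to the same MAC as `group`.

    The five bits the mapping drops are the low four bits of the first octet
    (224..239) and the high bit of the second octet."""
    low23 = int(IPv4Address(group)) & 0x7FFFFF
    return [str(IPv4Address((0b1110 << 28) | (hi4 << 24) | (bit7 << 23) | low23))
            for hi4 in range(16) for bit7 in (0, 1)]


def shares_mac(a: str, b: str) -> bool:
    """True when a Layer 2 filter on the destination MAC cannot tell a and b apart."""
    return multicast_mac(a) == multicast_mac(b)


if __name__ == "__main__":
    print("224.1.1.1 ->", multicast_mac("224.1.1.1"))
    print("groups sharing that MAC:", ", ".join(colliding_groups("224.1.1.1")))
```

The practical consequence: a host that has joined 224.1.1.1 also receives frames for 225.1.1.1 or 239.129.1.1 at the NIC level, and a switch that forwards on the MAC alone leaks those groups to it. Distinguishing them has to happen on the IP group, which is why the snooping and IGMP filtering sections later in this chapter work with group addresses.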
IP Multicast Overview
...resources (such as bandwidth and router CPU) are consumed. To reduce the consumption of these network resources, branches that have no members send Prune messages toward the source to cut off the unwanted traffic. So that receivers can still obtain the multicast stream, the pruned branches are periodically restored to the forwarding state.
Application of Multicast
IP multicast technology effectively solves the problem of forwarding packets from a single point to multiple points. It implements efficient point-to-multipoint data transmission in IP networks, saving a large amount of network bandwidth and reducing network load.
GMRP
By default, GMRP is disabled.
Enabling/Disabling GMRP on the Port
Perform the following configuration in Ethernet port view.
Table 4 Enabling/Disabling GMRP on the Port
Enable GMRP on the port: gmrp
Disable GMRP on the port: undo gmrp
GMRP must be enabled globally before it can be enabled on a port.
IGMP Snooping runs on the link layer. When receiving IGMP messages, the Layer 2 Switch 7700 uses IGMP Snooping to analyze them. If the switch hears an IGMP host report message from an IGMP host, it adds the host's port to the corresponding multicast table.
...IGMP report message before the timer expires, it removes the port from the multicast member ports. The Switch 7700 runs IGMP Snooping to listen to IGMP messages and map hosts and their ports to the corresponding multicast group address. To implement...
Switch 7700 will reset the aging timer of the port. When a port other than a router port receives the IGMP general query message, the Switch 7700 will notify the multicast router that a port is ready to join a multicast group and starts the aging timer for the port.
By default, the port aging time is 260s.
Configuring Maximum Response Time
This task sets the maximum response time. If the Switch 7700 receives no report message from a port within the maximum response time, it removes the port from...
Perform the following configuration in system view.
Table 8 Configuring the Maximum Response Time
Configure the maximum response time: igmp-snooping max-response-time seconds
Restore the default setting: undo igmp-snooping max-response-time
By default, the maximum response time is 10 seconds.
Configure Aging Time of Multicast Group Member
This task sets the aging time of the multicast group member port.
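The two timers above interact: a report restarts a member port's 260-second aging timer, and a general query shortens the remaining time on every member port to the 10-second maximum response time, so a port whose host stays silent after a query is dropped long before its aging time would have expired. The following Python is an added example, not code from the 3Com guide; the port names, group and event timeline are constructed.

```python
"""Member-port state kept by IGMP snooping, driven by the two timers the guide
describes: the member-port aging time (260 s default) and the maximum response
time (10 s default) that follows a general query.

Added example, not from the 3Com guide. The timeline below is constructed; times
are seconds.
"""
from collections import defaultdict


class IgmpSnooper:
    def __init__(self, member_aging=260, max_response=10):
        self.member_aging = member_aging
        self.max_response = max_response
        # group -> {port: time at which the port is removed unless a report arrives}
        self.deadline = defaultdict(dict)

    def _age(self, now):
        for group in list(self.deadline):
            for port, when in list(self.deadline[group].items()):
                if now >= when:
                    del self.deadline[group][port]
            if not self.deadline[group]:
                del self.deadline[group]

    def report(self, now, port, group):
        """An IGMP membership report (re)starts the port's aging timer."""
        self._age(now)
        self.deadline[group][port] = now + self.member_aging

    def general_query(self, now):
        """After a general query every member port must answer within max_response,
        so each deadline is pulled forward to the end of the response window."""
        self._age(now)
        for ports in self.deadline.values():
            for port in ports:
                ports[port] = min(ports[port], now + self.max_response)

    def member_ports(self, now, group):
        self._age(now)
        return sorted(self.deadline.get(group, {}))


def replay(events, snooper=None):
    """Apply (time, kind, ...) events in time order and return the snooper."""
    snooper = snooper or IgmpSnooper()
    for event in sorted(events, key=lambda e: e[0]):
        if event[1] == "report":
            snooper.report(event[0], event[2], event[3])
        elif event[1] == "query":
            snooper.general_query(event[0])
        else:
            raise ValueError(f"unknown event {event[1]}")
    return snooper


# Constructed timeline: two hosts join 224.1.1.1; the general query at t=100 is
# answered only by the host behind Ethernet1/0/1.
TIMELINE = [
    (0, "report", "Ethernet1/0/1", "224.1.1.1"),
    (5, "report", "Ethernet1/0/2", "224.1.1.1"),
    (100, "query"),
    (105, "report", "Ethernet1/0/1", "224.1.1.1"),
]


def ports_at(now, events=TIMELINE, group="224.1.1.1"):
    """Member ports of `group` at time `now`, considering only events up to `now`."""
    return replay([e for e in events if e[0] <= now]).member_ports(now, group)


if __name__ == "__main__":
    for t in (50, 109, 110, 364, 365):
        print(f"t={t:3d}s members:", ports_at(t))
```

Without the query at t=100 the silent port would have lingered until its own 260-second timer ran out; with it, the port is gone at t=110. That is also why a working querier on the segment is a prerequisite for snooping to track departures promptly.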
Common Multicast Configuration
[Figure 7: IGMP Snooping Configuration Network: Internet, Router, Multicast Switch.]
1 Display the status of GMRP.
<SW7700> display gmrp status
2 Display the current status of IGMP Snooping when GMRP is disabled.
<SW7700> display igmp-snooping configuration
3 Enable IGMP Snooping if it is disabled.
[SW7700] igmp-snooping enable
Troubleshooting IGMP Snooping
If the multicast function cannot be implemented on the switch, check for the...
Common Multicast Configuration
Common multicast configuration includes:
Enabling multicast
Enabling Multicast
Enable multicast before enabling the multicast routing protocol. Enabling multicast automatically enables IGMP on all interfaces. Perform the following configuration in system view.
Table 11 Enabling Multicast: Operation / Command...
IGMP Configuration
IGMP (Internet Group Management Protocol) is the protocol in the TCP/IP suite responsible for managing IP multicast group membership. It is used to establish and maintain multicast membership between IP hosts and their directly connected multicast routers. IGMP does not cover the exchange and maintenance of multicast routing information among routers; that is the job of the multicast routing protocols.
...multicast group. This prevents hosts that are members of other multicast groups from sending response messages.
Max response time
The Max Response Time was added in IGMP Version 2. It dynamically adjusts the maximum time a host is allowed to take to respond to a membership query message.
IGMP Configuration
Limiting Access to IP Multicast Groups
A multicast router learns whether a multicast group has members on the network from the IGMP membership messages it receives. A filter can be set on an interface to limit the range of allowed multicast groups. Perform the following configuration in VLAN-interface view.
Configuring the IGMP Querier Present Timer
The IGMP querier present timer defines how long the router waits, after the last query heard from another querier, before it takes over as the querier. Perform the following configuration in VLAN interface view.
Table 17 Configure the IGMP Querier Present Timer
Change the IGMP querier present...
...independent of any particular unicast routing protocol, such as the routing information learned by RIP and OSPF.
Assert mechanism
As shown in the following figure, both routers A and B on the LAN have their own receiving paths to multicast source S.
PIM-DM Configuration
Perform the following configuration in VLAN interface view.
Table 20 Enable PIM-DM
Enable PIM-DM on an interface: pim dm
Disable PIM-DM on an interface: undo pim dm
It is recommended that you configure PIM-DM on all interfaces except in special cases. This configuration takes effect only after multicast routing is enabled in system view.
[Figure 10: RPT Schematic Diagram: multicast source S, receiver join, multicast source registration.]
Multicast Source Registration
When multicast source S sends a multicast packet to group G, the PIM-SM multicast router is responsible for encapsulating the packet in a Register message upon receipt.
PIM-SM Configuration
...calculate the RPs corresponding to multicast groups using the same algorithm after receiving the C-RP messages advertised by the BSR. Note that one RP can serve multiple multicast groups or all multicast groups, but each multicast group maps to only one RP at a time, never to several.
Once PIM-SM is enabled on an interface, PIM-DM cannot be enabled on the same interface.
Configure the Interface Hello Message Interval
PIM-SM periodically advertises Hello messages on the interfaces on which it is enabled, to detect PIM neighbors and discover which router is the Designated Router (DR).
PIM-SM Configuration
Using the undo pim command, you can clear the configuration in PIM view and return to system view.
Configure Candidate-BSRs
In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among the candidate BSRs. The BSR is responsible for collecting and advertising RP information.
...multicast group in the specified range. It is suggested that you configure the Candidate RP on a backbone router.
Configure RP to Filter the Register Messages Sent by DR
In a PIM-SM network, the register message filtering mechanism controls which sources may send to which groups at the RP; that is, the RP can filter the Register messages sent by the DR and accept only the specified ones.
PIM-SM Configuration
Table 31 Display and Debug PIM-SM
Display the RP information: display pim rp-info [ group-address ]
Enable PIM-SM debugging: debugging pim sm { all | mbr | register-proxy | mrt | timer | warning | { recv | send } { assert | graft | graft-ack | join | prune } }
Disable PIM-SM debugging: undo debugging pim sm { all | mbr | register-proxy | mrt |...
[SW7700] vlan 12
[SW7700-vlan12] port Ethernet 1/0/6 to Ethernet 1/0/7
[SW7700-vlan12] quit
[SW7700] pim
[SW7700-pim] interface vlan-interface 12
[SW7700-vlan-interface12] pim sm
[SW7700-vlan-interface12] quit
2 Configure the threshold at which a multicast group switches from the shared tree (RPT) to the shortest path tree (SPT) as 10 kbps.
Chapter 7: QoS/ACL Operation
ACL Overview
Network devices need a series of matching rules to identify the packets to be filtered. Having identified a packet, the switch permits or denies it according to the defined policy. The Access Control List (ACL) is used to implement these functions.
If the port numbers are in the same range, the configuration sequence is used.
ACL Supported by Ethernet Switch
For the Switch 7700, ACLs are divided into the following categories:
Numbered basic ACL...
The end time must be later than the start time.
Selecting the ACL Mode
The Switch 7700 operates in only one of two modes, ip-based or link-based. In link-based mode, only L2 ACLs can be defined, activated, and cited by other applications.
Note: If a specific time range is not defined, the ACL is always in effect once it is activated. While defining an ACL, you can use the rule command several times to define multiple rules for it. If the ACL is used to filter or classify data forwarded by the switch hardware, the match order defined in the acl command is not effective.
Numbered interface ACLs are identified with numbers ranging from 1000 to 1999.
Notes: The Switch 7700 has no Layer 3 physical interfaces, only Layer 3 VLAN virtual interfaces. Therefore, when the command line prompts for the input interface type, you can only select Vlan-interface; otherwise the system displays a failure message.
...CPU. Match statistics for the data forwarded by the switch can be displayed with the display qos-info traffic-statistic command. For the syntax of these commands, see the "3Com Router Command Reference Guide".
Define the work time range:
1 Set the time range from 8:00 to 18:00.
[SW7700] time-range 3com 8:00 to 18:00
Define the ACL to access the payment server:
1 Enter the name of the advanced ACL.
[SW7700] acl name traffic-of-payserver advanced match-order config
2 Set the rules for other departments to access the payment server.
...out (FIFO) policy. Switches and routers make their best effort to transmit packets to the destination, with no commitment or guarantee regarding reliability, delay, or other performance requirements. Ethernet technology is currently the most widely used network technology.
The port rate limit is a port-based limit on the overall rate of packet output on the port.
Traffic Priority
The Switch 7700 can deliver priority tag service for particular packets. The tags include TOS, DSCP and 802.1p, which can be used and defined in different QoS modules.
With flow-based traffic counting, you can request a traffic count to count and analyze packets. When congestion reaches a certain degree, the Switch 7700 selects some frames to drop using the RED (Random Early Detection) algorithm, which alleviates excessive congestion.
} [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
The Switch 7700 supports tagging packets with IP precedence (specified by ip-precedence in the traffic-priority command) or DSCP (specified by dscp in the traffic-priority command).
} [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
For details about the command, refer to the "3Com Command Reference Guide".
Configure Bandwidth Assurance
Bandwidth Assurance guarantees bandwidth for specified traffic.
{ acl-number | acl-name } [ rule rule ] }
Display the statistics information: display qos-info traffic-statistic
For details about the command, refer to the "3Com Command Reference Guide".
Display and Debug QoS
After you configure QoS, execute the display command in any view to display the running QoS configuration and verify the effect of the configuration.
} [ rule rule ] | link-group { acl-number | acl-name } [ rule rule ] }
For output and description of the related commands, refer to the "3Com Command Reference Guide".
The interconnection between different departments on a company network is...
User Logon ACL Control Configuration
At the first level, the user connection is controlled with an ACL filter, so that only permitted source addresses can connect to the switch. At the second level, a connected user can log on to the device only after passing password authentication. This chapter describes how to configure the first level of security control: filtering logon users with an ACL.
Call an ACL: acl acl-number { inbound | outbound } (in user-interface view)
For more information about the command, refer to the "3Com Command Reference Guide".
Note: Only a numbered basic ACL can be called for TELNET user control.
Figure 4 illustrates a configuration that controls TELNET users with an ACL.
Note: You can call different ACLs for these commands. Only a numbered basic ACL can be called for network management user control. For more about the commands, refer to the "3Com Command Reference Guide".
Example: Controlling SNMP Users with ACL
Figure 5 illustrates a configuration that controls SNMP users with an ACL.
[SW7700-acl-basic-21] quit
[SW7700] acl number 22 match-order config
[SW7700-acl-basic-22] rule 1 permit source 10.110.100.55 0
[SW7700-acl-basic-22] quit
2 Call the basic ACLs.
[SW7700] snmp-agent community public read acl 20
[SW7700] snmp-agent group v2c 3comgroup acl 21
[SW7700] snmp-agent usm-user v2c 3comuser 3comgroup acl 22...
Chapter 8: STP Operation
STP Overview
Spanning Tree Protocol (STP) is applied in a looped network to block undesirable redundant paths by means of certain algorithms, pruning the network into a loop-free tree and so preventing packets from proliferating and cycling endlessly in the loop.
[Figure residue: Switch B, E1/0/4, E1/0/1.]
Calculating the STP Algorithm
The following example illustrates the calculation process of STP. Figure 2 below illustrates the network.
[Figure 2: Switch 7700 Networking. Switch A with priority 0, Switch B with priority 1, ports E1/0/1, E1/0/2, E1/0/7...]
Implementing STP
Configuration BPDU of Ethernet 1/0/7: {1, 0, 1, e1/0/7}
Configuration BPDU of Ethernet 1/0/4: {1, 0, 1, e1/0/4}
Switch C
Configuration BPDU of Ethernet 1/0/1: {2, 0, 2, e1/0/1}
Configuration BPDU of Ethernet 1/0/5: {2, 0, 2, e1/0/5}
Selecting the Optimum Configuration BPDU
Every switch transmits its configuration BPDU to the others.
Configuration BPDU of Ethernet 1/0/1: {0, 0, 0, e1/0/1}
Configuration BPDU of Ethernet 1/0/2: {0, 0, 0, e1/0/2}
Switch B
Ethernet 1/0/7 receives the configuration BPDU from Switch A and finds that the received BPDU has a higher priority than its own, so it updates its configuration BPDU.
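The comparison the text walks through by hand, {root ID, root path cost, designated bridge ID, designated port} with the lower value winning at each position, is what decides root, designated and blocked ports everywhere in the tree. The following Python is an added example, not code from the 3Com guide: it uses the priorities from Figure 2 (Switch A 0, Switch B 1, Switch C 2) and the port numbers from the BPDU listing, but the three links joining them and the equal path cost of 1 per link are assumptions, since the figure's cabling is cut off in this extract.

```python
"""Configuration-BPDU comparison and root/designated/alternate port selection.

Added example, not from the 3Com guide. Bridge IDs are the priorities from Figure 2;
the links and the uniform path cost are assumptions.
"""
from collections import defaultdict


def stp_roles(bridges, links, path_cost=1):
    """bridges: {name: bridge id}; links: [((bridge, port), (bridge, port))].
    Returns {(bridge, port): "root" | "designated" | "alternate"}."""
    peer = {}
    for end_a, end_b in links:
        peer[end_a], peer[end_b] = end_b, end_a
    ports = defaultdict(list)
    for bridge, port in peer:
        ports[bridge].append(port)

    # The BPDU each port would send: (root id, root path cost, sender bridge id, sender port).
    # Initially every bridge claims to be root.
    sending = {(b, p): (bridges[b], 0, bridges[b], p) for b, p in peer}
    roles = {}
    while True:
        new_sending, new_roles = {}, {}
        for bridge, plist in ports.items():
            received = {p: sending[peer[(bridge, p)]] for p in plist}
            own = (bridges[bridge], 0, bridges[bridge], "")
            best_port = min(plist, key=lambda p: received[p])
            if received[best_port] < own:
                # Somebody advertises a better root: adopt it through that port.
                root = received[best_port][0]
                cost = received[best_port][1] + path_cost
                root_port = best_port
            else:
                root, cost, root_port = bridges[bridge], 0, None
            for p in plist:
                mine = (root, cost, bridges[bridge], p)
                if p == root_port:
                    new_roles[(bridge, p)] = "root"
                elif mine < received[p]:
                    new_roles[(bridge, p)] = "designated"
                else:
                    new_roles[(bridge, p)] = "alternate"   # blocked
                new_sending[(bridge, p)] = mine
        if new_sending == sending and new_roles == roles:
            return roles
        sending, roles = new_sending, new_roles


# Constructed topology consistent with the guide's BPDU listing.
BRIDGES = {"Switch A": 0, "Switch B": 1, "Switch C": 2}
LINKS = [
    (("Switch A", "1/0/1"), ("Switch B", "1/0/7")),
    (("Switch A", "1/0/2"), ("Switch C", "1/0/1")),
    (("Switch B", "1/0/4"), ("Switch C", "1/0/5")),
]

if __name__ == "__main__":
    for (bridge, port), role in sorted(stp_roles(BRIDGES, LINKS).items()):
        print(f"{bridge} Ethernet {port}: {role}")
```

On the Switch B to Switch C link both sides have root path cost 1, so the designated bridge ID breaks the tie: Switch B (1) beats Switch C (2), Ethernet 1/0/4 on Switch B becomes designated and Ethernet 1/0/5 on Switch C is blocked. Rerunning with a bridge whose ID is lower than Switch A's, which is what an unauthorised device sending superior BPDUs amounts to, moves the root and reshuffles every role; the root protection and BPDU protection features mentioned later in this chapter exist to stop exactly that.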
...Forward Delay before they enter the forwarding state.
Implementing STP on the Switch 7700
The Switch 7700 implements the Rapid Spanning Tree Protocol (RSTP), an enhancement to STP. Under certain conditions the Forward Delay for root ports and designated ports to enter the forwarding state is greatly reduced, shortening the time needed to stabilize the network topology.
To achieve rapid transition of the root port state, the following requirement must be met: the old root port on this switch has stopped forwarding data and the designated port upstream has begun forwarding data. The conditions for rapid state transition of a designated port are: the port is an Edge port that does not connect directly with any switch, or...
Implementing STP on the Switch 7700
Among the above tasks, only enabling STP on the switch and enabling STP on the port are required. For the other tasks, if you do not configure them, the system uses the default settings.
Perform the following configurations in system view.
Table 3 Setting the Diameter of a Switching Network
Set the diameter of a switching network: stp bridge-diameter bridgenum
Restore the default diameter of the switching network: undo stp bridge-diameter
The diameter of the switching network should not exceed 7.
Implementing STP on the Switch 7700
...is enabled, assigning a priority to the bridge leads to recalculation of the spanning tree. By default, the priority of the bridge is 32768.
Specifying the Switch as a Primary or Secondary Root Switch
RSTP can determine the spanning tree root through calculation.
...state and resume data frame forwarding. This delay ensures that the new configuration BPDU has been propagated throughout the network before data frame forwarding resumes. Perform the following configurations in system view.
Table 7 Set the Forward Delay for a Bridge
Set the forward delay of a specified...
Implementing STP on the Switch 7700
Table 9 Set Max Age for a Bridge
Restore the default Max Age of the specified bridge: undo stp timer max-age
If the Max Age is too short, the spanning tree is recalculated frequently, or network congestion is misjudged as a link fault.
...bridge is configured as an edge port, RSTP automatically detects this and reconfigures it as a non-edge port. After the network topology changes, if a configured non-edge port becomes an edge port and is no longer connected to any other port, you must configure it as an edge port manually, because RSTP cannot reconfigure a non-edge port as an edge port automatically.
Implementing STP on the Switch 7700
...tree. If all Ethernet ports of the bridge use the same priority value, the priority of these ports is decided by the Ethernet port index number. Note that changing the priority of an Ethernet port causes recalculation of the spanning tree.
Perform the following configurations in Ethernet port view.
Table 15 Set mCheck for the Port
Set mCheck for the port: stp mcheck
This command can be used when the bridge runs RSTP in RSTP mode, but not when the bridge runs RSTP in STP-compatible mode.
By default, the switch does not enable loop protection, BPDU protection or root protection. For more information about the configuration commands, refer to the “3Com Command Reference Guide”. Displaying and...
[Figure 4: RSTP Configuration Example. Switch A (GE1/0/1, GE1/0/2); Switch B and Switch C (GE1/M, E0/23, E0/24, E0/1, E0/2, E0/3); Switch D, Switch E and Switch F (E1/1, E2/1).]
Only the configurations related to RSTP are listed in the following procedure.
Implementing STP on the Switch 7700
...and do not disable those involved. (The following configuration takes Ethernet 0/4 as an example.)
[SW7700] interface ethernet 0/4
[SW7700-Ethernet0/4] stp disable
3 Configure Switch C and Switch B to serve as standby for each other and set the bridge priority of Switch B to 4069.
3 Configure the ports (Ethernet 0/1 through Ethernet 0/24) directly connected to users as edge ports and enable the BPDU protection function. (Take Ethernet 0/1 as an example.)
[SW7700] interface ethernet 0/1
[SW7700-Ethernet0/1] stp edged-port enable
[SW7700] stp bpdu-protection
4 RSTP operating mode, time parameters, and port parameters take default values.
Chapter 9: AAA and RADIUS Operation
This chapter covers the following topics:
IEEE 802.1x
Configuring the AAA and RADIUS Protocols
IEEE 802.1x
IEEE 802.1x (hereinafter 802.1x) is a port-based network access control protocol used as the standard for LAN user access authentication. In LANs that comply with IEEE 802 standards, a user can access devices and share resources in the LAN by connecting to a device such as the LAN switch.
The Authenticator has two types of ports: the Uncontrolled Port and the Controlled Port. The Uncontrolled Port is always in a bidirectional connected state; the user can access and share network resources through it at any time.
IEEE 802.1x
Implement 802.1x on Ethernet Switch
The 3Com Switch 7700 not only supports the port access authentication method defined by 802.1x, but also extends and optimizes it in the following ways:
Supports connecting several end stations downstream via one physical port.
By default, 802.1x authentication is not enabled globally or on any port.
Setting the Port Access Control Mode
The following commands set the 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured.
...[ interface interface-list ] (restores the maximum number of users on the port to the default value)
By default, 802.1x allows up to 1024 supplicants on each port of the Switch 7700.
Enabling DHCP to Launch Authentication
Use the following commands to set whether 802.1x lets the Ethernet switch launch user ID authentication when a user runs DHCP and applies for a dynamic IP address.
Perform the following configurations in system view.
Table 8 Set the Maximum Retransmission Times
Set the maximum retransmission times: dot1x retry max-retry-value
Restore the default maximum retransmission times: undo dot1x retry
By default, max-retry-value is 3; that is, the switch retransmits the authentication request frame to a supplicant at most 3 times.
Enabling/Disabling Quiet-Period Timer
You can use the following commands to enable or disable the quiet-period timer of the Switch 7700. If an 802.1x user fails authentication, the Authenticator keeps quiet for the quiet period before launching authentication again. During the quiet period the Authenticator does nothing related to 802.1x authentication.
A server group consisting of two RADIUS servers, at 10.11.1.1 and 10.11.1.2, is connected to the switch. The former acts as the primary authentication/secondary accounting server; the latter acts as the secondary authentication/primary accounting server. Set the encryption key as "name"...
Configuring the AAA and RADIUS Protocols
[SW7700-radius-radius1] key authentication name
7 Set the encryption key used when the system exchanges packets with the accounting RADIUS server.
[SW7700-radius-radius1] key accounting money
8 Set the timeouts and retransmission times for packets sent to the RADIUS server.
Implementing AAA/RADIUS on Ethernet Switch
As described above, the Switch 7700, serving as the user access device or NAS, is the client end of RADIUS. In other words, the AAA/RADIUS concerning...
...(i.e. 3com163.net) following the @ is the ISP domain name. When the Switch 7700 controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the userid part as the username for identification and the isp-name part as the domain name.
For the Switch 7700, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user has not reported its ISP domain name, the system puts it into the default domain.
Configuring the AAA and RADIUS Protocols
Creating a Local User
A local user is a user account set on the NAS. The username is the unique identifier of a user. A supplicant requesting network service may use local authentication only if its corresponding local user has been added on the NAS. Perform the following configurations in system view.
| ucibindex ucib-index | user-name user-name }
By default, no online user is disconnected by force.
Configuring the RADIUS Protocol
On the Switch 7700, the RADIUS protocol is configured on a per RADIUS server group basis. In a real network, a RADIUS server group can be an independent RADIUS server or a pair of primary/secondary RADIUS servers with the same configuration but two different IP addresses.
Configuring the AAA and RADIUS Protocols
Setting Username Format Transmitted to RADIUS Server
Setting the Unit of Data Flow Transmitted to RADIUS Server
Configuring a Local RADIUS Server Group
Among the above tasks, creating the RADIUS server group and setting the IP address of the RADIUS server are required, while the other tasks are optional and can be performed as required.
(In particular, some earlier RADIUS servers use 1645 as the authentication/authorization port number and 1646 as the accounting port number.) The RADIUS service port settings on the Switch 7700 must be consistent with the port settings on the RADIUS server. Normally, the RADIUS accounting service port is 1813 and the authentication/authorization service port is 1812.
Configuring the AAA and RADIUS Protocols
...encryption key. Only when the keys are identical can the two ends accept each other's packets and respond. Perform the following configurations in RADIUS server group view.
Table 20 Set RADIUS Packet Encryption Key
Set RADIUS...
Accordingly, it may be necessary to disconnect the user at the NAS end and on the RADIUS server when some unpredictable failure occurs. The Switch 7700 supports setting the maximum number of real-time accounting requests that may go unanswered. The NAS disconnects the user if it has not received a real-time accounting response from the RADIUS server for the specified number of requests.
The NAS makes its best effort to send the message to the RADIUS accounting server. Accordingly, if a message from the Switch 7700 to the RADIUS accounting server is not answered, the switch saves it in the local buffer and retransmits it until the server responds or the message is discarded.
Setting Username Format Transmitted to RADIUS Server
As mentioned above, supplicants are generally named in userid@isp-name format. The part following "@" is the ISP domain name. The Switch 7700 puts users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject usernames that include the ISP domain name.
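Three things the NAS does with a RADIUS server have been described across this section: it splits userid@isp-name into a user and a domain (falling back to the default domain), it decides whether the domain is sent in User-Name, and it shares a key with the server without which neither side accepts the other's packets. The following Python is an added example, not code from the 3Com guide, showing the client side of each; the shared key "name" and the domain 3com163.net come from the guide's examples, while the default domain name "system", the Request Authenticator bytes and the password are constructed for the example. The packet arithmetic follows RFC 2865 (User-Password hiding in section 5.2, Response Authenticator in section 3).

```python
"""Client-side RADIUS pieces the guide describes: user@domain handling, the
username format sent to the server, User-Password hiding, and the Response
Authenticator check that makes a mismatched shared key fail.

Added example, not from the 3Com guide. The default domain name, the Request
Authenticator and the password below are constructed; the key "name" is the guide's.
"""
import hashlib
import hmac
import struct

DEFAULT_DOMAIN = "system"   # assumption: this extract does not name the default domain


def split_username(username, default_domain=DEFAULT_DOMAIN):
    """userid@isp-name -> (userid, isp-name); no '@' means the default domain."""
    user, sep, domain = username.partition("@")
    return user, (domain if sep else default_domain)


def radius_user_name(username, with_domain=True):
    """Value of the User-Name attribute; older servers need the domain stripped."""
    user, domain = split_username(username)
    return f"{user}@{domain}" if with_domain else user


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length covers the header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; with the wrong key the result is garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the authenticator with our copy of the key; a mismatched
    key, a truncated packet or altered attributes all fail here."""
    if len(packet) < 20:
        return False
    header, auth = packet[:4], packet[4:20]
    length = struct.unpack("!H", header[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


# Constructed values for a stand-alone run.
SECRET = b"name"
REQUEST_AUTH = bytes(range(16))   # a real NAS draws these 16 bytes at random per request
USER_NAME_ATTR = 1


def demo():
    name = radius_user_name("user@3com163.net", with_domain=False).encode()
    accept = build_response(2, 7, attribute(USER_NAME_ATTR, name), REQUEST_AUTH, SECRET)
    return verify_response(accept, REQUEST_AUTH, SECRET), verify_response(accept, REQUEST_AUTH, b"money")


if __name__ == "__main__":
    print("verified with the right key, then with the accounting key:", demo())
```

The second value returned by demo() is the failure the guide warns about: the accounting key "money" is a perfectly valid key, but used against an authentication packet the Response Authenticator does not verify, so the NAS drops the reply and the user times out. The same check is why the key must match on both ends rather than merely being set on each.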
By default, the IP address of the local RADIUS server group is 127.0.0.1 and the password is 3com. When using the local RADIUS server function of the Switch 7700, remember that the UDP port used for authentication is 1812 and that for accounting is 1813. Since this password is the RADIUS shared key, change it from the documented default before relying on the local RADIUS server.
...configuration. Execute the debugging command in user view to debug AAA and RADIUS.
Table 33 Display and Debug AAA and RADIUS Protocol
Display the configuration information of the specified or all ISP domains: display domain [isp-name]
Configuring the AAA and RADIUS Protocols
5 There may be a communication fault between the NAS and the RADIUS server, which can be discovered by pinging the RADIUS server from the NAS. Ensure normal communication between the NAS and RADIUS.
RADIUS packets cannot be transmitted to the RADIUS server.
1 The communication lines (physical layer or link layer) connecting the NAS and the RADIUS server may not be working.
Chapter 10: Reliability
This chapter covers the following topics:
VRRP Overview
Configuring VRRP
VRRP Overview
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. In general, a default route (for example, 10.100.10.1 in Figure 1) is configured for every host on a network, so that packets destined for another network segment go through the default route to Layer 3 Switch 1, implementing communication between the host and the external network.
CHAPTER 10: RELIABILITY
Figure 2 Virtual Router Network (figure: two switches with actual IP addresses 10.100.10.3 and 10.100.10.2, one Master and one Backup, sharing virtual IP address 10.100.10.1 on the Ethernet segment with Host 1 10.100.10.7, Host 2 10.100.10.8 and Host 3 10.100.10.9)
This virtual router has its own IP address, 10.100.10.1, which can be the interface address of a switch within the virtual router.
Configuring VRRP
The following command is used to assign an IP address of the local segment to a virtual router, or to remove an assigned virtual IP address of a virtual router from the virtual address list. Perform the following configuration in VLAN interface view.
Table 1 Add/Delete a Virtual IP Address
Operation | Command...
Perform the following configuration in VLAN interface view.
Table 3 Configure Preemption and Delay for a Switch
Operation | Command
Enable the preemption mode and configure a period of delay | vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
Disable the preemption mode.
The backup switch’s master-down-interval is three times the duration of the adver-interval. Excessive network traffic or differences between the timers of different switches can cause the master-down-interval to time out and the state to change abnormally. Such problems can be solved by prolonging the adver-interval and setting a delay time.
Example: VRRP Single Virtual Router
Host A uses the VRRP virtual router, which combines switch A and switch B, as its default gateway to reach host B on the Internet. The VRRP virtual router information includes virtual router ID 1, virtual IP address 202.38.160.111, switch A as the Master, and switch B as the Backup with preemption allowed.
Configure switch A:
1 Create a virtual router.
[LSW_A-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
2 Set the priority for the virtual router.
[LSW_A-vlan-interface2] vrrp vrid 1 priority 110
3 Set the authentication key for the virtual router.
[LSW_A-vlan-interface2] vrrp authentication-mode md5 lanswitch
4 Set the Master to send VRRP packets every 5 seconds.
Configure switch B:
1 Create virtual router 1.
[LSW_B-vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
2 Create virtual router 2.
[LSW_B-vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
3 Set the priority for the virtual router.
[LSW_B-vlan-interface2] vrrp vrid 2 priority 110

Troubleshooting VRRP
The configuration of VRRP is simple, so almost all troubleshooting can be done by viewing the configuration and debugging information.
SYSTEM MANAGEMENT
This chapter includes the following information:
■ File System Management
■ MAC Address Table Management
■ Device Management
■ System Maintenance and Debugging
■ SNMP
■ RMON

File System Management
The Ethernet switch provides a file system module for efficient management of storage devices such as flash memory.
CHAPTER 11: SYSTEM MANAGEMENT
Table 1 Directory Operation
Operation | Command
Change the current directory | cd directory

File Operation
The file system can be used to delete, undelete, or permanently delete a file. It can also be used to display file contents; rename, copy and move a file; and display information about a specified file.
2 Display the working directory in the flash.
<SW7700> cd flash:/
<SW7700> pwd
flash:/
3 Create a directory named test.
<SW7700> mkdir test
4 Display the flash directory information after creating the test directory.
<SW7700> dir
Directory of *
drw- Mar 09 2002 12:01:44 test...
Perform the following configuration in all views.
Table 5 Display the Configurations of the Ethernet Switch
Operation | Command
Display the saved-configuration of the Ethernet switch | display saved-configuration
Display the current-configuration of the Ethernet switch | display current-configuration
The configuration files are displayed in their corresponding saving formats.
The Ethernet switch provides the following FTP services:
■ FTP server: You can run an FTP client program to log in to the server and access the files on it.
■ FTP client: After connecting to the server by running the terminal emulator...
Perform the following configuration in system view.
Table 10 Configure FTP Server Connection Timeout
Operation | Command
Configure the FTP server connection timeout | ftp timeout minute
Restore the default FTP server connection timeout | undo ftp timeout
By default, the FTP server connection timeout is 30 minutes.

Display and Debug FTP Server
After the above configuration, execute the display command in all views to display the FTP server configuration and verify the effect of the configuration.
Upload files by means of TFTP | tftp put mmm.nnn //A.A.A.A/xxx.yyy

MAC Address Table Management
The Switch 7700 maintains a MAC address table for fast packet forwarding. A table entry includes the MAC address of a device and the port ID of the Ethernet switch port connected to it.
The Switch 7700 also provides MAC address aging. If the switch receives no packet for an entry for a period of time, it deletes that entry from the MAC address table. This function has no effect on static MAC addresses.
Perform the following configuration in system view.
Table 15 Set MAC Address Table Entries
Operation | Command
Add/Modify an address entry | mac-address { static | dynamic } hw-addr interface { interface-name | interface-type interface-num }
Delete an address entry | undo mac-address [ static | dynamic ] [ [ hw-addr ] interface { interface-name | interface-type interface-num } ]
When deleting the dynamic address table entries, the learned entries will be...
Set MAC Address Aging Time
Setting an appropriate aging time implements MAC address aging. An aging time set too long or too short will cause the Ethernet switch to broadcast a large number of data packets for which no MAC address entry exists. This affects the switch’s forwarding performance.
... Learned Ethernet1/0/2

Device Management
With device management, the Switch 7700 displays the current running state and event debugging information about the slots and physical devices. In addition, there is a command for rebooting the system when a function failure occurs.
Operation | Command
Upgrade BootROM | boot BootROM file-url

Reset a Slot
The Switch 7700 allows the administrator to reset a slot in the system. Perform the following configuration in user view.
Table 23 Reset a Slot
Operation | Command
Reset a slot | reboot [ slot slot-num ]
The parameter slot-num ranges from 0 to 6.
Set Backboard View
The backboard view command determines the backplane bandwidth allocated to each slot in the Switch 7700. Currently, the switch fabric has a capability of 32 Gbps full duplex, while the chassis has a maximum capability of 48 Gbps full duplex.
... } ] [ module-name ]

System Debugging
Enable/Disable the Terminal Debugging
The Switch 7700 provides various ways of debugging most of the supported protocols and functions, which can help you diagnose errors. The following switches control the output of debugging information:
Protocol debugging switch: controls the debugging output of a protocol.
Figure 3 Debug Output (figure: debugging information passes through the protocol debugging switch and then the screen output switch)
You can use the following commands to control the above-mentioned debugging. Perform the following operations in user view.
Table 29 Enable/Disable the Debugging
Operation | Command
Enable the protocol debugging | debugging { all | module-name [ debugging-option ] }...
... ] [ -w timeout ] host

Logging Function
The syslog is an indispensable part of the Switch 7700. It serves as the information center of the system software modules. The logging system is responsible for most of the information output, and it also performs detailed classification to filter...
... R&D personnel to monitor the operating state of networks and diagnose network failures. The syslog of the Switch 7700 has the following features:
■ Supports output of logs in six directions, i.e., Console, monitor to Telnet terminal, ...
Perform the following configuration in system view.
Table 34 Log Output
Operation | Command
Configure to output the information to the Console | info-center console channel { channel-number | channel-name }
Configure to output the information to the Telnet terminal or monitor | info-center monitor channel { channel-number | channel-name }...
Table 36 Syslog-Defined Severity
Severity | Description
alerts | Errors that need to be corrected immediately
critical | Critical errors
errors | Errors that need attention but are not critical
warnings | Warnings; there might exist some kinds of errors
notifications | Information that should be noted
Local4.crit /var/log/SW7700/config
# SW7700 security messages:
local5.notice /var/log/SW7700/security
Pay attention to the following points when editing the file “/etc/syslog.conf”:
■ The description must start from a fresh line and begin with a pound key (#).
■ Use tab characters to separate the selector/action pairs instead of spaces.
...
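As an added check (not part of the 3Com guide), the following Python script validates a syslog.conf excerpt against those two rules before the log host is reloaded; the facility and priority keywords are the classic syslog.conf ones, and the sample lines are constructed.

```python
"""Check /etc/syslog.conf entries that collect Switch 7700 logs.

Added example, not from the 3Com guide. It enforces the two rules the guide
gives for the classic syslogd file: comments begin with '#', and the selector
and action are separated by a tab. Keywords are classic syslog.conf ones.
"""
import re

FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp", "*"} | {f"local{i}" for i in range(8)}
PRIORITIES = {"emerg", "alert", "crit", "err", "warning", "notice", "info",
              "debug", "none", "*"}
SELECTOR_RE = re.compile(r"^([a-z0-9*,]+)\.(!?=?)([a-z*]+)$")  # fac[,fac].[!][=]prio

def check_line(line):
    """Classify one line: ("ok", facilities, priority, action), ("skip",) or ("error", msg)."""
    if not line.strip() or line.startswith("#"):
        return ("skip",)                      # blank line or '#' description
    if "\t" not in line:
        # syslogd needs a tab here; a space-separated pair is not a valid entry
        return ("error", "selector and action must be separated by a tab")
    selector, _, action = line.partition("\t")
    if not action.strip():
        return ("error", "missing action (log file, host or user)")
    m = SELECTOR_RE.match(selector.strip().lower())
    if not m:
        return ("error", f"malformed selector {selector!r}")
    facilities, priority = m.group(1).split(","), m.group(3)
    if any(f not in FACILITIES for f in facilities) or priority not in PRIORITIES:
        return ("error", f"unknown facility or priority in {selector!r}")
    return ("ok", facilities, priority, action.strip())

def check_config(text):
    """Return (accepted entries, [(line number, message), ...]) for a whole file."""
    entries, errors = [], []
    for number, line in enumerate(text.splitlines(), 1):
        result = check_line(line)
        if result[0] == "ok":
            entries.append(result[1:])
        elif result[0] == "error":
            errors.append((number, result[1]))
    return entries, errors

# Constructed sample: the guide's two SW7700 lines plus one written with spaces.
SAMPLE = ("# SW7700 security messages:\n"
          "local4.crit\t/var/log/SW7700/config\n"
          "local5.notice\t/var/log/SW7700/security\n"
          "local5.notice /var/log/SW7700/security\n")   # spaces: rejected
```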
SNMP
The Simple Network Management Protocol (SNMP) has gained the most extensive application in computer networks. SNMP has been put into use and widely accepted as an industry standard. It is used for transmitting management information between any two nodes. In this way, network administrators can easily search for and modify the information on any node on the network.
The current SNMP agent of the Ethernet switch supports SNMP V1, V2C and V3. The MIBs supported are listed in the following table.
Table 38 MIBs Supported by the Ethernet Switch
MIB attribute | MIB content | References
Public MIB | MIB II based on TCP/IP network device | RFC1213...
You can use the following commands to set the community name. Perform the following configuration in system view.
Table 39 Set Community Name
Operation | Command
Set the community name and the access authority | snmp-agent community { read | write } community-name [ [ mib-view view-name ] [ acl acl-list ] ]
Remove the community name and ... | undo snmp-agent community community-name...
Perform the following configuration in system view.
Table 42 Set the Destination Address of Trap
Operation | Command
Set the destination address of trap | snmp-agent target-host trap address udp-domain host-addr [ udp-port udp-port-number ] params securityname community-string [ v1 | v2c | v3 { authentication | privacy } ]
Delete the destination address of ... | undo snmp-agent target-host host-addr...
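Added example, not from the guide: a Python audit of a saved configuration that parses the community and trap-host command forms documented above (Tables 39 and 42) and rates each entry by whether an ACL restricts the community and which SNMP version protects the trap stream. The configuration excerpt, names and addresses are constructed, and treating an omitted trap version as v1 is an assumption.

```python
"""Audit Switch 7700 SNMP settings in a saved configuration.

Added example, not from the 3Com guide. It parses the 'snmp-agent community'
and 'snmp-agent target-host trap address' command forms the guide documents
and rates each: a community without an ACL, or a trap host using v1/v2c
(community string sent in clear), is flagged. Configuration is constructed.
"""
import re

COMMUNITY_RE = re.compile(
    r"^snmp-agent community (read|write) (\S+)(?: mib-view (\S+))?(?: acl (\S+))?$")
TRAP_RE = re.compile(
    r"^snmp-agent target-host trap address udp-domain (\S+)(?: udp-port (\d+))?"
    r" params securityname (\S+)(?: (v1|v2c|v3(?: authentication| privacy)?))?$")

def audit_snmp(config):
    """Return one finding dict per community or trap host, with a risk rating."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            access, name, view, acl = m.groups()
            # unrestricted write access is the worst case; any ACL lowers the rating
            risk = ("high" if access == "write" and not acl
                    else "medium" if not acl else "low")
            findings.append({"kind": "community", "name": name, "access": access,
                             "mib_view": view, "acl": acl, "risk": risk})
            continue
        m = TRAP_RE.match(line)
        if m:
            host, port, secname, version = m.groups()
            version = version or "v1"          # assumption: v1 when version omitted
            # only v3 with privacy protects the trap payload; plain v3 is noAuthNoPriv
            risk = {"v3 privacy": "low", "v3 authentication": "medium"}.get(version, "high")
            findings.append({"kind": "trap", "host": host, "port": int(port or 162),
                             "securityname": secname, "version": version, "risk": risk})
    return findings

# Constructed configuration excerpt (community names and addresses are made up).
SAMPLE_CONFIG = """
snmp-agent community read nms-ro acl 2001
snmp-agent community write nms-rw
snmp-agent target-host trap address udp-domain 10.1.1.5 udp-port 162 params securityname nms-ro v2c
snmp-agent target-host trap address udp-domain 10.1.1.6 params securityname nmsv3 v3 privacy
"""
```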
By default, the engine ID is expressed as enterprise number + device information. The device information can be an IP address, a MAC address, or user-defined text.

Set/Delete an SNMP Group
You can use the following commands to set or delete an SNMP group. Perform the following configuration in system view.
Create/Update View Information or Delete a View
You can use the following commands to create or update the information of views or to delete a view. Perform the following configuration in system view.
Table 49 Create/Update View Information or Delete a View
Operation | Command
Create/Update view information | ...
Table 52 Display and Debug SNMP
Operation | Command
Display the group name, the security mode, the states for all types of views, and the storage mode of each group of the switch | display snmp-agent group
Display the names of all users in the group user table | display snmp-agent usm-user [ { local | { engineid engineid } } | username groupname ]...
RMON
Remote Network Monitoring (RMON) is an IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used network management standards so far.
... defined in event management. Alarm management includes browsing, adding and deleting alarm entries. You can use the following commands to add/delete an entry to/from the alarm table. Perform the following configuration in system view.
Table 53 Add/Delete an Entry to/from the Alarm Table
Operation | Command
Add an entry to the alarm table. | 
Add/Delete an Entry to/from the Extended RMON Alarm Table
You can use the command to add/delete an entry to/from the extended RMON alarm table. Perform the following configuration in system view.
Table 56 Add/Delete an Entry to/from the Extended RMON Alarm Table
Operation | Command
Add an entry to the extended...
1 Configure RMON.
[SW7700-Ethernet2/0/1] rmon statistics 1 owner 3com-rmon
2 View the configuration in user view.
<SW7700> display rmon statistics Ethernet2/0/1
Statistics entry 1 owned by 3com-rmon is VALID.
Gathers statistics of interface Ethernet2/0/1.
Received: octets : 270149,packets : 1954...