1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470
HP V1910 Switch Series
59982269
Part number: 5998-2269
Software version: Release 1108
Document version: 6W100-20110615

Advertising

   Also See for HP V1910 Switch Series

   Related Manuals for HP V1910 Switch Series

   Summary of Contents for HP V1910 Switch Series

  • Page 1: User Guide

    HP V1910 Switch Series User Guide 59982269 Part number: 5998-2269 Software version: Release 1108 Document version: 6W100-20110615...

  • Page 2

    The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.

  • Page 3

    Preface The HP V1910 Switch Series User Guide describes the software features for the HP 1910 switches and guides you through the software configuration procedures. It also provide configuration examples to help you apply software features to different network scenarios.

  • Page 4

    Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device. Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.com/support Before contacting HP, collect the following information: Product model names and numbers ...

  • Page 5: Subscription Service

    Warranty The Hewlett-Packard Limited Warranty Statement for this product and the HP Software License Terms which apply to any software accompanying this product are available on the HP networking Web site www.hp.com/networking/warranty. The customer warranty support and services information are available on the HP networking Web site at www.hp.com/networking/support.

  • Page 6: Table Of Contents

    Contents Overview ······································································································································································ 1 Configuration through the web interface ··················································································································· 2 Web-based network management operating environment ·························································································· 2 Logging in to the web interface ······································································································································· 2 Default login information ········································································································································· 2 Example ····································································································································································· 3 Logging out of the web interface ····································································································································· 4 Introduction to the web interface ·····································································································································...

  • Page 7: Table Of Contents

    Displaying system information ····························································································································· 43 Displaying device information ····························································································································· 44 Device basic information configuration ···················································································································· 46 Configuring device basic information ·························································································································· 46 Configuring system name ····································································································································· 46 Configuring idle timeout period ··························································································································· 46 System time configuration ·········································································································································· 48 Configuring system time ················································································································································ 48 System time configuration example ·····························································································································...

  • Page 8: Table Of Contents

    Managing users ····························································································································································· 81 Adding a local user ··············································································································································· 81 Setting the super password ·································································································································· 82 Switching to the management level ····················································································································· 83 Loopback test configuration ······································································································································ 84 Overview ········································································································································································· 84 Loopback operation ······················································································································································· 84 Configuration guidelines ··············································································································································· 85 VCT·············································································································································································· 86 Overview ·········································································································································································...

  • Page 9: Table Of Contents

    Interface statistics ···················································································································································· 131 Overview ······································································································································································· 131 Displaying interface statistics ······································································································································ 131 VLAN configuration ················································································································································ 133 Introduction to VLAN ··········································································································································· 133 VLAN fundamentals············································································································································· 133 VLAN types ·························································································································································· 134 Introduction to port-based VLAN ······················································································································· 135 Configuring a VLAN ···················································································································································· 136 Configuration task list ········································································································································· 136 Creating VLANs ···················································································································································...

  • Page 10: Table Of Contents

    Protocols and standards ····································································································································· 185 Configuring MSTP ························································································································································ 185 Configuration task list ········································································································································· 185 Configuring an MST region ······························································································································· 185 Configuring MSTP globally ································································································································ 187 Configuring MSTP on a port ······························································································································ 189 Displaying MSTP information of a port ············································································································· 191 MSTP configuration example ······································································································································...

  • Page 11: Table Of Contents

    Routing configuration ·············································································································································· 259 Routing table ························································································································································ 259 Static route ··························································································································································· 259 Default route ························································································································································· 260 Configuring IPv4 routing ············································································································································· 260 Displaying the IPv4 active route table ··············································································································· 260 Creating an IPv4 static route ······························································································································ 261 Static route configuration example ···························································································································· 262 Precautions ····································································································································································...

  • Page 12: Table Of Contents

    A comparison of EAP relay and EAP termination ···························································································· 316 EAP relay ······························································································································································ 317 EAP termination ··················································································································································· 319 802.1X configuration ············································································································································· 320 HP implementation of 802.1X ···································································································································· 320 Access control methods ······································································································································ 320 Using 802.1X authentication with other features ···························································································· 320 Configuring 802.1X ···················································································································································· 321 Configuration prerequisites ································································································································...

  • Page 13: Table Of Contents

    AAA configuration example ······································································································································· 349 RADIUS configuration ············································································································································· 354 Introduction to RADIUS ······································································································································· 354 Client/server model ············································································································································ 354 Security and authentication mechanisms ·········································································································· 354 Basic message exchange process of RADIUS ·································································································· 355 RADIUS packet format ········································································································································ 356 Extended RADIUS attributes ······························································································································· 358 Protocols and standards ·····································································································································...

  • Page 14: Table Of Contents

    Configuring an ACL ····················································································································································· 403 Configuration task list ········································································································································· 403 Configuring a time range ··································································································································· 403 Creating an IPv4 ACL ········································································································································· 405 Configuring a rule for a basic IPv4 ACL ··········································································································· 405 Configuring a rule for an advanced IPv4 ACL ································································································· 407 Configuring a rule for an Ethernet frame header ACL ····················································································...

  • Page 15: Overview

    Overview The HP V1910 Switch Series can be configured through the command line interface (CLI), web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios. The web interface supports all V1910 Switch Series configurations.   The CLI provides some configuration commands to facilitate your operation. To perform other...

  • Page 16: Configuration Through The Web Interface

    HP provides the web-based network management function to facilitate the operations and maintenance on HP’s network devices. Through this function, the administrator can visually manage and maintain network devices through the web-based configuration interfaces. Figure 1 Web-based network management operating environment...

  • Page 17: Example

    If a DHCP server exists in the subnet where the device resides, the device will dynamically obtain its default IP address through the DHCP server. You can log in to the device through the console port, and execute the summary command to view the information of its default IP address. <Sysname>...

  • Page 18: Logging Out Of The Web Interface

    Logging out of the web interface Click Logout in the upper-right corner of the web interface, as shown in Figure 4 to quit the web console. The system does not save the current configuration automatically. Therefore, you are recommended to save the current configuration before logout.

  • Page 19: Introduction To The Web-based Nm Functions

     Configure—Users of this level can access device data and configure the device, but they cannot upgrade the host software, add/delete/modify users, or back up/restore configuration files.  Management—Users of this level can perform any operations to the device. Introduction to the web-based NM functions NOTE: User level in Table 2...

  • Page 20

    Function menu Description User level Allows you to back up the configuration file to be Backup used at the next startup from the device to the host Management of the current user. Allows you to upload the configuration file to be Configurati Restore used at the next startup from the host of the current...

  • Page 21

    Function menu Description User level Displays and allows you to set the interval for collecting storm constrain statistics. Storm Storm Constrain Configure Constrain Displays, and allows you to create, modify, and remove the port traffic threshold. Displays, and allows you to create, modify, and Statistics Configure clear RMON statistics.

  • Page 22

    Function menu Description User level Create Allows you to create VLANs. Configure Port Detail Displays the VLAN-related details of a port. Monitor Detail Displays the member port information of a VLAN. Monitor Allows you to modify the description and member Modify VLAN Configure ports of a VLAN.

  • Page 23

    Function menu Description User level Displays information about LACP-enabled ports Summary Monitor and their partner ports. LACP Setup Allows you to set LACP priorities. Configure Displays the LLDP configuration information, local information, neighbor information, statistics Monitor Port Setup information, and status information of a port. Allows you to modify LLDP configuration on a port.

  • Page 24

    Function menu Description User level Ping Allows you to ping an IPv4 address. Visitor Diagnostic Tools Trace Route Allows you to perform trace route operations. Visitor Displays ARP table information. Monitor ARP Table Allows you to add, modify, and remove ARP Configure entries.

  • Page 25

    Function menu Description User level Allows you to add, modify, and delete a PKI entity. Configure Displays information about PKI domains. Monitor Domain Allows you to add, modify, and delete a PKI Configure domain. Displays the certificate information of PKI domains Monitor and allows you to view the contents of a certificate.

  • Page 26: Introduction To The Common Items On The Web Pages

    Function menu Description User level Allows you to configure actions for a traffic Setup Configure behavior. Allows you to configure traffic mirroring and traffic Port Setup Configure redirecting for a traffic behavior Remove Allows you to delete a traffic behavior. Configure Summary Displays QoS policy configuration information.

  • Page 27

    Button and icon Function Used to deselect all the entries on a list, or all the ports on the device panel. Generally present on the configuration wizard; used to buffer but not apply the configuration of the current step and enter the next configuration step. Generally present on the configuration wizard;...

  • Page 28

    Search function On some list pages, the web interface provides basic and advanced search functions. You can use the search function to display those entries matching certain search criteria. Basic search function—Select a search item from the drop-down list as shown in Figure 5, input the ...

  • Page 29: Configuration Guidelines

    Configuration guidelines The web console supports Microsoft Internet Explorer 6.0 SP2 and higher.  The web console does not support the Back, Next, Refresh buttons provided by the browser. Using  these buttons may result in abnormal display of web pages. When the device is performing spanning tree calculation, you cannot log in to or use the web ...

  • Page 30: Configuration At The Cli

    Configuration at the CLI NOTE: The HP V1910 Switch Series can be configured through the CLI, web interface, and SNMP/MIB, among  which the web interface supports all V1910 Switch Series configurations. These configuration methods are suitable for different application scenarios. As a supplementary to the web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter.

  • Page 31: Setting Terminal Parameters

    Figure 9 Network diagram for configuration environment setup CAUTION: Identify the mark on the console port to ensure that you are connecting to the correct port. NOTE: The serial port on a PC does not support hot swapping. When you connect a PC to a powered-on switch, connect the DB-9 connector of the console cable to the PC before connecting the RJ-45 connector to the switch.

  • Page 32

    Figure 10 Connection description of the HyperTerminal Select the serial port to be used from the Connect using drop-down list, and click OK. Step2 Figure 11 Set the serial port used by the HyperTerminal connection Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, Step3 and click OK.

  • Page 33

    Figure 12 Set the serial port parameters Select File > Properties in the HyperTerminal window. Step4 Figure 13 HyperTerminal window Click the Settings tab, set the emulation to VT100, and click OK in the Switch Properties dialog box. Step5...

  • Page 34: Logging In To The Cli

    Enter your username at the Username prompt. Step2 Username:admin Press Enter. The Password prompt display Step3 Password: The login information is verified, and displays the following CLI menu: <HP V1910 Switch> If the password is invalid, the following message appears and process restarts. % Login failed!

  • Page 35: Cli Commands

    CLI commands This Command section contains the following commands: To do… Use the command… Display a list of CLI commands on the device Reboot the device and run the default configuration initialize ipsetup { dhcp | ip address ip-address { mask Specify VLAN-interface 1 to obtain an IP address through | mask-length } [ default-gateway DHCP or manual configuration...

  • Page 36: Password

    ip-address ip-address: Specifies an IP address for VLAN-interface 1 in dotted decimal notation. mask: Subnet mask in dotted decimal notation. mask-length: Subnet mask length, the number of consecutive ones in the mask, in the range of 0 to 32. default-gateway ip-address: Specifies the IP address of the default gateway or the IP address of the outbound interface.

  • Page 37: Quit

    Parameters host: Destination IP address (in dotted decimal notation), URL, or host name (a string of 1 to 20 characters). Description Use the ping command to ping a specified destination. You can enter Ctrl+C to terminate a ping operation. Examples # Ping IP address 1.1.2.2.

  • Page 38: Reboot

    Please press ENTER. reboot Syntax reboot Parameters None Description Use the reboot command to reboot the device and run the main configuration file. Use the command with caution because reboot results in service interruption. If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command.

  • Page 39: Upgrade

    Next backup boot app is: NULL HP Comware Platform Software Comware Software, Version 5.20 Alpha 1108, Copyright (c) 2004-2011 Hewlett-Packard Development Company, L.P. HP V1910-24G-PoE (365W) Switch uptime is 0 week, 0 day, 6 hours, 28 minutes HP V1910-24G-PoE (365W) Switch 128M bytes DRAM...

  • Page 40: Configuration Example For Upgrading The System Software Image At The Cli

    To make the downloaded software package file take effect, reboot the device. NOTE: The HP V1910 Switch Series does not provide an independent Boot ROM image; instead, it integrates the Boot ROM image with the system software image file together in a software package file with the extension name of .bin.

  • Page 41

    File downloaded successfully. # Download the software package file SwitchV1910.bin on the TFTP server to the switch, and upgrade the Boot ROM image. <Switch> upgrade 192.168.10.1 SwitchV1910.bin bootrom The file flash:/SwitchV1910.bin exists. Overwrite it? [Y/N]:y Verifying server file... Deleting the old file, please wait... File will be transferred in binary mode Downloading file from remote TFTP server, please wait.../ TFTP: 10262144 bytes received in 61 second(s)

  • Page 42: Configuration Wizard

    Configuration wizard Overview The configuration wizard guides you through the basic service setup, including the system name, system location, contact information, and management IP address (IP address of the VLAN interface). Basic service setup Entering the configuration wizard homepage From the navigation tree, select Wizard to enter the configuration wizard homepage, as shown in Figure Figure 16 Configuration wizard homepage Configuring system parameters...

  • Page 43: Configuring Management Ip Address

    Figure 17 System parameter configuration page Table 4 System parameter configuration items Item Description Specify the system name. The system name appears at the top of the navigation tree. Sysname You can also set the system name in the System Name page you enter by selecting Device >...

  • Page 44

    A management IP address is the IP address of a VLAN interface, which can be used to access the device. You can also set configure a VLAN interface and its IP address in the page you enter by selecting Network > VLAN Interface. For more information, see the chapter “VLAN interface configuration.” After finishing the configuration, click Next to enter the management IP address configuration page, as shown in Figure...

  • Page 45: Finishing Configuration Wizard

    Item Description through BOOTP.  Manual: Allows you to specify an IPv4 address and a mask length. Manual IMPORTANT: Support for IPv4 obtaining methods depends on the device model. IPv4 Specify an IPv4 address and the mask length for the VLAN interface. address These two text boxes are configurable if Manual is selected.

  • Page 46: Irf Stack Management

    IRF stack management The HP V1910 IRF stack management feature enables you to configure and monitor a stack of connected HP V1910 switches by logging in to one switch in the stack, as shown in Figure IMPORTANT: The HP V1910 IRF stack management feature does not provide the functions of HP Intelligent Resilient Framework (IRF) technology.

  • Page 47: Configuring Global Parameters Of A Stack

    Task Remarks Required Configuring stack Configure the ports of the master switch that connect to member ports switches as stack ports. By default, a port is not a stack port. Required Configuring member Configuring stack Configure a port of a member switch that connects to the master switch switches of a ports or another member switch as a stack port.

  • Page 48

    Figure 21 Setup Table 7 Configuration items of global parameters Item Description Configure a private IP address pool for the stack. The master switch of a stack must be configured with a private IP address pool to Private Net IP ensure that it can automatically allocate an available IP address to a member switch when the device joints the stack.

  • Page 49: Configuring Stack Ports

    Item Description Enable the switch to establish a stack. After you enable the switch to establish a stack, the switch becomes the master switch of the stack and automatically adds the switches connected to its stack ports to the stack. Build Stack IMPORTANT: You can delete a stack only on the master switch of the stack.

  • Page 50: Displaying Device Summary Of A Stack

    Displaying device summary of a stack Select IRF from the navigation tree and click the Device Summary tab to enter the page shown in Figure 23. On this page, you can view interfaces and power socket layout on the panel of each stack member by clicking the tab of the corresponding member switch.

  • Page 51: Configuration Procedure

     Create a stack, where Switch A is the master switch, Switch B, Switch C, and Switch D are stack members. An administrator can log in to Switch B, Switch C and Switch D through Switch A to perform remote configurations. Figure 25 Network diagram for stack management Switch A (Master switch)

  • Page 52

    Figure 26 Configure global parameters for the stack on Switch A Type 192.168.1.1 in the text box of Private Net IP.   Type 255.255.255.0 in the text box of Mask. Select Enable from the Build Stack drop-down list.  Click Apply.

  • Page 53

     On the page of the Setup tab, perform the following configurations, as shown in Figure Figure 27 Configure a stack port on Switch A In the Port Settings area, select the check box before GigabitEthernet1/0/1.  Click Enable.  Configure the member switches # On Switch B, configure local ports GigabitEthernet 1/0/2 connecting with switch A, GigabitEthernet 1/0/1 connecting with Switch C, and GigabitEthernet 1/0/3 connecting with Switch D as stack ports.

  • Page 54

     Select IRF from the navigation tree of Switch B to enter the page of the Setup tab. Figure 28 Configure stack ports on Switch B Port Settings area, select check boxes before GigabitEthernet1/0/1,  GigabitEthernet1/0/2, and GigabitEthernet1/0/3. Click Enable. ...

  • Page 55

     Select IRF from the navigation tree of Switch C to enter the page of the Setup tabFigure Figure 29 Configure a stack port on Switch C In the Port Settings area, select the check box before GigabitEthernet1/0/1.  Click Enable. ...

  • Page 56

     In the Port Settings area, select the check box before GigabitEthernet1/0/1. Click Enable.  Now, Switch D becomes a member switch. Verify the configuration # Display the stack topology on Switch A. Select IRF from the navigation tree of Switch A and click the Topology Summary tab. ...

  • Page 57: Summary

    Summary The device summary module helps you understand the system information, port information, power information, and fan information on the device. The system information includes the basic system information, system resources state, and recent system operation logs. Displaying device summary Displaying system information After you log in to the web interface, the System Information tab appears by default, as shown in Figure...

  • Page 58: Displaying Device Information

    version, Boot ROM version, and running time. The running time displays how long the device is up since the last boot. You can configure the device location and contact information on the Setup page you enter by selecting Device > SNMP. System resource state The System Resource State displays the latest CPU usage and memory usage.

  • Page 59

    Figure 32 Device information  If you select a certain period from the Refresh Period drop-down list, the system refreshes the information at the specified interval.  If you select Manual from the Refresh Period drop-down list, the system refreshes the information only when you click the Refresh button.

  • Page 60: Device Basic Information Configuration

    Device basic information configuration The device basic information feature provides the following functions:  Set the system name of the device. The configured system name is displayed on the top of the navigation bar.  Set the idle timeout period for logged-in users. The system logs an idle user off the web for security purpose after the confiugred period.

  • Page 61

    Figure 34 Configure idle timeout period Table 11 Idle timeout period configuration item Item Description Idle timeout Set the idle timeout period for logged-in users.

  • Page 62: System Time Configuration

    System time configuration The system time module allows you to display and set the device system time on the web interface. The device supports setting system time through manual configuration and automatic synchronization of NTP server time. An administrator can keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a huge amount of workload and cannot guarantee the clock precision.

  • Page 63: System Time Configuration Example

    Table 12 System time configuration items Item Description Select to manually configure the system time, including the setting Manual of Year, Month, Day, Hour, Minute, and Second. Set the source interface for an NTP message. If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, Source Interface you can specify the source interface for NTP messages, so that the...

  • Page 64

    Configuration procedure Configure Device A # Configure the local clock as the reference clock, with the stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Configuration omitted.) Configure Switch B # Configure Device A as the NTP server of Switch B.

  • Page 65

    Configuration guidelines When configuring system time, note the following guidelines: A device can act as a server to synchronize the clock of other devices only after its clock has been  synchronized. If the clock of a server has a stratum level higher than or equal to that of a client’s clock, the client does not synchronize its clock to the server’s.

  • Page 66: Log Management Configuration

    Log management configuration System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device status. With system log information, administrators can take corresponding actions against network problems and security problems.

  • Page 67: Displaying Syslog

    Figure 38 Set system logs related parameters Table 14 Syslog configuration items Item Description Buffer Capacity Set the number of logs that can be stored in the log buffer. Set the refresh period on the log information displayed on the web interface. You can select manual refresh or automatic refresh: ...

  • Page 68

    Figure 39 Display syslog Table 15 Syslog display items Item Description Time/Date Displays the time/date when system logs are generated. Source Displays the module that generates system logs. Displays the severity level of system logs. For more information about severity levels, Level Table Digest...

  • Page 69: Setting Loghost

    Setting loghost Select Device > Syslog from the navigation tree, and click the Loghost tab to enter the loghost configuration page, as shown in Figure Figure 40 Set loghost Table 17 Loghost configuration item Item Description IP address of the loghost. ...

  • Page 70: Configuration Management

    Configuration management Back up configuration Configuration backup provides the following functions: Open and view the configuration file (.cfg file or .xml file) for the next startup  Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user ...

  • Page 71: Save Configuration

    Figure 42 Configuration restore page When you click the upper Browse button in this figure, the file upload dialog box appears. Select  the .cfg file to be uploaded, and then click OK. When you click the lower Browse button in this figure, the file upload dialog box appears. Select ...

  • Page 72: Initialize

    Initialize This operation restores the system to factory defaults, deletes the current configuration file, and reboots the device. Select Device > Configuration from the navigation tree, and then click the Initialize tab to enter the initialize confirmation page as shown in Figure Figure 44 Initialize confirmation dialog box Click the Restore Factory-Default Settings button to restore the system to factory defaults.

  • Page 73: Device Maintenance

    Device maintenance Software upgrade A system software image file is used to boot the device. Software upgrade allows you to obtain a target system software image file from the local host and set the file as the startup configuration file. In addition, you can select whether to reboot the device to bring the upgraded system software image file into effect.

  • Page 74: Device Reboot

    Item Description Specifies whether to overwrite the file with the same name. If a file with same name If you do not select the option, when a file with the same name exists, a dialog box already exists, overwrite appears, telling you that the file already exists and you can not continue the it without prompt.

  • Page 75: Diagnostic Information

    Select Device > Device Maintenance from the navigation tree, and click the Electronic Label tab to enter the page as shown in Figure Figure 47 Electronic label Diagnostic information Each functional module has its own running information, and generally, you view the output information for each module one by one.

  • Page 76

    NOTE:  The generation of the diagnostic file takes some time. During this process, do not perform any operation on the web page.  After the diagnostic file is generated successfully, you can view this file by selecting Device > File Management, or downloading this file to the local host.

  • Page 77: File Management

    File management The device saves files such as host software and configuration file into the storage device, and provides the file management function for users to manage those files conveniently and effectively. File management function provides the following operations: Displaying file list ...

  • Page 78: Downloading A File

    Browse. Click Apply to upload the file to the specified storage device. CAUTION: Uploading a file takes some time. HP recommends you not to perform any operation on the web interface during the upgrading procedure. Removing a file Select Device >...

  • Page 79: Port Management Configuration

    Port management configuration You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port, including but not limited to its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.

  • Page 80

    Table 19 Port configuration items Item Description Enable or disable the port. Sometimes, after you modify the operation Port State parameters of a port, you need to disable and then enable the port to have the modifications take effect. Set the transmission rate of the port. Available options include: ...

  • Page 81

    Therefore, you should configure the MDI mode depending on the cable types.  HP does not recommend you to use the auto mode. The other two modes are used only when the device cannot determine the cable type. ...

  • Page 82

    Item Description Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS as follows:  ratio: Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When this option is selected, you need to input a percentage in the box below.

  • Page 83: Viewing The Operation Parameters Of A Port

    Item Description Port or ports that you have selected from the chassis front panel and the aggregate interface list below, for which you have set operation parameters IMPORTANT: Selected Ports  Only in the presence of link aggregations groups, Aggregation ports will be displayed under the chassis front panel.

  • Page 84: Port Management Configuration Example

    Figure 53 The Details Port management configuration example Network requirements As shown in Figure  Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 or the switch respectively. The rates of the network adapters of these servers are all 1000 Mbps.

  • Page 85

    Configuration procedure # Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps. Select Device > Port Management from the navigation tree, click the Setup tab to enter the page  shown in Figure 55, and make the following configurations: Figure 55 Configure the rate of GigabitEthernet 1/0/4 ...

  • Page 86

    Figure 56 Batch configure port rate # Display the rate settings of ports. Click the Summary tab.   Select the Speed option to display the rate information of all ports on the lower part of the page, as shown in Figure...

  • Page 87

    Figure 57 Display the rate settings of ports...

  • Page 88: Port Mirroring Configuration

    Port mirroring configuration Introduction to port mirroring Port mirroring is the process of copying the packets passing through a port (called a mirroring port) to another port (called the monitor port) connected with a monitoring device for packet analysis. You can mirror inbound, outbound, or bidirectional traffic on a port as needed. Implementing port mirroring Port mirroring is implemented through local port mirroring groups.

  • Page 89: Creating A Mirroring Group

    Table 20 Local port mirroring configuration task list Task Remarks Required Create a local mirroring group For more information, see “Creating a mirroring group.” Required For more information, see “Configuring ports for a mirroring group.” Configure the mirroring ports During configuration, you need to select the port type Mirror Port. You can configure multiple mirroring ports for a mirroring group.

  • Page 90: Configuring Ports For A Mirroring Group

    Return to Local port mirroring configuration task list. Configuring ports for a mirroring group Select Device > Port Mirroring from the navigation tree and click Modify Port to enter the page for configuring ports for a mirroring group, as shown in Figure Figure 60 The Modify Port tab Table 22 Configuration items of configuring ports for a mirroring group...

  • Page 91: Configuration Examples

    Return to Local port mirroring configuration task list. Configuration examples Local port mirroring configuration example Network requirements Department 1 accesses Switch C through GigabitEthernet 1/0/1.  Department 2 accesses Switch C through GigabitEthernet 1/0/2.   Server is connected to GigabitEthernet 1/0/3 of Switch C. Configure port mirroring to monitor the bidirectional traffic of Department 1 and Department 2 on the server.

  • Page 92

    Figure 62 Create a local mirroring group  Type in mirroring group ID 1. Select Local in the Type drop-down list.  Click Apply.  # Configure the mirroring ports. Click Modify Port to enter the page for configuring ports for the mirroring group, as shown in Figure...

  • Page 93

    Figure 63 Configure the mirroring ports  Select 1 – Local in the Mirroring Group ID drop-down list. Select Mirror Port in the Port Type drop-down list.  Select both in the Stream Orientation drop-down list.   Select GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on the chassis front panel. Click Apply.

  • Page 94

    Figure 65 Configure the monitor port Select 1 – Local in the Mirroring Group ID drop-down list.  Select Monitor Port in the Port Type drop-down list.  Select GigabitEthernet 1/0/3 on the chassis front panel.  Click Apply. A configuration progress dialog box appears. ...

  • Page 95: User Management

    User management Overview The switch provides the following user management functions: Add local user accounts for FTP and Telnet users, and specify the password, access level, and  service types for each user. Set the super password for non-management level users to switch to the management level. ...

  • Page 96: Setting The Super Password

    Item Description Select an access level for the user. Users of different levels can perform different operations. User levels, in order from low to high, are visitor, monitor, configure, and management.  Visitor: Users of this level can only perform ping and traceroute operations. They can neither access data on the switch nor configure the switch.

  • Page 97: Switching To The Management Level

    Table 24 Super password configuration items Item Description Select the operation type. Options include: Create/Remove  Create: Configure or modify the super password.  Remove: Remove the current super password. Password Set the password for non-management level users to switch to the management level. Input the same password again.

  • Page 98: Loopback Test Configuration

    Loopback test configuration Overview You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. Ethernet port loopback test can be an internal loopback test or an external loopback test. ...

  • Page 99

    After that, click Test to start the loopback test, and you can see the test result in the Result box, as shown Figure Figure 70 Loopback test result Configuration guidelines Note the following when performing a loopback test: You can perform an internal loopback test but not an external loopback test on a port that is ...

  • Page 100

    Overview NOTE: The fiber interface of a SFP port does not support this feature. A link in the up state goes down and then up automatically if you perform this operation on one of the Ethernet interfaces forming the link. You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device.

  • Page 101

    Table 26 Description on the cable test result Item Description Status and length of the cable. The status of a cable can be normal, abnormal, abnormal(open), abnormal(short), or failure.  When a cable is normal, the cable length displayed is the total length of the cable. Cable status ...

  • Page 102: Flow Interval Configuration

    Flow interval configuration Overview With the flow interval module, you can view the number of packets and bytes sent/received by a port over the specified interval. Monitoring port traffic statistics Setting the traffic statistics generating interval Select Device > Flow interval from the navigation bar, and click the Interval Configuration tab to enter the page shown in Figure Figure 72 The page for setting the traffic statistics generating interval...

  • Page 103

    Figure 73 Port traffic statistics...

  • Page 104: Storm Constrain Configuration

    Storm constrain configuration Overview The storm constrain function limits traffic of a port within a predefined upper threshold to suppress packet storms in an Ethernet. With this function enabled on a port, the system detects the amount of broadcast traffic, multicast traffic, and unicast traffic reaching the port periodically. When a type of traffic exceeds the threshold for it, the function, as configured, blocks or shuts down the port, and optionally, sends trap messages and logs.

  • Page 105: Configuring Storm Constrain

    Figure 74 The Storm Constrain tab NOTE: The traffic statistics generating interval set here is the interval used by the storm constrain function for measuring traffic against the traffic thresholds. It is different from the interval set in the flow interval module, which is used for measuring the average traffic sending and receiving rates over a specific interval.

  • Page 106

    Figure 75 Add storm constrain settings for ports Table 28 Port storm constrain configuration items Item Remarks Specify the action to be performed when a type of traffic exceeds the corresponding upper threshold. Available options include:  None—Performs no action. ...

  • Page 107

    Item Remarks Select or clear the option to enable or disable the system to send trap messages both Trap when an upper threshold is crossed and when the corresponding lower threshold is crossed after that. Select or clear the option to enable or disable the system to output logs both when an upper threshold is crossed and when the corresponding lower threshold is crossed after that.

  • Page 108: Rmon Configuration

    MIB information, alarm, event, history, and statistics, in most cases. The HP device adopts the second way and realizes the RMON agent function. With the RMON agent function, the management device can obtain the traffic that flow among the managed devices on each connected network segments;...

  • Page 109: Rmon Groups

    Among the RMON groups defined by RMON specifications (RFC 2819), the device uses the statistics group, history group, event group, and alarm group supported by the public MIB. Besides, HP also defines and implements a private alarm group, which enhances the functions of the alarm group. This section describes the five kinds of groups.

  • Page 110: Configuring Rmon

    Figure 76 Rising and falling alarm events Event group The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group. The events can be handled in one of the following ways: ...

  • Page 111

    Table 29 RMON statistics group configuration task list Task Remarks Required You can create up to 100 statistics entries for a statistics table. After a statistics entry is created on an interface, the system collects statistics on various traffic information on the interface. It provides statistics about network Configuring a statistics collisions, CRC alignment errors, undersize/oversize packets, broadcasts, entry...

  • Page 112: Configuring A Statistics Entry

    Task Remarks Required You can create up to 60 alarm entries for an alarm table. With an alarm entry created, the specified alarm event will be triggered when an Configuring an alarm abnormity occurs, and the alarm event defines how to deal with the abnormity. entry IMPORTANT: An entry cannot be created if the values of the specified event description, owners,...

  • Page 113: Configuring A History Entry

    Figure 78 Add a statistics entry Table 33 Statistics entry configuration items Item Description Select the name of the interface on which the statistics entry is created. Interface Name Only one statistics entry can be created on one interface. Owner Set the owner of the statistics entry.

  • Page 114: Configuring An Event Entry

    Figure 80 Add a history entry Table 34 History entry configuration items Item Description Interface Name Select the name of the interface on which the history entry is created. Set the capacity of the history record list corresponding to this history entry, namely, the maximum number of records that can be saved in the history record list.

  • Page 115: Configuring An Alarm Entry

    Figure 82 Add an event entry Table 35 Event entry configuration items Item Description Description Set the description for the event. Owner Set the owner of the entry. Set the actions that the system will take when the event is triggered: ...

  • Page 116

    Figure 84 Add an alarm entry Table 36 Alarm entry configuration items Item Description Set the traffic statistics that will be collected and monitored. For more information, Statics Item Table Alarm variable Set the name of the interface whose traffic statistics will be collected and Interface Name monitored.

  • Page 117: Displaying Rmon Statistics Information

    Item Description Select whether to create a default event. The description of the default event is default event, the action is log-and-trap, and the owner is default owner. Create Default If there is no event, you can select to create the default event. And when the value Event of the alarm variable is higher than the alarm rising threshold or lower than the alarm falling threshold, the system will adopt the default action, that is,...

  • Page 118

    Figure 85 RMON statistics information Table 37 Fields of RMON statistics Item Description Total number of octets received by the interface, Number of Received Bytes corresponding to the MIB node etherStatsOctets. Total number of packets received by the interface, Number of Received Packets corresponding to the MIB node etherStatsPkts.

  • Page 119: Displaying Rmon History Sampling Information

    Item Description Total number of undersize packets (shorter than 64 octets) Number of Received Packets Smaller Than 64 received by the interface, corresponding to the MIB node Bytes etherStatsUndersizePkts. Total number of oversize packets (longer than 1518 octets) Number of Received Packets Larger Than 1518 received by the interface, corresponding to the MIB node Bytes etherStatsOversizePkts.

  • Page 120

    Figure 86 RMON history sampling information Table 38 Fields of RMON history sampling information Item Description Number of the entry in the system buffer Statistics are numbered chronologically when they are saved to the system buffer. Time Time at which the information is saved Dropped packets during the sampling period, corresponding to the MIB node DropEvents etherHistoryDropEvents.

  • Page 121: Displaying Rmon Event Logs

    Displaying RMON event logs Select Device > RMON from the navigation tree and click the Log tab to enter the page, as shown in Figure 87, which displays log information for all event entries. Figure 87 Log Return to Display RMON running status.

  • Page 122

    Figure 89 Add a statistics entry Select GigabitEthernet1/0/1 from the Interface Name drop-down box.   Type user1-rmon in the text box of Owner. Click Apply.  # Display RMON statistics for interface Ethernet 1/0/1. Click the icon corresponding to GigabitEthernet 1/0/1. ...

  • Page 123

    Figure 90 Display RMON statistics # Create an event to start logging after the event is triggered. Click the Event tab, click Add. ...

  • Page 124

    Figure 91 Configure an event group Type 1-rmon in the text box of Owner.   Select the check box before Log. Click Apply.  The page goes to the page displaying the event entry, and you can see that the entry index of the ...

  • Page 125

    Figure 93 Configure an alarm group Select Number of Received Bytes from the Statics Item drop-down box.   Select GigabitEthernet1/0/1 from the Interface Name drop-down box. Type 10 in the text box of Interval.  Select Delta from the Simple Type drop-down box. ...

  • Page 126: Energy Saving Configuration

    Energy saving configuration Overview Energy saving allows you to configure a port to work at the lowest transmission speed, disable PoE, or go down during a specified time range on certain days of a week. The port resumes working normally when the effective time period ends.

  • Page 127

    Item Description Set the port to transmit data at the lowest speed. IMPORTANT: Lowest Speed If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect. Shut down the port. IMPORTANT: Shutdown An energy saving policy can have all the three energy saving schemes configured, of...

  • Page 128: Snmp Configuration

    SNMP configuration The Simple Network Management Protocol (SNMP) is an Internet standard protocol widely used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices to monitor their operating and health state, diagnose network problems, and collect statistics for management purposes.

  • Page 129: Snmp Protocol Version

    SNMP protocol version SNMP agents support three SNMP protocol versions: SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 uses community names for authentication. A community name performs a similar role as  a password to regulate access from the NMS to the agent. If the community name provided by the NMS is different from the community name set on the agent, the SNMP connection cannot be established and the NMS fails to access the agent.

  • Page 130: Enabling Snmp

    Configuring SNMPv3 Perform the tasks in Table 41 to configure SNMPv3: Table 41 SNMPv3 configuration task list Task Remarks Required Enabling SNMP The SNMP agent function is disabled by default. Optional After creating SNMP views, you can specify an SNMP view for an Configuring an SNMP SNMP group to limit the MIB objects that can be accessed by the SNMP group.

  • Page 131

    Figure 97 Set up Table 42 Configuration items for enabling SNMP Item Description SNMP Specify to enable or disable SNMP. Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP Local Engine ID agent.

  • Page 132: Configuring An Snmp View

    Item Description Location Set a character string to describe the physical location of the device. SNMP Version Set the SNMP version run by the system Return to SNMPv1 or SNMPv2c configuration task list SNMPv3 configuration task list. Configuring an SNMP view Select Device >...

  • Page 133

    Figure 100 Create an SNMP view (2) Configure the parameters of a rule and click Add to add the rule into the list box at the lower part of the page. Configure all rules and click Apply to crate an SNMP view. Note that the view will not be created if you click Cancel.

  • Page 134: Configuring An Snmp Community

    Figure 101 Add rules to an SNMP view NOTE: You can also click the icon corresponding to the specified view on the page as shown in Figure and then you can enter the page to modify the view. Return to SNMPv1 or SNMPv2c configuration task list SNMPv3 configuration task list.

  • Page 135: Configuring An Snmp Group

    Table 44 Configuration items for configuring an SNMP community Item Description Community Name Set the SNMP community name. Configure SNMP NMS access right  Read only—The NMS can perform read-only operations to the MIB objects when it uses this community name to access the agent, Access Right ...

  • Page 136: Configuring An Snmp User

    Table 45 Configuration items for creating an SNMP group Item Description Group Name Set the SNMP group name. Select the security level for the SNMP group. The available security levels are:  NoAuth/NoPriv—No authentication no privacy.  Auth/NoPriv—Authentication without privacy. Security Level ...

  • Page 137

    Figure 107 Create an SNMP user Table 46 Configuration items for creating an SNMP user Item Description User Name Set the SNMP user name. Select the security level for the SNMP group. The following are the available security levels:  NoAuth/NoPriv—No authentication no privacy.

  • Page 138: Configuring Snmp Trap Function

    Item Description The confirm privacy password must be the same with the privacy Confirm Privacy Password password. Associate a basic ACL with the user to restrict the source IP address of SNMP packets, that is, you can configure to allow or prohibit SNMP packets with a specific source IP address, so as to allow or prohibit the specified NMS to access the agent by using this user name.

  • Page 139: Snmp Configuration Example

    Figure 109 Add a target host of SNMP traps Table 47 Configuration items for adding a target host Item Description Set the destination IP address. Destination IP Address Select the IP address type: IPv4 or IPv6, and then type the corresponding IP address in the text box according to the IP address type.

  • Page 140

     The IP address of the NMS is 1.1.1.2/24. The IP address of the VLAN interface on Switch is 1.1.1.1/24.  The NMS monitors the agent using SNMPv3. The agent reports errors or faults to the NMS.  Figure 110 Network diagram for SNMP configuration Configuration procedure Configure Agent # Configuration IP addresses for the interfaces.

  • Page 141

    Figure 112 Create an SNMP view (1) Type view1 in the text box.   Click Apply to enter the SNMP rule configuration page, as shown in Figure 1 Figure 113 Create an SNMP view (2) Select the Included radio box. ...

  • Page 142

     After the configuration process is complete, click Close. # Configure an SNMP group.  Click the Group tab and then click Add to enter the page as shown in Figure 1 Figure 115 Create an SNMP group  Type group1 in the text box of Group Name. Select view1 from the Read View drop-down box.

  • Page 143

     Type user1 in the text box of User Name. Select group1 from the Group Name drop-down box.  Click Apply.  # Enable the agent to send SNMP traps. Click the Trap tab and enter the page as shown in Figure 1 ...

  • Page 144

    CAUTION: The configuration on NMS must be consistent with that on the agent. Otherwise, you cannot perform corresponding operations. SNMPv3 adopts a security mechanism of authentication and privacy. You must configure username and security level. According to the configured security level, you must configure the related authentication mode, authentication password, privacy mode, privacy password, and so on.

  • Page 145: Interface Statistics

    Interface statistics Overview The interface statistics module displays statistics information about the packets received and sent through interfaces. Displaying interface statistics Select Device > Interface Statistics from the navigation tree to enter the interface statistics display page, as shown in Figure 1 Figure 119 Interface statistics display page Table 48 Details about the interface statistics...

  • Page 146

    Field Description OutNUcastPkts Number of non-unicast packets sent through the interface. OutDiscards Number of valid packets discarded in the outbound direction. OutErrors Number of invalid packets sent through the interface.

  • Page 147: Vlan Configuration

    VLAN configuration Introduction to VLAN Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs.

  • Page 148: Vlan Types

    Figure 121 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 122. Figure 122 Position and format of VLAN tag A VLAN tag comprises the following fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.

  • Page 149: Introduction To Port-based Vlan

    Introduction to port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods: An access port belongs to only one VLAN and sends traffic untagged.

  • Page 150: Configuring A Vlan

    Configuring a VLAN Configuration task list Use either of the following approaches or the combination of them to configure a VLAN, as shown in Table 49 Table Table 49 VLAN configuration task list (approach I) Task Remarks Required Creating VLANs Create one or multiple VLANs.

  • Page 151: Selecting Vlans

    Figure 123 The Create tab Table 51 Configuration items of creating VLANs Item Description VLAN IDs IDs of the VLANs to be created. Select the ID of the VLAN whose description string is to be modified. Modify the description Click the ID of the VLAN to be modified in the list in the middle of the page. of the Set the description string of the selected VLAN.

  • Page 152: Modifying A Vlan

    Figure 124 The Select VLAN tab Table 52 Configuration items of selecting VLANs Item Description Select one of the two options: Display all VLANs  Display all VLANs—Display all configured VLANs.  Display a subnet of all configured VLANs—Type the VLAN Display a subnet of all configured VLANs IDs you want to display.

  • Page 153

    Figure 125 The Modify VLAN tab Table 53 Configuration items of modifying a VLAN Item Description Select the VLAN to be modified. Please select a VLAN to Select a VLAN in the drop-down list. The VLANs available for selection are modify created first and then selected on the page for selecting VLANs.

  • Page 154: Modifying Ports

    Modifying ports Select Network > VLAN from the navigation tree and click the Modify Port tab to enter the page shown Figure 126. Figure 126 The Modify Port tab Table 54 Configuration items of modifying ports Item Description Select the ports to be modified. Click one or more ports you want to modify on the chassis front panel.

  • Page 155: Vlan Configuration Example

    Item Description Set the link type of the selected ports, which can be access, hybrid, or trunk. Link Type This item is available when the Link Type option is selected in the Select membership type area. PVID Set the PVID of the selected ports. If you select Delete, you restore the PVID to VLAN 1.

  • Page 156

    Figure 128 Configure GigabitEthernet 1/0/1 as a trunk port and its PVID as 100  Select Trunk in the Link Type drop-down list. Select the PVID option, and type 100 in the text box.  Select GigabitEthernet 1/0/1 on the chassis front device panel. ...

  • Page 157

    Figure 129 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100  Type VLAN IDs 2, 6-50, 100. Click Create.  # Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member. Click Select VLAN to enter the page for selecting VLANs, as shown in Figure 130.

  • Page 158

     Select the Display a subnet of all configured VLANs option and type 1-100 in the text box. Click Select.  Click Modify VLAN to enter the page for modifying the ports in a VLAN, as shown in Figure 131. Figure 131 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member Select 100 –...

  • Page 159

     After the configuration process is complete, click Close. # Assign GigabitEthernet 1/0/1 to VLAN 2 and VLANs 6 through 50 as a tagged member. Click Modify Port to enter the page for modifying the VLANs to which a port belongs, as shown in Figure 133.

  • Page 160: Vlan Interface Configuration

    VLAN interface configuration NOTE: For more information about VLANs, see the chapter “VLAN configuration.” For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform layer 3 forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs.

  • Page 161: Modifying A Vlan Interface

    Figure 134 The Create tab Table 56 Configuration items of creating a VLAN interface Item Description Input the ID of the VLAN interface to be created. Before creating a VLAN Input a VLAN ID: interface, make sure that the corresponding VLAN exists. DHCP Configure the way in which the VLAN interface obtains an IPv4 address.

  • Page 162

    Figure 135 The Modify tab Table 57 Configuration items of modifying a VLAN interface Item Description Select the VLAN interface to be configured. Select VLAN Interface The VLAN interfaces available for selection in the drop-down list are those created on the page for creating VLAN interfaces. DHCP Configure the way in which the VLAN interface obtains an IPv4 address.

  • Page 163: Voice Vlan Configuration

    Voice VLAN configuration A voice VLAN is configured especially for voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, the system automatically configures quality of service (QoS) parameters for voice traffic, improving the transmission priority of voice traffic and ensuring voice quality. OUI addresses A device determines whether a received packet is a voice packet by checking its source MAC address.

  • Page 164: Security Mode And Normal Mode Of Voice Vlans

     In manual mode, you need to manually assign an IP phone accessing port to a voice VLAN. Then, the system matches the source MAC addresses carried in the packets against the device’s OUI addresses. If a match is found, the system issues ACL rules and configures the packet precedence. In this mode, assigning ports to and removing ports from a voice VLAN are performed manually.

  • Page 165: Configuring The Voice Vlan

    In a safe network, you can configure the voice VLANs to operate in normal mode, reducing the consumption of system resources due to source MAC addresses checking. HP does not recommend you transmit both voice traffic and non-voice traffic in a voice VLAN. If you have to, ensure that the voice VLAN security mode is disabled.

  • Page 166

    Table 61 Voice VLAN configuration task list for a port in automatic voice VLAN assignment mode Task Remarks Optional Configuring voice VLAN globally Configure the voice VLAN to operate in security mode and configure the aging timer. Required Configure the voice VLAN assignment mode of a port as Configuring voice VLAN on a port automatic and enable the voice VLAN function on the port.

  • Page 167: Configuring Voice Vlan Globally

    Configuring voice VLAN globally Select Network > Voice VLAN from the navigation tree, and click the Setup tab to enter the page shown Figure 136. Figure 136 Configure voice VLAN Table 63 Global voice VLAN configuration items Item Description Select Enable or Disable in the drop-down list to enable or disable the voice VLAN security mode.

  • Page 168

    Figure 137 Configure voice VLAN on a port Table 64 Configuration items of configuring voice VLAN for a port Item Description Set the voice VLAN assignment mode of a port:  Voice VLAN port mode Auto—Indicates the automatic voice VLAN assignment mode. ...

  • Page 169: Adding Oui Addresses To The Oui List

    Adding OUI addresses to the OUI list Select Network > Voice VLAN from the navigation tree and click the OUI Add tab to enter the page shown in Figure 138. Figure 138 Add OUI addresses to the OUI list Table 65 OUI list configuration items Item Description OUI Address...

  • Page 170

     Configure VLAN 2 as the voice VLAN allowing only voice traffic to pass through. The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.  GigabitEthernet 1/0/1 operates in automatic VLAN assignment mode. Set the voice VLAN aging ...

  • Page 171

    # Configure GigabitEthernet 1/0/1 as a hybrid port. Select Device > Port Management from the navigation tree, and click the Setup tab to enter the  page shown in Figure 141. Figure 141 Configure GigabitEthernet 1/0/1 as a hybrid port Select Hybrid from the Link Type drop-down list.

  • Page 172

    Figure 142 Configure the voice VLAN function globally Select Enable in the Voice VLAN security drop-down list. You can skip this step, because the voice  VLAN security mode is enabled by default. Set the voice VLAN aging timer to 30 minutes. ...

  • Page 173

    Figure 144 Add OUI addresses to the OUI list  Type OUI address 001 1-2200-0000. Select FFFF-FF00-0000 in the Mask drop-down list.  Type description string test.   Click Apply. Verify the configuration When the configurations are completed, the OUI Summary tab is displayed by default, as shown ...

  • Page 174: Configuring A Voice Vlan On A Port In Manual Voice Vlan Assignment Mode

    Figure 146 Current voice VLAN information Configuring a voice VLAN on a port in manual voice VLAN assignment mode Network requirements As shown in Figure 147, Configure VLAN 2 as a voice VLAN that carries only voice traffic.   The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.

  • Page 175

    Configuration procedure # Create VLAN 2. Select Network > VLAN from the navigation tree, and click the Create tab to enter the page shown  Figure 148. Figure 148 Create VLAN 2  Type VLAN ID 2. Click Create.  # Configure GigabitEthernet 1/0/1 as a hybrid port and configure its PVID as VLAN 2.

  • Page 176

    Figure 149 Configure GigabitEthernet 1/0/1 as a hybrid port Select Hybrid from the Link Type drop-down list.  Select the PVID option and type 2 in the text box.  Select GigabitEthernet 1/0/1 from the chassis front panel.   Click Apply.

  • Page 177

    Figure 150 Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member Select GigabitEthernet 1/0/1 from the chassis front panel.  Select the Untagged option.  Type VLAN ID 2.   Click Apply. A configuration progress dialog box appears, as shown in Figure 151.

  • Page 178

    Figure 152 Configure voice VLAN on GigabitEthernet 1/0/1 Select Manual in the Voice VLAN port mode drop-down list.  Select Enable in the Voice VLAN port state drop-down list.  Type voice VLAN ID 2.   Select GigabitEthernet 1/0/1 on the chassis front panel. Click Apply.

  • Page 179

     Type OUI address 001 1-2200-0000. Select FFFF-FF00-0000 from the Mask drop-down list.  Type description string test.   Click Apply. Verify the configuration When the configurations are completed, the OUI Summary tab is displayed by default, as shown ...

  • Page 180

    Configuration guidelines When configuring the voice VLAN function, follow these guidelines: To remove a VLAN functioning as a voice VLAN, disable its voice VLAN function first.  In automatic voice VLAN assignment mode, a hybrid port can process only tagged voice traffic. ...

  • Page 181: Mac Address Configuration

    MAC address configuration NOTE: The MAC address table can contain only Layer 2 Ethernet ports. This manual covers only the management of static and dynamic MAC address entries, not multicast MAC address entries. An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast.

  • Page 182: Configuring Mac Addresses

    Figure 156 MAC address table of the device Configuring MAC addresses You can configure and display MAC address entries and set the MAC address entry aging time. Configuring a MAC address entry Select Network > MAC from the navigation tree. The system automatically displays the MAC tab, which shows all the MAC address entries on the device, as shown in Figure 157.

  • Page 183

    Figure 157 The MAC tab Click Add in the bottom to enter the page as shown in Figure 158. Figure 158 Create a MAC address entry Table 66 Configuration items of creating a MAC address entry Item Description Set the MAC address to be added.

  • Page 184: Setting The Aging Time Of Mac Address Entries

    Item Description Set the type of the MAC address entry:  Static—Static MAC address entries that never age out.  Dynamic—Dynamic MAC address entries that will age out.  Blackhole—Blackhole MAC address entries that never age out. IMPORTANT: Type The tab displays the following types of the MAC address entries: ...

  • Page 185

    Configuration procedure # Create a static MAC address entry. Select Network > MAC from the navigation tree to enter the MAC tab, and then click Add. The page shown in Figure 160 appears. Figure 160 Create a static MAC address entry Type MAC address 00e0-fc35-dc71.

  • Page 186: Mstp Configuration

    MSTP configuration As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and also allows for link redundancy. Recent versions of STP include Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP).

  • Page 187: How Stp Works

    Designated bridge and designated port Table 68 Description of designated bridges and designated ports Classification Designated bridge Designated port A device directly connected with the local The port through which the designated For a device device and responsible for forwarding bridge forwards BPDUs to this device BPDUs to the local device The port through which the designated...

  • Page 188

     Designated bridge ID: Comprises the priority and MAC address of the designated bridge. Designated port ID: Comprises the port priority and global port number.  Message age: age of the configuration BPDU while it propagates in the network.  ...

  • Page 189

    Selection of the root bridge  Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.

  • Page 190

    As shown in Figure 162, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of links among the three devices are 5, 10 and 4 respectively.  Initial state of each device Table 71 Initial state of each device Device Port name...

  • Page 191

    Configuration BPDU on Device Comparison process ports after comparison  Device B compares the configuration BPDUs of all its ports, and determines that the configuration BPDU of BP1 is the optimum configuration BPDU. Then, it uses BP1 as the root port, the configuration BPDUs of which will not be changed.

  • Page 192

    Configuration BPDU on Device Comparison process ports after comparison After comparison:  Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) + path cost corresponding to CP2 (10)), the BPDU of CP2 is Blocked port CP2: elected as the optimum BPDU, and CP2 is elected as the root...

  • Page 193: Rstp

    BPDU with itself as the root and sends out the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity. However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path.

  • Page 194: Mstp Features

    Although RSTP supports rapid network convergence, it has the same drawback as STP—All bridges within a LAN share the same spanning tree, so redundant links cannot be blocked based on VLAN, and the packets of all VLANs are forwarded along the same spanning tree. MSTP features Developed based on IEEE 802.1s, MSTP overcomes the shortcomings of STP and RSTP.

  • Page 195

    Figure 164 Basic concepts in MSTP MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: MSTP-enabled  Same region name ...

  • Page 196

    mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-MSTI mapping table. An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a special MSTI to which all VLANs are mapped by default.

  • Page 197

     Root port: Forwards data for a non-root bridge to the root bridge. Designated port: Forwards data to the downstream network segment or device.  Master port: A port on the shortest path from the local MST region to the common root bridge, ...

  • Page 198: How Mstp Works

    A port state is not exclusively associated with a port role. Table 73 lists the port states supported by each port role, where “√” indicates that the port supports the state and “—” indicates that the port does not support the state. Table 73 Ports states supported by different port roles Port role (right) Root...

  • Page 199: Protocols And Standards

     TC-BPDU (a message that notifies the device of topology changes) guard Protocols and standards IEEE 802.1d, Media Access Control (MAC) Bridges  IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration   IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees Configuring MSTP Configuration task list Perform the tasks described in...

  • Page 200

    Figure 166 MST region Click Modify to enter the page shown in Figure 167. Figure 167 Configure an MST region Table 75 Configuration items of configuring an MST region Item Description MST region name. Region Name The MST region name is the bridge MAC address of the device by default.

  • Page 201: Configuring Mstp Globally

    Configuring MSTP globally Select Network > MSTP from the navigation tree, and click the Global tab to enter the page shown in Figure 168. Figure 168 Configure MSTP globally Table 76 Configuration items of MSTP global configuration Item Description Globally enable or disable STP. Enable STP Globally Other MSTP configurations take effect only after you globally enable STP.

  • Page 202

    Otherwise, the network topology will not be stable. HP Timer recommends you set the network diameter and then have the Set the maximum length of time a...

  • Page 203: Configuring Mstp On A Port

    With the TC-BPDU guard function, you can prevent frequent flushing of forwarding address entries. IMPORTANT: HP does not recommend you to disable this function. Set the maximum number of immediate forwarding address entry flushes the device TC Protection Threshold can perform within a certain period of time after receiving the first TC-BPDU.

  • Page 204

    Transmit Limit The larger the transmit limit is, the more network resources will be occupied. HP recommends you to use the default value. Set whether or not the port migrates to the MSTP mode. In a switched network, if a port on an MSTP (or RSTP) device connects to a device running STP, this port will automatically migrate to the STP-compatible mode.

  • Page 205: Displaying Mstp Information Of A Port

    BPDUs. You can set these ports as edge ports to achieve Edged Port fast transition for these ports. HP recommends you to enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.

  • Page 206

    Figure 170 The Port Summary tab Select a port (GigabitEthernet 1/0/16 for example) on the chassis front panel. If aggregate interfaces are configured on the device, the page displays a list of aggregate interfaces below the chassis front panel, and you can select aggregate interfaces from this list. The lower part of the page displays the MSTP information of the port in MSTI 0 (when STP is enabled globally) or the STP status and statistics (when STP is disabled globally), the MSTI to which the port belongs, and the path cost and priority of the port in the MSTI.

  • Page 207

    Field Description Path cost of the port. The field in the bracket indicates the standard used for port path cost calculation, which can be Legacy, dot1d-1998, or dot1t. Port Cost(Legacy)  Config indicates the configured value.  Active indicates the actual value. Designated bridge ID and port ID of the port.

  • Page 208: Mstp Configuration Example

    Field Description Max age(s) Maximum age of a configuration BPDU. Forward delay(s) Port state transition delay, in seconds. Hello time(s) Configuration BPDU transmission interval, in seconds. Max hops Maximum hops of the current MST region. Return to MSTP configuration task list.

  • Page 209

    Figure 172 The Region tab Click Modify to enter the page shown in Figure 173.  Figure 173 Configure an MST region  Type the region name example. Set the revision level to 0.  Select the Manual option.  Select 1 in the Instance ID drop-down list.

  • Page 210

    Figure 174 Configure MSTP globally (on Switch A) Select Enable in the Enable STP Globally drop-down list.   Select MSTP in the Mode drop-down list. Select the Instance option.  Type the Instance ID 1.  Select Primary in the Root Type drop-down list. ...

  • Page 211

     Select MSTP in the Mode drop-down list. Select the Instance option.  Select 2 in the Instance ID drop-down list.   Select Primary in the Root Type drop-down list. Click Apply.  Configure Switch C. # Configure an MST region. The procedure is the same as that of configuring an MST region on Switch # Configure MSTP globally.

  • Page 212

    Figure 175 Configure MSTP globally (on Switch D) Select Enable in the Enable STP Globally drop-down list.   Select MSTP in the Mode drop-down list. Click Apply.  Configuration guidelines When configuring MSTP, follow these guidelines: Two devices belong to the same MST region only if they are interconnected through physical links, ...

  • Page 213

     If the device is not enabled with BPDU guard, when a boundary port receives a BPDU from another port, it transits into a non-boundary port. To restore its port role as a boundary port, you need to restart the port. Configure ports that are directly connected to terminals as boundary ports and enable BPDU guard ...

  • Page 214: Link Aggregation And Lacp Configuration

    Link aggregation and LACP configuration Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one logical link, called an aggregate link. Link aggregation delivers the following benefits: Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed ...

  • Page 215: Link Aggregation Modes

    LACP is automatically enabled on interfaces in a dynamic aggregation group. For information about dynamic aggregation groups, see “Dynamic aggregation mode.” An LACP-enabled interface sends LACPDUs to notify the remote system (the partner) of its system LACP priority, system MAC address, LACP port priority, port number, and operational key.

  • Page 216

    Full duplex/high speed  Full duplex/low speed  Half duplex/high speed  Half duplex/low speed  Consider the ports in up state with the same port attributes and class-two configurations as the  reference port as candidate Selected ports, and set all others in the Unselected state. Static aggregation limits the number of Selected ports in an aggregation group.

  • Page 217: Load Sharing Mode Of An Aggregation Group

    Load sharing mode of an aggregation group Every link aggregation group created on HP V1910 Switch Series operates in load sharing mode all the time, even when it contains only one member port.

  • Page 218: Creating A Link Aggregation Group

    Table 82 Dynamic aggregation group configuration task list Task Remarks Required Create a dynamic aggregate interface and configure member ports for the dynamic aggregation group Creating a link aggregation group automatically created by the system when you create the aggregate interface. LACP is enabled automatically on all the member ports.

  • Page 219

    Figure 176 Create a link aggregation group Table 83 Configuration items of creating a link aggregation group Item Description Assign an ID to the link aggregation group to be created. Enter Link Aggregation Interface ID You can view the result in the Summary list box at the bottom of the page.

  • Page 220: Displaying Information Of An Aggregate Interface

    Displaying information of an aggregate interface Select Network > Link Aggregation from the navigation tree. The Summary tab is displayed by default, as shown in Figure 177. Figure 177 Display information of an aggregate interface Table 84 Fields on the Summary tab Field Description Type and ID of the aggregate interface.

  • Page 221: Displaying Information Of Lacp-enabled Ports

    Figure 178 The Setup tab After finishing each configuration item, click the right Apply button to submit the configuration. Table 85 describes the configuration items. Table 85 LACP priority configuration items Item Description Select LACP enabled port(s) parameters Set a port LACP priority. Select the ports where the port LACP priority you set will apply on the chassis front panel.

  • Page 222

    Figure 179 Display information about LACP-enabled ports The upper part of the page displays a list of all LACP-enabled ports on the device and information about them. To view information about the partner port of a LACP-enabled port, select it in the port list, and then click View Details.

  • Page 223: Link Aggregation And Lacp Configuration Example

    Field/button Description Reason code indicating why a port is inactive (that is, unselected) for Inactive Reason receiving/transmitting user data. For the meanings of the reason codes, see the bottom of the page shown in Figure 179. Partner Port Name of the peer port. State information of the peer port, represented by letters A through H.

  • Page 224

    Figure 180 Network diagram for static link aggregation configuration Configuration procedure You can create a static or dynamic link aggregation group to achieve load balancing. Approach 1: Create a static link aggregation group # Create static link aggregation group 1. Select Network >...

  • Page 225

     Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel.  Click Apply. Approach 2: Create a dynamic link aggregation group # Create dynamic link aggregation group 1. Select Network > Link Aggregation from the navigation tree, and click the Create tab to enter the page as shown in Figure 182.

  • Page 226

     In an aggregation group, the port to be a selected port must be the same as the reference port in port attributes, and class-two configurations. To keep these configurations consistent, you should configure the port manually. Reference port: Select a port as the reference port from the ports that are in up state and with the ...

  • Page 227: Lldp Configuration

    LLDP configuration Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one other and exchange configuration for interoperability and management sake. A standard configuration exchange platform was created. The IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.

  • Page 228

    Field Description Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame. SNAP-encapsulated LLDPDU format Figure 184 SNAP-encapsulated LLDPDU format Table 89 Fields in a SNAP encapsulated LLDPDU Field Description The MAC address to which the LLDPDU is advertised. It is fixed to Destination MAC address 0x0180-C200-000E, a multicast MAC address.

  • Page 229

    Port And Protocol VLAN ID Port and protocol VLAN IDs. VLAN Name A specific VLAN name on the port. Protocol Identity Protocols supported on the port. NOTE: HP V1910 Switch Series can receive but cannot send protocol identity TLVs. IEEE 802.3 organizationally specific TLVs...

  • Page 230

    Table 92 IEEE 802.3 organizationally specific TLVs Type Description Contains the rate and duplex capabilities of the sending port, support MAC/PHY Configuration/Status for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode. Power Via MDI Contains Power supply capability of the port.

  • Page 231: How Lldp Works

    Management address The management address of a device is used by the network management system to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV. How LLDP works Operating modes of LLDP LLDP can operate in one of the following modes: TxRx mode.

  • Page 232

    With CDP compatibility enabled, your device can receive and recognize CDP packets from a Cisco IP phone and respond with CDP packets, which carry the voice VLAN configuration TLVs. The voice traffic is confined in the configured voice VLAN, and differentiated from other types of traffic. CDP-compatible LLDP operates in one of the following modes: TxRx: CDP packets can be transmitted and received.

  • Page 233: Enabling Lldp On Ports

    Task Remarks Displaying LLDP Optional information received from You can display the LLDP information received from LLDP neighbors. LLDP neighbors NOTE: LLDP-related configurations made in Ethernet interface view takes effect only on the current port, and those made in port group view takes effect on all ports in the current port group. Enabling LLDP on ports Select Network >...

  • Page 234: Configuring Lldp Settings On Ports

    Figure 186 The Port Setup tab Return to LLDP configuration task list. Configuring LLDP settings on ports Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 186. You can configure LLDP settings on ports individually or in batch. ...

  • Page 235

    Figure 187 The page for modifying LLDP settings on a port  To bulk configure LLDP settings on ports, select multiple ports and click Modify Selected. The page shown in Figure 188 appears. Figure 188 The page for modifying LLDP settings on ports in batch...

  • Page 236

    Table 95 Port LLDP configuration items Item Description Interface Name Displays the name of the port or ports you are configuring. Displays the LLDP enabling status on the port you are configuring. LLDP State This field is not available when you batch-configure ports. Set the LLDP operating mode on the port or ports you are configuring: ...

  • Page 237

    Item Description Select to include the system capabilities TLV in transmitted System Capabilities LLDPDUs. Select to include the system description TLV in transmitted System Description LLDPDUs. System Name Select to include the system name TLV in transmitted LLDPDUs. Select to include the management address TLV in transmitted LLDPDUs and in addition, set the management address and its format (a numeric or character string in the TLV).

  • Page 238: Configuring Global Lldp Setup

    Item Description and network device address. When configuring the network device address, select the address information type from the drop-down list, type the address information in the text box below and click Add next to the text box to add the information to the address information Network Device Address list below.

  • Page 239

    Item Description Select from the drop-down list to enable or disable CDP compatibility of LLDP. IMPORTANT:  To enable LLDP to be compatible with CDP on a port, you must set the CDP work mode (or the CDP operating mode) on the port to TxRx in addition to enabling CDP Compatibility CDP compatibility on the Global Setup tab.

  • Page 240: Displaying Lldp Information For A Port

    Item Description Set the LLDPDU transmit interval. IMPORTANT: If the product of the TTL multiplier and the LLDPDU transmit interval is greater than Tx Interval 65535, the TTL carried in transmitted LLDPDUs takes 65535 seconds. In this case, the likelihood exists that the LLDPDU transmit interval is greater than TTL. You should avoid the situation, because the LLDP neighbors will fail to receive LLDPDUs to update information about the device you are configuring before it is aged out.

  • Page 241

    Field Description Port power classification of the PD:  Unknown  Class 0  Port power classification Class 1  Class 2  Class 3  Class 4 Available options include:  Unknown  Voice  Voice signaling  Guest voice Media policy type ...

  • Page 242

    Table 98 LLDP neighbor information of an LLDP-enabled port Field Description Chassis ID type:  Chassis component  Interface alias  Port component Chassis type  MAC address  Network address  Interface name  Locally assigned—Local configuration. Chassis ID depending on the chassis type, which can be a MAC address of Chassis ID the device.

  • Page 243

    Field Description MED device type:  Connectivity device—An intermediate device that provide network connectivity.  Class I—a generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category.  Class II—A media endpoint device. The class II endpoint devices support Device class the media stream capabilities in addition to the capabilities of generic endpoint devices.

  • Page 244: Displaying Global Lldp Information

    Field Description Available options include:  Unknown—The PSE priority of the port is unknown.  Port PSE priority Critical—The priority level 1.  High—The priority level 2.  Low—The priority level 3. Figure 192 The Statistic Information tab Figure 193 The Status Information tab Return to LLDP configuration task list.

  • Page 245

    Figure 194 The Global Summary tab Table 99 Global LLDP information Field Description Chassis ID The local chassis ID depending on the chassis type defined. The primary network function advertised by the local device: System capabilities  Bridge supported  Router The enabled network function advertised by the local device: System capabilities...

  • Page 246: Displaying Lldp Information Received From Lldp Neighbors

    Field Description The device class advertised by the local device:  Connectivity device—An intermediate device that provide network connectivity.  Class I—A generic endpoint device. All endpoints that require the discovery service of LLDP belong to this category.  Class II—A media endpoint device. The class II endpoint devices support the Device class media stream capabilities in addition to the capabilities of generic endpoint devices.

  • Page 247

    Figure 196 Network diagram for basic LLDP configuration Configuration procedure Configure Switch A # Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. This step is optional, because LLDP is enabled on Ethernet ports by default. # Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Select Network >...

  • Page 248

    Figure 197 The Port Setup tab...

  • Page 249

    Figure 198 The page for setting LLDP on multiple ports Select Rx from the LLDP Operating Mode drop-down list.   Click Apply. # Enable global LLDP.  Click the Global Setup tab, as shown in Figure 199.

  • Page 250

    Figure 199 The Global Setup tab  Select Enable from the LLDP Enable drop-down list. Click Apply.  Configure Switch B # Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.) # Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1. Select Network >...

  • Page 251

    Figure 201 The page for configuring LLDP on the selected port Select Tx from the LLDP Operating Mode drop-down list.   Click Apply. # Enable global LLDP and configure the global LLDP setup as needed (see Figure 199). Click the Global Setup tab. ...

  • Page 252: Cdp-compatible Lldp Configuration Example

    Figure 202 The Status Information tab # Tear down the link between Switch A and Switch B. # Display the status information of port GigabitEthernet 1/0/2 on Switch A. Click Refresh. The updated status information of port GigabitEthernet 1/0/2 shows that no ...

  • Page 253

    Figure 204 Network diagram for CDP-compatible LLDP configuration Configuration procedure # Create VLAN 2. Select Network > VLAN from the navigation bar and click the Create tab to enter the page shown  Figure 205. Figure 205 The page for creating VLANs Type 2 in the VLAN IDs field.

  • Page 254

    Figure 206 The page for configuring ports Select Trunk in the Link Type drop-down list.  Select port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on the chassis front panel.  Click Apply.  # Configure the voice VLAN function on the two ports. Select Network >...

  • Page 255

    Figure 207 The page for configuring the voice VLAN function on ports Select Auto in the Voice VLAN port mode drop-down list.  Select Enable in the Voice VLAN port state drop-down list.   Type 2 in the Voice VLAN ID field. Select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on the chassis front panel.

  • Page 256

    Figure 208 The Port Setup tab...

  • Page 257

    Figure 209 The page for modifying LLDP settings on ports Select TxRx from the LLDP Operating Mode drop-down list.  Select TxRx from the CDP Operating Mode drop-down list.   Click Apply. # Enable global LLDP and CDP compatibility of LLDP. ...

  • Page 258

    Figure 210 The Global Setup tab Select Enable from the LLDP Enable drop-down list.   Select Enable from the CDP Compatibility drop-down list. Click Apply.  Configuration verification # Display information about LLDP neighbors on Switch A. Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 and obtained their device information.

  • Page 259: Igmp Snooping Configuration

    IGMP snooping configuration Overview Internet Group Management Protocol (IGMP) snooping is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP snooping By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.

  • Page 260: Work Mechanism Of Igmp Snooping

    Figure 212 IGMP snooping related ports Receiver Router A Switch A GE1/0/1 GE1/0/2 Host A GE1/0/3 Host B Receiver GE1/0/1 Source GE1/0/2 Host C Switch B Router port Member port Multicast packets Host D IGMP snooping related ports include:  Router port: A router port is a port on an Ethernet switch that leads the switch towards the Layer 3 multicast device (DR or IGMP querier).

  • Page 261

    After receiving an IGMP general query, the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port:  The switch resets the aging timer for the receiving port if the port is in the router port list. The switch adds the receiving port to the router port list if it is not in the list and starts the aging timer ...

  • Page 262: Igmp Snooping Querier

    multicast group through the port that received the leave group message. After hearing the IGMP group-specific query, the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group, and performs the following to the port (in case it is a dynamic member port) before the member port aging timer of the port expires: If any IGMP report in response to the group-specific query is heard on a member port before its ...

  • Page 263: Enabling Igmp Snooping Globally

    Task Remarks Optional Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN. Configuring IGMP snooping IMPORTANT: port functions  IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port.

  • Page 264

    Figure 214 VLAN configuration Table 101 Items for configuring IGMP snooping in a VLAN Item Description VLAN ID This field displays the ID of the VLAN to be configured. Enable or disable IGMP snooping in the VLAN. IGMP Snooping You can proceed with the subsequent configurations only if Enable is selected here. By configuring an IGMP snooping version, you actually configure the versions of IGMP messages that IGMP snooping can process.

  • Page 265: Configuring Igmp Snooping Port Functions

    Item Description General Query Source Specify the source IP address of general queries. HP recommends you to configure a non-all-zero IP address as the source IP address of IGMP queries. Special Query Source Specify the source IP address of group-specific queries. HP recommends you to...

  • Page 266: Display Igmp Snooping Multicast Entry Information

    Item Description Configure the maximum number of multicast groups that the port can join. With this feature, you can regulate multicast traffic on the port. IMPORTANT: Group Limit When the number of multicast groups a port has joined reaches the configured threshold, the system deletes all the forwarding entries persistent on that port from the IGMP snooping forwarding table, and the hosts on this port need to join the multicast groups again.

  • Page 267: Igmp Snooping Configuration Example

    Table 103 Description of IGMP snooping multicast entries Item Description VLAN ID ID of the VLAN to which the entry belongs Source Address Multicast source address, where 0.0.0.0 indicates all multicast sources. Group Address Multicast group address Router Port(s) All router ports Member Port(s) All member ports Return to...

  • Page 268

    # Create VLAN 100 and add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100. Select Network > VLAN in the navigation tree and click the Create tab to enter the configuration  page shown in Figure 219. Figure 219 Create VLAN 100 Type the VLAN ID 100.

  • Page 269

    Figure 220 Add a port to the VLAN Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select  Ports field. Select the Untagged radio button for Select membership type.  Type the VLAN ID 100.  Click Apply to complete the operation. ...

  • Page 270

    Figure 221 Enable IGMP snooping globally Select Enable and click Apply to globally enable IGMP snooping.  # In VLAN 100, enable IGMP snooping and the function of dropping unknown multicast data.  Click the icon corresponding to VLAN 100 to enter its configuration page and perform the following configurations, as shown in Figure 222.

  • Page 271

    # Enable the fast leave function for GigabitEthernet 1/0/3. Click the Advanced tab.  Figure 223 Configure IGMP snooping on GigabitEthernet 1/0/3 Select GigabitEthernet 1/0/3 from the Port drop-down list.   Type the VLAN ID 100. Select the Enable radio button for Fast Leave. ...

  • Page 272

    Figure 225 Details about an IGMP snooping multicast entry As shown above, GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for multicast group 224.1.1.1.

  • Page 273: Routing Configuration

    Routing configuration NOTE: router The term in this document refers to a switch supporting routing function. Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path. When the packet reaches the last router, it then forwards the packet to the destination host.

  • Page 274: Default Route

    Default route A default route is used to forward packets that match no entry in the routing table. Without a default route, the packet is discarded. An IPv4 static default route has both its destination IP address and mask being 0.0.0.0. Configuring IPv4 routing Displaying the IPv4 active route table Select Network >...

  • Page 275: Creating An Ipv4 Static Route

    Creating an IPv4 static route Select Network > IPv4 Routing from the navigation tree and click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 227. Figure 227 Create an IPv4 static route Table 105 IPv4 static route configuration items Item Description Destination IP Address...

  • Page 276: Static Route Configuration Example

    Static route configuration example Network requirements The IP addresses of devices are shown in Figure 228. Configure IPv4 static routes on Switch A, Switch B, and Switch C so that any two hosts can communicate with each other. Figure 228 Network diagram for IPv4 static route configuration Configuration outlines On Switch A, configure a default route with Switch B as the next hop.

  • Page 277

    Figure 229 Configure a default route # Configure a static route to Switch A and Switch C respectively on Switch B. Select Network > IPv4 Routing from the navigation tree of Switch B, and then click the Create tab  to enter the page shown in Figure 230.

  • Page 278

    Figure 230 Configure a static route # Configure a default route to Switch B on Switch C. Select Network > IPv4 Routing from the navigation tree of Switch C, and then click the Create tab  to enter the page as shown in Figure 231.

  • Page 279

    Figure 231 Configure a default route Configuration verification # Display the active route table. Enter the IPv4 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed in the active route table. # Ping Host B from Host A (assuming both hosts run Windows XP).

  • Page 280: Precautions

    Precautions When configuring a static route, note the following: If you do not specify the preference when configuring a static route, the default preference will be used. Reconfiguration of the default preference applies only to newly created static routes. The web interface does not support configuration of the default preference.

  • Page 281: Dhcp Overview

    DHCP overview NOTE: After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For more information about the DHCP client configuration, see the chapter “VLAN interface configuration.”...

  • Page 282: Dynamic Ip Address Allocation Process

     Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.  Automatic allocation: DHCP assigns a permanent IP address to a client. Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is ...

  • Page 283: Dhcp Message Format

    When the half lease duration elapses, the DHCP client sends to the DHCP server a DHCP-REQUEST unicast to extend the lease duration. Upon availability of the IP address, the DHCP server returns a DHCP-ACK unicast confirming that the client’s lease duration has been extended, or a DHCP-NAK unicast denying the request.

  • Page 284: Dhcp Options

     options: Optional parameters field that is variable in length, which includes the message type, lease, domain name server IP address, and WINS IP address. DHCP options DHCP options overview The DHCP message adopts the same format as the Bootstrap Protocol (BOOTP) message for compatibility, but differs from it in the option field, which identifies new features for DHCP.

  • Page 285

    Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s request, it adds Option 82 to the request message before forwarding the message to the server. The administrator can locate the DHCP client to further implement security control and accounting.

  • Page 286: Dhcp Relay Agent Configuration

    DHCP relay agent configuration Introduction to DHCP relay agent Application environment Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server must be available on each subnet, which is not practical. DHCP relay agent solves the problem.

  • Page 287: Dhcp Relay Agent Configuration Task List

    Figure 239 DHCP relay agent work process As shown in Figure 239, the DHCP relay agent works as follows: After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.

  • Page 288: Enabling Dhcp And Configuring Advanced Parameters For The Dhcp Relay Agent

    Task Remarks Optional Create a static IP-to-MAC binding, and view static and dynamic bindings. The DHCP relay agent can dynamically record clients’ IP-to-MAC Configuring and displaying clients' bindings after clients get IP addresses. It also supports static bindings, IP-to-MAC bindings that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access external network using fixed IP addresses.

  • Page 289: Creating A Dhcp Server Group

    Item Description Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply DHCP clients with wrong IP addresses. With this feature enabled, upon receiving a DHCP request, the DHCP relay agent will Unauthorized Server record the IP address of any DHCP server that assigned an IP address to the DHCP Detect client and the receiving interface.

  • Page 290: Enabling The Dhcp Relay Agent On An Interface

    Table 107 DHCP server group configuration items Item Description Type the ID of a DHCP server group. Server Group ID You can create up to 20 DHCP server groups. Type the IP address of a server in the DHCP server group. IP Address The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent;...

  • Page 291: Configuring And Displaying Clients' Ip-to-mac Bindings

    Configuring and displaying clients' IP-to-MAC bindings Select Network > DHCP from the navigation tree to enter the default DHCP Relay page shown in Figure 240. In the User Information field, click the User Information button to view static and dynamic bindings, as shown in Figure 243.

  • Page 292

    VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24. The switch forwards messages between DHCP clients and the DHCP server. Figure 245 Network diagram for DHCP relay agent configuration Configuration procedure Specify IP addresses for interfaces (omitted) Configure the DHCP relay agent # Enable DHCP.

  • Page 293

    Figure 246 Enable DHCP Click on the Enable radio button next to DHCP Service.  Click Apply.  # Configure a DHCP server group. In the Server Group field, click Add and then perform the following operations, as shown in Figure ...

  • Page 294

     Click Apply. # Enable the DHCP relay agent on VLAN-interface 1. In the Interface Config field, click the icon of VLAN-interface 1, and then perform the following  operations, as shown in Figure 248. Figure 248 Enable the DHCP relay agent on an interface and correlate it with a server group ...

  • Page 295: Dhcp Snooping Configuration

    DHCP client and relay agent or between the DHCP client and server. HP recommends you not to to enable the DHCP client, BOOTP client, and DHCP snooping on the same device. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.

  • Page 296: Application Environment Of Trusted Ports

    Application environment of trusted ports Configuring a trusted port connected to a DHCP server Figure 249 Configure trusted and untrusted ports As shown in Figure 249, a DHCP snooping device’s port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.

  • Page 297: Dhcp Snooping Support For Option 82

    Table 110 Roles of ports Trusted port disabled from Trusted port enabled to Device Untrusted port recording binding entries record binding entries Switch A GigabitEthernet 1/0/1 GigabitEthernet 1/0/3 GigabitEthernet 1/0/2 GigabitEthernet 1/0/3 and Switch B GigabitEthernet 1/0/1 GigabitEthernet 1/0/2 GigabitEthernet 1/0/4 GigabitEthernet 1/0/3 and Switch C GigabitEthernet 1/0/1...

  • Page 298: Enabling Dhcp Snooping

    Task Remarks Optional Displaying clients' IP-to-MAC bindings Display clients' IP-to-MAC bindings recorded by DHCP snooping. Enabling DHCP snooping Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 251.

  • Page 299: Configuring Dhcp Snooping Functions On An Interface

     To disable DHCP snooping, click on the Disable radio button in the DHCP Snooping field. Return to DHCP snooping configuration task list. Configuring DHCP snooping functions on an interface Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 251.

  • Page 300: Dhcp Snooping Configuration Example

    Figure 253 DHCP snooping user information Table 112 DHCP snooping user information configuration items Item Description IP Address This field displays the IP address assigned by the DHCP server to the client. MAC Address This field displays the MAC address of the client. This field displays the client type, which can be: ...

  • Page 301

    Figure 254 Network diagram for DHCP snooping configuration Device DHCP server GE1/0/1 Switch DHCP snooping GE1/0/3 GE1/0/2 DHCP client DHCP client Configuration procedure # Enable DHCP snooping. Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab. Perform ...

  • Page 302

    Figure 255 Enable DHCP snooping  Click on the Enable radio button next to DHCP Snooping. # Configure DHCP snooping functions on GigabitEthernet 1/0/1. Click the icon of GigabitEthernet 1/0/1 on the interface list. Perform the following operations  on the DHCP Snooping Interface Configuration page shown in Figure 256.

  • Page 303

    Figure 256 Configure DHCP snooping functions on GigabitEthernet 1/0/1 Click on the Trust radio button next to Interface State.   Click Apply. # Configure DHCP snooping functions on GigabitEthernet 1/0/2. Click the icon of GigabitEthernet 1/0/2 on the interface list. Perform the following operations ...

  • Page 304

    Figure 258 Configure DHCP snooping functions on GigabitEthernet 1/0/3 Click on the Untrust radio button for Interface State.  Click on the Enable radio button next to Option 82 Support.  Select Replace for Option 82 Strategy.   Click Apply.

  • Page 305: Service Management Configuration

    Service management configuration The service management module provides the following types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. In this way, the performance and security of the system can be enhanced, thus secure management of the device can be achieved. The service management module also provides the function to modify HTTP and HTTPS port numbers, and the function to associate the FTP, HTTP, or HTTPS service with an ACL, thus reducing attacks of illegal users on these services.

  • Page 306: Configuring Service Management

    Configuring service management Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 259. Figure 259 Service management Table 113 Service management configuration items Item Description Specify whether to enable the FTP service. Enable FTP service The FTP service is disabled by default.

  • Page 307

    Item Description Set the port number for HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP. Port Number IMPORTANT: When you modify a port, ensure that the port is not used by other service. Associate the HTTP service with an ACL.

  • Page 308: Diagnostic Tools

    Diagnostic tools Ping The ping command allows you to verify whether a device with a specified address is reachable, and to examine network connectivity. The ping function is implemented through the Internet Control Message Protocol (ICMP): The source device sends an ICMP echo request to the destination device. The source device determines whether the destination is reachable based on whether it receives an ICMP echo reply.

  • Page 309: Diagnostic Tool Operations

    When the source device receives the port unreachable ICMP error message, it knows that the packet has reached the destination, and it can get the addresses of all the Layer 3 devices involved to get to the destination device (1.1.1.2, 1.1.2.2, 1.1.3.2). Diagnostic tool operations Ping operation NOTE:...

  • Page 310: Trace Route Operation

    Figure 262 Ping operation result Trace route operation NOTE: The web interface supports trace route on IPv4 addresses only. Before performing the trace route operation on the Web interface, on the intermediate device execute the ip ttl-expires enable command to enable the sending of ICMP timeout packets and on the destination device execute the ip unreachables enable command to enable the sending of ICMP destination unreachable packets.

  • Page 311

    Figure 264 Trace route operation result...

  • Page 312: Arp Management

    ARP management ARP overview ARP function The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of the destination device to the corresponding MAC address.

  • Page 313: Arp Operation

     Target protocol address: This field specifies the protocol address of the device the message is being sent to. ARP operation Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown Figure 266.

  • Page 314: Managing Arp Entries

    Dynamic ARP entry A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.

  • Page 315: Creating A Static Arp Entry

    Creating a static ARP entry Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown Figure 267. Click Add to enter the New Static ARP Entry page. Select the Advanced Options checkbox to expand advanced configuration items, as shown in Figure 268.

  • Page 316

    Figure 269 Network diagram for configuring static ARP entries Configuration procedure # Create VLAN 100.  Select Network > VLAN from the navigation tree, click the Add tab, and then perform the following operations, as shown in Figure 270. Figure 270 Create VLAN 100 ...

  • Page 317

    Figure 271 Add GigabitEthernet 1/0/1 to VLAN 100  Select interface GigabitEthernet 1/0/1 in the Select Ports field. Click on the Untagged radio button in the Select membership type field.  Type 100 for VLAN IDs.   Click Apply. A configuration progress dialog box appears, as shown in Figure 272.

  • Page 318

     Select Network > VLAN Interface from the navigation tree, click the Create tab, and then perform the following operations, as shown in Figure 273. Figure 273 Create VLAN-interface 100  Type 100 for VLAN ID. Select the Configure Primary IPv4 Address checkbox. ...

  • Page 319: Gratuitous Arp

    Figure 274 Create a static ARP entry Type 192.168.1.1 for IP Address.  Type 00e0-fc01-0000 for MAC Address.  Select the Advanced Options checkbox.   Type 100 for VLAN ID. Select GigabitEthernet1/0/1 for Port.  Click Apply to complete the configuration. ...

  • Page 320

    Figure 275 Gratuitous ARP configuration page Table 115 Gratuitous ARP configuration items Item Description Enable or disable learning of ARP entries according to gratuitous ARP Disable gratuitous ARP packets packets. learning function Enabled by default. Enable the device to send gratuitous ARP packets upon receiving ARP Send gratuitous ARP packets requests from another network segment.

  • Page 321: Arp Attack Defense Configuration

    ARP attack defense configuration Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features. ARP detection Introduction to ARP detection The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, preventing...

  • Page 322

    Figure 276 Man-in-the-middle attack Switch Host A Host C IP_ A IP_C MAC_ A MAC_C Forged Forged ARP reply ARP reply Host B IP_B MAC_B ARP detection mechanism With ARP detection enabled for a specific VLAN, ARP messages arrived on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked.

  • Page 323: Configuring Arp Detection

    The last two detection types are used to prevent user spoofing. You can select detection types according to the networking environment. If all access clients acquire IP addresses through DHCP, HP recommends that you enable DHCP  snooping and ARP detection based on DHCP snooping entries on your access device.

  • Page 324

    Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 277. Figure 277 ARP Detection configuration page Table 116 ARP Detection configuration items Item Description Select VLANs on which ARP detection is to be enabled. To add VLANs to the Enabled VLAN list box, select one or multiple VLANs from the Disabled VLAN Settings VLAN list box and click the <<...

  • Page 325: Creating A Static Binding Entry

    Item Description Select user validity check modes, including:  Using DHCP Snooping to validate users  Using Dot1x to validate users  Using Static-Binding entries to guard against spoofing gateway attack: You can configure static IP-to-MAC bindings if you select this mode. For the detailed configuration, see “Creating a static binding entry.”...

  • Page 326: X Fundamentals

    802.1X fundamentals 802.1X is a port-based network access control protocol initially proposed by the IEEE 802 LAN/WAN committee for securing wireless LANs (WLANs), and it has also been widely used on Ethernet networks for access control. 802.1X controls network access by authenticating the devices connected to 802.1X-enabled LAN ports. Architecture of 802.1X 802.1X operates in the client/server model.

  • Page 327: X-related Protocols

    Performs unidirectional traffic control to deny traffic from the client.  NOTE: The HP devices support only unidirectional traffic control. 802.1X-related protocols 802.1X uses the Extensible Authentication Protocol (EAP) to transport authentication information for the client, the network access device, and the authentication server. EAP is an authentication framework that uses the client/server model.

  • Page 328

    Protocol version: The EAPOL protocol version used by the EAPOL packet sender.  Type: Type of the EAPOL packet. Table 1 17 lists the types of EAPOL packets that the HP  implementation of 802.1X supports. Table 117 Types of EAPOL packets...

  • Page 329: Eap Over Radius

    EAP over RADIUS RADIUS adds two attributes, EAP-Message and Message-Authenticator, for supporting EAP authentication. For the RADIUS packet format, see the chapter “RADIUS configuration.” EAP-Message RADIUS encapsulates EAP packets in the EAP-Message attribute, as shown in Figure 282. The Type field takes 79, and the Value field can be up to 253 bytes.

  • Page 330: X Authentication Procedures

     Unicast trigger mode—Upon receiving a frame with the source MAC address not in the MAC address table, the access device sends an Identity EAP-Request packet out of the receiving port to the unknown MAC address. It retransmits the packet if no response has been received within a certain time interval.

  • Page 331: Eap Relay

    EAP relay Figure 286 shows the basic 802.1X authentication procedure in EAP relay mode, assuming that EAP-MD5 is used. Figure 286 802.1X authentication procedure in EAP relay mode Client Device Authentication server EAPOR EAPOL (1) EAPOL-Start (2) EAP-Request/Identity (3) EAP-Response/Identity (4) RADIUS Access-Request (EAP-Response/Identity) (5) RADIUS Access-Challenge...

  • Page 332

    The client uses the received challenge to encrypt the password, and sends the encrypted password in an EAP-Response/MD5 Challenge packet to the network access device. The network access device relays the EAP-Response/MD5 Challenge packet in a RADIUS Access-Request packet to the authentication server. The authentication server compares the received encrypted password with the one it generated at step 5.

  • Page 333: Eap Termination

    EAP termination Figure 287 shows the basic 802.1X authentication procedure in EAP termination mode, assuming that CHAP authentication is used. Figure 287 802.1X authentication procedure in EAP termination mode In EAP termination mode, it is the network access device rather than the authentication server generates an MD5 challenge for password encryption (see Step 4).

  • Page 334: X Configuration

    HP implementation of 802.1X This chapter describes how to configure 802.1X on an HP device. Access control methods HP implements port-based access control as defined in the 802.1X protocol, and extends the protocol to support MAC-based access control.  With port-based access control, once an 802.1X user passes authentication on a port, any subsequent user can access the network through the port without authentication.

  • Page 335: Configuring 802.1x

    Guest VLAN You can configure a guest VLAN on a port to accommodate users that have not performed 802.1X authentication or have failed 802.1X authentication, so they can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. After a user in the guest VLAN passes 802.1X authentication, it is removed from the guest VLAN and can access authorized network resources.

  • Page 336: X Configuration Task List

    802.1X configuration task list Table 118 802.1X configuration task list Task Description Required Enable 802.1X authentication globally and configure the Configuring 802.1X globally authentication method and advanced parameters. By default, 802.1X authentication is disabled globally. Required Error! Reference source not Enable 802.1X authentication on specified ports and configure found.

  • Page 337

    Item Description Specify the authentication method for 802.1X users. Options include CHAP, PAP, and EAP.  CHAP: Sets the access device to perform EAP termination and use the CHAP to communicate with the RADIUS server.  PAP: Sets the access device to perform EAP termination and use the PAP to communicate with the RADIUS server.

  • Page 338: Configuring 802.1x On A Port

    Item Description Set the username request timeout timer. The timer starts when the device sends an EAP-Request/Identity packet to a client in response to an authentication request. If the device receives no response before this timer TX-Period expires, it retransmits the request. The timer also sets the interval at which the network device sends multicast EAP-Request/Identity packets to detect clients that cannot actively request authentication.

  • Page 339

    Figure 289 802.1X configuration on a port Table 122 Port 802.1X configuration items Item Description Select the port to be enabled with 802.1X authentication. Only 802.1X-disabled ports are available. IMPORTANT: Port  If the PVID of a port is the same as a voice VLAN, the 802.1X function cannot take effect on the port.

  • Page 340

    Item Description Specify whether to enable the online user handshake function. The online user handshake function checks the connectivity status of online 802.1X users. The network access device sends handshake messages to online users at the interval specified by the Handshake Period setting. If no response is received from an online user after the maximum number of handshake attempts (set by the Retry Times setting) has been made, the network access device sets the HandShake...

  • Page 341

     A server group with two RADIUS servers is connected to the switch. The IP addresses of the servers are 10.1.1.1 and 10.1.1.2 respectively. Use the former as the primary authentication/secondary accounting server, and the latter as the secondary authentication/primary accounting server. Set the shared key for the device to exchange packets with the authentication server as name, and ...

  • Page 342

     Select the check box before Enable 802.1X. Select the authentication method as CHAP.  Click Apply to finish the operation.  # Enable and configure 802.1X on port GigabitEthernet 1/0/1. In the Ports With 802.1X Enabled area, click Add. ...

  • Page 343

    Figure 293 RADIUS authentication server configuration Select Authentication Server as the server type.  Enter the primary server IP address 10.1.1.1.   Select active as the primary server’s status. Enter the secondary server IP address 10.1.1.2.  Select active as the secondary server’s status. ...

  • Page 344

    # Configure the scheme used for communication between the device and the RADIUS servers. Select the RADIUS Setup tab to enter the RADIUS parameter configuration page.  Figure 295 RADIUS parameter configuration Select extended as the server type.  Select the Authentication Server Shared Key checkbox, and enter name in the textbox. ...

  • Page 345

    Figure 296 Create an ISP domain Enter test in the Domain Name textbox.  Select Enable to use the domain as the default domain.  Click Apply to finish the operation.  # Configure the AAA authentication method for the ISP domain. Select the Authentication tab.

  • Page 346

     Select system from the Name drop-down list to use it as the authentication scheme. Click Apply. A configuration progress dialog box appears, as shown in Figure 298.  Figure 298 Configuration progress dialog box  After the configuration process is complete, click Close. # Configure the AAA authorization method for the ISP domain.

  • Page 347: Acl Assignment Configuration Example

    Figure 300 Configure the AAA accounting method for the ISP domain Select the domain name test.   Select the Default Accounting checkbox and then select RADIUS as the accounting mode. Select system from the Name drop-down list to use it as the accounting scheme. ...

  • Page 348

    Configuration procedure Configure the IP addresses of the interfaces. (Omitted) Configure the RADIUS scheme system # Configure the RADIUS authentication server. From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page  appears. Figure 302 RADIUS authentication server configuration Select Authentication Server as the server type.

  • Page 349

     Enter the primary server IP address 10.1.1.2. Enter the primary server UDP port number 1813.  Select active as the primary server status.   Click Apply to finish the operation. # Configure the scheme to be used for communication between the switch and the RADIUS servers. ...

  • Page 350

    Figure 305 Create an ISP domain Enter test in the Domain Name textbox.  Select Enable to use the domain the default domain.  Click Apply to finish the operation.  # Configure the AAA authentication method for the ISP domain. Select the Authentication tab.

  • Page 351

     Select system from the Name drop-down list to use it as the authentication scheme. Click Apply. A configuration progress dialog box appears, as shown in Figure 307.  Figure 307 Configuration progress dialog box  After the configuration process is complete, click Close. # Configure the AAA authorization method for the ISP domain.

  • Page 352

    Figure 309 Configure the AAA accounting method for the ISP domain Select the domain name test.  Select the Accounting Optional checkbox, and then select Enable for this parameter.  Select the Default Accounting checkbox and then select RADIUS as the accounting mode. ...

  • Page 353

     Click Apply to finish the operation. # Configure the ACL to deny packets with destination IP address 10.0.0.1.  Select the Advanced Setup tab. Figure 311 ACL rule configuration Select 3000 from the Select Access Control List(ACL) drop-down list. ...

  • Page 354

     In the IP Address Filter area, select the Destination IP Address check box, and enter 10.0.0.1 in the text box.  Enter 0.0.0.0 in the Destination Wildcard text box. Click Add to finish the operation.  Configure the 802.1X feature. # Enable the 802.1X feature globally.

  • Page 355

    Figure 313 802.1X configuration of GigabitEthernet 1/0/1 Select GigabitEthernet1/0/1 from the port list.  Click Apply to finish the operation.  Configuration verification # After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.

  • Page 356: Aaa Configuration

    AAA configuration Overview Introduction to AAA Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing network access management. It can provide the following security functions: Authentication—Identifies users and determines whether a user is valid.  Authorization—Grants different users different rights and controls their access to resources and ...

  • Page 357: Domain-based User Management

    AAA can be implemented through multiple protocols. The switch supports using RADIUS, which is the most commonly used protocol in practice. For more information, see the chapter “RADIUS configuration.” Domain-based user management On a NAS, each user belongs to one Internet service provider (ISP) domain. A NAS determines the ISP domain a user belongs to by the username entered by the user at login, and controls access of the user based on the AAA methods configured for the domain.

  • Page 358: Configuring An Isp Domain

    Task Remarks Optional Configuring authentication Configure authentication methods for various types of AAA user types methods for the ISP domain users. include LAN users By default, all types of users use local authentication. (such as 802.1X authentication users Optional and MAC Configuring authorization Specify the authorization methods for various types of authentication users),...

  • Page 359: Configuring Authentication Methods For The Isp Domain

    Table 123 ISP domain configuration items Item Description Type the ISP domain name, which is for identifying the domain. Domain Name You can type a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain). Specify whether to use the ISP domain as the default domain.

  • Page 360: Configuring Authorization Methods For The Isp Domain

    Item Description Configure the authentication method and secondary authentication method for LAN LAN-access AuthN users. Name Options include:  Local—Performs local authentication.  None—All users are trusted and no authentication is performed. For security, do not use this mode whenever possible. Secondary Method ...

  • Page 361: Configuring Accounting Methods For The Isp Domain

    Item Description Configure the default authorization method and secondary authorization method for all Default AuthZ types of users. Options include: Name  Local—Performs local authorization.  None—All users are trusted and authorized. A user gets the corresponding default rights of the system. Secondary ...

  • Page 362

    Figure 320 Accounting method configuration page Table 126 Accounting method configuration items Item Description Select an ISP Select the ISP domain for which you want to specify authentication methods. domain Specify whether to enable the accounting optional feature. Accounting When no accounting server is available or communication with the accounting servers Optional fails , this feature allows users to use network resources and stops the switch from sending real-time accounting updates for the users.

  • Page 363: Aaa Configuration Example

    Item Description  None—Performs no accounting.  RADIUS—Performs RADIUS accounting. You must specify the RADIUS scheme to be Secondary used. Method  Not Set—Uses the default accounting methods. Return to Configuration task list. AAA configuration example Network requirements As shown in Figure 321, configure the switch to perform local authentication, authorization, and accounting for Telnet users.

  • Page 364

    Figure 322 Configure a local user Enter telnet as the username.  Select Management as the access level.   Enter abcd as the password. Enter abcd to confirm the password.  Select Telnet Service as the service type.  ...

  • Page 365

    Figure 323 Configure ISP domain test  Enter test as the domain name. Click Apply.  # Configure the ISP domain to use local authentication. Select Authentication > AAA from the navigation tree and then select the Authentication tab, as ...

  • Page 366

    Figure 325 Configuration progress dialog box After the configuration process is complete, click Close.  # Configure the ISP domain to use local authorization. Select Authentication > AAA from the navigation tree and then select the Authorization tab, as  shown in Figure 326.

  • Page 367

    Figure 327 Configure the ISP domain to use local accounting Select the domain test.   Select the Login Accounting check box and select the accounting method Local. Click Apply. A configuration progress dialog box appears.  After the configuration process is complete, click Close. ...

  • Page 368: Radius Configuration

    RADIUS configuration Introduction to RADIUS The Remote Authentication Dial-In User Service (RADIUS) protocol implements Authentication, Authorization, and Accounting (AAA). For more information, see the chapter “AAA configuration.” RADIUS uses the client/server model. It can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.

  • Page 369: Basic Message Exchange Process Of Radius

    addition, to prevent user passwords from being intercepted on insecure networks, RADIUS encrypts passwords before transmitting them. A RADIUS server supports multiple user authentication methods. Moreover, a RADIUS server can act as the client of another AAA server to provide authentication proxy services. Basic message exchange process of RADIUS Figure 329 illustrates the interaction of the host, the RADIUS client, and the RADIUS server.

  • Page 370: Radius Packet Format

    The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user. The user stops access to network resources. RADIUS packet format RADIUS uses UDP to transmit messages. It ensures the smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, retransmission mechanism, and slave server mechanism.

  • Page 371

    The Length field (2 byte long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. Bytes beyond this length are considered padding and are neglected upon reception. If the length of a received packet is less than this length, the packet is dropped.

  • Page 372: Extended Radius Attributes

    Attribute Attribute Framed-IPX-Network ARAP-Password State ARAP-Features Class ARAP-Zone-Access Vendor-Specific ARAP-Security Session-Timeout ARAP-Security-Data Idle-Timeout Password-Retry Termination-Action Prompt Called-Station-Id Connect-Info Calling-Station-Id Configuration-Token NAS-Identifier EAP-Message Proxy-State Message-Authenticator Login-LAT-Service Tunnel-Private-Group-id Login-LAT-Node Tunnel-Assignment-id Login-LAT-Group Tunnel-Preference Framed-AppleTalk-Link ARAP-Challenge-Response Framed-AppleTalk-Network Acct-Interim-Interval Framed-AppleTalk-Zone Acct-Tunnel-Packets-Lost Acct-Status-Type NAS-Port-Id Acct-Delay-Time Framed-Pool Acct-Input-Octets (unassigned) Acct-Output-Octets...

  • Page 373

     Vendor-Data—Indicates the contents of the sub-attribute. Figure 331 Segment of a RADIUS packet containing an extended attribute Protocols and standards  RFC 2865, Remote Authentication Dial In User Service (RADIUS) RFC 2866, RADIUS Accounting  RFC 2867, RADIUS Accounting Modifications for Tunnel Protocol Support ...

  • Page 374: Configuring Radius Servers

    Configuring RADIUS servers From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears, as shown in Figure 332. Figure 332 RADIUS server configuration Table 130 RADIUS server configuration Item Description Specify the type of the server to be configured, which can be Authentication Server Type Server and Accounting Sever.

  • Page 375: Configuring Radius Parameters

    Item Description Specify the UDP port of the secondary server. If the IP address of the secondary server is not specified or the specified IP Secondary Server UDP Port address is to be removed, the port number is 1812 for authentication or 1813 for accounting.

  • Page 376

    Table 131 RADIUS parameters Item Description Specify the type of the RADIUS server supported by the device, including:  extended: Specifies an extended RADIUS server (usually a CAMS or iMC server). That is, the RADIUS client and RADIUS server communicate using the proprietary RADIUS protocol and Server Type packet format.

  • Page 377: Radius Configuration Example

    Item Description Set the format of username sent to the RADIUS server. A username is generally in the format of userid@isp-name, of which isp-name is used by the device to determine the ISP domain to which a user belongs. If a RADIUS server does not accept a username including an ISP domain name, you can configure the device to remove the domain name of a username before sending it to the Username Format...

  • Page 378

    Figure 334 Network diagram for RADIUS server configuration Configuration procedure NOTE: Enable the Telnet server function, and configure the switch to use AAA for authentication, authorization and accounting of Telnet users.Detailed configuration steps are omitted here. Configure IP addresses for the interfaces. Detailed configuration steps are omitted here. Configure RADIUS scheme system # Configure the RADIUS authentication server.

  • Page 379

    Figure 336 Configure the RADIUS accounting server  Select Accounting Server as the server type. Enter 10.1 10.91.146 as the IP address of the primary accounting server.  Enter 1813 as the UDP port of the primary accounting server.  Select active as the primary server status.

  • Page 380

     Enter expert in the Confirm Accounting Shared Key text box. Select without-domain for Username Format.  Click Apply  Configure AAA # Create an ISP domain.  From the navigation tree, select Authentication > AAA. The domain setup page appears. Figure 338 Create an ISP domain ...

  • Page 381

    Figure 339 Configure the AAA authentication method for the ISP domain  Select the domain name test. Select the Default AuthN checkbox and then select RADIUS as the authentication mode.  Select system from the Name drop-down list to use it as the authentication scheme. ...

  • Page 382

    Figure 341 Configure the AAA authorization method for the ISP domain Select the domain name test.  Select the Default AuthZ checkbox and then select RADIUS as the authorization mode.   Select system from the Name drop-down list to use it as the authorization scheme. Click Apply.

  • Page 383

    Configuration guidelines When you configure the RADIUS client, note the following guidelines: When you modify the parameters of the RADIUS scheme, the system does not check whether the  scheme is being used by users. After accounting starts, update-accounting and stop-accounting packets will be sent to the ...

  • Page 384: Users

    Users This module allows you to configure local users and user groups. Local user A local user represents a set of user attributes configured on a device (such as the user password, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the device.

  • Page 385

    Figure 344 Local user configuration page Table 133 Local user configuration items Item Description Username Specify a name for the local user. Password Specify and confirm the password of the local user. The settings of these two fields must be the same. Confirm Select a user group for the local user.

  • Page 386: Configuring A User Group

    Specify the user profile for the local user. NOTE: User-profile HP V1910 Switch Series does not support user-profile configuration. Configuring a user group Select Authentication > Users from the navigation tree, and then select the User Group tab to display the...

  • Page 387

    Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication. Specify the user profile for the user group. User-profile NOTE: HP V1910 Switch Series does not support user-profile configuration.

  • Page 388: Pki Configuration

    PKI configuration PKI overview The Public Key Infrastructure (PKI) is a hierarchical framework designed for providing information security through public key technologies and digital certificates and verifying the identities of the digital certificate owners. PKI employs digital certificates, which are bindings of certificate owner identity information and public keys.

  • Page 389: Applications Of Pki

    Figure 347 PKI architecture Entity An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer. A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs.

  • Page 390: Operation Of Pki

    Secure email Emails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs. The secure e-mail protocol that is developing rapidly is Secure/Multipurpose Internet Mail Extensions (S/MIME), which is based on PKI and allows for transfer of encrypted mails with signature. Web security For Web security, two peers can establish a Secure Sockets Layer (SSL) connection first for transparent and secure communications at the application layer.

  • Page 391

    Table 135 Configuration task list for requesting a certificate manually Task Remarks Required Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by Creating a PKI entity entity.

  • Page 392

    Task Remarks Required When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in two ways: online and offline. ...

  • Page 393: Creating A Pki Entity

    Task Remarks Optional Retrieving a certificate Retrieve an existing certificate. Optional Retrieving and displaying a CRL Retrieve a CRL and display its contents. Creating a PKI entity Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default, as shown in Figure 348.

  • Page 394: Creating A Pki Domain

    Item Description IP Address Type the IP address of the entity. Type the fully qualified domain name (FQDN) for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and FQDN a domain name and can be resolved to an IP address.

  • Page 395

    Figure 351 PKI domain configuration page Table 138 PKI domain configuration items Item Description Domain Name Type the name for the PKI domain. Type the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes the responsibility CA Identifier of certificate registration, distribution, and revocation, and query.

  • Page 396

    Item Description Type the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. Requesting URL In offline mode, this item is optional;...

  • Page 397: Generating An Rsa Key Pair

    Return to Configuration task list for requesting a certificate manually. Return to Configuration task list for requesting a certificate automatically. Generating an RSA key pair Select Authentication > PKI from the navigation tree, and then select the Certificate tab to enter the page displaying existing PKI certificates, as shown in Figure 352.

  • Page 398: Retrieving A Certificate

    Figure 354 Key pair destruction page Return to Configuration task list for requesting a certificate manually. Return to Configuration task list for requesting a certificate automatically. Retrieving a certificate You can download an existing CA certificate or local certificate from the CA server and save it locally. To do so, you can use two ways: online and offline.

  • Page 399: Requesting A Local Certificate

    After retrieving a certificate, you can click View Cert corresponding to the certificate from the PKI certificates list to display the contents of the certificate, as shown in Figure 356. Figure 356 Certificate details Return to Configuration task list for requesting a certificate manually.

  • Page 400: Retrieving And Displaying A Crl

    Figure 357 Local certificate request page Table 141 Configuration items for requesting a local certificate Item Description Domain Name Select the PKI domain for the certificate. Password Type the password for certificate revocation. Select this check box to request a certificate in offline mode, that is, by an Enable Offline Mode out-of-band means like FTP, disk, or e-mail.

  • Page 401

    Figure 359 CRL page Click Retrieve CRL to retrieve the CRL of a domain.  Then, click View CRL for the domain to display the contents of the CRL, as shown in Figure 360.  Figure 360 CRL details Table 142 Description about some fields of the CRL details Field Description Version...

  • Page 402: Pki Configuration Example

    Return to Configuration task list for requesting a certificate manually. Return to Configuration task list for requesting a certificate automatically. PKI configuration example Configuring a PKI entity to request a certificate from a CA Network requirements As shown in Figure 361, configure the Switch working as the PKI entity, so that: The Switch submits a local certificate request to the CA server, which runs the RSA Keon software.

  • Page 403

     Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default. Click Add on the page, as shown in Figure 362, and then perform the following configurations as shown in Figure 363. Figure 362 PKI entity list Figure 363 Configure a PKI entity Type aaa as the PKI entity name.

  • Page 404

    Figure 365 Configure a PKI domain Type torsa as the PKI domain name.   Type myca as the CA identifier. Select aaa as the local entity.  Select CA as the authority for certificate request.   Type http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request.

  • Page 405

    Figure 366 Certificate list Figure 367 Generate an RSA key pair  Click Apply to generate an RSA key pair. # Retrieve the CA certificate. Select the Certificate tab, and then click Retrieve Cert, as shown in Figure 368, and then perform ...

  • Page 406

    Figure 369 Retrieve the CA certificate Select torsa as the PKI domain.  Select CA as the certificate type.  Click Apply.  # Request a local certificate. Select the Certificate tab, and then click Request Cert, as shown in Figure 370, and then perform the ...

  • Page 407

     Click Apply. # Retrieve the CRL.  After retrieving a local certificate, select the CRL tab. Click Retrieve CRL of the PKI domain of torsa, as shown in Figure 372.  Figure 372 Retrieve the CRL Configuration guidelines When you configure PKI, note the following guidelines: Make sure the clocks of entities and the CA are synchronous.

  • Page 408: Port Isolation Group Configuration

    VLAN, allowing for great flexibility and security. HP V1910 Switch Series supports only one isolation group that is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on such devices.

  • Page 409: Port Isolation Group Configuration Example

     Uplink-port: Assign the port to the isolation group as the uplink port. IMPORTANT: The uplink port is not supported on HP V1910 Switch Series. Select the port(s) you want to assign to the isolation group. Select port(s) You can click ports on the chassis front panel for selection; if aggregation interfaces are configured, they will be listed under the chassis panel for selection.

  • Page 410

    Figure 375 Configure isolated ports for an isolation group  Select Isolate port for the port type. Select GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 on the chassis  front panel. Click Apply. A configuration progress dialog box appears.  After the configuration process is complete, click Close in the dialog box.

  • Page 411: Authorized Ip Configuration

    Authorized IP configuration Overview The authorized IP function is to associate the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device. Configuring authorized IP Select Security >...

  • Page 412: Authorized Ip Configuration Example

    Authorized IP configuration example Authorized IP configuration example Network requirements Figure 378, configure Switch to deny Telnet and HTTP requests from Host A, and permit Telnet and HTTP requests from Host B. Figure 378 Network diagram for authorized IP Configuration procedure # Create an ACL.

  • Page 413

     Select Permit from the Operation drop-down list. Select the Source IP Address check box and then type 10.1.1.3.  Type 0.0.0.0 in the Source Wildcard text box.   Click Add. Figure 380 Configure an ACL rule to permit Host B # Configure authorized IP.

  • Page 414

    Figure 381 Configure authorized IP...

  • Page 415: Acl Configuration

    ACL configuration ACL overview With the growth of network scale and network traffic, network security and bandwidth allocation become more and more critical to network management. Packet filtering can be used to efficiently prevent illegal access to networks and to control network traffic and save network resources. One way to implement packet filtering is to use access control lists (ACLs).

  • Page 416: Effective Period Of An Acl

    Table 146 Depth-first match for IPv4 ACLs IPv4 ACL category Depth-first match procedure Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP Basic IPv4 ACL address wildcard mask. In case of a tie, compare packets against the rule configured first.

  • Page 417: Configuring An Acl

    NOTE: The Web interface does not support ACL step configuration. Meaning of the step The step defines the difference between two neighboring numbers that are automatically assigned to ACL rules by the device. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on.

  • Page 418

    Figure 382 The page for creating a time range Table 148 describes the configuration items for creating a time range. Table 148 Time range configuration items Item Description Time Range Name Set the name for the time range. Start Time Set the start time of the periodic time range.

  • Page 419: Creating An Ipv4 Acl

    Creating an IPv4 ACL Select QoS > ACL IPv4 from the navigation tree and then select the Create tab to enter the IPv4 ACL configuration page, as shown in Figure 383. Figure 383 The page for creating an IPv4 ACL Table 149 describes the configuration items for creating an IPv4 ACL.

  • Page 420

    Figure 384 The page for configuring an basic IPv4 ACL Table 150 describes the configuration items for creating a rule for a basic IPv4 ACL. Table 150 Configuration items for a basic IPv4 ACL rule Item Description Select the basic IPv4 ACL for which you want to configure rules. Select Access Control List (ACL) Available ACLs are basic IPv4 ACLs that have been configured.

  • Page 421: Configuring A Rule For An Advanced Ipv4 Acl

    Item Description and a wildcard mask, in dotted decimal notation. Source Wildcard Select the time range during which the rule takes effect. Time Range Available time ranges are those that have been configured. Return to IPv4 ACL configuration task list. Configuring a rule for an advanced IPv4 ACL Select QoS >...

  • Page 422

    Figure 385 The page for configuring an advanced IPv4 ACL Table 151 describes the configuration items for creating a rule for an advanced IPv4 ACL.

  • Page 423

    Table 151 Configuration items for an advanced IPv4 ACL rule Item Description Select the advanced IPv4 ACL for which you want to configure rules. Select Access Control List (ACL) Available ACLs are advanced IPv4 ACLs that have been configured. Select the Rule ID option and type a number for the rule. Rule ID If you do not specify the rule number, the system will assign one automatically.

  • Page 424: Configuring A Rule For An Ethernet Frame Header Acl

    Item Description These items are available only when you select 6 TCP or To Port 17 UDP from the Protocol drop-down box. Operator Different operators have different configuration Port requirements for the port number fields:  Not Check—The following port number fields cannot be configured.

  • Page 425

    Figure 386 The page for configuring a rule for an Ethernet frame header ACL Table 152 describes the configuration items for creating a rule for an Ethernet frame header IPv4 ACL. Table 152 Configuration items for an Ethernet frame header IPv4 ACL rule Item Description Select the Ethernet frame header IPv4 ACL for which you want to configure...

  • Page 426

    Item Description COS(802.1p precedence) Specify the 802.1p precedence for the rule. Select the LSAP Type option and specify the DSAP and SSAP fields in the LLC LSAP Type encapsulation by configuring the following items:  LSAP Type—Indicates the frame encapsulation format. LSAP Mask ...

  • Page 427: Qos Configuration

    QoS configuration Introduction to QoS Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an Internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during packet forwarding process.

  • Page 428

    Figure 387 Traffic congestion causes The traffic enters a device from a high speed link and is forwarded over a low speed link.  The packet flows enter a device from several incoming interfaces and are forwarded out an  outgoing interface, whose rate is smaller than the total rate of these incoming interfaces.

  • Page 429: End-to-end Qos

    End-to-end QoS Figure 388 End-to-end QoS model As shown in Figure 388, traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance are the foundations for a network to provide differentiated services. Mainly they implement the following functions: Traffic classification uses certain match criteria to organize packets with different characteristics into ...

  • Page 430: Packet Precedences

    To provide differentiated services, traffic classes must be associated with certain traffic control actions or resource allocation actions. What traffic control actions to adopt depends on the current phase and the resources of the network. For example, CAR is adopted to police packets when they enter the network; GTS is performed on packets when they flow out of the node;...

  • Page 431

    Class selector (CS) class: This class is derived from the IP ToS field and includes eight subclasses;  Best effort (BE) class: This class is a special CS class that does not provide any assurance. AF traffic  exceeding the limit is degraded to the BE class. All IP network traffic belongs to this class by default. Table 154 Description on DSCP values DSCP value (decimal) DSCP value (binary)

  • Page 432: Queue Scheduling

    Figure 391 802.1Q tag header Byte 1 Byte 2 Byte 3 Byte 4 TPID (Tag protocol identifier) TCI (Tag control information) 1 0 0 0 0 0 0 1 0 0 0 0 0 0 0 Priority VLAN ID 5 4 3 2 1 0 7 5 4 3 2 1 0 5 4 3 2 1 0 7 5 4 3 2 1 0...

  • Page 433

    Figure 392 Schematic diagram for SP queuing A typical switch provides eight queues per port. As shown in Figure 392, SP queuing classifies eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority. It sends packets in the queue with the highest priority first.

  • Page 434: Line Rate

    queue with the lowest priority is assured of at least 5 Mbps of bandwidth, avoiding the disadvantage of SP queuing that packets in low-priority queues may fail to be served for a long time. Another advantage of WRR queuing is that while the queues are scheduled in turn, the service time for each queue is not fixed, that is, if a queue is empty, the next queue will be scheduled immediately.

  • Page 435: Priority Mapping

    Burst size—The capacity of the token bucket (the maximum traffic size that is permitted in each  burst). It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size. One evaluation is performed on each arriving packet.

  • Page 436: Introduction To Priority Mapping Tables

    Trust port priority—The device assigns a priority to a packet by mapping the priority of the receiving  port. You can select one priority trust mode as needed. Figure 396 shows the process of priority mapping on a device. Figure 396 Priority mapping process Introduction to priority mapping tables The device provides various types of priority mapping table, as listed below: CoS to DSCP: 802.1p-to-DSCP priority mapping table.

  • Page 437

    Input DSCP value Local precedence (Queue) 16 to 23 24 to 31 32 to 39 40 to 47 48 to 55 56 to 63 NOTE: In the default DSCP to DSCP mapping table, an input value yields a target value equal to it. QoS configuration Configuration task lists Configuring a QoS policy...

  • Page 438

    Task Remarks Required Creating a traffic behavior Create a traffic behavior. Configuring traffic Configure a mirroring and traffic traffic redirecting for a Use either approach Configuring actions behavior traffic behavior Configure various actions for the traffic for a behavior behavior. Configuring other actions for a traffic behavior...

  • Page 439: Creating A Class

    Table 161 Priority mapping table configuration task list Task Remarks Required Configuring priority mapping tables Set priority mapping tables. Configuring priority trust mode Perform the task in Table 162 to configure priority trust mode: Table 162 Priority trust mode configuration task list Task Remarks Required...

  • Page 440: Configuring Match Criteria

    Configuring match criteria Select QoS > Classifier from the navigation tree and click Setup to enter the page for setting a class, as shown in Figure 398. Figure 398 The page for configuring match criteria Table 164 shows the configuration items of configuring match criteria. Table 164 Configuration items of configuring match criteria Item Description...

  • Page 441

    Item Description Define a match criterion to match DSCP values. If multiple such match criteria are configured for a class, the new configuration does not overwrite the previous one. DSCP You can configure up to eight DSCP values each time. If multiple identical DSCP values are specified, the system considers them as one.

  • Page 442: Creating A Traffic Behavior

    Item Description Define a match criterion to match customer VLAN IDs. If multiple such match criteria are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one.

  • Page 443

    Configuring traffic mirroring and traffic redirecting for a traffic behavior Select QoS > Behavior from the navigation tree and click Port Setup to enter the port setup page for a traffic behavior, as shown in Figure 400. Figure 400 Port setup page for a traffic behavior Table 166 describes the traffic mirroring and traffic redirecting configuration items.

  • Page 444: Configuring Other Actions For A Traffic Behavior

    Configuring other actions for a traffic behavior Select QoS > Behavior from the navigation tree and click Setup to enter the page for setting a traffic behavior, as shown in Figure 401. Figure 401 The page for setting a traffic behavior Table 167 describes the configuration items of configuring other actions for a traffic behavior.

  • Page 445: Creating A Policy

    Creating a policy Select QoS > QoS Policy from the navigation tree and click Create to enter the page for creating a policy, as shown in Figure 402. Figure 402 The page for creating a policy Table 168 describes the configuration items of creating a policy. Table 168 Configuration items of creating a policy Item Description...

  • Page 446: Applying A Policy To A Port

    Figure 403 The page for setting a policy Table 169 describes the configuration items of configuring classifier-behavior associations for the policy. Table 169 Configuration items of configuring classifier-behavior associations for the policy Item Description Please select a policy Select a created policy in the drop-down list. Select an existing classifier in the drop-down list.

  • Page 447: Configuring Queue Scheduling On A Port

    Figure 404 The page for applying a policy to a port Table 170 describes the configuration items of applying a policy to a port. Table 170 Configuration items of applying a policy to a port Item Description Please select a policy Select a created policy in the drop-down list.

  • Page 448: Configuring Line Rate On A Port

    Table 171 Configuration items of configuring queue scheduling on a port Item Description Enable or disable the WRR queue scheduling mechanism on selected ports. Two options are available:  Enable—Enables WRR on selected ports.  Not Set—Restores the default queuing algorithm on selected ports. Select the queue to be configured.

  • Page 449: Configuring Priority Mapping Tables

    Table 172 describes the configuration items of configuring line rate on a port. Table 172 Configuration items of configuring line rate on a port Item Description Select the types of interfaces to be configured with line rate. Please select an interface type The interface types available for selection depend on your device model.

  • Page 450: Configuring Priority Trust Mode On A Port

    Figure 408 The page for configuring DSCP to DSCP mapping table Return to Priority mapping table configuration task list. Configuring priority trust mode on a port Select QoS > Port Priority from the navigation tree to enter the page shown in Figure 409.

  • Page 451

    Figure 409 The page for configuring port priority Figure 410 The page for modifying port priority Table 174 describes the port priority configuration items. Table 174 Port priority configuration items Item Description Interface The interface to be configured. Priority Set a local precedence value for the port. Select a priority trust mode for the port: ...

  • Page 452

    Configuration guidelines When an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS.

  • Page 453: Acl/qos Configuration Examples

    ACL/QoS configuration examples ACL/QoS configuration example Network requirements As shown in Figure 41 1, in the network, the FTP server at IP address 10.1.1.1/24 is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day: Create an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.

  • Page 454

    Figure 412 Define a time range covering 8:00 to 18:00 every day Type the time range name test-time.  Select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and  then select the checkboxes Sun through Sat. ...

  • Page 455

    Type the ACL number 3000.  Click Apply.  # Define an ACL rule for traffic to the FTP server.  Click Advanced Setup. Figure 414 Define an ACL rule for traffic to the FTP server  Select ACL 3000 in the drop-down list. ...

  • Page 456

    Select the Destination IP Address option, and type IP address 10.1.1.1 and destination wildcard  mask 0.0.0.0. Select test-time in the Time Range drop-down list.  Click Add.  Configure a QoS policy # Create a class. Select QoS > Classifier from the navigation tree and click Create. ...

  • Page 457

    Figure 416 Define match criteria Select the class name class1 in the drop-down list.  Select the ACL IPv4 option, and select ACL 3000 in the following drop-down list.   Click Apply. A configuration progress dialog box appears, as shown in Figure 417.

  • Page 458

    Figure 417 Configuration progress dialog box After the configuration is complete, click Close on the dialog box.  # Create a traffic behavior. Select QoS > Behavior from the navigation tree and click Create.  Figure 418 Create a traffic behavior Type the behavior name behavior1.

  • Page 459

    Figure 419 Configure actions for the behavior Select behavior1 in the drop-down list.  Select the Filter option, and then select Deny in the following drop-down list.  Click Apply. A configuration progress dialog box appears.  After the configuration is complete, click Close on the dialog box. ...

  • Page 460

    Figure 420 Create a policy  Type the policy name policy1.  Click Create. # Configure classifier-behavior associations for the policy. Click Setup.  Figure 421 Configure classifier-behavior associations for the policy Select policy1.  Select class1 in the Classifier Name drop-down list. ...

  • Page 461

    Figure 422 Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1 Select policy1 in the Please select a policy drop-down list.  Select Inbound in the Direction drop-down list.  Select port GigabitEthernet 1/0/1.  Click Apply. A configuration progress dialog box appears. ...

  • Page 462: Poe Configuration

    PSE is integrated in a switch or router, and an external PSE is independent from a switch or router. The HP PSEs are built in, and can be classified into two types: Device with a single PSE—Only one PSE is available on the device; so the whole device is ...

  • Page 463: Protocol Specification

    NOTE: HP V1910-24G-PoE (365W) Switch JE007A and HP V1910-24G-PoE (170W) Switch JE008A are devices with a single PSE, so this document describes the device with a single PSE only. A PSE can examine the Ethernet cables connected to PoE interfaces, search for PDs, classify them, and supply power to them.

  • Page 464

    Figure 424 port setup page Table 175 PoE port configuration items Item Description Click to select ports to be configured and they will be displayed in the Select Port Selected Ports list box. Enable or disable PoE on the selected ports. ...

  • Page 465: Configuring Non-standard Pd Detection

    Item Description Set the power supply priority for a PoE port. The priority levels of a PoE port include low, high, and critical in ascending order.  When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.

  • Page 466: Poe Configuration Example

    Displaying information about PSE and PoE ports Select PoE > PoE from the navigation tree to enter the page of the Summary tab. The upper part of the page displays the PSE summary. Click a port on the chassis front panel, and the configuration and power information are displayed in the lower part of the page, as shown in Figure 426.

  • Page 467

    Configuration procedure # Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and set their power supply priority to critical. Select PoE > PoE from the navigation tree and click the Setup tab to perform the following  configurations, as shown in Figure 428.

  • Page 468

    Figure 429 Configure the PoE port supplying power to AP  Click to select port GigabitEthernet 1/0/1 1 from the chassis front panel.  Select Enable from the Power State drop-down list.  Select the check box before Power Max and type 9000. Click Apply.

  • Page 469: Index

    Index A B C D E F G H I L M O P Q R S T V W Configuring device basic information,46 Configuring DHCP snooping functions on an AAA configuration example,349 interface,285 overview,401 Configuring energy saving on a port,1 12 ACL/QoS configuration example,439...

  • Page 470

    PKI configuration example,388 Getting started with the CLI,16 overview,374 Gratuitous ARP,305 PoE configuration example,452 overview,448 Port isolation group configuration example,395 HP implementation of 802.1X,320 Port management configuration example,70 Precautions,266 IGMP snooping configuration example,253 Protocols and standards,271 Initialize,58 Initiating 802.1X authentication,315...

This manual also for:

1910 series

Comments to this Manuals

Symbols: 0
Latest comments: