H3C S3100 Series Operation Manual

H3C S3100 Series Ethernet Switches
Operation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Document Version: 20100908-C-1.00
Product Version: Release 22XX Series
Summary of Contents for H3C S3100 Series

  • Page 1 H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Document Version: 20100908-C-1.00 Product Version: Release 22XX Series...
  • Page 2 SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V G, V G, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.
  • Page 3 H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series describes the software features for the H3C S3100 Series Ethernet Switches and guides you through the software configuration procedures. It also provides configuration examples to help you apply software features to different network scenarios.
  • Page 4 Part Features Introduction to static route 05-Static Route Operation Static route configuration Troubleshooting a static route Configuring an IP address for a switch 06-IP Address-IP Performance Operation Configuring the TCP attributes for a switch 07-Voice VLAN Operation Voice VLAN (applicable only to the S3100-EI series) 08-GVRP Operation GARP VLAN registration protocol (GVRP) Configuring port auto-negotiation speed...
  • Page 5 Part Features Internet group management protocol (IGMP) snooping v2&v3 Multicast Listener Discovery (MLD) snooping v1&v3 (applicable only to the S3100-EI series) 16-Multicast Operation IPv6 multicast VLAN configuration (applicable only to the S3100-EI series) Multicast user control policy configuration (applicable only to the S3100-EI series) Basic 802.1x configuration Advanced 802.1x configuration...
  • Page 6 Part Features Stack Huawei Group Management Protocol (HGMP) v2 Neighbor Discovery Protocol (NDP) 27-Stack-Cluster Operation Neighbor Topology Discovery Protocol (NTDP) Cluster topology management function Cluster synchronization function Power over Ethernet (PoE) 28-PoE-PoE Profile Operation PoE profile Simple network management protocol (SNMP) 29-SNMP-RMON Operation Remote monitoring (RMON) 30-NTP Operation...
  • Page 7: Software Version

    Configuring LT on MEPs Software Version H3C S3100 Series Ethernet Switches Operation Manual-Release 22XX Series and H3C S3100 Series Ethernet Switches Command Manual-Release 22XX Series are for the software version Release 22XX Series of the S3100-SI series and S3100-EI series switches.
  • Page 8 Added features compared with the earlier version (software version Release 2108P04): 09-Port Basic Configuration Operation: limit broadcast traffic in pps. 16-Multicast Operation: multicast user control policy configuration (applicable only to the S3100-EI series); disables the EPON ONU from dropping unknown multicast packets (applicable only to the S3100-EI series). 17-802.1X-System Guard...: unicast trigger function of 802.1x (applicable only to the...
  • Page 9 Added features compared with the earlier version (software version Release 2108P04): 20-Web Authentication Operation: Web authentication. 23-DHCP Operation: DHCP server (applicable only to the S3100-EI series); removing DHCP snooping entries; automatic configuration. 24-ACL Operation: IPv6 ACL (applicable only to the S3100-EI series). 25-QoS-QoS Profile: VLAN marking...
  • Page 10 Means an action or information that needs special attention to ensure successful configuration or good performance. Means a complementary description. Means techniques helpful for you to make configuration with ease. About the H3C S3100 Documentation Set The H3C S3100 documentation set includes:...
  • Page 11: Obtaining Documentation

    Obtaining Documentation You can access the most up-to-date H3C product documentation on the World Wide Web at http://www.h3c.com. Click the links on the top navigation bar to obtain different categories of product documentation: [Technical Support &...
  • Page 12 You can e-mail your comments about product documentation to info@h3c.com. We appreciate your comments.
  • Page 13: Table Of Contents

    Table of Contents
    1 CLI Configuration 1-1
      Introduction to the CLI 1-1
      Command Hierarchy 1-1
        Command Level and User Privilege Level 1-1
        Modifying the Command Level 1-2
        Switching User Level 1-3
      CLI Views 1-7
      CLI Features 1-12
        Online Help 1-12
        Terminal Display 1-13
        Command History 1-13
        Error Prompts 1-14
        Command Edit 1-14...
  • Page 14: Cli Configuration

    Each S3100 series Ethernet switch provides an easy-to-use CLI and a set of configuration commands for the convenience of the user to configure and manage the switch. The CLI on S3100 series Ethernet switches provides the following features, and so has good manageability and operability.
  • Page 15: Modifying The Command Level

    Manage level (level 3): Commands at this level are associated with the basic operation modules and support modules of the system. These commands provide support for services. Commands concerning file system, FTP/TFTP/XModem downloading, user management, and level setting are at this level. By using the command-privilege level command, the administrator can change the level of a command in a specific view as required.
  • Page 16: Switching User Level

    It is recommended not to change the level of a command arbitrarily, for it may cause inconvenience to maintenance and operation. When you change the level of a command with multiple keywords or arguments, you should input the keywords or arguments one by one in the order they appear in the command syntax. Otherwise, your configuration will not take effect.
  • Page 17 The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires the corresponding authentication. Generally, two authentication modes are available: the super password authentication mode and HWTACACS authentication mode. Complete the following tasks to configure user level switching: Operation Remarks The administrator...
  • Page 18 When both the super password authentication and the HWTACACS authentication are specified, the device adopts the preferred authentication mode first. If the preferred authentication mode cannot be implemented (for example, the super password is not configured or the HWTACACS authentication server is unreachable), the backup authentication mode is adopted.
  • Page 19 Configuring the HWTACACS authentication scheme for user level switching (Operation: Command; Description):
    Enter system view: system-view.
    Enter ISP domain view: domain domain-name.
    Set the HWTACACS authentication scheme for user level switching: authentication super hwtacacs-scheme hwtacacs-scheme-name. Required; by default, the HWTACACS authentication scheme for user level switching is not set. When setting the HWTACACS authentication scheme for user level switching using the authentication super hwtacacs-scheme command, make sure the HWTACACS authentication scheme identified by the hwtacacs-scheme-name argument already exists.
  • Page 20: Cli Views

    # Set the password used by the current user to switch to level 3.
    [Sysname] super password level 3 simple 123
    A VTY 0 user switches its level to level 3 after logging in.
    # A VTY 0 user telnets to the switch, and then uses the set password to switch to user level 3.
    <Sysname>...
  • Page 21 Table 1-2 lists the CLI views provided by S3100 series Ethernet switches, operations that can be performed in different CLI views and the commands used to enter specific CLI views. Table 1-2 CLI views Available View Prompt example Enter method...
  • Page 22 Table 1-2 CLI views (continued; View: Available operation; Prompt example; Enter method; Quit method):
    FTP client view: configure FTP client parameters; prompt [ftp]; execute the ftp command in user view.
    SFTP client view: configure SFTP client parameters; prompt sftp-client>; execute the sftp command in system view.
    MST region view: configure MST region...; prompt [Sysname-mst-re...; execute the stp region... command...
  • Page 23 Table 1-2 CLI views (continued):
    Advanced IPv6 ACL view: define rules for an advanced IPv6 ACL (with ID ranging from 3000 to 3999); prompt [Sysname-acl6-adv-3000]; execute the acl ipv6 number command in system view. Supported by only S3100-EI series switches.
    Define QoS...
  • Page 24 Table 1-2 CLI views (continued):
    PKI entity view: configure PKI entity parameters; prompt [Sysname-pki-entity-en]; execute the pki entity command in system view.
    PKI certificate attribute group view: configure certificate attribute group; prompt [Sysname-cert-attribute-group-mygroup]; execute the pki certificate attribute-group command in system view.
  • Page 25: Cli Features

    The shortcut key <Ctrl+Z> is equivalent to the return command. CLI Features Online Help When configuring the switch, you can use the online help to get related help information. The CLI provides two types of online help: complete and partial. Complete online help Enter a question mark (?) in any view on your terminal to display all the commands available in the view and their brief descriptions.
  • Page 26: Terminal Display

    Partial online help Enter a character/string, and then a question mark (?) next to it. All the commands beginning with the character/string will be displayed on your terminal. For example: <Sysname> p? ping Enter a command, a space, a character/string and a question mark (?) next to it. All the keywords beginning with the character/string (if available) are displayed on your terminal.
  • Page 27: Error Prompts

    Recall the next history command (Purpose): press the down arrow key or <Ctrl+N> (Operation). Remarks: this operation recalls the next history command (if available). The Windows 9x HyperTerminal interprets the up and down arrow keys differently, so the two keys are invalid when you access history commands in such an environment.
  • Page 28 Editing keys (Press…: To…):
    Left arrow key or <Ctrl+B>: move the cursor one character to the left.
    Right arrow key or <Ctrl+F>: move the cursor one character to the right.
    Up arrow key or <Ctrl+P>, down arrow key or <Ctrl+N>: display history commands.
    Use the partial online help.
  • Page 29 Table of Contents
    1 Logging into an Ethernet Switch 1-1
      Logging into an Ethernet Switch 1-1
      Introduction to the User Interface 1-1
        Supported User Interfaces 1-1
        User Interface Index 1-1
        Common User Interface Configuration 1-2
    2 Logging in through the Console Port 2-1
      Introduction 2-1
      Logging in through the Console Port 2-1
      Console Port Login Configuration 2-4...
  • Page 30
      Configuration on the Switch Side 4-1
        Modem Configuration 4-1
        Switch Configuration 4-2
      Modem Connection Establishment 4-2
    5 Logging in through the Web-based Network Management System 5-1
      Introduction 5-1
      Establishing an HTTP Connection 5-1
      Configuring the Login Banner 5-2
        Configuration Procedure 5-2
        Configuration Example 5-3
      Enabling/Disabling the WEB Server 5-3
    6 Logging in through NMS 6-1
      Introduction 6-1...
  • Page 31: Logging Into An Ethernet Switch

    Supported User Interfaces The auxiliary (AUX) port and the Console port of an H3C Ethernet switch are the same port (referred to as the Console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 32: Common User Interface Configuration

    Set the banner: [ login | shell ] text. Optional; by default, no banner is configured.
    Set a system name for the switch: sysname string. Optional; by default, the system name is H3C.
    Enable copyright information: copyright-info enable. Optional; by default, copyright displaying is enabled.
  • Page 33: Logging In Through The Console Port

    Logging in through the Console Port Introduction To log in through the Console port is the most common way to log into a switch. It is also the prerequisite to configure other login methods. By default, you can locally log into an S3100 Ethernet switch through its Console port only.
  • Page 34 If you use a PC to connect to the Console port, launch a terminal emulation utility (such as Terminal in Windows XP/Windows 2000. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created.
  • Page 35 Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
  • Page 36: Console Port Login Configuration

    Console Port Login Configuration Common Configuration Table 2-2 lists the common configuration of Console port login. Table 2-2 Common configuration of Console port login (Configuration: Remarks):
    Baud rate: Optional. The default baud rate is 9,600 bps.
    Check mode: Optional. By default, the check mode of the Console port is set to “none”, which means no check bit.
  • Page 37: Console Port Login Configuration With Authentication Mode Being None

    Table 2-3 Console port login configurations for different authentication modes (Authentication mode: Console port login configuration; Remarks):
    None: perform common configuration for Console port login. Optional; refer to Table 2-2.
    Password: configure the password for local authentication. Required. Perform common...
  • Page 38 Console port login configuration with authentication mode being none (Operation: Command; Description):
    Configure not to authenticate users: authentication-mode none. Required; by default, users logging in through the Console port (AUX user interface) are not authenticated.
    Set the baud rate: speed speed-value. Optional; the default baud rate of a Console port is 9,600 bps.
  • Page 39: Configuration Example

    Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the Console port (AUX user interface).
  • Page 40: Console Port Login Configuration With Authentication Mode Being Password

    After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log into the switch successfully. Console Port Login Configuration with Authentication Mode Being Password Configuration Procedure Table 2-5 Console port login configuration with the authentication mode being password...
  • Page 41: Configuration Example

    Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes.
  • Page 42: Console Port Login Configuration With Authentication Mode Being Scheme

    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify commands of level 2 are available to users logging into the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the Console port to 19,200 bps.
    [Sysname-ui-aux0] speed 19200
    # Set the maximum number of lines the screen can contain to 30.
  • Page 43 Console port login configuration with authentication mode being scheme (Operation: Command; Description):
    Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ]. Required; the specified AAA scheme determines whether to authenticate users locally or remotely. By default, users logging in through the Console port (AUX user interface) are not authenticated.
  • Page 44: Configuration Example

    Configuration Example Network requirements Assume the switch is configured to allow users to log in through Telnet, and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in through the console port (AUX user interface). Configure the local user name as “guest”.
  • Page 45
    [Sysname-ui-aux0] speed 19200
    # Set the maximum number of lines the screen can contain to 30.
    [Sysname-ui-aux0] screen-length 30
    # Set the maximum number of commands the history command buffer can store to 20.
    [Sysname-ui-aux0] history-command max-size 20
    # Set the timeout time of the AUX user interface to 6 minutes.
    [Sysname-ui-aux0] idle-timeout 6
    After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in...
  • Page 46: Logging In Through Telnet

    Logging in through Telnet Introduction S3100 series Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log into a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
  • Page 47: Telnet Configurations For Different Authentication Modes

    Table 3-2 Common Telnet configuration (Configuration: Description):
    Configure the command level available to users logging into the VTY user interface: Optional. By default, commands of level 0 are available to users logging into a VTY user interface.
    Configure the protocols the user interface supports: Optional. By default, the Telnet and SSH protocols are supported.
  • Page 48: Telnet Configuration With Authentication Mode Being None

    Telnet configurations for different authentication modes (Authentication mode: Telnet configuration; Description), continued:
    Manage VTY users: set the service type for VTY users. Required.
    Perform common Telnet configuration: Optional; refer to Table 3-2.
    To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled only after the corresponding configuration is performed.
  • Page 49: Configuration Example

    Make terminal services available: shell. Optional; by default, terminal services are available in all user interfaces.
    Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 50: Telnet Configuration With Authentication Mode Being Password

    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure not to authenticate Telnet users logging into VTY 0.
    [Sysname-ui-vty0] authentication-mode none
    # Specify commands of level 2 are available to users logging into VTY 0.
    [Sysname-ui-vty0] user privilege level 2
    # Configure Telnet protocol is supported.
  • Page 51: Configuration Example

    Set the maximum number of lines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
    Set the history command buffer...: Optional; the default history command buffer...
  • Page 52: Telnet Configuration With Authentication Mode Being Scheme

    # Enter VTY 0 user interface view.
    [Sysname] user-interface vty 0
    # Configure to authenticate users logging into VTY 0 using the password.
    [Sysname-ui-vty0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-vty0] set authentication password simple 123456
    # Specify commands of level 2 are available to users logging into VTY 0.
  • Page 53 Telnet configuration with authentication mode being scheme (Operation: Command; Description):
    Enter one or more VTY user interface views: user-interface vty first-number [ last-number ].
    Configure to authenticate users locally or remotely: authentication-mode scheme [ command-authorization ]. Required; the specified AAA scheme determines whether to authenticate users locally or remotely.
  • Page 54 Table 3-7 Determine the command level when users logging into switches are authenticated in the scheme mode (Scenario: authentication mode, user type, command; Command level). Example row: the user privilege level level command is executed and the service-type command does not specify the available command level: level 0.
  • Page 55: Configuration Example

    Refer to AAA Operation and SSH Operation of this manual for information about AAA, RADIUS, and SSH. Configuration Example Network requirements Assume the current user logs in through the Console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging into VTY 0 using Telnet. Configure the local user name as “guest”.
  • Page 56: Telnetting To A Switch

    9,600 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
  • Page 57 <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
  • Page 58: Telnetting To Another Switch From The Current Switch

    A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password. Refer to section 1.2 “Command Hierarchy/Command View” in CLI part for information about command hierarchy.
  • Page 59: Logging In Using A Modem

    Logging in Using a Modem Introduction If the remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can log into the Console port of that switch using a modem over the PSTN to configure and maintain the switch remotely.
  • Page 60: Switch Configuration

    The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging into a switch through its Console port by using a modem, you will enter the AUX user interface.
  • Page 61 Figure 4-1 Establish the connection by using modems (PC, modem serial cable, modem, telephone line, PSTN, modem, Console port; telephone number of the remote end: 82882285). Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through...
  • Page 62 Figure 4-3 Set the telephone number Figure 4-4 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears. You can then configure or manage the switch.
  • Page 63: Introduction

    Logging in through the Web-based Network Management System Introduction An S3100 Ethernet switch has a Web server built in. It enables you to log into an S3100 Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
  • Page 64: Configuring The Login Banner

    Figure 5-1 Establish an HTTP connection between your PC and the switch Log into the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.) When the login authentication interface (as shown in...
  • Page 65: Configuration Example

    Configuration Example Network requirements A user logs in to the switch through Web. The banner page is desired when a user logs into the switch. Network diagram Figure 5-3 Network diagram for login banner configuration Configuration Procedure # Enter system view. <Sysname>...
  • Page 66 Enabling/disabling the Web server (Operation: Command; Description):
    Enable the Web server: undo ip http shutdown. Required; by default, the Web server is enabled.
    Disable the Web server: ip http shutdown. Required.
    To improve security and prevent attacks on unused sockets, TCP port 80 (which is for the HTTP service) is enabled/disabled after the corresponding configuration.
  • Page 67: Logging In Through Nms

    Logging in through NMS Introduction You can also log into a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent. Refer to the SNMP-RMON part for related information.
  • Page 68: User Control

    User Control Refer to the ACL part for information about ACL. Introduction A switch provides ways to control different types of login users, as listed in Table 7-1. Table 7-1 Ways to control different types of login users Login mode Control method Implementation Related section...
  • Page 69: Controlling Telnet Users By Source And Destination Ip Addresses

    Table 7-2 Control Telnet users by source IP addresses (Operation: Command; Description):
    Enter system view: system-view.
    Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
  • Page 70: Configuration Example

    Table 7-4 Control Telnet users by source MAC addresses (Operation: Command; Description):
    Enter system view: system-view.
    Create or enter Layer 2 ACL view: acl number acl-number.
    Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]. Required; you can define rules as needed to filter by specific source MAC addresses.
  • Page 71: Controlling Network Management Users By Source Ip Addresses

    Controlling Network Management Users by Source IP Addresses You can manage an S3100 Ethernet switch through network management software. Network management users can access switches through SNMP. You need to perform the following two operations to control network management users by source IP addresses.
  • Page 72: Controlling Web Users By Source Ip Address

    Network diagram Figure 7-2 Network diagram for controlling SNMP users using ACLs (Host A 10.110.100.46 and Host B 10.110.100.52 reach the Switch through an IP network).
    Configuration procedure
    # Define a basic ACL.
    <Sysname> system-view
    [Sysname] acl number 2000
    [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
    [Sysname-acl-basic-2000] quit
    # Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
  • Page 73: Disconnecting A Web User By Force

    Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { config | auto } ]. As for the acl number command, the config keyword is specified by default.
    Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]. Required...
  • Page 74 [Sysname] ip http acl 2030...
  • Page 75 Table of Contents
    1 Configuration File Management 1-1
      Introduction to Configuration File 1-1
      Management of Configuration File 1-2
        Saving the Current Configuration 1-2
        Erasing the Startup Configuration File 1-3
        Specifying a Configuration File for Next Startup 1-4
        Displaying Device Configuration 1-5...
  • Page 76: Configuration File Management

    Configuration File Management
    Introduction to Configuration File
    A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
    Types of configuration
    The configuration of a device falls into two types: Saved configuration, a configuration file used for initialization.
  • Page 77: Management of Configuration File

    When setting the configuration file for next startup, you can specify to use the main or backup configuration file.
    Startup with the configuration file
    When booting, the system chooses the configuration files following the rules below:
    If the main configuration file exists, the device initializes with this configuration.
    If the main configuration file does not exist but the backup configuration file exists, the device initializes with the backup configuration.
  • Page 78: Erasing the Startup Configuration File

    S3100 series Ethernet switches do not support the safe mode. When you are saving a configuration file using the save safely command, if the device reboots or the power fails during the saving process, the configuration file will be lost.
  • Page 79: Specifying a Configuration File for Next Startup

    While the reset saved-configuration [ main ] command erases the configuration file with the main attribute, it only removes the main attribute from a configuration file that has both the main and backup attributes. Likewise, while the reset saved-configuration backup command erases the configuration file with the backup attribute, it only removes the backup attribute from a configuration file that has both the main and backup attributes.
  • Page 80: Displaying Device Configuration

    Displaying Device Configuration
    After the above configuration, you can execute the display command in any view to display the current and initial configurations of the device, so as to verify your configuration.
    Table 1-5 Display device configuration
    Operation: Display the initial configuration file saved in the storage device. Command: display saved-configuration [ unit unit-id ]. Description: ...
  • Page 81: Table of Contents: 1 VLAN Overview (1-1); VLAN Overview (1-1); Introduction to VLAN (1-1); Advantages of VLANs (1-2); VLAN Fundamentals (1-2); VLAN Interface (1-4); VLAN Classification (1-4); Port-Based VLAN (1-5); Link Types of Ethernet Ports (1-5); Assigning an Ethernet Port to Specified VLANs (1-5); Configuring the Default VLAN ID for a Port (1-6); MAC-Based VLAN (1-7); Introduction to MAC-Based VLAN (1-7)...
  • Page 82: Associating a Port with a Protocol-Based VLAN (2-10); Displaying Protocol-Based VLAN Configuration (2-10); Protocol-Based VLAN Configuration Example (2-11)...
  • Page 83: VLAN Overview

    VLAN Overview
    This chapter covers these topics: VLAN Overview; Port-Based VLAN; MAC-Based VLAN; Protocol-Based VLAN.
    VLAN Overview
    Introduction to VLAN
    The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 84: Advantages of VLANs

    way. However, hosts in different VLANs cannot communicate with each other directly but need the help of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation.
    Figure 1-1 A VLAN implementation
    Advantages of VLANs
    Compared with traditional Ethernet technology, VLAN technology delivers the following benefits:
    Confining broadcast traffic within individual VLANs.
  • Page 85 A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100.
  • Page 86: VLAN Interface

    And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses. An S3100 series switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the “Management VLAN Configuration”...
  • Page 87: Port-Based VLAN

    Port-Based VLAN
    Port-based VLAN technology introduces the simplest way to classify VLANs. You can assign the ports on the device to different VLANs. Thus packets received on a port will be transmitted through the corresponding VLAN only, so as to isolate hosts into different broadcast domains and divide them into different virtual workgroups.
  • Page 88: Configuring the Default VLAN ID for a Port

    Before assigning an access or hybrid port to a VLAN, create the VLAN first.
    Configuring the Default VLAN ID for a Port
    An access port can belong to only one VLAN. Therefore, the VLAN an access port belongs to is also the default VLAN of the access port.
  • Page 89: MAC-Based VLAN

    MAC-Based VLAN
    The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
    Introduction to MAC-Based VLAN
    The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature is mostly used in conjunction with security technologies such as 802.1X to provide secure, flexible network access for terminal devices.
  • Page 90: Protocol-Based VLAN

    Protocol-Based VLAN
    The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
    Introduction to Protocol-Based VLAN
    Protocol-based VLAN, also known as protocol VLAN, is another way to classify VLANs. With protocol-based VLANs, the switch analyzes the untagged packets received on a port and matches them automatically against the user-defined protocol templates according to their encapsulation formats and the values of specific fields.
  • Page 91: Encapsulation Formats

    Supported Implementation of Protocol-Based VLAN
    S3100 series Ethernet switches assign a packet to a specific VLAN by matching the packet against the protocol template. The protocol template is the standard used to determine the protocol to which a packet belongs. Protocol...
  • Page 92: VLAN Configuration

    VLAN Configuration
    When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN; MAC-Based VLAN; Configuring a Protocol-Based VLAN.
    VLAN Configuration
    VLAN Configuration Task List
    Complete the following tasks to configure VLAN:
    Task: Basic VLAN Configuration. Remarks: ...
  • Page 93: Basic VLAN Interface Configuration

    VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 94: Displaying VLAN Configuration

    To do: Create a VLAN interface and enter VLAN interface view. Use the command: interface Vlan-interface vlan-id. Remarks: Required. By default, there is no VLAN interface on a switch.
    To do: Specify the description string for the current VLAN interface. Use the command: description text. Remarks: Optional. By default, the description string of a VLAN interface is the name of this VLAN interface.
  • Page 95: Configuring a Hybrid-Port-Based VLAN

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enter VLAN view. Use the command: vlan vlan-id. Remarks: Required. If the specified VLAN does not exist, this command creates the VLAN before entering its view.
    To do: Add an Access port to the current VLAN. Use the command: port interface-list. Remarks: Required. By default, the system adds all ports to VLAN 1.
  • Page 96: Configuring a Trunk-Port-Based VLAN

    To configure a Trunk port into a Hybrid port (or vice versa), you need to use the Access port as a medium. For example, the Trunk port has to be configured as an Access port first and then a Hybrid port.
  • Page 97: Port-Based VLAN Configuration Example

    Port-Based VLAN Configuration Example
    Network requirements
    As shown in Figure 2-1, Switch A and Switch B each connect to a server and a workstation (Host). For data security concerns, the two servers are assigned to VLAN 101 with the description string “DMZ”, and the PCs are assigned to VLAN 201.
  • Page 98: Troubleshooting Ethernet Port Configuration

    For information about the display interface command, refer to Port Basic Configuration in this manual.
    Configuring a MAC-Based VLAN
    The contents of this section are only applicable to the S3100-EI series among S3100 series switches. MAC-based VLANs are available only on hybrid ports.
  • Page 99: Configuring a MAC-Based VLAN

    { all | dynamic | static | vlan vlan-id } entries
    To do: Display all interfaces with MAC-based VLAN enabled. Use the command: display mac-vlan interface
    Configuring a Protocol-Based VLAN
    The contents of this section are only applicable to the S3100-EI series among S3100 series switches.
  • Page 100: Protocol-Based VLAN Configuration Task List

    Protocol-Based VLAN Configuration Task List
    Complete these tasks to configure protocol-based VLAN:
    Task: Configuring a Protocol Template for a Protocol-Based VLAN. Remarks: Required
    Task: Associating a Port with a Protocol-Based VLAN. Remarks: Required
    Task: Displaying Protocol-Based VLAN Configuration. Remarks: Optional
    Configuring a Protocol Template for a Protocol-Based VLAN
    Configuration prerequisites
    Create a VLAN before configuring the VLAN as a protocol-based VLAN.
  • Page 101: Associating a Port with a Protocol-Based VLAN

    At present, the S3100 series support only the standard templates of AppleTalk and IP, the standard template of IPX encapsulated in Ethernet II format, and the user-defined templates matching the Ethernet II encapsulation format. Protocol templates matching 802.2/802.3 encapsulation formats and their extended encapsulation formats are not supported on the S3100 series currently.
  • Page 102: Protocol-Based VLAN Configuration Example

    To do: Display the protocol information and protocol indexes configured on the specified port. Use the command: display protocol-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all }
    Protocol-Based VLAN Configuration Example
    Network requirements
    As shown in Figure 2-2, Workroom connects to the LAN through port Ethernet 1/0/10 on the S3100 switch.
  • Page 103
    [Switch] vlan 100
    [Switch-vlan100] protocol-vlan ip
    # To ensure the normal operation of the IP network, configure a user-defined protocol template for VLAN 100 to match the ARP protocol (Ethernet II encapsulation is assumed here).
    [Switch-vlan100] protocol-vlan mode ethernetii etype 0806
    # Display the created protocol-based VLANs and the protocol templates.
  • Page 104: Table of Contents: 1 Static Route Configuration (1-1); Introduction to Static Route (1-1); Static Route (1-1); Default Route (1-1); Static Route Configuration (1-2); Configuration Prerequisites (1-2); Configuring a Static Route (1-2); Displaying and Maintaining Static Routes (1-2); Troubleshooting a Static Route (1-3)...
  • Page 105: Static Route Configuration

    Static Route Configuration
    When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route; Static Route Configuration; Displaying and Maintaining Static Routes; Troubleshooting a Static Route.
    Introduction to Static Route
    Static Route
    Static routes are special routes.
  • Page 106: Static Route Configuration

    Static Route Configuration
    Configuration Prerequisites
    Before configuring a static route, perform the following tasks:
    Configuring the physical parameters of related interfaces
    Configuring IP addresses for related interfaces
    Configuring a Static Route
    Follow these steps to configure a static route: To do... Use the command...
  • Page 107: Troubleshooting a Static Route

    Operation: Display the routes that match a specified basic access control list (ACL). Command: display ip routing-table acl acl-number [ verbose ]
    Operation: Display the routing table in a tree structure. Command: display ip routing-table radix
    Operation: Display the statistics on the routing table. Command: display ip routing-table statistics
    Operation: Clear statistics about a routing...
  • Page 108: Table of Contents: 1 IP Addressing Configuration (1-1); IP Addressing Overview (1-1); IP Address Classes (1-1); Special Case IP Addresses (1-2); Subnetting and Masking (1-2); Configuring IP Addresses (1-3); Configuring an IP address to a loopback interface (1-3); Configuring an IP address to a VLAN interface (1-4); Displaying IP Addressing Configuration (1-4); IP Address Configuration Examples (1-5); IP Address Configuration Example I (1-5)...
  • Page 109: IP Addressing Configuration

    IP Addressing Configuration
    IP Addressing Overview
    IP Address Classes
    IP addressing uses a 32-bit address to identify each host on a network. An example is 01010000100000001000000010000000 in binary. To make IP addresses in 32-bit form easier to read, they are written in dotted decimal notation, each being four octets in length, for example, 10.1.1.1 for the address just mentioned.
  • Page 110: Special Case IP Addresses

    Address range: 224.0.0.0 to 239.255.255.255. Description: Multicast address.
    Address range: 240.0.0.0 to 255.255.255.255. Description: Reserved for future use except for the broadcast address 255.255.255.255.
    Special Case IP Addresses
    The following IP addresses are for special use, and they cannot be used as host IP addresses:
    IP address with an all-zeros net ID: Identifies a host on the local network.
  • Page 111: Configuring IP Addresses

    255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
    Configuring IP Addresses
    S3100 Series Ethernet Switches support assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP as alternatives. If you change the way an interface obtains an IP address, from manual assignment to BOOTP for example, the IP address obtained from BOOTP will overwrite the old one manually assigned.
  • Page 112: Configuring an IP Address to a VLAN Interface

    Configuring an IP address to a VLAN interface
    Table 1-3 Configure an IP address to a VLAN interface (S3100-SI)
    Operation: Enter system view. Command: system-view. Remarks: —
    Operation: Configure a specified VLAN to be the management VLAN. Command: management-vlan vlan-id. Remarks: Required. By default, VLAN 1 operates as the management VLAN.
  • Page 113: IP Address Configuration Examples

    Operation: Display brief configuration information about a specified or all Layer 3 interfaces. Command: display ip interface brief [ interface-type [ interface-number ] ]
    IP Address Configuration Examples
    IP Address Configuration Example I
    Network requirement
    Assign IP address 129.2.2.1 with mask 255.255.255.0 to VLAN interface 1 of the switch.
    Network diagram
    Figure 1-3 Network diagram for IP address configuration
    Configuration procedure...
  • Page 114: IP Performance Configuration

    IP Performance Overview
    Introduction to IP Performance Configuration
    In some network environments, you need to adjust the IP parameters to achieve the best network performance. The IP performance configuration supported by S3100 Series Ethernet Switches includes:
    Configuring TCP attributes
    Disabling ICMP to send error packets
    Introduction to FIB
    Every switch stores a forwarding information base (FIB).
  • Page 115: Disabling ICMP to Send Error Packets

    By default, S3100 Series Ethernet Switches support sending ICMP redirect and destination unreachable packets. Although sending ICMP error packets facilitates control and management, it has the following disadvantages:
    Sending a lot of ICMP packets will increase network traffic.
  • Page 116
    Use the reset command in user view to clear the IP, TCP, and UDP traffic statistics.
    Table 2-4 Display and maintain IP performance
    Operation: Display TCP connection status. Command: display tcp status
    Operation: Display TCP connection statistics. Command: display tcp statistics
    Operation: Display UDP traffic statistics. Command: display udp statistics
    Operation: Display IP traffic statistics...
  • Page 117: Table of Contents: 1 Voice VLAN Configuration (1-1); Voice VLAN Overview (1-1); How an IP Phone Works (1-1); How S3100 Series Switches Identify Voice Traffic (1-3); Setting the Voice Traffic Transmission Priority (1-4); Configuring Voice VLAN Assignment Mode of a Port (1-4); Support for Voice VLAN on Various Ports (1-4); Security Mode of Voice VLAN (1-6)...
  • Page 118: Voice VLAN Configuration

    Voice VLAN Configuration
    The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches.
    When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview; Voice VLAN Configuration; Displaying and Maintaining Voice VLAN...
  • Page 119
    Voice VLAN configuration
    Failover call routing
    The following describes how a typical IP phone acquires an IP address.
    Figure 1-1 Network diagram for IP phones
    As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
  • Page 120: How S3100 Series Switches Identify Voice Traffic

    NCP is reachable to the IP address to be set.
    How S3100 Series Switches Identify Voice Traffic
    S3100 series Ethernet switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier (OUI) list. If a match is found, the packet is considered a voice packet.
  • Page 121: Setting the Voice Traffic Transmission Priority

    Setting the Voice Traffic Transmission Priority
    In order to improve the transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows:
    Set the CoS (802.1p) priority to 6.
    Set the DSCP value to 46.
    Configuring Voice VLAN Assignment Mode of a Port
    A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode.
  • Page 122
    Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
    Voice VLAN assignment mode: Automatic. Voice traffic type: Tagged. Port type: Access. Supported or not: Not supported.
    Voice VLAN assignment mode: Automatic. Voice traffic type: Tagged. Port type: Trunk. Supported or not: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default...
  • Page 123: Security Mode of Voice VLAN

    H3C series switches provide the security mode for voice VLAN to address this problem. When the voice VLAN works in security mode, the switch checks the source MAC address of each packet to enter the voice VLAN and drops the packets whose source MAC addresses do not match the OUI list.
  • Page 124: Voice VLAN Configuration

    (Table columns: Voice VLAN mode; Packet type; Processing method)
    Packet type: Packet carrying any other VLAN. Processing method: The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN. The processing method is irrelevant to the voice VLAN mode (security or normal).
    Packet type: Untagged packet. Processing method: The source MAC address of the packet is not checked.
  • Page 125: Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode

    Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode
    Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode:
    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Set an OUI address that can be ... Use the command: voice vlan mac-address oui ... Remarks: Optional. By default, the switch determines...
  • Page 126: Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode

    When the voice VLAN is working normally and the device restarts, the system does not wait to be triggered by voice traffic before adding a port in automatic voice VLAN assignment mode to the voice VLAN; it adds the port immediately after the restart or the changes, so that the established voice connections keep working normally.
  • Page 127 VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature realizes the communication between H3C device and other vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 128: Displaying and Maintaining Voice VLAN

    Displaying and Maintaining Voice VLAN
    To do: Display information about the ports on which voice VLAN configuration fails. Use the command: display voice vlan error-info. Remarks: In any view
    To do: Display the voice VLAN configuration status. Use the command: display voice vlan status. Remarks: In any view
    To do: Display the OUI list. Use the command: display voice vlan oui. Remarks: In any view
    To do: Display the ports operating in the voice VLAN. Use the command: display vlan vlan-id. Remarks: In any view...
  • Page 129: Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode)

    # Set the voice VLAN aging timer.
    [DeviceA] voice vlan aging 100
    # Add a user-defined OUI address 0011-2200-0000 and set the description string to “test”.
    [DeviceA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
    # Enable the voice VLAN function globally.
    [DeviceA] voice vlan 2 enable
    # Configure the voice VLAN to operate in automatic voice VLAN assignment mode on Ethernet 1/0/1.
  • Page 130
    # Display the OUI addresses, the corresponding OUI address masks and the corresponding description strings that the system supports.
    <DeviceA> display voice vlan oui
    Oui Address      Mask             Description
    0003-6b00-0000   ffff-ff00-0000   Cisco phone
    000f-e200-0000   ffff-ff00-0000   H3C Aolynk phone
    0011-2200-0000   ffff-ff00-0000   test
    00d0-1e00-0000   ffff-ff00-0000   Pingtel phone
    00e0-7500-0000   ffff-ff00-0000   Polycom phone
    00e0-bb00-0000...
  • Page 131: Table of Contents: 1 GVRP Configuration (1-1); Introduction to GVRP (1-1); GARP (1-1); GVRP (1-4); Protocol Specifications (1-4); GVRP Configuration (1-4); GVRP Configuration Tasks (1-4); Enabling GVRP (1-4); Configuring GVRP Timers (1-5); Configuring GVRP Port Registration Mode (1-6); Displaying and Maintaining GVRP (1-6); GVRP Configuration Example (1-7); GVRP Configuration Example (1-7)...
  • Page 132: GVRP Configuration

    GVRP Configuration
    When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP; GVRP Configuration; Displaying and Maintaining GVRP; GVRP Configuration Example.
    Introduction to GVRP
    GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 133
    Through message exchange, all the attribute information to be registered can be propagated to all the GARP-enabled switches in the same LAN.
    GARP timers
    Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages.
    Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 134
    Figure 1-1 Format of GARP packets
    The following table describes the fields of a GARP packet.
    Table 1-1 Description of GARP packet fields
    Field: Protocol ID. Description: Protocol ID.
    Field: Message. Description: Each message consists of two parts: Attribute Type and Attribute List. Value: —
    Field: Attribute Type. Description: Defined by the specific GARP. Value: The attribute type of GVRP is 0x01.
  • Page 135: GVRP

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 136: Configuring GVRP Timers

    To do: Enter system view. Use the command: system-view. Remarks: —
    To do: Enable GVRP globally. Use the command: gvrp. Remarks: Required. By default, GVRP is disabled globally.
    To do: Enter Ethernet port view. Use the command: interface interface-type interface-number. Remarks: —
    To do: Enable GVRP on the port. Use the command: gvrp. Remarks: Required. By default, GVRP is disabled on the port.
  • Page 137: Configuring GVRP Port Registration Mode

    Table 1-2 Relations between the timers
    Timer: Hold. Lower threshold: 10 centiseconds. Upper threshold: This upper threshold is less than or equal to one-half of the timeout time of the Join timer. You can change the threshold by changing the timeout time of the Join timer.
  • Page 138: GVRP Configuration Example

    To do: Display the settings of the GARP timers. Use the command: display garp timer [ interface interface-list ]
    To do: Display GVRP statistics. Use the command: display gvrp statistics [ interface interface-list ]
    To do: Display the global GVRP status. Use the command: display gvrp status
    To do: Clear GARP statistics. Use the command: reset garp statistics [ interface interface-list ]...
  • Page 139
    [SwitchA] interface Ethernet 1/0/2
    [SwitchA-Ethernet1/0/2] port link-type trunk
    [SwitchA-Ethernet1/0/2] port trunk permit vlan all
    # Enable GVRP on Ethernet1/0/2.
    [SwitchA-Ethernet1/0/2] gvrp
    [SwitchA-Ethernet1/0/2] quit
    # Configure Ethernet1/0/3 to be a trunk port and to permit the packets of all the VLANs.
    [SwitchA] interface Ethernet 1/0/3
    [SwitchA-Ethernet1/0/3] port link-type trunk
    [SwitchA-Ethernet1/0/3] port trunk permit vlan all...
  • Page 140
    The following dynamic VLANs exist:
    Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
    # Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode.
    [SwitchE] interface Ethernet 1/0/1
    [SwitchE-Ethernet1/0/1] gvrp registration fixed
    # Display the VLAN information dynamically registered on Switch A.
  • Page 141: Table of Contents: 1 Port Basic Configuration (1-1); Ethernet Port Configuration (1-1); Combo Port Configuration (1-1); Initially Configuring a Port (1-1); Configuring Port Auto-Negotiation Speed (1-2); Limiting Traffic on Individual Ports (1-3); Enabling Flow Control on a Port (1-3); Duplicating the Configuration of a Port to Other Ports (1-4); Configure Loopback Detection for Ethernet Port(s) (1-4); Enabling Loopback Test (1-6); Configuring a Port Group (1-7)...
  • Page 142: Port Basic Configuration

    Port Basic Configuration
    Ethernet Port Configuration
    Combo Port Configuration
    Introduction to Combo port
    A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface. For a Combo port, the electrical port and the corresponding optical port are TX-SFP multiplexed.
  • Page 143: Configuring Port Auto-Negotiation Speed

    Operation / Command / Remarks:
    Enable the Ethernet port: undo shutdown. Optional. By default, the port is enabled; use the shutdown command to disable the port.
    Set the description string for the Ethernet port: description text. Optional. By default, the description string of an Ethernet port is null.
  • Page 144: Limiting Traffic On Individual Ports

    After you configure auto-negotiation speed(s) for a port, executing the undo speed command or the speed auto command restores the auto-negotiation speed setting of the port to the default. Executing speed auto 10 100 1000 has the same effect as executing speed auto: the port is configured to support all the auto-negotiation speeds, that is, 10 Mbps, 100 Mbps, and 1000 Mbps.
  • Page 145: Duplicating The Configuration Of A Port To Other Ports

    Table 1-3 Enable flow control on a port (Operation / Command / Remarks):
    Enter system view: system-view.
    Enter Ethernet port view: interface interface-type interface-number.
    Enable flow control on the Ethernet port: flow-control. By default, flow control is not enabled on the port.
    Duplicating the Configuration of a Port to Other Ports
    To give other ports the same configuration as a specific port, you can duplicate the configuration of that port to the other ports.
  • Page 146 If you have additionally enabled the loopback port auto-shutdown function on the port, the system will shut down the port, and send log and trap messages to the terminal. After the loop is removed, you need to use the undo shutdown command to bring up the port. If you have not enabled the loopback port auto-shutdown function on the port, the port will automatically resume the normal forwarding state after the loop is removed.
  • Page 147: Enabling Loopback Test

    Operation / Command / Remarks:
    Enable loopback detection on a specified port: loopback-detection enable. Optional. By default, the loopback detection function is enabled on ports if the device boots with the default configuration file (config.def); if the device boots with a null configuration, this function is disabled.
  • Page 148: Configuring A Port Group

    external: Performs an external loop test. In the external loop test, a self-loop header must be used on the port of the switch (for a 100M port, the self-loop header is made from four cores of the 8-core cable; for a 1000M port, it is made from all eight cores), so that the packets forwarded by the port are received by the port itself.
  • Page 149: Enabling The System To Test Connected Cable

    Enabling the System to Test Connected Cable
    You can enable the system to test the cable connected to a specific port. The test result is returned within five seconds. The system can test the following attributes of the cable: the receive and transmit directions (RX and TX), whether there is a short circuit or an open circuit, and the length of the faulty cable.
  • Page 150: Configuring Storm Control On A Port

    status of Ethernet ports in a network changes frequently, a large amount of log information may be sent, which increases the workload of the log server and consumes more network resources. You can limit the amount of log information sent to the log server by disabling the Up/Down log output function on Ethernet ports.
  • Page 151: Setting The Port State Change Delay

    With traffic upper and lower thresholds specified on a port, the system periodically collects statistics about the broadcast/multicast traffic on the port. Once it finds that a type of traffic exceeds the specified upper threshold, it blocks this type of traffic on the port or directly shuts down the port, and outputs trap/log information according to your configuration.
  • Page 152 The port state change delay takes effect when the port goes down but not when the port goes up.
    Table 1-11 Set the port state change delay (Operation / Command / Remarks):
    Enter system view: system-view.
    Enter Ethernet port view: interface interface-type...
  • Page 153: Displaying And Maintaining Basic Port Configuration

    Displaying and Maintaining Basic Port Configuration
    Table 1-12 Display and maintain basic port configuration (Operation / Command / Remarks):
    Display port configuration information: display interface [ interface-type | interface-type interface-number ].
    Display the enable/disable status of port loopback detection: display loopback-detection.
    Display information for a specified port group: display port-group group-id. (Only S3100-EI series switches support this feature.)
  • Page 154: Troubleshooting Ethernet Port Configuration

    Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. This example assumes that VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 have been created.
    # Enter Ethernet 1/0/1 port view.
    <Sysname>...
  • Page 155 Table of Contents: 1 Link Aggregation Configuration (1-1); Overview (1-1); Introduction to Link Aggregation (1-1); Introduction to LACP (1-1); Operational Key (1-2); Requirements on Ports for Link Aggregation (1-2); Link Aggregation Classification (1-2); Manual Aggregation Group (1-2); Static LACP Aggregation Group (1-3); Dynamic LACP Aggregation Group (1-4); Aggregation Group Categories (1-5); Link Aggregation Configuration (1-6); Configuring a Manual Aggregation Group (1-6)...
  • Page 156: Link Aggregation Configuration

    Link Aggregation Configuration Overview Introduction to Link Aggregation Link aggregation can aggregate multiple Ethernet ports together to form a logical aggregation group. To upper layer entities, all the physical links in an aggregation group are a single logical link. Link aggregation is designed to increase bandwidth by implementing outgoing/incoming load sharing among the member ports in an aggregation group.
  • Page 157: Requirements On Ports For Link Aggregation

    S3100 series switches that support extended LACP functions can be used as intermediate devices in LACP MAD implementations. For details about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see the operation manuals of IRF-supported devices.
    Operational Key
    The operational key is generated by the system. It is determined by port settings such as port speed, duplex...
  • Page 158: Static Lacp Aggregation Group

    manual aggregation group must contain at least one port. When a manual aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group. LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group.
  • Page 159: Dynamic Lacp Aggregation Group

    The ports connected to a peer device different from the one the master port is connected to, or those connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port, are unselected ports. The system also sets ports whose basic port configuration differs from that of the master port to the unselected state.
  • Page 160: Aggregation Group Categories

    When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port. When the rate of a port decreases: if the port belongs to a manual or static LACP aggregation group, the port is switched to the unselected state; if the port belongs to a dynamic LACP aggregation group, deaggregation occurs on the port.
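    The selection rules stated in the two passages above (peer device, peer aggregation group, basic port configuration, and the effect of a rate decrease per group type), written out as a small Python model. This is an added illustration for this page, not H3C's implementation; the Port fields (peer_device, peer_agg_group) and all sample port names and peers are assumptions constructed for the example.

```python
"""Model of the selected/unselected port rules described in the manual text.

Added illustration, not the switch's own code: it encodes only the rules
the text states for member ports of a link aggregation group.
"""
from dataclasses import dataclass
from typing import List, Tuple

MANUAL, STATIC, DYNAMIC = "manual", "static", "dynamic"


@dataclass
class Port:
    name: str
    speed: int           # Mbps (part of the "basic port configuration")
    duplex: str          # "full" or "half" (basic port configuration)
    peer_device: str     # device at the other end of the link (assumed field)
    peer_agg_group: int  # aggregation group of the peer port (assumed field)


def port_state(master: Port, port: Port) -> str:
    """Return 'selected' or 'unselected' for `port` relative to `master`.

    Rules taken from the text:
    - connected to a different peer device than the master -> unselected
    - same peer device, but the peer port is not in the same aggregation
      group as the master's peer port -> unselected
    - basic port configuration (speed/duplex) differs from master -> unselected
    """
    if port.peer_device != master.peer_device:
        return "unselected"
    if port.peer_agg_group != master.peer_agg_group:
        return "unselected"
    if (port.speed, port.duplex) != (master.speed, master.duplex):
        return "unselected"
    return "selected"


def evaluate_group(master: Port, members: List[Port]) -> List[Tuple[str, str]]:
    """Classify every port of the group; the master is always selected."""
    result = [(master.name, "selected")]
    result += [(p.name, port_state(master, p)) for p in members]
    return result


def on_rate_decrease(group_type: str, port: Port, new_speed: int) -> str:
    """Outcome when a member port's rate drops, per the text: manual and
    static groups move the port to unselected; a dynamic LACP group
    deaggregates the port. A rate that does not decrease is reported as
    "unchanged" (assumption: the text only covers decreases)."""
    if new_speed >= port.speed:
        return "unchanged"
    port.speed = new_speed
    if group_type in (MANUAL, STATIC):
        return "unselected"
    if group_type == DYNAMIC:
        return "deaggregated"
    raise ValueError(f"unknown aggregation group type: {group_type}")


# Constructed sample: Ethernet1/0/1 is the master; peers are made up.
MASTER = Port("Ethernet1/0/1", 1000, "full", "SwitchB", 1)
MEMBERS = [
    Port("Ethernet1/0/2", 1000, "full", "SwitchB", 1),  # matches master
    Port("Ethernet1/0/3", 100, "full", "SwitchB", 1),   # speed differs
    Port("Ethernet1/0/4", 1000, "full", "SwitchC", 1),  # other peer device
    Port("Ethernet1/0/5", 1000, "full", "SwitchB", 2),  # peer port in other group
]

if __name__ == "__main__":
    for name, state in evaluate_group(MASTER, MEMBERS):
        print(f"{name}: {state}")
    demo = Port("Ethernet1/0/2", 1000, "full", "SwitchB", 1)
    print("rate drop in static group:", on_rate_decrease(STATIC, demo, 100))
```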
  • Page 161: Link Aggregation Configuration

    Link Aggregation Configuration
    The link aggregation commands and the port loopback detection feature cannot be configured on the same port at the same time. Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
  • Page 162: Configuring A Static Lacp Aggregation Group

    If the aggregation group you are creating already exists but contains no port, its type changes to the type you set. If the aggregation group you are creating already exists and contains ports, the only possible type changes are from dynamic or static to manual, and from dynamic to static; no other type change can occur.
  • Page 163: Configuring A Dynamic Lacp Aggregation Group

    Configuring a Dynamic LACP Aggregation Group
    A dynamic LACP aggregation group is automatically created by the system based on LACP-enabled ports. Ports are added to and removed from a dynamic aggregation group automatically by LACP. You need to enable LACP on the ports you want to participate in dynamic aggregation, because only when LACP is enabled on the ports at both ends can the two parties reach agreement on adding ports to, or removing ports from, dynamic aggregation groups.
  • Page 164: Displaying And Maintaining Link Aggregation Configuration

    Operation / Command / Remarks:
    Configure a description for an aggregation group: link-aggregation group agg-id description agg-name. Optional. By default, no description is configured for an aggregation group.
    If you have saved the current configuration with the save command, after a system reboot the configuration of manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions is lost.
  • Page 165 Network diagram
    Figure 1-1 Network diagram for link aggregation configuration
    Configuration procedure
    The following lists only the configuration on Switch A; you must perform a similar configuration on Switch B to implement link aggregation.
    Adopting manual aggregation mode
    # Create manual aggregation group 1.
    <Sysname>...
  • Page 166 Adopting dynamic LACP aggregation mode
    # Enable LACP on Ethernet1/0/1 through Ethernet1/0/3.
    <Sysname> system-view
    [Sysname] interface Ethernet1/0/1
    [Sysname-Ethernet1/0/1] lacp enable
    [Sysname-Ethernet1/0/1] quit
    [Sysname] interface Ethernet1/0/2
    [Sysname-Ethernet1/0/2] lacp enable
    [Sysname-Ethernet1/0/2] quit
    [Sysname] interface Ethernet1/0/3
    [Sysname-Ethernet1/0/3] lacp enable
    The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
  • Page 167 Table of Contents: 1 Port Isolation Configuration (1-1); Port Isolation Overview (1-1); Port Isolation Configuration (1-1); Displaying Port Isolation Configuration (1-2); Port Isolation Configuration Example (1-2)...
  • Page 168: Port Isolation Configuration

    Layer 2 and Layer 3 data between each port in the isolation group. Thus, you can construct your network in a more flexible way and improve your network security. Currently, you can create only one isolation group on an S3100 Series Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
  • Page 169: Displaying Port Isolation Configuration

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local device will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 170 Network diagram
    Figure 1-1 Network diagram for port isolation configuration
    Configuration procedure
    # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
    <Sysname> system-view
    System View: return to User View with Ctrl+Z.
    [Sysname] interface ethernet1/0/2
    [Sysname-Ethernet1/0/2] port isolate
    [Sysname-Ethernet1/0/2] quit
    [Sysname] interface ethernet1/0/3
    [Sysname-Ethernet1/0/3] port isolate
    [Sysname-Ethernet1/0/3] quit...
  • Page 171 Table of Contents: 1 Port Security Configuration (1-1); Port Security Overview (1-1); Introduction (1-1); Port Security Features (1-1); Port Security Modes (1-1); Port Security Configuration Task List (1-4); Enabling Port Security (1-5); Setting the Maximum Number of MAC Addresses Allowed on a Port (1-5); Setting the Port Security Mode (1-6); Configuring Port Security Features (1-7); Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure Mode (1-8); Ignoring the Authorization Information from the RADIUS Server (1-9)...
  • Page 172: Port Security Configuration

    Port Security Configuration
    When configuring port security, go to these sections for the information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Example.
    Port Security Overview
    Introduction
    Port security is a security mechanism for network access control. It is an extension of the existing 802.1x and MAC address authentication.
  • Page 173 Table 1-1 Description of port security modes (Security mode / Description / Feature):
    noRestriction: In this mode, access to the port is not restricted. Feature: In this mode, neither the NTK nor the intrusion protection feature is triggered.
    In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
  • Page 174 Security mode / Description / Feature (continued):
    Description: MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. Feature: In any of these modes, the...
  • Page 175: Port Security Configuration Task List

    Security mode / Description / Feature (continued):
    macAddressElseUserLoginSecureExt: This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.
    In this mode, a port first performs MAC authentication for a user and then performs 802.1x authentication for the user if the user passes MAC authentication.
  • Page 176: Enabling Port Security

    Enabling Port Security
    Configuration Prerequisites
    Before enabling port security, you need to disable 802.1x and MAC authentication globally.
    Enabling Port Security
    Follow these steps to enable port security (To do... / Use the command... / Remarks):
    Enter system view: system-view.
    Enable port security: port-security enable. Required. Disabled by default...
  • Page 177: Setting The Port Security Mode

    To do... / Use the command... / Remarks:
    Enter Ethernet port view: interface interface-type interface-number.
    Set the maximum number of MAC addresses allowed on the port: port-security max-mac-count count-value. Required. Not limited by default.
    Setting the Port Security Mode
    Follow these steps to set the port security mode:
    To do...
  • Page 178: Configuring Port Security Features

    If the port-security port-mode mode command has been executed on a port, none of the following can be configured on the same port: the maximum number of MAC addresses that the port can learn; the reflector port for port mirroring; link aggregation.
    Configuring Port Security Features
    Configuring the NTK feature
    Follow these steps to configure the NTK feature:...
  • Page 179: Configuring Guest Vlan For A Port In Macaddressoruserloginsecure Mode

    If you configure the NTK feature and execute the port-security intrusion-mode blockmac command on the same port, the switch will be unable to prevent packets whose destination MAC address is illegal from being sent out that port; that is, the configured NTK feature will not take effect on packets whose destination MAC address is illegal.
  • Page 180: Ignoring The Authorization Information From The Radius Server

    To do... / Use the command... / Remarks:
    Enter system view: system-view.
    Set the interval at which the switch triggers MAC address authentication after a port is added to the guest VLAN: port-security timer guest-vlan-reauth interval. Optional.
    Enter Ethernet port view: interface interface-type interface-number...
  • Page 181: Configuring Security Mac Addresses

    To do... / Use the command... / Remarks:
    Enter Ethernet port view: interface interface-type interface-number.
    Ignore the authorization information from the RADIUS server: port-security authorization ignore. Required. By default, a port uses the authorization information from the RADIUS server.
    Configuring Security MAC Addresses
    A port in autolearn mode performs MAC address learning and maintains a security MAC address forwarding table.
  • Page 182: Displaying And Maintaining Port Security Configuration

    To do... / Use the command... / Remarks:
    In Ethernet port view: interface interface-type interface-number, then mac-address security mac-address vlan vlan-id. Remarks: ... security MAC address is configured.
    Configuring an aging time for learned security MAC address entries
    By default, learned security MAC address entries are never aged out; they are deleted only when the port security feature is disabled or the security mode is no longer autolearn.
  • Page 183: Port Security Configuration Example

    To do... / Use the command... / Remarks:
    Display information about security MAC address configuration: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ].
    Port Security Configuration Example
    Port Security Configuration Example
    Network requirements
    Implement access user restrictions through the following configuration on Ethernet 1/0/1 of the switch: allow a maximum of 80 users to access the port without authentication, and permit the port to learn and add the MAC addresses of the users as security MAC addresses.
  • Page 184: Guest Vlan Configuration Example

    [Switch-Ethernet1/0/1] quit
    [Switch] port-security timer disableport 30
    Guest VLAN Configuration Example
    Network requirements
    As shown in Figure 1-2, Ethernet 1/0/2 connects to a PC and a printer, which are not used at the same time. Configure the port to operate in macAddressOrUserLoginSecure mode and specify a guest VLAN for the port.
  • Page 185 [Switch] radius scheme 2000
    [Switch-radius-2000] primary authentication 10.11.1.1 1812
    [Switch-radius-2000] primary accounting 10.11.1.1 1813
    [Switch-radius-2000] key authentication abc
    [Switch-radius-2000] key accounting abc
    [Switch-radius-2000] user-name-format without-domain
    [Switch-radius-2000] quit
    # Configure the ISP domain and apply the scheme 2000 to the domain.
    [Switch] domain system
    [Switch-isp-system] scheme radius-scheme 2000
    [Switch-isp-system] quit...
  • Page 186: Port Binding Configuration

    Port Binding Configuration
    When configuring port binding, go to these sections for the information you are interested in: Port Binding Overview; Displaying and Maintaining Port Binding Configuration; Port Binding Configuration Example.
    Currently, only the S3100-EI series supports port binding.
    Port Binding Overview
    Introduction
    Binding is a simple security mechanism.
  • Page 187: Configuring Port Binding

    Configuring Port Binding
    Follow these steps to configure port binding (To do... / Use the command... / Remarks):
    Enter system view: system-view.
    Bind the MAC address and ... (in system view): am user-bind mac-addr mac-address { ip-addr ip-address | ipv6 ipv6-address } [ interface interface-type interface-number ]. Either is required...
  • Page 188 Network diagram
    Figure 2-1 Network diagram for port binding configuration (Switch A, Eth1/0/1, Switch B; Host A: 10.12.1.1/24, MAC address 0001-0002-0003; Host B)
    Configuration procedure
    Configure Switch A as follows:
    # Enter system view.
    <SwitchA> system-view
    # Enter Ethernet 1/0/1 port view.
    [SwitchA] interface Ethernet 1/0/1
    # Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.
  • Page 189 Table of Contents: 1 DLDP Configuration (1-1); Overview (1-1); DLDP Fundamentals (1-3); DLDP Packets (1-3); DLDP Status (1-4); DLDP Timers (1-5); DLDP Operating Mode (1-6); DLDP Implementation (1-7); DLDP Neighbor State (1-8); Link Auto-recovery Mechanism (1-9); DLDP Configuration (1-9); Performing Basic DLDP Configuration (1-9); Resetting DLDP State (1-10); Displaying and Maintaining DLDP (1-11); DLDP Configuration Example (1-11)...
  • Page 190: Dldp Configuration

    Currently, only S3100-EI series Ethernet switches support the DLDP feature. Overview Device link detection protocol (DLDP) is an H3C technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B, the other sending from B to A, it is a bidirectional link (two-way link).
  • Page 191 Figure 1-1 Fiber cross-connection
    Figure 1-2 Fiber broken or not connected (Switch A GE1/1/1, GE1/1/2; Switch B GE1/1/1, GE1/1/2)
    Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or a copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it either disables the related port automatically or prompts you to disable it manually, according to your configuration, to avoid network problems.
  • Page 192: Dldp Fundamentals

    The auto-negotiation mechanism at the physical layer detects physical signals and faults. DLDP identifies peer devices and unidirectional links, and disables unreachable ports. Even if both ends of links can work normally at the physical layer, DLDP can detect whether these links are connected correctly and whether packets can be exchanged normally at both ends.
  • Page 193: Dldp Status

    DLDP packet type / Function:
    Linkdown: Linkdown packets are used to notify unidirectional link emergencies (a unidirectional link emergency occurs when the local port is down and the peer port is up). Linkdown packets carry only the local port information instead of the neighbor information. In some conditions, a port is considered physically down if the link connecting to the port is physically abnormal (for example, the Rx line of the fiber on the port is disconnected while the Tx line operates properly).
  • Page 194: Dldp Timers

    Status / Description:
    DelayDown: When a device in the active, advertisement, or probe DLDP state receives a port down message, it does not remove the corresponding neighbor immediately, nor does it change to the inactive state. Instead, it changes to the delaydown state first. When a device changes to the delaydown state, the related DLDP neighbor information remains, and the DelayDown timer is triggered.
  • Page 195: Dldp Operating Mode

    Timer / Description:
    DelayDown timer: Triggered when a device in the active, advertisement, or probe DLDP state receives a port down message and changes to the delaydown state. The device does not remove the corresponding neighbor immediately, nor does it change to the inactive state; while the timer runs, the related DLDP neighbor information remains.
  • Page 196: Dldp Implementation

    Figure 1-3 A case for enhanced DLDP mode
    In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 1-1) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 1-1).
  • Page 197: Dldp Neighbor State

    Table 1-6 The procedure to process a received DLDP packet (Packet type / Processing procedure):
    Advertisement packet: Extracts the neighbor information. If the corresponding neighbor entry does not exist on the local device, DLDP creates the neighbor entry, triggers the entry aging timer, and switches to the probe state. If the corresponding neighbor entry already exists on the...
  • Page 198: Link Auto-Recovery Mechanism

    Link Auto-recovery Mechanism If the shutdown mode of a port is set to auto shutdown, the port is set to the DLDP down state when DLDP detects the link connecting to the port is a unidirectional link. A port in DLDP down state does not forward service packets or receive/send protocol packets except DLDPDUs.
  • Page 199: Resetting Dldp State

    To do... / Use the command... / Remarks:
    Set the delaydown timer: dldp delaydown-timer delaydown-time. Optional. By default, the delaydown timer expires 1 second after it is triggered.
    Set the DLDP handling mode when a unidirectional link is detected: dldp unidirectional-shutdown { auto | manual }. Optional. By default, the handling mode is auto.
  • Page 200: Displaying And Maintaining Dldp

    This function is only applicable to ports that are in the DLDP down state. Follow these steps to reset DLDP state (To do... / Use the command... / Remarks):
    Enter system view: system-view.
    Reset DLDP state for all the ports shut down by DLDP: dldp reset. Select either of the two.
  • Page 201 Network diagram
    Figure 1-4 Network diagram for DLDP configuration (Switch A GE1/1/1, GE1/1/2; Switch B GE1/1/1, GE1/1/2)
    Configuration procedure
    Configure Switch A
    # Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps.
    <SwitchA> system-view
    [SwitchA] interface gigabitethernet 1/1/1
    [SwitchA-GigabitEthernet1/1/1] duplex full
    [SwitchA-GigabitEthernet1/1/1] speed 1000...
  • Page 202 When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state. When a fiber is connected to a device correctly on one end with the other end connected to no device: If the device operates in the normal DLDP mode, the end that receives optical signals is in the advertisement state;...
  • Page 203 Table of Contents: 1 MAC Address Table Management (1-1); Overview (1-1); Introduction to MAC Address Table (1-1); Introduction to MAC Address Learning (1-1); Managing MAC Address Table (1-4); MAC Address Replication Configuration (1-5); MAC Address Table Management (1-6); MAC Address Table Management Configuration Task List (1-6); Configuring a MAC Address Entry (1-7); Setting the MAC Address Aging Timer (1-8); Setting the Maximum Number of MAC Addresses a Port Can Learn (1-8)...
  • Page 204: Mac Address Table Management

    MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview; MAC Address Table Management; Displaying MAC Address Table Information; Configuration Example. This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
  • Page 205 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on Ethernet 1/0/1.
  • Page 206 Because the switch broadcasts the packet, both User B and User C can receive the packet. However, User C is not the destination device of the packet, and therefore does not process the packet. Normally, User B will respond to User A, as shown in Figure 1-4.
  • Page 207: Managing Mac Address Table

    Managing MAC Address Table Aging of MAC address table To fully utilize a MAC address table, which has a limited capacity, the switch uses an aging mechanism for updating the table. That is, the switch starts an aging timer for an entry when dynamically creating the entry.
  • Page 208: Mac Address Replication Configuration

    MAC Address Replication Configuration The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Overview The MAC address replication feature allows you to copy the MAC address table entries of one or multiple VLANs to the MAC address table of another VLAN. This feature effectively reduces broadcasts and improves network security when you use the VLAN marking function with the traffic-remark-vlanid command.
  • Page 209: Mac Address Table Management

    With the MAC address replication feature enabled, the switch copies the MAC address entries of the original VLAN to the MAC address table of the marked VLAN. When the switch receives a response packet from the marked VLAN, it searches the MAC address table of the marked VLAN, obtains the outbound port for the MAC address of the packet, and unicasts the packet.
  • Page 210: Configuring A Mac Address Entry

    Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entry (dynamic or static MAC address entries). You can add a MAC address entry in either system view or Ethernet port view. Adding a MAC address entry in system view Follow these steps to add a MAC address entry in system view: To do…...
  • Page 211: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 212: Disabling Mac Address Learning For A Vlan

    MAC address authentication or port security functions on the port, and vice versa. Disabling MAC Address learning for a VLAN The contents of this section are only applicable to the S3100-EI series among S3100 series switches. You can disable a switch from learning MAC addresses in specific VLANs to improve stability and security for the users belonging to these VLANs and to prevent unauthorized access.
  • Page 213: Assigning Mac Addresses For Ethernet Ports

    If the VLAN is configured as a remote probe VLAN used by port mirroring, you cannot disable MAC address learning of this VLAN. Similarly, after you disable MAC address learning, this VLAN cannot be configured as a remote probe VLAN. Disabling the MAC address learning function of a VLAN does not affect enabling MAC address authentication on the ports that belong to the VLAN.
  • Page 214: Configuring Mac Address Replication

    Configuring MAC Address Replication The contents of this section are only applicable to the S3100-EI series among S3100 series switches. Follow these steps to configure the MAC address replication feature (To do: Use the command; Remarks): Enter system view: system-view; —...
  • Page 215: Adding A Static Mac Address Entry Manually

    Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through Ethernet 1/0/2.
  • Page 216 Figure 1-8 Network diagram for MAC address replication and VLAN marking configuration (SwitchA Eth1/0/2: MAC-A, VLAN 4, towards a network; SwitchA Eth1/0/1: MAC-A, VLAN 3, towards network 192.168.1.0/24). Configuration procedure # Create VLAN 3 and VLAN 4 on Switch A. <SwitchA> system-view [SwitchA] vlan 3 to 4 Please wait..
  • Page 217 # Configure MAC address replication on Ethernet 1/0/1 to copy the MAC address entries of VLAN 3 to the MAC address table of VLAN 4. [SwitchA-Ethernet1/0/1] mac-address-mapping 0 source-vlan 3 destination-vlan 4 [SwitchA-Ethernet1/0/1] quit # Configure VLAN marking on Ethernet 1/0/2 to replace the VLAN tag of packets that match ACL 3001 with VLAN tag 3.
  • Page 218 Table of Contents: 1 MSTP Configuration (1-1); Overview (1-1); Spanning Tree Protocol Overview (1-1); Rapid Spanning Tree Protocol Overview (1-10); Multiple Spanning Tree Protocol Overview (1-10); MSTP Implementation on Switches (1-14); Protocols and Standards (1-15); MSTP Configuration Task List (1-15); Configuring Root Bridge (1-17); Configuring an MST Region (1-17); Specifying the Current Switch as a Root Bridge/Secondary Root Bridge (1-18); Configuring the Bridge Priority of the Current Switch (1-20)...
  • Page 219 Introduction (1-40); Configuring Digest Snooping (1-40); Configuring Rapid Transition (1-41); Introduction (1-41); Configuring Rapid Transition (1-43); Configuring VLAN-VPN Tunnel (1-44); Introduction (1-44); Configuring VLAN-VPN tunnel (1-45); MSTP Maintenance Configuration (1-45); Introduction (1-45); Enabling Log/Trap Output for Ports of MSTP Instance (1-45); Configuration Example (1-46); Enabling Trap Messages Conforming to 802.1d Standard (1-46); Displaying and Maintaining MSTP (1-46); MSTP Configuration Example (1-47); VLAN-VPN Tunnel Configuration Example (1-49)...
  • Page 220: Overview

    MSTP Configuration Go to these sections for information you are interested in: Overview; MSTP Configuration Task List; Configuring Root Bridge; Configuring Leaf Nodes; Performing mCheck Operation; Configuring Guard Functions; Configuring Digest Snooping; Configuring Rapid Transition; Configuring VLAN-VPN Tunnel; MSTP Maintenance Configuration; Enabling Trap Messages Conforming to 802.1d Standard; Displaying and Maintaining MSTP; MSTP Configuration Example...
  • Page 221 STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
  • Page 222 A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of an H3C device is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
  • Page 223 Port ID A port ID used on an H3C device consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on H3C devices is 128. You can use commands to configure port priorities.
  • Page 224 Table 1-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 225 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 226 (Device: Port name: BPDU of port) Device B: BP1 {1, 0, 1, BP1}; BP2 {1, 0, 1, BP2}. Device C: CP1 {2, 0, 2, CP1}; CP2 {2, 0, 2, CP2}. Comparison process and result on each device The following table shows the comparison process and result on each device. Table 1-5 Comparison process and result on each device (Device: Comparison process: BPDU of port after comparison)...
  • Page 227 (Device: Comparison process: BPDU of port after comparison) Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 228 Figure 1-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initialization, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
  • Page 229: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 230 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
  • Page 231 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs.
  • Page 232 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 233: Mstp Implementation On Switches

    STP and RSTP and use them for their respective spanning tree calculation. The S3100 series switches support MSTP. After MSTP is enabled on an S3100 series switch, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol,...
  • Page 234: Protocols And Standards

    In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches: Root bridge hold; Root bridge backup; Root guard; BPDU guard; Loop guard; TC-BPDU attack guard; BPDU dropping. Protocols and Standards MSTP is documented in: IEEE 802.1D: spanning tree protocol...
  • Page 235 (Task: Remarks) Configuring the Timeout Time Factor: Optional. Configuring the Maximum Transmitting Rate on the Current Port: Optional; the default value is recommended. Configuring the Current Port as an Edge Port: Optional. Setting the Link Type of a Port to P2P: Optional. Required; to prevent network topology jitter...
  • Page 236: Configuring Root Bridge

    Configuring Root Bridge Configuring an MST Region Configuration procedure Follow these steps to configure an MST region (To do: Use the command; Remarks): Enter system view: system-view; —. Enter MST region view: stp region-configuration; —. Configure the name of the MST region: region-name name; Required. The default MST region name of a region...
  • Page 237: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
  • Page 238 Specify the current switch as the secondary root bridge of a spanning tree Follow these steps to specify the current switch as the secondary root bridge of a spanning tree (To do: Use the command; Remarks): Enter system view: system-view; —. Specify the current switch as...: stp [ instance instance-id ] root...
  • Page 239: Configuring The Bridge Priority Of The Current Switch

    Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
  • Page 240: Configuring The Mstp Operation Mode

    In auto mode, if a port frequently receives MSTP packets of different formats alternately, the port will be forcibly placed in the discarding state and no longer forwards MSTP packets. The physical state of the port will be displayed as STP DOWN. To restore such a port, you can first run the shutdown command and then the undo shutdown command on it.
  • Page 241: Configuring The Maximum Hop Count Of An Mst Region

    STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices. If STP-enabled switches exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled switch to operate in STP-compatible mode. RSTP-compatible mode, where the ports of a switch send RSTP BPDUs to neighboring devices.
  • Page 242: Configuring The Network Diameter Of The Switched Network

    (To do: Use the command; Remarks) Configure the maximum hop count of the MST region: stp max-hops hops; Required. By default, the maximum hop count of an MST region is 20. The bigger the maximum hop count, the larger the MST region is. Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region.
  • Page 243 Configuration procedure Follow these steps to configure MSTP time-related parameters (To do: Use the command; Remarks): Enter system view: system-view; —. Configure the forward delay parameter: stp timer forward-delay centiseconds; Required. The forward delay parameter defaults to 1,500 centiseconds (namely, 15 seconds). Configure the hello time parameter: Required. The hello time parameter defaults to...
  • Page 244: Configuring The Timeout Time Factor

    Configuration example # Configure the forward delay parameter to be 1,600 centiseconds, the hello time parameter to be 300 centiseconds, and the max age parameter to be 2,100 centiseconds (assuming that the current switch operates as the CIST root bridge). <Sysname>...
  • Page 245: Configuring The Current Port As An Edge Port

    (To do: Use the command; Remarks) Enter system view: system-view; —. Configure the maximum transmitting rate for specified ports: stp interface interface-list transmit-limit packetnum; Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10. Configure the maximum transmitting rate in Ethernet port view Follow these steps to configure the maximum transmitting rate in Ethernet port view: To do...
  • Page 246: Setting The Link Type Of A Port To P2P

    (To do: Use the command; Remarks) Configure the specified ports as edge ports: stp interface interface-list edged-port enable; Required. By default, all the Ethernet ports of a switch are non-edge ports. Configure a port as an edge port in Ethernet port view Follow these steps to configure a port as an edge port in Ethernet port view: To do...
  • Page 247 You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways. Setting the Link Type of a Port to P2P in system view Follow these steps to specify whether the link connected to a port is a point-to-point link in system view: To do...
  • Page 248: Enabling Mstp

    Enabling MSTP Configuration procedure Follow these steps to enable MSTP in system view (To do: Use the command; Remarks): Enter system view: system-view; —. Enable MSTP: stp enable; Required. MSTP is disabled by default. Optional: By default, MSTP is enabled on all ports after you enable MSTP in system view.
  • Page 249: Configuring Leaf Nodes

    [Sysname-Ethernet1/0/1] stp disable Configuring Leaf Nodes Configuring the MST Region Refer to Configuring an MST Region. Configuring How a Port Recognizes and Sends MSTP Packets Refer to Configuring How a Port Recognizes and Sends MSTP Packets. Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor.
  • Page 250 Table 1-7 Transmission rates vs. path costs (columns: Rate; Operation mode (half-/full-duplex); 802.1D-1998; IEEE 802.1t; Latency standard). Operation mode —: 65,535; 200,000,000; 200,000. 10 Mbps, Half-duplex/Full-duplex: 2,000,000 (IEEE 802.1t); 2,000 (latency standard). 10 Mbps, Aggregated link 2 ports: 1,000,000; 1,800. 10 Mbps, Aggregated link 3 ports: 666,666; 1,600. 10 Mbps, Aggregated link 4 ports: 500,000; 1,400. Half-duplex/Full-duplex...
  • Page 251: Configuring Port Priority

    Follow these steps to configure the path cost for a port in Ethernet port view (To do: Use the command; Remarks): Enter system view: system-view; —. Enter Ethernet port view: interface interface-type interface-number; —. Configure the path cost for the port: stp [ instance instance-id ]...; Required. An MSTP-enabled switch can...
  • Page 252: Setting The Link Type Of A Port To P2P

    Configure port priority in system view Follow these steps to configure port priority in system view (To do: Use the command; Remarks): Enter system view: system-view; —. Configure port priority for specified ports: stp interface interface-list instance instance-id port...; Required. The default port priority is 128.
  • Page 253: Performing Mcheck Operation

    Performing mCheck Operation Ports on an MSTP-enabled switch can operate in three modes: STP-compatible, RSTP-compatible, and MSTP. If a port on a device running MSTP (or RSTP) connects to a device running STP, this port will automatically migrate to the STP-compatible mode. However, it will not be able to migrate automatically back to the MSTP (or RSTP) mode, but will remain working in the STP-compatible mode under the following circumstances: The device running STP is shut down or removed.
  • Page 254: Configuring Guard Functions

    [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp mcheck Configuring Guard Functions The following guard functions are available on an MSTP-enabled switch: BPDU guard, root guard, loop guard, TC-BPDU attack guard, and BPDU drop. Configuring BPDU Guard Normally, the access ports of the devices operating on the access layer are directly connected to terminals (such as PCs) or file servers.
  • Page 255: Configuring Root Guard

    Configuring Root Guard A root bridge and its secondary root bridges must reside in the same region. The root bridge of the CIST and its secondary root bridges are usually located in the high-bandwidth core region. Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge, which causes a new root bridge to be elected and network topology jitter to occur.
  • Page 256: Configuring Loop Guard

    Configuration example # Enable the root guard function on Ethernet 1/0/1. Perform this configuration in system view <Sysname> system-view [Sysname] stp interface Ethernet 1/0/1 root-protection Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp root-protection Configuring Loop Guard A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch.
  • Page 257: Configuring Tc-Bpdu Attack Guard

    Configuration example # Enable the loop guard function on Ethernet 1/0/1. <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp loop-protection Configuring TC-BPDU Attack Guard Normally, a switch removes its MAC address table and ARP entries upon receiving Topology Change BPDUs (TC-BPDUs). If a malicious user sends a large amount of TC-BPDUs to a switch in a short period, the switch may be busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth, and increase switch CPU utilization.
  • Page 258: Configuring Bpdu Dropping

    # Set the maximum times for the switch to remove the MAC address table and ARP entries within 10 seconds to 5. <Sysname> system-view [Sysname] stp tc-protection threshold 5 Configuring BPDU Dropping In an STP-enabled network, attackers may send BPDUs to switches continuously in order to destroy the network.
  • Page 259: Configuring Digest Snooping

    Configuring Digest Snooping Introduction According to IEEE 802.1s, two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region-related configuration. Interconnected MSTP-enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them (A configuration ID contains information such as region ID and configuration digest).
  • Page 260: Configuring Rapid Transition

    (To do: Use the command; Remarks) Return to system view: quit; —. Enable the digest snooping feature globally: stp config-digest-snooping; Required. The digest snooping feature is disabled globally by default. Display the current configuration: display current-configuration; Available in any view. When the digest snooping feature is enabled on a port, the port state turns to the discarding state.
  • Page 261 MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the H3C series switch operating as the downstream switch. Among these ports, those operating as the root ports will...
  • Page 262: Configuring Rapid Transition

    Configuration prerequisites As shown in Figure 1-8, an H3C series switch is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way it implements rapid transition on designated ports.
  • Page 263: Configuring Vlan-Vpn Tunnel

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Currently, only S3100-SI series Ethernet Switches support the VLAN-VPN tunnel feature. Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider...
  • Page 264: Configuring Vlan-Vpn Tunnel

    Configuring VLAN-VPN tunnel Follow these steps to configure VLAN-VPN tunnel (To do: Use the command; Remarks): Enter system view: system-view; —. Enable MSTP globally: stp enable; —. Enable the VLAN-VPN tunnel function globally: vlan-vpn tunnel; Required. The VLAN-VPN tunnel function is disabled by default.
  • Page 265: Configuration Example

    Configuration Example # Enable log/trap output for the ports of instance 1. <Sysname> system-view [Sysname] stp instance 1 portlog # Enable log/trap output for the ports of all instances. <Sysname> system-view [Sysname] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard When enabled, the switch sends the following two types of 802.1d-compliant traps to the network management device: When the switch is configured to be the root bridge of a spanning tree instance, it sends...
  • Page 266: Mstp Configuration Example

    (To do: Use the command; Remarks) Display information about the root port of the instance where the switch resides: display stp root. Clear statistics about MSTP: reset stp [ interface interface-list ]; Available in user view. MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 1-10 to enable packets of different VLANs to be...
  • Page 267 [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] instance 4 vlan 40 [Sysname-mst-region] revision-level 0 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configuration # Specify Switch A as the root bridge of MSTI 1. [Sysname] stp instance 1 root primary Configure Switch B # Enter MST region view.
  • Page 268: Vlan-Vpn Tunnel Configuration Example

    [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30 [Sysname-mst-region] instance 4 vlan 40 [Sysname-mst-region] revision-level 0 # Activate the settings of the MST region manually. [Sysname-mst-region] active region-configuration VLAN-VPN Tunnel Configuration Example Network requirements Switch C and Switch D are the access devices for the service provider network. S3100-SI switches operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram.
  • Page 269 # Add Ethernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port Ethernet 1/0/1 Configure Switch C # Enable MSTP. <Sysname> system-view [Sysname] stp enable # Enable the VLAN-VPN tunnel function. [Sysname] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port GigabitEthernet 1/0/1 [Sysname-Vlan10] quit...
  • Page 270 [Sysname-GigabitEthernet1/0/1] port trunk permit vlan all...
  • Page 271 Table of Contents: 1 Multicast Overview (1-1); Multicast Overview (1-1); Information Transmission in the Unicast Mode (1-1); Information Transmission in the Broadcast Mode (1-2); Information Transmission in the Multicast Mode (1-2); Roles in Multicast (1-3); Advantages and Applications of Multicast (1-4); Multicast Models (1-4); Multicast Architecture (1-5); Multicast Address (1-6); Multicast Protocols (1-10)...
  • Page 272 Introduction to MLD Snooping (3-1); Basic Concepts in MLD Snooping (3-2); How MLD Snooping Works (3-3); MLD Snooping Proxying (3-5); Protocols and Standards (3-6); MLD Snooping Configuration Task List (3-7); Configuring Basic Functions of MLD Snooping (3-8); Configuration Prerequisites (3-8); Enabling MLD Snooping (3-8); Configuring the Version of MLD Snooping (3-8); Configuring Limit on the Number of Forwarding Entries Globally (3-9); Configuring MLD Snooping Port Functions (3-9)...
  • Page 273 Configuration Prerequisites ·············································································································4-3 Configuring User Port Attributes······································································································4-3 Configuring IPv6 Multicast VLAN Ports···························································································4-4 Displaying and Maintaining IPv6 Multicast VLAN ···················································································4-4 IPv6 Multicast VLAN Configuration Examples························································································4-5 5 Multicast User Control Policy Configuration··························································································5-1 IPv4 Multicast User Control Policy Configuration ···················································································5-1 Configuring IPv4 Multicast User Control Policy···············································································5-1 IPv4 Multicast User Control Policy Configuration Example·····························································5-2 IPv6 Multicast Group Filter Configuration ·······························································································5-5 IPv6 ACL Overview ·························································································································5-5...
  • Page 274: Multicast Overview

    Multicast Overview. With the development of networks on the Internet, more and more interactive services, such as data, voice, and video services, are running on the networks. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auction, video on demand (VoD), and tele-education, have come into being.
  • Page 275: Information Transmission In The Broadcast Mode

    Information Transmission in the Broadcast Mode. When you adopt broadcast, the system transmits information to all users on a network. Any user on the network receives the information, whether it needs the information or not. Figure 1-2 shows information transmission in broadcast mode.
  • Page 276: Roles In Multicast

    Figure 1-3 Information transmission in the multicast mode Assume that Hosts B, D and E need the information. To transmit the information to the right users, it is necessary to group Hosts B, D and E into a receiver set. The routers on the network duplicate and distribute the information based on the distribution of the receivers in this set.
  • Page 277: Advantages And Applications Of Multicast

    Table 1-1 An analogy between TV transmission and multicast transmission (columns: Step, TV transmission, Multicast transmission). A TV station transmits a TV program through a television channel; a multicast source sends multicast data to a multicast group. A user tunes the TV set to the channel; a receiver joins the multicast group.
  • Page 278: Multicast Architecture

    ASM model. In the ASM model, any sender can become a multicast source and send information to a multicast group; any number of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that group. In this model, receivers do not know the position of a multicast source in advance.
  • Page 279: Multicast Address

    Multicast Address. As the receivers are multiple hosts in a multicast group, the following questions arise: What destination should the information source send the information to in the multicast mode? How should the destination address be selected? These questions are about multicast addressing. To enable communication between the information source and the members of a multicast group (a group of information receivers), network-layer multicast addresses, namely IP multicast addresses, must be provided.
  • Page 280 Class D address range and description: 232.0.0.0 to 232.255.255.255, available source-specific multicast (SSM) multicast group addresses; 239.0.0.0 to 239.255.255.255, administratively scoped multicast addresses, which are for specific local use only. As specified by IANA, the IP addresses ranging from 224.0.0.0 to 224.0.0.255 are reserved for network protocols on local networks.
  • Page 281 Figure 1-4 IPv6 multicast format Referring to Figure 1-4, the meanings of the fields of an IPv6 multicast address are as follows: 0xFF: The most significant 8 bits are 11111111, indicating that this address is an IPv6 multicast address. Figure 1-5 Format of the Flags field Flags: Referring to Figure 1-5, the following table describes the four bits of the Flags field.
  • Page 282 Value Meaning Global scope Group ID: 112 bits, IPv6 multicast group identifier that uniquely identifies an IPv6 multicast group in the scope defined by the Scope field. Ethernet multicast MAC address When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver.
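The following Python is an added example, not text or code from the H3C manual: it decodes the class D ranges and the IPv6 Flags, Scope and Group ID fields described above and derives the Ethernet multicast MAC address that the "Ethernet multicast MAC address" subsection introduces. The 01-00-5E/23-bit (IPv4) and 33-33/32-bit (IPv6) mapping rules and the scope names other than "global" are taken from RFC 1112, RFC 2464 and RFC 4291, not from this page; the sample addresses are constructed.

```python
import ipaddress

# Added example, not taken from the H3C manual: decodes the multicast
# address fields the overview describes and derives the Ethernet multicast
# MAC address. The 01-00-5E/23-bit (IPv4) and 33-33/32-bit (IPv6) mapping
# rules come from RFC 1112 and RFC 2464, not from the manual text itself.

# Scope values per RFC 4291; the manual's table lists "Global scope" (0xE).
IPV6_SCOPE_NAMES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def classify_ipv4_multicast(addr: str) -> str:
    """Place a class D address into the ranges listed in the overview."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a class D (multicast) address")
    if ip in ipaddress.IPv4Network("224.0.0.0/24"):
        return "reserved for network protocols on local networks"
    if ip in ipaddress.IPv4Network("232.0.0.0/8"):
        return "source-specific multicast (SSM) group address"
    if ip in ipaddress.IPv4Network("239.0.0.0/8"):
        return "administratively scoped (local use only)"
    return "other class D group address"


def _format_mac(value: int) -> str:
    """Render a 48-bit integer as a hyphenated MAC address string."""
    return "-".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def ipv4_multicast_mac(addr: str) -> str:
    """Map an IPv4 group address to its Ethernet MAC: 01-00-5E + low 23 bits.

    Only 23 of the 28 significant group bits survive, so 32 IPv4 groups share
    one MAC; a switch that keys forwarding on multicast MAC (as the manual says
    IGMP Snooping does) cannot tell those groups apart.
    """
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a class D (multicast) address")
    low23 = int(ip) & 0x7FFFFF
    return _format_mac((0x01005E << 24) | low23)


def decode_ipv6_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into 0xFF prefix, Flags, Scope and Group ID."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 120 != 0xFF:
        raise ValueError(f"{addr} does not start with 0xFF, so it is not IPv6 multicast")
    flags = (value >> 116) & 0xF          # 4 bits: 0 R P T
    scope = (value >> 112) & 0xF          # 4 bits
    group_id = value & ((1 << 112) - 1)   # 112 bits
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),     # T: not permanently assigned
        "prefix_based": bool(flags & 0x2),  # P: RFC 3306 prefix-based
        "embedded_rp": bool(flags & 0x4),   # R: RFC 3956 embedded RP
        "scope": scope,
        "scope_name": IPV6_SCOPE_NAMES.get(scope, "reserved/unassigned"),
        "group_id": group_id,
    }


def ipv6_multicast_mac(addr: str) -> str:
    """Map an IPv6 group address to its Ethernet MAC: 33-33 + low 32 bits (RFC 2464)."""
    value = int(ipaddress.IPv6Address(addr))
    if value >> 120 != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return _format_mac((0x3333 << 32) | (value & 0xFFFFFFFF))


if __name__ == "__main__":
    # Constructed sample addresses, plus the FF1E::101 group that the
    # manual's MLD snooping examples use.
    for a in ("224.0.0.1", "232.10.0.5", "239.255.0.1", "224.1.1.1"):
        print(a, classify_ipv4_multicast(a), ipv4_multicast_mac(a))
    print("224.1.1.1 and 225.1.1.1 share a MAC:",
          ipv4_multicast_mac("224.1.1.1") == ipv4_multicast_mac("225.1.1.1"))
    print("FF1E::101", decode_ipv6_multicast("FF1E::101"), ipv6_multicast_mac("FF1E::101"))
```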
  • Page 283: Multicast Protocols

    Multicast Protocols Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP/MLD, PIM/IPv6 PIM, MSDP, and MBGP/IPv6 MBGP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping/MLD Snooping, and multicast VLAN/IPv6 multicast VLAN.
  • Page 284 Multicast routing protocols A multicast routing protocol runs on Layer 3 multicast devices to establish and maintain multicast routes and forward multicast packets correctly and efficiently. Multicast routes constitute loop-free data transmission paths from a data source to multiple receivers, namely, a multicast distribution tree. In the ASM model, multicast routes include intra-domain routes and inter-domain routes.
  • Page 285: Multicast Packet Forwarding Mechanism

    In the traditional multicast-on-demand mode, when users in different VLANs on a Layer 2 device need multicast information, the upstream Layer 3 device must forward a separate copy of the multicast data to each VLAN of the Layer 2 device. With the multicast VLAN or IPv6 multicast VLAN feature enabled on the Layer 2 device, the Layer 3 multicast device sends only one copy of the multicast data to the multicast VLAN or IPv6 multicast VLAN on the Layer 2 device.
  • Page 286: Rpf Check

    using the RPF interface as the incoming interface, and installs the entry into the multicast forwarding table. If the interface on which the packet actually arrived is the RPF interface, the RPF check is successful and the router forwards the packet to all the outgoing interfaces. If the interface on which the packet actually arrived is not the RPF interface, the RPF check fails and the router discards the packet.
  • Page 287 the interface on which the packet actually arrived. The RPF check succeeds and the packet is forwarded...
  • Page 288: Igmp Snooping Configuration

    IGMP Snooping Configuration IGMP Snooping Overview Internet Group Management Protocol Snooping (IGMP Snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP Snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
  • Page 289: Work Mechanism Of Igmp Snooping

    Figure 2-2 IGMP Snooping related ports (network diagram: Source, Router A, Switch A and Switch B with ports Eth1/0/1 to Eth1/0/3, receivers Host A to Host D; legend: router port, member port, multicast packets). Ports involved in IGMP Snooping, as shown in Figure 2-2, are described as follows: Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the...
  • Page 290 If the receiving port is a router port existing in its router port list, the switch resets the aging timer of this router port. If the receiving port is not a router port existing in its router port list, the switch adds it into its router port list and sets an aging timer for this router port.
  • Page 291: Igmp Snooping Configuration

    If any IGMP report in response to the group-specific query arrives at the member port before its aging timer expires, this means that some other members of that multicast group still exist under that port: the switch resets the aging timer of the member port. If no IGMP report in response to the group-specific query arrives at the member port before its aging timer expires, this means that no members of that multicast group still exist under the port: the switch deletes the forwarding entry...
  • Page 292: Configuring The Version Of Igmp Snooping

    Operation, command, remarks: Enable IGMP Snooping globally: igmp-snooping enable (Required; by default, IGMP Snooping is disabled globally). Enter VLAN view: vlan vlan-id. Enable IGMP Snooping on the VLAN: igmp-snooping enable (Required; by default, IGMP Snooping is disabled on all the VLANs). Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 293: Configuring Timers

    Configuring Timers. This section describes how to configure the aging timer of the router port and the aging timer of the multicast member ports. Table 2-5 Configure timers (operation, command, remarks): Enter system view: system-view. Configure the aging timer of the router port: igmp-snooping (Optional; by default, the aging time of the router port...
  • Page 294: Configuring A Multicast Group Filter

    The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
  • Page 295: Configuring The Maximum Number Of Multicast Groups On A Port

    Operation, command, remarks: Configure a multicast group filter: igmp-snooping group-policy acl-number [ vlan vlan-list ] (Optional; no group filter is configured by default, namely hosts can join any multicast group). A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered.
  • Page 296: Configuring Igmp Snooping Querier

    To prevent traffic bursts in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process. When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one.
  • Page 297: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Operation, command, remarks: Enable IGMP Snooping: igmp-snooping enable (Required; by default, IGMP Snooping is disabled). Enter VLAN view: vlan vlan-id. Enable IGMP Snooping: igmp-snooping enable (Required; by default, IGMP Snooping is disabled). Enable IGMP Snooping querier: igmp-snooping querier (Required; by default, IGMP Snooping querier is disabled).
  • Page 298: Configuring Static Member Port For A Multicast Group

    Table 2-11 Suppress flooding of unknown multicast traffic in the VLAN (operation, command, remarks): Enter system view: system-view. Enable unknown multicast flooding suppression: igmp-snooping nonflooding-enable (Required; by default, unknown multicast flooding suppression). If the function of dropping unknown multicast packets is enabled, you cannot enable unknown multicast flooding suppression.
  • Page 299: Configuring A Static Router Port

    Operation, command, remarks: Configure specified port(s) as static member port(s) of a multicast group in the VLAN: multicast static-group group-address interface interface-list (Required; by default, no port is configured as a static multicast group member port). Configuring a Static Router Port. In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
  • Page 300: Configuring A Vlan Tag For Query Messages

    When receiving an IGMP general query, the simulated host responds with an IGMP report. Meanwhile, the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out. When the simulated joining function is disabled on an Ethernet port, the simulated host sends an IGMP leave message.
  • Page 301: Configuring Multicast Vlan

    It is not recommended to configure this function while the multicast VLAN function is in effect. Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth.
  • Page 302: Displaying And Maintaining Igmp Snooping

    Operation, command, remarks: Enable IGMP Snooping: igmp-snooping enable. Enter VLAN view: vlan vlan-id. Enable IGMP Snooping: igmp-snooping enable (Required). Enable multicast VLAN: service-type multicast (Required). Return to system view: quit. Enter Ethernet port view: interface interface-type...
  • Page 303: Igmp Snooping Configuration Examples

    Table 2-20 Display and maintain IGMP Snooping (operation, command, remarks): Display the current IGMP Snooping configuration: display igmp-snooping configuration. Display IGMP Snooping message statistics: display igmp-snooping statistics. Display the information about IP and MAC multicast groups in one ...: display igmp-snooping group [ vlan vlanid ]... You can execute the display commands in any view.
  • Page 304 Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet1/0/1. <RouterA> system-view [RouterA] multicast routing-enable [RouterA] interface Ethernet 1/0/1 [RouterA-Ethernet1/0/1] igmp enable [RouterA-Ethernet1/0/1] quit [RouterA] interface Ethernet 1/0/2 [RouterA-Ethernet1/0/2] pim dm [RouterA-Ethernet1/0/2] quit Configure Switch A # Enable IGMP Snooping globally.
  • Page 305: Configuring Multicast Vlan

    Configuring Multicast VLAN. Network requirements: As shown in Figure 2-4, Workstation is a multicast source. Switch A forwards multicast data from the multicast source. Switch B, a Layer 2 switch, forwards the multicast data to the end users Host A and Host B.
  • Page 306 Configure Switch A: # Set the interface IP address of VLAN 20 to 168.10.1.1 and enable PIM DM on the VLAN interface. <SwitchA> system-view [SwitchA] multicast routing-enable [SwitchA] vlan 20 [SwitchA-vlan20] port Ethernet 1/0/1 [SwitchA-vlan20] quit [SwitchA] interface Vlan-interface 20 [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0 [SwitchA-Vlan-interface20] pim dm [SwitchA-Vlan-interface20] quit # Configure VLAN 10.
  • Page 307: Troubleshooting Igmp Snooping

    [SwitchB] interface Ethernet 1/0/2 [SwitchB-Ethernet1/0/2] port link-type hybrid [SwitchB-Ethernet1/0/2] port hybrid vlan 3 10 untagged [SwitchB-Ethernet1/0/2] port hybrid pvid vlan 3 [SwitchB-Ethernet1/0/2] quit Troubleshooting IGMP Snooping Symptom: Multicast function does not work on the switch. Solution: Possible reasons are: IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping.
  • Page 308: Mld Snooping Configuration

    MLD Snooping Configuration Only the S3100-EI series support MLD Snooping Configuration. When configuring MLD snooping, go to these sections for information you are interested in: MLD Snooping Overview MLD Snooping Configuration Task List Displaying and Maintaining MLD Snooping MLD Snooping Configuration Examples Troubleshooting MLD Snooping MLD Snooping Overview Multicast Listener Discovery Snooping (MLD snooping) is an IPv6 multicast constraining mechanism...
  • Page 309: Basic Concepts In Mld Snooping

    Figure 3-1 Before and after MLD snooping is enabled on the Layer 2 device (two panels: IPv6 multicast packet transmission without MLD Snooping, and IPv6 multicast packet transmission when MLD Snooping runs; each shows a multicast router, a source, a Layer 2 switch, and Host A through Host C)...
  • Page 310: How Mld Snooping Works

    Ports involved in MLD snooping, as shown in Figure 3-2, are described as follows: Router port: A router port is a port on the Ethernet switch that leads the switch towards the Layer-3 multicast device (DR or MLD querier). In the figure, Ethernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.
  • Page 311 The description about adding or deleting a port in this section is only for a dynamic port. Static ports can be added or deleted only through the corresponding configurations. For details, see Configuring Static Ports. General queries The MLD querier periodically sends MLD general queries to all hosts and routers (FF02::1) on the local subnet to find out whether IPv6 multicast group members exist on the subnet.
  • Page 312: Mld Snooping Proxying

    Done messages When a host leaves an IPv6 multicast group, the host sends an MLD done message to the multicast router. When the switch receives an MLD done message on a dynamic member port, the switch first checks whether a forwarding table entry for the IPv6 multicast group address in the message exists, and, if one exists, whether the outgoing port list contains the port.
  • Page 313: Protocols And Standards

    Figure 3-3 Network diagram for MLD snooping proxying As shown in Figure 3-3, Switch A works as an MLD Snooping proxy. As a host from the perspective of the querier Router A, Switch A represents its attached hosts to send their membership reports and done messages to Router A.
  • Page 314: Mld Snooping Configuration Task List

    MLD Snooping Configuration Task List. Complete these tasks to configure MLD snooping (task, remarks): Configuring Basic Functions of MLD Snooping: Enabling MLD Snooping (Required); Configuring the Version of MLD Snooping (Optional); Configuring Limit on the Number of Forwarding Entries Globally (Optional). Configuring Aging Timers for Dynamic Ports (Optional)...
  • Page 315: Configuring Basic Functions Of Mld Snooping

    Configuring Basic Functions of MLD Snooping Configuration Prerequisites Before configuring the basic functions of MLD snooping, complete the following tasks: Configure the corresponding VLANs Before configuring the basic functions of MLD snooping, prepare the following data: The version of MLD snooping Enabling MLD Snooping Follow these steps to enable MLD snooping: To do...
  • Page 316: Configuring Limit On The Number Of Forwarding Entries Globally

    If you switch MLD snooping from version 2 to version 1, the system will clear all MLD snooping forwarding entries from dynamic joining, and will: Keep forwarding entries from version 2 static (*, G) joining; Clear forwarding entries from version 2 static (S, G) joining, which will be restored when MLD snooping is switched back to version 2.
  • Page 317: Configuring Aging Timers For Dynamic Ports

    Configuring Aging Timers for Dynamic Ports If the switch receives no MLD general queries or IPv6 PIM hello messages on a dynamic router port, the switch removes the port from the router port list when the aging timer of the port expires. If the switch receives no MLD reports for an IPv6 multicast group on a dynamic member port, the switch removes the port from the outgoing port list of the forwarding table entry for that IPv6 multicast group when the port aging timer expires.
  • Page 318: Configuring Simulated Joining

    To do..., use the command..., remarks: Configure the port(s) as static member port(s): mld-snooping static-group ipv6-group-address [ source-ip ipv6-source-address ] vlan vlan-id (Required; no static member ports by default). Configure the port(s) as static router port(s): mld-snooping static-router-port vlan vlan-id (Required; no static router ports by default). An IPv6 static (S, G) join takes effect only if a valid IPv6 multicast source address is specified and MLD snooping version 2 is currently running.
  • Page 319: Configuring Fast Leave Processing

    Each simulated host is equivalent to an independent host. For example, when receiving an MLD query, the simulated host corresponding to each configuration responds respectively. Unlike a static member port, a port configured as a simulated member host will age out like a dynamic member port.
  • Page 320: Configuring Mld Snooping Querier

    Configuring MLD Snooping Querier Configuration Prerequisites Before configuring MLD snooping querier, complete the following task: Enable MLD snooping in the VLAN. Before configuring MLD snooping querier, prepare the following data: MLD general query interval, MLD last-member query interval, Maximum response time for MLD general queries, Source IPv6 address of MLD general queries, and Source IPv6 address of MLD multicast-address-specific queries.
  • Page 321 the maximum response time (the host obtains the value of the maximum response time from the Max Response Time field in the MLD query it received). When the timer value comes down to 0, the host sends an MLD report to the corresponding IPv6 multicast group. An appropriate setting of the maximum response time for MLD queries allows hosts to respond to queries quickly and avoids bursts of MLD traffic on the network caused by reports simultaneously sent by a large number of hosts when the corresponding timers expire simultaneously.
  • Page 322: Configuring Source Ipv6 Addresses Of Mld Queries

    Configuring Source IPv6 Addresses of MLD Queries This configuration allows you to change the source IPv6 address of MLD queries. Follow these steps to configure source IPv6 addresses of MLD queries: To do... Use the command... Remarks Enter system view system-view —...
  • Page 323: Configuring A Source Ipv6 Address For The Mld Messages Sent By The Proxy

    Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy You can set the source IPv6 addresses in the MLD reports and done messages sent by the MLD snooping proxy on behalf of its attached hosts. Follow these steps to configure the source IPv6 addresses for the MLD messages sent by the MLD snooping proxy on behalf of its attached hosts in a VLAN: To do...
  • Page 324: Configuring Mld Report Suppression

    Configuring MLD Report Suppression When a Layer 2 device receives an MLD report from an IPv6 multicast group member, the Layer 2 device forwards the message to the Layer 3 device directly connected with it. Thus, when multiple members belonging to an IPv6 multicast group exist on the Layer 2 device, the Layer 3 device directly connected with it will receive duplicate MLD reports from these members.
  • Page 325: Configuring Ipv6 Multicast Group Replacement

    When the number of IPv6 multicast groups that can be joined on a port reaches the configured maximum, the system deletes all the forwarding entries pertaining to that port from the MLD snooping forwarding table, and the hosts on this port need to join IPv6 multicast groups again. If you have configured static or simulated joining on a port, however, when the number of IPv6 multicast groups on the port exceeds the configured threshold, the system deletes all the forwarding entries pertaining to that port from the MLD snooping forwarding table and applies the...
  • Page 326: Configuring 802.1P Precedence For Mld Messages

    To do..., use the command..., remarks: Enable IPv6 multicast group replacement: mld-snooping overflow-replace [ vlan vlan-list ] (Required; disabled by default). Be sure to configure the maximum number of IPv6 multicast groups allowed on a port (refer to Configuring Maximum Multicast Groups that Can Be Joined on a Port) before enabling IPv6 multicast group replacement.
  • Page 327: Mld Snooping Configuration Examples

    To do..., use the command..., remarks: Clear the statistics information of all kinds of MLD messages learned by MLD snooping: reset mld-snooping statistics (Available in user view). The reset mld-snooping group command works only on an MLD snooping-enabled VLAN. The reset mld-snooping group command cannot clear the MLD snooping multicast group information for static joining.
  • Page 328 Enable IPv6 forwarding and configure an IPv6 address and prefix length for each interface as per Figure 3-4. The detailed configuration steps are omitted. Configure Router A # Enable IPv6 multicast routing, enable IPv6 PIM-DM on each interface, and enable MLDv1 on Ethernet 1/0/1.
  • Page 329: Static Port Configuration Example

    Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. Eth1/0/1 (D) ( 00:01:30 ) IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Attribute:...
  • Page 330 If no static router port is configured, when the path of Switch A—Switch B—Switch C gets blocked, at least one MLD query-response cycle must be completed before the IPv6 multicast data can flow to the receivers along the new path of Switch A—Switch C, namely IPv6 multicast delivery will be interrupted during this process.
  • Page 331 # Enable MLD snooping globally. <SwitchA> system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/3 to this VLAN, and enable MLD snooping in the VLAN. [SwitchA] vlan 100 [SwitchA-vlan100] port ethernet 1/0/1 to ethernet 1/0/3 [SwitchA-vlan100] mld-snooping enable [SwitchA-vlan100] quit # Configure Ethernet 1/0/3 to be a static router port.
  • Page 332 Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 2 port. Eth1/0/1 (D) ( 00:01:30 ) Eth1/0/3...
  • Page 333: Mld Snooping Querier Configuration Example

    As shown above, Ethernet 1/0/3 and Ethernet 1/0/5 on Switch C have become static member ports for IPv6 multicast group FF1E::101. MLD Snooping Querier Configuration Example Network requirements As shown in Figure 3-6, in a Layer-2-only network environment, two multicast sources Source 1 and Source 2 send IPv6 multicast data to multicast groups FF1E::101 and FF1E::102 respectively, Host A and Host C are receivers of multicast group FF1E::101, while Host B and Host D are receivers of multicast group FF1E::102.
  • Page 334: Mld Snooping Proxying Configuration Example

    [SwitchA-vlan100] mld-snooping querier [SwitchA-vlan100] quit Configure Switch B # Enable IPv6 forwarding and enable MLD snooping globally. <SwitchB> system-view [SwitchB] ipv6 [SwitchB] mld-snooping [SwitchB-mld-snooping] quit # Create VLAN 100, add Ethernet 1/0/1 through Ethernet 1/0/4 into VLAN 100. [SwitchB] vlan 100 [SwitchB-vlan100] port ethernet 1/0/1 to ethernet 1/0/4 # Enable the MLD snooping feature and the function of dropping unknown IPv6 multicast data packets in VLAN 100.
  • Page 335 Figure 3-7 Network diagram for MLD snooping proxying configuration (Source, Router A as MLD querier, Switch A as proxy and querier, receivers Host A and Host B, and Host C, connected through Eth1/0/1 to Eth1/0/4; interface addresses 2001::1/64, 1::2/64 and 1::1/64). Configuration procedure: Configure IPv6 addresses for interfaces. Configure an IP address and prefix length for each interface as per Figure 3-7.
  • Page 336 After the configuration is completed, Host A and Host B send MLD join messages addressed to group FF1E::101. When receiving the messages, Switch A sends a join message for the group out port Ethernet 1/0/1 (a router port) to Router A. Use the display mld-snooping group command and the display mld group command to display information about MLD snooping multicast groups and MLD multicast groups.
  • Page 337: Troubleshooting Mld Snooping

    Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):100. Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Router port(s):total 1 port. Eth1/0/1 (D) ( 00:01:23 ) IP group(s):the following ip group(s) match to one mac group. IP group address:FF1E::101 (::, FF1E::101): Host port(s):total 1 port.
  • Page 338: Ipv6 Multicast Vlan Configuration

    IPv6 Multicast VLAN Configuration Only the S3100-EI series support IPv6 Multicast VLAN Configuration. When configuring IPv6 multicast VLAN, go to these sections for information you are interested in: Introduction to IPv6 Multicast VLAN IPv6 Multicast VLAN Configuration Task List Configuring IPv6 Multicast VLAN Displaying and Maintaining IPv6 Multicast VLAN IPv6 Multicast VLAN Configuration Examples Introduction to IPv6 Multicast VLAN...
  • Page 339: Ipv6 Multicast Vlan Configuration Task List

    As shown in Figure 4-2, Host A, Host B and Host C are in three different user VLANs. All the user ports are hybrid ports. On Switch A, configure VLAN 10 as an IPv6 multicast VLAN, assign all the user ports to this IPv6 multicast VLAN, and enable MLD Snooping in the IPv6 multicast VLAN and all the user VLANs.
  • Page 340: Configuring Ipv6 Multicast Vlan

    Configuring IPv6 Multicast VLAN When configuring port-based IPv6 multicast VLAN, you need to configure the attributes of each user port and then assign the ports to the IPv6 multicast VLAN. A user port can be configured as a multicast VLAN port only if it is of the Ethernet interface type. Configuration Prerequisites Before configuring port-based IPv6 multicast VLAN, complete the following tasks: Create VLANs as required...
  • Page 341: Configuring Ipv6 Multicast Vlan Ports

    Configuring IPv6 Multicast VLAN Ports In this approach, you need to configure a VLAN as an IPv6 multicast VLAN and then assign user ports to this IPv6 multicast VLAN by either adding the user ports in the IPv6 multicast VLAN or specifying the IPv6 multicast VLAN on the user ports.
  • Page 342: Ipv6 Multicast Vlan Configuration Examples

    IPv6 Multicast VLAN Configuration Examples Network requirements As shown in Figure 4-3, Router A connects to an IPv6 multicast source (Source) through Ethernet 1/0/1, and to Switch A through Ethernet 1/0/2. MLDv1 is required on Router A. MLDv1 Snooping is required on Switch A. Router A acts as the MLD querier.
  • Page 343 [RouterA-Ethernet1/0/1] ipv6 pim dm [RouterA-Ethernet1/0/1] quit [RouterA] interface ethernet 1/0/2 [RouterA-Ethernet1/0/2] ipv6 pim dm [RouterA-Ethernet1/0/2] mld enable Configure Switch A # Enable MLD Snooping globally. <SwitchA> system-view [SwitchA] mld-snooping [SwitchA-mld-snooping] quit # Create VLAN 10, assign Ethernet 1/0/1 to VLAN 10, and enable MLD Snooping in this VLAN. [SwitchA] vlan 10 [SwitchA-vlan10] port ethernet 1/0/1 [SwitchA-vlan10] mld-snooping enable...
  • Page 344 # View the MLD Snooping multicast group information on Switch A. [SwitchA] display mld-snooping group Total 1 IP Group(s). Total 1 IP Source(s). Total 1 MAC Group(s). Port flags: D-Dynamic port, S-Static port, C-Copy port Subvlan flags: R-Real VLAN, C-Copy VLAN Vlan(id):10.
  • Page 345: Multicast User Control Policy Configuration

    Multicast User Control Policy Configuration Only the S3100-EI series support multicast user control policy configuration. IPv4 Multicast User Control Policy Configuration Configuring IPv4 Multicast User Control Policy Multicast user control policies are configured on access switches to allow only authorized users to receive requested multicast traffic flows.
  • Page 346: Ipv4 Multicast User Control Policy Configuration Example

    To do...: Configure the mode to apply a QoS profile as user-based
    Use the command...: undo qos-profile port-based
    Remarks: If the 802.1x authentication mode is MAC address-based, the mode to apply a QoS profile must be configured as user-based. If the 802.1x authentication mode is port-based, the mode to apply a QoS profile must be...
  • Page 347
    Figure 5-1 Network diagram for IPv4 multicast user control policy configuration (Source 1, Switch A, Switch B, RADIUS server, Host A, Host B, and the interfaces and IP addresses of each)
    Configuration procedures
    Configure IP addresses for interfaces
    Configure an IP address and subnet mask for each interface as per Figure...
  • Page 348
    [SwitchB] igmp-snooping enable
    # Create VLAN 103, assign Ethernet 1/0/1 through Ethernet 1/0/3 to this VLAN, and enable IGMP snooping in this VLAN.
    [SwitchB] vlan 103
    [SwitchB-vlan103] port ethernet 1/0/1 to ethernet 1/0/3
    [SwitchB-vlan103] igmp-snooping enable
    [SwitchB-vlan103] quit
    # Create a QoS profile profile1 to allow users to join or leave only one multicast group, 224.1.1.1.
    [SwitchB] acl number 2001
    [SwitchB-acl-basic-2001] rule permit source 224.1.1.1 0
    [SwitchB-acl-basic-2001] quit...
  • Page 349: Ipv6 Multicast Group Filter Configuration

    # Display information about IGMP snooping multicast groups in VLAN 103 on Switch B.
    [SwitchB] display igmp-snooping group vlan 103 verbose
    Total 1 IP Group(s).
    Total 1 IP Source(s).
    Total 1 MAC Group(s).
    Port flags: D-Dynamic port, S-Static port, C-Copy port
    Subvlan flags: R-Real VLAN, C-Copy VLAN
    Vlan(id):103.
  • Page 350 is then processed as per the rule), the rule order is important in determining which match criteria will apply. Two rule orders are available for IPv6 ACLs:
    config: ACL rules are sorted in ascending order of rule ID. That is, a rule with a smaller ID number has a higher priority.
    auto: ACL rules are sorted in depth-first order.
  • Page 351: Ipv6 Acl Configuration

    A bigger step means more numbering flexibility. This is helpful when the config rule order is adopted, with which ACL rules are sorted in ascending order of rule ID. If no ID is specified for a rule when the rule is created, the system automatically assigns it the smallest multiple of the step that is bigger than the current biggest rule ID, starting with 0.
  • Page 352 You can only modify the existing rules of an ACL that uses the rule order of config. When modifying a rule of such an ACL, you may choose to change just some of the settings, in which case the other settings remain the same. You cannot create a rule with, or modify a rule to have, the same permit/deny statement as an existing rule in the ACL.
  • Page 353
    To do…: Set the rule numbering step
    Use the command…: step step-value
    Remarks: Optional. 5 by default.
    To do…: Configure a description for the advanced IPv6 ACL
    Use the command…: description text
    Remarks: Optional. By default, an advanced IPv6 ACL has no ACL description.
    To do…: Configure a rule description
    Use the command…: rule rule-id comment text
    Remarks: Optional. By default, an IPv6 ACL rule has no rule description.
  • Page 354: Ipv6 Multicast Group Filter Configuration

    The source IPv6 ACL and the destination IPv6 ACL must be of the same type. The destination ACL does not take the name of the source IPv6 ACL.
    Displaying and Maintaining IPv6 ACLs
    To do…: Display information about one or all IPv6 ACLs
    Use the command…: display acl ipv6 { acl6-number | all | name...
    Remarks: Available in any view
  • Page 355: Ipv6 Multicast User Control Policy Configuration

    To do...: Configure an IPv6 multicast group filter
    Use the command...: mld-snooping group-policy acl6-number [ vlan vlan-list ]
    Remarks: Required. By default, no IPv6 group filter is configured on an interface, that is, hosts on the interface can join any valid multicast group.
  • Page 356: Ipv6 Multicast User Control Policy Configuration Example

    For details about the qos-profile, qos-profile port-based and undo qos-profile port-based commands, refer to QoS-QoS Profile Operation. An IPv6 multicast user control policy functions only if 802.1x is configured, that is, 802.1x must be enabled on the port to which the QoS profile is applied. For details about 802.1x, refer to 802.1x-System Guard Operation.
  • Page 357
    # Create VLAN 101 through VLAN 104 and assign Ethernet 1/0/1 through Ethernet 1/0/3 to the four VLANs respectively.
    <SwitchA> system-view
    [SwitchA] vlan 101
    [SwitchA-vlan101] port ethernet 1/0/1
    [SwitchA-vlan101] quit
    [SwitchA] vlan 102
    [SwitchA-vlan102] port ethernet 1/0/2
    [SwitchA-vlan102] quit
    [SwitchA] vlan 103
    [SwitchA-vlan103] port ethernet 1/0/3
    [SwitchA-vlan103] quit
    # Enable IPv6 multicast routing.
  • Page 358
    [SwitchB-radius-scheme1] primary accounting 2::1
    [SwitchB-radius-scheme1] key accounting 321123
    [SwitchB-radius-scheme1] user-name-format without-domain
    [SwitchB-radius-scheme1] quit
    # Create an ISP domain domain1; reference scheme1 for the authentication and accounting of LAN users; specify domain1 as the default ISP domain.
    [SwitchB] domain domain1
    [SwitchB-isp-domain1] authentication lan-access radius-scheme scheme1
    [SwitchB-isp-domain1] accounting lan-access radius-scheme scheme1
    [SwitchB-isp-domain1] quit
    [SwitchB] domain default enable domain1...
  • Page 359
    MAC group address:3333-0000-0101
    Host port(s):total 1 port.
    Eth1/0/3
    As shown above, Ethernet 1/0/3 on Switch B has joined FF1E::101 but not FF1E::102.
  • Page 360: Common Multicast Configuration

    Common Multicast Configuration
    Table 6-1 Common multicast configuration tasks
    Configuration task: Configuring Suppression on the Multicast Source Port; Remarks: Optional
    Configuration task: Configuring a Multicast MAC Address Entry; Remarks: Optional
    Configuration task: Configuring Dropping Unknown Multicast Packets; Remarks: Optional
    Configuring Suppression on the Multicast Source Port
    Only the S3100-EI series support multicast source port suppression.
  • Page 361: Configuring A Multicast Mac Address Entry

    Configuring multicast source port suppression in Ethernet port view
    Table 6-3 Configure multicast source port suppression in Ethernet port view
    Operation: Enter system view; Command: system-view; Remarks: —
    Operation: Enter Ethernet port view; Command: interface interface-type interface-number; Remarks: —
    Operation: Configure multicast source port suppression; Command: multicast-source-deny; Remarks: Optional. Multicast source port suppression...
  • Page 362: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 363
    Table 6-7 Display common multicast configuration
    Operation: Display the statistics information about multicast source port suppression; Command: display multicast-source-deny [ interface interface-type [ interface-number ] ]; Remarks: These commands can be executed in any view.
    Operation: Display the created multicast MAC...; Command: display mac-address multicast [ static...
  • Page 364
    The Mechanism of an 802.1x Authentication System 1-2
    Encapsulation of EAPoL Messages 1-3
    802.1x Authentication Procedure 1-5
    Timers Used in 802.1x 1-8
    802.1x Implementation on an S3100 Series Switch 1-9
    Introduction to 802.1x Configuration 1-13
    Basic 802.1x Configuration 1-14
    Configuration Prerequisites 1-14
    Configuring Basic 802.1x Functions 1-14...
  • Page 365
    4 System-Guard Configuration (For S3100-EI) 4-1
    System-Guard Overview 4-1
    Configuring the System-Guard Feature 4-1
    Configuring the System-Guard Feature 4-1
    Displaying and Maintaining System-Guard 4-2
    5 System-Guard Configuration (For S3100-SI) 5-1
    System-Guard Overview 5-1
    System-Guard Configuration 5-1
    Enabling the System-Guard function 5-1
    Configuring System-Guard-Related Parameters 5-1
    Enabling System-Guard on Ports 5-2
    Displaying and Maintaining the System-Guard Function 5-2...
  • Page 366: Introduction To 802.1X

    The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as an H3C series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
  • Page 367: The Mechanism Of An 802.1X Authentication System

    By default, a controlled port is a unidirectional port.
    The way a port is controlled
    A port of an H3C series switch can be controlled in the following two ways.
    Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
  • Page 368: Encapsulation Of Eapol Messages

    Figure 1-2 The mechanism of an 802.1x authentication system EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets. EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS (EAPoR) packets or be terminated at system PAEs.
  • Page 369 The Packet body field differs with the Type field. Note that EAPoL-Start, EAPoL-Logoff, and EAPoL-Key packets are only transmitted between the supplicant system and the authenticator system. EAP-packets are encapsulated by the RADIUS protocol to allow them to successfully reach the authentication servers. Network management-related information (such as alarming information) is encapsulated in EAPoL-Encapsulated-ASF-Alert packets, which are terminated by authenticator systems.
  • Page 370: 802.1X Authentication Procedure

    Figure 1-7 The format of a Message-Authenticator field
    802.1x Authentication Procedure
    An H3C S3100 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
    EAP relay mode
    This mode is defined in 802.1x. In this mode, EAP-packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server.
  • Page 371
    Figure 1-8 802.1x authentication procedure (in EAP relay mode), between the Supplicant System (EAPOL), the Authenticator System, and the RADIUS server (EAPOR):
    Supplicant System -> Authenticator System: EAPOL-Start
    Authenticator System -> Supplicant System: EAP-Request / Identity
    Supplicant System -> Authenticator System: EAP-Response / Identity
    Authenticator System -> RADIUS server: RADIUS Access-Request (EAP-Response / Identity)
    RADIUS server -> Authenticator System: RADIUS Access-Challenge (EAP-Request / MD5 challenge)
    Authenticator System -> Supplicant System: EAP-Request / MD5 challenge
    Supplicant System -> Authenticator System: EAP-Response / MD5 challenge
    Authenticator System -> RADIUS server: RADIUS Access-Request (EAP-Response / MD5 challenge)
    RADIUS server -> Authenticator System: RADIUS Access-Accept...
  • Page 372 The RADIUS server compares the received encrypted password (contained in a RADIUS access-request packet) with the locally-encrypted password. If the two match, it then sends feedback (through a RADIUS access-accept packet and an EAP-success packet) to the switch to indicate that the supplicant system is authenticated.
  • Page 373: Timers Used In 802.1X

    Figure 1-9 802.1x authentication procedure (in EAP terminating mode), between the Supplicant system PAE (EAPOL), the Authenticator system PAE, and the RADIUS server (RADIUS):
    EAPOL-Start
    EAP-Request/Identity
    EAP-Response/Identity
    EAP-Request/MD5 Challenge
    EAP-Response/MD5 Challenge
    RADIUS Access-Request (CHAP-Response/MD5 Challenge)
    RADIUS Access-Accept (CHAP-Success)
    EAP-Success
    Port authorized
    Handshake timer: Handshake request [EAP-Request/Identity], Handshake response [EAP-Response/Identity] ..
  • Page 374: 802.1X Implementation On An S3100 Series Switch

    802.1x Implementation on an S3100 Series Switch In addition to the earlier mentioned 802.1x features, an S3100 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
  • Page 375 This function makes the switch send version-requesting packets again if the 802.1x client fails to send a version-reply packet to the switch before the version-checking timer times out. The 802.1x client version-checking function needs the support of H3C's 802.1x client program.
    The Guest VLAN function
    The Guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
  • Page 376 VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN. At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the MAC VLAN function. Thus, the S3100-EI series supports both PGV and MGV, while the S3100-SI series supports only PGV.
  • Page 377 VLAN or return the user to the initial VLAN of the port, depending on whether the authentication server assigns a VLAN. At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the Auth-Fail VLAN function.
  • Page 378: Introduction To 802.1X Configuration

    Figure 1-10 802.1x re-authentication Internet Switch RADIUS Server 802.1x re-authentication can be enabled in one of the following two ways: The RADIUS server triggers the switch to perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates users periodically.
  • Page 379: Basic 802.1X Configuration

    802.1x users use domain names to associate with the ISP domains configured on switches.
    Configure the AAA scheme (a local authentication scheme or a RADIUS scheme) to be adopted in the ISP domain. If you specify to use a local authentication scheme, you need to configure the user names and passwords manually on the switch.
  • Page 380
    Operation: quit
    Operation: Set port access method (in system view); Command: dot1x port-method { macbased | portbased } [ interface interface-list ]; Remarks: Optional. The default port access method is MAC-address-based (that is, the macbased keyword is used by default).
    Operation: Set port access method (in port view); Command: interface interface-type interface-number, then dot1x port-method { macbased |...
  • Page 381: Timer And Maximum User Number Configuration

    Handshaking packets need the support of the H3C-proprietary client. They are used to test whether or not a user is online. As non-H3C clients do not support the online user handshaking function, switches cannot receive handshaking acknowledgement packets from them in handshaking periods. To prevent such users from being falsely considered offline, you need to disable the online user handshaking function in this case.
  • Page 382: Advanced 802.1X Configuration

    Operation: Set 802.1x timers
    Command: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value |...
    Remarks: Optional. The settings of 802.1x timers are as follows. handshake-period-value: 15 seconds; quiet-period-value: 60 seconds; server-timeout-value: 100 seconds; supp-timeout-value: 30 seconds; tx-period-value: 30 seconds
  • Page 383 authentication domains for different ports even if the user certificates are from the same certificate authority (that is, the user domain names are the same). This allows you to deploy 802.1X access policies flexibly. Table 1-3 shows the relations of the 802.1X username entered for authentication, mandatory authentication domain configured for the port connecting users, authentication domain for users, and username suffix on the RADIUS server.
  • Page 384: Configuring Proxy Checking

    { logoff | trap } quit The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program. The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
  • Page 385: Enabling Dhcp-Triggered Authentication

    Operation: Set the client version checking period timer; Command: dot1x timer ver-period ver-period-value; Remarks: Optional. By default, the timer is set to 30 seconds.
    As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports.
  • Page 386: Configuring Guest Vlan

    Configuring Guest VLAN
    Table 1-8 Configure a guest VLAN
    Operation: Enter system view; Command: system-view; Remarks: —
    Operation: Enable the Guest VLAN (in system view); Command: dot1x guest-vlan vlan-id [ interface interface-list ]; Remarks: Required. By default, the guest VLAN function is disabled.
    Operation: Enable the Guest VLAN (in port view); Command: interface interface-type interface-number...
  • Page 387: Configuring 802.1X Re-Authentication

    At present, only the S3100-EI series supports the Auth-Fail VLAN function. Different ports can be configured with different Auth-Fail VLANs, but a port can be configured with only one Auth-Fail VLAN. If you configure both 802.1X authentication and MAC authentication on a port and specify an MAFV for 802.1X authentication and an MGV for MAC authentication, the assignment of the MAFV entry for a user will overwrite the MGV entry for the user, while the assignment of the MGV entry for a user will not overwrite the MAFV entry for the user.
  • Page 388: Displaying And Debugging 802.1X

    The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users. Note the following: During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 389 The switch is connected to a server group consisting of two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with an IP address of 10.11.1.1 operates as the primary authentication server and the secondary accounting server. The other operates as the secondary authentication server and primary accounting server.
  • Page 390
    # Create a RADIUS scheme named "radius1" and enter RADIUS scheme view.
    [Sysname] radius scheme radius1
    # Assign IP addresses to the primary authentication and accounting RADIUS servers.
    [Sysname-radius-radius1] primary authentication 10.11.1.1
    [Sysname-radius-radius1] primary accounting 10.11.1.2
    # Assign IP addresses to the secondary authentication and accounting RADIUS servers.
    [Sysname-radius-radius1] secondary authentication 10.11.1.2
    [Sysname-radius-radius1] secondary accounting 10.11.1.1
    # Set the password for the switch and the authentication RADIUS servers to exchange messages.
  • Page 391: 802.1X Mandatory Authentication Domain Configuration Example

    802.1X Mandatory Authentication Domain Configuration Example Network Requirements As shown in Figure 1-13, Host A (an 802.1X user) and Host B (a telnet user) are connected to the Internet through Ethernet 1/0/1 and Ethernet 1/0/2 on Switch, respectively. It is required to implement RADIUS authentication and local authentication for Host A and Host B (that do not support usernames with suffixes) by performing the following configurations on Switch: Host A belongs to domain aabbcc and Host B belongs to domain test;...
  • Page 392
    [Switch-isp-aabbcc] scheme radius-scheme radius1
    [Switch-isp-aabbcc] quit
    # Configure RADIUS scheme radius1.
    [Switch] radius scheme radius1
    [Switch-radius-radius1] primary authentication 10.110.91.164 1812
    [Switch-radius-radius1] primary accounting 10.110.91.164 1813
    [Switch-radius-radius1] key authentication aabbcc
    [Switch-radius-radius1] key accounting aabbcc
    [Switch-radius-radius1] server-type extended
    [Switch-radius-radius1] user-name-format with-domain
    [Switch-radius-radius1] quit
    # Specify aabbcc as the mandatory authentication domain for Ethernet 1/0/1.
  • Page 393: Quick Ead Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S3100 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
  • Page 394: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment
    Configuration Prerequisites
    Enable 802.1x on the switch. Set the access mode to auto for 802.1x-enabled ports.
    Configuration Procedure
    Configuring a free IP range
    A free IP range is an IP range that users can access before passing 802.1x authentication.
    Table 2-1 Configure a free IP range
    To do...
  • Page 395: Displaying And Maintaining Quick Ead Deployment

    You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL resources are released for other users to use. When a tremendous number of access requests are present, you can decrease the timeout period of the ACL timer appropriately for higher utilization of ACL resources.
  • Page 396 Network diagram Figure 2-1 Network diagram for quick EAD deployment Configuration procedure Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch.
  • Page 397: Troubleshooting

    Troubleshooting Symptom: A user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar. Solution: If a user enters an IP address in a format other than the dotted decimal notation, the user may not be redirected.
  • Page 398: Habp Configuration

    HABP Configuration
    Introduction to HABP
    With 802.1x enabled, a switch authenticates and then authorizes 802.1x-enabled ports. Packets can be forwarded only by authorized ports. Packets received on ports that have switches attached but are not authenticated and authorized by 802.1x are filtered. This means that you cannot manage the attached switches.
  • Page 399: Habp Client Configuration

    HABP Client Configuration HABP clients reside on switches attached to HABP servers. After you enable HABP for a switch, the switch operates as an HABP client by default. So you only need to enable HABP on a switch to make it an HABP client.
  • Page 400: System-Guard Configuration (For S3100

    System-Guard Configuration (For S3100-EI)
    The configuration introduced in this chapter is only supported by the S3100-EI series switches.
    System-Guard Overview
    At first, you must determine whether the CPU is under attack to implement system guard for the CPU. You should not determine whether the CPU is under attack just according to whether congestion occurs in a queue.
  • Page 401: Displaying And Maintaining System-Guard

    Operation: Set the length of the isolation after an attack is detected; Command: system-guard timer-interval isolate-timer; Description: Optional. By default, the length of the isolation after an attack is detected is 10 minutes.
    Displaying and Maintaining System-Guard
    After the above configuration, execute the display command in any view to display the running status of the system-guard feature, and to verify the configuration.
  • Page 402: System-Guard Configuration (For S3100

    System-Guard Configuration (For S3100-SI)
    The configuration introduced in this chapter is only supported by the S3100-SI series switches.
    System-Guard Overview
    The system-guard function checks system-guard-enabled ports regularly to determine if the ports are under attack. With this function enabled, if the number of the packets received by a system-guard-enabled port exceeds the set threshold, the port is regarded to be under attack.
  • Page 403: Enabling System-Guard On Ports

    Table 5-2 Configure system-guard related parameters
    Operation: Enter system view; Command: system-view; Description: —
    Operation: Configure system-guard-related parameters; Command: system-guard mode rate-limit interval-time threshold timeout; Description: Required. The default system-guard-related parameters are as follows. interval-time: 5 seconds; threshold: 64; timeout: 60 seconds
    Enabling System-Guard on Ports
    Table 5-3 lists the operations to enable system-guard on ports.
  • Page 404
    Table of Contents
    1 AAA Overview 1-1
    Introduction to AAA 1-1
    Authentication 1-1
    Authorization 1-1
    Accounting 1-2
    Introduction to ISP Domain 1-2
    Introduction to AAA Services 1-3
    Introduction to RADIUS 1-3
    Introduction to HWTACACS 1-7
    2 AAA Configuration 2-1
    AAA Configuration Task List 2-1
    Configuration introduction 2-1
    Creating an ISP Domain and Configuring Its Attributes 2-2
    Configuring an AAA Scheme for an ISP Domain 2-3...
  • Page 405
    Per User Type AAA Configuration Example 2-31
    Remote RADIUS Authentication of Telnet/SSH Users 2-32
    Local Authentication of FTP/Telnet Users 2-33
    HWTACACS Authentication and Authorization of Telnet Users 2-35
    Troubleshooting AAA 2-36
    Troubleshooting RADIUS Configuration 2-36
    Troubleshooting HWTACACS Configuration 2-36
    3 EAD Configuration 3-1
    Introduction to EAD 3-1
    Typical Network Application of EAD 3-1
    EAD Configuration 3-2
    EAD Configuration Example 3-3...
  • Page 406: Aaa Overview

    Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, an H3C series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
  • Page 407: Accounting

    Accounting
    AAA supports the following accounting methods:
    None accounting: No accounting is performed for users.
    Local accounting: It is not used for charging purposes, but for collecting statistics and limiting the number of local user connections.
    Remote accounting: User accounting is performed on a remote RADIUS or TACACS server.
    Introduction to ISP Domain
    An Internet service provider (ISP) domain is a group of users who belong to the same ISP.
  • Page 408: Introduction To Aaa Services

    Introduction to AAA Services
    Introduction to RADIUS
    AAA is a management framework. It can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS.
    What is RADIUS
    RADIUS (remote authentication dial-in user service) is a distributed service based on a client/server structure.
  • Page 409 the authentication response message. Figure 1-3 depicts the message exchange procedure between user, switch and RADIUS server.
    Figure 1-3 Basic message exchange procedure of RADIUS (Host, RADIUS Client, RADIUS Server): (1) The user inputs the user name and password; (2) Access-Request; (3)...
  • Page 410
    Figure 1-4 RADIUS message format
    The Code field (one byte) decides the type of RADIUS message, as shown in Table 1-1.
    Table 1-1 Description on the major values of the Code field
    Code; Message type; Message description: Direction: client->server. The client transmits this message to the server to determine if the user can access the network.
  • Page 411 The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server and is also used in the password hiding algorithm. There are two kinds of authenticators: Request Authenticator and Response Authenticator. The Attributes field contains specific authentication/authorization/accounting information to provide the configuration details of a request or response message.
  • Page 412: Introduction To HWTACACS

    Figure 1-5 depicts the format of attribute 26. The Vendor-ID field used to identify a vendor occupies four bytes, where the first byte is 0, and the other three bytes are defined in RFC 1700. Here, the vendor can encapsulate multiple customized sub-attributes (containing vendor-specific Type, Length and Value) to implement a RADIUS extension.
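The RADIUS message layout, the Authenticator check and the attribute 26 layout described on the preceding pages, worked through in Python as an added example (not code from the H3C manual): the identifier, Request Authenticator and vendor ID are constructed values, and the shared key is the one used in the manual's own configuration example.

```python
import hashlib
import hmac
import struct

# Added example, not H3C code. RADIUS header: Code (1 byte), Identifier (1 byte),
# Length (2 bytes), Authenticator (16 bytes); then Attributes as Type/Length/Value.
HEADER = struct.Struct("!BBH16s")
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # Code values from RFC 2865
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attributes(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(data: bytes):
    """Walk Type/Length/Value triples; reject lengths that overrun the buffer."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def encode_vsa(vendor_id: int, sub_attrs) -> bytes:
    """Attribute 26 value: 4-byte Vendor-ID (first byte 0) plus vendor sub-attributes."""
    return struct.pack("!I", vendor_id) + encode_attributes(sub_attrs)


def parse_vsa(value: bytes):
    if len(value) < 4 or value[0] != 0:
        raise ValueError("Vendor-ID must be four bytes with the first byte zero")
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])


def build_request(ident: int, request_auth: bytes, attrs) -> bytes:
    body = encode_attributes(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), request_auth) + body


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def verify_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    """The check a RADIUS client must pass before honouring an Access-Accept."""
    if len(packet) < HEADER.size:
        return False
    _code, pkt_ident, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet) or pkt_ident != ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER.size:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo():
    """Constructed exchange: the switch sends an Access-Request, the server answers with a VSA."""
    secret = b"aabbcc"                      # shared key used in the manual's examples
    request_auth = bytes(range(16))         # constructed; a real client uses random bytes
    vendor_id = 999999                      # constructed placeholder, not a real enterprise number
    ident = 7
    req = build_request(ident, request_auth, [
        (USER_NAME, b"user@test"),
        (USER_PASSWORD, hide_password(b"s3cret!", secret, request_auth)),
    ])
    recovered = unhide_password(dict(parse_attributes(req[HEADER.size:]))[USER_PASSWORD], secret, request_auth)
    resp = build_response(ACCESS_ACCEPT, ident, request_auth,
                          [(VENDOR_SPECIFIC, encode_vsa(vendor_id, [(1, b"vlan-guest")]))], secret)
    vendor, subs = parse_vsa(dict(parse_attributes(resp[HEADER.size:]))[VENDOR_SPECIFIC])
    tampered = resp[:-1] + bytes([resp[-1] ^ 1])                 # one attribute byte flipped
    wrong_key = build_response(ACCESS_ACCEPT, ident, request_auth, [], b"other-key")
    return {"recovered": recovered, "vendor": vendor, "subs": subs,
            "genuine_ok": verify_response(resp, ident, request_auth, secret),
            "tampered_ok": verify_response(tampered, ident, request_auth, secret),
            "wrong_key_ok": verify_response(wrong_key, ident, request_auth, secret)}
```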
  • Page 413 [Figure 1-6 Network diagram for a typical HWTACACS application: HWTACACS servers, HWTACACS client, Host]
    Basic message exchange procedure in HWTACACS
    The following text takes a telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user. Figure 1-7 illustrates the basic message exchange procedure:...
  • Page 414 A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username. Upon receiving the response, the TACACS client requests the user for the username. After receiving the username from the user, the TACACS client sends an authentication continuance message carrying the username.
  • Page 415: AAA Configuration

    AAA Configuration
    AAA Configuration Task List
    Configuration introduction
    You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior.
    Table 2-1 AAA configuration tasks (configuring a combined AAA scheme for an ISP domain)
    Task: Creating an ISP Domain and Configuring...
  • Page 416: Creating An ISP Domain And Configuring Its Attributes

    Note that: On an S3100 series switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch. When a user logs in, if no ISP domain name is carried in the user...
  • Page 417: Configuring An AAA Scheme For An ISP Domain

    A server installed with self-service software is called a self-service server. H3C's CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and right management.
  • Page 418
    Operation: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
      Command: domain isp-name
      Remarks: Required
    Operation: Configure an AAA scheme for the ISP domain
      Command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme...
      Remarks: Required. By default, an ISP...
  • Page 419 You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions. If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented. If you execute the scheme radius-scheme radius-scheme-name local command, the local scheme is used as the secondary scheme in case no RADIUS server is available.
  • Page 420 Local authentication (local): Authentication is performed by the NAS, which is configured with the user information, including the usernames, passwords, and attributes. Local authentication features high speed and low cost, but the amount of information that can be stored is limited by the hardware.
  • Page 421
    Operation: Specify the default authorization method for all types of users
      Command: authorization { local | none | hwtacacs-scheme hwtacacs-scheme-name [ local ] }
      Remarks: Optional. By default, no separate authorization scheme is configured.
    Operation: Specify the authorization method for login users
      Command: authorization login { hwtacacs-scheme...
      Remarks: Optional. The default authorization...
  • Page 422: Configuring Dynamic VLAN Assignment

    Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access. Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
  • Page 423: Configuring The Attributes Of A Local User

    In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
  • Page 424: Cutting Down User Connections Forcibly

    Operation: Configure the authorization VLAN for the local user
      Command: authorization vlan string
      Remarks: Required. By default, no authorization VLAN is configured for the local user.
    Operation: Set the attributes of the...
      Command: attribute { ip ip-address | mac mac-address | idle-cut second...
      Remarks: Optional. When binding the user to a remote port, you must use nas-ip ip-address...
  • Page 425: RADIUS Configuration Task List

    RADIUS Configuration Task List H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Table 2-9 RADIUS configuration tasks (the switch functions as a RADIUS client)
  • Page 426: Creating A RADIUS Scheme

    Task: Configuring the Type of RADIUS Servers to be Supported (Optional)
    Task: Configuring the Status of RADIUS Servers (Optional)
    Task: Configuring the Attributes of Data to be Sent to RADIUS Servers (Optional)
    Task: Configuring the Local RADIUS Authentication Server Function (Required)
    Task: Configuring Timers for RADIUS Servers (Optional)
    Task: Enabling Sending Trap Message when a RADIUS Server (Optional)...
  • Page 427: Configuring RADIUS Authentication/Authorization Servers

    Operation: Enable RADIUS authentication port
      Command: radius client enable
      Remarks: Optional. By default, RADIUS authentication port is enabled.
    Operation: Create a RADIUS scheme and enter its view
      Command: radius scheme radius-scheme-name
      Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
  • Page 428: Configuring Ignorance Of Assigned RADIUS Authorization Attributes

    The authentication response sent from the RADIUS server to the RADIUS client carries authorization information. Therefore, you need not (and cannot) specify a separate RADIUS authorization server. In an actual network environment, you can specify one server as both the primary and secondary authentication/authorization servers, as well as specifying two RADIUS servers as the primary and secondary authentication/authorization servers respectively.
  • Page 429: Configuring The Sending Mode Of Accounting Start Requests

    Follow these steps to configure the RADIUS authorization attribute ignoring function:
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Create a RADIUS scheme and enter its view
      Use the command: radius scheme radius-scheme-name
      Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
  • Page 430: Configuring RADIUS Accounting Servers

    Configuring RADIUS Accounting Servers
    Table 2-14 Configure RADIUS accounting servers
    Operation: Enter system view
      Command: system-view
      Remarks: —
    Operation: Create a RADIUS scheme and enter its view
      Command: radius scheme radius-scheme-name
      Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
  • Page 431: Configuring Shared Keys For RADIUS Messages

    In an actual network environment, you can specify one server as both the primary and secondary accounting servers, as well as specifying two RADIUS servers as the primary and secondary accounting servers respectively. In addition, because RADIUS adopts different UDP ports to exchange authentication/authorization messages and accounting messages, you must set a port number for accounting different from that set for authentication/authorization.
  • Page 432: Configuring The Maximum Number Of RADIUS Request Transmission Attempts

    The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
    Configuring the Maximum Number of RADIUS Request Transmission Attempts
    The communication in RADIUS is unreliable because this protocol uses UDP packets to carry its data.
  • Page 433: Configuring The Status Of RADIUS Servers

    If you change the type of RADIUS server, the data stream destined to the original RADIUS server will be restored to the default unit. When the third party RADIUS server is used, you can select standard or extended as the server-type in a RADIUS scheme;...
  • Page 434: Configuring The Attributes Of Data To Be Sent To RADIUS Servers

    Configuring the Attributes of Data to be Sent to RADIUS Servers
    Table 2-19 Configure the attributes of data to be sent to RADIUS servers
    Operation: Enter system view
      Command: system-view
      Remarks: —
    Operation: Create a RADIUS scheme and enter its view
      Command: radius scheme radius-scheme-name
      Remarks: Required. By default, a RADIUS scheme named "system"...
  • Page 435: Configuring The Local RADIUS Authentication Server Function

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the user names that carry ISP domain names.
  • Page 436: Configuring Timers For RADIUS Servers

    If you adopt the local RADIUS authentication server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified...
  • Page 437: Enabling Sending Trap Message When A RADIUS Server Goes Down

    Operation: Create a RADIUS scheme and enter its view
      Command: radius scheme radius-scheme-name
      Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.
    Operation: Set the response timeout time of RADIUS servers
      Command: timer response-timeout seconds
      Remarks: Optional. By default, the response timeout time of RADIUS servers is three...
  • Page 438 In an environment where a CAMS server is used to implement AAA functions, if the switch reboots after an exclusive user (a user whose concurrent online number is set to 1 on the CAMS) gets authenticated and authorized and begins being charged, the switch will prompt that the user is already online when the user logs into the network again before the CAMS performs online user detection, and the user cannot get authenticated.
  • Page 439: HWTACACS Configuration Task List

    HWTACACS Configuration Task List
    Table 2-24 HWTACACS configuration tasks
    Task: Creating an HWTACACS Scheme (Required)
    Configuring the TACACS client:
      Task: Configuring TACACS Authentication Servers (Required)
      Task: Configuring TACACS Authorization Servers (Required)
      Task: Configuring TACACS Accounting Servers (Optional)
      Task: Configuring Shared Keys for RADIUS Messages (Optional)
      Task: Configuring the Attributes of Data to be Sent to TACACS (Optional)...
  • Page 440: Configuring TACACS Authorization Servers

    Operation: Set the IP address and port number of the primary authentication server
      Command: primary authentication ip-address [ port ]
      Remarks: Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is...
    Operation: Set the IP address and port number of the...
      Remarks: Optional. By default, the IP address of the...
  • Page 441: Configuring TACACS Accounting Servers

    Configuring TACACS Accounting Servers
    Table 2-28 Configure TACACS accounting servers
    Operation: Enter system view
      Command: system-view
      Remarks: —
    Operation: Create an HWTACACS scheme and enter its view
      Command: hwtacacs scheme hwtacacs-scheme-name
      Remarks: Required. By default, no HWTACACS scheme exists.
    Operation: Set the IP address and port number of the primary...
      Command: primary accounting...
      Remarks: Required. By default, the IP address of...
  • Page 442: Configuring The Attributes Of Data To Be Sent To TACACS Servers

    Operation: Create an HWTACACS scheme and enter its view
      Command: hwtacacs scheme hwtacacs-scheme-name
      Remarks: Required. By default, no HWTACACS scheme exists.
    Operation: Set a shared key for HWTACACS authentication, authorization or accounting messages
      Command: key { accounting | authorization | authentication } string
      Remarks: Required. By default, no such key is set.
    Configuring the Attributes of Data to be Sent to TACACS Servers...
  • Page 443: Configuring The Timers Regarding TACACS Servers

    Configuring the Timers Regarding TACACS Servers
    Table 2-31 Configure the timers regarding TACACS servers
    Operation: Enter system view
      Command: system-view
      Remarks: —
    Operation: Create an HWTACACS scheme and enter its view
      Command: hwtacacs scheme hwtacacs-scheme-name
      Remarks: Required. By default, no HWTACACS scheme exists.
    Operation: Set the response timeout time
      Command: timer response-timeout...
      Remarks: Optional
  • Page 444
    Operation: Display information about user connections
      Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | ipv6 ipv6-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name ]
      Remarks: ...command in any view.
    Operation: ...
      Command: display local-user [ domain isp-name | idle-cut...
  • Page 445: AAA Configuration Examples

    Operation: Delete buffered non-response stop-accounting requests
      Command: reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name
    AAA Configuration Examples
    Per User Type AAA Configuration Example
    Network Requirements
    As shown in Figure 2-2, Host A, serving as an 802.1X user, accesses the network through Ethernet 1/0/1 of Switch, and Host B, serving as a telnet user, accesses the network through Ethernet 1/0/2 of Switch.
  • Page 446: Remote RADIUS Authentication Of Telnet/SSH Users

    # Configure RADIUS scheme radius1.
    [Switch] radius scheme radius1
    [Switch-radius-radius1] primary authentication 10.110.91.164 1812
    [Switch-radius-radius1] primary accounting 10.110.91.164 1813
    [Switch-radius-radius1] key authentication aabbcc
    [Switch-radius-radius1] server-type extended
    [Switch-radius-radius1] user-name-format with-domain
    [Switch-radius-radius1] quit
    # In the test domain, specify the authentication method for 802.1X users as radius1, and that for telnet users as local.
  • Page 447: Local Authentication Of FTP/Telnet Users

    The Telnet user names added to the RADIUS server must be in the format of userid@isp-name if you have configured the switch to include domain names in the user names to be sent to the RADIUS server in the RADIUS scheme.
    Network diagram
    [Figure 2-3 Remote RADIUS authentication of Telnet users]
    Configuration procedure...
  • Page 448 The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 2-4, you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally.
  • Page 449: HWTACACS Authentication And Authorization Of Telnet Users

    Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in section Remote RADIUS Authentication of Telnet/SSH Users. Enable the local RADIUS server function, set the IP address and shared key for the network access server to 127.0.0.1 and aabbcc, respectively.
  • Page 450: Troubleshooting Aaa

    Troubleshooting AAA
    Troubleshooting RADIUS Configuration
    The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other.
    Symptom 1: User authentication/authorization always fails.
    Possible reasons and solutions:
    The user name is not in the userid@isp-name or userid.isp-name format, or the default ISP domain is not correctly specified on the switch —...
  • Page 451: EAD Configuration

    EAD Configuration
    Only the S3100-EI series switches support the EAD configuration.
    Introduction to EAD
    Endpoint admission defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints.
  • Page 452: EAD Configuration

    [Figure 3-1 Typical network application of EAD: virus patch server, authentication server, supplicant, security policy server]
    After a client passes the authentication, the security client (software installed on the client PC) interacts with the security policy server to check the security status of the client. If the client is not compliant with the security standard, the security policy server issues an ACL to the switch, which then inhibits the client from accessing any part of the network except for the virus/patch server.
  • Page 453: EAD Configuration Example

    EAD Configuration Example
    Network requirements
    Figure 3-2: A user is connected to Ethernet 1/0/1 on the switch. The user runs an 802.1x client that supports the EAD extended function. You are required to configure the switch to use the RADIUS server for remote user authentication and the security policy server for EAD control on users.
  • Page 454
    [Sysname-radius-cams] key authentication expert
    [Sysname-radius-cams] server-type extended
    # Configure the IP address of the security policy server.
    [Sysname-radius-cams] security-policy-server 10.110.91.166
    # Associate the domain with the RADIUS scheme.
    [Sysname-radius-cams] quit
    [Sysname] domain system
    [Sysname-isp-system] radius-scheme cams...
  • Page 455 Table of Contents
    1 MAC Authentication Configuration 1-1
    MAC Authentication Overview 1-1
    Performing MAC Authentication on a RADIUS Server 1-1
    Performing MAC Authentication Locally 1-1
    Related Concepts 1-2
    MAC Authentication Timers 1-2
    Quiet MAC Address 1-2
    Configuring Basic MAC Authentication Functions 1-2
    MAC Address Authentication Enhanced Function Configuration 1-4
    MAC Address Authentication Enhanced Function Configuration Tasks 1-4
    Configuring a Guest VLAN or Auth-Fail VLAN 1-4
    Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port...
  • Page 456: MAC Authentication Configuration

    During authentication, the user does not need to enter username or password manually. For S3100 Series Ethernet switches, MAC authentication can be implemented locally or on a RADIUS server. After determining the authentication method, users can select one of the following types of user name...
  • Page 457: Related Concepts

    If the quiet MAC is the same as a configured static MAC or an authentication-passed MAC, the quiet function is not effective. The S3100 series Ethernet switches support the quiet MAC function on ports.
    Configuring Basic MAC Authentication Functions
    Table 1-1 Configure basic MAC authentication functions...
  • Page 458
    Operation: Set the user name in fixed mode for MAC authentication
      Command: mac-authentication authmode usernamefixed
      Remarks: Optional
    Operation: Configure the user name in fixed mode for MAC authentication
      Command: mac-authentication authusername username
      Remarks: By default, the user name is "mac" and no password is configured.
  • Page 459: MAC Address Authentication Enhanced Function Configuration

    The guest VLAN and Auth-Fail VLAN for MAC authentication are VLANs for users failing MAC authentication to access for certain resources. At present, among the S3100 series Ethernet switches, only the S3100-EI series supports the Auth-Fail VLAN function for MAC authentication.
  • Page 460 In PGV or PAFV mode, when a user fails MAC authentication on a port, the device adds the port to the guest VLAN or Auth-Fail VLAN. Therefore, the guest VLAN can separate unauthenticated users on an access port. When it comes to a trunk port or a hybrid port, if a packet itself carries a VLAN tag and the VLAN is allowed on the port, the port will forward the packet according to the VLAN tag, regardless of the guest VLAN or Auth-Fail VLAN.
  • Page 461: Configuring The Maximum Number Of MAC Address Authentication Users Allowed To Access A Port

    The Auth-Fail VLAN for MAC authentication takes precedence over the guest VLAN for MAC authentication. When both of them are configured on a user access port and they are different VLANs, a user failing MAC authentication on the port will be added to the Auth-Fail VLAN, that is, the user is authorized to access resources in the Auth-Fail VLAN.
  • Page 462: Configuring The Quiet MAC Function On A Port

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 463: MAC Authentication Configuration Example

    MAC Authentication Configuration Example
    Network requirements
    As illustrated in Figure 1-1, a supplicant is connected to the switch through port Ethernet 1/0/2. MAC authentication is required on port Ethernet 1/0/2 to control user access to the Internet. All users belong to domain aabbcc.net. Authentication is performed locally, and the MAC address of the PC (00-0d-88-f6-44-c1) is used as both the user name and password.
  • Page 464 After doing so, your MAC authentication configuration will take effect immediately. Only users with the MAC address of 00-0d-88-f6-44-c1 are allowed to access the Internet through port Ethernet 1/0/2.
  • Page 465 Table of Contents
    1 Web Authentication Configuration 1-1
    Introduction to Web Authentication 1-1
    Web Authentication Configuration 1-1
    Configuration Prerequisites 1-1
    Configuring Web Authentication 1-2
    Configuring an Auth-Fail VLAN for Web Authentication 1-3
    Configuration Prerequisites 1-3
    Configuration Procedure 1-4
    Configuring a Web Authentication-Free User 1-4
    Configuring HTTPS Access for Web Authentication 1-4
    Configuration Prerequisites 1-5
    Configuration Procedure 1-5...
  • Page 466: Web Authentication Configuration

    Web Authentication Configuration
    When configuring Web authentication, go to these sections for information you are interested in:
    Introduction to Web Authentication
    Web Authentication Configuration
    Configuring an Auth-Fail VLAN for Web Authentication
    Configuring a Web Authentication-Free User
    Configuring HTTPS Access for Web Authentication
    Customizing Web Authentication Pages
    Configuring Web Authentication Transition
    Configuring a Proxy Server Port for Web Authentication...
  • Page 467: Configuring Web Authentication

    Web authentication can use only a RADIUS authentication scheme; it does not support local authentication. The user number limit configured under an AAA scheme does not take effect for Web authentication. Web authentication does not support accounting. Configure accounting for the AAA scheme as optional.
  • Page 468: Configuring An Auth-Fail VLAN For Web Authentication

    Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Do not add a Web authentication enabled port to a port aggregation group and do not enable Web authentication on a port that is in a port aggregation group. You can make Web authentication settings on individual ports before Web authentication is enabled globally, but they will not take effect.
  • Page 469: Configuration Procedure

    Configuration Procedure
    Follow these steps to configure an Auth-Fail VLAN for Web authentication:
    To do: Enter system view
      Use the command: system-view
      Remarks: —
    To do: Enter port view
      Use the command: interface interface-type interface-number
      Remarks: —
    To do: Configure an Auth-Fail VLAN for Web authentication
      Use the command: web-authentication auth-fail vlan authfail-vlan-id
      Remarks: Required. Not configured by default.
  • Page 470: Configuration Prerequisites

    After you configure HTTPS access for Web authentication on the switch, the switch will allow clients to use HTTPS to open the authentication pages for secure transmission of authentication information. Configuration Prerequisites To configure the access protocol as HTTPS, be sure to configure the PKI domain and SSL server policy, and request a certificate for the PKI domain at first.
  • Page 471: Customizing Authentication Pages

    The web-authentication customize command is used to customize part of the information provided on the default authentication page. You cannot change the overall style of the authentication page. This is applicable to simple authentication pages. Customizing Authentication Pages The device also supports Web authentication pages totally developed by third parties as long as the authentication pages comply with rules of customizing the authentication page file.
  • Page 472 Table 1-1 Main authentication page file names
    Login page: login.htm
    Login success page: loginSuccess.htm
    Login failure page: loginFail.htm
    Online page: online.htm (pushed for online state notification)
    System busy page: busy.htm (pushed when the system is busy or the user is in the login process)
    Authentication-free page: freeUser.htm...
  • Page 473: Configuring Web Authentication Transition

    <p><input type=SUBMIT value="Login" name = "WaButton" style="width:60px;">
    </form>
    Authentication pages loginSuccess.htm and online.htm must contain the logout Post request. The following example shows part of the script in page online.htm.
    <form action=login.cgi method = post >
    <p><input type=SUBMIT value="Logout" name="WaButton" style="width:60px;">
    </form>...
  • Page 474: Configuring A Proxy Server Port For Web Authentication

    The auto mode allows a user to move between ports in the same VLAN rather than different VLANs. If a user moves between VLANs, the access is denied but the previous port is still open for this user. Configuring a Proxy Server Port for Web Authentication When a proxy server is used for web authentication, its port must be specified.
  • Page 475: Web Authentication Configuration Example

    Web Authentication Configuration Example Network requirements As shown in Figure 1-1, a user connects to the Ethernet switch through port Ethernet 1/0/1. Configure the DHCP server so that users can obtain IP addresses from it. Configure Web authentication on Ethernet 1/0/1 to control the access of the user to the Internet. Configure a free IP address range, which can be accessed by the user before it passes the Web authentication.
  • Page 476
    [Sysname-radius-radius1] key authentication expert
    # Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server.
    [Sysname-radius-radius1] user-name-format without-domain
    [Sysname-radius-radius1] quit
    # Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
    [Sysname] domain aabbcc.net
    # Configure domain aabbcc.net as the default user domain.
  • Page 477 Table of Contents
    1 Triple Authentication Configuration 1-1
    Triple Authentication Overview 1-1
    Background 1-1
    Triple Authentication Mechanism 1-1
    Extended Functions 1-2
    Triple Authentication Configuration 1-3
    Triple Authentication Configuration Example 1-3
    Network Requirement 1-3
    Network Diagram 1-3
    Configuration Procedure 1-4...
  • Page 478: Triple Authentication Configuration

    Triple Authentication Configuration
    Triple Authentication Overview
    Currently, among S3100 series Ethernet switches, only the S3100-EI series supports triple authentication.
    Background
    The terminals in a LAN may support different authentication methods. As shown in Figure 1-1, a printer supports only MAC authentication, a PC with the 802.1X client installed supports 802.1X authentication, and the other PC, without the 802.1X client installed, carries out Web authentication.
  • Page 479: Extended Functions

    Upon startup, a terminal first triggers MAC authentication on the access device. If it passes MAC authentication, no other type of authentication is performed. If it fails, 802.1X or Web authentication can be triggered. If a terminal sends an EAP packet using the 802.1X client or a third-party client, only 802.1X authentication is triggered for that terminal on the access device.
  • Page 480: Triple Authentication Configuration

    Triple Authentication Configuration
    Complete the following tasks to configure triple authentication:
      Configure 802.1X authentication (required): refer to 802.1X and System-guard Operation.
      Configure MAC authentication (required): refer to MAC Address Authentication Operation.
      Configure Web authentication (required): refer to Web Authentication Operation.
    Triple Authentication Configuration Example
    Network Requirement
    As shown in...
  • Page 481: Configuration Procedure

    Configuration Procedure
    Make sure that the terminals, the servers, and the switch can reach one another. If an external DHCP server is used, ensure that the terminals can obtain IP addresses from it both before and after authentication. Complete the configuration on the RADIUS server and make sure that authentication, authorization, and accounting work normally.
  • Page 482
    Configure IP address pool 3, including the address range, lease, and gateway address. A short lease is recommended to shorten the time terminals need to re-acquire IP addresses after failing authentication or being logged off.
    [Switch] dhcp server ip-pool 3
    [Switch-dhcp-pool-3] network 3.3.3.0 mask 255.255.255.0
    [Switch-dhcp-pool-3] expired day 0 hour 0 minute 0 second 30
    [Switch-dhcp-pool-3] gateway-list 3.3.3.1...
  • Page 483
    # Set the MAC authentication timers.
    [Switch] mac-authentication timer offline-detect 180
    [Switch] mac-authentication timer quiet 180
    # Specify the MAC authentication username format as MAC address, that is, use the MAC address (with hyphens) of a user as both the username and the password for MAC authentication of that user.
    [Switch] mac-authentication user-name-format mac-address with-hyphen
    # Enable MAC authentication on Ethernet 1/0/1, and specify VLAN 2 as the Auth-Fail VLAN.
    [Switch-Ethernet1/0/1] mac-authentication...
  • Page 484 Table of Contents
    1 ARP Configuration (1-1)
      Introduction to ARP (1-1)
        ARP Function (1-1)
        ARP Message Format (1-1)
        ARP Table (1-2)
        ARP Process (1-3)
        Introduction to ARP Attack Detection (1-4)
        Introduction to ARP Packet Rate Limit (1-5)
        Introduction to Gratuitous ARP (1-5)
      ARP Configuration (1-5)
        Configuring ARP Basic Functions (1-5)
        Configuring ARP Attack Detection (1-6)...
  • Page 485: Arp Configuration

    ARP Configuration Introduction to ARP ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data link layer address (MAC address, for example) of the destination host or the next hop.
  • Page 486: Arp Table

    S3100 series Ethernet switches provide the display arp command to display the information about ARP mapping entries. ARP entries in an S3100 series Ethernet switch can either be static entries or dynamic entries, as described in Table 1-3.
  • Page 487: Arp Process

    Table 1-3 ARP entries
      Static ARP entry: manually configured; maintained manually.
      Dynamic ARP entry: dynamically generated; entries of this type age with time, and the aging period is set by the ARP aging timer.
    ARP Process
    Figure 1-2 ARP process
    Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B.
  • Page 488: Introduction To Arp Attack Detection

    Introduction to ARP Attack Detection Man-in-the-middle attack According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.
  • Page 489: Introduction To Arp Packet Rate Limit

    packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.
    Introduction to ARP Packet Rate Limit
    To prevent man-in-the-middle attacks, a switch with ARP attack detection enabled delivers ARP packets to the CPU to check their validity. This creates a new exposure: if an attacker sends a large number of ARP packets to a port of the switch, the CPU becomes overloaded, other functions fail, and the whole device may crash.
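    The two mechanisms described on these pages, ARP attack detection against IP-to-MAC bindings and a per-port ARP packet rate limit, as an added Python model. This is example code written for this page, not H3C's implementation: the binding table, the port names, the 20 pps limit, and the decision to drop excess packets (rather than shut the port down) are assumptions, and the frames are constructed sample input.

```python
"""ARP attack detection plus per-port ARP rate limiting (example model for this page)."""
import struct
from collections import defaultdict, deque

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
# ARP body: htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP (28 bytes)
_ARP = struct.Struct("!HHBBH6s4s6s4s")


def mac_to_str(raw):
    """6 raw bytes -> H3C-style MAC string, e.g. 000f-e201-0000."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def mac_to_bytes(s):
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst="ffff-ffff-ffff"):
    """Constructed Ethernet II + ARP frame, used below as sample input."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    return eth + _ARP.pack(1, 0x0800, 6, 4, oper, mac_to_bytes(sha), ip_to_bytes(spa),
                           mac_to_bytes(tha), ip_to_bytes(tpa))


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP-over-IPv4 frame, or None if it is not one."""
    if len(frame) < 14 + _ARP.size or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = _ARP.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_to_str(frame[6:12]), "oper": oper,
            "sha": mac_to_str(sha), "spa": ".".join(map(str, spa)),
            "tha": mac_to_str(tha), "tpa": ".".join(map(str, tpa))}


class ArpGuard:
    """bindings: {(vlan, port): {(ip, mac), ...}}, the entries a switch learns from DHCP
    snooping or static configuration. trusted_ports bypass the check (like `arp detection
    trust`); rate_pps is the per-port limit (like `arp rate-limit`)."""

    def __init__(self, bindings, trusted_ports, rate_pps):
        self.bindings = bindings
        self.trusted = set(trusted_ports)
        self.rate_pps = rate_pps
        self._window = defaultdict(deque)                    # port -> arrival times in the last second
        self.stats = defaultdict(lambda: defaultdict(int))  # port -> {"forward": n, "drop": n}

    def _over_rate(self, port, now):
        q = self._window[port]
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.rate_pps:
            return True
        q.append(now)
        return False

    def check(self, port, vlan, frame, now=0.0):
        """Verdict for one frame received on (port, vlan) at time `now` (seconds)."""
        arp = parse_arp(frame)
        if arp is None:
            return ("forward", "not ARP, not delivered to the CPU")
        if self._over_rate(port, now):
            # Assumption: excess ARP packets are dropped; the page does not say what the switch does.
            verdict = ("drop", "ARP rate limit exceeded")
        elif port in self.trusted:
            verdict = ("forward", "trusted port")
        elif (arp["spa"], arp["sha"]) not in self.bindings.get((vlan, port), set()):
            verdict = ("drop", "no IP/MAC binding for this VLAN/port")
        else:
            verdict = ("forward", "valid")
        self.stats[port][verdict[0]] += 1
        return verdict


def demo():
    """Constructed scenario: hosts on Ethernet1/0/2 and 1/0/3, gateway behind trusted Ethernet1/0/1."""
    bindings = {(1, "Ethernet1/0/2"): {("192.168.1.10", "000f-e201-0001")},
                (1, "Ethernet1/0/3"): {("192.168.1.11", "000f-e201-0002")}}
    guard = ArpGuard(bindings, trusted_ports={"Ethernet1/0/1"}, rate_pps=20)
    legit = build_arp("000f-e201-0001", ARP_REPLY, "000f-e201-0001", "192.168.1.10",
                      "000f-e201-0002", "192.168.1.11")
    # The host on 1/0/2 claims the gateway's IP 192.168.1.1: the man-in-the-middle case.
    spoof = build_arp("000f-e201-0001", ARP_REPLY, "000f-e201-0001", "192.168.1.1",
                      "000f-e201-0002", "192.168.1.11")
    results = {"legit": guard.check("Ethernet1/0/2", 1, legit, now=0.0),
               "spoof": guard.check("Ethernet1/0/2", 1, spoof, now=0.1),
               "spoof_on_trusted": guard.check("Ethernet1/0/1", 1, spoof, now=0.2)}
    # 25 valid requests within one second on 1/0/3 against a 20 pps limit.
    flood = [guard.check("Ethernet1/0/3", 1,
                         build_arp("000f-e201-0002", ARP_REQUEST, "000f-e201-0002",
                                   "192.168.1.11", "0000-0000-0000", "192.168.1.1"),
                         now=1.0 + i * 0.01) for i in range(25)]
    results["flood_forwarded"] = sum(1 for v, _ in flood if v == "forward")
    results["flood_dropped"] = sum(1 for v, _ in flood if v == "drop")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

    The rate limiter runs before the binding check because its job is to protect the CPU that performs that check; the per-port counters in `stats` are the kind of figures `display arp detection statistics` would show.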
  • Page 490: Configuring Arp Attack Detection

    Currently, static ARP entries cannot be configured on the ports of an aggregation group. Configuring ARP Attack Detection Among the S3100 series Ethernet switches, only the S3100-EI series support ARP attack detection function. Table 1-5 Configure the ARP attack detection function...
  • Page 491: Configuring The Arp Packet Rate Limit Function

    VLAN mapping, refer to VLAN-VPN Operation in this manual. You are advised not to configure ARP attack detection on the ports of an aggregation group.
    Configuring the ARP Packet Rate Limit Function
    Among the S3100 series Ethernet switches, only the S3100-EI series support the ARP packet rate limit function.
  • Page 492: Gratuitous Arp Packet Configuration

    Table 1-6 Configure the ARP packet rate limit function
      Enter system view: system-view
      Enter Ethernet port view: interface interface-type interface-number
      Enable the ARP packet rate limit function: arp rate-limit enable (required; by default, the ARP packet rate limit function is disabled on a port).
  • Page 493: Displaying And Debugging Arp

    Clear specific ARP entries: [ dynamic | static | interface interface-type interface-number ] (available in user view).
    Among the S3100 series Ethernet switches, only the S3100-EI series support the display arp detection statistics interface interface-type interface-number command.
    ARP Configuration Example
    ARP Basic Configuration Example
    Network requirement
    Disable ARP entry check on the switch.
  • Page 494: Arp Attack Detection And Packet Rate Limit Configuration Example

    Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being Ethernet1/0/10 of VLAN 1.
    Configuration procedure
    <Sysname> system-view
    [Sysname] undo arp check enable
    [Sysname] arp timer aging 10
    [Sysname] arp static 192.168.1.1 000f-e201-0000 1 Ethernet1/0/10
    ARP Attack Detection and Packet Rate Limit Configuration Example
    Network requirements
    As shown in...
  • Page 495
    [SwitchA-Ethernet1/0/1] arp detection trust
    [SwitchA-Ethernet1/0/1] quit
    # Enable ARP attack detection on all ports in VLAN 1.
    [SwitchA] vlan 1
    [SwitchA-vlan1] arp detection enable
    [SwitchA-vlan1] quit
    # Enable the ARP packet rate limit function on Ethernet1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.
  • Page 496 Table of Contents
    1 DHCP Overview (1-1)
      Introduction to DHCP (1-1)
      DHCP IP Address Assignment (1-1)
        IP Address Assignment Policy (1-1)
        Obtaining IP Addresses Dynamically (1-2)
        Updating IP Address Lease (1-2)
      DHCP Packet Format (1-3)
      Protocol Specification (1-4)
    2 DHCP Server Configuration (2-1)
      Introduction to DHCP Server (2-1)
        Usage of DHCP Server (2-1)
        DHCP Address Pool (2-1)
        DHCP IP Address Preferences (2-3)...
  • Page 497
      Introduction to DHCP Accounting (2-23)
        DHCP Accounting Fundamentals (2-23)
        DHCP Accounting Configuration (2-24)
      Enabling the DHCP Server to Process Option 82 (2-24)
      Displaying and Maintaining the DHCP Server (2-25)
      DHCP Server Configuration Examples (2-26)
        DHCP Server Configuration Example (2-26)
        DHCP Server with Option 184 Support Configuration Example (2-28)
        DHCP Accounting Configuration Example (2-29)
      Troubleshooting a DHCP Server (2-31)
    3 DHCP Snooping Configuration (3-1)...
  • Page 498: Introduction To Dhcp

    DHCP Overview
    Introduction to DHCP
    As networks grow larger and more complex, a shortage of available IP addresses becomes the common situation that network administrators face, and network configuration becomes a demanding task. With the emergence of wireless networks and the use of laptops, hosts change location and IP addresses frequently, which also calls for new technology.
  • Page 499: Obtaining Ip Addresses Dynamically

    Obtaining IP Addresses Dynamically A DHCP client undergoes the following four phases to dynamically obtain an IP address from a DHCP server: Discover: In this phase, the DHCP client tries to find a DHCP server by broadcasting a DHCP-DISCOVER packet. Offer: In this phase, the DHCP server offers an IP address.
  • Page 500: Dhcp Packet Format

    If the DHCP client fails to renew its IP address lease when half of the lease time has elapsed (the T1 timer in RFC 2131), it tries again by broadcasting a DHCP-REQUEST packet to the DHCP servers when seven-eighths of the lease time has elapsed (T2). The DHCP server then performs the same operations as described above.
  • Page 501: Protocol Specification

    Protocol Specification Protocol specifications related to DHCP include: RFC2131: Dynamic Host Configuration Protocol RFC2132: DHCP Options and BOOTP Vendor Extensions RFC1542: Clarifications and Extensions for the Bootstrap Protocol RFC3046: DHCP Relay Agent Information option...
  • Page 502: Dhcp Server Configuration

    Displaying and Maintaining the DHCP Server DHCP Server Configuration Examples Troubleshooting a DHCP Server The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. Currently, the interface-related DHCP server configurations can only be made on VLAN interfaces.
  • Page 503 picks an IP address from the pool and sends the IP address and other related parameters (such as the IP address of the DNS server, and the lease time of the IP address) to the DHCP client. Types of address pool The address pools of a DHCP server fall into two types: global address pool and interface address pool.
  • Page 504: Dhcp Ip Address Preferences

    The DHCP server assigns an IP address to the client in the following order from an interface address pool or a global address pool: If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client.
  • Page 505: Configuring The Global Address Pool Based Dhcp Server

    Enter system view: system-view
    Enable DHCP: dhcp enable (optional; DHCP is enabled by default).
    To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following behaviour: UDP port 67 and UDP port 68, which are used by DHCP, are opened only when DHCP is enabled, and are closed when DHCP is disabled.
  • Page 506: Enabling The Global Address Pool Mode On Interface

    Enabling the Global Address Pool Mode on Interface(s) You can configure the global address pool mode on the specified or all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses in the global address pool to the DHCP clients.
  • Page 507 address, the DHCP server searches for the IP address corresponding to the MAC address of the DHCP client and assigns the IP address to the DHCP client. When some DHCP clients send DHCP-DISCOVER packets to the DHCP server to apply for IP addresses, they construct client IDs and add them in the DHCP-DISCOVER packets.
  • Page 508 To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following behaviour: UDP ports 67 and 68, which are used by DHCP, are opened only when DHCP is enabled and are closed when DHCP is disabled. The corresponding implementation is as follows: after a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 used by DHCP are opened.
  • Page 509: Configuring A Domain Name Suffix For The Dhcp Client

    In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
  • Page 510: Configuring Wins Servers For The Dhcp Client

    Configuring WINS Servers for the DHCP Client
    For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers, so WINS-related configuration is needed for most Windows-based hosts. To provide host name-to-IP address translation for DHCP clients, enable the DHCP server to hand out WINS server addresses when it assigns IP addresses to DHCP clients.
  • Page 511: Configuring Gateways For The Dhcp Client

    Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
  • Page 512
    Sub-option 4: Fail-over call routing.
    Meanings of the sub-options for Option 184
    Figure 2-1 Meanings of the sub-options for Option 184 (columns: Sub-option, Feature, Function, Note)
    Sub-option 1 (the NCP-IP sub-option): the IP address of the NCP server carried by sub-option 1 of Option 184 is intended for... When used in Option 184, this sub-option...
  • Page 513 For the configurations specifying to add sub-option 2, sub-option 3, and sub-option 4 in the response packets to take effect, you need to configure the DHCP server to add sub-option 1. Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients.
  • Page 514: Configuring A Self-Defined Dhcp Option

    Specify an IP address for the network calling processor before performing other configuration. Configuring a Self-Defined DHCP Option By configuring self-defined DHCP options, you can: Define new DHCP options. New configuration options will come out with DHCP development. To support new options, you can add them into the attribute list of the DHCP server. Extend existing DHCP options.
  • Page 515: Configuring The Interface Address Pool Based Dhcp Server

    Configuring the Interface Address Pool Based DHCP Server
    In the interface address pool mode, once the addresses in the interface address pool have been assigned, the DHCP server picks IP addresses from the global address pool that contains the network segment of the interface address pool and assigns them to DHCP clients. If the IP addresses obtained from the global address pool and those obtained from the interface address pool are not on the same network segment, the clients cannot communicate with each other.
  • Page 516: Enabling The Interface Address Pool Mode On Interface

    Task list:
      Enabling the Interface Address Pool Mode on Interface(s): required.
      Configuring an Address Allocation Mode for an Interface Address Pool: configuring the static IP address allocation mode, or configuring the dynamic IP address allocation mode. One of the two is required, and both can be configured at the same time.
  • Page 517: Configuring An Address Allocation Mode For An Interface Address Pool

    To improve security and avoid malicious attacks on unused sockets, S3100 Ethernet switches provide the following behaviour: UDP port 67 and UDP port 68, which are used by DHCP, are opened only when DHCP is enabled, and are closed when DHCP is disabled. The corresponding implementation is as follows: after a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 used by DHCP are opened.
  • Page 518 There is no limit on the number of IP addresses statically bound in an interface address pool, but the statically bound IP addresses and the interface IP address must be in the same network segment.
  • Page 519: Configuring A Domain Name Suffix For The Dhcp Client

    Specify the IP addresses that are not dynamically assigned: dhcp server forbidden-ip low-ip-address [ high-ip-address ] (optional; by default, all IP addresses in a DHCP address pool are available for dynamic assignment).
    The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients.
  • Page 520: Configuring Wins Servers For The Dhcp Client

    Enter system view: system-view
    Configure DNS server addresses for DHCP clients (required; by default, no DNS server address is configured):
      For the current interface: interface interface-type interface-number, then dhcp server dns-list ip-address&<1-8>, then quit.
      For multiple interfaces: dhcp server dns-list ip-address&<1-8>
  • Page 521: Configuring Bims Server Information For The Dhcp Client

    Configure WINS server addresses for multiple interfaces in system view: dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all }
    Configure the NetBIOS node type for the current interface: interface interface-type interface-number, then dhcp server netbios-type { b-node | h-node | m-node | p-node } (required)...
  • Page 522: Configuring A Self-Defined Dhcp Option

    Follow these steps to configure Option 184 parameters for the client with voice service:
      Enter system view: system-view
      Enter interface view: interface interface-type interface-number
      Specify the primary network calling processor: dhcp server voice-config ncp-ip ip-address (required; not specified by...
  • Page 523: Configuring Dhcp Server Security Functions

    Define new DHCP options. New configuration options appear as DHCP develops. To support new options, you can add them to the attribute list of the DHCP server. Extend existing DHCP options. When the current DHCP options cannot meet your requirements (for example, you cannot use the dns-list command to configure more than eight DNS server addresses), you can configure a self-defined option as an extension.
  • Page 524: Configuring Ip Address Detecting

    Enable the unauthorized DHCP server detection function: dhcp server detect (required; disabled by default).
    With unauthorized DHCP server detection enabled, the relay agent logs all DHCP servers, including authorized ones, and each server is recorded only once. The administrator needs to identify the unauthorized DHCP servers from the system log information.
  • Page 525: Dhcp Accounting Configuration

    After sending a DHCP-ACK packet with the IP configuration parameters to the DHCP client, the DHCP server sends an Accounting START packet to a specified RADIUS server. The RADIUS server processes the packet, makes a record, and sends a response to the DHCP server. Once releasing a lease, the DHCP server sends an Accounting STOP packet to the RADIUS server.
  • Page 526: Displaying And Maintaining The Dhcp Server

    If a DHCP server is configured to ignore Option 82, after the DHCP server receives packets containing Option 82, the DHCP server will not add Option 82 into the responses when assigning IP addresses and other configuration information to the clients. Follow these steps to configure the DHCP server to process Option 82: To do…...
  • Page 527: Dhcp Server Configuration Examples

    DHCP Server Configuration Examples
    Currently, DHCP networking can be implemented in two ways. One is to deploy the DHCP server and DHCP clients in the same network segment, so that the clients communicate with the server directly. The other is to deploy the DHCP server and DHCP clients in different network segments, in which case IP address assignment is carried out through a DHCP relay agent.
  • Page 528 If you use the inheriting relation of parent and child address pools, make sure that the number of the assigned IP addresses does not exceed the number of the IP addresses in the child address pool; otherwise extra IP addresses will be obtained from the parent address pool, and the attributes (for example, gateway) also are based on the configuration of the parent address pool.
  • Page 529: Dhcp Server With Option 184 Support Configuration Example

    A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. An H3C series switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool. The sub-options of Option 184 are as follows: NCP-IP: 3.3.3.3...
  • Page 530: Dhcp Accounting Configuration Example

    Network diagram
    Figure 2-3 Network diagram for Option 184 support configuration (DHCP server, IP 10.1.1.1/24; DHCP clients, including a 3COM VCX)
    Configuration procedure
    Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of Option 184.
  • Page 531 The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0. The DHCP server operates as a RADIUS client and uses AAA for authentication.
  • Page 532: Troubleshooting A Dhcp Server

    [Sysname] domain 123
    [Sysname-isp-123] scheme radius-scheme 123
    [Sysname-isp-123] quit
    # Create an address pool on the DHCP server.
    [Sysname] dhcp server ip-pool test
    [Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0
    # Enable DHCP accounting.
    [Sysname-dhcp-pool-test] accounting domain 123
    Troubleshooting a DHCP Server
    Symptom
    The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of another host.
  • Page 533: Dhcp Snooping Configuration

    Figure 3-1 illustrates a typical network diagram for a DHCP snooping application, where Switch A is an S3100 series Ethernet switch. Figure 3-1 Typical network diagram for DHCP snooping application. On S3100-SI series Ethernet switches, DHCP snooping listens to DHCP-REQUEST packets to record the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients.
  • Page 534: Introduction To Unauthorized Dhcp Server Detection

    Trusted: A trusted port is connected, directly or indirectly, to an authorized DHCP server. It forwards DHCP messages so that DHCP clients can obtain valid IP addresses. Untrusted: An untrusted port is one that may be connected to an unauthorized DHCP server (a user-facing port, for example). DHCP-ACK and DHCP-OFFER packets received on such a port are discarded, preventing DHCP clients from receiving invalid IP addresses.
  • Page 535 Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for S3100-EI Series Ethernet Switches (enabled with DHCP snooping) are padded as follows: sub-option 1 (circuit ID sub-option): Padded with the port index (smaller than the physical port number by 1) and VLAN ID of the port that received the client’s request.
  • Page 536 Figure 3-5 Standard format of the remote ID sub-option Mechanism of DHCP-snooping Option 82 With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client’s request containing Option 82, it will handle the packet according to the handling policy and the configured contents in sub-options.
  • Page 537: Overview Of Ip Filtering

    The circuit ID and remote ID sub-options in Option 82, which can be configured simultaneously or separately, are independent of each other in terms of configuration sequence. When the DHCP snooping device receives a DHCP response packet from the DHCP server, the DHCP snooping device will delete the Option 82 field, if contained, before forwarding the packet, or will directly forward the packet if the packet does not contain the Option 82 field.
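    The DHCP message format the chapter opens with (RFC 2131 fixed header, magic cookie, TLV options) and the Option 82 handling described on pages 535 to 537 (the snooping device inserts circuit-ID and remote-ID sub-options into client requests, applies a handling policy to requests that already carry Option 82, and strips Option 82 from server responses), as an added Python example. This is example code written for this page, not the switch's implementation: the circuit-ID byte layout, the policy names drop/keep/replace, and the MAC addresses are assumptions, and every message is constructed here as sample input.

```python
"""DHCP message build/parse with DHCP-snooping Option 82 handling (example model for this page)."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_PAD, OPT_LEASE, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 51, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
# RFC 2131 fixed header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file (236 bytes)
_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_dhcp(op, msg_type, xid, chaddr, options=(), yiaddr="0.0.0.0"):
    """Constructed DHCP message: fixed header, magic cookie, option 53, extra options, END."""
    flags = 0x8000 if op == BOOTREQUEST else 0  # client asks for a broadcast reply
    fixed = _FIXED.pack(op, 1, 6, 0, xid, 0, flags, b"\0" * 4, ip_to_bytes(yiaddr),
                        b"\0" * 4, b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(pkt):
    """Return the option field as (code, value) pairs in order; PAD is skipped, END terminates."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    i, out = 240, []
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        ln = pkt[i + 1]
        if i + 2 + ln > len(pkt):
            raise ValueError("truncated option value")
        out.append((pkt[i], pkt[i + 2:i + 2 + ln]))
        i += 2 + ln
    return out


def with_options(pkt, options):
    """Rebuild the option field of pkt from (code, value) pairs, keeping the fixed header."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return pkt[:240] + body + bytes([OPT_END])


def build_option82(port_index, vlan_id, switch_mac, circuit_id=None):
    """Option 82 value: circuit-ID sub-option 1 and remote-ID sub-option 2 (RFC 3046).
    The manual says the default circuit-ID carries the port index and VLAN ID; the 2-byte VLAN +
    2-byte port layout here is an assumed layout, not H3C's documented on-wire format. A custom
    string replaces it, like `dhcp-snooping information vlan 1 circuit-id string abcd`."""
    cid = circuit_id.encode() if circuit_id is not None else struct.pack("!HH", vlan_id, port_index)
    return (bytes([SUB_CIRCUIT_ID, len(cid)]) + cid
            + bytes([SUB_REMOTE_ID, len(switch_mac)]) + switch_mac)


def parse_option82(value):
    """Sub-option type -> value."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        t, ln = value[i], value[i + 1]
        subs[t] = value[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def snoop_client_request(pkt, port_index, vlan_id, switch_mac, policy="replace", circuit_id=None):
    """Client -> server direction on the snooping device. `policy` applies only when the client's
    request already carries Option 82 (drop / keep / replace; names assumed). Returns None for drop."""
    opts = parse_options(pkt)
    if any(c == OPT_RELAY_AGENT for c, _ in opts):
        if policy == "drop":
            return None
        if policy == "keep":
            return pkt
    opts = [(c, v) for c, v in opts if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, build_option82(port_index, vlan_id, switch_mac, circuit_id)))
    return with_options(pkt, opts)  # Option 82 last before END, as RFC 3046 requires


def snoop_server_response(pkt):
    """Server -> client direction: delete Option 82 if present, forward unchanged otherwise."""
    return with_options(pkt, [(c, v) for c, v in parse_options(pkt) if c != OPT_RELAY_AGENT])


def demo():
    """Client on Ethernet1/0/3 (port index 2) in VLAN 1 behind a snooping switch; all values constructed."""
    client_mac = bytes.fromhex("000fe2010003")
    switch_mac = bytes.fromhex("000fe2000001")
    discover = build_dhcp(BOOTREQUEST, DISCOVER, 0x3903F326, client_mac)
    to_server = snoop_client_request(discover, port_index=2, vlan_id=1, switch_mac=switch_mac)
    subs = parse_option82(dict(parse_options(to_server))[OPT_RELAY_AGENT])
    # A server that echoes Option 82 in its reply; the snooping device removes it before the client sees it.
    offer = build_dhcp(BOOTREPLY, OFFER, 0x3903F326, client_mac, yiaddr="3.3.3.10",
                       options=[(OPT_RELAY_AGENT, dict(parse_options(to_server))[OPT_RELAY_AGENT]),
                                (OPT_LEASE, struct.pack("!I", 30))])
    to_client = snoop_server_response(offer)
    # A client that forges Option 82 itself: dropped under "drop", rewritten under "replace".
    forged = build_dhcp(BOOTREQUEST, DISCOVER, 1, client_mac, options=[(OPT_RELAY_AGENT, b"\x01\x04abcd")])
    replaced = snoop_client_request(forged, 2, 1, switch_mac, policy="replace")
    return {"circuit_id": subs[SUB_CIRCUIT_ID], "remote_id": subs[SUB_REMOTE_ID],
            "offer_codes_before": [c for c, _ in parse_options(offer)],
            "offer_codes_after": [c for c, _ in parse_options(to_client)],
            "forged_dropped": snoop_client_request(forged, 2, 1, switch_mac, policy="drop") is None,
            "forged_replaced": parse_option82(dict(parse_options(replaced))[OPT_RELAY_AGENT])[SUB_CIRCUIT_ID],
            "custom_string": parse_option82(build_option82(2, 1, switch_mac, circuit_id="abcd"))[SUB_CIRCUIT_ID]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The point of the server-side strip is the one the page makes: Option 82 is meaningful only between the snooping device and the server, and a client should never see (or be able to rely on) the port and VLAN information it carries.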
  • Page 538: Dhcp Snooping Configuration

    S3100-EI switch are untrusted ports. Only the S3100-EI series among S3100 series switches support the configuration of DHCP snooping trusted ports. S3100-SI series Ethernet switches do not support the configuration of DHCP snooping trusted ports; that is, after DHCP snooping is enabled, all ports of an S3100-SI series Ethernet switch are trusted ports.
  • Page 539: Configuring Unauthorized Dhcp Server Detection

    Configuring Unauthorized DHCP Server Detection
    Only the S3100-SI series among S3100 series switches support unauthorized DHCP server detection. Follow these steps to configure unauthorized DHCP server detection:
      Enter system view: system-view
      Enter Ethernet port view: interface interface-type...
  • Page 540 Only the S3100-EI series among S3100 series switches support the DHCP-snooping Option 82 support feature. Enable DHCP snooping and specify trusted ports on the switch before configuring DHCP snooping to support Option 82. Table 3-1 DHCP-snooping Option 82 support configuration task list...
  • Page 541 If a handling policy is configured on a port, it overrides the globally configured handling policy for requests received on that port; the global handling policy applies on ports where no port-specific handling policy is configured. Configure the storage format of Option 82: S3100-EI Series Ethernet Switches support the HEX or ASCII format for the Option 82 field.
  • Page 542 If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet port view, the former circuit ID applies to the DHCP messages from the specified VLAN; while the latter one applies to DHCP messages from other VLANs. In a port aggregation group, you can use this command to configure the primary and member ports respectively.
  • Page 543: Configuring Ip Filtering

    { extended | standard } (by default, the padding format is the extended format).
    Configuring IP Filtering
    Only the S3100-EI series among S3100 series switches support IP filtering. Follow these steps to configure IP filtering:
      Enter system view: system-view...
  • Page 544: Displaying Dhcp Snooping Configuration

    [ vlan vlan-id | interface interface-type interface-number ] (display the DHCP snooping table)
    Remove DHCP snooping entries: reset dhcp-snooping [ ip-address ] (available in user view).
    Among S3100 series Ethernet switches, only S3100-EI series switches support the display dhcp-snooping trust and display ip source static binding commands.
  • Page 545: Dhcp Snooping Configuration Example

    DHCP Snooping Configuration Example DHCP-Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 3-8, Ethernet1/0/5 of the switch (S3100-EI) is connected to the DHCP server, and Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3 are respectively connected to Client A, Client B, and Client C.
  • Page 546: Unauthorized DHCP Server Detection Configuration Example

    # Set the circuit ID sub-option in DHCP packets from VLAN 1 to “abcd” on Ethernet 1/0/3. [Switch] interface Ethernet1/0/3 [Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd Unauthorized DHCP Server Detection Configuration Example Network requirements As shown in Figure 3-9, Ethernet 1/0/1 of the switch (S3100-SI) is connected to the DHCP server, and Ethernet 1/0/2 and Ethernet 1/0/3 are respectively connected to Client A and Client B.
  • Page 547: IP Filtering Configuration Example

    [Sysname-Ethernet1/0/2] quit # Enable unauthorized DHCP server detection on Ethernet 1/0/3. [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] dhcp-snooping server-guard enable # Specify the method for handling unauthorized DHCP servers as shutdown on Ethernet 1/0/3. [Sysname-Ethernet1/0/3] dhcp-snooping server-guard method shutdown IP Filtering Configuration Example Network requirements As shown in Figure...
  • Page 548 [Switch-Ethernet1/0/1] dhcp-snooping trust [Switch-Ethernet1/0/1] quit # Enable IP filtering on Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to filter packets based on the source IP addresses/MAC addresses. [Switch] interface Ethernet1/0/2 [Switch-Ethernet1/0/2] ip check source ip-address mac-address [Switch-Ethernet1/0/2] quit [Switch] interface Ethernet1/0/3 [Switch-Ethernet1/0/3] ip check source ip-address mac-address [Switch-Ethernet1/0/3] quit [Switch] interface Ethernet1/0/4 [Switch-Ethernet1/0/4] ip check source ip-address mac-address...
  • Page 549: DHCP Packet Rate Limit Configuration

    DHCP Packet Rate Limit Configuration The contents of this chapter are only applicable to the S3100-EI series among S3100 series switches. Introduction to DHCP Packet Rate Limit To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP packets will be processed by the switch CPU for validity checking.
  • Page 550: Configuring DHCP Packet Rate Limit

    Configuring DHCP Packet Rate Limit Configuring DHCP Packet Rate Limit Follow these steps to configure the rate limit of DHCP packets: Enter system view: system-view —. Enter port view: interface interface-type interface-number —. Enable the DHCP packet rate limit (required): dhcp rate-limit enable; by default, the DHCP packet rate limit function...
  • Page 551 Networking diagram Figure 4-1 Network diagram for DHCP packet rate limit configuration (DHCP Server; Ethernet1/0/1; DHCP Snooping; Ethernet1/0/11; Ethernet1/0/2; Client A; Client B) Configuration procedure # Enable DHCP snooping on the switch. <Switch> system-view [Switch] dhcp-snooping # Specify Ethernet1/0/1 as the trusted port. [Switch] interface Ethernet1/0/1 [Switch-Ethernet1/0/1] dhcp-snooping trust [Switch-Ethernet1/0/1] quit...
  • Page 552: DHCP/BOOTP Client Configuration

    DHCP/BOOTP Client Configuration Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as IP address dynamically from the DHCP server, which facilitates user configuration and management. Refer to “Obtaining IP Addresses Dynamically”...
  • Page 553: How Automatic Configuration Works

    The S3100 EPON series Ethernet switches do not support the automatic configuration feature. To implement the automatic configuration feature, you do not need to configure the devices that are to obtain a configuration file, but you need to configure some parameters on the DHCP server and save the configuration files on the TFTP server.
  • Page 554: Introduction To BOOTP Client

    An intermediate file maintains the IP address-to-host name mappings which are created using the ip host hostname ip-address command. When you use this command: The hostname argument is a character string consisting of letters, digits, “.” and “_” only, which cannot start with “.”.
  • Page 555: Configuring A DHCP/BOOTP Client

    Because a DHCP server can interact with a BOOTP client, you can use the DHCP server to assign an IP address to the BOOTP client, without needing to configure any BOOTP server. Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: Operation Command Description...
  • Page 556: DHCP Client Configuration Example

    DHCP Client Configuration Example Network requirements Using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address from the DHCP server. Network diagram Figure 5-2 A DHCP network Configuration procedure The following describes only the configuration on Switch A serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
  • Page 557 1 ACL Configuration 1-1; ACL Overview 1-1; ACL Matching Order 1-1; Ways to Apply an ACL on a Switch 1-2; Types of ACLs Supported by S3100 Series Ethernet Switches 1-3; ACL Configuration 1-3; Configuring Time Range 1-3; Configuring Basic ACL 1-5; Configuring Advanced ACL 1-6; Configuring Layer 2 ACL 1-7...
  • Page 558: ACL Matching Order

    ACL Configuration ACL Overview As network scale and network traffic keep growing, security control and bandwidth assignment play an increasingly important role in network management. Filtering data packets can efficiently prevent a network from being accessed by unauthorized users while controlling network traffic and saving network resources.
  • Page 559: Ways To Apply An ACL On A Switch

    In the switch, an ACL can be directly applied to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For H3C S3100 series Ethernet switches, the earlier the rule applies, the higher the match priority.
  • Page 560: Types Of ACLs Supported By S3100 Series Ethernet Switches

    When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch will deny packets if the packets do not match the ACL. Types of ACLs Supported by S3100 Series Ethernet Switches S3100-SI Series Ethernet switches support the following types of ACLs.
  • Page 561 Periodic time range, which recurs periodically on the day or days of the week. Absolute time range, which takes effect only in a period of time and does not recur. An absolute time range on H3C S3100 Series Ethernet Switches can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
  • Page 562: Configuring Basic ACL

    Time-range : test ( Inactive ) 08:00 to 18:00 working-day # Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008. <Sysname> system-view [Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008 [Sysname] display time-range test Current time is 13:30:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) From 15:00 Jan/28/2000 to 15:00 Jan/28/2004 Configuring Basic ACL...
  • Page 563: Configuring Advanced ACL

    With the auto match order specified, newly created rules are inserted among the existing ones according to the depth-first principle, but the numbers of the existing rules are unaltered. Configuration example # Configure ACL 2000 to deny packets whose source IP address is 192.168.0.1. <Sysname>...
  • Page 564: Configuring Layer 2 ACL

    Assign a description string to the ACL (optional): description text; no description by default. Note that: With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existing rule;...
  • Page 565: Configuring An IPv6 ACL

    Configuring an IPv6 ACL You can match IPv6 packets by IPv6 ACLs to process IPv6 data flows as required. S3100 Series Ethernet switches support matching IPv6 packets by the following fields: dscp: Matches the traffic class field in IPv6 packets.
  • Page 566 src-ip: Matches the source address field in IPv6 packets. dest-ip: Matches the destination address field in IPv6 packets. src-port: Matches the TCP/UDP source port field in IPv6 packets. dest-port: Matches the TCP/UDP destination port field in IPv6 packets. icmpv6-type: Matches the ICMPv6 message type field in IPv6 packets. icmpv6-code: Matches the ICMPv6 message code field in IPv6 packets.
  • Page 567 Configuration prerequisites To configure a time range-based IPv6 ACL rule, you need to create the corresponding time range first. For information about time range configuration, refer to section Configuring Time Range. The settings to be specified in the rule are determined. Configuration procedure Table 1-5 Define an IPv6 ACL rule Operation...
  • Page 568: ACL Assignment

    IPv6 ACLs do not match IPv6 packets with extension headers. Do not use IPv6 ACLs with VLAN mapping and trusted port priority together. Configuration example # Configure a rule for IPv6 ACL 5000, denying packets sent from 3001::1/64 to 3002::1/64. <Sysname>...
  • Page 569: Assigning An ACL Globally

    Assigning an ACL Globally Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to section Configuring Basic ACL, section Configuring Advanced ACL, section Configuring Layer 2 ACL, and section Configuring an IPv6 ACL.
  • Page 570: Assigning An ACL To A Port Group

    Configuration example # Apply ACL 2000 to VLAN 10 to filter the inbound packets of VLAN 10 on all the ports. <Sysname> system-view [Sysname] packet-filter vlan 10 inbound ip-group 2000 Assigning an ACL to a Port Group Configuration prerequisites Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to section Configuring Basic ACL, section...
  • Page 571: Displaying ACL Configuration

    Configuration procedure Table 1-9 Apply an ACL to a port: Enter system view: system-view —. Enter Ethernet port view: interface interface-type interface-number —. Apply an ACL to the port (required): packet-filter inbound acl-rule; for a description of the acl-rule argument, refer to ACL Command.
  • Page 572: Example For Upper-Layer Software Referencing ACLs

    Example for Upper-Layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements Apply an ACL to permit users with the source IP address of 10.110.100.52 to telnet to the switch. Network diagram Figure 1-1 Network diagram for controlling Telnet login users by source IP Internet Switch 10.110.100.52...
  • Page 573: Example For Applying ACLs To Hardware

    Configuration procedure # Define ACL 2001. <Sysname> system-view [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 Example for Applying ACLs to Hardware Basic ACL Configuration Example Network requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1.
  • Page 574: Advanced ACL Configuration Example

    Advanced ACL Configuration Example Network requirements Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the switch. Apply an ACL to deny requests from the R&D department and destined for the wage server during the working hours (8:00 to 18:00).
  • Page 575: IPv6 ACL Configuration Example

    Network diagram Figure 1-5 Network diagram for Layer 2 ACL Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 4000 to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012.
  • Page 576: Example For Applying An ACL To A Port Group

    <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Set the port to trust the 802.1p (CoS) priority in received packets. [Sysname] priority trust # Define an IPv6 ACL template to match the source address and destination address fields in IPv6 packets.
  • Page 577 # Define an ACL to deny packets destined for the database server. [Sysname] acl number 3000 [Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test [Sysname-acl-adv-3000] quit # Create port group 1 and add Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 in the port group 1. [Sysname] port-group 1 [Sysname-port-group-1] port Ethernet 1/0/1 to Ethernet 1/0/3 # Apply ACL 3000 to port group 1.
  • Page 578 Overview 1-1; Introduction to QoS 1-1; Traditional Packet Forwarding Service 1-1; New Applications and New Requirements 1-1; Major Traffic Control Techniques 1-2; QoS Supported by the S3100 Series Ethernet Switches 1-2; Introduction to QoS Features 1-3; Traffic Classification 1-3; Priority Trust Mode 1-4; Priority Marking 1-8; Traffic Policing and Traffic Shaping 1-8...
  • Page 579 Configuration Example 2-4; QoS Profile Configuration Example 2-4...
  • Page 580: Introduction To QoS

    QoS Configuration Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions. In an internet, QoS refers to the ability of the network to forward packets.
  • Page 581: Major Traffic Control Techniques

    They are occurrences of differentiated services. QoS Supported by the S3100 Series Ethernet Switches The S3100 series Ethernet switches support the QoS features listed in Table 1-1.
  • Page 582: Introduction To QoS Features

    Category / Features / Refer to…: Traffic classification supports the following types of ACLs (refer to Traffic Classification): basic ACLs, advanced ACLs, Layer-2 ACLs (applicable only to the S3100-EI series), and IPv6 ACLs (applicable only to the S3100-EI series). For information about priority marking, refer to Priority Marking. QoS actions for packets matching the classification rules (S3100-EI series): for information about traffic policing, refer to Traffic Policing and Traffic Shaping.
  • Page 583: Priority Trust Mode

    Priority Trust Mode Precedence types IP precedence, ToS precedence, and DSCP precedence Figure 1-2 DS field and ToS byte The ToS field in an IP header contains eight bits numbered 0 through 7. The first three bits indicate IP precedence in the range 0 to 7. Bits 3 to 6 indicate ToS precedence in the range of 0 to 15.
  • Page 584 Best Effort (BE) class: This class is a special class without any assurance in the CS class. The AF class can be degraded to the BE class if it exceeds the limit. Current IP network traffic belongs to this class by default. Table 1-3 Description on DSCP precedence values DSCP value (decimal) DSCP value (binary)
  • Page 585 The 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 1-4 describes the detailed contents of an 802.1Q tag header. Figure 1-4 802.1Q tag headers In the figure above, the priority field (three bits in length) in TCI is 802.1p priority (also known as CoS precedence), which ranges from 0 to 7.
  • Page 586 IP precedence: The switch searches for the local precedence corresponding to the IP precedence of the packet in the IP-to-local-precedence mapping table and assigns the local precedence to the packet. The S3100 series switches provide 802.1p-to-local-precedence, DSCP-to-local-precedence, and IP-to-local-precedence mapping tables for priority mapping. Table 1-6 through...
  • Page 587: Priority Marking

    Table 1-7 DSCP-precedence-to-local-precedence mapping table (DSCP 0 to 15, 16 to 31, 32 to 47, and 48 to 63 mapped to local precedence). Table 1-8 IP-precedence-to-local-precedence mapping table (IP precedence mapped to local precedence, used when the configuration trusts the precedence of received packets). IP-precedence-to-local-precedence mapping tables are not available on S3100-EI series Ethernet switches.
  • Page 588 network resources and provide better service for more users. For example, a traffic flow can be limited to get only its committed resources during a time period to avoid network congestion caused by excessive bursts. Traffic policing and traffic shaping are each a kind of traffic control policy used to limit the traffic and the resources it occupies by supervising the traffic.
  • Page 589 Traffic policing The typical application of traffic policing is to supervise specific traffic into the network and limit it to a reasonable range, or to "discipline" the extra traffic. In this way, the network resources and the interests of the operators are protected. For example, you can limit HTTP packets to be within 50% of the network bandwidth.
  • Page 590: Port Rate Limiting

    Port Rate Limiting Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port. Port rate limiting can be implemented through token buckets. That is, if you perform port rate limiting configuration for a port, the token bucket determines the way to process the packets to be sent by this port or packets reaching the port.
  • Page 591: Flow-Based Traffic Accounting

    In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and put non-critical service (such as e-mail) packets into the queues with lower priority.
  • Page 592: Burst

    Configuring Priority Trust Mode The switch provides the following two priority trust modes: Trusting port priority: by default, the S3100 series trusts port priority. Trusting packet priority: you can configure the switch to trust the 802.1p priority, DSCP precedence, or IP precedence of packets.
  • Page 593 Table 1-10 Configure priority trust mode: Enter system view: system-view —. Configure to trust port priority (optional): undo priority trust; by default, the S3100 series switches trust port priority. Enter Ethernet port view: interface interface-type interface-number —. Configure...
  • Page 594: Configuring Priority Mapping

    802.1p (CoS) priority of the received packets. Note that the H3C S3100-EI series Ethernet switches do not support the ip-precedence keyword of this command. Configuration examples # Configure to trust port priority and set the priority of Ethernet 1/0/1 to 7.
  • Page 595 Configuration procedure Table 1-11 Configure CoS-precedence-to-local-precedence mapping table: Enter system view: system-view —. Configure the CoS-precedence-to-local-precedence mapping table (required): qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec cos6-map-local-prec cos7-map-local-prec. Table 1-12 Configure DSCP-precedence-to-local-precedence mapping table: Enter system view: system-view...
  • Page 596: Marking Packet Priority

    Marking Packet Priority Only H3C S3100-EI series switches support this configuration. Refer to section Priority Marking for information about marking packet priority. Marking packet priority can be implemented in the following two ways: Through traffic policing When configuring traffic policing, you can define the action of marking the 802.1p priority and DSCP precedence for packets exceeding the traffic specification.
  • Page 597 Table 1-15 Mark the priority for packets that are of a VLAN and match specific ACL rules: Enter system view: system-view —. Mark the priorities for packets matching specific ACL rules (required): traffic-priority vlan vlan-id inbound acl-rule { dscp dscp-value | cos cos-value | local-precedence...
  • Page 598: Configuring Traffic Policing

    [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-priority vlan 2 inbound ip-group 2000 dscp 56 Configuring Traffic Policing Only H3C S3100-EI series switches support this configuration. Refer to section Traffic Policing and Traffic Shaping for information about traffic policing. Note that the target-rate argument is the committed information rate (CIR), and the burst-bucket-size argument is the committed burst size (CBS).
  • Page 599 Table 1-20 Configure traffic policing for packets that are of a port group and match specific ACL rules: Enter system view: system-view —. Enter port group view: port-group group-id —. Configure traffic policing (required): traffic-limit inbound acl-rule target-rate [ burst-bucket burst-bucket-size ] [ conform ...; by default, traffic policing...
  • Page 600: Configuring Traffic Shaping

    [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-limit vlan 2 inbound ip-group 2000 128 exceed remark-dscp 56 Configuring Traffic Shaping Only H3C S3100-EI series switches support this configuration. Refer to section Traffic Policing and Traffic Shaping for information about traffic shaping.
  • Page 601: Configuring Traffic Redirecting

    Configuration procedure: <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] line-rate inbound 1024 Configuring Traffic Redirecting Only H3C S3100-EI series switches support this configuration. Refer to section Traffic Redirecting for information about traffic redirecting. Configuration prerequisites The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 602 Table 1-25 Redirect packets that are of a VLAN and match specific ACL rules: Enter system view: system-view —. Configure traffic redirecting (required): traffic-redirect vlan vlan-id inbound acl-rule { cpu | interface interface-type interface-number }. Table 1-26 Redirect packets that are of a port group and match specific ACL rules: Operation Command Description...
  • Page 603: Configuring VLAN Marking

    Method II <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] traffic-redirect vlan 2 inbound ip-group 2000 interface Ethernet1/0/7 Configuring VLAN Marking Configuration prerequisites The ACL rules used for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 604: Configuring Traffic Accounting

    queues 0 to 3 as 1, 2, 3, and 4. The SP queue scheduling algorithm is not available on H3C S3100-SI series Ethernet switches. Configuration example # Adopt the WRR queue scheduling algorithm, with the weight for queue 0, queue 1, queue 2, and queue 3 as 12, 8, 4, and 1.
  • Page 605 Table 1-30 Generate traffic statistics on all the packets matching specific ACL rules: Enter system view: system-view —. Generate the statistics on the packets matching specific ACL rules (required): traffic-statistic inbound acl-rule. Clear the statistics on the packets matching specific ACL rules (optional): reset traffic-statistic...
  • Page 606: Configuring Traffic Mirroring

    Configuration example Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. Generate statistics on the packets sourced from the 10.1.1.0/24 network segment. Clear the statistics. Method I <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] interface Ethernet1/0/1 [Sysname-Ethernet1/0/1] traffic-statistic inbound ip-group 2000 [Sysname-Ethernet1/0/1] reset traffic-statistic inbound ip-group 2000...
  • Page 607 Only H3C S3100-EI series switches support this configuration. Refer to section Traffic Mirroring for information about traffic mirroring. Configuration prerequisites The ACL rules for traffic classification are defined. Refer to the ACL module of this manual for information about defining ACL rules.
  • Page 608 Table 1-37 Configure traffic mirroring for a port group: Enter system view: system-view —. Enter Ethernet port view of the destination port: interface interface-type interface-number —. Define the current port as the destination port (required): monitor-port. Exit current view: quit —...
  • Page 609: Displaying QoS

    [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] monitor-port [Sysname-Ethernet1/0/4] quit [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] mirrored-to inbound ip-group 2000 monitor-interface Method II <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit [Sysname] interface Ethernet 1/0/4 [Sysname-Ethernet1/0/4] monitor-port [Sysname-Ethernet1/0/4] quit [Sysname] mirrored-to vlan 2 inbound ip-group 2000 monitor-interface Displaying QoS...
  • Page 610: QoS Configuration Example

    Operation Command Description: unit-id } traffic-shape. Display traffic accounting configuration of a port or all the ports: display qos-interface { interface-type interface-number | unit-id } traffic-statistic. Display traffic mirroring configuration of a port or all the ports: display qos-interface { interface-type interface-number | unit-id } mirrored-to. Display the configuration of traffic... display qos-global { all |...
  • Page 611 Network diagram Figure 1-9 Network diagram for traffic policing configuration Configuration procedure Define an ACL for traffic classification. # Create ACL 2000 and enter basic ACL view to classify packets sourced from the 192.168.1.0/24 network segment. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Sysname-acl-basic-2000] quit # Create ACL 2001 and enter basic ACL view to classify packets sourced from the 192.168.2.0/24...
  • Page 612: QoS Profile Configuration

    QoS Profile Configuration Only H3C S3100-EI series switches support this configuration. Overview Introduction to QoS Profile QoS profile is a set of QoS configurations. It provides an easy way for performing and managing QoS configuration. A QoS profile can contain one or multiple QoS actions. In networks where hosts change their positions frequently, you can define QoS policies for the specific hosts and add the QoS policies to a QoS profile.
  • Page 613: QoS Profile Configuration

    A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information). Manual application mode You can use the apply command to manually apply a QoS profile to a port. QoS Profile Configuration Table 2-1 QoS profile configuration tasks Operation...
  • Page 614: Applying A QoS Profile

    Operation Command Description local-precedence pre-value }* Applying a QoS Profile You can configure to apply a QoS profile dynamically or simply apply a QoS profile manually. Configuration prerequisites To configure to apply a QoS profile dynamically, make sure 802.1x is enabled both globally and on the port, and the authentication mode is determined.
  • Page 615: Displaying QoS Profile Configuration

    Displaying QoS Profile Configuration After the above configuration, you can execute the display command in any view to view the running status of the QoS profile and verify the configuration. Table 2-5 Display QoS profile configuration Operation Command Description display qos-profile { all | name Display QoS profile profile-name | interface interface-type Available in any view...
  • Page 616 <Sysname> system-view [Sysname] radius scheme radius1 [Sysname-radius-radius1] primary authentication 10.11.1.1 [Sysname-radius-radius1] primary accounting 10.11.1.2 [Sysname-radius-radius1] secondary authentication 10.11.1.2 [Sysname-radius-radius1] secondary accounting 10.11.1.1 # Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers. [Sysname-radius-radius1] key authentication money [Sysname-radius-radius1] key accounting money # Configure the switch to delete the user domain name from the user name and then send the user...
  • Page 617 Table of Contents 1 Mirroring Configuration 1-1; Mirroring Overview 1-1; Local Port Mirroring 1-1; Remote Port Mirroring 1-1; Mirroring Configuration 1-3; Configuring Local Port Mirroring 1-3; Configuring Remote Port Mirroring 1-4; Displaying Port Mirroring 1-7; Mirroring Configuration Example 1-7; Local Port Mirroring Configuration Example 1-7; Remote Port Mirroring Configuration Example 1-8...
  • Page 618: Local Port Mirroring

    Figure 1-1 A port mirroring implementation H3C S3100 series Ethernet switches support two kinds of port mirroring: local port mirroring and remote port mirroring. Local port mirroring: a device copies packets passing through one or more source ports of the device to the destination port.
  • Page 619 To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is needed. All mirrored packets are sent from the reflector port of the source switch to the monitor port (destination port) of the destination switch through the remote-probe VLAN, so as to implement the monitoring of packets received on and sent from the source switch on the destination switch.
  • Page 620: Configuring Local Port Mirroring

    Switch / Ports involved / Function: Destination switch: Trunk port, receives remote mirrored packets; Destination port, receives packets forwarded from the trunk port and transmits the packets to the data detection device. Do not configure the default VLAN (VLAN 1), the port VLAN, or a dynamic VLAN as the remote-probe VLAN.
  • Page 621: Configuring Remote Port Mirroring

    STP. Configuring Remote Port Mirroring An S3100 series Ethernet switch can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment. Configuration on a switch acting as a source switch Configuration prerequisites The source port, the reflector port, and the remote-probe VLAN are determined.
  • Page 622 Operation / Command / Description: Configure the current VLAN as the remote-probe VLAN: remote-probe vlan enable (Required). Return to system view: quit. Enter the view of the Ethernet port that connects to the intermediate switch or destination switch: interface interface-type interface-number. Configure the current port as a trunk port: port link-type trunk (Required)...
  • Page 623 Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. Configuration procedure. Table 1-5 Configuration on the intermediate switch (Operation / Command / Description): Enter system view: system-view. Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN).
  • Page 624: Displaying Port Mirroring

    Operation / Command / Description: Configure the trunk port to permit packets from the remote-probe VLAN: port trunk permit vlan remote-probe-vlan-id (Required). Return to system view: quit. Create a remote destination mirroring group: mirroring-group group-id remote-destination (Required). Configure the destination port for the remote destination mirroring group: mirroring-group group-id monitor-port monitor-port (Required)...
  • Page 625: Remote Port Mirroring Configuration Example

    Network requirements The departments of a company connect to each other through S3100 Ethernet switches: Switch A, Switch B, and Switch C are S3100 series switches. Department 1 is connected to Ethernet 1/0/1 of Switch A. Department 2 is connected to Ethernet 1/0/2 of Switch A.
  • Page 626 Ethernet 1/0/2 of Switch B connects to Ethernet 1/0/1 of Switch C. The data detection device is connected to Ethernet 1/0/2 of Switch C. The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device.
  • Page 627 # Configure Ethernet 1/0/3 as trunk port, allowing packets of VLAN 10 to pass. [Sysname] interface Ethernet 1/0/3 [Sysname-Ethernet1/0/3] port link-type trunk [Sysname-Ethernet1/0/3] port trunk permit vlan 10 [Sysname-Ethernet1/0/3] quit # Display configuration information about remote source mirroring group 1. [Sysname] display mirroring-group 1 mirroring-group 1: type: remote-source...
  • Page 628 [Sysname-Ethernet1/0/1] port trunk permit vlan 10 [Sysname-Ethernet1/0/1] quit # Display configuration information about remote destination mirroring group 1. [Sysname] display mirroring-group 1 mirroring-group 1: type: remote-destination status: active monitor port: Ethernet1/0/2 remote-probe vlan: 10 After the configurations, you can monitor all packets sent from Department 1 and 2 on the data detection device.
  • Page 629 Table of Contents: 1 Stack 1-1; Stack Function Overview 1-1; The Main Switch of a Stack 1-1; The Slave Switches of a Stack 1-1; Creating a Stack 1-1; Main Switch Configuration 1-2; Configuring the IP Address Pool and Creating the Stack 1-2; Maintaining Slave Switches 1-3; Stack-Port Function Configuration 1-3; Slave Switch Configuration 1-4...
  • Page 630: Stack

    Stack The S3100 series switches can be stacked only when stack modules are installed. Stack Function Overview A stack is a management domain formed by a group of Ethernet switches interconnected through their stack ports. A stack contains a main switch and multiple slave switches.
  • Page 631: Main Switch Configuration

    Connect the intended main switch and slave switches through stack modules and dedicated stack cables. (Refer to H3C S3100 Series Ethernet Switches Installation Manual for the information about stack modules and stack cables.) Configure the IP address pool for the stack and enable the stack function. The main switch then automatically adds the switches connected to its stack ports to the stack.
  • Page 632: Maintaining Slave Switches

    Quit slave switch view quit command in user view of a slave switch. Stack-Port Function Configuration On the S3100 series switches, only GE SFP ports that are installed with stack modules can be used as stack ports.
  • Page 633: Slave Switch Configuration

    Introduction to the Stack-Port Function If you enable the stack function on a stack-supporting device, the device will send join-in requests to the connected stack ports of all the switches connected with the device. This may cause switches not expecting to join in the stack to join in the stack automatically, affecting network stability. You can configure the stack-port function on the stack ports that are connected with other switches to choose whether to send join-in requests to the switches, so as to prevent the switches that do not belong to the local stack from joining in.
  • Page 634: Stack Configuration Example

    Operation / Command / Description: Display the stack status information on a slave switch: display stacking. The display command can be executed in any view. The displayed information indicates that the local switch is a slave switch; information such as the stack number of the local switch and the MAC address of the main switch in the stack is also displayed.
  • Page 635 Main device for stack. Total members:3 Management-vlan:1(default vlan) # Display the information about the stack members on switch A. <stack_0.Sysname> display stacking members Member number: 0 Name:stack_0.Sysname Device: S3100-EI MAC Address:000f-e20f-c43a Member status:Admin IP: 129.10.1.15 /16 Member number: 1 Name:stack_1.Sysname Device: S3100 MAC Address: 000f-e200-3130 Member status:Up...
  • Page 636: Cluster

    Cluster Cluster Overview Introduction to HGMP A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through the Huawei group management protocol (HGMP). HGMP version 2 (HGMPv2) is used at present. A switch in a cluster plays one of the following three roles: Management device Member device...
  • Page 637: Roles In A Cluster

    you can configure and manage all the member devices through the management device without the need to log onto them one by one. It provides the topology discovery and display function, which assists in monitoring and maintaining the network. It allows you to configure and upgrade multiple switches at the same time. It enables you to manage your remote devices conveniently regardless of network topology and physical distance.
  • Page 638: How A Cluster Works

    Figure 2-2 State machine of cluster role A candidate device becomes a management device when you create a cluster on it. Note that a cluster must have one (and only one) management device. On becoming a management device, the device collects network topology information and tries to discover and determine candidate devices, which can then be added to the cluster through configurations.
  • Page 639 The management device adds the candidate devices to the cluster or removes member devices from the cluster according to the candidate device information collected through NTDP. Introduction to NDP NDP is a protocol used to discover adjacent devices and provide information about them. NDP operates on the data link layer, and therefore it supports different network layer protocols.
  • Page 640 device busy processing the NTDP topology collection responses. To avoid such cases, the following methods can be used to control the speed at which NTDP topology collection requests are advertised. Configuring the devices not to forward an NTDP topology collection request immediately after they receive it.
  • Page 641 To create a cluster, you need to determine the device to operate as the management device first. The management device discovers and determines candidate devices through NDP and NTDP, and adds them to the cluster. You can also add candidate devices to a cluster manually. After a candidate device is added to a cluster, the management device assigns a member number and a private IP address (used for cluster management) to it.
  • Page 642 Additionally, on the management device, you can configure the FTP server, TFTP server, logging host and SNMP host to be shared by the whole cluster. When a member device in the cluster communicates with an external server, the member device first transmits data to the management device, which then forwards the data to the external server.
  • Page 643: Cluster Configuration Tasks

    Determine whether the destination MAC address or destination IP address is used to trace a device in the cluster If you use the tracemac command to trace the device by its MAC address, the switch will query its MAC address table according to the MAC address and VLAN ID in the command to find out the port connected with the downstream switch.
  • Page 644: Configuring The Management Device

    Optional To reduce the risk of attacks by malicious users against open sockets and enhance switch security, the S3100 series Ethernet switches provide the following functions, so that the cluster socket is opened only when it is needed: UDP port 40000 (used for the cluster) is opened only when the cluster function is implemented, and UDP port 40000 is closed at the same time the cluster function is closed.
  • Page 645 Operation / Command / Description: specified enabled on a port. Enter Ethernet port view: interface interface-type interface-number. Enable NDP on the port: ndp enable (in Ethernet port view). Configuring NDP-related parameters. Follow these steps to configure NDP-related parameters (Operation / Command / Description): Enter system view: system-view...
  • Page 646 Operation / Command / Description: Configure the port forward delay of topology collection requests: ntdp timer port-delay time (Optional; by default, the port forward delay is 20 ms). Configure the interval to collect topology information periodically: ntdp timer interval-in-minutes (Optional; by default, the topology collection interval is one minute).
  • Page 647 Operation / Command / Description: Set the interval for the management device to send multicast packets: cluster-mac syn-interval time-interval (Optional; by default, the interval to send multicast packets is one minute). Set the holdtime of member switches: holdtime seconds (Optional; by default, the holdtime is 60 seconds).
  • Page 648: Configuring Member Devices

    Operation / Command / Description: Configure a shared TFTP server for the cluster: tftp-server ip-address (Optional; by default, no shared TFTP server is configured). Configure a shared logging host for the cluster: logging-host ip-address (Optional; by default, no shared logging host is configured). Configure a shared SNMP host: snmp-host ip-address...
  • Page 649 To reduce the risk of attacks by malicious users against open sockets and enhance switch security, the S3100 series Ethernet switches provide the following functions, so that the cluster socket is opened only when it is needed: UDP port 40000 (used for the cluster) is opened only when the cluster function is implemented, and UDP port 40000 is closed at the same time the cluster function is closed.
  • Page 650: Managing A Cluster Through The Management Device

    Operation / Command / Description: Enter Ethernet port view: interface interface-type interface-number. Enable NTDP on the port: ntdp enable (Required). Enabling the cluster function. Follow these steps to enable the cluster function (Operation / Command / Description): Enter system view: system-view. Enable the cluster function: cluster enable (Optional; by default, the cluster function...
  • Page 651: Configuring The Enhanced Cluster Features

    Operation / Command / Description: Enter system view: system-view. Enter cluster view: cluster. Configure the MAC address of the management device: administrator-address mac-address name name (Optional). Add a candidate device to the cluster: add-member [ member-number ] mac-address H-H-H [ password password ] (Optional). Remove a member device from the cluster: delete-member (Optional)...
  • Page 652 The topology information is saved as a topology.top file in the Flash memory of the management device. You cannot specify the file name manually. Cluster device blacklist function To ensure the stability and security of the cluster, you can use the blacklist to restrict the devices that can be added to the cluster.
  • Page 653: Configuring The Cluster Synchronization Function

    Operation / Command / Description: Display the topology of the current cluster: display cluster current-topology [ mac-address mac-address1 [ to-mac-address mac-address2 ] | member-id member-id1 [ to-member-id member-id2 ] ] (can be executed in any view). Display the information about the base topology of the cluster: display cluster base-topology [ mac-address mac-address | member member-id ]...
  • Page 654 SNMP configuration synchronization With this function, you can configure the public SNMP community name, SNMP group, SNMP users and MIB views. These configurations will be synchronized to the member devices of the cluster automatically, which not only simplifies the configurations on the member devices, but also enables the network management station (NMS) to access any member device of the cluster conveniently.
  • Page 655 Perform the above operations on the management device of the cluster. Configuring the public SNMP information is equal to executing these configurations on both the management device and the member devices (refer to the SNMP-RMON Operation part in this manual), and these configurations will be saved to the configuration files of the management device and the member devices.
  • Page 656 Member 2 succeeded in the usm-user configuration. Member 1 succeeded in the usm-user configuration. Finish to synchronize the command. # After the above configuration, you can see that the public SNMP configurations for the cluster are saved to the management device and member devices by viewing the configuration files. Configuration file content on the management device (only the SNMP-related information is displayed) [test_0.Sysname-cluster] display current-configuration...
  • Page 657: Displaying And Maintaining Cluster Configuration

    A cluster is established, and you can manage the member devices through the management device. Configuration procedure Perform the following operations on the management device to synchronize local user configurations: To do… Use the command… Remarks Enter system view system-view —...
  • Page 658: Cluster Configuration Example

    Basic Cluster Configuration Example Network requirements Three switches compose a cluster, where: An S3100 series switch serves as the management device. The rest are member devices. Serving as the management device, the S3100 switch manages the two member devices. The...
  • Page 659 Network diagram Figure 2-4 Network diagram for HGMP cluster configuration (diagram content: SNMP host/logging host 69.172.55.4/24 and FTP server/TFTP server 63.172.55.1/24 reached over the network; Management Switch with Vlan-int2 163.172.55.1/24 on Eth1/0/1, and Eth1/0/2 and Eth1/0/3 connected to Eth1/0/1 of two member switches, MAC 000f.e001.0011 and MAC 000f.e001.0012, forming the cluster). Configuration procedure Configure the member devices (taking one member as an example) # Enable NDP globally and on Ethernet1/0/1.
  • Page 660 # Set the holdtime of NDP information to 200 seconds. [Sysname] ndp timer aging 200 # Set the interval to send NDP packets to 70 seconds. [Sysname] ndp timer hello 70 # Enable NTDP globally and on Ethernet 1/0/2 and Ethernet 1/0/3. [Sysname] ntdp enable [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] ntdp enable...
  • Page 661: Enhanced Cluster Feature Configuration Example

    [aaa_0.Sysname-cluster] tftp-server 63.172.55.1 [aaa_0.Sysname-cluster] logging-host 69.172.55.4 [aaa_0.Sysname-cluster] snmp-host 69.172.55.4 Perform the following operations on the member devices (taking one member as an example) After adding the devices under the management device to the cluster, perform the following operations on a member device. # Connect the member device to the remote shared FTP server of the cluster.
  • Page 662 Network diagram Figure 2-5 Network diagram for the enhanced cluster feature configuration Configuration procedure # Enter cluster view. <aaa_0.Sysname> system-view [aaa_0.Sysname] cluster # Add the MAC address 0001-2034-a0e5 to the cluster blacklist. [aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5 # Back up the current topology. [aaa_0.Sysname-cluster] topology accept all save-to local-flash
  • Page 663 Table of Contents: 1 PoE Configuration 1-1; PoE Overview 1-1; Introduction to PoE 1-1; PoE Features Supported by S3100 1-1; PoE Configuration 1-2; PoE Configuration Tasks 1-2; Enabling the PoE Feature on a Port 1-3; Setting the Maximum Output Power on a Port 1-3; Setting PoE Management Mode and PoE Priority of a Port 1-4; Setting the PoE Mode on a Port 1-4; Configuring the PD Compatibility Detection Function 1-5...
  • Page 664: Poe Configuration

    PDs conform to the 802.3af standard, including IP phones, wireless APs, network cameras and so on. PI: PIs are RJ45 interfaces which connect PSEs/PDs to network cables. PoE Features Supported by S3100 PoE-enabled S3100 series Ethernet switches include: S3100-8TP-PWR-EI, S3100-16TP-PWR-EI, S3100-26TP-PWR-EI...
  • Page 665: Poe Configuration

    Table columns: Switch; Number of electrical ports supplying PoE power; Total input power; Maximum PoE output power; Maximum power provided by each electrical port; Maximum power supply distance (values shown on this page: AC input, 370 W). A PoE-enabled S3100 switch has the following features: As the PSE, it supports the IEEE 802.3af standard. It can also supply power to PDs that do not support the 802.3af standard.
  • Page 666: Enabling The Poe Feature On A Port

    Task / Remarks: Setting PoE Management Mode and PoE Priority of a Port (Optional); Setting the PoE Mode on a Port (Optional); Configuring the PD Compatibility Detection Function (Optional); Configuring PoE Over-Temperature Protection on the Switch (Optional); Upgrading the PSE Processing Software Online (Optional); Displaying PoE Configuration (Optional)...
  • Page 667: Setting Poe Management Mode And Poe Priority Of A Port

    When a switch is close to its full load in supplying power, you can adjust the power supply of the switch through the cooperation of the PoE management mode and the port PoE priority settings. S3100 series switches support two PoE management modes, auto and manual. The auto mode is adopted by default.
  • Page 668: Configuring The Pd Compatibility Detection Function

    Operation / Command / Description: Set the PoE mode on the port to signal: poe mode signal (Optional; signal by default). Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them.
  • Page 669: Upgrading The Pse Processing Software Online

    Upgrading the PSE Processing Software Online The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. Before performing the following configuration, download the PSE processing software to the Flash of the switch. Table 1-9 Upgrade PSE processing software online Operation Command...
  • Page 670: Poe Configuration Example

    PoE Configuration Example Networking requirements Switch A is an S3100 series Ethernet switch supporting PoE, and Switch B can be PoE powered. The Ethernet 1/0/1 and Ethernet 1/0/2 ports of Switch A are connected to Switch B and an AP respectively; the Ethernet 1/0/8 port is intended to be connected with an important AP.
  • Page 671 [SwitchA] interface Ethernet 1/0/8 [SwitchA-Ethernet1/0/8] poe enable [SwitchA-Ethernet1/0/8] poe priority critical [SwitchA-Ethernet1/0/8] quit # Set the PoE management mode on the switch to auto (it is the default mode, so this step can be omitted). [SwitchA] poe power-management auto # Enable PD compatibility detection on the switch to allow the switch to supply power to some of the devices that do not comply with the 802.3af standard.
  • Page 672: Poe Profile Configuration

    On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, S3100 series Ethernet switches provide the PoE profile features. A PoE profile is a set of PoE configurations, including multiple PoE features.
  • Page 673: Displaying Poe Profile Configuration

    Display information about the PoE profiles created on the switch: { all-profile | interface interface-type interface-number | name profile-name } (available in any view). PoE Profile Configuration Example PoE Profile Application Example Network requirements Switch A is an S3100 series Ethernet switch supporting PoE.
  • Page 674 Ethernet 1/0/1 through Ethernet 1/0/10 of Switch A are used by users of group A, who have the following requirements: The PoE function can be enabled on all ports in use. Signal mode is used to supply power. The PoE priority for Ethernet 1/0/1 through Ethernet 1/0/5 is Critical, whereas the PoE priority for Ethernet 1/0/6 through Ethernet 1/0/10 is High.
  • Page 675 [SwitchA] display poe-profile name Profile1 Poe-profile: Profile1, 3 action poe enable poe max-power 3000 poe priority critical # Create Profile2, and enter PoE profile view. [SwitchA] poe-profile Profile2 # In Profile2, add the PoE policy configuration applicable to Ethernet 1/0/6 through Ethernet 1/0/10 ports for users of group A.
  • Page 676 Table of Contents: 1 SNMP Configuration 1-1; SNMP Overview 1-1; SNMP Operation Mechanism 1-1; SNMP Versions 1-1; Supported MIBs 1-1; Configuring Basic SNMP Functions 1-3; Configuring Trap Parameters 1-5; Configuring Basic Trap 1-5; Configuring Extended Trap 1-6; Enabling Logging for Network Management 1-6; Displaying SNMP 1-6; SNMP Configuration Examples 1-7; SNMP Configuration Examples 1-7; 2 RMON Configuration 2-1; Introduction to RMON 2-1...
  • Page 677: Snmp Configuration

    SNMP Configuration SNMP Overview The simple network management protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes. In this way, network administrators can easily retrieve and modify the information about any node on the network. In the meantime, they can locate faults promptly and implement the fault diagnosis, capacity planning and report generating.
  • Page 678 adopts a hierarchical naming scheme to organize the managed objects. It is like a tree, with each tree node representing a managed object, as shown in Figure 1-1. Each node in this tree can be uniquely identified by a path starting from the root. Figure 1-1 Architecture of the MIB tree The management information base (MIB) describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices.
  • Page 679: Configuring Basic Snmp Functions

    Set system information and specify the SNMP version to enable SNMPv1 or SNMPv2c on the switch: { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (by default, the system maintenance information is "R&D Hangzhou, H3C Technology Co., Ltd.", the system location is "Hangzhou China", and the...
  • Page 680 Set system information and specify the SNMP version to enable SNMPv3 on the switch: { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (by default, the system maintenance information is "R&D Hangzhou, H3C Technology Co., Ltd.", the system location is "Hangzhou China", and the SNMP...
  • Page 681: Configuring Trap Parameters

    An S3100 Ethernet switch provides the following functions to prevent attacks through unused UDP ports. Executing the snmp-agent command or any of the commands used to configure the SNMP agent enables the SNMP agent, and at the same time opens UDP port 161, used by SNMP agents, and the UDP port used by SNMP traps, respectively.
  • Page 682: Configuring Extended Trap

    Configuring Extended Trap The extended Trap includes the following. “Interface description” and “interface type” are added into the linkUp/linkDown Trap message. When receiving this extended Trap message, NMS can immediately determine which interface on the device fails according to the interface description and type. In all Trap messages sent from the information center to the log server, a MIB object name is added after the OID field of the MIB object.
  • Page 683: Snmp Configuration Examples

    Table 1-7 Display SNMP (Operation / Command / Description): Display the SNMP information about the current device: display snmp-agent sys-info [ contact | location | version ]*. Display SNMP packet statistics: display snmp-agent statistics. Display the engine ID of the current device: display snmp-agent { local-engineid | remote-engineid }. Display group information about the...
  • Page 684 Configuring the NMS The S3100 series Ethernet switches support H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter]. For each security level, you need to set authorization mode, authorization password, encryption mode, encryption password, and so on.
  • Page 685 Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully.
  • Page 686: Rmon Configuration

    RMON MIB): alarm group, event group, history group, and statistics group. An H3C S3100 Ethernet switch implements RMON in the second way. With an RMON agent embedded in, an S3100 Ethernet switch can serve as a network device with the RMON probe function. Through...
  • Page 687: Commonly Used Rmon Groups

    Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
  • Page 688: Rmon Configuration

    The statistics include the number of the following items: collisions, packets with cyclic redundancy check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets. With the RMON statistics management function, you can monitor the use of a port and collect statistics on the errors that occur while the port is in use.
  • Page 689: Displaying Rmon

    Displaying RMON After the above configuration, you can execute the display command in any view to display the RMON running status and to verify the configuration. Table 2-2 Display RMON (Operation / Command / Description): Display RMON statistics: display rmon statistics [ interface-type interface-number | unit unit-number ]. Display RMON history: display rmon history [ interface-type...
  • Page 690 # Add an entry numbered 2 to the extended alarm table so that the system calculates the alarm variable with the formula (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1), which gives the number of all oversize and undersize packets received by Ethernet 1/0/1 that are in correct data format, and samples it every 10 seconds.
  • Page 691 Table of Contents: 1 NTP Configuration (1-1); Introduction to NTP (1-1); Applications of NTP (1-1); Implementation Principle of NTP (1-2); NTP Implementation Modes (1-3); NTP Configuration Tasks (1-5); Configuring NTP Implementation Modes (1-5); Configuring NTP Server/Client Mode (1-6); Configuring the NTP Symmetric Peer Mode (1-7); Configuring NTP Broadcast Mode (1-8); Configuring NTP Multicast Mode (1-9); Configuring Access Control Right (1-10)...
  • Page 692: Ntp Configuration

    NTP Configuration Introduction to NTP Network time protocol (NTP) is a time synchronization protocol defined in RFC 1305. It is used for time synchronization between a set of distributed time servers and clients. Carried over UDP, NTP transmits packets through UDP port 123. NTP is intended for time synchronization between all devices that have clocks in a network, so that the clocks of all devices remain consistent.
  • Page 693: Implementation Principle Of Ntp

    The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. The local clock of an S3100 Ethernet switch cannot be set as a reference clock.
  • Page 694: Ntp Implementation Modes

    Device A sends an NTP message to Device B, with a timestamp 10:00:00 am (T1) identifying when it is sent. When the message arrives at Device B, Device B inserts its own timestamp 11:00:01 am (T2) into the packet. When the NTP message leaves Device B, Device B inserts its own timestamp 11:00:02 am (T3) into the packet.
  • Page 695 Multicast server: sends clock synchronization packets periodically. Multicast client (a switch in the multicast client mode): receives the multicast packets and synchronizes the local clock. Table 1-1 describes how the above mentioned NTP modes are implemented on H3C S3100 series Ethernet switches.
  • Page 696: Ntp Configuration Tasks

    VLAN interface configured on the switch. When an H3C S3100 Ethernet switch works in server mode or symmetric passive mode, you need not perform the related configurations on this switch; perform them on the client or the symmetric-active peer instead.
  • Page 697: Configuring Ntp Server/Client Mode

    Configuring NTP Broadcast Mode Configuring NTP Multicast Mode To protect unused sockets against attacks by malicious users and improve security, H3C S3100 series Ethernet switches provide the following functions: UDP port 123 is opened only when the NTP feature is enabled.
  • Page 698 The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The clock of the NTP client will be synchronized by that of the NTP server, but will not synchronize the clock of the NTP server. remote-ip cannot be a broadcast address, a multicast address or the IP address of the local clock.
  • Page 699 255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S3100 series Ethernet switch can work as a broadcast server or a broadcast client. Refer to Table 1-5 for configuring a switch to work in the NTP broadcast server mode.
  • Page 700 NTP multicast messages to multicast clients. The switches working in the NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S3100 series Ethernet switch can work as a multicast server or a multicast client. Refer to Table 1-7 for configuring a switch to work in the NTP multicast server mode.
  • Page 701: Configuring Access Control Right

    Configuring a switch to work in the multicast client mode Table 1-8 Configure a switch to work in the NTP multicast client mode: Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the switch to work in the NTP multicast client mode (Required): ntp-service multicast-client...
  • Page 702: Configuring Ntp Authentication

    The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
  • Page 703 with the corresponding NTP broadcast/multicast client. Otherwise, NTP authentication cannot be enabled normally. Configurations on the server and the client must be consistent. Configuration Procedure Configuring NTP authentication on the client Table 1-11 Configure NTP authentication on the client: Enter system view...
  • Page 704: Configuring Optional Ntp Parameters

    Configure the specified key as a trusted authentication key (Required): ntp-service reliable authentication-keyid key-id. By default, no trusted key is configured. Enter VLAN interface view: interface Vlan-interface vlan-id. In NTP broadcast server mode and NTP multicast server mode, configure the NTP server: ntp-service broadcast-server...
  • Page 705: Configuring The Number Of Dynamic Sessions Allowed On The Local Switch

    Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations. A static association refers to an association that a user has manually created by using an NTP command, while a dynamic association is a temporary association created by the system during operation.
  • Page 706: Configuration Example

    Display brief information about the NTP servers along the path from the local device to the reference clock source: display ntp-service trace. Configuration Example Configuring NTP Server/Client Mode Network requirements The local clock of Device A (a switch) is to be used as a master clock, with the stratum level of 2. Device A is used as the NTP server of Device B (an S3100 Ethernet switch). Configure Device B to work in the client mode, and then Device A will automatically work in the server mode.
  • Page 707: Configuring Ntp Symmetric Peer Mode

    Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
  • Page 708 # Enter system view. <DeviceB> system-view # Set Device C as the peer of Device B. [DeviceB] ntp-service unicast-peer 3.0.1.33 Device C and Device B are symmetric peers after the above configuration. Device B works in symmetric active mode, while Device C works in symmetric passive mode. Because the stratum level of the local clock of Device B is 1, and that of Device C is 3, the clock of Device C is synchronized to that of Device B. # View the status of Device C after the clock synchronization.
  • Page 709 Network diagram Figure 1-8 Network diagram for the NTP broadcast mode configuration (Device A: Vlan-int2 1.0.1.31/24; Device C: Vlan-int2 3.0.1.31/24; Device D: Vlan-int2 3.0.1.32/24; Device B). Configuration procedure Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as the broadcast server, which sends broadcast messages through Vlan-interface2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service broadcast-server Configure Device A.
  • Page 710 The output information indicates that Device D is synchronized to Device C, with the clock stratum level of 3, one level lower than that of Device C. # View the information about the NTP sessions of Device D and you can see that a connection is established between Device D and Device C.
  • Page 711: Configuring Ntp Server/Client Mode With Authentication

    [DeviceA] interface Vlan-interface 2 [DeviceA-Vlan-interface2] ntp-service multicast-client After the above configurations, Device A and Device D respectively listen to multicast messages through their own Vlan-interface2, and Device C advertises multicast messages through Vlan-interface2. Because Device A and Device C do not share the same network segment, Device A cannot receive multicast messages from Device C, while Device D is synchronized to Device C after receiving multicast messages from Device C.
  • Page 712 Configuration procedure Configure Device B. # Enter system view. <DeviceB> system-view # Enable the NTP authentication function. [DeviceB] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [DeviceB] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key 42 as a trusted key.
  • Page 713 Total associations : 1-22...
  • Page 714 Table of Contents: 1 SSH Configuration (1-1); SSH Overview (1-1); Introduction to SSH (1-1); Algorithm and Key (1-1); Asymmetric Key Algorithm (1-2); SSH Operating Process (1-2); SSH Server and Client Configuration Task List (1-4); Configuring the SSH Server (1-4); Configuring the User Interfaces for SSH Clients (1-5); Configuring the SSH Management Functions (1-6); Configuring the SSH Server to Be Compatible with SSH1 Clients (1-7); Generating/Destroying Key Pairs (1-7)...
  • Page 715: Ssh Configuration

    SSH Configuration When configuring SSH, go to these sections for the information you are interested in: SSH Overview SSH Server and Client Configuration Task List Displaying and Maintaining SSH Configuration Comparison of SSH Commands with the Same Functions SSH Configuration Examples SSH Overview Introduction to SSH Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments.
  • Page 716: Asymmetric Key Algorithm

    Figure 1-1 Encryption and decryption Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms. Asymmetric Key Algorithm An asymmetric key algorithm means that a key pair exists at each end. The key pair consists of a private key and a public key.
  • Page 717 Version negotiation The server opens port 22 to listen to connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary protocol...
  • Page 718: Ssh Server And Client Configuration Task List

    The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions. The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
  • Page 719: Configuring The User Interfaces For Ssh Clients

    Table 1-2 Complete the following tasks to configure the SSH server: Configuring the User Interfaces for SSH Clients (Required; preparation). Configuring the SSH Management Functions (Optional). Configuring the SSH Server to Be Compatible with SSH1 Clients (Optional; this task determines which SSH versions the server should support).
  • Page 720: Configuring The Ssh Management Functions

    Table 1-3 Follow these steps to configure the user interface for SSH clients: Enter system view: system-view. Enter user interface view of one or more user interfaces: user-interface vty first-number [ last-number ]. Configure the authentication mode (Required): authentication-mode scheme...
  • Page 721: Configuring The Ssh Server To Be Compatible With Ssh1 Clients

    You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User. For details of the header command, refer to the corresponding section in Login Command. Currently, only the S3100-EI series support the ssh server rekey-interval command.
  • Page 722: Creating An Ssh User And Specifying An Authentication Type

    Destroy the DSA key pair (Optional): public-key local destroy dsa. Use the command to destroy the generated DSA key pair. The SSH server’s key pairs are for generating session keys and for SSH clients to authenticate the server.
  • Page 723: Specifying A Service Type For An Ssh User

    For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA. If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user.
  • Page 724: Assigning A Public Key To An Ssh User

    This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication. You can manually configure the public key or import it from a public key file.
  • Page 725: Exporting The Rsa Or Dsa Public Key

    This configuration task is unnecessary if the SSH user’s authentication mode is password. For the publickey authentication mode, you must specify the client’s public key on the server for authentication. Table 1-10 Follow these steps to assign a public key for an SSH user: To do...
  • Page 726: Configuring The Ssh Client

    Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses. In addition, if an SSH client does not support first-time authentication, you need to configure the public key of the server on the client, so that the client can authenticate the server. SSH Client Configuration Task List Table 1-13 Complete the following tasks to configure the SSH client: SSH client configuration task...
  • Page 727 Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH. Selecting the SSH version. Since the device currently supports SSH2.0, select 2.0 or lower for the client.
  • Page 728 Figure 1-3 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-4 Generate the client keys (3)
  • Page 729 Likewise, to save the private key, click Save private key. A warning window pops up to ask whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key. Figure 1-5 Generate the client keys (4) To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
  • Page 730 Figure 1-7 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
  • Page 731 Figure 1-8 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation in ssh2. Opening an SSH connection with password authentication From the window shown in Figure...
  • Page 732: Configuring An Ssh Client Assumed By An Ssh2-Capable Switch

    Figure 1-9 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
  • Page 733 Configuring whether first-time authentication is supported When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it will save the host public key on the client for use in subsequent authentications.
  • Page 734: Displaying And Maintaining Ssh Configuration

    Required: ssh2 { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | ... In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and...
  • Page 735: Ssh Configuration Examples

    Display information about the peer RSA public keys: original command display rsa peer-public-key [ brief | name keyname ]; current command display public-key peer [ brief | name pubkey-name ]. Generate an RSA key pair: original command rsa local-key-pair create; current command public-key local create rsa. Destroy an RSA key pair: original command rsa local-key-pair destroy; current command public-key local destroy rsa...
  • Page 736 Network diagram Figure 1-10 Switch acts as server for local password authentication Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection. <Switch>...
  • Page 737 # Configure the SSH client software to establish a connection to the SSH server. Take the SSH client software PuTTY (version 0.58) as an example: Run PuTTY.exe to enter the following configuration interface. Figure 1-11 SSH client configuration interface In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select SSH under Connection.
  • Page 738: When Switch Acts As Server For Password And Radius Authentication

    Figure 1-12 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-12, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 739 Network diagram Figure 1-13 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log into the CAMS management platform and select System Management >...
  • Page 740 Figure 1-14 Add an access device # Add a user for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account window and perform the following configurations: Add a user named hello, and specify the password.
  • Page 741 Generating the RSA and DSA key pairs on the server is a prerequisite for SSH login. # Generate RSA and DSA key pairs. [Switch] public-key local create rsa [Switch] public-key local create dsa # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
  • Page 742 Figure 1-16 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-17 appears.
  • Page 743: When Switch Acts As Server For Password And Hwtacacs Authentication

    authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1-15.
  • Page 744 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Configure the HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 [Switch-hwtacacs-hwtac] key authentication expert [Switch-hwtacacs-hwtac] key authorization expert [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit...
  • Page 745: When Switch Acts As Server For Publickey Authentication

    From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-20 appears. Figure 1-20 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
  • Page 746 Configuration procedure Under the publickey authentication mode, either the RSA or DSA public key can be generated for the server to authenticate the client. This example uses the RSA public key. Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
  • Page 747 # Import the client’s public key named Switch001 from file public. [Switch] public-key peer Switch001 import sshkey public # Assign the public key Switch001 to client client001. [Switch] ssh user client001 assign publickey Switch001 Configure the SSH client (taking PuTTY version 0.58 as an example) # Generate an RSA key pair.
  • Page 748 Figure 1-23 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-24 Generate a client key pair (3)
  • Page 749 Likewise, to save the private key, click Save private key. A warning window pops up to ask whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case). Figure 1-25 Generate a client key pair (4) After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client.
  • Page 750 Figure 1-27 SSH client configuration interface 2 Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 1-28 SSH client configuration interface (2)
  • Page 751: When Switch Acts As Client For Password Authentication

    Click Browse… to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-28, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in...
  • Page 752: When Switch Acts As Client For Publickey Authentication

    The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server's public key?(Y/N):n Enter password: ************************************************************************** Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ************************************************************************** <SwitchB>...
  • Page 753 Configuration procedure In public key authentication, you can use either an RSA or a DSA public key. This example uses the DSA public key. Configure Switch B # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
  • Page 754 The Server is not authenticated. Do you continue to access it?(Y/N):y Do you want to save the server's public key?(Y/N):n ************************************************************************** Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed.
  • Page 755: When Switch Acts As Client And First-Time Authentication Is Not Supported

    When Switch Acts as Client and First-Time Authentication is not Supported Network requirements As shown in Figure 1-31, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136.
  • Page 756 Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following “Configure Switch A”.
  • Page 757 Username: client001 Trying 10.165.87.136 ... Press CTRL+K to abort Connected to 10.165.87.136 ... ************************************************************************** Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.* Without the owner's prior written consent, no decompiling or reverse-engineering shall be allowed. ************************************************************************** <SwitchB>
  • Page 758 Table of Contents: 1 File System Management Configuration (1-1); File System Configuration (1-1); Introduction to File System (1-1); File System Configuration Tasks (1-1); Directory Operations (1-1); File Operations (1-2); Flash Memory Operations (1-3); Prompt Mode Configuration (1-3); File System Configuration Example (1-4); File Attribute Configuration (1-5); Introduction to File Attributes (1-5); Booting with the Startup File (1-6); Configuring File Attributes (1-6)...
  • Page 759: File System Management Configuration

    Prompt Mode Configuration Optional S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways: In universal resource locator (URL) format, starting with “unit1>flash:/” or “flash:/”. This method is used to specify a file in the current Flash memory. For example, the URL of a file named text.txt in the root directory of the switch is unit1>flash:/text.txt or flash:/text.txt.
  • Page 760: File Operations

    Table 1-2 Directory operations: Create a directory (Optional): mkdir directory. Delete a directory (Optional): rmdir directory. Display the current working directory (Optional). Display information about specific directories and files (Optional): dir [ /all ] [ file-url ]. cd directory...
  • Page 761: Flash Memory Operations

    To do… Use the command… Remarks Optional Execute the specified batch file execute filename This command should be executed in system view. For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
  • Page 762: File System Configuration Example

    Configure the prompt mode of the file system (Required): file prompt { alert | quiet }. By default, the prompt mode of the file system is alert. File System Configuration Example # Display all the files in the root directory of the file system. <Sysname>...
  • Page 763: File Attribute Configuration

    7239 KB total (3585 KB free) (*) -with main attribute (b) -with backup attribute (*b) -with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following three startup files support file attribute configuration: App files: An app file is an executable file, with .bin as the extension. Configuration files: A configuration file is used to store and restore configuration, with .cfg as the extension.
  • Page 764: Booting With The Startup File

    The device selects the main startup file as the preferred startup file. If the device fails to boot with the main startup file, it boots with the backup startup file. For the Web file and the configuration file, Hangzhou H3C Technologies Co., Ltd (referred to as H3C hereinafter) may provide a corresponding default file when releasing a software version. When booting, the device selects the startup files in a fixed order.
  • Page 765 Setting the main or backup attribute of a Web file takes effect immediately, without restarting the switch. After upgrading a Web file, you must either specify the new Web file in the Boot menu after restarting the switch or specify it with the boot web-package command; otherwise the Web server cannot function normally.
  • Page 766 Table of Contents
    1 FTP and SFTP Configuration (1-1)
      Introduction to FTP and SFTP (1-1)
        Introduction to FTP (1-1)
        Introduction to SFTP (1-1)
      FTP Configuration (1-2)
        FTP Configuration: A Switch Operating as an FTP Server (1-2)
        FTP Configuration: A Switch Operating as an FTP Client (1-5)
        Configuration Example: A Switch Operating as an FTP Server (1-6)
        FTP Banner Display Configuration Example (1-8)
        FTP Configuration: A Switch Operating as an FTP Client (1-9)
        ...
  • Page 767: Introduction To Ftp And Sftp

    Binary mode for program file transfer
    ASCII mode for text file transfer
    An H3C S3100 series Ethernet switch can act as an FTP client or as the FTP server in FTP-based data transfer. Note that FTP sends the user name and password in cleartext and transfers the application image and configuration file unencrypted; where the peer supports it, prefer the SFTP service described later in this chapter.
    Table 1-1 Roles that an H3C S3100 series Ethernet switch can take in FTP...
  • Page 768: Ftp Configuration: A Switch Operating As An Ftp Server

    FTP Configuration
    Table 1-2 FTP configuration tasks
    Item                                                     Configuration task                          Description
    FTP Configuration: A Switch Operating as an FTP Server   Creating an FTP user                        Required
                                                             Enabling an FTP server                      Required
                                                             Configuring connection idle time            Optional
                                                             Disconnecting a specified user              Optional
                                                             Configuring the banner for an FTP server    Optional
                                                             Displaying FTP server information           ...
  • Page 769 Only one user can access an H3C S3100 series Ethernet switch at a time when it operates as an FTP server. Operating as an FTP server, the switch cannot receive a file whose size exceeds its free storage space.
  • Page 770 With an H3C S3100 series Ethernet switch acting as the FTP server, if a network administrator disconnects a user that is uploading or downloading data, the switch disconnects the user only after the data transfer has completed.
  • Page 771: Ftp Configuration: A Switch Operating As An Ftp Client

    Table 1-7 Configure the banner display for an FTP server
    Operation                    Command              Description
    Enter system view            system-view          —
    Configure a login banner     header login text    Required. Use either command or both. By default, no banner is configured.
    Configure a shell banner     header shell text
    For details about the header command, refer to the Login part of this manual.
  • Page 772: Configuration Example: A Switch Operating As An Ftp Server

    Operation                                        Command              Description
    Get the local working path on the FTP client
    Display the working directory on the FTP server
    Create a directory on the remote FTP server      mkdir pathname
    Remove a directory on the remote FTP server      rmdir pathname
    Delete a specified file                          delete remotefile    Optional
    ...
  • Page 773 to upgrade the switch application and download the configuration file config.cfg from the switch, thereby backing it up. Create a user account on the FTP server with the user name “switch” and password “hello”. The IP address 1.1.1.1 has been configured for a VLAN interface on the switch and 2.2.2.2 for the PC.
  • Page 774: Ftp Banner Display Configuration Example

    Boot ROM menu. The switch is not shipped with FTP client application software for the PC; you need to obtain and install it yourself.
    Configure Switch A (FTP server)
    # After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file for the next boot, and then restart the switch.
  • Page 775: Ftp Configuration: A Switch Operating As An Ftp Client

    An FTP user named “switch” with the password “hello” has been configured on the FTP server. The IP address 1.1.1.1 has been configured for a VLAN interface on the switch and 2.2.2.2 for the PC. Ensure that a route exists between the switch and the PC. Configure the login banner of the switch as “login banner appears”...
  • Page 776 Create a user account on the FTP server with the user name “switch” and password “hello”, and grant the user “switch” read and write permissions on the directory named “Switch” on the PC. Configure the IP address 1.1.1.1 for a VLAN interface on the switch and 2.2.2.2 for the PC. Ensure that a route exists between the switch and the PC.
  • Page 777: Sftp Configuration

    [ftp] put config.cfg
    # Execute the get command to download the file named switch.bin to the Flash memory of the switch.
    [ftp] get switch.bin
    # Execute the quit command to terminate the FTP connection and return to user view.
    [ftp] quit
    <Sysname>...
  • Page 778: Sftp Configuration: A Switch Operating As An Sftp Client

    10 minutes by default.
    Supported SFTP client software: an H3C S3100 series Ethernet switch operating as an SFTP server interoperates with SFTP client software including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WinSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
  • Page 779 Operation: Enter SFTP client view (Required)
    Command:
    sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | ...
    Of the algorithms offered here, single DES and the MD5-based HMACs are weak; select aes128 for both cipher directions and sha1 for the HMACs, and prefer dh_exchange_group over the fixed dh_group1 key exchange when the peer supports it.
  • Page 780: Sftp Configuration Example

    If you configure the server to authenticate the client by public key, the client must read its local private key when logging in to the SFTP server. Because both RSA and DSA are available for public key authentication, use the identity-key keyword to specify the algorithm so that the correct local private key is selected;...
  • Page 781
    # Configure the authentication mode as password. The authentication timeout, retry number, and server key update interval keep their default values.
    [Sysname] ssh user client001 authentication-type password
    # Specify the service type as SFTP.
    [Sysname] ssh user client001 service-type sftp
    # Enable the SFTP server.
  • Page 782
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    Received status: End of file
    Received status: Success
    # Add a directory new1, and then check whether the new directory was created successfully.
    sftp-client>...
  • Page 783
    -rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk
    Received status: End of file
    Received status: Success
    sftp-client>
    # Exit SFTP.
    sftp-client> quit
    [Sysname]
  • Page 784: Tftp Configuration

    An H3C S3100 series Ethernet switch can act as a TFTP client only. TFTP provides neither authentication nor encryption, so run the TFTP server only on a trusted management segment and stop it when the transfer is done.
    When an S3100 series Ethernet switch serving as a TFTP client downloads files from ...
    When you download a file that is larger than the free space of the switch’s flash memory:...
  • Page 785: Tftp Configuration: A Switch Operating As A Tftp Client

    Item: TFTP server configuration. Description: for details, see the corresponding manual.
    TFTP Configuration: A Switch Operating as a TFTP Client
    Basic configurations on a TFTP client: by default a switch can operate as a TFTP client. You can connect the switch to the TFTP server and transfer files in either direction by executing commands on the switch. TFTP itself has no directory operations; directories are created and removed on the server host.
  • Page 786 Configure the TFTP client (switch).
    # Log in to the switch. (You can log in through the Console port or by telnetting to the switch. See the “Login” module for details.)
    If the free space on the Flash memory of the switch is not enough to hold the file being transferred to it, delete unused files from the Flash memory to make room, and then transfer the file again.
  • Page 787 Table of Contents
    1 Information Center (1-1)
      Information Center Overview (1-1)
        Introduction to Information Center (1-1)
        System Information Format (1-4)
      Information Center Configuration (1-6)
        Introduction to the Information Center Configuration Tasks (1-6)
        Configuring Synchronous Information Output (1-7)
        Configuring to Display the Time Stamp with the UTC Time Zone (1-7)
        Setting to Output System Information to the Console (1-8)
        Setting to Output System Information to a Monitor Terminal (1-9)
        Setting to Output System Information to a Log Host (1-11)
        ...
  • Page 788: Information Center

    Information Center
    Information Center Overview
    Introduction to Information Center
    Acting as the system information hub, the information center classifies and manages system information. Together with the debugging function (the debugging command), the information center gives network administrators and developers strong support in monitoring network performance and diagnosing network problems.
  • Page 789 The system supports ten channels. Channels 0 through 5 have default channel names and are associated with the six output directions by default. Both the channel names and the associations between channels and output directions can be changed through commands.
    Table 1-2 Information channels and output directions
    Information channel   Default channel ...
  • Page 790 Module name Description Device management module Domain name system module Ethernet module Forwarding module Fabric topology management module FTPS FTP server module High availability module HABP Huawei authentication bypass protocol module HTTPD HTTP server module HWCM Huawei Configuration Management private MIB module HWPing module IFNET Interface management module...
  • Page 791: System Information Format

    To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the six output directions. System Information Format The format of system information varies with the output destinations.
  • Page 792
    %Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login
    Sysname: the system name of the local switch, which defaults to “H3C”. You can use the sysname command to change the system name (refer to the System Maintenance and Debugging part of this manual for details).
  • Page 793: Information Center Configuration

    Note that there is a space between the sysname and module fields.
    Preamble: identifies the vendor. It is displayed only when the output destination is a log host.
    Version: a syslog version identifier. It is displayed only when the output destination is a log host.
    Module: the name of the module that generated the system information.
  • Page 794: Configuring Synchronous Information Output

    Task: Setting to Output System Information to the SNMP NMS. Remarks: Optional.
    Configuring Synchronous Information Output
    With synchronous information output, if system information (log, trap, or debugging output) arrives while the user is typing a command, the command line prompt (the view prompt in command editing mode, or the [Y/N] string in interaction mode) and the characters already typed are echoed again after the output, so the user can continue where they left off.
  • Page 795: Setting To Output System Information To The Console

    Operation                                                              Command                                                   Description
    Set the time stamp format in the log host output direction             info-center timestamp loghost date                        Required. Use either command
    Set the time stamp format in the non log host output directions        info-center timestamp { log | trap | debugging } date     Required. or both.
    Set to display the UTC time zone in the ...
  • Page 796: Setting To Output System Information To A Monitor Terminal

    Table 1-8 Default output rules for different output directions
    Output direction   Modules allowed         LOG                  TRAP                   DEBUG
                                               Enabled/disabled     Enabled/disabled       Enabled/disabled
                                               Severity             Severity               Severity
    Console            default (all modules)   Enabled, warnings    Enabled, debugging     Enabled, debugging
    Monitor            default (all modules)   Enabled, warnings    Enabled, debugging     Enabled, debugging
    ...
  • Page 797 Setting to output system information to a monitor terminal
    Table 1-10 Set to output system information to a monitor terminal
    Operation                                  Command                          Description
    Enter system view                          system-view                      —
    Enable the information center              info-center enable               Optional. Enabled by default.
    Enable system information output to a      info-center monitor channel ...  Optional. By default, a switch outputs ...
    Telnet terminal or ...
  • Page 798: Setting To Output System Information To A Log Host

    Make sure that terminal display of debugging, log, and trap information is enabled (with the terminal monitor command) before you enable the corresponding display function with the terminal debugging, terminal logging, or terminal trapping command.
    Setting to Output System Information to a Log Host
    Table 1-12 Set to output system information to a log host
    Operation   Command ...
  • Page 799: Setting To Output System Information To The Trap Buffer

    Setting to Output System Information to the Trap Buffer
    Table 1-13 Set to output system information to the trap buffer
    Operation                                  Command                              Description
    Enter system view                          system-view                          —
    Enable the information center              info-center enable                   Optional. Enabled by default.
    Enable system information output to the    info-center trapbuffer [ channel     Optional. By default, the switch uses
    trap buffer                                ...                                  information channel 3 to output ...
  • Page 800: Setting To Output System Information To The Snmp Nms

    Setting to Output System Information to the SNMP NMS
    Table 1-15 Set to output system information to the SNMP NMS
    Operation                                  Command                     Description
    Enter system view                          system-view                 —
    Enable the information center              info-center enable          Optional. Enabled by default.
    Enable information output to the SNMP NMS  info-center snmp channel    Optional. By default, the switch outputs trap ...
  • Page 801: Information Center Configuration Examples

    Operation                                                                  Command                                            Description
    Display the status of the trap buffer and the information recorded in it   display trapbuffer [ unit unit-id ] [ size buffersize ]
    Clear information recorded in the log buffer                               reset logbuffer [ unit unit-id ]                   Available in user view
    Clear information recorded in the trap buffer                              reset trapbuffer [ unit unit-id ] ...
  • Page 802: Log Output To A Linux Log Host

    # Switch configuration messages
    local4.info	/var/log/Switch/information
    When you edit the file “/etc/syslog.conf”, note that:
    A comment must start on a new line, beginning with a “#” sign.
    In each selector/action pair, a tab must be used as the separator, not a space.
    No space is allowed at the end of a file name.
    The facility in the selector must match the facility configured with the info-center loghost command on the switch, or the daemon will silently drop or misfile the messages.
  • Page 803
    # Enable the information center.
    <Switch> system-view
    [Switch] info-center enable
    # Configure the host whose IP address is 202.38.1.10 as the log host. Permit all modules to output log information of severity errors or higher (more severe) to the log host.
    [Switch] info-center loghost 202.38.1.10 facility local7
    [Switch] info-center source default channel loghost log level errors debug state off trap state off...
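    The following Python is an added example, not H3C code or text from the manual. It ties together the two passages above: the system information format (page 792, the %timestamp sysname MODULE/level/DIGEST:content line) and the log host setup (pages 802 and 803, where the switch sends facility local7 at level errors and the host's syslog.conf selector decides what to keep). It parses the manual's sample line, computes the RFC 3164 PRI value the log host sees, checks whether a syslog.conf selector such as local7.info would accept a message, and counts VTY logins per source address over a few constructed log lines (the sample lines and the vty_logins check are this example's own, not from the manual).

```python
import re
from collections import Counter

# The eight severity levels of the information center (0 = most severe).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
# Classic syslog.conf level names mapped onto the same numeric scale.
SYSLOG_LEVEL = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
                "notice": 5, "info": 6, "debug": 7}
SYSLOG_LEVEL.update({name: num for num, name in SEVERITY.items()})
# RFC 3164 facility codes for local0..local7 (local7 = 23).
LOCAL_FACILITY = {f"local{n}": 16 + n for n in range(8)}

# Console/terminal format shown in the manual:
# %Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login
LINE_RE = re.compile(
    r"^%(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d:\d{3} \d{4})"
    r"(?: \[(?P<tz>[^\]]+)\])? "
    r"(?P<sysname>\S+) "
    r"(?P<module>[A-Z0-9_]+)/(?P<level>[0-7])/(?P<digest>[^:]+):"
    r"(?P<content>.*)$")


def parse_line(line: str):
    """Split one information-center line into its fields; None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"])
    rec["severity"] = SEVERITY[rec["level"]]
    rec["content"] = rec["content"].strip()
    return rec


def pri(facility: str, level: int) -> int:
    """PRI = facility * 8 + severity, the number a syslog daemon matches selectors against."""
    return LOCAL_FACILITY[facility] * 8 + level


def switch_forwards(level: int, configured: str = "errors") -> bool:
    """The switch-side filter (info-center source ... log level <name>) passes the named
    level and everything more severe."""
    return level <= SYSLOG_LEVEL[configured]


def selector_matches(selector: str, facility: str, level: int) -> bool:
    """Classic syslog.conf semantics for 'facility.level': the named level and all more severe ones."""
    sel_fac, sel_lvl = selector.split(".", 1)
    return sel_fac == facility and level <= SYSLOG_LEVEL[sel_lvl]


def vty_logins(lines) -> Counter:
    """Count SHELL/LOGIN events per source; an unexpected address here is worth a look."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["module"] == "SHELL" and rec["digest"] == "LOGIN":
            m = re.search(r"VTY\((?P<ip>[\d.]+)\)", rec["content"])
            counts[m.group("ip") if m else "console"] += 1
    return counts


# Constructed sample lines (the first is the manual's own example; the rest are made up here).
SAMPLE = [
    "%Dec 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login",
    "%Dec 8 10:12:40:010 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login",
    "%Dec 8 10:13:02:115 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(10.9.8.7) in unit1 login",
    "%Dec 8 10:13:30:500 2006 [GMT+08:00:00] Sysname ARP/6/SAMPLE:- 1 - constructed sample line",
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE):
        print(rec["module"], rec["severity"], rec["digest"], "PRI", pri("local7", rec["level"]))
    print(vty_logins(SAMPLE))
```

    With the manual's configuration (switch filter level errors, host selector local7.info) the switch-side filter is the tighter one: informational and notification messages such as the LOGIN line never leave the switch, so if you want login events on the log host you must raise the switch-side level, not the host selector.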
  • Page 804: Log Output To The Console

    Log Output to the Console
    Network requirements
    The switch sends the following information to the console: the log information of the two modules ARP and IP, with severity informational and higher (more severe).
    Network diagram
    Figure 1-3 Network diagram for log output to the console
    Configuration procedure
    # Enable the information center.
  • Page 805
    # Set the time stamp format of the log information to be output to the log host to date.
    <Switch> system-view
    System View: return to User View with Ctrl+Z.
    [Switch] info-center timestamp loghost date
    # Configure the information center to add the UTC time to its output.
    [Switch] info-center timestamp utc
  • Page 806 Table of Contents
    1 Boot ROM and Host Software Loading (1-1)
      Introduction to Loading Approaches (1-1)
      Local Boot ROM and Software Loading (1-1)
        BOOT Menu (1-2)
        Loading by XModem through Console Port (1-3)
        Loading by TFTP through Ethernet Port (1-7)
        Loading by FTP through Ethernet Port (1-9)
      Remote Boot ROM and Software Loading (1-11)
        Remote Loading Using FTP (1-11)
        Remote Loading Using TFTP (1-15)
        ...
  • Page 807
      Configuring a Scheduled Task (5-1)
        Configuration Prerequisites (5-1)
        Configuring a Scheduled Task (5-1)
      Scheduled Task Configuration Example (5-2)
        ...
  • Page 808: Introduction To Loading Approaches

    Boot ROM and Host Software Loading
    Traditionally, switch software is loaded through a serial port. This approach is slow and cannot be used for remote loading. To address these problems, the TFTP and FTP modules were introduced into the switch. With these modules, you can load software and files to the switch conveniently through an Ethernet port.
  • Page 809: Boot Menu

    BOOT Menu
    Starting......
    ***********************************************************
    *                                                         *
    *        H3C S3100-26TP-EI-W BOOTROM, Version 506         *
    *                                                         *
    ***********************************************************
    Copyright(c) 2004-2007 Hangzhou H3C Technologies Co., Ltd.
    Creation date   : Apr 17 2007, 10:12:36
    CPU Clock Speed : 200MHz
    BUS Clock Speed : 33MHz
    Memory Size     : 64MB
    Mac Address     : 000fe2123456
    Press Ctrl-B to enter Boot Menu...
  • Page 810: Loading By Xmodem Through Console Port

    Loading by XModem through Console Port
    Introduction to XModem
    XModem is a file transfer protocol that is widely used because of its simplicity and stability. It transfers files through the Console port. It supports two packet sizes (128 bytes and 1 KB), two check methods (checksum and CRC), and retransmission of corrupted packets (the maximum number of retransmission attempts is generally ten).
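    The following Python is an added example, not H3C code or part of the manual. It frames a firmware image into XModem packets with either check method the text names (the arithmetic checksum or CRC-16/XMODEM), validates packets as a receiver would, and shows why the CRC is the one to pick when the terminal program offers a choice: a simple byte swap inside a packet leaves the checksum unchanged but is caught by the CRC. The packet layout used (SOH/STX header, block number and its complement, 0x1A padding, checksum or big-endian CRC) is the standard XModem layout; the image bytes are constructed here.

```python
SOH, STX, PAD = 0x01, 0x02, 0x1A   # 128-byte header, 1024-byte header, CP/M EOF padding


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, init 0x0000, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def checksum8(data: bytes) -> int:
    """Original XModem check: sum of the payload bytes modulo 256."""
    return sum(data) & 0xFF


def trailer_for(chunk: bytes, use_crc: bool) -> bytes:
    return crc16_xmodem(chunk).to_bytes(2, "big") if use_crc else bytes([checksum8(chunk)])


def build_packets(image: bytes, block_size: int = 128, use_crc: bool = True) -> list:
    """Sender side: split the image into padded packets with header, block number and check."""
    if block_size not in (128, 1024):
        raise ValueError("XModem payloads are 128 or 1024 bytes")
    header = SOH if block_size == 128 else STX
    packets = []
    for n, off in enumerate(range(0, len(image), block_size), start=1):
        chunk = image[off:off + block_size].ljust(block_size, bytes([PAD]))
        blk = n & 0xFF                      # block numbers run 1..255 and wrap to 0
        packets.append(bytes([header, blk, 0xFF - blk]) + chunk + trailer_for(chunk, use_crc))
    return packets


def check_packet(packet: bytes, expected_block: int, use_crc: bool = True):
    """Receiver side: return the payload if the packet is sound, None if it must be NAKed."""
    if not packet or packet[0] not in (SOH, STX):
        return None
    size = 128 if packet[0] == SOH else 1024
    if len(packet) != 3 + size + (2 if use_crc else 1):
        return None
    blk, blk_inv = packet[1], packet[2]
    chunk, trailer = packet[3:3 + size], packet[3 + size:]
    if blk != expected_block or blk_inv != 0xFF - blk:
        return None
    return chunk if trailer == trailer_for(chunk, use_crc) else None


def receive(packets, use_crc: bool = True, max_retries: int = 10):
    """Simulate a receiver over a lossy link: each list entry is the sequence of attempts for
    one block (a real sender retransmits on NAK). Returns (padded_image, nak_count)."""
    image, naks, expected = bytearray(), 0, 1
    for attempts in packets:
        for attempt in attempts[:max_retries]:
            payload = check_packet(attempt, expected, use_crc)
            if payload is not None:
                break
            naks += 1
        else:
            raise RuntimeError(f"block {expected} failed after {max_retries} attempts")
        image += payload
        expected = (expected + 1) & 0xFF
    return bytes(image), naks


if __name__ == "__main__":
    firmware = bytes(range(256)) * 2          # constructed 512-byte "image"
    good = build_packets(firmware)
    corrupted = bytearray(good[1]); corrupted[10] ^= 0x01
    img, naks = receive([[good[0]], [bytes(corrupted), good[1]], [good[2]], [good[3]]])
    print(len(good), "packets,", naks, "NAK(s), image intact:", img == firmware)
```

    The retry loop in receive mirrors the "generally ten attempts" figure in the text; after that the transfer is abandoned rather than silently accepting a block that never verified.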
  • Page 811 If you have chosen 9600 bps as the download baud rate, you need not change the HyperTerminal baud rate, so you can skip Steps 4 and 5 below and proceed to Step 6 directly. In this case, the system does not display the information above. The following are the configurations on the PC.
  • Page 812 Figure 1-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 1-3. Figure 1-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
  • Page 813 Step 7: Choose [Transfer/Send File] in HyperTerminal, and click <Browse> in pop-up dialog box, as shown in Figure 1-4. Select the software file that you need to load to the switch, and set the protocol to XModem. Figure 1-4 Send file dialog box Step 8: Click <Send>.
  • Page 814: Loading By Tftp Through Ethernet Port

    If the HyperTerminal’s baudrate is not reset to 9600 bps, the system prompts "Your baudrate should be set to 9600 bps again! Press enter key when ready". You need not reset the HyperTerminal’s baudrate and can skip the last step if you have chosen 9600 bps.
  • Page 815 Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. TFTP server program is not provided with the H3C Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
  • Page 816: Loading By Ftp Through Ethernet Port

    Step 6: Enter Y to start file downloading or N to return to the Boot ROM update menu. If you enter Y, the system begins to download and update the Boot ROM. Upon completion, the system displays the following information: Loading........done Bootrom updating..done! Loading host software...
  • Page 817 You can use one computer as both configuration device and FTP server. Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory. Step 3: Run the HyperTerminal program on the configuration PC.
  • Page 818: Remote Boot Rom And Software Loading

    When loading the Boot ROM and host software with FTP through the BOOT menu, it is recommended to run the FTP server on a PC directly connected to the device, which improves the reliability of the upgrade.
    Remote Boot ROM and Software Loading
    If your terminal is not directly connected to the switch, you can telnet to the switch and use FTP or TFTP to load the Boot ROM and host software remotely.
  • Page 819
    This will update BootRom file on unit 1. Continue? [Y/N] y
    Upgrading BOOTROM, please wait...
    Upgrade BOOTROM succeeded!
    Step 3: Restart the switch.
    <Sysname> reboot
    Before restarting the switch, make sure you have saved all other configuration you want to keep, so as to avoid losing it.
  • Page 820 You can configure an IP address on any VLAN interface of the switch for the FTP transfer. Before doing so, make sure that the address of that VLAN interface and the address of the PC are mutually routable.
    <Sysname>...
  • Page 821 Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
  • Page 822: Remote Loading Using Tftp

    Figure 1-13 Upload file switch.btm to the switch
    Step 8: Configure switch.btm to be the Boot ROM at the next startup, and then restart the switch.
    <Sysname> boot bootrom switch.btm
    This will update Bootrom on unit 1. Continue? [Y/N] y
    Upgrading Bootrom, please wait...
    Upgrade Bootrom succeeded!
    <Sysname>...
  • Page 824: Basic System Configuration And Debugging

    —                                         user view
    Set the system name of the switch         sysname sysname    Optional. By default, the name is H3C.
    Return from the current view to the       quit               Optional. If the current view is user view, you quit the
    lower level view                                             current user interface.
  • Page 825: Debugging The System

    Table 2-2 System information display commands
    Operation                                                 Command                 Description
    Display the current date and time of the system          display clock           You can execute the display
    Display the version of the system                        display version         commands in any view.
    Display information about users logged in to the switch  display users [ all ]
    Debugging the System...
  • Page 826: Displaying Debugging Status

    You can use the following commands to turn on the two switches that control debugging output: the module debugging switch and the terminal display switch.
    Table 2-3 Enable debugging and terminal display for a specific module
    Operation                                          Command                                       Description
    Enable system debugging for a specific module      debugging module-name [ debugging-option ]    Required. Disabled for all modules by default.
    Enable terminal display for debugging              terminal debugging                            Required...
  • Page 827: Command Alias Configuration

    Command Alias Configuration
    Introduction
    As network environments grow more complex and network products more diverse, real networks often contain devices from several vendors. Differences in command keywords between vendors then add considerably to the configuration workload of network administrators.
  • Page 828: Network Connectivity Test

    Network Connectivity Test
    ping
    You can use the ping command to check network connectivity and the reachability of a host.
    Table 3-1 The ping command
    Operation                       Command                                                                                          Description
    Check the IP network            ping [ -a ip-address ] [ -c count ] [ -d ] [ -f ] [ -h ttl ] [ -i interface-type interface-number ] [ ip ] [ -n ] [ -...   You can execute this...
  • Page 829: Introduction To Device Management

    Device Management
    Introduction to Device Management
    Device management includes the following:
    Rebooting the Ethernet switch
    Configuring real-time monitoring of the running status of the system
    Specifying the APP to be used at the next reboot
    Updating the Boot ROM
    Identifying and diagnosing pluggable transceivers
    Device Management Configuration
    Device Management Configuration Tasks
    Table 4-1 Device management configuration tasks...
  • Page 830: Scheduling A Reboot On The Switch

    Scheduling a Reboot on the Switch
    After you schedule a reboot on the switch, the switch reboots at the specified time.
    Table 4-3 Schedule a reboot on the switch
    Operation                                                   Command                                                  Description
    Schedule a reboot on the switch, and set the reboot date and time   schedule reboot at hh:mm [ mm/dd/yyyy | yyyy/mm/dd ]   Optional...
  • Page 831: Upgrading The Boot Rom

    Table 4-5 Specify the APP to be used at reboot
    Operation                              Command                                                       Description
    Specify the APP to be used at reboot   boot boot-loader [ backup-attribute ] { file-url | device-name }   Required
    Upgrading the Boot ROM
    You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM.
  • Page 832 EtherNet Transceiver Ethernet interfaces Package) For pluggable transceivers supported by S3100 series Ethernet switches, refer to H3C S3100 Series Ethernet Switches Installation Manual. Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors, you can perform the...
  • Page 833: Displaying The Device Management Configuration

    [ interface-type pluggable optical transceiver(s) optical transceiver(s) customized interface-number ] customized by H3C only by H3C Displaying the Device Management Configuration After the above configurations, you can execute the display command in any view to display the operating status of the device management to verify the configuration effects.
  • Page 834 The switch acts as the FTP client, and the remote PC serves as both the configuration PC and the FTP server. Perform the following configuration on the FTP server: configure an FTP user whose name is switch and password is hello, and grant the user read-write rights on the directory Switch on the PC.
  • Page 835
    Trying ...
    Press CTRL+K to abort
    Connected.
    220 WFTPD 2.0 service (by Texas Imperial Software) ready for new user
    User(none):switch
    331 Give me your password, please
    Password:
    230 Logged in successfully
    [ftp]
    Enter the authorized path on the FTP server.
    [ftp] cd switch
    Execute the get command to download the switch.bin and boot.btm files from the FTP server to the Flash memory of the switch.
  • Page 836: Scheduled Task Configuration

    Scheduled Task Configuration What Is a Scheduled Task A scheduled task defines a command or a group of commands and when such commands will be executed. It allows a device to execute specified command(s) at a time when no person is available to maintain the device.
  • Page 837: Scheduled Task Configuration Example

    Specify the time delay to execute the commands in the task
    Follow these steps to configure a scheduled task:
    To do…                                                          Use the command…    Description
    Enter system view                                               system-view         —
    Create a scheduled task, and enter scheduled task view          job job-name        Required
    Configure the view where the specified commands are to be ...   view view           ...
  • Page 838
    [Switch] job phone1
    # Configure the view where the specified command is to be executed as Ethernet interface view.
    [Switch-job-phone1] view Ethernet1/0/2
    # Configure the scheduled task so that PoE is enabled on the switch at 8:00 AM from Monday to Friday.
  • Page 839 Table of Contents
    1 VLAN-VPN Configuration (1-1)
      VLAN-VPN Overview (1-1)
        Introduction to VLAN-VPN (1-1)
        Implementation of VLAN-VPN (1-2)
        Configuring the TPID for VLAN-VPN Packets (1-2)
      VLAN-VPN Configuration (1-3)
        VLAN-VPN Configuration Task List (1-3)
        Enabling the VLAN-VPN Feature for a Port (1-3)
        Configuring the TPID Value for VLAN-VPN Packets (1-3)
      Displaying and Maintaining VLAN-VPN Configuration (1-4)
      VLAN-VPN Configuration Example (1-4)
        Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN (1-4)
        ...
  • Page 840: Vlan-Vpn Configuration

    VLAN-VPN Configuration. When configuring VLAN-VPN, go to these sections for information you are interested in: VLAN-VPN Overview; VLAN-VPN Configuration; Displaying and Maintaining VLAN-VPN Configuration; VLAN-VPN Configuration Example.
    VLAN-VPN Overview. Introduction to VLAN-VPN: Virtual private network (VPN) is a new technology that has emerged with the expansion of the Internet. It is used to establish private networks over the public network.
  • Page 841: Implementation Of Vlan-Vpn

    Configuring the TPID for VLAN-VPN Packets The contents of this section are only applicable to the S3100-EI series among S3100 series switches. A VLAN tag uses the tag protocol identifier (TPID) field to identify the protocol type of the tag. The value of this field is 0x8100 for IEEE 802.1Q.
  • Page 842: Vlan-Vpn Configuration

    Protocol type and value: IS-IS 0x8000; LACP 0x8809; 802.1x 0x888E.
    VLAN-VPN Configuration. VLAN-VPN Configuration Task List: Complete the following tasks to configure VLAN-VPN: Enabling the VLAN-VPN Feature for a Port (Required); Configuring the TPID Value for VLAN-VPN Packets (Optional).
    Enabling the VLAN-VPN Feature for a Port. Follow these steps to enable the VLAN-VPN feature for a port: To do...
  • Page 843: Displaying And Maintaining Vlan-Vpn Configuration

    As shown in Figure 1-4, Switch A and Switch B are both S3100 series switches. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
  • Page 844 Network diagram: Figure 1-4 Network diagram for VLAN-VPN configuration. Configuration procedure: Configure Switch A.
    # Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
    <SwitchA>...
  • Page 845
    [SwitchB] interface Ethernet 1/0/21
    [SwitchB-Ethernet1/0/21] vlan-vpn enable
    # Set the global TPID value to 0x9200 (for intercommunication with the devices in the public network) and set Ethernet 1/0/22 as a trunk port permitting packets of VLAN 1024.
    [SwitchB-Ethernet1/0/21] quit
    [SwitchB] vlan-vpn tpid 9200
    [SwitchB] interface Ethernet 1/0/22
    [SwitchB-Ethernet1/0/22] port link-type trunk
    [SwitchB-Ethernet1/0/22] port trunk permit vlan 1040...
  • Page 846: Selective Qinq Configuration

    Selective QinQ Configuration. This chapter is only applicable to S3100-EI series switches. When configuring selective QinQ, go to these sections for information you are interested in: Selective QinQ Overview; Selective QinQ Configuration; Selective QinQ Configuration Example.
    Selective QinQ Overview. Selective QinQ is an enhanced application of the VLAN-VPN feature.
  • Page 847: Selective Qinq Configuration Task List

    Figure 2-1 Diagram for a selective QinQ implementation In this implementation, Switch A is an access device of the service provider. The users connecting to it include common customers (in VLAN 8 to VLAN 100), VIPs (in VLAN 101 to VLAN 200), and IP telephone users (in VLAN 201 to VLAN 300).
  • Page 848: Configuring Global Tag Mapping Rules For Selective Qinq

    Configuring Global Tag Mapping Rules for Selective QinQ. Table 2-1 Configure global tag mapping rules for selective QinQ:
    Enter system view: system-view (—)
    Configure the outer VLAN tag and enter QinQ view: vlan-vpn vid vlan-id (Required)
    Configure to add outer VLAN ...: raw-vlan-id inbound... (Required; by default, the feature of...
  • Page 849 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
  • Page 850
    [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
    [SwitchA-Ethernet1/0/5] quit
    # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
    [SwitchA] interface Ethernet 1/0/3
    [SwitchA-Ethernet1/0/3] port link-type hybrid
    [SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
  • Page 851
    [SwitchB-Ethernet1/0/12] port hybrid pvid vlan 12
    [SwitchB-Ethernet1/0/12] port hybrid vlan 12 1000 untagged
    [SwitchB-Ethernet1/0/12] quit
    # Configure Ethernet 1/0/13 as a hybrid port and configure VLAN 13 as its default VLAN. Configure Ethernet 1/0/13 to remove VLAN tags when forwarding packets of VLAN 13 and VLAN 1200.
    [SwitchB] interface Ethernet 1/0/13
    [SwitchB-Ethernet1/0/13] port link-type hybrid
    [SwitchB-Ethernet1/0/13] port hybrid pvid vlan 13...
  • Page 852: Bpdu Tunnel Configuration

    BPDU Tunnel Configuration. This chapter is only applicable to S3100-EI series switches. When configuring BPDU tunnel, go to these sections for information you are interested in: BPDU Tunnel Overview; BPDU Tunnel Configuration; Displaying and Maintaining BPDU Tunnel Configuration; BPDU Tunnel Configuration Example.
    BPDU Tunnel Overview. Introduction to the BPDU Tunnel Feature: Normally, Layer 2 protocols are needed in a LAN for network topology maintenance and management.
  • Page 853 customer network to the service provider network. The customer network contains Network A and Network B. You can have the BPDU packets of the customer network transmitted transparently through the service provider network by enabling the BPDU tunnel feature on the edge devices at both ends of the service provider network.
  • Page 854: Bpdu Tunnel Configuration

    MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the service provider network. BPDU Tunnel Configuration You can establish BPDU tunnels between S3100 series Ethernet switches for the packets of the following protocols: LACP (link aggregation control protocol)
  • Page 855: Displaying And Maintaining Bpdu Tunnel Configuration

    Enter Ethernet port view: interface interface-type interface-number (—)
    Enable BPDU tunnel for packets of a specific protocol: bpdu-tunnel protocol-type (Required; by default, BPDU tunnel is disabled for packets of any protocol.)
    If BPDU tunnel transparent transmission is enabled for packets of a protocol, the protocol cannot be enabled on the port.
  • Page 856 Enable the service provider network to transmit STP packets of the customer network through BPDU tunnel. The destination MAC address for tunnel packets is 010f-e233-8b22. Enable the VLAN-VPN feature for the service provider network, and enable the service provider network to use VLAN 100 to transmit data packets of the customer network. Network diagram Figure 3-4 Network diagram for BPDU Tunnel configuration Configuration procedure...
  • Page 857
    [Sysname-Ethernet1/0/4] bpdu-tunnel stp
    # Enable VLAN-VPN and use VLAN 100 to transmit user data packets through BPDU tunnels.
    [Sysname-Ethernet1/0/4] port access vlan 100
    [Sysname-Ethernet1/0/4] vlan-vpn enable
    # Configure the destination MAC address for the packets transmitted in the tunnel.
    [Sysname-Ethernet1/0/4] quit
    [Sysname] bpdu-tunnel tunnel-dmac 010f-e233-8b22
    # Configure Ethernet1/0/3 as a trunk port that permits packets of all VLANs.
  • Page 858 Table of Contents: 1 VLAN Mapping Configuration 1-1; VLAN Mapping Overview 1-1; Implementation and Application of One-to-one VLAN Mapping 1-1; Implementation and Application of Many-to-One VLAN Mapping 1-2; Configuring the DHCP Option 82 for Many-to-One VLAN Mapping 1-3; Configuring One-to-one VLAN Mapping 1-4; One-to-one VLAN Mapping Configuration Task List 1-4; Configuring a Global One-to-One VLAN Mapping Rule 1-4; Configuring a Port-Level One-to-One VLAN Mapping Rule 1-5...
  • Page 859: Vlan Mapping Configuration

    VLAN Mapping Configuration The VLAN mapping feature is applicable to only the S3100-EI series among the S3100 series. VLAN Mapping Overview VLAN mapping replaces the original VLAN tag of a packet with a new one, so that the packet can be processed and forwarded according to the new VLAN tag.
  • Page 860: Implementation And Application Of Many-To-One Vlan Mapping

    As shown in Figure 1-1, each user in the community has multiple applications. The VLAN technology is used on the home gateway to distinguish traffic types. Because each home gateway has the same configuration, the same type of traffic from different users is transmitted within the same VLAN. As a result, the upper-layer device (such as the distribution switch) cannot identify the users of traffic streams.
  • Page 861: Configuring The Dhcp Option 82 For Many-To-One Vlan Mapping

    Figure 1-3 After many-to-one VLAN mapping. Configuring the DHCP Option 82 for Many-to-One VLAN Mapping: Option 82 is the relay agent option in the option field of the DHCP message. A DHCP snooping-enabled device that supports option 82 can insert the location information (including the port number and VLAN) of the DHCP client into the DHCP request.
  • Page 862: Configuring One-To-One Vlan Mapping

    Configuring One-to-one VLAN Mapping. One-to-one VLAN Mapping Configuration Task List: Complete the following tasks to configure one-to-one VLAN mapping: Configuring a Global One-to-One VLAN Mapping Rule, or Configuring a Port-Level One-to-One VLAN Mapping Rule (use either approach).
    On a port, one-to-one VLAN mapping is mutually exclusive with VLAN-VPN. One-to-one VLAN mapping is mutually exclusive with protocol-based VLAN.
  • Page 863: Configuring A Port-Level One-To-One Vlan Mapping Rule

    You cannot enable one-to-one VLAN mapping on a link aggregation group member port. When you configure a global one-to-one VLAN mapping rule and then enable one-to-one VLAN mapping on a port, selective QinQ is automatically enabled on the port. Configuring a Port-Level One-to-One VLAN Mapping Rule Follow these steps to configure a port-level one-to-one VLAN mapping rule: To do…...
  • Page 864: Configuring Dhcp Snooping Option 82 To Carry The Original Vlan Information

    Configure a many-to-one VLAN mapping rule and enable many-to-one VLAN mapping on the port: vlan-mapping n-to-1 vlan old-vlan-id remark new-vlan-id (Required; repeat this step to map multiple original VLANs to the target VLAN.)
    One-to-one VLAN mapping is mutually exclusive with many-to-one VLAN mapping. With many-to-one VLAN mapping enabled on a port, you cannot enable one-to-one VLAN mapping on any other port.
  • Page 865 This example describes how to configure one-to-one VLAN mapping for two users: map the three traffic streams from user A to VLAN 1001, VLAN 1002, and VLAN 1003, and map the three traffic streams from user B to VLAN 2001, VLAN 2002, and VLAN 2003. Figure 1-5 Network diagram for one-to-one VLAN mapping configuration Configuration Procedure # Create VLAN 1 (which exists by default), VLAN 2, and VLAN 3 on Switch A, and the target VLANs...
  • Page 866: Many-To-One Vlan Mapping Configuration Example

    If you configure Ethernet 1/0/1 and Ethernet 1/0/2 as trunk ports, you also need to assign them to the corresponding original VLANs and target VLANs. In the configuration above, the default VLAN of each port is VLAN 1. If you have changed the default VLAN of a port, you must assign the port to the default VLAN.
  • Page 867 Figure 1-6 Network diagram for many-to-one VLAN mapping configuration. Configuration Procedure: Configuring Many-to-One VLAN Mapping.
    # Create VLAN 1 (which exists by default), VLAN 2, and VLAN 3, and the target VLANs (VLAN 1001 and VLAN 2001) on Switch A.
    <SwitchA>...
  • Page 868: Configuring Dhcp Option 82

    [SwitchA] interface GigabitEthernet 1/1/1
    [SwitchA-GigabitEthernet1/1/1] port link-type trunk
    [SwitchA-GigabitEthernet1/1/1] port trunk permit vlan 1001 2001
    Configuring DHCP Option 82
    # Enable DHCP snooping on Switch A, and configure GigabitEthernet 1/1/1 as a trusted port.
    [Sysname] dhcp-snooping
    [Sysname] interface GigabitEthernet 1/1/1
    [Sysname-GigabitEthernet1/1/1] dhcp-snooping trust
    [Sysname-GigabitEthernet1/1/1] quit
    # Configure DHCP snooping to support option 82 on Switch A.
  • Page 869 Table of Contents: 1 HWPing Configuration 1-1; HWPing Overview 1-1; Introduction to HWPing 1-1; Test Types Supported by HWPing 1-2; HWPing Test Parameters 1-2; HWPing Configuration 1-4; HWPing Server Configuration 1-4; HWPing Client Configuration 1-4; Displaying HWPing Configuration 1-20; HWPing Configuration Examples 1-20; ICMP Test 1-20; DHCP Test 1-21; FTP Test 1-23; HTTP Test 1-24...
  • Page 870: Introduction To Hwping

    HWPing Configuration. When configuring HWPing, go to these sections for information you are interested in: HWPing Overview; HWPing Configuration; HWPing Configuration Examples.
    HWPing Overview. Introduction to HWPing: HWPing (pronounced Hua’Wei Ping) is a network diagnostic tool. It is used to test the performance of various protocols running in networks.
  • Page 871: Test Types Supported By Hwping

    Test Types Supported by HWPing. Table 1-1 Test types supported by HWPing:
    ICMP test, DHCP test, FTP test, HTTP test, DNS test, SNMP test: For these types of tests, you need to configure the HWPing client and the corresponding servers.
    Jitter test ...: These types of tests need the cooperation of the HWPing client and...
  • Page 872 Test parameter and description:
    Number of probes per test (count): For tests except the jitter test, only one test packet is sent in a probe. In a jitter test, you can use the jitter-packetnum command to set the number of packets to be sent in a probe.
  • Page 873: Hwping Server Configuration

    Test parameter and description:
    Interval to send jitter test packets (jitter-interval): Each jitter probe sends multiple UDP test packets at regular intervals (you can set the interval). The smaller the interval, the faster the test; but too small an interval may somewhat impact your network.
  • Page 874
    Enter system view: system-view (—)
    Enable the HWPing client function: hwping-agent enable (Required; by default, the HWPing client function is disabled.)
    Create an HWPing test group and enter its view: hwping administrator-name operation-tag (Required; by default, no test group is configured.)
  • Page 875
    Configure the retaining time of statistics information: statistics keep-time keep-time (Optional; by default, the retaining time of statistics information is 120 minutes.)
    Configure test start time and lifetime: test-time begin { hh:mm:ss [ yyyy/mm/dd ] | now } lifetime lifetime (Optional; by default, no test start time and lifetime...
  • Page 876
    Create an HWPing test group and enter its view: hwping administrator-name operation-tag (Required; by default, no test group is configured.)
    Configure the test type: test-type dhcp (Required; by default, the test type is ICMP.)
    Configure the source interface: source-interface interface-type...
  • Page 877
    Enable the HWPing client function: hwping-agent enable (Required; by default, the HWPing client function is disabled.)
    Create an HWPing test group and enter its view: hwping administrator-name operation-tag (Required; by default, no test group is configured.)
    Configure the test type: test-type ftp (Required)...
  • Page 878
    Configure the test type: test-type http (Required; by default, the test type is ICMP.)
    Configure the destination IP address: destination-ip ip-address (Required; when you use H3C S3100 Series Switches as the HWPing client for an HTTP test, the destination address can be a host name or an IP address.)
  • Page 879
    Configure the source IP address: source-ip ip-address (Optional; by default, no source IP address is configured.)
    Configure the source port: source-port port-number (Optional; by default, no source port is configured.)
    Configure the number of probes per test: count times (Optional; by default, each test makes one...
  • Page 880
    Configure the type of HTTP operation: http-operation { get | post } (Optional; by default, the type of HTTP operation is get, that is, the HTTP operation gets data from the HTTP server.)
    Configure the HTTP operation string: http-string string version... (Optional)
  • Page 881
    Configure a stuffing character string: datafill string (Optional; by default, the numbers between 0 and 255 are stuffed into datagrams cyclically.)
    Configure a test description: description string (Optional; by default, no description information is configured.)
  • Page 882
    Configure the advantage factor for a jitter voice test: adv-factor adv-number (By default, the advantage factor is zero.)
    Start the test: test-enable (Required)
    Display test results: display hwping results [ admin-name operation-tag ] (Required; you can execute the command in any view.)
  • Page 883
    Configure the retaining time of statistics information: statistics keep-time keep-time (Optional; by default, the retaining time of statistics information is 120 minutes.)
    Configure test start time and lifetime: test-time begin { hh:mm:ss [ yyyy/mm/dd ] | now } lifetime lifetime (Optional; by default, no test start time and lifetime...
  • Page 884
    Configure the destination port: destination-port (Required in a Tcpprivate test. A Tcppublic test is a TCP connection test on port 7. Use the hwping-server tcpconnect ip-address 7 command on the server to configure the listening service port; otherwise the test will fail.)
  • Page 885
    Configure the type of service: tos value (Optional; by default, the service type is zero.)
    Start the test: test-enable (Required)
    Display test results: display hwping results [ admin-name operation-tag ] (Required; the display command can be executed in any view.)
  • Page 886
    Enable history record: history-record enable (Optional; by default, history record is not enabled.)
    Configure the retaining time of history record: history keep-time keep-time (Optional; by default, the retaining time of history record is 120 minutes.)
  • Page 887
    Configure the source IP address: source-ip ip-address (Optional; by default, no source IP address is specified.)
    Configure the number of probes per test: count times (Optional; by default, one probe is made per test.)
    Configure a test description: description string (Optional)...
  • Page 888
    Configure the IP address of the DNS server: dns-server ip-address (Required; by default, no DNS server address is configured.)
    Start the test: test-enable (Required)
    Display test results: display hwping results [ admin-name operation-tag ] (Required; the display command can be executed in any view.)
  • Page 889: Displaying Hwping Configuration

    ICMP Test Network requirements An H3C S3100 series Ethernet switch serves as the HWPing client. An HWPing ICMP test between the switch and another switch uses ICMP to test the round trip time (RTT) for packets generated by the HWPing client to travel to and back from the destination switch.
  • Page 890: Dhcp Test

    DHCP Test Network requirements The HWPing client is an H3C S3100 series Ethernet switch, while the DHCP server can be an H3C S5600 series Ethernet switch. Perform an HWPing DHCP test between the two switches to test the time required for the HWPing client to obtain an IP address from the DHCP server.
  • Page 891
    [Sysname-hwping-administrator-dhcp] source-interface Vlan-interface 1
    # Configure to make 10 probes per test.
    [Sysname-hwping-administrator-dhcp] count 10
    # Set the probe timeout time to 5 seconds.
    [Sysname-hwping-administrator-dhcp] timeout 5
    # Enable the saving of history records and set the maximum number of history records that can be saved to 10.
  • Page 892: Ftp Test

    FTP Test Network requirements Both the HWPing client and the FTP server are H3C S3100 series Ethernet switches. Perform an HWPing FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established. Both the username and password used to log in to the FTP server are admin.
  • Page 893: Http Test

    HTTP Test Network requirements An H3C S3100 series Ethernet switch serves as the HWPing client, and a PC serves as the HTTP server. Perform an HWPing HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established.
  • Page 894 Network diagram Figure 1-5 Network diagram for the HTTP test Configuration procedure Configure HTTP Server: Use Windows 2003 Server as the HTTP server. For HTTP server configuration, refer to the related instruction on Windows 2003 Server configuration. Configure HWPing Client (Switch A): # Enable the HWPing client.
  • Page 895: Jitter Test

    For detailed output description, see the corresponding command manual. When you use H3C S3100 Series Switches as the HWPing client for an HTTP test and configure the destination address as a host name, you must configure the IP address of the DNS server so that the host name can be resolved into an IP address, which is the destination IP address of the HTTP test.
  • Page 896
    <Sysname> system-view
    [Sysname] hwping-server enable
    [Sysname] hwping-server udpecho 10.2.2.2 9000
    Configure HWPing Client (Switch A):
    # Enable the HWPing client.
    <Sysname> system-view
    [Sysname] hwping-agent enable
    # Create an HWPing test group, setting the administrator name to administrator and the test tag to Jitter.
    [Sysname] hwping administrator Jitter
    # Configure the test type as jitter.
    [Sysname-hwping-administrator-Jitter] test-type Jitter...
  • Page 897: Snmp Test

    SNMP Test. Network requirements: Both the HWPing client and the SNMP agent are H3C S3100 series Ethernet switches. Perform HWPing SNMP tests between the two switches to measure the time from when Switch A sends an SNMP query message to Switch B (the SNMP agent) until it receives a response from Switch B.
  • Page 898 The SNMP network management function must be enabled on SNMP agent before it can receive response packets. The SNMPv2c version is used as reference in this example. This configuration may differ if the system uses any other version of SNMP. For details, see SNMP – RMON Operation Manual. Configure HWPing Client (Switch A): # Enable the HWPing client.
  • Page 899: Tcp Test (Tcpprivate Test) On The Specified Ports

    TCP Test (Tcpprivate Test) on the Specified Ports. Network requirements: Both the HWPing client and the HWPing server are H3C S3100 series Ethernet switches. Perform an HWPing Tcpprivate test to measure the time required to establish a TCP connection between this end (Switch A) and the specified destination end (Switch B), with the port number set to 8000.
  • Page 900: Udp Test (Udpprivate Test) On The Specified Ports

    UDP Test (Udpprivate Test) on the Specified Ports Network requirements Both the HWPing client and the HWPing server are H3C S3100 series Ethernet switches. Perform an HWPing Udpprivate test on the specified ports between the two switches to test the RTT of UDP packets between this end (HWPing client) and the specified destination end (HWPing server), with the port number set to 8000.
  • Page 901
    <Sysname> system-view
    [Sysname] hwping-server enable
    [Sysname] hwping-server udpecho 10.2.2.2 8000
    Configure HWPing Client (Switch A):
    # Enable the HWPing client.
    <Sysname> system-view
    [Sysname] hwping-agent enable
    # Create an HWPing test group, setting the administrator name to administrator and the test tag to udpprivate.
  • Page 902: Dns Test

    Network requirements: An H3C S3100 series Ethernet switch serves as the HWPing client, and a PC serves as the DNS server. Perform an HWPing DNS test between the switch and the DNS server to measure the time from when the client sends a DNS request until it receives a resolution result from the DNS server.
  • Page 903
    [Sysname-hwping-administrator-dns] display hwping results administrator dns
    HWPing entry(admin administrator, tag dns) test result:
    Destination ip address:10.2.2.2
    Send operation times: 10
    Receive response times: 10
    Min/Max/Average Round Trip Time: 6/10/8
    Square-Sum of Round Trip Time: 756
    Last complete test time: 2006-11-28 11:50:40.9
    Extend result:
    SD Maximal delay: 0
    DS Maximal delay: 0...
  • Page 904 Table of Contents: 1 IPv6 Configuration 1-1; IPv6 Overview 1-1; IPv6 Features 1-1; Introduction to IPv6 Address 1-2; Introduction to IPv6 Neighbor Discovery Protocol 1-5; Introduction to ND Snooping 1-7; Introduction to ND Detection 1-8; Introduction to DHCPv6 Snooping 1-10; Introduction to IPv6 Filtering 1-11; Introduction to IPv6 DNS 1-12; Protocols and Standards 1-12; IPv6 Configuration Task List 1-13...
  • Page 905: Ipv6 Configuration

    IPv6 Configuration H3C S3100 Series Ethernet Switches support IPv6 management features, but do not support IPv6 forwarding and related features. The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 906: Introduction To Ipv6 Address

    Adequate address space: The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 x 10^38 addresses, which fully meets the requirements of hierarchical address division as well as the allocation of public and private addresses. Hierarchical address structure: IPv6 adopts a hierarchical address structure to speed up route lookup and, by means of route aggregation, to reduce the system resources occupied by the IPv6 routing table.
  • Page 907 If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon (::) option. For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B. The double-colon can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double-colon represents when converting it to zeros to restore the IPv6 address to a 128-bit address.
  • Page 908 Anycast address: Anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses. Unicast address: There are several forms of unicast address assignment in IPv6, including global unicast address, link-local address, and site-local address.
  • Page 909: Introduction To Ipv6 Neighbor Discovery Protocol

    hexadecimal number FFFE needs to be inserted in the middle of the MAC address (behind the 24 high-order bits). To ensure the interface identifier obtained from a MAC address is unique, it is necessary to set the universal/local (U/L) bit (the seventh high-order bit) to “1”. Thus, an interface identifier in EUI-64 format is obtained.
  • Page 910 H3C S3100 Series Ethernet Switches do not support RS, RA, or Redirect messages. Of the above-mentioned IPv6 NDP functions, H3C S3100 Series Ethernet Switches support the following three: address resolution, neighbor unreachability detection, and duplicate address detection. The subsequent sections present a detailed description of these three functions and the relevant configuration.
  • Page 911: Introduction To Nd Snooping

    B. Otherwise, node B is not using the IPv6 address and node A can use it. Introduction to ND Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support ND snooping. The ND snooping feature is used in Layer 2 switching networks. It creates ND snooping entries using NS messages.
  • Page 912: Introduction To Nd Detection

    Introduction to ND Detection. Among the S3100 series Ethernet switches, only the S3100-EI series support ND detection. Background: The IPv6 Neighbor Discovery (ND) protocol uses five types of ICMPv6 messages to implement the following five functions: address resolution, neighbor unreachability detection, duplicate address detection, router/prefix discovery and address autoconfiguration, and redirection.
  • Page 913 Router Advertisement (RA) Redirect The ND protocol is powerful, but because it has no security mechanism of its own, it is prone to abuse by attackers. ND attacks usually come from users. Normally, when the device is a Layer-2 access device, ND multicast packets sent by users are broadcast on the VLAN, and ND unicast packets are forwarded at Layer 2.
  • Page 914: Introduction To Dhcpv6 Snooping

    Introduction to DHCPv6 Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support DHCPv6 snooping. For the sake of security, the IPv6 addresses used by online DHCPv6 clients need to be tracked so that the administrator can verify the relationship between the IPv6 addresses the DHCPv6 clients obtained from DHCPv6 servers and the MAC addresses of those clients.
  • Page 915: Introduction To Ipv6 Filtering

    DHCPv6 client can obtain an IPv6 address from the authorized DHCPv6 server. Introduction to IPv6 Filtering Among the S3100 series Ethernet switches, only the S3100-EI series support IPv6 Filtering. With the IPv6 filtering function enabled on the user access port of the device, the device can block illegal use of network resources and improve network security.
  • Page 916: Introduction To Ipv6 Dns

    Figure 1-7 Diagram for the IPv6 filtering function The switch can filter invalid IPv6 packets through IPv6 static binding entries or through the IP-to-MAC address mappings of IPv6 dynamic binding entries. IPv6 Static Binding Entry A static binding is configured manually. It is suitable when there are only a few hosts in a LAN or when you need to configure a binding entry for a host separately.
  • Page 917: Ipv6 Configuration Task List

    RFC 1981: Path MTU Discovery for IP version 6 RFC 2375: IPv6 Multicast Address Assignments RFC 2460: Internet Protocol, Version 6 (IPv6) Specification. RFC 2461: Neighbor Discovery for IP Version 6 (IPv6) RFC 2462: IPv6 Stateless Address Autoconfiguration RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification RFC 2464: Transmission of IPv6 Packets over Ethernet Networks RFC 2526: Reserved IPv6 Subnet Anycast Addresses...
  • Page 918 Manual configuration: IPv6 site-local addresses or global unicast addresses are configured manually. IPv6 link-local addresses can be acquired in either of the following ways: Automatic generation: The device automatically generates a link-local address for an interface according to the link-local address prefix (FE80::/64) and the link-layer address of the interface. Manual assignment: IPv6 link-local addresses can be assigned manually.
  • Page 919: Configuring Ipv6 Ndp

    IPv6 unicast addresses can be configured for only one VLAN interface of an H3C S3100 Series Ethernet Switch. Only one global unicast address or one site-local address can be configured for an interface. After an IPv6 site-local address or global unicast address is configured for an interface, a link-local address is generated automatically.
  • Page 920 dynamically learned neighbors reaches the threshold, the interface will stop learning neighbor information. Table 1-7 Configure the maximum number of neighbors dynamically learned: Enter system view: system-view. Enter VLAN interface view: interface interface-type...
  • Page 921: Configuring A Static Ipv6 Route

    Table 1-10 Configure the neighbor reachable timeout time on an interface: Enter system view: system-view. Enter VLAN interface view: interface interface-type interface-number. Configure the neighbor reachable timeout time: ipv6 nd nud reachable-time value (Optional; 30,000 milliseconds). Configuring a Static IPv6 Route...
  • Page 922: Configuring The Maximum Number Of Ipv6 Icmp Error Packets Sent Within A Specified Time

    Enter system view: system-view. Configure the hop limit of ICMPv6 reply packets: ipv6 nd hop-limit value (Optional; 64 by default). Configuring ND Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support ND Snooping.
  • Page 923: Configuring The Nd Detection

    [ probe ] ] Not configured by default. Configuring the ND Detection Among the S3100 series Ethernet switches, only the S3100-EI series support ND Detection. Follow these steps to configure the ND detection: To do… Use the command...
  • Page 924: Configuring Dhcpv6 Snooping

    DHCPv6 snooping, or ND snooping. Otherwise, all the ND packets received from ND untrusted ports are discarded. Configuring DHCPv6 Snooping Among the S3100 series Ethernet switches, only the S3100-EI series support DHCPv6 Snooping. Configuring DHCPv6 snooping Follow these steps to configure DHCPv6 snooping: To do…...
  • Page 925: Configuring Ipv6 Filtering

    | ipv6-address ipv6-address | string Not configured by default. string | sysname } Configuring IPv6 Filtering Among the S3100 series Ethernet switches, only the S3100-EI series support IPv6 filtering. Follow these steps to configure IPv6 filtering: To do… Use the command…...
  • Page 926: Configuring Ipv6 Dns

    You cannot configure both IPv6 filtering and port binding. Configuring IPv6 DNS Configure a static host name to IPv6 address mapping You can use a host name directly in Telnet applications, and the system resolves the host name into an IPv6 address. Each host name can correspond to only one IPv6 address. A newly configured IPv6 address overwrites the previous one.
  • Page 927: Displaying And Maintaining Ipv6

    Displaying and Maintaining IPv6: Display DHCPv6 snooping entries: display dhcp-snooping ipv6 { all | unit unit-id } (available in any view). Display DNS domain name suffix information: display dns domain [ dynamic ] (available in any view). Display IPv6 dynamic domain name: display dns ipv6 dynamic-host...
  • Page 928: Ipv6 Configuration Examples

    Clear the ND detection statistics: reset ipv6 nd detection statistics [ interface interface-type interface-number ] (available in user view). Remove ND snooping entries: reset ipv6 nd snooping [ ipv6-address | vlan vlan-id ] (available in user view). Clear the statistics of all IPv6 TCP connections: reset tcp ipv6 statistics...
  • Page 929 [SwitchB-Vlan-interface1] ipv6 address 3001::2/64 Verification # Display the brief IPv6 information of an interface on Switch A. [SwitchA-Vlan-interface1] display ipv6 interface vlan-interface 1 Vlan-interface1 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::20F:E2FF:FE47:4CA3 Global unicast address(es): 3001::1, subnet is 3001::/64 Joined group address(es): FF02::1:FF00:1...
  • Page 930: Dhcpv6 Snooping Configuration Example

    bytes=56 Sequence=3 hop limit=64 time = 6 ms Reply from FE80::2E0:FCFF:FE00:2006 bytes=56 Sequence=4 hop limit=64 time = 7 ms Reply from FE80::2E0:FCFF:FE00:2006 bytes=56 Sequence=5 hop limit=64 time = 14 ms --- FE80::2E0:FCFF:FE00:2006 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 6/22/77 ms [SwitchA-Vlan-interface1] ping ipv6 3001::2...
  • Page 931: Nd Detection Configuration Example

    Configuration procedure # Enable DHCPv6 snooping. <SwitchA> system-view [SwitchA] dhcp-snooping ipv6 enable # Specify Ethernet 1/0/1 as trusted. [SwitchA] interface Ethernet 1/0/1 [SwitchA-Ethernet1/0/1] dhcp-snooping ipv6 trust ND Detection Configuration Example Networking requirement Users Host A and Host B connect to Switch A, the gateway, through Switch B. Host A has the IPv6 address 10::5 and MAC address 0001-0203-0405.
  • Page 932: Ipv6 Filtering Configuration Example

    # Configure the upper port Ethernet 1/0/3 as an ND trusted port, and leave the lower ports Ethernet 1/0/1 and Ethernet 1/0/2 in the default state, namely ND untrusted ports. [SwitchB] interface ethernet 1/0/3 [SwitchB-Ethernet1/0/3] ipv6 nd detection trust After the configuration above, ND packets received on Ethernet 1/0/1 and Ethernet 1/0/2 are checked against the ND snooping security entries.
  • Page 933 # Enable IPv6 filtering on Ethernet 1/0/2, Ethernet 1/0/3, and Ethernet 1/0/4 to filter packets based on the source IP addresses/MAC addresses. [SwitchB] interface Ethernet1/0/2 [SwitchB-Ethernet1/0/2] ipv6 check source ip-address mac-address [SwitchB-Ethernet1/0/2] quit [SwitchB] interface Ethernet1/0/3 [SwitchB-Ethernet1/0/3] ipv6 check source ip-address mac-address [SwitchB-Ethernet1/0/3] quit [SwitchB] interface Ethernet1/0/4 [SwitchB-Ethernet1/0/4] ipv6 check source ip-address mac-address...
  • Page 934: Ipv6 Application Configuration

    IPv6 Application Configuration Introduction to IPv6 Applications IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4. The applications supported on H3C S3100 Series Ethernet Switches are: Ping, Traceroute, TFTP, and Telnet. Configuring IPv6 Applications IPv6 Ping The ping ipv6 command is commonly used for testing the reachability of a host.
  • Page 935: Ipv6 Tftp

    Figure 2-1 Traceroute process (diagram: Device A through Device D, with Hop Limit=1, Hop Limit=2, ... Hop Limit=n probes answered by Hop Limit exceeded and finally UDP port unreachable) As Figure 2-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1. When the first-hop device receives the datagram and reads the Hop Limit of 1, it discards the packet and returns an ICMP timeout error message.
  • Page 936: Ipv6 Telnet

    When you use the tftp ipv6 command to connect to the TFTP server, you must specify the “–i” keyword if the destination address is a link-local address. IPv6 Telnet The Telnet protocol is an application layer protocol of the TCP/IP protocol suite, used to provide remote login and virtual terminals.
  • Page 937: Ipv6 Application Configuration Example

    Network requirements As shown in Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is an H3C S3100 Ethernet switch, and SWB and SWC are two switches supporting IPv6 forwarding. In the LAN, a Telnet server and a TFTP server provide Telnet service and TFTP service to the switch respectively. It is required that you telnet to the Telnet server from SWA and download files from the TFTP server.
  • Page 938: Troubleshooting Ipv6 Applications

    # On SWA, configure static routes to SWC, the Telnet Server, and the TFTP Server. <SWA> system-view [SWA] ipv6 route-static 3002:: 64 3003::1 [SWA] ipv6 route-static 3001:: 64 3003::1 [SWA] quit # Trace the IPv6 route from SWA to SWC. <SWA>...
  • Page 939: Unable To Run Tftp

    Unable to Run TFTP Symptom Unable to download and upload files by performing TFTP operations. Solution Check that the route between the device and the TFTP server is up. Check that the file system of the device is usable. You can check it by running the dir command in user view.
  • Page 940 Table of Contents: 1 DNS Configuration 1-1; DNS Overview 1-1; Static Domain Name Resolution 1-1; Dynamic Domain Name Resolution 1-1; Configuring Domain Name Resolution 1-2; Configuring Static Domain Name Resolution 1-2; Configuring Dynamic Domain Name Resolution 1-3; Displaying and Maintaining DNS 1-3; DNS Configuration Example 1-4; Static Domain Name Resolution Configuration Example 1-4; Dynamic Domain Name Resolution Configuration Example 1-5; Troubleshooting DNS 1-6...
  • Page 941: Dns Configuration

    DNS Configuration This chapter covers only IPv4 DNS configuration. For details about IPv6 DNS, refer to IPv6 Management Operation. DNS Overview The domain name system (DNS) is a mechanism that provides domain name-to-IP address translation for TCP/IP applications. With DNS, you can use easy-to-remember, meaningful domain names in some applications and let the DNS server resolve them into the correct IP addresses.
  • Page 942: Configuring Domain Name Resolution

    Figure 1-1 Dynamic domain name resolution Figure 1-1 shows the relationship between the user program, the DNS client, and the DNS server. The resolver and cache make up the DNS client. The user program and DNS client run on the same device, while the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest name-to-IP address mappings in its dynamic domain name cache.
  • Page 943: Configuring Dynamic Domain Name Resolution

    The IP address most recently assigned to a host name overwrites any previous one. You may create up to 50 static mappings between domain names and IP addresses. Configuring Dynamic Domain Name Resolution Table 1-2 Configure dynamic domain name resolution Operation Command Remarks...
  • Page 944: Dns Configuration Example

    Clear the information in the dynamic domain name cache: reset dns dynamic-host (available in user view). DNS Configuration Example Static Domain Name Resolution Configuration Example Network requirements The switch uses static domain name resolution to access host 10.1.1.2 through the domain name host.com.
  • Page 945: Dynamic Domain Name Resolution Configuration Example

    Dynamic Domain Name Resolution Configuration Example Network requirements As shown in Figure 1-3, the switch serving as a DNS client uses dynamic domain name resolution to access the host at 3.1.1.1/16 through its domain name host. The DNS server has the IP address 2.1.1.2/16.
  • Page 946: Troubleshooting Dns

    Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=125 time=4 ms Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=125 time=5 ms --- host.com ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 4/4/5 ms...
  • Page 947 Table of Contents: 1 Smart Link Configuration 1-1; Smart Link Overview 1-1; Basic Concepts in Smart Link 1-1; Operating Mechanism of Smart Link 1-3; Configuring Smart Link 1-3; Configuration Tasks 1-4; Configuring a Smart Link Device 1-4; Configuring Associated Devices 1-5; Precautions 1-5; Displaying and Debugging Smart Link 1-6; Smart Link Configuration Example 1-7; Implementing Link Redundancy Backup 1-7; 2 Monitor Link Configuration 2-1...
  • Page 948: Smart Link Configuration

    Smart Link Configuration Currently, only S3100-EI series Ethernet switches support the smart link feature. Smart Link Overview As shown in Figure 1-1, dual-uplink networking is widely used today. Usually, the spanning tree protocol (STP) is used to implement link redundancy backup in the network. However, STP is not suitable for users who require fast convergence.
  • Page 949 Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure Ethernet1/0/1 of switch A in Figure 1-1 as the master port through the command line. Slave port The slave port can be either an Ethernet port or a manually-configured or static LACP aggregation group.
  • Page 950: Operating Mechanism Of Smart Link

    Operating Mechanism of Smart Link Figure 1-2 Network diagram of Smart Link operating mechanism (diagram: Switch A through Switch E with port labels; Eth1/0/2 on Switch A marked BLOCK) As shown in Figure 1-2, Ethernet1/0/1 on Switch A is active and Ethernet1/0/2 on Switch A is blocked. When the link connected to Ethernet1/0/1 fails, Ethernet1/0/1 is blocked automatically, and the state of Ethernet1/0/2 turns to active.
  • Page 951: Configuring A Smart Link Device

    Configuration Tasks Table 1-1 Smart Link configuration tasks: Configuring a Smart Link Device: Create a Smart Link group; Add member ports to the Smart Link group; Enable the function of sending flush messages in the specified control VLAN (Required). Configuring Associated Devices: Enable the function of processing flush messages (Required)...
  • Page 952: Configuring Associated Devices

    Configure a link aggregation group as a member of the Smart Link group: link-aggregation group group-id { master | slave } (Optional). Enable the function of sending flush messages in the specified VLAN: flush enable control-vlan vlan-id (Optional; by default, no control VLAN for sending flush messages is...
  • Page 953: Displaying And Debugging Smart Link

    When a Combo port operates as a member port of a Smart Link group, the optical port and the electrical port of the Combo port must not both be connected with cables at the same time. When you copy a port, the Smart Link/Monitor Link group member information configured on the port is not copied to other ports.
  • Page 954: Smart Link Configuration Example

    Network requirements As shown in Figure 1-3, Switch A is an H3C S3100 series Ethernet switch. Switch C, Switch D, and Switch E support Smart Link. Configure the Smart Link feature to provide remote PCs with reliable access to the server.
  • Page 955 # Configure Ethernet1/0/1 as the master port and Ethernet1/0/2 as the slave port for the Smart Link group. [SwitchA-smlk-group1] port Ethernet 1/0/1 master [SwitchA-smlk-group1] port Ethernet 1/0/2 slave # Configure the group to send flush messages within VLAN 1. [SwitchA-smlk-group1] flush enable control-vlan 1 Enable the function of processing flush messages received from VLAN 1 on Switch C.
  • Page 956: Monitor Link Configuration

    Monitor Link Configuration Currently, only S3100-EI series Ethernet switches support the monitor link feature. Introduction to Monitor Link Monitor Link is a collaboration scheme introduced to complement Smart Link. It is used to monitor the uplink and to improve the backup function of Smart Link. A Monitor Link group consists of an uplink port and one or more downlink ports.
  • Page 957: How Monitor Link Works

    How Monitor Link Works Figure 2-2 Network diagram for a Monitor Link group implementation (diagram: Switch A through Switch E with port labels; Eth1/0/2 on Switch A marked BLOCK) As shown in Figure 2-2, the devices Switch C and Switch D are connected to the uplink device Switch E. Switch C is configured with a Monitor Link group, where Ethernet1/0/1 is the uplink port, while Ethernet1/0/2 and Ethernet1/0/3 are the downlink ports.
  • Page 958: Creating A Monitor Link Group

    Before configuring Monitor Link, you must create a Monitor Link group and configure member ports for it. A Monitor Link group consists of an uplink port and one or more downlink ports. The uplink port can be a manually-configured or static LACP link aggregation group, an Ethernet port, or a Smart Link group.
  • Page 959: Configuring A Downlink Port

    Configure the specified Ethernet port as the uplink port of the Monitor Link group: in Monitor Link group view, port interface-type interface-number uplink; or quit, enter Ethernet port view with interface interface-type interface-number, and use port monitor-link group group-id uplink. Configuring a Downlink Port Table 2-4 Configure a downlink port Operation Command...
  • Page 960: Monitor Link Configuration Example

    Table 2-5 Display Monitor Link configuration: Display the information about one or all Monitor Link groups: display monitor-link group { group-id | all } (you can use the display command in any view). Monitor Link Configuration Example Implementing Collaboration Between Smart Link and Monitor Link Network requirements As shown in...
  • Page 961 [SwitchA-Ethernet1/0/1] stp disable [SwitchA-Ethernet1/0/1] quit [SwitchA] interface Ethernet 1/0/2 [SwitchA-Ethernet1/0/2] stp disable # Return to system view. [SwitchA-Ethernet1/0/2] quit # Create Smart Link group 1 and enter Smart Link group view. [SwitchA] smart-link group 1 # Configure Ethernet1/0/1 as the master port of the Smart Link group and Ethernet1/0/2 as the slave port.
  • Page 962 Table of Contents: 1 ARP and IP Attack Defense Configuration 1; ARP Packet Filtering Based on Gateway’s Address 1; Introduction 1; Configuring ARP Packet Filtering 1; Configuring the Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn 2; Introduction...
  • Page 963: Arp And Ip Attack Defense Configuration

    ARP and IP Attack Defense Configuration ARP Packet Filtering Based on Gateway’s Address Introduction According to the ARP design, after receiving an ARP packet whose target IP address is that of the receiving interface, a device adds the sender's IP-to-MAC mapping to its ARP mapping table even if the device itself never requested that MAC address.
  • Page 964: Configuring The Maximum Number Of Dynamic Arp Entries A Vlan Interface Can Learn

    Among the S3100 series Ethernet switches, only the S3100-EI series support ARP Packet Filtering. Follow these steps to configure ARP packet filtering based on gateway’s address: Enter system view: system-view. Enter Ethernet port view: interface interface-type...
  • Page 965: Arp/Ip Attack Defense Based On 802.1X

    For details about IP filtering and IP static binding, refer to DHCP Operation. For details about 802.1x authentication, refer to 802.1x and System Guard Operation. Configuring 802.1x-Based ARP/IP Attack Defense Among the S3100 series Ethernet switches, only the S3100-EI series support 802.1x-Based ARP/IP Attack Defense.
  • Page 966: Configuring Arp Source Mac Address Consistency Check

    Follow these steps to configure 802.1x-based ARP/IP attack defense: Enter system view: system-view. Enable using IP-MAC bindings of authenticated 802.1x clients for ARP attack detection: ip source static import dot1x (Required; disabled by default). Enter Ethernet port view: interface interface-type...
  • Page 967: Enabling Arp Source Mac Address Consistency Check

    If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned. Enabling ARP Source MAC Address Consistency Check: Enter system view: system-view. Enable ARP source MAC address consistency check: arp anti-attack valid-check enable (Required)...
  • Page 968: Arp Attack Defense Configuration Example Ii

    [Switch] interface Ethernet 1/0/2 [Switch-Ethernet1/0/2] arp filter source 192.168.100.1 [Switch-Ethernet1/0/2] quit # Configure ARP packet filtering based on the gateway’s IP address on Ethernet 1/0/3. [Switch] interface Ethernet 1/0/3 [Switch-Ethernet1/0/3] arp filter source 192.168.100.1 [Switch-Ethernet1/0/3] quit ARP Attack Defense Configuration Example II Network Requirements Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B).
  • Page 969: Arp/Ip Attack Defense Configuration Example Iii

    [SwitchA-Vlan-interface1] arp max-learning-num 500 [SwitchA-Vlan-interface1] quit ARP/IP Attack Defense Configuration Example III Network Requirements Host A is assigned a static IP address and has an 802.1x client installed. A CAMS authentication, authorization and accounting server serves as the authentication server. Enable ARP attack detection and IP filtering based on the bindings of authenticated 802.1x clients on the switch to prevent ARP attacks.
  • Page 970 [Switch] interface ethernet1/0/1 [Switch-Ethernet1/0/1] dot1x # Enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients. [Switch-Ethernet1/0/1] ip check dot1x enable...
  • Page 971 Table of Contents: 1 LLDP Configuration 1-1; Overview 1-1; Background 1-1; Basic Concepts 1-1; Operating Modes of LLDP 1-5; How LLDP Works 1-6; Protocols and Standards 1-6; LLDP Configuration Task List 1-6; Performing Basic LLDP Configuration 1-7; Enabling LLDP 1-7; Setting LLDP Operating Mode 1-7; Setting the LLDP Re-Initialization Delay 1-7; Enabling LLDP Polling 1-8; Configuring the TLVs to Be Advertised 1-8...
  • Page 972: Overview

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Overview; LLDP Configuration Task List; Performing Basic LLDP Configuration; Configuring CDP Compatibility; Configuring LLDP Trapping; Displaying and Maintaining LLDP; LLDP Configuration Examples. Overview Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
  • Page 973 Figure 1-1 Ethernet II-encapsulated LLDP frame format The fields in the frame are described in Table 1-1: Table 1-1 Description of the fields in an Ethernet II-encapsulated LLDP frame. Destination MAC address: The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 974 Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used. Type: The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  • Page 975 VLAN Name: A specific VLAN name on the port. Protocol Identity: Protocols supported on the port. Currently, H3C devices support receiving but not sending protocol identity TLVs. IEEE 802.3 organizationally specific TLVs Table 1-5 IEEE 802.3 organizationally specific TLVs Type...
  • Page 976: Operating Modes Of Lldp

    LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’ requirements for cost effectiveness, ease of deployment, and ease of management.
  • Page 977: How Lldp Works

    How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
  • Page 978: Performing Basic Lldp Configuration

    Performing Basic LLDP Configuration Enabling LLDP To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP: To do… Use the command… Remarks Enter system view system-view —...
  • Page 979: Enabling Lldp Polling

    Enabling LLDP Polling With LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration change, the device sends LLDP frames to inform the neighboring devices of the change. Follow these steps to enable LLDP polling: To do…...
  • Page 980: Setting Other Lldp Parameters

    Enter Ethernet interface view: interface interface-type interface-number (Required). Enable LLDP to advertise management address TLVs and configure the advertised management address: lldp management-address-tlv [ ip-address ] (Optional; by default, the management address is sent through LLDPDUs, and the management address is the main IP address of the lowest-ID VLAN carried on the port).
  • Page 981: Setting An Encapsulation Format For Lldpdus

    LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation. Configuring CDP Compatibility Of the S3100 series, only the S3100-EI series switches support the CDP compatibility function. On an S3100-EI series switch, only one voice VLAN exists at any given point in time. For detailed information about voice VLAN, refer to Voice VLAN Operation in this manual.
  • Page 982: Configuring Cdp Compatibility

    With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN ID of the device for the IP phones to configure the voice VLAN automatically. In this way, voice traffic is confined in the configured voice VLAN and is thus differentiated from other types of traffic.
  • Page 983: Displaying And Maintaining Lldp

    Follow these steps to configure LLDP trapping:
    Enter system view: system-view
    Enter Ethernet interface view: interface interface-type interface-number (Required)
    Enable LLDP trap sending: lldp notification remote-change enable (Required. Disabled by default)
    Quit to system view: quit
    Set the interval to send LLDP... (Optional)
  • Page 984 Figure 1-4 Network diagram for basic LLDP configuration (Switch A, Switch B; ports Eth1/0/1, Eth1/0/2)
    Configuration procedure
    Configure Switch A.
    # Enable LLDP globally.
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
  • Page 985
    Hold multiplier
    Reinit delay : 2s
    Transmit delay : 2s
    Trap interval : 5s
    Fast start times
    Port 1 [Ethernet1/0/1]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV...
  • Page 986: Cdp-Compatible Lldp Configuration Example

    As shown in the sample output, Ethernet 1/0/2 of Switch A does not connect any neighboring devices. CDP-Compatible LLDP Configuration Example Of the S3100 series, only the S3100-EI series switches support the CDP compatibility function. Network requirements As shown in...
  • Page 987 Figure 1-5 Network diagram for CDP-compatible LLDP configuration
    Configuration procedure
    Configure a voice VLAN on Switch A
    # Create VLAN 2.
    <SwitchA> system-view
    [SwitchA] vlan 2
    [SwitchA-vlan2] quit
    # Set the link type of Ethernet 1/0/1 and Ethernet 1/0/2 to trunk and enable voice VLAN on them.
    [SwitchA] interface ethernet 1/0/1
    [SwitchA-Ethernet1/0/1] port link-type trunk
    [SwitchA-Ethernet1/0/1] voice vlan 2 enable...
  • Page 988
    [SwitchA] display lldp neighbor-information
    CDP neighbor-information of port 1[Ethernet1/0/1]:
    CDP neighbor index : 1
    Chassis ID : SEP00141CBCDBFE
    Port ID : Port 1
    Sofrware version : P0030301MFG2
    Platform : Cisco IP Phone 7960
    Duplex : Full
    CDP neighbor-information of port 2[Ethernet1/0/2]:
    CDP neighbor index : 2
    Chassis ID : SEP00141CBCDBFF...
  • Page 989 Table of Contents
    1 PKI Configuration 1-1
      Introduction to PKI 1-1
        PKI Overview 1-1
        PKI Terms 1-1
        Architecture of PKI 1-2
        Applications of PKI 1-3
        Operation of PKI 1-3
      PKI Configuration Task List 1-4
      Configuring an Entity DN 1-4
      Configuring a PKI Domain 1-6
      Submitting a PKI Certificate Request 1-7
        Submitting a Certificate Request in Auto Mode 1-7
        Submitting a Certificate Request in Manual Mode 1-8...
  • Page 990: Pki Configuration

    PKI Configuration
    When configuring PKI, go to these sections for information you are interested in: Introduction to PKI, PKI Configuration Task List, Displaying and Maintaining PKI, PKI Configuration Examples, Troubleshooting PKI.
    Introduction to PKI
    This section covers these topics: PKI Overview, PKI Terms, Architecture of PKI, Applications of PKI...
  • Page 991: Architecture Of Pki

    CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate signed by the CA at the next higher level.
  • Page 992: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 993: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 994 The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 995: Configuring A Pki Domain

    Configuring a PKI Domain
    Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance. A PKI domain is defined by these parameters:
    Trusted CA: An entity requests a certificate from a trusted CA.
  • Page 996: Submitting A Pki Certificate Request

    Specify the entity for certificate request: certificate request entity entity-name (Required. No entity is specified by default. The specified entity must exist.)
    Specify the authority for certificate request: certificate request from { ca | ra } (Required. No authority is specified by default.)
  • Page 997: Submitting A Certificate Request In Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode:
    Enter system view: system-view
    Enter PKI domain view: pki domain domain-name
    Set the certificate request mode to auto: certificate request mode auto [ key-length key-length | password { cipher | simple }... (Required)
  • Page 998: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. A newly created key pair will overwrite the existing one.
  • Page 999: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 1000: Destroying A Local Rsa Key Pair

    Enter PKI domain view: pki domain domain-name
    Disable CRL checking: crl check disable (Required. Enabled by default)
    Return to system view: quit
    Retrieve the CA certificate: refer to Retrieving a Certificate Manually (Required)
    Verify the validity of the ...: pki validate-certificate { ca |...