About This Manual
Organization
H3C S3100-52P Ethernet Switch Operation Manual is organized as follows:
Part: Contents
0 Product Overview: Introduces the characteristics, services, and network implementations of S3100-52P Ethernet Switches.
1 CLI: Introduces the command hierarchy, command view, and CLI features of the Ethernet switch.
Part: Contents
19 Web Authentication: Introduces Web Authentication and the related configuration.
Address Authentication: Introduces MAC address authentication and the related configuration.
21 ARP: Introduces ARP and the related configuration.
22 DHCP: Introduces DHCP, DHCP-Snooping, and the related configurations.
23 ACL: Introduces ACL and the related configuration.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention: Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
Items (keywords or arguments) in square brackets [ ] are optional.
Alternative items are grouped in braces and separated { x | y | ...
Caution: data loss or damage to equipment.
Note: Means a complementary description.
Related Documentation
In addition to this manual, each H3C S3100-52P Ethernet Switch documentation set includes the following:
Manual: Description
H3C S3100-52P Ethernet Switch Installation Manual: It provides information for the system installation and setup.
Software release notes
1.1 CD-ROM
H3C delivers a CD-ROM together with each device. The CD-ROM contains a complete set of electronic documents of the product, including operation manuals and command manuals. After installing the reader program provided on the CD-ROM, you can conveniently search for the desired contents through the reader interface.
Operation Manual – Product Overview H3C S3100-52P Ethernet Switch Chapter 1 Obtaining the Documentation 1.3 Software Release Notes With software upgrade, new software features may be added. You can acquire the information about the newly added software features through software release notes.
2.1 Software Version
H3C S3100-52P Ethernet Switch Operation Manual-Release 1602 and H3C S3100-52P Ethernet Switch Command Manual-Release 1602 are for software version Release 1602 of the S3100-52P product. Compared with Release 1500, many new features are added in Release 1602. For...
Chapter 2 Correspondence Between Documentation and Software
Added feature in Release 1602: Manual
STP maintainability 14-MSTP 802.1d-compliant traps Support of IGMPv3 Snooping Support of IGMPv3 Snooping simulated joining Support of suppressing flooding of unknown multicast...
Added feature in Release 1602: Manual
VLAN mapping Configuration of burst traffic for port rate limiting and traffic policing Configuration of priority remarking in VLANs...
Chapter 3 Product Overview
3.1 Preface
The H3C S3100-52P Ethernet switch is a Layer 2 wire-speed Ethernet switch developed independently by H3C. It is an intelligent, manageable switch designed for network environments where high performance, high port density, and ease of installation are required.
Part: Features
3 Configuration File Management: Saving, restoring, and deleting the configuration file
4 VLAN: IEEE 802.1Q-compliant VLAN; Port-based VLAN; Protocol-based VLAN
Configuring an IP address for a switch...
Part: Features
18 AAA: Authentication, authorization, and accounting (AAA); Remote authentication dial-in user service (RADIUS); Huawei terminal access controller access control system (HWTACACS); Endpoint admission defense (EAD)
Part: Features
32 Information Center: System logs; Hierarchical alarms; Debugging information output
33 System: Loading Boot ROM and software in multiple ways; Basic system configuration and debugging...
Chapter 4 Networking Applications
You can deploy the S3100-52P Ethernet switch on many types of networks, such as enterprise networks and broadband access networks. The following are several typical networking applications.
4.1 Broadband Ethernet Access for Residential Communities
On the broadband access network of a residential community, an S3100-52P Ethernet switch is located in the center.
4.3 Application in Large Enterprise and Campus Networks
In a large enterprise or campus network, S3100-52P Ethernet switches can operate on the access layer. They are uplinked to Layer 3 switches, S3600 Series or S5600 Series for example; and uplinked to a Layer 3 switch. These switches together provide a...
Figure 4-3 S3100-52P Ethernet switch application in large enterprise and campus network...
Operation Manual – CLI H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 CLI Configuration
1.1 Introduction to the CLI
1.2 Command Hierarchy
1.2.1 Command Level and User Privilege Level
1.2.2 Modifying the Command Level
1.2.3 Switching User Level
CLI and a set of configuration commands for the convenience of the user to configure and manage the switch. The CLI on S3100-52P Ethernet switches provides the following features, and so has good manageability and operability. Hierarchical command protection: After users of different levels log in, they can only use commands at their own, or lower, levels.
1.2 Command Hierarchy
1.2.1 Command Level and User Privilege Level
I. Command level
The S3100-52P Ethernet switches use hierarchical command protection for command lines to prevent users at lower levels from using higher-level commands to configure the switches.
Note: If a user logs in using AAA authentication, the user privilege level depends on the configuration of the AAA scheme. For details, refer to AAA Operation.
1.2.2 Modifying the Command Level
I.
[Sysname] command-privilege level view shell tftp 192.168.0.1 bootrom.btm
After the above configuration, general Telnet users can use the tftp get command to download file bootrom.btm and other files from TFTP server 192.168.0.1 and other TFTP servers.
To do… Use the command… Remarks super Super password authentication-mode authentication super-password super HWTACACS authentication-mode authentication scheme Optional Super password By default, Specify the authentication preferred super super...
Follow these steps to set a password for user level switching:
To do…: Enter system view
Use the command…: system-view
Remarks: —
Required super password [ level Set the super password...
To do…: Switch to a specified user level
Use the command…: super [ level ]
Remarks: Required. Execute this command in user view.
Note: If no user level is specified in the super password command or the super command, level 3 is used by default.
Table 1-1 lists the CLI views provided by S3100-52P Ethernet switches, operations that can be performed in different CLI views and the commands used to enter specific CLI views.
Available Prompt View Enter method Quit method operation example 100 Mbps Execute the Execute the Ethernet port quit command interface view: to return to ethernet system view. command in [Sysname-Eth system view.
Available Prompt View Enter method Quit method operation example Configure FTP Execute the FTP client client [ftp] ftp command view parameters in user view. Execute the Configure SFTP client...
Available Prompt View Enter method Quit method operation example Define rules Execute the for an layer 2 [Sysname-acl- Layer 2 ACL acl number ACL (with ID ethernetframe view...
Available Prompt View Enter method Quit method operation example Execute the Execute the vlan-vpn vid quit command command in to return to Ethernet port Ethernet port Configure [Sysname-Eth view.
If the question mark “?” is at a keyword position in the command, all available keywords at the position and their descriptions will be displayed on your terminal.
Table 1-2 Display-related operations
Operation: Function
Press <Ctrl+C>: Stop the display output and execution of the command.
Press any character except <Space>, <Enter>, /, +, and - when the display Stop the display output.
1.4.4 Error Prompts
If a command passes the syntax check, it will be successfully executed; otherwise, an error message will be displayed. Table 1-3 lists the common error messages.
Press… To… Use the partial online help. That is, when you input an incomplete keyword and press <Tab>, if the input parameter uniquely identifies a complete keyword, the system substitutes the complete keyword for the input parameter;...
Operation Manual – Login H3C S3100-52P Ethernet switch
Table of Contents
Chapter 1 Logging In to an Ethernet Switch
1.1 Logging In to an Ethernet Switch
1.2 Introduction to the User Interface
1.2.1 Supported User Interfaces
Chapter 4 Logging In Using a Modem
4.1 Introduction
4.2 Configuration on the Switch Side
4.2.1 Modem Configuration
4.2.2 Switch Configuration
4.3 Modem Connection Establishment
Chapter 5 Logging In Through the Web-based Network Management System
Banner.
1.1 Logging In to an Ethernet Switch
You can log in to an S3100-52P Ethernet switch in one of the following ways:
Logging in locally through the console port
Logging in locally or remotely through an Ethernet port by means of Telnet or SSH...
AUX user interface: A view when you log in through the AUX port. AUX port is a line device port.
Virtual type terminal (VTY) user interface: A view when you log in through VTY.
To do…: Free a user interface
Use the command…: free user-interface [ type ] number
Remarks: Optional. Available in user view
To do…: Enter system view
Use the command…: system-view
Remarks: —
...
Logging in through the console port is the most common way to log in to a switch. It is also the prerequisite for configuring other login methods. By default, you can log in locally to an S3100-52P Ethernet switch through its console port only. Table 2-1 lists the default settings of a console port.
Figure 2-1 Diagram for connecting to the console port of a switch
If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows...
Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt (such as <H3C>) appears after you press the Enter key, as shown in Figure 2-5.
2.3 Console Port Login Configuration
2.3.1 Common Configuration
Table 2-2 Common configuration of console port login
Configuration: Remarks
Baud rate: Optional. The default baud rate is 9,600 bps.
Caution: The change to console port configuration takes effect immediately, so the connection may be disconnected when you log in through a console port and then configure this console port.
Authentication Console port login configuration Remarks mode Specify to Optional AAA configuration perform local specifies whether to Local authentication authenticatio perform local is performed by...
To do…: Configure not to authenticate users
Use the command…: authentication-mode none
Remarks: Required. By default, users logging in through the console port (AUX user interface) are not authenticated.
To do… Use the command… Remarks Optional The default timeout time of a user interface is 10 minutes. With the timeout time being 10...
III. Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate users logging in through the console port.
To do… Use the command… Remarks Required Configure to By default, users logging in to a authenticate users authentication-mod switch through the console port...
To do… Use the command… Remarks Optional The default timeout time of a user interface is 10 minutes. With the timeout time being 10...
III. Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
2.6 Console Port Login Configuration with Authentication Mode Being Scheme
2.6.1 Configuration Procedure
Follow these steps to configure console port login with the authentication mode being scheme:
To do…...
To do… Use the command… Remarks Required The specified AAA scheme determines whether to authentication-mode authenticate users locally or Configure to authenticate remotely. scheme [ command-...
To do…: Set history command buffer size
Use the command…: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
II. Network diagram
Figure 2-8 Network diagram for AUX user interface configuration (with the authentication mode being scheme). Figure labels: Ethernet1/0/1, Ethernet, User PC running Telnet.
III.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
Telnet Configuration with Authentication Mode Being Password
3.1 Introduction
S3100-52P Ethernet switches support Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
3.1.1 Common Configuration
Table 3-2 Common Telnet configuration
Configuration Description Optional Configure the command level available to users By default, commands of level 0 are logging in to the VTY...
Authentication Telnet configuration Description mode Specify to AAA configuration Optional perform local specifies whether Local authentication is authentication to perform local performed by default. or remote...
3.2 Telnet Configuration with Authentication Mode Being None
3.2.1 Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being none:
To do… Use the command…...
To do…: Set the history command buffer size
Use the command…: history-command max-size value
Remarks: Optional. The default history command buffer size is 10. That is, a history command buffer can store up to 10 commands by default.
III. Configuration procedure
# Enter system view.
<Sysname> system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
To do… Use the command… Remarks Configure the Optional command level user privilege level By default, commands of level available to users level 0 are available to users logging logging in to the user in to VTY user interface.
3.3.2 Configuration Example
I. Network requirements
Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
3.4 Telnet Configuration with Authentication Mode Being Scheme
3.4.1 Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being scheme:
To do…...
To do… Use the command… Remarks Required The specified AAA scheme Configure to authentication-mode determines whether to authenticate users scheme [ command- authenticate users locally or...
Note that if you configure to authenticate the users in the scheme mode, the command level available to the users logging in to the switch depends on the user privilege level...
Scenario Command Authenticati level User type Command on mode The user privilege level level command is not executed, and the service-type command does Level 0 not specify the available command level.
II. Network diagram
Figure 3-3 Network diagram for Telnet configuration (with the authentication mode being scheme)
III. Configuration procedure
# Enter system view.
<Sysname> system-view
# Create a local user named guest and enter local user view.
XP) on the PC terminal, with the baud rate set to 9,600 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted. The prompt (such as <H3C>) appears, as shown in the following figure.
VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. An H3C series Ethernet switch can accommodate up to five Telnet connections at the same time.
Note: A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session. By default, commands of level 0 are available to Telnet users authenticated by password.
Chapter 4 Logging In Using a Modem
Go to these sections for information you are interested in:
Introduction
Configuration on the Switch Side
Modem Connection Establishment
4.1 Introduction...
AT&K0 ----------------------- Disable flow control
AT&R1 ----------------------- Ignore RTS signal
AT&S0 ----------------------- Set DSR to high level by force
ATEQ1&W ----------------------- Disable the Modem from returning command response and the result, save the changes
You can verify your configuration by executing the AT&V command.
4.3 Modem Connection Establishment
Before using a modem to log in to the switch, perform the corresponding configuration for different authentication modes on the switch. Refer to...
Figure 4-2 Create a connection
Figure 4-3 Set the telephone number
Figure 4-4 Call the modem...
If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as <Sysname>) appears.
Enabling/Disabling the WEB Server
5.1 Introduction
An S3100-52P Ethernet switch has a Web server built in. It enables you to log in to an S3100-52P Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
Configure the user name and the password on the switch for the Web network management user to log in.
# Create a Web user account, setting both the user name and the password to admin and the user level to 3.
enter the user login authentication page, and enter the main page of the Web-based network management system after passing the authentication. If no login banner is configured by the header command, a user logging in through Web directly enters the user login authentication page.
Figure 5-4 Banner page displayed when a user logs in to the switch through Web
Click <Continue> to enter user login authentication page. You will enter the main page of the Web-based network management system if the authentication succeeds.
Chapter 6 Logging In Through NMS
Go to these sections for information you are interested in:
Introduction
Connection Establishment Using NMS
6.1 Introduction
You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch.
Displaying Source IP Address Configuration 7.1 Overview You can configure the source IP address for Telnet service packets for an S3100-52P switch operating as a Telnet client. The IP address can only be the IP address of a Layer 3 interface on the switch.
Chapter 8 User Control
Go to these sections for information you are interested in:
Introduction
Controlling Telnet Users
Controlling Network Management Users by Source IP Addresses
Controlling Web Users by Source IP Address
Note: Refer to the ACL part for information about ACL.
8.2 Controlling Telnet Users
8.2.1 Prerequisites
The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying).
To do…: Enter system view
Use the command…: system-view
Remarks: —
As for the acl number Create an advanced acl number acl-number command, the config ACL or enter...
# Apply the ACL.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
8.3 Controlling Network Management Users by Source IP Addresses
You can manage an S3100-52P Ethernet switch through network management software. Network management users can access switches through SNMP.
You need to perform the following two operations to control network management users by source IP addresses.
Defining an ACL
Applying the ACL to control users accessing the switch through SNMP
8.3.1 Prerequisites...
To do…: Apply the ACL while configuring the SNMP community
Use the command…: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
...
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
8.4 Controlling Web Users by Source IP Address
You can manage an S3100-52P Ethernet switch remotely through Web. Web users can access a switch through HTTP connections. You need to perform the following two operations to control Web users by source IP addresses.
To do…: Apply the ACL to control Web users
Use the command…: ip http acl acl-number
Remarks: Optional. By default, no ACL is applied for Web users.
8.4.3 Disconnecting a Web User by Force
The administrator can disconnect a Web user by force using the related commands.
# Apply ACL 2030 to only permit the Web users sourced from the IP address of 10.110.100.52 to access the switch.
[Sysname] ip http acl 2030...
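The following auditor is an added example, not part of the H3C manual: it reads a saved configuration and reports the login-control gaps covered in this part, namely `authentication-mode none` on a user interface, VTY lines without `acl ... inbound`, an SNMP community without an ACL, and no `ip http acl`. Both sample configurations are constructed, and the file layout (a `user-interface` header followed by indented sub-commands) and the finding names are assumptions.

```python
import re

# Constructed sample (not from a real switch). Assumed layout: each
# "user-interface ..." header is followed by indented sub-commands.
WEAK_CONFIG = """\
user-interface aux 0
 authentication-mode none
 idle-timeout 6
user-interface vty 0
 authentication-mode none
 user privilege level 2
user-interface vty 1 4
 authentication-mode scheme
 acl 2000 inbound
snmp-agent community read examplecomm
"""

# The same device with the controls from the User Control chapter applied (constructed).
HARDENED_CONFIG = """\
user-interface aux 0
 authentication-mode password
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
snmp-agent community read examplecomm acl 2000
ip http acl 2030
"""

UI_HEADER = re.compile(r"^user-interface\s+(aux|vty)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_user_interfaces(text):
    """Return [(header, [sub-commands])] for every user-interface block."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":            # a top-level line closes any open block
            current = None
            if UI_HEADER.match(raw.strip()):
                current = (raw.strip(), [])
                blocks.append(current)
        elif current is not None:          # indented line belongs to the open block
            current[1].append(raw.strip())
    return blocks


def audit(text):
    """Return a list of (location, finding) tuples; an empty list means no gaps found."""
    findings = []
    for header, cmds in parse_user_interfaces(text):
        kind = UI_HEADER.match(header).group(1)
        if "authentication-mode none" in cmds:
            findings.append((header, "no-authentication"))
        # Telnet source filtering is applied per VTY range with "acl <n> inbound".
        if kind == "vty" and not any(re.fullmatch(r"acl \d+ inbound", c) for c in cmds):
            findings.append((header, "vty-without-inbound-acl"))

    top_level = [l.strip() for l in text.splitlines() if l and l[0] not in " \t"]
    for line in top_level:
        m = re.match(r"snmp-agent community (read|write) (\S+)(.*)", line)
        if m and not re.search(r"\bacl \d+", m.group(3)):
            # The community string itself is a secret, so it is not echoed.
            findings.append((f"snmp-agent community {m.group(1)} <redacted>",
                             "snmp-community-without-acl"))
    if not any(re.fullmatch(r"ip http acl \d+", l) for l in top_level):
        findings.append(("ip http", "web-without-acl"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for location, finding in audit(cfg):
            print(f"  {finding}: {location}")
```
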
Operation Manual – Configuration File Management H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Configuration File Management
1.1 Introduction to Configuration File
1.2 Configuration Task List
1.2.1 Saving the Current Configuration
1.2.2 Erasing the Startup Configuration File
Chapter 1 Configuration File Management
When configuring configuration file management, go to these sections for information you are interested in:
Introduction to Configuration File
Configuration Task List
1.1 Introduction to Configuration File...
can be used instead. This increases the safety and reliability of the file system compared with a switch that supports only one configuration file. You can configure a file to have both main and backup attributes, but only one file of either main or backup attribute is allowed on a switch.
1.2.1 Saving the Current Configuration
You can modify the configuration on your switch at the command line interface (CLI). To use the modified configuration for your subsequent startups, you must save it (using the save command) as a configuration file.
Backup attribute. When you use the save [ safely ] backup command to save the current configuration, the configuration file you get has backup attribute. If this configuration file already exists and has main attribute, the file will have both main and backup attributes after execution of this command.
Caution: This command will permanently delete the configuration file from the switch.
1.2.3 Specifying a Configuration File for Next Startup
Use the following command to specify a configuration file for next startup:
To do…...
Operation Manual – VLAN H3C S3100-52P Ethernet Switch
Chapter 1 VLAN Overview
This chapter covers these topics:
VLAN Overview
Port-Based VLAN
Protocol-Based VLAN
1.1 VLAN Overview
1.1.1 Introduction to VLAN
The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches.
communicate with each other directly but need the help of network layer devices, such as routers and Layer 3 switches. Figure 1-1 illustrates a VLAN implementation.
Figure 1-1 A VLAN implementation
1.1.2 Advantages of VLANs...
The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the H3C series Ethernet switches, the default TPID is 0x8100. The 3-bit priority field indicates the 802.1p priority of the frame. Refer to the “QoS-QoS profile”...
1.1.4 VLAN Interface Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding. The S3100-52P Ethernet switch supports VLAN interfaces configuration to forward packets in Layer 3.
1.2.1 Link Types of Ethernet Ports The link type of an Ethernet port on the S3100-52P can be one of the following: Access: An access port can belong to only one VLAN, and is generally connected to a user PC.
Operation Manual – VLAN H3C S3100-52P Ethernet Switch Chapter 1 VLAN Overview 1.2.2 Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
Table 1-2 Packet processing of a trunk port
Processing of an incoming packet Processing of an outgoing packet For an untagged packet For a tagged packet If the port has already...
The switch identifies whether a packet is an Ethernet II packet or an 802.2/802.3 packet according to the ranges of the two fields. Note: The H3C S3100-52P switch recognizes packets with the value of the type field being in the range 0x05DD to 0x05FF as 802.2/802.3 encapsulated packets.
II. Extended encapsulation formats of 802.2/802.3 packets
802.2/802.3 packets have the following three extended encapsulation formats:
802.3 raw encapsulation: only the length field is encapsulated after the source and destination address field, followed by the upper layer data.
Note: When the OUI is 00-00-00 in 802.2 SNAP encapsulation, the PID field has the same meaning as the type field in Ethernet II encapsulation; both refer to a globally unique protocol number.
Supported (0x809B)
1.3.5 Implementation of Protocol-Based VLAN
The S3100-52P Ethernet switch assigns a packet to a specific VLAN by matching the packet against protocol templates. A protocol template is the criterion used to determine the protocol to which a packet belongs. Protocol templates include standard templates and user-defined templates:
The standard template adopts the RFC-defined packet encapsulation formats and values of some specific fields as the matching criteria.
Chapter 2 VLAN Configuration
When configuring a VLAN, go to these sections for information you are interested in:
VLAN Configuration
Configuring a Port-Based VLAN
Configuring a Protocol-Based VLAN
2.1 VLAN Configuration...
Caution: VLAN 1 is the system default VLAN. It does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. On the switch, there are dynamic VLANs which are registered through GVRP.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. An S3100-52P switch can be configured with a single VLAN interface only, and the VLAN must be the management VLAN. For details about the management VLAN, refer to the “Stack-Cluster Configuration”...
Task Remarks Configuring the Default VLAN for a Port Optional
2.2.2 Configuring the Link Type of an Ethernet Port
Follow these steps to configure the link type of an Ethernet port: To do…...
Note: When assigning an access or hybrid port to a VLAN, make sure the VLAN already exists.
In VLAN view
Follow these steps to assign one or multiple access ports to a VLAN in VLAN view: Use the To do…...
Caution: After configuring the default VLAN for a trunk or hybrid port, you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through.
II. Network diagram
Figure 2-1 Network diagram for VLAN configuration
III. Configuration procedure
Configure Switch A.
# Create VLAN 100, specify its descriptive string as Dept1, and add Ethernet 1/0/1 to VLAN 100.
[SwitchB] vlan 100
[SwitchB-vlan100] description Dept1
[SwitchB-vlan100] port Ethernet 1/0/13
[SwitchB-vlan100] quit
# Create VLAN 200, specify its descriptive string as Dept2 and add Ethernet 1/0/11 and Ethernet 1/0/12 to VLAN 200.
II. Configuration procedure
Follow these steps to configure the protocol template for a VLAN:
To do... Use the command... Remarks
Enter system view system-view —
Enter VLAN view vlan vlan-id —...
Caution: Because the IP protocol is closely associated with the ARP protocol, you are recommended to configure the ARP protocol type when configuring the IP protocol type, and to associate the two protocol types with the same port. Otherwise, ARP packets and IP packets may not be assigned to the same VLAN, which will cause IP address resolution failure.
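Added example (not part of the H3C manual, and not the switch's own implementation): the Python sketch below classifies a frame by the fields described in the VLAN overview (TPID 0x8100 and 802.1p priority, Ethernet II type versus 802.2/802.3 length, raw/LLC/SNAP) and matches it against protocol templates, showing why an IP-only template leaves ARP in the default VLAN. The function names, the template table layout, the default VLAN of 1, the rule that a tagged frame keeps its tag's VLAN, and the sample frames are assumptions constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100   # default TPID on the switch, as stated in the manual
DEFAULT_VLAN = 1      # assumption: the port's default VLAN is VLAN 1


def parse_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame (no preamble, no FCS)."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"vlan": None, "priority": None, "proto": None}
    offset = 12                                   # skip destination and source MAC
    (field,) = struct.unpack_from("!H", frame, offset)
    if field == TPID_8021Q:                       # 802.1Q tag present
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        info["priority"] = tci >> 13              # 3-bit 802.1p priority
        info["vlan"] = tci & 0x0FFF               # 12-bit VLAN ID
        offset += 4
        (field,) = struct.unpack_from("!H", frame, offset)
    payload = frame[offset + 2:]
    if field >= 0x0600:                           # type field: Ethernet II
        info.update(encap="ethernetii", proto=field)
    # Below 0x0600 the field is a length; the manual notes that the switch
    # also treats 0x05DD-0x05FF as 802.2/802.3 encapsulation.
    elif payload[:2] == b"\xff\xff":              # 802.3 raw (conventional IPX marker)
        info["encap"] = "raw"
    elif payload[:3] == b"\xaa\xaa\x03" and len(payload) >= 8:
        info["encap"] = "snap"                    # DSAP = SSAP = 0xAA, control 0x03
        if payload[3:6] == b"\x00\x00\x00":       # OUI 00-00-00: PID equals an Ethernet II type
            (info["proto"],) = struct.unpack_from("!H", payload, 6)
    elif len(payload) >= 3:
        info.update(encap="llc", dsap=payload[0], ssap=payload[1])
    else:
        raise ValueError("truncated 802.2/802.3 payload")
    return info


def assign_vlan(frame: bytes, templates: dict, default_vlan: int = DEFAULT_VLAN) -> int:
    """Return the VLAN a frame lands in under the given protocol templates."""
    info = parse_frame(frame)
    if info["vlan"]:                              # assumption: a tagged frame keeps its VLAN
        return info["vlan"]
    key = (info["encap"], info["proto"])
    for vlan_id, protocols in templates.items():
        if key in protocols:
            return vlan_id
    return default_vlan                           # no template matched


def build(type_or_len, payload, tci=None):
    """Constructed sample frame with made-up MAC addresses and an optional tag."""
    macs = bytes.fromhex("ffffffffffff" "020000000001")
    tag = struct.pack("!HH", TPID_8021Q, tci) if tci is not None else b""
    return macs + tag + struct.pack("!H", type_or_len) + payload


# Constructed samples: zero-filled payloads are enough for classification.
IP = build(0x0800, bytes(20))
ARP = build(0x0806, bytes(28))
APPLETALK = build(0x809B, bytes(16))

# Template tables keyed by VLAN ID: (encapsulation, protocol number) pairs.
IP_ONLY = {100: {("ethernetii", 0x0800)}, 200: {("ethernetii", 0x809B)}}
IP_AND_ARP = {100: {("ethernetii", 0x0800), ("ethernetii", 0x0806)},
              200: {("ethernetii", 0x809B)}}

if __name__ == "__main__":
    for name, frame in (("IP", IP), ("ARP", ARP), ("AppleTalk", APPLETALK)):
        print(name, "IP-only:", assign_vlan(frame, IP_ONLY),
              "IP+ARP:", assign_vlan(frame, IP_AND_ARP))
```

With the IP-only table, the ARP frame falls back to the default VLAN while the IP frame goes to VLAN 100, which is the address resolution failure the caution describes.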
1/0/10 on the S3100-52P switch. IP network and AppleTalk network workstations (hosts) coexist in the Workroom. The S3100-52P switch connects to VLAN 100 (using IP network) through Ethernet 1/0/11 and to VLAN 200 (using AppleTalk network) through Ethernet 1/0/12. Configure the switch to automatically assign the IP and AppleTalk packets to proper VLANs for transmission, so as to ensure the normal communication between the workstations and servers.
II. Network diagram
Figure 2-2 Network diagram for protocol-based VLAN configuration
III. Configuration procedure
# Create VLAN 100 and VLAN 200, and add Ethernet 1/0/11 and Ethernet 1/0/12 to VLAN 100 and VLAN 200 respectively.
VLAN Type: Protocol-based VLAN
Protocol Index Protocol Type
ethernetii etype 0x0806
VLAN ID: 200
VLAN Type: Protocol-based VLAN
Protocol Index Protocol Type
# Configure Ethernet 1/0/10 as a hybrid port, which removes the VLAN tag of the packets of VLAN 100 and VLAN 200 before forwarding the packets.
Operation Manual – IP Address and Performance H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 IP Addressing Configuration
1.1 IP Addressing Overview
1.1.1 IP Address Classes
1.1.2 Special Case IP Addresses
1.1.3 Subnetting and Masking...
Chapter 1 IP Addressing Configuration
When configuring IP addressing, go to these sections for information you are interested in:
IP Addressing Overview
Configuring IP Addresses...
Table 1-1 IP address classes and ranges
Class Address range Description
Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address.
255.0.0.0, 255.255.0.0, and 255.255.255.0 respectively.
1.2 Configuring IP Addresses
An S3100-52P Ethernet Switch supports assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN interface, you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP as alternatives.
Note: This chapter only covers how to assign an IP address manually. For the other two approaches to IP address assignment, refer to the part discussing DHCP in this manual.
1.4 IP Address Configuration Examples
1.4.1 IP Address Configuration Example I
I. Network requirement
Assign IP address 129.2.2.1 with mask 255.255.255.0 to VLAN-interface 1 of the switch.
II. Network diagram
Figure 1-4 Network diagram for IP address configuration
III. Configuration procedure
# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
The output information shows the switch can communicate with the hosts on the subnet 172.16.1.0/24.
# Ping a host on the subnet 172.16.2.0/24 from the switch to check the connectivity.
2.1 IP Performance Overview
2.1.1 Introduction to IP Performance Configuration
In some network environments, you need to adjust the IP parameters to achieve best network performance. The IP performance configuration supported by an S3100-52P Ethernet Switch includes:
Configuring TCP attributes...
Operation Manual – IP Address and Performance H3C S3100-52P Ethernet Switch Chapter 2 IP Performance Configuration 2.2.2 Configuring TCP Attributes TCP optional parameters that can be configured include: synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packets are received before the synwait timer times out, the TCP connection is not successfully created.
Follow these steps to disable sending ICMP error packets: To do… Use the command… Remarks Enter system view system-view — Required undo icmp redirect...
1.1 Voice VLAN Overview
1.1.1 How an IP Phone Works
1.1.2 How S3100-52P Switch Identifies Voice Traffic
1.1.3 Setting the Voice Traffic Transmission Priority
1.1.4 Configuring Voice VLAN Assignment Mode of a Port
1.1.5 Support for Voice VLAN on Various Ports...
Operation Manual – Voice VLAN H3C S3100-52P Ethernet Switch
Chapter 1 Voice VLAN Configuration
When configuring voice VLAN, go to these sections for information you are interested in:
Voice VLAN Overview
Voice VLAN Configuration
Displaying and Maintaining Voice VLAN
Voice VLAN Configuration Example
1.1 Voice VLAN Overview...
Figure 1-1 Network diagram for IP phones
As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
OUI address which forms the first 24 bits of a MAC address. S3100-52P Ethernet switch supports OUI address mask configuration. You can adjust the matching depth of MAC address by setting different OUI address masks.
I. Processing mode of untagged packets sent by IP voice devices Automatic voice VLAN assignment mode. An S3100-52P Ethernet switch automatically adds a port connecting an IP voice device to the voice VLAN by learning the source MAC address in the untagged packet sent by the IP voice device when it is powered on.
Caution: If the voice traffic transmitted by an IP voice device carries VLAN tags, and 802.1x authentication and guest VLAN is enabled on the port which the IP voice device is connected to, assign different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN to ensure the effective operation of these...
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically
Voice VLAN Voice Port assignment traffic Supported or not...
1.1.6 Security Mode of Voice VLAN
On S3100-52P Ethernet switch, a voice VLAN can operate in the security mode. Voice VLANs operating in this mode only permit voice data, enabling you to perform voice traffic-specific priority configuration.
1.2.2 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode
Follow these steps to configure a voice VLAN to operate in automatic voice VLAN assignment mode: To do…...
Caution: A port working in automatic voice VLAN assignment mode cannot be assigned to the voice VLAN manually. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN function cannot be bound with the port.
To do… Use the command… Remarks Enable the voice VLAN function voice vlan vlan-id Required globally enable interface interface-type Enter port view Required interface-number Required By default, voice...
VLAN does not operate in security mode. The voice VLAN legacy feature enables communication between H3C devices and other vendors' voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
1.4 Voice VLAN Configuration Example
1.4.1 Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode)
I. Network requirements
Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
Operation Manual – GVRP H3C S3100-52P Ethernet Switch
Chapter 1 GVRP Configuration
When configuring GVRP, go to these sections for information you are interested in:
Introduction to GVRP
GVRP Configuration
Displaying and Maintaining GVRP
GVRP Configuration Example
1.1 Introduction to GVRP...
messages deregister all the attributes, through which the attribute information of the entity can be registered again on the other GARP entities. Leave messages, LeaveAll messages, together with Join messages ensure attribute information can be deregistered and re-registered.
workstation or a bridge; it instructs other GARP members to register/deregister its attribute information by declaration/recant, and register/deregister other GARP members' attribute information according to other members' declaration/recant. When a port receives an attribute declaration, the port will register this attribute.
Field Description Value Each general attribute consists of three parts: Attribute Length, Attribute Event, and Attribute Value. Attribute — Each LeaveAll attribute consists of two parts: Attribute Length and LeaveAll Event.
Normal. A port in this mode can dynamically register/deregister VLANs and propagate dynamic/static VLAN information.
Fixed. A port in this mode cannot register/deregister VLANs dynamically. It only propagates static VLAN information. Besides, the port permits only static VLANs, that is, it propagates only static VLAN information to the other GARP members.
To do ... Use the command ... Remarks Required Enable GVRP on the port gvrp By default, GVRP is disabled on the port.
Notes
After you enable GVRP on a trunk port, you cannot change the port to a different type.
Table 1-2 Relations between the timers
Timer Lower threshold Upper threshold This upper threshold is less than or equal to one-half of the timeout Hold 10 centiseconds time of the Join timer. You...
To do ... Use the command ... Remarks interface interface-type Enter Ethernet port view — interface-number Optional Configure GVRP port gvrp registration { fixed | By default, GVRP port...
II. Network diagram
Figure 1-2 Network diagram for GVRP configuration
III.
Configure Switch B
# The configuration procedure of Switch B is similar to that of Switch A and is thus omitted.
Configure Switch C
# Enable GVRP on Switch C, which is similar to that of Switch A and is thus omitted.
Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
# Configure Ethernet1/0/1 on Switch E to operate in fixed GVRP registration mode.
Operation Manual – Port Basic Configuration H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Port Basic Configuration
1.1 Ethernet Port Configuration
1.1.1 Initially Configuring a Port
1.1.2 Configuring Port Auto-Negotiation Speed
1.1.3 Limiting Traffic on individual Ports...
Chapter 1 Port Basic Configuration
When performing port basic configuration, go to these sections for information you are interested in:
Ethernet Port Configuration
Ethernet Port Configuration Example...
To do... Use the command... Remarks Optional Set the description By default, the description string for the Ethernet description text string of an Ethernet port is port null.
To do... Use the command... Remarks Enter system view system-view — Enter Ethernet interface interface interface-type — view interface-number Optional By default, the port speed is determined...
To do... Use the command... Remarks interface interface-type Enter Ethernet port view — interface-number Optional Limit broadcast traffic broadcast-suppression By default, the switch received on the current...
configuration, QoS configuration, GARP configuration, STP configuration and initial port configuration. Refer to the command manual for the configurations that can be duplicated. Follow these steps to duplicate the configuration of a port to specific ports: To do...
Follow these steps to configure loopback detection for an Ethernet port: To do... Use the command... Remarks Enter system view system-view — Required Enable loopback...
To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter Ethernet port view — interface-number Enable loopback test loopback { external | internal }...
1.1.9 Configuring the Interval to Perform Statistical Analysis on Port Traffic
By performing the following configuration, you can set the interval to perform statistical analysis on the traffic of a port.
When the physical link status of an Ethernet port changes between Up and Down or Up and Administratively Down, the switch will generate Up/Down log and send the log information to the terminal automatically by default.
To do... Use the command... Remarks Optional Set the action to be taken when a type of traffic By default, no action is storm-constrain control...
Caution: The port state change delay takes effect when the port goes down but not when the port goes up.
Follow these steps to set the port state change delay: To do …...
1.1.14 Displaying and Maintaining Basic Port Configuration
To do... Use the command... Remarks Display port display interface [ interface-type configuration | interface-type interface-number ] information...
Configure the default VLAN ID of both Ethernet 1/0/1 to 100. Allow the packets of VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 to pass both Ethernet 1/0/1.
Operation Manual – Link Aggregation H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Link Aggregation Configuration
1.1 Overview
1.1.1 Introduction to Link Aggregation
1.1.2 Introduction to LACP
1.1.3 Requirements on Ports for Link Aggregation
1.2 Link Aggregation Classification...
Chapter 1 Link Aggregation Configuration
When configuring link aggregation, go to these sections for information you are interested in:
Overview
Link Aggregation Classification
Aggregation Group Categories...
1.1.3 Requirements on Ports for Link Aggregation
To achieve load sharing in an aggregation group, the member ports to perform load balancing must have the same speed, duplex mode, and basic configurations, which...
Among the ports in an aggregation group that are in up state, the system selects as the master port the port with the highest of the following settings (in descending order): full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
descending order) as the master port: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The ports with their rate, duplex mode and link type being the same as that of the master port are selected ports, and the rest are unselected ports.
the port IDs of the preferred device (that is, the device with smaller system ID). The following is the negotiation procedure: Compare device IDs (system priority + system MAC address) between the two parties.
An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggregation group containing no special port.
A manual or static aggregation group has higher priority than a dynamic aggregation group (unless the latter contains special ports while the former does not).
1.4 Link Aggregation Configuration
Caution: The commands of link aggregation cannot be configured with the commands of port loopback detection feature at the same time. The ports where the mac-address max-mac-count command is configured cannot be added to an aggregation group.
Follow these steps to configure a manual aggregation group: To do… Use the command… Remarks Enter system view system-view — Create a manual link-aggregation group agg-id...
Follow these steps to configure a static LACP aggregation group: To do… Use the command… Remarks Enter system view system-view — Create a static link-aggregation group agg-id...
To do… Use the command… Remarks Optional Configure the lacp system-priority By default, the system priority is system priority system-priority 32,768. Enter Ethernet interface interface-type —...
1.5 Displaying and Maintaining Link Aggregation Configuration
To do… Use the command… Remarks Display summary display link-aggregation information of all summary aggregation groups Display detailed information of a specific...
III. Configuration procedure
Note: The following only lists the configuration on Switch A; you must perform the similar configuration on Switch B to implement link aggregation.
[Sysname-Ethernet1/0/1] quit
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] lacp enable
[Sysname-Ethernet1/0/2] quit
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] lacp enable
Caution: The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
Operation Manual – Port Isolation H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Port Isolation Configuration
1.1 Port Isolation Overview
1.2 Port Isolation Configuration
1.3 Displaying and Maintaining Port Isolation Configuration...
Thus, you can construct your network in a more flexible way and improve your network security. Currently, you can create only one isolation group on an S3100-52P Ethernet switch. The number of Ethernet ports in an isolation group is not limited.
Operation Manual – Port Isolation H3C S3100-52P Ethernet Switch Chapter 1 Port Isolation Configuration Note: When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group on the local unit will join/leave the isolation group at the same time.
II. Network diagram
Figure 1-1 Network diagram for port isolation configuration
III. Configuration procedure
# Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
Operation Manual – Port Security-Port Binding H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Port Security Configuration
1.1 Port Security Overview
1.1.1 Introduction
1.1.2 Port Security Features
1.1.3 Port Security Modes
1.2 Port Security Configuration Task List...
Chapter 1 Port Security Configuration
When configuring port security, go to these sections for information you are interested in:
Port Security Overview
Port Security Configuration Task List...
Intrusion protection feature: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on the port, intrusion protection detects illegal packets or events and takes a pre-set action accordingly.
Security mode: userlogin
Description: In this mode, port-based 802.1x authentication is performed for access users.
Feature: In this mode, neither NTK nor intrusion protection will be...
Security mode Description Feature In this mode, both MAC authentication and 802.1x authentication can be performed, but 802.1x authentication has a higher priority. 802.1x authentication can still be performed on an access user who has passed MAC authentication.
Note:
When the port operates in the userlogin-withoui mode, Intrusion Protection will not be triggered even if the OUI address does not match.
On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, Intrusion Protection is triggered only after both MAC-based authentication and 802.1x authentication on the same...
To do... Use the command... Remarks Enter system view system-view — Required Enable port security port-security enable Disabled by default
Caution: Enabling port security resets the following configurations on the ports to the defaults (shown in parentheses below): 802.1x (disabled), port access control method (macbased), and port access control...
Follow these steps to set the maximum number of MAC addresses allowed on a port: To do... Use the command... Remarks Enter system view system-view —...
Note: Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
II. Configuring intrusion protection
Follow these steps to configure the intrusion protection feature: To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter Ethernet port view —...
III. Configuring the Trap feature
Follow these steps to configure port security trapping: To do... Use the command... Remarks Enter system view system-view — port-security trap { addresslearned...
If the number of security MAC addresses has not yet reached the maximum number, the port will learn new MAC addresses and turn them into security MAC addresses;...
1.4 Port Security Configuration Example
1.4.1 Port Security Configuration Example
I. Network requirements
Implement access user restrictions through the following configuration on Ethernet 1/0/1 of the switch.
Operation Manual – Port Security-Port Binding H3C S3100-52P Ethernet Switch Chapter 2 Port Binding Configuration
Chapter 2 Port Binding Configuration
When configuring port binding, go to these sections for information you are interested in:
Port Binding Overview
Displaying and Maintaining Port Binding Configuration
Port Binding Configuration Example
2.1 Port Binding Overview...
2.2 Displaying and Maintaining Port Binding Configuration
To do... | Use the command... | Remarks
Display port binding... | display am user-bind [ interface interface-type interface-number | ip-addr... | Available in any...
Operation Manual – DLDP H3C S3100-52P Ethernet Switch Chapter 1 DLDP Configuration
Chapter 1 DLDP Configuration
When configuring DLDP, go to these sections for information you are interested in:
Overview
DLDP Configuration
DLDP Configuration Example
1.1 Overview
1.1.1 Introduction
A special kind of link, namely, the unidirectional link, may occur in a network. When a unidirectional link appears, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
Figure 1-2 Fiber broken or not connected
DLDP provides the following features: As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device.
DLDP packet type | Function
RSY-Advertisement packets (referred to as RSY packets... | Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronizing the...
DLDP packet type | Function
Linkdown packets are used to notify unidirectional link emergencies (a unidirectional link emergency occurs when the local port is down and the peer port is up). Linkdown packets carry only the local port information instead of the neighbor information.
A DLDP packet received is processed as follows: In authentication mode, the DLDP packet is authenticated and is then dropped if it fails the authentication. The packet is further processed, as described in Table 1-3.
Table 1-4 Processing procedure when no echo packet is received from the neighbor
No echo packet received from the neighbor | Processing procedure
In normal mode, no echo packet is...
1.2.3 DLDP Timers
Table 1-6 DLDP timers
Timer | Description
Advertisement sending timer | Interval between sending advertisement packets, which can be configured on a command line interface. By default, the timer length is 5 seconds.
Timer | Description
In the enhanced mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP enables the enhanced timer for the neighbor. The enhanced timer...
DLDP operating... | DLDP detects whether neighbors exist or not when... | The entry aging timer is enabled or not during... | The enhanced timer is enabled or not when the...
recovered to bidirectional, the port changes from the disable state to the active state, and neighboring relationship is reestablished between the local port and the neighbor.
Note: Only ports in the DLDP down state can send and process recover probe packets and recover echo packets.
To do … | Use the command … | Remarks
Set the DLDP operating mode | dldp work-mode { enhance | normal } | Optional. By default, DLDP works in normal mode.
Note: This function is only applicable to ports that are in DLDP down state.
Follow these steps to reset DLDP state:
To do … | Use the command …...
II. Network diagram
Figure 1-3 Network diagram for DLDP configuration
III. Configuration procedure
Configure Switch A
# Configure the ports to work in mandatory full duplex mode at a rate of 1,000 Mbps.
Note: When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
Operation Manual – MAC Address Table Management H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 MAC Address Table Management
1.1 Overview
1.1.1 Introduction to MAC Address Table
1.1.2 Introduction to MAC Address Learning
1.1.3 Managing MAC Address Table
Chapter 1 MAC Address Table Management
When configuring MAC address table management, go to these sections for information you are interested in:
Overview...
Broadcast forwarding: If the destination MAC address carried in the packet is not included in the MAC address table, the switch broadcasts the packet to all ports except the one receiving the packet.
After learning the MAC address of User A, the switch starts to forward the packet. Because there is no MAC address and port information of User B in the existing MAC address table, the switch forwards the packet to all ports except Ethernet 1/0/1 to ensure that User B can receive the packet.
At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet, the switch unicasts the packet to User A through Ethernet 1/0/1 instead of broadcasting it, because MAC-A is already in the MAC address table.
II. Entries in a MAC address table
Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods:
Static MAC address entry: Also known as permanent MAC address entry.
Task | Remarks
Enabling Destination MAC Address Triggered Update | Optional
Assigning MAC Addresses for Ethernet Ports | Optional
1.2.2 Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
1.2.4 Setting the Maximum Number of MAC Addresses a Port Can Learn
The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of the network devices on the segment connected to the ports of the switch.
To avoid the problem, you are allowed to assign MAC addresses to the Ethernet ports on an S3100-52P switch. The idea is to assign a MAC address (called the start port MAC address) for the start Ethernet port, that is, Ethernet 1/0/1, and each of the following ports uses the MAC address of the preceding port plus 1 as its MAC address.
Port MAC address configuration does not affect service packet forwarding.
1.3 Displaying MAC Address Table Information
To do… | Use the command… | Remarks
Display information about the MAC...
Operation Manual – MSTP H3C S3100-52P Ethernet Switch Chapter 1 MSTP Configuration Chapter 1 MSTP Configuration Go to these sections for information you are interested in: MSTP Overview Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions...
II. Protocol packets of STP
STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. STP identifies the network topology by transmitting BPDUs between STP compliant network devices.
Classification | Designated bridge | Designated port
For a LAN | A designated bridge is a device responsible for forwarding BPDUs to this LAN segment. | The port through which the designated bridge forwards BPDUs to this...
IV. How STP works
STP identifies the network topology by transmitting configuration BPDUs between network devices. Configuration BPDUs contain sufficient information for network devices to complete the spanning tree calculation. Important fields in a configuration BPDU include:
Root bridge ID, consisting of root bridge priority and MAC address.
Table 1-2 Selection of the optimum configuration BPDU
Step | Description
Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than...
Table 1-3 Selection of the root port and designated ports
Step | Description
A non-root-bridge device takes the port on which the optimum configuration BPDU was received as the root port.
Figure 1-2 Network diagram for STP algorithm
Initial state of each device
The following table shows the initial state of each device.
Table 1-4 Initial state of each device...
Table 1-5 Comparison process and result on each device
Device | Comparison process | BPDU of port after comparison
Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}. Device A finds that the...
Device | Comparison process | BPDU of port after comparison
Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the...
Figure 1-3 The final calculated spanning tree
Note: To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated.
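The BPDU comparison and port-role selection described in the tables above can be traced in code. The following Python sketch is an added example, not part of the H3C manual: it applies the standard STP rule (the smaller {root bridge ID, root path cost, designated bridge ID, designated port ID} vector is superior) to a three-device triangle wired as AP1-BP1, AP2-CP1, BP2-CP2. Assumptions: bridge IDs are reduced to integers (A=0 and B=1 as in the manual's tuples, C=2 assumed), port IDs are numeric, and the link costs 5, 10 and 4 are constructed for illustration.

```python
"""STP configuration-BPDU comparison and port-role election (added example)."""
from typing import NamedTuple


class Bpdu(NamedTuple):
    """{root bridge ID, root path cost, designated bridge ID, designated port ID}.

    Tuples compare field by field, so the superior BPDU is the smaller one.
    """
    root_id: int    # simplified to an integer; a real ID is priority + MAC
    cost: int       # root path cost
    bridge_id: int  # designated bridge ID
    port_id: int    # designated port ID


# Constructed topology: C's bridge ID and all link costs are assumptions.
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [
    (("A", 1), ("B", 1), 5),   # AP1 - BP1
    (("A", 2), ("C", 1), 10),  # AP2 - CP1
    (("B", 2), ("C", 2), 4),   # BP2 - CP2
]


def elect(own_id, port_costs, rx):
    """Return (roles, tx) for one bridge.

    port_costs: {port: path cost}; rx: {port: best Bpdu received, or None}.
    tx holds the BPDU each designated port would send.
    """
    # The bridge's own claim to be root competes with what it has received.
    best, root_port = (Bpdu(own_id, 0, own_id, 0), 0), None
    for port, bpdu in rx.items():
        if bpdu is None:
            continue
        # Add the receiving port's path cost before comparing candidates.
        cand = (bpdu._replace(cost=bpdu.cost + port_costs[port]), port)
        if cand < best:
            best, root_port = cand, port
    roles, tx = {}, {}
    for port in port_costs:
        mine = Bpdu(best[0].root_id, best[0].cost, own_id, port)
        if port == root_port:
            roles[port] = "root"
        elif rx[port] is None or mine < rx[port]:
            roles[port] = "designated"   # our BPDU is superior on this segment
            tx[port] = mine
        else:
            roles[port] = "blocked"      # the neighbor's BPDU is superior
    return roles, tx


def converge(bridges, links, max_rounds=10):
    """Exchange BPDUs round by round until no port learns a superior one."""
    ports = {b: {} for b in bridges}
    peer = {}
    for (b1, p1), (b2, p2), cost in links:
        ports[b1][p1] = cost
        ports[b2][p2] = cost
        peer[(b1, p1)] = (b2, p2)
        peer[(b2, p2)] = (b1, p1)
    rx = {b: {p: None for p in ports[b]} for b in bridges}
    roles = {}
    for _ in range(max_rounds):
        sent = {}
        for name, own_id in bridges.items():
            roles[name], tx = elect(own_id, ports[name], rx[name])
            for port, bpdu in tx.items():
                sent[peer[(name, port)]] = bpdu
        changed = False
        for (name, port), bpdu in sent.items():
            if rx[name][port] is None or bpdu < rx[name][port]:
                rx[name][port] = bpdu
                changed = True
        if not changed:
            return roles
    raise RuntimeError("topology did not converge")


if __name__ == "__main__":
    for name, port_roles in converge(BRIDGES, LINKS).items():
        print(name, port_roles)
```

With these constructed costs, Device C reaches the root more cheaply through Device B than over its direct link to Device A, so its port facing Device A is the one left blocked.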
root port and designated port begin to forward data as soon as they are elected, a temporary loop may occur.
STP timers
The following three time parameters are important for STP calculation:
Forward delay, the period a device waits before state transition.
Note: In RSTP, the state of a root port can transit fast under the following conditions: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
[Figure: MST regions exchanging BPDUs. Region A0: VLAN 1 mapped to MSTI 1, VLAN 2 mapped to MSTI 2, other VLANs mapped to CIST. Region B0: VLAN 1 mapped to MSTI 1...]
III. VLAN-to-MSTI mapping table
A VLAN-to-MSTI mapping table is maintained for each MST region. The table is a collection of mappings between VLANs and MSTIs. For example, in...
A designated port is used to forward packets to a downstream network segment or switch.
A master port connects an MST region to the common root. The path from the master port to the common root is the shortest path between the MST region and the common root.
[Figure: port roles in an MST region connected to the common root bridge. Labels: region boundary ports, master port, alternate port, backup port, designated port; Port 1, Port 2, Port 3, Port 5, Port 6...]
1.2.3 Principle of MSTP
MSTP divides a Layer 2 network into multiple MST regions. The CSTs are generated between these MST regions, and multiple spanning trees (also called MSTIs) can be generated in each MST region.
MSTP is compatible with both STP and RSTP. That is, MSTP-enabled switches can recognize the protocol packets of STP and RSTP and use them for spanning tree calculation. In addition to the basic MSTP functions, H3C series switches also provide the following functions for users to manage their switches.
1.3 Configuring Root Bridge
Complete the following tasks to configure the root bridge:
Task | Remarks
Required. To prevent network topology jitter caused by other related configurations, you are...
1.3.1 Configuration Prerequisites
The role (root, branch, or leaf) of each switch in each MSTI is determined.
1.3.2 Configuring an MST Region
I. Configuration procedure
Follow these steps to configure an MST region:
To do...
(a 802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-MSTI mapping table, and revision level. The H3C series support only the MST region name, VLAN-to-MSTI mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
20 to 30
1.3.3 Specifying the Current Switch as a Root Bridge/Secondary Root Bridge
MSTP can automatically choose a switch as a root bridge through calculation. You can also manually specify the current switch as a root bridge by using the corresponding commands.
You can specify the network diameter and the hello time parameters while configuring a root bridge/secondary root bridge. Refer to Configuring the Network Diameter of the Switched Network...
Caution: Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more.
If packets in legacy format are received, the port turns to discarding state to prevent network storm.
I. Configuration procedure
Follow these steps to configure how a port recognizes and sends MSTP packets (in system view):
To do...
1.3.6 Configuring the MSTP Operation Mode
To make an MSTP-enabled switch compatible with STP/RSTP, MSTP provides the following three operation modes:
STP-compatible mode, where the ports of a switch send STP BPDUs to neighboring devices.
mechanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation, and thus limits the size of an MST region. With such a mechanism, the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree, which limits the size of the spanning tree in the current MST region.
The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is. After you configure the network diameter of a switched network, an MSTP-enabled switch adjusts its hello time, forward delay, and max age settings accordingly to better values.
Caution: The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A forward delay that is too small may result in temporary redundant paths, and a forward delay that is too large may leave the network unable to resume the normal state in time after changes occur in the network.
by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch as faulty if it does not receive any BPDU from the upstream switch within a period of three times the hello time, and then initiates the spanning tree recalculation process.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure the maximum transmitting rate for... | stp interface interface-list transmit-limit packetnum | Required. The maximum transmitting rate of all...
port changes from the blocking state to the forwarding state, it does not have to wait for a delay.
You can configure a port as an edge port in one of the following two ways.
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 edged-port enable
Configure Ethernet 1/0/1 as an edge port in Ethernet port view
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp edged-port enable
1.3.13 Specifying Whether the Link Connected to a Port Is Point-to-point...
Note: If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchronized to the rest of the ports in the same aggregation group.
Follow these steps to enable MSTP in Ethernet port view:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable MSTP | stp enable | Required. MSTP is disabled by default.
Task | Remarks
Configuring an MST Region | Required
Configuring How a Port Recognizes and Sends MSTP Packets | Optional
Configuring the Timeout Time Factor | Optional
Configuring the Maximum Transmitting Rate on the Current Port | Optional. The default value is recommended.
1.4.6 Configuring a Port as an Edge Port
Refer to Configuring the Current Port as an Edge Port.
1.4.7 Configuring the Path Cost for a Port
The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs.
Follow these steps to configure the path cost for a port in Ethernet port view:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type | —...
1.4.8 Configuring Port Priority
Port priority is an important criterion in determining the root port. Under the same conditions, the port with the smallest port priority value becomes the root port.
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16
Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 1 port priority 16
1.4.9 Specifying Whether the Link Connected to a Port Is a Point-to-point...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Perform the mCheck operation | stp [ interface interface-list ] mcheck | Required
II. Perform the mCheck operation in Ethernet port view
Follow these steps to perform the mCheck operation in Ethernet port view:
To do...
Normally, no configuration BPDU will reach edge ports. But malicious users can attack a network by deliberately sending configuration BPDUs to edge ports to cause network jitter. You can prevent this type of attack by using the BPDU guard function. With this function enabled on a switch, the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator.
IV. TC-BPDU attack guard
Normally, a switch removes its MAC address table and ARP entries upon receiving TC-BPDUs. If a malicious user sends a large number of TC-BPDUs to a switch in a...
[Sysname] stp bpdu-protection
Caution: As Gigabit ports of an S3100-52P Ethernet switch cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
To do... | Use the command... | Remarks
Enable the root guard function on the current port | stp root-protection | Required. The root guard function is disabled by default.
II. Configuration example
# Enable the root guard function on Ethernet 1/0/1.
II. Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Required Enable the TC-BPDU...
This problem can be overcome by implementing the digest snooping feature. If a port on an S3100-52P Ethernet switch is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Enable the digest snooping feature | ... | Required. The digest snooping...
1.8 Configuring Rapid Transition
1.8.1 Introduction
Designated ports of RSTP-enabled or MSTP-enabled switches use the following two types of packets to implement rapid transition:
Proposal packets: Packets sent by designated ports to request rapid transition...
RSTP in the way to implement rapid transition on designated ports. When a switch of this kind operating as the upstream switch connects with a H3C series switch running MSTP, the upstream designated port fails to change its state rapidly.
RSTP in the way to implement rapid transition on designated ports. Port 1 is the designated port. The downstream H3C switch is running MSTP. Port 2 is the root port. Figure 1-8 Network diagram for rapid transition configuration II. Configuration procedure...
Note: The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable MSTP globally | stp enable | —
Enable the VLAN-VPN tunnel function globally | vlan-vpn tunnel | Required. The VLAN-VPN tunnel function is disabled by default.
To do... | Use the command... | Remarks
Enable log/trap output for the ports of all instances | stp portlog all | Required. By default, log/trap output is disabled for the ports of all instances.
1.12 Displaying and Maintaining MSTP
To do... | Use the command... | Remarks
Display the state and statistics information about spanning... | display stp [ instance instance-id ] [ interface interface-list | slot slot-number ]...
II. Network diagram
Figure 1-10 Network diagram for MSTP configuration
Note: The word “permit” shown in Figure 1-10 means the corresponding link permits packets of specific VLANs.
III. Configuration procedure
Configure Switch A
# Enter MST region view.
# Configure the region name, VLAN-to-MSTI mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30...
1.14 VLAN-VPN tunnel Configuration Example
I. Network requirements
Switch C and Switch D are the access devices for the service provider network.
Switch A and Switch B are the access devices for the customer networks.
<Sysname> system-view
[Sysname] stp enable
# Enable the VLAN-VPN tunnel function.
[Sysname] vlan-vpn tunnel
# Add Ethernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port Ethernet 1/0/1
[Sysname-Vlan10] quit
# Disable STP on Ethernet 1/0/1 and then enable the VLAN VPN function on it.
Operation Manual – Static Route H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 IP Routing Protocol Overview
1.1 Introduction to IP Route and Routing Table
1.1.1 IP Route
1.1.2 Routing Table
1.1.3 Routing Protocols and Routing Priority
Chapter 1 IP Routing Protocol Overview
Go to these sections for information you are interested in:
Introduction to IP Route and Routing Table
Displaying and Maintaining a Routing Table...
Mask: Along with the destination address, it identifies the address of the network segment where the destination host or router resides. By performing a logical AND operation between destination address and network mask, you can get the address of the network segment where the destination host or router resides.
Note: The smaller the priority value, the higher the priority. The priority for a direct route is always 0, which you cannot change. Any other type of routes can have their priorities manually configured.
To do… | Use the command… | Remarks
Clear statistics about a routing table | reset ip routing-table statistics protocol { all | protocol } | Available in user view...
Operation Manual – Static Route H3C S3100-52P Ethernet Switch Chapter 2 Static Route Configuration
Chapter 2 Static Route Configuration
When configuring a static route, go to these sections for information you are interested in:
Introduction to Static Route
Static Route Configuration...
Blackhole route: route with blackhole attribute. If a static route destined for a destination has the blackhole attribute, the outgoing interface of this route is the Null 0 interface regardless of the next hop address, and all the IP packets addressed to this destination will be dropped without notifying the source hosts.
Note: Use the ip route-static command to configure a default route by setting the destination IP address and the mask to 0.0.0.0. Avoid configuring the next hop address of a static route to the address of an interface on the local switch.
Figure 2-1 Network diagram for static route configuration
III. Configuration procedure
Note: When only one interface of the device is interconnected with another network segment, you can implement network communication by configuring either a static route or default route.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1
# Configure static routes on Switch C.
<SwitchC> system-view
[SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
Perform the following configurations on the host.
Operation Manual – Multicast H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Multicast Overview
1.1 Multicast Overview
1.1.1 Information Transmission in the Unicast Mode
1.1.2 Information Transmission in the Broadcast Mode
1.1.3 Information Transmission in the Multicast Mode
Chapter 1 Multicast Overview
Note: In this manual, the term “router” refers to a router in the generic sense and a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 1-1 Information transmission in the unicast mode
Assume that Hosts B, D and E need this information.
Figure 1-2 Information transmission in the broadcast mode
Assume that Hosts B, D, and E need the information.
Figure 1-3 Information transmission in the multicast mode
Assume that Hosts B, D and E need the information.
A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
Multicast provides the following applications:
Applications of multimedia and flow media, such as Web TV, Web radio, and real-time video/audio conferencing.
Communication for training and cooperative operations, such as remote education.
1.3 Multicast Architecture
The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers.
packets. A Class D address must not appear in the source IP address field of an IP packet. Class E IP addresses are reserved for future use.
Table 1-3 Reserved IP multicast addresses
Class D address range | Description
224.0.0.1 | Address of all hosts
224.0.0.2 | Address of all multicast routers
224.0.0.3 | Unassigned
224.0.0.4 | Distance Vector Multicast Routing Protocol...
II. Ethernet multicast MAC address
When a unicast IP packet is transported in an Ethernet network, the destination MAC address is the MAC address of the receiver. When a multicast packet is transported in an Ethernet network, a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members.
I. Layer 3 multicast protocols
Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols. Figure 1-5 describes where these multicast protocols are in a network.
For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport.
To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface. The result of the RPF check determines whether the packet will be forwarded or discarded.
independently maintain any type of unicast route; instead, it relies on the existing unicast routing information in creating multicast routing entries. When performing an RPF check, a router searches its unicast routing table. The specific process is as follows: The router automatically chooses an optimal unicast route by searching its unicast routing table, using the IP address of the “packet source”...
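The RPF check described above, sketched as an added example (not code from the H3C manual or the switch software). It assumes the "packet source" is the multicast source address and that the optimal unicast route is the longest-prefix match; the routing table, interface names and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: str      # interface the unicast route points out of
    next_hop: str


# Constructed unicast routing table; interface names and addresses are sample values.
UNICAST_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "Vlan-interface30", "1.1.3.1"),
    Route(ipaddress.ip_network("1.1.1.0/24"), "Vlan-interface10", "1.1.2.1"),
    Route(ipaddress.ip_network("1.1.1.128/25"), "Vlan-interface20", "1.1.5.1"),
]


def rpf_route(table, source):
    """Pick the optimal unicast route back to the packet source (longest prefix wins)."""
    src = ipaddress.ip_address(source)
    matches = [r for r in table if src in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_check(table, source, in_if):
    """Return (decision, reason) for a multicast packet from `source` seen on `in_if`."""
    if ipaddress.ip_address(source).is_multicast:
        # A Class D address is never valid as a source address.
        return ("discard", "source is a Class D address")
    route = rpf_route(table, source)
    if route is None:
        return ("discard", "no unicast route to source")
    if route.out_if != in_if:
        return ("discard", f"RPF interface is {route.out_if}, not {in_if}")
    return ("forward", f"arrived on RPF interface {route.out_if}")


# Constructed packets: (source address, incoming interface).
SAMPLE_PACKETS = [
    ("1.1.1.10", "Vlan-interface10"),    # matches 1.1.1.0/24 on the right interface
    ("1.1.1.200", "Vlan-interface10"),   # 1.1.1.128/25 is more specific: wrong interface
    ("1.1.1.200", "Vlan-interface20"),
    ("9.9.9.9", "Vlan-interface30"),     # only the default route matches
    ("9.9.9.9", "Vlan-interface10"),
    ("224.1.1.1", "Vlan-interface10"),   # multicast address used as a source
]


def decide_all(table, packets=SAMPLE_PACKETS):
    """Decision only, one entry per sample packet."""
    return [rpf_check(table, src, ifname)[0] for src, ifname in packets]


if __name__ == "__main__":
    for src, ifname in SAMPLE_PACKETS:
        print(src, ifname, *rpf_check(UNICAST_TABLE, src, ifname))
```

With a default route in the table every source has an RPF interface, so packets from otherwise unknown sources pass the check when they arrive on the default route's interface; without it they are discarded.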
Chapter 2 Common Multicast Configuration
Note: In this manual, the term “router” refers to a router in the generic sense and a Layer 3 Ethernet switch running an IP multicast protocol.
II. Configuring multicast source port suppression in Ethernet port view
Follow these steps to configure multicast source port suppression in Ethernet port view:
To do... | Use the command...
Note:
If the multicast MAC address entry to be created already exists, the system gives you a prompt.
If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
2.2 Displaying Common Multicast Configuration
Use these commands to display common multicast configuration:
To do... | Use the command... | Remarks
Display the statistics display multicast-source-deny Available in information about multicast...
Chapter 3 IGMP Snooping Configuration
When configuring IGMP snooping, go to these sections for information you are interested in:
IGMP Snooping Overview
IGMP Snooping Configuration Task List...
Router port: A router port is a port on the Layer 3 multicast device (DR or IGMP querier) side of the Ethernet switch. In the figure, Ethernet 1/0/1 of Switch A and Ethernet 1/0/1 of Switch B are router ports.
Upon receiving an IGMP query, a multicast group member host responds with an IGMP report. When it intends to join a multicast group, a host sends an IGMP report to the multicast router to announce that it is interested in the multicast information addressed to that group.
through all the router ports in the VLAN and all member ports of that multicast group, and performs the following to the receiving port: If any IGMP report in response to the group-specific query arrives to the member...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —
Optional Configure the igmp-snooping version version of IGMP The default IGMP Snooping...
3.2.4 Configuring Fast Leave Processing
With fast leave processing enabled, when the switch receives an IGMP leave message on a port, the switch directly removes that port from the forwarding table entry for the specific group.
Note:
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3.
The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified;...
II. Configuring a multicast group filter in Ethernet port view
Follow these steps to configure a multicast group filter in Ethernet port view:
To do... | Use the command...
To do... | Use the command... | Remarks
Limit the number of multicast groups on a port | igmp-snooping group-limit limit [ vlan vlan-list [ overflow-replace ] ] | Required. The maximum number of multicast groups on a port is 256 by default.
Note:
If the function of dropping unknown multicast packets is enabled, you cannot enable unknown multicast flooding suppression.
Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time.
Caution:
You can configure up to 200 static member ports on an S3100-52P switch.
If a port has been configured as a reflect port, it cannot be configured as a static member port.
there is no member of the multicast group on the local subnet and remove the corresponding path. To prevent this from happening, you can configure a port of the VLAN of the switch as a multicast group member.
3.2.12 Configuring a VLAN Tag for Query Messages
By configuring the VLAN tag carried in IGMP general and group-specific queries forwarded and sent by IGMP Snooping switches, you can enable multicast packet forwarding between different VLANs in a Layer 2 multicast network environment.
To do... | Use the command... | Remarks
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Enable IGMP | igmp enable | Required. By default, the IGMP feature is disabled.
Return to system view | quit | —...
To do... | Use the command... | Remarks
Enter Ethernet port view for a user device | interface interface-type interface-number | —
Define the port as a hybrid port link-type hybrid...
3.4.2 Configuring Multicast VLAN
I. Network requirements
As shown in Figure 3-4, Workstation is a multicast source. Switch A forwards multicast data from the multicast source. A Layer 2 switch, Switch B, forwards the multicast data to the end users Host A and Host B.
II. Network diagram
Figure 3-4 Network diagram for multicast VLAN configuration
III. Configuration procedure
The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
[SwitchA-Vlan-interface10] igmp enable
[SwitchA-Vlan-interface10] pim dm
Configure Switch B:
# Enable the IGMP Snooping feature on Switch B.
<SwitchB> system-view
[SwitchB] igmp-snooping enable
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
3.5 Troubleshooting IGMP Snooping
Symptom: Multicast function does not work on the switch.
Solution: Possible reasons are:
IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping.
1.1.3 Encapsulation of EAPoL Messages 1-4
1.1.4 802.1x Authentication Procedure 1-7
1.1.5 Timers Used in 802.1x 1-10
1.1.6 802.1x Implementation on an S3100-52P Switch 1-11
1.2 Introduction to 802.1x Configuration 1-15
1.3 Basic 802.1x Configuration 1-16
1.3.1 Configuration Prerequisites...
Operation Manual – 802.1x and System Guard H3C S3100-52P Ethernet switch
Table of Contents
3.4 Displaying and Maintaining HABP Configuration 3-2
Chapter 4 System Guard Configuration 4-1
4.1 System Guard Overview 4-1
4.1.1 Guard Against IP Attacks 4-1
4.1.2 Guard Against TCN Attacks...
Chapter 1 802.1x Configuration
Note:
The online user handshaking function is added. See Configuring Basic 802.1x Functions.
The configuration of 802.1x re-authentication is added. See Configuring 802.1x...
The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as a H3C series switch). It provides the port (physical or logical) for the supplicant system to access the LAN.
By default, a controlled port is a unidirectional port.
IV. The way a port is controlled
A port of a H3C series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the supplicant systems connected to the port can access the network without being authenticated after one supplicant system among them passes the authentication.
Figure 1-2 The mechanism of an 802.1x authentication system
EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets.
00: Indicates that the packet is an EAP-packet, which carries authentication information.
01: Indicates that the packet is an EAPoL-start packet, which initiates the authentication.
Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
Figure 1-5 The format of the Data field of a Request packet or a Response packet
The Type field indicates the EAP authentication type.
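The EAPoL encapsulation and the EAP Request/Response Data field described above, decoded in an added example (not code from the manual). The type values 00 and 01 are the ones listed on this page; the remaining EAPoL type values, the EAP Code and Type values, EtherType 0x888E and the PAE group address are taken from IEEE 802.1X and RFC 3748, and the frames are constructed test input.

```python
import struct

PAE_ETHERTYPE = 0x888E                       # EtherType used by 802.1x (EAPoL)
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")
EAPOL_TYPES = {0x00: "EAP-packet", 0x01: "EAPoL-start", 0x02: "EAPoL-logoff",
               0x03: "EAPoL-key", 0x04: "EAPoL-encapsulated-ASF-alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge"}


class FrameError(ValueError):
    """Raised when a frame is not well-formed EAPoL."""


def parse_eap(body):
    """Decode the EAP packet carried in an EAPoL frame of type 00."""
    if len(body) < 4:
        raise FrameError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise FrameError("EAP Length field does not fit the EAPoL body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):                       # only Request/Response carry Type + Data
        if length < 5:
            raise FrameError("Request/Response without a Type field")
        eap["type"] = EAP_TYPES.get(body[4], f"unknown({body[4]})")
        eap["data"] = body[5:length]
    return eap


def parse_eapol(frame):
    """Decode an Ethernet frame carrying EAPoL; reject anything malformed."""
    if len(frame) < 18:
        raise FrameError("shorter than Ethernet header + EAPoL header")
    ethertype, version, ptype, length = struct.unpack("!HBBH", frame[12:18])
    if ethertype != PAE_ETHERTYPE:
        raise FrameError("EtherType is not 0x888E")
    body = frame[18:18 + length]             # bytes after this are Ethernet padding
    if len(body) != length:
        raise FrameError("EAPoL Length field exceeds the captured frame")
    info = {"src": frame[6:12].hex(":"), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0x00:
        info["eap"] = parse_eap(body)
    return info


def build_frame(src_mac, ptype, body=b"", pad_to=60):
    """Build a constructed test frame, padded like a minimum-size Ethernet frame."""
    header = struct.pack("!HBBH", PAE_ETHERTYPE, 1, ptype, len(body))
    frame = PAE_GROUP_MAC + bytes.fromhex(src_mac) + header + body
    return frame.ljust(pad_to, b"\x00")


# Constructed frames: an EAPoL-start and an EAP-Response/Identity from one supplicant.
SUPPLICANT = "001122334455"
IDENTITY = b"user@aabbcc.net"
START = build_frame(SUPPLICANT, 0x01)
RESPONSE_ID = build_frame(
    SUPPLICANT, 0x00, struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY)

if __name__ == "__main__":
    for frame in (START, RESPONSE_ID):
        print(parse_eapol(frame))
```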
1.1.4 802.1x Authentication Procedure
A H3C S3100-52P Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
I. EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server.
[Figure: message exchange between the supplicant system, the authenticator system (EAPOL on the supplicant side, EAPOR on the server side) and the RADIUS server: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, RADIUS Access-Request (EAP-Response/Identity)]
Upon receiving the key (encapsulated in an EAP-request/MD5 challenge packet) from the switch, the client program encrypts the password of the supplicant system with the key and sends the encrypted password (contained in an EAP-response/MD5 challenge packet) to the RADIUS server through the switch.
1.1.6 802.1x Implementation on an S3100-52P Switch
In addition to the earlier mentioned 802.1x features, an S3100-52P switch is also capable of the following:
Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
Note: H3C's CAMS Server is a service management system used to manage networks and to secure networks and user information. With the cooperation of other networking devices (such as switches) in the network, a CAMS server can implement the AAA functions and rights management.
Note: The 802.1x client version-checking function needs the support of H3C’s 802.1x client program.
III. The guest VLAN function
The guest VLAN function enables supplicant systems that are not authenticated to access network resources in a restrained way.
to the user. To connect to the switch again, the user needs to initiate 802.1x authentication with the client software again.
Note: When re-authenticating a user, a switch goes through the complete authentication process.
Note: 802.1x re-authentication will fail if a CAMS server is used and configured to perform authentication but not accounting. This is because a CAMS server establishes a user session after it begins to perform accounting.
1.3 Basic 802.1x Configuration
1.3.1 Configuration Prerequisites
Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
To do… Use the command… Remarks dot1x port-method { macbased | portbased } quit Optional Set authentication dot1x By default, a switch performs method for 802.1x...
With the support of the H3C proprietary client, handshake packets are used to test whether or not a user is online. Because non-H3C clients do not support the online user handshaking function, switches cannot receive handshake acknowledgement packets from them in handshaking periods.
To do… Use the command... Remarks Optional By default, the maximum retry times to send a Set the maximum retry request packet is 2. That...
Note: As for the dot1x max-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also use this command in port view.
Remarks quit
Note:
The proxy checking function needs the cooperation of H3C's 802.1x client (iNode) program.
The proxy checking function depends on the online user handshaking function. To enable the proxy detecting function, you need to enable the online user handshaking function first.
Note: As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view.
Caution:
The guest VLAN function is available only when the switch operates in the port-based authentication mode.
Only one guest VLAN can be configured for each switch.
The switch uses the value of the Session-timeout attribute field of the Access-Accept packet sent by the RADIUS server as the re-authentication interval.
The switch uses the value configured with the dot1x timer reauth-period command as the re-authentication interval for access users.
All supplicant systems that pass the authentication belong to the default domain named “aabbcc.net”. The domain can accommodate up to 30 users. As for authentication, a supplicant system is authenticated locally if the RADIUS server fails.
Note: The following configuration covers the major AAA/RADIUS configuration commands. Refer to AAA Operation for the information about these commands. Configuration on the client and the RADIUS servers is omitted.
# Configure to send the user name to the RADIUS server with the domain name truncated.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create the domain named “aabbcc.net” and enter its view.
In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the H3C S3100-52P provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployment.
Chapter 2 Quick EAD Deployment Configuration
Note: The quick EAD deployment feature takes effect only when the access control mode of an 802.1x-enabled port is set to auto.
2.2 Configuring Quick EAD Deployment
2.2.1 Configuration Prerequisites...
Caution:
You must configure the URL for HTTP redirection before configuring a free IP range.
A URL must start with http:// and the segment where the URL resides must be in the free IP range.
The Web server is configured properly.
The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch.
Chapter 3 HABP Configuration
When configuring HABP, go to these sections for information you are interested in:
Introduction to HABP
HABP Server Configuration
HABP Client Configuration
Displaying and Maintaining HABP Configuration
3.1 Introduction to HABP...
To do... | Use the command... | Remarks
Enable HABP | habp enable | Optional. By default, HABP is enabled.
Required By default, a switch operates as an HABP...
To do... | Use the command... | Remarks
Display statistics on HABP packets | display habp traffic | Available in any view...
Chapter 4 System Guard Configuration
When configuring System Guard, go to these sections for information you are interested in:
System Guard Overview
Configuring System Guard
Displaying and Maintaining System Guard Configuration
4.1 System Guard Overview...
Configuring parameters related to MAC address learning
Follow these steps to configure System Guard against IP attacks:
To do... | Use the command... | Remarks
Enter system view | system-view | —...
To do... | Use the command... | Remarks
Enable System Guard against TCN attacks | system-guard tcn enable | Required. Disabled by default
Set the threshold of system-guard tcn...
Operation Manual – AAA H3C S3100-52P Ethernet switch
Table of Contents
Chapter 1 AAA Overview 1-1
1.1 Introduction to AAA 1-1
1.1.1 Authentication 1-1
1.1.2 Authorization 1-2
1.1.3 Accounting 1-2
1.1.4 Introduction to ISP Domain 1-2
1.2 Introduction to AAA Services...
2.4 Displaying and Maintaining AAA Configuration 2-32
2.4.1 Displaying and Maintaining AAA Configuration 2-32
2.4.2 Displaying and Maintaining RADIUS Protocol Configuration 2-32
2.4.3 Displaying and Maintaining HWTACACS Protocol Configuration 2-33
2.5 AAA Configuration Examples...
Chapter 1 AAA Overview
Note:
The configuration of ISP domain delimiter is added. See Creating an ISP Domain and Configuring Its Attributes.
The configuration of HWTACACS authentication scheme for user level switching is added.
Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, a H3C series switch) acts as the client to communicate with the RADIUS or TACACS server. You can use standard or extended RADIUS protocols in conjunction with such systems as iTELLIN/CAMS for user authentication.
1.2 Introduction to AAA Services
1.2.1 Introduction to RADIUS
AAA is a management framework. It can be implemented by more than one protocol, but in practice the most commonly used service for AAA is RADIUS.
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.
II. Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key.
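How the shared key verifies a server reply, as an added example (not code from the manual or from the switch). It follows the Response Authenticator rule of RFC 2865, MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared key; the key strings, identifier and Session-Timeout value are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2             # Code field value (RFC 2865)
SESSION_TIMEOUT = 27          # attribute type (RFC 2865)


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: compute the Response Authenticator and assemble the reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def verify_response(packet, ident, request_auth, secret):
    """Client side: accept the reply only if it matches our request and shared key."""
    if len(packet) < 20:
        return False
    _code, reply_id, length = struct.unpack("!BBH", packet[:4])
    if reply_id != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]                 # ignore bytes beyond the Length field
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo():
    """Run one constructed exchange and return the client's verdict for each case."""
    shared_key = b"constructed-key-1"        # configured on both switch and server
    request_auth = os.urandom(16)            # Request Authenticator chosen by the client
    ident = 7
    attrs = attribute(SESSION_TIMEOUT, struct.pack("!I", 3600))
    reply = build_response(ACCESS_ACCEPT, ident, request_auth, attrs, shared_key)
    tampered = reply[:-1] + b"\x01"          # Session-Timeout altered in transit
    return {
        "same key": verify_response(reply, ident, request_auth, shared_key),
        "different key": verify_response(reply, ident, request_auth, b"constructed-key-2"),
        "tampered Session-Timeout": verify_response(tampered, ident, request_auth, shared_key),
        "wrong identifier": verify_response(reply, ident + 1, request_auth, shared_key),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

This check covers replies only: the Request Authenticator in an Access-Request is a random value, so requests are integrity-protected only when they carry the Message-Authenticator attribute (RFC 3579).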
The RADIUS server returns a start-accounting response (Accounting-Response).
The user starts to access network resources.
The RADIUS client sends a stop-accounting request (Accounting-Request, with the Status-Type attribute value = stop) to the RADIUS server.
Code | Message type | Message description
Access-Reject | Direction: server->client. The server transmits this message to the client if any attribute value carried in the Access-Request message is unacceptable (that is, the user fails the authentication).
Table 1-2 RADIUS attributes
Type field value | Attribute type | Type field value | Attribute type
User-Name | Framed-IPX-Network
User-Password | State
CHAP-Password | Class
NAS-IP-Address | Vendor-Specific
NAS-Port | Session-Timeout
Service-Type | Idle-Timeout
Framed-Protocol | Termination-Action...
Figure 1-4 Vendor-specific attribute format (fields: Type, Length, Vendor-ID, Type (specified), Length (specified), Specified attribute value)
1.2.2 Introduction to HWTACACS
I. What is HWTACACS
Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492).
Figure 1-5 Network diagram for a typical HWTACACS application
II. Basic message exchange procedure in HWTACACS
The following text takes a telnet user as an example to describe how HWTACACS implements authentication, authorization, and accounting for a user.
Figure 1-6 AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows:
A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server.
After receiving the password, the TACACS client sends an authentication continuance message carrying the password to the TACACS server.
The TACACS server returns an authentication response, indicating that the user has passed the authentication.
Chapter 2 AAA Configuration
2.1 AAA Configuration Task List
You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior.
Task Remarks Creating an ISP Domain and Required Configuring Its Attributes Configuring separate AAA schemes Required Required With separate AAA schemes, you can specify authentication, authorization and accounting schemes Configuring an AAA Scheme for an respectively.
Note that:
On an S3100-52P switch, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch.
When a user logs in, if no ISP domain name is carried in the username, the switch assumes that the user belongs to the default ISP domain.
Note: H3C's CAMS Server is a service management system used to manage networks and ensure network and user information security. With the cooperation of other networking devices (such as switches) in a network, a CAMS server can implement the AAA functions and right management.
Caution:
You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all the three AAA functions.
If you adopt the local scheme, only the authentication and authorization functions are implemented; the accounting function cannot be implemented.
RADIUS or local scheme still takes effect even if the authorization none command is executed.
The S3100-52P Ethernet switch adopts hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches.
III. Configuration guidelines
Suppose a combined AAA scheme is available. The system selects AAA schemes according to the following principles:
If authentication, authorization, and accounting each have a separate scheme, the separate schemes are used.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create an ISP domain and enter its view | domain isp-name | —
Optional Set the VLAN vlan-assignment-mode By default, the VLAN...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Optional By default, the password display mode of all access local-user Set the password display users is auto, indicating...
Caution:
The following characters are not allowed in the user-name string: /:*?<>. And you cannot input more than one “@” in the string.
After the local-user password-display-mode cipher-force command is executed, any password will be displayed in cipher mode even though you specify to display a user password in plain text by using the password command.
2.2 RADIUS Configuration Task List H3C’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS...
Complete the following tasks to configure RADIUS (the switch functions as a local RADIUS server): Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Required Authentication/Authorization Servers Configuring RADIUS Accounting Servers...
Note: Actually, the RADIUS service configuration only defines the parameters for information exchange between switch and RADIUS server. To make these parameters take effect, you must reference the RADIUS scheme configured with these parameters in an ISP domain view (refer to Configuration).
To do… Use the command… Remarks Required Set the IP address and By default, the IP address port number of the and UDP port number of primary authentication...
To do… Use the command… Remarks Optional Set the IP address By default, the IP address and and port number of secondary UDP port number of the the secondary...
Note: In an actual network environment, you can specify one server as both the primary and secondary accounting servers, as well as specifying two RADIUS servers as the primary and secondary accounting servers respectively. In addition, because...
To do… Use the command… Remarks Required Set a shared key for RADIUS accounting key accounting string By default, no shared key messages is created. Caution: The authentication/authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication/authorization server and the shared key on the accounting server.
To do… Use the command… Remarks Enter system view system-view — Required By default, a RADIUS Create a RADIUS scheme radius scheme scheme named "system" and enter its view...
Follow these steps to set the status of RADIUS servers: To do… Use the command… Remarks Enter system view system-view — Required By default, a RADIUS Create a RADIUS scheme radius scheme scheme named "system"...
To do… Use the command… Remarks Optional data-flow-format data By default, in a RADIUS { byte | giga-byte | scheme, the data unit and Set the units of data flows...
Note: Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to.
Follow these steps to configure the local RADIUS server function: To do… Use the command… Remarks Enter system view system-view — Optional Enable UDP ports for By default, the UDP ports...
For the primary and secondary servers (authentication/authorization servers, or accounting servers) in a RADIUS scheme: When the switch fails to communicate with the primary server due to some server trouble, the switch will turn to the secondary server and exchange messages with the secondary server.
To do… Use the command… Remarks Enter system view system-view — Optional Enable the sending of radius trap By default, the switch trap message when a { authentication-server-do...
Once the CAMS receives the Accounting-On message, it sends a response to the switch. At the same time it finds and deletes the original online information of the...
2.3.2 Configuring TACACS Authentication Servers Follow these steps to configure TACACS authentication servers: To do… Use the command… Remarks Enter system view system-view — Required Create a HWTACACS...
To do… Use the command… Remarks Required Set the IP address and By default, the IP address port number of the primary authorization of the primary primary TACACS...
To do… Use the command… Remarks Optional Enable the By default, the stop-accounting message stop-accounting retransmission function retry stop-accounting messages retransmission and set the maximum retry-times function is enabled and...
2.3.6 Configuring the Attributes of Data to be Sent to TACACS Servers Follow these steps to configure the attributes for data to be sent to TACACS servers: To do…...
To do… Use the command… Remarks Enter system view system-view — Required Create a HWTACACS hwtacacs scheme By default, no scheme and enter its view hwtacacs-scheme-name HWTACACS scheme exists.
2.4 Displaying and Maintaining AAA Configuration 2.4.1 Displaying and Maintaining AAA Configuration To do… Use the command… Remarks Display configuration information about one display domain [ isp-name ]...
To do… Use the command… Remarks reset stop-accounting-buffer Delete buffered { radius-scheme non-response radius-scheme-name | session-id Available in stop-accounting requests session-id | time-range start-time user view stop-time | user-name user-name }...
I. Network requirements In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
The user is not configured in the database of the RADIUS server — Check the database of the RADIUS server, make sure that the configuration information about the user exists.
Operation Manual – AAA H3C S3100-52P Ethernet switch Chapter 3 EAD Configuration
Chapter 3 EAD Configuration
3.1 Introduction to EAD
Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints.
After a client passes the authentication, the security client (software installed on the client PC) interacts with the security policy server to check the security status of the client.
A user is connected to Ethernet 1/0/1 on the switch. The user uses an 802.1x client that supports the EAD extended function. You are required to configure the switch to use a RADIUS server for remote user authentication and a security policy server for EAD control on users.
[Sysname-radius-cams] server-type extended
# Configure the IP address of the security policy server.
[Sysname-radius-cams] security-policy-server 10.110.91.166
# Associate the domain with the RADIUS scheme.
[Sysname-radius-cams] quit
[Sysname] domain system...
Operation Manual – Web Authentication H3C S3100-52P Ethernet switch Table of Contents
Chapter 1 Web Authentication Configuration
1.1 Introduction to Web Authentication
1.2 Web Authentication Configuration
1.2.1 Configuration Prerequisites
1.2.2 Configuring Web Authentication
1.3 Displaying and Maintaining Web Authentication
Operation Manual – Web Authentication H3C S3100-52P Ethernet switch Chapter 1 Web Authentication Configuration
Chapter 1 Web Authentication Configuration
When configuring Web authentication, go to these sections for information you are interested in: Introduction to Web Authentication Web Authentication Configuration...
To do… Use the command… Remarks Enter system view system-view — Required If no port number is Set the IP address and web-authentication specified, port 80 will be...
Caution: Before enabling global Web authentication, you should first set the IP address of a Web authentication server. Web authentication cannot be enabled when one of the following features is enabled, and vice versa: 802.1x, MAC authentication, port security and port...
Configure a free IP address range, which can be accessed by the user before it passes the Web authentication. II. Network diagram Figure 1-1 Web authentication for user III.
# Set the password that will be used to encrypt the messages exchanged between the switch and the RADIUS authentication server.
[Sysname-radius-radius1] key authentication expert
# Configure the system to strip domain name off a user name before transmitting the user name to the RADIUS server.
Operation Manual – MAC Address Authentication H3C S3100-52P Ethernet switch Table of Contents
Chapter 1 MAC Address Authentication Configuration
1.1 MAC Address Authentication Overview
1.1.1 Performing MAC Address Authentication on a RADIUS Server
1.1.2 Performing MAC Address Authentication Locally
Once detecting a new MAC address, it initiates the authentication process. During authentication, the user does not need to enter username or password manually. For S3100-52P Ethernet switch, MAC address authentication can be implemented locally or on a RADIUS server.
Operation Manual – MAC Address Authentication H3C S3100-52P Ethernet switch Chapter 1 MAC Address Authentication Configuration
1.1.1 Performing MAC Address Authentication on a RADIUS Server
When authentications are performed on a RADIUS server, the switch serves as a RADIUS client and completes MAC address authentication in combination with the RADIUS server.
1.2.2 Quiet MAC Address
When a user fails MAC address authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires.
To do... Use the command... Remarks Set the user name in fixed mac-authentication mode for MAC authmode address usernamefixed Optional authentication Set the user name...
1.4 MAC Address Authentication Enhanced Function Configuration 1.4.1 MAC Address Authentication Enhanced Function Configuration Task List Complete the following tasks to configure MAC address authentication enhanced...
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically.
Caution: If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port.
Caution: If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
III. Configuration Procedure
# Enable MAC address authentication on port Ethernet 1/0/2.
<Sysname> system-view
[Sysname] mac-authentication interface Ethernet 1/0/2
# Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
Operation Manual – ARP H3C S3100-52P Ethernet Switch Table of Contents
Chapter 1 ARP Configuration
1.1 Introduction to ARP
1.1.1 ARP Function
1.1.2 ARP Message Format
1.1.3 ARP Table
1.1.4 ARP Process
1.1.5 Introduction to ARP Attack Detection
Operation Manual – ARP H3C S3100-52P Ethernet Switch Chapter 1 ARP Configuration
Chapter 1 ARP Configuration
When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP...
As for an ARP request, all the fields except the hardware address of the receiver field are set. The hardware address of the receiver is what the sender requests.
IP address-to-MAC address mapping entries are stored. An S3100-52P Ethernet switch provides the display arp command to display the information about ARP mapping entries. ARP entries in an S3100-52P Ethernet switch can either be static entries or dynamic entries, as described in Table 1-3.
1.1.4 ARP Process Figure 1-2 ARP process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows: Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B.
II. ARP attack detection To guard against the man-in-the-middle attacks launched by hackers or attackers, an S3100-52P Ethernet switch supports the ARP attack detection function. All ARP (both request and response) packets passing through the switch are redirected to the CPU, which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP binding table.
CPU will get overloaded, causing other functions to fail, and even the whole device to break down. To guard against such attacks, an S3100-52P Ethernet switch supports the ARP packets rate limit function, which will shut down the attacked port, thus preventing serious impact on the CPU.
1.2 Configuring ARP 1.2.1 Configuring ARP Basic Functions Follow these steps to configure ARP basic functions: To do… Use the command… Remarks Enter system view system-view — Optional...
To do… Use the command… Remarks interface interface-type Enter Ethernet port view — interface-number Required By default, after DHCP Specify the current port as dhcp-snooping trust snooping is enabled, all...
Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S3100-52P Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.
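The ARP attack detection check and the VLAN caveat described above, modeled in Python as an added example (it is not H3C code and not part of the manual): an ARP payload is parsed, and its sender IP, sender MAC and VLAN are compared with DHCP-snooping and static binding entries. The Binding fields, the verdict strings, the order of the checks and the 10.1.1.2 entry are assumptions constructed for illustration; the 1.1.1.1 / 0001-0001-0001 pair is Host A from the manual's IP filtering example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC binding (field names are assumptions for this model)."""
    ip: str
    mac: str     # written xxxx-xxxx-xxxx, as in the manual
    vlan: int
    source: str  # "dhcp-snooping" or "static"


# Constructed sample table: one static binding and one snooped entry.
SAMPLE_BINDINGS = [
    Binding("1.1.1.1", "0001-0001-0001", 1, "static"),
    Binding("10.1.1.2", "0002-0002-0002", 1, "dhcp-snooping"),
]


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    digits = raw.hex()
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct a sample ARP payload (used only to create test input)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
        mac_to_bytes(target_mac), IPv4Address(target_ip).packed,
    )


def parse_arp(payload: bytes) -> dict:
    """Extract the sender fields; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper not in (1, 2):  # 1 = request, 2 = reply
        raise ValueError("unsupported ARP operation")
    return {
        "oper": oper,
        "sender_mac": bytes_to_mac(sha),
        "sender_ip": str(IPv4Address(spa)),
        "target_ip": str(IPv4Address(tpa)),
    }


def check_arp(payload: bytes, vlan: int, bindings) -> str:
    """Return "forward" or a "drop:<reason>" verdict for one ARP packet.

    vlan is the VLAN the packet arrived in; a binding only validates
    packets seen in the VLAN it was recorded for.
    """
    try:
        arp = parse_arp(payload)
    except ValueError:
        return "drop:malformed"
    by_ip = [b for b in bindings if b.ip == arp["sender_ip"]]
    if not by_ip:
        return "drop:no-binding"
    by_mac = [b for b in by_ip if b.mac.lower() == arp["sender_mac"]]
    if not by_mac:
        return "drop:mac-mismatch"  # claimed IP is bound to another MAC
    if not any(b.vlan == vlan for b in by_mac):
        return "drop:vlan-mismatch"
    return "forward"


if __name__ == "__main__":
    reply = build_arp(2, "0001-0001-0001", "1.1.1.1",
                      "0002-0002-0002", "10.1.1.2")
    forged = build_arp(2, "0003-0003-0003", "1.1.1.1",
                       "0002-0002-0002", "10.1.1.2")
    print(check_arp(reply, 1, SAMPLE_BINDINGS))
    print(check_arp(forged, 1, SAMPLE_BINDINGS))
    print(check_arp(reply, 2, SAMPLE_BINDINGS))
```
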
Note: The sending of gratuitous ARP packets is enabled as long as an S3100-52P switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VLAN interface is changed.
1.5.2 ARP Attack Detection and Packet Rate Limit Configuration Example
I. Network requirements
As shown in Figure 1-4, Ethernet 1/0/1 of Switch A connects to DHCP Server; Ethernet 1/0/2 connects to Client A, Ethernet 1/0/3 connects to Client B.
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
# Enable the ARP packet rate limit function on Ethernet 1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.
Operation Manual – DHCP H3C S3100-52P Ethernet Switch Table of Contents
Chapter 1 DHCP Overview
1.1 Introduction to DHCP
1.2 DHCP IP Address Assignment
1.2.1 IP Address Assignment Policy
1.2.2 Obtaining IP Addresses Dynamically
1.2.3 Updating IP Address Lease
Operation Manual – DHCP H3C S3100-52P Ethernet Switch Chapter 1 DHCP Overview
Chapter 1 DHCP Overview
When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format Protocol Specification
Note: Support for DHCP Snooping Option 82 is added in this manual.
Figure 1-1 Typical DHCP application 1.2 DHCP IP Address Assignment 1.2.1 IP Address Assignment Policy Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients: Manual assignment.
Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client only accepts the DHCP-OFFER packet that first arrives, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet.
1.3 DHCP Packet Format DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets.
file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
Untrusted: An untrusted port is connected to an unauthorized DHCP server. The DHCP-ACK or DHCP-OFFER packets received from the port are discarded, preventing DHCP clients from receiving invalid IP addresses. Figure 2-1 illustrates a typical network diagram for DHCP snooping application, where Switch A is an S3100-52P Ethernet switch.
II. Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82. Manufacturers can pad it as required. By default, the sub-options of Option 82 for an S3100-52P Ethernet Switch (enabled with DHCP snooping) are padded as follows:...
Figure 2-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, an S3100-52P Ethernet Switch supports Option 82 in the standard format. Refer to...
Operation Manual – DHCP H3C S3100-52P Ethernet Switch Chapter 2 DHCP Snooping Configuration
Figure 2-5 Standard format of the remote ID sub-option III. Mechanism of DHCP-snooping Option 82 With DHCP snooping and DHCP-snooping Option 82 support enabled, when the DHCP snooping device receives a DHCP client’s request containing Option 82, it will handle the packet according to the handling policy and the configured contents in sub-options.
Table 2-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will … Forward the packet after adding Option 82 with the default contents.
device, and the number of the VLAN to which the port belongs. These records are saved as entries in the DHCP-snooping table. II. IP static binding table The DHCP-snooping table only records information about clients that obtain IP address dynamically through DHCP.
Note: If an S3100-52P Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP clients can obtain valid IP addresses.
III. Configuring the storage format of Option 82 An S3100-52P Ethernet Switch supports the HEX or ASCII format for the Option 82 field. Follow these steps to configure a storage format for the Option 82 field: To do…...
To do… Use the command… Remarks Configure a storage dhcp-snooping Optional format for the Option information format { hex | By default, the format is hex. 82 field...
V. Configuring the remote ID sub-option You can configure the remote ID sub-option in system view or Ethernet port view: In system view, the remote ID takes effect on all interfaces. You can configure Option 82 as the system name (sysname) of the device or any customized character string in the ASCII format.
Note: If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured.
Note: Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering. You are not recommended to configure IP filtering on the ports of an aggregation group.
II. Network diagram
Figure 2-6 Network diagram for DHCP-snooping Option 82 support configuration
III. Configuration procedure
# Enable DHCP snooping on the switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify Ethernet 1/0/5 as the trusted port.
As shown in Figure 2-7, Ethernet 1/0/1 of the S3100-52P switch is connected to the DHCP server and Ethernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A are 1.1.1.1 and 0001-0001-0001 respectively. Ethernet 1/0/3 and Ethernet 1/0/4 are connected to DHCP Client B and Client C.
As a result, the switch cannot work normally and even goes down. An S3100-52P Ethernet switch supports ARP and DHCP packet rate limit on a port and shuts down the port under attack to prevent hazardous impact on the device CPU.
I. Network requirements As shown in Figure 3-1, Ethernet 1/0/1 of the S3100-52P switch is connected to the DHCP server. Ethernet 1/0/2 is connected to client B and Ethernet 1/0/11 is connected to client A. Enable DHCP snooping on the switch, and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
Operation Manual – DHCP H3C S3100-52P Ethernet Switch Chapter 3 DHCP Packet Rate Limit Configuration
[Switch-Ethernet1/0/1] quit
# Enable auto recovery.
[Sysname] dhcp protective-down recover enable
# Set the port state auto-recovery interval to 30 seconds.
[Sysname] dhcp protective-down recover interval 30
# Enter port view.
4.2 Introduction to Automatic Configuration 4.2.1 Application Background Automatic configuration enables an S3100-52P Ethernet switch to automatically obtain and execute the configuration files when it starts up and neither the main nor the backup configuration file exists. Since the devices of an enterprise network may be deployed in a wide geographical area, the task of manually configuring each device is huge.
4.2.2 How Automatic Configuration Works Figure 4-1 Network diagram for automatic configuration The S3100-52P switch supports automatic configuration. The working process is as follows: As shown in the above figure, when the switch starts up, and neither the main nor the backup configuration file exists, it automatically configures the VLAN interface of the default VLAN (in UP state) as a DHCP client.
Operation Manual – DHCP H3C S3100-52P Ethernet Switch Chapter 4 DHCP/BOOTP Client Configuration Note: An intermediate file maintains the IP address-to-host name mappings which are created using the ip host hostname ip-address command. When you use this command: You are recommended to type a space before the keyword ip or host.
4.3 Introduction to BOOTP Client After you specify an interface as a Bootstrap Protocol (BOOTP) client, the interface can use BOOTP to get information (such as IP address) from the BOOTP server, which simplifies your configuration.
Note: Currently, an S3100-52P Ethernet switch functioning as the DHCP client can use an IP address for 24 days at most. That is, the DHCP client can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period.
III. Configuration procedure The following describes only the configuration on Switch A serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
1.1 ACL Overview
1.1.1 ACL Matching Order
1.1.2 Ways to Apply an ACL on a Switch
1.1.3 Types of ACLs Supported by S3100-52P Ethernet Switch
1.2 ACL Configuration Task List
1.2.1 Configuring Time Range
1.2.2 Configuring Basic ACL
Operation Manual – ACL H3C S3100-52P Ethernet Switch Chapter 1 ACL Configuration
Chapter 1 ACL Configuration
When configuring ACL, go to these sections for information you are interested in: ACL Overview ACL Configuration Task List Displaying and Maintaining ACL Configuration...
Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destination MAC addresses, VLAN priorities, type of Layer 2 protocol, and so on. User-defined ACL.
In the switch, an ACL can be directly applied to hardware for packet filtering and traffic classification. In this case, the rules in an ACL are matched in the order determined by the hardware instead of that defined in the ACL. For S3100-52P Ethernet Switch, the later the rule applies, the higher the match priority.
Periodic time range, which recurs periodically on the day or days of the week. Absolute time range, which takes effect only in a period of time and does not recur. Note: An absolute time range on an H3C S3100-52P Ethernet Switch can be within the range 1970/1/1 00:00 to 2100/12/31 24:00.
I. Configuration procedure Follow these steps to configure a time range: To do... Use the command... Remarks Enter system view system-view — time-range time-name { start-time to end-time days-of-the-week [ from start-time...
<Sysname> system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
1.2.2 Configuring Basic ACL...
current greatest rule number is 65534, however, the system will display an error message and you need to specify a number for the rule. The content of a modified or created rule cannot be identical with the content of any existing rule;...
II. Configuration procedure Follow these steps to define an advanced ACL rule: To do... Use the command... Remarks Enter system view system-view — Create an advanced ACL acl number acl-number...
If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0;...
Page 528
Operation Manual – ACL H3C S3100-52P Ethernet Switch Chapter 1 ACL Configuration To do... Use the command... Remarks Required rule [ rule-id ] { permit | deny } [ rule-string rule-mask For information about Define an ACL rule offset ] &<1-8> [ time-range...
Operation Manual – ACL H3C S3100-52P Ethernet Switch Chapter 1 ACL Configuration II. Configuration procedure Follow these steps to apply ACL rules to a VLAN: To do... Use the command... Remarks — Enter system view system-view Required packet-filter vlan vlan-id...
Operation Manual – ACL H3C S3100-52P Ethernet Switch Chapter 1 ACL Configuration [Sysname] acl number 2001 [Sysname-acl-basic-2001] rule 1 permit source 10.110.100.46 0 [Sysname-acl-basic-2001] quit # Reference ACL 2001 to control users logging in to the Web server. [Sysname] ip http acl 2001 1.5 Examples for Applying ACLs to Hardware...
Operation Manual – ACL H3C S3100-52P Ethernet Switch Chapter 1 ACL Configuration 1.5.2 Advanced ACL Configuration Example I. Network requirements Different departments of an enterprise are interconnected through a switch. The IP address of the wage query server is 192.168.1.2. The R&D department is connected to Ethernet 1/0/1 of the switch.
II. Network diagram
Figure 1-5 Network diagram for Layer 2 ACL (labels: PC 1, Eth1/0/1, 0011-0011-0011, To the router, Switch, PC 2)
III. Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
II. Network diagram
Figure 1-6 Network diagram for user-defined ACL
III. Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1...
II. Network diagram
Figure 1-7 Network diagram for applying an ACL to a VLAN (labels: Database server 192.168.1.2, Eth1/0/1, Eth1/0/2, Eth1/0/3, VLAN 10, PC 1, PC 2, PC 3)
III.
1.1.2 Traditional Packet Forwarding Service
1.1.3 New Applications and New Requirements
1.1.4 Major Traffic Control Techniques
1.2 QoS Supported By S3100-52P Ethernet Switch
1.3 Introduction to QoS Functions
1.3.1 Traffic Classification
1.3.2 Priority Trust Mode
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Table of Contents
1.6.2 Configuration Example of Priority Marking and Queue Scheduling
1.6.3 VLAN Mapping Configuration Example
1.6.4 Configuring Traffic Mirroring and Redirecting Traffic to a Port
Chapter 2 QoS Profile Configuration
H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Chapter 1 QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview QoS Supported By S3100-52P Ethernet Switch QoS Configuration Displaying and Maintaining QoS QoS Configuration Examples Note: The following features are added: VLAN mapping.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration 1.1.2 Traditional Packet Forwarding Service In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. Network resources required for packet forwarding are determined by the order in which packets arrive.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration 1.1.4 Major Traffic Control Techniques Figure 1-1 End-to-end QoS model As shown in the figure above, traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance are the foundations for a network to provide differentiated services.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration QoS Feature Description Refer to … The S3100-52P supports SP, WFQ, and WRR queue scheduling algorithms and supports the following five queue Congestion For information about SP, WFQ, and...
1.3.2 Priority Trust Mode
I. Introduction to precedence types
IP precedence, ToS precedence, and DSCP precedence
Figure 1-2 DS field and ToS byte
The ToS field in an IP header contains eight bits numbered 0 through 7, among which the first three bits indicate IP precedence in the range 0 to 7.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4) and a subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class;...
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Local precedence Local precedence is a locally significant precedence that the device assigns to a packet. A local precedence value corresponds to one of the eight hardware output queues.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration 802.1p priority Local precedence 1.3.3 Protocol Priority Protocol packets generated by a switch carry their own priority. You can set a new IP precedence or DSCP precedence for the specific type of protocol packets to implement QoS.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration I. Token bucket The token bucket can be considered as a container with a certain capacity to hold tokens. The system puts tokens into the bucket at the set rate. When the token bucket is full, the extra tokens will overflow and the number of tokens in the bucket stops increasing.
When the network is congested, the problem that many packets compete for resources must be solved, usually through queue scheduling. The S3100-52P Switch supports three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration SP queuing Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Figure 1-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows.
In a typical H3C switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0.
packets of multiple TCP connections simultaneously, the TCP connections will enter the congestion avoidance and slow start state so that the traffic is regulated. The traffic peak will then occur at a certain future time.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Although the burst function helps reduce the packet loss ratio and improve packet processing capability in the networks mentioned above, it may affect QoS performance. So, use this function with caution.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration II. Configuration procedure Follow these steps to configure to trust port priority: To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter Ethernet port view —...
between 802.1p priority and the output queues and assigning packets with different priorities to the corresponding output queues. Note that this is a global setting, not a per-port setting. This is only recommended for advanced network environments.
| dscp corresponding protocol dscp-value } packets. Note: On an S3100-52P switch, you can set the priority for protocol packets of Telnet, SNMP, and ICMP. III. Configuration example Set the IP precedence of ICMP packets to 3. Display the configuration.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration I. Configuration prerequisites The following items are defined or determined before the configuration: The ACL rules used for traffic classification have been specified. Refer to the ACL module of this manual for related information.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Note: The granularity of traffic policing is 64 Kbps. If the number you input is in the range of N*64 to (N+1)*64 (N is a natural number), it will be rounded off to (N+1)*64.
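The token bucket described earlier and the 64 Kbps granularity note combine as follows in a small policer model. This is an added illustration, not H3C code: the burst size, the convention 1 Kbps = 1000 bit/s, the handling of exact multiples of 64, and the sample traffic are assumptions made for the example.

```python
GRANULARITY_KBPS = 64  # policing granularity stated in the manual's note


def effective_rate_kbps(requested_kbps):
    """Return the rate actually enforced for a configured target rate.

    A value between N*64 and (N+1)*64 is rounded up to (N+1)*64.
    Assumption: an exact multiple of 64 is left unchanged.
    """
    if requested_kbps <= 0:
        raise ValueError("target rate must be positive")
    return (requested_kbps + GRANULARITY_KBPS - 1) // GRANULARITY_KBPS * GRANULARITY_KBPS


class TokenBucketPolicer:
    """Single-rate token bucket: tokens are bits, time is in milliseconds."""

    def __init__(self, requested_kbps, burst_bytes):
        # 1 Kbps = 1000 bit/s = 1 bit per millisecond (assumption), so the
        # fill rate in bits/ms equals the effective rate in Kbps.
        self.fill_bits_per_ms = effective_rate_kbps(requested_kbps)
        self.capacity_bits = burst_bytes * 8   # bucket depth (assumed value)
        self.tokens = self.capacity_bits       # bucket starts full
        self.last_ms = 0

    def offer(self, now_ms, size_bytes):
        """Decide the fate of one packet arriving at now_ms."""
        # Refill at the set rate; tokens beyond the capacity overflow.
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.capacity_bits,
                          self.tokens + elapsed * self.fill_bits_per_ms)
        needed = size_bytes * 8
        if needed <= self.tokens:
            self.tokens -= needed
            return "forward"
        # Exceeding traffic is dropped and consumes no tokens.
        return "drop"


def police(requested_kbps, burst_bytes, packets):
    """Run (arrival_ms, size_bytes) packets through a fresh policer."""
    policer = TokenBucketPolicer(requested_kbps, burst_bytes)
    return [policer.offer(t, size) for t, size in packets]


# Constructed sample traffic: a burst of four 1500-byte packets, then one
# packet every 10 ms.
CONSTRUCTED_TRAFFIC = [(0, 1500), (0, 1500), (0, 1500), (0, 1500),
                       (10, 1500), (20, 1500), (30, 1500)]

if __name__ == "__main__":
    print("configured 600 Kbps ->", effective_rate_kbps(600), "Kbps enforced")
    for pkt, verdict in zip(CONSTRUCTED_TRAFFIC,
                            police(600, 4000, CONSTRUCTED_TRAFFIC)):
        print(pkt, verdict)
```

A configured 600 Kbps is enforced as 640 Kbps, and the burst is cut off as soon as the bucket runs dry, which is the behaviour to expect when sizing a limit for a host or a mirrored flow.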
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration To do… Use the command… Remarks Required Specify a committed information rate (CIR) for the line-rate { inbound | target-rate argument, and outbound } target-rate Configure line rate...
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Note: Packets redirected to the CPU are not forwarded. If the traffic is redirected to a Combo port in down state, the system automatically redirects the traffic to the port corresponding to the Combo port in up state. Refer to the Port Basic Configuration module of this manual for information about Combo ports.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration To do… Use the command… Remarks Enter system view system-view — Enter Ethernet port interface interface-type — view interface-number Required traffic-remark-vlanid Configure VLAN inbound acl-rule By default, VLAN mapping...
0 through queue 7). queue7-weight } A port of an S3100-52P Ethernet switch supports eight output queues. These queue scheduling algorithms are available: SP, WRR, and WFQ. With WRR (or WFQ) adopted, if you set the weight or the bandwidth of one or multiple queues to 0, the switch will add the queue or these queues to the SP group, where SP is adopted.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration Note: The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration I. Configuration prerequisites The indexes of queues to be dropped at random, the queue length that starts the drop action, and the drop probability have been determined.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration To do… Use the command… Remarks Required Configure traffic traffic-statistic inbound By default, traffic accounting acl-rule accounting is disabled. reset traffic-statistic Clear the traffic statistics Required inbound acl-rule III.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration I. Configuration prerequisites The ACL rules for traffic classification have been defined. Refer to the ACL module of this manual for information about defining ACL rules. The source mirroring ports and mirroring direction have been determined.
1.6 QoS Configuration Examples
1.6.1 Configuration Example of Traffic Policing and Line Rate
I. Network requirement
An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to...
[Sysname-Ethernet1/0/2] line-rate inbound 64
[Sysname-Ethernet1/0/2] quit
# Set the maximum rate of outbound IP packets sent by PC 1 in the R&D department to 640 kbps.
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] traffic-limit inbound ip-group 2000 640 exceed drop
1.6.2 Configuration Example of Priority Marking and Queue Scheduling...
# Configure VLAN mapping on Ethernet 1/0/10 to replace VLAN tag 500 with VLAN tag 100 and replace VLAN tag 600 with VLAN tag 200.
[SwitchA] interface Ethernet 1/0/10...
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 1 QoS Configuration II. Network diagram Figure 1-12 Network diagram for traffic redirecting and traffic mirroring configuration III. Configuration procedure Define a time range for working days # Create a time range trname covering the period from 8:00 to 18:00 during working days.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 2 QoS Profile Configuration
Chapter 2 QoS Profile Configuration
When configuring QoS profile, go to these sections for information you are interested in:
Overview
QoS Profile Configuration Task List
Displaying and Maintaining QoS Profile Configuration
Configuration Example
2.1 Overview...
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 2 QoS Profile Configuration The switch directly applies the QoS profile to the port the user is connected to. Note: A user-based QoS profile application fails if the traffic classification rule defined in the QoS profile contains source address information (including source MAC address information, source IP address information, and VLAN information).
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 2 QoS Profile Configuration To do… Use the command… Remarks Configure the Optional mode to apply a qos-profile By default, the mode to QoS profile as port-based apply a QoS profile is port-based user-based.
Operation Manual – QoS-QoS Profile H3C S3100-52P Ethernet Switch Chapter 2 QoS Profile Configuration 2.4 Configuration Example 2.4.1 QoS Profile Configuration Example I. Network requirements All departments of a company are interconnected through a switch. The 802.1x protocol is used to authenticate users and control their access to network resources. A user name is someone, and the authentication password is hello.
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the encryption passwords for the switch to exchange packets with the authentication RADIUS servers and accounting RADIUS servers.
[Sysname-radius-radius1] key authentication money...
Operation Manual – Mirroring H3C S3100-52P Ethernet Switch Table of Contents Table of Contents
Chapter 1 Mirroring Configuration
1.1 Mirroring Overview
1.1.1 Local Port Mirroring
1.1.2 Remote Port Mirroring
1.1.3 Traffic Mirroring
1.2 Mirroring Configuration
1.2.1 Configuring Local Port Mirroring
Figure 1-1 Mirroring (labels: destination mirroring port, source mirroring port, data detection device)
The S3100-52P Ethernet switch supports three types of port mirroring:
Local Port Mirroring
Remote Port Mirroring
Traffic Mirroring
They are described in the following sections.
1.1.1 Local Port Mirroring...
Operation Manual – Mirroring H3C S3100-52P Ethernet Switch Chapter 1 Mirroring Configuration monitoring. In this case, the source ports and the destination port must be located on the same device. 1.1.2 Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device.
Operation Manual – Mirroring H3C S3100-52P Ethernet Switch Chapter 1 Mirroring Configuration Table 1-1 describes how the ports on various switches are involved in the mirroring operation. Table 1-1 Ports involved in the mirroring operation Switch Ports involved Function Port monitored. It copies packets to the Source port reflector port through local port mirroring.
Configuring Remote Port Mirroring Optional Note: On an S3100-52P Ethernet switch, only one destination port for local port mirroring and only one reflector port can be configured, and the two types of ports cannot both exist. 1.2.1 Configuring Local Port Mirroring I.
1.2.2 Configuring Remote Port Mirroring Note: An S3100-52P Ethernet switch can serve as a source switch, an intermediate switch, or a destination switch in a remote port mirroring networking environment. I. Configuration on a switch acting as a source switch Configuration prerequisites The source port, the reflector port, and the remote-probe VLAN are determined.
Operation Manual – Mirroring H3C S3100-52P Ethernet Switch Chapter 1 Mirroring Configuration To do… Use the command… Remarks Return to system view quit — Enter the view of the Ethernet port that interface interface-type connects to the — interface-number intermediate switch or...
Required remote-probe-vlan-id remote-probe VLAN Note that an S3100-52P Ethernet switch acting as the intermediate switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword). III. Configuration on a switch acting as a destination switch Configuration prerequisites The destination port and the remote-probe VLAN are determined.
When configuring a destination switch, note that: An S3100-52P Ethernet switch acting as the destination switch in remote port mirroring networking does not support bidirectional packet mirroring (the both keyword). The destination port of remote port mirroring cannot be a member port of an existing mirroring group, a member port of an aggregation group, or a port enabled with LACP or STP.
} 1.4 Mirroring Configuration Examples 1.4.1 Local Port Mirroring Configuration Example I. Network requirements The departments of a company connect to each other through S3100-52P Ethernet switch: Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
R&D department and the marketing department on the data detection device. 1.4.2 Remote Port Mirroring Configuration Example I. Network requirements The departments of a company connect to each other through S3100-52P Ethernet switches: Switch A, Switch B, and Switch C are S3100-52P switches.
Operation Manual – Mirroring H3C S3100-52P Ethernet Switch Chapter 1 Mirroring Configuration On Switch A, create a remote source mirroring group, configure VLAN 10 as the remote-probe VLAN, ports Ethernet 1/0/1 and Ethernet 1/0/2 as the source ports, and port Ethernet 1/0/4 as the reflector port.
[Sysname] interface Ethernet 1/0/3
[Sysname-Ethernet1/0/3] port link-type trunk
[Sysname-Ethernet1/0/3] port trunk permit vlan 10
[Sysname-Ethernet1/0/3] quit
# Display configuration information about remote source mirroring group 1.
[Sysname] display mirroring-group 1...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Table of Contents Table of Contents
Chapter 1 Stack
1.1 Stack Function Overview
1.1.1 The Main Switch of a Stack
1.1.2 The Slave Switches of a Stack
1.1.3 Creating a Stack
The following are the phases undergone when a stack is created. Connect the intended main switch and slave switches through stack modules and dedicated stack cables. (Refer to H3C S3100-52P Ethernet Switch Installation Manual for the information about stack modules and stack cables.) Configure the IP address pool for the stack and enable the stack function.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 1 Stack When a switch joins a stack, the main switch automatically assigns an IP address to it. The main switch automatically adds any switches that are newly connected to the stack through their stack ports to the stack.
IP address. Since both stack and cluster use the management VLAN and only one VLAN interface is available on the S3100-52P switch, stack and cluster must share the same management VLAN if you want to configure stack within a cluster.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 1 Stack join-in requests to the connected stack ports of all the switches connected with the device. This may cause switches not expecting to join in the stack to join in the stack automatically, affecting network stability.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 1 Stack Table 1-4 Display and maintain stack configurations Operation Command Description Optional The display command can be executed in any view. When being executed with the members keyword not specified, this command...
II. Network diagram
Figure 1-1 Network diagram for stack configuration
III. Configuration procedure
# Configure the IP address pool for the stack on Switch A.
<Sysname> system-view
[Sysname] stacking ip-pool 129.10.1.15 3
# Create the stack on Switch A.
Member number: 1
Name:stack_1.Sysname
Device: S3100-52P
MAC Address: 000f-e200-3130
Member status:Up
IP: 129.10.1.16/16
Member number: 2
Name:stack_2.Sysname
Device: S3100-52P
MAC Address: 000f-e200-3135
Member status:Up
IP: 129.10.1.17/16
# Switch to Switch B (a slave switch).
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Chapter 2 Cluster When configuring cluster, go to these sections for information you are interested in: Cluster Overview Cluster Configuration Task List Displaying and Maintaining Cluster Configuration Cluster Configuration Examples 2.1 Cluster Overview...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Figure 2-1 A cluster implementation HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster;...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Table 2-1 Description on cluster roles Role Configuration Function Provides an interface for managing all the switches in a cluster Manages member devices through command redirection, that is, it forwards the commands intended for specific member devices.
Note: After you create a cluster on an S3100-52P switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster. The interval for a management device to collect network topology information is determined by the NTDP timer.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster neighbor information: device type, software/hardware version, and connecting port. In addition, it may provide the following neighbor information: device ID, port full/half duplex mode, product version, the Boot ROM version and so on.
When an NTDP topology collection request is propagated in the network, it is received and forwarded by large numbers of network devices, which may cause network congestion and keep the management device busy processing the NTDP topology collection responses.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Before performing any cluster-related configuration task, you need to enable the cluster function first. Note: On the management device, you need to enable the cluster function and configure cluster parameters. On the member/candidate devices, however, you only need to enable the cluster function so that they can be managed by the management device.
The management device and the member devices exchange handshake packets periodically. Note that the handshake packets exchanged keep the member devices in the Active state and are not responded to.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Cluster management requires the packets of the management VLAN be permitted on ports connecting the management device and the member/candidate devices. Therefore: If the packets of management VLAN are not permitted on a candidate device port connecting to the management device, the candidate device cannot be added to the cluster.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster If you specify a destination IP address in the tracemac command, the switch will query its local ARP address table according to the IP address to find out the corresponding MAC address and VLAN ID.
Note: To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the S3100-52P Ethernet switch provides the following functions, so that a cluster socket is opened only when it is needed:
Opening UDP port 40000 (used for cluster) only when the cluster function is implemented.
Closing UDP port 40000 when the cluster function is closed.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster II. Enabling NDP globally and on specific ports Follow these steps to enable NDP globally and on specific ports: To do… Use the command… Remarks Enter system view system-view —...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster To do… Use the command… Remarks Required Enable NTDP on the ntdp enable Ethernet port Enabled by default V. Configuring NTDP-related parameters Follow these steps to configure NTDP-related parameters: To do…...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster VII. Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode, as described below. Establishing a cluster and configuring cluster parameters in manual mode...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster To do… Use the command… Remarks ip-pool Configure the IP address administrator-ip-address Required range for the cluster { ip-mask | ip-mask-length } Required Start automatic cluster auto-build [ recover ]...
Note: To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the S3100-52P Ethernet switch provides the following functions, so that a cluster socket is opened only when it is needed:
Opening UDP port 40000 (used for cluster) only when the cluster function is implemented.
Closing UDP port 40000 when the cluster function is closed.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster To do… Use the command… Remarks Enter system view system-view — Enable NDP globally ndp enable Required In system view ndp enable interface port-list Enter Enable interface interface-type Required...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster V. Accessing the shared FTP/TFTP server from a member device Follow these steps to access the shared FTP/TFTP server from a member device: To do… Use the command… Remarks...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster To do… Use the command… Remarks Optional Configure the MAC administrator-address address of the By default, a switch does mac-address name name management device not belong to any cluster.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster II. Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management function Required Configuring cluster device blacklist Required III.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster To do… Use the command… Remarks Display the detailed display ntdp single-device information about a single mac-address mac-address device display cluster current-topology [ mac-address mac-address1 Display the topology of...
2.4 Cluster Configuration Examples
2.4.1 Basic Cluster Configuration Example
I. Network requirements
Three switches compose a cluster, where:
An S3100-52P switch serves as the management device.
The rest are member devices...
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Serving as the management device, the S3100-52P switch manages the two member devices. The configuration for the cluster is as follows: The two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3.
[Sysname-Ethernet1/0/1] quit
# Enable the cluster function.
[Sysname] cluster enable
Configure the management device
# Add port Ethernet 1/0/1 to VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/1
[Sysname-vlan2] quit
# Disable NDP and NTDP on the uplink port Ethernet 1/0/1.
[Sysname-Ethernet1/0/3] ntdp enable
[Sysname-Ethernet1/0/3] quit
# Set the topology collection range to 2 hops.
[Sysname] ntdp hop 2
# Set the delay for a member device to forward topology collection requests to 150 ms.
Operation Manual – Stack-Cluster H3C S3100-52P Ethernet Switch Chapter 2 Cluster Perform the following operations on the member devices (taking one member as an example) After adding the devices under the management device to the cluster, perform the following operations on a member device.
II. Network diagram
Figure 2-5 Network diagram for the enhanced cluster feature configuration
III. Configuration procedure
# Enter cluster view.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
# Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
Operation Manual – SNMP-RMON H3C S3100-52P Ethernet switch Chapter 1 SNMP Configuration Chapter 1 SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management...
Operation Manual – SNMP-RMON H3C S3100-52P Ethernet switch Chapter 1 SNMP Configuration An NMS can send GetRequest, GetNextRequest and SetRequest messages to the agents. Upon receiving the requests from the NMS, an agent performs Read or Write operation on the managed object (MIB, Management Information Base) according to the message types, generates the corresponding Response packets and returns them to the NMS.
Operation Manual – SNMP-RMON H3C S3100-52P Ethernet switch Chapter 1 SNMP Configuration MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices. In the above figure, the managed object B can be uniquely identified by a string of numbers {1.2.1.1}.
Operation Manual – SNMP-RMON H3C S3100-52P Ethernet switch Chapter 1 SNMP Configuration To do… Use the command… Remarks Enter system view system-view — Optional Disabled by default. You can enable SNMP agent by executing Enable SNMP agent snmp-agent this command or any...
Operation Manual – SNMP-RMON H3C S3100-52P Ethernet switch Chapter 1 SNMP Configuration To do… Use the command… Remarks Optional snmp-agent mib-view Create/Update the view { included | excluded } By default, the view information view-name oid-tree name is ViewDefault [ mask mask-value ] and OID is 1.
ViewDefault and OID is 1. mask-value ] Note: An S3100-52P Ethernet switch provides the following functions to prevent attacks through unused UDP ports. Executing the snmp-agent command or any of the commands used to configure SNMP agent enables the SNMP agent, and at the same time opens UDP port 161 used by SNMP agents and the UDP port used by SNMP trap respectively.
Follow these steps to configure extended trap function:

To do: Enter system view
Command: system-view
Remarks: —

To do: Configure the extended...
Command: snmp-agent trap...
Remarks: Optional. By default, the...
1.5 Displaying SNMP

To do: Display the SNMP information about the current device
Command: display snmp-agent sys-info [ contact | location | version ]*

To do: Display SNMP packet...
II. Network diagram
Figure 1-2 Network diagram for SNMP configuration
III. Network procedure
# Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.
<Sysname> system-view
[Sysname] snmp-agent...
IV. Configuring the NMS
The S3100-52P Ethernet switch supports H3C’s QuidView NMS. SNMPv3 adopts user name and password authentication. When you use H3C’s QuidView NMS, you need to set user names and choose the security level in [Quidview Authentication Parameter].
Chapter 2 RMON Configuration
When configuring RMON, go to these sections for information you are interested in:
- Introduction to RMON
- RMON Configuration
- Displaying RMON
- RMON Configuration Example
2.1 Introduction to RMON
Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF).
(instead of all the information in the RMON MIB): alarm group, event group, history group, and statistics group. An H3C S3100-52P Ethernet switch implements RMON in the second way. With an RMON agent embedded in, an S3100-52P Ethernet switch can serve as a network device with the RMON probe function.
III. Extended alarm group
With an extended alarm entry, you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds, thus implementing more flexible alarm functions.
Follow these steps to configure RMON:

To do: Enter system view
Command: system-view
Remarks: —

Command: rmon event event-entry [ description string ] { log | trap...
2.3 Displaying RMON

To do: Display RMON statistics
Command: display rmon statistics [ interface-type interface-number | unit unit-number ]

To do: Display RMON history
Command: display rmon history [ interface-type...
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1)
Operation Manual – NTP H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 NTP Configuration
1.1 Introduction to NTP
1.1.1 Applications of NTP
1.1.2 Implementation Principle of NTP
1.1.3 NTP Implementation Modes
1.2 NTP Configuration Task List...
Chapter 1 NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes...
A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. The local clock of an S3100-52P Ethernet switch cannot be set as a reference clock. It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized.
[Figure: NTP messages exchanged between Device A and Device B over an IP network, stamped 10:00:00 am and 11:00:01 am...]
Figure 1-3 Symmetric peer mode
In the symmetric peer mode, the local S3100-52P Ethernet switch serves as the symmetric-active peer and sends a clock synchronization request first, while the remote server serves as the symmetric-passive peer automatically. If both of the peers have reference clocks, the one with a smaller stratum number is...
Figure 1-4 Broadcast mode
IV. Multicast mode
Figure 1-5 Multicast mode
Table 1-1 describes how the above mentioned NTP modes are implemented on an H3C S3100-52P Ethernet Switch.
Table 1-1 NTP implementation modes on an H3C S3100-52P Ethernet Switch
NTP implementation...
The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the H3C S3100-52P Ethernet switch has been synchronized. When symmetric peer mode is configured on two Ethernet switches, to synchronize the clock of the two switches, make sure at least one switch’s clock has been...
1.3 Configuring NTP Implementation Modes
An S3100-52P Ethernet switch can work in one of the following NTP modes:
- Configuring NTP Server/Client Mode
- Configuring the NTP Symmetric Peer Mode
- Configuring NTP Broadcast Mode...
Note: The remote server specified by remote-ip or server-name serves as the NTP server, and the local switch serves as the NTP client. The NTP client synchronizes its clock to that of the NTP server, but the NTP server does not synchronize its clock to that of the client.
255.255.255.255. The switches working in the NTP broadcast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S3100-52P Ethernet switch can work as a broadcast server or a broadcast client.
The switches working in the NTP multicast client mode will respond to the NTP messages, so as to start the clock synchronization. An H3C S3100-52P Ethernet switch can work as a multicast server or a multicast client. Refer to for configuring a switch to work in the NTP multicast server mode.
A multicast server can synchronize multicast clients only after its clock has been synchronized. An S3100-52P switch working in the multicast server mode supports up to 1,024 multicast clients.
I. Configuring a switch to work in the multicast server mode
Follow these steps to configure a switch to work in the NTP multicast server mode:
To do…...
synchronization: Synchronization right. This level of right permits the peer device to synchronize its clock to the local switch but does not permit the peer device to perform control query.
authentication. This improves network security. Table 1-2 shows the roles of devices in the NTP authentication function.
Table 1-2 Description on the roles of devices in NTP authentication function...
1.5.2 Configuration Procedure
I. Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:

To do: Enter system view
Command: system-view
Remarks: —...
Task | Remarks
Configuring an Interface on the Local Switch to Send NTP Messages | Optional
Configuring the Number of Dynamic Sessions Allowed on the Local Switch | Optional
Disabling an Interface from Receiving NTP Messages | Optional

1.6.1 Configuring an Interface on the Local Switch to Send NTP Messages...
Follow these steps to configure the number of dynamic sessions allowed on the local switch:

To do: Enter system view
Command: system-view
Remarks: —

To do: Configure the maximum...
The local clock of Device A (a switch) is to be used as a master clock, with the stratum level of 2. Device A is used as the NTP server of Device B (an S3100-52P Ethernet switch). Configure Device B to work in the client mode, and then Device A will automatically work in the server mode.
The local clock of Device A is set as the NTP master clock, with the clock stratum level of 2. Device C (an S3100-52P Ethernet switch) uses Device A as the NTP server, and Device A works in server mode automatically.
II. Network diagram
Figure 1-7 Network diagram for NTP peer mode configuration (devices shown: Device A, Device B, Device C; addresses shown: 3.0.1.31/24, 3.0.1.32/24, 3.0.1.33/24)
III. Configuration procedure
Configure Device C.
# Set Device A as the NTP server.
2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2. Device A and Device D are two S3100-52P Ethernet switches. Configure Device A and Device D to work in the NTP broadcast client mode and listen to broadcast messages through their own VLAN-interface 2.
# Enter system view.
<DeviceC> system-view
# Set Device C as the broadcast server, which sends broadcast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service broadcast-server
Configure Device A.
2. Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through VLAN-interface 2. Device A and Device D are two S3100-52P Ethernet switches. Configure Device A and Device D to work in the NTP multicast client mode and listen to multicast messages through their own VLAN-interface 2.
# Set Device A as a multicast client to listen to multicast messages through VLAN-interface 2.
[DeviceA] interface Vlan-interface 2
[DeviceA-Vlan-interface2] ntp-service multicast-client
After the above configurations, Device A and Device D respectively listen to multicast messages through their own VLAN-interface 2, and Device C advertises multicast messages through VLAN-interface 2.
Device B is an S3100-52P Ethernet switch and uses Device A as the NTP server. Device B is set to work in client mode, while Device A works in server mode automatically.
# Specify the key 42 as a trusted key.
[DeviceA] ntp-service reliable authentication-keyid 42
(After the above configurations, the clock of Device B can be synchronized to that of Device A.)
View the status of Device B after synchronization.
Operation Manual – SSH H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 SSH Configuration
1.1 SSH Overview
1.1.1 Introduction to SSH
1.1.2 Algorithm and Key
1.1.3 Asymmetric Key Algorithm
1.1.4 SSH Operating Process...
Chapter 1 SSH Configuration
Note: The DSA algorithm is newly added in SSH configuration. Click the following links for related information:
- Generating/Destroying Key Pairs
- Creating an SSH User and Specifying an Authentication Type...
Caution: Currently, the device that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the device that serves as an SSH client supports only SSH2.
Note: Currently, SSH supports both RSA and DSA.
1.1.4 SSH Operating Process
The session establishment between an SSH client and the SSH server involves the following five stages:...
Note: All the packets above are transferred in plain text.
II. Key negotiation
The server and the client send algorithm negotiation packets to each other, which contain the public key algorithm lists supported by the server and the client, the encryption algorithm list, the message authentication code (MAC) algorithm list, and the compression algorithm list.
The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions. The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients:...
1.3 Configuring the SSH Server
The session establishment between an SSH client and the SSH server involves five stages. Similarly, SSH server configuration involves five aspects, as shown in the following table.
Note: The SSH server needs to cooperate with an SSH client to complete the interactions between them. For SSH client configuration, refer to Configuring the SSH Client.
1.3.1 Configuring the User Interfaces for SSH Clients
An SSH client accesses the device through a VTY user interface.
1.3.2 Configuring the SSH Management Functions
The SSH server provides a number of management functions. Some functions can prevent illegal operations such as malicious password guessing, further guaranteeing the security of SSH connections.
1.3.3 Configuring the SSH Server to Be Compatible with SSH1 Clients
Follow these steps to configure the SSH server to be compatible with SSH1 clients:
To do... Use the command...
Note: The SSH server’s key pairs are for generating session keys and for SSH clients to authenticate the server. As different clients may support different public key algorithms, the server may use a different key pair for negotiation with different clients.
Caution: For password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so that there is no need to configure a local user in AAA.
Caution: If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it.
To do: Return to public key view from public key edit view
Command: public-key-code end
Remarks: —

To do: Exit public key view and return to system view
Command: peer-public-key end
Remarks: —

Table 1-9 Follow these steps to import the RSA public key from a public key file:
To do...
Table 1-11 Follow these steps to export the RSA public key:

To do: Enter system view
Command: system-view
Remarks: —

To do: Display the RSA key on the...
SSH client configuration task Scenario For a client running For a client assumed by an SSH client software SSH2-capable switch Whether Configuring an SSH Client first-authentication — Assumed by an SSH2-Capable...
The following takes the client software of PuTTY Version 0.58 as an example to illustrate how to configure the SSH client:
I. Generating a client key
To generate a client key, run PuTTYGen.exe, and select from the Parameters area the type of key you want to generate, either SSH-2 RSA or SSH-2 DSA, then click Generate.
Figure 1-3 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Figure 1-4 Generate the client keys (3)
Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the private key (“private”...
Figure 1-6 Generate the client keys (5)
II. Specifying the IP address of the Server
Launch PuTTY.exe. The following window appears.
Figure 1-7 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Figure 1-8 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
Note: Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected.
From the category on the left of the window, select Connection/SSH/Auth. The following window appears.
Figure 1-9 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open.
Task | Remarks
Establishing the connection between the SSH client and server | Required

I. Configuring the SSH client for publickey authentication
When the authentication mode is publickey, you need to configure the RSA or DSA...
Table 1-16 Follow these steps to disable first-time authentication support:

To do: Enter system view
Command: system-view
Remarks: —

To do: Disable first-time...
Command: undo ssh client...
Remarks: Required. By default, the client is...
Table 1-18 Follow these steps to establish an SSH connection:

To do: Enter system view
Command: system-view
Remarks: —

Remarks: Required. In this command, you can also...
1.5 Displaying and Maintaining SSH Configuration

To do: Display the public key part of the current switch's key pairs
Command: display public-key local { dsa...
Operation: Import RSA public key from public key file
Original command: rsa peer-public-key keyname import sshkey filename
Current command: public-key peer keyname import sshkey filename

Operation: Specify publickey authentication as the...
II. Network diagram
Figure 1-10 Switch acts as server for local password authentication
III. Configuration procedure
Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
Configure the SSH client
# Configure an IP address (192.168.0.2 in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.
Figure 1-12 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 1-12, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc.
II. Network diagram
Figure 1-13 Switch acts as server for password and RADIUS authentication
III. Configuration procedure
Configure the RADIUS server
Note: This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
Figure 1-14 Add an access device
# Add a user for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account window and perform the following configurations: Add a user named hello, and specify the password.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.70 255.255.255.0
[Switch-Vlan-interface2] quit
Caution: Generating the RSA and DSA key pairs on the server is prerequisite to SSH login.
# Generate RSA and DSA key pairs.
Run PuTTY.exe to enter the following configuration interface.
Figure 1-16 SSH client configuration interface (1)
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
Figure 1-17 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password.
II. Network diagram
Figure 1-18 Switch acts as server for password and HWTACACS authentication (labels shown: HWTACACS server 10.1.1.1/24, Vlan-int2 192.168.1.70/24, Internet, SSH user, Switch)
III. Configuration procedure
Configure the SSH server
# Create a VLAN interface on the switch and assign it an IP address.
Figure 1-20 SSH client configuration interface (2)
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
III. Configuration procedure
Note: Under the publickey authentication mode, either the RSA or DSA public key can be generated for the server to authenticate the client. The RSA public key is used as an example here.
Note: Before performing the following steps, you must generate an RSA public key pair (using the client software) on the client, save the key pair in a file named public, and then upload the file to the SSH server through FTP or TFTP.
Note: While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-23. Otherwise, the progress bar stops moving and the key pair generating process is stopped.
Figure 1-24 Generate a client key pair (3)
Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case).
# Establish a connection with the SSH server
Launch PuTTY.exe to enter the following interface.
Figure 1-26 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server.
Figure 1-27 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears.
Figure 1-28 SSH client configuration interface (2)
Click Browse… to bring up the file selection window, navigate to the private key file and click OK. From the window shown in Figure 1-28, click Open.
III. Configuration procedure
Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>...
Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed.
1.7.7 When Switch Acts as Client and First-Time Authentication is not Supported
I. Network requirements
As shown in Figure 1-31, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange.
[SwitchB-ui-vty0-4] user privilege level 3
[SwitchB-ui-vty0-4] quit
# Specify the authentication type for user client001 as publickey.
[SwitchB] ssh user client001 authentication-type publickey
Note: Before doing the following steps, you must first generate a DSA key pair on the client and save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP.
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed.
**************************************************************************
<SwitchB>...
Operation Manual – File System Management H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 File System Management Configuration
1.1 File System Configuration
1.1.1 Introduction to File System
1.1.2 File System Configuration Tasks
1.1.3 Directory Operations...
1.1 File System Configuration
1.1.1 Introduction to File System
To facilitate management on the switch memory, S3100-52P Ethernet switches provide the file system function, allowing you to access and manage the files and directories. You can create, remove, copy or delete a file through command lines, and you can manage files using directories.
Note: S3100-52P Ethernet switches allow you to input a file path and file name in one of the following ways:
- In universal resource locator (URL) format and starting with “unit1>flash:/” or “flash:/”...
Perform the following configuration in user view. Note that the execute command should be executed in system view.
Table 1-3 File operations
To do…...
Caution: For deleted files whose names are the same, only the latest deleted file is kept in the recycle bin and can be restored.
Table 1-5 Configuration on prompt mode of file system

To do: Enter system view
Command: system-view
Remarks: —

To do: Configure the prompt...
Remarks: Required
The device selects the main startup file as the preferred startup file. If the device fails to boot with the main startup file, it boots with the backup startup file. For the Web file and configuration file, Hangzhou H3C Technologies Co., Ltd (referred to as H3C hereinafter) may provide a corresponding default file when releasing software versions.
1.2.3 Configuring File Attributes
You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch, and change the main or backup attribute of the file.
Caution: The configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch. After upgrading a Web file, you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web-package command.
Operation Manual – FTP-SFTP-TFTP H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 FTP and SFTP Configuration
1.1 Introduction to FTP and SFTP
1.1.1 Introduction to FTP
1.1.2 Introduction to SFTP
1.2 FTP Configuration...
FTP-based file transmission is performed in the following two modes:
- Binary mode for program file transfer
- ASCII mode for text file transfer
An H3C S3100-52P Ethernet switch can act as an FTP client or the FTP server in FTP-employed data transmission:...
Table 1-1 Roles that an H3C S3100-52P Ethernet switch acts as in FTP
Item | Description | Remarks
An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients.
Task | Remarks
Creating an FTP user | Required
Enabling an FTP server | Required
Configuring connection idle time | Optional
FTP Configuration: A Specifying the source interface and Optional...
Disabled by default. Note: Only one user can access an H3C S3100-52P Ethernet switch at a given time when the latter operates as an FTP server. Operating as an FTP server, an H3C S3100-52P Ethernet switch cannot receive a file whose size exceeds its storage space.
IV. Specifying the source interface and source IP address for an FTP server
You can specify the source interface and source IP address for an FTP server to enhance server security.
FTP server
Note: With an H3C S3100-52P Ethernet switch acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the S3100-52P Ethernet switch will disconnect the user after the data transmission is completed.
Figure 1-3 Process of displaying a shell banner
Follow these steps to configure the banner display for an FTP server:
To do… Use the command… Remarks...
1.2.2 FTP Configuration: A Switch Operating as an FTP Client
I. Basic configurations on an FTP client
By default a switch can operate as an FTP client. In this case, you can connect the switch to the FTP server to perform FTP-related operations (such as creating/removing a directory) by executing commands on the switch.
To do… Use the command… Remarks dir [ remotefile ] [ localfile ] Optional If no file name is specified, all the files in the current directory are displayed.
To do: Specify the source interface used for the current connection
Use the command: ftp { cluster | remote-server } source-interface interface-type interface-number
Remarks: Optional
Specify the source IP...
1.2.3 Configuration Example: A Switch Operating as an FTP Server
I. Network requirements
A switch operates as an FTP server and a remote PC as an FTP client. The application switch.bin of the switch is stored on the PC.
server, and download the configuration file named config.cfg from the FTP server. The following takes the command line window tool provided by Windows as an example:
# Enter the command line window and switch to the directory where the file switch.bin...
II. Network diagram
Figure 1-5 Network diagram for FTP banner display configuration
III. Configuration procedure
Configure the switch (FTP server)
# Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”.
the switch configuration file named config.cfg to directory switch of the PC to back up the configuration file. Create a user account on the FTP server with the username switch and password hello, and grant the user switch read and write permissions for the directory switch on the PC.
Trying ...
Press CTRL+K to abort
Connected.
220 FTP service ready.
User(none):admin
331 Password required for admin.
Password:
230 User logged in.
[ftp]
# Enter the authorized directory on the FTP server.
Task | Remarks
SFTP Configuration: A Switch Operating as an SFTP Server
Enabling an SFTP server | Required
Configuring connection idle time | Optional
Supported SFTP client software | —
Basic configurations on an... | —
III. Supported SFTP client software
An H3C S3100-52P Ethernet switch operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP. SFTP client software supports the following operations: logging in to a device;...
To do: Upload a local file to the remote SFTP server
Use the command: put localfile [ remotefile ]
To do: Rename a file on the...
Use the command: rename remote-source...
1.3.3 SFTP Configuration Example
I. Network requirements
As shown in Figure 1-7, establish an SSH connection between the SFTP client (switch A) and the SFTP server (switch B). Log in to switch B through switch A to manage and transmit files.
[Sysname] ssh user client001 authentication-type password
# Specify the service type as SFTP.
[Sysname] ssh user client001 service-type sftp
# Enable the SFTP server.
[Sysname] sftp server enable
Configure the SFTP client (switch A)
# Configure the IP address of the VLAN interface on switch A.
This operation may take a long time.Please wait...
Received status: Success
File successfully Removed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx...
Remote file:/pubkey2 ---> Local file: public..
Received status: End of file
Received status: Success
Downloading file successfully ended
# Upload file pu to the server and rename it as puk, and then verify the result.
An H3C S3100-52P Ethernet switch can act as a TFTP client only. When an S3100-52P Ethernet switch serving as a TFTP client downloads files from the TFTP server, the seven-segment digital LED on the front panel of the switch rotates...
Note: Before performing TFTP-related configurations, you need to configure IP addresses for the TFTP client and the TFTP server, and make sure a route exists between the two.
II. Specifying the source interface or source IP address for an FTP client
You can specify the source interface and source IP address for a switch operating as a TFTP client, so that it can connect with a remote TFTP server through the IP address of the specified interface or the specified IP address.
Note: The specified interface must be an existing one; otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be an IP address on the device where the configuration is performed; otherwise a prompt appears to show that the configuration fails.
Start the TFTP server and configure the working directory on the PC.
Configure the TFTP client (switch).
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch.
Note: For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this...
Operation Manual – Information Center H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Information Center
1.1 Information Center Overview
1.1.1 Introduction to Information Center
1.1.2 System Information Format
1.2 Information Center Configuration
1.2.1 Information Center Configuration Task List
Chapter 1 Information Center
When configuring information center, go to these sections for information you are interested in:
Information Center Overview
Information Center Configuration
Displaying and Maintaining Information Center...
Severity | Severity value | Description
alerts | | Information that demands prompt reaction
critical | | Critical information
errors | | Error information
warnings | | Warnings
notifications | | Normal information that needs to be noticed
Informational information to be...
Information channel number | Default channel name | Default output direction
 | trapbuffer | Trap buffer (Receives trap information, a buffer inside the device for recording information.)
Log buffer (Receives log...
Module name | Description
 | Ethernet module
 | Forwarding module
FTPS | FTP server module
 | High availability module
HTTPD | HTTP server module
IFNET | Interface management module
IGSP | IGMP snooping module
 | Internet protocol module...
To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the...
What follows is a detailed explanation of the information fields involved:
I. Int_16 (Priority)
The priority is calculated using the following formula: facility*8+severity-1, in which facility (the device name) defaults to local7 with the value being 23 (the value of local6 is 22, that of local5 is 21, and so on).
VTY(1.1.0.2) in unit1 login
III. Sysname
Sysname is the system name of the local switch and defaults to “H3C”. You can use the sysname command to modify the system name. (Refer to the System Maintenance and Debugging part of this manual for details.) Note that there is a space between the sysname and module fields.
If the character string ends with (l), it indicates the log information.
If the character string ends with (t), it indicates the trap information.
If the character string ends with (d), it indicates the debugging information.
IX.
To do: Enter system view
Use the command: system-view
Remarks: —
To do: Enable synchronous information output
Use the command: info-center synchronous
Remarks: Required. Disabled by default
Note: If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output.
1.2.4 Setting to Output System Information to the Console
I. Setting to output system information to the console
Follow these steps to set to output system information to the console:
To do…...
Table 1-4 Default output rules for different output directions
[Table header: Output direction; Modules allowed; Enabled/disabled and Severity columns per information type (TRAP, DEBUG)]...
Note: Make sure that the debugging/log/trap information terminal display function is enabled (use the terminal monitor command) before you enable the corresponding terminal display function by using the terminal debugging, terminal logging, or terminal trapping command.
Note: When there are multiple Telnet users or dumb terminal users, they share some configuration parameters including module filter, language and severity level threshold. In this case, a change to any such parameter made by one user will also be reflected on all other user terminals.
To do: Enter system view
Use the command: system-view
Remarks: —
To do: Enable the information center
Use the command: info-center enable
Remarks: Optional. Enabled by default.
Required By default, the switch does...
To do: Enable the information center
Use the command: info-center enable
Remarks: Optional. Enabled by default.
To do: Enable system...
Use the command: info-center trapbuffer [channel...
Remarks: Optional. By default, the switch uses information channel...
To do: Set the format of time stamp in the output...
Use the command: info-center timestamp { log | trap | debugging }...
Remarks: Optional. By default, the time stamp...
To do: Display the operation status of information center, the configuration of information channels, the format of time stamp...
Use the command: display info-center [ unit unit-id ]
[Switch] info-center enable
# Disable the function of outputting information to log host channels.
[Switch] undo info-center source default channel loghost
# Configure the host whose IP address is 202.38.1.10 as the log host. Permit ARP and IP modules to output information with severity level higher than informational to the log host.
After all the above operations, the switch can make records in the corresponding log file.
Note: Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort...
# Switch configuration messages
local7.info /var/log/Switch/information
Note: Note the following items when you edit file “/etc/syslog.conf”. A note must start in a new line, starting with a “#” sign.
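The priority formula given earlier (facility*8+severity-1) and the local7.info selector above fit together as shown in the following Python code for the log host. It is an added example, not code from the H3C manual. It assumes that the switch severity values run from 1 (emergencies) to 8 (debugging); the function names and sample lines are constructed for illustration.

```python
import re

# Facility codes as stated in the manual: local7 = 23, local6 = 22, local5 = 21, and so on.
FACILITY_NAMES = {16 + n: f"local{n}" for n in range(8)}

# Severity names in the order of the manual's severity table.
# Assumption: their values run 1 (emergencies) to 8 (debugging), so the "-1"
# in the formula maps them onto the standard syslog range 0..7.
SWITCH_SEVERITIES = ["emergencies", "alerts", "critical", "errors",
                     "warnings", "notifications", "informational", "debugging"]

# syslog.conf level keywords, indexed by standard syslog severity 0..7.
SYSLOG_LEVELS = ["emerg", "alert", "crit", "err",
                 "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_priority(facility, switch_severity):
    """Apply the manual's formula: facility*8 + severity - 1."""
    if not 0 <= facility <= 23:
        raise ValueError("facility out of range")
    if not 1 <= switch_severity <= 8:
        raise ValueError("switch severity must be 1..8")
    return facility * 8 + switch_severity - 1


def decode_priority(pri):
    """Split a priority value back into facility and severity."""
    if not 0 <= pri <= 191:
        raise ValueError("priority out of range")
    facility, syslog_severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "syslog_severity": syslog_severity,
        "syslog_level": SYSLOG_LEVELS[syslog_severity],
        "switch_severity": syslog_severity + 1,
        "switch_severity_name": SWITCH_SEVERITIES[syslog_severity],
    }


def parse_line(line):
    """Return (decoded priority, rest of line) for a received syslog line."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("no <priority> prefix")
    return decode_priority(int(match.group(1))), line[match.end():]


def selector_matches(selector, pri):
    """True if a syslog.conf 'facility.level' selector accepts this priority.

    A level in syslog.conf means that level or anything more severe.
    """
    facility, _, level = selector.partition(".")
    if level not in SYSLOG_LEVELS:
        raise ValueError("unknown level keyword")
    decoded = decode_priority(pri)
    if facility not in ("*", decoded["facility"]):
        return False
    return decoded["syslog_severity"] <= SYSLOG_LEVELS.index(level)


# Constructed sample lines; only the <priority> prefix follows the manual.
SAMPLE_LINES = [
    "<189>constructed message at notifications level from local7",
    "<191>constructed message at debugging level from local7",
    "<174>constructed message at informational level from local5",
    "constructed line without a priority prefix",
]


def route(lines, selector):
    """Sort received lines by whether the selector would log them."""
    result = {"matched": [], "unmatched": [], "malformed": []}
    for line in lines:
        try:
            decoded, _ = parse_line(line)
        except ValueError:
            result["malformed"].append(line)
            continue
        key = "matched" if selector_matches(selector, decoded["priority"]) else "unmatched"
        result[key].append(decoded["priority"])
    return result


if __name__ == "__main__":
    for name, items in route(SAMPLE_LINES, "local7.info").items():
        print(name, items)
```

Debugging output from the switch and anything sent with a facility other than local7 never reaches /var/log/Switch/information under this selector, which is worth checking when expected records are missing from the log host.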
II. Network diagram
Figure 1-3 Network diagram for log output to the console
III. Configuration procedure
# Enable the information center.
<Switch> system-view
[Switch] info-center enable
# Disable the function of outputting information to the console channels.
III. Configuration procedure
# Name the local time zone z8 and configure it to be eight hours ahead of UTC time.
<Switch> clock timezone z8 add 08:00:00
# Set the time stamp format of the log information to be output to the log host to date.
Operation Manual – System Maintenance and Debugging H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Boot ROM and Host Software Loading
1.1 Introduction to Loading Approaches
1.2 Local Boot ROM and Software Loading
1.2.1 BOOT Menu
Chapter 1 Boot ROM and Host Software Loading
Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading.
Enter the correct Boot ROM password (no password is set by default). The system enters the BOOT Menu:
BOOT MENU
1. Download application file to flash
2.
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 2: Press 3 in the above menu to download the Boot ROM using XMODEM. The...
Figure 1-1 Properties dialog box
Figure 1-2 Console port configuration dialog box...
Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as...
Figure 1-5 Sending file page
Step 9: After the sending process completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Step 4 and 5).
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 3 in the above menu to load the host software by using XMODEM.
Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded.
Caution: TFTP server program is not provided with the H3C Series Ethernet Switches.
Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information:
1. Set TFTP protocol parameter
2.
Note: You can use one computer as both configuration device and FTP server.
Step 2: Run the FTP server program on the FTP server, configure an FTP user name and password, and copy the program file to the specified FTP directory.
Enter your choice(0-3):
Enter 2 in the above menu to download the host software using FTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
Password:
230 Logged in successfully
[ftp] get switch.btm
[ftp] bye
Note: When using different FTP server software on PC, different information will be output to the switch.
II. Loading Procedure Using FTP Server
As shown in Figure 1-9, the switch is used as the FTP server. You can telnet to the switch, and then execute the FTP commands to upload the Boot ROM switch.btm to the...
Figure 1-10 Command line interface
Step 5: Use the cd command on the interface to enter the path that the Boot ROM upgrade file is to be stored.
Figure 1-12 Log on to the FTP server
Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
<Sysname> boot bootrom switch.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<Sysname>...
Chapter 2 Basic System Configuration and Debugging
When configuring basic system configuration and debugging, go to these sections for information you are interested in:...
To do… Use the command… Remarks Optional Execute this command in user view. When system reaches the specified start time, automatically adds the...
2.3 Debugging the System
2.3.1 Enabling/Disabling System Debugging
The device provides various debugging functions. For the majority of protocols and features supported, the system provides corresponding debugging information to help users diagnose errors.
Perform the following configuration to enable debugging and terminal display for a specific module:
To do… Use the command… Remarks Required Enable system debugging...
Chapter 3 Network Connectivity Test
When configuring network connectivity test, go to these sections for information you are interested in:
ping
tracert
3.1 Network Connectivity Test
3.1.1 ping...
each ICMP TTL timeout message in order to offer the path that the packet passed through to the destination.
To do… Use the command…...
Chapter 4 Device Management
When configuring device management, go to these sections for information you are interested in:
Introduction to Device Management
Device Management Configuration...
4.2.2 Rebooting the Ethernet Switch
You can perform the following operation in user view when the switch is faulty or needs to be rebooted.
Note: Before rebooting, the system checks whether there is any configuration change.
4.2.4 Configuring Real-time Monitoring of the Running Status of the System
This function enables you to dynamically record the system running status, such as CPU, thus facilitating analysis and solution of the problems of the device.
To do: Upgrade the Boot ROM
Use the command: boot bootrom { file-url | device-name }
Remarks: Required
4.2.7 Loading Hot Patch
A patch is a standalone software unit that is released to fix errors found in a system.
You are not encouraged to perform any operation on this file.
4.2.8 Displaying Pluggable Transceiver Information
At present, three types of pluggable transceivers are commonly used on H3C series Ethernet switches:
SFP (Small Form-factor Pluggable): generally used for 100M or 1000M Ethernet interfaces.
S3100-52P Ethernet Switch Installation Manual. Transceivers customized by H3C refer to the pluggable transceivers with the Vendor Name field being H3C in the prompt information of the display transceiver interface command. Transceivers customized by H3C support display of electrical label information.
To do: Display the currently measured value of the digital diagnosis parameters of the optical...
Use the command: display transceiver diagnosis interface...
Remarks: Available for pluggable optical transceivers...
The switch acts as the FTP client, and the remote PC serves as both the configuration PC and the FTP server. Perform the following configuration on the FTP server.
Caution: If the Flash memory of the switch is not sufficient, delete the original applications before downloading the new ones.
Initiate an FTP connection with the following command in user view. Enter the correct user name and password to log into the FTP server.
# Reboot the switch to upgrade the Boot ROM and host software of the switch.
<Sysname> reboot
Start to check configuration with next startup configuration file, please wait..
Operation Manual – VLAN-VPN H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 VLAN-VPN Configuration
1.1 VLAN-VPN Overview
1.1.1 Introduction to VLAN-VPN
1.1.2 Implementation of VLAN-VPN
1.1.3 Configuring the TPID for VLAN-VPN Packets
1.1.4 Inner-to-Outer Tag Priority Replicating and Mapping
Chapter 1 VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
VLAN-VPN Overview
VLAN-VPN Configuration
Displaying and Maintaining VLAN-VPN Configuration
VLAN-VPN Configuration Example
1.1 VLAN-VPN Overview...
Destination MAC address | Source MAC address | Outer VLAN Tag | Inner VLAN Tag | Data
Figure 1-2 Structure of packets with double-layer VLAN tags
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
It provides Layer 2 VPN tunnels that are simpler.
TPID values such as 0x9100. For compatibility with these systems, the S3100-52P switch allows you to change the TPID that a port uses when tagging a received VLAN-VPN frame as needed. When doing that, you should set the same TPID on both the customer-side port and the service provider-side port.
Task | Remarks
Enabling the VLAN-VPN Feature for a Port | Required
Configuring the TPID Value for VLAN-VPN Packets on a Port | Optional
Configuring the Inner-to-Outer Tag Priority Replicating and...
Besides the default TPID 0x8100, you can configure only one TPID value on an S3100-52P switch. For the S3100-52P to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
As shown in Figure 1-4, Switch A and Switch B are both S3100-52P switches. They connect the users to the servers through the public network. PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
II. Network diagram
Figure 1-4 Network diagram for VLAN-VPN configuration (diagram labels: PC Server VLAN 100, Terminal Server VLAN 200, PC User VLAN 100, Terminal User VLAN 200, SwitchA, SwitchB, Eth1/0/11, Eth1/0/12, Eth1/0/21, Eth1/0/22, VLAN 1040, TPID=0x9200)
III.
# Enable the VLAN-VPN feature on Ethernet 1/0/21 of Switch B and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B.
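The double-tagged frame from this configuration example, with outer VLAN 1040 under TPID 0x9200 and inner VLAN 100 under the default TPID 0x8100, can be parsed as follows to see why both ends must be set to the same TPID. This is an added example, not code from the H3C manual; the MAC addresses, payload and function names are constructed for illustration.

```python
import struct

DEFAULT_TPID = 0x8100  # default TPID named in the manual


def build_tag(tpid, vlan_id, priority=0):
    """Build one 4-byte VLAN tag: TPID, then priority (3 bits), CFI (1 bit), VLAN ID (12 bits)."""
    if not 0 <= vlan_id <= 0xFFF or not 0 <= priority <= 7:
        raise ValueError("VLAN ID or priority out of range")
    return struct.pack("!HH", tpid, (priority << 13) | vlan_id)


def format_mac(raw):
    """Render a MAC address in the manual's xxxx-xxxx-xxxx style."""
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in range(0, 12, 4))


def parse_frame(frame, outer_tpid=DEFAULT_TPID):
    """Parse destination MAC, source MAC and up to two VLAN tags.

    outer_tpid is the TPID the receiving port is configured to treat as the
    outer tag; the inner tag is expected to carry the default TPID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    tags = []
    expected = outer_tpid
    # Each tag needs 4 bytes, plus 2 bytes for the type field that follows it.
    while len(tags) < 2 and len(frame) >= offset + 6:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != expected:
            break
        tags.append({"tpid": tpid, "priority": tci >> 13, "vlan": tci & 0x0FFF})
        offset += 4
        expected = DEFAULT_TPID
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {
        "dst": format_mac(frame[0:6]),
        "src": format_mac(frame[6:12]),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def sample_frame():
    """Constructed frame as it would look inside the public network."""
    dst = bytes.fromhex("020000000002")   # constructed, locally administered
    src = bytes.fromhex("020000000001")   # constructed, locally administered
    outer = build_tag(0x9200, 1040)       # outer tag added by the VLAN-VPN port
    inner = build_tag(DEFAULT_TPID, 100)  # customer tag, left untouched
    return dst + src + outer + inner + struct.pack("!H", 0x0800) + b"constructed payload"


if __name__ == "__main__":
    frame = sample_frame()
    matched = parse_frame(frame, outer_tpid=0x9200)
    mismatched = parse_frame(frame)  # port still using the default TPID
    print("TPID 0x9200 port sees VLANs:", [t["vlan"] for t in matched["tags"]])
    print("TPID 0x8100 port sees type field: 0x%04x, tags: %s"
          % (mismatched["ethertype"], mismatched["tags"]))
```

A port left on the default TPID reads 0x9200 as the frame's type field and finds no VLAN tag at all, so neither the outer VLAN 1040 nor the customer VLAN 100 is applied to the frame.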
Chapter 2 Selective QinQ Configuration
Note: The selective QinQ is new to H3C S3100-52P Ethernet Switch.
When configuring selective QinQ, go to these sections for information you are interested in:
Selective QinQ Overview...
Figure 2-1 Diagram for a selective QinQ implementation (diagram labels: Server VLAN8~100, VIP Server VLAN101~200, VoIP Device VLAN201~300, Public Network VLAN1001/1002/1003, SwitchA, User VLAN8~100, IP Phone)
In this implementation, Switch A is an access device of the service provider.
MAC address. As a result, this packet will be broadcast to all the ports in VLAN 4, which wastes the network resources and incurs potential security risks. The S3100-52P Ethernet switch provides the inter-VLAN MAC address replicating feature, which can replicate the entries in the MAC address table of the default VLAN to that of the VLAN corresponding to the outer tag.
To do: Enter system view
Use the command: system-view
Remarks: —
To do: Enable the inter-VLAN MAC address replicating...
Use the command: mac-address-mapping index source-vlan source-vlan-id-list...
Remarks: Required. By default, the inter-VLAN MAC...
The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000.
[SwitchA] vlan 5
[SwitchA-vlan5] quit
# Configure Ethernet 1/0/5 as a hybrid port and configure it not to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
After the above configuration, packets of VLAN 100 through VLAN 108 (that is, packets of PC users) are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A;...
To make the packets from the servers be transmitted to the clients in the same way, you need to configure the selective QinQ feature and the inter-VLAN MAC address replicating feature on Ethernet 1/0/12 and Ethernet 1/0/13.
Operation Manual – VLAN-VPN H3C S3100-52P Ethernet Switch Chapter 3 BPDU Tunnel Configuration Chapter 3 BPDU Tunnel Configuration Note: Two features, the BPDU Tunnel support for packets of multiple protocols and adjusting tunnel packet MAC addresses, are newly added. For details, refer to BPDU Tunnel Configuration.
Operation Manual – VLAN-VPN H3C S3100-52P Ethernet Switch Chapter 3 BPDU Tunnel Configuration MAC address of an STP protocol packet is 0180-c200-0000) and contains a type field. Some proprietary protocols adopt the same packet structure, where a private MAC address is used to identify the corresponding proprietary protocol, and the type field is used to identify the specific protocol type.
BPDU tunnel in the service provider network. 3.2 BPDU Tunnel Configuration You can establish BPDU tunnels between S3100-52P Ethernet switch for the packets of the following protocols: LACP (link aggregation control protocol) STP (spanning tree protocol)
Operation Manual – VLAN-VPN H3C S3100-52P Ethernet Switch Chapter 3 BPDU Tunnel Configuration Note: If BPDU tunnel transparent transmission is enabled for packets of a protocol, the protocol cannot be enabled on the port. For example, if you execute the bpdu-tunnel lacp command, the lacp enable command cannot be executed on the port.
Operation Manual – VLAN-VPN H3C S3100-52P Ethernet Switch Chapter 3 BPDU Tunnel Configuration Enable the service provider network to transmit STP packets of the customer network through BPDU tunnel. The destination MAC address for tunnel packets is 010f-e233-8b22. Enable the VLAN-VPN feature for the service provider network, and enable the service provider network to use VLAN 100 to transmit data packets of the customer network.
Configure Provider2.
# Disable STP on Ethernet1/0/4.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/4
[Sysname-Ethernet1/0/4] stp disable
# Enable BPDU tunnel for STP packets.
[Sysname-Ethernet1/0/4] bpdu-tunnel stp
# Enable VLAN-VPN and use VLAN 100 to transmit user data packets through BPDU tunnels.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 HWPing Configuration
1.1 HWPing Overview
1.1.1 Introduction to HWPing
1.1.2 Test Types Supported by HWPing
1.1.3 HWPing Test Parameters
1.2 HWPing Configuration
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration Chapter 1 HWPing Configuration When configuring HWPing, go to these sections for information you are interested in: HWPing Overview HWPing Configuration HWPing Configuration Examples 1.1 HWPing Overview 1.1.1 Introduction to HWPing HWPing (pronounced Hua’Wei Ping) is a network diagnostic tool.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration Figure 1-1 HWPing illustration 1.1.2 Test Types Supported by HWPing Table 1-1 Test types supported by HWPing Supported test types Description ICMP test DHCP test FTP test For these types of tests, you need to configure HWPing client and corresponding servers.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration Test parameter Description For DHCP test, you must specify a source interface, which will be used by HWPing client to send DHCP requests. If no source interface is specified for a DHCP test, the test will not succeed.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration Test parameter Description Type of service is the value of the ToS field in IP Type of service (tos) header in the test packets. This parameter is used to specify a DNS domain name in a HWPing DNS test group.
Other types of tests require configuring the HWPing client and the corresponding servers. You can enable both the HWPing client and HWPing server functions on an H3C S3100-52P Ethernet switch, that is, the switch can serve as a HWPing client and server simultaneously. 1.2.1 HWPing Server Configuration The following table describes the configuration on the HWPing server, which is the same for all HWPing test types that require a HWPing server.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration Different types of HWPing tests are somewhat different in parameters and parameter ranges. The following text describes the configuration on HWPing client for different test types. Configuring ICMP test on HWPing client Follow these steps to configure ICMP test on HWPing client: To do…...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional Configure the type of tos value By default, the service service (ToS) type is zero. Start the test test-enable Required display hwping results...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Required display hwping results Display test results [ admin-name You can execute the operation-tag ] command in any view. Configuring FTP test on HWPing client Follow these steps to configure FTP test on HWPing client: To do…...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional Configure the probe timeout time By default, a probe times timeout time out in three seconds. Optional Configure the type of...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Required You can configure an IP Configure the destination destination-ip ip-address address or a host name. IP address By default, no destination address is configured.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Required Configure the HTTP By default, HTTP operation string and http-string string version operation string and version in an HTTP test version are not configured.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional Configure the source port source-port port-number By default, no source port is configured. Optional Configure the number of count times By default, each test probes per test makes one probe.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Enter system view system-view — Required Enable the HWPing client hwping-agent enable By default, the HWPing function client function is disabled. Required...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Required display hwping results Display test results [ admin-name You can execute the operation-tag ] command in any view. Configuring TCP test on HWPing client Follow these steps to configure TCP test on HWPing client: To do…...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional Configure the source IP source-ip ip-address By default, the source IP address address is not specified. Optional Configure the source port...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Required test-type { udpprivate | Configure the test type By default, the test type is udppublic } ICMP. Required This IP address and the...
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional By default, the automatic Configure the automatic test interval is zero frequency interval test interval seconds, indicating no automatic test will be made.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration To do… Use the command… Remarks Optional By default, the automatic Configure the automatic test interval is zero frequency interval test interval seconds, indicating no automatic test will be made.
1.3.1 ICMP Test I. Network requirements An H3C S3100-52P Ethernet switch serves as the HWPing client. A HWPing ICMP test between the switch and another switch uses ICMP to test the round trip time (RTT) for packets generated by the HWPing client to travel to and back from the destination switch.
III. Configuration procedure
Configure HWPing Client (Switch A):
# Enable HWPing client.
<Sysname> system-view
[Sysname] hwping-agent enable
# Create a HWPing test group, setting the administrator name to administrator and test tag to ICMP.
1.3.2 DHCP Test I. Network requirements Both the HWPing client and the DHCP server are H3C S3100-52P Ethernet switches. Perform a HWPing DHCP test between the two switches to test the time required for the HWPing client to obtain an IP address from the DHCP server.
# Configure the source interface, which must be a VLAN interface. Make sure the DHCP server resides on the network connected to this interface.
[Sysname-hwping-administrator-dhcp] source-interface Vlan-interface 1
# Configure to make 10 probes per test.
1.3.3 FTP Test I. Network requirements Both the HWPing client and the FTP server are H3C S3100-52P Ethernet switches. Perform a HWPing FTP test between the two switches to test the connectivity to the specified FTP server and the time required to upload a file to the server after the connection is established.
[Sysname-hwping-administrator-ftp] destination-ip 10.2.2.2
# Configure the FTP login username.
[Sysname-hwping-administrator-ftp] username admin
# Configure the FTP login password.
[Sysname-hwping-administrator-ftp] password admin
# Configure the type of FTP operation.
1.3.4 HTTP Test I. Network requirements An H3C S3100-52P Ethernet switch serves as the HWPing client, and a PC serves as the HTTP server. Perform a HWPing HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established.
# Create a HWPing test group, setting the administrator name to administrator and test tag to HTTP.
[Sysname] Hwping administrator http
# Configure the test type as http.
1.3.5 Jitter Test I. Network requirements Both the HWPing client and the HWPing server are H3C S3100-52P Ethernet switches. Perform a HWPing jitter test between the two switches to test the delay jitter of the UDP packets exchanged between this end (HWPing client) and the specified destination end (HWPing server).
III. Configuration procedure
Configure HWPing Server (Switch B):
# Enable the HWPing server and configure the IP address and port to listen on.
<Sysname> system-view
[Sysname] hwping-server enable
[Sysname] hwping-server udpecho 10.2.2.2 9000...
For detailed output description, see the corresponding command manual.
1.3.6 SNMP Test
I. Network requirements
Both the HWPing client and the SNMP Agent are H3C S3100-52P Ethernet switches. Perform HWPing SNMP tests between the two switches to test the time required from when Switch A sends an SNMP query message to Switch B (SNMP Agent) to when it receives a response from Switch B.
II. Network diagram
Figure 1-7 Network diagram for the SNMP test
III.
[Sysname-hwping-administrator-snmp] destination-ip 10.2.2.2
# Configure to make 10 probes per test.
[Sysname-hwping-administrator-snmp] count 10
# Set the probe timeout time to 30 seconds.
[Sysname-hwping-administrator-snmp] timeout 30
# Start the test.
1.3.7 TCP Test (Tcpprivate Test) on the Specified Ports
I. Network requirements
Both the HWPing client and the HWPing server are H3C S3100-52P Ethernet switches. Perform a HWPing Tcpprivate test to test the time required to establish a TCP connection between this end (Switch A) and the specified destination end (Switch B), with the port number set to 8000.
1.3.8 UDP Test (Udpprivate Test) on the Specified Ports
I. Network requirements
Both the HWPing client and the HWPing server are H3C S3100-52P Ethernet switches. Perform a HWPing Udpprivate test on the specified ports between the two switches to test the RTT of UDP packets between this end (HWPing client) and the specified destination end (HWPing server).
II. Network diagram
Figure 1-9 Network diagram for the Udpprivate test
III.
1.3.9 DNS Test
I. Network requirements
An H3C S3100-52P Ethernet switch serves as the HWPing client, and a PC serves as the DNS server. Perform a HWPing DNS test between the switch and the DNS server to test the time required from when the client sends a DNS request to when it receives a resolution result from the DNS server.
Operation Manual – HWPing H3C S3100-52P Ethernet Switch Chapter 1 HWPing Configuration II. Network diagram Figure 1-10 Network diagram for the DNS test III. Configuration procedure Configure DNS Server: Use Windows 2003 Server as the DNS server. For DNS server configuration, refer to the related instruction on Windows 2003 Server configuration.
Min/Max/Average Round Trip Time: 6/10/8
Square-Sum of Round Trip Time: 756
Last complete test time: 2006-11-28 11:50:40.9
Extend result:
SD Maximal delay: 0 DS Maximal delay: 0
Packet lost in test: 0%...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 IPv6 Configuration
1.1 IPv6 Overview
1.1.1 IPv6 Features
1.1.2 Introduction to IPv6 Address
1.1.3 Introduction to IPv6 Neighbor Discovery Protocol
1.1.4 Introduction to IPv6 DNS
The term “router” in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol. H3C S3100-52P Ethernet Switch supports IPv6 management features, but does not support IPv6 forwarding and related features. 1.1 IPv6 Overview...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Figure 1-1 Comparison between IPv4 header format and IPv6 header format II. Adequate address space The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration VI. Support for QoS The Flow Label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Caution: The double-colon :: can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double-colon represents when converting it to zeros to restore the IPv6 address to a 128-bit address.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Table 1-1 Mapping between address types and format prefixes Type Format prefix (binary) IPv6 prefix ID Unassigned 00...0 (128 bits) ::/128 address Loopback 00...1 (128 bits) ::1/128...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration IV. Multicast address Multicast addresses listed in Table 1-2 are reserved for special purpose. Table 1-2 Reserved IPv6 multicast addresses Address Application FF01::1 Node-local scope all-nodes multicast address...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Figure 1-2 Convert a MAC address into an EUI-64 address 1.1.3 Introduction to IPv6 Neighbor Discovery Protocol The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to...
Note: H3C S3100-52P Ethernet Switch does not support the RS, RA, or Redirect message. Of the above mentioned IPv6 NDP functions, H3C S3100-52P Ethernet Switch supports the following three functions: address resolution, neighbor unreachability detection, and duplicate address detection.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B. Otherwise, node B is not using the IPv6 address and node A can use it.
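The EUI-64 conversion of Figure 1-2 and the solicited-node multicast address used by NS messages can be checked against addresses that appear in this manual's own output (FE80::20F:E2FF:FE00:1 and FF02::1:FF00:1). The Python below is an added example, not part of the H3C manual: the MAC address 000f-e200-0001 is derived here from that link-local address, and the neighbor entries are constructed sample data used to show how a static neighbor entry can be sanity-checked against the MAC embedded in an EUI-64 address.

```python
import ipaddress


def parse_mac(mac):
    """Parse a MAC written as 000f-e200-0001, 00:0f:e2:00:00:01, and so on."""
    digits = "".join(ch for ch in mac if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw):
    """Format six bytes in the xxxx-xxxx-xxxx style used on the switch CLI."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def link_local_from_mac(mac):
    """Build the automatically generated link-local address for a MAC."""
    raw = parse_mac(mac)
    # EUI-64: flip the universal/local bit of the first octet and
    # insert FFFE between the two halves of the MAC address.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 interface ID, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # interface ID was not generated from a MAC
    return format_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, where xx:xxxx is the low 24 bits of the address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return ipaddress.IPv6Address(base + low24)


def check_neighbor(ipv6, mac):
    """Compare a neighbor entry's MAC with the MAC embedded in its address."""
    embedded = mac_from_eui64(ipv6)
    if embedded is None:
        return "not-eui64"  # nothing to compare (manual or other address)
    return "match" if embedded == format_mac(parse_mac(mac)) else "mismatch"


# Constructed neighbor entries (IPv6 address, MAC); not taken from a device.
NEIGHBORS = [
    ("FE80::20F:E2FF:FE00:1", "000f-e200-0001"),
    ("FE80::20F:E2FF:FE00:1", "000f-e200-0099"),
    ("3001::2", "000f-e200-0002"),
]


def audit(neighbors=NEIGHBORS):
    """Return (address, MAC, verdict) for every neighbor entry."""
    return [(ip, mac, check_neighbor(ip, mac)) for ip, mac in neighbors]


if __name__ == "__main__":
    print(link_local_from_mac("000f-e200-0001"))
    print(solicited_node("FE80::20F:E2FF:FE00:1"))
    for row in audit():
        print(*row)
```

A "mismatch" only means the entry deserves a second look: an interface ID can be configured manually, so the verdict is a prompt to verify the entry, not proof of a forged one.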
Chapter 1 IPv6 Configuration Note: IPv6 unicast addresses can be configured for only one VLAN interface on an H3C S3100-52P Ethernet switch. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Follow these steps to configure a static neighbor entry: To do... Use the command... Remarks Enter system view system-view — ipv6 neighbor ipv6-address Configure a static mac-address { vlan-id port-type...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration Follow these steps to configure the attempts to send an NS message for duplicate address detection: To do… Use the command… Remarks Enter system view — system-view...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration To do… Use the command… Remarks Optional Configure the neighbor ipv6 nd nud 30,000 milliseconds by reachable timeout time reachable-time value default. 1.2.3 Configuring a Static IPv6 Route You can configure static IPv6 routes for network interconnection in a small sized IPv6 network.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration To do… Use the command… Remarks Configure the size of IPv6 Optional TCP receiving/sending tcp ipv6 window size 8 KB by default. buffer 1.2.5 Configuring the Maximum Number of IPv6 ICMP Error Packets Sent...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration To do… Use the command… Remarks Optional Configure the hop limit of ipv6 nd hop-limit value ICMPv6 reply packets 64 by default. 1.2.7 Configuring IPv6 DNS I. Configuring a static IPv6 DNS entry You can directly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration To do… Use the command… Remarks Required By default, no domain Configure the domain dns domain name suffix is configured, suffix. domain-name that is, the domain name is resolved according to the input information.
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration To do… Use the command… Remarks Display the statistics of IPv6 packets and IPv6 display ipv6 statistics ICMP packets Display the statistics of display tcp ipv6 statistics...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 1 IPv6 Configuration II. Network diagram Figure 1-5 Network diagram for IPv6 address configuration III. Configuration procedure Configure Switch A. # Configure an automatically generated link-local address for the interface VLAN-interface 2.
FF02::1:FF00:1
FF02::1:FF49:8048
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
bytes=56 Sequence=1 hop limit=255 time = 80 ms
Reply from FE80::20F:E2FF:FE00:1
bytes=56 Sequence=2 hop limit=255 time = 60 ms
Reply from FE80::20F:E2FF:FE00:1
bytes=56 Sequence=3 hop limit=255 time = 60 ms...
bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from 3001::2
bytes=56 Sequence=5 hop limit=255 time = 60 ms
--- 3001::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss...
IPv6 Application Configuration Example Troubleshooting IPv6 Application 2.1 Introduction to IPv6 Application IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4. The applications supported on H3C S3100-52P Ethernet Switch are: Ping Traceroute...
Operation Manual – IPv6 Management H3C S3100-52P Ethernet Switch Chapter 2 IPv6 Application Configuration Caution: When you use the ping ipv6 command to verify the reachability of the destination, you must specify the “–i” keyword if the destination address is a link-local address.
I. Network requirements
In Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is an H3C S3100-52P Ethernet switch, and SWB and SWC are two switches supporting IPv6 forwarding. In a LAN, there is a Telnet server and a TFTP server for providing Telnet service and TFTP service to the switch respectively. It is required that you telnet to the telnet server from SWA and download files from the TFTP server.
Use the display ipv6 route-table command to verify that the destination is reachable. Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout time limit, to determine whether the failure occurs because the timeout limit is too small.
Operation Manual – DNS H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 DNS Configuration
1.1 DNS Overview
1.1.1 Static Domain Name Resolution
1.1.2 Dynamic Domain Name Resolution
1.2 Configuring Domain Name Resolution
1.2.1 Configuring Static Domain Name Resolution
DNS database. Reduction of the searching time in the dynamic DNS database would increase efficiency. Some frequently used addresses can be put in the static DNS database. Currently, an S3100-52P Ethernet switch supports both static and dynamic DNS clients. 1.1.1 Static Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses.
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration resolution procedure is as follows: A user program sends a name query to the resolver in the DNS client. The DNS resolver looks up the local domain name cache for a match. If a match is found, it sends the corresponding IP address back.
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration If there is no dot in the domain name, such as aabbcc, the resolver will consider this as a host name and add a DNS suffix before processing. The original name such as aabbcc is used if all DNS lookups fail.
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration Note: You may configure up to six DNS servers and ten DNS suffixes. 1.3 Displaying and Maintaining DNS To do… Use the command… Remarks Display static DNS database...
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration # Execute the ping host.com command to verify that the device can use static domain name resolution to get the IP address 10.1.1.2 corresponding to host.com. [Sysname] ping host.com PING host.com (10.1.1.2): 56...
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration III. Configuration procedure Note: Before doing the following configuration, make sure that: The routes between the DNS server, Switch, and Host are reachable. Necessary configurations are done on the devices. For the IP addresses of the interfaces, see the figure above.
Operation Manual – DNS H3C S3100-52P Ethernet Switch Chapter 1 DNS Configuration 1.5 Troubleshooting DNS I. Symptom After enabling the dynamic domain name resolution, the user cannot get the correct IP address. II. Solution Use the display dns dynamic-host command to check that the specified domain name is in the cache.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch
Table of Contents
Chapter 1 Smart Link Configuration
1.1 Smart Link Overview
1.1.1 Basic Concepts in Smart Link
1.1.2 Operating Mechanism of Smart Link
1.2 Configuring Smart Link
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 1 Smart Link Configuration Chapter 1 Smart Link Configuration When configuring smart link, go to these sections for information you are interested in: Smart Link Overview Configuring Smart Link...
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 1 Smart Link Configuration II. Master port The master port can be either an Ethernet port or a manually-configured or static LACP aggregation group. For example, you can configure Ethernet 1/0/1 of switch A in Figure as the master port through the command line.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 1 Smart Link Configuration 1.2 Configuring Smart Link Note: Before configuring a member port of a Smart Link group, you must: Disable the port to avoid loops, thus preventing broadcast storm.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 1 Smart Link Configuration To do… Use the command… Remarks Required Enable the function of By default, no sending flush messages control VLAN for flush enable control-vlan vlan-id in the specified control...
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 1 Smart Link Configuration However, you do not have to enable all the ports of an associated device to process flush messages received from the specified control VLAN. You need to enable this function only on the ports that are on the active and backup links connecting the Smart Link device and the target device.
I. Network requirements As shown in Figure 1-3, Switch A is an H3C S3100-52P Ethernet switch. Switch C, Switch D and Switch E support Smart Link. Configure Smart Link feature to provide remote PCs with reliable access to the server.
II. Network diagram
Figure 1-3 Network diagram for Smart Link configuration
III.
# Configure to send flush messages within VLAN 1.
[SwitchA-smlk-group1] flush enable control-vlan 1
Enable the function of processing flush messages received from VLAN 1 on Switch C.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration Chapter 2 Monitor Link Configuration When configuring Monitor Link, go to these sections for information you are interested in: Introduction to Monitor Link Configuring Monitor Link...
2.1.1 How Monitor Link Works
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration Note: Currently, member ports of a Monitor Link group cannot be dynamic link aggregation groups. If the uplink or downlink port in the Monitor Link group is a link aggregation group, you cannot directly delete this aggregation group or change this aggregation group into a dynamic aggregation group.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration 2.2.3 Configuring the Uplink Port Follow these steps to configure the uplink port: To do… Use the command… Remarks Enter system view system-view — Enter the specified Monitor Link monitor-link group —...
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration To do… Use the command… Remarks Configure the specified link link-aggregation group aggregation group as group-id downlink a downlink port of the Monitor Link group...
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration 2.4 Monitor Link Configuration Example 2.4.1 Implementing Collaboration Between Smart Link and Monitor Link I. Network requirements As shown in Figure 2-3, the PCs access the server and Internet through the switch.
[SwitchA-Ethernet1/0/1] quit
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] stp disable
# Return to system view.
[SwitchA-Ethernet1/0/2] quit
# Create Smart Link group 1 and enter Smart Link group view.
Operation Manual – Smart Link-Monitor Link H3C S3100-52P Ethernet Switch Chapter 2 Monitor Link Configuration [SwitchE] smart-link flush enable control-vlan 1 port Ethernet 1/0/10 to Ethernet 1/0/11...
Operation Manual – Appendix H3C S3100-52P Ethernet Switch
Table of Contents
Appendix A Acronyms
Operation Manual – Appendix H3C S3100-52P Ethernet Switch Appendix A Acronyms Appendix A Acronyms Authentication, Authorization and Accounting Area Border Router Access Control List Address Resolution Protocol Autonomous System ASBR Autonomous System Border Router Backup Designated Router Command Line Interface...
Operation Manual – Appendix H3C S3100-52P Ethernet Switch Appendix A Acronyms Internet Architecture Board ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol Interior Gateway Protocol Internet Protocol Medium Access Control Management Information Base Network Information Center Network Management System...
Operation Manual – Appendix H3C S3100-52P Ethernet Switch Appendix A Acronyms TFTP Trivial File Transfer Protocol Type of Service Time To Live User Datagram Protocol VLAN Virtual LAN Video On Demand VRRP Virtual Router Redundancy Protocol Weighted Round Robin...