3Com 4500 PWR 26-Port Configuration Manual
3Com Switch 4500 Family

Configuration Guide

Switch 4500 26-Port
Switch 4500 50-Port
Switch 4500 PWR 26-Port
Switch 4500 PWR 50-Port
Product Version: V3.03.02p02
Manual Version: 6W100-20100418
www.3com.com
3Com Corporation
350 Campus Drive, Marlborough, MA, USA 01752 3064


Summary of Contents for 3Com 4500 PWR 26-Port

  • Page 2 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
  • Page 3: Table Of Contents

    About This Manual. Organization: the 3Com Switch 4500 Family Configuration Guide is organized as follows (Chapter, Contents). 1 CLI Configuration: details how to use the command line interface. 2 Logging In to an Ethernet Switch: details how to log in to an Ethernet switch.
  • Page 4 Chapter, Contents: 32 AAA Overview: introduces the authentication, authorization and accounting functions. 33 AAA Configuration: details how to configure AAA. 34 EAD Configuration: details how to configure EAD. 35 MAC Address Authentication Configuration: details how to configure MAC address authentication. 36 ARP Configuration: details how to configure ARP.
  • Page 5 Chapter, Contents: 67 Remote-ping Configuration: details how to configure remote-ping. 68 IPv6 Configuration: details how to configure IPv6. 69 IPv6 Application Configuration: details how to configure IPv6 applications. 70 Password Control Configuration: details how to configure password control. 71 Access Management Configuration: details how to configure access management.
  • Page 6: Related Documentation

    3Com Switch 4500 Family Release Notes release notes, use the information in the Release Notes. Obtaining Documentation You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
  • Page 7: Cli Configuration

    What Is CLI? ............................1-1 Entering the CLI ............................1-1 Entering CLI Through the Console Port ..................1-1 Entering CLI Through Telnet ......................1-5 3Com Products CLI Descriptions......................1-7 Command Conventions ........................1-7 CLI View Description ........................1-8 Tips on Using the CLI..........................1-12 Using the CLI Online Help......................
  • Page 8: Switching User Level

    Logging In Through the Web-based Network Management System............ 2-31 Introduction............................ 2-32 Establishing an HTTP Connection ....................2-32 Configuring the Login Banner......................2-33 Enabling/Disabling the WEB Server....................2-34 Logging In Through NMS........................2-35 Introduction............................ 2-35 Connection Establishment Using NMS ..................2-35 Configuring Source IP Address for Telnet Service Packets ..............
  • Page 9: Vlan Configuration

    Introduction to VLAN ........................6-1 Advantages of VLANs ........................6-2 VLAN Fundamentals ........................6-2 VLAN Interface ..........................6-4 VLAN Classification ......................... 6-4 Port-Based VLAN............................ 6-4 Link Types of Ethernet Ports ......................6-4 Assigning an Ethernet Port to Specified VLANs ................6-5 Configuring the Default VLAN ID for a Port..................
  • Page 10: Gvrp Configuration

    How an IP Phone Works ....................... 10-1 How Switch 4500 Series Switches Identify Voice Traffic .............. 10-3 Setting the Voice Traffic Transmission Priority ................10-4 Configuring Voice VLAN Assignment Mode of a Port ..............10-4 Support for Voice VLAN on Various Ports..................10-4 Security Mode of Voice VLAN .......................
  • Page 11: Port Isolation Configuration

    Introduction to Link Aggregation....................13-1 Introduction to LACP ........................13-1 Consistency Considerations for the Ports in Aggregation............. 13-1 Link Aggregation Classification......................13-2 Manual Aggregation Group ......................13-2 Static LACP Aggregation Group....................13-3 Dynamic LACP Aggregation Group....................13-4 Aggregation Group Categories ......................13-5 Link Aggregation Configuration......................
  • Page 12: Dldp Configuration

    Port Binding Configuration Example ..................... 16-2 Port Binding Configuration Example ..................... 16-2 17 DLDP Configuration..........................17-1 Overview ............................... 17-1 Introduction............................ 17-1 DLDP Fundamentals ........................17-2 DLDP Configuration ..........................17-8 Performing Basic DLDP Configuration ..................17-8 Resetting DLDP State ........................17-9 Displaying and Maintaining DLDP....................
  • Page 13: Ip Routing Protocol Overview

    Configuring the MSTP Operation Mode ..................20-21 Configuring the Maximum Hop Count of an MST Region ............20-22 Configuring the Network Diameter of the Switched Network ............20-23 Configuring the MSTP Time-related Parameters ................ 20-23 Configuring the Timeout Time Factor..................20-25 Configuring the Maximum Transmitting Rate on the Current Port ..........
  • Page 14: Rip Configuration

    Routing Table ..........................21-1 Routing Protocol Overview ........................21-3 Static Routing and Dynamic Routing..................... 21-3 Classification of Dynamic Routing Protocols................. 21-3 Routing Protocols and Routing Priority ..................21-4 Load Sharing and Route Backup ....................21-4 Routing Information Sharing......................21-5 Displaying and Maintaining a Routing Table ..................21-5 22 Static Route Configuration ........................
  • Page 15: Multicast Overview

    Configuring an ip-prefix list......................24-5 Displaying IP Route Policy........................24-5 IP Route Policy Configuration Example ....................24-6 Controlling RIP Packet Cost to Implement Dynamic Route Backup ..........24-6 Troubleshooting IP Route Policy......................24-9 25 Multicast Overview..........................25-1 Multicast Overview ..........................25-1 Information Transmission in the Unicast Mode ................
  • Page 16: 802.1X Configuration

    Encapsulation of EAPoL Messages ....................28-3 802.1x Authentication Procedure ....................28-5 Timers Used in 802.1x........................28-8 802.1x Implementation on a 3Com 4500 Series Switch ............... 28-9 Introduction to 802.1x Configuration ....................28-12 Basic 802.1x Configuration ......................... 28-13 Configuration Prerequisites ......................28-13 Configuring Basic 802.1x Functions....................
  • Page 17: Aaa Overview

    Configuring System Guard........................31-2 Configuring System Guard Against IP Attacks................31-2 Configuring System Guard Against TCN Attacks................31-2 Enabling Layer 3 Error Control...................... 31-3 Configuring CPU Protection ......................31-3 Displaying and Maintaining System Guard Configuration ..............31-4 32 AAA Overview ............................32-1 Introduction to AAA ..........................
  • Page 18: Ead Configuration

    Displaying and Maintaining HWTACACS Protocol Configuration..........33-29 AAA Configuration Examples......................33-29 Remote RADIUS Authentication of Telnet/SSH Users ............... 33-29 Local Authentication of FTP/Telnet Users................... 33-31 HWTACACS Authentication and Authorization of Telnet Users ..........33-32 Auto VLAN Configuration Example ..................... 33-33 Troubleshooting AAA ..........................
  • Page 19: Dhcp Overview

    ARP Attack Defense Configuration Task List................37-4 Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn .. 37-5 Configuring ARP Source MAC Address Consistency Check ............37-5 ARP Packet Filtering Based on Gateway’s Address..............37-5 Configuring ARP Attack Detection ....................
  • Page 20: Dhcp Relay Agent Configuration

    Configuring BIMS Server Information for the DHCP Client............39-21 Configuring Option 184 Parameters for the Client with Voice Service........39-21 Configuring the TFTP Server and Bootfile Name for the DHCP Client........39-22 Configuring a Self-Defined DHCP Option ................... 39-23 Configuring DHCP Server Security Functions ..................39-24 Prerequisites..........................
  • Page 21: Dhcp Packet Rate Limit Configuration

    IP Filtering Configuration Example....................41-12 42 DHCP Packet Rate Limit Configuration ....................42-1 Introduction to DHCP Packet Rate Limit....................42-1 Configuring DHCP Packet Rate Limit ....................42-1 Configuring DHCP Packet Rate Limit.................... 42-1 Configuring Port State Auto Recovery ..................42-2 Rate Limit Configuration Example ......................
  • Page 22: Mirroring Configuration

    Traffic Classification ........................45-3 Priority Trust Mode ........................45-4 Protocol Priority ..........................45-7 Priority Marking..........................45-8 Traffic Policing ..........................45-8 Line Rate ............................45-9 VLAN Mapping ..........................45-9 Queue Scheduling ......................... 45-9 Congestion Avoidance......................... 45-12 Traffic mirroring ........................... 45-13 QoS Configuration..........................45-13 Configuring Priority Trust Mode....................
  • Page 23: 48-Cluster Configuration

    Specifying the Fabric Port of a Switch................... 47-6 Specifying the VLAN Used to Form an XRN Fabric..............47-7 Setting a Unit ID for a Switch ......................47-8 Assigning a Unit Name to a Switch ....................47-9 Assigning an XRN Fabric Name to a Switch................. 47-9 Setting the XRN Fabric Authentication Mode................
  • Page 24: Snmp Configuration

    PoE Profile Configuration........................50-1 Configuring PoE Profile ......................... 50-1 Displaying PoE Profile Configuration ....................50-3 PoE Profile Configuration Example....................... 50-3 PoE Profile Application Example....................50-3 51 UDP Helper Configuration........................51-1 Introduction to UDP Helper ........................51-1 Configuring UDP Helper ........................51-2 Displaying and Maintaining UDP Helper....................
  • Page 25: Ssh Configuration

    Configuration Procedure......................54-12 Configuring Optional NTP Parameters ....................54-13 Configuring an Interface on the Local Switch to Send NTP messages ........54-13 Configuring the Number of Dynamic Sessions Allowed on the Local Switch ......54-14 Disabling an Interface from Receiving NTP messages............... 54-14 Displaying NTP Configuration......................
  • Page 26: Ftp And Sftp Configuration

    Flash Memory Operations ......................56-3 Prompt Mode Configuration ......................56-4 File System Configuration Examples .................... 56-4 File Attribute Configuration ........................56-5 Introduction to File Attributes......................56-5 Booting with the Startup File ......................56-6 Configuring File Attributes ......................56-7 Configuration File Backup and Restoration ..................56-8 Introduction to Configuration File Backup and Restoration............
  • Page 27: Boot Rom And Host Software Loading

    Log Output to a Linux Log Host....................59-17 Log Output to the Console ......................59-18 Configuration Example ........................ 59-19 60 Boot ROM and Host Software Loading....................60-1 Introduction to Loading Approaches ..................... 60-1 Local Boot ROM and Software Loading....................60-1 BOOT Menu ..........................
  • Page 28: Vlan-Vpn Configuration

    Configuration procedure ........................ 64-3 65 VLAN-VPN Configuration ........................65-1 VLAN-VPN Overview ..........................65-1 Introduction to VLAN-VPN......................65-1 Implementation of VLAN-VPN....................... 65-2 Configuring the TPID for VLAN-VPN Packets................65-2 Inner-to-Outer Tag Priority Replicating and Mapping..............65-3 VLAN-VPN Configuration........................65-3 VLAN-VPN Configuration Task List....................65-3 Enabling the VLAN-VPN Feature for a Port ..................
  • Page 29: Ipv6 Application Configuration

    IPv6 Unicast Address Configuration.................... 68-14 69 IPv6 Application Configuration ......................69-1 Introduction to IPv6 Application ......................69-1 Configuring IPv6 Application......................... 69-1 IPv6 Ping ............................69-1 IPv6 Traceroute ..........................69-2 IPv6 TFTP ............................. 69-2 IPv6 Telnet ............................ 69-3 IPv6 Application Configuration Example....................69-4 IPv6 Applications ...........................
  • Page 30: Pki Configuration

    Setting LLDP Operating Mode ...................... 72-7 Setting the LLDP Re-Initialization Delay ..................72-7 Enabling LLDP Polling........................72-8 Configuring the TLVs to Be Advertised ..................72-8 Configuring the Management Address..................72-8 Setting Other LLDP Parameters....................72-9 Setting an Encapsulation Format for LLDPDUs................72-10 Configuring CDP Compatibility ......................
  • Page 31: Https Configuration

    Configuration Prerequisites ......................74-3 Configuration Procedure........................ 74-3 SSL Server Policy Configuration Example ..................74-4 Configuring an SSL Client Policy ......................74-6 Configuration Prerequisites ......................74-6 Configuration Procedure........................ 74-6 Displaying and Maintaining SSL ......................74-7 Troubleshooting SSL..........................74-7 SSL Handshake Failure......................... 74-7 75 HTTPS Configuration..........................
  • Page 32: Cli Configuration

    When you use the CLI of a 3Com switch for the first time, you can log in to the switch and enter the CLI through the console port only. Follow these steps to log in to your 3Com switch and enter the CLI thro...
  • Page 33 Figure 1-1 Use the console cable to connect your PC to your switch. Identify the interface to avoid connection errors. Because the serial port of a PC is not hot swappable, do not plug or unplug the console cable when your switch is powered on.
  • Page 34 Figure 1-2 Connection description Then, the Connect To window as shown in Figure 1-3 appears. Select the serial port you want to use from the Connect using drop-down list, and then click OK. Figure 1-3 Specify the serial port used to establish the connection The COM1 Properties window as shown in Figure 1-4 appears.
  • Page 35 Figure 1-4 Set the properties of the serial port The HyperTerminal window as shown in Figure 1-5 appears. Figure 1-5 The HyperTerminal window...
  • Page 36: Entering Cli Through Telnet

    Telnet login as soon as possible, so that you can use a remote terminal to configure and manage your switch. Telnet login authentication methods: in order to restrict the login to your switch, 3Com provides three Telnet login authentication methods. Select a proper method according to your network conditions.
  • Page 37 A 3Com switch provides multiple VTY user interfaces. At one time, only one user can telnet to a VTY user interface. Because a remote terminal cannot select the VTY user interface through which it logs in to the switch, it is recommended that you configure all VTY user interfaces with the same authentication method.
  • Page 38: 3Com Products Cli Descriptions

    [Sysname-ui-vty0-4] user privilege level 3
    3Com Products CLI Descriptions. Command Conventions: before using commands provided in 3Com product manuals, learn the command conventions to understand the command meanings. Commands in 3Com product manuals comply with the following conventions, as described in Table 1-2.
  • Page 39: Cli View Description

    Table 1-3 lists the CLI views provided by the 3Com Switch 4500, the operations that can be performed in the different CLI views and the commands used to enter specific CLI views. Table 1-3 CLI views...
  • Page 40 Table 1-3 (continued), columns: View, Prompt example, Enter method, Quit method, Available operation. Aux1/0/0 port view: prompt example [Sysname-Aux1/0/0]; entered by executing the interface aux 1/0/0 command in system view; the 3Com Switch 4500 does not support configuration on port Aux1/0/0 (the console port). VLAN view: entered by executing the vlan command; used to configure VLAN...
  • Page 41 Table 1-3 (continued), columns: View, Prompt example, Enter method, Quit method, Available operation. Public key view: prompt example [Sysname-rsa-public-key]; entered by executing the rsa peer-public-key command in system view; quit by executing the peer-public-key end command to return to system view; used to configure the RSA public key for SSH users. Next row (cut off on the page): prompt example beginning [Sysname-peer-pu, entered by executing the public-key peer command, used to configure the RSA...
  • Page 42 Table 1-3 (continued), columns: View, Prompt example, Enter method, Quit method, Available operation. RADIUS scheme view: prompt example [Sysname-radius-1]; entered by executing the radius scheme command in system view; used to configure RADIUS scheme parameters. ISP domain view: prompt example [Sysname-isp-aaa123.net]; entered by executing the domain command in system view; used to configure ISP domain parameters. Remote-ping view: entered by executing the ... command; used to configure...
  • Page 43: Tips On Using The Cli

    Table 1-3 (continued), columns: View, Prompt example, Enter method, Quit method, Available operation. QinQ view: prompt example [Sysname-Ethernet1/0/1-vid-20]; entered by executing the vlan-vpn vid command in Ethernet port view; quit by executing the quit command to return to Ethernet port view; used to configure QinQ parameters. The vlan-vpn enable command should be executed first...
  • Page 44: Command Line Error Information

    Error information and cause: "% Ambiguous command found at '^' position." means an ambiguous command; "Too many parameters" means too many parameters; "% Wrong parameter found at '^' position." means wrong parameters. Typing and Editing Commands. Fuzzy match: the 3Com series Ethernet switches support fuzzy match for efficient input of commands.
  • Page 45: Displaying And Executing History Commands

    If in the current view, the character string you have typed can already uniquely identify a keyword, you do not need to type the complete keyword. For example, in user view, commands starting with an s include save, startup saved-configuration, and system-view.
  • Page 46: Undo Form Of A Command

    You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can press Ctrl+P or Ctrl+N instead. Note that: The commands saved in the history command buffer are in the same format in which you typed the commands.
  • Page 47: Cli Configurations

    Action and function: press <PageUp> to display the previous page; press <PageDown> to display the next page. CLI Configurations. Configuring Command Aliases: you can replace the first keyword of a command supported by the device with your preferred keyword by configuring the command alias function. For example, if you configure show as the replacement of the display keyword for each display command, you can input the command alias show xx to execute the display xx command.
  • Page 48: Synchronous Information Output

    Synchronous Information Output Synchronous information output refers to the feature that if your input is interrupted by system output, then after the completion of system output the system displays a command line prompt and your input so far, and you can continue your operations from where you were stopped. Follow these steps to enable synchronous information output: To do…...
  • Page 49 Level, Privilege, Description. Privilege: Monitor. Description: involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
  • Page 50: Saving Configurations

    TFTP server 192.168.0.1 and other TFTP servers. Saving Configurations Some commands in the CLI of 3Com switches are one-time commands, such as display commands, which display specified information, and the reset commands, which clear specified information. These commands are executed one-time only and are not saved when the switch reboots.
  • Page 51: Logging In To An Ethernet Switch

    Supported User Interfaces. The auxiliary (AUX) port and the console port of a 3Com low-end and mid-range Ethernet switch are the same port (referred to as the console port in the following part). You will be in the AUX user interface if you log in through this port.
  • Page 52: Common User Interface Configuration

    The absolute AUX user interfaces are numbered 0 through 7. VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 8, the second is 9, and so on. A relative user interface index can be obtained by appending a number to the identifier of a user interface type.
  • Page 53: Logging In Through The Console Port

    To do… / Use the command… / Remarks. Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ]. Display the information about the current web users: display web users. Logging In Through the Console Port. Go to these sections for information you are interested in: Introduction; Logging In Through the Console Port...
  • Page 54 Figure 2-1 Diagram for connecting to the console port of a switch. If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through...
  • Page 55: Console Port Login Configuration

    Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
  • Page 56 Configuration / Remarks. Set the maximum number of lines the screen can contain: optional; by default, the screen can contain up to 24 lines. Set the history command buffer size: optional; by default, the history command buffer can contain up to 10 commands. Set the timeout time of a user interface: optional...
  • Page 57: Console Port Login Configuration With Authentication Mode Being None

    Authentication mode / Console port login configuration / Remarks. Specify whether to perform local authentication or remote RADIUS authentication: optional; AAA configuration specifies whether to perform local authentication or RADIUS authentication, and local authentication is performed by default. Refer to the AAA part for more.
  • Page 58 To do… / Use the command… / Remarks. Set the check mode: parity { even | none | odd }; optional; by default, the check mode of a console port is none, that is, no check is performed. Set the stop bits: stopbits { 1 | 1.5 | 2 }; optional; the stop bits of a console port is 1.
  • Page 59: Console Port Login Configuration With Authentication Mode Being Password

    The baud rate of the console port is 19,200 bps. The screen can contain up to 30 lines. The history command buffer can contain up to 20 commands. The timeout time of the AUX user interface is 6 minutes. Network diagram: Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none). Configuration procedure...
  • Page 60 To do… / Use the command… / Remarks. Enter system view: system-view. Enter AUX user interface view: user-interface aux 0. Configure to authenticate users using the local password: authentication-mode password; required; by default, users logging in to a switch through the console port are not authenticated;...
  • Page 61 To do… / Use the command… / Remarks. Set the timeout time for the user interface: idle-timeout minutes [ seconds ]; optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed...
  • Page 62: Console Port Login Configuration With Authentication Mode Being Scheme

    [Sysname-ui-aux0] authentication-mode password
    # Set the local password to 123456 (in plain text).
    [Sysname-ui-aux0] set authentication password simple 123456
    # Specify that commands of level 2 are available to users logging in to the AUX user interface.
    [Sysname-ui-aux0] user privilege level 2
    # Set the baud rate of the console port to 19,200 bps.
  • Page 63 To do… / Use the command… / Remarks. Specify the service type for AUX users: service-type terminal [ level level ]; required. Quit to system view: quit. Enter AUX user interface view: user-interface aux 0. Configure the authentication mode: authentication-mode ...; required; the specified AAA scheme determines whether to authenticate users locally or...
  • Page 64 To do… / Use the command… / Remarks. Set the timeout time for the user interface: idle-timeout minutes [ seconds ]; optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
  • Page 65: Logging In Through Telnet

    <Sysname> system-view
    # Create a local user named guest and enter local user view.
    [Sysname] local-user guest
    # Set the authentication password to 123456 (in plain text).
    [Sysname-luser-guest] password simple 123456
    # Set the service type to Terminal, and specify that commands of level 2 are available to users logging in to the AUX user interface.
  • Page 66 Table 2-5 Requirements for Telnetting to a switch (Item / Requirement). Switch: the IP address is configured for the VLAN of the switch, and the route between the switch and the Telnet terminal is reachable (refer to the IP Address Configuration – IP Performance Configuration and Routing Protocol parts for more); the authentication mode and other settings are configured.
  • Page 67 Telnet Configurations for Different Authentication Modes. Table 2-7 Telnet configurations for different authentication modes (Authentication mode / Telnet configuration / Description). None: perform common Telnet configuration; optional; refer to Table 2-6. Password: configure the password for local authentication; required...
  • Page 68: Telnet Configuration With Authentication Mode Being None

    Telnet Configuration with Authentication Mode Being None. Configuration Procedure: follow these steps to configure Telnet with the authentication mode being none (To do… / Use the command… / Remarks). Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty ...
  • Page 69: Telnet Configuration With Authentication Mode Being Password

    Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on the user privilege level level command. Configuration Example. Network requirements: assume the current user logs in through the console port, and the current user level is set to the administrator level (level 3).
  • Page 70 To do… / Use the command… / Remarks. Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]. Configure to authenticate users logging in to VTY user interfaces using the local password: authentication-mode password; required. Set the local password: set authentication...
  • Page 71 Configuration Example. Network requirements: assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Authenticate users using the local password. Set the local password to 123456 (in plain text).
  • Page 72: Telnet Configuration With Authentication Mode Being Scheme

    Telnet Configuration with Authentication Mode Being Scheme. Configuration Procedure: follow these steps to configure Telnet with the authentication mode being scheme (To do… / Use the command… / Remarks). Enter system view: system-view. Enter the default ISP domain view: domain domain-name; optional; by default, the local AAA scheme is applied.
  • Page 73 To do… / Use the command… / Remarks. Set the maximum number of lines the screen can contain: screen-length screen-length; optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
  • Page 74 Scenario (Authentication mode / User type / Command) / Command level. The user privilege level level command is not executed, and the service-type command does not specify the available command level: Level 0. VTY users: the user privilege level level command is not executed, and the service-type command specifies the available command level...
  • Page 75: Telnetting To A Switch

    Configure to authenticate users logging in to VTY 0 in scheme mode. Only Telnet protocol is supported in VTY 0. The screen can contain up to 30 lines. The history command buffer can store up to 20 commands. The timeout time of VTY 0 is 6 minutes. Network diagram Figure 2-10 Network diagram for Telnet configuration (with the authentication mode being scheme) Configuration procedure...
  • Page 76 Figure 2-11 Diagram for establishing connection to a console port Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 95/Windows 98/Windows NT/Windows 2000/Windows XP) on the PC terminal, with the baud rate set to 19,200 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted.
  • Page 77 <Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message that says “All user interfaces are used, please try later!”. A 3Com Ethernet switch can accommodate up to five Telnet connections at same time.
  • Page 78: Logging In Using A Modem

    Logging In Using a Modem. Go to these sections for information you are interested in: Introduction; Configuration on the Switch Side; Modem Connection Establishment. Introduction: if the remote switch is connected to the public switched telephone network (PSTN) through a modem, the administrator can log in to the console port of that switch using a modem over the PSTN to configure and maintain the switch remotely.
  • Page 79: Modem Connection Establishment

    The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
  • Page 80 Figure 2-15 Establish the connection by using modems Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 2-16 through Figure 2-18. Note that you need to set the telephone number to that of the modem directly connected to the switch.
  • Page 81: Logging In Through The Web-Based Network Management System

    Figure 2-17 Set the telephone number Figure 2-18 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help.
  • Page 82: Establishing An Http Connection

    Introduction Switch 4500 has a Web server built in. It enables you to log in to an Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to a Switch 4500 through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
  • Page 83: Configuring The Login Banner

    When the login authentication interface (as shown in Figure 2-20) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system. Figure 2-20 The login page of the Web-based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command, when a user logs in through Web, the banner...
  • Page 84: Enabling/Disabling The Web Server

    # Enter system view. <Sysname> system-view # Configure the banner Welcome to be displayed when a user logs into the switch through Web. [Sysname] header login %Welcome% Assume that a route is available between the user terminal (the PC) and the switch. After the above-mentioned configuration, if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press <Enter>, the browser will display the banner page, as shown in...
  • Page 85: Logging In Through Nms

    Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
  • Page 86 Overview You can configure the source IP address for Telnet service packets for a Switch 4500 operating as a Telnet client. The IP address can only be the IP address of a Layer 3 interface on the switch. Figure 2-24 Specify source IP address for Telnet service packets As shown in Figure 2-24, suppose you are going to telnet to Switch B from PC.
  • Page 87: Displaying Source Ip Address Configuration

    Displaying Source IP Address Configuration To do… / Use the command… / Remarks: Display the source IP address configured for the Telnet service packets: display telnet source-ip (available in any view).
  • Page 88 User Control Go to these sections for information you are interested in: Introduction Controlling Telnet Users Controlling Network Management Users by Source IP Addresses Controlling Web Users by Source IP Address Refer to the ACL part for information about ACL. Introduction You can control users logging in through Telnet, SNMP and Web by...
  • Page 89: Controlling Telnet Users

    Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying). Controlling Telnet Users by Source IP Addresses Controlling Telnet users by source IP addresses is...
  • Page 90 To do… / Use the command… / Remarks: Enter user interface view: user-interface [ type ] first-number [ last-number ]. Apply the ACL to control Telnet users by specified source IP addresses: acl acl-number { inbound | outbound } (required). The inbound keyword specifies to filter the users trying to Telnet to the current switch.
  • Page 91: Controlling Network Management Users By Source Ip Addresses

    Network diagram Figure 3-1 Network diagram for controlling Telnet users using ACL Configuration procedure # Define a basic ACL. <Sysname> system-view [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the ACL. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] acl 2000 inbound Controlling Network Management Users by Source IP Addresses You can manage an Ethernet switch through network management software.
  • Page 92 To do… / Use the command… / Remarks: Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { auto | config } ] (as for the acl number command, the config keyword is specified by default). Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ] (required). Quit to system view...
  • Page 93: Controlling Web Users By Source Ip Address

    [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0 [Sysname-acl-basic-2000] quit # Apply the ACL to only permit SNMP users sourced from the IP addresses of 10.110.100.52 to access the switch. [Sysname] snmp-agent community read aaa acl 2000 [Sysname] snmp-agent group v2c groupa acl 2000 [Sysname] snmp-agent usm-user v2c usera groupa acl 2000 Controlling Web Users by Source IP Address...
  • Page 94: Configuration Example

    To do… / Use the command… / Remarks: Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name } (required; available in user view). Configuration Example Network requirements Only the Web users sourced from the IP address of 10.110.100.52 are permitted to access the switch. Network diagram Figure 3-3 Network diagram for controlling Web users using ACLs Configuration procedure...
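
The source-address control described on pages 88 to 94 can be checked offline. The following Python is an added example (not from the 3Com manual and not switch code): it models ACL 2000 with the manual's rule "rule 1 permit source 10.110.100.52 0" using Comware-style wildcard masks, and applies it to constructed login attempts the way the switch does for VTY (Telnet), SNMP and Web users. The rule ordering (ascending rule ID), the 2000 to 2999 range check for basic ACLs, and the default deny for a source that matches no rule are this example's assumptions; the last one is the only reading under which the manual's requirement (only 10.110.100.52 may log in) holds.

```python
"""Source-IP login control as a basic ACL with Comware-style wildcard masks.

Added example, not code from the 3Com manual. It models
'acl number 2000' / 'rule 1 permit source 10.110.100.52 0' and applies it
to constructed login attempts, as 'acl 2000 inbound' on VTY 0-4,
'snmp-agent ... acl 2000' and the Web-user ACL do on the switch.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str          # "permit" or "deny"
    source: str          # dotted-quad source address
    wildcard: str = "0"  # wildcard (inverse) mask; the CLI's bare "0" means an exact host

    def matches(self, addr: str) -> bool:
        # A wildcard bit of 1 means "don't care"; its complement selects the
        # bits that must be equal between the rule's source and the address.
        wildcard = "0.0.0.0" if self.wildcard == "0" else self.wildcard
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        src = int(ipaddress.IPv4Address(self.source))
        ip = int(ipaddress.IPv4Address(addr))
        return (src & care) == (ip & care)


class BasicAcl:
    """Basic ACL evaluated in config order (rules compared by ascending rule ID).

    default_action is an assumption of this example: the manual's requirement
    ("only ... 10.110.100.52 ... permitted") only holds if a source that
    matches no rule is denied.
    """

    def __init__(self, number: int, rules, default_action: str = "deny"):
        if not 2000 <= number <= 2999:  # assumption: Comware basic-ACL numbering
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number = number
        self.rules = sorted(rules, key=lambda r: r.rule_id)
        self.default_action = default_action

    def decide(self, addr: str) -> str:
        for rule in self.rules:
            if rule.matches(addr):
                return rule.action
        return self.default_action


# Constructed login attempts (service, source IP); not taken from the manual.
LOGIN_ATTEMPTS = [
    ("telnet", "10.110.100.52"),
    ("telnet", "10.110.100.53"),
    ("snmp", "10.110.100.52"),
    ("snmp", "192.168.1.10"),
    ("web", "10.110.100.52"),
]


def filter_logins(acl: BasicAcl, attempts=LOGIN_ATTEMPTS):
    """Return (service, source, decision) for each attempt."""
    return [(service, source, acl.decide(source)) for service, source in attempts]


def permitted_sources(acl: BasicAcl, attempts=LOGIN_ATTEMPTS):
    return sorted({src for _, src, verdict in filter_logins(acl, attempts) if verdict == "permit"})


if __name__ == "__main__":
    # The manual's ACL: exactly one management host.
    acl_host = BasicAcl(2000, [Rule(1, "permit", "10.110.100.52")])
    for entry in filter_logins(acl_host):
        print(*entry)
    # A broader rule with a real wildcard: any host in 10.110.100.0/24.
    acl_subnet = BasicAcl(2001, [Rule(1, "permit", "10.110.100.0", "0.0.0.255")])
    print(permitted_sources(acl_subnet))
```

Source filtering only narrows where a management session may originate; it is not authentication. SNMPv2c community strings and Telnet passwords still cross the network in clear text, so the ACL belongs alongside scheme-mode authentication, not in place of it.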
  • Page 95 Switching User Level Overview Users can switch their user privilege level temporarily without logging out and disconnecting the current connection; after the switch, users can continue to configure the device without logging in and being authenticated again, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters;...
  • Page 96 To do… / Use the command… / Remarks: Enter system view: system-view. Enter user interface view: user-interface [ type ] first-number [ last-number ]. Specify the authentication mode for user level switching (optional): super authentication-mode super-password for super password authentication, or super authentication-mode scheme for HWTACACS authentication. These configurations will take effect on... Specify the...
  • Page 97: Adopting Hwtacacs Authentication For User Level Switching

    Follow these steps to set a password for user level switching: To do… / Use the command… / Remarks: Enter system view: system-view. Set the super password for user level switching: super password [ level level ] { cipher | simple } password (required; the configuration will take effect on all user interfaces. The simple keyword stores the password in plain text in the configuration file, cipher stores it in encrypted form. By default, the super password...
  • Page 98: Configuration Examples

    Switching to a specific user level Follow these steps to switch to a specific user level: To do… Use the command… Remarks Required Switch to a specified user level super [ level ] Execute this command in user view. If no user level is specified in the super password command or the super command, level 3 is used by default.
  • Page 99: Hwtacacs Authentication Configuration Example

    HWTACACS authentication configuration example The administrator configures the user level switching authentication policies. # Configure a HWTACACS authentication scheme named acs, and specify the user name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.
  • Page 100 Configuration File Management When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File Configuration Task List Introduction to Configuration File A configuration file records and stores user configurations performed to a switch. It also enables users to check switch configurations easily.
  • Page 101 When saving the current configuration, you can specify the file to be a main or backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both main and backup attributes, you can specify to erase the main or backup attribute of the file.
  • Page 102 Modes in saving the configuration Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
  • Page 103: Erasing The Startup Configuration File

    It is recommended to adopt the fast saving mode in the conditions of stable power and adopt the safe mode in the conditions of unstable power or remote maintenance. If you use the save command after a fabric is formed on the switch, the units in the fabric save their own startup configuration files automatically.
  • Page 104: Displaying Switch Configuration

    You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
  • Page 105 VLAN Overview This chapter covers these topics: VLAN Overview Port-Based VLAN VLAN Overview Introduction to VLAN The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
  • Page 106: Advantages Of Vlans

    Figure 6-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
  • Page 107 A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the 3Com series Ethernet switches, the default TPID is 0x8100.
  • Page 108: Vlan Interface

    Currently, the Switch 4500 adopts the IVL mode only. For more information about the MAC address forwarding table, refer to the “MAC Address Forwarding Table Management” part of the manual. VLAN Interface Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding.
  • Page 109: Assigning An Ethernet Port To Specified Vlans

    The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch. An access port can be assigned to only one VLAN, while a hybrid or trunk port can be assigned to multiple VLANs.
  • Page 110 Table 6-3 Packet processing of a hybrid port (partially captured). Processing of an incoming untagged packet: if the port has already been added to its default VLAN, ... Processing of an incoming tagged packet: if the VLAN ID is one of the VLAN IDs allowed to pass through the port, ... Processing of an outgoing packet: send the packet if the VLAN ID ...
  • Page 111: Vlan Configuration

    VLAN Configuration When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration Configuring a Port-Based VLAN VLAN Configuration VLAN Configuration Task List Complete the following tasks to configure VLAN: Task / Remarks: Basic VLAN Configuration (required)...
  • Page 112: Basic Vlan Interface Configuration

    VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed. The VLAN you created in the way described above is a static VLAN. The switch also supports dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
  • Page 113: Displaying Vlan Configuration

    The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN. Displaying VLAN Configuration To do... Use the command... Remarks Display the VLAN interface display interface Vlan-interface information [ vlan-id ] Available in any view.
  • Page 114: Assigning An Ethernet Port To A Vlan

    To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. You can use the port link-type xrn-fabric command to configure fabric ports. For information about this command, refer to the XRN Fabric module in this manual. Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view.
  • Page 115: Configuring The Default Vlan For A Port

    To do… / Use the command… / Remarks: Assign the specified access port or ports to the current VLAN: port interface-list (required; by default, all ports belong to VLAN 1). Configuring the Default VLAN for a Port Because an access port can belong to its default VLAN only, there is no need for you to configure the default VLAN for an access port.
  • Page 116 Configure VLAN interfaces for the two VLANs on Switch A for forwarding data from PC 1 to Server 2 at Layer 3. Network diagram Figure 7-1 Network diagram for VLAN configuration Configuration procedure Configure Switch A. # Create VLAN 100, specify its descriptive string as Dept1, and add Ethernet 1/0/1 to VLAN 100. <SwitchA>...
  • Page 117 # Create VLAN 200, specify its descriptive string as Dept2, and add Ethernet 1/0/11 and Ethernet 1/0/12 to VLAN 200. [SwitchB] vlan 200 [SwitchB-vlan200] description Dept2 [SwitchB-vlan200] port Ethernet1/0/11 Ethernet1/0/12 [SwitchB-vlan200] quit Configure the link between Switch A and Switch B. Because the link between Switch A and Switch B needs to transmit data of both VLAN 100 and VLAN 200, you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports.
  • Page 118 IP Addressing Configuration When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview Configuring IP Addresses Displaying IP Addressing Configuration IP Address Configuration Examples IP Addressing Overview IP Address Classes IP addressing uses a 32-bit address to identify each host on a network.
  • Page 119: Subnetting And Masking

    Table 8-1 IP address classes and ranges (Class / Address range / Description; partially captured). Address 0.0.0.0 means this host on this network. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
  • Page 120: Configuring Ip Addresses

    adds an additional level, subnet ID, to the two-level hierarchy with IP addressing, IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host. In the absence of subnetting, some special addresses, such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts.
  • Page 121: Configuring Static Domain Name Resolution

    You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
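
To make the class, subnet and host-ID split on pages 118 to 120 concrete, and to check an interface address plan against the limits just stated (at most five addresses per interface; primary and secondary addresses on different segments), here is an added Python example. It is not code from the manual; the function names and the overlap test used for "same network segment" are this example's own choices. The addresses come from the manual's IP address configuration examples I and II (129.2.2.1/24, 172.16.1.1/24 and 172.16.2.1/24).

```python
"""Classful IP addressing, subnetting and interface address planning.

Added example, not code from the 3Com manual. describe() derives the class,
network, broadcast, subnet-ID and host-ID pieces the manual describes;
plan_interface() checks the rules on page 121 (at most five addresses per
interface; primary and secondary addresses not on the same segment).
"""
import ipaddress
from itertools import combinations

MAX_ADDRESSES_PER_INTERFACE = 5   # manual: at most five IP addresses per interface
CLASSFUL_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Class from the leading bits of the first octet (A: 0xxx, B: 10xx, C: 110x, D: 1110, E: 1111)."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for cls, limit in (("A", 128), ("B", 192), ("C", 224), ("D", 240)):
        if first_octet < limit:
            return cls
    return "E"


def describe(cidr: str) -> dict:
    """Split an address/mask (CIDR or dotted mask) into network, subnet and host parts."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    cls = address_class(str(iface.ip))
    host_bits = 32 - net.prefixlen
    host_id = int(iface.ip) & ((1 << host_bits) - 1)
    classful = CLASSFUL_PREFIX.get(cls)
    return {
        "class": cls,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        # Subnet-ID bits are borrowed from the host part of the classful address.
        "subnet_bits": None if classful is None else max(net.prefixlen - classful, 0),
        "host_id": host_id,
        # A host ID of all zeros names the network and all ones is the directed
        # broadcast; neither can be assigned to a host or an interface.
        "assignable": host_bits > 0 and host_id not in (0, (1 << host_bits) - 1),
    }


def plan_interface(primary: str, secondaries=()) -> list:
    """Return the problems with an interface address plan (empty list when valid).

    Assumption of this example: "same network segment" is tested as overlap
    between the networks of the addresses.
    """
    addrs = [primary, *secondaries]
    problems = []
    if len(addrs) > MAX_ADDRESSES_PER_INTERFACE:
        problems.append(f"{len(addrs)} addresses exceed the limit of {MAX_ADDRESSES_PER_INTERFACE}")
    for a in addrs:
        if not describe(a)["assignable"]:
            problems.append(f"{a} is a network or broadcast address")
    for a, b in combinations(addrs, 2):
        if ipaddress.IPv4Interface(a).network.overlaps(ipaddress.IPv4Interface(b).network):
            problems.append(f"{a} and {b} are on the same network segment")
    return problems


if __name__ == "__main__":
    print(describe("129.2.2.1/255.255.255.0"))                  # configuration example I
    print(plan_interface("172.16.1.1/24", ["172.16.2.1/24"]))   # configuration example II: valid
    print(plan_interface("172.16.1.1/24", ["172.16.1.2/24"]))   # secondary on the primary's segment
```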
  • Page 122: Ip Address Configuration Example Ii

    Network diagram Figure 8-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface Vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 IP Address Configuration Example II Network requirements As shown in Figure 8-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
  • Page 123: Static Domain Name Resolution Configuration Example

    # Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24. # Ping a host on the subnet 172.16.1.0/24 from the switch to check the connectivity.
  • Page 124 # Execute the ping host.com command to verify that the device can use static domain name resolution to get the IP address 10.1.1.2 corresponding to host.com. [Sysname] ping host.com PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=127 time=3 ms Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=127 time=3 ms Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=127 time=2 ms...
  • Page 125: Introduction To Ip Performance Configuration

    IP Performance Optimization Configuration When configuring IP performance, go to these sections for information you are interested in: IP Performance Overview Configuring IP Performance Displaying and Maintaining IP Performance Configuration IP Performance Overview Introduction to IP Performance Configuration In some network environments, you need to adjust the IP parameters to achieve best network...
  • Page 126: Disabling Icmp To Send Error Packets

    terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from receiving the last non-FIN packet. The connection is broken after the timer expires. Size of TCP receive/send buffer Follow these steps to configure TCP attributes:...
  • Page 127: Displaying And Maintaining Ip Performance Configuration

    In a secure network, you can cancel the system-defined ACLs for ICMP attack guard, and thus increase the available ACL resources. Follow these steps to cancel the system-defined ACLs for ICMP attack guard: To do … / Use the command… / Remarks: Enter system view: system-view...
  • Page 128 To do… / Use the command… / Remarks: Clear IP traffic statistics: reset ip statistics. Clear TCP traffic statistics: reset tcp statistics. Clear UDP traffic statistics: reset udp statistics. All three are available in user view.
  • Page 129: How An Ip Phone Works

    Voice VLAN Configuration When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview Voice VLAN Configuration Displaying and Maintaining Voice VLAN Voice VLAN Configuration Example Voice VLAN Overview Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice...
  • Page 130 Refer to DHCP Operation for information about the Option184 field. The following describes the way an IP phone acquires an IP address. Figure 10-1 Network diagram for IP phones As shown in Figure 10-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
  • Page 131: How Switch 4500 Series Switches Identify Voice Traffic

    OUI addresses on Switch 4500 series switches. Table 10-1 Default OUI addresses pre-defined on the switch (Number / OUI address / Vendor): 0003-6b00-0000 Cisco phones; 000f-e200-0000 H3C Aolynk phones; 00d0-1e00-0000 Pingtel phones; 00e0-7500-0000 Polycom phones; 00e0-bb00-0000 3Com phones.
  • Page 132: Setting The Voice Traffic Transmission Priority

    Setting the Voice Traffic Transmission Priority In order to improve transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows: Set the CoS (802.1p) priority to 6. Set the DSCP value to 46. Configuring Voice VLAN Assignment Mode of a Port A po...
  • Page 133 Table 10-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically (Port type / Voice VLAN assignment mode / Voice traffic type / Supported or not; partially captured). Access: not supported / supported ... Trunk: tagged ... Make sure the default VLAN of the port exists and is not a voice VLAN, and the port permits the traffic of...
  • Page 134: Security Mode Of Voice Vlan

    VLAN-tagged packets to consume the voice VLAN bandwidth, affecting normal voice communication. 3Com series switches provide the security mode for voice VLAN to address this problem. When the voice VLAN works in security mode, the switch checks the source MAC address of each packet to enter the voice VLAN and drops the packets whose source MAC addresses do not match the OUI list.
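
The tag fields listed on page 107 (TPID 0x8100, priority, CFI, VLAN ID), the default OUI table on page 131 with the ffff-ff00-0000 mask shown on page 141, the CoS 6 re-marking on page 132 and the security-mode rule above are enough to reproduce the switch's decision in code. The following Python is an added example, not 3Com's implementation: it parses a tagged frame, drops voice-VLAN-tagged frames whose source MAC is outside the OUI list, and re-marks the 802.1p priority. The frames are constructed and the function names are this example's own; treating untagged frames as outside the check (returned as "normal") is an assumption, since the manual's table does not cover them.

```python
"""802.1Q tag parsing and the voice VLAN security-mode check.

Added example, not code from the 3Com manual. Tag layout: TPID (0x8100),
then a 16-bit TCI of 3-bit priority, 1-bit CFI and 12-bit VLAN ID.
"""
import struct

TPID_8021Q = 0x8100  # default TPID on the Switch 4500

# Table 10-1 default OUI addresses; the mask ffff-ff00-0000 (from the
# 'display voice vlan oui' output) compares only the vendor part.
DEFAULT_VOICE_OUIS = {
    "0003-6b00-0000": "Cisco phones",
    "000f-e200-0000": "H3C Aolynk phones",
    "00d0-1e00-0000": "Pingtel phones",
    "00e0-7500-0000": "Polycom phones",
    "00e0-bb00-0000": "3Com phones",
}
OUI_MASK = bytes.fromhex("ffffff000000")


def mac_bytes(dotted: str) -> bytes:
    """'00e0-bb12-3456' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace("-", ""))


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, the 802.1Q tag (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    tag, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        tag = {
            "tpid": ethertype,
            "priority": tci >> 13,      # 3-bit 802.1p priority
            "cfi": (tci >> 12) & 0x1,   # 1-bit canonical format indicator
            "vlan_id": tci & 0x0FFF,    # 12-bit VLAN ID
        }
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return {"dst": dst, "src": src, "tag": tag, "ethertype": ethertype, "payload": frame[offset:]}


def build_frame(dst: str, src: str, vlan_id=None, priority=0, ethertype=0x0800, payload=b"") -> bytes:
    """Build an (optionally tagged) Ethernet frame; the inverse of parse_frame."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vlan_id & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def matches_oui(src: bytes, ouis=DEFAULT_VOICE_OUIS, mask=OUI_MASK) -> bool:
    """True if the masked source MAC equals any masked OUI entry."""
    masked = bytes(a & m for a, m in zip(src, mask))
    return any(masked == bytes(a & m for a, m in zip(mac_bytes(oui), mask)) for oui in ouis)


def voice_vlan_decision(frame: bytes, voice_vlan: int, security_mode: bool = True) -> str:
    """'forward' or 'drop' for frames tagged with the voice VLAN; 'normal' means the
    frame is not voice VLAN traffic and ordinary port VLAN handling applies
    (assumption of this example for untagged frames)."""
    parsed = parse_frame(frame)
    if parsed["tag"] is None or parsed["tag"]["vlan_id"] != voice_vlan:
        return "normal"
    if not security_mode or matches_oui(parsed["src"]):
        return "forward"
    return "drop"


def remark_voice_priority(frame: bytes, priority: int = 6) -> bytes:
    """Rewrite the 802.1p priority of a tagged frame (the switch's default CoS 6 for the voice VLAN)."""
    tag = parse_frame(frame)["tag"]
    if tag is None:
        raise ValueError("cannot re-mark an untagged frame")
    tci = (priority << 13) | (tag["cfi"] << 12) | tag["vlan_id"]
    return frame[:14] + struct.pack("!H", tci) + frame[16:]


if __name__ == "__main__":
    # Constructed frames: a 3Com phone and an unknown device, both tagged with voice VLAN 2.
    phone = build_frame("ffff-ffff-ffff", "00e0-bb12-3456", vlan_id=2)
    rogue = build_frame("ffff-ffff-ffff", "0011-2233-4455", vlan_id=2)
    print(parse_frame(phone)["tag"])
    print(voice_vlan_decision(phone, 2), voice_vlan_decision(rogue, 2))
    print(parse_frame(remark_voice_priority(phone))["tag"]["priority"])
```

The OUI check is only as strong as the source MAC, which any host can set; security mode keeps casual traffic out of the voice VLAN but does not authenticate the phone.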
  • Page 135: Configuring The Voice Vlan To Operate In Automatic Voice Vlan Assignment Mode

    (Table: Voice VLAN mode / Packet type / Processing method) Security mode: a packet carrying the voice VLAN tag is transmitted in the voice VLAN if its source MAC address matches the OUI list; otherwise, the packet is dropped. A packet carrying any other VLAN tag is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
  • Page 136: Configuring The Voice Vlan To Operate In Manual Voice Vlan Assignment Mode

    To do… / Use the command… / Remarks: Enable the voice VLAN function globally: voice vlan vlan-id enable (required). Enter Ethernet port view: interface interface-type interface-number (required). Enable the voice VLAN function on a port: voice vlan enable (required; by default, voice VLAN is disabled on a port).
  • Page 137 To do… / Use the command… / Remarks: Set the voice VLAN aging timer: voice vlan aging minutes (optional; the default aging timer is 1,440 minutes). Enable the voice VLAN function globally: voice vlan vlan-id enable (required). Enter port view: interface interface-type interface-number (required)...
  • Page 138: Displaying And Maintaining Voice Vlan

    VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature realizes the communication between 3Com device and other vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
  • Page 139: Voice Vlan Configuration Example (Automatic Voice Vlan Assignment Mode)

    Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
  • Page 140: Voice Vlan Configuration Example (Manual Voice Vlan Assignment Mode)

    # Configure Ethernet 1/0/1 as a hybrid port. [DeviceA-Ethernet1/0/1] port link-type hybrid # Configure VLAN 6 as the default VLAN of Ethernet 1/0/1, and configure Ethernet 1/0/1 to permit packets with the tag of VLAN 6. [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 6 [DeviceA-Ethernet1/0/1] port hybrid vlan 6 tagged # Enable the voice VLAN function on Ethernet 1/0/1.
  • Page 141 Pingtel phone 00e0-7500-0000 ffff-ff00-0000 Polycom phone 00e0-bb00-0000 ffff-ff00-0000 3Com phone # Display the status of the current voice VLAN. <DeviceA> display voice vlan status Voice Vlan status: ENABLE Voice Vlan ID: 2 Voice Vlan security mode: Security Voice Vlan aging time: 1440 minutes...
  • Page 142 GVRP Configuration When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP GVRP Configuration Displaying and Maintaining GVRP GVRP Configuration Example Introduction to GVRP GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
  • Page 143 GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
  • Page 144 Figure 11-1 Format of GARP packets The following table describes the fields of a GARP packet. Table 11-1 Description of GARP packet fields (Field / Description / Value; partially captured): Protocol ID: protocol ID. Message: each message consists of two parts, Attribute Type and...
  • Page 145: Protocol Specifications

    GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
  • Page 146: Configuring Gvrp Timers

    To do... / Use the command... / Remarks: Enter system view: system-view. Enable GVRP globally: gvrp (required; by default, GVRP is disabled globally). Enter Ethernet port view: interface interface-type interface-number. Enable GVRP on the port: gvrp (required; by default, GVRP is disabled on the port).
  • Page 147: Configuring Gvrp Port Registration Mode

    Table 11-2 Relations between the timers (Timer / Lower threshold / Upper threshold): Hold: lower threshold 10 centiseconds; the upper threshold is less than or equal to one-half of the timeout time of the Join timer, and you can change it by changing the timeout time of the Join timer.
  • Page 148: Displaying And Maintaining Gvrp

    Displaying and Maintaining GVRP To do … / Use the command … / Remarks: Display GARP statistics: display garp statistics [ interface interface-list ]. Display the settings of the GARP timers: display garp timer [ interface interface-list ]. Display GVRP statistics: display gvrp statistics [ interface interface-list ]. All are available in any view...
  • Page 149 [SwitchA-Ethernet1/0/1] port link-type trunk [SwitchA-Ethernet1/0/1] port trunk permit vlan all # Enable GVRP on Ethernet1/0/1. [SwitchA-Ethernet1/0/1] gvrp [SwitchA-Ethernet1/0/1] quit # Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs. [SwitchA] interface Ethernet 1/0/2 [SwitchA-Ethernet1/0/2] port link-type trunk [SwitchA-Ethernet1/0/2] port trunk permit vlan all # Enable GVRP on Ethernet1/0/2.
  • Page 150 The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] display vlan dynamic Total 1 dynamic VLAN exist(s).
  • Page 151 5, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] display vlan dynamic No dynamic vlans exist!
  • Page 152 Port Basic Configuration When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration Ethernet Port Configuration Example Troubleshooting Ethernet Port Configuration Ethernet Port Configuration Combo Port Configuration Introduction to Combo port A Combo port can operate as either an optical port or an electrical port.
  • Page 153 To do... / Use the command... / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the Ethernet port: undo shutdown (optional; by default, the port is enabled. Use the shutdown command to disable the port).
  • Page 154: Limiting Traffic On Individual Ports

    Follow these steps to configure auto-negotiation speeds for a port: To do... / Use the command... / Remarks: Enter system view: system-view. Enter Ethernet interface view: interface interface-type interface-number. Configure the available auto-negotiation speed(s): speed auto [ 10 | 100 | ... (optional; by default, the port speed is determined through auto-negotiation).
  • Page 155: Configuring Flow Control On A Port

    To do... / Use the command... / Remarks: Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps } (optional; by default, the switch does not suppress unknown unicast traffic). Configuring Flow Control on a Port In situations where the receiving port is unable to process received frames, you can use the flow control function to enable the receiving port to inform the sending port to stop sending the frames for a while, thus preventing frames from being dropped.
  • Page 156: Duplicating The Configuration Of A Port To Other Ports

    Reflector ports and fabric ports do not support the flow-control no-pauseframe-sending command. Duplicating the Configuration of a Port to Other Ports To make other ports have the same configuration as that of a specific port, you can duplicate the configuration of a port to specific ports. Specifically, the following types of port configuration can be duplicated from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, GARP configuration, STP configuration and initial port configuration.
  • Page 157 If you have not enabled the loopback port auto-shutdown function on the port, the port will automatically resume the normal forwarding state after the loop is removed. If a loop is found on a trunk or hybrid port, the system sends log and trap messages to the terminal. If you have additionally enabled the loopback port control function or the loopback port auto-shutdown function, the system will deal with the port accordingly: If the loopback port control function is enabled on the port, the system will set the port to the block...
  • Page 158: Enabling Loopback Test

    Operation / Command / Remarks: Enable loopback port control on the trunk or hybrid port: loopback-detection control enable (optional; by default, the loopback port control function is enabled on ports if the device boots with the default configuration file (config.def); if the device boots with null configuration, this function is disabled).
  • Page 159: Enabling The System To Test Connected Cable

    external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop headers are made from four cores of the 8-core cable; for a 1000M port, from eight cores of the 8-core cable), so that the packets forwarded by the port are received by the port itself.
  • Page 160: Enabling Giant-Frame Statistics Function

    To do... / Use the command... / Remarks: Enter Ethernet port view: interface interface-type interface-number. Set the interval to perform statistical analysis on port traffic: flow-interval interval (optional; by default, this interval is 300 seconds). Enabling Giant-Frame Statistics Function The giant-frame statistics function is used to ensure normal data transmission and to facilitate statistics and analysis of unusual traffic on the network.
  • Page 161: Setting The Port State Change Delay

    To do... / Use the command... / Remarks: Disable a port from generating UP/Down log: undo enable log updown (required; by default, UP/Down log output is enabled). Configuration examples # In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on Ethernet 1/0/1.
  • Page 162: Displaying And Maintaining Basic Port Configuration

    To do …: Set the port state change delay. Use the command …: link-delay delay-time. Remarks: Required. Defaults to 0, which indicates that no delay is introduced. The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP.
  • Page 163: Troubleshooting Ethernet Port Configuration

    Network diagram Figure 12-2 Network diagram for Ethernet port configuration Configuration procedure Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. This example supposes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have been created. # Enter Ethernet 1/0/1 port view.
  • Page 164 Link Aggregation Configuration When configuring link aggregation, go to these sections for information you are interested in: Overview Link Aggregation Classification Aggregation Group Categories Link Aggregation Configuration Displaying and Maintaining Link Aggregation Configuration Link Aggregation Configuration Example Overview Introduction to Link Aggregation...
  • Page 165: Link Aggregation Classification

    Table 13-1 Consistency considerations for ports in an aggregation. Category / Considerations: State of port-level STP (enabled or disabled); Attribute of the link (point-to-point or otherwise) connected to the port; Port path cost; STP priority; STP packet format; Loop protection; Root protection; Port type (whether the port is an edge port); Rate limiting; Priority marking...
  • Page 166: Static Lacp Aggregation Group

    LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group. Port status in manual aggregation group A port in a manual aggregation group can be in one of the two states: selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
  • Page 167: Dynamic Lacp Aggregation Group

    The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port are unselected ports. The system sets the ports with basic port configuration different from that of the master port to unselected state.
  • Page 168: Aggregation Group Categories

    For an aggregation group: When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state;...
  • Page 169: Configuring A Manual Aggregation Group

    A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports. When more than eight load-sharing aggregation groups are configured on a single switch, fabric ports cannot be enabled on this switch.
  • Page 170: Configuring A Static Lacp Aggregation Group

    For a manual aggregation group, a port can only be added to or removed from the group manually. Follow these steps to configure a manual aggregation group: To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Create a manual aggregation group. Use the command…: link-aggregation group agg-id mode ... Remarks: Required...
  • Page 171: Configuring A Dynamic Lacp Aggregation Group

    To do…: Create a static aggregation group. Use the command…: link-aggregation group agg-id mode static. Remarks: Required. To do…: Enter Ethernet port view. Use the command…: interface interface-type interface-number. Remarks: —. To do…: Add the port to the aggregation group. Use the command…: port link-aggregation group agg-id. Remarks: Required. For a static LACP aggregation group or a manual aggregation group, you are recommended not to cross cables between the two devices at the two ends of the aggregation group.
  • Page 172: Configuring A Description For An Aggregation Group

    To do…: Configure the port priority. Use the command…: lacp port-priority port-priority. Remarks: Optional. By default, the port priority is 32,768. Changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member ports in the dynamic aggregation group. Configuring a Description for an Aggregation Group To do…...
  • Page 173: Link Aggregation Configuration Example

    Link Aggregation Configuration Example Ethernet Port Aggregation Configuration Example Network requirements Switch A connects to Switch B with three ports Ethernet 1/0/1 to Ethernet 1/0/3. It is required that load between the two switches can be shared among the three ports. Adopt three different aggregation modes to implement link aggregation on the three ports between switch A and B.
  • Page 174 <Sysname> system-view [Sysname] link-aggregation group 1 mode static # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-aggregation group 1 [Sysname-Ethernet1/0/1] quit [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] port link-aggregation group 1 [Sysname-Ethernet1/0/2] quit [Sysname] interface Ethernet1/0/3 [Sysname-Ethernet1/0/3] port link-aggregation group 1 Adopting dynamic LACP aggregation mode...
  • Page 175: Port Isolation Overview

    Port Isolation Configuration When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview Port Isolation Configuration Displaying and Maintaining Port Isolation Configuration Port Isolation Configuration Example Port Isolation Overview The port isolation feature is used to secure and add privacy to the data traffic and prevent malicious attackers from obtaining the user information.
  • Page 176: Port Isolation Configuration Example

    When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
  • Page 177 Network diagram Figure 14-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2] quit [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] port isolate [Sysname-Ethernet1/0/3] quit...
  • Page 178: Port Security Overview

    Port Security Configuration When configuring port security, go to these sections for information you are interested in: Port Security Overview Port Security Configuration Task List Displaying and Maintaining Port Security Configuration Port Security Configuration Examples The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication.
  • Page 179 Table 15-1 Description of port security modes. On the port, if you want to… / Use the security mode…: Control MAC address learning: autoLearn, secure. Perform 802.1X authentication: userLogin, userLoginSecure, userLoginSecureExt, userLoginWithOUI. Perform MAC authentication: macAddressWithRadius. Perform a combination of MAC authentication and 802.1X authentication: macAddressAndUserLoginSecure, macAddressAndUserLoginSecure, macAddressElseUserLoginSecure, Else...
  • Page 180 Figure 15-1 Packet processing and mode transition in autoLearn mode and secure mode (flowchart: the port receives a packet; depending on the security mode, secure or autoLearn, it checks whether the source MAC is in the MAC address table, saves the source MAC as a secure MAC address, or changes the security mode)...
  • Page 181 MAC authentication macAddressWithRadius: A port in this mode performs MAC authentication for users. For description of MAC authentication, refer to MAC Address Authentication Operation. Security modes with the And keyword macAddressAndUserLoginSecure: A port in this mode first performs MAC authentication for a user and then, if the user passes MAC authentication, performs 802.1X authentication.
  • Page 182 Security modes with the Else keyword macAddressElseUserLoginSecure: As the Else keyword implies, MAC authentication is applied first. A port in this mode performs only MAC authentication for non-802.1X frames; it performs MAC authentication for 802.1X frames and then, if the authentication fails, 802.1X authentication. The port in this mode supports only one 802.1X online user, but supports multiple MAC authenticated online users.
  • Page 183: Port Security Features

    Figure 15-4 Packet processing in a security mode with the Or keyword Port Security Features The following port security features are provided: NTK (need to know) feature: Checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication. This prevents illegal devices from intercepting network traffic.
  • Page 184: Port Security Configuration Task List

    In userLogin mode, neither NTK nor intrusion protection will be triggered. In any other port security mode, the two features will be triggered upon detection of illegal frames. In userLoginWithOUI mode, intrusion protection will not be triggered even if the OUI value does not match.
  • Page 185: Setting The Maximum Number Of Secure Mac Addresses Allowed On A Port

    To do...: Enter system view. Use the command...: system-view. Remarks: —. To do...: Enable port security. Use the command...: port-security enable. Remarks: Required. Disabled by default. Enabling port security resets the following configurations on a port to the bracketed defaults. The values of these configurations then cannot be changed manually; the system will adjust them based on the port security mode automatically.
  • Page 186: Setting The Port Security Mode

    Setting the Port Security Mode Follow these steps to set the port security mode: To do...: Enter system view. Use the command...: system-view. Remarks: —. To do...: Set the OUI value for user authentication. Use the command...: port-security oui OUI-value. Remarks: Optional. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose...
  • Page 187: Configuring Port Security Features

    Configuring Port Security Features Configuring the NTK feature Follow these steps to configure the NTK feature: To do...: Enter system view. Use the command...: system-view. Remarks: —. To do...: Enter Ethernet port view. Use the command...: interface interface-type interface-number. Remarks: —. To do...: Configure the NTK feature. Use the command...: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ... Remarks: Required. By default, NTK is disabled on...
  • Page 188: Configuring Guest Vlan For A Port In Macaddressoruserloginsecure Mode

    Configuring trapping Follow these steps to configure port security trapping: To do...: Enter system view. Use the command...: system-view. Remarks: —. To do...: Enable sending traps for the specified type of event. Use the command...: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ... Remarks: Required. By default, no trap is sent.
  • Page 189: Ignoring The Authorization Information From The Radius Server

    If one user of the port has passed or is undergoing authentication, you cannot specify a guest VLAN for it. When a user using a port with a guest VLAN specified fails the authentication, the port is added to the guest VLAN and users of the port can access only the resources in the guest VLAN. Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for authentication;...
  • Page 190 If the number of secure MAC address entries has not yet reached the maximum number, the port will learn new MAC addresses and save them as secure MAC addresses. If the number of secure MAC address entries reaches the maximum number, the port will not be able to learn new MAC addresses and the port mode will be changed from autoLearn to secure.
  • Page 191: Displaying And Maintaining Port Security Configuration

    To do...: Enter Ethernet port view. Use the command...: interface interface-type interface-number. Remarks: —. To do...: Set the maximum number of secure MAC addresses allowed on the port. Use the command...: port-security max-mac-count count-value. Remarks: Required. By default, there is no limit on the number of secure MAC addresses.
  • Page 192: Port Security Mode Macaddresswithradius Configuration Example

    Network diagram Figure 15-5 Network diagram for port security mode autoLearn Configuration procedure # Enter system view. <Switch> system-view # Enable port security. [Switch] port-security enable # Enter Ethernet1/0/1 port view. [Switch] interface Ethernet 1/0/1 # Set the maximum number of MAC addresses allowed on the port to 80. [Switch-Ethernet1/0/1] port-security max-mac-count 80 # Set the port security mode to autoLearn.
  • Page 193 Network diagram Figure 15-6 Network diagram for configuring port security mode macAddressWithRadius Configuration procedure The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1.
  • Page 194: Port Security Mode Userloginwithoui Configuration Example

    [Switch-isp-aabbcc.net] scheme radius-scheme radius1 [Switch-isp-aabbcc.net] quit # Set aabbcc.net as the default user domain. [Switch] domain default enable aabbcc.net # Configure the switch to use MAC addresses as usernames for authentication, specifying that the MAC addresses should be lowercase without separators. [Switch] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen # Specify the ISP domain for MAC authentication.
  • Page 195 The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1. <Switch> system-view [Switch] radius scheme radius1 # Specify the primary RADIUS authentication server and primary RADIUS accounting server.
  • Page 196: Port Security Mode Macaddresselseuserloginsecureext Configuration Example

    [Switch-isp-aabbcc.net] quit # Set aabbcc.net as the default user domain. [Switch] domain default enable aabbcc.net # Create a local user. [Switch] local-user localuser [Switch-luser-localuser] service-type lan-access [Switch-luser-localuser] password simple localpass Configure port security # Enable port security. [Switch] port-security enable # Add two OUI values.
  • Page 197 Network diagram Figure 15-8 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt Configuration procedure The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1.
  • Page 198: Port Security Mode Macaddressanduserloginsecureext Configuration Example

    [Switch-radius-radius1] timer realtime-accounting 15 # Configure the switch to send a username without the domain name to the RADIUS server. [Switch-radius-radius1] user-name-format without-domain [Switch-radius-radius1] quit # Create a domain named aabbcc.net and enter its view. [Switch] domain aabbcc.net # Specify the RADIUS scheme for the domain. [Switch-isp-aabbcc.net] scheme radius-scheme radius1 # Enable the idle disconnecting function and set the related parameters.
  • Page 199 Network diagram Figure 15-9 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt Configuration procedure The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted. Configure RADIUS parameters # Create a RADIUS scheme named radius1.
  • Page 200: Guest Vlan Configuration Example

    [Switch-radius-radius1] timer realtime-accounting 15 # Configure the switch to send a username without the domain name to the RADIUS server. [Switch-radius-radius1] user-name-format without-domain [Switch-radius-radius1] quit # Create a domain named aabbcc.net and enter its view. [Switch] domain aabbcc.net # Specify the RADIUS scheme for the domain. [Switch-isp-aabbcc.net] scheme radius-scheme radius1 # Enable the idle disconnecting function and set the related parameters.
  • Page 201 Figure 15-10 Network diagram for guest VLAN configuration Configuration procedure The following configuration steps include configurations of AAA and RADIUS. For details about these commands, refer to AAA Command. The configurations on the 802.1X client and the RADIUS server are omitted. # Configure RADIUS scheme 2000.
  • Page 202 # Enable port security. [Switch] port-security enable # Specify the switch to trigger MAC authentication at an interval of 60 seconds. [Switch] port-security timer guest-vlan timer 60 # Create VLAN 10 and assign the port Ethernet 1/0/1 to it. [Switch] vlan 10 [Switch-vlan10] port Ethernet 1/0/1 # Set the security mode of the port Ethernet 1/0/2 to macAddressOrUserLoginSecure.
  • Page 203 Port Binding Configuration When configuring port binding, go to these sections for information you are interested in: Port Binding Overview Displaying and Maintaining Port Binding Configuration Port Binding Configuration Example Port Binding Overview Introduction Binding is a simple security mechanism. Through the binding configuration on the switch, you can filter the packets forwarded on the ports.
  • Page 204: Displaying And Maintaining Port Binding Configuration

    To do...: Enter system view. Use the command...: system-view. Remarks: —. To do...: Create a port-MAC-IP binding entry. Use the command...: in system view, am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ]; in Ethernet port view, interface interface-type interface-number, then ... Remarks: Either is required. By default, no binding is configured.
  • Page 205 Network diagram Figure 16-1 Network diagram for port binding configuration Configuration procedure Configure Switch A as follows: # Enter system view. <SwitchA> system-view # Enter Ethernet 1/0/1 port view. [SwitchA] interface Ethernet 1/0/1 # Bind the MAC address and the IP address of Host A to Ethernet 1/0/1. [SwitchA-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
  • Page 206 DLDP Configuration When configuring DLDP, go to these sections for information you are interested in: Overview DLDP Configuration DLDP Configuration Example Overview Introduction A special kind of link, namely a unidirectional link, may occur in a network. When a unidirectional link appears, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
  • Page 207: Dldp Fundamentals

    Figure 17-2 Fiber broken or not connected (Device A: GE1/0/49, GE1/0/50; Device B: GE1/0/49, GE1/0/50) DLDP provides the following features: As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. The auto-negotiation mechanism at the physical layer detects physical signals and faults.
  • Page 208 DLDP packet type: RSY advertisement packets (referred to as RSY packets hereafter). Function: Advertisement packet with the RSY flag set to 1. RSY-Advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
  • Page 209 DLDP status A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown. Table 17-2 DLDP status. Status / Description: Initial: Initial status before DLDP is enabled. Inactive: DLDP is enabled but the corresponding link is down. Active: DLDP is enabled and the link is up. This state indicates that:...
  • Page 210 Timer: Entry aging timer. Description: When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with an RSY tag,...
  • Page 211 In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 17-1) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 17-1). The other refers to fiber pairs with one fiber not connected or disconnected (as shown in Figure 17-2).
  • Page 212 Packet type: Echo packet. Processing procedure: Checks whether the local device information in the packet is ...; if not, discards this echo packet. Checks whether the neighbor is in the probe state; if not, discards this echo packet. Sets the neighbor flag bit to bidirectional link. If all neighbors are in the bidirectional link state, DLDP...
  • Page 213: Performing Basic Dldp Configuration

    the local port and the neighbor is considered to be recovered to bidirectional, the port changes from the disable state to the active state, and neighboring relationship is reestablished between the local port and the neighbor. Only ports in the DLDP down state can send and process recover probe packets and recover echo packets.
  • Page 214: Resetting Dldp State

    To ensure unidirectional links can be detected, make sure DLDP is enabled on both sides; and the interval for sending advertisement packets, authentication mode, and password are the same on both sides. The interval for sending advertisement packets ranges from 1 to 100 seconds and defaults to 5 seconds.
  • Page 215: Displaying And Maintaining Dldp

    Displaying and Maintaining DLDP To do …: Display the DLDP configuration of a unit or a port. Use the command …: display dldp { unit-id | interface-type interface-number }. Remarks: Available in any view. DLDP Configuration Example Network requirements As shown in Figure 17-3, Switch A and Switch B are connected through two pairs of fibers.
  • Page 216 # Enable DLDP globally. [SwitchA] dldp enable # Set the interval for sending DLDP packets to 15 seconds. [SwitchA] dldp interval 15 # Configure DLDP to work in enhanced mode. [SwitchA] dldp work-mode enhance # Set the DLDP handling mode for unidirectional links to auto. [SwitchA] dldp unidirectional-shutdown auto # Display the DLDP state.
  • Page 217 MAC Address Table Management When configuring MAC address table management, go to these sections for information you are interested in: Overview Configuring MAC Address Table Management Displaying MAC Address Table Information Configuration Example This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
  • Page 218 Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 18-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to Ethernet 1/0/1.
  • Page 219 packet from User B is sent to Ethernet 1/0/4, the switch records the association between the MAC address of User B and the corresponding port to the MAC address table of the switch. Figure 18-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 18-5.
  • Page 220: Mac Address Table Management Configuration Task List

    the entry. The switch removes the MAC address entry if no more packets with the MAC address recorded in the entry are received within the aging time. The MAC address aging timer only takes effect on dynamic MAC address entries. With the destination MAC address triggered update function enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging tim...
  • Page 221 Task / Remarks: Configuring a MAC Address Entry: Required. Setting the MAC Address Aging Timer: Optional. Setting the Maximum Number of MAC Addresses a Port Can Learn: Optional. Enabling Destination MAC Address Triggered Update: Optional. Configuring a MAC Address Entry You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
  • Page 222: Setting The Mac Address Aging Timer

    When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
  • Page 223: Enabling Destination Mac Address Triggered Update

    Follow these steps to set the maximum number of MAC addresses a port can learn: To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Enter Ethernet port view. Use the command…: interface interface-type interface-number. Remarks: —. To do…: Set the maximum number of MAC addresses the port can... Use the command…: mac-address max-mac-count ... Remarks: Required. By default, the number of the...
  • Page 224: Adding A Static Mac Address Entry Manually

    Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through Ethernet 1/0/2.
  • Page 225 Auto Detect Configuration When configuring the auto detect function, go to these sections for information you are interested in: Introduction to the Auto Detect Function Auto Detect Configuration Auto Detect Configuration Examples Introduction to the Auto Detect Function The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
  • Page 226: Auto Detect Basic Configuration

    Task / Remarks: Auto Detect Implementation in VLAN Interface Backup: Optional. Auto Detect Basic Configuration Follow these steps to configure the auto detect function: To do…: Enter system view. Use the command…: system-view. Remarks: —. To do…: Create a detected group and enter detected group view. Use the command…: detect-group group-number. Remarks: Required...
  • Page 227: Auto Detect Implementation In Vlan Interface Backup

    To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby.
  • Page 228: Configuration Example For Auto Detect Implementation With Static Routing

    Figure 19-1 Schematic diagram for VLAN interface backup Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
  • Page 229: Configuration Example For Auto Detect Implementation With Vlan Interface Backup

    On Switch A, configure a static route to Switch C. Enable the static route when the detected group 8 is reachable. To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
  • Page 230 Network diagram Figure 19-3 Network diagram for VLAN interface backup Configuration procedure Configure the IP addresses of all the interfaces as shown in Figure 19-3. The configuration procedure is omitted. # Enter system view. <SwitchA> system-view # Create auto detected group 10. [SwitchA] detect-group 10 # Add the IP address of 10.1.1.4 to detected group 10 to detect the reachability of the IP address, with the IP address of 192.168.1.2 as the next hop, and the detecting number set to 1.
  • Page 231: Spanning Tree Protocol Overview

    MSTP Configuration Go to these sections for information you are interested in: Overview MSTP Configuration Task List Configuring Root Bridge Configuring Leaf Nodes Performing mCheck Operation Configuring Guard Functions Configuring Digest Snooping Configuring Rapid Transition Configuring VLAN-VPN Tunnel MSTP Maintenance Configuration Enabling Trap Messages Conforming to 802.1d Standard Displaying and Maintaining MSTP MSTP Configuration Example...
  • Page 232 STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types: Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology. Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
  • Page 233 A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 4500 is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
  • Page 234 Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities.
  • Page 235 Table 20-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
  • Page 236 Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
  • Page 237 Device / Port name / BPDU of port: Device B: BP1, {1, 0, 1, BP1}; BP2, {1, 0, 1, BP2}. Device C: CP1, {2, 0, 2, CP1}; CP2, {2, 0, 2, CP2}. Comparison process and result on each device The following table shows the comparison process and result on each device. Table 20-5 Comparison process and result on each device. Device / Comparison process / BPDU of port after comparison...
  • Page 238 Device / Comparison process / BPDU of port after comparison: Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  • Page 239 Figure 20-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
  • Page 240: Rapid Spanning Tree Protocol Overview

    For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
  • Page 241 MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
  • Page 242 MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 20-4 contains multiple spanning trees known as MSTIs.
  • Page 243 A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
  • Page 244: Mstp Implementation On Switches

    STP and RSTP and use them for their respective spanning tree calculation. The 3Com switches 4500 support MSTP. After MSTP is enabled on a switch 4500, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol, you can...
  • Page 245: Mstp Configuration Task List

    In addition to the basic MSTP functions, 3Com Switch 4500 also provides the following functions for users to manage their switches: Root bridge hold, Root bridge backup, Root guard, BPDU guard, Loop guard, TC-BPDU attack guard. Protocols and Standards MSTP is documented in: IEEE 802.1D: spanning tree protocol...
  • Page 246 Task Remarks Optional Configuring the Maximum Transmitting Rate on the Current Port The default value is recommended. Configuring the Current Port as an Edge Optional Port Setting the Link Type of a Port to P2P Optional Required To prevent network topology jitter Enabling MSTP caused by other related configurations, you are recommended to enable MSTP...
  • Page 247: Configuring Root Bridge

    Configuring Root Bridge Configuring an MST Region Configuration procedure Follow these steps to configure an MST region: To do... Use the command... Remarks Enter system view — system-view Enter MST region view — stp region-configuration Required Configure the name of the MST region-name name The default MST region name of a region...
  • Page 248: Specifying The Current Switch As A Root Bridge/Secondary Root Bridge

    802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4500 support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
  • Page 249 Specify the current switch as the secondary root bridge of a spanning tree Follow these steps to specify the current switch as the secondary root bridge of a spanning tree: To do... Use the command... Remarks Enter system view — system-view stp [ instance instance-id ] root Specify the current switch as...
  • Page 250: Configuring The Bridge Priority Of The Current Switch

    Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
  • Page 251: Configuring The Mstp Operation Mode

    To do... Use the command... Remarks Required By default, a port recognizes and sends Configure how a port stp interface interface-list MSTP packets in the automatic mode. recognizes and sends compliance { auto | dot1s | That is, it determines the format of MSTP packets legacy } packets to be sent according to the...
  • Page 252: Configuring The Maximum Hop Count Of An Mst Region

    To do... Use the command... Remarks Enter system view — system-view Required Configure the MSTP operation An MSTP-enabled switch stp mode { stp | rstp | mstp } mode operates in the MSTP mode by default. Configuration example # Specify the MSTP operation mode as STP-compatible. <Sysname>...
  • Page 253: Configuring The Network Diameter Of The Switched Network

    Configuring the Network Diameter of the Switched Network In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches;...
  • Page 254 To do... Use the command... Remarks Required Configure the max age stp timer max-age The max age parameter defaults to parameter centiseconds 2,000 centiseconds (namely, 20 seconds). All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
  • Page 255 Configuring the Timeout Time Factor When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from the root bridge to its neighboring devices at the interval specified by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch as faulty if the former does not receive any BPDU from the latter in a period three times the hello time, and then initiates the spanning tree recalculation process.
  • Page 256: Configuring The Current Port As An Edge Port

    To do... Use the command... Remarks Enter system view — system-view interface interface-type Enter Ethernet port view — interface-number Required Configure the maximum The maximum transmitting rate stp transmit-limit packetnum transmitting rate of all Ethernet ports on a switch defaults to 10. As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources.
  • Page 257 To do... Use the command... Remarks interface interface-type Enter Ethernet port view — interface-number Required Configure the port as an edge By default, all the Ethernet stp edged-port enable port ports of a switch are non-edge ports. On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.
  • Page 258 Setting the Link Type of a Port to P2P in Ethernet port view Follow these steps to specify whether the link connected to a port is point-to-point link in Ethernet port view: To do... Use the command... Remarks Enter system view —...
  • Page 259: Configuring Leaf Nodes

    Use the To do... Remarks command... Optional By default, MSTP is enabled on all ports. stp interface Disable MSTP on To enable a switch to operate more flexibly, you can interface-list specified ports disable MSTP on specific ports. As MSTP-disabled disable ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
  • Page 260: Configuring A Port As An Edge Port

    Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port. Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port.
  • Page 261 Operation mode Latency Rate 802.1D-1998 IEEE 802.1t (half-/full-duplex) standard Full-duplex 20,000 Aggregated link 2 ports 10,000 1,000 Mbps Aggregated link 3 ports 6,666 Aggregated link 4 ports 5,000 Full-duplex 2,000 Aggregated link 2 ports 1,000 10 Gbps Aggregated link 3 ports Aggregated link 4 ports Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
  • Page 262: Configuring Port Priority

    Perform this configuration in system view <Sysname> system-view [Sysname] stp interface Ethernet 1/0/1 instance 1 cost 2000 Perform this configuration in Ethernet port view <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] stp instance 1 cost 2000 Configuration example (B) # Configure the path cost of Ethernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
  • Page 263: Performing Mcheck Operation

    To do... Use the command... Remarks interface interface-type Enter Ethernet port view — interface-number Required. Configure port priority for the stp [ instance instance-id ] port port priority priority The default port priority is 128. Changing port priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port.
  • Page 264: Configuring Guard Functions

    Configuration Procedure You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view: To do... Use the command... Remarks Enter system view —...
  • Page 265: Configuring Root Guard

    <Sysname> system-view [Sysname] stp bpdu-protection As Gigabit ports of a 3Com switch 4500 cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
  • Page 266 forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period. You are recommended to enable root guard on the designated ports of a root bridge. Loop guard, root guard, and edge port settings are mutually exclusive.
  • Page 267: Configuring Loop Guard

    Configuring Loop Guard A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port;...
  • Page 268 period, the switch may be busy removing the MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization. With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time.
  • Page 269: Configuring Digest Snooping

    MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com switch 4500 is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
  • Page 270 To do... Use the command... Remarks Return to system view — quit Required Enable the digest snooping stp config-digest-snooping The digest snooping feature is feature globally disabled globally by default. Display the current Available in any view display current-configuration configuration When the digest snooping feature is enabled on a port, the port state turns to the discarding state.
  • Page 271 3Com switch 4500 running MSTP, the upstream designated port fails to change its state rapidly. The rapid transition feature is developed to resolve this problem. When a 3Com switch 4500 running MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the switch 4500 operating as the downstream switch.
  • Page 272 Configuration prerequisites As shown in Figure 20-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
  • Page 273: Configuring Vlan-Vpn Tunnel

    The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, through which spanning trees can be generated across these customer networks and are independent of those of the service provider network.
  • Page 274: Mstp Maintenance Configuration

    To do... Use the command... Remarks Required Enable the VLAN-VPN vlan-vpn tunnel The VLAN-VPN tunnel function is tunnel function globally disabled by default. Make sure that you enter the Ethernet port view of the port for which you interface interface-type Enter Ethernet port view want to enable the VLAN-VPN tunnel interface-number...
  • Page 275: Displaying And Maintaining Mstp

    <Sysname> system-view [Sysname] stp instance 1 portlog # Enable log/trap output for the ports of all instances. <Sysname> system-view [Sysname] stp portlog all Enabling Trap Messages Conforming to 802.1d Standard A switch sends trap messages conforming to 802.1d standard to the network management device in the following two cases: The switch becomes the root bridge of an instance.
  • Page 276: Mstp Configuration Example

    MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 20-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
  • Page 277 # Specify Switch A as the root bridge of MSTI 1. [Sysname] stp instance 1 root primary Configure Switch B # Enter MST region view. <Sysname> system-view [Sysname] stp region-configuration # Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region. [Sysname-mst-region] region-name example [Sysname-mst-region] instance 1 vlan 10 [Sysname-mst-region] instance 3 vlan 30...
  • Page 278: Vlan-Vpn Tunnel Configuration Example

    Network requirements Switch C and Switch D are the access devices for the service provider network. The 3Com switches 4500 operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram.
  • Page 279 [Sysname] vlan-vpn tunnel # Add GigabitEthernet 1/0/1 to VLAN 10. [Sysname] vlan 10 [Sysname-Vlan10] port GigabitEthernet 1/0/1 [Sysname-Vlan10] quit # Enable the VLAN VPN function on GigabitEthernet 1/0/1. [Sysname] interface GigabitEthernet 1/0/1 [Sysname-GigabitEthernet1/0/1] port access vlan 10 [Sysname-GigabitEthernet1/0/1] vlan-vpn enable [Sysname-GigabitEthernet1/0/1] quit # Configure GigabitEthernet 1/0/2 as a trunk port.
  • Page 280: Introduction To Ip Route And Routing Table

    IP Routing Protocol Overview Go to these sections for information you are interested in: Introduction to IP Route and Routing Table Routing Protocol Overview Displaying and Maintaining a Routing Table The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 281 address and network mask, you can get the address of the network segment where the destination host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0.
  • Page 282: Routing Protocol Overview

    Routing Protocol Overview Static Routing and Dynamic Routing Static routing is easy to configure and requires less system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the network topology changes.
  • Page 283 Routing Protocols and Routing Priority Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol uniquely determines the current optimal route to the destination. For the purpose of route selection, each routing protocol (including static routes) is assigned a priority.
  • Page 284: Displaying And Maintaining A Routing Table

    Routing Information Sharing As different routing protocols use different algorithms to calculate routes, they may discover different routes. In a large network with multiple routing protocols, it is required for routing protocols to share their routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
  • Page 285: Introduction To Static Route

    Static Route Configuration When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route Static Route Configuration Displaying and Maintaining Static Routes Static Route Configuration Example Troubleshooting a Static Route The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 286: Displaying And Maintaining Static Routes

    Default Route To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, if there is a default route in the routing table, the default route will be selected to forward the packet. If there is no default route, the packet will be discarded and an ICMP Destination Unreachable or Network Unreachable packet will be returned to the source.
  • Page 287 Display the brief information of a display ip routing-table routing table Display the detailed information of a display ip routing-table verbose routing table Display the information of static display ip routing-table protocol static routes [ inactive | verbose ] Available in Delete all static routes delete static-routes all...
  • Page 288: Troubleshooting A Static Route

    # Approach 1: Configure static routes on Switch A. <SwitchA> system-view [SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2 [SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2 # Approach 2: Configure a static route on Switch A. <SwitchA>...
  • Page 289: Rip Configuration

    RIP Configuration When configuring RIP, go to these sections for information you are interested in: RIP Overview RIP Configuration Task List RIP Configuration Example Troubleshooting RIP Configuration The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
  • Page 290: Rip Configuration Task List

    Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric: Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
  • Page 291: Configuring Basic Rip Functions

    Task Remarks Enabling RIP on the interfaces attached to a specified Required network segment Configuring Basic RIP Functions Setting the RIP operating status on an interface Optional Specifying the RIP version on an interface Optional Setting the additional routing metrics of an interface Optional Configuring RIP route summarization Optional...
  • Page 292: Rip Route Control

    Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
  • Page 293: Configuring Rip Route Control

    Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
  • Page 294 Follow these steps to configure RIP route summarization: To do... Use the command... Remarks Enter system view system-view — Enter RIP view — Required Enable RIP-2 automatic summary route summarization Enabled by default Disabling the router from receiving host routes In some special cases, the router can receive a lot of host routes from the same segment, and these routes are of little help in route addressing but consume a lot of network resources.
  • Page 295 The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
  • Page 296: Rip Network Adjustment And Optimization

    RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
  • Page 297 Split horizon cannot be disabled on a point-to-point link. Configuring RIP-1 packet zero field check Follow these steps to configure RIP-1 packet zero field check: To do... Use the command... Remarks Enter system view system-view — Enter RIP view — Required Enable the check of the must be zero checkzero...
  • Page 298: Displaying And Maintaining Rip Configuration

    Configuring RIP to unicast RIP packets Follow these steps to configure RIP to unicast RIP packets: To do... Use the command... Remarks Enter system view system-view — Enter RIP view — Required Configure RIP to When RIP runs on the link that does not support peer ip-address unicast RIP packets broadcast or multicast, you must configure RIP to...
  • Page 299: Troubleshooting Rip Configuration

    Switch C Vlan-int1 110.11.2.3/24 Vlan-int4 117.102.0.1/16 Configuration procedure Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly. Configure Switch A: # Configure RIP.
  • Page 300: Ip Route Policy Overview

    IP Route Policy Configuration When configuring an IP route policy, go to these sections for information you are interested in: IP Route Policy Overview IP Route Policy Configuration Task List Displaying IP Route Policy IP Route Policy Configuration Example Troubleshooting IP Route Policy The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a...
  • Page 301 For ACL configuration, refer to the part discussing ACL. IP-prefix list IP-prefix list plays a role similar to ACL. But it is more flexible than ACL and easier to understand. When IP-prefix list is applied to filter routing information, its matching object is the destination address field in routing information.
  • Page 302: Defining A Route Policy

    if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clause.
  • Page 303 To do... Use the command... Remarks Enter system view system-view — route-policy Enter the route-policy route-policy-name { permit Required view | deny } node node-number Optional Define a rule to match the if-match { acl acl-number | IP address of routing By default, no matching is performed on ip-prefix ip-prefix-name } information...
  • Page 304: Ip-Prefix Configuration

    IP-Prefix Configuration IP-prefix plays a role similar to ACL but is more flexible and easier to understand. When IP-prefix is applied to filter routing information, its matching object is the destination address information field of routing information. Configuration Prerequisites Before configuring a filter list, prepare the following data: IP-prefix name Range of addresses to be matched...
  • Page 305: Ip Route Policy Configuration Example

    IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other.
  • Page 306 For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
  • Page 307 [SwitchC-route-policy] if-match interface Vlan-interface2 [SwitchC-route-policy] if-match ip-prefix 2 [SwitchC-route-policy] apply cost 6 [SwitchC-route-policy] quit # Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1. [SwitchC] route-policy in permit node 30 [SwitchC-route-policy] if-match interface Vlan-interface6 [SwitchC-route-policy] if-match ip-prefix 1...
  • Page 308: Troubleshooting Ip Route Policy

    Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down. <SwitchC> display ip routing-table Routing Table: public net Destination/Mask Protocol Cost Nexthop Interface 1.0.0.0/8 6.6.6.5 Vlan-interface2 3.0.0.0/8 6.6.6.5 Vlan-interface6 6.0.0.0/8 DIRECT 6.6.6.6 Vlan-interface6...
  • Page 309 Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
  • Page 310 Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
  • Page 311: Roles In Multicast

    Information Transmission in the Multicast Mode As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast and broadcast are not efficient.
  • Page 312: Common Notations In Multicast

    All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
  • Page 313: Multicast Models

    Application of multicast The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth and reduces network load. Multicast supports the following applications: Applications of multimedia and flow media, such as Web TV, Web radio, and real-time video/audio conferencing.
  • Page 314 Host registration: What receivers reside on the network? Technologies of discovering a multicast source: Which multicast source should the receivers receive information from? Multicast addressing mechanism: Where should the multicast source transport information? Multicast routing: How is information transported? IP multicast is a kind of peer-to-peer service. Based on the protocol layer sequence from bottom to top, the multicast mechanism contains addressing mechanism, host registration, multicast routing, and multicast application:...
  • Page 315 Note that: The IP addresses of a permanent multicast group remain unchanged, while the members of the group can change. There can be any number of, or even zero, members in a permanent multicast group. Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.
  • Page 316: Multicast Protocols

    Class D address range Description 224.0.0.18 Virtual Router Redundancy Protocol (VRRP) 224.0.0.19 to 224.0.0.255 Other protocols Like having reserved the private network segment 10.0.0.0/8 for unicast, IANA has also reserved the network segment 239.0.0.0/8 for multicast. These are administratively scoped addresses. With the administratively scoped addresses, you can define the range of multicast domains flexibly to isolate IP addresses between different multicast domains, so that the same multicast address can be used in...
  • Page 317 Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
  • Page 318: Multicast Packet Forwarding Mechanism

    An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include Multicast Source Discovery Protocol (MSDP). For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport.
  • Page 319: Implementation Of The Rpf Mechanism

    In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface.
  • Page 320 considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 25-7. Multicast packets travel along the SPT from the multicast source to the receivers.
  • Page 321 Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Common Multicast Configuration Table 26-1 Complete the following tasks to perform common multicast configurations: Task Remarks...
  • Page 322 To do... Use the command... Remarks interface interface-type Enter Ethernet port view — interface-number Optional Configure multicast source port Multicast source port multicast-source-deny suppression suppression is disabled by default. Configuring a Multicast MAC Address Entry In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
  • Page 323: Configuring Dropping Unknown Multicast Packets

    If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
  • Page 324 IGMP Snooping Configuration When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview Configuring IGMP Snooping Displaying and Maintaining IGMP Snooping IGMP Snooping Configuration Examples Troubleshooting IGMP Snooping In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
  • Page 325: Basic Concepts In Igmp Snooping

    Figure 27-1 Before and after IGMP Snooping is enabled on Layer 2 device Multicast packet transmission Multicast packet transmission without IGMP Snooping when IGMP Snooping runs Multicast router Multicast router Source Source Layer 2 switch Layer 2 switch Host A Host A Host C Host C...
  • Page 326: Work Mechanism Of Igmp Snooping

    member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table. Port aging timers in IGMP Snooping and related messages and actions Table 27-1 Port aging timers in IGMP Snooping and related messages and actions Message before Timer Description...
  • Page 327 A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
  • Page 328: Configuring Igmp Snooping

    Configuring IGMP Snooping Complete the following tasks to configure IGMP Snooping: Task Remarks Enabling IGMP Snooping Required Configuring the Version of IGMP Snooping Optional Configuring Timers Optional Configuring Fast Leave Processing Optional Configuring a Multicast Group Filter Optional Configuring the Maximum Number of Multicast Groups on a Port Optional Configuring IGMP Snooping Querier Optional...
  • Page 329: Configuring The Version Of Igmp Snooping

    Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
  • Page 330: Configuring Fast Leave Processing

    Follow these steps to configure timers: To do... Use the command... Remarks Enter system view system-view — Optional Configure the aging igmp-snooping By default, the aging time of the router timer of the router port router-aging-time seconds port is 105 seconds. Optional igmp-snooping Configure the general...
  • Page 331: Configuring A Multicast Group Filter

    The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
  • Page 332: Configuring The Maximum Number Of Multicast Groups On A Port

    Although a port can belong to multiple VLANs, you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all the multicast groups will be filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
  • Page 333: Configuring Igmp Snooping Querier

    Configuring IGMP Snooping Querier In an IP multicast network running IGMP, one dedicated multicast device is responsible for sending IGMP general queries, and this router or Layer 3 switch is called the IGMP querier. However, a Layer 2 multicast switch does not support IGMP, and therefore cannot send general queries by default.
  • Page 334: Suppressing Flooding Of Unknown Multicast Traffic In A Vlan

    Configuring the source address to be carried in IGMP queries Follow these steps to configure the source address to be carried in IGMP queries: To do... Use the command... Remarks Enter system view system-view — Enter VLAN view vlan vlan-id —...
  • Page 335: Configuring A Static Router Port

    To do... Use the command... Remarks Enter system view system-view — interface interface-type Enter Ethernet port view — interface-number Required Configure the current port as multicast static-group By default, no port is configured as a static member port for a group-address vlan vlan-id a static multicast group member multicast group in a VLAN...
  • Page 336: Configuring A Port As A Simulated Group Member

    In VLAN view Follow these steps to configure a static router port in VLAN view: To do... Use the command... Remarks Enter system view system-view — Enter VLAN view vlan vlan-id — Required Configure a specified port as a multicast static-router-port By default, no static router port static router port interface-type interface-number...
  • Page 337: Configuring A Vlan Tag For Query Messages

    Before configuring a simulated host, enable IGMP Snooping in VLAN view first. The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect. You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host.
  • Page 338 To do... Use the command... Remarks Create a multicast VLAN and vlan vlan-id — enter VLAN view Return to system view quit — interface Vlan-interface Enter VLAN interface view — vlan-id Required Enable IGMP igmp enable By default, the IGMP feature is disabled.
  • Page 339: Displaying And Maintaining Igmp Snooping

    To do... Use the command... Remarks Required The multicast VLAN must be Specify the VLANs to be port hybrid vlan vlan-id-list included, and the port must be allowed to pass the port { tagged | untagged } configured to forward tagged packets for the multicast VLAN.
  • Page 340 Network diagram Figure 27-3 Network diagram for IGMP Snooping configuration Configuration procedure Configure the IP address of each interface Configure an IP address and subnet mask for each interface as per Figure 27-3. The detailed configuration steps are omitted. Configure Router A # Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/0/1.
  • Page 341: Configuring Multicast Vlan

    <SwitchA> display igmp-snooping group vlan100 Total 1 IP Group(s). Total 1 MAC Group(s). Vlan(id):100. Total 1 IP Group(s). Total 1 MAC Group(s). Static Router port(s): Dynamic Router port(s): Ethernet1/0/1 IP group(s):the following ip group(s) match to one mac group. IP group address: 224.1.1.1 Static host port(s): Dynamic host port(s): Ethernet1/0/3...
  • Page 342 Device Device description Networking description Host A User 1 Host A is connected to Ethernet 1/0/1 on Switch B. Host B User 2 Host B is connected to Ethernet 1/0/2 on Switch B. In this configuration example, you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports.
  • Page 343: Troubleshooting Igmp Snooping

    [SwitchA-Ethernet1/0/10] port hybrid vlan 10 tagged [SwitchA-Ethernet1/0/10] quit # Configure the interface IP address of VLAN 10 as 168.10.2.1, and enable PIM-DM and IGMP. [SwitchA] interface Vlan-interface 10 [SwitchA-Vlan-interface10] ip address 168.10.2.1 255.255.255.0 [SwitchA-Vlan-interface10] igmp enable [SwitchA-Vlan-interface10] pim dm Configure Switch B: # Enable the IGMP Snooping feature on Switch B.
  • Page 344 IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time.
  • Page 345: Architecture Of 802.1X Authentication

    System Encapsulation of EAPoL Messages 802.1x Authentication Procedure Timers Used in 802.1x 802.1x Implementation on a 3Com 4500 Series Switch Architecture of 802.1x Authentication As shown in Figure 28-1, 802.1x adopts a client/server architecture with three entities: a supplicant system, an authenticator system, and an authentication server system.
  • Page 346 The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as a 3Com series switch). It provides the port (physical or logical) for the supplicant system to access the LAN. The authentication server system is an entity that provides authentication service to the authenticator system.
  • Page 347: Encapsulation Of Eapol Messages

    By default, a controlled port is a unidirectional port. The way a port is controlled A port of a 3Com series switch can be controlled in the following two ways. Port-based authentication. When a port is controlled in this way, all the suppli...
  • Page 348 Figure 28-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
  • Page 349 Figure 28-7 The format of a Message-authenticator field 802.1x Authentication Procedure A 3Com Switch 4500 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode. 28-5...
  • Page 350 EAP relay mode This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher level protocol (such as EAPoR) packets to enable them to successfully reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly-added fields: the EAP-message field (with a value of 79) and the Message-authenticator field (with a value of 80).
  • Page 351 detailed procedure is as follows: A supplicant system launches an 802.1x client to initiate an access request by sending an EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication process. Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet to ask the 802.1x client for the user name.
  • Page 352: Timers Used In 802.1X

    Figure 28-9 802.1x authentication procedure (in EAP terminating mode) The authentication procedure in EAP terminating mode is the same as that in the EAP relay mode except that the randomly-generated key in the EAP terminating mode is generated by the switch, and that it is the switch that sends the user name, the randomly-generated key, and the supplicant system-encrypted password to the RADIUS server for further authentication.
  • Page 353: X Implementation On A 3Com 4500 Series Switch

    802.1x Implementation on a 3Com 4500 Series Switch In addition to the earlier mentioned 802.1x features, a 3Com 4500 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
  • Page 354 In response to any of the three cases, a switch can optionally take the following measures: Only disconnects the supplicant system but sends no Trap packets. Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
  • Page 355 The switch sends authentication triggering request (EAP-Request/Identity) packets to all the 802.1x-enabled ports. After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch will then add these ports to the guest VLAN. Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
  • Page 356: Introduction To 802.1X Configuration

    The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
  • Page 357: Basic 802.1X Configuration

    Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
  • Page 358: Timer And Maximum User Number Configuration

    To do… Use the command… Remarks Optional Enable online user dot1x handshake enable By default, online user handshaking handshaking is enabled. interface interface-type — Enter Ethernet port view interface-number Optional Enable the handshake dot1x handshake secure By default, the handshake packet packet protection function protection function is disabled.
  • Page 359: Advanced 802.1X Configuration

    To do… Use the command... Remarks Optional By default, the maximum retry times to send a request packet is Set the maximum retry times dot1x retry max-retry-value 2. That is, the authenticator to send request packets system sends a request packet to a supplicant system for up to two times by default.
  • Page 360: Configuring Proxy Checking

    Configuring Proxy Checking Follow these steps to configure proxy checking: To do... Use the command... Remarks Enter system view system-view — Required Enable proxy checking function dot1x supp-proxy-check By default, the 802.1x proxy globally { logoff | trap } checking function is globally disabled.
  • Page 361: Enabling Dhcp-Triggered Authentication

    To do... Use the command... Remarks Optional Set the client version dot1x timer ver-period By default, the timer is set to 30 checking period timer ver-period-value seconds. As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports.
  • Page 362: Configuring 802.1X Re-Authentication

    The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
  • Page 363: Displaying And Maintaining 802.1X Configuration

    During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
  • Page 364 a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
  • Page 365 [Sysname-radius-radius1] secondary authentication 10.11.1.2 [Sysname-radius-radius1] secondary accounting 10.11.1.1 # Set the password for the switch and the authentication RADIUS servers to exchange messages. [Sysname-radius-radius1] key authentication name # Set the password for the switch and the accounting RADIUS servers to exchange messages. [Sysname-radius-radius1] key accounting money # Set the interval and the number of the retries for the switch to send packets to the RADIUS servers.
  • Page 366: Quick Ead Deployment Configuration

    In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the 3Com 4500 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployme...
  • Page 367: Configuring Quick Ead Deployment

    Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the access mode to auto for 802.1x-enabled ports. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
  • Page 368: Displaying And Maintaining Quick Ead Deployment

    large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
  • Page 369 Network diagram Figure 29-1 Network diagram for quick EAD deployment Configuration procedure Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user’s PC is configured as the IP address of the connected VLAN interface on the switch.
  • Page 370: Troubleshooting

    Troubleshooting Symptom: A user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar. Solution: If a user enters an IP address in a format other than the dotted decimal notation, the user may not be redirected.
  • Page 371: Habp Configuration

    HABP Configuration When configuring HABP, go to these sections for information you are interested in: Introduction to HABP HABP Server Configuration HABP Client Configuration Displaying and Maintaining HABP Configuration Introduction to HABP When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
  • Page 372: Habp Client Configuration

    To do... Use the command... Remarks Required By default, a switch operates as an HABP client after you Configure the current switch enable HABP on the switch. If habp server vlan vlan-id to be an HABP server you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
  • Page 373: System Guard Configuration

    System Guard Configuration The CPU protection function is added. See CPU Protection Configuring CPU Protection. When configuring System Guard, go to these sections for information you are interested in: System Guard Overview Configuring System Guard Displaying and Maintaining System Guard Configuration System Guard Overview Guar...
  • Page 374: Configuring System Guard

    Configuring System Guard Configuring System Guard Against IP Attacks Configuration of System Guard against IP attacks includes these tasks: Enabling System Guard against IP attacks Setting the maximum number of infected hosts that can be concurrently monitored Configuring parameters related to MAC address learning Follow these steps to configure System Guard against IP attacks: To do...
  • Page 375: Enabling Layer 3 Error Control

    To do... Use the command... Remarks Optional Set the threshold of TCN/TC system-guard tcn packet receiving rate rate-threshold rate-threshold 1 pps by default As the system monitoring cycle is 10 seconds, the system sends trap and log information if more than 10 TCN/TC packets are received within 10 seconds by default.
  • Page 376: Displaying And Maintaining System Guard Configuration

    Displaying and Maintaining System Guard Configuration To do... Use the command... Remarks Display the monitoring result and parameter settings of display system-guard ip System Guard against IP state attacks Display the information about display system-guard Available in any view IP packets received by the CPU ip-record Display the status of Layer 3 display system-guard l3err...
  • Page 377: Aaa Overview

    Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, a 3Com switch) acts as the client to communicate with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
  • Page 378: Introduction To Radius

    Accounting AAA supports the following accounting methods: None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server. Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
  • Page 379 Clients: This database stores information about RADIUS clients (such as shared key). Dictionary: The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol. Figure 32-1 Databases in a RADIUS server In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.
  • Page 380 RADIUS client an authentication response (Access-Accept), which contains the user’s authorization information. If the authentication fails, the server returns an Access-Reject response. The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server.
  • Page 381 Code Message type Message description Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the Accounting-Request accounting is determined by the Acct-Status-Type attribute in the message).
  • Page 382: Introduction To Hwtacacs

    Type field value Attribute type Type field value Attribute type Filter-ID Proxy-State Framed-MTU Login-LAT-Service Framed-Compression Login-LAT-Node Login-IP-Host Login-LAT-Group Login-Service Framed-AppleTalk-Link Login-TCP-Port Framed-AppleTalk-Network (unassigned) Framed-AppleTalk-Zone Reply-Message 40-59 (reserved for accounting) Callback-Number CHAP-Challenge Callback-ID NAS-Port-Type (unassigned) Port-Limit Framed-Route Login-LAT-Port The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
  • Page 383 Table 32-3 Differences between HWTACACS and RADIUS
    HWTACACS: Adopts TCP, providing more reliable network transmission. RADIUS: Adopts UDP.
    HWTACACS: Encrypts the entire message except the HWTACACS header. RADIUS: Encrypts only the password field in the authentication message.
    HWTACACS: Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. RADIUS: Combines authentication and authorization.
  • Page 384 Figure 32-6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
  • Page 385 After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
  • Page 386: Aaa Configuration Task List

    AAA Configuration Configuration Task List You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task...
  • Page 387: Creating An Isp Domain And Configuring Its Attributes

    Task Remarks Creating an ISP Domain and Configuring Its Required Attributes Configuring separate AAA schemes Required Required With separate AAA schemes, you can specify authentication, authorization and accounting Configuring an AAA Scheme for an ISP schemes respectively. Domain configuration You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
  • Page 388: Configuring An Aaa Scheme For An Isp Domain

    To do… Use the command… Remarks Optional messenger time { enable limit Set the messenger function By default, the messenger interval | disable } function is disabled. Optional Set the self-service server self-service-url { disable | By default, the self-service location function enable url-string } server location function is...
  • Page 389 To do… Use the command… Remarks Create an ISP domain and enter its view, or enter the view domain isp-name Required of an existing ISP domain Required scheme { local | none | radius-scheme Configure an AAA scheme for radius-scheme-name [ local ] | By default, an ISP the ISP domain hwtacacs-scheme...
  • Page 390 Follow these steps to configure separate AAA schemes: To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and enter its view, or enter the view domain isp-name Required of an existing ISP domain authentication Optional { radius-scheme Configure an authentication...
  • Page 391: Configuring Dynamic Vlan Assignment

    accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting. If you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system uses the secondary local scheme for authentication, it also does so for authorization and accounting;...
  • Page 392 For a VLAN ID with suffix t or T, the authentication port sends the frames of the VLAN tagged. For the first VLAN ID with suffix u or U, or with no suffix in the VLAN list, the authentication port sends the frames of the VLAN untagged and configures the VLAN as its default VLAN;...
  • Page 393: Configuring The Attributes Of A Local User

    To do… Use the command… Remarks Enter system view system-view — Create an ISP domain and domain isp-name — enter its view Optional Set the VLAN assignment vlan-assignment-mode By default, the VLAN assignment mode { integer | string | vlan-list } mode is integer.
  • Page 394 To do… Use the command… Remarks Optional By default, the password local-user display mode of all access Set the password display mode password-display-mode users is auto, indicating the of all local users { cipher-force | auto } passwords of access users are displayed in the modes set by the password command.
  • Page 395: Cutting Down User Connections Forcibly

    RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
  • Page 396 Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication/Authorization Servers Required Configuring Ignorance of Assigned RADIUS Authorization Optional Attributes Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Optional Transmission Attempts Configuring the RADIUS client...
  • Page 397: Creating A Radius Scheme

    The RADIUS service configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme.
  • Page 398: Configuring Ignorance Of Assigned Radius Authorization Attributes

    To do… Use the command… Remarks Enter system view system-view — Required Create a RADIUS scheme and radius scheme By default, a RADIUS scheme enter its view radius-scheme-name named "system" has already been created in the system. Required Set the IP address and port By default, the IP address and number of the primary RADIUS primary authentication...
  • Page 399: Configuring Radius Accounting Servers

    Figure 33-1 Network diagram for the RADIUS authorization attribute ignoring function Follow these steps to configure the RADIUS authorization attribute ignoring function: To do… Use the command… Remarks Enter system view system-view — Required Create a RADIUS scheme and radius scheme By default, a RADIUS scheme enter its view radius-scheme-name...
  • Page 400: Configuring Shared Keys For Radius Messages

    To do… Use the command… Remarks Required Set the IP address and By default, the IP address and UDP port port number of the primary accounting number of the primary accounting server primary RADIUS ip-address [ port-number ] are 0.0.0.0 and 1813 for a newly created accounting server RADIUS scheme.
  • Page 401: Configuring The Maximum Number Of Radius Request Transmission Attempts

    received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. Follow these steps to configure shared keys for RADIUS messages: To do…...
  • Page 402: Configuring The Status Of Radius Servers

    To do… Use the command… Remarks Enter system view system-view — Required Create a RADIUS scheme and radius scheme By default, a RADIUS scheme enter its view radius-scheme-name named "system" has already been created in the system. Configure the type of RADIUS server-type { extended | Optional servers to be supported...
  • Page 403: Configuring The Attributes Of Data To Be Sent To Radius Servers

    To do… Use the command… Remarks Set the status of the secondary state secondary RADIUS authentication { block | authentication/authorization active } server Set the status of the secondary state secondary accounting RADIUS accounting server { block | active } Configuring the Attributes of Data to be Sent to RADIUS Servers Follow these steps to configure the attributes of data to be sent to RADIUS servers: To do…...
  • Page 404: Configuring The Local Radius Server

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
  • Page 405: Configuring Timers For Radius Servers

    adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical to the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
  • Page 406: Enabling Sending Trap Message When A Radius Server Goes Down

    To do… Use the command… Remarks Optional Set the response timeout time timer response-timeout By default, the response of RADIUS servers seconds timeout time of RADIUS servers is three seconds. Optional Set the time that the switch waits before it tries to By default, the switch waits five re-communicate with primary timer quiet minutes...
  • Page 407 online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
  • Page 408: Hwtacacs Configuration Task List

    HWTACACS Configuration Task List Complete the following tasks to configure HWTACACS: Task Remarks Creating a HWTACACS Scheme Required Configuring TACACS Authentication Servers Required Configuring TACACS Authorization Servers Required Configuring the Configuring TACACS Accounting Servers Optional TACACS client Configuring Shared Keys for RADIUS Messages Optional Configuring the Attributes of Data to be Sent to TACACS Optional...
  • Page 409: Configuring Tacacs Authorization Servers

    To do… Use the command… Remarks Required Set the IP address and port By default, the IP address of primary authentication number of the primary the primary authentication ip-address [ port ] TACACS authentication server server is 0.0.0.0, and the port number is 0.
  • Page 410: Configuring Tacacs Accounting Servers

    You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
  • Page 411: Configuring The Attributes Of Data To Be Sent To Tacacs Servers

    The TACACS client and server adopt the MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
  • Page 412: Configuring The Timers Regarding Tacacs Servers

    Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name. If the TACACS server does not accept usernames that carry ISP domain names, the domain names must be removed from the usernames before they are sent to the TACACS server.
  • Page 413: Displaying And Maintaining Aaa Configuration

    Displaying and Maintaining AAA Configuration To do… Use the command… Remarks Display configuration information about one specific display domain [ isp-name ] or all ISP domains display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip Display information about user Available in...
  • Page 414: Displaying And Maintaining Hwtacacs Protocol Configuration

    Displaying and Maintaining HWTACACS Protocol Configuration To do… Use the command… Remarks Display the configuration or statistic information about one display hwtacacs specific or all HWTACACS [ hwtacacs-scheme-name [ statistics ] ] Available in any schemes view Display buffered display stop-accounting-buffer non-response { hwtacacs-scheme stop-accounting requests...
  • Page 415 Network diagram Figure 33-2 Remote RADIUS authentication of Telnet user Configuration procedure # Enter system view. <Sysname> system-view # Adopt AAA authentication for Telnet users. [Sysname] user-interface vty 0 4 [Sysname-ui-vty0-4] authentication-mode scheme [Sysname-ui-vty0-4] quit # Configure an ISP domain. [Sysname] domain cams [Sysname-isp-cams] access-limit enable 10 [Sysname-isp-cams] quit...
  • Page 416: Local Authentication Of Ftp/Telnet Users

    Local Authentication of FTP/Telnet Users The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text takes only Telnet users as an example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 33-3, you are required to configure the switch so that the...
  • Page 417: Hwtacacs Authentication And Authorization Of Telnet Users

    This method is similar to the remote authentication method described in Remote RADIUS Authentication of Telnet/SSH Users. However, you need to: Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users.
  • Page 418: Auto Vlan Configuration Example

    # Configure the domain name of the HWTACACS scheme to hwtac. [Sysname] domain hwtacacs [Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac Auto VLAN Configuration Example Network requirements As shown in Figure 33-5, use 802.1X authentication on Ethernet 1/0/1 and Ethernet 1/0/2 to authenticate users. After a user passes the authentication on a port, the RADIUS server issues a VLAN list to the switch, which assigns the authentication port to a VLAN that the IP phone needs to access.
  • Page 419: Troubleshooting Aaa

    [Switch-radius-bbb] quit # Create authentication domain aaa, and then enter domain view. [Switch] domain aaa # Configure the VLAN assignment mode in domain aaa as VLAN list. [Switch-isp-aaa] vlan-assignment-mode vlan-list # Specify the authentication scheme for the domain. [Switch-isp-aaa] radius-scheme bbb [Switch-isp-aaa] quit # Configure the authentication scheme.
  • Page 420: Troubleshooting Hwtacacs Configuration

    The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch) — Take measures to make the switch communicate with the RADIUS server normally. Symptom 2: RADIUS packets cannot be sent to the RADIUS server. Possible reasons and solutions: The communication links (physical/link layer) between the switch and the RADIUS server are disconnected/blocked —...
  • Page 421: Ead Configuration

    EAD Configuration Introduction to EAD Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of the switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
  • Page 422: Ead Configuration Example

    Configuring a RADIUS scheme. Configuring the IP address of the security policy server. Associating the ISP domain with the RADIUS scheme. EAD is commonly used in a RADIUS authentication environment. This section mainly describes the configuration of the security policy server IP address. For other related configuration, refer to AAA Overview. Follow these step...
  • Page 423 Network diagram Figure 34-2 EAD configuration Configuration procedure # Configure 802.1x on the switch. Refer to “Configuring 802.1x” in 802.1x and System Guard Configuration. # Configure a domain. <Sysname> system-view [Sysname] domain system [Sysname-isp-system] quit # Configure a RADIUS scheme. [Sysname] radius scheme cams [Sysname-radius-cams] primary authentication 10.110.91.164 1812 [Sysname-radius-cams] accounting optional...
  • Page 424: Mac Address Authentication Configuration

    MAC Address Authentication Configuration When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview Related Concepts Configuring Basic MAC Address Authentication Functions MAC Address Authentication Enhanced Function Configuration Displaying and Maintaining MAC Address Authentication Configuration MAC Address Authentication Configuration Examples MAC Address Authentication Overview MAC address authentication provides a way for authenticating users based on ports and MAC...
  • Page 425: Quiet Mac Address

    In MAC address mode, the local user name to be configured is the MAC address of an access user, while the password may be the MAC address of the user or the fixed password configured (which is used depends on your configuration). Hyphens must or must not be included depending on the format configured with...
  • Page 426 To do... Use the command... Remarks specified port(s) or Disabled by default interface interface-type the current port interface-number In interface view mac-authentication quit Optional Set the user name in mac-authentication authmode By default, the MAC MAC address mode usernameasmacaddress [ usernameformat address o...
  • Page 427: Mac Address Authentication Enhanced Function Configuration

    MAC Address Authentication Enhanced Function Configuration MAC Address Authentication Enhanced Function Configuration Task List Complete the following tasks to configure MAC address authentication enhanced function: Task Remarks Configuring a Guest VLAN Optional Configuring the Maximum Number of MAC Address Authentication Users Optional Allowed to Access a Port...
  • Page 428 After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN,...
  • Page 429 If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port.
  • Page 430: Mac Address Authentication Configuration Examples

    If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
  • Page 431 # Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords. [Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase # Add a local user. Specify the user name and password. [Sysname] local-user 00-0d-88-f6-44-c1 [Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1 Set the service type to lan-access.
  • Page 432: Arp Configuration

    ARP Configuration When configuring ARP, go to these sections for information you are interested in: Introduction to ARP Configuring ARP Configuring Gratuitous ARP Displaying and Debugging ARP ARP Configuration Examples Introduction to ARP Function Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
  • Page 433 Figure 36-1 ARP message format (fields: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender...)
  • Page 434: Arp Table

    Value Description Chaos IEEE802.X ARC network ARP Table In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
  • Page 435: Introduction To Gratuitous Arp

    mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
  • Page 436: Configuring Gratuitous Arp

    To do… Use the command… Remarks Enable the ARP entry checking function (that is, disable the Optional switch from learning ARP arp check enable Enabled by default. entries with multicast MAC addresses) Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically.
  • Page 437: Displaying And Debugging Arp

    Displaying and Debugging ARP To do… Use the command… Remarks Display specific ARP mapping display arp [ static | dynamic | ip-address ] table entries Display the ARP mapping display arp [ dynamic | static ] | { begin | entries related to a specified include | exclude } regular-expression string in a specified way...
  • Page 438: Arp Attack Defense Configuration

    ARP Attack Defense Configuration Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features. Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on...
  • Page 439 Figure 37-1 Network diagram for ARP man-in-the-middle attack (Switch; Host A with IP_A/MAC_A; Host C with IP_C/MAC_C; Host B with IP_B/MAC_B; invalid ARP replies) ARP attack detection To guard against the man-in-the-middle attacks launched by hackers or attackers, S4500 series Ethernet switches support the ARP attack detection function.
  • Page 440: Introduction To Arp Packet Rate Limit

    For details about DHCP Snooping and IP static binding, refer to DHCP Operation. For details about 802.1x authentication, refer to 802.1x and System Guard Operation. ARP restricted forwarding With the ARP restricted forwarding function enabled, ARP request packets coming from untrusted ports are forwarded through trusted ports only;...
  • Page 441: Configuring Arp Attack Defense

    Figure 37-2 Gateway spoofing attack To prevent gateway spoofing attacks, an S4500 series Ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter ARP packets based on the gateway’s address. To filter ARP attack packets arriving on a downstream port, you can bind the gateway’s IP address to the downstream port (directly connected to hosts) of the switch.
  • Page 442: Configuring The Maximum Number Of Dynamic Arp Entries That A Vlan Interface Can Learn

    Task Remarks: Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn (Optional; the switch serves as a gateway). Configuring ARP Source MAC Address Consistency Check (Optional; the switch serves as a gateway or an access device). ARP Packet Filtering Based on Gateway’s Address (Optional; the switch serves as an access device).
  • Page 443: Configuring Arp Attack Detection

    To do… Use the command… Remarks interface interface-type Enter Ethernet port view — interface-number Configure ARP packet filtering Required based on the gateway’s IP arp filter source ip-address Not configured by default. address Follow these steps to configure ARP packet filtering based on gateway’s IP and MAC address: To do…...
  • Page 444: Configuring The Arp Packet Rate Limit Function

    To do… Use the command… Remarks Optional After DHCP snooping is Specify the current port as a enabled, you need to configure dhcp-snooping trust trusted port the upstream port connected to the DHCP server as a trusted port. Optional By default, a port is an ARP Configure the port as an ARP untrusted port.
  • Page 445: Arp Attack Defense Configuration Example

    To do… Use the command… Remarks Required Enable the ARP packet rate By default, the ARP packet rate arp rate-limit enable limit function limit function is disabled on a port. Optional Configure the maximum ARP By default, the maximum ARP arp rate-limit rate packet rate allowed on the port packet rate allowed on a port is...
  • Page 446 Network diagram Figure 37-3 ARP attack detection and packet rate limit configuration Configuration procedure # Enable DHCP snooping on Switch A. <SwitchA> system-view [SwitchA] dhcp-snooping # Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port. [SwitchA] interface Ethernet 1/0/1 [SwitchA-Ethernet1/0/1] dhcp-snooping trust [SwitchA-Ethernet1/0/1] arp detection trust...
  • Page 447: Arp Attack Defense Configuration Example Ii

    ARP Attack Defense Configuration Example II Network Requirements As shown in Figure 37-4, Host A and Host B are connected to Gateway through an access switch (Switch). The IP and MAC addresses of Gateway are 192.168.100.1/24 and 000D-88F8-528C. To prevent gateway spoofing attacks from Host A and Host B, configure ARP packet filtering based on the gateway’s IP and MAC addresses on Switch.
  • Page 448: Arp Attack Defense Configuration Example Iii

    ARP Attack Defense Configuration Example III Network Requirements As shown in Figure 37-5, Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding: Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header.
  • Page 449 Enable ARP attack detection based on bindings of authenticated 802.1x clients on the switch to prevent ARP attacks. Network Diagram Figure 37-6 Network diagram for 802.1x based ARP attack defense Configuration Procedures # Enter system view. <Switch> system-view # Enable 802.1x authentication globally. [Switch] dot1x # Enable ARP attack detection for VLAN 1.
  • Page 450: Dhcp Overview

    DHCP Overview When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP DHCP IP Address Assignment DHCP Packet Format Protocol Specification Introduction to DHCP With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators.
  • Page 451 Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently. Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period.
  • Page 452 By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
  • Page 453 file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server. Protocol Specification Protocol sp...
  • Page 454: Dhcp Server Configuration

    DHCP Server Configuration When configuring the DHCP server, go to these sections for information you are interested in: Introduction to DHCP Server DHCP Server Configuration Task List Enabling DHCP Configuring the Global Address Pool Based DHCP Server Configuring the Interface Address Pool Based DHCP Server Configuring DHCP Server Security Functions...
  • Page 455 Types of address pool The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
  • Page 456: Dhcp Ip Address Preferences

    If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
  • Page 457: Dhcp Server Configuration Task List

    When you merge two or more XRN systems into one XRN system, a new master unit is elected, and the new XRN system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new XRN system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
  • Page 458: Configuring The Global Address Pool Based Dhcp Server

    To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled. The corresponding implementation is as follows: After DHCP is enabled with the dhcp enable command, if the DHCP server and DHCP relay agent functions are not configured, UDP ports 67 and 68 are kept disabled;...
  • Page 459: Creating A Dhcp Global Address Pool

    To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number Configure the Configure the specified Optional current interface dhcp select global interface(s) or By default, the all the quit interface operates interfaces to in global address operate in Configure multiple dhcp select global { interface...
  • Page 460 Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID. Follow these steps to configure the static IP address allocation mode: To do… Use the command… Remarks Enter system view system-view —...
  • Page 461 To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 462 In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
  • Page 463 Configuring WINS Servers for the DHCP Client For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by Windows Internet Naming Service (WINS) servers, so you need to perform WINS-related configuration for most Windows-based hosts. To implement host name-to-IP address translation for DHCP clients, you should enable the DHCP server to assign WINS server addresses when assigning IP addresses to DHCP clients.
  • Page 464: Configuring Gateways For The Dhcp Client

    Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
  • Page 465 Meanings of the sub-options for Option 184 Table 39-1 Meanings of the sub-options for Option 184 Sub-option Feature Function Note The IP address of the NCP server carried by sub-option 1 of Option When used in Option The NCP-IP sub-option 184 is intended for 184, this sub-option NCP-IP...
  • Page 466 Mechanism of using Option 184 on DHCP server The DHCP server encapsulates the information for Option 184 to carry in the response packets sent to the DHCP clients. Supposing that the DHCP clients are on the same segment as the DHCP server, the mechanism of Option 184 on the DHCP server is as follows: A DHCP client sends to the DHCP server a request packet carrying Option 55, which indicates the client requests the configuration parameters of Option 184.
  • Page 467 Configuring the TFTP Server and Bootfile Name for the DHCP Client This task is to specify the IP address and name of a TFTP server and the bootfile name in the DHCP global address pool. The DHCP clients use these parameters to contact the TFTP server, requesting the configuration file used for system initialization, which is called auto-configuration.
  • Page 468: Configuring The Interface Address Pool Based Dhcp Server

    To do… Use the command… Remarks Required option code { ascii ascii-string | hex Configure a self-defined DHCP hex-string&<1-10> | ip-address Not configured by option ip-address&<1-8> } default. Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process.
  • Page 469: Enabling The Interface Address Pool Mode On Interface(S)

    Task Remarks: Enabling the Interface Address Pool Mode on Interface(s) (Required). Configuring an Address Allocation Mode for an Interface Address Pool: Configuring the static IP address allocation mode, Configuring the dynamic IP address allocation mode (one of the two options is required, and the two options can be configured at the same time).
  • Page 470: Configuring An Address Allocation Mode For An Interface Address Pool

    To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions: UDP ports 67 and 68, which are used by DHCP, are enabled only when DHCP is enabled and are disabled when DHCP is disabled. The corresponding implementation is as follows: After a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 used by DHCP are enabled.
  • Page 471 The IP addresses statically bound in interface address pools and the interface IP addresses must be in the same network segment. There is no limit to the number of IP addresses statically bound in an interface address pool.
  • Page 472 The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. Use the dhcp server forbidden-ip command to configure the IP addresses that are not assigned dynamically in global address pools and interface address pools.
  • Page 473 To do… Use the command… Remarks Enter system view system-view — interface interface-type interface-number Configure the current dhcp server dns-list ip-address&<1-8> Required Configure interface DNS server By default, no quit addresses DNS server for DHCP Configure address is dhcp server dns-list ip-address&<1-8> clients multiple configured.
  • Page 474 To do… Use the command… Remarks configured. Configure dhcp server nbns-list ip-address&<1-8> multiple { interface interface-type interface-number [ to interfaces in interface-type interface-number ] | all } system view interface interface-type interface-number Configure the dhcp server netbios-type { b-node | h-node | current m-node | p-node } Required...
  • Page 475 Follow these steps to configure Option 184 parameters for the client with voice service: To do… Use the command… Remarks Enter system view system-view — interface interface-type Enter interface view — interface-number Required Specify the primary dhcp server voice-config ncp-ip network calling Not specified by ip-address...
  • Page 476 Follow these steps to configure the TFTP server and bootfile name for the DHCP client: To do… Use the command… Remarks Enter system view system-view — interface interface-type — Enter interface view Specify the interface-number IP address Specify the TFTP dhcp server tftp-server ip-address and name of server...
  • Page 477: Configuring Dhcp Server Security Functions

    Be cautious when configuring self-defined DHCP options because such configuration may affect the DHCP operation process. Configuring DHCP Server Security Functions DHCP security configuration is needed to ensure the security of DHCP service. Prerequisites Before configuring DHCP security, you should first complete the DHCP server configuration (either global address pool-based or interface address pool-based DHCP server configuration).
  • Page 478: Configuring Dhcp Accounting Functions

    server will assign the IP address to the requesting client (The DHCP client probes the IP address by sending gratuitous ARP packets). Follow these steps to configure IP address detecting: To do… Use the command… Remarks Enter system view system-view —...
  • Page 479: Displaying And Maintaining The Dhcp Server

    DHCP Accounting Configuration Prerequisites Before configuring DHCP accounting, make sure that: The DHCP server is configured and operates properly. Address pools and lease time are configured. DHCP clients are configured and DHCP service is enabled. The network operates properly. Configuring DHCP Accounting Follow these steps to configure DHCP accounting: To do…...
  • Page 480: Dhcp Server Configuration Examples

    To do… Use the command… Remarks. Display lease expiration information: display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all }. Display the free IP addresses: display dhcp server free-ip. Display information about IP addresses in use: display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type...
  • Page 481 In the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2, gateway 10.1.1.126, and WINS server 10.1.1.4. In the address pool 10.1.1.128/25, the address lease duration is five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2, and gateway address 10.1.1.254, and there is no WINS server address.
  • Page 482: Dhcp Server With Option 184 Support Configuration Example

    DHCP Server with Option 184 Support Configuration Example Network requirements A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. A switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool.
  • Page 483: Dhcp Accounting Configuration Example

    Figure 39-2 Network diagram for Option 184 support configuration Configuration procedure Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of Option 184. (Configuration process omitted) Configure the DHCP server.
  • Page 484 Ethernet 1/0/1 belongs to VLAN 2; Ethernet 1/0/2 belongs to VLAN 3. The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0.
  • Page 485: Troubleshooting A Dhcp Server

    [Sysname-radius-123] primary accounting 10.1.2.2 [Sysname] domain 123 [Sysname-isp-123] scheme radius-scheme 123 [Sysname-isp-123] quit # Create an address pool on the DHCP server. [Sysname] dhcp server ip-pool test [Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0 # Enable DHCP accounting. [Sysname-dhcp-pool-test] accounting domain 123 Troubleshooting a DHCP Server Symptom The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of...
  • Page 486: Dhcp Relay Agent Configuration

    DHCP Relay Agent Configuration When configuring the DHCP relay agent, go to these sections for information you are interested in: Introduction to DHCP Relay Agent; Configuring the DHCP Relay Agent; Displaying and Maintaining DHCP Relay Agent Configuration; DHCP Relay Agent Configuration Example; Troubleshooting DHCP Relay Agent Configuration. Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
  • Page 487 Figure 40-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
  • Page 488 Figure 40-2 Padding contents for sub-option 1 of Option 82 Figure 40-3 Padding contents for sub-option 2 of Option 82 Mechanism of Option 82 supported on DHCP relay agent The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
  • Page 489: Dhcp Relay Agent Configuration Task List

    the XID (Transaction ID, a random value selected by the client to uniquely identify an address allocation process) in the message, and then forward the message to the DHCP server. After receiving the message, the DHCP server returns a DHCP-ACK message to the client: If the DHCP-ACK message is unicast, the DHCP relay agent directly forwards the message to the client without replacing the XID in the message.
  • Page 490: Correlating A Dhcp Server Group With A Relay Agent Interface

    Follow these steps to enable DHCP: To do… Use the command… Remarks. Enter system view: system-view. Enable DHCP (Required): dhcp enable. Enabled by default. Correlating a DHCP Server Group with a Relay Agent Interface To enhance reliability, you can set up multiple DHCP servers on the same network. These DHCP servers form a DHCP server group.
  • Page 491: Configuring Dhcp Relay Agent Security Functions

    You can configure up to eight DHCP server IP addresses in a DHCP server group. You can map multiple VLAN interfaces to one DHCP server group, but one VLAN interface can be mapped to only one DHCP server group. If you execute the dhcp-server groupNo command repeatedly, the new configuration...
  • Page 492 The address-check enable command is independent of the other commands of the DHCP relay agent. That is, the invalid address check takes effect as soon as this command is executed, regardless of whether other commands (such as the command to enable DHCP) have been used.
  • Page 493: Configuring The Dhcp Relay Agent To Support Option

    Enabling unauthorized DHCP server detection If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client. With this feature enabled, upon receiving from a client a DHCP message whose siaddr field (the IP address of the server offering an IP address to the client) is not 0, the DHCP relay agent will record...
  • Page 494: Configuring Dhcp Inform Message Handling Feature Used In Xrn System

    By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent adopts the replace strategy to process request packets that contain Option 82. However, if another strategy was configured beforehand, enabling Option 82 support on the DHCP relay agent does not change the configured strategy.
  • Page 495: Dhcp Relay Agent Configuration Example

    DHCP Relay Agent Configuration Example Network requirements VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where the DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24 and the IP address of VLAN-interface 2 is 10.1.1.2/24, which communicates with the DHCP server 10.1.1.1/24.
  • Page 496 Analysis This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the debugging information and the interface state (you can display the information by executing the corresponding display command). Solution Check if DHCP is enabled on the DHCP server and the DHCP...
  • Page 497: Dhcp Snooping Configuration

    DHCP Snooping Configuration When configuring DHCP snooping, go to these sections for information you are interested in: DHCP Snooping Overview; Configuring DHCP Snooping; Displaying and Maintaining DHCP Snooping Configuration; DHCP Snooping Configuration Examples. DHCP Snooping Overview Introduction to DHCP Snooping For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the corresponding relationship between the IP addresses the DHCP clients...
  • Page 498: Introduction To Dhcp-Snooping Option

    Figure 41-1 Typical network diagram for DHCP snooping application (DHCP server, Switch A running DHCP snooping with DHCP clients on Eth1/0/1 and Eth1/0/2, Switch B as DHCP relay, further DHCP clients, Internet). DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients: DHCP-REQUEST packet, DHCP-ACK packet...
  • Page 499 Figure 41-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format.
  • Page 500: Introduction To Ip Filtering

    When receiving a DHCP client’s request without Option 82, the DHCP snooping device will add the option field with the configured sub-option and then forward the packet. For details, see Table 41-2. Table 41-2 Ways of handling a DHCP packet without Option 82 Sub-option configuration The DHCP-Snooping device will …...
  • Page 501 client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering of the DHCP-snooping table, and thus it cannot access external networks. To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between IP address, MAC address, and the port connecting to the client, so that...
  • Page 502: Configuring Dhcp Snooping To Support Option

    If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP...
  • Page 503 Configuring a handling policy for DHCP packets with Option 82 Follow these steps to configure a handling policy for DHCP packets with Option 82: To do… Use the command… Remarks. Enter system view: system-view. Configure a global handling policy for requests that contain Option 82 (Optional): dhcp-snooping information...
  • Page 504 To do… Use the command… Remarks. Enter Ethernet port view: interface interface-type interface-number. Configure the circuit ID sub-option in Option 82 (Optional): dhcp-snooping information [ vlan vlan-id ] circuit-id string string. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives the DHCP request...
  • Page 505: Configuring Ip Filtering

    If you configure a remote ID sub-option in both system view and on a port, the remote ID sub-option configured on the port applies when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. If you have configured a remote ID with the vlan vlan-id argument specified, and another one without the argument in Ethernet port view, the former remote ID applies to the DHCP messages...
  • Page 506: Displaying And Maintaining Dhcp Snooping Configuration

    For details about 802.1x authentication, refer to 802.1x and System Guard Operation. You are not recommended to configure IP filtering on the ports of an aggregation group. Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering based on the DHCP-snooping table.
  • Page 507 DHCP Snooping Configuration Examples DHCP-Snooping Option 82 Support Configuration Example Network requirements As shown in Figure 41-6, Ethernet 1/0/5 of the switch is connected to the DHCP server, and Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 are respectively connected to Client A, Client B, and Client C. Enable DHCP snooping on the switch.
  • Page 508 [Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd IP Filtering Configuration Example Network requirements As shown in Figure 41-7, Ethernet 1/0/1 of the S4500 switch is connected to the DHCP server and Ethernet 1/0/2 is connected to Host A.
  • Page 509 [Switch-Ethernet1/0/2] quit [Switch] interface ethernet 1/0/3 [Switch-Ethernet1/0/3] ip check source ip-address mac-address [Switch-Ethernet1/0/3] quit [Switch] interface ethernet 1/0/4 [Switch-Ethernet1/0/4] ip check source ip-address mac-address [Switch-Ethernet1/0/4] quit # Create static binding entries on Ethernet 1/0/2 of the switch. [Switch] interface ethernet 1/0/2 [Switch-Ethernet1/0/2] source static...
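    What the configuration above enforces, as an added simulation (this is example code written for this page, not the switch's implementation): DHCP-REQUEST/DHCP-ACK pairs populate the binding table with the IP, MAC, and the port on which the request arrived; server replies are only accepted from trusted ports; static entries cover hosts with fixed addresses that never send DHCP; and a port with ip check source ip-address mac-address forwards only IP packets whose source IP and MAC match a binding for that port. Port names, the client MAC addresses and the sample exchange are constructed.

```python
from dataclasses import dataclass

DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 2, 3, 5     # option 53 message types


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int


class DhcpSnooping:
    """Binding table built by snooping DHCP-REQUEST / DHCP-ACK pairs,
    plus trusted ports and per-port IP source filtering."""

    def __init__(self):
        self.trusted = set()      # ports facing legitimate DHCP servers
        self.filtering = set()    # ports with ip check source ip-address mac-address
        self.pending = {}         # (client MAC, xid) -> (port, vlan) of the REQUEST
        self.bindings = {}        # client MAC -> Binding (dynamic and static)

    def trust(self, port):
        self.trusted.add(port)

    def check_source(self, port):
        self.filtering.add(port)

    def source_static(self, ip, mac, port, vlan):
        """Static entry for a host with a fixed IP that never sends DHCP."""
        self.bindings[mac] = Binding(ip, mac, port, vlan)

    def on_dhcp(self, msg_type, client_mac, xid, port, vlan, yiaddr=None):
        """Return True if the switch forwards the DHCP packet, False if it drops it."""
        if msg_type in (DHCP_OFFER, DHCP_ACK):
            if port not in self.trusted:
                return False      # server reply on an untrusted port: bogus server
            key = (client_mac, xid)
            if msg_type == DHCP_ACK and key in self.pending:
                req_port, req_vlan = self.pending.pop(key)
                self.bindings[client_mac] = Binding(yiaddr, client_mac, req_port, req_vlan)
            return True
        if msg_type == DHCP_REQUEST:
            self.pending[(client_mac, xid)] = (port, vlan)
        return True

    def permit_ip(self, port, src_ip, src_mac):
        """IP filtering: on a checking port only (IP, MAC) pairs bound to that port pass."""
        if port not in self.filtering:
            return True
        b = self.bindings.get(src_mac)
        return b is not None and b.ip == src_ip and b.port == port


def demo():
    """Constructed exchange on the example topology: server on 1/0/1,
    Host A on 1/0/2, and a checking port 1/0/3 that holds no binding."""
    sw = DhcpSnooping()
    sw.trust("Ethernet1/0/1")
    for p in ("Ethernet1/0/2", "Ethernet1/0/3"):
        sw.check_source(p)
    host_a = "000d-88f5-97ed"                       # constructed MAC
    sw.on_dhcp(DHCP_REQUEST, host_a, 0x1234, "Ethernet1/0/2", 1)
    rogue = sw.on_dhcp(DHCP_OFFER, host_a, 0x1234, "Ethernet1/0/3", 1)
    sw.on_dhcp(DHCP_ACK, host_a, 0x1234, "Ethernet1/0/1", 1, yiaddr="10.1.1.10")
    return {
        "rogue_offer_forwarded": rogue,
        "host_a_permitted": sw.permit_ip("Ethernet1/0/2", "10.1.1.10", host_a),
        "spoofed_ip_permitted": sw.permit_ip("Ethernet1/0/2", "10.1.1.11", host_a),
        "moved_port_permitted": sw.permit_ip("Ethernet1/0/3", "10.1.1.10", host_a),
        "binding": sw.bindings[host_a],
    }


if __name__ == "__main__":
    print(demo())
```

    The moved-port case is why the binding carries the port: a host that learns another client's IP and MAC still cannot use them from a different access port.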
  • Page 510: Dhcp Packet Rate Limit Configuration

    DHCP Packet Rate Limit Configuration When configuring the DHCP packet rate limit function, go to these sections for information you are interested in: Introduction to DHCP Packet Rate Limit; Configuring DHCP Packet Rate Limit; Rate Limit Configuration Example. Introduction to DHCP Packet Rate Limit To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP...
  • Page 511: Configuring Port State Auto Recovery

    To do… Use the command… Remarks. Enter port view: interface interface-type interface-number. Enable the DHCP packet rate limit function (Required): dhcp rate-limit enable. By default, DHCP packet rate limit is disabled. Configure the maximum DHCP packet rate allowed on the port (Optional): dhcp rate-limit rate. By default, the maximum rate is 15...
  • Page 512 Networking diagram Figure 42-1 Network diagram for DHCP packet rate limit configuration Configuration procedure # Enable DHCP snooping on the switch. <Switch> system-view [Switch] dhcp-snooping # Specify Ethernet 1/0/1 as the trusted port. [Switch] interface ethernet 1/0/1 [Switch-Ethernet1/0/1] dhcp-snooping trust [Switch-Ethernet1/0/1] quit # Enable auto recovery.
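    The behaviour the rate limit and port state auto recovery steps above produce, as an added simulation written for this page (not the switch's own logic): a port that receives more DHCP packets than the configured maximum within a second is shut down, which stops both a DHCP flood and a rogue server's replies on that port, and with auto recovery enabled it comes back up after an interval. The page gives only the 15 pps default; the one-second counting window, the recovery timer, the class name and the port names are assumptions.

```python
class DhcpRateLimit:
    """Per-port DHCP packet rate limit with port state auto recovery.
    A port that receives more than max_pps DHCP packets within one second
    is shut down; with auto recovery enabled it is brought up again after
    recovery_seconds. Window length and recovery timer are assumptions."""

    def __init__(self, max_pps=15, recovery_seconds=None):
        self.max_pps = max_pps
        self.recovery_seconds = recovery_seconds
        self.window = {}       # port -> (window start time, packets counted)
        self.shutdown = {}     # port -> time the port was shut down

    def is_up(self, port, now):
        down_at = self.shutdown.get(port)
        if down_at is None:
            return True
        if self.recovery_seconds is not None and now - down_at >= self.recovery_seconds:
            del self.shutdown[port]          # auto recovery brings the port up
            self.window.pop(port, None)      # and starts counting afresh
            return True
        return False

    def on_dhcp_packet(self, port, now):
        """True if the packet is accepted, False if the port is (or becomes) shut down."""
        if not self.is_up(port, now):
            return False
        start, count = self.window.get(port, (now, 0))
        if now - start >= 1.0:               # new one-second window
            start, count = now, 0
        count += 1
        self.window[port] = (start, count)
        if count > self.max_pps:
            self.shutdown[port] = now
            return False
        return True


def flood(limiter, port, times):
    """Feed a constructed burst of DHCP packets (arrival times in seconds)
    and return the accept/reject decision for each."""
    return [limiter.on_dhcp_packet(port, t) for t in times]


if __name__ == "__main__":
    lim = DhcpRateLimit(max_pps=15, recovery_seconds=30)
    # 16 packets at once, one more a second later, one after the recovery interval
    print(flood(lim, "Ethernet1/0/2", [0.0] * 16 + [1.0, 31.0]))
```

    Without auto recovery the port stays down until an administrator brings it up, which is the safer default on an access port and the more disruptive one on an uplink.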
  • Page 513: Dhcp/Bootp Client Configuration

    DHCP/BOOTP Client Configuration When configuring the DHCP/BOOTP client, go to these sections for information you are interested in: Introduction to DHCP Client; Introduction to BOOTP Client; Configuring a DHCP/BOOTP Client; Displaying DHCP/BOOTP Client Configuration. Introduction to DHCP Client After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters...
  • Page 514: Configuring A Dhcp/Bootp Client

    Configuring a DHCP/BOOTP Client Follow these steps to configure a DHCP/BOOTP client: To do… Use the command… Remarks. Enter system view: system-view. Enter VLAN interface view: interface vlan-interface vlan-id. Configure the VLAN interface to obtain an IP address through BOOTP or DHCP (Required): ip address { bootp-alloc | dhcp-alloc }. By default, no IP address is...
  • Page 515: X Configuration

    DHCP Client Configuration Example Network requirements Using DHCP, VLAN-interface 1 of Switch B is connected to the LAN to obtain an IP address from the DHCP server. Network diagram Figure 39-1 Configuration procedure The following describes only the configuration on Switch B serving as a DHCP client. # Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
  • Page 516: Acl Configuration

    ACL Configuration When configuring ACLs, go to these sections for information you are interested in: ACL Overview; ACL Configuration Task List; Displaying and Maintaining ACL Configuration; Examples for Upper-layer Software Referencing ACLs; Examples for Applying ACLs to Hardware. Overview As the network scale and network traffic are increasingly growing, security control and bandwidth assignment play a more and more important role in network management.
  • Page 517: Ways To Apply An Acl On A Switch

    auto: where rules in an ACL are matched in the order determined by the system, namely the “depth-first” rule (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature). For the depth-first rule, there are two cases: Depth-first match order for rules of a basic ACL Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
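    The difference between config and auto match order decides which rule wins when a broad permit and a host-specific deny both match, which is where most ACL surprises come from. The following Python is an added example written for this page, not the switch's matching engine: it orders basic ACL rules either by rule ID (config) or depth-first by the number of zero bits in the wildcard mask (auto), and returns the first matching action. The tie-break between rules with equal source ranges is an assumption; the page does not say how those are ordered. ACL 2000 and its rules are constructed.

```python
import ipaddress


class BasicRule:
    """One basic ACL rule: rule <id> {permit|deny} source <ip> <wildcard>.
    A wildcard of 255.255.255.255 (source any) matches everything;
    a wildcard of 0.0.0.0 matches a single host."""

    def __init__(self, rule_id, action, source="0.0.0.0", wildcard="255.255.255.255"):
        self.rule_id = rule_id
        self.action = action
        self.source = int(ipaddress.IPv4Address(source))
        self.wildcard = int(ipaddress.IPv4Address(wildcard))

    def fixed_bits(self):
        """Zero bits in the wildcard are the bits that must match; more of
        them means a smaller source range and, under auto order, a higher
        match priority."""
        return 32 - bin(self.wildcard).count("1")

    def matches(self, ip):
        ip = int(ipaddress.IPv4Address(ip))
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.source & care)


def ordered(rules, match_order):
    """config: rules in the order they were defined (rule ID).
    auto: depth-first, smallest source range first; the rule-ID tie-break
    for equal ranges is an assumption."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":
        return sorted(rules, key=lambda r: (-r.fixed_bits(), r.rule_id))
    raise ValueError("unknown match order: %r" % match_order)


def first_match(rules, match_order, ip):
    """Action of the first rule that matches, or None when no rule matches."""
    for rule in ordered(rules, match_order):
        if rule.matches(ip):
            return rule.action
    return None


# Constructed ACL: a broad permit defined before a host-specific deny,
# followed by a catch-all deny.
ACL_2000 = [
    BasicRule(0, "permit", "10.1.1.0", "0.0.0.255"),
    BasicRule(1, "deny", "10.1.1.1", "0.0.0.0"),
    BasicRule(2, "deny"),                         # source any
]

if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, first_match(ACL_2000, order, "10.1.1.1"))
```

    Under config order the host deny for 10.1.1.1 never fires because rule 0 already permitted the whole /24; under auto order the most specific rule is tried first and the host is denied.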
  • Page 518: Acl Configuration Task List

    When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and redefine the match order.
  • Page 519 Configuring Time Range Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL. A time range-based ACL takes effect only in the specified time ranges. Only after a time range is configured and the system time is within the time range can an ACL rule take effect.
  • Page 520: Configuring Basic Acl

    Configuration example # Define a periodic time range that spans from 8:00 to 18:00 on Monday through Friday. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 working-day [Sysname] display time-range test Current time is 13:27:32 Apr/16/2005 Saturday Time-range : test ( Inactive ) 08:00 to 18:00 working-day # Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.
  • Page 521: Configuring Advanced Acl

    With the config match order specified for the basic ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existent rule; otherwise the system will tell you that the rule cannot be modified. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
  • Page 522 Configuration procedure Follow these steps to define an advanced ACL rule: To do... Use the command... Remarks. Enter system view: system-view. Create an advanced ACL and enter advanced ACL view (Required): acl number acl-number [ match-order { auto | config } ]. config by default...
  • Page 523 Configuring Layer 2 ACL Layer 2 ACLs filter packets according to their Layer 2 information, such as the source and destination MAC addresses, VLAN priority, and Layer 2 protocol types. Layer 2 ACLs can be numbered from 4000 to 4999.
  • Page 524 [Sysname-acl-ethernetframe-4000] display acl 4000 Ethernet frame ACL 4000, 1 rule Acl's step is 1 rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff Configuring User-defined ACL A user-defined ACL filters packets by comparing specific bytes in packet headers with a specified string. A user-defined ACL can be numbered from 5000 to 5999.
  • Page 525 If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise, the number of the rule will be the greatest rule number plus one.
  • Page 526 When configuring IPv6 ACL rules, note that: To specify the src-port or dest-port keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as TCP or UDP, that is, 0x06 or 0x11. To specify the icmpv6-type or icmpv6-code keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as ICMPv6, that is, 0x3a.
  • Page 527: Applying Acl Rules On Ports

    You can modify any existent rule of an IPv6 ACL. If you modify only the action to be taken or the time range, the unmodified part of the rule remains the same. If you modify the contents of a user-defined string, the new string overwrites the original one.
  • Page 528 Apply ACL rules on the port (Required): packet-filter { inbound | outbound } acl-rule. For information about acl-rule, refer to ACL Commands. Configuration example # Apply ACL 2000 on Ethernet 1/0/1 to filter inbound packets. <Sysname> system-view [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000 Applying ACL Rules to Ports in a VLAN By applying ACL rules to ports...
  • Page 529: Displaying And Maintaining Acl Configuration

    Displaying and Maintaining ACL Configuration To do... Use the command... Remarks. Display a configured ACL or all the ACLs: display acl { all | acl-number }. Display a time range or all the time ranges: display time-range { all | time-name }. Available in any view. display packet-filter { interface...
  • Page 530: Example For Controlling Web Login Users By Source Ip

    Example for Controlling Web Login Users by Source IP Network requirement Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch through HTTP. Network diagram Figure 44-2 Network diagram for controlling Web login users by source IP (Internet, Switch, host 10.110.100.46)...
  • Page 531: Advanced Acl Configuration Example

    Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 everyday. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [Sysname] acl number 2000 [Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test [Sysname-acl-basic-2000] quit...
  • Page 532 Layer 2 ACL Configuration Example Network requirements PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1’s MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address of 0011-0011-0011 and the destination MAC address of 0011-0011-0012 from 8:00 to 18:00 every day. Network diagram Figure 44-5 Network diagram for Layer 2 ACL...
  • Page 533: Ipv6 Acl Configuration Example

    Network diagram Figure 44-6 Network diagram for user-defined ACL Configuration procedure # Define a periodic time range that is active from 8:00 to 18:00 every day. <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port).
  • Page 534: Example For Applying An Acl To A Vlan

    <Sysname> system-view [Sysname] time-range test 8:00 to 18:00 daily # Create an IPv6 ACL and configure a rule for the ACL, denying packets from 3001::1/64 to 3002::1/64. [Sysname] acl number 5000 [Sysname-acl-user-5000] rule deny src-ip 3001::1 64 dest-ip 3002::1 64 time-range test [Sysname-acl-user-5000] quit # Apply the ACL to port Ethernet 1/0/1.
  • Page 535: Qos Configuration

    QoS Configuration When configuring QoS, go to these sections for information you are interested in: Overview; QoS Supported By Switch 4500 Series; QoS Configuration; Displaying and Maintaining QoS; Configuration Examples. Overview Introduction to QoS Quality of Service (QoS) is a concept concerning service demand and supply.
  • Page 536: Major Traffic Control Techniques

    All these new applications have one thing in common, that is, they have special requirements for bandwidth, delay, and jitter. For instance, bandwidth, delay, and jitter are critical for videoconference and VoD. As for other applications, such as transaction processing and Telnet, although bandwidth is not as critical, a too long delay may cause unexpected results.
  • Page 537: Qos Supported By Switch 4500 Series

    QoS Supported By Switch 4500 Series The Switch 4500 series supports the QoS features listed in Table 45-1. Table 45-1 QoS features supported by Switch 4500 series QoS Feature Description Refer to … Classify incoming traffic based on ACLs.
  • Page 538 protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header. Packet payload is rarely adopted for traffic classification. The identifying rule is unlimited in range. It can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number.
  • Page 539 Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4) and a subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class; Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses;...
  • Page 540 802.1p priority 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2. Figure 45-3 An Ethernet frame with an 802.1Q tag header...
  • Page 541: Protocol Priority

    Priority trust mode After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules. For a packet carrying no 802.1q tag When a packet carrying no 802.1q tag reaches the port of a switch, the switch uses the port priority as the 802.1p precedence value of the received packet, searches for the local precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns the local precedence to the packet.
  • Page 542: Priority Marking

    Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to local precedence.
  • Page 543: Line Rate

    enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning token bucket include: Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic.
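    The token bucket described above, as an added example written for this page (not the switch's policer): tokens are added at the committed information rate (CIR, the average rate) up to the committed burst size (CBS), a packet conforms when the bucket holds at least its size in tokens, and excess packets get the exceed action. Using 'remark' as an alternative exceed action, the packet sizes and the timestamps are assumptions; the page only names drop and the CIR/CBS arguments.

```python
class TokenBucket:
    """Single token bucket as used by traffic policing and line rate:
    tokens (bytes) arrive at the committed information rate and the bucket
    holds at most the committed burst size."""

    def __init__(self, cir_kbps, cbs_bytes):
        self.rate = cir_kbps * 1000 / 8.0     # tokens (bytes) added per second
        self.capacity = cbs_bytes
        self.tokens = float(cbs_bytes)        # bucket starts full
        self.last = 0.0

    def _refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def conforms(self, now, size):
        """Consume tokens and return True if enough are available; otherwise
        the packet is excess and no tokens are taken."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(packets, cir_kbps, cbs_bytes, exceed_action="drop"):
    """packets: iterable of (timestamp_seconds, size_bytes), in time order.
    Returns one verdict per packet: 'forward' for conforming traffic and the
    exceed action ('drop', or 'remark' as an assumed alternative) for excess."""
    bucket = TokenBucket(cir_kbps, cbs_bytes)
    return ["forward" if bucket.conforms(t, size) else exceed_action
            for t, size in packets]


# Constructed burst: five 1000-byte packets at once, then one half a second later.
SAMPLE = [(0.0, 1000)] * 5 + [(0.5, 1000)]

if __name__ == "__main__":
    # 64 kbps = 8000 bytes/s; a 4000-byte bucket admits four packets of the
    # burst, drops the fifth, and has refilled by the time the sixth arrives.
    print(police(SAMPLE, cir_kbps=64, cbs_bytes=4000))
```

    The CBS is what lets a short burst through at line speed; a CBS smaller than the largest frame (the last assertion's 5000-byte packet against a 4000-byte bucket) makes that frame permanently non-conforming, which is a common misconfiguration.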
  • Page 544 The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. SP queuing Figure 45-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
  • Page 545 Figure 45-7 Diagram for WFQ queuing Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account, such as: Different queues are scheduled fairly, so the delay of each flow is balanced globally.
  • Page 546: Congestion Avoidance

    WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for...
  • Page 547 In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows. When the current queue length is smaller than the lower limit, no packet is dropped;...
  • Page 548: Configuring The Mapping Between 802.1P Priority And Local Precedence

    Configuration procedure Follow these steps to configure the switch to trust port priority: To do… Use the command… Remarks. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the switch to trust port priority and configure the port priority (Optional): priority priority-level. By default, the switch trusts...
  • Page 549: Setting The Priority Of Protocol Packets

    Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence: To do… Use the command… Remarks. Enter system view: system-view. Configure the mapping between 802.1p priority and local precedence (Required): qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec...
  • Page 550: Marking Packet Priority

    Configuration example Set the IP precedence of ICMP packets to 3. Display the configuration. Configuration procedure: <Sysname> system-view [Sysname] protocol-priority protocol-type icmp ip-precedence 3 [Sysname] display protocol-priority Protocol: icmp IP-Precedence: flash(3) Marking Packet Priority Refer to section Priority Marking for information about marking packet priority...
  • Page 551: Configuring Traffic Policing

    To do… Use the command… Remarks. Enter system view: system-view. Mark the priorities for the packets belonging to a VLAN and matching a specific ACL (Required; refer to the command manual for information): traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos...
  • Page 552 Configure traffic policing (Required): traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ]. Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument.
  • Page 553: Configuring Queue Scheduling

    Configure line rate (Required): line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ]. Specify a committed information rate (CIR) for the target-rate argument, and specify a committed burst size (CBS) for the burst-bucket-size argument. By default, line rate is disabled. Configuration example Configure line rate for outbound packets on Ethernet 1/0/1.
  • Page 554 To do… Use the command… Remarks. Enter system view: system-view. Configure queue scheduling (Required): queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr ... }. By default, the queue scheduling algorithm adopted on all the ports is WRR. The default weights of the eight...
  • Page 555 The queue scheduling algorithm specified by using the queue-scheduler command in system view takes effect on all the ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view. Otherwise, the system prompts configuration errors. If the weight (or bandwidth value) specified in system view for a queue of WRR queuing or WFQ queuing cannot meet the requirement...
  • Page 556 To do… Use the command… Remarks. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure WRED (Required): wred queue-index qstart probability. By default, WRED is not configured. Configuration example Configure WRED for queue 2 of Ethernet 1/0/1 to drop the packets in queue...
  • Page 557: Displaying And Maintaining Qos

    For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring. Configuration example Network requirements: Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Ethernet 1/0/4.
  • Page 558: Qos Configuration Examples

    Configuration Examples Configuration Example of Traffic policing and Line Rate Network requirement An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1 belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is connected to Ethernet 1/0/2 of the switch.
  • Page 559: Configuration Example Of Priority Marking And Queue Scheduling

    Configuration Example of Priority Marking and Queue Scheduling Network requirements As shown in Figure 45-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch.
  • Page 560 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3 [Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2 [Sysname-Ethernet1/0/2] quit Configure queue scheduling # Apply the SP queue scheduling algorithm. [Sysname] queue-scheduler strict-priority VLAN Mapping Configuration Example Network requirements Two customer networks are connected to the public network through Switch A and Switch B.
  • Page 561: Configuration Procedure

    Configuration procedure # Create customer VLANs VLAN 100 an d VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A. <SwitchA> system-view [SwitchA] vlan 100 [SwitchA-vlan100] quit [SwitchA] vlan 200 [SwitchA-vlan200] quit [SwitchA] vlan 500 [SwitchA-vlan500] quit [SwitchA] vlan 600 [SwitchA-vlan600] quit # Configure Ethernet 1/0/11 of Switch A as a trunk port an...
  • Page 562 # Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500.
    [SwitchA] interface Ethernet 1/0/11
    [SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500
    [SwitchA-Ethernet1/0/11] quit
    # Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600.
    [SwitchA] interface Ethernet 1/0/12
    [SwitchA-Ethernet1/0/12] traffic-remark-vlanid inbound link-group 4001 remark-vlan 600
    [SwitchA-Ethernet1/0/12] quit...
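The VLAN mapping above rewrites only the 12-bit VID of the 802.1Q tag; the frame's priority bits and everything after the tag are left alone. The following is an added example (not code from the 3Com manual or the switch firmware) that shows the same operation at the byte level on constructed frames. The mapping table mirrors the example (100 to 500, 200 to 600); frames that are untagged or carry a VID with no rule pass through unchanged, which is what the per-VLAN link-group rule does when it does not match. Single-tagged frames with TPID 0x8100 are assumed.

```python
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Customer VLAN -> service VLAN, as in the Switch A example
# (VLAN 100 -> 500 on Ethernet 1/0/11, VLAN 200 -> 600 on Ethernet 1/0/12).
VLAN_MAP = {100: 500, 200: 600}


def parse_tag(frame):
    """Return (pcp, dei, vid) of the outer 802.1Q tag, or None if untagged."""
    if len(frame) < 18:
        raise ValueError("frame too short for an Ethernet header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF


def remark_vlan(frame, vlan_map=VLAN_MAP):
    """Rewrite the VID of a tagged frame per vlan_map; PCP and DEI are kept."""
    tag = parse_tag(frame)
    if tag is None:
        return frame                 # untagged: a link-group VLAN rule cannot match
    pcp, dei, vid = tag
    new_vid = vlan_map.get(vid)
    if new_vid is None:
        return frame                 # no mapping rule for this customer VLAN
    if not 1 <= new_vid <= 4094:
        raise ValueError("service VLAN id out of range")
    new_tci = (pcp << 13) | (dei << 12) | new_vid
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


def build_frame(dst_hex, src_hex, vid=None, pcp=0, payload=bytes(46)):
    """Constructed sample frame: optional single 802.1Q tag, IPv4 ethertype."""
    frame = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


if __name__ == "__main__":
    f = build_frame("ffffffffffff", "0011223344aa", vid=100, pcp=5)
    print(parse_tag(f), "->", parse_tag(remark_vlan(f)))
```

Because the rewrite keeps the PCP field, any QoS marking the customer applied survives the mapping; if the service provider does not trust customer priorities, that is a separate remark step.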
  • Page 563: Mirroring Configuration

    Mirroring Configuration When configuring mirroring, go to these sections for information you are interested in: Mirroring Overview Mirroring Configuration Displaying and Maintaining Port Mirroring Mirroring Configuration Examples Mirroring Overview Mirroring is to duplicate packets from a port to another port connected with a data monitoring device for network monitoring and diagnosis.
  • Page 564: Remote Port Mirroring

    Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used.
  • Page 565: Port Mirroring – Stp Collaboration

    … Sends mirrored packets to the destination switch.
    Intermediate switch, trunk port: Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side.
    Destination switch, trunk port: Receives remote mirrored packets.
    Destination switch, destination port: Receives packets forwarded from the trunk port and...
  • Page 566: Configuring Local Port Mirroring

    Mirroring Configuration Complete the following tasks to configure mirroring: Task Remarks Configuring Local Port Mirroring Optional Configuring Remote Port Mirroring Optional On a Switch 4500, only one destination port for local port mirroring and only one reflector port can be configured, and the two types of ports cannot both exist.
  • Page 567: Configuring Remote Port Mirroring

    To do… / Use the command… / Remarks
    Enter port view: interface interface-type interface-number
    Configure the port as the monitor port for the mirroring group (in port view): mirroring-group group-id monitor-port. The configurations in the two views have the same effect.
    When configuring local port mirroring, note that: You need to configure the source and destination ports for the local port mirroring to take effect. The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group;...
  • Page 568 To do… / Use the command… / Remarks
    Enter system view: system-view
    Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN)
    Configure the current VLAN as the remote-probe VLAN: remote-probe vlan enable (Required)
    Return to system view: quit...
  • Page 569 Do not configure a port connecting the intermediate switch or destination switch as the mirroring source port. Otherwise, traffic disorder may occur in the network. With port mirroring – STP collaboration enabled, if you configure a port in Discarding state as a mirroring port, the port mirroring configuration does not take effect until the port transits to Forwarding state.
  • Page 570 The destination port and the remote-probe VLAN are determined. Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN. Configuration procedure Follow these steps to configure remote port mirroring on the destination switch: To do… Use the command…...
  • Page 571: Displaying And Maintaining Port Mirroring

    Displaying and Maintaining Port Mirroring
    To do… / Use the command… / Remarks
    Display port mirroring configuration on a Switch 4500: display mirroring-group { group-id | all | local | remote-destination | remote-source } (Available in any view)
    Mirroring Configuration Examples
    Local Port Mirroring Configuration Example
    Network requirements
    The departments of a company connect to each other through Switch 4500 series: Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
  • Page 572: Remote Port Mirroring Configuration Example

    [Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both
    [Sysname] mirroring-group 1 monitor-port Ethernet 1/0/3
    # Display configuration information about local mirroring group 1.
    [Sysname] display mirroring-group 1
    mirroring-group 1:
    type: local
    status: active
    mirroring port: Ethernet1/0/1 both Ethernet1/0/2 both
    monitor port: Ethernet1/0/3
    After the configurations, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.
  • Page 573 Network diagram
    Figure 46-4 Network diagram for remote port mirroring
    Configuration procedure
    Configure the source switch (Switch A)
    # Create remote source mirroring group 1.
    <Sysname> system-view
    [Sysname] mirroring-group 1 remote-source
    # Configure VLAN 10 as the remote-probe VLAN.
    [Sysname] vlan 10
    [Sysname-vlan10] remote-probe vlan enable
    [Sysname-vlan10] quit
    # Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring...
  • Page 574 # Configure VLAN 10 as the remote-probe VLAN.
    <Sysname> system-view
    [Sysname] vlan 10
    [Sysname-vlan10] remote-probe vlan enable
    [Sysname-vlan10] quit
    # Configure Ethernet 1/0/1 as the trunk port, allowing packets of VLAN 10 to pass.
    [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] port link-type trunk
    [Sysname-Ethernet1/0/1] port trunk permit vlan 10
    [Sysname-Ethernet1/0/1] quit
    # Configure Ethernet 1/0/2 as the trunk port, allowing packets of VLAN 10 to pass.
  • Page 575 Example Introduction to XRN Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 series switches, is a new technology for building the core of a network. This feature allows you to build an XRN fabric by...
  • Page 576: Establishment Of An Xrn Fabric

    Figure 47-1 XRN networking Establishment of an XRN Fabric Topology and connections of an XRN fabric An XRN fabric typically has a daisy chain topology structure. As shown in Figure 47-2, each switch has two ports connected with two other switches in the fabric, but the switches at both ends of the daisy chain have only one port connected.
  • Page 577 Figure 47-3 Port connection mode for Switch 4500 series daisy chain topology XRN fabric (figure; front-panel artwork not reproduced)
  • Page 578 The number of the existing devices in the fabric does not reach the maximum number of devices allowed by the fabric (up to eight devices can form a fabric). The fabric name of the device and the existing devices in the fabric are the same. The software version of the device is the same as that of the existing devices in the fabric.
  • Page 579: How Xrn Works

    Status / Analysis / Solution
    auth failure: The XRN fabric authentication modes configured for the local device and that of the fabric are not the same, or the password configured does not match. Solution: Configure the XRN fabric authentication modes and the passwords for the local device and the fabric as the same.
  • Page 580: Specifying The Fabric Port Of A Switch

    Task / Remarks
    Specifying the VLAN Used to Form an XRN Fabric: Optional
    Setting a Unit ID for a Switch: Optional
    Assigning a Unit Name to a Switch: Optional
    Assigning an XRN Fabric Name to a Switch: Optional
    Setting the XRN Fabric Authentication Mode: Optional
    Specifying the Fabric Port of a Switch
    You can specify the fabric port of a switch in either system view or Ethernet interface view.
  • Page 581: Specifying The Vlan Used To Form An Xrn Fabric

    Establishing an XRN system requires a high consistency of the configuration of each device. Hence, before you enable the fabric port, do not perform any configuration for the port, and do not configure some functions that affect the XRN for other ports or globally. Otherwise, you cannot enable the fabric port.
  • Page 582: Setting A Unit Id For A Switch

    Setting a Unit ID for a Switch FTM will automatically number the switches to constitute an XRN fabric by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches.
  • Page 583: Assigning A Unit Name To A Switch

    If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one. Priority is the reference for FTM program to perform automatic numbering. The value of priority can be 5 or 10.
  • Page 584: Displaying And Maintaining Xrn Fabric

    To do… / Use the command… / Remarks
    Enter system view: system-view
    Set the XRN fabric authentication mode for the switch: xrn-fabric authentication-mode { simple password | md5 key } (Optional. By default, no authentication mode is set on a switch.) Prefer md5 over simple: with simple, the password is kept in the configuration in plain text, and with no authentication mode at all any switch with the same fabric name and software version can join the fabric.
    When an XRN fabric operates normally, you can regard the whole fabric as a single device and perform configuration on it.
  • Page 585: Network Diagram

    Network Diagram
    Figure 47-4 Network diagram for forming an XRN fabric: Switch A (Unit 1), Switch B (Unit 2), Switch C (Unit 3) and Switch D (Unit 4) are chained through their GE1/0/25 and GE1/0/26 fabric ports.
    Configuration Procedure
    Configure Switch A.
    # Configure fabric ports.
    <Sysname>...
  • Page 586 # Configure the unit name as Unit 3.
    [Sysname] set unit 1 name unit3
    # Configure the fabric name as hello.
    [Sysname] sysname hello
    # Configure the fabric authentication mode as simple and the password as welcome.
    [hello] xrn-fabric authentication-mode simple welcome
    Configure Switch D.
  • Page 587: Cluster Configuration

    Cluster Configuration When configuring cluster, go to these sections for information you are interested in: Cluster Overview Cluster Configuration Task List Displaying and Maintaining Cluster Configuration Cluster Configuration Examples The cluster synchronization function is added. For the configuration, refer to Configuring the Cluster Synchronization Function Cluster Overview...
  • Page 588: Roles In A Cluster

    Figure 48-1 A cluster implementation HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: You just need to configure a public IP address for the management device instead of for all the devices in the cluster; and then you can configure and manage all the member devices through the management device without the need to log onto them one by one.
  • Page 589 Table 48-1 Description on cluster roles
    Role / Configuration / Function
    Management device: Configured with an external IP address. Provides an interface for managing all the switches in a cluster; manages member devices through command redirection, that is, forwards commands intended for specific member devices; discovers neighbors, ...
  • Page 590: How A Cluster Works

    A candidate device becomes a member device after being added to a cluster. A member device becomes a candidate device after it is removed from the cluster. A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster.
  • Page 591 packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated, otherwise only the holdtime of the entry is updated.
  • Page 592 To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
  • Page 593 Figure 48-3 State machine of the connection between the management device and a member device: the connection stays in Active state while handshake packets are received; if handshake packets are not received in three consecutive intervals, the state changes to Connect; when the state holdtime exceeds the specified value, the state changes to Disconnect; when handshake packets are received again or the management device is recovered, the state returns to Active. After a cluster is created and a candidate device is added to the cluster as a member device, both...
  • Page 594 Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved. Enabling the management device and the member devices to communicate with each other in the management VLAN.
  • Page 595: Cluster Configuration Task List

    downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. If the two MAC addresses are different, the downstream switch will query the port connected with its downstream switch based on the MAC address and VLAN ID, and then forward the packet to its downstream switch.
  • Page 596 Task / Remarks
    Enabling NDP globally and on specific ports: Required
    Configuring NDP-related parameters: Optional
    Enabling NTDP globally and on a specific port: Required
    Configuring NTDP-related parameters: Optional
    Enabling the cluster function: Required
    Configuring cluster parameters: Required
    Configuring inside-outside interaction for a cluster: Optional
    Configuring the network management interface...
  • Page 597 Configuring NDP-related parameters
    Follow these steps to configure NDP-related parameters:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Configure the holdtime of NDP information: ndp timer aging aging-in-seconds (Optional. By default, the holdtime of NDP information is 180 seconds.)
    Configure the interval to send …: ndp timer hello seconds (Optional)...
  • Page 598 To do… / Use the command… / Remarks
    Launch topology information collection manually: ntdp explore (Optional)
    Enabling the cluster function
    Follow these steps to enable the cluster function:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Enable the cluster function globally: cluster enable (Required. By default, the cluster function...
  • Page 599 Establish a cluster in automatic mode
    Follow these steps to establish a cluster in automatic mode:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Enter cluster view: cluster
    Configure the IP address range for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length } (Required)...
  • Page 600: Configuring Member Devices

    The cluster switches are properly connected; the shared servers are properly connected to the management switch.
    Configuration procedure
    Follow these steps to configure the network management interface for a cluster:
    To do… / Use the command… / Remarks
    Enter system view: system-view
    Enter cluster view: cluster...
  • Page 601 To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the Switch 4500 series Ethernet switches provide the following behaviour, so that the cluster socket is open only when it is needed: UDP port 40000 (used for cluster) is opened only when the cluster function is enabled, and is closed at the same time the cluster function is disabled. On switches that do not take part in a cluster, leave the cluster function disabled so the port is never listening.
  • Page 602: Managing A Cluster Through The Management Device

    To do… / Use the command… / Remarks
    Enter Ethernet port view: interface interface-type interface-number
    Enable NTDP on the port: ntdp enable (Required)
    Enabling the cluster function
    Follow these steps to enable the cluster function:
    To do… / Use the command… / Remarks
    Enter system view: system-view...
  • Page 603: Configuring The Enhanced Cluster Features

    To do… / Use the command… / Remarks
    Return to system view: quit
    Return to user view: quit
    Switch between management device and member device: cluster switch-to { member-number | mac-address mac-address | administrator | sysname … } (Optional. You can use this command to switch to the view of a member device and switch back.)
  • Page 604 Configuring the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature: Task Remarks Configuring cluster topology management Required function Configuring cluster device blacklist Required Configuring cluster topology management function Configuration prerequisites Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed.
  • Page 605: Configuring The Cluster Synchronization Function

    If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric. Configuring cluster device blacklist Follow these steps to configure the cluster device blacklist on a management device: To do…...
  • Page 606 NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured. A cluster is established, and you can manage the member devices through the management device. Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations: To do…...
  • Page 607 The MIB view name is mib_a, which includes all objects of the subtree org The SNMPv3 user is user_a, which belongs to the group group_a. # Create a community with the name of read_a, allowing read-only access right using this community name.
  • Page 608 snmp-agent community read read_a@cm0
    snmp-agent community write write_a@cm0
    snmp-agent sys-info version all
    snmp-agent group v3 group_a
    snmp-agent mib-view included mib_a org
    snmp-agent usm-user v3 user_a group_a
    undo snmp-agent trap enable standard
    Configuration file content on a member device (only the SNMP-related information is displayed)
    <test_2.Sysname>...
  • Page 609: Displaying And Maintaining Cluster Configuration

    Perform the above operations on the management device of the cluster. Creating a public local user is equal to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations will be saved to the configuration files of the management device and the member devices.
  • Page 610: Cluster Configuration Examples

    Cluster Configuration Examples Basic Cluster Configuration Example Network requirements Three switches compose a cluster, where: A Switch 4500 series switch serves as the management device. The rest are member devices. Serving as the management device, the Switch 4500 switch manages the two member devices. The configuration for the cluster is as follows: The two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3.
  • Page 611 [Sysname] interface Ethernet 1/0/1
    [Sysname-Ethernet1/0/1] ntdp enable
    [Sysname-Ethernet1/0/1] quit
    # Enable the cluster function.
    [Sysname] cluster enable
    Configure the management device
    # Add port Ethernet 1/0/1 to VLAN 2.
    <Sysname> system-view
    [Sysname] vlan 2
    [Sysname-vlan2] port Ethernet 1/0/1
    [Sysname-vlan2] quit
    # Configure the IP address of VLAN-interface 2 as 163.172.55.1.
  • Page 612 [Sysname] ntdp timer hop-delay 150
    # Set the delay for a member device port to forward topology collection requests to 15 ms.
    [Sysname] ntdp timer port-delay 15
    # Set the interval between collecting topology information to 3 minutes.
    [Sysname] ntdp timer 3
    # Enable the cluster function.
  • Page 613: Network Management Interface Configuration Example

    After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H | sysname member-sysname } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view.
  • Page 614: Enhanced Cluster Feature Configuration Example

    [Sysname] management-vlan 3
    # Add Ethernet 1/0/1 to VLAN 3.
    [Sysname] vlan 3
    [Sysname-vlan3] port Ethernet 1/0/1
    [Sysname-vlan3] quit
    # Set the IP address of VLAN-interface 3 to 192.168.5.30.
    [Sysname] interface Vlan-interface 3
    [Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0
    [Sysname-Vlan-interface3] quit
    # Add Ethernet 1/0/2 to VLAN 2.
  • Page 615 Network diagram
    Figure 48-6 Network diagram for the enhanced cluster feature configuration: an FTP server (192.168.0.4), the management device (192.168.0.1) and its member devices, one of which has the MAC address 0001-2034-a0e5.
    Configuration procedure
    # Enter cluster view.
    <aaa_0.Sysname> system-view
    [aaa_0.Sysname] cluster
    # Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
    [aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
    # Backup the current topology.
  • Page 616: Poe Configuration

    PoE Features Supported by Switch 4500 PoE-capable 4500 switches include: Switch 4500 PWR 26-Port Switch 4500 PWR 50-Port A PoE-capable Switch 4500 has the following features: As the PSE, it supports the IEEE 802.3af standard. It can also supply power to the PDs that do not support the 802.3af standard.
  • Page 617 It can deliver data and current simultaneously through data wires (1, 2, 3, and 6) of category-3/5 twisted pairs. Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet). Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD.
  • Page 618 Task / Remarks
    Upgrading the PSE Processing Software Online: Optional
    Upgrading the PSE Processing Software of Fabric Switches Online: Optional
    Displaying PoE Configuration: Optional
    Enabling the PoE Feature on a Port
    Follow these steps to enable the PoE feature on a port:
    To do…...
  • Page 619: Setting The Poe Mode On A Port

    auto: When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority, and then supply power to the PDs that are connected to the ports with high priority. For example: Port A has the priority of critical. When the switch PoE is close to its full load and a new PD is now added to port A, the switch will power down the PD connected to the port with the lowest priority and turn to supply power to this new PD.
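The auto mode described above is a power-budget policy: when the PSE is at full load and a PD appears on a port whose priority is higher than that of some port already being powered, the lowest-priority powered PD is shed to make room. The following is an added example, not the switch's firmware and not code from the manual, that models that policy so the preemption order can be checked before relying on it. It assumes the per-port max-power value is what the switch reserves for a PD, uses the manual's 15,400 mW per-port ceiling, and breaks ties between equal-priority ports by shedding the higher port name first (an assumption; the manual does not state a tie-break). Ports, budget and PD arrivals are constructed.

```python
from dataclasses import dataclass

# Lower rank = more important. Order taken from the manual: critical > high > low.
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}
PORT_MAX_MW = 15400          # per-port ceiling stated in the manual


@dataclass
class PoePort:
    name: str
    priority: str = "low"
    max_power: int = PORT_MAX_MW   # mW reserved for a PD on this port (assumption)
    pd_attached: bool = False
    powered: bool = False


class PoeSwitch:
    """PSE with a total budget and priority-based preemption (auto mode)."""

    def __init__(self, budget_mw):
        self.budget = budget_mw
        self.ports = {}

    def add_port(self, name, priority="low", max_power=PORT_MAX_MW):
        if priority not in PRIORITY_RANK:
            raise ValueError("unknown priority %r" % priority)
        if not 0 < max_power <= PORT_MAX_MW:
            raise ValueError("max-power must be 1..%d mW" % PORT_MAX_MW)
        self.ports[name] = PoePort(name, priority, max_power)

    def power_used(self):
        return sum(p.max_power for p in self.ports.values() if p.powered)

    def powered_ports(self):
        return sorted(n for n, p in self.ports.items() if p.powered)

    def attach_pd(self, name):
        """A PD appears on `name`. Returns True if it ends up powered."""
        port = self.ports[name]
        port.pd_attached = True
        if self.power_used() + port.max_power <= self.budget:
            port.powered = True
            return True
        # Candidates for shedding: powered ports of strictly lower priority,
        # lowest priority first; equal priority -> higher port name first.
        victims = sorted(
            (p for p in self.ports.values()
             if p.powered and PRIORITY_RANK[p.priority] > PRIORITY_RANK[port.priority]),
            key=lambda p: (PRIORITY_RANK[p.priority], p.name), reverse=True)
        shed, freed = [], 0
        for v in victims:
            if self.power_used() - freed + port.max_power <= self.budget:
                break
            shed.append(v)
            freed += v.max_power
        if self.power_used() - freed + port.max_power > self.budget:
            return False        # nothing of lower priority left to preempt
        for v in shed:
            v.powered = False
        port.powered = True
        return True

    def detach_pd(self, name):
        """PD removed: release its reservation (re-powering others is not modelled)."""
        port = self.ports[name]
        port.pd_attached = port.powered = False


if __name__ == "__main__":
    sw = PoeSwitch(budget_mw=30800)            # room for exactly two 15.4 W PDs
    for n, pr in [("e1", "low"), ("e2", "high"), ("e3", "critical")]:
        sw.add_port(n, pr)
    for n in ("e1", "e2", "e3"):
        print(n, sw.attach_pd(n), sw.powered_ports())
```

The point worth checking on a real PoE deployment is the last branch: a PD on a low-priority port never displaces anything, and a PD on a port whose priority equals the powered ones is also refused, so phones on ports left at the default priority can be starved by a single critical port.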
  • Page 620: Configuring The Pd Compatibility Detection Function

    Configuring the PD Compatibility Detection Function After the PD compatibility detection function is enabled, the switch can detect the PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
  • Page 621: Upgrading The Pse Processing Software Online

    When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C≤Y<65°C, or 140°F≤Y<149°F), the switch still keeps the PoE function disabled on all the ports. When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C<Y≤65°C, or 140°F<Y≤149°F), the switch still keeps the PoE function enabled on all the ports.
  • Page 622: Poe Configuration Example

    Follow these steps to upgrade the PSE processing software online:
    To do… / Use the command… / Remarks
    Upgrade the PSE processing software of the fabric switch online: update fabric { file-url | device-name file-url } (Optional)
    Displaying PoE Configuration
    To do… / Use the command…...
  • Page 623 Network diagram
    Figure 49-1 Network diagram for PoE
    Configuration procedure
    # Upgrade the PSE processing software online.
    <SwitchA> system-view
    [SwitchA] poe update refresh 0290_021.s19
    # Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
  • Page 624: Poe Profile Configuration

    PoE Profile Configuration When configuring PoE profile, go to these sections for information you are interested in: Introduction to PoE Profile PoE Profile Configuration Displaying PoE Profile Configuration PoE Profile Configuration Example Introduction to PoE Profile On a large-sized network or a network with mobile users, to help network administrators to monitor the PoE features of the switch, Switch 4500 provides the PoE profile features.
  • Page 625 To do… / Use the command… / Remarks
    Enable the PoE feature on a port: poe enable (Required. Disabled by default.)
    Configure PoE mode for Ethernet ports: poe mode { signal | spare } (Optional. signal by default.)
    Configure the relevant features in …: (Optional)...
  • Page 626: Displaying Poe Profile Configuration

    Displaying PoE Profile Configuration
    To do… / Use the command… / Remarks
    Display the detailed information about the PoE profiles created on the switch: display poe-profile { all-profile | interface interface-type interface-number | name profile-name } (Available in any view)
    PoE Profile Configuration Example
    PoE Profile Application Example
  • Page 627 Network diagram
    Figure 50-1 PoE profile application: Switch A powers IP phones on Eth1/0/1 through Eth1/0/5 and on Eth1/0/6 through Eth1/0/10, and connects to the network.
    Configuration procedure
    # Create Profile 1, and enter PoE profile view.
    <SwitchA> system-view
    [SwitchA] poe-profile Profile1
    # In Profile 1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 ports for users of group A.
  • Page 628 [SwitchA-poe-profile-Profile2] poe mode signal
    [SwitchA-poe-profile-Profile2] poe priority high
    [SwitchA-poe-profile-Profile2] poe max-power 15400
    [SwitchA-poe-profile-Profile2] quit
    # Display detailed configuration information for Profile2.
    [SwitchA] display poe-profile name Profile2
    Poe-profile: Profile2, 2 action
    poe enable
    poe priority high
    # Apply the configured Profile 1 to Ethernet 1/0/1 through Ethernet 1/0/5 ports.
    [SwitchA] apply poe-profile Profile1 interface Ethernet1/0/1 to Ethernet1/0/5
    # Apply the configured Profile 2 to Ethernet 1/0/6 through Ethernet 1/0/10 ports.
  • Page 629: Udp Helper Configuration

    UDP Helper Configuration When configuring UDP helper, go to these sections for information you are interested in: Introduction to UDP Helper Configuring UDP Helper Displaying and Maintaining UDP Helper UDP Helper Configuration Example Introduction to UDP Helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
  • Page 630: Configuring Udp Helper

    Protocol UDP port number TACACS (Terminal Access Controller Access Control System) TFTP (Trivial File Transfer Protocol) Time Service Configuring UDP Helper Follow these steps to configure UDP Hel per: To do… Use the command… Remarks Enter system view system-view — Required Enable UDP Helper udp-helper enable...
  • Page 631: Displaying And Maintaining Udp Helper

    Displaying and Maintaining UDP Helper
    To do… / Use the command… / Remarks
    Display the UDP broadcast relay forwarding information of a specified VLAN interface on the switch: display udp-helper server [ interface vlan-interface vlan-id ] (Available in any view)
    Clear statistics about packets forwarded by UDP Helper: reset udp-helper packet (Available in user view)...
  • Page 632: Snmp Configuration

    SNMP Configuration When configuring SNMP, go to these sections for information you are interested in: SNMP Overview Configuring Basic SNMP Functions Configuring Trap-Related Functions Enabling Logging for Network Management Displaying SNMP SNMP Configuration Example SNMP Overview The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
  • Page 633: Supported Mibs

    Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
  • Page 634 Set system information and specify to enable SNMPv3 on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } } (By default, the contact information for system maintenance is "3Com Corporation.", the system location is "...
  • Page 635: Configuring Trap-Related Functions

    To do… / Use the command… / Remarks
    Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } (Optional. This command is used if a password in cipher text is needed for adding a new user.)
    snmp-agent usm-user v3 user-name group-name...
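What calculate-password produces is an SNMPv3 USM localized key: the password is first stretched into a key Ku by hashing 1 MiB of the repeated password, then bound to one engine as Kul = H(Ku || engineID || Ku) (RFC 3414, A.2). The engine-ID choice in the command matters because a localized key lifted from one switch's configuration is useless on a device with a different engine ID. The following is an added example implementing that algorithm in Python; it is not the switch's code and no 3Com tool is involved. The test vectors (password "maplesyrup", engine ID 0x000000000000000000000002) are the ones published in RFC 3414 appendix A.3.

```python
import hashlib

ONE_MIB = 1_048_576                     # RFC 3414 A.2: hash exactly 1 MiB of input
HASHES = {"md5": "md5", "sha": "sha1"}  # the two modes the command offers


def password_to_ku(password: bytes, hash_name: str) -> bytes:
    """Stretch a USM password into the engine-independent key Ku."""
    if not password:
        raise ValueError("empty password")
    if hash_name not in HASHES.values():
        raise ValueError("hash must be md5 or sha1")
    stream = (password * (ONE_MIB // len(password) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind Ku to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("snmpEngineID must be 5..32 octets")
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def calculate_password(plain_password: str, mode: str, engine_id_hex: str) -> str:
    """Hex localized key, the value an agent stores for a usm-user in cipher text."""
    hash_name = HASHES[mode]
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_ku(plain_password.encode("utf-8"), hash_name)
    return localize_key(ku, engine_id, hash_name).hex()


if __name__ == "__main__":
    # RFC 3414 A.3.1 / A.3.2 inputs
    for mode in ("md5", "sha"):
        print(mode, calculate_password("maplesyrup", mode, "000000000000000000000002"))
```

Two practical consequences follow from the construction: the same password yields a different stored key on every engine, so a leaked configuration file compromises only that device; and because the stretching step is a fixed 1 MiB hash rather than a tunable work factor, a short password is still brute-forceable from a captured authenticated PDU, so password length carries the security.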
  • Page 636: Configuring Extended Trap Function

    To do… / Use the command… / Remarks
    Enable the switch to send traps to NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
    Enter port view or interface view: interface interface-type interface-number (Optional)...
  • Page 637: Snmp Configuration Example

    To do… / Use the command… / Remarks
    Enable logging for network management: snmp-agent log { set-operation | get-operation | all } (Optional. Disabled by default.)
    When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. Logging set operations at least gives the information center an audit record of configuration changes made through SNMP.
  • Page 638 Perform the following configuration on Switch A: setting the community name and access permission, administrator ID, contact and switch location, and enabling the switch to send traps. Thus, the NMS is able to access Switch A and receive the traps sent by Switch A. Network diagram Figure 52-2 Network diagram for SNMP configuration Network procedure...
  • Page 639 Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com’s NMS products. You can query and configure an Ethernet switch through the NMS.
  • Page 640: Rmon Configuration

    RMON Configuration When configuring RMON, go to these sections for information you are interested in: Introduction to RMON RMON Configuration Displaying RMON RMON Configuration Example Introduction to RMON Remote Monitoring (RMON) is a kind of MIB defined by Internet Engineering Task Force (IETF). It is an important enhancement made to MIB II standards.
  • Page 641: Commonly Used Rmon Groups

    statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks. Commonly Used RMON Groups Event group Event group is used to define the indexes of events and the processing methods of the events.
  • Page 642 Statistics group Statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
  • Page 643: Displaying Rmon

    The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
  • Page 644 [Sysname-Ethernet1/0/1] quit # Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm. [Sysname] rmon event 1 log [Sysname] rmon event 2 trap 10.21.30.55 # Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers of all...
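The rmon alarm and rmon prialarm entries on pages 643 and 644 raise a rising or falling event when the sampled variable crosses a threshold, but the manual does not spell out the crossing rules. The Python block below is an added example, not code from the 3Com manual or the switch firmware. It replays a constructed sample series through the RFC 2819 alarm-group rules: absolute or delta sampling, the startup-alarm choice for the first comparison, and the hysteresis that suppresses a second rising event until a falling event has fired. The samples, thresholds and the rising/falling event numbers are constructed for illustration.

```python
"""RMON alarm evaluation following the RFC 2819 alarm-group rules.

Added example; not code from the 3Com manual or switch firmware.
The samples, thresholds and event numbers below are constructed.
"""


def rmon_alarm(samples, rising, falling, sample_type="absolute",
               startup="risingOrFalling"):
    """Return [(sample_index, "rising" | "falling"), ...] for one alarm entry.

    sample_type "absolute" compares each sample as-is; "delta" compares the
    difference from the previous sample (use it for counters).  startup
    decides whether the very first comparison may raise an event.  After a
    rising event no further rising event is raised until a falling event
    has occurred, and vice versa (the RFC 2819 hysteresis rule).
    """
    if rising <= falling:
        raise ValueError("rising threshold must be above falling threshold")
    if sample_type not in ("absolute", "delta"):
        raise ValueError("sample_type must be 'absolute' or 'delta'")
    events = []
    last = None        # last event raised so far
    previous = None    # previous raw sample, needed for delta sampling
    for index, value in enumerate(samples):
        if sample_type == "delta":
            if previous is None:       # no delta exists for the first sample
                previous = value
                continue
            observed, previous = value - previous, value
        else:
            observed = value
        if observed >= rising and last != "rising":
            if last is not None or startup in ("rising", "risingOrFalling"):
                events.append((index, "rising"))
                last = "rising"
        elif observed <= falling and last != "falling":
            if last is not None or startup in ("falling", "risingOrFalling"):
                events.append((index, "falling"))
                last = "falling"
    return events


def dispatch(events, rising_event=1, falling_event=2):
    """Map alarm events to event-table entry numbers, as the rising and
    falling event numbers of an alarm entry would; returns them in order."""
    return [rising_event if kind == "rising" else falling_event
            for _, kind in events]


if __name__ == "__main__":
    # Constructed samples of a port statistic (e.g. broadcast packets per interval).
    samples = [20, 50, 60, 5, 70]
    fired = rmon_alarm(samples, rising=40, falling=10)
    print(fired)             # [(1, 'rising'), (3, 'falling'), (4, 'rising')]
    print(dispatch(fired))   # [1, 2, 1]: log, trap, log with the page 644 events
```

The second sample (60) is above the rising threshold but raises nothing, which is the point of the hysteresis rule: a flapping counter produces one trap per excursion, not one per polling interval.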
  • Page 645: Ntp Configuration

    NTP Configuration. When configuring NTP, go to these sections for information you are interested in: Introduction to NTP, NTP Configuration Task List, Configuring NTP Implementation Modes, Configuring Access Control Right, Configuring NTP Authentication, Configuring Optional NTP Parameters, Displaying NTP Configuration, Configuration Example. Introduction to NTP...
  • Page 646: Implementation Principle Of Ntp

    Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly. Supporting access control (see section Configuring Access Control Right) and keyed-MD5 authentication (see section Configuring NTP Authentication); MD5 here provides message authentication, not encryption of the packets. Sending protocol packets in unicast, multicast, or broadcast mode. The clock stratum determines the accuracy, which ranges from 1 to 16.
  • Page 647: Ntp Implementation Modes

    Figure 54-1 Implementation principle of NTP. The figure shows one exchange between Device A and Device B across the IP network: Device A sends an NTP message stamped 10:00:00 am; Device B receives it at 11:00:01 am by its own clock and sends it back at 11:00:02 am; Device A receives the reply at 10:00:03 am...
  • Page 648 Server/client mode: Figure 54-2 Server/client mode. Symmetric peer mode: Figure 54-3 Symmetric peer mode. In the symmetric peer mode, the local S4500 Ethernet switch serves as the symmetric-active peer and sends the clock synchronization request first, while the remote server automatically serves as the symmetric-passive peer.
  • Page 649 Multicast mode Figure 54-5 Multicast mode Table 54-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches. Table 54-1 NTP implementation modes on 3Com S4500 series Ethernet switches NTP implementation mode Configuration on S4500 series switches Configure the local S4500 Ethernet switch to work in the NTP client mode.
  • Page 650: Ntp Configuration Task List

    When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; perform them on the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch has been synchronized.
  • Page 651 Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time. Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
  • Page 652 Specify a symmetric-passive peer for the switch (Required): ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* By default, a switch is not configured to work in the symmetric mode.
  • Page 653 Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the switch to work in the NTP broadcast server mode (Required; not configured by default): ntp-service broadcast-server [ authentication-keyid key-id | version number ]* Configuring a switch to work in the NTP broadcast client mode. Follow these steps to configure a switch to work in the NTP broadcast client mode: To do…...
  • Page 654: Configuring Access Control Right

    Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the switch to work in the NTP multicast client mode (Required; not configured by default): ntp-service multicast-client [ ip-address ]. Configuring Access Control Right: with the following command, you can configure the NTP service access-control right to the local switch for a peer device.
  • Page 655: Configuring Ntp Authentication

    The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
  • Page 656 Configuration Procedure. Configuring NTP authentication on the client. Follow these steps to configure NTP authentication on the client: Enter system view: system-view. Enable the NTP authentication function (Required; disabled by default): ntp-service authentication enable. Configure the NTP authentication key (Required): ntp-service...
  • Page 657: Configuring Optional Ntp Parameters

    Configure the specified key as a trusted key (Required; by default, no trusted authentication key is configured): ntp-service reliable authentication-keyid key-id. Enter VLAN interface view: interface Vlan-interface vlan-id. In NTP broadcast server mode and NTP multicast server mode, configure on the NTP broadcast server: ntp-service broadcast-server...
  • Page 658: Configuring The Number Of Dynamic Sessions Allowed On The Local Switch

    If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
  • Page 659 Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]. Display brief information about the NTP servers along the path from the local device to the reference clock source: display ntp-service trace. Configuration Examples. Configuring NTP Server/Client Mode...
  • Page 660: Configuring Ntp Symmetric Peer Mode

    [DeviceB] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 1.0.1.11 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 0.66 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The above output information indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
  • Page 661 Configuration procedure Configure Device C. # Set Device A as the NTP server. <DeviceC> system-view [DeviceC] ntp-service unicast-server 3.0.1.31 Configure Device B (after the Device C is synchronized to Device A). # Enter system view. <DeviceB> system-view # Set Device C as the peer of Device B. [DeviceB] ntp-service unicast-peer 3.0.1.33 Device C and Device B are symmetric peers after the above configuration.
  • Page 662: Configuring Ntp Broadcast Mode

    Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
  • Page 663: Configuring Ntp Multicast Mode

    View the NTP status of Device D after the clock synchronization. [DeviceD] display ntp-service status Clock status: synchronized Clock stratum: 3 Reference clock ID: 3.0.1.31 Nominal frequency: 100.0000 Hz Actual frequency: 100.0000 Hz Clock precision: 2^18 Clock offset: 198.7425 ms Root delay: 27.47 ms Root dispersion: 208.39 ms Peer dispersion: 9.63 ms...
  • Page 664 Network diagram Figure 54-9 Network diagram for NTP multicast mode configuration Configuration procedure Configure Device C. # Enter system view. <DeviceC> system-view # Set Device C as a multicast server to send multicast messages through VLAN-interface 2. [DeviceC] interface Vlan-interface 2 [DeviceC-Vlan-interface2] ntp-service multicast-server Configure Device A (perform the same configuration on Device D).
  • Page 665: Configuring Ntp Server/Client Mode With Authentication

    Root dispersion: 208.39 ms Peer dispersion: 9.63 ms Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C) The output indicates that Device D is synchronized to Device C, with a clock stratum of 3, one stratum level lower than that of Device C. # View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
  • Page 666 To synchronize Device B, you need to perform the following configurations on Device A. # Enable the NTP authentication function. <DeviceA> system-view [DeviceA] ntp-service authentication enable # Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey. [DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey # Specify the key 42 as a trusted key.
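Two points from this chapter are worth seeing in working code: the offset and delay arithmetic behind Figure 54-1 (page 647), and the keyed-MD5 authentication with the trusted-key check configured on pages 655 through 666. The Python block below is an added example, not code from the 3Com manual or the switch firmware. It assumes the RFC 5905 header layout and the classic NTP MAC (a 32-bit key id followed by MD5 over key and header); the packet contents and timestamps are constructed, and key id 42 with key aNiceKey is borrowed from the configuration example above.

```python
"""NTP offset/delay arithmetic and symmetric-key (MD5) authentication.

Added example; not code from the 3Com manual or switch firmware.  Assumes
the RFC 5905 header layout and the classic NTP MAC, key-id || MD5(key ||
header).  All packets and timestamps here are constructed.
"""
import hashlib
import hmac
import struct

NTP_UNIX_DELTA = 2208988800   # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48
MAC_LEN = 4 + 16              # 32-bit key id + MD5 digest


def offset_and_delay(t1, t2, t3, t4):
    """Clock offset and round-trip delay (seconds) from the four timestamps:
    t1 client sends, t2 server receives, t3 server replies, t4 client
    receives.  This is the arithmetic behind Figure 54-1."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def build_header(transmit_unix, stratum=2, version=3, mode=4):
    """Minimal 48-byte NTP header (mode 4 = server reply)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    secs = int(transmit_unix) + NTP_UNIX_DELTA
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32))
    return struct.pack("!BBbb4s4s4sQQQII",
                       li_vn_mode, stratum, 6, -20,     # poll, precision
                       b"\0" * 4, b"\0" * 4, b"LOCL",   # root delay/disp, ref id
                       0, 0, 0,                         # ref/orig/recv timestamps
                       secs, frac)                      # transmit timestamp


def sign(header, key_id, key):
    """Append the MAC a server configured with 'ntp-service authentication-keyid
    <id> authentication-mode md5 <key>' would add."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(message, keys, trusted_ids):
    """Client-side check.  'keys' maps key id -> key bytes; 'trusted_ids'
    are the ids declared with 'ntp-service reliable authentication-keyid'.
    Returns (accepted, reason)."""
    if len(message) != HEADER_LEN + MAC_LEN:
        return False, "no MAC present"
    header = message[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", message[HEADER_LEN:HEADER_LEN + 4])
    digest = message[HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch"
    if key_id not in trusted_ids:
        return False, "key id %d is not trusted" % key_id
    return True, "ok"


if __name__ == "__main__":
    # Figure 54-1 timestamps as seconds after midnight: Device B is one hour
    # ahead of Device A and each one-way trip takes one second.
    print(offset_and_delay(36000, 39601, 39602, 36003))  # (3600.0, 2)

    keys = {42: b"aNiceKey"}                   # key 42 from the page 666 example
    reply = sign(build_header(1000000000), 42, keys[42])
    print(verify(reply, keys, trusted_ids={42}))   # (True, 'ok')
    print(verify(reply, keys, trusted_ids=set()))  # key known but not trusted
    forged = bytearray(reply)
    forged[1] ^= 1                             # tamper with the stratum byte
    print(verify(bytes(forged), keys, {42}))   # (False, 'digest mismatch')
```

The verify function mirrors the switch's two-step rule: a key that decodes correctly is still refused until it has been declared trusted, which is why both client and server examples in this chapter configure the key and then ntp-service reliable authentication-keyid. The MAC stops anyone without the key from forging time, but it does not prevent replay, and MD5 is not acceptable for new designs; it is simply what this firmware offers.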
  • Page 667: Ssh Overview

    SSH Configuration. When configuring SSH, go to these sections for information you are interested in: SSH Overview, SSH Server and Client, Displaying and Maintaining SSH Configuration, Comparison of SSH Commands with the Same Functions, SSH Configuration Examples. SSH Overview. Introduction to SSH: Secure Shell (SSH) is a protocol that provides secure remote login and other security services in...
  • Page 668: Ssh Operating Process

    The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which protect the session against eavesdropping; of these, DES has only a 56-bit key and is no longer considered secure, so prefer AES (or 3DES) wherever the client allows it. Asymmetric key algorithm: an asymmetric key algorithm is also called a public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
  • Page 669 Currently, the switch supports only SSH version 2. Version negotiation: the server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary...
  • Page 670 The client selects an authentication type from the method list to perform authentication again. The above process repeats until the authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit. SSH provides two authentication methods: password authentication and publickey authentication.
  • Page 671: Configuring The Ssh Server

    Figure 55-2 Network diagram for SSH connections. Configure the devices accordingly. This document describes two cases: the switch acts as the SSH server to cooperate with software that supports the SSH client functions; the switch acts as the SSH server to cooperate with another switch that acts as an SSH client. Complete the following tasks to configure the SSH server and clients: Server side, Client side...
  • Page 672: Configuring The User Interfaces For Ssh Clients

    Complete the following tasks to configure the SSH server. Preparation: Configuring the User Interfaces for SSH Clients (Required); Configuring the SSH Management Functions (Optional); Configuring Key Pairs (Required). Authentication: Creating an SSH User and Specifying an Authentication Type (Required). Authorization: Specifying a Service Type for an SSH... (Optional)...
  • Page 673: Configuring The Ssh Management Functions

    Specify the supported protocol(s) (Optional): protocol inbound { all | ssh }. By default, both Telnet and SSH are supported. If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface...
  • Page 674: Configuring Key Pairs

    You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User on the Server. For details of the header command, refer to the corresponding section in Login Command.
  • Page 675 Destroy the RSA key pair (Optional): public-key local destroy rsa. Creating an SSH User and Specifying an Authentication Type: this task is to create an SSH user and specify an authentication type. Specifying an authentication type for a new user is required before the user can log in.
  • Page 676 (Remarks, continued) ...are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence. Create an SSH user and specify an authentication type: ssh user username authentication-type { all | password | password-publickey | publickey }.
  • Page 677: Configuring The Public Key Of A Client On The Server

    If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring the Public Key of a Client on the Server: this configuration is not necessary if the password authentication mode is configured for SSH users.
  • Page 678: Assigning A Public Key To An Ssh User

    Enter system view: system-view. Import the public key from a public key file (Required): public-key peer keyname import sshkey filename. Assigning a Public Key to an SSH User: this configuration task is unnecessary if the SSH user’s authentication mode is password.
  • Page 679: Configuring The Ssh Client

    With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at the remote end by importing the file. If the filename argument is not specified, this command displays the host public...
  • Page 680 Task Remarks: Opening an SSH connection with publickey authentication (required for publickey authentication; unnecessary for password authentication). For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Use other versions or other clients with care. Current OpenSSH releases no longer enable by default the algorithms this firmware offers (for example ssh-rsa host key signatures and diffie-hellman-group1-sha1 key exchange), so a recent client may need them re-enabled explicitly with -o options.
  • Page 681 Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 55-4. Otherwise, the process bar stops moving and the key pair generating process is stopped. Figure 55-4 Generate the client keys (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public...
  • Page 682 Likewise, to save the private key, click Save private key. A warning window pops up asking whether you really want to save the private key without a passphrase protecting it. Click Yes and enter the name of the file for saving the private key (“private” in this case). Protecting the private key with a passphrase is strongly recommended: anyone who obtains an unprotected key file can log in as that user.
  • Page 683 Figure 55-8 SSH client configuration interface 1 In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client. Selecting a protocol for remote connection As shown in Figure...
  • Page 684 Figure 55-9 SSH client configuration interface 2. Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example Tectia, supports the DES algorithm only when SSH1 is selected; the PuTTY client supports DES algorithm negotiation under SSH2. Opening an SSH connection with password authentication: from the window shown in Figure...
  • Page 685: Configuring An Ssh Client Assumed By An Ssh2-Capable Switch

    Figure 55-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
  • Page 686 Configuring whether first-time authentication is supported. When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it will save the host public key on the client for use in subsequent authentications. The key accepted on first contact is not verified against anything, so an attacker on the path at that moment can present their own host key; compare the fingerprint out of band, or disable first-time authentication and configure the server host public key on the client before connecting.
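Pages 677 and 686 describe two client-key matters: the server must hold the client's public key in a form it can parse, and a client with first-time authentication enabled trusts whatever host key it sees on first contact. The Python block below is an added example, not code from the 3Com manual, PuTTY or OpenSSH. It parses the OpenSSH ssh-rsa public-key line format (the one-line form PuTTYgen and ssh-keygen export), derives the SHA256 fingerprint, and implements the first-time-authentication decision as a small host-key store. The keys it builds are constructed from placeholder numbers rather than real RSA moduli, and the HostKeyStore class and the address 10.165.87.136 (from the example on page 707) are illustrative.

```python
"""Parse an OpenSSH ssh-rsa public key line and apply the SSH client's
first-time-authentication rule to a host key.

Added example; not code from the 3Com manual, PuTTY or OpenSSH.  The key
material below is built from placeholder numbers and is not a real RSA key.
"""
import base64
import hashlib
import struct


def _string(buf, pos):
    """Read one SSH 'string' (uint32 length + bytes) at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack("!I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the
    top bit would otherwise be set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack("!I", len(raw)) + raw


def encode_ssh_rsa(e, n, comment="constructed"):
    """Produce the one-line 'ssh-rsa <base64> <comment>' form that ssh-keygen
    and PuTTYgen export (RFC 4253 section 6.6 key blob)."""
    blob = struct.pack("!I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_ssh_rsa(line):
    """Return (e, n) from an ssh-rsa public key line; raise ValueError on
    anything that is not a well-formed RSA key blob."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    kind, pos = _string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("blob type %r does not match ssh-rsa" % kind)
    e_bytes, pos = _string(blob, pos)
    n_bytes, pos = _string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of the key blob (base64, no padding)."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Models the client-side behaviour described on page 686: with
    first-time authentication enabled an unknown host key is saved and
    trusted; with it disabled the connection is refused until the
    administrator configures the key.  A changed key is always refused."""

    def __init__(self, first_time_authentication=True):
        self.first_time_authentication = first_time_authentication
        self.known = {}          # host -> fingerprint

    def check(self, host, pubkey_line):
        parse_ssh_rsa(pubkey_line)            # reject malformed keys early
        fp = fingerprint(pubkey_line)
        if host not in self.known:
            if not self.first_time_authentication:
                return "rejected: host key not configured"
            self.known[host] = fp
            return "accepted: first-time authentication, key saved"
        if self.known[host] != fp:
            return "rejected: host key changed"
        return "accepted"


if __name__ == "__main__":
    # Placeholder numbers, not a real RSA key: 65537 and a 1024-bit odd value.
    key_a = encode_ssh_rsa(65537, (1 << 1023) | 0x10001)
    print(parse_ssh_rsa(key_a)[0], fingerprint(key_a))
    store = HostKeyStore(first_time_authentication=True)
    print(store.check("10.165.87.136", key_a))   # accepted, key saved
    key_b = encode_ssh_rsa(65537, (1 << 1023) | 0x30001)
    print(store.check("10.165.87.136", key_b))   # rejected: host key changed
```

The fingerprint is what you compare out of band before the first connection; the store only protects you from a key that changes after that point, which is exactly the gap the page 686 note about first-time authentication refers to.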
  • Page 687: Displaying And Maintaining Ssh Configuration

    Follow these steps to specify a source IP address/interface for the SSH client: Enter system view: system-view. Specify a source IP address for the SSH client (Optional): ssh2 source-ip ip-address; by default, no source address is configured. Specify a source interface for the SSH client (Optional): ssh2...
  • Page 688: Comparison Of Ssh Commands With The Same Functions

    Display information about all SSH users: display user-information [ username ]. Display the current source IP address or the IP address of the source interface specified for the SSH server: display ssh-server source-ip. Display the mappings between host public keys and SSH servers saved on a client: display ssh server-info...
  • Page 689: Ssh Configuration Examples

    The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be used directly as parameters in the public-key peer command. For the same reason, neither can the results of the display public-key local rsa public command be used directly in the rsa peer-public-key command.
  • Page 690 # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client. [Switch] local-user client001 [Switch-luser-client001] password simple abc [Switch-luser-client001] service-type ssh level 3 [Switch-luser-client001] quit...
  • Page 691: When Switch Acts As Server For Password And Radius Authentication

    Figure 55-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 55-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
  • Page 692 Network diagram Figure 55-14 Switch acts as server for password and RADIUS authentication Configuration procedure Configure the RADIUS server This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required. # Add an access device. Log in to the CAMS management platform and select System Management >...
  • Page 693 Figure 55-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
  • Page 694 Generating the RSA key pair on the server is prerequisite to SSH login. # Generate RSA key pairs. [Switch] public-key local create rsa # Set the authentication mode for the user interfaces to AAA. [Switch] user-interface vty 0 4 [Switch-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
  • Page 695 Figure 55-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 55-18 appears.
  • Page 696: When Switch Acts As Server For Password And Hwtacacs Authentication

    authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 55-16.
  • Page 697 # Enable the user interfaces to support SSH. [Switch-ui-vty0-4] protocol inbound ssh [Switch-ui-vty0-4] quit # Configure the HWTACACS scheme. [Switch] hwtacacs scheme hwtac [Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49 [Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49 [Switch-hwtacacs-hwtac] key authentication expert [Switch-hwtacacs-hwtac] key authorization expert [Switch-hwtacacs-hwtac] user-name-format without-domain [Switch-hwtacacs-hwtac] quit # Apply the scheme to the ISP domain.
  • Page 698: When Switch Acts As Server For Publickey Authentication

    From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 55-21 appears. Figure 55-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
  • Page 699 Configuration procedure Configure the SSH server # Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection. <Switch> system-view [Switch] interface vlan-interface 1 [Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Switch-Vlan-interface1] quit Generating the RSA key pair on the server is prerequisite to SSH login.
  • Page 700 Figure 55-23 Generate a client key pair (1) While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 55-24. Otherwise, the process bar stops moving and the key pair generating process is stopped.
  • Page 701 Figure 55-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 55-25 Generate a client key pair (3) Likewise, to save the private key, click Save private key.
  • Page 702 Figure 55-26 Generate a client key pair (4). After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server-end configuration before you continue to configure the client. # Establish a connection with the SSH server. Launch PuTTY.exe to enter the following interface.
  • Page 703 Figure 55-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 55-29 SSH client configuration interface (3) Click Browse to bring up the file selection window, navigate to the private key file and click OK.
  • Page 704: When Switch Acts As Client For Password Authentication

    From the window shown in Figure 55-29, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in Figure 55-30, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange.
  • Page 705: When Switch Acts As Client For Publickey Authentication

    [SwitchB-luser-client001] service-type ssh level 3 [SwitchB-luser-client001] quit # Configure the authentication type of user client001 as password. [SwitchB] ssh user client001 authentication-type password Configure Switch A # Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
  • Page 706 [SwitchB-Vlan-interface1] quit Generating the RSA key pair on the server is prerequisite to SSH login. # Generate RSA key pair. [SwitchB] public-key local create rsa # Set the authentication mode for the user interfaces to AAA. [SwitchB] user-interface vty 0 4 [SwitchB-ui-vty0-4] authentication-mode scheme # Enable the user interfaces to support SSH.
  • Page 707: When Switch Acts As Client And First-Time Authentication Is Not Supported

    After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client. # Establish an SSH connection to the server 10.165.87.136. [SwitchA] ssh2 10.165.87.136 Username: client001 Trying 10.165.87.136 ...
  • Page 708 Generating the RSA key pair on the server is prerequisite to SSH login. # Generate RSA key pair. [SwitchB] public-key local create rsa # Set AAA authentication on user interfaces. [SwitchB] user-interface vty 0 4 [SwitchB-ui-vty0-4] authentication-mode scheme # Configure the user interfaces to support SSH. [SwitchB-ui-vty0-4] protocol inbound ssh # Set the user command privilege level to 3.
  • Page 709 # Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection. <SwitchA> system-view [SwitchA] interface vlan-interface 1 [SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0 [SwitchA-Vlan-interface1] quit # Generate a RSA key pair [SwitchA] public-key local create rsa # Export the generated RSA key pair to a file named Switch001.
  • Page 710: File System Management Configuration

    Prompt Mode Configuration (Optional). The 3com 4500 series Ethernet switches support Expandable Resilient Networking (XRN) and allow you to access a file on a switch in one of the following ways: to access a file on a specified unit, specify the file in universal resource locator (URL) format starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
  • Page 711: Directory Operations

    Directory Operations. The file system provides directory-related functions, such as creating/deleting a directory and displaying the current working directory or the contents of a specified directory. Follow these steps to perform directory-related operations: To do… Use the command… Remarks: Optional. Create a directory...
  • Page 712 Rename a file: rename fileurl-source fileurl-dest (Optional; available in user view). Copy a file: copy fileurl-source fileurl-dest (Optional; available in user view). Move a file: move fileurl-source fileurl-dest (Optional; available in user view). Display the content of a file: more file-url (Optional; available in user view)...
  • Page 713: Prompt Mode Configuration

    The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irreversible. Prompt Mode Configuration: you can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system prompts for confirmation when you execute a command that may cause data loss, for example deleting or overwriting a file.
  • Page 714: Introduction To File Attributes

    Directory of unit1>flash:/
    1 (*) -rw- 5822215 Jan 01 1970 00:07:03 test.bin
    -rwh Apr 01 2000 23:55:49 snmpboots
    -rwh Apr 02 2000 00:47:30 hostkey
    -rwh Apr 02 2000 00:47:38 serverkey
    -rw- 1220 Apr 02 2000 00:06:57 song.cfg
    -rw- 26103 01 1970 00:04:34 testv1r1.bin
    -rwh Apr 01 2000 23:55:53...
  • Page 715 Web file and configuration file: 3Com may provide a corresponding default file when releasing software versions. When booting, the device selects the startup files in a certain order. The device...
  • Page 716: Configuring File Attributes

    Configuring File Attributes. You can configure and view the main attribute or backup attribute of the file used for the next startup of the switch, and change the main or backup attribute of the file. Follow these steps to configure file attributes: To do…...
  • Page 717: File Backup And Restoration

    Configuration File Backup and Restoration. Introduction to Configuration File Backup and Restoration: formerly, you could only back up and restore the configuration file of the units one by one in a fabric system. With the configuration file backup and restoration feature, you can easily back up and restore the configuration files of the whole fabric as well as of a specific unit.
  • Page 718: Ftp And Sftp Configuration

    FTP server. With a 3com switch 4500 serving as an FTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise when an FTP client is uploading files to the FTP server (the...
  • Page 719: Introduction To Sftp

    files from an FTP server, and stops rotating when the file download is finished, as shown in Figure 57-1. Figure 57-1 Clockwise rotation of the seven-segment digital LED. Introduction to SFTP: Secure FTP (SFTP) is established on an SSH2 connection. It allows a remote user to log in to the switch to manage and transmit files, with the SSH connection providing the confidentiality and integrity that plain FTP lacks.
  • Page 720 Disabled by default. Only one user can access a 3com switch 4500 at a given time when the latter operates as an FTP server. Operating as an FTP server, a 3com switch 4500 cannot receive a file whose size exceeds its storage space.
  • Page 721 Follow these steps to configure connection idle time: To do… Use the command… Remarks Enter system view system-view — Optional Configure the connection idle time ftp timeout minutes for the FTP server 30 minutes by default Specifying the source interface and source IP address for an FTP server You can specify the source interface and source IP address for an FTP server to enhance server security.
  • Page 722 ...server (Required). With a 3com switch 4500 acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading or downloading data, the switch disconnects the user only after the data transmission is completed.
  • Page 723 Figure 57-3 Process of displaying a shell banner. Follow these steps to configure the banner display for an FTP server: Enter system view: system-view. Configure a login banner: header login text. Configure a shell banner: header shell text. Required; use either command or both. By default, no banner is...
  • Page 724 Enter FTP client view: ftp [ cluster | remote-server [ port-number ] ]. Specify to transfer files in ASCII characters: ascii. Specify to transfer files in binary streams: binary. Use either command; by default, files are transferred in ASCII characters. Optional...
  • Page 725 Download a remote file from the FTP server: get remotefile [ localfile ]. Upload a local file to the FTP server: put localfile [ remotefile ]. Rename a file on the remote server: rename remote-source remote-dest. Log in with the specified user...
  • Page 726: Configuration Example: A Switch Operating As An Ftp Server

    The specified interface must be an existing one; otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be an IP address of the device where the configuration is performed; otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for all connections.
  • Page 727 [Sysname] local-user switch [Sysname-luser-switch] password simple hello [Sysname-luser-switch] service-type ftp Configure the PC (FTP client) Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
  • Page 728: Ftp Banner Display Configuration Example

    Boot ROM menu. The 3Com switch is not shipped with FTP client application software. You need to purchase and install it yourself. Configure Switch A (FTP server) # After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file used when the switch starts the next time, and restart the switch.
  • Page 729 Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For detailed configuration of other network requirements, see section Configuration Example: A Switch Operating as an FTP Server.
  • Page 730 Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) Configure the switch (FTP client) # Log in to the switch.
  • Page 731: Sftp Configuration

    <Sysname> boot boot-loader switch.bin <Sysname> reboot For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual. SFTP Configuration Complete the following tasks to configure SFTP: Task Remarks Enabling an SFTP server...
  • Page 732: Sftp Configuration: A Switch Operating As An Sftp Client

    10 minutes by default. Supported SFTP client software A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
  • Page 733 To do… Use the command… Remarks sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | Required dh_exchange_group } | Support for the 3des keyword prefer_ctos_cipher { 3des | depends on the number of des | aes128 } | Enter SFTP client view...
  • Page 734: Sftp Configuration Example

    If you specify to authenticate a client through public key on the server, the client needs to read the local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so as to get the correct local private key;...
  • Page 735 [Sysname] public-key local create dsa # Create a VLAN interface on the switch and assign to it an IP address, which is used as the destination address for the client to connect to the SFTP server. [Sysname] interface vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0 [Sysname-Vlan-interface1] quit # Specify the SSH authentication mode as AAA.
  • Page 736 sftp-client> # Display the current directory of the server. Delete the file z and verify the result. sftp-client> dir -rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg -rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx...
  • Page 737 -rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new -rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2 Received status: End of file Received status: Success # Download the file pubkey2 from the server and rename it as public.
  • Page 738: Tftp Configuration

    TFTP server, then sends data to the TFTP server, and receives acknowledgement packets from the TFTP server. A 3Com Switch 4500 can act as a TFTP client only. When a 3Com Switch 4500 serving as a TFTP client d...
  • Page 739: Tftp Configuration: A Switch Operating As A Tftp Client

    TFTP Configuration Complete the following tasks to configure TFTP: Task Remarks Basic configurations on a TFTP — client TFTP Configuration: A Switch Specifying the source interface Operating as a TFTP Client or source IP address for an Optional FTP client For details, see the TFTP server configuration —...
  • Page 740: Tftp Configuration Example

    To do… Use the command… Remarks tftp tftp-server source-ip Optional Specify the source IP address ip-address { get source -file used for the current connection [ dest-file ] | put source-file-url Not specified by default. [ dest-file ] } Enter system view system-view —...
  • Page 741 Network diagram Figure 58-1 Network diagram for TFTP configuration Configuration procedure Configure the TFTP server (PC) Start the TFTP server and configure the working directory on the PC. Configure the TFTP client (switch). # Log in to the switch. (You can log in to a switch through the Console port or by telnetting to the switch. See the Login module for detailed information.) <Sysname>...
  • Page 742 For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
  • Page 743: Information Center Overview

    Information Center When configuring information center, go to these sections for information you are interested in: Information Center Overview Information Center Configuration Displaying and Maintaining Information Center Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information.
  • Page 744 Information filtering by severity works this way: information with a severity value greater than the configured threshold is not output during filtering. If the threshold is set to 1, only information with the severity emergencies will be output; if the threshold is set to 8, information of all severities will be output.
  • Page 745 Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 59-3. Table 59-3 Source module name list Module name Description 8021X 802.1X module Access control list module ADBM Address base module...
  • Page 746 Module name Description SYSMIB System MIB module HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module Virtual type terminal module XModem module default Default settings for all the modules To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the...
  • Page 747 If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
  • Page 748 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login Sysname Sysname is the system name of the local switch and defaults to “3Com”. You can use the sysname command to modify the system name. Refer to the System Maintenance and Debugging part of this manual f...
  • Page 749: Information Center Configuration

    Source This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host. Content This field provides the content of the system information. Information Center Configuration Information Center Configuration Task List...
  • Page 750 If the system information is output before you input any information following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input.
  • Page 751 To do… Use the command… Remarks Optional Enable system info-center console channel By default, the switch uses information output to { channel-number | information channel 0 to output the console channel-name } log/debugging/trap information to the console. info-center source { modu-name | default } channel Optional Configure the output...
  • Page 752 Follow these steps to enable the system information display on the console: To do… Use the command… Remarks Optional Enable the debugging/log/trap terminal monitor information terminal display function Enabled by default. Optional Enable debugging information terminal debugging terminal display function Disabled by default.
  • Page 753 When there are multiple Telnet users or dumb terminal users, they share some configuration parameters, including module filter, language, and severity level threshold. In this case, a change to any such parameter made by one user will also be reflected on all other user terminals.
  • Page 754: Setting To Output System Information To The Trap Buffer

    To do… Use the command… Remarks Optional By default, debugging information output info-center switch-on { unit Enable information is enabled, and log and trap information unit-id | master | all } output for a specified output are disabled for the master switch [ debugging | logging | switch in a fabric...
  • Page 755 To do… Use the command… Remarks Optional By default, the switch uses Enable system info-center trapbuffer [channel information channel 3 to output information output to the { channel-number | channel-name } trap information to the trap trap buffer size buffersize]* buffer, which can hold up to 256 items by default.
  • Page 756: Disabling A Port From Generating Link Up/Down Logging Information

    To do… Use the command… Remarks Optional info-center snmp channel Enable information By default, the switch outputs trap { channel-number | output to the SNMP NMS information to SNMP through channel-name } channel 5. info-center source { modu-name | default } channel Optional Configure the...
  • Page 757: Information Center Configuration Examples

    With this feature applied to a port, when the state of the port changes, the system does not generate port link up/down logging information. In this case, you cannot monitor the port state change conveniently. Therefore, it is recommended to use the default configuration in normal cases.
  • Page 758 Configuration procedure Configure the switch: # Enable the information center. <Switch> system-view [Switch] info-center enable # Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default. [Switch] undo info-center source default channel loghost # Configure the host whose IP address is 202.38.1.10 as the log host.
  • Page 759: Log Output To A Linux Log Host

    # kill -HUP 147 After all the above operations, the switch can make records in the corresponding log file. Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requireme...
  • Page 760: Log Output To The Console

    Note the following items when you edit file “/etc/syslog.conf”. A note must start in a new line, starting with a “#” sign. In each pair, a tab should be used as a separator instead of a space. No space is permitted at the end of the file name. The device name (facility) and received log information severity specified in file “/etc/syslog.conf”...
  • Page 761 <Switch> system-view [Switch] info-center enable # Disable the function of outputting information to the console channels. [Switch] undo info-center source default channel console # Enable log information output to the console. Permit ARP and IP modules to output log information with severity level higher than informational to the console.
  • Page 762: Boot Rom And Host Software Loading

    Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
  • Page 763: Boot Menu

    BOOT Menu Starting..****************************************************************** Switch 4500 26-Port BOOTROM, Version 3.01 ****************************************************************** Copyright (c) 2004-2008 3Com Corporation and its licensors. Creation date : Sep 8 2008, 14:35:39 CPU Clock Speed : 200MHz BUS Clock Speed : 33MHz Memory Size...
  • Page 764: Loading By Xmodem Through Console Port

    1. Download application file to flash 2. Select application file to boot 3. Display all files in flash 4. Delete file from flash 5. Modify bootrom password 6. Enter bootrom upgrade menu 7. Skip current configuration file 8. Set bootrom password recovery 9.
  • Page 765 0. Return Enter your choice (0-5): Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information: Download baudrate is 115200 bit/s Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol Press enter key when ready If you have chosen 19200 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly.
  • Page 766 Figure 60-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 60-3. Figure 60-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
  • Page 767 Figure 60-4 Send file dialog box Step 8: Click <Send>. The system displays the page, as shown in Figure 60-5. Figure 60-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Step 4 and 5).
  • Page 768: Loading By Tftp Through Ethernet Port

    Loading host software Follow these steps to load the host software: Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0.
  • Page 769 Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. The TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
  • Page 770: Loading By Ftp Through Ethernet Port

    0. Return to boot menu Enter your choice(0-3): Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
  • Page 771 Bootrom update menu: 1. Set TFTP protocol parameter 2. Set FTP protocol parameter 3. Set XMODEM protocol parameter 0. Return to boot menu Enter your choice(0-3): Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required: Load File name :switch.btm...
  • Page 772: Remote Boot Rom And Software Loading

    Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client Loading the Boot ROM As shown in...
  • Page 773 Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch.
  • Page 774 System View: return to User View with Ctrl+Z. [Sysname] interface Vlan-interface 1 [Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0 Step 3: Enable FTP service on the switch, and configure the FTP user name to test and password to pass. [Sysname-Vlan-interface1] quit [Sysname] ftp server enable [Sysname] local-user test New local user added.
  • Page 775 Figure 60-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 60-12, to log on to the FTP server. Figure 60-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 60-13.
  • Page 776: Remote Loading Using Tftp

    Figure 60-13 Upload file switch.btm to the switch Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch. <Sysname> boot bootrom switch.btm This will update Bootrom on unit 1. Continue? [Y/N] y Upgrading Bootrom, please wait... Upgrade Bootrom succeeded! <Sysname>...
  • Page 777: Basic System Configuration And Debugging

    Basic System Configuration and Debugging When configuring basic system configuration and debugging, go to these sections for information you are interested in: Basic System Configuration Displaying the System Status Debugging the System Basic System Configuration Perform the following basic system configuration:...
  • Page 778 Displaying the System Status To do… Use the command… Remarks Display the current date and time of the system display clock Available in Display the version of the system display version any view Display the information about users logging onto the display users [ all ] switch...
  • Page 779: Displaying Debugging Status

    You can use the following commands to enable the two switches. Follow these steps to enable debugging and terminal display for a specific module: To do… Use the command… Remarks Required Enable system debugging for debugging module-n Disabled for all modules by specific module [ debugging-option ]...
  • Page 780: Network Connectivity Test

    Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: ping tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host.
  • Page 781: Device Management

    Device Management When configuring device management, go to these sections for information you are interested in: Introduction to Device Management Device Management Configuration Displaying the Device Management Configuration Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management includes the following: Reboot the Ethernet switch Configure real-time mon...
  • Page 782: Scheduling A Reboot On The Switch

    Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case the system is shut down without saving the configurations. Use the following command to reboot the Ethernet switch: To do…...
  • Page 783: Specifying The App To Be Used At Reboot

    Enabling this function consumes some CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
  • Page 784: Upgrading The Host Software In The Fabric

    Currently, in the S4500 series Ethernet switches, the auto power down configuration does not take effect on 1000BASE-X SFP Ports. Upgrading the Host Software in the Fabric You can execute the following command on any device in a Fabric to use specified host software to upgrade all devices in a Fabric, thus realizing the software version consistency in this Fabric.
  • Page 785: Displaying The Device Management Configuration

    To do… Use the command… Remarks display transceiver interface Display main parameters of Available for all pluggable [ interface-type the pluggable transceiver(s) transceivers interface-number ] Display part of the electrical display transceiver Available for anti-spoofing label information of the manuinfo interface pluggable transceiver(s) anti-spoofing transceiver(s) [ interface-type...
  • Page 786: Remote Switch App Upgrade Configuration Example

    To do… Use the command… Remarks Display system diagnostic information or save system diagnostic information to a file with display diagnostic-information the extension .diag into the Flash memory Display enabled debugging on a display debugging { fabric | unit specified switch or all switches in the unit-id } [ interface interface-type fabric interface-number ] [ module-name ]...
  • Page 787 Refer to the Login Operation part of this manual for configuration commands and steps about telnet user. Execute the telnet command on the PC to log into the switch. The following prompt appears: <Sysname> If the Flash memory of the switch is not sufficient, delete the original applications before downloading the new ones.
  • Page 788 Unit 1: The current boot app is: switch.bin The main boot app is: switch.bin The backup boot app is: # Reboot the switch to upgrade the Boot ROM and host software of the switch. <Sysname> reboot Start to check configuration with next startup configuration file, please wait..
  • Page 789: Scheduled Task Configuration

    Scheduled Task Configuration What Is a Scheduled Task A scheduled task defines a command or a group of commands and when such commands will be executed. It allows a device to execute specified command(s) at a time when no person is available to maintain the device.
  • Page 790: Scheduled Task Configuration Example

    Modification of the system time will affect the execution of a scheduled task. Configuring a scheduled task to be executed after a delay time Follow these steps to configure a scheduled task that will be executed after a delay time: To do…...
  • Page 791 Configuration procedure <Switch> system-view # Create scheduled task pc1, and enter scheduled task view. [Switch] job pc1 # Configure the view in which the specified command is to be executed as Ethernet interface view. [Switch-job-pc1] view Ethernet1/0/1 # Configure the scheduled task so that the Ethernet port can be enabled on Switch at eight AM from Monday to Friday.
  • Page 792 VLAN-VPN Configuration When configuring VLAN-VPN, go to these sections for information you are interested in: VLAN-VPN Overview VLAN-VPN Configuration Displaying and Maintaining VLAN-VPN Configuration VLAN-VPN Configuration Example VLAN-VPN Overview Introduction to VLAN-VPN Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network.
  • Page 793 Provides simple Layer 2 VPN solutions for small-sized MANs or intranets. Implementation of VLAN-VPN With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch will tag the received packet with the default VLAN tag of the receiving port and add the source MAC address to the MAC address table of the default VLAN.
  • Page 794: Inner-To-Outer Tag Priority Replicating And Mapping

    Inner-to-Outer Tag Priority Replicating and Mapping As shown in Figure 65-2, the user priority field is the 802.1p priority of the tag. The value of this 3-bit field is in the range 0 to 7. By configuring inner-to-outer tag priority replicating or mapping for a VLAN-VPN-enabled port, you can replicate the inner tag priority to the outer tag or assign outer tags of different priorities to packets according to their inner tag priorities.
  • Page 795: Configuring The Inner-To-Outer Tag Priority Replicating And Mapping Feature

    Table 65-1. For 3Com series switches, the TPID defaults to 0x8100. Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
  • Page 796: Displaying And Maintaining Vlan-Vpn Configuration

    Displaying and Maintaining VLAN-VPN Configuration To do... Use the command... Remarks Display the VLAN-VPN display port vlan-vpn Available in any view configurations of all the ports VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements As shown in...
  • Page 797 # Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag. <SwitchA> system-view [SwitchA] vlan 1040 [SwitchA-vlan1040] port Ethernet 1/0/11 [SwitchA-vlan1040] quit [SwitchA] interface Ethernet 1/0/11 [SwitchA-Ethernet1/0/11] vlan-vpn enable [SwitchA-Ethernet1/0/11] quit...
  • Page 798 # As the devices in the public network are from other vendors, only the basic principles are introduced here. That is, you need to configure the devices connecting to Ethernet 1/0/12 of Switch A and Ethernet 1/0/22 of Switch B to permit the corresponding ports to transmit tagged packets of VLAN 1040. Data transfer process The following describes how a packet is forwarded from Switch A to Switch B in this example.
  • Page 799: Selective Qinq Configuration

    Selective QinQ Configuration When configuring selective QinQ, go to these sections for information you are interested in: Selective QinQ Overview Selective QinQ Configuration Selective QinQ Configuration Example Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature.
  • Page 800 telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner VLAN tags.
  • Page 801: Selective Qinq Configuration Task List

    device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, through which the outbound port to the service provider network can be determined through the MAC ad...
  • Page 802: Enabling The Inter-Vlan Mac Address Replicating Feature

    Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do...
  • Page 803 The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority than packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
  • Page 804 [SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged [SwitchA-Ethernet1/0/5] quit # Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200. [SwitchA] interface Ethernet 1/0/3 [SwitchA-Ethernet1/0/3] port link-type hybrid [SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
  • Page 805 [SwitchB] interface Ethernet 1/0/11 [SwitchB-Ethernet1/0/11] port link-type hybrid [SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged # Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000. [SwitchB] interface Ethernet 1/0/12 [SwitchB-Ethernet1/0/12] port link-type hybrid [SwitchB-Ethernet1/0/12] port hybrid pvid...
  • Page 806: Remote-Ping Configuration

    Remote-ping Configuration When configuring remote-ping, go to these sections for information you are interested in: Remote-ping Overview Remote-ping Configuration Remote-ping Configuration Example Remote-ping Overview Remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on a network.
  • Page 807 If this parameter is set to a number greater than 1, the system sends the second test packet once it receives a response to the first one, or when the test timer times out if it receives no response after sending the first one, and so forth until the last test packet is sent out.
  • Page 808 Displaying remote-ping Configuration After the above remote-ping configuration, you can execute the display command in any view to display the information of remote-ping test operation status so you can verify the configuration effect. Table 67-2 Display remote-ping co...
  • Page 809: Displayed Information

    Square-Sum of Round Trip Time: 66 Last complete test time: 2000-4-2 7:59:54.7 Extend result: SD Maximal delay: 0 DS Maximal delay: 0 Packet lost in test: 0% Disconnect operation number: 0 Operation timeout number: 0 System busy operation number: 0 Connection fail number: Operation sequence errors: 0 Drop operati...
  • Page 810: Ipv6 Configuration

    IPv6 Configuration When configuring IPv6, go to these sections for information you are interested in: IPv6 Overview IPv6 Configuration Task List IPv6 Configuration Example IPv6 Overview Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol Version 4 (IPv4).
  • Page 811: Introduction To Ipv6 Address

    Hierarchical address structure IPv6 adopts the hierarchical address structure to speed up route lookup and to reduce the system resources occupied by the IPv6 routing table by means of route aggregation. Automatic address configuration To simplify the host configuration, IPv6 supports stateful address configuration and stateless address configuration.
  • Page 812 If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by a double colon (::). For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B. The double colon :: can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double colon represents when expanding it to restore the IPv6 address to a 128-bit address.
  • Page 813 Type Format prefix (binary) IPv6 prefix ID Global unicast other forms — address Multicast address 11111111 FF00::/8 Anycast addresses are taken from unicast address space Anycast address and are not syntactically distinguishable from unicast addresses. Unicast address There are several forms of unicast address assignment in IPv6, including global unicast address, link-local address, and site-local address.
  • Page 814: Introduction To Ipv6 Neighbor Discovery Protocol

    Where, FF02:0:0:0:0:1:FF is permanent and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 address. Interface identifier in IEEE EUI-64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be unique on that link.
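    The following is an added example written for this page; it is not text or code from the 3Com manual. It implements, in Python, two rules stated in the IPv6 overview: expanding and compressing the double-colon abbreviation (rejecting an address that uses :: twice, because the number of zero groups each one stands for would be ambiguous) and deriving the solicited-node multicast address FF02:0:0:0:0:1:FFXX:XXXX from the last 24 bits of a unicast address. The function names, the extra sample addresses and the tie-break between equal-length zero runs are this example's own choices, not the manual's.

```python
from __future__ import annotations

import string

# Added example (not from the 3Com manual): text <-> 16-bit group conversion for
# IPv6 addresses, following the '::' rule stated in the IPv6 overview.


def expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address given in text form.

    '::' may appear at most once: with two occurrences the device cannot tell
    how many zero groups each one stands for, so such input is rejected.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may be used only once in an IPv6 address")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in string.hexdigits for c in g):
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))
    return values


def is_valid_ipv6(text: str) -> bool:
    """True if the text is an IPv6 address this parser accepts."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def full_form(groups: list[int]) -> str:
    """128-bit address as eight zero-padded hexadecimal groups."""
    return ":".join(f"{g:04x}" for g in groups)


def compress_ipv6(groups: list[int]) -> str:
    """Shortest text form: leading zeros dropped and the longest run of two or
    more consecutive zero groups replaced by '::' (first run wins a tie; the
    tie-break is this example's choice)."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [None]):  # sentinel closes the final run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{g:x}" for g in groups]
    if best_len >= 2:
        left = ":".join(hexes[:best_start])
        right = ":".join(hexes[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(hexes)


def solicited_node_multicast(groups: list[int]) -> str:
    """FF02:0:0:0:0:1:FFXX:XXXX, where XX:XXXX is the low 24 bits of the address."""
    low24 = ((groups[6] & 0xFF) << 16) | groups[7]
    sn = [0xFF02, 0, 0, 0, 0, 1, 0xFF00 | (low24 >> 16), low24 & 0xFFFF]
    return compress_ipv6(sn)


if __name__ == "__main__":
    # First address is the manual's own example; the second is the EUI-64
    # address shown for Switch B in its configuration example.
    for text in ("2001:0:130F::9C0:876A:130B", "2001::20F:E2FF:FE00:1"):
        g = expand_ipv6(text)
        print(text, "->", full_form(g), "->", compress_ipv6(g),
              "solicited-node:", solicited_node_multicast(g))
    print("two '::' accepted?", is_valid_ipv6("2001::1::2"))
```

    Run stand-alone it prints the full and shortest forms of the two addresses and their solicited-node groups; the second address yields FF02::1:FF00:1, which is the group a node joins for duplicate address detection and address resolution on that address.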
  • Page 815 The 3Com Switch 4500 does not support the RS, RA, or Redirect message. Of the IPv6 NDP functions mentioned above, the 3Com Switch 4500 supports the following three: address resolution, neighbor unreachability detection, and duplicate address detection.
  • Page 816: Protocols And Standards

    Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B. The NS message contains the link-layer address of node A. After receiving the NS message, node B judges whether the destination address of the packet is the corresponding solicited-node multicast address of its own IPv6 address.
  • Page 817: Ipv6 Configuration Task List

    RFC 1981: Path MTU Discovery for IP version 6
    RFC 2375: IPv6 Multicast Address Assignments
    RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
    RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
    RFC 2462: IPv6 Stateless Address Autoconfiguration
    RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
    RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
    RFC 2526: Reserved IPv6 Subnet Anycast Addresses...
  • Page 818
    To do...                         Use the command...                                                          Remarks
    Enter system view                system-view                                                                 —
    Enter VLAN interface view        interface interface-type interface-number                                   —
    Manually assign an IPv6 address  ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }    Use either command. By default, no site-local address or global unicast address is ...
    Configure an IPv6...
  • Page 819: Configuring Ipv6 Ndp

    If XRN fabric ports are configured on a 3Com Switch 4500, no IPv6 address can be configured for the switch. IPv6 unicast addresses can be configured for only one VLAN interface on a 3Com Switch 4500. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
  • Page 820 Configuring the maximum number of neighbors dynamically learned The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table. Too large a neighbor table may degrade the forwarding performance of the device.
  • Page 821: Configuring A Static Ipv6 Route

    To do…                   Use the command…                 Remarks
    Specify the NS interval  ipv6 nd ns retrans-timer value   Optional. 1,000 milliseconds by default.
    Configuring the neighbor reachable timeout time on an interface: After a neighbor has passed reachability detection, the device considers it reachable for a specific period.
  • Page 822: Configuring The Maximum Number Of Ipv6 Icmp Error Packets Sent Within A Specified Time

    To do…                                      Use the command…                      Remarks
    Set the finwait timer of IPv6 TCP packets   tcp ipv6 timer fin-timeout wait-time  Optional. 675 seconds by default.
    Set the synwait timer of IPv6 TCP packets   tcp ipv6 timer syn-timeout wait-time  Optional. 75 seconds by default.
    Configure the size of IPv6 TCP ...          tcp ipv6 window size...               Optional.
  • Page 823: Ipv6 Configuration Example

    Displaying and Maintaining IPv6
    To do…                                               Use the command…                                                                                              Remarks
    Display the FIB entries                              display ipv6 fib
    Display the brief IPv6 information of an interface   display ipv6 interface [ interface-type interface-number | brief ]
    Display neighbor information                         display ipv6 neighbors [ ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id ] [ | { begin...
  • Page 824
    Network diagram: Figure 68-5 Network diagram for IPv6 address configuration
    Configuration procedure
    Configure Switch A.
    # Configure an automatically generated link-local address for the interface VLAN-interface 2.
    <SwitchA> system-view
    [SwitchA] interface Vlan-interface 2
    [SwitchA-Vlan-interface2] ipv6 address auto link-local
    # Configure an EUI-64 address for the interface VLAN-interface 2.
    [SwitchA-Vlan-interface2] ipv6 address 2001::/64 eui-64
    # Configure a global unicast address for the interface VLAN-interface 2.
  • Page 825
    ND retransmit interval is 1000 milliseconds
    Hosts use stateless autoconfig for addresses
    # Display the brief IPv6 information of the interface on Switch B.
    [SwitchB-Vlan-interface2] display ipv6 interface Vlan-interface 2
    Vlan-interface2 current state : UP
    Line protocol current state : UP
    IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1
    Global unicast address(es):
    2001::20F:E2FF:FE00:1, subnet is 2001::/64...
  • Page 826
    round-trip min/avg/max = 60/66/80 ms
    [SwitchA-Vlan-interface2] ping ipv6 2001::20F:E2FF:FE00:1
    PING 2001::20F:E2FF:FE00:1 : 56 data bytes, press CTRL_C to break
    Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=1 hop limit=255 time = 40 ms
    Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=2 hop limit=255 time = 70 ms
    Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms...
  • Page 827: Ipv6 Application Configuration

    Troubleshooting IPv6 Application Introduction to IPv6 Application IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4. The applications supported on the 3Com Switch 4500 are: Ping, Traceroute, TFTP, Telnet. Configur...
  • Page 828: Ipv6 Traceroute

    IPv6 Traceroute The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure. Figure 69-1 Traceroute process As Figure 69-1 shows, the traceroute process is as follows: The source sends an IP datagram with a Hop Limit of 1.
  • Page 829: Ipv6 Telnet

    To do…                                   Use the command…                                                                                                       Remarks
    Download/Upload files from TFTP server   tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ]   Required. Available in user view.
    When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i keyword if the destination address is a link-local address.
  • Page 830: Ipv6 Applications

    Applications Network requirements As shown in Figure 69-3, SWA, SWB, and SWC are three switches; SWA is a 3Com Switch 4500, and SWB and SWC are two switches supporting IPv6 forwarding. In the LAN, a Telnet server and a TFTP server provide Telnet service and TFTP service to the switch respectively.
  • Page 831: Unable To Ping A Remote Destination

    bytes=56 Sequence=2 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
    Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
    --- 3003::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received...
  • Page 832: Unable To Run Traceroute

    Solution Check that the IPv6 addresses are configured correctly. Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up. Use the display ipv6 route-table command to verify that the destination is reachable. Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether it is due...
  • Page 833: Password Control Configuration Operations

    Password Control Configuration Operations Introduction to Password Control Configuration The password control feature is designed to manage the following passwords: Telnet passwords: passwords for logging into the switch through Telnet. SSH passwords: passwords for logging into the switch through SSH. FTP passwords: passwords for logging into the switch through FTP.
  • Page 834 Function Description Application Encrypted display: The switch protects the displayed password. The password is always displayed as a string containing only asterisks (*) in the configuration file or on Password user terminal. protection All passwords encryption Saving passwords in ciphertext: The switch encrypts and saves the configured passwords in ciphertext in the configuration file.
  • Page 835: Password Control Configuration

    Password Control Configuration
    Configuration Prerequisites: A user PC is connected to the switch to be configured; both devices are operating normally.
    Configuration Tasks: The following sections describe the configuration tasks for password control:
    Configuring Password Aging
    Configuring the Limitation of Minimum Password Length
    Configuring History Password Recording
    Configuring a User Login Password in Interactive Mode
    Configuring Login Attempt Times Limitation and Failure Processing Mode...
  • Page 836
    Operation                                            Command                             Description
    Create a local user or enter local user view         local-user user-name                —
    Configure a password aging time for the local user   password-control aging aging-time   Optional. By default, the aging time is 90 days.
    In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords: Global settings in system view apply to all local user passwords and super passwords.
  • Page 837: Configuring The Limitation Of Minimum Password Length

    You can configure the password aging time when password aging is not yet enabled, but these configured parameters will not take effect. After the user changes the password successfully, the switch saves the old password in a readable file in the flash memory. The switch does not provide the alert function for FTP passwords.
  • Page 838: Configuring History Password Recording

    In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords: Global settings in system view apply to all local user passwords and super passwords. Settings in the local user view apply to the local user password only. Settings on the parameters of the super passwords apply to super passwords only.
  • Page 839: Configuring A User Login Password In Interactive Mode

    Table 70-5 Manually remove history password records
    Operation                                             Command                                                         Description
    Remove history password records of one or all users   reset password-control history-record [ user-name user-name ]   Executing this command without the user-name user-name option removes the history password records of all users. Executing this command with the user-name user-name option removes the history password...
  • Page 840: Aaa Configuration

    lock-time: In this mode, the system prevents the user from logging in again for a certain period. After the period, the user is allowed to log into the switch again. By default, this time is 120 minutes. lock: In this mode, the system prevents the user from logging in again permanently. The user is allowed to log into the switch again only after the administrator removes the user from the user blacklist.
  • Page 841: Configuring Password Composition Policies

    Table 70-9 Configure the timeout time for users to be authenticated
    Operation                                                  Command                                                          Description
    Enter system view                                          system-view                                                      —
    Configure the timeout time for users to be authenticated   password-control authentication-timeout authentication-timeout   Optional. By default, it is 60 seconds.
    Configuring Password Composition Policies A password can be a combination of characters from the following four categories: letters A to Z, letters a to z, digits 0 to 9, and the 32 special characters consisting of the space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./
  • Page 842: Displaying Password Control

    Operation                                                      Command                                                                            Description
    Configure the password composition policy for the local user   password-control composition type-number policy-type [ type-length type-length ]   Optional. By default, the minimum number of types a password should contain is 1 and the minimum number of characters of each type is 1.
  • Page 843 For a local user named test, the minimum password length is 6 characters, the minimum number of password composition types is 2, the minimum number of characters in each password composition type is 3, and the password aging time is 20 days. Configuration procedure # Enter system view.
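    The following is an added example written for this page; it is not text or code from the 3Com manual. It shows how the composition policy described above can be applied to a candidate password: the four character categories the page lists (A to Z, a to z, 0 to 9, and the 32 special characters including the space), a minimum length, a minimum number of composition types, and a minimum number of characters per type, checked here against the policy given for local user test (length 6, 2 types, 3 characters per type). The function and parameter names are this example's own; the reading that a category only counts toward type-number when it holds at least type-length characters is an interpretation made here, and the minimum length has no default because this page gives none.

```python
from __future__ import annotations

import string

# Added example (not from the 3Com manual): a checker for the password
# composition policy described on this page. Categories as the page lists them:
# letters A to Z, letters a to z, digits 0 to 9, and 32 special characters
# (the space plus the 31 punctuation marks below).
SPECIAL_CHARS = " ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./"

CATEGORIES: dict[str, frozenset[str]] = {
    "upper": frozenset(string.ascii_uppercase),
    "lower": frozenset(string.ascii_lowercase),
    "digit": frozenset(string.digits),
    "special": frozenset(SPECIAL_CHARS),
}


def composition_counts(password: str) -> dict[str, int]:
    """Number of characters the password draws from each category."""
    return {name: sum(ch in chars for ch in password)
            for name, chars in CATEGORIES.items()}


def check_password(password: str, min_length: int,
                   type_number: int = 1, type_length: int = 1) -> list[str]:
    """Return the policy violations found (an empty list means the password complies).

    type_number and type_length default to the page's stated defaults (1 and 1).
    Interpretation made in this example: a category counts toward type_number
    only when the password holds at least type_length characters from it.
    """
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"length {len(password)} is below the minimum of {min_length}")
    outside = sorted({ch for ch in password
                      if not any(ch in chars for chars in CATEGORIES.values())})
    if outside:
        problems.append(f"characters outside the four categories: {''.join(outside)!r}")
    counts = composition_counts(password)
    qualifying = [name for name, n in counts.items() if n >= type_length]
    if len(qualifying) < type_number:
        problems.append(
            f"only {len(qualifying)} composition type(s) with at least {type_length} "
            f"character(s); policy requires {type_number}"
        )
    return problems


if __name__ == "__main__":
    # Policy for local user 'test' from the page: length >= 6, 2 types, 3 chars per type.
    # The candidate passwords are constructed for this example.
    for candidate in ("abc123", "abcd12", "abcdef", "Ab1!"):
        result = check_password(candidate, min_length=6, type_number=2, type_length=3)
        print(repr(candidate), result or "OK")
```

    Under that policy only "abc123" passes: "abcd12" has two categories but only two digits, "abcdef" uses a single category, and "Ab1!" is both too short and spread too thinly across four categories.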
  • Page 844: Access Management Configuration

    Access Management Configuration When configuring access management, go to these sections for information you are interested in: Access Management Overview Configuring Access Management Access Management Configuration Examples Access Management Overview Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches;...
  • Page 845: Configuring Access Management

    Configuring Access Management
    Follow these steps to configure access management:
    To do…                                  Use the command…   Remarks
    Enter system view                       system-view        —
    Enable the access management function   am enable          Required. By default, the system disables the access management function.
    Enable access management trap           am trap enable     Required. By default, access management trap is...
  • Page 846: Combining Access Management With Port Isolation

    Disable the PCs that are not of Organization 1 (PC 2 and PC 3) from accessing the external network through Ethernet 1/0/1 of Switch A. Network diagram Figure 71-2 Network diagram for access management configuration Configuration procedure Perform the following configuration on Switch A. # Enable access management.
  • Page 847 Ethernet 1/0/1 and Ethernet 1/0/2 belong to VLAN 1. The IP address of VLAN-interface 1 is 202.10.20.200/24. PCs of Organization 1 are isolated from those of Organization 2 on Layer 2. Network diagram Figure 71-3 Network diagram for combining access management and port isolation Configuration procedure Perform the following configuration on Switch A.
  • Page 848
    [Sysname-Ethernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
    # Add Ethernet 1/0/2 to the port isolation group.
    [Sysname-Ethernet1/0/2] port isolate
    [Sysname-Ethernet1/0/2] quit
  • Page 849: Lldp Configuration

    LLDP Configuration When configuring LLDP, go to these sections for information you are interested in: Overview LLDP Configuration Task List Performing Basic LLDP Configuration Configuring CDP Compatibility Configuring LLDP Trapping Displaying and Maintaining LLDP LLDP Configuration Examples Overview Background In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
  • Page 850
    Figure 72-1 Ethernet II-encapsulated LLDP frame format
    The fields in the frame are described in Table 72-1:
    Table 72-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
    Field                     Description
    Destination MAC address   The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
  • Page 851: Device Management

    Field                Description
    Source MAC address   The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
    Type                 The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
  • Page 852
    VLAN Name           A specific VLAN name on the port
    Protocol Identity   Protocols supported on the port
    Currently, the 3Com Switch 4500 supports receiving but not sending protocol identity TLVs.
    IEEE 802.3 organizationally specific TLVs
    Table 72-5 IEEE 802.3 organizationally specific TLVs
    Type...
  • Page 853: Operating Modes Of Lldp

    LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’ requirements for cost effectiveness, ease of deployment, and ease of management.
  • Page 854: How Lldp Works

    How LLDP Works Transmitting LLDP frames An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
  • Page 855: Performing Basic Lldp Configuration

    Performing Basic LLDP Configuration Enabling LLDP To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports. Follow these steps to enable LLDP: To do… Use the command… Remarks Enter system view system-view —...
  • Page 856: Enabling Lldp Polling

    Enabling LLDP Polling With LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration change, the device sends LLDP frames to inform the neighboring devices of the change. Follow these steps to enable LLDP polling: To do…...
  • Page 857: Setting Other Lldp Parameters

    To do…                                                                                               Use the command…                             Remarks
    Enter Ethernet interface view                                                                        interface interface-type interface-number    Required
    Enable LLDP to advertise management address TLVs and configure the advertised management IP address  lldp management-address-tlv [ ip-address ]   Optional. By default, the management address is sent through LLDPDUs, and the management address is the main IP address of the...
  • Page 858: Setting An Encapsulation Format For Lldpdus

    LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation. Configuring CDP Compatibility On a 3Com Switch 4500, only one voice VLAN exists at any given point in time. For detailed information about voice VLAN, refer to Voice VLAN Operation in this manual.
  • Page 859: Configuring Lldp Trapping

    With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN ID of the device for the IP phones to configure the voice VLAN automatically. In this way, voice traffic is confined in the configured voice VLAN and is thus differentiated from other types of traffic.
  • Page 860: Displaying And Maintaining Lldp

    Follow these steps to configure LLDP trapping:
    To do…                             Use the command…                            Remarks
    Enter system view                  system-view                                 —
    Enter Ethernet interface view      interface interface-type interface-number   Required
    Enable LLDP trap sending           lldp notification remote-change enable      Required. Disabled by default
    Quit to system view                quit                                        —
    Set the interval to send LLDP...                                               Optional
  • Page 861
    Figure 72-4 Network diagram for basic LLDP configuration (Switch A: Eth1/0/1, Eth1/0/2; Switch B: Eth1/0/1)
    Configuration procedure
    Configure Switch A.
    # Enable LLDP globally.
    <SwitchA> system-view
    [SwitchA] lldp enable
    # Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
  • Page 862
    Hold multiplier
    Reinit delay : 2s
    Transmit delay : 2s
    Trap interval : 5s
    Fast start times
    Port 1 [Ethernet1/0/1]:
    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV...
  • Page 863: Cdp-Compatible Lldp Configuration Example

    Port status of LLDP : Enable
    Admin status : Rx_Only
    Trap flag : No
    Roll time : 0s
    Number of neighbors
    Number of MED neighbors
    Number of CDP neighbors
    Number of sent optional TLV
    Number of received unknown TLV
    Port 2 [Ethernet1/0/2]:
    Port status of LLDP : Enable
    Admin status...
  • Page 864
    [SwitchA-Ethernet1/0/1] port link-type trunk
    [SwitchA-Ethernet1/0/1] voice vlan 2 enable
    [SwitchA-Ethernet1/0/1] quit
    [SwitchA] interface ethernet 1/0/2
    [SwitchA-Ethernet1/0/2] port link-type trunk
    [SwitchA-Ethernet1/0/2] voice vlan 2 enable
    [SwitchA-Ethernet1/0/2] quit
    Configure CDP-compatible LLDP on Switch A.
    # Enable LLDP globally and enable LLDP to be compatible with CDP globally.
    [SwitchA] lldp enable
    [SwitchA] lldp compliance cdp
    # Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to...
  • Page 865: Pki Configuration

    PKI Configuration When configuring PKI, go to these sections for information you are interested in: Introduction to PKI PKI Configuration Task List Displaying and Maintaining PKI PKI Configuration Examples Troubleshooting PKI Introduction to PKI This section covers these topics: PKI Overview PKI Terms...
  • Page 866: Architecture Of Pki

    CAs are trusted by different users in a PKI system, the CAs will form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself while each lower level CA has a CA certificate signed by the CA at the next higher level.
  • Page 867: Applications Of Pki

    A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
  • Page 868: Pki Configuration Task List

    The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
  • Page 869 The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected. Follow these steps to configure an entity DN: To do…...
  • Page 870: Configuring A Pki Domain

    Configuring a PKI Domain Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance. A PKI domain is defined by these parameters: Trusted CA An entity requests a certificate from a trusted CA.
  • Page 871: Submitting A Pki Certificate Request

    To do…                                          Use the command…                          Remarks
    Specify the entity for certificate request      certificate request entity entity-name    Required. No entity is specified by default. The specified entity must exist.
    Specify the authority for certificate request   certificate request from { ca | ra }      Required. No authority is specified by default.
  • Page 872: Submitting A Certificate Request In Manual Mode

    Follow these steps to configure an entity to submit a certificate request in auto mode:
    To do…                                     Use the command…                                                                          Remarks
    Enter system view                          system-view                                                                               —
    Enter PKI domain view                      pki domain domain-name                                                                    —
    Set the certificate request mode to auto   certificate request mode auto [ key-length key-length | password { cipher | simple }...   Required
  • Page 873: Retrieving A Certificate Manually

    If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. A newly created key pair will overwrite the existing one.
  • Page 874: Configuring Pki Certificate Verification

    If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
  • Page 875: Destroying A Local Rsa Key Pair

    To do…                            Use the command…                             Remarks
    Enter PKI domain view             pki domain domain-name                       —
    Disable CRL checking              crl check disable                            Required. Enabled by default
    Return to system view             quit                                         —
    Retrieve the CA certificate       Refer to Retrieving a Certificate Manually   Required
    Verify the validity of the ...    pki validate-certificate { ca | ...
  • Page 876: Configuring An Access Control Policy

    Configuring an Access Control Policy By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server. Follow these steps to configure a certificate attribute-based access control policy: To do… Use the command…...
  • Page 877: Pki Configuration Examples

    PKI Configuration Examples The SCEP plug-in is required when you use the Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA. The SCEP plug-in is not required when RSA Keon is used.
  • Page 878 After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. # Configure the CRL distribution behavior.
  • Page 879
    Apply for certificates
    # Retrieve the CA certificate and save it locally.
    [Switch] pki retrieval-certificate ca domain torsa
    Retrieving CA/RA certificates. Please wait a while..
    The trusted CA's finger print is:
    fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
    SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
    Is the finger print correct?(Y/N):y
    Saving CA/RA certificates chain, please wait a moment..
  • Page 880: Requesting A Certificate From A Ca Running Windows 2003 Server

    Modulus (1024 bit):
    00D67D50 41046F6A 43610335 CA6C4B11 F8F89138 E4E905BD 43953BA2 623A54C0
    EA3CB6E0 B04649CE C9CDDD38 34015970 981E96D9 FF4F7B73 A5155649 E583AC61
    D3A5C849 CBDE350D 2A1926B7 0AE5EF5E D1D8B08A DBF16205 7C2A4011 05F11094
    73EB0549 A65D9E74 0F2953F2 D4F0042F 19103439 3D4F9359 88FB59F3 8D4B2F6C
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 CRL Distribution Points:
    URI:http://4.4.4.133:447/myca.crl
    Signature Algorithm: sha1WithRSAEncryption...
  • Page 881 Configuration procedure Configure the CA server Install the certificate server suites From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation. Install the SCEP plug-in As a CA server running the Windows 2003 server does not support SCEP by default, you need to install the SCEP plug-in so that the Switch can register and obtain its certificate automatically.
  • Page 882
    # Specify the entity for certificate request as aaa.
    [Switch-pki-domain-torsa] certificate request entity aaa
    Generate a local key pair using RSA
    [Switch] public-key local create rsa
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is greater than 512, It may take a few minutes.
  • Page 883: Troubleshooting Pki

    Subject: CN=switch
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00A6637A 8CDEA1AC B2E04A59 F7F6A9FE 5AEE52AE 14A392E4 E0E5D458 0D341113
    0BF91E57 FA8C67AC 6CE8FEBB 5570178B 10242FDD D3947F5E 2DA70BD9 1FAF07E5
    1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306
    81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F
    Exponent: 65537 (0x10001)
  • Page 884: Failed To Request A Local Certificate

    The network connection is not proper. For example, the network cable may be damaged or loose.
    No trusted CA is specified.
    The URL of the registration server for certificate request is not correct or not configured.
    No authority is specified for certificate request.
    The system clock of the device is not synchronized with that of the CA.
  • Page 885
    The CRL distribution URL is not configured.
    The LDAP server version is wrong.
    Solution
    Make sure that the network connection is physically proper.
    Retrieve a CA certificate.
    Specify the IP address of the LDAP server.
    Specify the CRL distribution URL.
    Re-configure the LDAP version.
  • Page 886: Ssl Configuration

    SSL Configuration When configuring SSL, go to these sections for information you are interested in: SSL Overview SSL Configuration Task List Displaying and Maintaining SSL Troubleshooting SSL Overview Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, HTTP protocol.
  • Page 887: Ssl Configuration Task List

    SSL Protocol Stack As shown in Figure 74-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer. Figure 74-2 SSL protocol stack SSL handshake protocol: As a very important part of the SSL protocol stack, it is responsible for negotiating the cipher suite to be used during communication (including the symmetric encryption...
  • Page 888 Configuration Prerequisites When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain. Configuration Procedure Follow these steps to configure an SSL server policy: To do...
  • Page 889: Ssl Server Policy Configuration Example

    If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
  • Page 890
    [Switch-pki-entity-en] quit
    # Create a PKI domain and configure it.
    [Switch] pki domain 1
    [Switch-pki-domain-1] ca identifier ca1
    [Switch-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
    [Switch-pki-domain-1] certificate request from ra
    [Switch-pki-domain-1] certificate request entity en
    [Switch-pki-domain-1] quit
    # Create the local RSA key pairs.
    [Switch] public-key local create rsa
    # Retrieve the CA certificate.
  • Page 891: Configuring An Ssl Client Policy

    # Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server.
    [Sysname-radius-radius1] user-name-format without-domain
    [Sysname-radius-radius1] quit
    # Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
    [Sysname] domain aabbcc.net
    # Configure domain aabbcc.net as the default user domain.
  • Page 892: Displaying And Maintaining Ssl

    To do…                                                         Use the command…                                                                                                                           Remarks
    Specify the preferred cipher suite for the SSL client policy   prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha }   Optional. rsa_rc4_128_md5 by default
    Specify the SSL protocol version for the SSL client policy     version { ssl3.0 | tls1.0 }                                                                                                                Optional. TLS 1.0 by default
    If you enable client authentication on the server, you must request a local certificate for the client.
  • Page 893 If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client. You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy.
  • Page 894: HTTPS Configuration

    HTTPS Configuration When configuring HTTPS, go to these sections for the information you are interested in: HTTPS Overview; HTTPS Configuration Task List; Associating the HTTPS Service with an SSL Server Policy; Enabling the HTTPS Service; Associating the HTTPS Service with a Certificate Attribute Access Control Policy; Associating the HTTPS Service with an ACL; Displaying and Maintaining HTTPS...
  • Page 895: Associating the HTTPS Service with an SSL Server Policy

    Associating the HTTPS Service with an SSL Server Policy You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service. Follow these steps to associate the HTTPS service with an SSL server policy: To do…...
  • Page 896: Associating the HTTPS Service with a Certificate Attribute Access Control Policy

    Associating the HTTPS Service with a Certificate Attribute Access Control Policy Associating the HTTPS service with a configured certificate access control policy restricts which clients are granted access based on attributes of their certificates, thus providing the device with enhanced security. Follow these steps to associate the HTTPS service with a certificate attribute access control policy: To do…...
  • Page 897: HTTPS Configuration Example

    HTTPS Configuration Example Network requirements: Host acts as the HTTPS client and Device acts as the HTTPS server. Host accesses Device through the Web to control Device. The CA (Certificate Authority) issues a certificate to Device. The common name of the CA is new-ca. In this configuration example, Windows Server serves as the CA, and you need to install the Simple Certificate Enrollment Protocol (SCEP) component.
  • Page 898
        [Device] pki retrieval-certificate ca domain 1
        # Apply for a local certificate.
        [Device] pki request-certificate domain 1
    Configure an SSL server policy associated with the HTTPS service
        # Configure an SSL server policy.
        [Device] ssl server-policy myssl
        [Device-ssl-server-policy-myssl] pki-domain 1
        [Device-ssl-server-policy-myssl] client-verify enable
        [Device-ssl-server-policy-myssl] quit
    Configure a certificate access control policy...

This manual is also suitable for: 4500 26-Port, 4500 50-Port