3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
About This Manual
Organization
The 3Com Switch 4500 Family Configuration Guide is organized as follows:
Chapter 1, CLI Configuration: details how to use the command line interface.
Chapter 2, Logging In to an Ethernet Switch: details how to log in to an Ethernet switch.
Chapter 32, AAA Overview: introduces the authentication, authorization and accounting functions.
Chapter 33, AAA Configuration: details how to configure AAA.
Chapter 34, EAD Configuration: details how to configure EAD.
Chapter 35, MAC Address Authentication Configuration: details how to configure MAC address authentication.
Chapter 36, ARP Configuration: details how to configure ARP.
Chapter 67, Remote-ping Configuration: details how to configure remote-ping.
Chapter 68, IPv6 Configuration: details how to configure IPv6.
Chapter 69, IPv6 Application Configuration: details how to configure IPv6 applications.
Chapter 70, Password Control Configuration: details how to configure password control.
Chapter 71, Access Management Configuration: details how to configure access management.
3Com Switch 4500 Family Release Notes release notes, use the information in the Release Notes.
Obtaining Documentation
You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
What Is CLI? 1-1
Entering the CLI 1-1
Entering CLI Through the Console Port 1-1
Entering CLI Through Telnet 1-5
3Com Products CLI Descriptions 1-7
Command Conventions 1-7
CLI View Description 1-8
Tips on Using the CLI 1-12
Using the CLI Online Help...
Logging In Through the Web-based Network Management System 2-31
Introduction 2-32
Establishing an HTTP Connection 2-32
Configuring the Login Banner 2-33
Enabling/Disabling the WEB Server 2-34
Logging In Through NMS 2-35
Introduction 2-35
Connection Establishment Using NMS 2-35
Configuring Source IP Address for Telnet Service Packets...
Introduction to VLAN 6-1
Advantages of VLANs 6-2
VLAN Fundamentals 6-2
VLAN Interface 6-4
VLAN Classification 6-4
Port-Based VLAN 6-4
Link Types of Ethernet Ports 6-4
Assigning an Ethernet Port to Specified VLANs 6-5
Configuring the Default VLAN ID for a Port...
How an IP Phone Works 10-1
How Switch 4500 Series Switches Identify Voice Traffic 10-3
Setting the Voice Traffic Transmission Priority 10-4
Configuring Voice VLAN Assignment Mode of a Port 10-4
Support for Voice VLAN on Various Ports 10-4
Security Mode of Voice VLAN...
Introduction to Link Aggregation 13-1
Introduction to LACP 13-1
Consistency Considerations for the Ports in Aggregation 13-1
Link Aggregation Classification 13-2
Manual Aggregation Group 13-2
Static LACP Aggregation Group 13-3
Dynamic LACP Aggregation Group 13-4
Aggregation Group Categories 13-5
Link Aggregation Configuration...
Configuring the MSTP Operation Mode 20-21
Configuring the Maximum Hop Count of an MST Region 20-22
Configuring the Network Diameter of the Switched Network 20-23
Configuring the MSTP Time-related Parameters 20-23
Configuring the Timeout Time Factor 20-25
Configuring the Maximum Transmitting Rate on the Current Port...
Configuring an ip-prefix list 24-5
Displaying IP Route Policy 24-5
IP Route Policy Configuration Example 24-6
Controlling RIP Packet Cost to Implement Dynamic Route Backup 24-6
Troubleshooting IP Route Policy 24-9
25 Multicast Overview 25-1
Multicast Overview 25-1
Information Transmission in the Unicast Mode...
Configuring System Guard 31-2
Configuring System Guard Against IP Attacks 31-2
Configuring System Guard Against TCN Attacks 31-2
Enabling Layer 3 Error Control 31-3
Configuring CPU Protection 31-3
Displaying and Maintaining System Guard Configuration 31-4
32 AAA Overview 32-1
Introduction to AAA...
Displaying and Maintaining HWTACACS Protocol Configuration 33-29
AAA Configuration Examples 33-29
Remote RADIUS Authentication of Telnet/SSH Users 33-29
Local Authentication of FTP/Telnet Users 33-31
HWTACACS Authentication and Authorization of Telnet Users 33-32
Auto VLAN Configuration Example 33-33
Troubleshooting AAA...
ARP Attack Defense Configuration Task List 37-4
Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn 37-5
Configuring ARP Source MAC Address Consistency Check 37-5
ARP Packet Filtering Based on Gateway's Address 37-5
Configuring ARP Attack Detection...
Configuring BIMS Server Information for the DHCP Client 39-21
Configuring Option 184 Parameters for the Client with Voice Service 39-21
Configuring the TFTP Server and Bootfile Name for the DHCP Client 39-22
Configuring a Self-Defined DHCP Option 39-23
Configuring DHCP Server Security Functions 39-24
Prerequisites...
Specifying the Fabric Port of a Switch 47-6
Specifying the VLAN Used to Form an XRN Fabric 47-7
Setting a Unit ID for a Switch 47-8
Assigning a Unit Name to a Switch 47-9
Assigning an XRN Fabric Name to a Switch 47-9
Setting the XRN Fabric Authentication Mode...
Configuration Procedure 54-12
Configuring Optional NTP Parameters 54-13
Configuring an Interface on the Local Switch to Send NTP Messages 54-13
Configuring the Number of Dynamic Sessions Allowed on the Local Switch 54-14
Disabling an Interface from Receiving NTP Messages 54-14
Displaying NTP Configuration...
Log Output to a Linux Log Host 59-17
Log Output to the Console 59-18
Configuration Example 59-19
60 Boot ROM and Host Software Loading 60-1
Introduction to Loading Approaches 60-1
Local Boot ROM and Software Loading 60-1
BOOT Menu...
Configuration procedure 64-3
65 VLAN-VPN Configuration 65-1
VLAN-VPN Overview 65-1
Introduction to VLAN-VPN 65-1
Implementation of VLAN-VPN 65-2
Configuring the TPID for VLAN-VPN Packets 65-2
Inner-to-Outer Tag Priority Replicating and Mapping 65-3
VLAN-VPN Configuration 65-3
VLAN-VPN Configuration Task List 65-3
Enabling the VLAN-VPN Feature for a Port...
Setting LLDP Operating Mode 72-7
Setting the LLDP Re-Initialization Delay 72-7
Enabling LLDP Polling 72-8
Configuring the TLVs to Be Advertised 72-8
Configuring the Management Address 72-8
Setting Other LLDP Parameters 72-9
Setting an Encapsulation Format for LLDPDUs 72-10
Configuring CDP Compatibility...
When you use the CLI of a 3Com switch for the first time, you can log in to the switch and enter the CLI through the console port only. Follow these steps to log in to your 3Com switch and enter the CLI thro...
Figure 1-1 Use the console cable to connect your PC to your switch
Identify the interface to avoid connection errors. Because the serial port of a PC is not hot swappable, do not plug or unplug the console cable while your switch is powered on.
Figure 1-2 Connection description Then, the Connect To window as shown in Figure 1-3 appears. Select the serial port you want to use from the Connect using drop-down list, and then click OK. Figure 1-3 Specify the serial port used to establish the connection The COM1 Properties window as shown in Figure 1-4 appears.
Figure 1-4 Set the properties of the serial port The HyperTerminal window as shown in Figure 1-5 appears. Figure 1-5 The HyperTerminal window...
Telnet login as soon as possible, so that you can use a remote terminal to configure and manage your switch.
Telnet login authentication methods
In order to restrict the login to your switch, 3Com provides three Telnet login authentication methods. Select a proper method according to your network conditions.
A 3Com switch provides multiple VTY user interfaces. At one time, only one user can telnet to a VTY user interface. Because a remote terminal cannot select the VTY user interface through which it logs in to the switch, it is recommended that you configure all VTY user interfaces with the same authentication method.
[Sysname-ui-vty0-4] user privilege level 3
3Com Products CLI Descriptions
Command Conventions
Before using commands provided in 3Com product manuals, learn the command conventions to understand the command meanings. Commands in 3Com product manuals comply with the following conventions, as described in Table 1-2.
Table 1-3 lists the CLI views provided by the 3Com Switch 4500, the operations that can be performed in each CLI view, and the commands used to enter specific CLI views. Table 1-3 CLI views...
Table 1-3 (continued): view, available operation, prompt example, enter method, quit method
AUX port view (the console port): the Switch 4500 does not support configuration on port Aux1/0/0. Prompt example: [Sysname-Aux1/0/0]. Enter method: execute the interface aux 1/0/0 command in system view.
VLAN view: configure VLAN... Enter method: execute the vlan command...
Public key view: configure the RSA public key for SSH users. Prompt example: [Sysname-rsa-public-key]. Enter method: execute the rsa peer-public-key command in system view. Quit method: execute the peer-public-key end command to return to system view.
Public key view (peer): configure the RSA public key... Prompt example: [Sysname-peer-pu...]. Enter method: execute the public-key peer... command...
RADIUS scheme view: configure RADIUS scheme parameters. Prompt example: [Sysname-radius-1]. Enter method: execute the radius scheme command in system view.
ISP domain view: configure ISP domain parameters. Prompt example: [Sysname-isp-aaa123.net]. Enter method: execute the domain command in system view.
Remote-ping view: configure...
QinQ view: configure QinQ parameters. Prompt example: [Sysname-Ethernet1/0/1-vid-20]. Enter method: execute the vlan-vpn vid command in Ethernet port view. Quit method: execute the quit command to return to Ethernet port view. The vlan-vpn enable command should be executed first...
Error messages and their meaning:
% Ambiguous command found at '^' position. (Ambiguous command)
Too many parameters (Too many parameters)
% Wrong parameter found at '^' position. (Wrong parameters)
Typing and Editing Commands
Fuzzy match
The 3Com series Ethernet switches support fuzzy match for efficient input of commands.
If in the current view, the character string you have typed can already uniquely identify a keyword, you do not need to type the complete keyword. For example, in user view, commands starting with an s include save, startup saved-configuration, and system-view.
You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet. However, the up and down arrow keys are invalid in Windows 9X HyperTerminal, because they are defined differently. You can press Ctrl+P or Ctrl+N instead. Note that: The commands saved in the history command buffer are in the same format in which you typed the commands.
Action and function:
Press <PageUp>: displays the previous page.
Press <PageDown>: displays the next page.
CLI Configurations
Configuring Command Aliases
You can replace the first keyword of a command supported by the device with your preferred keyword by configuring the command alias function. For example, if you configure show as the replacement of the display keyword for each display command, you can input the command alias show xx to execute the display xx command.
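The fuzzy-match and alias rules above determine what the switch actually executes when an operator types an abbreviated or aliased command, which matters when you review terminal logs or the history buffer (which stores commands exactly as typed). The following Python script is an added example, not code from the 3Com CLI: it resolves a typed prefix against a keyword set the way the chapter describes (unique prefix accepted, several matches reported as ambiguous, exact match wins) and applies a first-keyword alias before matching. The keyword list is an illustrative assumption built from the keywords the chapter names (save, startup, system-view) plus a few others; it is not the switch's real keyword table.

```python
"""Resolve abbreviated CLI keywords and command aliases the way this chapter describes.
Added example, not code from the 3Com CLI; the keyword set below is illustrative."""

# Keywords of user view named in the chapter (save, startup, system-view) plus a few
# others for illustration; this is not the switch's full keyword list.
USER_VIEW_KEYWORDS = ("save", "startup", "system-view", "display", "quit", "super", "reset", "telnet")


class AmbiguousCommand(ValueError):
    """The typed prefix fits more than one keyword."""


class UnrecognizedCommand(ValueError):
    """The typed prefix fits no keyword."""


def resolve_keyword(typed, keywords):
    """Expand `typed` to the single keyword it abbreviates. An exact match wins outright;
    a prefix that fits several keywords is ambiguous, which the switch reports with a '%' message."""
    if typed in keywords:
        return typed
    matches = sorted(k for k in keywords if k.startswith(typed))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnrecognizedCommand(f"% Unrecognized command found at '{typed}' position.")
    raise AmbiguousCommand(f"% Ambiguous command found at '{typed}' position: {', '.join(matches)}")


def try_resolve(typed, keywords):
    """Like resolve_keyword, but return the switch-style error text instead of raising."""
    try:
        return resolve_keyword(typed, keywords)
    except (AmbiguousCommand, UnrecognizedCommand) as exc:
        return str(exc)


def resolve_command(line, keywords, aliases=None):
    """Normalise a typed command line as the switch would: replace the first keyword by its
    alias target (if one is configured), then expand the abbreviation. The remaining keywords
    are passed through unchanged because they belong to other keyword sets."""
    parts = line.split()
    if not parts:
        raise UnrecognizedCommand("empty command line")
    first = (aliases or {}).get(parts[0], parts[0])
    return " ".join([resolve_keyword(first, keywords), *parts[1:]])


if __name__ == "__main__":
    for typed in ("sy", "sa", "st", "s", "xyz"):
        print(f"{typed!r:8} -> {try_resolve(typed, USER_VIEW_KEYWORDS)}")
    print(resolve_command("show current-configuration", USER_VIEW_KEYWORDS, {"show": "display"}))
```

Because the history buffer and terminal logs keep the abbreviated form, an allow-list or audit comparison should be made against the output of resolve_command rather than against the raw typed text; otherwise "dis cur", "display cur" and an aliased "show cur" all look like different commands.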
Synchronous Information Output Synchronous information output refers to the feature that if your input is interrupted by system output, then after the completion of system output the system displays a command line prompt and your input so far, and you can continue your operations from where you were stopped. Follow these steps to enable synchronous information output: To do…...
Monitor level: involves commands for system maintenance and service fault diagnosis. Commands at this level are not allowed to be saved after being configured. After the device is restarted, the commands at this level will be restored to the default settings. Commands at this level include debugging, terminal, refresh, reset, and send.
TFTP server 192.168.0.1 and other TFTP servers.
Saving Configurations
Some commands in the CLI of 3Com switches are one-time commands, such as the display commands, which display specified information, and the reset commands, which clear specified information. These commands are executed once only and are not saved when the switch reboots.
Supported User Interfaces
The auxiliary (AUX) port and the console port of a 3Com low-end and mid-range Ethernet switch are the same port (referred to as the console port in the following part). You will be in the AUX user interface if you log in through this port.
The absolute AUX user interfaces are numbered 0 through 7. VTY user interface indexes follow AUX user interface indexes. The first absolute VTY user interface is numbered 8, the second is 9, and so on. A relative user interface index can be obtained by appending a number to the identifier of a user interface type.
To do… / Use the command… / Remarks
Display the physical attributes and configuration of the current or a specified user interface: display user-interface [ type number | number ]
Display information about the current web users: display web users
Logging In Through the Console Port
Go to these sections for information you are interested in: Introduction; Logging In Through the Console Port...
Figure 2-1 Diagram for connecting to the console port of a switch If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 9X/Windows 2000/Windows XP. The following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through...
Figure 2-4 Set port parameters Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key. You can then configure the switch or check the information about the switch by executing the corresponding commands.
Configuration / Remarks
Set the maximum number of lines the screen can contain: Optional. By default, the screen can contain up to 24 lines.
Set the history command buffer size: Optional. By default, the history command buffer can contain up to 10 commands.
Set the timeout time of a user interface: Optional. ...
Authentication mode / Console port login configuration / Remarks
Specify to perform local authentication or remote RADIUS authentication: the AAA configuration specifies whether to perform local authentication or RADIUS authentication. Optional. Local authentication is performed by default. Refer to the AAA part for more.
To do… / Use the command… / Remarks
Set the check mode: parity { even | none | odd }. Optional. By default, the check mode of a console port is none, that is, no check is performed.
Set the stop bits: stopbits { 1 | 1.5 | 2 }. Optional. The stop bits of a console port is 1 by default.
The baud rate of the console port is 19,200 bps.
The screen can contain up to 30 lines.
The history command buffer can contain up to 20 commands.
The timeout time of the AUX user interface is 6 minutes.
Network diagram
Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none)
Configuration procedure...
To do… / Use the command… / Remarks
Enter system view: system-view
Enter AUX user interface view: user-interface aux 0
Configure to authenticate users using the local password: authentication-mode password. Required. By default, users logging in to a switch through the console port are not authenticated;...
To do… / Use the command… / Remarks
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed...
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to the AUX user interface.
[Sysname-ui-aux0] user privilege level 2
# Set the baud rate of the console port to 19,200 bps.
To do… / Use the command… / Remarks
Specify the service type for AUX users: service-type terminal [ level level ]. Required.
Quit to system view: quit
Enter AUX user interface view: user-interface aux 0
Configure the authentication mode: authentication-mode ... Required. The specified AAA scheme determines whether to authenticate users locally or...
To do… / Use the command… / Remarks
Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional. The default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user...
<Sysname> system-view
# Create a local user named guest and enter local user view.
[Sysname] local-user guest
# Set the authentication password to 123456 (in plain text).
[Sysname-luser-guest] password simple 123456
# Set the service type to Terminal and specify that commands of level 2 are available to users logging in to the AUX user interface.
Table 2-5 Requirements for Telnetting to a switch
Item: Switch. Requirement: the IP address is configured for the VLAN of the switch, and the route between the switch and the Telnet terminal is reachable. (Refer to the IP Address Configuration, IP Performance Configuration and Routing Protocol parts for more.) The authentication mode and other settings are configured.
Telnet Configurations for Different Authentication Modes
Table 2-7 Telnet configurations for different authentication modes
Authentication mode / Telnet configuration / Description
None: perform common configuration. Perform common Telnet configuration. Optional. Refer to Table 2-6.
Password: configure the password. Configure the password for local authentication. Required. ...
Telnet Configuration with Authentication Mode Being None
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being none:
To do… / Use the command… / Remarks
Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty ...
Note that if you configure not to authenticate the users, the command level available to users logging in to a switch depends on the user privilege level level command.
Configuration Example
Network requirements
Assume the current user logs in through the console port, and the current user level is set to the administrator level (level 3).
To do… / Use the command… / Remarks
Enter system view: system-view
Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]
Configure to authenticate users logging in to VTY user interfaces using the local password: authentication-mode password. Required.
Set the local password: set authentication password ...
Configuration Example
Network requirements
Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet. Authenticate users using the local password. Set the local password to 123456 (in plain text).
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being scheme:
To do… / Use the command… / Remarks
Enter system view: system-view
Enter the default ISP domain view: domain domain-name. Optional. By default, the local AAA scheme is applied.
To do… / Use the command… / Remarks
Set the maximum number of lines the screen can contain: screen-length screen-length. Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Scenario (authentication mode, user type, command) / Command level
Scheme authentication, VTY users: the user privilege level level command is not executed, and the service-type command does not specify the available command level. Command level: Level 0.
Scheme authentication, VTY users: the user privilege level level command is not executed, and the service-type command specifies the available command level. Command level: ...
Configure to authenticate users logging in to VTY 0 in scheme mode.
Only the Telnet protocol is supported in VTY 0.
The screen can contain up to 30 lines.
The history command buffer can store up to 20 commands.
The timeout time of VTY 0 is 6 minutes.
Network diagram
Figure 2-10 Network diagram for Telnet configuration (with the authentication mode being scheme)
Configuration procedure...
Figure 2-11 Diagram for establishing connection to a console port Launch a terminal emulation utility (such as Terminal in Windows 3.X or HyperTerminal in Windows 95/Windows 98/Windows NT/Windows 2000/Windows XP) on the PC terminal, with the baud rate set to 19,200 bps, data bits set to 8, parity check set to none, and flow control set to none. Turn on the switch and press Enter as prompted.
<Sysname>) appears if the password is correct. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message "All user interfaces are used, please try later!". A 3Com Ethernet switch can accommodate up to five Telnet connections at the same time.
Logging In Using a Modem Go to these sections for information you are interested in: Introduction Configuration on the Switch Side Modem Connection Establishment Introduction The administrator can log in to the console port of a remote switch using a modem through public switched telephone network (PSTN) if the remote switch is connected to the PSTN through a modem to configure and maintain the switch remotely.
The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
Figure 2-15 Establish the connection by using modems Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 2-16 through Figure 2-18. Note that you need to set the telephone number to that of the modem directly connected to the switch.
Figure 2-17 Set the telephone number Figure 2-18 Call the modem If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt appears. You can then configure or manage the switch. You can also enter the character ? at anytime for help.
Introduction Switch 4500 has a Web server built in. It enables you to log in to an Ethernet switch through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server. To log in to a Switch 4500 through the built-in Web-based network management system, you need to perform the related configuration on both the switch and the PC operating as the network management terminal.
When the login authentication interface (as shown in Figure 2-20) appears, enter the user name and the password configured in step 2 and click <Login> to bring up the main page of the Web-based network management system. Figure 2-20 The login page of the Web-based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command, when a user logs in through Web, the banner...
# Enter system view.
<Sysname> system-view
# Configure the banner Welcome to be displayed when a user logs in to the switch through the Web.
[Sysname] header login %Welcome%
Assume that a route is available between the user terminal (the PC) and the switch. After the above-mentioned configuration, if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press <Enter>, the browser will display the banner page, as shown in...
Logging In Through NMS Go to these sections for information you are interested in: Introduction Connection Establishment Using NMS Introduction You can also log in to a switch through a network management station (NMS), and then configure and manage the switch through the agent module on the switch. Simple network management protocol (SNMP) is applied between the NMS and the agent.
Overview You can configure the source IP address for Telnet service packets for a Switch 4500 operating as a Telnet client. The IP address can only be the IP address of a Layer 3 interface on the switch. Figure 2-24 Specify source IP address for Telnet service packets As shown in Figure 2-24, suppose you are going to telnet to Switch B from PC.
Displaying Source IP Address Configuration
To do… / Use the command… / Remarks
Display the source IP address configured for the Telnet service packets: display telnet source-ip. Available in any view.
User Control
Go to these sections for information you are interested in: Introduction; Controlling Telnet Users; Controlling Network Management Users by Source IP Addresses; Controlling Web Users by Source IP Address. Refer to the ACL part for information about ACLs.
Introduction
You can control users logging in through Telnet, SNMP and the Web by...
Controlling Telnet Users
Prerequisites
The controlling policy against Telnet users is determined, including the source IP addresses, destination IP addresses and source MAC addresses to be controlled and the controlling actions (permitting or denying).
Controlling Telnet Users by Source IP Addresses
Controlling Telnet users by source IP addresses is...
To do… / Use the command… / Remarks
Enter user interface view: user-interface [ type ] first-number [ last-number ]
Apply the ACL to control Telnet users by the specified addresses: acl acl-number { inbound | ... }. Required. The inbound keyword specifies to filter the users trying to Telnet to the current switch.
Network diagram
Figure 3-1 Network diagram for controlling Telnet users using ACL
Configuration procedure
# Define a basic ACL.
<Sysname> system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Controlling Network Management Users by Source IP Addresses
You can manage an Ethernet switch through network management software.
To do… / Use the command… / Remarks
Create a basic ACL or enter basic ACL view: acl number acl-number [ match-order { auto | config } ]. As for the acl number command, the config keyword is specified by default.
Define rules for the ACL: rule [ rule-id ] { deny | permit } [ rule-string ]. Required.
Quit to system view...
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL to permit only SNMP users sourced from the IP address 10.110.100.52 to access the switch.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000
Controlling Web Users by Source IP Address...
To do… / Use the command… / Remarks
Disconnect a Web user by force: free web-users { all | user-id user-id | user-name user-name }. Required. Available in user view.
Configuration Example
Network requirements
Only the Web users sourced from the IP address 10.110.100.52 are permitted to access the switch.
Network diagram
Figure 3-3 Network diagram for controlling Web users using ACLs
Configuration procedure...
Switching User Level
Overview
Users can switch their user privilege level temporarily without logging out and disconnecting the current connection; after the switch, users can continue to configure the device without logging in and being authenticated again, but the commands that they can execute have changed. For example, if the current user privilege level is 3, the user can configure system parameters;...
To do… / Use the command… / Remarks
Enter system view: system-view
Enter user interface view: user-interface [ type ] first-number [ last-number ]
Specify super password authentication: super authentication-mode super-password. Optional.
Specify HWTACACS authentication: super authentication-mode scheme. Optional. These configurations will take effect on ...
Specify the...
Follow these steps to set a password for user level switching:
To do… / Use the command… / Remarks
Enter system view: system-view
Set the super password for user level switching: super password [ level level ] { cipher | simple } password. Required. The configuration will take effect on all user interfaces. By default, the super password...
Switching to a specific user level
Follow these steps to switch to a specific user level:
To do… / Use the command… / Remarks
Switch to a specified user level: super [ level ]. Required. Execute this command in user view. If no user level is specified in the super password command or the super command, level 3 is used by default.
HWTACACS authentication configuration example The administrator configures the user level switching authentication policies. # Configure a HWTACACS authentication scheme named acs, and specify the user name and password used for user level switching on the HWTACACS server defined in the scheme. Refer to AAA Operation for detailed configuration procedures.
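The authentication-mode, local password, super password and ACL settings described in the console, Telnet, user-control and user-level-switching sections above are exactly what an auditor checks in an exported configuration. The following Python script is an added example, not 3Com code: it groups the commands of a configuration dump by CLI view and flags the weak settings this guide warns about (a user interface with authentication-mode none, passwords stored with the simple keyword, an SNMP community or VTY interface without an ACL, an ACL that permits more than a single host). The two sample configurations are constructed in the style of the guide's commands and are not captures from a real switch; the cipher strings are placeholders, and the treatment of idle-timeout 0 as "timer disabled" is taken from Comware CLI behaviour rather than from this page.

```python
"""Audit a 3Com Switch 4500-style configuration dump for weak management-plane settings.
Added example, not 3Com code; the sample configurations are constructed (cipher strings are placeholders)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity view message")
VIEW_OPENERS = ("user-interface ", "local-user ", "acl number ")   # lines that open a sub-view in the dump

WEAK_CONFIG = """\
local-user admin
 password simple 123456
#
snmp-agent community read public
#
user-interface aux 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode password
 set authentication password simple 123456
 idle-timeout 0 0
"""

HARDENED_CONFIG = """\
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 deny
#
local-user admin
 password cipher PLACEHOLDER-CIPHERTEXT
#
snmp-agent community read aaa acl 2000
#
user-interface aux 0
 authentication-mode password
 set authentication password cipher PLACEHOLDER-CIPHERTEXT
user-interface vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 idle-timeout 6
"""

def parse_views(config_text):
    """Group commands by CLI view: a VIEW_OPENERS line opens a view, '#' returns to system view."""
    views = [("system", [])]
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            views.append(("system", []))
        elif line.startswith(VIEW_OPENERS):
            views.append((line, []))
        elif line:
            views[-1][1].append(line)
    return views

def check_acl(acls, number, view):
    """A management ACL should permit single hosts only (source with a 0 wildcard, as in the chapter)."""
    rules = acls.get(number)
    if rules is None:
        return [Finding("medium", view, f"ACL {number} is referenced but not defined")]
    out = []
    for rule in rules:
        m = re.fullmatch(r"rule(?: \d+)? permit(?: source (\S+) (\S+))?", rule)
        if m and (m.group(1) is None or m.group(2) != "0"):
            out.append(Finding("medium", view, f"ACL {number}: '{rule}' permits more than one host"))
    return out

def audit(config_text):
    """Return the list of Findings for one configuration dump."""
    views = parse_views(config_text)
    acls = {v.split()[2]: cmds for v, cmds in views if v.startswith("acl number ")}
    findings = []
    for view, cmds in views:
        for cmd in cmds:
            if re.search(r"\bpassword simple\b", cmd):   # local-user, set authentication, super password
                findings.append(Finding("high", view, f"plain-text password: '{cmd}'"))
            if cmd == "authentication-mode none":
                findings.append(Finding("high", view, "login without authentication"))
            if re.fullmatch(r"idle-timeout 0(?: 0)?", cmd):   # 0 disables the timer (Comware behaviour, assumed)
                findings.append(Finding("medium", view, "idle timeout disabled; idle sessions are never closed"))
            m = re.fullmatch(r"snmp-agent community (?:read|write) (\S+)(?: acl (\d+))?", cmd)
            if m:
                community, acl_num = m.groups()
                if community.lower() in ("public", "private"):
                    findings.append(Finding("high", view, f"well-known SNMP community '{community}'"))
                if acl_num is None:
                    findings.append(Finding("medium", view, f"SNMP community '{community}' not restricted by ACL"))
                else:
                    findings.extend(check_acl(acls, acl_num, view))
        if view.startswith("user-interface vty"):
            acl_cmd = next((c for c in cmds if c.startswith("acl ") and c.endswith(" inbound")), None)
            if acl_cmd is None:
                findings.append(Finding("medium", view, "no inbound ACL; any source address may open a session"))
            else:
                findings.extend(check_acl(acls, acl_cmd.split()[1], view))
    return findings

def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 3}."""
    return dict(Counter(f.severity for f in findings))

if __name__ == "__main__":
    print(summarize(audit(WEAK_CONFIG)), summarize(audit(HARDENED_CONFIG)))
```

Run against the weak sample the script reports four high findings (plain-text local-user and VTY passwords, the public community, the unauthenticated AUX interface) and three medium ones (no ACL on the community, no ACL on the VTYs, disabled idle timer); the hardened sample is clean because every password uses cipher, both the community and the VTYs are bound to ACL 2000, and that ACL permits only the single host 10.110.100.52 before denying the rest. The view grouping is deliberately simple (three openers and the '#' separator) and would need extending for other sub-views such as radius scheme or domain.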
Configuration File Management
When configuring configuration file management, go to these sections for information you are interested in: Introduction to Configuration File; Configuration Task List.
Introduction to Configuration File
A configuration file records and stores user configurations performed on a switch. It also enables users to check switch configurations easily.
When saving the current configuration, you can specify the file to be a main, backup or normal configuration file. When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both the main and backup attributes, you can specify to erase the main or backup attribute of the file.
Modes in saving the configuration Fast saving mode. This is the mode when you use the save command without the safely keyword. The mode saves the file quicker but is likely to lose the original configuration file if the switch reboots or the power fails during the process.
Use the fast saving mode where power is stable, and the safe mode where power is unstable or during remote maintenance. If you use the save command after a fabric is formed on the switch, each unit in the fabric saves its own startup configuration file automatically.
You can specify a configuration file to be used for the next startup and configure the main/backup attribute for the configuration file. Assigning main attribute to the startup configuration file If you save the current configuration to the main configuration file, the system will automatically set the file as the main startup configuration file.
VLAN Overview
This chapter covers these topics: VLAN Overview; Port-Based VLAN.
VLAN Overview
Introduction to VLAN
The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
Figure 6-1 A VLAN implementation Advantages of VLANs Compared with traditional Ethernet technology, VLAN technology delivers the following benefits: Confining broadcast traffic within individual VLANs. This saves bandwidth and improves network performance. Improving LAN security. By assigning user groups to different VLANs, you can isolate them at Layer 2.
A VLAN tag comprises four fields: tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID. The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN tagged. On the 3Com series Ethernet switches, the default TPID is 0x8100.
Currently, the Switch 4500 supports the IVL mode only. For more information about the MAC address forwarding table, refer to the “MAC Address Forwarding Table Management” part of the manual. VLAN Interface Hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used to do Layer 3 forwarding.
The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch. An access port can be assigned to only one VLAN, while a hybrid or trunk port can be assigned to multiple VLANs.
Table 6-3 Packet processing of a hybrid port
Incoming untagged packet: If the port has already been added to its default VLAN, ...
Incoming tagged packet: If the VLAN ID is one of the VLAN IDs allowed to pass...
Outgoing packet: Send the packet if the VLAN ID...
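The tag layout described earlier (TPID 0x8100, 3-bit priority, CFI, 12-bit VLAN ID) and the hybrid-port decisions summarized in Table 6-3, worked through as an added example. This is illustration code written for this page, not switch firmware or 3Com code: the HybridPort class, the frame builder and the sample frames are constructed here, and the model covers only the cases the table lists (untagged packets go to the default VLAN only if the port has been added to it; tagged packets pass only for permitted VLANs; on egress the tag is stripped or kept depending on which list the VLAN is in).

```python
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100  # TPID that marks a frame as VLAN-tagged (the switch default)


@dataclass(frozen=True)
class Tag:
    priority: int  # 3-bit 802.1p priority
    cfi: int       # 1-bit canonical format indicator
    vid: int       # 12-bit VLAN ID


def parse_tag(frame: bytes):
    """Return the 802.1Q Tag of an Ethernet frame, or None if it is untagged.

    The tag follows the 12-byte destination/source MAC pair: a 16-bit TPID
    and a 16-bit TCI laid out as priority:3, CFI:1, VID:12."""
    if len(frame) < 16:
        raise ValueError("frame too short to carry an Ethernet header")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return Tag(priority=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)


def build_frame(dst: str, src: str, vid=None, priority=0, payload=b"\x00" * 46) -> bytes:
    """Construct a minimal IPv4-typed Ethernet frame; tagged when vid is given.
    MACs are 12 hex digits. Constructed test data, not captured traffic."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    if vid is not None:
        frame += struct.pack("!HH", TPID_8021Q, (priority << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", 0x0800) + payload


def add_tag(frame: bytes, vid: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses of an untagged frame."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (priority << 13) | vid) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag of a tagged frame."""
    return frame[:12] + frame[16:]


@dataclass
class HybridPort:
    """Hypothetical model of one hybrid port (illustration only)."""
    pvid: int
    tagged: set = field(default_factory=set)    # VLANs sent with the tag kept
    untagged: set = field(default_factory=set)  # VLANs sent with the tag removed

    def permitted(self, vid: int) -> bool:
        return vid in self.tagged or vid in self.untagged

    def ingress(self, frame: bytes):
        """VLAN the frame is forwarded in, or None if the port drops it."""
        tag = parse_tag(frame)
        if tag is None:
            # Untagged: assigned to the default VLAN, but only if the port has
            # actually been added to that VLAN; otherwise the frame is dropped.
            return self.pvid if self.permitted(self.pvid) else None
        return tag.vid if self.permitted(tag.vid) else None

    def egress(self, vid: int, frame: bytes):
        """Frame as it leaves the port for VLAN vid, or None if not sent."""
        tagged = parse_tag(frame) is not None
        if vid in self.untagged:
            return strip_tag(frame) if tagged else frame
        if vid in self.tagged:
            return frame if tagged else add_tag(frame, vid)
        return None  # VLAN not permitted on this port
```

The security-relevant edge case is the untagged path: a port whose default VLAN has not been added to its VLAN list silently drops untagged traffic, which is easy to mistake for a cabling fault when the real cause is a missing `port hybrid vlan … untagged` entry.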
VLAN Configuration
When configuring a VLAN, go to these sections for information you are interested in: VLAN Configuration; Configuring a Port-Based VLAN.
VLAN Configuration
VLAN Configuration Task List
Complete the following tasks to configure VLAN: Task / Remarks. Basic VLAN Configuration: Required...
VLAN 1 is the system default VLAN; it need not be created and cannot be removed. The VLAN you create in the way described above is a static VLAN. The switch also has dynamic VLANs, which are registered through GVRP. For details, refer to the “GVRP” part of this manual.
The operation of enabling/disabling a VLAN’s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.
Displaying VLAN Configuration
Display the VLAN interface information: display interface Vlan-interface [ vlan-id ] (Available in any view.)
To change the link type of a port from trunk to hybrid or vice versa, you must set the link type to access first. You can use the port link-type xrn-fabric command to configure fabric ports. For information about this command, refer to the XRN Fabric module in this manual. Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view.
Assign the specified access port or ports to the current VLAN: port interface-list (Required. By default, all ports belong to VLAN 1.)
Configuring the Default VLAN for a Port
Because an access port can belong to its default VLAN only, there is no need for you to configure the default VLAN for an access port.
Configure VLAN interfaces for the two VLANs on Switch A for forwarding data from PC 1 to Server 2 at Layer 3. Network diagram Figure 7-1 Network diagram for VLAN configuration Configuration procedure Configure Switch A. # Create VLAN 100, specify its descriptive string as Dept1, and add Ethernet 1/0/1 to VLAN 100. <SwitchA>...
# Create VLAN 200, specify its descriptive string as Dept2, and add Ethernet 1/0/11 and Ethernet 1/0/12 to VLAN 200. [SwitchB] vlan 200 [SwitchB-vlan200] description Dept2 [SwitchB-vlan200] port Ethernet1/0/11 Ethernet 1/0/12 [SwitchB-vlan200] quit Configure the link between Switch A and Switch B. Because the link between Switch A and Switch B needs to transmit data of both VLAN 100 and VLAN 200, you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports.
IP Addressing Configuration
When configuring IP addressing, go to these sections for information you are interested in: IP Addressing Overview; Configuring IP Addresses; Displaying IP Addressing Configuration; IP Address Configuration Examples.
IP Addressing Overview
IP Address Classes
IP addressing uses a 32-bit address to identify each host on a network.
Table 8-1 IP address classes and ranges (Class / Address range / Description)
Address 0.0.0.0 means “this host on this network”. This address is used by a host at bootstrap when it does not know its IP address. This address is never a valid destination address.
Subnetting adds an additional level, the subnet ID, to the two-level hierarchy of IP addressing; IP routing now involves three steps: delivery to the site, delivery to the subnet, and delivery to the host. In the absence of subnetting, some special addresses, such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones, are not assignable to hosts.
You can assign at most five IP addresses to an interface, among which one is the primary IP address and the others are secondary IP addresses. A newly specified primary IP address overwrites the previous one if there is any. The primary and secondary IP addresses of an interface cannot reside on the same network segment;...
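The address-class and subnetting rules above, together with the per-interface rules (at most five addresses, a new primary replacing the old one, primary and secondaries on distinct segments), carried through as an added example. This is illustration code written for this page, not switch code: the VlanInterface class is a hypothetical model of the `ip address … [ sub ]` behaviour the text describes, and the sample addresses are constructed. Note that it treats “same network segment” as overlapping networks, which is a strict reading of the rule.

```python
import ipaddress

MAX_ADDRESSES_PER_INTERFACE = 5  # one primary plus up to four secondaries


def address_class(addr: str) -> str:
    """Classful designation (A-E) from the leading bits of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0x80 == 0:
        return "A"
    if first_octet & 0xC0 == 0x80:
        return "B"
    if first_octet & 0xE0 == 0xC0:
        return "C"
    if first_octet & 0xF0 == 0xE0:
        return "D"
    return "E"


def host_assignable(addr_with_mask: str) -> bool:
    """Reject addresses the text says are not assignable to hosts: the
    all-zeros host ID (network address), the all-ones host ID (directed
    broadcast), 0.0.0.0 and the loopback range."""
    iface = ipaddress.IPv4Interface(addr_with_mask)
    if iface.ip.is_unspecified or iface.ip.is_loopback:
        return False
    if iface.network.prefixlen >= 31:
        return True  # /31 and /32 have no all-zeros/all-ones host IDs
    return iface.ip not in (iface.network.network_address,
                            iface.network.broadcast_address)


class VlanInterface:
    """Hypothetical model of 'ip address ... [ sub ]' on a VLAN interface."""

    def __init__(self):
        self.primary = None
        self.secondaries = []

    def addresses(self):
        return ([self.primary] if self.primary else []) + self.secondaries

    def ip_address(self, addr_with_mask: str, sub: bool = False):
        """Configure a primary (default) or secondary (sub=True) address.
        Returns the resulting address list as strings; raises ValueError
        when the request breaks one of the rules above."""
        new = ipaddress.IPv4Interface(addr_with_mask)
        if not host_assignable(addr_with_mask):
            raise ValueError(f"{addr_with_mask} is not a valid host address")
        # A new primary replaces the old one, so it is checked only against
        # the secondaries; a new secondary is checked against everything.
        others = self.addresses() if sub else self.secondaries
        for existing in others:
            if existing.network.overlaps(new.network):
                raise ValueError(f"{new} is on the same segment as {existing}")
        if sub:
            if len(self.addresses()) >= MAX_ADDRESSES_PER_INTERFACE:
                raise ValueError("at most five addresses per interface")
            self.secondaries.append(new)
        else:
            self.primary = new
        return [str(a) for a in self.addresses()]


def accepted(iface: VlanInterface, addr_with_mask: str, sub: bool = False) -> bool:
    """True if the interface accepts the address under the rules above."""
    try:
        iface.ip_address(addr_with_mask, sub)
        return True
    except ValueError:
        return False
```

The check that matters operationally is the segment-overlap test: two addresses on one segment give the switch two candidate next-hop interfaces for the same destination, which is why the manual forbids it rather than merely discouraging it.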
Network diagram Figure 8-3 Network diagram for IP address configuration Configuration procedure # Configure an IP address for VLAN-interface 1. <Switch> system-view [Switch] interface Vlan-interface 1 [Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0 IP Address Configuration Example II Network requirements As shown in Figure 8-4, VLAN-interface 1 on a switch is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
# Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24. # Ping a host on the subnet 172.16.1.0/24 from the switch to check the connectivity.
# Execute the ping host.com command to verify that the device can use static domain name resolution to get the IP address 10.1.1.2 corresponding to host.com.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=127 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=127 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=127 time=2 ms...
IP Performance Optimization Configuration
When configuring IP performance, go to these sections for information you are interested in: IP Performance Overview; Configuring IP Performance; Displaying and Maintaining IP Performance Configuration.
IP Performance Overview
Introduction to IP Performance Configuration
In some network environments, you need to adjust the IP parameters to achieve best network...
terminated. If FIN packets are received, the TCP connection state changes to TIME_WAIT. If non-FIN packets are received, the system restarts the timer from receiving the last non-FIN packet. The connection is broken after the timer expires.
Size of TCP receive/send buffer
Follow these steps to configure TCP attributes:...
In a secure network, you can cancel the system-defined ACLs for ICMP attack guard, and thus increase the available ACL resources. Follow these steps to cancel the system-defined ACLs for ICMP attack guard:
To do… / Use the command… / Remarks
Enter system view: system-view...
Clear IP traffic statistics: reset ip statistics
Clear TCP traffic statistics: reset tcp statistics
Clear UDP traffic statistics: reset udp statistics
(All three are available in user view.)...
Voice VLAN Configuration
When configuring voice VLAN, go to these sections for information you are interested in: Voice VLAN Overview; Voice VLAN Configuration; Displaying and Maintaining Voice VLAN; Voice VLAN Configuration Example.
Voice VLAN Overview
Voice VLANs are VLANs configured specially for voice traffic. By adding the ports connected with voice devices to voice VLANs, you can have voice traffic transmitted within voice VLANs and perform QoS-related configuration for voice traffic as required, thus ensuring the transmission priority of voice...
Refer to DHCP Operation for information about the Option 184 field. The following describes the way an IP phone acquires an IP address. Figure 10-1 Network diagram for IP phones As shown in Figure 10-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission.
Setting the Voice Traffic Transmission Priority
In order to improve the transmission quality of voice traffic, the switch by default re-marks the priority of the traffic in the voice VLAN as follows: set the CoS (802.1p) priority to 6; set the DSCP value to 46.
Configuring Voice VLAN Assignment Mode of a Port
A po...
Table 10-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically (Voice VLAN assignment mode / Voice traffic type / Port type / Supported or not)
Tagged voice traffic, access port: Not supported.
Tagged voice traffic, trunk port: Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of...
VLAN-tagged packets to consume the voice VLAN bandwidth, affecting normal voice communication. 3Com series switches provide the security mode for voice VLAN to address this problem. When the voice VLAN works in security mode, the switch checks the source MAC address of each packet to enter the voice VLAN and drops the packets whose source MAC addresses do not match the OUI list.
Voice VLAN mode / Packet type / Processing method
Packet carrying the voice VLAN tag: If the source MAC address matches the OUI list, the packet is transmitted in the voice VLAN. Otherwise, the packet is dropped.
Packet carrying any other VLAN tag: The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN.
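The security-mode check described above (source MAC compared against the OUI list, non-matching packets dropped) and the default re-marking of admitted voice traffic (CoS 6, DSCP 46), worked through as an added example. This is illustration code written for this page, not switch code: the two OUI entries are the Polycom and 3Com rows shown in the `display voice vlan oui` output later in this chapter, the Packet class and the process() function are hypothetical, and the sample packets are constructed. In normal (non-security) mode the model admits every packet carrying the voice VLAN tag, which is exactly the exposure the security mode exists to close.

```python
from dataclasses import dataclass, replace

VOICE_COS = 6    # default 802.1p priority applied to voice VLAN traffic
VOICE_DSCP = 46  # default DSCP applied to voice VLAN traffic


def mac_to_int(mac: str) -> int:
    """Accept '00e0-7500-0000' (switch display style) or '00:e0:75:00:00:00'."""
    return int(mac.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True)
class OuiEntry:
    address: int
    mask: int
    description: str


# Sample OUI list: the two entries visible in the display output in this
# chapter. The mask selects the vendor prefix (first 24 bits).
OUI_LIST = (
    OuiEntry(mac_to_int("00e0-7500-0000"), mac_to_int("ffff-ff00-0000"), "Polycom phone"),
    OuiEntry(mac_to_int("00e0-bb00-0000"), mac_to_int("ffff-ff00-0000"), "3Com phone"),
)


def matches_oui(src_mac: str, oui_list=OUI_LIST):
    """Description of the matching OUI entry, or None if no entry matches."""
    src = mac_to_int(src_mac)
    for entry in oui_list:
        if src & entry.mask == entry.address:
            return entry.description
    return None


@dataclass(frozen=True)
class Packet:
    src_mac: str
    vid: int       # VLAN ID carried in the packet's tag
    cos: int = 0
    dscp: int = 0


def process(pkt: Packet, voice_vid: int, security_mode: bool, port_vlans: set):
    """Decide what the switch does with a tagged packet arriving on a port.

    Returns (action, packet) where action is 'voice' (admitted to the voice
    VLAN and re-marked), 'forward' (other VLAN the port carries) or 'drop'."""
    if pkt.vid == voice_vid:
        if security_mode and matches_oui(pkt.src_mac) is None:
            return "drop", pkt          # source MAC not in the OUI list
        return "voice", replace(pkt, cos=VOICE_COS, dscp=VOICE_DSCP)
    # Any other VLAN tag: depends only on whether the port carries that VLAN
    return ("forward" if pkt.vid in port_vlans else "drop"), pkt
```

Because the match is a prefix comparison, any host that sets its MAC to a listed vendor prefix passes the check; the OUI list keeps accidental traffic out of the voice VLAN but is not an authentication control.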
Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
Enter Ethernet port view: interface interface-type interface-number (Required)
Enable the voice VLAN function on a port: voice vlan enable (Required. By default, voice VLAN is disabled on a port.)
Set the voice VLAN aging timer: voice vlan aging minutes (Optional. The default aging timer is 1,440 minutes.)
Enable the voice VLAN function globally: voice vlan vlan-id enable (Required)
Enter port view: interface interface-type interface-number (Required)
Required...
VLAN. If you have to do so, make sure that the voice VLAN does not operate in security mode. The voice VLAN legacy feature realizes the communication between 3Com device and other vendor's voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors’...
Voice VLAN Configuration Example Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode) Network requirements Create a voice VLAN and configure it to operate in automatic voice VLAN assignment mode to enable the port to which an IP phone is connected to join or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN.
# Configure Ethernet 1/0/1 as a hybrid port. [DeviceA-Ethernet1/0/1] port link-type hybrid # Configure VLAN 6 as the default VLAN of Ethernet 1/0/1, and configure Ethernet 1/0/1 to permit packets with the tag of VLAN 6. [DeviceA-Ethernet1/0/1] port hybrid pvid vlan 6 [DeviceA-Ethernet1/0/1] port hybrid vlan 6 tagged # Enable the voice VLAN function on Ethernet 1/0/1.
Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone
# Display the status of the current voice VLAN.
<DeviceA> display voice vlan status
Voice Vlan status: ENABLE
Voice Vlan ID: 2
Voice Vlan security mode: Security
Voice Vlan aging time: 1440 minutes...
GVRP Configuration
When configuring GVRP, go to these sections for information you are interested in: Introduction to GVRP; GVRP Configuration; Displaying and Maintaining GVRP; GVRP Configuration Example.
Introduction to GVRP
GARP VLAN registration protocol (GVRP) is an implementation of generic attribute registration protocol (GARP).
GARP timers Timers determine the intervals of sending different types of GARP messages. GARP defines four timers to control the period of sending GARP messages. Hold: When a GARP entity receives a piece of registration information, it does not send out a Join message immediately.
Figure 11-1 Format of GARP packets
The following table describes the fields of a GARP packet.
Table 11-1 Description of GARP packet fields (Field / Description / Value)
Protocol ID: Protocol ID.
Message: Each message consists of two parts: Attribute Type and... (Value: none)...
GVRP As an implementation of GARP, GARP VLAN registration protocol (GVRP) maintains dynamic VLAN registration information and propagates the information to the other switches through GARP. With GVRP enabled on a device, the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information, including the information about the VLAN members, the ports through which the VLAN members can be reached, and so on.
Enter system view: system-view
Enable GVRP globally: gvrp (Required. By default, GVRP is disabled globally.)
Enter Ethernet port view: interface interface-type interface-number
Enable GVRP on the port: gvrp (Required. By default, GVRP is disabled on the port.)
Table 11-2 Relations between the timers (Timer / Lower threshold / Upper threshold)
Hold: lower threshold 10 centiseconds; upper threshold less than or equal to one-half of the timeout time of the Join timer. You can change this upper threshold by changing the timeout time of the Join timer.
Displaying and Maintaining GVRP
Display GARP statistics: display garp statistics [ interface interface-list ]
Display the settings of the GARP timers: display garp timer [ interface interface-list ]
Display GVRP statistics: display gvrp statistics [ interface interface-list ]
(All available in any view.)...
[SwitchA-Ethernet1/0/1] port link-type trunk [SwitchA-Ethernet1/0/1] port trunk permit vlan all # Enable GVRP on Ethernet1/0/1. [SwitchA-Ethernet1/0/1] gvrp [SwitchA-Ethernet1/0/1] quit # Configure Ethernet1/0/2 to be a trunk port and to permit the packets of all the VLANs. [SwitchA] interface Ethernet 1/0/2 [SwitchA-Ethernet1/0/2] port link-type trunk [SwitchA-Ethernet1/0/2] port trunk permit vlan all # Enable GVRP on Ethernet1/0/2.
The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch B. [SwitchB] display vlan dynamic Total 3 dynamic VLAN exist(s). The following dynamic VLANs exist: 5, 7, 8, # Display the VLAN information dynamically registered on Switch E. [SwitchE] display vlan dynamic Total 1 dynamic VLAN exist(s).
5, 8,
# Display the VLAN information dynamically registered on Switch E.
[SwitchE] display vlan dynamic
No dynamic vlans exist!
Port Basic Configuration
When performing basic port configuration, go to these sections for information you are interested in: Ethernet Port Configuration; Ethernet Port Configuration Example; Troubleshooting Ethernet Port Configuration.
Ethernet Port Configuration
Combo Port Configuration
Introduction to Combo port
A Combo port can operate as either an optical port or an electrical port.
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Enable the Ethernet port: undo shutdown (Optional. By default, the port is enabled. Use the shutdown command to disable the port.)
Follow these steps to configure auto-negotiation speeds for a port:
Enter system view: system-view
Enter Ethernet interface view: interface interface-type interface-number
Configure the available speed(s): speed auto [ 10 | 100 | ... (Optional. By default, the port speed is determined through auto-negotiation.)
Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps } (Optional. By default, the switch does not suppress unknown unicast traffic.)
Configuring Flow Control on a Port
In situations where the receiving port is unable to process received frames, you can use the flow control function to enable the receiving port to inform the sending port to stop sending the frames for a while, thus preventing frames from being dropped.
Reflector ports and fabric ports do not support the flow-control no-pauseframe-sending command. Duplicating the Configuration of a Port to Other Ports To make other ports have the same configuration as that of a specific port, you can duplicate the configuration of a port to specific ports. Specifically, the following types of port configuration can be duplicated from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, GARP configuration, STP configuration and initial port configuration.
If you have not enabled the loopback port auto-shutdown function on the port, the port will automatically resume the normal forwarding state after the loop is removed. If a loop is found on a trunk or hybrid port, the system sends log and trap messages to the terminal. If you have additionally enabled the loopback port control function or the loopback port auto-shutdown function, the system will deal with the port accordingly: If the loopback port control function is enabled on the port, the system will set the port to the block...
Enable loopback port control on the trunk or hybrid port: loopback-detection control enable (Optional. By default, the loopback port control function is enabled on ports if the device boots with the default configuration file (config.def); if the device boots with null configuration, this function is disabled.)
external: Performs an external loop test. In the external loop test, self-loop headers must be used on the port of the switch (for a 100M port, the self-loop header is made from four cores of the 8-core cable; for a 1000M port, from all eight cores), so that the packets forwarded by the port are received by the port itself.
Enter Ethernet port view: interface interface-type interface-number
Set the interval to perform statistical analysis on port traffic: flow-interval interval (Optional. By default, this interval is 300 seconds.)
Enabling Giant-Frame Statistics Function
The giant-frame statistics function is used to ensure normal data transmission and to facilitate statistics and analysis of unusual traffic on the network.
Disable a port from generating UP/Down log: undo enable log updown (Required. By default, UP/Down log output is enabled.)
Configuration examples
# In the default conditions, where UP/DOWN log output is enabled, execute the shutdown command or the undo shutdown command on Ethernet 1/0/1.
Set the port state change delay: link-delay delay-time (Required. Defaults to 0, which indicates that no delay is introduced.)
The delay configured in this way does not take effect for ports in DLDP down state. For information about the DLDP down state, refer to DLDP.
Network diagram Figure 12-2 Network diagram for Ethernet port configuration Configuration procedure Only the configuration for Switch A is listed below. The configuration for Switch B is similar to that of Switch A. This example supposes that VLAN 2, VLAN 6 through VLAN 50 and VLAN 100 have been created. # Enter Ethernet 1/0/1 port view.
Link Aggregation Configuration
When configuring link aggregation, go to these sections for information you are interested in: Overview; Link Aggregation Classification; Aggregation Group Categories; Link Aggregation Configuration; Displaying and Maintaining Link Aggregation Configuration; Link Aggregation Configuration Example.
Overview
Introduction to Link Aggregation...
Table 13-1 Consistency considerations for ports in an aggregation (Category / Considerations)
Considerations: state of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port); rate limiting; priority marking...
LACP is disabled on the member ports of manual aggregation groups, and you cannot enable LACP on ports in a manual aggregation group. Port status in manual aggregation group A port in a manual aggregation group can be in one of the two states: selected or unselected. In a manual aggregation group, only the selected ports can forward user service packets.
The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port are unselected ports. The system sets the ports with basic port configuration different from that of the master port to unselected state.
For an aggregation group: When the rate or duplex mode of a port in the aggregation group changes, packet loss may occur on this port; When the rate of a port decreases, if the port belongs to a manual or static LACP aggregation group, the port will be switched to the unselected state;...
A load-sharing aggregation group contains at least two selected ports, but a non-load-sharing aggregation group can only have one selected port at most, while others are unselected ports. When more than eight load-sharing aggregation groups are configured on a single switch, fabric ports cannot be enabled on this switch.
For a manual aggregation group, a port can only be manually added to or removed from the group. Follow these steps to configure a manual aggregation group:
Enter system view: system-view
Create a manual aggregation group: link-aggregation group agg-id mode ... (Required)...
Create a static aggregation group: link-aggregation group agg-id mode static (Required)
Enter Ethernet port view: interface interface-type interface-number
Add the port to the aggregation group: port link-aggregation group agg-id (Required)
For a static LACP aggregation group or a manual aggregation group, it is recommended that you do not cross cables between the two devices at the two ends of the aggregation group.
Configure the port priority: lacp port-priority port-priority (Optional. By default, the port priority is 32,768.)
Changing the system priority may affect the priority relationship between the aggregation peers, and thus affect the selected/unselected status of member ports in the dynamic aggregation group.
Configuring a Description for an Aggregation Group
To do…...
Link Aggregation Configuration Example Ethernet Port Aggregation Configuration Example Network requirements Switch A connects to Switch B with three ports Ethernet 1/0/1 to Ethernet 1/0/3. It is required that load between the two switches can be shared among the three ports. Adopt three different aggregation modes to implement link aggregation on the three ports between switch A and B.
<Sysname> system-view [Sysname] link-aggregation group 1 mode static # Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1. [Sysname] interface Ethernet 1/0/1 [Sysname-Ethernet1/0/1] port link-aggregation group 1 [Sysname-Ethernet1/0/1] quit [Sysname] interface Ethernet 1/0/2 [Sysname-Ethernet1/0/2] port link-aggregation group 1 [Sysname-Ethernet1/0/2] quit [Sysname] interface Ethernet1/0/3 [Sysname-Ethernet1/0/3] port link-aggregation group 1 Adopting dynamic LACP aggregation mode...
Port Isolation Configuration
When configuring port isolation, go to these sections for information you are interested in: Port Isolation Overview; Port Isolation Configuration; Displaying and Maintaining Port Isolation Configuration; Port Isolation Configuration Example.
Port Isolation Overview
The port isolation feature is used to secure and add privacy to the data traffic and prevent malicious attackers from obtaining the user information.
When a member port of an aggregation group joins/leaves an isolation group, the other ports in the same aggregation group will join/leave the isolation group at the same time. For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports.
Network diagram Figure 14-1 Network diagram for port isolation configuration Configuration procedure # Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group. <Sysname> system-view System View: return to User View with Ctrl+Z. [Sysname] interface ethernet1/0/2 [Sysname-Ethernet1/0/2] port isolate [Sysname-Ethernet1/0/2] quit [Sysname] interface ethernet1/0/3 [Sysname-Ethernet1/0/3] port isolate [Sysname-Ethernet1/0/3] quit...
Port Security Configuration
When configuring port security, go to these sections for information you are interested in: Port Security Overview; Port Security Configuration Task List; Displaying and Maintaining Port Security Configuration; Port Security Configuration Examples.
The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication.
Table 15-1 Description of port security modes
On the port, if you want to… / Use the security mode…
Control MAC address learning: autoLearn, secure
Perform 802.1X authentication: userLogin, userLoginSecure, userLoginSecureExt, userLoginWithOUI
Perform MAC authentication: macAddressWithRadius
Perform a combination of MAC authentication and 802.1X authentication: macAddressAndUserLoginSecure, macAddressAndUserLoginSecureExt, macAddressElseUserLoginSecure, macAddressElseUserLoginSecureExt...
Figure 15-1 Packet processing and mode transition in autoLearn mode and secure mode
(Flowchart; recoverable text: the port receives a packet; check the security mode. In autoLearn mode: is the source MAC in the MAC address table? If not, save the source MAC as a... and, once the limit is reached, change the security mode to... In secure mode: is the source MAC in the MAC address table?...)
MAC authentication macAddressWithRadius: A port in this mode performs MAC authentication for users. For description of MAC authentication, refer to MAC Address Authentication Operation. Security modes with the And keyword macAddressAndUserLoginSecure: A port in this mode first performs MAC authentication for a user and then, if the user passes MAC authentication, performs 802.1X authentication.
Security modes with the Else keyword macAddressElseUserLoginSecure: As the Else keyword implies, MAC authentication is applied first. A port in this mode performs only MAC authentication for non-802.1X frames; it performs MAC authentication for 802.1X frames and then, if the authentication fails, 802.1X authentication. The port in this mode supports only one 802.1X online user, but supports multiple MAC authenticated online users.
Figure 15-4 Packet processing in a security mode with the Or keyword Port Security Features The following port security features are provided: NTK (need to know) feature: Checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication. This prevents illegal devices from intercepting network traffic.
In userLogin mode, neither NTK nor intrusion protection will be triggered. In any other port security mode, the two features will be triggered upon detection of illegal frames. In userLoginWithOUI mode, intrusion protection will not be triggered even if the OUI value does not match.
Enter system view: system-view
Enable port security: port-security enable (Required. Disabled by default.)
Enabling port security resets the following configurations on a port to the bracketed defaults. The values of these configurations then cannot be changed manually; the system adjusts them automatically based on the port security mode.
Setting the Port Security Mode
Follow these steps to set the port security mode:
Enter system view: system-view
Set the OUI value for user authentication: port-security oui OUI-value ... (Optional. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose...)
Configuring Port Security Features
Configuring the NTK feature
Follow these steps to configure the NTK feature:
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure the NTK feature: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ... (Required. By default, NTK is disabled on...
Configuring trapping
Follow these steps to configure port security trapping:
Enter system view: system-view
Enable sending traps for the specified type of event: port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ... (Required. By default, no trap is sent.)
If one user of the port has passed or is undergoing authentication, you cannot specify a guest VLAN for it. When a user on a port with a guest VLAN specified fails the authentication, the port is added to the guest VLAN and users of the port can access only the resources in the guest VLAN. Multiple users may connect to one port in the macAddressOrUserLoginSecure mode for authentication;...
If the number of secure MAC address entries has not yet reached the maximum, the port learns new MAC addresses and saves them as secure MAC addresses. Once the number of secure MAC address entries reaches the maximum, the port can no longer learn new MAC addresses and the port mode changes from autoLearn to secure.
Enter Ethernet port view: interface interface-type interface-number
Set the maximum number of secure MAC addresses allowed on the port: port-security max-mac-count count-value (Required. By default, there is no limit on the number of secure MAC addresses.)
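The autoLearn-to-secure transition driven by the maximum secure MAC count, the treatment of frames from unknown source MACs once the port is secure, and the NTK check on outbound frames (described under Port Security Features earlier in this chapter), modelled together as an added example. This is illustration code written for this page, not switch code: the SecurePort class and the sample MAC addresses are hypothetical; the intrusion-protection action itself is not modelled beyond recording the event, and only the two NTK keywords visible on this page (ntkonly, ntk-withbroadcasts) are handled.

```python
BROADCAST = "ffff-ffff-ffff"


class SecurePort:
    """Hypothetical model of one port in autoLearn/secure mode with NTK."""

    def __init__(self, max_mac_count: int, ntk_mode=None):
        self.max_mac_count = max_mac_count   # port-security max-mac-count
        self.mode = "autoLearn"
        self.secure_macs = set()             # learned secure MAC addresses
        self.ntk_mode = ntk_mode             # None, 'ntkonly' or 'ntk-withbroadcasts'
        self.intrusions = []                 # source MACs of illegal frames seen

    def receive(self, src_mac: str) -> str:
        """Inbound frame. Returns 'forward', 'learned' or 'intrusion'."""
        mac = src_mac.lower()
        if mac in self.secure_macs:
            return "forward"
        if self.mode == "autoLearn":
            self.secure_macs.add(mac)
            if len(self.secure_macs) >= self.max_mac_count:
                self.mode = "secure"   # limit reached: learning stops
            return "learned"
        # secure mode: a frame from an unknown source MAC is illegal and
        # triggers intrusion protection (the action is switch-configured)
        self.intrusions.append(mac)
        return "intrusion"

    def transmit(self, dst_mac: str) -> bool:
        """Outbound frame under NTK. True if the port may send it."""
        if self.ntk_mode is None:
            return True                      # NTK disabled: no restriction
        mac = dst_mac.lower()
        if mac == BROADCAST:
            return self.ntk_mode == "ntk-withbroadcasts"
        return mac in self.secure_macs       # only devices already known


def run_sequence(port: SecurePort, src_macs) -> list:
    """Feed a sequence of source MACs through the port, collecting results."""
    return [port.receive(m) for m in src_macs]
```

Two practical consequences show up in the model: a port with a small limit becomes secure after the first few hosts it sees, so any host plugged in later is reported as an intrusion rather than learned; and with ntkonly even broadcast traffic towards the segment is withheld, which breaks ARP for hosts that have not yet been learned.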
Network diagram Figure 15-5 Network diagram for port security mode autoLearn Configuration procedure # Enter system view. <Switch> system-view # Enable port security. [Switch] port-security enable # Enter Ethernet1/0/1 port view. [Switch] interface Ethernet 1/0/1 # Set the maximum number of MAC addresses allowed on the port to 80. [Switch-Ethernet1/0/1] port-security max-mac-count 80 # Set the port security mode to autoLearn.
Network diagram

Figure 15-6 Network diagram for configuring port security mode macAddressWithRadius

Configuration procedure

The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted.

Configure RADIUS parameters

# Create a RADIUS scheme named radius1.
[Switch-isp-aabbcc.net] scheme radius-scheme radius1
[Switch-isp-aabbcc.net] quit
# Set aabbcc.net as the default user domain.
[Switch] domain default enable aabbcc.net
# Configure the switch to use MAC addresses as usernames for authentication, specifying that the MAC addresses should be lowercase without separators.
[Switch] mac-authentication authmode usernameasmacaddress usernameformat without-hyphen
# Specify the ISP domain for MAC authentication.
The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted.

Configure RADIUS parameters

# Create a RADIUS scheme named radius1.
<Switch> system-view
[Switch] radius scheme radius1
# Specify the primary RADIUS authentication server and primary RADIUS accounting server.
[Switch-isp-aabbcc.net] quit
# Set aabbcc.net as the default user domain.
[Switch] domain default enable aabbcc.net
# Create a local user.
[Switch] local-user localuser
[Switch-luser-localuser] service-type lan-access
[Switch-luser-localuser] password simple localpass

Configure port security

# Enable port security.
[Switch] port-security enable
# Add two OUI values.
Network diagram

Figure 15-8 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt

Configuration procedure

The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted.

Configure RADIUS parameters

# Create a RADIUS scheme named radius1.
[Switch-radius-radius1] timer realtime-accounting 15
# Configure the switch to send a username without the domain name to the RADIUS server.
[Switch-radius-radius1] user-name-format without-domain
[Switch-radius-radius1] quit
# Create a domain named aabbcc.net and enter its view.
[Switch] domain aabbcc.net
# Specify the RADIUS scheme for the domain.
[Switch-isp-aabbcc.net] scheme radius-scheme radius1
# Enable the idle disconnecting function and set the related parameters.
Network diagram

Figure 15-9 Network diagram for configuring port security mode macAddressElseUserLoginSecureExt

Configuration procedure

The following configurations involve some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Operation. Configurations on the user host and the RADIUS server are omitted.

Configure RADIUS parameters

# Create a RADIUS scheme named radius1.
[Switch-radius-radius1] timer realtime-accounting 15
# Configure the switch to send a username without the domain name to the RADIUS server.
[Switch-radius-radius1] user-name-format without-domain
[Switch-radius-radius1] quit
# Create a domain named aabbcc.net and enter its view.
[Switch] domain aabbcc.net
# Specify the RADIUS scheme for the domain.
[Switch-isp-aabbcc.net] scheme radius-scheme radius1
# Enable the idle disconnecting function and set the related parameters.
Figure 15-10 Network diagram for guest VLAN configuration

Configuration procedure

The following configuration steps include configurations of AAA and RADIUS. For details about these commands, refer to AAA Command. The configurations on the 802.1X client and the RADIUS server are omitted.

# Configure RADIUS scheme 2000.
# Enable port security.
[Switch] port-security enable
# Specify the switch to trigger MAC authentication at an interval of 60 seconds.
[Switch] port-security timer guest-vlan timer 60
# Create VLAN 10 and assign the port Ethernet 1/0/1 to it.
[Switch] vlan 10
[Switch-vlan10] port Ethernet 1/0/1
# Set the security mode of the port Ethernet 1/0/2 to macAddressOrUserLoginSecure.
Port Binding Configuration

When configuring port binding, go to these sections for information you are interested in:
Port Binding Overview
Displaying and Maintaining Port Binding Configuration
Port Binding Configuration Example

Port Binding Overview

Introduction

Binding is a simple security mechanism. Through the binding configuration on the switch, you can filter the packets forwarded on the ports.
To do...                               Use the command...                                                                                                     Remarks
Enter system view                      system-view                                                                                                            —
Create a port-MAC-IP binding entry     In system view: am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ]    Either is required. By default, no binding is configured.
                                       In Ethernet port view: interface interface-type interface-number
Network diagram

Figure 16-1 Network diagram for port binding configuration

Configuration procedure

Configure Switch A as follows:
# Enter system view.
<SwitchA> system-view
# Enter Ethernet 1/0/1 port view.
[SwitchA] interface Ethernet 1/0/1
# Bind the MAC address and the IP address of Host A to Ethernet 1/0/1.
[SwitchA-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1
DLDP Configuration

When configuring DLDP, go to these sections for information you are interested in:
Overview
DLDP Configuration
DLDP Configuration Example

Overview

Introduction

A special kind of link, namely the unidirectional link, may occur in a network. When a unidirectional link appears, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device.
Figure 17-2 Fiber broken or not connected (Device A: GE1/0/49, GE1/0/50; Device B: GE1/0/49, GE1/0/50)

DLDP provides the following features:
As a link layer protocol, it works together with the physical layer protocols to monitor the link status of a device. The auto-negotiation mechanism at the physical layer detects physical signals and faults.
DLDP packet type                                                      Function
RSY advertisement packets (referred to as RSY packets hereafter)      Advertisement packet with the RSY flag set to 1. RSY-Advertisement packets are sent to request synchronizing the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
DLDP status

A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.

Table 17-2 DLDP status

Status      Description
Initial     Initial status before DLDP is enabled.
Inactive    DLDP is enabled but the corresponding link is down.
Active      DLDP is enabled and the link is up. This state indicates that:
Timer                Description
Entry aging timer    When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with an RSY tag,...
In normal DLDP mode, only fiber cross-connected unidirectional links (as shown in Figure 17-1) can be detected. In enhanced DLDP mode, two types of unidirectional links can be detected. One is fiber cross-connected links (as shown in Figure 17-1). The other is fiber pairs with one fiber not connected or disconnected (as shown in Figure 17-2).
Packet type     Processing procedure
Echo packet     Checks whether the local device information is in the packet. If not, discards this echo packet. If yes, checks whether the neighbor is in the probe state. If not, discards this echo packet. If yes, sets the neighbor flag bit to bidirectional link. If all neighbors are in the bidirectional link state, DLDP...
the local port and the neighbor is considered to be recovered to bidirectional, the port changes from the disable state to the active state, and neighboring relationship is reestablished between the local port and the neighbor. Only ports in the DLDP down state can send and process recover probe packets and recover echo packets.
To ensure unidirectional links can be detected, make sure DLDP is enabled on both sides; and the interval for sending advertisement packets, authentication mode, and password are the same on both sides. The interval for sending advertisement packets ranges from 1 to 100 seconds and defaults to 5 seconds.
Displaying and Maintaining DLDP

To do …                                               Use the command …                                              Remarks
Display the DLDP configuration of a unit or a port    display dldp { unit-id | interface-type interface-number }     Available in any view.

DLDP Configuration Example

Network requirements

As shown in Figure 17-3, Switch A and Switch B are connected through two pairs of fibers.
# Enable DLDP globally.
[SwitchA] dldp enable
# Set the interval for sending DLDP packets to 15 seconds.
[SwitchA] dldp interval 15
# Configure DLDP to work in enhanced mode.
[SwitchA] dldp work-mode enhance
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
MAC Address Table Management

When configuring MAC address table management, go to these sections for information you are interested in:
Overview
Configuring MAC Address Table Management
Displaying MAC Address Table Information
Configuration Example

This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: As shown in Figure 18-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A needs to be transmitted to Ethernet 1/0/1.
packet from User B is sent to Ethernet 1/0/4, the switch records the association between the MAC address of User B and the corresponding port in the MAC address table of the switch. Figure 18-4 MAC address learning diagram (3) At this time, the MAC address table of the switch includes the two forwarding entries shown in Figure 18-5.
the entry. The switch removes the MAC address entry if no more packets with the MAC address recorded in the entry are received within the aging time. The MAC address aging timer only takes effect on dynamic MAC address entries. With the destination MAC address triggered update function enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging tim...
Task                                                              Remarks
Configuring a MAC Address Entry                                   Required
Setting the MAC Address Aging Timer                               Optional
Setting the Maximum Number of MAC Addresses a Port Can Learn      Optional
Enabling Destination MAC Address Triggered Update                 Optional

Configuring a MAC Address Entry

You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, after a static MAC address is added, it will become a static VLAN.
Follow these steps to set the maximum number of MAC addresses a port can learn:

To do…                                                     Use the command…                              Remarks
Enter system view                                          system-view                                   —
Enter Ethernet port view                                   interface interface-type interface-number     —
Set the maximum number of MAC addresses the port can...    mac-address max-mac-count...                  Required. By default, the number of the...
Configuration Example Adding a Static MAC Address Entry Manually Network requirements The server connects to the switch through Ethernet 1/0/2. To prevent the switch from broadcasting packets destined for the server, it is required to add the MAC address of the server to the MAC address table of the switch, which then forwards packets destined for the server through Ethernet 1/0/2.
Auto Detect Configuration

When configuring the auto detect function, go to these sections for information you are interested in:
Introduction to the Auto Detect Function
Auto Detect Configuration
Auto Detect Configuration Examples

Introduction to the Auto Detect Function

The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
Task                                                     Remarks
Auto Detect Implementation in VLAN Interface Backup      Optional

Auto Detect Basic Configuration

Follow these steps to configure the auto detect function:

To do…                                                        Use the command…              Remarks
Enter system view                                             system-view                   —
Create a detected group and enter detected group view...      detect-group group-number     Required
To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby.
Figure 19-1 Schematic diagram for VLAN interface backup

Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface.
On Switch A, configure a static route to Switch C. Enable the static route when the detected group 8 is reachable. To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
Network diagram

Figure 19-3 Network diagram for VLAN interface backup

Configuration procedure

Configure the IP addresses of all the interfaces as shown in Figure 19-3. The configuration procedure is omitted.
# Enter system view.
<SwitchA> system-view
# Create auto detected group 10.
[SwitchA] detect-group 10
# Add the IP address 10.1.1.4 to detected group 10 to detect the reachability of the IP address, with 192.168.1.2 as the next hop, and the detecting number set to 1.
MSTP Configuration

Go to these sections for information you are interested in:
Overview
MSTP Configuration Task List
Configuring Root Bridge
Configuring Leaf Nodes
Performing mCheck Operation
Configuring Guard Functions
Configuring Digest Snooping
Configuring Rapid Transition
Configuring VLAN-VPN Tunnel
MSTP Maintenance Configuration
Enabling Trap Messages Conforming to 802.1d Standard
Displaying and Maintaining MSTP
MSTP Configuration Example...
STP identifies the network topology by transmitting BPDUs between STP compliant network devices, typically switches and routers. BPDUs contain sufficient information for the network devices to complete the spanning tree calculation. In STP, BPDUs come in two types:
Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 4500 is 32768. You can use a command to configure the bridge priority of a device. For details, see Configuring the Bridge Priority of the Current Switch.
Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities.
Table 20-2 Selection of the optimum configuration BPDU Step Description Upon receiving a configuration BPDU on a port, the device performs the following processing: If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device will discard the received configuration BPDU without doing any processing on the configuration BPDU of this port.
Step Description The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result: If the calculated configuration BPDU is superior, this port will serve as the designated port, and the configuration BPDU on the port will be replaced with the calculated configuration BPDU, which will be sent out periodically.
Device       Port name    BPDU of port
Device B     BP1          {1, 0, 1, BP1}
             BP2          {1, 0, 1, BP2}
Device C     CP1          {2, 0, 2, CP1}
             CP2          {2, 0, 2, CP2}

Comparison process and result on each device

The following table shows the comparison process and result on each device.

Table 20-5 Comparison process and result on each device

Device    Comparison process    BPDU of port after...
Device      Comparison process                                                                                                                                                                                          BPDU of port after comparison
Device C    Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
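The bridge ID layout, the configuration BPDU comparison of Table 20-2 and the root/designated port determination described above, run on the three-device example of Table 20-5, as an added example that is not code from the 3Com manual. The MAC addresses, port IDs and link path costs (A-B 5, A-C 10, B-C 4) are constructed assumptions, since the page does not give them; the simulation runs synchronous hello rounds until no port changes, which is a simplification of the real timer-driven process.

```python
"""STP configuration BPDU comparison and port-role selection, added example.
Bridge ID = 2-byte priority + 6-byte MAC; a BPDU is {root bridge ID, root path
cost, designated bridge ID, designated port ID} and a smaller value is superior.
MACs, port IDs and link costs below are constructed (not from the manual)."""
from dataclasses import dataclass


def bridge_id(priority: int, mac: str) -> int:
    """8-byte bridge ID: 2-byte bridge priority followed by the 6-byte MAC address."""
    return (priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


@dataclass(frozen=True, order=True)
class ConfigBPDU:
    # Field order matters: comparison is lexicographic, smaller is superior.
    root_id: int
    root_path_cost: int
    designated_bridge_id: int
    designated_port_id: int


@dataclass
class Port:
    name: str
    port_id: int
    link_cost: int            # path cost of the link attached to this port
    bpdu: ConfigBPDU          # best configuration BPDU currently held on the port
    role: str = "designated"  # designated | root | blocked


class Bridge:
    def __init__(self, name: str, priority: int, mac: str):
        self.name = name
        self.bid = bridge_id(priority, mac)
        self.ports = []

    def add_port(self, name: str, port_id: int, link_cost: int) -> Port:
        # On start-up every bridge regards itself as root: {self, 0, self, port}.
        port = Port(name, port_id, link_cost, ConfigBPDU(self.bid, 0, self.bid, port_id))
        self.ports.append(port)
        return port

    def _root_port(self):
        # Candidates are ports holding a BPDU that another bridge generated;
        # best root first, then lowest total cost (held cost + this link's cost).
        cands = [p for p in self.ports if p.bpdu.designated_bridge_id != self.bid]
        if not cands:
            return None
        return min(cands, key=lambda p: (p.bpdu.root_id,
                                         p.bpdu.root_path_cost + p.link_cost,
                                         p.bpdu.designated_bridge_id,
                                         p.bpdu.designated_port_id, p.port_id))

    def recompute(self) -> bool:
        """Role determination for every port; returns True if anything changed."""
        rp = self._root_port()
        if rp is None:
            root, cost = self.bid, 0                     # this bridge is the root
        else:
            root, cost = rp.bpdu.root_id, rp.bpdu.root_path_cost + rp.link_cost
        changed = False
        for p in self.ports:
            if p is rp:
                role = "root"
            else:
                calc = ConfigBPDU(root, cost, self.bid, p.port_id)
                if p.bpdu.designated_bridge_id == self.bid or calc < p.bpdu:
                    role = "designated"   # calculated BPDU superior: send it out
                    if p.bpdu != calc:
                        p.bpdu, changed = calc, True
                else:
                    role = "blocked"      # held BPDU superior: port forwards nothing
            if p.role != role:
                p.role, changed = role, True
        return changed


def exchange(links) -> bool:
    """One hello interval: designated ports send; a receiving port keeps the
    received BPDU only if it is superior to the one it already holds (Table 20-2)."""
    changed = False
    for a, b in links:
        for src, dst in ((a, b), (b, a)):
            if src.role == "designated" and src.bpdu < dst.bpdu:
                dst.bpdu, changed = src.bpdu, True
    return changed


def run_stp(bridges, links, max_rounds=20) -> dict:
    for _ in range(max_rounds):
        changed = exchange(links)
        for b in bridges:
            changed = b.recompute() or changed
        if not changed:
            break
    return {p.name: p.role for b in bridges for p in b.ports}


def page_example():
    """Device A/B/C as in the text; MACs, port IDs and link costs are constructed."""
    a = Bridge("Device A", 0, "00e0-fc00-0001")
    b = Bridge("Device B", 1, "00e0-fc00-0002")
    c = Bridge("Device C", 2, "00e0-fc00-0003")
    ap1, ap2 = a.add_port("AP1", 1, 5), a.add_port("AP2", 2, 10)   # A-B cost 5, A-C cost 10
    bp1, bp2 = b.add_port("BP1", 1, 5), b.add_port("BP2", 2, 4)    # B-C cost 4
    cp1, cp2 = c.add_port("CP1", 1, 10), c.add_port("CP2", 2, 4)
    roles = run_stp([a, b, c], [(ap1, bp1), (ap2, cp1), (bp2, cp2)])
    return roles, cp1.bpdu


if __name__ == "__main__":
    print(page_example())
```

With these costs Device C reaches the root more cheaply through Device B (cost 9) than directly (cost 10), so CP2 becomes its root port and CP1, which holds the superior BPDU {0, 0, 0, AP2} of Device A, is blocked.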
Figure 20-3 The final calculated spanning tree To facilitate description, the spanning tree calculation process in this example is simplified, while the actual process is more complicated. The BPDU forwarding mechanism in STP Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 20-4 contains multiple spanning trees known as MSTIs.
A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region. An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
STP and RSTP and use them for their respective spanning tree calculation. The 3Com switches 4500 support MSTP. After MSTP is enabled on a switch 4500, the switch operates in MSTP mode by default. If the network contains switches that run the STP/RSTP protocol, you can...
In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches:
Root bridge hold
Root bridge backup
Root guard
BPDU guard
Loop guard
TC-BPDU attack guard

Protocols and Standards

MSTP is documented in:
IEEE 802.1D: spanning tree protocol...
Task                                                                Remarks
Configuring the Maximum Transmitting Rate on the Current Port       Optional. The default value is recommended.
Configuring the Current Port as an Edge Port                        Optional
Setting the Link Type of a Port to P2P                              Optional
Enabling MSTP                                                       Required. To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP...
Configuring Root Bridge

Configuring an MST Region

Configuration procedure

Follow these steps to configure an MST region:

To do...                                Use the command...          Remarks
Enter system view                       system-view                 —
Enter MST region view                   stp region-configuration    —
Configure the name of the MST region    region-name name            Required. The default MST region name of a...
802.1s-defined protocol selector, which is 0 by default and cannot be configured), MST region name, VLAN-to-instance mapping table, and revision level. The 3Com switches 4500 support only the MST region name, VLAN-to-instance mapping table, and revision level. Switches with the settings of these parameters being the same are assigned to the same MST region.
Specify the current switch as the secondary root bridge of a spanning tree

Follow these steps to specify the current switch as the secondary root bridge of a spanning tree:

To do...                             Use the command...                       Remarks
Enter system view                    system-view                              —
Specify the current switch as...     stp [ instance instance-id ] root...
Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of switches. You can make a specific switch be selected as a root bridge by setting a lower bridge priority for the switch. An MSTP-enabled switch can have different bridge priorities in different MSTIs.
To do...                                                  Use the command...                                                   Remarks
Configure how a port recognizes and sends MSTP packets    stp interface interface-list compliance { auto | dot1s | legacy }    Required. By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of packets to be sent according to the...
To do...                             Use the command...               Remarks
Enter system view                    system-view                      —
Configure the MSTP operation mode    stp mode { stp | rstp | mstp }   Required. An MSTP-enabled switch operates in the MSTP mode by default.

Configuration example

# Specify the MSTP operation mode as STP-compatible.
<Sysname>...
Configuring the Network Diameter of the Switched Network In a switched network, any two switches can communicate with each other through a specific path made up of multiple switches. The network diameter of a network is measured by the number of switches;...
To do...                           Use the command...                 Remarks
Configure the max age parameter    stp timer max-age centiseconds     Required. The max age parameter defaults to 2,000 centiseconds (namely, 20 seconds).

All switches in a switched network adopt the three time-related parameters configured on the CIST root bridge.
Configuring the Timeout Time Factor

When the network topology is stable, a non-root-bridge switch regularly forwards BPDUs received from the root bridge to its neighboring devices at the interval specified by the hello time parameter to check for link failures. Normally, a switch regards its upstream switch faulty if it does not receive any BPDU from the upstream switch within a period three times the hello time, and then initiates the spanning tree recalculation process.
To do...                                   Use the command...                            Remarks
Enter system view                          system-view                                   —
Enter Ethernet port view                   interface interface-type interface-number     —
Configure the maximum transmitting rate    stp transmit-limit packetnum                  Required. The maximum transmitting rate of all Ethernet ports on a switch defaults to 10.

As the maximum transmitting rate parameter determines the number of configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources.
To do...                              Use the command...                            Remarks
Enter Ethernet port view              interface interface-type interface-number     —
Configure the port as an edge port    stp edged-port enable                         Required. By default, all the Ethernet ports of a switch are non-edge ports.

On a switch with BPDU guard disabled, an edge port becomes a non-edge port again once it receives a BPDU from another port.
Setting the Link Type of a Port to P2P in Ethernet port view

Follow these steps to specify whether the link connected to a port is a point-to-point link in Ethernet port view:

To do...              Use the command...    Remarks
Enter system view     —...
To do...                           Use the command...                      Remarks
Disable MSTP on specified ports    stp interface interface-list disable    Optional. By default, MSTP is enabled on all ports. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
Configuring the Timeout Time Factor Refer to Configuring the Timeout Time Factor. Configuring the Maximum Transmitting Rate on the Current Port Refer to Configuring the Maximum Transmitting Rate on the Current Port. Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port.
Rate          Operation mode (half-/full-duplex)    Path cost: 802.1D-1998 standard    Path cost: IEEE 802.1t
1,000 Mbps    Full-duplex                                                              20,000
              Aggregated link 2 ports                                                  10,000
              Aggregated link 3 ports                                                  6,666
              Aggregated link 4 ports                                                  5,000
10 Gbps       Full-duplex                                                              2,000
              Aggregated link 2 ports                                                  1,000
              Aggregated link 3 ports
              Aggregated link 4 ports

Normally, the path cost of a port operating in full-duplex mode is slightly less than that of the port operating in half-duplex mode.
Perform this configuration in system view
<Sysname> system-view
[Sysname] stp interface Ethernet 1/0/1 instance 1 cost 2000
Perform this configuration in Ethernet port view
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 1 cost 2000

Configuration example (B)

# Configure the path cost of Ethernet 1/0/1 in MSTI 1 to be calculated by the MSTP-enabled switch according to the IEEE 802.1D-1998 standard.
To do...                               Use the command...                                      Remarks
Enter Ethernet port view               interface interface-type interface-number               —
Configure port priority for the port   stp [ instance instance-id ] port priority priority     Required. The default port priority is 128.

Changing the port priority of a port may change the role of the port and put the port into state transition. A smaller port priority value indicates a higher possibility for the port to become the root port.
Configuration Procedure You can perform the mCheck operation in the following two ways. Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view: To do... Use the command... Remarks Enter system view —...
<Sysname> system-view
[Sysname] stp bpdu-protection

As Gigabit ports of a 3Com switch 4500 cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports.
forwarding packets (as if it is disconnected from the link). It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period. You are recommended to enable root guard on the designated ports of a root bridge. Loop guard, root guard, and edge port settings are mutually exclusive.
Configuring Loop Guard

A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch. These BPDUs may get lost because of network congestion or unidirectional link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port;...
period, the switch may be busy removing MAC address table and ARP entries, which may affect spanning tree calculation, occupy a large amount of bandwidth and increase switch CPU utilization. With the TC-BPDU attack guard function enabled, a switch performs a removing operation upon receiving a TC-BPDU and triggers a timer (set to 10 seconds by default) at the same time.
MST region. This problem can be overcome by implementing the digest snooping feature. If a port on a 3Com switch 4500 is connected to another manufacturer's switch that has the same MST region-related configuration as its own but adopts a proprietary spanning tree protocol, you can enable digest snooping on the port.
To do...                                         Use the command...               Remarks
Return to system view                            quit                             —
Enable the digest snooping feature globally      stp config-digest-snooping       Required. The digest snooping feature is disabled globally by default.
Display the current configuration                display current-configuration    Available in any view

When the digest snooping feature is enabled on a port, the port state turns to the discarding state.
3Com switch 4500 running MSTP, the upstream designated port fails to change its state rapidly. The rapid transition feature is developed to resolve this problem. When a 3Com switch 4500 running MSTP is connected in the upstream direction to another manufacturer's switch running proprietary spanning tree protocols, you can enable the rapid transition feature on the ports of the switch 4500 operating as the downstream switch.
Configuration prerequisites As shown in Figure 20-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports.
The rapid transition feature can be enabled on only root ports or alternate ports. If you configure the rapid transition feature on a designated port, the feature does not take effect on the port. Configuring VLAN-VPN Tunnel Introduction The VLAN-VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks, through which spanning trees can be generated across these customer networks and are independent of those of the service provider network.
To do...                                        Use the command...                            Remarks
Enable the VLAN-VPN tunnel function globally    vlan-vpn tunnel                               Required. The VLAN-VPN tunnel function is disabled by default.
Enter Ethernet port view                        interface interface-type interface-number     Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN-VPN tunnel...
<Sysname> system-view
[Sysname] stp instance 1 portlog
# Enable log/trap output for the ports of all instances.
<Sysname> system-view
[Sysname] stp portlog all

Enabling Trap Messages Conforming to 802.1d Standard

A switch sends trap messages conforming to the 802.1d standard to the network management device in the following two cases: The switch becomes the root bridge of an instance.
MSTP Configuration Example Network requirements Implement MSTP in the network shown in Figure 20-10 to enable packets of different VLANs to be forwarded along different MSTIs. The detailed configurations are as follows: All switches in the network belong to the same MST region. Packets of VLAN 10, VLAN 30, VLAN 40, and VLAN 20 are forwarded along MSTI 1, MSTI 3, MSTI 4, and MSTI 0 respectively.
# Specify Switch A as the root bridge of MSTI 1.
[Sysname] stp instance 1 root primary

Configure Switch B

# Enter MST region view.
<Sysname> system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
[Sysname-mst-region] region-name example
[Sysname-mst-region] instance 1 vlan 10
[Sysname-mst-region] instance 3 vlan 30...
Network requirements Switch C and Switch D are the access devices for the service provider network. The 3Com switches 4500 operate as the access devices of the customer networks, that is, Switch A and Switch B in the network diagram.
[Sysname] vlan-vpn tunnel
# Add GigabitEthernet 1/0/1 to VLAN 10.
[Sysname] vlan 10
[Sysname-Vlan10] port GigabitEthernet 1/0/1
[Sysname-Vlan10] quit
# Enable the VLAN VPN function on GigabitEthernet 1/0/1.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port access vlan 10
[Sysname-GigabitEthernet1/0/1] vlan-vpn enable
[Sysname-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
IP Routing Protocol Overview
Go to these sections for information you are interested in: Introduction to IP Route and Routing Table, Routing Protocol Overview, Displaying and Maintaining a Routing Table. The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
address and network mask, you can get the address of the network segment where the destination host or router resides. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, the address of the network segment where the destination host or router resides is 129.102.0.0.
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt to network topology changes automatically, so you must reconfigure the routes whenever the network topology changes.
Routing Protocols and Routing Priority
Different routing protocols may find different routes (including static routes) to the same destination. However, not all of those routes are optimal. In fact, at a particular moment, only one protocol determines the current optimal route to the destination. For the purpose of route selection, each routing protocol (including static routes) is assigned a priority.
Routing Information Sharing As different routing protocols use different algorithms to calculate routes, they may discover different routes. In a large network with multiple routing protocols, it is required for routing protocols to share their routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
Static Route Configuration
When configuring a static route, go to these sections for information you are interested in: Introduction to Static Route, Static Route Configuration, Displaying and Maintaining Static Routes, Static Route Configuration Example, Troubleshooting a Static Route. The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Default Route
To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table, the default route, if one exists, is used to forward the packet. If there is no default route, the packet is discarded and an ICMP Destination Unreachable or Network Unreachable message is returned to the source.
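The lookup described in the preceding sections (mask the destination to find its network segment, prefer the longest matching prefix, break ties between protocols by priority, and fall back to the default route or an ICMP unreachable) is shown below as an added example; it is not code from the manual or from the switch software. The protocol preference values, the interface names, and the RIP route are assumptions chosen for illustration; the three static routes and the 129.102.8.10/255.255.0.0 masking example are the ones the text uses.

```python
import ipaddress

# Route preference per protocol (lower value wins). An assumed table in the
# spirit of the per-protocol priority the text describes; the numbers are
# illustrative, not the switch's actual defaults.
PREFERENCE = {"DIRECT": 0, "STATIC": 60, "RIP": 100}


def network_of(address, mask):
    """AND the address with the mask: 129.102.8.10 / 255.255.0.0 -> 129.102.0.0."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return str(net.network_address)


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, protocol, cost, nexthop, interface)

    def add(self, dest, mask, protocol, nexthop, interface, cost=0):
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        self.routes.append((net, protocol, cost, nexthop, interface))

    def lookup(self, dst):
        """Longest prefix first; equal prefixes are decided by protocol
        preference, then by cost. A 0.0.0.0/0 entry is the default route."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r[0]]
        if not candidates:
            return None
        return min(candidates,
                   key=lambda r: (-r[0].prefixlen, PREFERENCE[r[1]], r[2]))


def forward(table, dst):
    """Forwarding decision for a packet addressed to dst."""
    route = table.lookup(dst)
    if route is None:
        # no matching entry and no default route: drop and tell the source
        return ("DROP", "ICMP Destination Unreachable")
    net, protocol, cost, nexthop, interface = route
    return ("FORWARD", nexthop, interface, protocol)


def example_table(with_default=True):
    """Switch A's table from the static route example (interfaces assumed)."""
    t = RoutingTable()
    t.add("1.1.2.0", "255.255.255.0", "DIRECT", "1.1.2.1", "Vlan-interface2")
    # the three static routes of Approach 1
    for dest in ("1.1.3.0", "1.1.4.0", "1.1.5.0"):
        t.add(dest, "255.255.255.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    # the same prefix also learned by RIP (assumed): static wins on preference
    t.add("1.1.3.0", "255.255.255.0", "RIP", "1.1.2.3", "Vlan-interface3", cost=2)
    if with_default:
        t.add("0.0.0.0", "0.0.0.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    return t


if __name__ == "__main__":
    print(network_of("129.102.8.10", "255.255.0.0"))
    t = example_table()
    print(forward(t, "1.1.3.7"))                       # the static route, not the RIP one
    print(forward(t, "9.9.9.9"))                       # default route
    print(forward(example_table(False), "9.9.9.9"))    # no default route: unreachable
```

The tie-breaking order matters operationally: a RIP-learned route to a prefix you also configured statically is never used while the static route is up, which is what makes the static/dynamic backup arrangements in the later route policy example work.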
To do... | Use the command... | Remarks
Display the brief information of a routing table | display ip routing-table | Available in ...
Display the detailed information of a routing table | display ip routing-table verbose | Available in ...
Display the information of static routes | display ip routing-table protocol static [ inactive | verbose ] | Available in ...
Delete all static routes | delete static-routes all...
# Approach 1: Configure static routes on Switch A.
<SwitchA> system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Approach 2: Configure a static route on Switch A.
<SwitchA>...
RIP Configuration
When configuring RIP, go to these sections for information you are interested in: RIP Overview, RIP Configuration Task List, RIP Configuration Example, Troubleshooting RIP Configuration. The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination. Metric : Cost from the local router to the destination. Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
Task | Remarks
Configuring Basic RIP Functions:
Enabling RIP on the interfaces attached to a specified network segment | Required
Setting the RIP operating status on an interface | Optional
Specifying the RIP version on an interface | Optional
Setting the additional routing metrics of an interface | Optional
Configuring RIP route summarization | Optional...
Related RIP commands configured in interface view can take effect only after RIP is enabled. RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it does not operate on the interface, that is, it neither receives/sends routes on the interface, nor forwards any interface route.
Set the preference of RIP to change the preference order of routing protocols. This order makes sense when more than one route to the same destination is discovered by multiple routing protocols. Redistribute external routes in an environment with multiple routing protocols. Configuration Prerequisites Before configuring RIP route control, perform the following tasks: Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each...
Follow these steps to configure RIP route summarization:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | | —
Enable RIP-2 automatic route summarization | summary | Required. Enabled by default.
Disabling the router from receiving host routes
In some special cases, the router can receive a lot of host routes from the same segment. These routes are of little help in route addressing but consume a lot of network resources.
The filter-policy import command filters the RIP routes received from neighbors, and the routes being filtered out will neither be added to the routing table nor be advertised to any neighbors. The filter-policy export command filters all the routes to be advertised, including the routes redistributed with the import-route command and routes learned from neighbors.
RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized. By performing the configuration mentioned in this section, the following can be implemented: Changing the convergence speed of RIP network by adjusting RIP timers;...
Split horizon cannot be disabled on a point-to-point link.
Configuring RIP-1 packet zero field check
Follow these steps to configure RIP-1 packet zero field check:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | | —
Enable the check of the must-be-zero fields | checkzero | Required...
Configuring RIP to unicast RIP packets
Follow these steps to configure RIP to unicast RIP packets:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter RIP view | | —
Configure RIP to unicast RIP packets | peer ip-address | Required. When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to...
Switch C | Vlan-int1 110.11.2.3/24 | Vlan-int4 117.102.0.1/16
Configuration procedure
Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly.
Configure Switch A:
# Configure RIP.
IP Route Policy Configuration
When configuring an IP route policy, go to these sections for information you are interested in: IP Route Policy Overview, IP Route Policy Configuration Task List, Displaying IP Route Policy, IP Route Policy Configuration Example, Troubleshooting IP Route Policy. The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a...
For ACL configuration, refer to the part discussing ACL.
IP-prefix list
An IP-prefix list plays a role similar to an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
if-match clause: Defines matching rules; that is, the filtering conditions that the routing information should satisfy for passing the current route policy. The matching objects are some attributes of the routing information. apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clause.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter route-policy view | route-policy route-policy-name { permit | deny } node node-number | Required
Define a rule to match the IP address of routing information | if-match { acl acl-number | ip-prefix ip-prefix-name } | Optional. By default, no matching is performed on...
IP-Prefix Configuration
An IP-prefix list plays a role similar to an ACL but is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
Configuration Prerequisites
Before configuring a filter list, prepare the following data: IP-prefix name; range of addresses to be matched...
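To make the if-match/apply semantics of a route policy and the matching behaviour of an IP-prefix list concrete, here is an added example (not code from the manual or the switch software) that evaluates routes against both. It assumes the usual semantics: nodes are tried in ascending number, every if-match clause of a node must hold, a permit node applies its apply clauses and stops, a deny node drops the route, and a route that matches no node (or no prefix-list entry) is dropped. The contents of prefix lists 1 and 2 and the catch-all node 40 are assumptions, since the configuration example on this page shows only nodes 20 and 30.

```python
import ipaddress


class IpPrefixList:
    """Ordered permit/deny entries matched against a route's destination prefix.

    An entry holds a prefix and an allowed prefix-length range; without a
    range it matches that exact prefix only. Implicit deny at the end."""

    def __init__(self, name):
        self.name = name
        self.entries = []

    def add(self, action, prefix, ge=None, le=None):
        net = ipaddress.IPv4Network(prefix)
        lo = net.prefixlen if ge is None else ge
        hi = lo if le is None else le
        self.entries.append((action, net, lo, hi))
        return self

    def permits(self, dest):
        route_net = ipaddress.IPv4Network(dest)
        for action, net, lo, hi in self.entries:
            if route_net.subnet_of(net) and lo <= route_net.prefixlen <= hi:
                return action == "permit"
        return False


class RoutePolicy:
    """Permit/deny nodes with if-match clauses (all must hold) and apply actions."""

    def __init__(self, name):
        self.name = name
        self.nodes = {}

    def node(self, number, mode, if_match, apply=None):
        self.nodes[number] = (mode, if_match, apply or {})
        return self

    def evaluate(self, route, prefix_lists):
        """Return the (possibly modified) route, or None if it is filtered out."""
        for number in sorted(self.nodes):
            mode, if_match, apply = self.nodes[number]
            if all(self._matches(c, route, prefix_lists) for c in if_match):
                if mode == "deny":
                    return None
                result = dict(route)
                result.update(apply)       # e.g. apply cost 6
                return result
        return None                        # no node matched: route dropped

    @staticmethod
    def _matches(clause, route, prefix_lists):
        kind, value = clause
        if kind == "interface":            # if-match interface Vlan-interfaceN
            return route["interface"] == value
        if kind == "ip-prefix":            # if-match ip-prefix <name>
            return prefix_lists[value].permits(route["dest"])
        raise ValueError(f"unknown if-match clause {kind}")


def switch_c_policy():
    """Route policy 'in' from the configuration example; list contents assumed."""
    prefix_lists = {
        "1": IpPrefixList("1").add("permit", "1.0.0.0/8"),
        "2": IpPrefixList("2").add("permit", "3.0.0.0/8"),
    }
    policy = (RoutePolicy("in")
              .node(20, "permit", [("interface", "Vlan-interface2"), ("ip-prefix", "2")], {"cost": 6})
              .node(30, "permit", [("interface", "Vlan-interface6"), ("ip-prefix", "1")], {"cost": 6})
              .node(40, "permit", []))     # assumed: pass everything else unchanged
    return prefix_lists, policy


if __name__ == "__main__":
    pl, pol = switch_c_policy()
    for r in ({"dest": "1.0.0.0/8", "interface": "Vlan-interface6", "cost": 1},
              {"dest": "1.0.0.0/8", "interface": "Vlan-interface2", "cost": 1}):
        print(r["interface"], "->", pol.evaluate(r, pl))
```

Note the catch-all node: without it every route that is neither the backup-path OA route nor the backup-path service route would be silently dropped by the policy, which is the most common mistake when a route policy is first applied with filter-policy or import-route.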
IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other.
For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C. For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
[SwitchC-route-policy] if-match interface Vlan-interface2
[SwitchC-route-policy] if-match ip-prefix 2
[SwitchC-route-policy] apply cost 6
[SwitchC-route-policy] quit
# Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1.
[SwitchC] route-policy in permit node 30
[SwitchC-route-policy] if-match interface Vlan-interface6
[SwitchC-route-policy] if-match ip-prefix 1...
Display data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
<SwitchC> display ip routing-table
Routing Table: public net
Destination/Mask | Protocol | Cost | Nexthop | Interface
1.0.0.0/8 | | | 6.6.6.5 | Vlan-interface2
3.0.0.0/8 | | | 6.6.6.5 | Vlan-interface6
6.0.0.0/8 | DIRECT | | 6.6.6.6 | Vlan-interface6...
Multicast Overview
In this manual, the term "router" refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Multicast Overview
With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network.
Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
Information Transmission in the Multicast Mode
As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring information is not certain, unicast and broadcast are not efficient.
All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions. A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
Application of multicast
The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth and reduces network load. Multicast supports the following applications: Applications of multimedia and streaming media, such as Web TV, Web radio, and real-time video/audio conferencing.
Host registration: What receivers reside on the network? Technologies of discovering a multicast source: Which multicast source should the receivers receive information from? Multicast addressing mechanism: Where should the multicast source transport information to? Multicast routing: How is information transported? IP multicast is a kind of peer-to-peer service. Based on the protocol layer sequence from bottom to top, the multicast mechanism contains the addressing mechanism, host registration, multicast routing, and multicast application:...
Note that: The IP addresses of a permanent multicast group keep unchanged, while the members of the group can be changed. There can be any number of, or even zero, members in a permanent multicast group. Those IP multicast addresses not assigned to permanent multicast groups can be used by temporary multicast groups.
Class D address range | Description
224.0.0.18 | Virtual Router Redundancy Protocol (VRRP)
224.0.0.19 to 224.0.0.255 | Other protocols
Just as the private network segment 10.0.0.0/8 is reserved for unicast, IANA has also reserved the network segment 239.0.0.0/8 for multicast. These are administratively scoped addresses. With administratively scoped addresses, you can define the range of multicast domains flexibly to isolate IP addresses between different multicast domains, so that the same multicast address can be used in...
Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
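The address classes above (the reserved 224.0.0.0/24 block, the administratively scoped 239.0.0.0/8 block, and the remaining class D space used by temporary groups) and the Layer 2 side of multicast are tied together by how an IP group address becomes an Ethernet destination MAC: the low 23 bits of the group address are copied into the 01-00-5E OUI, so 32 group addresses share one MAC. That is why the IGMP Snooping display later in this manual reports IP groups "matching to one MAC group". The following added example (not code from the manual or the switch software) classifies a group address and computes its MAC and the 32 aliases; the classification labels are this example's own wording.

```python
import ipaddress

CLASS_D = ipaddress.IPv4Network("224.0.0.0/4")
LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")      # permanent groups, protocol use
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")     # multicast counterpart of 10.0.0.0/8


def classify(group):
    """Describe which part of the class D space a group address falls in."""
    a = ipaddress.IPv4Address(group)
    if a not in CLASS_D:
        return "not a multicast address"
    if a in LINK_LOCAL:
        return "reserved link-local (permanent group, protocol use)"
    if a in ADMIN_SCOPED:
        return "administratively scoped (private to the multicast domain)"
    return "globally scoped (available to temporary groups)"


def multicast_mac(group):
    """01:00:5e plus the low 23 bits of the group address (bit 23 is dropped)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join("%02x" % o for o in octets)


def groups_sharing_mac(group):
    """The 32 class D addresses that map to the same MAC as group.

    The 4 class bits are fixed (1110) and 23 bits go into the MAC, so the
    5 bits in between (bits 23..27) are free: 2**5 = 32 aliases."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | base))
            for hi in range(32)]


if __name__ == "__main__":
    for g in ("224.0.0.18", "224.1.1.1", "239.1.1.1", "10.0.0.1"):
        print(g, classify(g))
    print(multicast_mac("224.1.1.1"), groups_sharing_mac("224.1.1.1")[:4])
```

The practical consequence for a Layer 2 switch that builds its forwarding table on MAC addresses: traffic for 225.1.1.1 or 224.129.1.1 reaches every port that joined 224.1.1.1, so a host on such a port receives streams it never asked for. This is one reason IGMP Snooping implementations keep IP group entries rather than only MAC entries, and why the choice of group addresses inside a 239.0.0.0/8 plan should avoid sharing low 23 bits between unrelated streams.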
An inter-domain multicast routing protocol is used for delivery of multicast information between two ASs. So far, mature solutions include Multicast Source Discovery Protocol (MSDP). For the SSM model, multicast routes are not divided into inter-domain routes and intra-domain routes. Since receivers know the position of the multicast source, channels established through PIM-SM are sufficient for multicast information transport.
In the network, multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast. To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface.
considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 25-7. Multicast packets travel along the SPT from the multicast source to the receivers.
Common Multicast Configuration
In this manual, the term "router" refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Common Multicast Configuration
Table 26-1 Complete the following tasks to perform common multicast configurations:
Task | Remarks...
To do... | Use the command... | Remarks
Enter Ethernet port view | interface interface-type interface-number | —
Configure multicast source port suppression | multicast-source-deny | Optional. Multicast source port suppression is disabled by default.
Configuring a Multicast MAC Address Entry
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
If the multicast MAC address entry to be created already exists, the system gives you a prompt. If you want to add a port to a multicast MAC address entry created through the mac-address multicast command, you need to remove the entry first, create this entry again, and then add the specified port to the forwarding ports of this entry.
IGMP Snooping Configuration
When configuring IGMP snooping, go to these sections for information you are interested in: IGMP Snooping Overview, Configuring IGMP Snooping, Displaying and Maintaining IGMP Snooping, IGMP Snooping Configuration Examples, Troubleshooting IGMP Snooping. In this manual, the term "router" refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 27-1 Before and after IGMP Snooping is enabled on a Layer 2 device (left panel: multicast packet transmission without IGMP Snooping; right panel: multicast packet transmission when IGMP Snooping runs; each panel shows a multicast router, the source, a Layer 2 switch, and Hosts A and C)...
member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
Port aging timers in IGMP Snooping and related messages and actions
Table 27-1 Port aging timers in IGMP Snooping and related messages and actions
Timer | Description | Message before...
A switch will not forward an IGMP report through a non-router port for the following reason: Due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, the hosts will stop sending reports when they receive the message, and this prevents the switch from knowing if members of that multicast group are still attached to these ports.
Configuring IGMP Snooping
Complete the following tasks to configure IGMP Snooping:
Task | Remarks
Enabling IGMP Snooping | Required
Configuring the Version of IGMP Snooping | Optional
Configuring Timers | Optional
Configuring Fast Leave Processing | Optional
Configuring a Multicast Group Filter | Optional
Configuring the Maximum Number of Multicast Groups on a Port | Optional
Configuring IGMP Snooping Querier | Optional...
Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface. Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view;...
Follow these steps to configure timers:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Configure the aging timer of the router port | igmp-snooping router-aging-time seconds | Optional. By default, the aging time of the router port is 105 seconds.
Configure the general ... | igmp-snooping ... | Optional...
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified; if one or more VLANs are specified, the configuration takes effect on all ports in the specified VLAN(s).
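The behaviour described in the preceding sections (router ports learned from queries and aged at 105 seconds by default, member ports learned from reports, reports relayed only toward router ports because of report suppression, and fast leave removing a port immediately versus keeping it until its timer runs out) is modelled in the following added example. It is not code from the manual or the switch software. The 260-second member port aging value and the 2-second grace period after a non-fast leave are assumptions (the page gives only the router port default); the port names and group follow the display output in the configuration example later in this chapter.

```python
ROUTER_PORT_AGING = 105   # seconds; the default the text gives for the router port timer
HOST_PORT_AGING = 260     # seconds; assumed, the page does not state this default
LEAVE_GRACE = 2           # seconds a member port survives a leave when fast leave is off; assumed


class IgmpSnoopingVlan:
    """Forwarding state of one VLAN, driven by the IGMP messages seen on its ports."""

    def __init__(self, vlan_id, ports, fast_leave=False):
        self.vlan_id = vlan_id
        self.ports = list(ports)
        self.fast_leave = fast_leave
        self.router_ports = {}   # port -> expiry time
        self.groups = {}         # group -> {member port -> expiry time}

    def on_query(self, port, now):
        """A general query from the querier: that port leads to the router.
        Returns the ports the query is relayed to so hosts can answer it."""
        self.router_ports[port] = now + ROUTER_PORT_AGING
        return [p for p in self.ports if p != port]

    def on_report(self, port, group, now):
        """A membership report: record the member port, relay toward routers only.
        Relaying out a non-router port would make hosts behind it suppress
        their own reports, and the switch would lose track of them."""
        self.groups.setdefault(group, {})[port] = now + HOST_PORT_AGING
        return [p for p in self.router_ports if p != port]

    def on_leave(self, port, group, now):
        members = self.groups.get(group, {})
        if port not in members:
            return
        if self.fast_leave:
            del members[port]                   # only safe with one host per port
        else:
            members[port] = now + LEAVE_GRACE   # a report within the grace period keeps it
        if not members:
            self.groups.pop(group, None)

    def age(self, now):
        """Expire router ports and member ports whose timers have run out."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def forwarding_ports(self, group, in_port):
        """Ports that receive a multicast data frame for group arriving on in_port."""
        if group not in self.groups:
            # unknown group: flood within the VLAN, the default the text describes;
            # dropping unknown multicast is the alternative it mentions
            return [p for p in self.ports if p != in_port]
        out = set(self.groups[group]) | set(self.router_ports)
        out.discard(in_port)
        return sorted(out)

    def display(self, group):
        """Shape of 'display igmp-snooping group' for one group."""
        return {"dynamic router ports": sorted(self.router_ports),
                "dynamic host ports": sorted(self.groups.get(group, {}))}


if __name__ == "__main__":
    v = IgmpSnoopingVlan(100, ["Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3"])
    v.on_query("Ethernet1/0/1", now=0)
    print(v.on_report("Ethernet1/0/3", "224.1.1.1", now=1))        # relayed to the router port only
    print(v.forwarding_ports("224.1.1.1", in_port="Ethernet1/0/1"))  # data goes to the member
    print(v.display("224.1.1.1"))
    v.age(now=106)                                                   # router port aged out, no query seen
    print(v.display("224.1.1.1"))
```

Two operational points fall out of the model: if the querier stops sending general queries, the router port ages out after 105 seconds and multicast data still arrives from that port but reports stop flowing toward the router; and fast leave on a port shared by several hosts cuts off the remaining hosts the moment one of them leaves, which is why the text limits it to IGMPv2/v3 hosts and, in practice, to one host per port.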
A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port. If no ACL rule is configured, all multicast groups are filtered. Since most devices broadcast unknown multicast packets by default, this function is often used together with the function of dropping unknown multicast packets, to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function.
Configuring IGMP Snooping Querier In an IP multicast network running IGMP, one dedicated multicast device is responsible for sending IGMP general queries, and this router or Layer 3 switch is called the IGMP querier. However, a Layer 2 multicast switch does not support IGMP, and therefore cannot send general queries by default.
Configuring the source address to be carried in IGMP queries
Follow these steps to configure the source address to be carried in IGMP queries:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter Ethernet port view | interface interface-type interface-number | —
Configure the current port as a static multicast group member | multicast static-group group-address vlan vlan-id | Required. By default, no port is configured as a static member port for a multicast group in a VLAN...
In VLAN view
Follow these steps to configure a static router port in VLAN view:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —
Configure a specified port as a static router port | multicast static-router-port interface-type interface-number | Required. By default, no static router port...
Before configuring a simulated host, enable IGMP Snooping in VLAN view first. The port to be configured must belong to the specified VLAN; otherwise the configuration does not take effect. You can use the source-ip source-address command to specify a multicast source address that the port will join as a simulated host.
To do... | Use the command... | Remarks
Create a multicast VLAN and enter VLAN view | vlan vlan-id | —
Return to system view | quit | —
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Enable IGMP | igmp enable | Required. By default, the IGMP feature is disabled.
To do... | Use the command... | Remarks
Specify the VLANs to be allowed to pass the port | port hybrid vlan vlan-id-list { tagged | untagged } | Required. The multicast VLAN must be included, and the port must be configured to forward tagged packets for the multicast VLAN.
Network diagram
Figure 27-3 Network diagram for IGMP Snooping configuration
Configuration procedure
Configure the IP address of each interface
Configure an IP address and subnet mask for each interface as per Figure 27-3. The detailed configuration steps are omitted.
Configure Router A
# Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/0/1.
<SwitchA> display igmp-snooping group vlan100
Total 1 IP Group(s).
Total 1 MAC Group(s).
Vlan(id):100.
Total 1 IP Group(s).
Total 1 MAC Group(s).
Static Router port(s):
Dynamic Router port(s): Ethernet1/0/1
IP group(s):the following ip group(s) match to one mac group.
IP group address: 224.1.1.1
Static host port(s):
Dynamic host port(s): Ethernet1/0/3...
Device | Device description | Networking description
Host A | User 1 | Host A is connected to Ethernet 1/0/1 on Switch B.
Host B | User 2 | Host B is connected to Ethernet 1/0/2 on Switch B.
In this configuration example, you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports.
[SwitchA-Ethernet1/0/10] port hybrid vlan 10 tagged
[SwitchA-Ethernet1/0/10] quit
# Configure the interface IP address of VLAN 10 as 168.10.2.1, and enable PIM-DM and IGMP.
[SwitchA] interface Vlan-interface 10
[SwitchA-Vlan-interface10] ip address 168.10.2.1 255.255.255.0
[SwitchA-Vlan-interface10] igmp enable
[SwitchA-Vlan-interface10] pim dm
Configure Switch B:
# Enable the IGMP Snooping feature on Switch B.
IGMP Snooping is not enabled. Use the display current-configuration command to check the status of IGMP Snooping. If IGMP Snooping is disabled, check whether it is disabled globally or in the specific VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time.
System Encapsulation of EAPoL Messages, 802.1x Authentication Procedure, Timers Used in 802.1x, 802.1x Implementation on a 3Com 4500 Series Switch
Architecture of 802.1x Authentication
As shown in Figure 28-1, 802.1x adopts a client/server architecture with three entities: a supplicant system, an authenticator system, and an authentication server system.
The authenticator system is another entity residing at one end of a LAN segment. It authenticates the connected supplicant systems. The authenticator system is usually an 802.1x-supported network device (such as a 3Com series switch). It provides the port (physical or logical) for the supplicant system to access the LAN. The authentication server system is an entity that provides authentication service to the authenticator system.
By default, a controlled port is a unidirectional port.
The way a port is controlled
A port of a 3Com series switch can be controlled in the following two ways.
Port-based authentication. When a port is controlled in this way, all the suppli...
Figure 28-3 The format of an EAPoL packet In an EAPoL packet: The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E. The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
Figure 28-7 The format of a Message-authenticator field
802.1x Authentication Procedure
A 3Com Switch 4500 series Ethernet switch can authenticate supplicant systems in EAP terminating mode or EAP relay mode.
28-5
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in higher-level protocol (such as EAPoR) packets to enable them to reach the authentication server. Normally, this mode requires that the RADIUS server support the two newly added attributes: the EAP-Message attribute (type 79) and the Message-Authenticator attribute (type 80).
detailed procedure is as follows: A supplicant system launches an 802.1x client to initiate an access request by sending an EAPoL-start packet to the switch, with its user name and password provided. The 802.1x client program then forwards the packet to the switch to start the authentication process. Upon receiving the authentication request packet, the switch sends an EAP-request/identity packet to ask the 802.1x client for the user name.
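The encapsulations involved in the first steps of this exchange (the EAPoL header behind Ethernet type 0x888E, the EAP-Request/Identity the switch sends, and, in EAP relay mode, the EAP-Message attribute 79 and Message-Authenticator attribute 80 in the RADIUS Access-Request) are shown in the following added example, which is not code from the manual, the switch, or any 802.1x client. The EAPoL version 1 and the PAE group address 01-80-C2-00-00-03 are the values of 802.1X-2001; the Message-Authenticator is HMAC-MD5 over the RADIUS packet with the attribute's value zeroed, keyed with the shared key configured by the key authentication command. The RADIUS attribute layout and the shared key "name" used in the demonstration are taken from the RADIUS scheme in the configuration example later in this chapter; everything else (MAC addresses, identifiers, the user name) is constructed.

```python
import hashlib
import hmac
import os
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # destination of supplicant EAPoL frames
EAPOL_VERSION = 1                                   # 802.1X-2001 framing
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY = 1
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80


def eapol_frame(dst, src, packet_type, body=b""):
    """Ethernet header + EAPoL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETHERTYPE_EAPOL, EAPOL_VERSION,
                                   packet_type, len(body)) + body


def parse_eapol(frame):
    """Parse a frame, refusing anything whose length field overruns the frame."""
    if len(frame) < 18:
        raise ValueError("frame too short for an EAPoL header")
    dst, src, ethertype, version, packet_type, length = struct.unpack("!6s6sHBBH", frame[:18])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPoL frame")
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL body truncated")
    return {"dst": dst, "src": src, "version": version, "type": packet_type, "body": body}


def eap_packet(code, identifier, eap_type=None, data=b""):
    """EAP header (code, identifier, length) followed by type and type-data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse_eap(data):
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("bad EAP length")
    eap_type = data[4] if length > 4 else None
    return {"code": code, "id": identifier, "type": eap_type, "data": data[5:length]}


def eap_message_attributes(eap):
    """EAP-Message (79) carries the EAP packet in fragments of at most 253 bytes."""
    out = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        out += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(chunk)) + chunk
    return out


def access_request(identifier, authenticator, username, eap, secret):
    """Access-Request relaying eap, with Message-Authenticator (80) computed as
    HMAC-MD5 over the whole packet while the attribute's value is zero."""
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    attrs += eap_message_attributes(eap)
    attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def message_authenticator_valid(packet, secret):
    """What the server does on receipt: recompute with the value zeroed and compare.
    A packet sent with the wrong shared key fails here before EAP is looked at."""
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[offset + 2:offset + 18])
        offset += attr_len
    return False


if __name__ == "__main__":
    supplicant = bytes.fromhex("001122334455")          # constructed MAC
    start = eapol_frame(PAE_GROUP_ADDRESS, supplicant, EAPOL_START)
    print(parse_eapol(start))
    request = eap_packet(EAP_REQUEST, 0, EAP_TYPE_IDENTITY)
    print(parse_eap(request))
    response = eap_packet(EAP_RESPONSE, 0, EAP_TYPE_IDENTITY, b"localuser")
    pkt = access_request(7, os.urandom(16), b"localuser", response, b"name")
    print(message_authenticator_valid(pkt, b"name"), message_authenticator_valid(pkt, b"wrong"))
```

The length check in parse_eapol is the one a switch must get right: an EAPoL length field larger than the frame is the classic way to make a careless parser read past the buffer, and the field is attacker-controlled since anyone on the segment can send EAPoL.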
Figure 28-9 802.1x authentication procedure (in EAP terminating mode) The authentication procedure in EAP terminating mode is the same as that in the EAP relay mode except that the randomly-generated key in the EAP terminating mode is generated by the switch, and that it is the switch that sends the user name, the randomly-generated key, and the supplicant system-encrypted password to the RADIUS server for further authentication.
802.1x Implementation on a 3Com 4500 Series Switch In addition to the earlier mentioned 802.1x features, a 3Com 4500 series switch is also capable of the following: Checking supplicant systems for proxies, multiple network adapters, and so on (This function needs the cooperation of a CAMS server.)
In response to any of the three cases, a switch can optionally take the following measures: Only disconnects the supplicant system but sends no Trap packets. Sends Trap packets without disconnecting the supplicant system. This function needs the cooperation of 802.1x client and a CAMS server. The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
The switch sends authentication triggering request (EAP-Request/Identity) packets to all the 802.1x-enabled ports. After the maximum number of retries have been made and there are still ports that have not sent any response back, the switch adds these ports to the guest VLAN. Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated.
The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet with the Termination-Action attribute field of 1. Upon receiving the packet, the switch re-authenticates the user periodically. You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
Basic 802.1x Configuration Configuration Prerequisites Configure ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme. Ensure that the service type is configured as lan-access (by using the service-type command) if local authentication scheme is adopted.
To do… | Use the command… | Remarks
Enable online user handshaking | dot1x handshake enable | Optional. By default, online user handshaking is enabled.
Enter Ethernet port view | interface interface-type interface-number | —
Enable the handshake packet protection function | dot1x handshake secure | Optional. By default, the handshake packet protection function is disabled.
To do... | Use the command... | Remarks
Set the maximum retry times to send request packets | dot1x retry max-retry-value | Optional. By default, the maximum retry times to send a request packet is 2. That is, the authenticator system sends a request packet to a supplicant system up to two times by default.
Configuring Proxy Checking
Follow these steps to configure proxy checking:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enable the proxy checking function globally | dot1x supp-proxy-check { logoff | trap } | Required. By default, the 802.1x proxy checking function is globally disabled.
To do... | Use the command... | Remarks
Set the client version checking period timer | dot1x timer ver-period ver-period-value | Optional. By default, the timer is set to 30 seconds.
As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports.
The guest VLAN function is available only when the switch operates in the port-based authentication mode. Only one guest VLAN can be configured for each switch. The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication. This is because the switch does not send authentication packets in that case.
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
a real-time accounting packet to the RADIUS servers once in every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated. The user name and password for local 802.1x authentication are “localuser” and “localpass” (in plain text) respectively.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the shared key (password) for the switch and the authentication RADIUS servers to exchange messages.
[Sysname-radius-radius1] key authentication name
# Set the shared key (password) for the switch and the accounting RADIUS servers to exchange messages.
[Sysname-radius-radius1] key accounting money
# Set the interval and the number of the retries for the switch to send packets to the RADIUS servers.
In real applications, however, deploying EAD clients proves to be time consuming and inconvenient. To address the issue, the 3Com 4500 series provides the forcible deployment of EAD clients with 802.1x authentication, easing the work of EAD client deployme...
Configuring Quick EAD Deployment Configuration Prerequisites Enable 802.1x on the switch. Set the access mode to auto for 802.1x-enabled ports. Configuration Procedure Configuring a free IP range A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range: To do...
large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online.
Network diagram
Figure 29-1 Network diagram for quick EAD deployment
Configuration procedure
Before enabling quick EAD deployment, be sure that: The Web server is configured properly. The default gateway of the user's PC is configured as the IP address of the connected VLAN interface on the switch.
Troubleshooting
Symptom: A user cannot be redirected to the specified URL server, no matter what URL the user enters in the IE address bar.
Solution: If a user enters an IP address in a format other than the dotted decimal notation, the user may not be redirected.
HABP Configuration
When configuring HABP, go to these sections for information you are interested in: Introduction to HABP; HABP Server Configuration; HABP Client Configuration; Displaying and Maintaining HABP Configuration
Introduction to HABP
When a switch is configured with the 802.1x function, 802.1x will authenticate and authorize 802.1x-enabled ports and allow only the authorized ports to forward packets.
To do... / Use the command... / Remarks
To do: Configure the current switch to be an HABP server
Command: habp server vlan vlan-id
Remarks: Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.
System Guard Configuration
The CPU protection function is added. See CPU Protection Configuring CPU Protection.
When configuring System Guard, go to these sections for information you are interested in: System Guard Overview; Configuring System Guard; Displaying and Maintaining System Guard Configuration
System Guard Overview Guar...
Configuring System Guard
Configuring System Guard Against IP Attacks
Configuration of System Guard against IP attacks includes these tasks: Enabling System Guard against IP attacks; Setting the maximum number of infected hosts that can be concurrently monitored; Configuring parameters related to MAC address learning
Follow these steps to configure System Guard against IP attacks: To do...
To do... / Use the command... / Remarks
To do: Set the threshold of TCN/TC packet receiving rate
Command: system-guard tcn rate-threshold rate-threshold
Remarks: Optional. 1 pps by default. As the system monitoring cycle is 10 seconds, the system sends trap and log information if more than 10 TCN/TC packets are received within 10 seconds by default.
Displaying and Maintaining System Guard Configuration
To do... / Use the command... / Remarks
To do: Display the monitoring result and parameter settings of System Guard against IP attacks
Command: display system-guard ip state
Remarks: Available in any view

To do: Display the information about IP packets received by the CPU
Command: display system-guard ip-record
Remarks: Available in any view

To do: Display the status of Layer 3 ...
Command: display system-guard l3err...
Remote authentication: Users are authenticated remotely through RADIUS or HWTACACS protocol. This device (for example, a 3Com switch) acts as the client to communicate with the RADIUS or TACACS server. Remote authentication allows convenient centralized management and is feature-rich.
Accounting
AAA supports the following accounting methods: None accounting: No accounting is performed for users. Remote accounting: User accounting is performed on a remote RADIUS or TACACS server.
Introduction to ISP Domain
An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@"...
Clients: This database stores information about RADIUS clients (such as shared key). Dictionary: The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol.
Figure 32-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.
RADIUS client an authentication response (Access-Accept), which contains the user's authorization information. If the authentication fails, the server returns an Access-Reject response. The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server.
Code / Message type / Message description
Message type: Accounting-Request
Message description: Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message).
Type field value / Attribute type (the type field values did not survive extraction; the attribute types are listed by column)
First column: Filter-ID, Framed-MTU, Framed-Compression, Login-IP-Host, Login-Service, Login-TCP-Port, (unassigned), Reply-Message, Callback-Number, Callback-ID, (unassigned), Framed-Route
Second column: Proxy-State, Login-LAT-Service, Login-LAT-Node, Login-LAT-Group, Framed-AppleTalk-Link, Framed-AppleTalk-Network, Framed-AppleTalk-Zone, 40-59 (reserved for accounting), CHAP-Challenge, NAS-Port-Type, Port-Limit, Login-LAT-Port
The RADIUS protocol has good scalability. Attribute 26 (Vendor-Specific) defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS.
Table 32-3 Differences between HWTACACS and RADIUS
HWTACACS: Adopts TCP, providing more reliable network transmission. / RADIUS: Adopts UDP.
HWTACACS: Encrypts the entire message except the HWTACACS header. / RADIUS: Encrypts only the password field in authentication message.
HWTACACS: Separates authentication from authorization. For example, you can use one TACACS server for authentication and another TACACS server for authorization. / RADIUS: Combines authentication and authorization.
Figure 32-6 AAA implementation procedure for a telnet user
The basic message exchange procedure is as follows: A user sends a login request to the switch acting as a TACACS client, which then sends an authentication start request to the TACACS server. The TACACS server returns an authentication response, asking for the username.
After receiving the response indicating an authorization success, the TACACS client pushes the configuration interface of the switch to the user. 10) The TACACS client sends an accounting start request to the TACACS server. 11) The TACACS server returns an accounting response, indicating that it has received the accounting start request.
AAA Configuration
Configuration Task List
You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior. Complete the following tasks to configure AAA (configuring a combined AAA scheme for an ISP domain): Task...
Task / Remarks
Creating an ISP Domain and Configuring Its Attributes: Required
Configuring an AAA Scheme for an ISP Domain, Configuring separate AAA schemes: Required. With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively.
Domain configuration: Required. You need to configure RADIUS or HWTACACS before performing RADIUS or HWTACACS authentication.
To do… / Use the command… / Remarks
To do: Set the messenger function
Command: messenger time { enable limit interval | disable }
Remarks: Optional. By default, the messenger function is disabled.

To do: Set the self-service server location function
Command: self-service-url { disable | enable url-string }
Remarks: Optional. By default, the self-service server location function is...
To do… / Use the command… / Remarks
To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
Command: domain isp-name
Remarks: Required

To do: Configure an AAA scheme for the ISP domain
Command: scheme { local | none | radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme...
Remarks: Required. By default, an ISP ...
Follow these steps to configure separate AAA schemes:
To do… / Use the command… / Remarks
To do: Enter system view
Command: system-view
Remarks: —

To do: Create an ISP domain and enter its view, or enter the view of an existing ISP domain
Command: domain isp-name
Remarks: Required

To do: Configure an authentication...
Command: authentication { radius-scheme ...
Remarks: Optional
accounting. In this case, if the combined scheme uses RADIUS or HWTACACS, the system never uses the secondary scheme for authorization and accounting. If you configure no separate scheme, the combined scheme is used for authentication, authorization, and accounting. In this case, if the system uses the secondary local scheme for authentication, it also does so for authorization and accounting;...
For a VLAN ID with suffix t or T, the authentication port sends the frames of the VLAN tagged. For the first VLAN ID with suffix u or U, or with no suffix in the VLAN list, the authentication port sends the frames of the VLAN untagged and configures the VLAN as its default VLAN;...
To do… / Use the command… / Remarks
To do: Enter system view
Command: system-view
Remarks: —

To do: Create an ISP domain and enter its view
Command: domain isp-name
Remarks: —

To do: Set the VLAN assignment mode
Command: vlan-assignment-mode { integer | string | vlan-list }
Remarks: Optional. By default, the VLAN assignment mode is integer.
To do… / Use the command… / Remarks
To do: Set the password display mode of all local users
Command: local-user password-display-mode { cipher-force | auto }
Remarks: Optional. By default, the password display mode of all access users is auto, indicating the passwords of access users are displayed in the modes set by the password command.
RADIUS Configuration Task List 3Com’s Ethernet switches can function not only as RADIUS clients but also as local RADIUS servers. Complete the following tasks to configure RADIUS (the switch functions as a RADIUS client):...
Task / Remarks
Creating a RADIUS Scheme: Required
Configuring RADIUS Authentication/Authorization Servers: Required
Configuring Ignorance of Assigned RADIUS Authorization Attributes: Optional
Configuring RADIUS Accounting Servers: Required
Configuring Shared Keys for RADIUS Messages: Optional
Configuring the Maximum Number of RADIUS Request Transmission Attempts: Optional
Configuring the RADIUS client...
The RADIUS service configuration is performed on a RADIUS scheme basis. In an actual network environment, you can either use a single RADIUS server or two RADIUS servers (primary and secondary servers with the same configuration but different IP addresses) in a RADIUS scheme. After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme.
To do… / Use the command… / Remarks
To do: Enter system view
Command: system-view
Remarks: —

To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.

To do: Set the IP address and port number of the primary RADIUS ...
Command: primary authentication...
Remarks: Required. By default, the IP address and ...
Figure 33-1 Network diagram for the RADIUS authorization attribute ignoring function
Follow these steps to configure the RADIUS authorization attribute ignoring function:
To do… / Use the command… / Remarks
To do: Enter system view
Command: system-view
Remarks: —

To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name...
Remarks: Required. By default, a RADIUS scheme ...
To do… / Use the command… / Remarks
To do: Set the IP address and port number of the primary RADIUS accounting server
Command: primary accounting ip-address [ port-number ]
Remarks: Required. By default, the IP address and UDP port number of the primary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.
received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key. Follow these steps to configure shared keys for RADIUS messages: To do…...
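The Access-Request/Access-Accept exchange, the attribute encoding and Vendor-Specific attribute 26 from the AAA overview, and the shared-key check described just above, as an added example that is not part of this guide and not 3Com code. It follows RFC 2865/2866: the only field hidden is User-Password (XOR against an MD5 keystream derived from the shared key and the Request Authenticator), while every other attribute travels in cleartext; the reply and the accounting request are bound to the shared key by their authenticators, so a client and server that do not hold the same key reject each other's messages. The keys "name" and "money" are the ones from the RADIUS configuration example earlier in this chapter; the user name/password, vendor id and identifiers are constructed.

```python
import hashlib
import hmac
import os
import struct

# Added example (not 3Com code): RADIUS message handling per RFC 2865/2866.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, VENDOR_SPECIFIC, ACCT_STATUS_TYPE = 1, 2, 18, 26, 40
ACCT_STATUS_START = b"\x00\x00\x00\x01"   # Acct-Status-Type = start


def encode_attrs(attrs):
    """Attributes are TLVs: 1-byte type, 1-byte length (including the 2 header bytes), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Walk the attribute area; reject lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def vsa(vendor_id, vendor_type, value):
    """Attribute 26 (Vendor-Specific): 4-byte vendor id, then a vendor-defined TLV (vendor id is constructed here)."""
    return (VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + struct.pack("!BB", vendor_type, len(value) + 2) + value)


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with MD5(secret + previous block),
    seeded with the Request Authenticator. Only this field is protected; everything else is cleartext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(identifier, username, password, secret, extra_attrs=()):
    """Access-Request carries a random 16-byte Request Authenticator and the hidden password."""
    ra = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, ra))] + list(extra_attrs)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + ra + body


def accounting_request(identifier, attrs, secret):
    """RFC 2866: the authenticator is MD5(Code + ID + Length + 16 zero octets + Attributes + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_accounting_request(packet, secret):
    """Server side: recompute the accounting authenticator with its own copy of the shared key."""
    header, ra, body = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(hashlib.md5(header + b"\x00" * 16 + body + secret).digest(), ra)


def build_response(code, request_packet, attrs, secret):
    """Access-Accept/Reject: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + secret)."""
    identifier, ra = request_packet[1], request_packet[4:20]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def verify_response(response, request_packet, secret):
    """Client side: a reply is accepted only if it matches the outstanding request under the same key."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request_packet[1]:
        return False
    expected = hashlib.md5(response[:4] + request_packet[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

Note that the attribute area is never integrity-protected on its own: the Response Authenticator and the accounting authenticator are what bind a message to the shared key, and an Access-Request carries no such binding at all unless the Message-Authenticator attribute (RFC 2869, not shown here) is added.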
To do… / Use the command… / Remarks
To do: Enter system view
Command: system-view
Remarks: —

To do: Create a RADIUS scheme and enter its view
Command: radius scheme radius-scheme-name
Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.

To do: Configure the type of RADIUS servers to be supported...
Command: server-type { extended | ...
Remarks: Optional
To do… / Use the command… / Remarks
To do: Set the status of the secondary RADIUS authentication/authorization server
Command: state secondary authentication { block | active }

To do: Set the status of the secondary RADIUS accounting server
Command: state secondary accounting { block | active }

Configuring the Attributes of Data to be Sent to RADIUS Servers
Follow these steps to configure the attributes of data to be sent to RADIUS servers: To do…...
Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the “@” or “.” character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept the usernames that carry ISP domain names.
adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch. The message encryption key set by the local-server nas-ip ip-address key password command must be identical with the authentication/authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server.
To do… / Use the command… / Remarks
To do: Set the response timeout time of RADIUS servers
Command: timer response-timeout seconds
Remarks: Optional. By default, the response timeout time of RADIUS servers is three seconds.

To do: Set the time that the switch waits before it tries to re-communicate with primary ...
Command: timer quiet ...
Remarks: Optional. By default, the switch waits five minutes...
online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
HWTACACS Configuration Task List
Complete the following tasks to configure HWTACACS:
Task / Remarks
Creating a HWTACACS Scheme: Required
Configuring TACACS Authentication Servers: Required
Configuring TACACS Authorization Servers: Required
Configuring the TACACS client, Configuring TACACS Accounting Servers: Optional
Configuring Shared Keys for RADIUS Messages: Optional
Configuring the Attributes of Data to be Sent to TACACS ...: Optional...
To do… / Use the command… / Remarks
To do: Set the IP address and port number of the primary TACACS authentication server
Command: primary authentication ip-address [ port ]
Remarks: Required. By default, the IP address of the primary authentication server is 0.0.0.0, and the port number is 0.
You are not allowed to configure the same IP address for both primary and secondary authorization servers. If you do this, the system will prompt that the configuration fails. You can remove a server only when it is not used by any active TCP connection for sending authorization messages.
The TACACS client and server adopt MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties. The two parties verify the validity of the HWTACACS messages received from each other by using the shared keys that have been set on them, and can accept and respond to the messages only when both parties have the same shared key.
Generally, the access users are named in the userid@isp-name or userid.isp-name format. Here, isp-name after the "@" or "." character represents the ISP domain name. If the TACACS server does not accept the usernames that carry ISP domain names, it is necessary to remove domain names from usernames before they are sent to the TACACS server.
Displaying and Maintaining AAA Configuration
To do… / Use the command… / Remarks
To do: Display configuration information about one specific or all ISP domains
Command: display domain [ isp-name ]

To do: Display information about user ...
Command: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ...
Remarks: Available in...
Displaying and Maintaining HWTACACS Protocol Configuration
To do… / Use the command… / Remarks
To do: Display the configuration or statistic information about one specific or all HWTACACS schemes
Command: display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]
Remarks: Available in any view

To do: Display buffered non-response stop-accounting requests...
Command: display stop-accounting-buffer { hwtacacs-scheme ...
Network diagram
Figure 33-2 Remote RADIUS authentication of Telnet user
Configuration procedure
# Enter system view.
<Sysname> system-view
# Adopt AAA authentication for Telnet users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] quit
# Configure an ISP domain.
[Sysname] domain cams
[Sysname-isp-cams] access-limit enable 10
[Sysname-isp-cams] quit...
Local Authentication of FTP/Telnet Users The configuration procedure for local authentication of FTP users is similar to that for Telnet users. The following text only takes Telnet users as example to describe the configuration procedure for local authentication. Network requirements In the network environment shown in Figure 33-3, you are required to configure the switch so that the...
This method is similar to the remote authentication method described in Remote RADIUS Authentication of Telnet/SSH Users. However, you need to: Change the server IP address, and the UDP port number of the authentication server to 127.0.0.1, and 1645 respectively in the configuration step "Configure a RADIUS scheme" in Remote RADIUS Authentication of Telnet/SSH Users.
# Configure the domain name of the HWTACACS scheme to hwtac.
[Sysname] domain hwtacacs
[Sysname-isp-hwtacacs] scheme hwtacacs-scheme hwtac
Auto VLAN Configuration Example
Network requirements
As shown in Figure 33-5, use 802.1X authentication on Ethernet 1/0/1 and Ethernet 1/0/2 to authenticate users. After a user passes the authentication on a port, the RADIUS server issues a VLAN list to the switch, which assigns the authentication port to a VLAN that the IP phone needs to access.
[Switch-radius-bbb] quit
# Create authentication domain aaa, and then enter domain view.
[Switch] domain aaa
# Configure the VLAN assignment mode in domain aaa as VLAN list.
[Switch-isp-aaa] vlan-assignment-mode vlan-list
# Specify the authentication scheme for the domain.
[Switch-isp-aaa] radius-scheme bbb
[Switch-isp-aaa] quit
# Configure the authentication scheme.
The switch cannot communicate with the RADIUS server (you can determine this by pinging the RADIUS server from the switch) — Take measures to make the switch communicate with the RADIUS server normally.
Symptom 2: RADIUS packets cannot be sent to the RADIUS server.
Possible reasons and solutions: The communication links (physical/link layer) between the switch and the RADIUS server are disconnected/blocked —...
EAD Configuration
Introduction to EAD
Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance the active defense capability of network endpoints, prevent viruses and worms from spreading on the network, and protect the entire network by limiting the access rights of insecure endpoints. With the cooperation of switch, AAA server, security policy server and security client, EAD is able to evaluate the security compliance of network endpoints and dynamically control their access rights.
Configuring a RADIUS scheme. Configuring the IP address of the security policy server. Associating the ISP domain with the RADIUS scheme.
EAD is commonly used in RADIUS authentication environment. This section mainly describes the configuration of security policy server IP address. For other related configuration, refer to AAA Overview. Follow these step...
Network diagram
Figure 34-2 EAD configuration
Configuration procedure
# Configure 802.1x on the switch. Refer to "Configuring 802.1x" in 802.1x and System Guard Configuration.
# Configure a domain.
<Sysname> system-view
[Sysname] domain system
[Sysname-isp-system] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] accounting optional...
MAC Address Authentication Configuration
When configuring MAC address authentication, go to these sections for information you are interested in: MAC Address Authentication Overview; Related Concepts; Configuring Basic MAC Address Authentication Functions; MAC Address Authentication Enhanced Function Configuration; Displaying and Maintaining MAC Address Authentication Configuration; MAC Address Authentication Configuration Examples
MAC Address Authentication Overview
MAC address authentication provides a way for authenticating users based on ports and MAC...
In MAC address mode, the local user name to be configured is the MAC address of an access user, while the password may be the MAC address of the user or the fixed password configured (which is used depends on your configuration). Hyphens must or must not be included depending on the format configured with...
To do... / Use the command... / Remarks
To do: ... specified port(s) or the current port
Command (in interface view): interface interface-type interface-number; mac-authentication; quit
Remarks: Disabled by default

To do: Set the user name in MAC address mode
Command: mac-authentication authmode usernameasmacaddress [ usernameformat ...
Remarks: Optional. By default, the MAC address o...
MAC Address Authentication Enhanced Function Configuration
MAC Address Authentication Enhanced Function Configuration Task List
Complete the following tasks to configure MAC address authentication enhanced function:
Task / Remarks
Configuring a Guest VLAN: Optional
Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port: Optional...
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN,...
If more than one client is connected to a port, you cannot configure a Guest VLAN for this port. When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port.
If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port.
# Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user. Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
# Set the service type to lan-access.
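The MAC address mode described in the overview (user name is the client's MAC address in the configured hyphen/case format, password is either the same MAC or a fixed password) and the local-user entry created in the procedure above, as an added example that is not part of this guide and not 3Com code. The local user database mirrors the commands just shown; the with-hyphen/without-hyphen and lowercase/uppercase choices are modelled as Python flags, and the second MAC address and the fixed password are constructed. The point it makes is that whatever spelling the client's MAC arrives in, it must be normalised to exactly the configured format before lookup, or the entry is silently missed.

```python
import hmac
import re

# Added example (not 3Com code): derive MAC-mode credentials in the configured format and
# check them against local-user entries of the form {user name: (password, service type)}.


def canonical_mac(raw):
    """Accept the common spellings (00-0d-88-f6-44-c1, 000D-88F6-44C1, 00:0d:88:f6:44:c1, 000d88f644c1)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12 or not re.fullmatch(r"[0-9a-fA-F:\-. ]+", raw):
        raise ValueError("not a 48-bit MAC address: %r" % raw)
    return digits.lower()


def format_mac(raw, with_hyphen=True, lowercase=True):
    """Render the MAC in the form selected by the usernameformat options (modelled as flags here)."""
    digits = canonical_mac(raw)
    text = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return text if lowercase else text.upper()


class MacAuthenticator:
    def __init__(self, local_users, with_hyphen=True, lowercase=True, fixed_password=None):
        # fixed_password=None means the password is the MAC itself, in the same format as the user name.
        self.local_users = local_users
        self.with_hyphen, self.lowercase = with_hyphen, lowercase
        self.fixed_password = fixed_password

    def credentials_for(self, mac):
        name = format_mac(mac, self.with_hyphen, self.lowercase)
        return name, (self.fixed_password if self.fixed_password is not None else name)

    def authenticate(self, mac):
        """Return (accepted, reason); the reason is what a log line would carry."""
        try:
            name, password = self.credentials_for(mac)
        except ValueError as exc:
            return False, str(exc)
        entry = self.local_users.get(name)
        if entry is None:
            return False, "no local user %s" % name
        stored_password, service_type = entry
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return False, "password mismatch for %s" % name
        if service_type != "lan-access":
            return False, "service type %s is not lan-access" % service_type
        return True, "ok"
```

Because a MAC address is both visible on the wire and trivially configurable on a host, the "password" in this mode adds no secrecy; the checks above decide whether a known station is admitted, not whether the station is who it claims to be, which is why the guide pairs this with port security limits and Guest VLANs.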
ARP Configuration
When configuring ARP, go to these sections for information you are interested in: Introduction to ARP; Configuring ARP; Configuring Gratuitous ARP; Displaying and Debugging ARP; ARP Configuration Examples
Introduction to ARP
Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
Figure 36-1 ARP message format (fields in order: Hardware type (16 bits), Protocol type (16 bits), Length of hardware address, Length of protocol address, Operator (16 bits), Hardware address of the sender, ...)
Value / Description (hardware type table; only the descriptions Chaos, IEEE802.X and ARC network are legible)
ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored.
mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request. Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
To do… / Use the command… / Remarks
To do: Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with multicast MAC addresses)
Command: arp check enable
Remarks: Optional. Enabled by default.

Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically.
Displaying and Debugging ARP
To do… / Use the command… / Remarks
To do: Display specific ARP mapping table entries
Command: display arp [ static | dynamic | ip-address ]

To do: Display the ARP mapping entries related to a specified string in a specified way
Command: display arp [ dynamic | static ] | { begin | include | exclude } regular-expression...
ARP Attack Defense Configuration
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
Introduction to Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn
To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on...
Figure 37-1 Network diagram for ARP man-in-the-middle attack (a switch connecting Host A with IP_A/MAC_A, Host B with IP_B/MAC_B and Host C with IP_C/MAC_C; invalid ARP replies)
ARP attack detection
To guard against the man-in-the-middle attacks launched by hackers or attackers, S4500 series Ethernet switches support the ARP attack detection function.
For details about DHCP Snooping and IP static binding, refer to DHCP Operation. For details about 802.1x authentication, refer to 802.1x and System Guard Operation. ARP restricted forwarding With the ARP restricted forwarding function enabled, ARP request packets coming from untrusted port are forwarded through trusted ports only;...
Figure 37-2 Gateway spoofing attack
To prevent gateway spoofing attacks, an S4500 series Ethernet switch can work as an access device (usually with the upstream port connected to the gateway and the downstream ports connected to hosts) and filter ARP packets based on the gateway's address. To filter ARP attack packets arriving on a downstream port, you can bind the gateway's IP address to the downstream port (directly connected to hosts) of the switch.
Task / Remarks
Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface Can Learn: Optional. The switch serves as a gateway.
Configuring ARP Source MAC Address Consistency Check: Optional. The switch serves as a gateway or an access device.
ARP Packet Filtering Based on Gateway's Address: Optional. The switch serves as an access device.
To do… / Use the command… / Remarks
To do: Enter Ethernet port view
Command: interface interface-type interface-number
Remarks: —

To do: Configure ARP packet filtering based on the gateway's IP address
Command: arp filter source ip-address
Remarks: Required. Not configured by default.

Follow these steps to configure ARP packet filtering based on gateway's IP and MAC address: To do…...
To do… / Use the command… / Remarks
To do: Specify the current port as a trusted port
Command: dhcp-snooping trust
Remarks: Optional. After DHCP snooping is enabled, you need to configure the upstream port connected to the DHCP server as a trusted port.

To do: Configure the port as an ARP ...
Remarks: Optional. By default, a port is an ARP untrusted port.
To do… / Use the command… / Remarks
To do: Enable the ARP packet rate limit function
Command: arp rate-limit enable
Remarks: Required. By default, the ARP packet rate limit function is disabled on a port.

To do: Configure the maximum ARP packet rate allowed on the port
Command: arp rate-limit rate
Remarks: Optional. By default, the maximum ARP packet rate allowed on a port is...
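The defenses introduced in this chapter (source MAC consistency check, ARP attack detection against DHCP snooping or 802.1x bindings with trusted-port bypass, gateway address filtering on downstream ports, and the per-port ARP packet rate limit), run over constructed Ethernet/ARP frames, as an added example that is not part of this guide and not 3Com code. The frame layout follows Figure 36-1; the port names, binding entries, host addresses and the 15 pps limit are constructed, the gateway address 192.168.100.1 is taken from Configuration Example II below, and the order in which the checks are applied is a design choice of this example rather than documented switch behaviour.

```python
import struct
from collections import defaultdict

# Added example (not 3Com code): the chapter's ARP checks applied to raw frames.
ETH_P_ARP = 0x0806


def parse_arp_frame(frame):
    """Ethernet header plus ARP body in the Figure 36-1 layout (Ethernet hardware, IPv4 protocol only)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src, ethertype = frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {"eth_src": eth_src, "op": op,
            "sender_mac": frame[22:28], "sender_ip": frame[28:32],
            "target_mac": frame[32:38], "target_ip": frame[38:42]}


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, op=2, eth_dst=b"\xff" * 6):
    """eth_src and sender_mac are separate arguments so that inconsistent frames can be constructed."""
    eth = eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


class ArpGuard:
    """Per-port ARP policy: rate limit, source MAC consistency, trusted-port bypass,
    gateway address filtering, and attack detection against the binding table."""

    def __init__(self, bindings, trusted_ports, gateway_ip=None, max_pps=15):
        self.bindings = bindings            # {(port, sender_ip): sender_mac} learned by DHCP snooping / 802.1x
        self.trusted = set(trusted_ports)   # ports facing the gateway / DHCP server: not inspected
        self.gateway_ip = gateway_ip        # configured only on downstream (host-facing) ports
        self.max_pps = max_pps
        self.counters = defaultdict(int)    # (port, whole second) -> ARP packets seen

    def check(self, port, frame, now):
        """Return "forward..." or "drop: <reason>" for one frame received on port at time now (seconds)."""
        arp = parse_arp_frame(frame)
        slot = (port, int(now))
        self.counters[slot] += 1
        if self.counters[slot] > self.max_pps:
            return "drop: ARP rate limit exceeded"
        # Consistency check: the sender MAC inside ARP must equal the Ethernet source MAC.
        if arp["sender_mac"] != arp["eth_src"]:
            return "drop: sender MAC differs from Ethernet source MAC"
        if port in self.trusted:
            return "forward: trusted port"
        # Gateway filtering: a host-facing port may never originate ARP for the gateway's address.
        if self.gateway_ip is not None and arp["sender_ip"] == self.gateway_ip:
            return "drop: gateway IP claimed on a downstream port"
        # Attack detection: sender IP/MAC must match a binding learned on this port.
        if self.bindings.get((port, arp["sender_ip"])) != arp["sender_mac"]:
            return "drop: sender IP/MAC not in the binding table for this port"
        return "forward"
```

Each drop reason corresponds to one feature in the task list above, so the same function doubles as a way to see which feature would have caught a given frame; in practice the binding table is populated by DHCP snooping or 802.1x, not typed in as it is here.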
Network diagram
Figure 37-3 ARP attack detection and packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust...
ARP Attack Defense Configuration Example II
Network Requirements
As shown in Figure 37-4, Host A and Host B are connected to Gateway through an access switch (Switch). The IP and MAC addresses of Gateway are 192.168.100.1/24 and 000D-88F8-528C. To prevent gateway spoofing attacks from Host A and Host B, configure ARP packet filtering based on the gateway's IP and MAC addresses on Switch.
ARP Attack Defense Configuration Example III Network Requirements As shown in Figure 37-5, Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding: Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header.
Enable ARP attack detection based on bindings of authenticated 802.1x clients on the switch to prevent ARP attacks.
Network Diagram
Figure 37-6 Network diagram for 802.1x based ARP attack defense
Configuration Procedures
# Enter system view.
<Switch> system-view
# Enable 802.1x authentication globally.
[Switch] dot1x
# Enable ARP attack detection for VLAN 1.
DHCP Overview
When configuring DHCP, go to these sections for information you are interested in: Introduction to DHCP; DHCP IP Address Assignment; DHCP Packet Format; Protocol Specification
Introduction to DHCP
With networks getting larger in size and more complicated in structure, lack of available IP addresses becomes the common situation the network administrators have to face, and network configuration becomes a tough task for the network administrators.
Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses will be occupied by the DHCP clients permanently. Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again at the expiration of the period.
By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client.
file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client. option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
Protocol Specification
Protocol sp...
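The packet layout described in this section (fixed fields ending with the file name, followed by the variable-length option area carrying packet type, lease time, DNS and WINS addresses) and the lease-renewal point from DHCP IP Address Assignment (the client unicasts a DHCP-REQUEST when half of the lease time has elapsed), as an added example that is not part of this guide and not 3Com code. It builds and parses a DHCP-ACK; the client and server addresses, the transaction id, the file name and the 3600-second lease are constructed. The parser is deliberately strict about option lengths, since an option area that claims more bytes than the datagram carries is the classic malformed-packet case a relay or server must reject rather than read past the buffer.

```python
import ipaddress
import struct

# Added example (not 3Com code): DHCP fixed fields + option TLVs, and the half-lease renewal point.
DHCP_MAGIC = b"\x63\x82\x53\x63"
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128)
FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
OPT_PAD, OPT_DNS, OPT_WINS, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_END = 0, 6, 44, 51, 53, 255
MSG_TYPES = {1: "DHCP-DISCOVER", 2: "DHCP-OFFER", 3: "DHCP-REQUEST", 5: "DHCP-ACK", 6: "DHCP-NAK"}


def option(code, value):
    """One option: code, length, value."""
    return bytes([code, len(value)]) + value


def build_dhcp_packet(op, xid, yiaddr, chaddr, file=b"", options=b""):
    """236-byte fixed part, magic cookie, options, end marker. struct zero-pads the short string fields."""
    fixed = struct.pack(FIXED_FMT, op, 1, 6, 0, xid, 0, 0, b"\x00" * 4,
                        ipaddress.IPv4Address(yiaddr).packed, b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"", file)
    return fixed + DHCP_MAGIC + options + bytes([OPT_END])


def parse_options(data):
    """TLV walk over the option area: 0 is a single pad byte, 255 ends the list, anything else is code+len+value."""
    if data[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the packet" % code)
        opts[code] = value
        i += 2 + length
    return opts


def parse_dhcp_packet(packet):
    """Fixed fields by name, chaddr trimmed to hlen, file as text, options decoded."""
    if len(packet) < 236 + 4:
        raise ValueError("packet too short for a DHCP message")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
     siaddr, giaddr, chaddr, sname, file) = struct.unpack(FIXED_FMT, packet[:236])
    if hlen > 16:
        raise ValueError("hlen exceeds the chaddr field")
    return {"op": op, "xid": xid,
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "chaddr": chaddr[:hlen],
            "file": file.split(b"\x00", 1)[0].decode("ascii", "replace"),
            "options": parse_options(packet[236:])}


def address_list(value):
    if len(value) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, len(value), 4)]


def lease_summary(parsed):
    """What a client takes from a DHCP-ACK: type, lease, renewal point (half the lease), DNS and WINS servers."""
    opts = parsed["options"]
    summary = {"type": MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "unknown")}
    if OPT_LEASE_TIME in opts:
        lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
        summary["lease_seconds"] = lease
        summary["renew_after_seconds"] = lease // 2   # unicast DHCP-REQUEST to the server at this point
    if OPT_DNS in opts:
        summary["dns"] = address_list(opts[OPT_DNS])
    if OPT_WINS in opts:
        summary["wins"] = address_list(opts[OPT_WINS])
    return summary
```

The renewal figure is what the default lease-update behaviour above turns into a timer; a server that cannot renew the same address answers the unicast DHCP-REQUEST with a DHCP-NAK instead, and the client falls back to the discovery exchange.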
DHCP Server Configuration
When configuring the DHCP server, go to these sections for information you are interested in: Introduction to DHCP Server; DHCP Server Configuration Task List; Enabling DHCP; Configuring the Global Address Pool Based DHCP Server; Configuring the Interface Address Pool Based DHCP Server; Configuring DHCP Server Security Functions...
Types of address pool
The address pools of a DHCP server fall into two types: global address pool and interface address pool. A global address pool is created by executing the dhcp server ip-pool command in system view. It is valid on the current device. If an interface is configured with a valid unicast IP address, you can create an interface-based address pool for the interface by executing the dhcp select interface command in interface view.
If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server will select this address pool and assign the statically bound IP address to the client. Otherwise, the DHCP server observes the following principles to select a dynamic address pool.
When you merge two or more XRN systems into one XRN system, a new master unit is elected, and the new XRN system adopts new configurations accordingly. This may result in the existing system configurations (including the address pools configured for the DHCP servers) being lost. As the new XRN system cannot inherit the original DHCP server configurations, you need to perform DHCP server configurations for it.
To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches open UDP ports 67 and 68 (the ports used by DHCP) only while DHCP is enabled; when DHCP is disabled, both ports are closed. The corresponding implementation is as follows: after DHCP is enabled with the dhcp enable command, UDP ports 67 and 68 stay closed as long as neither the DHCP server nor the DHCP relay agent function is configured;...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the specified interface(s) or all interfaces to operate in global address pool mode: configure the current interface | interface interface-type interface-number, then dhcp select global, then quit | Optional. By default, the interface operates in global address pool mode.
Configure multiple interfaces | dhcp select global { interface...
Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address or a client ID. Follow these steps to configure the static IP address allocation mode:
To do… | Use the command… | Remarks
Enter system view | system-view | —...
To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches open UDP ports 67 and 68 (the ports used by DHCP) only while DHCP is enabled; when DHCP is disabled, both ports are closed. The corresponding implementation is as follows: after a DHCP address pool is created by executing the dhcp server ip-pool command, UDP ports 67 and 68 are opened.
In the same DHCP global address pool, the network command can be executed repeatedly. In this case, the new configuration overwrites the previous one. The dhcp server forbidden-ip command can be executed repeatedly. That is, you can configure multiple IP addresses that are not dynamically assigned to DHCP clients. If an IP address that is not to be automatically assigned has been configured as a statically-bound IP address, the DHCP server still assigns this IP address to the client whose MAC address or ID has been bound.
Configuring WINS Servers for the DHCP Client
For Microsoft Windows-based DHCP clients that communicate through NetBIOS, host name-to-IP address translation is carried out by Windows Internet Naming Service (WIN) servers, so WINS-related configuration is needed for most Windows-based hosts. To provide this translation for DHCP clients, enable the DHCP server to hand out WINS server addresses together with the IP addresses it assigns.
Configuring Gateways for the DHCP Client Gateways are necessary for DHCP clients to access servers/hosts outside the current network segment. After you configure gateway addresses on a DHCP server, the DHCP server provides the gateway addresses to DHCP clients as well while assigning IP addresses to them. You can configure gateway addresses for global address pools on a DHCP server.
Meanings of the sub-options for Option 184
Table 39-1 Meanings of the sub-options for Option 184
Sub-option | Feature | Function | Note
NCP-IP | The IP address of the NCP server, carried by sub-option 1 of Option 184 | The NCP-IP sub-option is intended for... | When used in Option 184, this sub-option...
Mechanism of using Option 184 on the DHCP server
The DHCP server encapsulates the information for Option 184 in the response packets it sends to DHCP clients. Assuming the DHCP clients are on the same segment as the DHCP server, the mechanism works as follows: a DHCP client sends the DHCP server a request packet carrying Option 55, which indicates that the client requests the configuration parameters of Option 184.
Configuring the TFTP Server and Bootfile Name for the DHCP Client This task is to specify the IP address and name of a TFTP server and the bootfile name in the DHCP global address pool. The DHCP clients use these parameters to contact the TFTP server, requesting the configuration file used for system initialization, which is called auto-configuration.
To do… | Use the command… | Remarks
Configure a self-defined DHCP option | option code { ascii ascii-string | hex hex-string&<1-10> | ip-address ip-address&<1-8> } | Required. Not configured by default.
Be cautious when configuring self-defined DHCP options, because such configuration may affect the DHCP operation process.
Task | Remarks
Enabling the Interface Address Pool Mode on Interface(s) | Required
Configuring an Address Allocation Mode for an Interface Address Pool: Configuring the static IP address allocation mode; Configuring the dynamic IP address allocation mode | One of the two options is required, and the two can be configured at the same time.
To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches open UDP ports 67 and 68 (the ports used by DHCP) only while DHCP is enabled; when DHCP is disabled, both ports are closed. The corresponding implementation is as follows: after a DHCP interface address pool is created by executing the dhcp select interface command, UDP ports 67 and 68 are opened.
There is no limit to the number of IP addresses statically bound in an interface address pool, but the statically bound IP addresses and the IP address of the interface must be in the same network segment.
Use the dhcp server forbidden-ip command to configure the IP addresses that are not to be assigned dynamically from global address pools and interface address pools. The command can be executed repeatedly, so you can exclude multiple IP addresses from dynamic assignment to DHCP clients.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure DNS server addresses for DHCP clients, on the current interface | interface interface-type interface-number, then dhcp server dns-list ip-address&<1-8>, then quit | Required. By default, no DNS server address is configured.
Configure DNS server addresses for DHCP clients, on multiple interfaces | dhcp server dns-list ip-address&<1-8> ... | Required. By default, no DNS server address is configured.
To do… | Use the command… | Remarks
Configure WINS server addresses for DHCP clients, on multiple interfaces in system view | dhcp server nbns-list ip-address&<1-8> { interface interface-type interface-number [ to interface-type interface-number ] | all } | By default, no WINS server address is configured.
Enter interface view | interface interface-type interface-number | —
Configure the NetBIOS node type for DHCP clients on the current interface | dhcp server netbios-type { b-node | h-node | m-node | p-node } | Required...
Follow these steps to configure Option 184 parameters for clients with voice service:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Specify the primary network calling... | dhcp server voice-config ncp-ip ip-address | Required. Not specified by...
Follow these steps to configure the TFTP server and bootfile name for the DHCP client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Specify the IP address and name of the TFTP server | dhcp server tftp-server ip-address ...
Be cautious when configuring self-defined DHCP options, because such configuration may affect the DHCP operation process.
Configuring DHCP Server Security Functions
DHCP security configuration is needed to ensure the security of the DHCP service.
Prerequisites
Before configuring DHCP security, first complete the DHCP server configuration (either global address pool-based or interface address pool-based).
server will assign the IP address to the requesting client (the DHCP client probes the IP address by sending gratuitous ARP packets).
Follow these steps to configure IP address detecting:
To do… | Use the command… | Remarks
Enter system view | system-view | —...
DHCP Accounting Configuration
Prerequisites
Before configuring DHCP accounting, make sure that:
The DHCP server is configured and operates properly.
Address pools and lease time are configured.
DHCP clients are configured and DHCP service is enabled.
The network operates properly.
Configuring DHCP Accounting
Follow these steps to configure DHCP accounting:
To do…...
To do… | Use the command… | Remarks
Display lease expiration information | display dhcp server expired { ip ip-address | pool [ pool-name ] | interface [ interface-type interface-number ] | all } |
Display the free IP addresses | display dhcp server free-ip |
Display information about ... | display dhcp server ip-in-use { ip ip-address | pool [ pool-name ] | interface [ interface-type...
In the address pool 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2, gateway 10.1.1.126, and WINS server 10.1.1.4. In the address pool 10.1.1.128/25, the address lease duration is five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2, and gateway address 10.1.1.254, and there is no WINS server address.
DHCP Server with Option 184 Support Configuration Example Network requirements A 3COM VCX device operating as a DHCP client requests the DHCP server for all sub-options of Option 184. A switch operates as the DHCP server. The Option 184 support function is configured for a global DHCP address pool.
Figure 39-2 Network diagram for Option 184 support configuration
Configuration procedure
Configure the DHCP client. Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of Option 184. (Configuration process omitted)
Configure the DHCP server.
Ethernet 1/0/1 belongs to VLAN 2; Ethernet 1/0/2 belongs to VLAN 3. The IP address of VLAN-interface 1 is 10.1.1.1/24, and that of VLAN-interface 2 is 10.1.2.1/24. The IP address of the RADIUS server is 10.1.2.2/24. DHCP accounting is enabled on the DHCP server. The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0.
[Sysname-radius-123] primary accounting 10.1.2.2
[Sysname] domain 123
[Sysname-isp-123] scheme radius-scheme 123
[Sysname-isp-123] quit
# Create an address pool on the DHCP server.
[Sysname] dhcp server ip-pool test
[Sysname-dhcp-pool-test] network 10.1.1.0 mask 255.255.255.0
# Enable DHCP accounting.
[Sysname-dhcp-pool-test] accounting domain 123
Troubleshooting a DHCP Server
Symptom
The IP address dynamically assigned by a DHCP server to a client conflicts with the IP address of...
DHCP Relay Agent Configuration
When configuring the DHCP relay agent, go to these sections for information you are interested in:
Introduction to DHCP Relay Agent
Configuring the DHCP Relay Agent
Displaying and Maintaining DHCP Relay Agent Configuration
DHCP Relay Agent Configuration Example
Troubleshooting DHCP Relay Agent Configuration
Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
Figure 40-1 Typical DHCP relay agent application In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent.
Figure 40-2 Padding contents for sub-option 1 of Option 82
Figure 40-3 Padding contents for sub-option 2 of Option 82
Mechanism of Option 82 supported on the DHCP relay agent
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly.
the XID (transaction ID, a random value selected by the client to uniquely identify an address allocation process) in the message, and then forward the message to the DHCP server. After receiving the message, the DHCP server returns a DHCP-ACK message to the client: if the DHCP-ACK message is unicast, the DHCP relay agent forwards it directly to the client without replacing the XID in the message.
Follow these steps to enable DHCP:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable DHCP | dhcp enable | Required. Enabled by default.
Correlating a DHCP Server Group with a Relay Agent Interface
To enhance reliability, you can set up multiple DHCP servers on the same network. These DHCP servers form a DHCP server group.
You can configure up to eight DHCP server IP addresses in a DHCP server group. You can map multiple VLAN interfaces to one DHCP server group, but one VLAN interface can be mapped to only one DHCP server group. If you execute the dhcp-server groupNo command repeatedly, the new configura...
The address-check enable command is independent of the other commands of the DHCP relay agent. That is, the invalid address check takes effect as soon as this command is executed, regardless of whether other commands (such as the command to enable DHCP) are used.
Enabling unauthorized DHCP server detection
If there is an unauthorized DHCP server in the network, it may assign an incorrect IP address to a DHCP client that applies for one. With this feature enabled, upon receiving from a client a DHCP message whose siaddr field (the IP address of the server offering the IP address to the client) is not 0, the DHCP relay agent will record...
By default, with the Option 82 support function enabled on the DHCP relay agent, the DHCP relay agent adopts the replace strategy to process request packets that already contain Option 82. However, if another strategy was configured before, enabling Option 82 support on the DHCP relay agent does not change the configured strategy.
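What the relay does with Option 82, written out as an added example rather than the switch's own code: insert sub-option 1 (circuit ID) and sub-option 2 (remote ID), fill giaddr on the first hop, and apply the replace, keep or drop strategy to requests that already carry the option; on the way back, accept only replies whose giaddr is this relay and strip the option before delivering to the client. Messages are plain dicts here; the circuit-ID layout (2-byte VLAN ID plus 2-byte port index), the remote-ID content (relay MAC) and the sample DISCOVER are assumptions.

```python
import struct

OPTION_82, CIRCUIT_ID, REMOTE_ID = 82, 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16                      # relays discard requests whose hops field exceeds this


def encode_sub_options(subs):
    """Serialise {sub-option code: bytes} as the Option 82 payload (TLV)."""
    out = b""
    for code, value in sorted(subs.items()):
        if len(value) > 255:
            raise ValueError("sub-option %d too long" % code)
        out += bytes([code, len(value)]) + value
    return out


def decode_sub_options(payload):
    subs, i = {}, 0
    while i + 2 <= len(payload):
        code, length = payload[i], payload[i + 1]
        subs[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def build_option82(vlan_id, port_index, relay_mac):
    """Circuit ID = VLAN ID and port index (assumed 2 bytes each, big-endian),
    Remote ID = the relay agent's MAC address (assumed content)."""
    return encode_sub_options({
        CIRCUIT_ID: struct.pack("!HH", vlan_id, port_index),
        REMOTE_ID: bytes.fromhex(relay_mac.replace(":", "")),
    })


def relay_to_server(msg, strategy, relay_ip, option82):
    """Client -> server direction. Returns the message to forward, or None when
    it is dropped. strategy is 'replace' (the default), 'keep' or 'drop' and
    only matters for requests that already carry Option 82."""
    if strategy not in ("replace", "keep", "drop"):
        raise ValueError("unknown Option 82 strategy %r" % strategy)
    if msg["op"] != BOOTREQUEST or msg["hops"] > MAX_HOPS:
        return None
    out = dict(msg, options=dict(msg["options"]))     # never modify the caller's message
    if OPTION_82 in out["options"]:
        if strategy == "drop":
            return None
        if strategy == "replace":
            out["options"][OPTION_82] = option82
        # keep: the client's own Option 82 is forwarded unchanged
    else:
        out["options"][OPTION_82] = option82
    if out["giaddr"] == "0.0.0.0":                      # first relay on the path
        out["giaddr"] = relay_ip
    out["hops"] += 1
    return out


def relay_to_client(msg, relay_ip):
    """Server -> client direction: only replies whose giaddr is this relay are
    accepted, and Option 82 is stripped before delivery to the client."""
    if msg["op"] != BOOTREPLY or msg["giaddr"] != relay_ip:
        return None
    out = dict(msg, options=dict(msg["options"]))
    out["options"].pop(OPTION_82, None)
    return out


# Constructed DHCP-DISCOVER as seen by the relay on its client-facing VLAN.
SAMPLE_DISCOVER = {
    "op": BOOTREQUEST, "xid": 0x1A2B3C4D, "hops": 0, "giaddr": "0.0.0.0",
    "chaddr": "00:0d:88:f5:97:ed",
    "options": {53: b"\x01", 55: bytes([1, 3, 6, 44, 184])},
}
```

The keep strategy is the one to be careful with: a client that fabricates its own Option 82 is then trusted as far as the server is concerned, which is why replace is the default above.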
DHCP Relay Agent Configuration Example
Network requirements
VLAN-interface 1 on the DHCP relay agent (Switch A) connects to the network where the DHCP clients reside. The IP address of VLAN-interface 1 is 10.10.1.1/24, and the IP address of VLAN-interface 2 is 10.1.1.2/24, which communicates with the DHCP server 10.1.1.1/24.
Analysis
This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates improperly, you can locate the problem by enabling debugging and checking the debugging information and interface state (display the information by executing the corresponding display command).
Solution
Check if DHCP is enabled on the DHCP server and the DHC...
DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
DHCP Snooping Overview
Configuring DHCP Snooping
Displaying and Maintaining DHCP Snooping Configuration
DHCP Snooping Configuration Examples
DHCP Snooping Overview
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked so that the administrator can verify the corresponding relationship between the IP addresses the DHCP clients...
Figure 41-1 Typical network diagram for DHCP snooping application (DHCP server, Switch A running DHCP snooping, Switch B running DHCP relay, and DHCP clients)
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
DHCP-REQUEST packet
DHCP-ACK packet...
Figure 41-3 Extended format of the remote ID sub-option
In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format.
When receiving a DHCP client's request without Option 82, the DHCP snooping device adds the option field with the configured sub-option and then forwards the packet. For details, see Table 41-2.
Table 41-2 Ways of handling a DHCP packet without Option 82
Sub-option configuration | The DHCP-Snooping device will …...
client cannot be recorded in the DHCP-snooping table. Consequently, this client cannot pass the IP filtering based on the DHCP-snooping table, so it cannot access external networks. To solve this problem, the switch supports the configuration of static binding table entries, that is, the binding relationship between an IP address, a MAC address, and the port connecting to the client, so that...
If an S4500 Ethernet switch is enabled with DHCP snooping, the clients connected to it cannot dynamically obtain IP addresses through BOOTP. You need to specify the ports connected to the valid DHCP servers as trusted to ensure that DHCP...
Configuring a handling policy for DHCP packets with Option 82
Follow these steps to configure a handling policy for DHCP packets with Option 82:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure a global handling policy for requests that contain... | dhcp-snooping information ... | Optional...
To do… | Use the command… | Remarks
Enter Ethernet port view | interface interface-type interface-number | —
Configure the circuit ID sub-option in Option 82 | dhcp-snooping information [ vlan vlan-id ] circuit-id string string | Optional. By default, the circuit ID sub-option contains the VLAN ID and port index related to the port that receives the DHCP request...
If you configure a remote ID sub-option both in system view and on a port, the remote ID sub-option configured on the port applies when that port receives a packet, and the global remote ID applies to the other interfaces that have no remote ID sub-option configured. If in Ethernet port view you have configured one remote ID with the vlan vlan-id argument specified and another without it, the former applies to the DHCP messages...
For details about 802.1x authentication, refer to 802.1x and System Guard Operation. You are not recommended to configure IP filtering on the ports of an aggregation group. Enable DHCP snooping and specify trusted ports on the switch before configuring IP filtering based on the DHCP-snooping table.
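To make the snooping table, trusted ports and IP filtering concrete, here is an added example in Python; it is not the switch's implementation. It records a binding from a client's DHCP-REQUEST on an untrusted port and the matching DHCP-ACK on a trusted port, drops server replies that arrive on untrusted ports, supports static entries for clients that never use DHCP, and filters ordinary traffic on a port against the table by IP address or by IP and MAC address. Port names, lease lengths and the message dicts are constructed for the example.

```python
class DhcpSnooping:
    """DHCP-snooping table, trusted ports and DHCP-snooping-based IP
    filtering, modelled in Python (added example, not switch code)."""

    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self):
        self.trusted = set()      # ports allowed to carry DHCP server replies
        self.ip_check = {}        # port -> "ip" or "ip-mac" (what ip check source enables)
        self.pending = {}         # client MAC -> (port, vlan) of its last DHCP-REQUEST
        self.bindings = {}        # (port, ip) -> {"mac", "vlan", "expires"}
        self.dropped = {"rogue_server": 0, "ip_filter": 0}

    def trust(self, port):
        self.trusted.add(port)

    def enable_ip_check(self, port, mode="ip-mac"):
        if mode not in ("ip", "ip-mac"):
            raise ValueError(mode)
        self.ip_check[port] = mode

    def add_static(self, port, ip, mac, vlan):
        """Static entry for a client that never speaks DHCP; it never expires."""
        self.bindings[(port, ip)] = {"mac": mac.lower(), "vlan": vlan, "expires": None}

    def on_dhcp(self, port, vlan, msg, now):
        """Return 'forward' or 'drop' for a DHCP message seen on a port."""
        if msg["type"] in self.SERVER_MESSAGES:
            if port not in self.trusted:
                self.dropped["rogue_server"] += 1      # server reply on an untrusted port
                return "drop"
            if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
                client_port, client_vlan = self.pending.pop(msg["chaddr"])
                self.bindings[(client_port, msg["yiaddr"])] = {
                    "mac": msg["chaddr"].lower(), "vlan": client_vlan,
                    "expires": now + msg["lease"]}
            return "forward"
        if msg["type"] == "REQUEST":
            self.pending[msg["chaddr"]] = (port, vlan)
        elif msg["type"] == "RELEASE":
            self.bindings.pop((port, msg["ciaddr"]), None)
        return "forward"          # client messages always go on toward the servers

    def on_packet(self, port, src_ip, src_mac, now):
        """IP filtering for ordinary (non-DHCP) traffic received on a port."""
        mode = self.ip_check.get(port)
        if mode is None:
            return "forward"
        entry = self.bindings.get((port, src_ip))
        if entry is None or (entry["expires"] is not None and entry["expires"] <= now):
            self.dropped["ip_filter"] += 1
            return "drop"
        if mode == "ip-mac" and entry["mac"] != src_mac.lower():
            self.dropped["ip_filter"] += 1
            return "drop"
        return "forward"
```

The binding is keyed by the port the REQUEST came in on, not the port the ACK arrives on, so a host that moves to another port has to re-acquire its lease before its traffic passes the filter, which is the behaviour the static-entry mechanism above exists to work around for hosts with fixed addresses.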
DHCP Snooping Configuration Examples
DHCP-Snooping Option 82 Support Configuration Example
Network requirements
As shown in Figure 41-6, Ethernet 1/0/5 of the switch is connected to the DHCP server, and Ethernet 1/0/1, Ethernet 1/0/2, and Ethernet 1/0/3 are connected to Client A, Client B, and Client C respectively. Enable DHCP snooping on the switch.
[Switch-Ethernet1/0/3] dhcp-snooping information vlan 1 circuit-id string abcd
IP Filtering Configuration Example
Network requirements
As shown in Figure 41-7, Ethernet 1/0/1 of the S4500 switch is connected to the DHCP server and Ethernet 1/0/2 is connected to Host A.
[Switch-Ethernet1/0/2] quit
[Switch] interface ethernet 1/0/3
[Switch-Ethernet1/0/3] ip check source ip-address mac-address
[Switch-Ethernet1/0/3] quit
[Switch] interface ethernet 1/0/4
[Switch-Ethernet1/0/4] ip check source ip-address mac-address
[Switch-Ethernet1/0/4] quit
# Create static binding entries on Ethernet 1/0/2 of the switch.
[Switch] interface ethernet 1/0/2
[Switch-Ethernet1/0/2] source static...
DHCP Packet Rate Limit Configuration
When configuring the DHCP packet rate limit function, go to these sections for information you are interested in:
Introduction to DHCP Packet Rate Limit
Configuring DHCP Packet Rate Limit
Rate Limit Configuration Example
Introduction to DHCP Packet Rate Limit
To prevent ARP attacks and attacks from unauthorized DHCP servers, ARP packets and DHCP...
To do… | Use the command… | Remarks
Enter port view | interface interface-type interface-number | —
Enable the DHCP packet rate limit function | dhcp rate-limit enable | Required. By default, DHCP packet rate limit is disabled.
Configure the maximum DHCP packet rate allowed on the port | dhcp rate-limit rate | Optional. By default, the maximum rate is 15...
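The rate limit and the auto recovery used in the example that follows are easy to get wrong at the boundary, so here is an added example (not the switch's code) of the logic: count DHCP packets per port in one-second windows, shut the port down on the packet that exceeds the limit, drop everything while it is down, and bring it back after a recovery interval if one is configured. The default limit of 15 comes from the table above; that the unit is packets per second, the window length and the recovery interval are assumptions.

```python
class DhcpRateLimiter:
    """Per-port limit on received DHCP packets. A port that exceeds its
    configured packets-per-second is shut down; with auto recovery set it
    comes back after recover_after seconds, otherwise only recover() does."""

    def __init__(self, default_rate=15, recover_after=None):
        self.default_rate = default_rate       # 15, as in the table above
        self.recover_after = recover_after     # None: manual recovery only
        self.ports = {}

    def enable(self, port, rate=None):
        self.ports[port] = {"rate": rate or self.default_rate, "window_start": None,
                            "count": 0, "down_since": None}

    def recover(self, port):
        self.ports[port].update(window_start=None, count=0, down_since=None)

    def state(self, port):
        st = self.ports.get(port)
        if st is None:
            return "unlimited"
        return "down" if st["down_since"] is not None else "up"

    def on_dhcp_packet(self, port, now):
        """Return 'forward', 'drop' (port is shut down) or 'shutdown' (this
        packet pushed the port over its limit and shut it down)."""
        st = self.ports.get(port)
        if st is None:
            return "forward"                       # rate limit not enabled here
        if st["down_since"] is not None:
            if self.recover_after is not None and now - st["down_since"] >= self.recover_after:
                self.recover(port)                 # auto recovery
            else:
                return "drop"
        if st["window_start"] is None or now - st["window_start"] >= 1.0:
            st["window_start"], st["count"] = now, 0   # start a new one-second window
        st["count"] += 1
        if st["count"] > st["rate"]:
            st["down_since"] = now
            return "shutdown"
        return "forward"
```

Without auto recovery a single burst from a misbehaving client takes the port down until an operator intervenes, which is itself a denial-of-service lever; with it, an attacker who keeps bursting just keeps the port flapping, so the recovery interval is a trade-off rather than a fix.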
Networking diagram
Figure 42-1 Network diagram for DHCP packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on the switch.
<Switch> system-view
[Switch] dhcp-snooping
# Specify Ethernet 1/0/1 as the trusted port.
[Switch] interface ethernet 1/0/1
[Switch-Ethernet1/0/1] dhcp-snooping trust
[Switch-Ethernet1/0/1] quit
# Enable auto recovery.
DHCP/BOOTP Client Configuration
When configuring the DHCP/BOOTP client, go to these sections for information you are interested in:
Introduction to DHCP Client
Introduction to BOOTP Client
Configuring a DHCP/BOOTP Client
Displaying DHCP/BOOTP Client Configuration
Introduction to DHCP Client
After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters...
Configuring a DHCP/BOOTP Client
Follow these steps to configure a DHCP/BOOTP client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface vlan-interface vlan-id | —
Configure the VLAN interface to obtain an IP address through ... | ip address { bootp-alloc | dhcp-alloc } | Required. By default, no IP address is...
DHCP Client Configuration Example
Network requirements
VLAN-interface 1 of Switch B is connected to the LAN and uses DHCP to obtain an IP address from the DHCP server.
Network diagram
Figure 39-1
Configuration procedure
The following describes only the configuration on Switch B, which serves as the DHCP client.
# Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
ACL Configuration
When configuring ACLs, go to these sections for information you are interested in:
ACL Overview
ACL Configuration Task List
Displaying and Maintaining ACL Configuration
Examples for Upper-layer Software Referencing ACLs
Examples for Applying ACLs to Hardware
Overview
As network scale and traffic keep growing, security control and bandwidth assignment play an increasingly important role in network management.
auto: rules in an ACL are matched in the order determined by the system, namely the "depth-first" rule (Layer 2 ACLs, user-defined ACLs and IPv6 ACLs do not support this feature). For the depth-first rule, there are two cases:
Depth-first match order for rules of a basic ACL
Range of source IP address: The smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
When applying an ACL in this way, you can specify the order in which the rules in the ACL are matched. The match order cannot be modified once it is determined, unless you delete all the rules in the ACL and redefine the match order.
Configuring Time Range
Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL. A time range-based ACL takes effect only in the specified time ranges: an ACL rule takes effect only after its time range is configured and the system time falls within that range.
Configuration example
# Define a periodic time range that spans from 8:00 to 18:00 on Monday through Friday.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 working-day
[Sysname] display time-range test
Current time is 13:27:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
08:00 to 18:00 working-day
# Define an absolute time range that spans from 15:00 1/28/2006 to 15:00 1/28/2008.
With the config match order specified for the basic ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existent rule; otherwise the system will tell you that the rule cannot be modified. If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically.
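An added example (not the switch's code) of the rule ordering and time-range behaviour described above for a basic ACL: rules are numbered automatically, the auto match order sorts them depth-first by the number of zero bits in the wildcard mask, config order keeps them as entered, and a rule with a time range matches only while that range is active, including the working-day range whose display output above shows it Inactive on a Saturday. The automatic numbering (0 for the first rule, otherwise the highest number plus one) is taken from the user-defined ACL notes later in this chapter and assumed to apply to basic ACLs as well; the sample rules and dates are constructed.

```python
import ipaddress
from datetime import datetime, time

WORKING_DAYS = {0, 1, 2, 3, 4}        # Monday..Friday in datetime.weekday() numbering


def when(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second)


def _tod(text):
    hour, minute = text.split(":")
    return time(int(hour), int(minute))


class TimeRange:
    """A periodic window ('8:00' to '18:00' on 'daily' or 'working-day') and/or
    an absolute window; active only when every configured part matches."""

    def __init__(self, name, start=None, end=None, days="daily", absolute=None):
        self.name = name
        self.start = _tod(start) if start else None
        self.end = _tod(end) if end else None
        self.days = set(range(7)) if days == "daily" else WORKING_DAYS
        self.absolute = absolute                      # (datetime, datetime) or None

    def active(self, now):
        if self.absolute and not (self.absolute[0] <= now <= self.absolute[1]):
            return False
        if self.start is not None:
            return now.weekday() in self.days and self.start <= now.time() < self.end
        return True


def _addr(text):
    """Dotted quad, or the bare '0' the CLI accepts for an all-zero wildcard."""
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


class BasicAcl:
    """Basic ACL (numbered 2000-2999): rules match on the source address only."""

    def __init__(self, number, match_order="config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000-2999")
        if match_order not in ("config", "auto"):
            raise ValueError(match_order)
        self.number, self.match_order, self.rules = number, match_order, []

    def add_rule(self, action, source, wildcard="0", time_range=None, rule_id=None):
        if rule_id is None:                 # automatic numbering (assumed 0, then max + 1)
            rule_id = 0 if not self.rules else max(r["id"] for r in self.rules) + 1
        self.rules.append({"id": rule_id, "action": action, "source": _addr(source),
                           "wildcard": _addr(wildcard), "time_range": time_range})
        return rule_id

    def ordered_rules(self):
        if self.match_order == "config":
            return list(self.rules)
        # depth-first: fewer "don't care" bits in the wildcard means a smaller
        # source range, which is tried first; ties keep configuration order
        return sorted(self.rules, key=lambda r: (bin(r["wildcard"]).count("1"), r["id"]))

    def lookup(self, src_ip, now, time_ranges):
        """Action of the first matching rule, or None when no rule matches."""
        src = _addr(src_ip)
        for rule in self.ordered_rules():
            name = rule["time_range"]
            if name is not None and not time_ranges[name].active(now):
                continue
            care = ~rule["wildcard"] & 0xFFFFFFFF
            if (src & care) == (rule["source"] & care):
                return rule["action"]
        return None
```

The test below shows the practical consequence: with the same two rules, a host-specific deny wins under auto order but is shadowed by the earlier /24 permit under config order, and outside the time range the deny is skipped in both cases.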
Configuration procedure
Follow these steps to define an advanced ACL rule:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Create an advanced ACL and enter advanced ACL view | acl number acl-number [ match-order { auto | config } ] | Required. config by default...
Configuring Layer 2 ACL
Layer 2 ACLs filter packets according to their Layer 2 information, such as the source and destination MAC addresses, VLAN priority, and Layer 2 protocol types. A Layer 2 ACL can be numbered from 4000 to 4999.
[Sysname-acl-ethernetframe-4000] display acl 4000
Ethernet frame ACL 4000, 1 rule
Acl's step is 1
rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff
Configuring User-defined ACL
A user-defined ACL filters packets by comparing specific bytes in packet headers with a specified string. A user-defined ACL can be numbered from 5000 to 5999.
If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the ru le is numbered 0; otherwise, the number of the rule will be the greatest rule number plu s one.
When configuring IPv6 ACL rules, note that:
To specify the src-port or dest-port keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as TCP or UDP, that is, 0x06 or 0x11.
To specify the icmpv6-type or icmpv6-code keyword for a rule, you need to specify the ip-protocol rule-string rule-mask combination as ICMPv6, that is, 0x3a.
You can modify any existent rule of an IPv6 ACL. If you modify only the action to be taken or the time range, the unmodified part of the rule remains the same. If you modify the contents of a user-defined string, the new string overwrites the original one.
Apply ACL rules on the port | packet-filter { inbound | outbound } acl-rule | Required. For information about acl-rule, refer to ACL Commands.
Configuration example
# Apply ACL 2000 on Ethernet 1/0/1 to filter inbound packets.
<Sysname> system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] packet-filter inbound ip-group 2000
Applying ACL Rules to Ports in a VLAN
By applying ACL rules to ports...
Displaying and Maintaining ACL Configuration
To do... | Use the command... | Remarks
Display a configured ACL or all the ACLs | display acl { all | acl-number } | Available in any view
Display a time range or all the time ranges | display time-range { all | time-name } | Available in any view
Display ... | display packet-filter { interface...
Example for Controlling Web Login Users by Source IP
Network requirement
Apply an ACL to permit Web users with the source IP address of 10.110.100.46 to log in to the switch through HTTP.
Network diagram
Figure 44-2 Network diagram for controlling Web login users by source IP (Internet, Switch, host 10.110.100.46)...
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit...
Layer 2 ACL Configuration Example
Network requirements
PC 1 and PC 2 connect to the switch through Ethernet 1/0/1. PC 1's MAC address is 0011-0011-0011. Apply an ACL to filter packets with the source MAC address 0011-0011-0011 and the destination MAC address 0011-0011-0012 from 8:00 to 18:00 every day.
Network diagram
Figure 44-5 Network diagram for Layer 2 ACL...
Network diagram
Figure 44-6 Network diagram for user-defined ACL
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 5000 to deny any ARP packet whose source IP address is 192.168.0.1 from 8:00 to 18:00 every day (provided that VLAN-VPN is not enabled on any port).
<Sysname> system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Create an IPv6 ACL and configure a rule for the ACL, denying packets from 3001::1/64 to 3002::1/64.
[Sysname] acl number 5000
[Sysname-acl-user-5000] rule deny src-ip 3001::1 64 dest-ip 3002::1 64 time-range test
[Sysname-acl-user-5000] quit
# Apply the ACL to port Ethernet 1/0/1.
QoS Configuration
When configuring QoS, go to these sections for information you are interested in:
Overview
QoS Supported By Switch 4500 Series
QoS Configuration
Displaying and Maintaining QoS
Configuration Examples
Overview
Introduction to QoS
Quality of Service (QoS) is a concept concerning service demand and supply.
All these new applications have one thing in common, that is, they have special requirements for bandwidth, delay, and jitter. For instance, bandwidth, delay, and jitter are critical for videoconference and VoD. As for other applications, such as transaction processing and Telnet, although bandwidth is not as critical, a too long delay may cause unexpected results.
QoS Supported By Switch 4500 Series
The Switch 4500 series support the QoS features listed in Table 45-1.
Table 45-1 QoS features supported by Switch 4500 series
QoS Feature | Description | Refer to …
... | Classify incoming traffic based on ACLs. | ...
protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header; the packet payload is rarely used. The identifying rule is unlimited in range: it can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number.
Assured forwarding (AF) class: This class is further divided into four subclasses (AF1/2/3/4), and each subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class;
Class selector (CS) class: This class comes from the IP ToS field and includes eight subclasses;...
802.1p priority
802.1p priority lies in Layer 2 packet headers and is applicable where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2.
Figure 45-3 An Ethernet frame with an 802.1Q tag header
Priority trust mode
After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules.
For a packet carrying no 802.1Q tag
When a packet carrying no 802.1Q tag reaches a port of the switch, the switch uses the port priority as the 802.1p precedence value of the received packet, looks up the local precedence corresponding to the port priority of the receiving port in the 802.1p-to-local precedence mapping table, and assigns that local precedence to the packet.
Priority Marking The priority marking function is to reassign priority for the traffic matching an ACL referenced for traffic classification. If 802.1p priority marking is configured, the traffic will be mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to local precedence.
enough to forward the packets, the traffic is conforming to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning token bucket include: Average rate: The rate at which tokens are put into the bucket, namely, the permitted average rate of the traffic.
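The token bucket above in code, as an added example that is not part of the manual: tokens arrive at the average rate up to the bucket depth (the burst size), a packet conforms when the bucket holds at least its size in tokens and spends them, and a non-conforming packet is either dropped or re-marked according to the configured exceed action. Byte-per-second units, the sample rates and the packet trace are assumptions.

```python
class TokenBucket:
    """Single-rate token bucket policer. rate_bps is the average rate in
    bytes per second, burst_bytes the bucket depth; the bucket starts full."""

    def __init__(self, rate_bps, burst_bytes, now=0.0):
        if rate_bps <= 0 or burst_bytes <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate, self.burst = float(rate_bps), float(burst_bytes)
        self.tokens, self.last = self.burst, now

    def _refill(self, now):
        if now > self.last:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
            self.last = now

    def police(self, size, now):
        """Return 'conform' (tokens spent) or 'exceed' (no tokens taken)."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return "conform"
        return "exceed"


def police_stream(bucket, packets, exceed_action="drop"):
    """Run (timestamp, size) pairs through the bucket; each packet yields
    'pass' or the configured action for excess traffic ('drop' or 'remark')."""
    return ["pass" if bucket.police(size, ts) == "conform" else exceed_action
            for ts, size in packets]


# Constructed trace: a 1000 B/s contract with a 1500-byte burst allowance.
SAMPLE_TRACE = [(0.0, 1000), (0.0, 1000), (0.5, 600), (2.0, 1500), (2.1, 200), (2.2, 200)]
```

Note that an exceeding packet leaves the bucket untouched, so a burst of oversized packets cannot drive the token count negative and starve the conforming traffic that follows.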
The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. SP queuing Figure 45-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
Figure 45-7 Diagram for WFQ queuing
Before WFQ is introduced, you must first understand fair queuing (FQ). FQ is designed to share network resources fairly and to optimize the delay and delay jitter of all flows. It takes the interests of all parties into account: different queues are scheduled fairly, so the delay of each flow is balanced globally.
The WRR queue-scheduling algorithm schedules all queues in turn, so every queue is assured a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for ...
In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows. When the current queue length is smaller than the lower limit, no packet is dropped; ...
Configuration procedure
Follow these steps to configure the switch to trust port priority:
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure the switch to trust port priority and set the port priority (optional): priority priority-level. By default, the switch trusts ...
Configuration procedure
Follow these steps to configure the mapping between 802.1p priority and local precedence:
Enter system view: system-view
Configure the mapping between 802.1p priority and local precedence (required): qos cos-local-precedence-map cos0-map-local-prec cos1-map-local-prec cos2-map-local-prec cos3-map-local-prec cos4-map-local-prec cos5-map-local-prec ...
Configuration example
Set the IP precedence of ICMP packets to 3, then display the configuration.
Configuration procedure:
<Sysname> system-view
[Sysname] protocol-priority protocol-type icmp ip-precedence 3
[Sysname] display protocol-priority
Protocol: icmp IP-Precedence: flash(3)
Marking Packet Priority
Refer to the section Priority Marking for information about marking packet priority ...
Enter system view: system-view
Mark the priorities for the packets belonging to a VLAN and matching specific ACL rules (required; refer to the command manual for information ...): traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos ...
Configure traffic policing (required): traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ]. Specify a committed information rate (CIR) for the target-rate argument and a committed burst size (CBS) for the burst-bucket-size argument.
Configure line rate (required): line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ]. Specify a committed information rate (CIR) for the target-rate argument and a committed burst size (CBS) for the burst-bucket-size argument. By default, line rate is disabled.
Configuration example
Configure line rate for outbound packets on Ethernet 1/0/1.
Enter system view: system-view
Configure queue scheduling (required): queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr ...
By default, the queue scheduling algorithm adopted on all ports is WRR. The default weights of the eight ...
The queue scheduling algorithm specified with the queue-scheduler command in system view takes effect on all ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view; otherwise, the system reports a configuration error. If the weight (or bandwidth value) specified in system view for a queue of WRR queuing or WFQ queuing cannot meet the requirement ...
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure WRED (required): wred queue-index qstart probability. By default, WRED is not configured.
Configuration example
Configure WRED for queue 2 of Ethernet 1/0/1 to drop the packets in the queue ...
For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring.
Configuration example
Network requirements: Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment. Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Ethernet 1/0/4.
Configuration Examples
Configuration Example of Traffic Policing and Line Rate
Network requirements
An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1, belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is connected to Ethernet 1/0/2 of the switch.
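A worked configuration meeting the requirements above, added here as an example rather than reproduced from the manual. It polices the traffic from PC 1 (192.168.0.1) entering Ethernet 1/0/1 and caps the outbound rate toward the marketing department on Ethernet 1/0/2. The ACL number 2000, the rate values (512 and 1024, in the unit the command manual documents for target-rate) and the drop action for excess traffic are assumptions; check the value granularity against the command manual before applying them.

```text
<Sysname> system-view
# Basic ACL 2000 (assumed number) matches traffic sourced from PC 1 in the R&D department.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 0 permit source 192.168.0.1 0
[Sysname-acl-basic-2000] quit
# Police inbound traffic matching ACL 2000 rule 0 on Ethernet 1/0/1 to a CIR of 512 and drop excess traffic.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] traffic-limit inbound ip-group 2000 rule 0 512 exceed drop
[Sysname-Ethernet1/0/1] quit
# Limit all outbound traffic toward the marketing department on Ethernet 1/0/2 to 1024, regardless of source.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] line-rate outbound 1024
[Sysname-Ethernet1/0/2] quit
# Verify the policing configuration on the R&D port.
[Sysname] display qos-interface Ethernet 1/0/1 traffic-limit
```

Policing with exceed drop is the stricter choice: re-marking excess traffic instead of dropping it still lets a misbehaving host consume the full link. Line rate applies to all traffic on the port, so it needs no ACL, but it also cannot distinguish one host from another.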
Configuration Example of Priority Marking and Queue Scheduling
Network requirements
As shown in Figure 45-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch.
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2
[Sysname-Ethernet1/0/2] quit
Configure queue scheduling
# Apply the SP queue scheduling algorithm.
[Sysname] queue-scheduler strict-priority
VLAN Mapping Configuration Example
Network requirements
Two customer networks are connected to the public network through Switch A and Switch B.
Configuration procedure
# Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 500
[SwitchA-vlan500] quit
[SwitchA] vlan 600
[SwitchA-vlan600] quit
# Configure Ethernet 1/0/11 of Switch A as a trunk port and ...
# Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500.
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500
[SwitchA-Ethernet1/0/11] quit
# Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600.
[SwitchA] interface Ethernet 1/0/12
[SwitchA-Ethernet1/0/12] traffic-remark-vlanid inbound link-group 4001 remark-vlan 600
[SwitchA-Ethernet1/0/12] quit
...
Mirroring Configuration
When configuring mirroring, go to these sections for information you are interested in:
Mirroring Overview
Mirroring Configuration
Displaying and Maintaining Port Mirroring
Mirroring Configuration Examples
Mirroring Overview
Mirroring duplicates packets from a port to another port that is connected to a data monitoring device, for network monitoring and diagnosis.
Remote Port Mirroring
Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on different devices across the network, which lets an administrator monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called the remote-probe VLAN, is used. Because this VLAN carries copies of the monitored traffic across every intermediate switch, permit it only on the trunk ports that form the path to the destination switch.
... Sends mirrored packets to the destination switch.
Intermediate switch, trunk port: Two trunk ports are necessary for the intermediate switch to connect the devices on the source switch side and the destination switch side.
Destination switch, trunk port: Receives remote mirrored packets.
Destination switch, destination port: Receives packets forwarded from the trunk port and ...
Mirroring Configuration
Complete the following tasks to configure mirroring:
Configuring Local Port Mirroring (optional)
Configuring Remote Port Mirroring (optional)
On a Switch 4500, only one destination port for local port mirroring and only one reflector port can be configured, and the two types of ports cannot both exist.
Configure the destination port for the mirroring group in port view: interface interface-type interface-number, then mirroring-group group-id monitor-port. Configuring the destination port in either view has the same effect.
When configuring local port mirroring, note that: You need to configure both the source and destination ports for local port mirroring to take effect. The source port and the destination port cannot be a fabric port or a member port of an existing mirroring group; ...
Enter system view: system-view
Create a VLAN and enter VLAN view: vlan vlan-id (vlan-id is the ID of the remote-probe VLAN)
Configure the current VLAN as the remote-probe VLAN (required): remote-probe vlan enable
Return to system view: quit
...
Do not configure a port that connects to the intermediate switch or the destination switch as a mirroring source port; otherwise, mirrored traffic may be disordered in the network. With port mirroring and STP collaboration enabled, if you configure a port in Discarding state as a mirroring port, the port mirroring configuration does not take effect until the port transitions to Forwarding state.
The destination port and the remote-probe VLAN have been determined. Layer 2 connectivity over the remote-probe VLAN is ensured between the source and destination switches.
Configuration procedure
Follow these steps to configure remote port mirroring on the destination switch:
...
Displaying and Maintaining Port Mirroring
Display the port mirroring configuration on a Switch 4500 (available in any view): display mirroring-group { group-id | all | local | remote-destination | remote-source }
Mirroring Configuration Examples
Local Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through Switch 4500 series switches: the Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
[Sysname] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both
[Sysname] mirroring-group 1 monitor-port Ethernet 1/0/3
# Display configuration information about local mirroring group 1.
[Sysname] display mirroring-group 1
mirroring-group 1:
type: local
status: active
mirroring port:
Ethernet1/0/1 both
Ethernet1/0/2 both
monitor port: Ethernet1/0/3
After this configuration, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.
Network diagram
Figure 46-4 Network diagram for remote port mirroring
Configuration procedure
Configure the source switch (Switch A)
# Create remote source mirroring group 1.
<Sysname> system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring ...
# Configure VLAN 10 as the remote-probe VLAN.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure Ethernet 1/0/1 as a trunk port allowing packets of VLAN 10 to pass.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port link-type trunk
[Sysname-Ethernet1/0/1] port trunk permit vlan 10
[Sysname-Ethernet1/0/1] quit
# Configure Ethernet 1/0/2 as a trunk port allowing packets of VLAN 10 to pass.
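The complete source-switch and destination-switch configuration for the remote port mirroring scenario of Figure 46-4, added here as an example; it is not the manual's own text, and the extracted procedure above stops before the remote-destination group is created. It assumes mirroring group 1 on Switch A with source ports Ethernet 1/0/1 and Ethernet 1/0/2, reflector port Ethernet 1/0/4 and trunk port Ethernet 1/0/3 toward the intermediate switch, and mirroring group 2 on the destination switch (Switch C) with Ethernet 1/0/1 as the trunk port and Ethernet 1/0/3 as the destination port. VLAN 10 is the remote-probe VLAN, as in the procedure above; the prompts SwitchA and SwitchC are assumed names.

```text
# Source switch: create the remote source group and the remote-probe VLAN.
<SwitchA> system-view
[SwitchA] mirroring-group 1 remote-source
[SwitchA] vlan 10
[SwitchA-vlan10] remote-probe vlan enable
[SwitchA-vlan10] quit
# Mirror both directions of the two monitored ports; the reflector port (assumed Ethernet 1/0/4) must carry nothing else.
[SwitchA] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both
[SwitchA] mirroring-group 1 reflector-port Ethernet 1/0/4
[SwitchA] mirroring-group 1 remote-probe vlan 10
# Permit the remote-probe VLAN only on the trunk toward the destination side.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type trunk
[SwitchA-Ethernet1/0/3] port trunk permit vlan 10
[SwitchA-Ethernet1/0/3] quit
[SwitchA] display mirroring-group remote-source

# Destination switch: create the remote destination group bound to the same remote-probe VLAN.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-vlan10] remote-probe vlan enable
[SwitchC-vlan10] quit
[SwitchC] mirroring-group 2 remote-destination
[SwitchC] mirroring-group 2 remote-probe vlan 10
# The monitoring device sits on the destination port (assumed Ethernet 1/0/3).
[SwitchC] mirroring-group 2 monitor-port Ethernet 1/0/3
[SwitchC] interface Ethernet 1/0/1
[SwitchC-Ethernet1/0/1] port link-type trunk
[SwitchC-Ethernet1/0/1] port trunk permit vlan 10
[SwitchC-Ethernet1/0/1] quit
[SwitchC] display mirroring-group remote-destination
```

The remote-probe VLAN should carry no user traffic and should be permitted on no trunk other than the ones on the mirroring path, since anything attached to it can read the mirrored copies; the two display commands confirm that each group is active before traffic is relied on.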
Example
Introduction to XRN
Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 series switches, is a technology for building the core of a network. This feature allows you to build an XRN fabric by ...
Figure 47-1 XRN networking
Establishment of an XRN Fabric
Topology and connections of an XRN fabric
An XRN fabric typically has a daisy chain topology. As shown in Figure 47-2, each switch has two ports connected to two other switches in the fabric, except that the switches at both ends of the daisy chain have only one port connected.
Figure 47-3 Port connection mode for Switch 4500 series daisy chain topology (XRN fabric) ...
The number of existing devices in the fabric has not reached the maximum allowed (up to eight devices can form a fabric). The fabric name of the device is the same as that of the existing devices in the fabric. The software version of the device is the same as that of the existing devices in the fabric.
Status: auth failure. Analysis: The XRN fabric authentication modes configured for the local device and for the fabric are not the same, or the configured password does not match. Solution: Configure the same XRN fabric authentication mode and password on the local device and on the fabric.
Specifying the VLAN Used to Form an XRN Fabric (optional)
Setting a Unit ID for a Switch (optional)
Assigning a Unit Name to a Switch (optional)
Assigning an XRN Fabric Name to a Switch (optional)
Setting the XRN Fabric Authentication Mode (optional)
Specifying the Fabric Port of a Switch
You can specify the fabric port of a switch in either system view or Ethernet interface view.
Establishing an XRN fabric requires highly consistent configuration across all devices. Therefore, before you enable the fabric port, do not perform any configuration on that port, and do not configure functions that affect XRN on other ports or globally; otherwise, you cannot enable the fabric port.
Setting a Unit ID for a Switch
By default, FTM automatically numbers the switches that constitute an XRN fabric, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches.
If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID to the unit's Flash memory and clear the existing one. Priority is the reference used by the FTM program for automatic numbering. The priority value can be 5 or 10.
Enter system view: system-view
Set the XRN fabric authentication mode for the switch (optional): xrn-fabric authentication-mode { simple password | md5 key }. By default, no authentication mode is set on a switch. Without authentication, any device that satisfies the join conditions above (matching fabric name and software version) can join the fabric, and the simple mode uses a plaintext password, so prefer md5 where the fabric allows it.
When an XRN fabric operates normally, you can regard the whole fabric as a single device and configure it as such.
# Configure the unit name as unit3.
[Sysname] set unit 1 name unit3
# Configure the fabric name as hello.
[Sysname] sysname hello
# Configure the fabric authentication mode as simple and the password as welcome.
[hello] xrn-fabric authentication-mode simple welcome
Configure Switch D.
Cluster Configuration
When configuring a cluster, go to these sections for information you are interested in:
Cluster Overview
Cluster Configuration Task List
Displaying and Maintaining Cluster Configuration
Cluster Configuration Examples
The cluster synchronization function is added. For its configuration, refer to Configuring the Cluster Synchronization Function.
Cluster Overview
...
Figure 48-1 A cluster implementation
HGMP V2 has the following advantages: It eases the configuration and management of multiple switches: you need only configure a public IP address for the management device instead of for every device in the cluster, and you can then configure and manage all member devices through the management device without logging in to them one by one.
Table 48-1 Description of cluster roles
Management device: Configured with an external IP address. Provides an interface for managing all the switches in a cluster; manages member devices through command redirection, which forwards commands intended for specific member devices; discovers neighbors, ...
A candidate device becomes a member device after it is added to a cluster. A member device becomes a candidate device after it is removed from the cluster. A management device becomes a candidate device only after the cluster is removed. After you create a cluster on a Switch 4500, the switch collects network topology information periodically and adds the candidate switches it finds to the cluster.
packet data. The receiving devices store the information carried in the NDP packet in the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in it differs from the stored entry, the corresponding entry in the NDP table is updated; otherwise only the holdtime of the entry is refreshed.
To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters. On member/candidate devices, you only need to enable NTDP globally and on specific ports. Member and candidate devices adopt the NTDP settings of the management device. Introduction to Cluster A cluster must have one and only one management device.
Figure 48-3 State machine of the connection between the management device and a member device
As labeled in the figure, the connection has three states: Active, Connect, and Disconnect. A member in Active state moves to Connect state when the management device fails to receive handshake packets from it in three consecutive intervals, and from Connect to Disconnect state when the holdtime exceeds the specified value; the member returns to Active state when handshake packets are received again or management is recovered.
After a cluster is created and a candidate device is added to the cluster as a member device, both ...
Confining the management packets (NDP packets, NTDP packets, and handshake packets) to the management VLAN, which isolates them from other traffic and improves network security. Enabling the management device and the member devices to communicate with each other in the management VLAN.
downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet: If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command. If the two MAC addresses are different, the downstream switch will query the port connected with its downstream switch based on the MAC address and VLAN ID, and then forward the packet to its downstream switch.
Enabling NDP globally and on specific ports (required)
Configuring NDP-related parameters (optional)
Enabling NTDP globally and on a specific port (required)
Configuring NTDP-related parameters (optional)
Enabling the cluster function (required)
Configuring cluster parameters (required)
Configuring inside-outside interaction for a cluster (optional)
Configuring the network management interface ...
Configuring NDP-related parameters
Follow these steps to configure NDP-related parameters:
Enter system view: system-view
Configure the holdtime of NDP information (optional): ndp timer aging aging-in-seconds. By default, the holdtime of NDP information is 180 seconds.
Configure the interval to send NDP packets (optional): ndp timer hello seconds ...
Launch topology information collection manually (optional): ntdp explore
Enabling the cluster function
Follow these steps to enable the cluster function:
Enter system view: system-view
Enable the cluster function globally (required): cluster enable. By default, the cluster function ...
Establish a cluster in automatic mode
Follow these steps to establish a cluster in automatic mode:
Enter system view: system-view
Enter cluster view: cluster
Configure the IP address range for the cluster (required): ip-pool administrator-ip-address { ip-mask | ip-mask-length } ...
The cluster switches are properly connected; the shared servers are properly connected to the management switch.
Configuration procedure
Follow these steps to configure the network management interface for a cluster:
Enter system view: system-view
Enter cluster view: cluster
...
To reduce the exposure of an open socket to attack by malicious users and to enhance switch security, the Switch 4500 series Ethernet switches open the cluster socket only when it is needed: UDP port 40000 (used for cluster) is opened only when the cluster function is enabled, and it is closed as soon as the cluster function is disabled.
Enter Ethernet port view: interface interface-type interface-number
Enable NTDP on the port (required): ntdp enable
Enabling the cluster function
Follow these steps to enable the cluster function:
Enter system view: system-view
...
Return to system view: quit
Return to user view: quit
Switch between management device and member device (optional): cluster switch-to { member-number | mac-address mac-address | administrator | sysname ... You can use this command to switch to the view of a member device and switch back.
Configuring the enhanced cluster features
Complete the following tasks to configure the enhanced cluster features:
Configuring the cluster topology management function (required)
Configuring the cluster device blacklist (required)
Configuring the cluster topology management function
Configuration prerequisites
Before configuring the cluster topology management function, make sure that: The basic cluster configuration is completed.
If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric.
Configuring the cluster device blacklist
Follow these steps to configure the cluster device blacklist on a management device:
...
NDP and NTDP have been enabled on the management device and the member devices, and the NDP- and NTDP-related parameters have been configured. A cluster is established, and you can manage the member devices through the management device.
Configuration procedure
Perform the following operations on the management device to synchronize SNMP configurations:
...
The MIB view name is mib_a, which includes all objects of the subtree org. The SNMPv3 user is user_a, which belongs to the group group_a.
# Create a community with the name read_a, allowing read-only access using this community name.
snmp-agent community read read_a@cm0
snmp-agent community write write_a@cm0
snmp-agent sys-info version all
snmp-agent group v3 group_a
snmp-agent mib-view included mib_a org
snmp-agent usm-user v3 user_a group_a
undo snmp-agent trap enable standard
Configuration file content on a member device (only the SNMP-related information is displayed)
<test_2.Sysname> ...
Perform the above operations on the management device of the cluster. Creating a public local user is equivalent to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations are saved to the configuration files of the management device and the member devices.
Cluster Configuration Examples
Basic Cluster Configuration Example
Network requirements
Three switches compose a cluster: a Switch 4500 series switch serves as the management device, and the other two are member devices. Serving as the management device, the Switch 4500 manages the two member devices. The cluster configuration is as follows: the two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] ntdp enable
[Sysname-Ethernet1/0/1] quit
# Enable the cluster function.
[Sysname] cluster enable
Configure the management device
# Add port Ethernet 1/0/1 to VLAN 2.
<Sysname> system-view
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/1
[Sysname-vlan2] quit
# Configure the IP address of VLAN-interface 2 as 163.172.55.1.
[Sysname] ntdp timer hop-delay 150
# Set the delay for a member device port to forward topology collection requests to 15 ms.
[Sysname] ntdp timer port-delay 15
# Set the interval between collecting topology information to 3 minutes.
[Sysname] ntdp timer 3
# Enable the cluster function.
After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H | sysname member-sysname } command on the management device to switch to a member device's view and maintain and manage that member device. Afterwards, you can execute the cluster switch-to administrator command to return to the management device view.
[Sysname] management-vlan 3
# Add Ethernet 1/0/1 to VLAN 3.
[Sysname] vlan 3
[Sysname-vlan3] port Ethernet 1/0/1
[Sysname-vlan3] quit
# Set the IP address of VLAN-interface 3 to 192.168.5.30.
[Sysname] interface Vlan-interface 3
[Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0
[Sysname-Vlan-interface3] quit
# Add Ethernet 1/0/2 to VLAN 2.
Network diagram
Figure 48-6 Network diagram for the enhanced cluster feature configuration (FTP server 192.168.0.4; management device 192.168.0.1; member devices, one of them with MAC address 0001-2034-a0e5)
Configuration procedure
# Enter cluster view.
<aaa_0.Sysname> system-view
[aaa_0.Sysname] cluster
# Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
[aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
# Back up the current topology.
PoE Features Supported by Switch 4500
PoE-capable 4500 switches include:
Switch 4500 PWR 26-Port
Switch 4500 PWR 50-Port
A PoE-capable Switch 4500 has the following features:
As the PSE, it supports the IEEE 802.3af standard. It can also supply power to PDs that do not support the 802.3af standard.
It can deliver data and current simultaneously over the data wires (1, 2, 3, and 6) of category-3/5 twisted pairs. Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches at a maximum distance of 100 m (328 feet). Each Ethernet electrical port can supply at most 15,400 mW to a PD.
Upgrading the PSE Processing Software Online (optional)
Upgrading the PSE Processing Software of Fabric Switches Online (optional)
Displaying PoE Configuration (optional)
Enabling the PoE Feature on a Port
Follow these steps to enable the PoE feature on a port:
...
auto: When the switch approaches its full PoE load, it supplies power first to the PDs connected to ports with critical priority, then to the PDs connected to ports with high priority. For example, port A has the priority critical. When the switch PoE is close to full load and a new PD is added to port A, the switch powers down the PD connected to the port with the lowest priority and supplies power to the new PD instead.
Configuring the PD Compatibility Detection Function
With the PD compatibility detection function enabled, the switch can detect PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
When the internal temperature of the switch decreases from X (X > 65°C, or 149°F) to Y (60°C ≤ Y < 65°C, or 140°F ≤ Y < 149°F), the switch still keeps the PoE function disabled on all ports. When the internal temperature of the switch increases from X (X < 60°C, or 140°F) to Y (60°C < Y ≤ 65°C, or 140°F < Y ≤ 149°F), the switch still keeps the PoE function enabled on all ports.
Follow these steps to upgrade the PSE processing software online:
Upgrade the PSE processing software of the fabric switch online (optional): update fabric { file-url | device-name file-url }
Displaying PoE Configuration
...
Network diagram
Figure 49-1 Network diagram for PoE
Configuration procedure
# Upgrade the PSE processing software online.
<SwitchA> system-view
[SwitchA] poe update refresh 0290_021.s19
# Enable the PoE feature on Ethernet 1/0/1, and set the maximum PoE output power of Ethernet 1/0/1 to 12,000 mW.
PoE Profile Configuration
When configuring PoE profiles, go to these sections for information you are interested in:
Introduction to PoE Profile
PoE Profile Configuration
Displaying PoE Profile Configuration
PoE Profile Configuration Example
Introduction to PoE Profile
On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the Switch 4500 provides the PoE profile feature.
Enable the PoE feature on a port (required): poe enable. Disabled by default.
Configure the PoE mode for Ethernet ports (optional): poe mode { signal | spare }. signal by default.
Configure the relevant features in ... (optional) ...
Displaying PoE Profile Configuration
Display detailed information about the PoE profiles created on the switch (available in any view): display poe-profile { all-profile | interface interface-type interface-number | name profile-name }
PoE Profile Configuration Example
PoE Profile Application Example
...
Network diagram
Figure 50-1 PoE profile application (Switch A; IP phones on Eth1/0/1 through Eth1/0/5 and on Eth1/0/6 through Eth1/0/10)
Configuration procedure
# Create Profile 1, and enter PoE profile view.
<SwitchA> system-view
[SwitchA] poe-profile Profile1
# In Profile 1, add the PoE policy configuration applicable to ports Ethernet 1/0/1 through Ethernet 1/0/5 for users of group A.
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
# Display detailed configuration information for Profile2.
[SwitchA] display poe-profile name Profile2
Poe-profile: Profile2, 2 action
poe enable
poe priority high
# Apply the configured Profile 1 to ports Ethernet 1/0/1 through Ethernet 1/0/5.
[SwitchA] apply poe-profile Profile1 interface Ethernet1/0/1 to Ethernet1/0/5
# Apply the configured Profile 2 to ports Ethernet 1/0/6 through Ethernet 1/0/10.
UDP Helper Configuration
When configuring UDP Helper, go to these sections for information you are interested in:
Introduction to UDP Helper
Configuring UDP Helper
Displaying and Maintaining UDP Helper
UDP Helper Configuration Example
Introduction to UDP Helper
Sometimes a host needs to forward broadcasts to obtain network configuration information or to request the names of other devices on the network.
Protocol (UDP port number):
TACACS (Terminal Access Controller Access Control System)
TFTP (Trivial File Transfer Protocol)
Time Service
Configuring UDP Helper
Follow these steps to configure UDP Helper:
Enter system view: system-view
Enable UDP Helper (required): udp-helper enable
...
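A UDP Helper configuration that relays only the broadcast ports the hosts actually need, added here as an example; it is not part of the manual's own procedure. VLAN-interface 1 as the interface receiving the broadcasts, the server address 10.1.2.20, and the custom application port 5000 are assumptions.

```text
<Sysname> system-view
# Enable UDP Helper globally; nothing is relayed until a port and a server are configured.
[Sysname] udp-helper enable
# Relay TFTP by protocol name and one custom application port (assumed 5000) by number.
[Sysname] udp-helper port tftp
[Sysname] udp-helper port 5000
# Broadcasts to the relayed ports that arrive on VLAN-interface 1 are forwarded as unicasts to the server (assumed 10.1.2.20).
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] udp-helper server 10.1.2.20
[Sysname-Vlan-interface1] quit
# Confirm which server each interface relays to, then watch the relay counters.
[Sysname] display udp-helper server interface vlan-interface 1
[Sysname] quit
<Sysname> reset udp-helper packet
```

UDP Helper turns a subnet broadcast into a unicast toward the configured server, so any host on the VLAN can cause the switch to send traffic at that server on every relayed port. Keep the port list to what the hosts need, and remove entries with the undo form of udp-helper port when an application is retired.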
Displaying and Maintaining UDP Helper
Display the UDP broadcast relay forwarding information of a specified VLAN interface on the switch (available in any view): display udp-helper server [ interface vlan-interface vlan-id ]
Clear statistics about packets forwarded by UDP Helper (available in user view): reset udp-helper packet
...
SNMP Configuration
When configuring SNMP, go to these sections for information you are interested in:
SNMP Overview
Configuring Basic SNMP Functions
Configuring Trap-Related Functions
Enabling Logging for Network Management
Displaying SNMP
SNMP Configuration Example
SNMP Overview
The Simple Network Management Protocol (SNMP) is used to carry management information between any two network nodes.
Set system information, and specify to enable SNMPv1 or SNMPv2c on the switch: snmp-agent sys-info { contact sys-contact | location sys-location | version { { v1 | v2c | v3 }* | all } }. By default, the contact information for system maintenance is "3Com Corporation." and the system location is "...
Page 634
By default, the contact snmp-agent sys-info information for system Set system information and { contact sys-contact | maintenance is " 3Com specify to enable SNMPv3 on location sys-location | version Corporation.", the system the switch { { v1 | v2c | v3 }* | all } } location is "...
To do… | Use the command… | Remarks
Encrypt a plain-text password to generate a cipher-text one | snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid } | Optional. This command is used if a password in cipher text is needed for adding a new user.
... | snmp-agent usm-user v3 user-name group-name... |
To do… | Use the command… | Remarks
Enable the switch to send traps to NMS | snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ] |
Enter port view or interface view | interface interface-type interface-number | Optional
...
To do… | Use the command… | Remarks
Enable logging for network management | snmp-agent log { set-operation | get-operation | all } | Optional. Disabled by default.
When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device.
Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. The NMS is then able to access Switch A and receive the traps sent by Switch A.
Network diagram
Figure 52-2 Network diagram for SNMP configuration
Network procedure
...
Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com’s NMS products. You can query and configure an Ethernet switch through the NMS.
RMON Configuration
When configuring RMON, go to these sections for information you are interested in:
Introduction to RMON
RMON Configuration
Displaying RMON
RMON Configuration Example
Introduction to RMON
Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF). It is an important enhancement to the MIB II standards.
statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.
Commonly Used RMON Groups
Event group
The event group is used to define the indexes of events and the processing methods of the events.
Statistics group
The statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
The rmon alarm and rmon prialarm commands take effect on existing nodes only. For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
[Sysname-Ethernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.1) formula to get the numbers of all...
NTP Configuration
When configuring NTP, go to these sections for information you are interested in:
Introduction to NTP
NTP Configuration Task List
Configuring NTP Implementation Modes
Configuring Access Control Right
Configuring NTP Authentication
Configuring Optional NTP Parameters
Displaying NTP Configuration
Configuration Example
Introduction to NTP
...
Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
Supporting access control (see section Configuring Access Control Right) and MD5 encrypted authentication (see section Configuring NTP Authentication)
Sending protocol packets in unicast, multicast, or broadcast mode
The clock stratum determines the accuracy, which ranges from 1 to 16.
Figure 54-1 Implementation principle of NTP (figure: Device A and Device B exchange an NTP message across an IP network; the four timestamps shown are 10:00:00 am when the message is sent, 11:00:01 am and 11:00:02 am at the peer, and 10:00:03 am when the reply is received)
...
Server/client mode
Figure 54-2 Server/client mode
Symmetric peer mode
Figure 54-3 Symmetric peer mode
In the symmetric peer mode, the local S4500 Ethernet switch serves as the symmetric-active peer and sends a clock synchronization request first, while the remote server automatically serves as the symmetric-passive peer.
Multicast mode
Figure 54-5 Multicast mode
Table 54-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.
Table 54-1 NTP implementation modes on 3Com S4500 series Ethernet switches
NTP implementation mode | Configuration on S4500 series switches
... | Configure the local S4500 Ethernet switch to work in the NTP client mode.
When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you need not perform related configurations on this switch; configure the client or the symmetric-active peer instead. The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch has been synchronized.
Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time. Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
To do… | Use the command… | Remarks
Specify a symmetric-passive peer for the switch | ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* | Required. By default, a switch is not configured to work in the symmetric mode.
To do… | Use the command… | Remarks
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Configure the switch to work in the NTP broadcast server mode | ntp-service broadcast-server [ authentication-keyid key-id | version number ]* | Required. Not configured by default.
Configuring a switch to work in the NTP broadcast client mode
Follow these steps to configure a switch to work in the NTP broadcast client mode:
To do…...
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Configure the switch to work in the NTP multicast client mode | ntp-service multicast-client [ ip-address ] | Required. Not configured by default.
Configuring Access Control Right
With the following command, you can configure the NTP service access-control right to the local switch for a peer device.
The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP.
Configuration Procedure
Configuring NTP authentication on the client
Follow these steps to configure NTP authentication on the client:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the NTP authentication function | ntp-service authentication enable | Required. Disabled by default.
Configure the NTP... | ntp-service... | Required
To do… | Use the command… | Remarks
Configure the specified key as a trusted key | ntp-service reliable authentication-keyid key-id | Required. By default, no trusted authentication key is configured.
Enter VLAN interface view | interface Vlan-interface vlan-id | —
Configure on the NTP broadcast... | ntp-service broadcast-server... | In NTP broadcast server mode and NTP multicast...
If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
To do… | Use the command… | Remarks
Display the information about the sessions maintained by NTP | display ntp-service sessions [ verbose ] |
Display the brief information about NTP servers along the path from the local device to the reference clock source | display ntp-service trace |
Configuration Examples
Configuring NTP Server/Client Mode
...
[DeviceB] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 1.0.1.11
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 0.66 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The above output indicates that Device B is synchronized to Device A, and the stratum level of its clock is 3, one level lower than that of Device A.
Configuration procedure
Configure Device C.
# Set Device A as the NTP server.
<DeviceC> system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
<DeviceB> system-view
# Set Device C as the peer of Device B.
[DeviceB] ntp-service unicast-peer 3.0.1.33
Device C and Device B are symmetric peers after the above configuration.
Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
Clock status: synchronized
Clock stratum: 3
Reference clock ID: 3.0.1.31
Nominal frequency: 100.0000 Hz
Actual frequency: 100.0000 Hz
Clock precision: 2^18
Clock offset: 198.7425 ms
Root delay: 27.47 ms
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
...
Network diagram
Figure 54-9 Network diagram for NTP multicast mode configuration
Configuration procedure
Configure Device C.
# Enter system view.
<DeviceC> system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service multicast-server
Configure Device A (perform the same configuration on Device D).
Root dispersion: 208.39 ms
Peer dispersion: 9.63 ms
Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
# View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
<DeviceA> system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key 42 as a trusted key.
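To show what the MD5 key configured above actually protects on the wire, here is an added Python example (not code from the 3Com manual) that computes and verifies the NTP symmetric-key MAC of RFC 5905 Appendix A, using key ID 42 and key aNiceKey as in the configuration; the packet fields, the key table and the trusted-key set are constructed for the example.

```python
"""Added example: NTP symmetric-key (MD5) authentication as used when
'ntp-service authentication enable' is configured with an MD5 key.

Per RFC 5905 Appendix A, an authenticated NTP packet is the 48-byte
header followed by a MAC of: key-id (4 bytes, big-endian) || MD5(key || header).
A receiver with authentication enabled accepts a packet only if the key id
is known AND trusted (the switch's 'ntp-service reliable authentication-keyid')
AND the digest matches. Everything below is constructed for illustration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Set, Tuple

# Constructed key table mirroring the manual's example (key 42 = aNiceKey).
# Key 43 is configured but deliberately NOT marked trusted, to show that a
# known-but-untrusted key is still rejected.
KEYS: Dict[int, bytes] = {42: b"aNiceKey", 43: b"untrustedKey"}
TRUSTED: Set[int] = {42}

MD5_MAC_LEN = 4 + 16  # key id + MD5 digest


def build_ntp_header(transmit_ts: int = 0) -> bytes:
    """Return a minimal 48-byte NTPv4 client (mode 3) header."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3   # LI=0, VN=4, mode=3 (client)
    stratum, poll, precision = 0, 6, -20   # precision is a signed byte
    root_delay = root_dispersion = ref_id = 0
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBBbIIIQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id,
                       ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_mac(header: bytes, key_id: int, keys: Dict[int, bytes] = KEYS) -> bytes:
    """Build the 20-byte MAC: key id followed by MD5(key || header)."""
    digest = hashlib.md5(keys[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest


def sign(header: bytes, key_id: int, keys: Dict[int, bytes] = KEYS) -> bytes:
    """Return the authenticated packet (header + MAC)."""
    return header + ntp_mac(header, key_id, keys)


def verify(packet: bytes, keys: Dict[int, bytes] = KEYS,
           trusted: Set[int] = TRUSTED) -> Tuple[bool, str]:
    """Verify a received packet the way an authentication-enabled peer would.

    Returns (accepted, reason). Unauthenticated packets are rejected because
    authentication is enabled; a key that is known but not trusted is rejected
    as well, which is why the manual also requires the 'reliable' step.
    """
    if len(packet) < 48:
        return False, "short packet"
    header, mac = packet[:48], packet[48:]
    if not mac:
        return False, "unauthenticated packet rejected"
    if len(mac) != MD5_MAC_LEN:
        return False, "unexpected MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keys:
        return False, "unknown key id"
    if key_id not in trusted:
        return False, "key id not trusted"
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    pkt = sign(build_ntp_header(transmit_ts=12345), 42)
    print(len(pkt), verify(pkt))                       # 68 (True, 'ok')
    forged = pkt[:40] + b"\x00" * 8 + pkt[48:]          # transmit timestamp altered
    print(verify(forged))                              # (False, 'digest mismatch')
    print(verify(sign(build_ntp_header(), 43)))        # (False, 'key id not trusted')
```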
SSH Configuration
When configuring SSH, go to these sections for information you are interested in:
SSH Overview
SSH Server and Client
Displaying and Maintaining SSH Configuration
Comparison of SSH Commands with the Same Functions
SSH Configuration Examples
SSH Overview
Introduction to SSH
Secure Shell (SSH) is a protocol that provides secure remote login and other security services in...
The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
Asymmetric key algorithm
The asymmetric key algorithm is also called the public key algorithm. Both ends have their own key pair, consisting of a private key and a public key.
Currently, the switch supports only SSH2.
Version negotiation
The server opens port 22 to listen for connection requests from clients. The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format “SSH-<primary...
The client selects an authentication type from the method list to perform authentication again. The above process repeats until the authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit. SSH provides two authentication methods: password authentication and publickey authentication.
Figure 55-2 Network diagram for SSH connections
Configure the devices accordingly. This document describes two cases:
The switch acts as the SSH server to cooperate with software that supports the SSH client functions.
The switch acts as the SSH server to cooperate with another switch that acts as an SSH client.
Complete the following tasks to configure the SSH server and clients:
Server side
Client side
...
Complete the following tasks to configure the SSH server:
Task | Remarks
Preparation: Configuring the User Interfaces for SSH Clients | Required
Preparation: Configuring the SSH Management Functions | Optional
Preparation: Configuring Key Pairs | Required
Authentication: Creating an SSH User and Specifying an Authentication Type | Required
Authorization: Specifying a Service Type for an SSH... | Optional
To do... | Use the command... | Remarks
Specify supported protocol(s) | protocol inbound { all | ssh } | Optional. By default, both Telnet and SSH are supported.
If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interfa...
You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User on the Server. For details of the header command, refer to the corresponding section in Login Command.
To do… | Use the command… | Remarks
Destroy the RSA key pair | public-key local destroy rsa | Optional
Creating an SSH User and Specifying an Authentication Type
This task is to create an SSH user and specify an authentication type. An authentication type must be specified for a new user before that user can log in.
To do... | Use the command... | Remarks
Create an SSH user, and specify an authentication type | ssh user username authentication-type { all | password | password-publickey | publickey } | ...are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.
If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it.
Configuring the Public Key of a Client on the Server
This configuration is not necessary if the password authentication mode is configured for SSH users.
To do... | Use the command... | Remarks
Enter system view | system-view | —
Import the public key from a public key file | public-key peer keyname import sshkey filename | Required
Assigning a Public Key to an SSH User
This configuration task is unnecessary if the SSH user’s authentication mode is password.
With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public...
Task | Remarks
Opening an SSH connection with publickey authentication | Required for publickey authentication; unnecessary for password authentication
For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Use any other version or other client with caution.
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 55-4. Otherwise, the progress bar stops moving and the key pair generating process is stopped.
Figure 55-4 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public...
Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key.
Figure 55-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Selecting a protocol for remote connection
As shown in Figure...
Figure 55-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version. Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation under ssh2.
Opening an SSH connection with password authentication
From the window shown in Figure...
Figure 55-10 SSH client configuration interface 3 Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
Configuring whether first-time authentication is supported When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it will save the host public key on the client for use in subsequent authentications.
Follow these steps to specify a source IP address/interface for the SSH client:
To do... | Use the command... | Remarks
Enter system view | system-view | —
Specify a source IP address for the SSH client | ssh2 source-ip ip-address | Optional. By default, no source address is configured.
Specify a source interface for the SSH client | ssh2...
To do... | Use the command... | Remarks
Display information about all SSH users | display user-information [ username ] |
Display the current source IP address or the IP address of the source interface specified for the SSH server | display ssh-server source-ip |
Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info... |
The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be directly used as parameters in the public-key peer command. For the same reason, neither can the results of the display public-key local rsa public command be used directly in the rsa peer-public-key command.
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.
[Switch] local-user client001
[Switch-luser-client001] password simple abc
[Switch-luser-client001] service-type ssh level 3
[Switch-luser-client001] quit
...
Figure 55-13 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. As shown in Figure 55-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
Network diagram
Figure 55-14 Switch acts as server for password and RADIUS authentication
Configuration procedure
Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
# Add an access device.
Log in to the CAMS management platform and select System Management >...
Figure 55-15 Add an access device # Add a user account for device management. From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations: Add a user named hello, and specify the password.
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pairs.
[Switch] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
Figure 55-17 SSH client configuration interface (1) In the Host Name (or IP address) text box, enter the IP address of the SSH server. From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 55-18 appears.
authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 55-16.
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.1 49
[Switch-hwtacacs-hwtac] key authentication expert
[Switch-hwtacacs-hwtac] key authorization expert
[Switch-hwtacacs-hwtac] user-name-format without-domain
[Switch-hwtacacs-hwtac] quit
# Apply the scheme to the ISP domain.
From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 55-21 appears. Figure 55-21 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password.
Configuration procedure
Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Switch-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite to SSH login.
Figure 55-23 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 55-24. Otherwise, the progress bar stops moving and the key pair generating process is stopped.
Figure 55-24 Generate a client key pair (2) After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 55-25 Generate a client key pair (3) Likewise, to save the private key, click Save private key.
Figure 55-26 Generate a client key pair (4)
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
# Establish a connection with the SSH server
Launch PuTTY.exe to enter the following interface.
Figure 55-28 SSH client configuration interface (2) Under Protocol options, select 2 from Preferred SSH protocol version. Select Connection/SSH/Auth. The following window appears. Figure 55-29 SSH client configuration interface (3) Click Browse to bring up the file selection window, navigate to the private key file and click OK.
From the window shown in Figure 55-29, click Open. If the connection is normal, you will be prompted to enter the username. When Switch Acts as Client for Password Authentication Network requirements As shown in Figure 55-30, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange.
[SwitchB-luser-client001] service-type ssh level 3
[SwitchB-luser-client001] quit
# Configure the authentication type of user client001 as password.
[SwitchB] ssh user client001 authentication-type password
Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
[SwitchB-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pair.
[SwitchB] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client.
# Establish an SSH connection to the server 10.165.87.136.
[SwitchA] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pair.
[SwitchB] public-key local create rsa
# Set AAA authentication on user interfaces.
[SwitchB] user-interface vty 0 4
[SwitchB-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[SwitchB-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair.
[SwitchA] public-key local create rsa
# Export the generated RSA key pair to a file named Switch001.
Prompt Mode Configuration | Optional
The 3Com 4500 series Ethernet switches support Expandable Resilient Networking (XRN), and allow you to access a file on a switch in one of the following ways:
To access a file on a specified unit, you need to specify the file in uniform resource locator (URL) format, starting with unit[No.]>flash:/, where [No.] represents the unit ID of the switch.
Directory Operations
The file system provides directory-related functions, such as:
Creating/deleting a directory
Displaying the current working directory, or the contents of a specified directory
Follow these steps to perform directory-related operations:
To do… | Use the command… | Remarks
Create a directory | ... | Optional
To do… | Use the command… | Remarks
Rename a file | rename fileurl-source fileurl-dest | Optional. Available in user view
Copy a file | copy fileurl-source fileurl-dest | Optional. Available in user view
Move a file | move fileurl-source fileurl-dest | Optional. Available in user view
Display the content of a file | more file-url... | Optional. Available in user view
The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irreversible.
Prompt Mode Configuration
You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause data loss, for example, deleting or overwriting a file.
Web file and configuration file, 3Com may provide corresponding default files when releasing software versions. When booting, the device selects the startup files in a certain order. The device...
Configuring File Attributes
You can configure and view the main attribute or backup attribute of the file used for the next startup of the switch, and change the main or backup attribute of the file.
Follow these steps to configure file attributes:
To do…...
Configuration File Backup and Restoration
Introduction to Configuration File Backup and Restoration
Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up and restore the configuration files in the whole fabric as well as in a specific unit.
FTP server. With a 3Com Switch 4500 serving as an FTP server, the seven-segment digital LED on the front panel of the switch rotates clockwise when an FTP client is uploading files to the FTP server (the...
files from an FTP server, and stops rotating when the file downloading is finished, as shown in Figure 57-1.
Figure 57-1 Clockwise rotating of the seven-segment digital LED
Introduction to SFTP
Secure FTP (SFTP) is established on top of an SSH2 connection. It allows a remote user to log in to the switch to manage and transmit files, providing a more secure guarantee for data transmission.
Disabled by default.
Only one user can access a 3Com Switch 4500 at a given time when the latter operates as an FTP server. Operating as an FTP server, a 3Com Switch 4500 cannot receive a file whose size exceeds its storage space.
Follow these steps to configure connection idle time:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the connection idle time for the FTP server | ftp timeout minutes | Optional. 30 minutes by default
Specifying the source interface and source IP address for an FTP server
You can specify the source interface and source IP address for an FTP server to enhance server security.
With a 3Com Switch 4500 acting as the FTP server, if a network administrator attempts to disconnect a user that is uploading/downloading data to/from the FTP server, the 3Com Switch 4500 will disconnect the user after the data transmission is completed.
Figure 57-3 Process of displaying a shell banner
Follow these steps to configure the banner display for an FTP server:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure a login banner | header login text | Required. Use either command or both. By default, no banner is...
Configure a shell banner | header shell text... |
To do… | Use the command… | Remarks
Enter FTP client view | ftp [ cluster | remote-server port-number ] | —
Specify to transfer files in ASCII characters | ascii | Use either command. By default, files are transferred in ASCII characters.
Specify to transfer files in binary streams | binary | Optional...
To do… | Use the command… | Remarks
Download a remote file from the FTP server | get remotefile [ localfile ] |
Upload a local file to the FTP server | put localfile [ remotefile ] |
Rename a file on the remote server | rename remote-source remote-dest |
Log in with the specified user... | |
The specified interface must be an existing one. Otherwise a prompt appears to show that the configuration fails. The value of the ip-address argument must be the IP address of the device where the configuration is performed. Otherwise a prompt appears to show that the configuration fails. The source interface/source IP address set for one connection takes precedence over the fixed source interface/source IP address set for each connection.
[Sysname] local-user switch
[Sysname-luser-switch] password simple hello
[Sysname-luser-switch] service-type ftp
Configure the PC (FTP client)
Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
Boot ROM menu.
A 3Com Switch 4500 is not shipped with FTP client application software. You need to purchase and install it yourself.
Configure Switch A (FTP server)
# After uploading the application, use the boot boot-loader command to specify the uploaded file (switch.bin) as the startup file used when the switch starts the next time, and restart the switch.
Configuration procedure Configure the switch (FTP server) # Configure the login banner of the switch as “login banner appears” and the shell banner as “shell Configuration banner appears”. For detailed configuration of other network requirements, see section Example: A Switch Operating as an FTP Server.
Configuration procedure Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) Configure the switch (FTP client) # Log in to the switch.
<Sysname> boot boot-loader switch.bin
<Sysname> reboot
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
SFTP Configuration
Complete the following tasks to configure SFTP:
Task | Remarks
Enabling an SFTP server...
10 minutes by default.
Supported SFTP client software
A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software, including SSH Tectia Client v4.2.0 (SFTP), v5.0, and WINSCP. SFTP client software supports the following operations: logging in to a device; uploading a file;...
To do… | Use the command… | Remarks
Enter SFTP client view | sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | Required. Support for the 3des keyword depends on the number of...
If you specify to authenticate a client through a public key on the server, the client needs to read its local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, you need to use the identity-key keyword to specify the algorithm so that the correct local private key is read;...
[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign it an IP address, which is used as the destination address for the client to connect to the SFTP server.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Specify the SSH authentication mode as AAA.
sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx...
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
Received status: End of file
Received status: Success
# Download the file pubkey2 from the server and rename it as public.
TFTP server, then sends data to the TFTP server, and receives acknowledgement packets from the TFTP server. A 3Com Switch 4500 can act as a TFTP client only. When a 3Com Switch 4500 serving as a TFTP client d...
TFTP Configuration
Complete the following tasks to configure TFTP:
Task | Remarks
Basic configurations on a TFTP client | —
Specifying the source interface or source IP address for an FTP client | Optional
TFTP Configuration: A Switch Operating as a TFTP Client | —
For details, see the TFTP server configuration —...
To do… | Use the command… | Remarks
Specify the source IP address used for the current connection | tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] } | Optional. Not specified by default.
Enter system view | system-view | —...
Network diagram
Figure 58-1 Network diagram for TFTP configuration
Configuration procedure
Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.
Configure the TFTP client (switch).
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.)
<Sysname>...
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
Information Center
When configuring information center, go to these sections for information you are interested in:
Information Center Overview
Information Center Configuration
Displaying and Maintaining Information Center
Information Center Configuration Examples
Information Center Overview
Introduction to Information Center
Acting as the system information hub, information center classifies and manages system information.
Information filtering by severity works this way: information with the severity value greater than the configured threshold is not output during the filtering. If the threshold is set to 1, only information with the severity being emergencies will be output; If the threshold is set to 8, information of all severities will be output.
Outputting system information by source module
The system information can be classified by source module and then filtered. Some module names and descriptions are shown in Table 59-3.
Table 59-3 Source module name list
Module name | Description
8021X | 802.1X module
 | Access control list module
ADBM | Address base module...
Module name | Description
SYSMIB | System MIB module
 | HWTACACS module
TELNET | Telnet module
TFTPC | TFTP client module
VLAN | Virtual local area network module
 | Virtual type terminal module
 | XModem module
default | Default settings for all the modules
To sum up, the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user’s settings, and then redirect the system information from the ten channels to the...
If the address of the log host is specified in the information center of the switch, when logs are generated, the switch sends the logs to the log host in the above format. For detailed information, refer to Setting to Output System Information to a Log Host.
8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login
Sysname: Sysname is the system name of the local switch and defaults to “3Com”. You can use the sysname command to modify the system name. Refer to the System Maintenance and Debugging part of this manual f...
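As an added illustration (not part of the manual), the following Python parses lines in the log format shown above and applies the severity-threshold rule and source-module filtering described in the overview; the sample lines, the month in the timestamp, and all mnemonics other than LOGIN are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Matches the log format shown above:
#   <timestamp> [<timezone>] <sysname> <module>/<severity>/<mnemonic>:<content>
LOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4}) "
    r"\[(?P<tz>[^\]]+)\] "
    r"(?P<sysname>\S+) "
    r"(?P<module>[A-Z0-9]+)/(?P<severity>[1-8])/(?P<mnemonic>[^:]+):"
    r"(?P<content>.*)$"
)


@dataclass
class LogRecord:
    timestamp: str
    timezone: str
    sysname: str
    module: str
    severity: int          # 1 (emergencies) .. 8 (debugging)
    mnemonic: str
    content: str


def parse_log(line: str) -> Optional[LogRecord]:
    """Parse one line in the switch log format; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return LogRecord(m["timestamp"], m["tz"], m["sysname"], m["module"],
                     int(m["severity"]), m["mnemonic"], m["content"].strip())


def passes_filter(rec: LogRecord, threshold: int,
                  modules: Optional[Set[str]] = None) -> bool:
    """Severity rule from the overview: a record is output only when its severity
    value is not greater than the threshold (1 keeps only emergencies, 8 keeps
    everything). An optional module set mirrors filtering by source module."""
    if not 1 <= threshold <= 8:
        raise ValueError("severity threshold must be in 1..8")
    if rec.severity > threshold:
        return False
    if modules is not None and rec.module not in modules:
        return False
    return True


def filter_logs(lines: Iterable[str], threshold: int,
                modules: Optional[Set[str]] = None) -> List[LogRecord]:
    """Parse and filter a batch of lines; lines that do not parse are skipped."""
    out: List[LogRecord] = []
    for line in lines:
        rec = parse_log(line)
        if rec is not None and passes_filter(rec, threshold, modules):
            out.append(rec)
    return out


# Constructed sample lines in the page's format. The first mirrors the SHELL login
# message shown above (the month "Jun" is assumed); the mnemonics of the others are
# placeholders chosen for this example, not real switch mnemonics.
SAMPLE_LOGS = [
    "Jun 8 10:12:21:708 2006 [GMT+08:00:00] Sysname SHELL/5/LOGIN:- 1 - VTY(1.1.0.2) in unit1 login",
    "Jun 8 10:12:30:002 2006 [GMT+08:00:00] Sysname ARP/7/SAMPLE_INFO:- 1 - constructed informational message",
    "Jun 8 10:12:31:415 2006 [GMT+08:00:00] Sysname IP/8/SAMPLE_DEBUG:- 1 - constructed debugging message",
    "Jun 8 10:12:40:900 2006 [GMT+08:00:00] Sysname ARP/1/SAMPLE_EMERG:- 1 - constructed emergency message",
    "this line is not in the switch log format",
]

if __name__ == "__main__":
    # Keep ARP and IP messages up to severity 7, as in the console example of this chapter.
    for rec in filter_logs(SAMPLE_LOGS, threshold=7, modules={"ARP", "IP"}):
        print(rec.module, rec.severity, rec.mnemonic, rec.content)
```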
Source: This field indicates the source of the information, such as the source IP address of the log sender. This field is optional and is displayed only when the output destination is the log host.
Content: This field provides the content of the system information.
Information Center Configuration
Information Center Configuration Task List...
If the system information is output before you input anything following the current command line prompt, the system does not echo any command line prompt after the system information output. In the interaction mode, you are prompted for some information input.
To do… | Use the command… | Remarks
Enable system information output to the console | info-center console channel { channel-number | channel-name } | Optional. By default, the switch uses information channel 0 to output log/debugging/trap information to the console.
Configure the output... | info-center source { modu-name | default } channel | Optional...
Follow these steps to enable the system information display on the console:
To do… | Use the command… | Remarks
Enable the debugging/log/trap information terminal display function | terminal monitor | Optional. Enabled by default.
Enable the debugging information terminal display function | terminal debugging | Optional. Disabled by default.
When there are multiple Telnet users or dumb terminal users, they share some configuration parameters, including module filter, language and severity level threshold. In this case, a change to any such parameter made by one user will also be reflected on all other user terminals.
To do… | Use the command… | Remarks
Enable information output for a specified switch in a fabric | info-center switch-on { unit unit-id | master | all } [ debugging | logging | ... | Optional. By default, debugging information output is enabled, and log and trap information output are disabled for the master switch...
To do… | Use the command… | Remarks
Enable system information output to the trap buffer | info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ]* | Optional. By default, the switch uses information channel 3 to output trap information to the trap buffer, which can hold up to 256 items by default.
To do… | Use the command… | Remarks
Enable information output to the SNMP NMS | info-center snmp channel { channel-number | channel-name } | Optional. By default, the switch outputs trap information to SNMP through channel 5.
Configure the... | info-center source { modu-name | default } channel | Optional...
With this feature applied to a port, when the state of the port changes, the system does not generate port link up/down logging information. In this case, you cannot monitor the port state change conveniently. Therefore, it is recommended to use the default configuration in normal cases.
Configuration procedure
Configure the switch:
# Enable the information center.
<Switch> system-view
[Switch] info-center enable
# Disable the function of outputting information to log host channels, because all modules output log information to the log host channels by default.
[Switch] undo info-center source default channel loghost
# Configure the host whose IP address is 202.38.1.10 as the log host.
# kill -HUP 147
After all the above operations, the switch can make records in the corresponding log file. Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering.
Log Output to a Linux Log Host
Network requireme...
Note the following items when you edit the file “/etc/syslog.conf”. A note must start on a new line, beginning with a “#” sign. In each pair (selector and action), a tab should be used as the separator instead of a space. No space is permitted at the end of the file name. The device name (facility) and received log information severity specified in the file “/etc/syslog.conf”...
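An added example, not from the manual: a small Python checker that applies the three editing rules above to a syslog.conf fragment (a note must begin a line with “#”, a tab must separate selector and action, and the file name must not end with a space); the facility local7 and the log file path in the sample are assumed values.

```python
import re
from typing import List, Tuple

# A syslog.conf selector: facility.level, possibly several joined by ';'
# (for example "local7.info" or "*.emerg;local7.none").
SELECTOR_RE = re.compile(r"^[\w*]+(,[\w*]+)*\.[\w*]+(;[\w*]+(,[\w*]+)*\.[\w*]+)*$")


def check_syslog_conf(text: str) -> List[Tuple[int, str]]:
    """Return (line number, problem) pairs for lines that break the editing rules above."""
    problems: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue                      # blank lines are fine
        if line.lstrip().startswith("#"):
            if not line.startswith("#"):  # a note must begin the line with '#'
                problems.append((lineno, "comment must start at the beginning of the line"))
            continue
        if "#" in line:                   # notes may not follow an entry on the same line
            problems.append((lineno, "comment must start on a new line"))
            continue
        if "\t" not in line:              # selector and action need a tab separator
            problems.append((lineno, "selector and action must be separated by a tab, not spaces"))
            continue
        selector, _, action = line.partition("\t")
        if not SELECTOR_RE.match(selector):
            problems.append((lineno, f"malformed selector {selector!r}"))
        action = action.lstrip("\t")
        if not action.strip():
            problems.append((lineno, "missing action (file name)"))
        elif action != action.rstrip(" "):  # no trailing space after the file name
            problems.append((lineno, "trailing space after the file name"))
    return problems


# Constructed sample /etc/syslog.conf: line 2 is correct, lines 3-6 each break one rule.
# The facility local7 and the file path are assumed values for this example.
SAMPLE_CONF = (
    "# logs from the switch (constructed sample)\n"
    "local7.info\t/var/log/Switch/info.log\n"
    "local7.info /var/log/Switch/info.log\n"
    "  # indented comment\n"
    "local7.info\t/var/log/Switch/info.log \n"
    "local7.info\t/var/log/Switch/info.log # trailing note\n"
)

if __name__ == "__main__":
    for lineno, problem in check_syslog_conf(SAMPLE_CONF):
        print(f"line {lineno}: {problem}")
```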
<Switch> system-view
[Switch] info-center enable
# Disable the function of outputting information to the console channels.
[Switch] undo info-center source default channel console
# Enable log information output to the console. Permit the ARP and IP modules to output log information with a severity level higher than informational to the console.
Boot ROM and Host Software Loading Traditionally, switch software is loaded through a serial port. This approach is slow, time-consuming and cannot be used for remote loading. To resolve these problems, the TFTP and FTP modules are introduced into the switch. With these modules, you can load/download software/files conveniently to the switch through an Ethernet port.
1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9.
0. Return
Enter your choice (0-5):
Step 3: Choose an appropriate baudrate for downloading. For example, if you press 5, the baudrate 115200 bps is chosen and the system displays the following information:
Download baudrate is 115200 bit/s
Please change the terminal's baudrate to 115200 bit/s and select XMODEM protocol
Press enter key when ready
If you have chosen 19200 bps as the download baudrate, you need not modify the HyperTerminal’s baudrate, and therefore you can skip Steps 4 and 5 below and proceed to Step 6 directly.
Figure 60-2 Console port configuration dialog box Step 5: Click the <Disconnect> button to disconnect the HyperTerminal from the switch and then click the <Connect> button to reconnect the HyperTerminal to the switch, as shown in Figure 60-3. Figure 60-3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program.
Figure 60-4 Send file dialog box Step 8: Click <Send>. The system displays the page, as shown in Figure 60-5. Figure 60-5 Sending file page Step 9: After the sending process completes, the system displays the following information: Loading ...CCCCCCCCCC done! Step 10: Reset HyperTerminal’s baudrate to 9600 bps (refer to Step 4 and 5).
Loading host software
Follow these steps to load the host software:
Step 1: Select <1> in BOOT Menu and press <Enter>. The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0.
Step 2: Run the TFTP server program on the TFTP server, and specify the path of the program to be downloaded. TFTP server program is not provided with the 3Com Series Ethernet Switches. Step 3: Run the HyperTerminal program on the configuration PC. Start the switch. Then enter the BOOT Menu.
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system gives the prompt for host software loading instead of Boot ROM loading.
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required:
Load File name :switch.btm...
Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client Loading the Boot ROM As shown in...
Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch.
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0
Step 3: Enable the FTP service on the switch, and configure the FTP user name as test and the password as pass.
[Sysname-Vlan-interface1] quit
[Sysname] ftp server enable
[Sysname] local-user test
New local user added.
Figure 60-11 Enter Boot ROM directory
Step 6: Enter ftp 192.168.0.28 and enter the user name test and password pass, as shown in Figure 60-12, to log on to the FTP server.
Figure 60-12 Log on to the FTP server
Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 60-13.
Figure 60-13 Upload file switch.btm to the switch
Step 8: Configure switch.btm to be the Boot ROM at next startup, and then restart the switch.
<Sysname> boot bootrom switch.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
<Sysname>...
Basic System Configuration and Debugging
When configuring basic system configuration and debugging, go to these sections for information you are interested in:
Basic System Configuration
Displaying the System Status
Debugging the System
Basic System Configuration
Perform the following basic system configuration:...
Displaying the System Status
To do… | Use the command… | Remarks
Display the current date and time of the system | display clock | Available in any view
Display the version of the system | display version | Available in any view
Display the information about users logging onto the switch | display users [ all ] |...
You can use the following commands to enable the two switches.
Follow these steps to enable debugging and terminal display for a specific module:
To do… | Use the command… | Remarks
Enable system debugging for a specific module | debugging module-name [ debugging-option ] | Required. Disabled for all modules by default...
Network Connectivity Test
When configuring network connectivity test, go to these sections for information you are interested in:
ping
tracert
Network Connectivity Test
ping
You can use the ping command to check the network connectivity and the reachability of a host.
Device Management
When configuring device management, go to these sections for information you are interested in:
Introduction to Device Management
Device Management Configuration
Displaying the Device Management Configuration
Remote Switch APP Upgrade Configuration Example
Introduction to Device Management
Device Management includes the following:
Reboot the Ethernet switch
Configure real-time mon...
Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed. This prevents the system from losing the configurations in case the system is shut down without saving the configurations. Use the following command to reboot the Ethernet switch:
To do…...
Enabling of this function consumes some amounts of CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
Currently, in the S4500 series Ethernet switches, the auto power down configuration does not take effect on 1000BASE-X SFP Ports. Upgrading the Host Software in the Fabric You can execute the following command on any device in a Fabric to use specified host software to upgrade all devices in a Fabric, thus realizing the software version consistency in this Fabric.
To do… | Use the command… | Remarks
Display main parameters of the pluggable transceiver(s) | display transceiver interface [ interface-type interface-number ] | Available for all pluggable transceivers
Display part of the electrical label information of the anti-spoofing pluggable transceiver(s) | display transceiver manuinfo interface [ interface-type ... | Available for anti-spoofing transceiver(s)...
To do… | Use the command… | Remarks
Display system diagnostic information or save system diagnostic information to a file with the extension .diag into the Flash memory | display diagnostic-information |
Display enabled debugging on a specified switch or all switches in the fabric | display debugging { fabric | unit unit-id } [ interface interface-type interface-number ] [ module-name ]...
Refer to the Login Operation part of this manual for configuration commands and steps about telnet user. Execute the telnet command on the PC to log into the switch. The following prompt appears: <Sysname> If the Flash memory of the switch is not sufficient, delete the original applications before downloading the new ones.
Unit 1:
The current boot app is: switch.bin
The main boot app is: switch.bin
The backup boot app is:
# Reboot the switch to upgrade the Boot ROM and host software of the switch.
<Sysname> reboot
Start to check configuration with next startup configuration file, please wait..
Scheduled Task Configuration
What Is a Scheduled Task
A scheduled task defines a command or a group of commands and when such commands will be executed. It allows a device to execute specified command(s) at a time when no person is available to maintain the device.
Modification of the system time will affect the execution of a scheduled task.
Configuring a scheduled task to be executed after a delay time
Follow these steps to configure a scheduled task that will be executed after a delay time:
To do…...
Configuration procedure
<Switch> system-view
# Create scheduled task pc1, and enter scheduled task view.
[Switch] job pc1
# Configure the view where the specified command is to be executed as Ethernet interface view.
[Switch-job-pc1] view Ethernet1/0/1
# Configure the scheduled task so that the Ethernet port is enabled on Switch at 8 AM from Monday to Friday.
VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
VLAN-VPN Overview
VLAN-VPN Configuration
Displaying and Maintaining VLAN-VPN Configuration
VLAN-VPN Configuration Example
VLAN-VPN Overview
Introduction to VLAN-VPN
Virtual private network (VPN) is a new technology that emerges with the expansion of the Internet. It can be used for establishing private networks over the public network.
Provides simple Layer 2 VPN solutions for small-sized MANs or intranets.
Implementation of VLAN-VPN
With the VLAN-VPN feature enabled, no matter whether or not a received packet already carries a VLAN tag, the switch tags the received packet with the default VLAN tag of the receiving port and adds the source MAC address to the MAC address table of the default VLAN.
Inner-to-Outer Tag Priority Replicating and Mapping As shown in Figure 65-2, the user priority field is the 802.1p priority of the tag. The value of this 3-bit field is in the range 0 to 7. By configuring inner-to-outer tag priority replicating or mapping for a VLAN-VPN-enabled port, you can replicate the inner tag priority to the outer tag or assign outer tags of different priorities to packets according to their inner tag priorities.
Table 65-1. For 3Com series switches, the TPID defaults to 0x8100. Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
Displaying and Maintaining VLAN-VPN Configuration
To do... | Use the command... | Remarks
Display the VLAN-VPN configurations of all the ports | display port vlan-vpn | Available in any view
VLAN-VPN Configuration Example
Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN
Network requirements
As shown in...
# Enable the VLAN-VPN feature on Ethernet 1/0/11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag.
<SwitchA> system-view
[SwitchA] vlan 1040
[SwitchA-vlan1040] port Ethernet 1/0/11
[SwitchA-vlan1040] quit
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] vlan-vpn enable
[SwitchA-Ethernet1/0/11] quit...
# As the devices in the public network are from other vendors, only the basic principles are introduced here. That is, you need to configure the devices connecting to Ethernet 1/0/12 of Switch A and Ethernet 1/0/22 of Switch B to permit the corresponding ports to transmit tagged packets of VLAN 1040. Data transfer process The following describes how a packet is forwarded from Switch A to Switch B in this example.
Selective QinQ Configuration
When configuring selective QinQ, go to these sections for information you are interested in:
Selective QinQ Overview
Selective QinQ Configuration
Selective QinQ Configuration Example
Selective QinQ Overview
Selective QinQ Overview
Selective QinQ is an enhanced application of the VLAN-VPN feature.
telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner VLAN tags.
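To make the tagging behaviour concrete, here is an added Python example (not the switch's code) of the outer tag a VLAN-VPN port adds: it replicates or maps the inner 802.1p priority, uses the configured TPID, and, for selective QinQ as just described, chooses the outer VLAN from the inner VLAN ID. The sample frames, MAC addresses and the PC-user VLAN range are constructed; the outer VLANs 1000 and 1200 follow the configuration example of this chapter.

```python
import struct
from typing import Dict, List, Optional, Tuple

DEFAULT_TPID = 0x8100       # default TPID on the Switch 4500 (the VLAN-VPN chapter above)
Tag = Tuple[int, int, int]  # (TPID, 802.1p priority, VLAN ID)


def read_tags(frame: bytes, tpids: Tuple[int, ...] = (DEFAULT_TPID,)) -> List[Tag]:
    """Return the VLAN tags of an Ethernet frame, outermost first.
    Only EtherTypes listed in `tpids` are recognised as tags, which is why a
    non-default TPID must be configured on both sides of the public network."""
    tags: List[Tag] = []
    off = 12                            # past destination and source MAC
    while len(frame) >= off + 4:
        tpid, tci = struct.unpack("!HH", frame[off:off + 4])
        if tpid not in tpids:
            break
        tags.append((tpid, tci >> 13, tci & 0x0FFF))
        off += 4
    return tags


def vlan_vpn_tag(frame: bytes, pvid: int, tpid: int = DEFAULT_TPID,
                 vid_map: Optional[Dict[Tuple[int, int], int]] = None,
                 prio_map: Optional[Dict[int, int]] = None,
                 replicate_priority: bool = True) -> bytes:
    """Add an outer VLAN tag the way a VLAN-VPN port does.

    - Tagged or not, the frame gets an outer tag; its VLAN ID is the port's default
      VLAN (pvid) unless `vid_map` (selective QinQ: inner VLAN range -> outer VLAN)
      matches the inner VLAN ID.
    - The outer 802.1p priority is replicated from the inner tag, or mapped through
      `prio_map`, or left at 0 when the frame carried no tag.
    """
    inner = read_tags(frame)
    outer_vid, pcp = pvid, 0
    if inner:
        _, inner_pcp, inner_vid = inner[0]
        if vid_map:
            for (lo, hi), mapped_vid in vid_map.items():
                if lo <= inner_vid <= hi:
                    outer_vid = mapped_vid
                    break
        if prio_map is not None:
            pcp = prio_map.get(inner_pcp, 0)
        elif replicate_priority:
            pcp = inner_pcp
    tci = ((pcp & 0x7) << 13) | (outer_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def make_frame(dst: bytes, src: bytes, vid: Optional[int] = None, pcp: int = 0,
               ethertype: int = 0x0800, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a constructed test frame, optionally carrying one 802.1Q tag."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", DEFAULT_TPID, (pcp << 13) | vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Selective QinQ mapping: IP phones in VLAN 201-300 get outer VLAN 1200, PC users get
# outer VLAN 1000; the PC range 1-100 is an assumption made for this example.
SELECTIVE_MAP = {(1, 100): 1000, (201, 300): 1200}

# Constructed MAC addresses for the sample frames.
PHONE_MAC = bytes.fromhex("000fe2000002")
GATEWAY_MAC = bytes.fromhex("000fe2000001")

if __name__ == "__main__":
    phone = make_frame(GATEWAY_MAC, PHONE_MAC, vid=250, pcp=5)
    print(read_tags(vlan_vpn_tag(phone, pvid=5, vid_map=SELECTIVE_MAP)))
```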
device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications. Likewise, the entries in the MAC address table of the outer VLAN can also be replicated to that of the default VLAN on a port, through which the outbound port to the service provider network can be determined through the MAC ad...
Do not enable both the selective QinQ function and the DHCP snooping function on a switch. Otherwise, the DHCP snooping function may operate improperly. Enabling the Inter-VLAN MAC Address Replicating Feature Follow these steps to enable the inter-VLAN MAC address replicating feature: To do...
The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
[SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
[SwitchA-Ethernet1/0/5] quit
# Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] port link-type hybrid
[SwitchA-Ethernet1/0/3] port hybrid pvid vlan 5...
[SwitchB] interface Ethernet 1/0/11
[SwitchB-Ethernet1/0/11] port link-type hybrid
[SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
# Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
[SwitchB] interface Ethernet 1/0/12
[SwitchB-Ethernet1/0/12] port link-type hybrid
[SwitchB-Ethernet1/0/12] port hybrid pvid...
Remote-ping Configuration
When configuring remote-ping, go to these sections for information you are interested in:
Remote-ping Overview
Remote-ping Configuration
Remote-ping Configuration Example
Remote-ping Overview
Remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on a network.
If this parameter is set to a number greater than 1, the system sends the second test packet once it receives a response to the first one, or when the test timer times out if it receives no response after sending the first one, and so forth until the last test packet is sent out.
Displaying remote-ping Configuration
After the above remote-ping configuration, you can execute the display command in any view to display the information of the remote-ping test operation status, so that you can verify the configuration effect.
Table 67-2 Display remote-ping co...
IPv6 Configuration
When configuring IPv6, go to these sections for information you are interested in:
IPv6 Overview
IPv6 Configuration Task List
IPv6 Configuration Example
IPv6 Overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol Version 4 (IPv4).
Hierarchical address structure
IPv6 adopts the hierarchical address structure to quicken route search and reduce the system resources occupied by the IPv6 routing table by means of route aggregation.
Automatic address configuration
To simplify the host configuration, IPv6 supports stateful address configuration and stateless address configuration.
If an IPv6 address contains two or more consecutive groups of zeros, they can be replaced by the double-colon :: option. For example, the above-mentioned address can be represented in the shortest format as 2001:0:130F::9C0:876A:130B. The double-colon :: can be used only once in an IPv6 address. Otherwise, the device is unable to determine how many zeros the double-colon represents when converting it to zeros to restore the IPv6 address to a 128-bit address.
Type | Format prefix (binary) | IPv6 prefix ID
Global unicast address | other forms | —
Multicast address | 11111111 | FF00::/8
Anycast address | Anycast addresses are taken from the unicast address space and are not syntactically distinguishable from unicast addresses.
Unicast address
There are several forms of unicast address assignment in IPv6, including global unicast address, link-local address, and site-local address.
Where, FF02:0:0:0:0:1:FF is permanent and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 address. Interface identifier in IEEE EUI-64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be unique on that link.
The 3Com Switch 4500 does not support the RS, RA, or Redirect message. Of the above-mentioned IPv6 NDP functions, 3Com Switch 4500 switches support the following three: address resolution, neighbor unreachability detection, and duplicate address detection.
Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B. The NS message contains the link-layer address of node A. After receiving the NS message, node B judges whether the destination address of the packet is the corresponding solicited-node multicast address of its own IPv6 address.
RFC 1981: Path MTU Discovery for IP version 6
RFC 2375: IPv6 Multicast Address Assignments
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
RFC 2462: IPv6 Stateless Address Autoconfiguration
RFC 2463: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 2526: Reserved IPv6 Subnet Anycast Addresses...
To do... | Use the command... | Remarks
Enter system view | system-view | —
Enter VLAN interface view | interface interface-type interface-number | —
Manually assign an IPv6 address | ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } | Use either command. By default, no site-local address or global unicast address is
Configure an IPv6...
If XRN fabric ports are configured on a 3Com Switch 4500, no IPv6 address can be configured for the switch. IPv6 unicast addresses can be configured for only one VLAN interface on a 3Com Switch 4500. The total number of global unicast addresses and site-local addresses on the VLAN interface can be up to four.
Configuring the maximum number of neighbors dynamically learned The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table. Too large a neighbor table may lead to the forwarding performance degradation of the device.
To do… | Use the command… | Remarks
Specify the NS interval | ipv6 nd ns retrans-timer value | Optional. 1,000 milliseconds by default.
Configuring the neighbor reachable timeout time on an interface
After a neighbor passes the reachability detection, the device considers the neighbor to be reachable for a specific period.
To do… | Use the command… | Remarks
Set the finwait timer of IPv6 TCP packets | tcp ipv6 timer fin-timeout wait-time | Optional. 675 seconds by default.
Set the synwait timer of IPv6 TCP packets | tcp ipv6 timer syn-timeout wait-time | Optional. 75 seconds by default.
Configure the size of IPv6 TCP... | tcp ipv6 window size... | Optional.
Displaying and Maintaining IPv6
To do… | Use the command… | Remarks
Display the FIB entries | display ipv6 fib |
Display the brief IPv6 information of an interface | display ipv6 interface [ interface-type interface-number | brief ] |
Display neighbor information | display ipv6 neighbors [ ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id ] [ | { begin...
Network diagram
Figure 68-5 Network diagram for IPv6 address configuration
Configuration procedure
Configure Switch A.
# Configure an automatically generated link-local address for the interface VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface Vlan-interface 2
[SwitchA-Vlan-interface2] ipv6 address auto link-local
# Configure an EUI-64 address for the interface VLAN-interface 2.
[SwitchA-Vlan-interface2] ipv6 address 2001::/64 eui-64
# Configure a global unicast address for the interface VLAN-interface 2.
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
[SwitchB-Vlan-interface2] display ipv6 interface Vlan-interface 2
Vlan-interface2 current state : UP
Line protocol current state : UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1
Global unicast address(es):
2001::20F:E2FF:FE00:1, subnet is 2001::/64...
round-trip min/avg/max = 60/66/80 ms
[SwitchA-Vlan-interface2] ping ipv6 2001::20F:E2FF:FE00:1
PING 2001::20F:E2FF:FE00:1 : 56 data bytes, press CTRL_C to break
Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=1 hop limit=255 time = 40 ms
Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=2 hop limit=255 time = 70 ms
Reply from 2001::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms...
Troubleshooting IPv6 Application
Introduction to IPv6 Application
IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4. The applications supported on the 3Com Switch 4500 are: Ping, Traceroute, TFTP, Telnet, Configur...
IPv6 Traceroute
The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure.
Figure 69-1 Traceroute process
As Figure 69-1 shows, the traceroute process is as follows: The source sends an IP datagram with the Hop Limit of 1.
To do… | Use the command… | Remarks
Download/Upload files from TFTP server | tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ] | Required. Available in user view.
When you use the tftp ipv6 command to connect to the TFTP server, you must specify the "-i" keyword if the destination address is a link-local address.
Applications
Network requirements
In Figure 69-3, SWA, SWB, and SWC are three switches, among which SWA is a 3Com Switch 4500, and SWB and SWC are two switches supporting IPv6 forwarding. In a LAN, there is a Telnet server and a TFTP server for providing Telnet service and TFTP service, respectively, to the switch.
bytes=56 Sequence=2 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms
--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received...
Solution
Check that the IPv6 addresses are configured correctly.
Use the display ipv6 interface command to determine whether the interfaces of the source and the destination, and the link-layer protocol between them, are up.
Use the display ipv6 route-table command to verify that the destination is reachable.
Use the ping ipv6 -t timeout { destination-ipv6-address | hostname } [ -i interface-type interface-number ] command to increase the timeout limit, so as to determine whether it is due...
Password Control Configuration Operations
Introduction to Password Control Configuration
The password control feature is designed to manage the following passwords:
Telnet passwords: passwords for logging into the switch through Telnet.
SSH passwords: passwords for logging into the switch through SSH.
FTP passwords: passwords for logging into the switch through FTP.
Function | Description | Application
Password encryption protection | Encrypted display: The switch protects the displayed password. The password is always displayed as a string containing only asterisks (*) in the configuration file or on the user terminal. Saving passwords in ciphertext: The switch encrypts and saves the configured passwords in ciphertext in the configuration file. | All passwords
Password Control Configuration
Configuration Prerequisites
A user PC is connected to the switch to be configured; both devices are operating normally.
Configuration Tasks
The following sections describe the configuration tasks for password control:
Configuring Password Aging
Configuring the Limitation of Minimum Password Length
Configuring History Password Recording
Configuring a User Login Password in Interactive Mode
Configuring Login Attempt Times Limitation and Failure Processing Mode...
Operation | Command | Description
Create a local user or enter local user view | local-user user-name | —
Configure a password aging time for the local user | password-control aging aging-time | Optional. By default, the aging time is 90 days.
In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords: Global settings in system view apply to all local user passwords and super passwords.
You can configure the password aging time when password aging is not yet enabled, but these configured parameters will not take effect. After the user changes the password successfully, the switch saves the old password in a readable file in the flash memory. The switch does not provide the alert function for FTP passwords.
In this section, you must note the effective range of the same commands when executed in different views or to different types of passwords:
Global settings in system view apply to all local user passwords and super passwords.
Settings in the local user view apply to the local user password only.
Settings on the parameters of the super passwords apply to super passwords only.
Table 70-5 Manually remove history password records
Operation | Command | Description
Remove history password records of one or all users | reset password-control history-record [ user-name user-name ] | Executing this command without the user-name user-name option removes the history password records of all users. Executing this command with the user-name user-name option removes the history password...
lock-time: In this mode, the system inhibits the user from re-logging in within a certain time period. After the period, the user is allowed to log into the switch again. By default, this time is 120 minutes.
lock: In this mode, the system inhibits the user from re-logging in forever. The user is allowed to log into the switch again only after the administrator removes the user from the user blacklist.
Table 70-9 Configure the timeout time for users to be authenticated
Operation | Command | Description
Enter system view | system-view | —
Configure the timeout time for users to be authenticated | password-control authentication-timeout authentication-timeout | Optional. By default, it is 60 seconds.
Configuring Password Composition Policies
A password can be a combination of characters from the following four categories: letters A to Z, letters a to z, numbers 0 to 9, and the 32 special characters consisting of the space and ~`!@#$%^&*()_+-={}|[]\:";'<>,./.
Operation | Command | Description
Configure the password composition policy for the local user | password-control composition type-number policy-type [ type-length type-length ] | Optional. By default, the minimum number of types a password should contain is 1 and the minimum number of characters of each type is 1.
For a local user named test, the minimum password length is 6 characters, the minimum number of password composition types is 2, the minimum number of characters in each password composition type is 3, and the password aging time is 20 days. Configuration procedure # Enter system view.
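As an added illustration (not the switch's own code) of the composition and aging rules this chapter describes: a Python checker that applies the settings configured for user test above (minimum length 6, 2 composition types, 3 characters per type, 20-day aging). It assumes that a composition type counts toward type-number only when it contributes at least type-length characters, and that characters outside the four listed categories are rejected; both are assumptions, not statements from the manual.

```python
from collections import Counter
from datetime import date

# The 32 special characters the manual lists: the space plus these 31 symbols.
SPECIAL_CHARS = set(" ~`!@#$%^&*()_+-={}|[]\\:\";'<>,./")

# Policy the configuration example sets for local user "test".
TEST_USER_POLICY = dict(min_length=6, type_number=2, type_length=3)
TEST_USER_AGING_DAYS = 20


def char_category(ch):
    """Map one character to its composition type, or None if it is outside all four."""
    if "A" <= ch <= "Z":
        return "upper"
    if "a" <= ch <= "z":
        return "lower"
    if "0" <= ch <= "9":
        return "digit"
    if ch in SPECIAL_CHARS:
        return "special"
    return None


def check_composition(password, min_length=1, type_number=1, type_length=1):
    """Evaluate a candidate password against a composition policy.

    Returns (accepted, reasons). Defaults mirror the manual's defaults
    (1 type, 1 character per type). Assumption: a type only counts toward
    type_number when it has at least type_length characters.
    """
    reasons = []
    counts = Counter()
    for ch in password:
        cat = char_category(ch)
        if cat is None:
            # Assumption: anything outside the four categories is rejected.
            reasons.append("character %r is outside the four allowed categories" % ch)
        else:
            counts[cat] += 1
    if len(password) < min_length:
        reasons.append("length %d is below the minimum of %d" % (len(password), min_length))
    qualifying = sorted(cat for cat, n in counts.items() if n >= type_length)
    if len(qualifying) < type_number:
        reasons.append("only %d composition type(s) have at least %d characters; %d required"
                       % (len(qualifying), type_length, type_number))
    return (not reasons), reasons


def days_until_expiry(changed_on, today, aging_days):
    """Days left before the aging time elapses; 0 or less means the password has aged out."""
    return aging_days - (today - changed_on).days


if __name__ == "__main__":
    # Constructed sample candidates, evaluated against user test's policy.
    for candidate in ["abc123", "abcd12", "Ab1", "abc!!!", "abc123\u20ac"]:
        ok, why = check_composition(candidate, **TEST_USER_POLICY)
        print("%-10r %s %s" % (candidate, "accepted" if ok else "rejected", "; ".join(why)))
    # Constructed dates: password set on 1 Jan, checked on 21 Jan with 20-day aging.
    print("days until expiry:",
          days_until_expiry(date(2024, 1, 1), date(2024, 1, 21), TEST_USER_AGING_DAYS))
```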
Access Management Configuration
When configuring access management, go to these sections for information you are interested in:
Access Management Overview
Configuring Access Management
Access Management Configuration Examples
Access Management Overview
Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches;...
Configuring Access Management
Follow these steps to configure access management:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the access management function | am enable | Required. By default, the system disables the access management function.
Enable the access management trap | am trap enable | Required. By default, access management trap is...
Disable the PCs that are not of Organization 1 (PC 2 and PC 3) from accessing the external network through Ethernet 1/0/1 of Switch A.
Network diagram
Figure 71-2 Network diagram for access management configuration
Configuration procedure
Perform the following configuration on Switch A.
# Enable access management.
Ethernet 1/0/1 and Ethernet 1/0/2 belong to VLAN 1. The IP address of VLAN-interface 1 is 202.10.20.200/24. PCs of Organization 1 are isolated from those of Organization 2 on Layer 2.
Network diagram
Figure 71-3 Network diagram for combining access management and port isolation
Configuration procedure
Perform the following configuration on Switch A.
[Sysname-Ethernet1/0/2] am ip-pool 202.10.20.25 26 202.10.20.55 11
# Add Ethernet 1/0/2 to the port isolation group.
[Sysname-Ethernet1/0/2] port isolate
[Sysname-Ethernet1/0/2] quit
LLDP Configuration
When configuring LLDP, go to these sections for information you are interested in:
Overview
LLDP Configuration Task List
Performing Basic LLDP Configuration
Configuring CDP Compatibility
Configuring LLDP Trapping
Displaying and Maintaining LLDP
LLDP Configuration Examples
Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management.
Figure 72-1 Ethernet II-encapsulated LLDP frame format
The fields in the frame are described in Table 72-1:
Table 72-1 Description of the fields in an Ethernet II-encapsulated LLDP frame
Field | Description
Destination MAC address | The MAC address to which the LLDPDU is advertised. It is fixed to 0x0180-C200-000E, a multicast MAC address.
Field | Description
Source MAC address | The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
Type | The SNAP type for the upper layer protocol. It is 0xAAAA-0300-0000-88CC for LLDP.
VLAN Name | A specific VLAN name on the port
Protocol Identity | Protocols supported on the port
Currently, the 3Com Switch 4500 supports receiving but not sending protocol identity TLVs.
IEEE 802.3 organizationally specific TLVs
Table 72-5 IEEE 802.3 organizationally specific TLVs
Type...
LLDP-MED TLVs LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs satisfy the voice device vendors’ requirements for cost effectiveness, ease of deployment, and ease of management.
How LLDP Works
Transmitting LLDP frames
An LLDP-enabled port operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change, an interval is introduced between two successive LLDP frames.
Performing Basic LLDP Configuration
Enabling LLDP
To make LLDP take effect on certain ports, you need to enable LLDP both globally and on these ports.
Follow these steps to enable LLDP:
To do… | Use the command… | Remarks
Enter system view | system-view | —...
Enabling LLDP Polling
With LLDP polling enabled, a device checks for local configuration changes periodically. Upon detecting a configuration change, the device sends LLDP frames to inform the neighboring devices of the change.
Follow these steps to enable LLDP polling:
To do…...
To do… | Use the command… | Remarks
Enter Ethernet interface view | interface interface-type interface-number | Required
Enable LLDP to advertise management address TLVs and configure the advertised management IP address | lldp management-address-tlv [ ip-address ] | Optional. By default, the management address is sent through LLDPDUs, and the management address is the main IP address of the...
LLDP-CDP (CDP is short for the Cisco Discovery Protocol) packets use only SNAP encapsulation.
Configuring CDP Compatibility
On a 3Com Switch 4500, only one voice VLAN exists at any given point in time. For detailed information about voice VLAN, refer to Voice VLAN Operation in this manual.
With CDP compatibility enabled, the device can use LLDP to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN ID of the device for the IP phones to configure the voice VLAN automatically. In this way, voice traffic is confined in the configured voice VLAN and is thus differentiated from other types of traffic.
Follow these steps to configure LLDP trapping:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet interface view | interface interface-type interface-number | Required
Enable LLDP trap sending | lldp notification remote-change enable | Required. Disabled by default
Quit to system view | quit | —
Set the interval to send LLDP... | | Optional
Figure 72-4 Network diagram for basic LLDP configuration (Switch A: Eth1/0/1, Eth1/0/2; Switch B: Eth1/0/1)
Configuration procedure
Configure Switch A.
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp enable
# Enable LLDP on Ethernet 1/0/1 and Ethernet 1/0/2 (you can skip this step because LLDP is enabled on ports by default), and set the LLDP operating mode to Rx.
Hold multiplier
Reinit delay : 2s
Transmit delay : 2s
Trap interval : 5s
Fast start times
Port 1 [Ethernet1/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Roll time : 0s
Number of neighbors
Number of MED neighbors
Number of CDP neighbors
Number of sent optional TLV...
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Roll time : 0s
Number of neighbors
Number of MED neighbors
Number of CDP neighbors
Number of sent optional TLV
Number of received unknown TLV
Port 2 [Ethernet1/0/2]:
Port status of LLDP : Enable
Admin status...
[SwitchA-Ethernet1/0/1] port link-type trunk
[SwitchA-Ethernet1/0/1] voice vlan 2 enable
[SwitchA-Ethernet1/0/1] quit
[SwitchA] interface ethernet 1/0/2
[SwitchA-Ethernet1/0/2] port link-type trunk
[SwitchA-Ethernet1/0/2] voice vlan 2 enable
[SwitchA-Ethernet1/0/2] quit
Configure CDP-compatible LLDP on Switch A.
# Enable LLDP globally and enable LLDP to be compatible with CDP globally.
[SwitchA] lldp enable
[SwitchA] lldp compliance cdp
# Enable LLDP (you can skip this step because LLDP is enabled on ports by default), configure LLDP to...
PKI Configuration
When configuring PKI, go to these sections for information you are interested in:
Introduction to PKI
PKI Configuration Task List
Displaying and Maintaining PKI
PKI Configuration Examples
Troubleshooting PKI
Introduction to PKI
This section covers these topics:
PKI Overview
PKI Terms...
Where CAs are trusted by different users in a PKI system, the CAs form a CA tree with the root CA at the top level. The root CA has a CA certificate signed by itself, while each lower level CA has a CA certificate signed by the CA at the next higher level.
A CA is a trusted authority responsible for issuing and managing digital certificates. A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed by publishing CRLs. A registration authority (RA) is an extended part of a CA or an independent authority. An RA can implement functions including identity authentication, CRL management, key pair generation and key pair backup.
The RA reviews the identity of the entity and then sends the identity information and the public key with a digital signature to the CA. The CA verifies the digital signature, approves the application, and issues a certificate. The RA receives the certificate from the CA, sends it to the LDAP server to provide directory navigation service, and notifies the entity that the certificate is successfully issued.
The configuration of an entity DN must comply with the CA certificate issue policy. You need to determine, for example, which entity DN parameters are mandatory and which are optional. Otherwise, the certificate request may be rejected.
Follow these steps to configure an entity DN:
To do…...
Configuring a PKI Domain
Before requesting a PKI certificate, an entity needs to be configured with some enrollment information, which is referred to as a PKI domain. A PKI domain is intended only for convenience of reference by other applications like SSL, and has only local significance. A PKI domain is defined by these parameters:
Trusted CA: An entity requests a certificate from a trusted CA.
To do… | Use the command… | Remarks
Specify the entity for certificate request | certificate request entity entity-name | Required. No entity is specified by default. The specified entity must exist.
Specify the authority for certificate request | certificate request from { ca | ra } | Required. No authority is specified by default.
Follow these steps to configure an entity to submit a certificate request in auto mode:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter PKI domain view | pki domain domain-name | —
Set the certificate request mode to auto | certificate request mode auto [ key-length key-length | password { cipher | simple }... | Required
If a PKI domain already has a local certificate, creating an RSA key pair will result in inconsistency between the key pair and the certificate. To generate a new RSA key pair, delete the local certificate and then issue the public-key local create command. A newly created key pair will overwrite the existing one.
If a PKI domain already has a CA certificate, you cannot retrieve another CA certificate for it. This is in order to avoid inconsistency between the certificate and registration information due to related configuration changes. To retrieve a new CA certificate, use the pki delete-certificate command to delete the existing CA certificate and local certificate first.
To do… | Use the command… | Remarks
Enter PKI domain view | pki domain domain-name | —
Disable CRL checking | crl check disable | Required. Enabled by default
Return to system view | quit | —
Retrieve the CA certificate | Refer to Retrieving a Certificate Manually | Required
Verify the validity of the... | pki validate-certificate { ca |...
Configuring an Access Control Policy
By configuring a certificate attribute-based access control policy, you can further control access to the server, providing additional security for the server.
Follow these steps to configure a certificate attribute-based access control policy:
To do… | Use the command…...
PKI Configuration Examples
The SCEP plug-in is required when you use Windows Server as the CA. In this case, when configuring the PKI domain, you need to use the certificate request from ra command to specify that the entity requests a certificate from an RA. The SCEP plug-in is not required when RSA Keon is used.
After configuring the basic attributes, you need to perform configuration on the jurisdiction configuration page of the CA server. This includes selecting the proper extension profiles, enabling the SCEP autovetting function, and adding the IP address list for SCEP autovetting. # Configure the CRL distribution behavior.
Apply for certificates
# Retrieve the CA certificate and save it locally.
[Switch] pki retrieval-certificate ca domain torsa
Retrieving CA/RA certificates. Please wait a while..
The trusted CA's finger print is:
fingerprint:EDE9 0394 A273 B61A F1B3 0072 A0B1 F9AB
SHA1 fingerprint: 77F9 A077 2FB8 088C 550B A33C 2410 D354 23B2 73A8
Is the finger print correct?(Y/N):y
Saving CA/RA certificates chain, please wait a moment..
Configuration procedure
Configure the CA server
Install the certificate server suites
From the start menu, select Control Panel > Add or Remove Programs, and then select Add/Remove Windows Components > Certificate Services and click Next to begin the installation.
Install the SCEP plug-in
As a CA server running Windows 2003 Server does not support SCEP by default, you need to install the SCEP plug-in so that the switch can register and obtain its certificate automatically.
# Specify the entity for certificate request as aaa.
[Switch-pki-domain-torsa] certificate request entity aaa
Generate a local key pair using RSA
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, It may take a few minutes.
The network connection is not proper. For example, the network cable may be damaged or loose.
No trusted CA is specified.
The URL of the registration server for certificate request is not correct or not configured.
No authority is specified for certificate request.
The system clock of the device is not synchronized with that of the CA.
The CRL distribution URL is not configured.
The LDAP server version is wrong.
Solution
Make sure that the network connection is physically proper.
Retrieve a CA certificate.
Specify the IP address of the LDAP server.
Specify the CRL distribution URL.
Re-configure the LDAP version.
SSL Configuration
When configuring SSL, go to these sections for information you are interested in:
SSL Overview
SSL Configuration Task List
Displaying and Maintaining SSL
Troubleshooting SSL
SSL Overview
Secure Sockets Layer (SSL) is a security protocol providing secure connection service for TCP-based application layer protocols, for example, the HTTP protocol.
SSL Protocol Stack
As shown in Figure 74-2, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
Figure 74-2 SSL protocol stack
SSL handshake protocol: As a very important part of the SSL protocol stack, it is responsible for negotiating the cipher suite to be used during communication (including the symmetric encryption...
Configuration Prerequisites
When configuring an SSL server policy, you need to specify the PKI domain to be used for obtaining the server side certificate. Therefore, before configuring an SSL server policy, you must configure a PKI domain.
Configuration Procedure
Follow these steps to configure an SSL server policy:
To do...
If you enable client authentication here, you must request a local certificate for the client. Currently, SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the device acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify Hello packets from clients running SSL 2.0.
[Switch-pki-entity-en] quit
# Create a PKI domain and configure it.
[Switch] pki domain 1
[Switch-pki-domain-1] ca identifier ca1
[Switch-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll
[Switch-pki-domain-1] certificate request from ra
[Switch-pki-domain-1] certificate request entity en
[Switch-pki-domain-1] quit
# Create the local RSA key pairs.
[Switch] public-key local create rsa
# Retrieve the CA certificate.
# Configure the system to strip the domain name off a user name before transmitting the user name to the RADIUS server.
[Sysname-radius-radius1] user-name-format without-domain
[Sysname-radius-radius1] quit
# Create ISP domain aabbcc.net for Web authentication users and enter the domain view.
[Sysname] domain aabbcc.net
# Configure domain aabbcc.net as the default user domain.
To do… | Use the command… | Remarks
Specify the preferred cipher suite for the SSL client policy | prefer-cipher { rsa_3des_ede_cbc_sha | rsa_aes_128_cbc_sha | rsa_aes_256_cbc_sha | rsa_des_cbc_sha | rsa_rc4_128_md5 | rsa_rc4_128_sha } | Optional. rsa_rc4_128_md5 by default
Specify the SSL protocol version for the SSL client policy | version { ssl3.0 | tls1.0 } | Optional. TLS 1.0 by default
If you enable client authentication on the server, you must request a local certificate for the client.
If the SSL server is configured to authenticate the client, but the certificate of the SSL client does not exist or cannot be trusted, request and install a certificate for the client. You can use the display ssl server-policy command to view the cipher suite used by the SSL server policy.
HTTPS Configuration
When configuring HTTPS, go to these sections for information you are interested in:
HTTPS Overview
HTTPS Configuration Task List
Associating the HTTPS Service with an SSL Server Policy
Enabling the HTTPS Service
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS Service with an ACL
Displaying and Maintaining HTTPS...
Associating the HTTPS Service with an SSL Server Policy
You need to associate the HTTPS service with a created SSL server policy before enabling the HTTPS service.
Follow these steps to associate the HTTPS service with an SSL server policy:
To do…...
Associating the HTTPS Service with a Certificate Attribute Access Control Policy
Associating the HTTPS service with a configured certificate access control policy helps control the access rights of the client, thus providing the device with enhanced security.
Follow these steps to associate the HTTPS service with a certificate attribute access control policy:
To do…...
HTTPS Configuration Example
Network requirements
Host acts as the HTTPS client and Device acts as the HTTPS server. Host accesses Device through the Web to control Device. The CA (certificate authority) issues a certificate to Device. The common name of the CA is new-ca. In this configuration example, Windows Server serves as the CA, and you need to install the Simple Certificate Enrollment Protocol (SCEP) component.
[Device] pki retrieval-certificate ca domain 1
# Apply for a local certificate.
[Device] pki request-certificate domain 1
Configure an SSL server policy associated with the HTTPS service
# Configure an SSL server policy.
[Device] ssl server-policy myssl
[Device-ssl-server-policy-myssl] pki-domain 1
[Device-ssl-server-policy-myssl] client-verify enable
[Device-ssl-server-policy-myssl] quit
Configure a certificate access control policy...