3Com Baseline Switch 2900 Family User Guide

Baseline Switch 2920-SFP Plus
Baseline Switch 2928-SFP Plus
Baseline Switch 2952-SFP Plus
Baseline Switch 2928-PWR Plus
Baseline Switch 2928-HPWR Plus

Manual Version: 6W102-20090810
www.3com.
Copyright © 2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
About This Manual

Organization

3Com Baseline Switch 2900 Family User Guide is organized as follows:

Part  Contents
1  Overview: Provides an overview of the 3Com baseline switch 2900 family.
2  Configuration Wizard: Perform quick configuration of the device.
3  IRF: Configure global parameters and stack ports, and display global settings, port settings, and topology summary of a stack.
4  Summary: Display the basic system information, port information, system resource state, and recent system operation logs.
18  RMON: Configure RMON, and display, create, modify, and clear RMON statistics.
19  Energy Saving: Display and configure the energy saving settings of an interface.
20  SNMP: Configure SNMP, and display, create, modify, and clear SNMP statistics.
21  Interface Statistics: Display and clear the statistics information of an interface.
22  VLAN: Create VLANs, and display the VLAN-related details of a port.
Conventions

The manual uses the following conventions:

Command conventions
  Boldface: The keywords of a command line are in Boldface.
  italic: Command arguments are in italic.
  [ ]: Items (keywords or arguments) in square brackets [ ] are optional.
  { x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
  [ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
Related Documentation

In addition to this manual, each 3Com Baseline Switch 2900 documentation set includes the following:

  3Com Baseline Switch 2900 Family Getting Started Guide: This guide provides all the information you need to install and use the 3Com Baseline Switch 2900 Family.

Obtaining Documentation

You can access the most up-to-date 3Com product documentation on the World Wide Web at this URL: http://www.3com.com.
1 Overview

The 3Com baseline switch 2900 family can be configured through the command line interface (CLI), web interface, and SNMP/MIB. These configuration methods are suitable for different application scenarios.
- The web interface supports all switch 2900 series configurations.
- The CLI provides some configuration commands to facilitate your operation. To perform configurations not supported by the CLI, use the web interface.
2 Configuration Through the Web Interface Web-Based Network Management Operating Environment 3Com provides the Web-based network management function to facilitate the operations and maintenance on 3Com’s network devices. Through this function, the administrator can visually manage and maintain network devices through the Web-based configuration interfaces. Figure 2-1 shows a Web-based network management operating environment.
Figure 2-2 Default IP address of the device

2) A DHCP server exists in the subnet where the device resides

If a DHCP server exists in the subnet where the device resides, the device dynamically obtains its default IP address through the DHCP server. You can log in to the device through the console port and execute the summary command to view its default IP address.

  summary
  Select menu option: Summary
  IP Method: DHCP
  IP address: 10.153.96.86
  Subnet mask: 255.255.
Figure 2-3 Login page of the Web interface

- The PC where you configure the device is not necessarily a Web-based network management terminal. A Web-based network management terminal is a PC used to log in to the Web interface, and it must be able to reach the device.
Figure 2-4 Web-based configuration interface: (1) Navigation tree, (2) Body area, (3) Title area

- Navigation tree: Organizes the Web-based NM functions as a navigation tree, where you can select and configure functions as needed. The result is displayed in the body area.
- Body area: Allows you to configure and display features.
User level in Table 2-2 indicates that users of this level or users of a higher level can perform the corresponding operations.

Table 2-2 Description of Web-based NM functions (Function menu / Description / User level)
- Display global settings and port settings of a stack. User level: Configure
- Configure global parameters and stack ports. User level: Management
- Topology Summary: Display the topology summary of a stack.
- Save: Save the current configuration to the configuration file to be used at the next startup. User level: Configure
- Initialize: Restore the factory default settings. User level: Configure
- File Management: Manage files on the device, such as displaying the file list, downloading a file, uploading a file, and removing a file. User level: Management
- Summary: Display port information by features. User level: Monitor
- Detail: Display feature information by ports.
- View, create, modify, and clear event entries. User level: Configure
- Log: Display log information about RMON events. User level: Configure
- Energy Saving: Display and configure the energy saving settings of an interface. User level: Configure
- Setup: Display and refresh SNMP configuration and statistics information. User level: Monitor
- Configure SNMP. User level: Configure
- Display SNMP community information. User level: Monitor
- Create, modify, and delete an SNMP community. User level: Configure
- Display SNMP group information.
- Display the addresses of the OUIs that can be identified by voice VLAN. User level: Monitor
- OUI Add: Add the address of an OUI that can be identified by voice VLAN. User level: Configure
- OUI Remove: Remove the address of an OUI that can be identified by voice VLAN. User level: Configure
- Display MAC address information. User level: Monitor
- Create and remove MAC addresses. User level: Configure
- Display and configure MAC address aging time. User level: Configure
- Display information about MST regions. User level: Monitor
- Modify MST regions.
- Remove. User level: Configure
- Display information about the DHCP status, advanced configuration information of the DHCP relay agent, DHCP server group configuration, DHCP relay agent interface configuration, and the DHCP client information. User level: Monitor
- Enable/disable DHCP, configure advanced DHCP relay agent settings, configure a DHCP server group, and enable/disable the DHCP relay agent on an interface.
- RADIUS Setup: Display and configure RADIUS parameters. User level: Management
- Local User: Display configuration information about local users. User level: Monitor
- Local User: Create, modify, and remove a local user. User level: Management
- User Group: Display configuration information about user groups. User level: Monitor
- User Group: Create, modify, and remove a user group. User level: Management
- Entity: Display information about PKI entities. User level: Monitor
- Entity: Add, modify, and delete a PKI entity.
- Summary: Display classifier configuration information. User level: Monitor
- Create: Create a class. User level: Configure
- Setup: Configure the classification rules for a class. User level: Configure
- Remove: Delete a class or its classification rules. User level: Configure
- Summary: Display traffic behavior configuration information. User level: Monitor
- Create: Create a traffic behavior. User level: Configure
- Setup: Configure actions for a traffic behavior.
The advanced search function is also provided. You can click the icon before Search Item, as shown in Figure 2-5. You can select Match case and whole word, meaning that the searched item must completely match the keyword, or you can select Search in previous results. If you do not select exact search, a fuzzy search is performed.

Figure 2-5 Advanced search

Refresh button: Click the button to refresh the display information of the current page.
Figure 2-7 About

Sort display: On the page, you can click the blue items of each column to sort and display the records based on the item you selected.

Figure 2-8 Sort display

Configuration Guidelines
- The Web-based console supports Microsoft Internet Explorer 6.0 SP2 and higher, but it does not support the Back, Next, and Refresh buttons provided by the browser. Using these buttons may result in abnormal display of Web pages.
- If the software version of the device changes, it is recommended that you delete the temporary Internet files of IE before you log in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
3 Configuration Through the Command Line Interface

- The 3Com baseline switch 2900 family can be configured through the command line interface (CLI), web interface, and SNMP/MIB, among which the web interface supports all switch 2900 series configurations. These configuration methods are suitable for different application scenarios. As a supplement to the web interface, the CLI provides some configuration commands to facilitate your operation, which are described in this chapter.
Figure 3-1 Console cable

Step 2: Plug the DB-9 female connector of the console cable into the serial port of the console terminal or PC.
Step 3: Connect the RJ-45 connector of the console cable to the console port of the switch, as shown below.

Figure 3-2 Network diagram for configuration environment setup (console port, console cable, serial port)

Pay attention to the mark on the console port and be sure to plug the connector into the correct port.
information and the use of the HyperTerminal, refer to the HyperTerminal Help documentation in Help and Support Center on the PC running the Windows operating system. In the following configuration procedure, Windows XP HyperTerminal is used to communicate with the switch. 1) Start the PC and run the terminal emulation program.
Figure 3-4 Set the serial port used by the HyperTerminal connection

Step 3: Click OK after selecting a serial port. The following dialog box appears. Set Bits per second to 38400, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None.

Figure 3-5 Set the serial port parameters

Step 4: Click OK after setting the serial port parameters, and the system enters the HyperTerminal window shown below.
Figure 3-6 HyperTerminal window

Step 5: Click Properties in the HyperTerminal window to enter the Switch Properties dialog box. Click the Settings tab, set the emulation to VT100, and then click OK.
Logging In to the CLI

The login process requires a user name and password. The default user name for first-time configuration is admin, and no password is required. User names and passwords are case sensitive.

To log on to the CLI:

Step 1: Press Enter. The Username prompt appears:
  Login authentication
  Username:
Step 2: Enter your user name at the Username prompt.
  Username:admin
Step 3: Press Enter.
Description

Use the initialize command to delete the configuration file to be used at the next startup and reboot the device with the default configuration. Use the command with caution, because it deletes the configuration file to be used at the next startup and restores the factory default settings.

Examples

# Delete the configuration file to be used at the next startup and reboot the device with the default configuration.
password

Syntax
  password

Parameters
  None

Description
  Use the password command to modify the login password of a user.

Examples
  # Modify the login password of user admin.
  password
  Change password for user: admin
  Old password: ***
  Enter new password: **
  Retype password: **
  The password has been successfully changed.

ping

Syntax
  ping host

Parameters
  host: Destination IP address (in dotted decimal notation), URL, or host name (a string of 1 to 20 characters).
  round-trip min/avg/max = 1/41/205 ms

The above information shows that IP address 1.1.2.2 is reachable and that all echo replies were returned from the destination. The minimum, average, and maximum round-trip times are 1 millisecond, 41 milliseconds, and 205 milliseconds respectively.

quit

Syntax
  quit

Parameters
  None

Description
  Use the quit command to log out of the system.

Examples
  # Log out of the system.
- If the main configuration file is corrupted or does not exist, the device cannot be rebooted with the reboot command. In this case, you can specify a new main configuration file to reboot the device, or you can power the device off and then on again, and the system will automatically use the backup configuration file at the next startup.
- If you reboot the device while file operations are being performed, the system does not execute the reboot command, to ensure security.
  Copyright (c) 2004-2009 3Com Corp. and its licensors. All rights reserved.
  3Com Baseline Switch 2928-PWR Plus uptime is 0 week, 0 day, 3 hours, 11 minutes
  3Com Baseline Switch 2928-PWR Plus
  128M bytes DRAM
  128M bytes Nand Flash Memory
  Config Register points to Nand Flash
  Hardware Version is REV.B
  CPLD Version is 001
  Bootrom Version is 112
  [SubSlot 0] 24GE+4SFP+POE
  Hardware Version is REV.
# Download software package main.bin from the TFTP server and use the boot file in the package at the next startup.
  upgrade 192.168.20.41 main.bin runtime

Configuration Example for Upgrading the Host Software Through the CLI

Network requirements

As shown in Figure 3-8, a Switch 2900 series switch is connected to the PC through the console cable, and connected to the gateway through GigabitEthernet 1/0/1. The IP address of the gateway is 192.168.1.
  File downloaded successfully.
  The specified file will be used as the boot file at the next reboot.

# Reboot the switch.
  reboot

After getting the new application file, reboot the switch to have the upgraded application take effect.
1 Configuration Wizard

Overview

The configuration wizard guides you through the basic service setup, including the system name, system location, contact information, and management IP address (the IP address of the VLAN interface).

Basic Service Setup

Entering the Configuration Wizard Homepage

From the navigation tree, select Wizard to enter the configuration wizard homepage, as shown in Figure 1-1.
Figure 1-2 System parameter configuration page

Table 1-1 describes the system parameter configuration items.

Table 1-1 System parameter configuration items
- Sysname: Specify the system name. The system name appears at the top of the navigation tree. You can also set the system name in the System Name page you enter by selecting Device > Basic. For details, refer to Device Basic Information Configuration.
- Specify the physical location of the system.
Configuring Management IP Address

Modifying the management IP address used for the current login tears down the connection to the device. Use the new management IP address to log in to the system again.

A management IP address is the IP address of a VLAN interface, which can be used to access the device. You can also configure a VLAN interface and its IP address in the page you enter by selecting Network > VLAN Interface. For configuration details, refer to VLAN Interface Configuration.
Table 1-2 Management IP address configuration items
- Select VLAN Interface: Select a VLAN interface. Available VLAN interfaces are those configured in the page you enter by selecting Network > VLAN Interface and selecting the Create tab.
- Admin Status: Enable or disable the VLAN interface. When errors occur on the VLAN interface, disable the interface and then enable it again to restore normal operation. By default, the VLAN interface is down if no Ethernet port in the VLAN is up.
Figure 1-4 Configuration finishes The page displays your configurations. Review the configurations and if you want to modify the settings click Back to go back to the page. Click Finish to confirm your settings and the system performs the configurations.
1 IRF

IRF Overview

An Intelligent Resilient Framework (IRF) stack is a set of network devices. Administrators can group multiple network devices into a stack and manage them as a whole. Therefore, stack management can help reduce customer investment and simplify network management.

Introduction to Stack

A stack is a management domain that comprises several network devices connected to one another through stack ports. In a stack, there is a master device and several slave devices.
- The administrator can log in to any slave device from the master device of the stack, and perform various configurations for the slave device.

Configuring an IRF Stack

Configuration Task List

Perform the tasks in Table 1-1 to configure an IRF stack.
Configuring Global Parameters of a Stack

Select IRF from the navigation tree to enter the page shown in Figure 1-2. You can configure global parameters of a stack in the Global Settings area.

Figure 1-2 Set up

Table 1-2 describes the configuration items of global parameters.
Table 1-2 Configuration items of global parameters
- Private Net IP: Configure a private IP address pool for the stack. The master device of a stack must be configured with a private IP address pool so that it can automatically allocate an available IP address to a slave device when the device joins the stack.
Table 1-3 Fields of topology summary
- Member ID: Member ID of the device in the stack. Value 0 indicates that the device is the master device of the stack. A value other than 0 indicates that the device is a slave device, and the value is the member ID of the slave device in the stack.
- Role: Role of the device in the stack: master or slave.

Return to Stack configuration task list.
Figure 1-5 Device summary (a slave device)

Return to Stack configuration task list.

IRF Stack Configuration Example

Network requirements
- As shown in Figure 1-6, Switch A, Switch B, Switch C, and Switch D are connected with one another.
- Create a stack, where Switch A is the master device and Switch B, Switch C, and Switch D are slave devices. An administrator can log in to Switch B, Switch C, and Switch D through Switch A to perform remote configurations.
Figure 1-7 Configure global parameters for the stack on Switch A
- Type 192.168.1.1 in the text box of Private Net IP.
- Type 255.255.255.0 in the text box of Mask.
- Select Enable from the Build Stack drop-down list.
- Click Apply.
Now, Switch A becomes the master device.

# Configure a stack port on Switch A.
- On the page of the Setup tab, perform the following configurations, as shown in Figure 1-8.
Figure 1-8 Configure a stack port on Switch A
- In the Port Settings area, select the check box before GigabitEthernet1/0/1.
- Click Enable.

2) Configure the slave devices

# On Switch B, configure local ports GigabitEthernet 1/0/2 (connecting to Switch A), GigabitEthernet 1/0/1 (connecting to Switch C), and GigabitEthernet 1/0/3 (connecting to Switch D) as stack ports.
Figure 1-9 Configure stack ports on Switch B
- In the Port Settings area, select the check boxes before GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3.
- Click Enable.
Now, Switch B becomes a slave device.

# On Switch C, configure local port GigabitEthernet 1/0/1 (connecting to Switch B) as a stack port.
- Select IRF from the navigation tree of Switch C to enter the page of the Setup tab, and then perform the following configurations, as shown in .
Figure 1-10 Configure a stack port on Switch C
- In the Port Settings area, select the check box before GigabitEthernet1/0/1.
- Click Enable.
Now, Switch C becomes a slave device.

# On Switch D, configure local port GigabitEthernet 1/0/1 (connecting to Switch B) as a stack port.
- Select IRF from the navigation tree of Switch D to enter the page of the Setup tab, and then perform the following configurations, as shown in Figure 1-10.
Now, Switch D becomes a slave device.

3) Verify the configuration

# Display the stack topology on Switch A.
- Select IRF from the navigation tree of Switch A and click the Topology Summary tab.
- You can view the information as shown in Figure 1-11.

Figure 1-11 Verify the configuration

Configuration Guidelines

When configuring an IRF stack, note that:
1) If a device is already configured as the master device of a stack, you are not allowed to modify the private IP address pool on the device.
1 Summary Overview The device summary module helps you understand the system information, port information, power information, and fan information on the device. The system information includes the basic system information, system resources state, and recent system operation logs. Displaying Device Summary Displaying System Information After you log in to the Web interface, the System Information page appears by default, as shown in Figure 1-1.
Basic system information The INFO area on the right of the page displays the basic system information including device name, product information, device location, contact information, serial number, software version, hardware version, BootROM version, and running time. The running time displays how long the device is up since the last boot. You can configure the device location and contact information on the Setup page you enter by selecting Device > SNMP.
Figure 1-2 Device information

Select from the Refresh Period drop-down list:
- If you select a certain period, the system refreshes the information at the specified interval.
- If you select Manual, the system refreshes the information only when you click the Refresh button.
1 Device Basic Information Configuration

Overview

The device basic information feature provides the following functions:
- Set the system name of the device. The configured system name is displayed at the top of the navigation bar.
- Set the idle timeout period for a logged-in user. That is, for security purposes, the system logs an idle user off the Web interface after the configured period.
Figure 1-2 Configuring idle timeout period

Table 1-2 describes the idle timeout period configuration item.

Table 1-2 Idle timeout period configuration item
- Idle timeout: Set the idle timeout period for a logged-in user.
1 System Time Configuration

Overview

The system time module allows you to display and set the device system time on the Web interface. The device supports setting the system time through manual configuration and through automatic synchronization with an NTP server. An administrator cannot keep time synchronized among all the devices in a network by changing the system clock on each device: the workload is too large and clock precision cannot be guaranteed.
Table 1-1 shows the system time configuration items.

Table 1-1 System time configuration items
- Manual: Select to manually configure the system time, including the setting of Year, Month, Day, Hour, Minute, and Second.
- Set the source interface for an NTP message.
Configuration procedure

1) Configure Device A

# Configure the local clock as the reference clock, with a stratum of 2. Enable NTP authentication, set the key ID to 24, and specify the created authentication key aNiceKey as a trusted key. (Configuration omitted.)

2) Configure Switch B

# Configure Device A as the NTP server of Switch B.
- Select System > System Time from the navigation tree and perform the configurations as shown in Figure 1-3.
- A device can act as a server to synchronize the clocks of other devices only after its own clock has been synchronized. If the clock of a server has a stratum level higher than or equal to that of a client's clock, the client will not synchronize its clock to the server's.
- The synchronization process takes a period of time. Therefore, the clock status may be unsynchronized right after your configuration. In this case, you can click Refresh later to view the clock status and system time.
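As an added example (not 3Com code), the following Python models the NTP authentication configured on Device A above (key ID 24, trusted key aNiceKey) together with the stratum rule just stated: the server appends its key ID and MD5(key || header) as in the NTP symmetric-key scheme of RFC 5905, and the client rejects a reply whose MAC does not verify or whose server stratum is not lower than its own. The key table, packet-building helper and stratum value 16 for an unsynchronized clock are assumptions made for the example.

```python
"""NTP symmetric-key authentication plus the stratum rule from this chapter.

Added example, not 3Com code. Key ID 24 and key 'aNiceKey' are the values from
the configuration example above; the 48-byte header layout and the MAC
construction (key ID || MD5(key || header)) follow the NTP symmetric-key scheme
of RFC 5905. The key table and packet-building helper are assumptions.
"""
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
UNSYNCHRONIZED = 16             # stratum of a clock that is not synchronized

# Constructed key table standing in for the switch's trusted-key list.
TRUSTED_KEYS = {24: b"aNiceKey"}


def build_header(stratum, mode=4, version=4, transmit_unix=0.0):
    """Build a 48-byte NTPv4 header (mode 4 = server reply) carrying `stratum`."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    secs = int(transmit_unix) + NTP_EPOCH_OFFSET
    frac = int((transmit_unix - int(transmit_unix)) * (1 << 32))
    return struct.pack(
        "!BBbbII4sQQQII",
        li_vn_mode, stratum, 6, -20,  # poll interval 2^6 s, precision 2^-20 s
        0, 0,                         # root delay, root dispersion
        b"LOCL",                      # reference ID of a local reference clock
        0, 0, 0,                      # reference, origin, receive timestamps
        secs, frac,                   # transmit timestamp
    )


def append_mac(header, key_id):
    """Server side: append key ID and MD5(key || header) to the header."""
    key = TRUSTED_KEYS[key_id]
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet):
    """Client side: accept only a packet whose MAC uses a trusted key and matches."""
    if len(packet) != 48 + 4 + 16:
        return False
    header, key_id_raw, digest = packet[:48], packet[48:52], packet[52:]
    key_id = struct.unpack("!I", key_id_raw)[0]
    key = TRUSTED_KEYS.get(key_id)
    if key is None:
        return False                  # key ID not configured as trusted
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, digest)


def server_stratum(packet):
    """Stratum is the second byte of the header."""
    return packet[1]


def should_sync(client_stratum, server_stratum_value):
    """Rule from the guidelines: a client synchronizes only to a server whose
    stratum is lower (better) than its own."""
    return server_stratum_value < client_stratum


def client_accepts(packet, client_stratum=UNSYNCHRONIZED):
    """Full decision on a server reply: MAC must verify and the stratum rule must hold."""
    return verify_packet(packet) and should_sync(client_stratum, server_stratum(packet))


if __name__ == "__main__":
    reply = append_mac(build_header(stratum=2), 24)
    print("authentic:", verify_packet(reply))
    print("unsynchronized client accepts stratum-2 server:", client_accepts(reply, 16))
    print("stratum-2 client accepts stratum-2 server:", client_accepts(reply, 2))
```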
1 Log Management Overview System logs contain a large amount of network and device information, including running status and configuration changes. System logs are an important way for administrators to know network and device status. With system log information, administrators can take corresponding actions against network problems and security problems. System logs can be stored in the log buffer, or sent to the loghost.
Figure 1-1 Set system logs related parameters

Table 1-2 describes the syslog configuration items.

Table 1-2 Syslog configuration items
- Log Buffer Size: Set the number of logs that can be stored in the log buffer.
- Refresh Period: Set the refresh period of the log information displayed on the Web interface. You can select manual refresh or automatic refresh:
  - Manual: You need to click Refresh to refresh the Web interface when displaying log information.
Figure 1-2 Display syslog

Table 1-3 describes the syslog display items.

Table 1-3 Syslog display items
- Time/Date: Displays the time/date when system logs are generated.
- Source: Displays the module that generates system logs.
- Level: Displays the severity level of system logs. For the detailed description of the severity levels, refer to Table 1-4.
- Digest: Displays the brief description of system logs.
- Description: Displays the contents of system logs.
  Severity level | Description | Value
  Notification | Normal information that needs to be noticed | 5
  Informational | Informational information to be recorded | 6
  Debugging | Information generated during debugging | 7

Note: A smaller value represents a higher severity level.

Return to Log management configuration task list.

Setting Loghost

Select Device > Syslog from the navigation tree, and click the Loghost tab to enter the loghost configuration page, as shown in Figure 1-3.
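The severity ordering of Table 1-4 applied to records laid out as in Table 1-3, as an added Python example that is not part of this guide: it parses constructed sample records, keeps those at or above a chosen severity (smaller value means more severe), and ranks them so an operator sees the most severe first. Levels 0 to 4 use the standard syslog names, which is an assumption because the page reproduces only the last three rows of the table.

```python
"""Filter and rank Web-interface syslog records by severity.

Added example, not 3Com code. Table 1-4 on the page gives Notification=5,
Informational=6 and Debugging=7 and states that a smaller value is a higher
severity; levels 0-4 below use the standard syslog names (an assumption, the
page does not reproduce those rows). The records are constructed samples in
the Time/Date, Source, Level, Digest, Description layout of Table 1-3.
"""
from collections import Counter

SEVERITY = {
    "Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3, "Warning": 4,
    "Notification": 5, "Informational": 6, "Debugging": 7,
}

# Constructed sample records, one per line, fields separated by " | ".
SAMPLE_LOG = """\
2009-08-10 09:58:40 | SHELL | Notification | LOGIN | admin logged in from console
2009-08-10 10:01:12 | SHELL | Informational | CMD | Command "summary" executed
2009-08-10 10:03:05 | IFNET | Warning | LINK_DOWN | GigabitEthernet1/0/3 link status is DOWN
2009-08-10 10:03:07 | SHELL | Error | LOGIN_FAILED | Failed login attempt for user admin
2009-08-10 10:03:40 | NTP | Debugging | POLL | Polling server 192.168.1.10
2009-08-10 10:05:00 | DEV | Critical | POWER | Power supply 1 failed
"""


def parse_records(text):
    """Turn the five-column display layout into dicts with a numeric severity."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps any " | " that appears inside the description
        parts = [p.strip() for p in line.split(" | ", 4)]
        if len(parts) != 5:
            raise ValueError(f"malformed record: {line!r}")
        time_date, source, level, digest, description = parts
        if level not in SEVERITY:
            raise ValueError(f"unknown level {level!r} in {line!r}")
        records.append({"time": time_date, "source": source, "level": level,
                        "value": SEVERITY[level], "digest": digest,
                        "description": description})
    return records


def at_least(records, threshold):
    """Records at severity `threshold` or higher, i.e. numeric value <= threshold."""
    limit = SEVERITY[threshold]
    return [r for r in records if r["value"] <= limit]


def most_severe_first(records):
    """Sort by severity value, then by time for records of equal severity."""
    return sorted(records, key=lambda r: (r["value"], r["time"]))


def count_by_source(records):
    """How many records each module produced, useful for spotting a noisy source."""
    return Counter(r["source"] for r in records)


if __name__ == "__main__":
    for rec in most_severe_first(at_least(parse_records(SAMPLE_LOG), "Warning")):
        print(f"{rec['value']} {rec['level']:<13} {rec['source']:<6} {rec['digest']}")
```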
1 Configuration Management

Back Up Configuration

Configuration backup provides the following functions:
- Open and view the configuration file (.cfg file or .xml file) for the next startup.
- Back up the configuration file (.cfg file or .xml file) for the next startup to the host of the current user.

Select Device > Configuration from the navigation tree to enter the backup configuration page, as shown in Figure 1-1.
Figure 1-2 Configuration restore page
- After you click the upper Browse button in this figure, the file upload dialog box appears. You can select the .cfg file to be uploaded, and then click Apply.
- After you click the lower Browse button in this figure, the file upload dialog box appears. You can select the .xml file to be uploaded, and then click Apply.

Save Configuration

The save configuration module provides the function to save the current configuration to the configuration file (.cfg file or .
Initialize This operation will restore the system to factory defaults, delete the current configuration file, and reboot the device. Select Device > Configuration from the navigation tree, and then click the Initialize tab to enter the initialize confirmation page as shown in Figure 1-4. Figure 1-4 Initialize confirmation dialog box Click the Restore Factory-Default Settings button to restore the system to factory defaults.
1 Device Maintenance Software Upgrade Software upgrade allows you to obtain a target application file from the current host and set the file as the main boot file or backup boot file to be used at the next reboot. A boot file, also known as the system software or device software, is an application file used to boot the device. A main boot file is used to boot a device and a backup boot file is used to boot a device only when the main boot file is unavailable.
Table 1-1 Software upgrade configuration items
File: Specifies the filename of the local application file, which must have the extension .bin.
Filename: Specifies a filename for the file to be saved on the device. The filename must have an extension, which must be the same as that of the source application file.
File Type: Specifies the type of the boot file for the next boot:
  - Main
  - Backup
Specifies whether to overwrite the file with the same name.
- If you select Check configuration with next startup configuration file, the system will check the configuration before rebooting the device. If the check succeeds, the system will reboot the device; if the check fails, a dialog box appears, telling you that the current configuration and the saved configuration are inconsistent, and the device will not be rebooted. In this case, you need to save the current configuration manually before you can reboot the device.
Figure 1-5 The diagnostic information file is created
Click Click to Download, and the File Download dialog box appears. You can select to open this file or save this file to the local host.
- The generation of the diagnostic file will take a period of time. During this process, do not perform any operation on the Web page.
- After the diagnostic file is generated successfully, you can view this file by selecting Device > File Management, or download this file to the local host.
Table of Contents
1 File Management 1-1
  Overview 1-1
  File Management Configuration 1-1
  Displaying File List
1 File Management

Overview

The device saves useful files (such as the host software and configuration file) to the storage device, and the system provides the file management function so that users can manage those files conveniently and effectively.
Download dialog box appears. You can select to open the file or to save the file locally. You can download only one file at a time.

Uploading a File

Select Device > File Management from the navigation tree to enter the file management page, as shown in Figure 1-1. In the Upload File area, select a disk from the Please select disk drop-down list to save the file, type the file path and filename in the File box, or click Browse to select a file.
Table of Contents
1 Port Management Configuration 1-1
  Overview 1-1
  Configuring a Port 1-1
    Setting Operation Parameters for a Port
1 Port Management Configuration

Overview

You can use the port management feature to set and view the operation parameters of a Layer 2 Ethernet port, including but not limited to its state, rate, duplex mode, link type, PVID, MDI mode, flow control settings, MAC learning limit, and storm suppression ratios.
Table 1-1 describes the port configuration items.
Table 1-1 Port configuration items
Port State: Enable or disable the port. Sometimes, after you modify the operation parameters of a port, you need to disable and then enable the port for the modifications to take effect.
Set the transmission rate of the port.
Set the Medium Dependent Interface (MDI) mode of the port. Two types of Ethernet cables can be used to connect Ethernet devices: crossover cable and straight-through cable. To accommodate these two types of cables, an Ethernet port can operate in one of the following three MDI modes: across, normal, and auto. An Ethernet port is composed of eight pins. By default, each pin has its particular role.
Broadcast Suppression: Set broadcast suppression on the port. You can suppress broadcast traffic by percentage or by PPS as follows:
  - ratio: Sets the maximum percentage of broadcast traffic to the total bandwidth of an Ethernet port. When this option is selected, you need to input a percentage in the box below.
  - pps: Sets the maximum number of broadcast packets that can be forwarded on an Ethernet port per second.
Viewing the Operation Parameters of a Port

Select Device > Port Management from the navigation tree. The Summary tab is displayed by default. Select the parameter you want to view by clicking the radio button before it to display the setting of this parameter for all the ports in the lower part of the page, as shown in Figure 1-2.
Figure 1-3 The Details tab

Port Management Configuration Example

Network requirements

As shown in Figure 1-4:
- Server A, Server B, and Server C are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 of the switch respectively. The rates of the network adapters of these servers are all 1000 Mbps.
- The switch connects to the external network through GigabitEthernet 1/0/4, whose rate is 1000 Mbps.
Configuration procedure

# Set the rate of GigabitEthernet 1/0/4 to 1000 Mbps.
- Select Device > Port Management from the navigation tree, click the Setup tab to enter the page shown in Figure 1-5, and make the following configurations:
Figure 1-5 Configure the rate of GigabitEthernet 1/0/4
- Select 100 in the Speed drop-down list.
- Select GigabitEthernet 1/0/4 on the chassis front panel.
- Click Apply to end the operation.
Figure 1-6 Batch configure port rate

# Display the rate settings of ports.
- Click the Summary tab.
- Select the Speed option to display the rate information of all ports in the lower part of the page, as shown in Figure 1-7.
Figure 1-7 Display the rate settings of ports
Table of Contents
1 Port Mirroring Configuration 1-1
  Introduction to Port Mirroring 1-1
    Implementing Port Mirroring 1-1
  Configuring Port Mirroring
1 Port Mirroring Configuration

Introduction to Port Mirroring

Port mirroring copies the packets passing through a port (called a mirroring port) to another port (called the monitor port), which is connected to a monitoring device for packet analysis. You can select to mirror inbound, outbound, or bidirectional traffic on a port as needed.

Implementing Port Mirroring

Port mirroring is implemented through local port mirroring groups.
Perform the tasks described in Table 1-1 to configure local port mirroring:
Table 1-1 Local port mirroring configuration task list
Create a local mirroring group: Required. Refer to section Creating a Mirroring Group for details.
Configure the mirroring ports: Required. Refer to section Configuring Ports for a Mirroring Group for details. During configuration, you need to select the port type Mirror Port. You can configure multiple mirroring ports for a mirroring group.
Table 1-2 Configuration items of creating a mirroring group
Mirroring Group ID: ID of the mirroring group to be created.
Type: Specify the type of the mirroring group to be created:
  - Local: Creates a local mirroring group.
Return to Local port mirroring configuration task list.

Configuring Ports for a Mirroring Group

Select Device > Port Mirroring from the navigation tree and click Modify Port to enter the page for configuring ports for a mirroring group, as shown in Figure 1-3.
Stream Orientation: Set the direction of the traffic monitored by the monitor port of the mirroring group. This configuration item is available when Mirror Port is selected in the Port Type drop-down list.
  - both: Mirrors both received and sent packets on mirroring ports.
  - inbound: Mirrors only packets received by mirroring ports.
  - outbound: Mirrors only packets sent by mirroring ports.
Select port(s): Click the ports to be configured on the chassis front panel.
Figure 1-5 Create a local mirroring group
- Type in mirroring group ID 1.
- Select Local in the Type drop-down list.
- Click Apply.

# Configure the mirroring ports.
Click Modify Port to enter the page for configuring ports for the mirroring group, as shown in Figure 1-6.
- Select 1 – Local in the Mirroring Group ID drop-down list.
- Select Mirror Port in the Port Type drop-down list.
- Select both in the Stream Orientation drop-down list.
- Select GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on the chassis front panel.
- Click Apply. A configuration progress dialog box appears, as shown in Figure 1-7.
Figure 1-7 Configuration progress dialog box
- After the configuration process is complete, click Close.

# Configure the monitor port.
- Click Apply. A configuration progress dialog box appears.
- After the configuration process is complete, click Close in the dialog box.

Configuration Guidelines

Pay attention to the following points during local port mirroring configuration:
- To ensure operation of your device, do not enable STP, MSTP, or RSTP on the monitor port.
- You can configure multiple mirroring ports but only one monitor port for a local mirroring group.
Table of Contents
1 User Management 1-1
  Overview 1-1
  Users 1-1
    Creating a User
1 User Management

Overview

In the user management part, you can:
- Set the username, password, and access level for an FTP or Telnet user.
- Set the super password for switching the current Web user level to the management level.
- Switch the current Web user access level to the management level.

Users

Creating a User

Select Device > Users from the navigation tree, and click the Create tab to enter the page for creating local users, as shown in Figure 1-1.
Table 1-1 Configuration items for creating a user
Username: Set the username for a user.
Access Level: Set the access level for a user. Users of different levels can perform different operations. Web user levels, from low to high, are visitor, monitor, configure, and management.
  - Visitor: Users of visitor level can only use the network diagnostic tools ping and trace route. They can neither access the device data nor configure the device.
Figure 1-2 Super password
Table 1-2 describes the configuration items of specifying a super password.
Table 1-2 Super password configuration items
Create/Remove: Set the operation type:
  - Create: Configure or modify the super password.
  - Remove: Remove the current super password.
Password: Set the password for a user to switch to the management level.
Confirm Password: Input the same password again.
Figure 1-3 Switch to the management level.
Table of Contents
1 Loopback Test Configuration 1-1
  Overview 1-1
  Loopback Operation 1-1
  Configuration Guidelines
1 Loopback Test Configuration

Overview

You can check whether an Ethernet port works normally by performing the Ethernet port loopback test, during which the port cannot forward data packets normally. An Ethernet port loopback test can be an internal loopback test or an external loopback test.
- In an internal loopback test, a self loop is established in the switching chip to check whether there is a chip failure related to the functions of the port.
After selecting a testing type, you need to select a port on which you want to perform the loopback test from the chassis front panel. After that, click Test to start the loopback test, and you can see the test result in the Result text box, as shown in Figure 1-2.
Table of Contents
1 VCT 1-1
  Overview 1-1
  Testing Cable Status 1-1
1 VCT

Overview

- The optical interface of an SFP port does not support this feature.
- A link in the up state goes down and then up automatically if you perform this operation on one of the Ethernet interfaces forming the link.

You can use the Virtual Cable Test (VCT) function to check the status of the cable connected to an Ethernet port on the device. The result is returned in less than 5 seconds.
Table 1-1 Description of the cable test result
Cable status: Status and length of the cable.
  - The status of a cable can be normal, abnormal, abnormal(open), abnormal(short), or failure.
  - When a cable is normal, the cable length displayed is the total length of the cable. When a cable is not normal, the cable length displayed is the length of the cable between the current port and the location where the fault occurs. The error of the length detected is within 5 meters.
Table of Contents
1 Flow Interval Configuration 1-1
  Overview 1-1
  Monitoring Port Traffic Statistics 1-1
    Setting the Traffic Statistics Generating Interval
1 Flow Interval Configuration

Overview

With the flow interval module, you can view the average receiving rate and average sending rate of a port over the specified interval.

Monitoring Port Traffic Statistics

Setting the Traffic Statistics Generating Interval

Select Device > Flow interval from the navigation bar, and click the Interval Configuration tab to enter the page shown in Figure 1-1.
Figure 1-2 Port traffic statistics
Table of Contents
1 Storm Constrain Configuration 1-1
  Overview 1-1
  Configuring Storm Constrain 1-1
    Setting the Traffic Statistics Generating Interval
1 Storm Constrain Configuration

Overview

The storm constrain function limits the traffic of a port to a predefined upper threshold to suppress packet storms on an Ethernet. With this function enabled on a port, the system periodically measures the amount of broadcast traffic, multicast traffic, and unicast traffic reaching the port. When a type of traffic exceeds its threshold, the function, as configured, blocks or shuts down the port and, optionally, sends trap messages and logs.
Figure 1-1 The Storm Constrain tab
- The traffic statistics generating interval set here is the interval used by the storm constrain function for measuring traffic against the traffic thresholds. It is different from the interval set in the flow interval module, which is used for measuring the average traffic sending and receiving rates over a specific interval.
Figure 1-2 Add storm constrain settings for ports
Table 1-1 describes the port storm constrain configuration items.
Table 1-1 Port storm constrain configuration items
Control Mode: Specify the action to be performed when a type of traffic exceeds the corresponding upper threshold. Available options include:
  - None: Perform no action.
  - Block: Block the traffic of this type on the port when the type of traffic exceeds the upper threshold.
Trap: Select or clear the option to enable or disable the system to send trap messages both when an upper threshold is crossed and when the corresponding lower threshold is crossed after that.
Log: Select or clear the option to enable or disable the system to output logs both when an upper threshold is crossed and when the corresponding lower threshold is crossed after that.
Select ports: Select ports from the chassis front panel to apply the storm constrain settings to them.
Table of Contents
1 RMON 1-1
  RMON Overview 1-1
    Working Mechanism 1-1
    RMON Groups
1 RMON

RMON Overview

Remote Monitoring (RMON) lets management devices monitor and manage the managed devices on the network through functions such as statistics and alarms. The statistics function enables a managed device to periodically or continuously track various traffic information on the network segments connected to its ports, such as the total number of received packets or the total number of oversize packets received.
RMON Groups

Among the RMON groups defined by the RMON specification (RFC 2819), the public MIB implemented by the device supports the statistics group, history group, alarm group, and event group.

Statistics group

The statistics group defines that the system collects statistics on various traffic information on an interface (at present, only Ethernet interfaces are supported) and saves the statistics in the Ethernet statistics table (ethernetStatsTable) for convenient querying by the management device.
- Log-Trap: Logging event information in the event log table and sending a trap to the NMS.
- None: No action.

Configuring RMON

Configuration Task List

Configuring the RMON statistics function

The RMON statistics function can be implemented by either the statistics group or the history group, but the objects of the statistics are different. You can choose to configure a statistics group or a history group accordingly.
Configuring the RMON alarm function
- If you need the managed device to send a trap to the NMS when it triggers an alarm event, configure the SNMP agent as described in SNMP Configuration before configuring the RMON alarm function.
Displaying RMON Event Logs: If you have configured the system to log an event after the event is triggered when you configure the event group, the event is recorded in the RMON log. You can perform this task to display the details of the log table.

Configuring a Statistics Entry

Select Device > RMON from the navigation tree to enter the page of the Statistics tab, as shown in Figure 1-1. Click Add to enter the page for adding a statistics entry, as shown in Figure 1-2.
Configuring a History Entry

Select Device > RMON from the navigation tree and click the History tab to enter the page, as shown in Figure 1-3. Click Add to enter the page for adding a history entry, as shown in Figure 1-4.
Figure 1-3 History entry
Figure 1-4 Add a history entry
Table 1-6 describes the items for configuring a history entry.
Table 1-6 History entry configuration items
Interface Name: Select the name of the interface on which the history entry is created.
Configuring an Event Entry

Select Device > RMON from the navigation tree and click the Event tab to enter the page, as shown in Figure 1-5. Click Add to enter the page for adding an event entry, as shown in Figure 1-6.
Figure 1-5 Event entry
Figure 1-6 Add an event entry
Table 1-7 describes the items for configuring an event entry.
Table 1-7 Event entry configuration items
Description: Set the description for the event.
Owner: Set the owner of the entry.
Figure 1-7 Alarm entry
Figure 1-8 Add an alarm entry
Table 1-8 describes the items for configuring an alarm entry.
Table 1-8 Alarm entry configuration items
Alarm variable:
  Statics Item: Set the traffic statistics that will be collected and monitored; see Table 1-9 for details.
  Interface Name: Set the name of the interface whose traffic statistics will be collected and monitored.
Sample Item:
  Interval: Set the sampling interval.
  Sample Type: Set the sampling type, including:
    - Absolute: Absolute sampling, namely, to obtain the value of the variable when the sampling time is reached.
    - Delta: Delta sampling, namely, to obtain the variation of the variable during the sampling interval when the sampling time is reached.
Owner: Set the owner of the alarm entry.
Select whether to create a default event.
Figure 1-9 RMON statistics information
Table 1-9 describes the fields of RMON statistics.
Table 1-9 Fields of RMON statistics
Number of Received Bytes: Total number of octets received by the interface, corresponding to the MIB node etherStatsOctets.
Number of Received Packets: Total number of packets received by the interface, corresponding to the MIB node etherStatsPkts.
Number of Received Packets Smaller Than 64 Bytes: Total number of undersize packets (shorter than 64 octets) received by the interface, corresponding to the MIB node etherStatsUndersizePkts.
Number of Received Packets Larger Than 1518 Bytes: Total number of oversize packets (longer than 1518 octets) received by the interface, corresponding to the MIB node etherStatsOversizePkts.
Figure 1-10 RMON history sampling information
Table 1-10 describes the fields of RMON history sampling information.
Table 1-10 Fields of RMON history sampling information
NO: Number of the entry in the system buffer. Statistics are numbered chronologically when they are saved to the system buffer.
Time: Time at which the information is saved.
DropEvents: Dropped packets during the sampling period, corresponding to the MIB node etherHistoryDropEvents.
Displaying RMON Event Logs

Select Device > RMON from the navigation tree and click the Log tab to enter the page, as shown in Figure 1-11, which displays log information for all event entries.
Figure 1-11 Log
Return to Display RMON running status.

RMON Configuration Example

Network requirements

As shown in Figure 1-12, Agent is connected to a remote NMS across the Internet.
Figure 1-13 Add a statistics entry
- Select GigabitEthernet1/0/1 from the Interface Name drop-down box.
- Type user1-rmon in the text box of Owner.
- Click Apply.

# Display RMON statistics for interface Ethernet 1/0/1.
- Click the icon corresponding to GigabitEthernet 1/0/1. You can view the information as shown in Figure 1-14.
Figure 1-14 Display RMON statistics

# Create an event to start logging after the event is triggered.
- Click the Event tab, click Add, and then perform the following configurations, as shown in Figure 1-15.
- Type 1-rmon in the text box of Owner.
- Select the check box before Log.
- Click Apply.
- The page goes to the page displaying the event entry, and you can see that the entry index of the new event is 1, as shown in Figure 1-16.
Figure 1-16 Display the index of an event entry

# Configure an alarm group to sample received bytes on Ethernet 1/0/1. When the received bytes exceed the rising or falling threshold, logging is enabled.
- Select Number of Received Bytes from the Statics Item drop-down box.
- Select GigabitEthernet1/0/1 from the Interface Name drop-down box.
- Type 10 in the text box of Interval.
- Select Delta from the Sample Type drop-down box.
- Type 1-rmon in the text box of Owner.
- Type 1000 in the text box of Rising Threshold.
- Select 1 from the Rising Event drop-down box.
- Type 100 in the text box of Falling Threshold.
- Select 1 from the Falling Event drop-down box.
- Click Apply.
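Added example, not from the 3Com manual: the alarm evaluation that the Sample Type and Rising/Falling Threshold items describe, modelled on the RFC 2819 alarm group and replayed with the values of the alarm configured above (delta sampling, interval 10, rising threshold 1000, falling threshold 100, event 1 set to Log). The series of etherStatsOctets readings is constructed; the rule that no second rising alarm fires until the falling threshold is crossed (and vice versa) is taken from RFC 2819, and treating the first delta reading as priming the counter is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AlarmEvent:
    """One alarm firing: which threshold was crossed, the event index, the sample value."""
    kind: str        # "rising" or "falling"
    event: int       # index into the RMON event table
    value: int       # the sampled value that crossed the threshold


@dataclass
class RmonAlarm:
    """One RMON alarm table entry (RFC 2819 alarmTable), as filled in on the Alarm tab."""
    variable: str            # monitored statistic, e.g. etherStatsOctets of an interface
    interval: int            # sampling interval in seconds
    sample_type: str         # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int        # event index to fire on a rising crossing
    falling_event: int       # event index to fire on a falling crossing
    startup: str = "risingOrFalling"    # RFC 2819 alarmStartupAlarm: rising, falling or both
    last_reading: Optional[int] = None  # previous raw counter value (delta sampling only)
    last_sample: Optional[int] = None   # previous sampled value compared to the thresholds
    rising_armed: bool = True           # cleared after a rising alarm, re-armed by a falling alarm
    falling_armed: bool = True          # cleared after a falling alarm, re-armed by a rising alarm

    def sample(self, reading: int) -> Optional[AlarmEvent]:
        """Feed one reading of the monitored variable taken one interval after the
        previous one. Returns the alarm event fired by this sample, or None."""
        if self.sample_type == "delta":
            # Delta sampling compares the growth over the interval, so the first
            # reading only primes the counter (assumption of this example).
            if self.last_reading is None:
                self.last_reading = reading
                return None
            value = reading - self.last_reading
            self.last_reading = reading
        else:
            value = reading

        first = self.last_sample is None
        fired: Optional[AlarmEvent] = None
        # Rising alarm: value >= rising threshold, the previous sample was below it
        # (or this is the first sample and the startup setting allows a rising alarm),
        # and no rising alarm has fired since the last falling alarm.
        if (value >= self.rising_threshold and self.rising_armed and
                ((first and self.startup in ("rising", "risingOrFalling")) or
                 (not first and self.last_sample < self.rising_threshold))):
            fired = AlarmEvent("rising", self.rising_event, value)
            self.rising_armed, self.falling_armed = False, True
        # Falling alarm: the mirror image of the rising case.
        elif (value <= self.falling_threshold and self.falling_armed and
                ((first and self.startup in ("falling", "risingOrFalling")) or
                 (not first and self.last_sample > self.falling_threshold))):
            fired = AlarmEvent("falling", self.falling_event, value)
            self.falling_armed, self.rising_armed = False, True
        self.last_sample = value
        return fired


def run_alarm(alarm: RmonAlarm, readings: List[int], events: Dict[int, str]) -> List[str]:
    """Replay counter readings through the alarm; `events` maps an event index to its
    action (log, trap, log-trap or none, as on the Event tab). Returns the RMON log
    lines that the Log tab would show; trap-only events produce no log line."""
    log: List[str] = []
    for n, reading in enumerate(readings):
        ev = alarm.sample(reading)
        if ev is None:
            continue
        action = events.get(ev.event, "none")
        if action in ("log", "log-trap"):
            log.append(f"t={n * alarm.interval}s event {ev.event}: {ev.kind} alarm on "
                       f"{alarm.variable}, sample {ev.value} "
                       f"(rising {alarm.rising_threshold}, falling {alarm.falling_threshold})")
    return log


# Alarm entry from the configuration example above, and a constructed series of
# etherStatsOctets readings for GigabitEthernet1/0/1 taken every 10 seconds.
EXAMPLE_ALARM = dict(variable="etherStatsOctets(GigabitEthernet1/0/1)", interval=10,
                     sample_type="delta", rising_threshold=1000, falling_threshold=100,
                     rising_event=1, falling_event=1)
EXAMPLE_EVENTS = {1: "log"}                          # event index 1 was created with Log selected
EXAMPLE_READINGS = [0, 500, 2000, 2100, 2150, 3500]  # deltas: 500, 1500, 100, 50, 1350

if __name__ == "__main__":
    for line in run_alarm(RmonAlarm(**EXAMPLE_ALARM), EXAMPLE_READINGS, EXAMPLE_EVENTS):
        print(line)
```

The same rising-then-falling pattern is what the Trap and Log items of the storm constrain function describe: one notification when the upper threshold is crossed and one when the lower threshold is crossed after that.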
Table of Contents
1 Energy Saving Configuration 1-1
  Overview 1-1
  Configuring Energy Saving on a Port 1-1
1 Energy Saving Configuration

Overview

Energy saving allows you to configure a port to work at the lowest transmission speed, disable PoE, or go down during a specified time range on certain days of a week. The port resumes working normally when the effective time period ends.

Configuring Energy Saving on a Port

Select Device > Energy Saving from the navigation tree to enter the energy saving configuration page, as shown in Figure 1-1.
Lowest Speed: Set the port to transmit data at the lowest speed. If you configure the lowest speed limit on a port that does not support 10 Mbps, the configuration cannot take effect.
Shutdown: Shut down the port. An energy saving policy can have all three energy saving schemes configured, of which the shutdown scheme takes the highest priority.
Table of Contents
1 SNMP 1-1
  SNMP Overview 1-1
    SNMP Mechanism 1-1
    SNMP Protocol Version
1 SNMP

SNMP Overview

Simple Network Management Protocol (SNMP) defines the communication rules between a management device and the managed devices on the network: a series of messages, methods, and syntaxes that implement access to and management of the managed devices from the management device. SNMP has the following characteristics:
- Automatic network management.
InformRequest; it supports more data types such as Counter64; and it provides various error codes, thus being able to distinguish errors in more detail. SNMPv3 offers authentication implemented with the User-Based Security Model (USM).
- You can set the authentication and privacy functions.
Subtree mask

A subtree OID used with a subtree mask defines a view subtree. A subtree mask is in hexadecimal format. After it is converted to binary bits, each bit corresponds to one node of the subtree OID.
- 1 means precise matching, that is, the corresponding node of the OID of the MIB object to be accessed must be identical to that node of the subtree OID.
- 0 means wildcard matching, that is, the corresponding node of the OID of the MIB object to be accessed can differ from that node of the subtree OID.
Configuring an SNMP Community: Required.
Configuring SNMP Trap Function: Optional. Allows you to configure that the agent can send SNMP traps to the NMS, and configure information about the target host of the SNMP traps. By default, an agent is allowed to send SNMP traps to the NMS.

Configuring SNMPv3

Perform the tasks in Table 1-2 to configure SNMPv3:
Table 1-2 SNMPv3 configuration task list
Enabling SNMP: Required. The SNMP agent function is disabled by default.
Figure 1-4 Set up
Table 1-3 describes the configuration items for enabling SNMP.
Table 1-3 Configuration items for enabling SNMP
SNMP: Specify to enable or disable SNMP.
Local Engine ID: Configure the local engine ID. The validity of a user after it is created depends on the engine ID of the SNMP agent. If the engine ID when the user is created is not identical to the current engine ID, the user is invalid.
Maximum Packet Size
Contact
Figure 1-5 View page

Creating an SNMP view

Click Add, and the window appears as shown in Figure 1-6. Type the view name and click Apply, and then you enter the page as shown in Figure 1-7.
Figure 1-6 Create an SNMP view (1)
Figure 1-7 Create an SNMP view (2)
Table 1-4 describes the configuration items for creating an SNMP view. After configuring the parameters of a rule, click Add to add the rule to the list box at the lower part of the page. After configuring all rules, click Apply to create the SNMP view.
Table 1-4 Configuration items for creating an SNMP view
View Name: Set the SNMP view name.
Rule: Select to exclude or include the objects in the view range determined by the MIB subtree OID and subtree mask.
MIB Subtree OID: Set the MIB subtree OID (such as 1.4.5.3.1) or name (such as system). The MIB subtree OID identifies the position of a node in the MIB tree, and it can uniquely identify a MIB subtree.
Set the subtree mask.
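Added example, not from the 3Com manual: the subtree OID and subtree mask matching described in the Subtree mask section, assembled into a view of include and exclude rules like those of the View tab, so that you can check which MIB objects a view actually exposes before assigning it to a group. The name-to-OID table is constructed; the padding of a short mask with 1 bits and the choice of the longest (then lexicographically greatest) matching subtree when several rules match follow the VACM definitions in RFC 3415 and are assumptions about this switch, not statements from the manual.

```python
from typing import List, Optional, Tuple

# Names accepted in place of a numeric subtree OID (constructed table; the manual
# mentions "system" and "interfaces", the OIDs are the standard MIB-2 ones).
OID_NAMES = {
    "system": "1.3.6.1.2.1.1",
    "interfaces": "1.3.6.1.2.1.2",
    "ifTable": "1.3.6.1.2.1.2.2",
}


def parse_oid(oid: str) -> List[int]:
    """Turn '1.3.6.1.2.1.2', '.1.3.6.1.2.1.2' or a known name into sub-identifiers."""
    oid = OID_NAMES.get(oid, oid)
    return [int(part) for part in oid.strip(".").split(".") if part]


def mask_bits(hex_mask: str, length: int) -> List[bool]:
    """Expand a hexadecimal subtree mask into one bit per node of the subtree OID,
    most significant bit first. True = precise match, False = wildcard.
    A mask shorter than the OID is padded with 1 bits (RFC 3415 convention), so an
    empty mask means every node must match."""
    hex_mask = hex_mask.strip().lower()
    if hex_mask.startswith("0x"):
        hex_mask = hex_mask[2:]
    bits: List[bool] = []
    for ch in hex_mask:
        nibble = int(ch, 16)
        bits.extend(bool((nibble >> shift) & 1) for shift in (3, 2, 1, 0))
    bits = bits[:length]
    return bits + [True] * (length - len(bits))


def subtree_matches(target: List[int], subtree: List[int], bits: List[bool]) -> bool:
    """An OID is in the subtree if it is at least as long as the subtree OID and
    every node under a 1 bit is identical to the subtree's node."""
    if len(target) < len(subtree):
        return False
    return all(not precise or t == s for t, s, precise in zip(target, subtree, bits))


class SnmpView:
    """An SNMP view made of include/exclude rules, each a (subtree OID, mask) pair."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Tuple[List[int], List[bool], bool]] = []

    def add_rule(self, subtree_oid: str, hex_mask: str = "", included: bool = True) -> None:
        subtree = parse_oid(subtree_oid)
        self.rules.append((subtree, mask_bits(hex_mask, len(subtree)), included))

    def permits(self, target_oid: str) -> bool:
        """True if target_oid is visible through the view. Of all rules whose subtree
        matches, the longest subtree (then the lexicographically greatest) decides,
        so a more specific exclude or include overrides a broader one; with no
        matching rule the object is outside the view."""
        target = parse_oid(target_oid)
        best: Optional[Tuple[List[int], bool]] = None
        for subtree, bits, included in self.rules:
            if not subtree_matches(target, subtree, bits):
                continue
            if best is None or (len(subtree), subtree) > (len(best[0]), best[0]):
                best = (subtree, included)
        return best is not None and best[1]


def build_example_view() -> SnmpView:
    """Constructed view: the whole interfaces subtree, minus ifTable, except the
    ifEntry row of interface index 3. The row rule uses subtree 1.3.6.1.2.1.2.2.1.0.3
    with mask FFA0: bits 1111 1111 101, so every node is precise except the 10th
    (the column), and any column of the row with index 3 matches."""
    view = SnmpView("view1")
    view.add_rule("interfaces", included=True)
    view.add_rule("ifTable", included=False)
    view.add_rule("1.3.6.1.2.1.2.2.1.0.3", hex_mask="FFA0", included=True)
    return view


if __name__ == "__main__":
    view = build_example_view()
    for oid in ("1.3.6.1.2.1.2.1.0", "1.3.6.1.2.1.2.2.1.2.3",
                "1.3.6.1.2.1.2.2.1.2.4", "1.3.6.1.2.1.1.5.0"):
        print(oid, "included" if view.permits(oid) else "excluded")
```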
Figure 1-9 Configure an SNMP community
Figure 1-10 Create an SNMP Community
Table 1-5 describes the configuration items for configuring an SNMP community.
Table 1-5 Configuration items for configuring an SNMP community
Community Name: Set the SNMP community name.
Figure 1-11 SNMP group
Figure 1-12 Create an SNMP group
Table 1-6 describes the configuration items for creating an SNMP group.
Table 1-6 Configuration items for creating an SNMP group
Group Name: Set the SNMP group name.
Security Level: Select the security level for the SNMP group. The available security levels are:
  - NoAuth/NoPriv: No authentication, no privacy.
  - Auth/NoPriv: Authentication without privacy.
  - Auth/Priv: Authentication and privacy.
ACL: Associate a basic ACL with the group to restrict the source IP address of SNMP packets, that is, you can allow or prohibit SNMP packets with a specific source IP address, so as to restrict communication between the NMS and the agent.
Return to SNMPv3 configuration task list.

Configuring an SNMP User

Select Device > SNMP from the navigation tree, then click the User tab to enter the page as shown in Figure 1-13.
Table 1-7 Configuration items for creating an SNMP user
User Name: Set the SNMP user name.
Security Level: Select the security level for the SNMP group. The available security levels are:
  - NoAuth/NoPriv: No authentication, no privacy.
  - Auth/NoPriv: Authentication without privacy.
  - Auth/Priv: Authentication and privacy.
Select an SNMP group to which the user belongs.
Figure 1-15 Traps configuration
Figure 1-16 Add a target host of SNMP traps
Table 1-8 describes the configuration items for adding a target host of SNMP traps.
Table 1-8 Configuration items for adding a target host
Destination IP Address: Set the destination IP address. Select the IP address type, IPv4 or IPv6, and then type the corresponding IP address in the text box according to the IP address type.
Return to SNMPv1 or SNMPv2c configuration task list or SNMPv3 configuration task list.

SNMP Configuration Example

Network requirements
- As shown in Figure 1-17, the NMS connects to the agent, Switch, through an Ethernet.
- The IP address of the NMS is 1.1.1.2/24.
- The IP address of the VLAN interface on Switch is 1.1.1.1/24.
- The NMS monitors the agent using SNMPv3. The agent reports errors or faults to the NMS. The NMS uses port 5000 to receive traps.
Figure 1-19 Create an SNMP view (1)
- Type view1 in the text box.
- Click Apply to enter the SNMP rule configuration page, as shown in Figure 1-20.
Figure 1-20 Create an SNMP view (2)
- Select the Included radio box.
- Type the MIB subtree OID interfaces.
- Click Add.
- Click Apply. A configuration progress dialog box appears, as shown in Figure 1-21.
Figure 1-21 Configuration progress dialog box
- After the configuration process is complete, click Close.
# Configure an SNMP group.
- Click the Group tab and then click Add to enter the page as shown in Figure 1-22.
Figure 1-22 Create an SNMP group
- Type group1 in the text box of Group Name.
- Select view1 from the Read View drop-down box.
- Select view1 from the Write View drop-down box.
- Click Apply.
# Configure an SNMP user.
- Click the User tab and then click Add to enter the page as shown in Figure 1-23.
Figure 1-23 Create an SNMP user
- Type user1 in the text box of User Name.
- Click the Trap tab and enter the page as shown in Figure 1-24.
Figure 1-24 Enable the agent to send SNMP traps
- Select the Enable SNMP Trap check box.
- Click Apply.
# Add target hosts of SNMP traps.
- Click Add to enter the page as shown in Figure 1-25.
Figure 1-25 Add target hosts of SNMP traps
- Select the destination IP address type as IPv4.
- Type the destination address 1.1.1.2.
- Type the user name user1.
- Type the UDP port 5000.
The configuration on the NMS must be consistent with that on the agent. Otherwise, you cannot perform the corresponding operations. SNMPv3 adopts a security mechanism of authentication and privacy. You need to configure the username and the security level. According to the configured security level, you need to configure the related authentication mode, authentication password, privacy mode, privacy password, and so on. Besides, you need to configure the aging time and retry times.
1 Interface Statistics
Overview
The interface statistics module displays statistics information about the packets received and sent through interfaces.
Displaying Interface Statistics
Select Device > Interface Statistics from the navigation tree to enter the interface statistics display page, as shown in Figure 1-1.
Figure 1-1 Interface statistics display page
Table 1-1 describes the details about the interface statistics.
Field: OutUcastPkts
  Description: Number of unicast packets sent through the interface.
Field: OutNUcastPkts
  Description: Number of non-unicast packets sent through the interface.
Field: OutDiscards
  Description: Number of valid packets discarded in the outbound direction.
Field: OutErrors
  Description: Number of invalid packets sent through the interface.
1 VLAN Configuration
Overview
Introduction to VLAN
Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on an Ethernet. To address the issue, virtual LAN (VLAN) was introduced. The idea is to break a LAN down into separate VLANs, that is, Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN.
The format of VLAN-tagged frames is defined in IEEE 802.1Q-1999. In the header of a traditional Ethernet data frame as shown in Figure 1-2, the field after the destination MAC address and the source MAC address fields (DA&SA in the figure) is the Type field indicating the upper layer protocol type.
Figure 1-2 The format of a traditional Ethernet frame
IEEE 802.1Q inserts a four-byte VLAN tag before the Type field, as shown in Figure 1-3.
Because the Web interface is available only for port-based VLANs, this chapter introduces only port-based VLANs.
Introduction to Port-Based VLAN
Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
Port link type
Depending on the tag handling mode, the link type of a port can be one of the following three:
- Access. An access port belongs to only one VLAN and usually connects to a user device.
- Trunk.
Configuring a VLAN
Configuration Task List
Use one of the following two approaches, or combine them, to configure a VLAN:
- Approach I: modify a VLAN, as shown in Table 1-1.
- Approach II: modify a port, as shown in Table 1-2.
Figure 1-4 The Create tab
Table 1-3 describes the configuration items of creating a VLAN.
Table 1-3 Configuration items of creating VLANs
Item: VLAN IDs
  Description: IDs of the VLANs to be created.
Item: Modify the description of the selected VLAN - ID
  Description: Select the ID of the VLAN whose description string is to be modified. Click the ID of the VLAN to be modified in the list in the middle of the page.
Item: Modify the description of the selected VLAN - Description
  Description: Set the description string of the selected VLAN.
Figure 1-5 The Select VLAN tab
Table 1-4 describes the configuration items of selecting VLANs.
Table 1-4 Configuration items of selecting VLANs
Item: Display all VLANs / Display a subnet of all configured VLANs
  Description: Select one of the two radio buttons:
  - Display all VLANs: displays all configured VLANs.
  - Display a subnet of all configured VLANs: type the VLAN ID(s) to be displayed.
Return to VLAN configuration task list (approach I).
Figure 1-6 The Modify VLAN tab
Table 1-5 describes the configuration items of modifying a VLAN.
Table 1-5 Configuration items of modifying a VLAN
Item: Please select a VLAN to modify
  Description: Select the VLAN to be modified. Select a VLAN in the drop-down list. The VLANs available for selection are created first and then selected on the page for selecting VLANs.
Modify the description string of the selected VLAN.
Modifying Ports
Select Network > VLAN from the navigation tree and click Modify Port to enter the page for modifying ports, as shown in Figure 1-7.
Figure 1-7 The Modify Port tab
Table 1-6 describes the configuration items of modifying ports.
Table 1-6 Configuration items of modifying ports
Item: Select Ports
  Description: Select the ports to be modified. Click the ports to be modified on the chassis front panel. You can select one or more ports.
Item: Select membership type
Item: Link Type
  Description: Set the link type of the selected ports, which can be access, hybrid, or trunk. This item is available when the Link Type option is selected in the Select membership type area.
Item: PVID / Delete
  Description: Set the PVID of the selected ports; selecting Delete restores the default VLAN, VLAN 1, of the ports. This item is available when the PVID option is selected in the Select membership type area.
Return to VLAN configuration task list (approach II).
Figure 1-9 Configure GigabitEthernet 1/0/1 as a trunk port and its PVID as 100
- Select Trunk in the Link Type drop-down list.
- Select the PVID check box, and then type in PVID 100.
- Select GigabitEthernet 1/0/1 on the chassis front device panel.
- Click Apply.
# Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100.
Select Network > VLAN from the navigation tree and click Create to enter the page for creating VLANs, as shown in Figure 1-10.
Figure 1-10 Create VLAN 2, VLAN 6 through VLAN 50, and VLAN 100
- Type in VLAN IDs 2, 6-50, 100.
- Click Apply.
# Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member.
Click Select VLAN to enter the page for selecting VLANs, as shown in Figure 1-11.
Figure 1-11 Set a VLAN range
- Select the radio button before Display a subnet of all configured VLANs and type 1-100 in the text box.
- Click Select.
Click Modify VLAN to enter the page for modifying the ports in a VLAN, as shown in Figure 1-12.
Figure 1-12 Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member
- Select 100 – VLAN 0100 in the Please select a VLAN to modify: drop-down list.
- Select the Untagged radio button.
- Select GigabitEthernet 1/0/1 on the chassis front device panel.
- Click Apply. A configuration progress dialog box appears, as shown in Figure 1-13.
Click Modify Port to enter the page for modifying the VLANs to which a port belongs, as shown in Figure 1-14.
Figure 1-14 Assign GigabitEthernet 1/0/1 to VLAN 2, and VLAN 6 through VLAN 50 as a tagged member
- Select GigabitEthernet 1/0/1 on the chassis front device panel.
- Select the Tagged radio button.
- Type in VLAN IDs 2, 6-50.
- Click Apply. A configuration progress dialog box appears.
- After the configuration process is complete, click Close in the dialog box.
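As an added example that is not from the 3Com guide, the following Python parses the four-byte 802.1Q tag described in the overview and models how GigabitEthernet 1/0/1, configured as in the steps above, classifies inbound frames. The frame contents, MAC addresses and the TrunkPort model are constructed for illustration, not taken from the switch.

```python
"""Added example (not from the 3Com guide): parse the 4-byte IEEE 802.1Q tag that
sits before the Type field, and model how a trunk port with the chapter's example
configuration (GigabitEthernet 1/0/1: trunk, PVID 100, untagged member of VLAN 100,
tagged member of VLANs 2 and 6-50) classifies inbound frames. Frames are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set

TPID_8021Q = 0x8100  # Tag Protocol Identifier announcing a VLAN tag in the Type position


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None when the frame carries no 802.1Q tag
    pcp: int             # 802.1p priority bits (0 for an untagged frame)
    ethertype: int       # the real upper-layer Type field, after any tag
    payload: bytes


def parse_vlan_id_list(spec: str) -> Set[int]:
    """Expand a VLAN ID list as typed into the Web interface, e.g. "2, 6-50, 100"."""
    vids: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"VLAN ID out of range: {part}")
        vids.update(range(lo_i, hi_i + 1))
    return vids


def parse_frame(raw: bytes) -> Frame:
    """Split DA, SA, the optional 802.1Q tag and the Type field out of a raw frame."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6].hex("-", 2), raw[6:12].hex("-", 2)   # xxxx-xxxx-xxxx notation
    ethertype = struct.unpack("!H", raw[12:14])[0]
    vid, pcp, offset = None, 0, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", raw[14:16])[0]       # Tag Control Information
        pcp, vid = tci >> 13, tci & 0x0FFF             # 3-bit priority, 12-bit VLAN ID
        ethertype, offset = struct.unpack("!H", raw[16:18])[0], 18
    return Frame(dst, src, vid, pcp, ethertype, raw[offset:])


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a test frame, inserting a VLAN tag before the Type field if vid is given."""
    raw = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    if vid is not None:
        raw += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return raw + struct.pack("!H", ethertype) + payload


@dataclass
class TrunkPort:
    """Port-based VLAN membership of one trunk port (a model, not the switch's code)."""
    name: str
    pvid: int
    tagged: Set[int]
    untagged: Set[int]

    def classify_ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the frame is switched in, or None if the port is not a member and drops it."""
        if frame.vid is None or frame.vid == 0:    # untagged or priority-tagged: use the PVID
            return self.pvid
        if frame.vid in self.tagged or frame.vid in self.untagged:
            return frame.vid
        return None


# The chapter's example port after the configuration steps above.
GE1_0_1 = TrunkPort("GigabitEthernet1/0/1", pvid=100,
                    tagged=parse_vlan_id_list("2, 6-50"),
                    untagged=parse_vlan_id_list("100"))

# Constructed sample frames (addresses and payloads are made up for the example).
SAMPLE_FRAMES: Dict[str, bytes] = {
    "untagged":   build_frame("0011-2200-0001", "00e0-fc35-dc71", 0x0800, b"ip"),
    "vlan6_pcp5": build_frame("0011-2200-0001", "00e0-fc35-dc71", 0x0800, b"ip", vid=6, pcp=5),
    "vlan100":    build_frame("0011-2200-0001", "00e0-fc35-dc71", 0x0806, b"arp", vid=100),
    "vlan3":      build_frame("0011-2200-0001", "00e0-fc35-dc71", 0x0800, b"ip", vid=3),
}


def classify_samples(port: TrunkPort = GE1_0_1) -> Dict[str, Optional[int]]:
    """Run every sample frame through the port; None means the frame was dropped."""
    return {label: port.classify_ingress(parse_frame(raw)) for label, raw in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, vlan in classify_samples().items():
        print(f"{label:>11}: {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

VLAN 3 is dropped because the port was made a tagged member of 2 and 6-50 only, which is exactly the kind of gap a membership review on a trunk should catch.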
1 VLAN Interface Configuration
Overview
For details about VLAN, refer to VLAN Configuration. For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, VLAN interfaces are used. VLAN interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface.
Figure 1-1 The Create tab
Table 1-2 describes the configuration items of creating a VLAN interface.
Table 1-2 Configuration items of creating a VLAN interface
Item: Input a VLAN ID:
  Description: Input the ID of the VLAN interface to be created. Before creating a VLAN interface, make sure that the corresponding VLAN exists.
Item: Configure Primary IPv4 Address (DHCP / BOOTP / Manual)
  Description: Configure the way in which the VLAN interface gets an IPv4 address.
Modifying a VLAN Interface
- After you modify the IPv4 address for a selected VLAN interface on the page for modifying VLAN interfaces, you need to click the correct Apply button to submit the modification.
- After you change the IP address of the VLAN interface you are using to log in to the device, you will be disconnected from the device. You can use the changed IP address to log in again.
Item: DHCP / BOOTP / Manual
  Description: Configure the way in which the VLAN interface gets an IPv4 address. Allow the VLAN interface to automatically obtain an IP address by selecting the DHCP or BOOTP option, or manually assign the VLAN interface an IP address by selecting the Manual option.
Select Up or Down in the Admin Status drop-down list to bring up or shut down the selected VLAN interface.
1 Voice VLAN Configuration
Overview
A voice VLAN is dedicated to voice traffic. After assigning the ports connecting to voice devices to a voice VLAN, you can configure quality of service (QoS) parameters for the voice traffic, thus improving transmission priority and ensuring voice quality. A device determines whether a received packet is a voice packet by checking its source MAC address.
When untagged packets are received from an IP phone:
- In automatic mode, the system matches the source MAC addresses in the untagged packets sent by the IP phone upon its power-on against the OUI list. If a match is found, the system automatically assigns the receiving port to a voice VLAN, issues ACL rules and configures the packet precedence. You can configure an aging timer for the voice VLAN.
- If an IP phone sends tagged voice traffic and its access port is configured with 802.1X authentication and a guest VLAN, you must assign different VLAN IDs to the voice VLAN, the default VLAN of the access port, and the 802.1X guest VLAN for the functions to operate normally.
- If an IP phone sends untagged voice traffic, to deliver the voice VLAN function, you must configure the default VLAN of the access port as the voice VLAN. In this case, the 802.1X authentication function cannot take effect.
Voice VLAN working mode: Normal mode
  Packet type: untagged packets; packets carrying the voice VLAN tag; packets carrying other tags
  Packet processing mode: The port does not check the source MAC addresses of inbound packets. All types of packets can be transmitted in the voice VLAN.
Table 1-5 Configuration task list for a port in manual voice VLAN assignment mode
Task: Configuring Voice VLAN Globally
  Remarks: Optional. Configure the voice VLAN to operate in security mode and configure the aging timer.
Task: Assigning the port to the voice VLAN
  Remarks: Required. Note that after an access port is assigned to the voice VLAN, the voice VLAN automatically becomes the default VLAN of the access port. For details, refer to VLAN Configuration.
Item: Voice VLAN aging time
  Description: Set the voice VLAN aging timer. The voice VLAN aging timer setting only applies to a port in automatic voice VLAN assignment mode. The voice VLAN aging timer starts as soon as the port is assigned to the voice VLAN. If no voice packet has been received before the timer expires, the port is removed from the voice VLAN.
Return to Configuring voice VLAN on a port in automatic voice VLAN assignment mode.
Item: Select Ports
  Description: Select the port on the chassis front panel. You can select multiple ports to configure them in bulk. The numbers of the selected ports will be displayed in the Ports selected for voice VLAN text box. To set the voice VLAN assignment mode of a port to automatic, you must ensure that the link type of the port is trunk or hybrid, and that the port does not belong to the voice VLAN.
Return to Configuring voice VLAN on a port in automatic voice VLAN assignment mode.
Item: Description
  Description: Set the description of the OUI address entry.
Return to Configuring voice VLAN on a port in automatic voice VLAN assignment mode.
Return to Configuring voice VLAN on a port working in manual voice VLAN assignment mode.

Voice VLAN Configuration Examples
Configuring Voice VLAN on a Port in Automatic Voice VLAN Assignment Mode
Network requirements
- Configure VLAN 2 as the voice VLAN allowing only voice traffic to pass through.
Figure 1-5 Create VLAN 2
- Type in VLAN ID 2.
- Click Create.
# Configure GigabitEthernet 1/0/1 as a hybrid port.
- Select Device > Port Management from the navigation tree, and click Setup on the displayed page to enter the page shown in Figure 1-6.
Figure 1-6 Configure GigabitEthernet 1/0/1 as a hybrid port
- Select Hybrid from the Link Type drop-down list.
- Select GigabitEthernet 1/0/1 from the chassis front panel.
- Click Apply.
# Configure the voice VLAN function globally.
- Select Network > Voice VLAN from the navigation tree and click the Setup tab on the displayed page to enter the page shown in Figure 1-7.
- Select Enable in the Voice VLAN security drop-down list. (You can skip this step, because the voice VLAN security mode is enabled by default.)
- Set the voice VLAN aging timer to 30 minutes.
- Click Apply.
# Configure voice VLAN on GigabitEthernet 1/0/1.
- Click the Port Setup tab to enter the page shown in Figure 1-8.
Figure 1-8 Configure voice VLAN on GigabitEthernet 1/0/1
- Select Auto in the Voice VLAN port mode drop-down list.
- Select Enable in the Voice VLAN port state drop-down list.
Figure 1-9 Add OUI addresses to the OUI list
- Type in OUI address 0011-2200-0000.
- Select FFFF-FF00-0000 in the Mask drop-down list.
- Type in description string test.
- Click Apply.
Verify the configuration
- When the configurations described above are completed, the OUI Summary tab is displayed by default, as shown in Figure 1-10. You can view the information about the newly-added OUI address.
Figure 1-11 Current voice VLAN information
Configuring a Voice VLAN on a Port in Manual Voice VLAN Assignment Mode
Network requirements
- Configure VLAN 2 as a voice VLAN that carries only voice traffic.
- The IP phone connected to hybrid port GigabitEthernet 1/0/1 sends untagged voice traffic.
Figure 1-13 Create VLAN 2
- Type in VLAN ID 2.
- Click Create.
# Configure GigabitEthernet 1/0/1 as a hybrid port and configure its default VLAN as VLAN 2.
- Select Device > Port Management from the navigation tree, and click Setup on the displayed page to enter the page shown in Figure 1-14.
Figure 1-14 Configure GigabitEthernet 1/0/1 as a hybrid port
- Select Hybrid from the Link Type drop-down list.
- Select the PVID option and type 2 in the text box.
- Select GigabitEthernet 1/0/1 from the chassis front panel.
- Click Apply.
# Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member.
- Select Network > VLAN from the navigation tree, and click Modify Port on the displayed page to enter the page shown in Figure 1-15.
Figure 1-15 Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged member
- Select GigabitEthernet 1/0/1 from the chassis front panel.
- Select the Untagged option.
- Type in VLAN ID 2.
- Click Apply. A configuration progress dialog box appears, as shown in Figure 1-16.
Figure 1-16 Configuration progress dialog box
- After the configuration process is complete, click Close.
# Configure voice VLAN on GigabitEthernet 1/0/1.
Figure 1-17 Configure voice VLAN on GigabitEthernet 1/0/1
- Select Manual in the Voice VLAN port mode drop-down list.
- Select Enable in the Voice VLAN port state drop-down list.
- Type in voice VLAN ID 2.
- Select GigabitEthernet 1/0/1 on the chassis front panel.
- Click Apply.
# Add OUI addresses to the OUI list.
- Click the OUI Add tab to enter the page shown in Figure 1-18.
Figure 1-18 Add OUI addresses to the OUI list
- Type in OUI address 0011-2200-0000.
- Type in description string test.
- Click Apply.
Verify the configuration
- When the configurations described above are completed, the OUI Summary tab is displayed by default, as shown in Figure 1-19. You can view the information about the newly-added OUI address.
Figure 1-19 Current OUI list of the device
- Click the Summary tab to enter the page shown in Figure 1-20, where you can view the current voice VLAN information.
- In automatic voice VLAN assignment mode, a hybrid port can process only tagged voice traffic. However, the protocol-based VLAN function requires hybrid ports to process untagged traffic. Therefore, if a VLAN is configured as the voice VLAN and a protocol-based VLAN at the same time, the protocol-based VLAN cannot be associated with the port.
- At present, only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN.
1 MAC Address Configuration
- Currently, MAC address configurations related to interfaces only apply to Layer 2 Ethernet interfaces.
- This manual covers only the management of static and dynamic MAC address entries, not multicast MAC address entries.
Overview
A device maintains a MAC address table for frame forwarding. Each entry in this table indicates the MAC address of a connected device, to which interface this device is connected and to which VLAN the interface belongs.
- Broadcast mode: If the device receives a frame with the destination address being all Fs, or no entry matches the destination MAC address, the device broadcasts the frame to all the ports except the receiving port.
Figure 1-1 MAC address table of the device
Configuring MAC Addresses
MAC address configuration includes configuring and displaying MAC address entries and setting the MAC address entry aging time.
Configuring a MAC Address Entry
Select Network > MAC from the navigation tree.
Figure 1-2 The MAC tab
Figure 1-3 Create a MAC address entry
Table 1-1 shows the detailed configuration of creating a MAC address entry.
Table 1-1 Configuration items of creating a MAC address entry
Item: MAC
  Description: Set the MAC address to be added.
Item: Type
  Description: Set the type of the MAC address entry, which can be:
  - static: indicates static MAC address entries that never age out
  - dynamic: indicates dynamic MAC address entries that will age out
  - blackhole: indicates blackhole MAC address entries that never age out
  The types of the MAC address entries displayed in the tab are as follows:
  - Config static: indicates static MAC address entries ma
MAC Address Configuration Example
Network requirements
Use the MAC address table management function of the Web-based NMS. It is required to add a static MAC address 00e0-fc35-dc71 under GigabitEthernet 1/0/1 in VLAN 1.
Configuration procedure
# Create a static MAC address entry.
Select Network > MAC from the navigation tree to enter the MAC tab, and then click Add, as shown in Figure 1-2. The page shown in Figure 1-5 appears.
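The following Python is an added example, not the guide's or the switch's code: it models the MAC address table behaviour this chapter describes (learning, aging, and the static, dynamic and blackhole entry types) around the example entry 00e0-fc35-dc71 on GigabitEthernet 1/0/1 in VLAN 1. Blackhole entries are modelled as discarding frames whose source or destination matches, the usual meaning of the type; all frames, the port list and the address 0bad-0bad-0bad are constructed.

```python
"""Added example (not from the 3Com guide): a model of the MAC address table this
chapter describes - learning, aging, and the static / dynamic / blackhole entry
types - seeded with the chapter's example entry 00e0-fc35-dc71 on GigabitEthernet
1/0/1 in VLAN 1. Frame records are constructed; the model illustrates the behaviour
described here and is not the switch's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"          # destination of all Fs


@dataclass
class Entry:
    mac: str
    vlan: int
    port: Optional[str]                 # None for blackhole entries
    kind: str                           # "static", "dynamic" or "blackhole"
    learned_at: float = 0.0             # only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging_time: float = 300.0):
        self.aging_time = aging_time    # seconds; applies to dynamic entries only
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self.anomalies: List[str] = []  # static bindings contradicted by traffic

    def add(self, mac: str, vlan: int, port: Optional[str], kind: str, now: float = 0.0) -> None:
        if kind not in ("static", "dynamic", "blackhole"):
            raise ValueError(f"unknown entry type {kind}")
        self.entries[(vlan, mac)] = Entry(mac, vlan, port, kind, now)

    def age(self, now: float) -> List[Entry]:
        """Remove dynamic entries older than the aging time; static and blackhole never age out."""
        expired = [e for e in self.entries.values()
                   if e.kind == "dynamic" and now - e.learned_at > self.aging_time]
        for e in expired:
            del self.entries[(e.vlan, e.mac)]
        return expired

    def handle_frame(self, vlan: int, src: str, dst: str, in_port: str,
                     now: float, all_ports: List[str]) -> Tuple[str, List[str]]:
        """Return (action, egress ports): 'forward', 'flood' or 'drop'."""
        self.age(now)
        # Learning: bind the source MAC to the receiving port unless a non-dynamic entry exists.
        s = self.entries.get((vlan, src))
        if s is None:
            self.add(src, vlan, in_port, "dynamic", now)
        elif s.kind == "blackhole":
            return "drop", []                       # frames from a blackhole MAC are discarded
        elif s.kind == "dynamic":
            s.port, s.learned_at = in_port, now     # refresh the timer, follow a moved host
        elif s.port != in_port:                     # static binding pinned elsewhere: keep it, flag it
            self.anomalies.append(f"t={now}: {src} seen on {in_port}, static entry says {s.port}")
        # Forwarding: broadcast mode for all-Fs or unknown destinations, else unicast.
        others = [p for p in all_ports if p != in_port]
        d = self.entries.get((vlan, dst))
        if dst == BROADCAST or d is None:
            return "flood", others
        if d.kind == "blackhole":
            return "drop", []                       # frames to a blackhole MAC are discarded
        if d.port == in_port:
            return "drop", []                       # destination sits on the receiving port
        return "forward", [d.port]


def demo() -> Tuple[List[Tuple[str, List[str]]], List[str]]:
    """Replay constructed frames through a table seeded with the chapter's static entry."""
    table = MacTable(aging_time=300)
    table.add("00e0-fc35-dc71", 1, "GigabitEthernet1/0/1", "static")
    table.add("0bad-0bad-0bad", 1, None, "blackhole")       # constructed blocked address
    ports = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"]
    frames = [  # (time, VLAN, source, destination, receiving port) - all constructed
        (0,   1, "0001-0001-0001", "00e0-fc35-dc71", "GigabitEthernet1/0/2"),  # static dst known
        (1,   1, "00e0-fc35-dc71", "0001-0001-0001", "GigabitEthernet1/0/1"),  # dst learned at t=0
        (2,   1, "0002-0002-0002", BROADCAST,        "GigabitEthernet1/0/3"),  # broadcast
        (301, 1, "0002-0002-0002", "0001-0001-0001", "GigabitEthernet1/0/3"),  # 0001 aged out
        (302, 1, "00e0-fc35-dc71", "0002-0002-0002", "GigabitEthernet1/0/2"),  # static MAC elsewhere
        (303, 1, "0003-0003-0003", "0bad-0bad-0bad", "GigabitEthernet1/0/1"),  # blackhole dst
    ]
    log = [table.handle_frame(vlan, src, dst, port, t, ports) for t, vlan, src, dst, port in frames]
    return log, table.anomalies


if __name__ == "__main__":
    log, anomalies = demo()
    for line in log:
        print(line)
    print("anomalies:", anomalies)
```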
1 MSTP Configuration
Overview
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and in the meantime allows for link redundancy. Like many other protocols, STP evolves as the network grows. The later versions of STP are the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP). This chapter describes the characteristics of STP, RSTP, and MSTP and the relationship among them.
Root port
On a non-root bridge, the port nearest to the root bridge is called the root port. The root port is responsible for communication with the root bridge. Each non-root bridge has one and only one root port. The root bridge has no root port.
Designated bridge and designated port
The following table describes designated bridges and designated ports.
All the ports on the root bridge are designated ports.
How STP Works
The devices on a network exchange BPDUs to identify the network topology. Configuration BPDUs contain sufficient information for the network devices to complete spanning tree calculation. Important fields in a configuration BPDU include:
- Root bridge ID: consisting of the priority and MAC address of the root bridge.
- Root path cost: the cost of the path to the root bridge.
Table 1-2 Selection of the optimum configuration BPDU
Step 1
  Actions: Upon receiving a configuration BPDU on a port, the device performs the following:
  - If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU and does not process the configuration BPDU of this port.
Step 3
  Description: The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be defined, and acts depending on the comparison result:
  - If the calculated configuration BPDU is superior, the device considers this port as the designated port, and replaces the configuration BPDU on the port with the calculated configuration BPDU, which will be sent out periodically.
Device: Device C
  - Port CP1: BPDU {2, 0, 2, CP1}
  - Port CP2: BPDU {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-5 Comparison process and result on each device
Device: Device A
  Comparison process:
  - Port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}.
Device: Device C
  Comparison process:
  - Port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1.
  - Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the configuration BPDU is updated.
Figure 1-3 The final calculated spanning tree (Device A with priority 0, ports AP1 and AP2; Device B with priority 1, ports BP1 and BP2; Device C with priority 2, port CP2; link costs 5 and 4)
The spanning tree calculation process in this example is only a simplified process.
The BPDU forwarding mechanism in STP
- Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
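To make the comparison concrete, here is an added Python model (not from the guide or the switch) that runs the configuration BPDU comparison of Tables 1-2 and 1-3 on the three devices of Figure 1-3. The priorities 0/1/2 and the link costs 5 (AP1-BP1) and 4 (BP2-CP2) are the figure's; the AP2-CP1 link cost of 10, the hello-round simulation and the root-guard check on a port are assumptions made for this example.

```python
"""Added example (not from the 3Com guide): the configuration BPDU comparison
{root bridge ID, root path cost, designated bridge ID, designated port ID} of
Tables 1-2 and 1-3, run on the three-device topology of Figure 1-3. The AP2-CP1 cost
of 10 and the root-guard check are assumptions; this is a model, not the switch's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BPDU = Tuple[int, int, int, str]  # tuple ordering: the lower tuple is the superior BPDU


@dataclass
class Port:
    name: str
    cost: int                      # path cost of the attached link
    peer: Tuple[str, str]          # (bridge, port) at the far end of the link
    root_guard: bool = False
    bpdu: BPDU = (0, 0, 0, "")     # best configuration BPDU held on the port
    role: str = "designated"


@dataclass
class Bridge:
    name: str
    priority: int                  # stands in for the bridge ID, as in {0, 0, 0, AP1}
    ports: Dict[str, Port] = field(default_factory=dict)
    root_id: int = 0
    root_cost: int = 0
    root_port: Optional[str] = None
    alerts: List[str] = field(default_factory=list)

    def calc_bpdu(self, port: str) -> BPDU:
        return (self.root_id, self.root_cost, self.priority, port)

    def recalculate(self) -> bool:
        """Table 1-3: elect the root port, then decide designated or blocked for the rest."""
        best = None
        for p in self.ports.values():
            r, c, d, dp = p.bpdu
            if d != self.priority:                       # a BPDU received from a neighbour
                cand = ((r, c + p.cost, d, dp), p.name)  # add this port's link cost
                best = cand if best is None or cand < best else best
        old = (self.root_id, self.root_cost, self.root_port)
        if best is None or best[0][0] >= self.priority:
            best = ((self.priority, 0, self.priority, ""), None)   # this bridge is the root
        self.root_id, self.root_cost, self.root_port = best[0][0], best[0][1], best[1]
        changed = old != (self.root_id, self.root_cost, self.root_port)
        for p in self.ports.values():
            if p.role == "root-inconsistent":
                continue                                 # held down by root guard
            if p.name == self.root_port:
                role = "root"
            elif p.bpdu[2] == self.priority or self.calc_bpdu(p.name) < p.bpdu:
                p.bpdu, role = self.calc_bpdu(p.name), "designated"
            else:
                role = "blocked"                         # neighbour's BPDU is superior
            changed |= role != p.role
            p.role = role
        return changed


def run_stp(bridges: Dict[str, Bridge], max_rounds: int = 20) -> Dict[str, Bridge]:
    for b in bridges.values():       # start-up: every bridge claims to be the root
        b.root_id, b.root_cost, b.root_port = b.priority, 0, None
        for p in b.ports.values():
            p.bpdu, p.role = (b.priority, 0, b.priority, p.name), "designated"
    for _ in range(max_rounds):      # one round = one hello interval
        changed = False
        for b in bridges.values():
            for p in b.ports.values():
                if p.role != "designated":
                    continue         # only designated ports transmit
                sent = b.calc_bpdu(p.name)
                nb, np_ = bridges[p.peer[0]], bridges[p.peer[0]].ports[p.peer[1]]
                if np_.root_guard and sent < nb.calc_bpdu(np_.name):
                    if np_.role != "root-inconsistent":   # refuse, alert, keep the port down
                        nb.alerts.append(f"{nb.name} {np_.name}: superior BPDU {sent} refused")
                        np_.role, changed = "root-inconsistent", True
                    continue
                if sent < np_.bpdu:  # Table 1-2 step 1: keep only the superior BPDU
                    np_.bpdu, changed = sent, True
        for b in bridges.values():
            changed |= b.recalculate()
        if not changed:
            break
    return bridges


def figure_1_3_topology(guard_cp1: bool = False) -> Dict[str, Bridge]:
    a, b, c = Bridge("Device A", 0), Bridge("Device B", 1), Bridge("Device C", 2)
    a.ports = {"AP1": Port("AP1", 5, ("Device B", "BP1")),
               "AP2": Port("AP2", 10, ("Device C", "CP1"))}      # cost 10 assumed
    b.ports = {"BP1": Port("BP1", 5, ("Device A", "AP1")),
               "BP2": Port("BP2", 4, ("Device C", "CP2"))}
    c.ports = {"CP1": Port("CP1", 10, ("Device A", "AP2"), root_guard=guard_cp1),
               "CP2": Port("CP2", 4, ("Device B", "BP2"))}
    return {x.name: x for x in (a, b, c)}


def port_roles(bridges: Dict[str, Bridge]) -> Dict[str, Dict[str, str]]:
    return {n: {pn: p.role for pn, p in b.ports.items()} for n, b in bridges.items()}


if __name__ == "__main__":
    net = run_stp(figure_1_3_topology())
    for name, br in net.items():
        print(name, "root path cost", br.root_cost, port_roles(net)[name])
```

With root guard set on CP1 (run_stp(figure_1_3_topology(guard_cp1=True))), Device A's superior BPDU is refused on that port, an alert is recorded, and Device C still reaches the root through CP2 at cost 9.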
For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propagated throughout the network.
- Hello time is the time interval at which a device sends hello packets to the surrounding devices to ensure that the paths are fault-free.
- MSTP supports mapping VLANs to MST instances (MSTIs) by means of a VLAN-to-MSTI mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one MSTI.
- MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another.
- MSTP prunes a loop network into a loop-free tree, thus avoiding proliferation and endless cycling of packets in a loop network.
For example, all the devices in region A0 in Figure 1-4 have the same MST region configuration as follows:
- The same region name,
- The same VLAN-to-MSTI mapping configuration (VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to the common and internal spanning tree (CIST, that is, MSTI 0)), and
- The same MSTP revision level (not shown in the figure).
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region.
Common root bridge
The common root bridge is the root bridge of the CIST. In Figure 1-4, for example, the common root bridge is a device in region A0.
Boundary port
A boundary port is a port that connects an MST region to another MST region, or to a single spanning-tree region running STP, or to a single spanning-tree region running RSTP. It is at the boundary of an MST region. During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the CIST.
Figure 1-5 Port roles (figure labels: an MST region of devices A, B, C and D connecting to the common root bridge, with ports 1 through 6 marked as master port, alternate port, backup port and designated port)
In Figure 1-5, devices A, B, C, and D constitute an MST region. Port 1 and port 2 of device A are connected to the common root bridge, port 5 and port 6 of device C form a loop, and port 3 and port 4 of device D are connected downstream to the other MST regions.
Table 1-6 Port states supported by different port roles
Port state | Root port/master port | Designated port | Boundary port | Alternate port | Backup port
Forwarding | √ | √ | √ | — | —
Learning | √ | √ | √ | — | —
Discarding | √ | √ | √ | √ | √
How MSTP Works
MSTP divides an entire Layer 2 network into multiple MST regions, which are interconnected by a calculated CST. Inside an MST region, multiple spanning trees are calculated, each being called an MSTI (among these MSTIs, MSTI 0 is called the CIST).
Protocols and Standards
MSTP is documented in:
- IEEE 802.1D: Spanning Tree Protocol
- IEEE 802.1w: Rapid Spanning Tree Protocol
- IEEE 802.1s: Multiple Spanning Tree Protocol
Configuring MSTP
Configuration Task List
Perform the tasks described in Table 1-7 to configure MSTP.
Table 1-7 MSTP configuration task list
Task: Configuring an MST Region
  Remarks: Optional. Configure the MST region-related parameters and VLAN-to-MSTI mappings.
Figure 1-7 Configure an MST region
Table 1-8 describes the configuration items of configuring an MST region.
Table 1-8 Configuration items of configuring an MST region
Item: Region Name
  Description: MST region name. The MST region name is the bridge MAC address of the device by default.
Item: Revision Level
  Description: Revision level of the MST region.
Item: Manual (Instance ID, VLAN ID)
  Description: Manually add VLAN-to-MSTI mappings. Click Apply to add the VLAN-to-MSTI mapping entries to the list below.
Item: Modulo (Modulo Value)
Figure 1-8 Configure MSTP globally
Table 1-9 describes the configuration items of configuring MSTP globally.
Table 1-9 Configuration items of configuring MSTP globally
Item: Enable STP Globally
  Description: Select whether to enable STP globally. Other MSTP configurations take effect only after you enable STP globally.
Item: BPDU Guard
  Description: Select whether to enable BPDU guard. BPDU guard can protect the device from malicious BPDU attacks, thus making the network topology stable.
Item: Bridge Diameter
  Description: Any two stations in a switched network are interconnected through a specific path composed of a series of devices. The bridge diameter (or the network diameter) is the number of devices on the path composed of the most devices.
  - After you set the network diameter, you cannot set the timers. Instead, the device automatically calculates the forward delay, hello time, and max age.
  - The configured network diameter is effective for the CIST only, not for MSTIs.
Configuring MSTP on a Port
Select Network > MSTP from the navigation tree, and then click Port Setup to enter the page for configuring MSTP on ports, as shown in Figure 1-9.
Figure 1-9 MSTP configuration on a port
Table 1-10 describes the configuration items of configuring MSTP on a port.
Item: Instance (Instance ID, Port Priority, Auto Path Cost, Manual Path Cost)
  Description: Set the priority and path cost of the port in the current MSTI.
  - The priority of a port is an important factor in determining whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority will be elected as the root port.
Table 1-11 Protection types
Protection type: Edged Port
  Description: Set the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports. It is recommended that you enable the BPDU guard function in conjunction with the edged port function to avoid network topology changes when the edge ports receive configuration BPDUs.
Enable the root guard function.
Select a port (GigabitEthernet 1/0/16 for example) on the chassis front panel (If aggregate interfaces are configured on the device, the page displays a list of aggregate interfaces below the chassis front panel. You can select aggregate interfaces from this list).
Num of Vlans Mapped: Number of VLANs mapped to the current MSTI
PortTimes: Major parameters for the port:
• Hello: Hello timer
• MaxAge: Max Age timer
• FWDly: Forward delay timer
• MsgAge: Message Age timer
• Remain Hop: Remaining hops
BPDU Sent: Statistics on sent BPDUs
BPDU Received: Statistics on received BPDUs
Protocol Status: Whether MSTP is enabled
Protocol Std.: MSTP standard
Version: MSTP version
CIST Bridge-Prio.
Figure 1-11 Network diagram for MSTP configuration
"Permit:" next to a link in the figure is followed by the VLANs whose packets are permitted to pass this link.
Configuration procedure
1) Configure Switch A.
# Configure an MST region.
• Select Network > MSTP from the navigation tree to enter the page shown in Figure 1-12.
Figure 1-12 The Region tab
• Click Modify to enter the page for configuring MST regions, as shown in Figure 1-13.
Figure 1-13 Configure an MST region
• Set the region name to example.
• Set the revision level to 0.
• Select the Manual radio button.
• Select 1 in the Instance ID drop-down list.
• Set the VLAN ID to 10.
• Click Apply to map VLAN 10 to MSTI 1 and add the VLAN-to-MSTI mapping entry to the VLAN-to-MSTI mapping list.
• Repeat the steps above to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN-to-MSTI mapping entries to the VLAN-to-MSTI mapping list.
• Click Activate.
Figure 1-14 Configure MSTP globally (on Switch A)
• Select Enable in the Enable STP Globally drop-down list.
• Select MSTP in the Mode drop-down list.
• Select the check box before Instance.
• Set the Instance ID field to 1.
• Set the Root Type field to Primary.
• Click Apply.
2) Configure Switch B.
# Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.)
# Configure MSTP globally.
• Set the Root Type field to Primary.
• Click Apply.
3) Configure Switch C.
# Configure an MST region. (The procedure here is the same as that of configuring an MST region on Switch A.)
# Configure MSTP globally.
• Select Network > MSTP from the navigation tree, and then click Global to enter the page for configuring MSTP globally.
• Select Enable in the Enable STP Globally drop-down list.
• Select MSTP in the Mode drop-down list.
• Select the check box before Instance.
• Set the Instance ID field to 3.
Figure 1-15 Configure MSTP globally (on Switch D)
• Select Enable in the Enable STP Globally drop-down list.
• Select MSTP in the Mode drop-down list.
• Click Apply.
Guidelines
Follow these guidelines when configuring MSTP:
• Two devices belong to the same MST region only if they are interconnected through physical links, and share the same region name, the same MSTP revision level, and the same VLAN-to-MSTI mappings.
• Configure ports that are directly connected to terminals as boundary ports and enable BPDU guard for them. In this way, these ports can rapidly transit to the forwarding state, and network security can be ensured.
Table of Contents
1 Link Aggregation and LACP Configuration 1-1
  Overview 1-1
    Basic Concepts of Link Aggregation 1-1
    Link Aggregation Modes
1 Link Aggregation and LACP Configuration Overview Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group. It allows you to increase bandwidth by distributing traffic across the member ports in the aggregation group. In addition, it provides reliable connectivity because these member ports can dynamically back up each other.
The rate of an aggregate interface is the sum of the selected member ports' rates. The duplex mode of an aggregate interface is consistent with that of the selected member ports. Note that all selected member ports use the same duplex mode. For how the state of a member port is determined, refer to Static aggregation mode and Dynamic aggregation mode.
LACP protocol
The Link Aggregation Control Protocol (LACP) is defined in IEEE 802.3ad.
Link Aggregation Modes
Depending on the link aggregation procedure, link aggregation operates in one of the following two modes:
• Static aggregation mode
• Dynamic aggregation mode
Static aggregation mode
LACP is disabled on the member ports in a static aggregation group.
• Compare the system ID (comprising the system LACP priority and the system MAC address) of the actor with that of the partner. The system with the lower LACP priority wins out. If they are the same, compare the system MAC addresses. The system with the smaller MAC address wins out.
• Compare the port IDs of the ports on the system with the smaller system ID. A port ID comprises a port LACP priority and a port number. First compare the port LACP priorities. The port with the lower LACP priority wins out.
Table 1-2 Static aggregation group configuration task list
Creating a Link Aggregation Group (Required): Create a static aggregate interface and configure member ports for the static aggregation group automatically created by the system when you create the aggregate interface. By default, no link aggregation group exists.
Displaying Information of an Aggregate Interface (Optional): Perform this task to view detailed information of an existing aggregation group.
Figure 1-1 Create a link aggregation group
Table 1-4 describes the configuration items of creating a link aggregation group.
Table 1-4 Configuration items of creating a link aggregation group
Enter Link Aggregation Interface ID: Assign an ID to the link aggregation group to be created. You can view the result in the Summary list box at the bottom of the page.
Displaying Information of an Aggregate Interface
Select Network > Link Aggregation from the navigation tree. The Summary tab is displayed by default, as shown in Figure 1-2.
Figure 1-2 Display information of an aggregate interface
Table 1-5 describes the fields on the Summary tab.
Figure 1-3 The Setup tab
After finishing each configuration item, click the right Apply button to submit the configuration. Table 1-6 describes the configuration items.
Table 1-6 LACP priority configuration items
Select LACP enabled port(s) parameters
• Port Priority: Set a port LACP priority.
• Select port(s) to apply: Select the ports where the port LACP priority you set will apply on the chassis front panel.
System Priority
Figure 1-4 Display the information of LACP-enabled ports
The upper part of the page displays a list of all LACP-enabled ports on the device and information about them. To view information about the partner port of a LACP-enabled port, select it in the port list, and then click View Details. Detailed information about the peer port will be displayed on the lower part of the page. Table 1-7 describes the fields on the Summary tab.
Inactive Reason: Reason code indicating why a port is inactive (that is, unselected) for receiving/transmitting user data. For the meanings of the reason codes, see the bottom of the page shown in Figure 1-4.
Partner Port: Name of the peer port
Partner Port State: State information of the peer port, represented by letters A through H.
• A indicates that LACP is enabled.
• B indicates that LACP short timeout has occurred.
Oper Key
Figure 1-5 Network diagram for static link aggregation configuration
Configuration procedure
You can create a static or dynamic link aggregation group to achieve load balancing.
1) Approach 1: Create a static link aggregation group
# Create static link aggregation group 1.
Select Network > Link Aggregation from the navigation tree, and then click Create to enter the page as shown in Figure 1-6.
Figure 1-6 Create static link aggregation group 1
• Set the link aggregation interface ID to 1.
• Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the chassis front panel.
• Click Apply.
2) Approach 2: Create a dynamic link aggregation group
# Create dynamic link aggregation group 1.
Select Network > Link Aggregation from the navigation tree, and then click Create to enter the page as shown in Figure 1-7.
Figure 1-7 Create dynamic link aggregation group 1
• Set the link aggregation interface ID to 1.
• Reference port: Select a port as the reference port from the ports that are in up state and have the same class-two configurations as the corresponding aggregate interface. The selection order is as follows: full duplex/high speed, full duplex/low speed, half duplex/high speed, and half duplex/low speed, with full duplex/high speed being the most preferred. If two ports with the same duplex mode/speed pair are present, the one with the lower port number wins out.
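The two selection rules of this chapter, the LACP system ID and port ID comparison of the dynamic aggregation mode and the reference port selection of the static aggregation mode, written out as an added Python example. This is not code from the 3Com guide or the switch; the SystemId, PortId and MemberPort classes, the class-two configuration string and every priority, MAC address and port number below are constructed for illustration.

```python
"""Added example, not code from the 3Com guide: the member port selection
rules of this chapter written out in Python.

compare_systems / select_lacp_port follow the dynamic aggregation rule:
the lower system LACP priority wins, then the smaller system MAC address;
among that system's ports the lower port LACP priority wins, then the
lower port number. select_reference_port follows the static aggregation
rule: among ports that are up and share the aggregate interface's
class-two configuration, prefer full duplex/high speed, then full
duplex/low speed, half duplex/high speed and half duplex/low speed, and
break a tie on the lower port number. Port numbers, priorities and MAC
addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_bytes(mac: str) -> bytes:
    """'00-11-22-33-44-55' or '00:11:...' -> 6 raw bytes, so MACs compare numerically."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return raw


@dataclass(frozen=True)
class SystemId:
    lacp_priority: int      # 0..65535, smaller wins
    mac: str

    def key(self) -> Tuple[int, bytes]:
        return (self.lacp_priority, mac_bytes(self.mac))


@dataclass(frozen=True)
class PortId:
    lacp_priority: int      # 0..65535, smaller wins
    port_number: int

    def key(self) -> Tuple[int, int]:
        return (self.lacp_priority, self.port_number)


def compare_systems(actor: SystemId, partner: SystemId) -> str:
    """Return 'actor' or 'partner': the side whose system ID is smaller."""
    return "actor" if actor.key() <= partner.key() else "partner"


def select_lacp_port(ports: List[PortId]) -> PortId:
    """Among the ports of the system with the smaller system ID, pick the
    port with the lowest port LACP priority, then the lowest port number."""
    if not ports:
        raise ValueError("no ports to compare")
    return min(ports, key=PortId.key)


@dataclass(frozen=True)
class MemberPort:
    number: int
    up: bool
    full_duplex: bool
    speed_mbps: int
    class_two_config: str   # constructed stand-in for the port's class-two configuration


def select_reference_port(ports: List[MemberPort], aggregate_class_two: str) -> Optional[MemberPort]:
    """Static aggregation: the reference port is the best (duplex, speed, port
    number) among up ports whose class-two configuration matches the aggregate's."""
    candidates = [p for p in ports if p.up and p.class_two_config == aggregate_class_two]
    if not candidates:
        return None
    # Duplex ranks above speed, so full duplex/low speed beats half duplex/high speed.
    return min(candidates, key=lambda p: (not p.full_duplex, -p.speed_mbps, p.number))


if __name__ == "__main__":
    a = SystemId(32768, "00-11-22-33-44-55")
    b = SystemId(32768, "00-11-22-33-44-01")
    print("smaller system ID:", compare_systems(a, b))          # partner (smaller MAC)
    print("selected port:", select_lacp_port([PortId(128, 3), PortId(64, 7), PortId(128, 1)]))
    pool = [MemberPort(1, True, True, 100, "c"), MemberPort(2, True, True, 1000, "c"),
            MemberPort(3, True, False, 1000, "c"), MemberPort(4, False, True, 1000, "c")]
    print("reference port:", select_reference_port(pool, "c").number)   # 2
```

The comparisons are tuple comparisons, which is exactly the lexicographic order the text describes: the priority is decisive, and only a tie falls through to the MAC address or port number.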
Table of Contents
1 LLDP 1-1
  Overview 1-1
    Background 1-1
    Basic Concepts
1 LLDP
Overview
Background
In a heterogeneous network, it is important that different types of network devices from different vendors can discover one another and exchange configuration for the sake of interoperability and management. This calls for a standard configuration exchange platform. To address the need, the IETF drafted the Link Layer Discovery Protocol (LLDP) in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Source MAC address: The MAC address of the sending port. If the port does not have a MAC address, the MAC address of the sending bridge is used.
Type: The Ethernet type for the upper layer protocol. It is 0x88CC for LLDP.
Data: LLDP data.
FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.
An LLDPDU can carry up to 28 types of TLVs, of which the chassis ID TLV, port ID TLV, TTL TLV, and end of LLDPDU TLV (end TLV in the figure) are mandatory TLVs that must be carried; the other TLVs are optional.
TLVs
TLVs are type, length, and value sequences that carry information elements, where the type field identifies the type of information, the length field indicates the length of the information field in octets, and the value field contains the information itself.
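A parser for the frame and TLV layout just described, as an added example (not code from the 3Com guide or the switch firmware). The Ethernet type 0x88CC and the four mandatory TLVs come from the text; the 16-bit TLV header split into a 7-bit type and 9-bit length, the TLV type numbers, the 01:80:C2:00:00:0E destination address and the chassis ID subtype 4 (MAC address) and port ID subtype 5 (interface name) come from IEEE 802.1AB and are not stated on the page. The sample frame, the MAC address 00:11:22:33:44:55, the name SwitchA and the TTL of 120 s (assumed 4 × 30 s) are constructed. The point of the example is the bounds checking: a receiver trusts a neighbor's length fields only after verifying them against the bytes it actually holds.

```python
"""Added example, not code from the 3Com guide: a parser for the LLDP frame
and TLV layout described above, with the bounds checks a receiver needs so a
malformed LLDPDU is rejected instead of misread.

From the text: the Ethernet type 0x88CC and the four mandatory TLVs
(chassis ID, port ID, TTL, end of LLDPDU). From IEEE 802.1AB (not stated
on the page): the 16-bit TLV header (7-bit type, 9-bit length), the type
numbers used below, the 01:80:C2:00:00:0E destination address, chassis ID
subtype 4 (MAC address) and port ID subtype 5 (interface name). The sample
frame, MAC address and system name are constructed.
"""
import struct
from typing import Dict, List, Tuple

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST_DST = bytes.fromhex("0180c200000e")
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_SYSTEM_NAME = 5
CHASSIS_SUBTYPE_MAC = 4
PORT_SUBTYPE_IFNAME = 5


class LLDPError(ValueError):
    """Raised for any frame that violates the layout checks below."""


def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the LLDPDU into (type, value) pairs, stopping at the end TLV.
    Every declared length is checked against the bytes actually present."""
    tlvs: List[Tuple[int, bytes]] = []
    off = 0
    while True:
        if off + 2 > len(data):
            raise LLDPError("truncated TLV header at offset %d" % off)
        header = struct.unpack_from("!H", data, off)[0]
        ttype, tlen = header >> 9, header & 0x1FF
        off += 2
        if off + tlen > len(data):
            raise LLDPError("TLV type %d declares %d bytes but only %d remain"
                            % (ttype, tlen, len(data) - off))
        tlvs.append((ttype, data[off:off + tlen]))
        off += tlen
        if ttype == TLV_END:
            if tlen != 0:
                raise LLDPError("end of LLDPDU TLV must have zero length")
            return tlvs


def parse_lldp_frame(frame: bytes) -> Dict[str, object]:
    """Validate an Ethernet-encapsulated LLDPDU and return its key fields."""
    if len(frame) < 14:
        raise LLDPError("frame shorter than an Ethernet header")
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != LLDP_ETHERTYPE:
        raise LLDPError("not an LLDP frame (Ethernet type 0x%04x)" % ethertype)
    tlvs = parse_tlvs(frame[14:])
    types = [t for t, _ in tlvs]
    # 802.1AB requires chassis ID, port ID and TTL first, in that order, and end last.
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise LLDPError("mandatory TLVs missing or out of order: %s" % types)
    chassis, port, ttl = tlvs[0][1], tlvs[1][1], tlvs[2][1]
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV value has an invalid length")
    chassis_id = (chassis[1:].hex(":") if chassis[0] == CHASSIS_SUBTYPE_MAC
                  else chassis[1:].decode("ascii", "replace"))
    return {
        "src_mac": src.hex(":"),
        "chassis_id_subtype": chassis[0],
        "chassis_id": chassis_id,
        "port_id_subtype": port[0],
        "port_id": port[1:].decode("ascii", "replace"),
        "ttl": struct.unpack("!H", ttl)[0],           # seconds the receiver may keep this info
        "optional": [(t, v) for t, v in tlvs[3:-1]],  # everything between TTL and end
    }


def is_valid_lldp(frame: bytes) -> bool:
    try:
        parse_lldp_frame(frame)
        return True
    except LLDPError:
        return False


def tlv(ttype: int, value: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed sample frame)."""
    if not 0 <= ttype < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed sample: Switch A announcing GigabitEthernet1/0/1 with a TTL of
# 120 s (TTL multiplier 4 x a 30 s transit interval, both assumed values).
SWITCH_A_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAME = (
    LLDP_MULTICAST_DST + SWITCH_A_MAC + struct.pack("!H", LLDP_ETHERTYPE)
    + tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + SWITCH_A_MAC)
    + tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + b"GigabitEthernet1/0/1")
    + tlv(TLV_TTL, struct.pack("!H", 120))
    + tlv(TLV_SYSTEM_NAME, b"SwitchA")
    + tlv(TLV_END, b"")
)
# Two constructed malformed variants: the end TLV cut off, and a TLV whose
# declared length runs past the end of the frame.
TRUNCATED_FRAME = SAMPLE_FRAME[:-2]
OVERRUN_FRAME = SAMPLE_FRAME[:14] + struct.pack("!H", (TLV_CHASSIS_ID << 9) | 100) + b"\x04abc"

if __name__ == "__main__":
    for name, value in parse_lldp_frame(SAMPLE_FRAME).items():
        print("%-20s %s" % (name, value))
    print("truncated valid?", is_valid_lldp(TRUNCATED_FRAME),
          "overrun valid?", is_valid_lldp(OVERRUN_FRAME))
```

A port in Rx or TxRx mode performs checks of this kind on every LLDPDU before it stores anything in its neighbor table; the TTL value returned here is what governs how long that stored entry survives.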
VLAN Name: A specific VLAN name on the port
Protocol Identity: Protocols supported on the port
Currently, 3Com Switch 2900 supports receiving but not sending protocol identity TLVs.
3) IEEE 802.3 organizationally specific TLVs
Table 1-5 IEEE 802.
Manufacturer Name: Allows a MED endpoint to advertise its vendor name.
Model Name: Allows a MED endpoint to advertise its model name.
Asset ID: Allows a MED endpoint to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking.
This is the fast sending mechanism of LLDP. With this mechanism, a specific number of LLDPDUs are sent successively at 1-second intervals to help LLDP neighbors discover the local device as soon as possible. Then, the normal LLDPDU transit interval resumes.
Receiving LLDPDUs
An LLDP-enabled port operating in TxRx mode or Rx mode checks the validity of the TLVs carried in every LLDPDU it receives.
Configuring LLDP Settings on Ports (Optional): LLDP settings include LLDP operating mode, packet encapsulation, CDP compatibility, device information polling, trapping, and advertised TLVs. By default:
• The LLDP operating mode is TxRx.
• The encapsulation format is Ethernet II.
• CDP compatibility is disabled.
• Device information polling and trapping are disabled.
• All TLVs except the Location Identification TLV are advertised.
Return to LLDP Configuration Task List.
Configuring LLDP Settings on Ports
Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-4.
Figure 1-4 The Port Setup tab
You can configure LLDP settings on ports individually or in batch.
• To configure LLDP settings on ports individually, click the icon for the port you are configuring. On the page displayed as shown in Figure 1-5, you can modify or view the LLDP settings of the port.
Figure 1-5 The page for modifying LLDP settings on a port
• To configure LLDP settings on ports in batch, select one or more ports and click Modify Selected. The page shown in Figure 1-6 appears.
Figure 1-6 The page for modifying LLDP settings on ports in batch
Table 1-8 describes the port LLDP configuration items.
Table 1-8 Port LLDP configuration items
Interface Name: Displays the name of the port or ports you are configuring.
DLDP State: Displays the LLDP enabling status on the port you are configuring. This field is not available when you batch-configure ports.
LLDP Operating Mode: Set the LLDP operating mode on the port or ports you are configuring.
CDP Operating Mode: Set the CDP compatibility of LLDP. Available options include:
• Disable: Neither sends nor receives CDPDUs.
• TxRx: Sends and receives CDPDUs.
To enable LLDP to be compatible with CDP on the port, you must enable CDP compatibility on the Global Setup tab and set the CDP operating mode on the port to TxRx.
Enable LLDP polling and set the polling interval. If no polling interval is set, LLDP polling is disabled.
DOT3 TLV Setting:
• Link Aggregation: Select to include the link aggregation TLV in transmitted LLDPDUs.
• MAC/PHY Configuration/Status: Select to include the MAC/PHY configuration/status TLV in transmitted LLDPDUs.
• Maximum Frame Size: Select to include the maximum frame size TLV in transmitted LLDPDUs.
• Power via MDI: Select to include the power via MDI TLV in transmitted LLDPDUs.
MED TLV Setting:
Figure 1-7 The Global Setup tab
Table 1-9 describes the global LLDP setup configuration items.
Table 1-9 Global LLDP setup configuration items
LLDP Enable: Select from the dropdown list to enable or disable global LLDP.
CDP Compatibility: Select from the dropdown list to enable or disable CDP compatibility of LLDP.
TTL multiplier: Set the TTL multiplier. The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device. By setting the TTL multiplier, you configure the TTL of locally sent LLDPDUs and thereby determine how long information about the local device can be saved on a neighbor device. The TTL is expressed as TTL multiplier × LLDPDU transit interval.
information is organized by type and displayed in tabs as shown in Figure 1-8. You can click these tabs to display data you are interested in.
Figure 1-8 The Local Information tab
Table 1-10 describes the local LLDP information of a port.
Port PSE priority: Available options include:
• Unknown, which indicates that the PSE priority of the port is unknown.
• Critical, which is priority level 1.
• High, which is priority level 2.
• Low, which is priority level 3.
Figure 1-9 The Neighbor Information tab
Table 1-11 describes the LLDP neighbor information of a port.
Table 1-11 LLDP neighbor information of an LLDP-enabled port
Chassis ID type
System capabilities enabled: The network function enabled on the system, which can be:
• Repeater
• Bridge
• Router
Auto-negotiation supported: Whether the neighbor supports auto-negotiation.
Auto-negotiation enabled: Whether auto-negotiation is enabled on the neighbor.
Asset tracking identifier: Asset ID advertised by the neighbor. This ID is used for the purpose of inventory management and asset tracking.
PoE PSE power source: The type of PSE power source advertised by the neighbor, which can be:
• Primary
• Backup
Port PSE priority: Available options include:
• Unknown, which indicates that the PSE priority of the port is unknown.
• Critical, which is priority level 1.
• High, which is priority level 2.
• Low, which is priority level 3.
Displaying Global LLDP Information
Select Network > LLDP from the navigation tree, and click the Global Summary tab to display the local device's global LLDP information and statistics, as shown in Figure 1-12.
Figure 1-12 The Global Summary tab
Table 1-12 describes the global LLDP information.
Table 1-12 Global LLDP information
Chassis ID: The local chassis ID, depending on the chassis type defined.
Return to LLDP Configuration Task List.
Displaying LLDP Information Received from LLDP Neighbors
Select Network > LLDP from the navigation tree and click the Neighbor Summary tab to display the global LLDP neighbor information, as shown in Figure 1-13.
Figure 1-13 The Neighbor Summary tab
Return to LLDP Configuration Task List.
Configuration procedure
1) Configure Switch A
# Enable LLDP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. (Optional. By default, LLDP is enabled on Ethernet ports.)
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
• Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-15. Select ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and click Modify Selected. The page shown in Figure 1-16 appears.
Figure 1-16 The page for setting LLDP on multiple ports
• Select Rx from the LLDP Operating Mode dropdown list.
• Click Apply.
# Enable global LLDP.
• Click the Global Setup tab, as shown in Figure 1-17.
• Select Enable from the LLDP Enable dropdown list.
• Click Apply.
2) Configure Switch B
# Enable LLDP on port GigabitEthernet 1/0/1. (Optional. By default, LLDP is enabled on Ethernet ports.)
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1.
• Select Network > LLDP from the navigation tree to enter the Port Setup tab, as shown in Figure 1-18. Click the icon for port GigabitEthernet1/0/1. The page shown in Figure 1-19 is displayed.
• Click the Global Setup tab.
• Select Enable from the LLDP Enable dropdown list.
• Click Apply.
Configuration verification
# Display the status information of port GigabitEthernet1/0/2 on Switch A.
• Select Network > LLDP from the navigation tree to enter the Port Setup tab.
• Click the GigabitEthernet1/0/2 port name in the port list.
• Click the Status Information tab at the lower half of the page.
CDP-Compatible LLDP Configuration Example Network requirements As shown in Figure 1-22, port GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each connected to a Cisco IP phone. On Switch A configure VLAN 2 as a voice VLAN and configure CDP-compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN, thus confining their voice traffic within the voice VLAN to be separate from other types of traffic.
Figure 1-24 The page for configuring ports
• Select Trunk in the Link Type drop-down list.
• Click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
• Click Apply.
# Configure the voice VLAN function on the two ports.
• Select Network > Voice VLAN from the navigation bar and click the Port Setup tab to enter the page for configuring the voice VLAN function on ports, as shown in Figure 1-25.
Figure 1-25 The page for configuring the voice VLAN function on ports
• Select Auto in the Voice VLAN port mode drop-down list.
• Select Enable in the Voice VLAN port state drop-down list.
• Type the voice VLAN ID 2.
• Click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
• Click Apply.
# Enable LLDP on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. If LLDP is enabled (the default), skip this step.
Figure 1-26 The Port Setup tab
Figure 1-27 The page for modifying LLDP settings on ports
• Select TxRx from the LLDP Operating Mode dropdown list.
• Select TxRx from the CDP Operating Mode dropdown list.
• Click Apply.
# Enable global LLDP and CDP compatibility of LLDP.
• Click the Global Setup tab, as shown in Figure 1-28.
• Select Enable from the LLDP Enable dropdown list.
• Select Enable from the CDP Compatibility dropdown list.
• Click Apply.
Configuration verification
# Display information about LLDP neighbors on Switch A.
Display information about LLDP neighbors on Switch A after completing the configuration. You can see that Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1/0/1 and GigabitEthernet1/0/2 and obtained their device information.
Table of Contents
1 IGMP snooping 1-1
  Overview 1-1
    Principle of IGMP Snooping 1-1
    IGMP Snooping Related Ports
1 IGMP snooping Overview Internet Group Management Protocol Snooping (IGMP snooping) is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups. Principle of IGMP Snooping By analyzing received IGMP messages, a Layer 2 device running IGMP snooping establishes mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings.
Figure 1-2 IGMP snooping related ports (diagram: Router A and the Source connect to Switch A and Switch B through ports GE1/0/1 to GE1/0/3; Hosts A through D are the receivers; the legend marks the router port, member ports, and multicast packets)
IGMP snooping related ports include:
• Router port: A router port is a port on an Ethernet switch that leads the switch towards the Layer 3 multicast device (DR or IGMP querier). In the figure, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are router ports.
You can add or delete only dynamic ports rather than static ports.
When receiving a general query
The IGMP querier periodically sends IGMP general queries to all hosts and routers (224.0.0.1) on the local subnet to find out whether any active multicast group members exist on the subnet.
forwarding entry for the member port corresponding to the host from the forwarding table when its aging timer expires. When an IGMPv2 or IGMPv3 host leaves a multicast group, the host sends an IGMP leave message to the multicast router to announce that it has left the multicast group.
Configuring IGMP Snooping in a VLAN (Required): Enable IGMP snooping in the VLAN and configure the IGMP snooping version and querier feature. By default, IGMP snooping is disabled in a VLAN.
• IGMP snooping must be enabled globally before it can be enabled in a VLAN.
• When you enable IGMP snooping in a VLAN, this function takes effect for ports in this VLAN only.
(Optional) Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN.
Table 1-2 IGMP snooping configuration items
IGMP snooping: Globally enable or disable IGMP snooping.
Return to IGMP snooping configuration task list.
Configuring IGMP Snooping in a VLAN
Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page shown in Figure 1-3. Click the icon corresponding to the VLAN to enter the page where you can configure IGMP snooping in the VLAN, as shown in Figure 1-4.
Drop Unknown: Enable or disable the function of dropping unknown multicast packets. Unknown multicast data refers to multicast data for which no entries exist in the IGMP snooping forwarding table.
• With the function of dropping unknown multicast data enabled, the switch drops all the unknown multicast data received.
• With the function of dropping unknown multicast data disabled, the switch floods unknown multicast data in the VLAN to which the unknown multicast data belong.
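The forwarding table that the Overview section describes (router port learned from the querier, member ports learned from reports, aging, leave handling with and without fast leave) together with the Drop Unknown behaviour above, as an added Python model. This is not code from the 3Com guide or the switch. Port names follow the chapter's example (VLAN 100, router on GigabitEthernet 1/0/1, receiver on GigabitEthernet 1/0/3 with fast leave); the group addresses, the 260 s member aging time and the 2 s grace period after a leave without fast leave are constructed assumptions, not the switch's defaults. Unknown multicast with Drop Unknown enabled is dropped outright, as the table entry states.

```python
"""Added example, not code from the 3Com guide: a small model of the IGMP
snooping forwarding table the text describes. It learns a router port from
the querier's general query, learns member ports from membership reports,
ages them out, handles leave messages with and without fast leave, and
applies the Drop Unknown setting to multicast data for which no entry
exists. Port names, group addresses and timer values are constructed; the
aging and leave-wait times are assumptions, not the switch's defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set


@dataclass
class SnoopingVlan:
    vlan_id: int
    ports: FrozenSet[str]                        # every port in the VLAN
    drop_unknown: bool = False                   # the Drop Unknown item
    fast_leave_ports: Set[str] = field(default_factory=set)
    member_timeout: float = 260.0                # assumed aging time of a dynamic member port
    leave_wait: float = 2.0                      # assumed grace period after a leave without fast leave
    router_ports: Set[str] = field(default_factory=set)
    # group address -> {member port -> time at which its aging timer expires}
    members: Dict[str, Dict[str, float]] = field(default_factory=dict)

    def on_general_query(self, port: str) -> None:
        # A general query comes from the IGMP querier, so this port leads
        # towards the Layer 3 multicast device: learn it as a router port.
        self.router_ports.add(port)

    def on_report(self, port: str, group: str, now: float) -> None:
        # A membership report adds the port as a member port of the group
        # (or refreshes it) and restarts its aging timer.
        self.members.setdefault(group, {})[port] = now + self.member_timeout

    def on_leave(self, port: str, group: str, now: float) -> None:
        entry = self.members.get(group)
        if entry is None or port not in entry:
            return
        if port in self.fast_leave_ports:
            del entry[port]                      # fast leave: remove the member port at once
        else:
            entry[port] = now + self.leave_wait  # otherwise keep it briefly in case a report follows
        if not entry:
            del self.members[group]

    def expire(self, now: float) -> None:
        """Remove member ports whose aging timer has run out."""
        for group in list(self.members):
            entry = self.members[group]
            for port in [p for p, t in entry.items() if t <= now]:
                del entry[port]
            if not entry:
                del self.members[group]

    def forwarding_ports(self, group: str, ingress: str, now: float) -> Set[str]:
        """Ports that receive a multicast data frame for `group` arriving on `ingress`."""
        self.expire(now)
        out: Set[str] = set()
        if group in self.members:
            out |= set(self.members[group]) | self.router_ports
        elif not self.drop_unknown:
            out |= self.ports                    # no entry: flood within the VLAN
        # with Drop Un
        # known enabled and no entry, the frame is dropped (out stays empty)
        out.discard(ingress)
        return out


def demo() -> Dict[str, Set[str]]:
    """Walk through the chapter's scenario: VLAN 100, the router on
    GigabitEthernet 1/0/1, a receiver on GigabitEthernet 1/0/3 with fast leave."""
    ge1, ge2, ge3 = "GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "GigabitEthernet1/0/3"
    vlan = SnoopingVlan(100, frozenset({ge1, ge2, ge3}), fast_leave_ports={ge3})
    trace: Dict[str, Set[str]] = {}
    vlan.on_general_query(ge1)
    vlan.on_report(ge3, "224.1.1.1", now=0)
    trace["known group"] = vlan.forwarding_ports("224.1.1.1", ge1, now=10)
    trace["unknown, flood"] = vlan.forwarding_ports("224.2.2.2", ge1, now=10)
    vlan.drop_unknown = True
    trace["unknown, drop"] = vlan.forwarding_ports("224.2.2.2", ge1, now=10)
    vlan.on_report(ge2, "224.1.1.1", now=10)
    trace["two members"] = vlan.forwarding_ports("224.1.1.1", ge1, now=11)
    vlan.on_leave(ge2, "224.1.1.1", now=20)      # no fast leave on ge2
    trace["after leave, in grace"] = vlan.forwarding_ports("224.1.1.1", ge1, now=21)
    trace["after leave, expired"] = vlan.forwarding_ports("224.1.1.1", ge1, now=23)
    vlan.on_leave(ge3, "224.1.1.1", now=30)      # fast leave on ge3
    trace["after fast leave"] = vlan.forwarding_ports("224.1.1.1", ge1, now=30)
    vlan.on_report(ge3, "224.1.1.1", now=100)
    trace["aged out"] = vlan.forwarding_ports("224.1.1.1", ge1, now=361)
    return trace


if __name__ == "__main__":
    for step, ports in demo().items():
        print("%-25s -> %s" % (step, sorted(ports)))
```

The trace makes the operational trade-off visible: with Drop Unknown disabled an unjoined group reaches every port in the VLAN, and without fast leave a port keeps receiving the stream for the grace period after the host has left.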
Table 1-4 Configuration items for advanced IGMP snooping features
Port: Select the port on which advanced IGMP snooping features are to be configured. The port can be an Ethernet port or Layer-2 aggregate port. After a port is selected, advanced features configured on this port are displayed at the lower part of this page.
Figure 1-7 Details about an IGMP snooping multicast entry
Table 1-5 describes the IGMP snooping multicast entry information.
Table 1-5 Description of IGMP snooping multicast entries
VLAN ID: ID of the VLAN to which the entry belongs
Source Address: Multicast source address, where 0.0.0.0 indicates all multicast sources.
Figure 1-8 Network diagram for IGMP snooping configuration
Configuration procedure
1) Configure IP addresses
Configure the IP address for each interface as per Figure 1-8. The detailed configuration steps are omitted.
2) Configure Router A
Enable IP multicast routing, enable PIM-DM on each interface, and enable IGMP on Ethernet 1/1. The detailed configuration steps are omitted.
3) Configure Switch A
# Create VLAN 100 and add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to VLAN 100.
Figure 1-9 Create VLAN 100
• Type the VLAN ID 100.
• Click Apply to complete the operation.
• Click the Modify Port tab to enter the configuration page shown in Figure 1-10.
Figure 1-10 Add a port to the VLAN
• Select GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 in the Select Ports field.
• Select the Untagged radio button for Select membership type.
• Type the VLAN ID 100.
• Click Apply to complete the operation.
# Enable IGMP snooping globally.
• Select Network > IGMP snooping in the navigation tree to enter the basic configuration page and perform the following as shown in Figure 1-11.
Figure 1-11 Enable IGMP snooping globally
• Select Enable and click Apply to globally enable IGMP snooping.
# In VLAN 100, enable IGMP snooping and the function of dropping unknown multicast data.
• Click the icon corresponding to VLAN 100 to enter its configuration page and perform the following configurations, as shown in Figure 1-12.
Figure 1-12 Configure IGMP snooping in the VLAN
• Select the Enable radio button for IGMP snooping and 2 for Version.
Figure 1-13 Configure IGMP snooping on GigabitEthernet 1/0/3
• Select GigabitEthernet 1/0/3 from the Port drop-down list.
• Type the VLAN ID 100.
• Select the Enable radio button for Fast Leave.
• Click Apply to complete the operation.
Configuration verification
# Display the IGMP snooping multicast entry information on Switch A.
• Select Network > IGMP Snooping in the navigation tree to enter the basic configuration page.
Figure 1-14 IGMP snooping multicast entry information displaying page
• Click the icon corresponding to the multicast entry (0.0.0.0, 224.1.1.1) to view details about this entry, as shown in Figure 1-15.
Figure 1-15 Details about an IGMP snooping multicast entry
As shown above, GigabitEthernet 1/0/3 of Switch A is listening to multicast streams destined for multicast group 224.1.1.1.
Table of Contents
1 Routing Configuration 1-1
  Overview 1-1
    Routing Table 1-1
    Static Route
1 Routing Configuration
The term "router" in this document refers to a switch supporting routing function.
Overview
Routers are responsible for routing packets on the Internet. A router selects an appropriate route according to the destination address of a received packet and forwards the packet to the next router. The last router on the path is responsible for sending the packet to the destination host.
Routing Table
Routers forward packets through a routing table.
While configuring a static route, you can specify either the output interface or the next hop address as needed. The next hop address cannot be a local interface's IP address; otherwise, the route configuration will not take effect. In practice, a next hop address must be identified for every route entry, because the router uses the next hop address of a matching entry to resolve the corresponding link layer address.
Preference: Preference value for the IPv4 route. The smaller the number, the higher the preference.
Next Hop: Next hop IP address of the IPv4 route
Interface: Outgoing interface of the IPv4 route. Packets destined for the specified network segment will be sent out the interface.
Creating an IPv4 Static Route
Select Network > IPv4 Routing from the navigation tree and click the Create tab to enter the IPv4 static route configuration page, as shown in Figure 1-2.
Preference: Set a preference value for the static route. The smaller the number, the higher the preference. For example, specifying the same preference for multiple static routes to the same destination enables load sharing on the routes, while specifying different preferences enables route backup.
Next Hop: Type the next hop IP address, in dotted decimal notation.
Interface: Select the outgoing interface.
Figure 1-4 Configure a default route
Make the following configurations on the page:
• Type 0.0.0.0 for Destination IP Address.
• Select 0 (0.0.0.0) from the Mask drop-down list.
• Type 1.1.4.2 for Next Hop.
• Click Apply.
# Configure a static route to Switch A and Switch C respectively on Switch B.
• After you log in to the Web interface of Switch B, select Network > IPv4 Routing from the navigation tree and then click the Create tab to enter the page shown in Figure 1-5.
Figure 1-5 Configure a static route
Make the following configurations on the page:
• Type 1.1.2.0 for Destination IP Address.
• Select 24 (255.255.255.0) from the Mask drop-down list.
• Type 1.1.4.1 for Next Hop.
• Click Apply.
• Type 1.1.3.0 for Destination IP Address.
• Select 24 (255.255.255.0) from the Mask drop-down list.
• Type 1.1.5.6 for Next Hop.
• Click Apply.
# Configure a default route to Switch B on Switch C.
Figure 1-6 Configure a default route
• Type 0.0.0.0 for Destination IP Address.
• Select 0 (0.0.0.0) from the Mask drop-down list.
• Type 1.1.5.5 for Next Hop.
• Click Apply.
Verify the configuration
# Display the route table.
Enter the IPv4 route page of Switch A, Switch B, and Switch C respectively to verify that the newly configured static routes are displayed as active routes on the page.
# Use the ping command for verification.
Ping Host B from Host A (assuming both hosts run Windows XP).
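A routing table model for the rules this chapter states (longest prefix match, smaller preference wins, equal preferences share the load, different preferences give a backup, and a next hop on a local interface never takes effect), as an added Python example. It is not code from the 3Com guide or the switch. The routes are the Switch B entries from the example above (1.1.2.0/24 via 1.1.4.1 and 1.1.3.0/24 via 1.1.5.6); Switch B's own addresses 1.1.4.2 and 1.1.5.5 are inferred from the next hops that Switch A and Switch C point at; the host address 1.1.2.10 and the default preference of 60 are constructed assumptions, and the Route and RoutingTable classes are invented for the example.

```python
"""Added example, not code from the 3Com guide: a routing table model for
the lookup rules this chapter describes. Routes to the same destination
are ranked by preference (smaller wins; equal preferences share the load),
forwarding uses the longest prefix match over the active routes, and a
static route whose next hop is one of the router's own interface addresses
is rejected because the guide says such a route never takes effect.
Switch B's routes come from the example above; its local addresses are
inferred from the neighbours' next hops; the host address and the default
preference of 60 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Route:
    destination: str      # network in prefix form, "0.0.0.0/0" for the default route
    next_hop: str
    preference: int = 60  # constructed default; the smaller the number, the higher the preference

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(self.destination)


class RoutingTable:
    def __init__(self, local_addresses: Set[str]):
        self.local_addresses = {ipaddress.IPv4Address(a) for a in local_addresses}
        self.routes: List[Route] = []

    def add_static(self, route: Route) -> None:
        """Reject the case the guide warns about: a next hop on a local interface."""
        next_hop = ipaddress.IPv4Address(route.next_hop)
        if next_hop in self.local_addresses:
            raise ValueError("next hop %s is a local interface address" % route.next_hop)
        ipaddress.IPv4Network(route.destination)   # raises ValueError on a malformed prefix
        self.routes.append(route)

    def active_routes(self) -> List[Route]:
        """Per destination, only the routes with the best (smallest) preference are active."""
        by_destination: Dict[str, List[Route]] = {}
        for route in self.routes:
            by_destination.setdefault(route.destination, []).append(route)
        active: List[Route] = []
        for routes in by_destination.values():
            best = min(r.preference for r in routes)
            active.extend(r for r in routes if r.preference == best)
        return active

    def lookup(self, address: str) -> List[Route]:
        """Longest prefix match over the active routes. More than one result
        means equal-preference routes to the same destination sharing the load."""
        ip = ipaddress.IPv4Address(address)
        matches = [r for r in self.active_routes() if ip in r.network]
        if not matches:
            return []
        longest = max(r.network.prefixlen for r in matches)
        return [r for r in matches if r.network.prefixlen == longest]


def switch_b_table() -> RoutingTable:
    """Switch B as configured in the example: two static routes, no default route."""
    table = RoutingTable(local_addresses={"1.1.4.2", "1.1.5.5"})
    table.add_static(Route("1.1.2.0/24", "1.1.4.1"))
    table.add_static(Route("1.1.3.0/24", "1.1.5.6"))
    return table


def next_hops(table: RoutingTable, address: str) -> List[str]:
    return sorted(r.next_hop for r in table.lookup(address))


if __name__ == "__main__":
    b = switch_b_table()
    print("1.1.2.10 via", next_hops(b, "1.1.2.10"))    # ['1.1.4.1']
    print("8.8.8.8  via", next_hops(b, "8.8.8.8"))     # [] : Switch B has no default route
    try:
        b.add_static(Route("10.0.0.0/8", "1.1.4.2"))
    except ValueError as e:
        print("rejected:", e)
```

Checking the next hop against the local addresses at configuration time turns the silent failure the guide describes (a route that is accepted but never becomes active) into an immediate error.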
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
Precautions
When configuring a static route, note the following:
1) If you do not specify the preference when configuring a static route, the default preference will be used. Reconfiguration of the default preference applies only to newly created static routes. Currently, the Web interface does not support configuration of the default preference.
Table of Contents
1 DHCP Overview 1-1
  Introduction to DHCP 1-1
  DHCP Address Allocation 1-1
    Allocation Mechanisms
1 DHCP Overview
After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates configuration and centralized management. For details about the DHCP client configuration, refer to VLAN Interface Configuration.
Introduction to DHCP
The fast expansion and growing complexity of networks result in scarce IP addresses assignable to hosts.
• Manual allocation: The network administrator assigns an IP address to a client like a WWW server, and DHCP conveys the assigned address to the client.
• Automatic allocation: DHCP assigns a permanent IP address to a client.
• Dynamic allocation: DHCP assigns an IP address to a client for a limited period of time, which is called a lease. Most DHCP clients obtain their addresses in this way.
IP Address Lease Extension

The IP address dynamically allocated by a DHCP server to a client has a lease. When the lease expires, the DHCP server reclaims the IP address. If the client wants to keep using the IP address, it has to extend the lease. When half of the lease duration has elapsed, the DHCP client unicasts a DHCP-REQUEST to the DHCP server to extend the lease.
• file: Bootfile name and path information, defined by the server to the client.
• options: Optional parameters field that is variable in length, which includes the message type, lease, domain name server IP address, and WINS IP address.

DHCP Options

DHCP Options Overview

The DHCP message adopts the same format as the Bootstrap Protocol (BOOTP) message for compatibility, but differs from it in the option field, which identifies new features for DHCP.
Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s request, it adds Option 82 to the request message before forwarding the message to the server. The administrator can locate the DHCP client to further implement security control and accounting.
2 DHCP Relay Agent Configuration

Introduction to DHCP Relay Agent

Application Environment

Since DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server would be needed on each subnet, which is not practical. The DHCP relay agent solves this problem: via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters.
Figure 2-2 DHCP relay agent work process

As shown in Figure 2-2, the DHCP relay agent works as follows:
1) After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
2) Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters to the relay agent, which conveys them to the client.
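The relay process above, together with the Option 82 insertion described in the DHCP Options section, as an added example that is not code from this manual or the switch: a Python model of what the relay agent does to a client's DISCOVER before unicasting it to the server group (fill giaddr, count the hop, attach Option 82) and what the server reads back from it. The relay address 192.168.1.1, the circuit-ID and remote-ID strings and the client MAC are constructed values, and replacing a pre-existing Option 82 with the relay's own is an assumption.

```python
import socket
import struct

# Added example (constructed), not code from the 3Com manual.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE = 53          # DHCP message type
OPT_RELAY_AGENT = 82       # relay agent information (Option 82)
OPT_END = 255
SUB_CIRCUIT_ID = 1         # Option 82 sub-option: circuit ID
SUB_REMOTE_ID = 2          # Option 82 sub-option: remote ID
MAX_HOPS = 16              # RFC 1542: relay agents discard messages above this


def parse_options(raw: bytes) -> list:
    """Split the option field into an ordered list of (code, value) pairs."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                # pad octet
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        opts.append((code, raw[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def build_options(opts: list) -> bytes:
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def make_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCP-DISCOVER as a client broadcasts it (giaddr 0.0.0.0, hops 0)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen, hops
                         xid, 0, 0x8000,             # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4,       # ciaddr, yiaddr
                         b"\0" * 4, b"\0" * 4,       # siaddr, giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + build_options([(OPT_MSG_TYPE, b"\x01")])


def relay_to_server(msg: bytes, relay_ip: str, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Step 1 of the relay process: the message as the relay agent forwards it."""
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    header = bytearray(msg[:236])
    if header[3] >= MAX_HOPS:
        raise ValueError("hop count exceeded, message discarded")
    header[3] += 1                                   # hops
    if bytes(header[24:28]) == b"\0" * 4:            # only the first relay fills giaddr
        header[24:28] = socket.inet_aton(relay_ip)
    # Assumption: a client-supplied Option 82 is replaced by the relay's own.
    opts = [(c, v) for c, v in parse_options(msg[240:]) if c != OPT_RELAY_AGENT]
    sub = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
           + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    opts.append((OPT_RELAY_AGENT, sub))
    return bytes(header) + MAGIC_COOKIE + build_options(opts)


def relay_info(msg: bytes) -> dict:
    """Step 2, server side: giaddr selects the client subnet; Option 82 locates the client."""
    info = {"hops": msg[3], "giaddr": socket.inet_ntoa(msg[24:28]),
            "circuit_id": None, "remote_id": None}
    for code, value in parse_options(msg[240:]):
        if code != OPT_RELAY_AGENT:
            continue
        i = 0
        while i < len(value):
            sub, length = value[i], value[i + 1]
            body = value[i + 2:i + 2 + length]
            if sub == SUB_CIRCUIT_ID:
                info["circuit_id"] = body
            elif sub == SUB_REMOTE_ID:
                info["remote_id"] = body
            i += 2 + length
    return info


if __name__ == "__main__":
    discover = make_discover(bytes.fromhex("000d88f62b1a"))   # constructed client MAC
    relayed = relay_to_server(discover, "192.168.1.1", b"vlan1:ge1/0/1", b"switch-a")
    print(relay_info(relayed))
```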
Task: Configuring and Displaying Clients' IP-to-MAC Bindings
Remarks: Optional. Create a static IP-to-MAC binding, and view static and dynamic bindings.

Configuring and Displaying Clients' IP-to-MAC Bindings

The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent, so that users can access the external network using fixed IP addresses. By default, no static binding is created.
Table 2-1 DHCP service and advanced DHCP relay agent configuration items

Item: DHCP Service
Description: Enable or disable global DHCP.

Description: Enable or disable unauthorized DHCP server detection. Unauthorized DHCP servers on a network may reply to DHCP clients with wrong IP addresses.
Table 2-2 DHCP server group configuration items

Item: Server Group ID
Description: Type the ID of a DHCP server group. You can create up to 20 DHCP server groups.

Item: IP Address
Description: Type the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent; otherwise, the client cannot obtain an IP address.

Return to DHCP Relay Agent Configuration Task List.
Configuring and Displaying Clients' IP-to-MAC Bindings

Select Network > DHCP from the navigation tree to enter the default DHCP Relay page shown in Figure 2-3. In the User Information field, click the User Information button to view static and dynamic bindings, as shown in Figure 2-6. Click Add to enter the page shown in Figure 2-7.

Figure 2-6 Display clients' IP-to-MAC bindings

Figure 2-7 Create a static IP-to-MAC binding

Table 2-4 describes static IP-to-MAC binding configuration items.
VLAN-interface 2 is 10.1.1.1/24. VLAN-interface 2 is connected to the DHCP server whose IP address is 10.1.1.1/24. The switch forwards messages between DHCP clients and the DHCP server.

Figure 2-8 Network diagram for DHCP relay agent configuration

Configuration procedure
1) Specify IP addresses for interfaces (omitted)
2) Configure the DHCP relay agent

# Enable DHCP.
• Select Network > DHCP from the navigation tree to enter the default DHCP Relay page.
Figure 2-9 Enable DHCP

• Click on the Enable radio button next to DHCP Service.
• Click Apply.

# Configure a DHCP server group.
• In the Server Group field, click Add and then perform the following operations, as shown in Figure 2-10.

Figure 2-10 Add a DHCP server group

• Type 1 for Server Group ID.
• Type 10.1.1.1 for IP Address.
• Click Apply.

# Enable the DHCP relay agent on VLAN-interface 1.
• In the Interface Config field, click the icon of VLAN-interface 1, and then perform the following operations, as shown in Figure 2-11.

Figure 2-11 Enable the DHCP relay agent on an interface and correlate it with a server group

• Click on the Enable radio button next to DHCP Relay.
• Select 1 for Server Group ID.
• Click Apply.

Because the DHCP relay agent and server are on different subnets, you need to configure a static route or dynamic routing protocol to make them reachable to each other.
3 DHCP Snooping Configuration

• A DHCP snooping enabled device does not work if it is between the DHCP relay agent and the DHCP server; it works when it is between the DHCP client and the relay agent, or between the DHCP client and the server.
• It is not recommended to enable the DHCP client, BOOTP client, and DHCP snooping on the same device. Otherwise, DHCP snooping entries may fail to be generated, or the BOOTP client/DHCP client may fail to obtain an IP address.
Application Environment of Trusted Ports

Configuring a trusted port connected to a DHCP server

Figure 3-1 Configure trusted and untrusted ports

As shown in Figure 3-1, a DHCP snooping device's port that is connected to an authorized DHCP server should be configured as a trusted port to forward reply messages from the DHCP server, so that the DHCP client can obtain an IP address from the authorized DHCP server.
Table 3-1 Roles of ports

Device    Untrusted port                                   Trusted port disabled from recording binding entries   Trusted port enabled to record binding entries
Switch A  GigabitEthernet 1/0/1                            GigabitEthernet 1/0/3                                  GigabitEthernet 1/0/2
Switch B  GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4  GigabitEthernet 1/0/1                                  GigabitEthernet 1/0/2
Switch C  GigabitEthernet 1/0/1                            GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4        GigabitEthernet 1/0/2

DHCP Snooping Support for Option 82

Option 82 records the location infor
Task: Displaying Clients' IP-to-MAC Bindings
Remarks: Optional. Display clients' IP-to-MAC bindings recorded by DHCP snooping.

Enabling DHCP Snooping

Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 3-3. You can enable or disable DHCP snooping in the DHCP Snooping field.

Figure 3-3 DHCP snooping configuration page

• To enable DHCP snooping, click on the Enable radio button in the DHCP Snooping field.
Configuring DHCP Snooping Functions on an Interface

Select Network > DHCP from the navigation tree, and then click the DHCP Snooping tab to enter the page shown in Figure 3-3. You can view trusted and untrusted ports in the Interface Config field. Click the icon of a specific interface to enter the page shown in Figure 3-4.

Figure 3-4 DHCP snooping interface configuration page

Table 3-2 describes DHCP snooping interface configuration items.
Table 3-3 DHCP snooping user information configuration items

Item: IP Address
Description: This field displays the IP address assigned by the DHCP server to the client.

Item: MAC Address
Description: This field displays the MAC address of the client.

Item: Type
Description: This field displays the client type, which can be:
• Dynamic: The IP-to-MAC binding is generated dynamically.
• Static: The IP-to-MAC binding is configured manually. Currently, static bindings are not supported.
Figure 3-7 Enable DHCP snooping

• Click on the Enable radio button next to DHCP Snooping.

# Configure DHCP snooping functions on GigabitEthernet 1/0/1.
• Click the icon of GigabitEthernet 1/0/1 on the interface list. Perform the following operations on the DHCP Snooping Interface Configuration page shown in Figure 3-8.

Figure 3-8 Configure DHCP snooping functions on GigabitEthernet 1/0/1

• Click on the Trust radio button next to Interface State.
• Click Apply.

# Configure DHCP snooping functions on GigabitEthernet 1/0/2.
• Click the icon of GigabitEthernet 1/0/2 on the interface list. Perform the following operations on the DHCP Snooping Interface Configuration page shown in Figure 3-9.

Figure 3-9 Configure DHCP snooping functions on GigabitEthernet 1/0/2

• Click on the Untrust radio button for Interface State.
• Click on the Enable radio button next to Option 82 Support.
• Select Replace for Option 82 Strategy.
• Click Apply.
1 Service Management

Overview

The service management module provides six types of services: FTP, Telnet, SSH, SFTP, HTTP and HTTPS. You can enable or disable the services as needed. In this way, the performance and security of the system can be enhanced, and secure management of the device can be achieved.
• Encrypts the data exchanged between the HTTPS client and the device to ensure data security and integrity, thus realizing secure management of the device;
• Defines a certificate attribute-based access control policy for the device to control the access rights of clients, in order to further prevent attacks from illegal clients.

Configuring Service Management

Select Network > Service from the navigation tree to enter the service management configuration page, as shown in Figure 1-1.
Item: SFTP > Enable SFTP service
Description: Specifies whether to enable the SFTP service. The SFTP service is disabled by default. When you enable the SFTP service, the SSH service must be enabled.

Item: Enable HTTP service
Description: Specifies whether to enable the HTTP service. The HTTP service is enabled by default.

Item: HTTP Port Number
Description: Sets the port number for the HTTP service. You can view this configuration item by clicking the expanding button in front of HTTP.
1 Diagnostic Tools

Overview

Ping

You can use the ping function to check whether a device with a specified address is reachable, and to examine network connectivity. A successful execution of the ping command involves the following steps:
1) The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2) The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source device after receiving the ICMP echo request.
Diagnostic Tool Operations

Ping Operation

The Web interface supports IPv4 ping operations only.

Select Network > Diagnostic Tools from the navigation tree to enter the ping configuration page, as shown in Figure 1-1.

Figure 1-1 Ping configuration page

Type the IPv4 address of the destination device in the Ping text box, and click Start to execute the ping command. You will see the result in the Summary area.
Trace Route Operation

• The Web interface supports trace route on IPv4 addresses only.
• Before performing the trace route operation on the Web interface, execute the commands ip ttl-expires enable and ip unreachables enable on the device to enable the sending of ICMP timeout and destination unreachable packets.

Select Network > Diagnostic Tools from the navigation tree and then select Trace Route to enter the Trace Route configuration page, as shown in Figure 1-3.
1 ARP Management

ARP Overview

ARP Function

The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address). In an Ethernet LAN, when a device sends data to another device, it uses ARP to translate the IP address of the destination device to the corresponding MAC address.

ARP Message Format

ARP messages are classified into ARP requests and ARP replies. Figure 1-1 shows the format of the ARP request/reply.
ARP Operation

Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 1-2. The resolution process is as follows:
• Host A looks into its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
Static ARP entry

A static ARP entry is manually configured and maintained. It cannot be aged out or overwritten by a dynamic ARP entry. Using static ARP entries enhances communication security: after a static ARP entry is specified, only the specified MAC address is associated with the specified IP address, so attack packets cannot modify the IP-to-MAC mapping and communications between devices are protected. Static ARP entries can be classified into permanent and non-permanent.
Creating a Static ARP Entry

Select Network > ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 1-3. Click Add to enter the New Static ARP Entry page. Select the Advanced Options checkbox to expand advanced configuration items, as shown in Figure 1-4.

Figure 1-4 Add a static ARP entry

Table 1-1 describes the static ARP entry configuration items.

Table 1-1 Static ARP entry configuration items

Item: IP Address
Description: Type an IP address for the static ARP entry.
Figure 1-5 Network diagram for configuring static ARP entries

Configuration procedure

# Create VLAN 100.
• Select Network > VLAN from the navigation tree, click the Add tab, and then perform the following operations, as shown in Figure 1-6.

Figure 1-6 Create VLAN 100

• Type 100 for VLAN ID.
• Click Create to complete the configuration.

# Add GigabitEthernet 1/0/1 to VLAN 100.
• Click the Modify Port tab and then perform the following operations, as shown in Figure 1-7.
Figure 1-7 Add GigabitEthernet 1/0/1 to VLAN 100

• Select interface GigabitEthernet 1/0/1 in the Select Ports field.
• Click on the Untagged radio button in the Select membership type field.
• Type 100 for VLAN IDs.
• Click Apply. A configuration progress dialog box appears, as shown in Figure 1-8.

Figure 1-8 Configuration progress dialog box

• After the configuration process is complete, click Close.

# Create VLAN-interface 100.
Figure 1-9 Create VLAN-interface 100

• Type 100 for VLAN ID.
• Select the Configure Primary IPv4 Address checkbox.
• Click on the Manual radio button.
• Type 192.168.1.2 for IPv4 Address.
• Select 24 (255.255.255.0) for Mask Length.
• Click Apply to complete the configuration.

# Create a static ARP entry.
• Select Network > ARP Management from the navigation tree to enter the default ARP Table page. Click Add, and then perform the following operations, as shown in Figure 1-10.
• Select the Advanced Options checkbox.
• Type 100 for VLAN ID.
• Select GigabitEthernet1/0/1 for Port.
• Click Apply to complete the configuration.

Gratuitous ARP

Introduction to Gratuitous ARP

In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
Table 1-2 Gratuitous ARP configuration items

Item: Disable gratuitous ARP packets learning function
Description: Enable or disable learning of ARP entries according to gratuitous ARP packets. Enabled by default.

Item: Send gratuitous ARP packets when receiving ARP requests from another network segment
Description: Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment. Disabled by default.

Description: Select interfaces for sending gratuitous ARP packets and type the sending period.
2 ARP Attack Defense Configuration

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
Figure 2-1 Man-in-the-middle attack (Host C sends forged ARP replies to Host A and Host B through the switch)

ARP detection mechanism

With ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the check are forwarded, and all other ARP messages are discarded.

1) ARP detection based on DHCP snooping entries/802.
After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings.
• If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.
• If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.
Configuring ARP Detection

If both ARP detection based on specified objects and ARP detection based on static IP-to-MAC bindings/DHCP snooping entries/802.1X security entries are enabled, the former applies first, and then the latter.

Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 2-2.

Figure 2-2 ARP Detection configuration page

Table 2-1 describes the ARP Detection configuration items.
Item: Trusted Ports
Description: Select trusted ports. To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted Ports list box and click the << button. To remove ports from the Trusted Ports list box, select one or multiple ports from the list box and click the >> button.
If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded. If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.
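The binding check described above, as an added example that is not code from this manual or the switch: a small parser for the Ethernet/IPv4 ARP request/reply format and the detection rule, run over constructed packets that include a spoofed reply of the kind shown in Figure 2-1 (Host C's MAC claiming Host A's IP). The bindings, MAC and IP values are constructed, and the outcome for a sender IP that has no entry at all is a parameter because the text above does not state it.

```python
import struct
from typing import Dict

# Added example (constructed), not code from the 3Com manual.
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(payload: bytes) -> dict:
    """Parse the 28-byte ARP request/reply body that follows the Ethernet header."""
    if len(payload) < 28:
        raise ValueError("ARP message too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    msg = {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
           "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}
    # Gratuitous ARP: sender IP and target IP are both the issuing device's address.
    msg["gratuitous"] = msg["sender_ip"] == msg["target_ip"]
    return msg


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP message for the checks below (not captured traffic)."""
    def mac(s: str) -> bytes:
        return bytes.fromhex(s.replace(":", ""))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


def arp_detect(msg: dict, bindings: Dict[str, str], no_entry: str = "pass") -> str:
    """The rule from the text: an entry with the sender IP but a different MAC means
    the packet is invalid ('discard'); IP and MAC both matching means valid ('pass').
    The text does not say what happens when no entry exists, so that outcome is a
    parameter here (assumption)."""
    bound_mac = bindings.get(msg["sender_ip"])
    if bound_mac is None:
        return no_entry
    return "pass" if bound_mac == msg["sender_mac"] else "discard"


if __name__ == "__main__":
    # Constructed static bindings: Host A = .10, Host B = .11; Host C (.12) has none.
    bindings = {"192.168.1.10": "00:0d:88:00:00:0a", "192.168.1.11": "00:0d:88:00:00:0b"}
    genuine = build_arp(ARP_REPLY, "00:0d:88:00:00:0a", "192.168.1.10",
                        "00:0d:88:00:00:0b", "192.168.1.11")
    # Host C's MAC with Host A's IP: the forged reply of Figure 2-1.
    spoofed = build_arp(ARP_REPLY, "00:0d:88:00:00:0c", "192.168.1.10",
                        "00:0d:88:00:00:0b", "192.168.1.11")
    for name, pkt in (("genuine", genuine), ("spoofed", spoofed)):
        print(name, arp_detect(parse_arp(pkt), bindings))
```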
1 802.1X

Overview

The 802.1X protocol was proposed by the IEEE 802 LAN/WAN committee for security of wireless LANs (WLAN). It has since been widely used on Ethernet as a common port access control mechanism. As a port-based access control protocol, 802.1X authenticates and controls accessing devices at the port level. A device connected to an 802.1X-enabled port of an access control device can access the resources on the LAN only after passing authentication.

Architecture of 802.1X

802.
• Between the device and the RADIUS server, EAP protocol packets can be exchanged in two modes: EAP relay and EAP termination. In EAP relay mode, EAP packets are encapsulated in EAP over RADIUS (EAPOR) packets on the device, and then relayed by the device to the RADIUS server.
Control direction

In the unauthorized state, the controlled port can be set to deny traffic to and from the client, or just the traffic from the client. Currently, your device can only be set to deny traffic from the client.

EAP over LANs

EAPOL frame format

EAPOL, defined in 802.1X, is intended to carry EAP protocol packets between clients and devices over LANs. Figure 1-3 shows the EAPOL frame format.

Figure 1-3 EAPOL frame format

PAE Ethernet type: Protocol type. It takes the value 0x888E.
EAP packet format

An EAP-Packet-type EAPOL frame carries an EAP packet in its Packet body field. The format of the EAP packet is shown in Figure 1-4.

Figure 1-4 EAP packet format

Code: Type of the EAP packet, which can be Request, Response, Success, or Failure.
• An EAP Success/Failure packet has no Data field, and has a length of 4.
• An EAP Request/Response packet has a Data field in the format shown in Figure 1-5. The Type field indicates the EAP authentication type.
Message-Authenticator

Figure 1-7 shows the encapsulation format of the Message-Authenticator attribute. The Message-Authenticator attribute is used to prevent access requests from being snooped during EAP or CHAP authentication. It must be included in any packet with the EAP-Message attribute; otherwise, the packet will be considered invalid and discarded.

Figure 1-7 Encapsulation format of the Message-Authenticator attribute

802.1X Authentication Triggering

802.
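How a RADIUS server checks the Message-Authenticator attribute before accepting an Access-Request that carries EAP-Message, as an added example that is not the switch's code: the RFC 2869 construction, in which the attribute is first zero-filled, HMAC-MD5 with the shared secret is taken over the whole packet, and the received value is compared in constant time. The shared secret, Request Authenticator and attribute values below are constructed, and only Access-Request packets are handled.

```python
import hashlib
import hmac
import struct

# Added example (constructed), not code from the 3Com manual.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def build_attrs(attrs: list) -> bytes:
    """Encode (type, value) pairs as RADIUS TLVs; the length octet counts itself."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(raw: bytes) -> list:
    out, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed attribute")
        out.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return out


def build_access_request(identifier: int, request_auth: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = build_attrs(attrs)
    return struct.pack("!BBH16s", ACCESS_REQUEST, identifier, 20 + len(body), request_auth) + body


def sign_access_request(identifier: int, request_auth: bytes, attrs: list, secret: bytes) -> bytes:
    """Client side: append Message-Authenticator holding 16 zero bytes, HMAC-MD5 the
    whole packet with the shared secret, then write the digest into those 16 bytes."""
    attrs = [a for a in attrs if a[0] != ATTR_MESSAGE_AUTHENTICATOR]
    attrs.append((ATTR_MESSAGE_AUTHENTICATOR, b"\0" * 16))
    pkt = build_access_request(identifier, request_auth, attrs)
    digest = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + digest          # the placeholder is the last attribute's value


def verify_access_request(pkt: bytes, secret: bytes) -> bool:
    """Server side: a packet carrying EAP-Message without a valid Message-Authenticator
    is invalid and must be discarded (returns False)."""
    if len(pkt) < 20:
        return False
    code, identifier, length, request_auth = struct.unpack("!BBH16s", pkt[:20])
    if length != len(pkt):
        return False
    try:
        attrs = parse_attrs(pkt[20:])
    except ValueError:
        return False
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _ in attrs)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not has_eap             # tolerated only when no EAP-Message is present
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    # Recompute over the packet with the attribute value zeroed, in its original place.
    zeroed = [(t, b"\0" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    canon = struct.pack("!BBH16s", code, identifier, length, request_auth) + build_attrs(zeroed)
    expected = hmac.new(secret, canon, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


if __name__ == "__main__":
    secret = b"constructed-secret"                  # constructed shared secret
    request_auth = bytes(range(16))                 # constructed Request Authenticator
    attrs = [(ATTR_USER_NAME, b"alice"),
             (ATTR_EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")]   # EAP-Response/Identity
    signed = sign_access_request(7, request_auth, attrs, secret)
    print("valid:", verify_access_request(signed, secret))
    print("wrong secret:", verify_access_request(signed, b"other-secret"))
```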
Figure 1-8 802.
9) When receiving the RADIUS Access-Request packet, the RADIUS server compares the password information encapsulated in the packet with that generated by itself. If the two are identical, the authentication server considers the user valid and sends a RADIUS Access-Accept packet to the device.
10) Upon receiving the RADIUS Access-Accept packet, the device opens the port to grant the access request of the client.
Figure 1-9 802.1X authentication procedure in EAP termination mode

Message sequence shown in the figure (EAPOL between client and device, EAPOR between device and server):
1) Client -> Device: EAPOL-Start
2) Device -> Client: EAP-Request / Identity
3) Client -> Device: EAP-Response / Identity
4) Device -> Client: EAP-Request / MD5 challenge
5) Client -> Device: EAP-Response / MD5 challenge
6) Device -> Server: RADIUS Access-Request (CHAP-Response / MD5 challenge)
7) Server -> Device: RADIUS Access-Accept (CHAP-Success)
8) Device -> Client: EAP-Success (port authorized)
9) Handshake timer: Device -> Client: Handshake request (EAP-Request / Identity); Client -> Device: Handshake response (EAP-Response / Identity) ......
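Added example, not the manual's or the switch's code, covering the EAP packet format described earlier and the EAP termination exchange in Figure 1-9: building and parsing EAP packets (including the length rule for Success/Failure), the MD5 challenge response a client computes (RFC 1994 CHAP: MD5 over Identifier, password and challenge), the fields the device extracts for the CHAP-Response it places in the RADIUS Access-Request, and the recomputation the server performs in step 9. The challenge, password and user name are constructed values.

```python
import hashlib
import hmac
import struct

# Added example (constructed), not code from the 3Com manual.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def build_eap(code: int, identifier: int, eap_type: int = None, type_data: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) [Type(1) Type-Data]; Length covers the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt: bytes) -> dict:
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length does not match the packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:                          # no Data field: exactly 4 bytes
            raise ValueError("Success/Failure must have length 4")
        return {"code": code, "id": identifier}
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("Request/Response must carry a Type field")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}


def md5_challenge_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Request/MD5 challenge: Type-Data is Value-Size, Value (the challenge), Name."""
    return build_eap(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(challenge)]) + challenge + name)


def md5_challenge_response(identifier: int, challenge: bytes, password: bytes, name: bytes) -> bytes:
    """Client side: Value = MD5(Identifier || password || challenge), as in RFC 1994 CHAP."""
    value = hashlib.md5(bytes([identifier]) + password + challenge).digest()
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                     bytes([len(value)]) + value + name)


def terminate_to_chap(response_pkt: bytes, challenge: bytes) -> dict:
    """Device side in EAP termination mode: pull the fields that go into the RADIUS
    Access-Request (CHAP-Response / MD5 challenge) out of the EAP response."""
    eap = parse_eap(response_pkt)
    if eap["code"] != EAP_RESPONSE or eap["type"] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an EAP-Response/MD5 challenge")
    if not eap["data"]:
        raise ValueError("missing Value-Size")
    size = eap["data"][0]
    value, name = eap["data"][1:1 + size], eap["data"][1 + size:]
    if len(value) != size:
        raise ValueError("truncated Value field")
    return {"chap_ident": eap["id"], "chap_password": value,
            "chap_challenge": challenge, "name": name}


def server_verify(chap: dict, password_db: dict) -> bool:
    """Server step 9: recompute the value from the stored password and compare it with
    what the device forwarded. MD5 challenge proves only that the client knows the
    password; it gives the client no proof of the server's identity."""
    password = password_db.get(chap["name"])
    if password is None:
        return False
    expected = hashlib.md5(bytes([chap["chap_ident"]]) + password + chap["chap_challenge"]).digest()
    return hmac.compare_digest(expected, chap["chap_password"])


if __name__ == "__main__":
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed challenge
    response = md5_challenge_response(5, challenge, b"correct-horse", b"alice")
    chap = terminate_to_chap(response, challenge)
    print("accept:", server_verify(chap, {b"alice": b"correct-horse"}))
```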
• Server timeout timer: Once the device sends a RADIUS Access-Request packet to the authentication server, it starts this timer. If this timer expires and it has received no response from the server, it retransmits the request.
• Handshake timer: After a client passes authentication, the device sends handshake requests to the client at this interval to check whether the client is online.
• With a Hybrid port, the VLAN assignment will fail if you have configured the assigned VLAN to carry tags.
• With a Hybrid port, you cannot configure an assigned VLAN to carry tags after the VLAN has been assigned.

ACL assignment

ACLs provide a way of controlling access to network resources and defining access rights.
Configuring 802.1X Globally

From the navigation tree, select Authentication > 802.1X to enter the 802.1X configuration page. Click the expansion mark + before Advanced to display the complete 802.1X configuration page, as shown in Figure 1-10. In the 802.1X Configuration area, you can view and configure the 802.1X feature globally.

Figure 1-10 802.1X configuration page

Table 1-3 lists global 802.1X configuration items.

Table 1-3 Global 802.1X configuration items

Item: Enable 802.
Item: Quiet
Description: Specify whether to enable the quiet timer. After an 802.1X user fails to be authenticated, the device keeps quiet for a period of time defined by Quiet Period. During the quiet period, the device does not perform 802.1X authentication on the user.

Item: Quiet Period
Description: Specify the value of the quiet timer.

Description: Specify the maximum number of attempts to send an authentication request to a client.
Figure 1-11 802.1X configuration on a port

Table 1-4 lists port 802.1X configuration items.

Table 1-4 Port 802.1X configuration items

Item: Port
Description: Select the port to be enabled with 802.1X authentication. Only ports not enabled with 802.1X authentication are available.

Item: Port Control
Description: Specify the 802.1X port access control method for the port, which can be MAC Based or Port Based.

Description: Specify the 802.1X authorization mode for the port.
Configuration Examples

802.1X Configuration Example

Network requirements

As shown in Figure 1-12:
• It is required to perform 802.1X authentication on port GigabitEthernet 1/0/1 to control user access to the Internet, configure the access control method on the port as MAC based, and enable periodic re-authentication of online users on the port, so that the server can periodically update the authorization information of the users.
• All users belong to the default domain test.
Figure 1-13 Global 802.1X configuration

Perform the following configurations as shown in Figure 1-13.
• Select the check box before Enable 802.1X.
• Select the authentication method as CHAP.
• Click Apply to finish the operation.

# Enable and configure 802.1X on port GigabitEthernet 1/0/1.
• In the Ports With 802.1X Enabled area, click Add.

Figure 1-14 802.1X configuration of GigabitEthernet 1/0/1

Perform the following configurations as shown in Figure 1-14.
# Configure the RADIUS authentication servers.
• From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears.

Figure 1-15 RADIUS authentication server configuration

Perform the following configurations as shown in Figure 1-15.
• Select Authentication Server as the server type.
• Enter the primary server IP address 10.1.1.1.
• Select active as the primary server's status.
• Enter the secondary server IP address 10.1.1.2.
• Enter the secondary server IP address 10.1.1.1.
• Select active as the secondary server's status.
• Click Apply to finish the operation.

# Configure the scheme used for communication between the device and the RADIUS servers.
• Select the RADIUS Setup tab to enter the RADIUS parameter configuration page. Perform the following configurations as shown in Figure 1-17.

Figure 1-17 RADIUS parameter configuration

• Select extended as the server type.
• From the navigation tree, select Authentication > AAA. The domain setup page appears. Perform the following configurations as shown in Figure 1-18.

Figure 1-18 Create an ISP domain

• Enter test in the Domain Name textbox.
• Select Enable to use the domain as the default domain.
• Click Apply to finish the operation.

# Configure the AAA authentication method for the ISP domain.
• Select the Authentication tab. Perform the following configurations as shown in Figure 1-19.
• Select system from the Name drop-down list to use it as the authentication scheme.
• Click Apply. A configuration progress dialog box appears, as shown in Figure 1-20.

Figure 1-20 Configuration progress dialog box

• After the configuration process is complete, click Close.

# Configure the AAA authorization method for the ISP domain.
• Select the Authorization tab. Perform the following configuration as shown in Figure 1-21.
Figure 1-22 Configure the AAA accounting method for the ISP domain

• Select the domain name test.
• Select the Default Accounting checkbox and then select RADIUS as the accounting mode.
• Select system from the Name drop-down list to use it as the accounting scheme.
• Click Apply. A configuration progress dialog box appears.
• After the configuration process is complete, click Close.
Configuration procedure
1) Configure the IP addresses of the interfaces. (Omitted)
2) Configure the RADIUS scheme system

# Configure the RADIUS authentication server.
• From the navigation tree, select Authentication > RADIUS. The RADIUS server configuration page appears.

Figure 1-24 RADIUS authentication server configuration

Perform the following configurations as shown in Figure 1-24.
• Select Authentication Server as the server type.
• Enter the primary server IP address 10.1.1.1.
• Enter the primary server UDP port number 1813.
• Select active as the primary server status.
• Click Apply to finish the operation.

# Configure the scheme to be used for communication between the switch and the RADIUS servers.
• Select the RADIUS Setup tab to enter the RADIUS parameter configuration page.

Figure 1-26 RADIUS parameter configuration

Perform the following configurations as shown in Figure 1-26.
• Select extended as the server type.
Figure 1-27 Create an ISP domain

Perform the following configurations, as shown in Figure 1-27.
• Enter test in the Domain Name textbox.
• Select Enable to use the domain as the default domain.
• Click Apply to finish the operation.

# Configure the AAA authentication method for the ISP domain.
• Select the Authentication tab.

Figure 1-28 Configure the AAA authentication method for the ISP domain

Perform the following configurations as shown in Figure 1-28.
• Select the domain name test.
• Select the Default AuthN checkbox and then select RADIUS as the authentication mode.
• Select system from the Name drop-down list to use it as the authentication scheme.
• Click Apply. The configuration progress dialog box appears, as shown in Figure 1-29.

Figure 1-29 Configuration progress dialog box

• After you see the prompt of configuration success, click Close to finish the operation.

# Configure the AAA authorization method for the ISP domain.
• Select the Authorization tab.
Figure 1-31 Configure the AAA accounting method for the ISP domain

Perform the following configurations, as shown in Figure 1-31.
• Select the domain name test.
• Select the Accounting Optional checkbox, and then select Enable for this parameter.
• Select the Default Accounting checkbox and then select RADIUS as the accounting mode.
• Select system from the Name drop-down list to use it as the accounting scheme.
• Click Apply. The configuration progress dialog box appears.
• Click Apply to finish the operation.

# Configure the ACL to deny packets with destination IP address 10.0.0.1.
• Select the Advanced Setup tab.

Figure 1-33 ACL rule configuration

Perform the following configurations, as shown in Figure 1-33.
• Select 3000 from the Select Access Control List(ACL) drop-down list.
• Select the Rule ID check box, and enter 0 as the rule ID.
• Select Deny as the operation action.
• Enter 0.0.0.0 in the Destination Wildcard text box.
• Click Add to finish the operation.

5) Configure the 802.1X feature

# Enable the 802.1X feature globally.
• From the navigation tree, select Authentication > 802.1X to enter the 802.1X configuration page.

Figure 1-34 Enable 802.1X globally

Perform the following configuration as shown in Figure 1-34.
• Select the check box before Enable 802.1X.
• Select the authentication method as CHAP.
• Click Apply to finish the operation.

# Enable 802.
Perform the following configurations as shown in Figure 1-35.
• Select GigabitEthernet1/0/1 from the port list.
• Click Apply to finish the operation.

Configuration verification

# After the user passes authentication and gets online, use the ping command to test whether ACL 3000 takes effect.
• From the navigation tree, select Network > Diagnostic Tools. The ping page appears.
• Enter the destination IP address 10.0.0.1.
• Click Start to start the ping operation.
Table of Contents
1 AAA Configuration 1-1
  Overview 1-1
    Introduction to AAA 1-1
    Introduction to ISP Domain
1 AAA Configuration

Overview

Introduction to AAA

Authentication, Authorization, and Accounting (AAA) provides a uniform framework for configuring these three security functions to implement network security management. AAA usually uses a client/server model, where the client runs on the network access server (NAS) and the server maintains user information centrally. In an AAA network, a NAS is a server for users but a client for the AAA servers, as shown in Figure 1-1.
configure an authentication server. If network usage information is expected to be recorded, you also need to configure an accounting server.

As described above, AAA provides a uniform framework to implement network security management. It is a security mechanism that enables authenticated and authorized entities to access specific resources and records the operations of those entities.
Table 1-1 AAA configuration task list

- Configuring an ISP Domain (Optional): Create ISP domains and specify one of them as the default ISP domain. By default, there is an ISP domain named system, which is the default ISP domain.
- Configuring Authentication Methods for the ISP Domain (Optional): Configure authentication methods for various types of users. By default, all types of users use local authentication.
Figure 1-2 Domain Setup page

Table 1-2 describes the configuration items for creating an ISP domain.

Table 1-2 ISP domain configuration items

- Domain Name: Type the ISP domain name, which identifies the domain. You can type a new domain name to create a domain, or specify an existing domain to change its status (whether it is the default domain).
- Default Domain: Specify whether to use the ISP domain as the default domain.
  - Enable: Uses the domain as the default domain.
Figure 1-3 Authentication method configuration page

Table 1-3 describes the configuration items for specifying the authentication methods for an ISP domain.

Table 1-3 Authentication method configuration items

- Select an ISP domain: Select the ISP domain for which you want to specify authentication methods.
- Default AuthN: Configure the default authentication method and secondary authentication method for all types of users.
Configuring Authorization Methods for the ISP Domain

Select Authentication > AAA from the navigation tree and then select the Authorization tab to enter the authorization method configuration page, as shown in Figure 1-4.

Figure 1-4 Authorization method configuration page

Table 1-4 describes the configuration items for configuring the authorization methods for an ISP domain.
- Login AuthZ (with its Name, Secondary Method, and secondary Name fields): Configure the authorization method and secondary authorization method for login users. Options include:
  - Local: Performs local authorization.
  - None: All users are trusted and authorized. A user gets the corresponding default rights of the system.
  - RADIUS: Performs RADIUS authorization. You need to specify the RADIUS scheme to be used.
  - Not Set: Uses the default authorization methods.

Return to Configuration Task List.
- LAN-access Accounting (with its Name, Secondary Method, and secondary Name fields): Configure the accounting method and secondary accounting method for LAN access users. Options include:
  - Local: Performs local accounting.
  - None: Performs no accounting.
  - RADIUS: Performs RADIUS accounting. You need to specify the RADIUS scheme to be used.
  - Not Set: Uses the default accounting methods.
- Login Accounting (with its Name, Secondary Method, and secondary Name fields): Configure the accounting method and secondary accounting method for login users.
- Select Device > Users from the navigation tree and then select the Create tab to configure a local user as shown in Figure 1-7.

Figure 1-7 Configure a local user

- Enter telnet as the username.
- Select Management as the access level.
- Enter abcd as the password.
- Enter abcd to confirm the password.
- Select Telnet Service as the service type.
- Click Apply.

# Configure ISP domain test.

- Select Authentication > AAA from the navigation tree. The domain configuration page appears.

Figure 1-8 Configure ISP domain test

- Enter test as the domain name.
- Click Apply.

# Configure the ISP domain to use local authentication.

- Select Authentication > AAA from the navigation tree, select the Authentication tab, and configure AAA authentication as shown in Figure 1-9.

Figure 1-9 Configure the ISP domain to use local authentication

- Select the domain test.
- Select the Login AuthN check box and select the authentication method Local.
- Click Apply.

Figure 1-10 Configuration progress dialog box

- After the configuration process is complete, click Close.

# Configure the ISP domain to use local authorization.

- Select Authentication > AAA from the navigation tree, select the Authorization tab, and configure AAA authorization as shown in Figure 1-11.

Figure 1-11 Configure the ISP domain to use local authorization

- Select the domain test.
- Select the Login AuthZ check box and select the authorization method Local.
- Click Apply.
Figure 1-12 Configure the ISP domain to use local accounting

- Select the domain test.
- Select the Login Accounting check box and select the accounting method Local.
- Click Apply. A configuration progress dialog box appears.
- After the configuration process is complete, click Close.

Now, if you telnet to the switch and enter username telnet@test and password abcd, you should be served as a user in domain test.
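The example above relies on three behaviours that the GUI steps only imply: the NAS takes the ISP domain from the part of the username after "@" (falling back to the default domain system when there is none), a per-user-type method left at Not Set falls through to the Default method, and local authentication checks the user against the device's local user database, including the service type. The following Python model, added here as an illustration and not code from the 3Com guide or the switch firmware, makes those rules explicit. The domain table, the local user entry (mirroring user telnet / password abcd / level Management / Telnet service) and all function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed model of ISP-domain selection and local authentication on a NAS.
# Nothing here is the switch's own code; the tables are sample data.

DEFAULT_DOMAIN = "system"  # the guide's built-in default ISP domain

# Constructed domain table. A per-type entry of "Not Set" means "use the
# Default AuthN method", as the guide's Not Set option specifies.
DOMAINS = {
    "system": {"default_authn": "Local", "login_authn": "Not Set"},
    "test":   {"default_authn": "RADIUS", "login_authn": "Local"},
}

def _hash_password(password: str, salt: bytes) -> bytes:
    # Local user database should never hold plaintext; PBKDF2 is used here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
# Constructed local user entry matching the guide's example values.
LOCAL_USERS = {
    "telnet": {"salt": _SALT, "hash": _hash_password("abcd", _SALT),
               "level": "Management", "services": {"Telnet"}},
}

def split_username(full_name: str) -> Tuple[str, str]:
    """'telnet@test' -> ('telnet', 'test'). A name with no usable '@' split
    belongs to the default domain. The last '@' is the separator."""
    if "@" in full_name:
        user, _, domain = full_name.rpartition("@")
        if user and domain:
            return user, domain
    return full_name, DEFAULT_DOMAIN

def resolve_method(domain: str, user_type: str) -> Optional[str]:
    """Method for this user type; None when the domain does not exist
    (the NAS rejects such users)."""
    cfg = DOMAINS.get(domain)
    if cfg is None:
        return None
    method = cfg.get(f"{user_type}_authn", "Not Set")
    return cfg["default_authn"] if method == "Not Set" else method

def local_authenticate(user: str, password: str, service: str) -> Optional[str]:
    """Local authentication: return the authorized level, or None on failure.
    The service type requested must be one the local user is allowed."""
    entry = LOCAL_USERS.get(user)
    if entry is None:
        return None
    if not hmac.compare_digest(_hash_password(password, entry["salt"]), entry["hash"]):
        return None
    if service not in entry["services"]:
        return None
    return entry["level"]

def authenticate(full_name: str, password: str, service: str = "Telnet") -> dict:
    """Full login decision for a login user: pick domain, pick method, run it."""
    user, domain = split_username(full_name)
    method = resolve_method(domain, "login")
    if method is None:
        return {"ok": False, "reason": "unknown domain", "domain": domain}
    if method == "Local":
        level = local_authenticate(user, password, service)
        return {"ok": level is not None, "domain": domain, "method": method, "level": level}
    if method == "None":
        # Guide: None trusts all users; they get the system default rights.
        return {"ok": True, "domain": domain, "method": method, "level": None}
    # RADIUS would hand the request to the configured scheme; not modelled here.
    return {"ok": False, "reason": "RADIUS not modelled", "domain": domain, "method": method}
```

Running `authenticate("telnet@test", "abcd")` succeeds with level Management, while the same user logging in with a service type other than Telnet, a wrong password, or an unknown domain is refused; `authenticate("telnet", "abcd")` lands in domain system, whose Login AuthN is Not Set and therefore uses its Default AuthN (Local).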
Table of Contents
1 RADIUS 1-1
  Overview 1-1
    Introduction to RADIUS 1-1
    Client/Server Model
1 RADIUS

Overview

Remote Authentication Dial-In User Service (RADIUS) is a protocol for implementing Authentication, Authorization, and Accounting (AAA). For details about AAA, refer to AAA Configuration.

Introduction to RADIUS

RADIUS is a distributed information interaction protocol using the client/server model. RADIUS can protect networks against unauthorized access and is often used in network environments where both high security and remote user access are required.
Security and Authentication Mechanisms

Information exchanged between a RADIUS client and the RADIUS server is authenticated with a shared key, which is never transmitted over the network. This enhances the security of the information exchange. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS hides passwords before transmitting them. A RADIUS server supports multiple user authentication methods.
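The two mechanisms named above are defined in RFC 2865: the client hides the User-Password attribute by XORing it with MD5(shared key + Request Authenticator) chunks, and the server proves possession of the shared key by returning a Response Authenticator computed as MD5 over the reply header, the client's Request Authenticator, the reply attributes and the key. The Python below is an added illustration of those two computations, not code from the 3Com guide or the switch firmware; the shared key expert (the guide's example value), the fixed Request Authenticator and the reply packet are constructed sample data, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Added example: RFC 2865 User-Password hiding and Response Authenticator
# verification. Constructed sample values; a real client draws the 16-byte
# Request Authenticator at random for every request.
SHARED_SECRET = b"expert"
REQUEST_AUTH = bytes(range(16))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16,
    then XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk),
    seeding 'previous chunk' with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = b""
    prev = request_auth
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += chunk
        prev = chunk
    return out

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reverse of hide_password; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = b""
    prev = request_auth
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key_block))
        prev = chunk
    return out.rstrip(b"\x00")

def response_authenticator(code: int, identifier: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Length covers the 20-byte header plus the attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of a server reply. A reply whose authenticator does
    not match was not produced with the shared key, or was altered in transit,
    and must be discarded rather than acted on."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def demo() -> bool:
    """Round trip: hide and unhide a password, then build a constructed
    Access-Accept (Code 2, no attributes) and verify it with the right and
    with a wrong key."""
    hidden = hide_password(b"abcd", SHARED_SECRET, REQUEST_AUTH)
    if unhide_password(hidden, SHARED_SECRET, REQUEST_AUTH) != b"abcd":
        return False
    attrs = b""
    auth = response_authenticator(2, 7, attrs, REQUEST_AUTH, SHARED_SECRET)
    reply = struct.pack("!BBH", 2, 7, 20 + len(attrs)) + auth + attrs
    good = verify_response(reply, REQUEST_AUTH, SHARED_SECRET)
    bad = verify_response(reply, REQUEST_AUTH, b"wrong-key")
    return good and not bad
```

The password hiding is reversible obfuscation keyed by the shared secret, not authenticated encryption, which is why the guide's advice to keep the shared key private and why modern deployments carry RADIUS over a protected transport matter: anyone holding the key and the Request Authenticator can recover the password exactly as `unhide_password` does.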
8) The RADIUS server returns a stop-accounting response (Accounting-Response) and stops accounting for the user.
9) The user stops access to network resources.

RADIUS Packet Format

RADIUS uses UDP to transmit messages. It ensures smooth message exchange between the RADIUS server and the client through a series of mechanisms, including the timer management mechanism, the retransmission mechanism, and the slave server mechanism. Figure 1-3 shows the RADIUS packet format.
2) The Identifier field (1 byte long) is for matching request packets with response packets and detecting retransmitted request packets. The request and response packets of the same type have the same identifier.
3) The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier, Length, Authenticator, and Attribute fields. The value of the field is in the range 20 to 4096. Bytes beyond the length are considered padding and are neglected upon reception.
- Vendor-ID (four bytes): Indicates the ID of the vendor. Its most significant byte is 0 and the other three bytes contain a code complying with RFC 1700.
- Vendor-Type: Indicates the type of the sub-attribute.
- Vendor-Length: Indicates the length of the sub-attribute.
- Vendor-Data: Indicates the contents of the sub-attribute.
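To make the packet format and the vendor-specific attribute layout concrete, here is an added Python parser (this example's own code, not the guide's or the switch's) that decodes the header fields described above, enforces the 20..4096 Length range, ignores bytes beyond Length as padding, walks the Type-Length-Value attribute list, and splits a Vendor-Specific attribute (type 26) into Vendor-ID, Vendor-Type, Vendor-Length and Vendor-Data. The sample packet, its vendor id 9999 and sub-attribute type 5 are constructed for the example.

```python
import struct

# Added example: RADIUS packet and Vendor-Specific attribute parser.
VENDOR_SPECIFIC = 26

def parse_attributes(data: bytes) -> list:
    """Walk the Type (1 byte) / Length (1 byte, covers Type and Length) / Value
    list. Any attribute that does not fit inside 'data' is a malformed packet."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value: bytes) -> dict:
    """Decode a Vendor-Specific value: 4-byte Vendor-ID whose most significant
    byte must be 0, followed by Vendor-Type / Vendor-Length / Vendor-Data
    sub-attributes (any number of them)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    if value[0] != 0:
        raise ValueError("Vendor-ID most significant byte must be 0")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs = []
    pos = 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad sub-attribute length %d" % vlen)
        subs.append((vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return {"vendor_id": vendor_id, "sub_attributes": subs}

def parse_packet(packet: bytes) -> dict:
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16).
    Length must be 20..4096; bytes past Length are padding and are ignored;
    a datagram shorter than its Length field is rejected."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > 4096:
        raise ValueError("Length field out of range: %d" % length)
    if length > len(packet):
        raise ValueError("packet truncated: Length=%d, got %d bytes" % (length, len(packet)))
    decoded = []
    for atype, avalue in parse_attributes(packet[20:length]):
        decoded.append((atype, parse_vsa(avalue) if atype == VENDOR_SPECIFIC else avalue))
    return {"code": code, "identifier": identifier, "length": length,
            "authenticator": packet[4:20], "attributes": decoded}

def is_valid_packet(packet: bytes) -> bool:
    """True when the datagram parses cleanly; malformed input is dropped."""
    try:
        parse_packet(packet)
        return True
    except ValueError:
        return False

def build_sample_packet() -> bytes:
    """Constructed Access-Request (Code 1, Identifier 42): a User-Name
    attribute (type 1) 'telnet@test', one Vendor-Specific attribute with the
    made-up vendor id 9999 carrying sub-attribute type 5 = b'data', and three
    trailing padding bytes beyond Length. The Authenticator is zeroed here."""
    user_name = bytes([1, 2 + 11]) + b"telnet@test"
    sub = bytes([5, 2 + 4]) + b"data"
    vsa_value = struct.pack("!I", 9999) + sub
    vsa = bytes([VENDOR_SPECIFIC, 2 + len(vsa_value)]) + vsa_value
    attrs = user_name + vsa
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16)
    return header + attrs + b"\x00\x00\x00"
```

The padding rule and the truncation rule are the two edge cases that matter for a receiver: `build_sample_packet()` carries three bytes beyond its Length of 45 and still parses, while the same datagram cut to 30 bytes is rejected because its Length field promises more than arrived.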
Table 1-3 RADIUS configuration task list

- Configuring RADIUS Authentication Servers (Required): Configure the information related to the primary and secondary RADIUS authentication servers. By default, no RADIUS authentication server is configured. For configuration details, refer to Configuring RADIUS Servers.
- Configuring RADIUS Accounting Servers (Optional): Configure the information related to the primary and secondary RADIUS accounting servers.
Table 1-4 RADIUS server configuration

- Server Type: Specify the type of the server to be configured, which can be Authentication Server or Accounting Server.
- Primary Server IP: Specify the IP address of the primary server. If no primary server is specified, the text box displays 0.0.0.0. To remove the previously configured primary server, enter 0.0.0.0 in the text box. The specified IP address of the primary server cannot be the same as that of the secondary server.
Figure 1-6 RADIUS parameter configuration

Table 1-5 lists the RADIUS parameters.

Table 1-5 RADIUS parameters

- Server Type: Specify the type of the RADIUS server supported by the device, including:
  - extended: Specifies an extended RADIUS server (usually an iMC server).
- Authentication Server Shared Key
- Confirm Authentication Shared Key
- Accounting Server Shared Key
- Confirm Accounting Shared Key
- Timeout
- Retransmission Times: Set the maximum number of transmission attempts. The product of the timeout value and the number of retransmission attempts cannot exceed 75.
- Realtime-Accounting Interval: Set the real-time accounting interval, whose value must be n times 3 (n is an integer). To implement real-time accounting on users, it is necessary to set the real-time accounting interval.
Table 1-6 Relationship between the real-time accounting interval and the number of users

Number of users | Real-time accounting interval (in minutes)
1 to 99         | 3
100 to 499      | 6
500 to 999      | 12
≥1000           | ≥15

Return to RADIUS configuration task list.
Figure 1-8 Configure the RADIUS authentication server

Perform the following configurations, as shown in Figure 1-8.

- Select Authentication Server as the server type.
- Enter 10.110.91.146 as the IP address of the primary authentication server.
- Enter 1812 as the UDP port of the primary authentication server.
- Select active as the primary server status.
- Click Apply.

# Configure the RADIUS accounting server.

Figure 1-10 Configure RADIUS parameters

- Select extended as the server type.
- Select the Authentication Server Shared Key check box and enter expert in the text box.
- Enter expert in the Confirm Authentication Shared Key text box.
- Select the Accounting Server Shared Key check box and enter expert in the text box.
- Enter expert in the Confirm Accounting Shared Key text box.
- Select without-domain for Username Format.
- Click Apply.

3) Configure AAA

# Create an ISP domain.

Figure 1-11 Create an ISP domain

Perform the following configurations, as shown in Figure 1-11.

- Enter test in the Domain Name text box.
- Select Enable to use the domain as the default domain.
- Click Apply.

# Configure the AAA authentication method for the ISP domain.

- Select the Authentication tab.

Figure 1-12 Configure the AAA authentication method for the ISP domain

Perform the following configurations, as shown in Figure 1-12.

- Select the domain name test.

Figure 1-13 Configuration progress dialog box

- After the configuration process is complete, click Close.

# Configure the AAA authorization method for the ISP domain.

- Select the Authorization tab.

Figure 1-14 Configure the AAA authorization method for the ISP domain

Perform the following configurations, as shown in Figure 1-14.

- Select the domain name test.
- Select the Default AuthZ check box and then select RADIUS as the authorization mode.

Figure 1-15 Configure the AAA accounting method for the ISP domain

Perform the following configurations, as shown in Figure 1-15.

- Select the domain name test.
- Select the Accounting Optional check box and then select Enable.
- Select the Default Accounting check box and then select RADIUS as the accounting mode.
- Select system from the Name drop-down list to use it as the accounting scheme.
- Click Apply. A configuration progress dialog box appears.
Table of Contents
1 Users 1-1
  Overview 1-1
  Configuring Users 1-1
    Configuring a Local User
1 Users

Overview

This module allows you to configure local users and user groups.

Local user

A local user represents a set of user attributes configured on a device (such as the user password, service type, and authorization attribute), and is uniquely identified by the username. For a user requesting a network service to pass local authentication, you must add an entry as required in the local user database of the device. For details about local authentication, refer to AAA Configuration.
Figure 1-2 Local user configuration page

Table 1-1 describes the configuration items for configuring a local user.

Table 1-1 Local user configuration items

- Username: Specify a name for the local user.
- Password / Confirm: Specify and confirm the password of the local user. The settings of these two fields must be the same.
- Group: Select a user group for the local user. For information about user group configuration, refer to Configuring a User Group.
- Level: Select an authorization level for the local user, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.
- VLAN: Specify the VLAN to be authorized to the local user after the user passes authentication.
- ACL: Specify the ACL to be used by the access device to restrict the access of the local user after the user passes authentication.
- Specify the user profile for the local user.
Table 1-2 User group configuration items

- Group-name: Specify a name for the user group.
- Level: Select an authorization level for the user group, which can be Visitor, Monitor, Configure, or Management, in ascending order of priority.
- VLAN: Specify the VLAN to be authorized to users of the user group after the users pass authentication.
- ACL: Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication.
Table of Contents
1 PKI Configuration 1-1
  PKI Overview 1-1
    PKI Terms 1-1
    Architecture of PKI
1 PKI Configuration

PKI Overview

The Public Key Infrastructure (PKI) is a hierarchical framework for providing information security through public key technologies and digital certificates, and for verifying the identities of digital certificate owners. PKI employs digital certificates, which bind certificate owner identity information to public keys. It allows users to obtain, use, and revoke certificates.
Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in Figure 1-1.

Figure 1-1 PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a router or a switch, or a process running on a computer.

CA

A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates.
VPN

A virtual private network (VPN) is a private data communication network built on the public communication infrastructure. A VPN can leverage network layer security protocols (for instance, IPSec) in conjunction with PKI-based encryption and digital signature technologies to achieve confidentiality.

Secure E-mail

E-mails require confidentiality, integrity, authentication, and non-repudiation. PKI can address these needs.
Table 1-1 Configuration task list for requesting a certificate manually

- Creating a PKI Entity (Required): Create a PKI entity and configure the identity information. A certificate is the binding of a public key and an entity, where an entity is the collection of the identity information of a user. A CA identifies a certificate applicant by entity. The identity settings of an entity must be compliant with the CA certificate issue policy. Otherwise, the certificate request may be rejected.
- Requesting a Local Certificate (Required): When requesting a certificate, an entity introduces itself to the CA by providing its identity information and public key, which will be the major components of the certificate. A certificate request can be submitted to a CA in two ways: online and offline.
  - In online mode, if the request is granted, the local certificate will be retrieved to the local system automatically.
- Retrieving a Certificate (Optional): Retrieve an existing certificate.
- Retrieving and Displaying a CRL (Optional): Retrieve a CRL and display its contents.

Creating a PKI Entity

Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default, as shown in Figure 1-2. Click Add on the page to enter the PKI entity configuration page, as shown in Figure 1-3.
- IP Address: Type the IP address of the entity.
- FQDN: Type the fully qualified domain name (FQDN) for the entity. An FQDN is a unique identifier of an entity on the network. It consists of a host name and a domain name and can be resolved to an IP address. For example, www.whatever.com is an FQDN, where www indicates the host name and whatever.com the domain name.
- Country/Region Code: Type the country or region code for the entity.
- State: Type the state or province for the entity.
Figure 1-5 PKI domain configuration page

Table 1-4 describes the configuration items for creating a PKI domain.

Table 1-4 PKI domain configuration items

- Domain Name: Type the name for the PKI domain.
- CA Identifier: Type the identifier of the trusted CA. An entity requests a certificate from a trusted CA. The trusted CA takes responsibility for certificate registration, distribution, revocation, and query.
- Requesting URL: Type the URL of the RA. The entity will submit the certificate request to the server at this URL through the SCEP protocol. The SCEP protocol is intended for communication between an entity and an authentication authority. In offline mode, this item is optional; in other modes, this item is required. Currently, this item does not support domain name resolution.
- CRL URL: Type the URL of the CRL distribution point. This item is available when the Enable CRL Checking check box is selected. Note that when the URL of the CRL distribution point is not set, you should acquire the CA certificate and a local certificate, and then acquire a CRL through SCEP. Currently, this item does not support domain name resolution.

Return to Configuration task list for requesting a certificate manually.
Table 1-5 Configuration item for generating an RSA key pair

- Key Length: Type the length of the RSA keys.

Return to Configuration task list for requesting a certificate manually.

Destroying the RSA Key Pair

Select Authentication > PKI from the navigation tree, and then select the Certificate tab to enter the page displaying existing PKI certificates, as shown in Figure 1-6. Click Destroy Key to enter the RSA key pair destruction page, as shown in Figure 1-8.
Table 1-6 Configuration items for retrieving a PKI certificate

- Domain Name: Select the PKI domain for the certificate.
- Certificate Type: Select the type of the certificate to be retrieved, which can be CA or local.
- Enable Offline Mode: Select this check box to retrieve a certificate in offline mode (that is, by an out-of-band means like FTP, disk, or e-mail) and then import the certificate into the local PKI system.
Return to Configuration task list for requesting a certificate automatically.

Requesting a Local Certificate

Select Authentication > PKI from the navigation tree, and then select the Certificate tab to enter the page displaying existing PKI certificates, as shown in Figure 1-6. Click Request Cert to enter the local certificate request page, as shown in Figure 1-11.

Figure 1-11 Local certificate request page

Table 1-7 describes the configuration items for requesting a local certificate.
Retrieving and Displaying a CRL

Select Authentication > PKI from the navigation tree, and then select the CRL tab to enter the page displaying CRLs, as shown in Figure 1-13.

Figure 1-13 CRL page

- Click Retrieve CRL to retrieve the CRL of a domain.
- Then, click View CRL for the domain to display the contents of the CRL, as shown in Figure 1-14.

Figure 1-14 CRL details

Table 1-8 describes some fields of the CRL details.
- Public key identifier (keyid): A CA may have multiple key pairs, and this field identifies which key pair is used for the CRL signature.

Return to Configuration task list for requesting a certificate manually.
Return to Configuration task list for requesting a certificate automatically.
After the above configuration, make sure that the system clock of the Switch is synchronized with that of the CA, so that the Switch can request certificates and retrieve CRLs properly.

2) Configure Switch

# Create a PKI entity.

- Select Authentication > PKI from the navigation tree. The PKI entity list page is displayed by default. Click Add on the page, as shown in Figure 1-16, and then perform the following configurations as shown in Figure 1-17.
Figure 1-18 PKI domain list

Figure 1-19 Configure a PKI domain

- Type torsa as the PKI domain name.
- Type myca as the CA identifier.
- Select aaa as the local entity.
- Select CA as the authority for certificate request.
- Type http://4.4.4.133:446/c95e970f632d27be5e8cbf80e971d9c4a9a93337 as the URL for certificate request. The URL must be in the format http://host:port/Issuing Jurisdiction ID, where Issuing Jurisdiction ID is the hexadecimal string generated on the CA.
- Select the Certificate tab, and then click Create Key, as shown in Figure 1-20, and perform the configuration as shown in Figure 1-21.

Figure 1-20 Certificate list

Figure 1-21 Generate an RSA key pair

- Click Apply to generate an RSA key pair.

# Retrieve the CA certificate.

- Select the Certificate tab, and then click Retrieve Cert, as shown in Figure 1-22, and then perform the following configurations as shown in Figure 1-23.

Figure 1-23 Retrieve the CA certificate

- Select torsa as the PKI domain.
- Select CA as the certificate type.
- Click Apply.

# Request a local certificate.

- Select the Certificate tab, and then click Request Cert, as shown in Figure 1-24, and then perform the following configurations as shown in Figure 1-25.

Figure 1-24 Certificate list

Figure 1-25 Request a local certificate

- Select torsa as the PKI domain.
- Select Password and then type challenge-word as the password.
- Click Apply.
# Retrieve the CRL.

- After retrieving a local certificate, select the CRL tab.
- Click Retrieve CRL for the PKI domain torsa, as shown in Figure 1-26.

Figure 1-26 Retrieve the CRL

Configuration Guidelines

When configuring PKI, note that:

1) Make sure the clocks of entities and the CA are synchronized. Otherwise, the validity period of certificates will be abnormal.
2) The Windows 2000 CA server has some restrictions on the data length of a certificate request.
Table of Contents
1 Port Isolation Group Configuration 1-1
  Overview 1-1
  Configuring a Port Isolation Group 1-1
  Port Isolation Group Configuration Example
1 Port Isolation Group Configuration

Overview

Usually, Layer 2 traffic isolation is achieved by assigning ports to different VLANs. To save VLAN resources, port isolation is introduced to isolate ports within a VLAN, allowing for great flexibility and security. Currently:

- 3Com Switch 2900 series switches support only one isolation group, which is created automatically by the system as isolation group 1. You can neither remove the isolation group nor create other isolation groups on such devices.
Table 1-1 Port isolation group configuration items

- Config type: Specify the role of the port or ports in the isolation group.
  - Isolate port: Assign the port or ports to the isolation group as an isolated port or ports.
  - Uplink-port: Assign the port to the isolation group as the uplink port. The uplink port is not supported on the 3Com Switch 2900 series.
- Select the port(s) you want to assign to the isolation group.
Figure 1-3 Configure isolated ports for an isolation group

- Select Isolate port for the port type.
- Select GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4 on the chassis front panel.
- Click Apply. A configuration progress dialog box appears.
- After the configuration process is complete, click Close in the dialog box.

# View information about the isolation group.

Click Summary. The page shown in Figure 1-4 appears.
Table of Contents
1 Authorized IP Configuration 1-1
  Overview 1-1
  Configuring Authorized IP 1-1
  Authorized IP Configuration Example
1 Authorized IP Configuration

Overview

The authorized IP function associates the HTTP or Telnet service with an ACL to filter the requests of clients. Only the clients that pass the ACL filtering can access the device.

Configuring Authorized IP

Select Security > Authorized IP from the navigation tree, and then click the Setup tab to enter the authorized IP configuration page, as shown in Figure 1-1.
Authorized IP Configuration Example

Network requirements

In Figure 1-2, configure Switch to deny telnet and HTTP requests from Host A, while permitting telnet and HTTP requests from Host B.

Figure 1-2 Network diagram for authorized IP

Configuration procedure

# Create an ACL.

- Select QoS > ACL IPv4 from the navigation tree and then click the Create tab to enter the ACL configuration page shown in Figure 1-3.
Figure 1-4 Configure an ACL rule to permit Host B

Make the following configurations on the page:

- Select 2001 from the Select Access Control List (ACL) drop-down list.
- Select Permit from the Operation drop-down list.
- Select the Source IP Address check box and then type 10.1.1.3.
- Type 0.0.0.0 in the Source Wildcard text box.
- Click Add.

# Configure authorized IP.

Figure 1-5 Configure authorized IP

Make the following configurations on the page:

- Select 2001 for IPv4 ACL in the Telnet field.
- Select 2001 for IPv4 ACL in the Web(HTTP) field.
- Click Apply.
Table of Contents
1 ACL Configuration 1-1
  ACL Overview 1-1
    Introduction to IPv4 ACL 1-1
    Effective Period of an ACL
1 ACL Configuration

ACL Overview

With the growth of network scale and network traffic, network security and bandwidth allocation become more and more critical to network management. Packet filtering can be used to efficiently prevent illegal access to networks and to control network traffic and save network resources. One way to implement packet filtering is to use access control lists (ACLs).
Table 1-2 Depth-first match for IPv4 ACLs

Basic IPv4 ACL:
1) Sort rules by source IP address wildcard mask and compare packets against the rule configured with more zeros in the source IP address wildcard mask.
2) In case of a tie, compare packets against the rule configured first.

Advanced IPv4 ACL:
1) Sort rules by the protocol carried over IP.

Ethernet frame header ACL:
ACL Step

Currently, the Web interface does not support ACL step configuration.

Meaning of the step

The step defines the difference between two neighboring numbers that are automatically assigned to ACL rules by the device. For example, with a step of 5, rules are automatically numbered 0, 5, 10, 15, and so on. By default, the step is 5. Whenever the step changes, the rules are renumbered, starting from 0.
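The depth-first procedure for basic IPv4 ACLs and the step-based renumbering above are easy to get wrong in practice, because the same rule set yields different verdicts under the two match orders. The Python below is an added illustration (this example's own code, not the guide's or the switch's) of wildcard-mask matching, both match orders, and renumbering; it generalizes the Host B rule from the Authorized IP example (source 10.1.1.3 with wildcard 0.0.0.0) to arbitrary wildcard masks. Config order is taken here, as an assumption, to mean "rules compared in the order they were configured"; the rule set is constructed sample data.

```python
from dataclasses import dataclass
import ipaddress
from typing import List, Optional, Tuple

# Added example: basic IPv4 ACL rule matching, match orders and renumbering.

@dataclass
class Rule:
    rule_id: int
    action: str       # "permit" or "deny"
    source: str       # source IP address, e.g. "10.1.1.3"
    wildcard: str     # wildcard mask: 0 bits must match, 1 bits are "don't care"

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_zero_bits(wildcard: str) -> int:
    """Number of 'must match' bits; 0.0.0.0 (a single host) has 32, 0.0.0.255 has 24."""
    return 32 - bin(_ip(wildcard)).count("1")

def rule_matches(rule: Rule, src_ip: str) -> bool:
    """A packet matches when every bit that the mask marks as significant agrees."""
    care = ~_ip(rule.wildcard) & 0xFFFFFFFF
    return (_ip(src_ip) & care) == (_ip(rule.source) & care)

def depth_first_order(rules: List[Rule]) -> List[Rule]:
    """Guide's Table 1-2 for basic ACLs: more zeros in the wildcard mask first;
    sorted() is stable, so rules with equal masks keep configuration order (the
    tie rule)."""
    return sorted(rules, key=lambda r: -wildcard_zero_bits(r.wildcard))

def lookup(rules: List[Rule], src_ip: str,
           match_order: str = "config") -> Tuple[Optional[str], Optional[int]]:
    """(action, rule_id) of the first rule that matches in the chosen order.
    (None, None) means no rule matched; what then happens to the packet depends
    on where the ACL is applied, so it is left to the caller."""
    if match_order not in ("config", "depth-first"):
        raise ValueError("match_order must be 'config' or 'depth-first'")
    ordered = rules if match_order == "config" else depth_first_order(rules)
    for rule in ordered:
        if rule_matches(rule, src_ip):
            return rule.action, rule.rule_id
    return None, None

def renumber(rules: List[Rule], step: int = 5) -> List[Rule]:
    """Automatic numbering after a step change: 0, step, 2*step, ... in
    configuration order, as the guide describes."""
    if step <= 0:
        raise ValueError("step must be positive")
    return [Rule(i * step, r.action, r.source, r.wildcard) for i, r in enumerate(rules)]

# Constructed rule set in configuration order: a subnet-wide permit, then a
# host-specific deny inside that subnet, then a second rule with the same
# mask as the first so the tie rule is exercised.
SAMPLE_RULES = [
    Rule(0, "permit", "10.1.1.0", "0.0.0.255"),
    Rule(5, "deny", "10.1.1.3", "0.0.0.0"),
    Rule(10, "deny", "10.1.1.0", "0.0.0.255"),
]
```

For a packet from 10.1.1.3, config order stops at rule 0 (permit) because it was configured first, while depth-first order prefers the host-specific rule 5 (deny) since 0.0.0.0 has more zero bits than 0.0.0.255; for 10.1.1.7 the two /24 rules tie and rule 0 wins under both orders. A reviewer of an ACL should therefore always check which match order the ACL was created with before reading the rules top to bottom.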
Configuring a Time Range

Select QoS > Time Range from the navigation tree and then select the Create tab to enter the time range configuration page, as shown in Figure 1-1.

Figure 1-1 The page for creating a time range

Table 1-4 describes the configuration items for creating a time range.

Table 1-4 Time range configuration items

- Time Range Name: Set the name for the time range.
- Periodic Time Range:
  - Start Time: Set the start time of the periodic time range.
- Absolute Time Range:
Return to IPv4 ACL configuration task list.

Creating an IPv4 ACL

Select QoS > ACL IPv4 from the navigation tree and then select the Create tab to enter the IPv4 ACL configuration page, as shown in Figure 1-2.

Figure 1-2 The page for creating an IPv4 ACL

Table 1-5 describes the configuration items for creating an IPv4 ACL.

Table 1-5 IPv4 ACL configuration items

- ACL Number: Set the number of the IPv4 ACL.
- Set the match order of the ACL.
Figure 1-3 The page for configuring a basic IPv4 ACL

Table 1-6 describes the configuration items for creating a rule for a basic IPv4 ACL.

Table 1-6 Configuration items for a basic IPv4 ACL rule

- Select Access Control List (ACL): Select the basic IPv4 ACL for which you want to configure rules. Available ACLs are basic IPv4 ACLs that have been configured.
- Select the Rule ID option and type a number for the rule.
- Time Range: Select the time range during which the rule takes effect. Available time ranges are those that have been configured.

Return to IPv4 ACL configuration task list.

Configuring a Rule for an Advanced IPv4 ACL

Select QoS > ACL IPv4 from the navigation tree and then select the Advance Setup tab to enter the rule configuration page for an advanced IPv4 ACL, as shown in Figure 1-4.
Table 1-7 describes the configuration items for creating a rule for an advanced IPv4 ACL.
Table 1-7 Configuration items for an advanced IPv4 ACL rule
- Select Access Control List (ACL): Select the advanced IPv4 ACL for which you want to configure rules. Available ACLs are advanced IPv4 ACLs that have been configured.
- Rule ID: Select the Rule ID option and type a number for the rule. If you do not specify the rule number, the system will assign one automatically.
- Check Established: Select this option to make the rule match packets used for establishing and maintaining TCP connections. This item is available only when you select 6 TCP from the Protocol drop-down box.
- Operator, Source TCP/UDP Port, Port, To Port: Select the operators and type the source port numbers and destination port numbers as required. These items are available only when you select 6 TCP or 17 UDP from the Protocol drop-down box.
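The following is an added example, not code from the 3Com manual or the switch, that models an advanced IPv4 ACL the way this chapter describes it: step-based automatic rule numbering with renumbering on a step change, a periodic time range that switches a rule on and off, and rule matching on protocol, destination address with wildcard mask, and destination port. The class and field names, the first-match evaluation order, and the rule (next multiple of the step above the largest existing rule ID) used for automatically assigned IDs are this example's own assumptions; the addresses, times and ACL number are constructed.

```python
# Added example (not from the 3Com manual): a model of an advanced IPv4 ACL as the
# Web interface describes it. Class and field names and the numbering policy for
# auto-assigned rule IDs are this example's own assumptions.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class TimeRange:
    """Periodic time range: active from start to end on the listed weekdays."""
    name: str
    start: Tuple[int, int]   # (hour, minute)
    end: Tuple[int, int]
    days: frozenset          # 0 = Monday ... 6 = Sunday

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= (when.hour, when.minute) < self.end


@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    protocol: Optional[int] = None         # 6 = TCP, 17 = UDP, None = any
    dst: Optional[str] = None              # destination IP address
    dst_wildcard: str = "0.0.0.0"          # 0 bits must match, 1 bits are ignored
    dst_port: Optional[int] = None         # destination port (TCP/UDP only)
    time_range: Optional[TimeRange] = None
    rule_id: Optional[int] = None

    def matches(self, pkt: dict, when: datetime) -> bool:
        # A rule bound to an inactive time range matches nothing.
        if self.time_range is not None and not self.time_range.active(when):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dst is not None:
            care = ~int(ipaddress.IPv4Address(self.dst_wildcard)) & 0xFFFFFFFF
            want = int(ipaddress.IPv4Address(self.dst)) & care
            if int(ipaddress.IPv4Address(pkt["dst"])) & care != want:
                return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port


class AdvancedAcl:
    """Rules are kept in rule-ID order and evaluated first-match (config order)."""

    def __init__(self, number: int, step: int = 5):
        self.number = number
        self.step = step
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> int:
        if rule.rule_id is None:
            # Assumed: next multiple of the step above the largest existing ID (0 when
            # the ACL is empty), which yields 0, 5, 10, ... with the default step of 5.
            top = max((r.rule_id for r in self.rules), default=None)
            rule.rule_id = 0 if top is None else (top // self.step + 1) * self.step
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)
        return rule.rule_id

    def set_step(self, step: int) -> List[int]:
        """Changing the step renumbers every rule from 0, as the manual states."""
        self.step = step
        for i, r in enumerate(self.rules):
            r.rule_id = i * step
        return [r.rule_id for r in self.rules]

    def evaluate(self, pkt: dict, when: datetime) -> str:
        for r in self.rules:
            if r.matches(pkt, when):
                return r.action
        return "no-match"


def build_demo_acl() -> AdvancedAcl:
    """ACL 3000 with a time-bound rule for an FTP server at 10.1.1.1 (constructed)."""
    work_hours = TimeRange("test-time", (8, 0), (18, 0), frozenset(range(7)))
    acl = AdvancedAcl(3000)
    acl.add_rule(Rule("permit", dst="10.1.1.1", time_range=work_hours))      # rule 0
    acl.add_rule(Rule("deny", protocol=6, dst="10.1.0.0",
                      dst_wildcard="0.0.255.255", dst_port=21))               # rule 5
    acl.add_rule(Rule("deny", protocol=6, dst_port=23))                      # rule 10
    return acl


def run_demo() -> dict:
    acl = build_demo_acl()
    day = datetime(2009, 8, 11, 10, 0)     # a Tuesday at 10:00, inside test-time (constructed)
    night = datetime(2009, 8, 11, 20, 0)   # 20:00, outside test-time
    ftp = {"proto": 6, "dst": "10.1.1.1", "dport": 21}
    dns = {"proto": 17, "dst": "10.1.1.1", "dport": 53}
    return {"ids": [r.rule_id for r in acl.rules],
            "ftp_day": acl.evaluate(ftp, day),       # rule 0 active -> permit
            "ftp_night": acl.evaluate(ftp, night),   # rule 0 inactive, rule 5 -> deny
            "dns_night": acl.evaluate(dns, night),
            "ids_after_step_10": acl.set_step(10),
            "next_auto_id": acl.add_rule(Rule("deny"))}
```

The point to notice is the time range: outside 8:00 to 18:00 the permit rule is not merely "off", it is skipped, so the packet falls through to the next rule in ID order and is denied. When reviewing an ACL, check what the later rules do to traffic that a time-bound rule stops covering.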
Figure 1-5 The page for configuring a rule for an Ethernet frame header ACL
Table 1-8 describes the configuration items for creating a rule for an Ethernet frame header IPv4 ACL.
Table 1-8 Configuration items for an Ethernet frame header IPv4 ACL rule
- Select Access Control List (ACL): Select the Ethernet frame header IPv4 ACL for which you want to configure rules. Available ACLs are Ethernet frame header IPv4 ACLs that have been configured.
- Type Filter, Protocol Type: Select the Protocol Type option and specify the link layer protocol type by configuring the following two items:
  - Protocol Type: Indicates the frame type. It corresponds to the type-code field of Ethernet_II and Ethernet_SNAP frames.
  - Protocol Mask: Indicates the protocol mask.
- Time Range: Select the time range during which the rule takes effect. Available time ranges are those that have been configured.
2 QoS Configuration
Introduction to QoS
Quality of Service (QoS) reflects the ability of a network to meet customer needs. In an internet, QoS evaluates the ability of the network to forward packets of different services. The evaluation can be based on different criteria because the network may provide various services. Generally, QoS performance is measured with respect to bandwidth, delay, jitter, and packet loss ratio during the packet forwarding process.
Causes
Congestion easily occurs in complex packet switching circumstances in the Internet. The following figure shows two common cases:
Figure 2-1 Traffic congestion causes (case 1: a 100M link feeding a 10M link, 100M > 10M; case 2: 100M, 10M, and 50M links feeding one 100M link, (100M+10M+50M) > 100M)
- The traffic enters a device from a high speed link and is forwarded over a low speed link.
End-to-End QoS
Figure 2-2 End-to-end QoS model
As shown in Figure 2-2, traffic classification, traffic policing, traffic shaping, congestion management, and congestion avoidance are the foundations for a network to provide differentiated services. Mainly they implement the following functions:
- Traffic classification uses certain match criteria to organize packets with different characteristics into different classes. Traffic classification is usually applied in the inbound direction of a port.
network can either adopt the classification results from its upstream network or classify the packets again according to its own criteria. To provide differentiated services, traffic classes must be associated with certain traffic control actions or resource allocation actions. What traffic control actions to adopt depends on the current phase and the resources of the network.
- Expedited Forwarding (EF) class: In this class, packets are forwarded regardless of link share of other traffic. The class is suitable for preferential services requiring low delay, low packet loss, low jitter, and high bandwidth.
- Assured forwarding (AF) class: This class is divided into four subclasses (AF 1 to AF 4), each containing three drop priorities for more granular classification. The QoS level of the AF class is lower than that of the EF class.
Figure 2-4 An Ethernet frame with an 802.1Q tag header
As shown in Figure 2-4, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 2-5 presents the format of the 802.1Q tag header.
Figure 2-5 802.
SP queuing
SP queuing is specially designed for mission-critical applications, which require preferential service to reduce response delay when congestion occurs.
Figure 2-6 Schematic diagram for SP queuing
A typical switch provides eight queues per port. As shown in Figure 2-6, SP queuing classifies the eight queues on a port into eight classes, numbered 7 to 0 in descending priority order. SP queuing schedules the eight queues strictly according to the descending order of priority.
Figure 2-7 Schematic diagram for WRR queuing
A typical switch provides eight output queues per port. WRR assigns each queue a weight value (represented by w7, w6, w5, w4, w3, w2, w1, or w0) to decide the proportion of resources assigned to the queue. On a 100 Mbps port, you can set the weight values of WRR queuing to 50, 30, 10, 10, 50, 30, 10, and 10 (corresponding to w7, w6, w5, w4, w3, w2, w1, and w0 respectively).
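The following is an added example, not code from the manual or the switch, that simulates the two scheduling algorithms just described over eight per-port queues. It uses the WRR weights from the text (50, 30, 10, 10, 50, 30, 10, and 10 for w7 to w0); the one-packet-per-slot model, the counting of weights in packets, and the constructed backlogs are this example's own simplifications.

```python
# Added example (not from the manual): slot-by-slot simulation of SP and WRR
# scheduling of eight per-port queues. One packet per slot and weights counted
# in packets are this example's own simplification.
from typing import List

WRR_WEIGHTS_W7_TO_W0 = [50, 30, 10, 10, 50, 30, 10, 10]   # values from the text


def sp_schedule(backlog: List[int], slots: int) -> List[int]:
    """Strict priority: every slot goes to the highest-numbered non-empty queue.
    Returns packets served per queue, indexed 0..7."""
    backlog = list(backlog)
    served = [0] * 8
    for _ in range(slots):
        for q in range(7, -1, -1):
            if backlog[q] > 0:
                backlog[q] -= 1
                served[q] += 1
                break
    return served


def wrr_schedule(backlog: List[int], weights_w7_to_w0: List[int], slots: int) -> List[int]:
    """Weighted round robin: each round visits queues 7 down to 0 and lets queue q
    send up to its weight; an empty queue simply yields its turn."""
    weight = list(reversed(weights_w7_to_w0))   # index by queue number 0..7
    backlog = list(backlog)
    served = [0] * 8
    sent = 0
    while sent < slots and any(backlog):
        for q in range(7, -1, -1):
            n = min(weight[q], backlog[q], slots - sent)
            backlog[q] -= n
            served[q] += n
            sent += n
    return served


def wrr_share(weights_w7_to_w0: List[int]) -> List[float]:
    """Long-run bandwidth share of each queue 0..7 when every queue is backlogged."""
    total = sum(weights_w7_to_w0)
    return [w / total for w in reversed(weights_w7_to_w0)]


def run_demo() -> dict:
    saturated = [1000] * 8      # constructed: every queue holds a deep backlog
    return {
        "sp": sp_schedule(saturated, 200),
        "wrr": wrr_schedule(saturated, WRR_WEIGHTS_W7_TO_W0, 200),
        "wrr_share_q7": wrr_share(WRR_WEIGHTS_W7_TO_W0)[7],
        # SP still serves a low queue once nothing higher is waiting
        "sp_q0_alone": sp_schedule([5, 0, 0, 0, 0, 0, 0, 0], 10),
    }
```

With every queue backlogged, SP gives all 200 slots to queue 7 and queues 6 to 0 get nothing until queue 7 drains, which is the starvation risk of strict priority. WRR with the text's weights serves 50 packets from queue 7, 30 from queue 6, and so on, so queue 7 receives 50/200 = 25% of the port and even queue 0 keeps 5%.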
Figure 2-8 Evaluate traffic with the token bucket (elements shown: packets to be sent through this interface, packet classification, the token bucket into which tokens are put at the set rate, packets sent, packets dropped)
The evaluation for the traffic specification is based on whether the number of tokens in the bucket can meet the need of packet forwarding.
Figure 2-9 Line rate implementation
With a token bucket used for traffic control, when there are tokens in the token bucket, the bursty packets can be transmitted; if no tokens are available, packets cannot be transmitted until new tokens are generated in the token bucket. In this way, the traffic rate is restricted to the rate for generating tokens, thus limiting traffic rate and allowing bursty traffic.
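The following is an added example, not code from the manual or the switch, of the token bucket behaviour the two preceding sections describe: a burst is passed while the bucket holds tokens, packets arriving with an empty bucket are dropped, and the long-run rate is held to the token generation rate. The rate and depth values, the tick-based timing, and the packet arrivals are constructed for this example.

```python
# Added example (not from the manual): a token-bucket rate limiter driven by
# constructed packet arrivals. Rate, depth and tick timing are this example's own.
from typing import List, Tuple

Packet = Tuple[int, int]   # (arrival tick, size in bytes)


class TokenBucket:
    def __init__(self, rate_bytes_per_tick: int, depth_bytes: int):
        self.rate = rate_bytes_per_tick   # tokens added per tick = the line rate
        self.depth = depth_bytes          # bucket size = the largest burst allowed
        self.tokens = depth_bytes         # the bucket starts full

    def advance(self, ticks: int) -> None:
        """Tokens are put into the bucket at the set rate; a full bucket overflows."""
        self.tokens = min(self.depth, self.tokens + ticks * self.rate)

    def conforms(self, size: int) -> bool:
        """A packet is sent only if the bucket holds enough tokens for its size."""
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def police(rate: int, depth: int, arrivals: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Run arrivals (sorted by tick) through one bucket; return (sent, dropped)."""
    bucket = TokenBucket(rate, depth)
    sent, dropped = [], []
    last_tick = 0
    for tick, size in arrivals:
        bucket.advance(tick - last_tick)
        last_tick = tick
        (sent if bucket.conforms(size) else dropped).append((tick, size))
    return sent, dropped


def run_demo() -> dict:
    # Constructed: a 6-packet burst of 100 bytes at tick 0, then two 200-byte
    # packets at tick 3. Rate 100 bytes/tick, bucket depth 500 bytes.
    arrivals = [(0, 100)] * 6 + [(3, 200), (3, 200)]
    sent, dropped = police(rate=100, depth=500, arrivals=arrivals)
    return {"sent": sent, "dropped": dropped, "bytes_sent": sum(s for _, s in sent)}
```

The full bucket lets the first five packets of the burst through at once; the sixth finds the bucket empty and is dropped. Three ticks later 300 tokens have accumulated, enough for one 200-byte packet but not for two, so the rate over time stays at 100 bytes per tick while short bursts up to the bucket depth are tolerated.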
Figure 2-10 Priority mapping process
Introduction to Priority Mapping Tables
The device provides various types of priority mapping table, as listed below:
- CoS to DSCP: 802.1p-precedence-to-DSCP mapping table.
- CoS to Queue: 802.1p-precedence-to-local-precedence mapping table.
- DSCP to CoS: DSCP-to-802.1p-precedence mapping table, which is applicable to only IP packets.
- DSCP to DSCP: DSCP-to-DSCP mapping table, which is applicable to only IP packets.
Input DSCP value | Local precedence (Queue) | CoS
48 to 55 | 6 | 6
56 to 63 | 7 | 7
In the default DSCP to DSCP mapping table, an input value yields a target value equal to it.
QoS Configuration
Configuration Task Lists
Configuring a QoS policy
A QoS policy involves three components: class, traffic behavior, and policy. You can associate a class with a traffic behavior using a QoS policy.
1) Class
Classes are used to identify traffic. A class is identified by a class name and contains some match criteria.
- Configure a traffic behavior:
  - Creating a Traffic Behavior (Required): Create a traffic behavior.
  - Configuring actions for a behavior (use either approach): Configure various actions for the traffic behavior.
    - Configuring Traffic Mirroring and Traffic Redirecting for a Traffic Behavior
    - Configuring Other Actions for a Traffic Behavior
- Creating a Policy (Required): Create a policy.
Table 2-9 Priority mapping table configuration task list
- Configuring Priority Mapping Tables (Required): Set priority mapping tables.
Configuring priority trust mode
Perform the task in Table 2-10 to configure priority trust mode:
Table 2-10 Priority trust mode configuration task list
- Configuring Priority Trust Mode on a Port (Required): Set the priority trust mode of a port.
Table 2-11 Configuration items of creating a class
- Classifier Name: Specify a name for the classifier to be created.
- Operator: Specify the logical relationship between rules of the classifier.
  - and: Specifies the relationship between the rules in a class as logic AND. That is, the device considers that a packet belongs to a class only when the packet matches all the rules in the class.
  - or: Specifies the relationship between the rules in a class as logic OR.
Table 2-12 shows the configuration items of configuring classification rules.
Table 2-12 Configuration items of configuring classification rules
- Please select a classifier: Select an existing classifier in the drop-down list.
- Any: Define a rule to match all packets. Select the option to match all packets.
- DSCP: Define a rule to match DSCP values. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one.
- Service VLAN: Define a rule to match service VLAN IDs. If multiple such rules are configured for a class, the new configuration does not overwrite the previous one. You can configure multiple VLAN IDs each time. If the same VLAN ID is specified multiple times, the system considers them as one. The relationship between different VLAN IDs is logical OR. After such a configuration. You can specify VLAN IDs in two ways:
  - VLAN: Enter a range of VLAN IDs, such as 10-500.
Table 2-13 Configuration items of creating a behavior
- Behavior name: Specify a name for the behavior to be created.
Return to QoS policy configuration task list.
Configuring Traffic Mirroring and Traffic Redirecting for a Traffic Behavior
Select QoS > Behavior from the navigation tree and click Port Setup to enter the port setup page for a traffic behavior, as shown in Figure 2-14.
Configuring Other Actions for a Traffic Behavior
Select QoS > Behavior from the navigation tree and click Setup to enter the page for setting a traffic behavior, as shown in Figure 2-15.
Figure 2-15 The page for setting a traffic behavior
Table 2-15 describes the configuration items of configuring other actions for a traffic behavior.
Table 2-15 Configuration items of configuring other actions for a traffic behavior
- Please select a behavior: Select an existing behavior in the drop-down list.
- Filter: Configure the packet filtering action. After selecting the Filter option, select one item in the following drop-down list:
  - Permit: Forwards the packet.
  - Deny: Drops the packet.
  - Not Set: Cancels the packet filtering action.
Return to QoS policy configuration task list.
Figure 2-17 The page for setting a policy
Table 2-17 describes the configuration items of configuring classifier-behavior associations for the policy.
Table 2-17 Configuration items of configuring classifier-behavior associations for the policy
- Please select a policy: Select a created policy in the drop-down list.
- Classifier Name: Select an existing classifier in the drop-down list. The classifiers available for selection are created on the page for creating a classifier.
Figure 2-18 The page for applying a policy to a port
Table 2-18 describes the configuration items of applying a policy to a port.
Table 2-18 Configuration items of applying a policy to a port
- Please select a policy: Select a created policy in the drop-down list.
- Direction: Set the direction in which the policy is to be applied. Inbound: Applies the policy to the incoming packets of the specified ports.
- Please select port(s)
Table 2-19 describes the configuration items of configuring queue scheduling on a port.
Table 2-19 Configuration items of configuring queue scheduling on a port
- WRR: Enable or disable the WRR queue scheduling mechanism on selected ports. Two options are available:
  - Enable: Enables WRR on selected ports.
  - Not Set: Restores the default queuing algorithm on selected ports.
- Queue: Select the queue to be configured.
Figure 2-20 The page for configuring line rate on a port
Table 2-20 describes the configuration items of configuring line rate on a port.
Table 2-20 Configuration items of configuring line rate on a port
- Please select an interface type: Select the types of interfaces to be configured with line rate. The interface types available for selection depend on your device model.
- Rate Limit: Enable or disable line rate on the specified port.
Figure 2-21 The page for configuring priority mapping tables
Table 2-21 describes the configuration items of configuring priority mapping tables.
Table 2-21 Configuration items of configuring priority mapping tables
- Mapping Type: Select the priority mapping table to be configured, which can be CoS to DSCP, CoS to Queue, DSCP to CoS, DSCP to DSCP, or DSCP to Queue.
- Input Priority Value
- Output Priority Value
- Restore
Figure 2-23 The page for configuring port priority
Figure 2-24 The page for modifying port priority
Table 2-22 describes the port priority configuration items.
Table 2-22 Port priority configuration items
- Interface: The interface to be configured.
- Priority: Set a local precedence value for the port.
- Trust Mode: Select a priority trust mode for the port, which can be
  - Untrust: where packet priority is not trusted.
  - CoS: where the 802.
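The following is an added example, not code from the manual or the switch, that ties together three passages of this chapter: it parses the 802.1Q tag header described under Figure 2-4 (TPID 0x8100 followed by the 2-byte TCI), applies the DSCP-to-Queue rows listed in the default mapping table (48 to 55 map to queue 6, 56 to 63 to queue 7), and shows what the port trust mode in Table 2-22 does with a frame's own marking. The function names, the sample frame, and the CoS-to-Queue table (an identity mapping assumed here, not the device's default table) are this example's own; DSCP values below 48 are assumed to follow the same eight-values-per-queue pattern as the rows the text shows.

```python
# Added example (not from the manual): 802.1Q tag parsing, the DSCP-to-Queue rows
# from the text, and the effect of the port trust mode. The CoS-to-Queue table used
# here is an assumed identity mapping, not the device default.
import struct
from typing import Dict, Optional


def parse_frame(frame: bytes) -> dict:
    """Return MACs, EtherType and, when TPID == 0x8100, the 802.1Q TCI fields:
    3-bit priority (CoS), 1-bit CFI and 12-bit VLAN ID."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    info = {"dst": frame[0:6].hex(), "src": frame[6:12].hex(), "tagged": False}
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == 0x8100:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, cos=tci >> 13, cfi=(tci >> 12) & 1, vid=tci & 0x0FFF)
    info["ethertype"] = ethertype
    return info


def dscp_to_queue(dscp: int) -> int:
    """Default DSCP-to-Queue rows given in the text: 48-55 -> 6, 56-63 -> 7.
    Values below 48 are assumed to follow the same eight-per-queue pattern."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp // 8


def select_queue(info: dict, trust_mode: str, port_priority: int,
                 cos_to_queue: Optional[Dict[int, int]] = None) -> int:
    """Pick the output queue. Untrust: the port's own local precedence is used and
    the frame's marking is ignored. CoS: a tagged frame's 802.1p value is looked up
    in the CoS-to-Queue table (an untagged frame falls back to the port priority)."""
    if trust_mode not in ("Untrust", "CoS"):
        raise ValueError("unknown trust mode")
    table = cos_to_queue or {c: c for c in range(8)}   # assumed identity table
    if trust_mode == "CoS" and info.get("tagged"):
        return table[info["cos"]]
    return port_priority


def build_tagged_frame(cos: int, vid: int, ethertype: int = 0x0800) -> bytes:
    """Constructed frame: broadcast destination, a fixed source MAC, one 802.1Q tag."""
    tci = (cos << 13) | (vid & 0x0FFF)
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
            + struct.pack("!HHH", 0x8100, tci, ethertype) + b"\x00" * 46)


def run_demo() -> dict:
    # A host on an access port marks its own frames with the highest 802.1p value.
    info = parse_frame(build_tagged_frame(cos=7, vid=100))
    return {
        "cos": info["cos"], "vid": info["vid"], "ethertype": info["ethertype"],
        "queue_if_trusted": select_queue(info, "CoS", port_priority=0),
        "queue_if_untrusted": select_queue(info, "Untrust", port_priority=0),
        "queue_for_dscp_48": dscp_to_queue(48),
        "queue_for_dscp_63": dscp_to_queue(63),
    }
```

The contrast between the two select_queue calls is the reason the trust mode matters on ports facing end hosts: with CoS trusted, any host can place its traffic in queue 7 simply by setting the 802.1p field; with Untrust, the local precedence configured on the port decides and the marking is ignored.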
Return to Priority trust mode configuration task list.
Configuration Guidelines
When configuring QoS, note that:
When an ACL is referenced to implement QoS, the actions defined in the ACL rules, deny or permit, do not take effect; actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS.
3 ACL/QoS Configuration Examples
ACL/QoS Configuration Example
Network requirements
As shown in Figure 3-1, in the network, the FTP server at IP address 10.1.1.1/24 is connected to the Switch, and the clients access the FTP server through GigabitEthernet 1/0/1 of the Switch. Configure an ACL and a QoS policy as follows to prevent the hosts from accessing the FTP server from 8:00 to 18:00 every day:
1) Create an ACL to prohibit the hosts from accessing the FTP server from 8:00 to 18:00 every day.
Figure 3-2 Define a time range covering 8:00 to 18:00 every day
- Type the time range name test-time.
- Select the Periodic Time Range option, set the Start Time to 8:00 and the End Time to 18:00, and then select the checkboxes Sun through Sat.
- Click Apply.
2) Define an IPv4 ACL for traffic to the FTP server.
# Create an advanced IPv4 ACL.
- Select QoS > ACL IPv4 from the navigation tree and click Create. Perform configuration as shown in Figure 3-3.
Figure 3-3 Create an advanced IPv4 ACL
- Type the ACL number 3000.
- Click Apply.
# Define an ACL rule for traffic to the FTP server.
- Click Advance Setup. Perform configuration as shown in Figure 3-4.
Figure 3-4 Define an ACL rule for traffic to the FTP server
- Select ACL 3000 in the drop-down list.
- Select the Rule ID option, and type rule ID 2.
- Select Permit in the Operation drop-down list.
- Select the Destination IP Address option, and type IP address 10.1.1.1 and destination wildcard mask 0.0.0.0.
- Select test-time in the Time Range drop-down list.
- Click Add.
3) Configure a QoS policy
# Create a class.
- Select QoS > Classifier from the navigation tree and click Create. Perform configuration as shown in Figure 3-5.
Figure 3-5 Create a class
- Type the class name class1.
- Click Create.
# Define classification rules.
- Click Setup. Perform configuration as shown in Figure 3-6.
Figure 3-6 Define classification rules
- Select the class name class1 in the drop-down list.
- Select the ACL IPv4 option, and select ACL 3000 in the following drop-down list.
- Click Apply. A configuration progress dialog box appears, as shown in Figure 3-7.
Figure 3-7 Configuration progress dialog box
- After the configuration is complete, click Close on the dialog box.
# Create a traffic behavior.
- Select QoS > Behavior from the navigation tree and click Create. Perform configuration as shown in Figure 3-8.
Figure 3-8 Create a traffic behavior
- Type the behavior name behavior1.
- Click Create.
# Configure actions for the traffic behavior.
- Click Setup. Perform configuration as shown in Figure 3-9.
Figure 3-9 Configure actions for the behavior
- Select behavior1 in the drop-down list.
- Select the Filter option, and then select Deny in the following drop-down list.
- Click Apply. A configuration progress dialog box appears.
- After the configuration is complete, click Close on the dialog box.
# Create a policy.
- Select QoS > QoS Policy from the navigation tree and click the Create tab. Perform configuration as shown in Figure 3-10.
Figure 3-10 Create a policy
- Type the policy name policy1.
- Click Create.
# Configure classifier-behavior associations for the policy.
- Click Setup. Perform configuration as shown in Figure 3-11.
Figure 3-11 Configure classifier-behavior associations for the policy
- Select policy1.
- Select class1 in the Classifier Name drop-down list.
- Select behavior1 in the Behavior Name drop-down list.
- Click Apply.
# Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1.
Figure 3-12 Apply the QoS policy in the inbound direction of GigabitEthernet 1/0/1
- Select policy1 in the Please select a policy drop-down list.
- Select Inbound in the Direction drop-down list.
- Select port GigabitEthernet 1/0/1.
- Click Apply. A configuration progress dialog box appears.
- After the configuration is complete, click Close on the dialog box.
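The following is an added example, not code from the manual or the switch, that models the classifier, behavior and policy pipeline built in the procedure above and applies it to constructed packets. It shows the point made in the Configuration Guidelines: rule 2 of ACL 3000 says Permit, yet packets it matches are dropped, because only the behavior's Filter action (Deny in behavior1) is applied to packets the classifier matches. The dictionary layout and function names are this example's own; the ACL matcher is reduced to the single rule of ACL 3000 (destination 10.1.1.1 with wildcard 0.0.0.0, which is an exact match, during test-time), and the packets and timestamps are constructed.

```python
# Added example (not from the 3Com manual): a model of the classifier / behavior /
# policy pipeline applied to the configuration example. Data layout and function
# names are this example's own; the ACL matcher covers only rule 2 of ACL 3000.
from datetime import datetime


def acl_3000_matches(pkt: dict, when: datetime) -> bool:
    """Rule 2 of ACL 3000: destination 10.1.1.1 (wildcard 0.0.0.0 = exact match),
    active in time range test-time (8:00 to 18:00, Sun through Sat). Its own
    action, Permit, is deliberately not returned: when a QoS classifier references
    an ACL, only whether the packet matches counts."""
    in_test_time = (8, 0) <= (when.hour, when.minute) < (18, 0)
    return in_test_time and pkt["dst"] == "10.1.1.1"


# Match functions keyed by the classifier rule that references them.
RULE_MATCHERS = {("acl_ipv4", 3000): acl_3000_matches}

CLASSIFIERS = {"class1": {"operator": "and", "rules": [("acl_ipv4", 3000)]}}
BEHAVIORS = {"behavior1": {"filter": "deny"}}          # Filter: Deny drops the packet
POLICIES = {"policy1": [("class1", "behavior1")]}      # classifier-behavior pairs in order
PORT_POLICIES = {("GigabitEthernet1/0/1", "inbound"): "policy1"}


def classify(name: str, pkt: dict, when: datetime) -> bool:
    """Evaluate a classifier's rules under its operator (and / or)."""
    cls = CLASSIFIERS[name]
    results = [RULE_MATCHERS[rule](pkt, when) for rule in cls["rules"]]
    return all(results) if cls["operator"] == "and" else any(results)


def apply_filter(behavior: str, default: str = "forward") -> str:
    """Filter action of the behavior: Permit forwards, Deny drops, Not Set leaves
    the default forwarding decision untouched."""
    action = BEHAVIORS[behavior].get("filter", "not set")
    return {"permit": "forward", "deny": "drop"}.get(action, default)


def decide(port: str, direction: str, pkt: dict, when: datetime) -> str:
    policy = PORT_POLICIES.get((port, direction))
    if policy is None:
        return "forward"                 # no policy on this port and direction
    for classifier, behavior in POLICIES[policy]:
        if classify(classifier, pkt, when):
            return apply_filter(behavior)
    return "forward"                     # matched no class: normal forwarding


def run_demo() -> dict:
    """Constructed packets toward the FTP server, inside and outside test-time."""
    to_ftp = {"src": "10.1.1.50", "dst": "10.1.1.1", "proto": 6, "dport": 21}
    elsewhere = {"src": "10.1.1.50", "dst": "10.1.1.2", "proto": 6, "dport": 21}
    noon = datetime(2009, 8, 10, 12, 0)
    evening = datetime(2009, 8, 10, 20, 0)
    return {
        "ftp_noon_ge1": decide("GigabitEthernet1/0/1", "inbound", to_ftp, noon),
        "ftp_evening_ge1": decide("GigabitEthernet1/0/1", "inbound", to_ftp, evening),
        "other_noon_ge1": decide("GigabitEthernet1/0/1", "inbound", elsewhere, noon),
        "ftp_noon_ge2": decide("GigabitEthernet1/0/2", "inbound", to_ftp, noon),
    }
```

Two results are worth checking against the intent stated in the network requirements. First, changing the ACL rule's Operation from Permit to Deny would change nothing; the drop comes from behavior1. Second, the policy is bound to GigabitEthernet 1/0/1 inbound only, so the same packet arriving on another port is forwarded; the restriction holds only if every client-facing port the clients can use carries the policy.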
1 PoE Configuration
PoE Overview
Power over Ethernet (PoE) means that power sourcing equipment (PSE) supplies power to powered devices (PDs) from Ethernet interfaces through twisted pair cables.
Advantages
- Reliable: Power is supplied in a centralized way so that it is very convenient to provide a backup power supply.
- Easy to connect: A network terminal requires no external power supply but only an Ethernet cable.
- Standard: In compliance with IEEE 802.
3Com Baseline Switch 2920-SFP Plus is a single PSE device, so this manual introduces the device with a single PSE only. A PSE can examine the Ethernet cables connected to PoE interfaces, search for PDs, classify them, and supply power to them. When detecting that a PD is unplugged, the PSE stops supplying power to the PD.
PI
An Ethernet interface with the PoE capability is called a PoE interface. Currently, a PoE interface can be an FE or GE interface.
Configuring PoE Ports
Select PoE > PoE from the navigation tree and click the Setup tab, as shown in Figure 1-2.
Figure 1-2 Setup page
Table 1-1 describes the PoE port configuration items.
Table 1-1 PoE port configuration items
- Select Port: Click to select ports to be configured and they will be displayed in the Selected Ports list box.
- Power State: Enable or disable PoE on the selected ports.
- Power Priority: Set the power supply priority for a PoE port. The priority levels of a PoE port include low, high, and critical in ascending order.
  - When the PoE power is insufficient, power is first supplied to PoE ports with a higher priority level.
  - When the PSE power is overloaded, the PoE port with a lower priority is first disconnected to guarantee the power supply to the PD with a higher priority.
Figure 1-3 PoE summary
PoE Configuration Example
Network requirements
- As shown in Figure 1-4, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are connected to IP telephones.
- GigabitEthernet 1/0/11 is connected to an AP whose maximum power does not exceed 9000 milliwatts.
- The power supply priority of the IP telephones is higher than that of the AP; therefore, the PSE supplies power to the IP telephones first when the PSE power is overloaded.
Configuration procedure
# Enable PoE on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, and configure their power supply priority to critical.
- Select PoE > PoE from the navigation tree and click the Setup tab to perform the following configurations, as shown in Figure 1-5.
Figure 1-5 Configure the PoE ports supplying power to the IP telephones
- Click to select ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 from the chassis front panel.
- Select Enable from the Power State drop-down list.
Figure 1-6 Configure the PoE port supplying power to the AP
- Click to select port GigabitEthernet 1/0/11 from the chassis front panel.
- Select Enable from the Power State drop-down list.
- Select the check box before Power Max and type 9000.
- Click Apply.
After the configuration takes effect, the IP telephones and the AP are powered and can work normally.
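The following is an added example, not code from the manual or the switch, that models how a single PSE hands out power by port priority as Table 1-1 describes, using the ports of the example above. The 9000 mW limit on GigabitEthernet 1/0/11 comes from the text; the telephones' power draw, the PSE budgets, the AP port's priority (left at low) and the tie-break between ports of equal priority are this example's own assumptions.

```python
# Added example (not from the manual): PSE power allocation by port priority for
# the ports of the PoE configuration example. Phone power draw, PSE budgets, the
# AP port's priority and the tie-break by port name are this example's assumptions.
from typing import Dict, List, Tuple

PRIORITY_RANK = {"low": 0, "high": 1, "critical": 2}   # ascending, as in Table 1-1


def allocate_power(ports: List[Dict], pse_budget_mw: int) -> Tuple[List[str], List[str], int]:
    """Power enabled ports from the highest priority down while the budget lasts.
    A port whose maximum power no longer fits is left unpowered, which is the
    outcome the text describes for an overload: lower-priority ports are
    disconnected first so higher-priority PDs keep their supply."""
    enabled = [p for p in ports if p["enabled"]]
    order = sorted(enabled, key=lambda p: (-PRIORITY_RANK[p["priority"]], p["name"]))
    powered, unpowered, remaining = [], [], pse_budget_mw
    for p in order:
        if p["max_power_mw"] <= remaining:
            remaining -= p["max_power_mw"]
            powered.append(p["name"])
        else:
            unpowered.append(p["name"])
    return powered, unpowered, remaining


def example_ports() -> List[Dict]:
    """Constructed port table: two critical phone ports, the AP port with the
    9000 mW maximum from the text, and one disabled port that draws nothing."""
    return [
        {"name": "GigabitEthernet1/0/1", "enabled": True, "priority": "critical", "max_power_mw": 7000},
        {"name": "GigabitEthernet1/0/2", "enabled": True, "priority": "critical", "max_power_mw": 7000},
        {"name": "GigabitEthernet1/0/11", "enabled": True, "priority": "low", "max_power_mw": 9000},
        {"name": "GigabitEthernet1/0/12", "enabled": False, "priority": "low", "max_power_mw": 9000},
    ]


def run_demo() -> dict:
    ok = allocate_power(example_ports(), pse_budget_mw=30000)        # enough for all
    overloaded = allocate_power(example_ports(), pse_budget_mw=20000)  # 3000 mW short
    return {"powered_ok": ok[0], "unpowered_ok": ok[1],
            "powered_overloaded": overloaded[0], "unpowered_overloaded": overloaded[1],
            "remaining_overloaded": overloaded[2]}
```

With a 20000 mW budget the two critical telephone ports take 14000 mW and the 9000 mW AP no longer fits, so it is the port left without power, matching the requirement that the telephones are served first when the PSE is overloaded. Note that Power Max caps what a port may draw; it does not reserve power for it.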