3Com Switch 4500 Family Configuration Guide
Switch 4500 26-Port, Switch 4500 50-Port, Switch 4500 PWR 26-Port, Switch 4500 PWR 50-Port
Product Version: V03.03.00
Manual Version: 6W101-20090811
www.3com.
Copyright © 2006-2009, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation. 3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.
About This Manual
Organization
3Com Switch 4500 Family Configuration Guide is organized as follows:
Part 1, Login: Introduces the ways to log in to an Ethernet switch and CLI-related configuration.
Part 2, Configuration File Management: Introduces the configuration file and the related configuration.
Part 3, VLAN: Introduces VLAN and the related configuration.
Part 27, UDP Helper: Introduces UDP helper and the related configuration.
Part 28, SNMP-RMON: Introduces the configuration for network management through SNMP and RMON.
Part 29, NTP: Introduces NTP and the related configuration.
Part 30, SSH: Introduces SSH2.0 and the related configuration.
Part 31, File System Management: Introduces basic configuration for file system management.
Part 32, FTP-SFTP-TFTP: Introduces basic configuration for FTP, SFTP and TFTP, and the applications.
GUI conventions
<>: Button names are inside angle brackets. For example, click .
[]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
Symbols
Means the reader should be extremely careful. Improper operation may cause bodily injury.
Means the reader should be careful.
1 Logging In to an Ethernet Switch
Go to these sections for information you are interested in:
• Logging In to an Ethernet Switch
• Introduction to the User Interface
Logging In to an Ethernet Switch
To manage or configure a Switch 4500, you can log in to it in one of the following three methods:
• Command Line Interface
• Web-based Network Management Interface
• Network Management Station
The following table shows the configurations corresponding to each method:
Method | Tasks
Logging In Through
Table 1-1 Description on user interface
User interface | Applicable user | Port used | Remarks
AUX | Users logging in through the console port | Console port | Each switch can accommodate one AUX user.
VTY | Telnet users and SSH users | Ethernet port | Each switch can accommodate up to five VTY users.
One user interface corresponds to one user interface view, where you can configure a set of parameters, such as whether to authenticate users at login and the user level after login.
Common User Interface Configuration
Follow these steps to configure common user interface:
To do… | Use the command… | Remarks
Lock the current user interface | lock | Optional. Available in user view.
Send messages to all user interfaces or to a specified user interface | send { all | number | type number } | Optional. Available in user view.
Free a user interface | free user-interface [ type ] number | Optional. Available in user view.
Enter system view | system-view | —
Set the banner | header [ incoming | legal | login | shell ] text | Optional
Set a system name for the switch | sysname s
2 Logging In Through the Console Port
Go to these sections for information you are interested in:
• Introduction
• Setting Up a Login Environment for Login Through the Console Port
• Console Port Login Configuration
• Console Port Login Configuration with Authentication Mode Being None
• Console Port Login Configuration with Authentication Mode Being Password
• Console Port Login Configuration with Authentication Mode Being Scheme
Introduction
To log in through the console port is the most comm
2) If you use a PC to connect to the console port, launch a terminal emulation utility (such as Terminal in Windows 3.X, or HyperTerminal in Windows 9X/Windows 2000/Windows XP; the following assumes that you are running Windows XP) and perform the configuration shown in Figure 2-2 through Figure 2-4 for the connection to be created. Normally, both sides (that is, the serial port of the PC and the console port of the switch) are configured as listed in Table 2-1.
Figure 2-4 Set port parameters
3) Turn on the switch. You will be prompted to press the Enter key if the switch successfully completes POST (power-on self test). The prompt appears after you press the Enter key.
4) You can then configure the switch or check the information about the switch by executing the corresponding commands. You can also acquire help by typing the ? character. Refer to related parts in this manual for information about the commands used for configuring the switch.
Configuration | Remarks
Set the maximum number of lines the screen can contain | Optional. By default, the screen can contain up to 24 lines.
Set the history command buffer size | Optional. By default, the history command buffer can contain up to 10 commands.
Set the timeout time of a user interface | Optional. The default timeout time is 10 minutes.
To do… | Use the command… | Remarks
Set the maximum number of lines the screen can contain | screen-length screen-length | Optional. By default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function to display information in pages.
Set the history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
Changes made to the authentication mode for console port login take effect after you quit the command-line interface and then log in again.
Network diagram
Figure 2-5 Network diagram for AUX user interface configuration (with the authentication mode being none): configuration PC running Telnet connected to GE1/0/1 over Ethernet
Configuration procedure
# Enter system view.
system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify not to authenticate users logging in through the console port.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter AUX user interface view | user-interface aux 0 | —
Configure to authenticate users using the local password | authentication-mode password | Required
Set the local password | set authentication password { cipher | simple } password | Required. By default, users logging in to a switch through the console port are not authenticated, while those logging in through modems or Telnet are authenticated.
system-view
# Enter AUX user interface view.
[Sysname] user-interface aux 0
# Specify to authenticate users logging in through the console port using the local password.
[Sysname-ui-aux0] authentication-mode password
# Set the local password to 123456 (in plain text).
[Sysname-ui-aux0] set authentication password simple 123456
# Specify that commands of level 2 are available to users logging in to the AUX user interface.
To do… | Use the command… | Remarks
Configure the authentication mode: enter the default ISP domain view | domain domain-name | Optional
Configure the authentication mode: specify the AAA scheme to be applied to the domain | scheme { local | none | radius-scheme radius-scheme-name [ local ] } | Optional. By default, the local AAA scheme is applied. If you specify to apply the local AAA scheme, you need to perform the configuration concerning the local user as well.
• Set the service type of the local user to Terminal and the command level to 2.
• Configure to authenticate the users in the scheme mode.
• The baud rate of the console port is 19,200 bps.
• The screen can contain up to 30 lines.
• The history command buffer can store up to 20 commands.
• The timeout time of the AUX user interface is 6 minutes.
[Sysname-ui-aux0] history-command max-size 20
# Set the timeout time of the AUX user interface to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6
After the above configuration, you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2-4 to log in to the switch successfully.
3 Logging In Through Telnet
Go to these sections for information you are interested in:
• Introduction
• Telnet Configuration with Authentication Mode Being None
• Telnet Configuration with Authentication Mode Being Password
Introduction
Switch 4500 supports Telnet. You can manage and maintain a switch remotely by Telnetting to the switch. To log in to a switch through Telnet, the corresponding configuration is required on both the switch and the Telnet terminal.
Configuration | Description
Configure the protocols the user interface supports | Optional. By default, Telnet and SSH protocol are supported.
Set the commands to be executed automatically after a user logs in to the user interface successfully | Optional. By default, no command is executed automatically after a user logs into the VTY user interface.
To do… | Use the command… | Remarks
Set the history command buffer size | history-command max-size value | Optional. The default history command buffer size is 10, that is, the history command buffer of a user can store up to 10 commands by default.
Set the timeout time of a user interface | | Optional. The default timeout time of a user interface is 10 minutes.
To improve security and prevent attacks on unused sockets, TCP port 23 and TCP port 22 (the ports for the Telnet and SSH services respectively) are enabled or disabled according to the authentication configuration:
• If the authentication mode is none, TCP 23 is enabled and TCP 22 is disabled.
• If the authentication mode is password and the corresponding password has been set, TCP 23 is enabled and TCP 22 is disabled.
Network diagram
Figure 3-1 Network diagram for Telnet configuration (with the authentication mode being none)
Configuration procedure
# Enter system view.
system-view
# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0
# Configure not to authenticate Telnet users logging in to VTY 0.
[Sysname-ui-vty0] authentication-mode none
# Specify that commands of level 2 are available to users logging in to VTY 0.
When the authentication mode is password, the command level available to users logging in to the user interface is determined by the user privilege level command.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the current user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
• Authenticate users using the local password.
Telnet Configuration with Authentication Mode Being Scheme
Configuration Procedure
Follow these steps to configure Telnet with the authentication mode being scheme:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter one or more VTY user interface views | user-interface vty first-number [ last-number ] | —
Configure to authenticate users in the scheme mode: configure the authentication scheme | authentication-mode scheme [ command-authorization ] | Required. The spec
Quit to system view | quit | —
Refer to the AAA part of this manual for information about AAA and RADIUS.
Configuration Example
Network requirements
Assume the current user logs in through the console port and the user level is set to the administrator level (level 3). Perform the following configurations for users logging in to VTY 0 using Telnet.
• Configure the local user name as guest.
• Set the authentication password of the local user to 123456 (in plain text).
• Set the service type of VTY users to Telnet and the command level to 2.
# Set the maximum number of lines the screen can contain to 30.
[Sysname-ui-vty0] screen-length 30
# Set the maximum number of commands the history command buffer can store to 20.
[Sysname-ui-vty0] history-command max-size 20
# Set the timeout time to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6
Telnetting to a Switch
Telnetting to a Switch from a Terminal
1) Assign an IP address to VLAN-interface 1 of the switch (VLAN 1 is the default VLAN of the switch).
Figure 3-5 Network diagram for Telnet connection establishment: a workstation (configuration PC running Telnet) and a server connected over Ethernet to an Ethernet port of the switch
4) Launch Telnet on your PC, with the IP address of VLAN-interface 1 of the switch as the parameter, as shown in Figure 3-6.
Figure 3-6 Launch Telnet
5) If the password authentication mode is specified, enter the password when the Telnet window displays “Login authentication” and prompts for the login password.
Telnetting to another Switch from the Current Switch
You can Telnet to another switch from the current switch. In this case, the current switch operates as the client, and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that a route between the two VLAN interfaces is available.
4 Logging In Using a Modem
Go to these sections for information you are interested in:
• Introduction
• Configuration on the Switch Side
• Modem Connection Establishment
Introduction
The administrator can log in to the console port of a remote switch using a modem through the public switched telephone network (PSTN), if the remote switch is connected to the PSTN through a modem, to configure and maintain the switch remotely.
You can verify your configuration by executing the AT&V command. The configuration commands and the output of different modems may differ. Refer to the user manual of the modem when performing the above configuration. Switch Configuration After logging in to a switch through its console port by using a modem, you will enter the AUX user interface.
Figure 4-1 Establish the connection by using modems: PC, modem serial cable, modem, telephone line, PSTN, modem, console port; telephone number of the remote end: 82882285
4) Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch, as shown in Figure 4-2 through Figure 4-4. Note that you need to set the telephone number to that of the modem directly connected to the switch.
Figure 4-3 Set the telephone number
Figure 4-4 Call the modem
5) If the password authentication mode is specified, enter the password when prompted. If the password is correct, the prompt (such as ) appears. You can then configure or manage the switch. You can also enter the character ? at any time for help. Refer to the related parts in this manual for information about the configuration commands.
5 CLI Configuration
When configuring the CLI, go to these sections for information you are interested in:
• Introduction to the CLI
• Command Hierarchy
• CLI Views
• CLI Features
Introduction to the CLI
A command line interface (CLI) is a user interface to interact with a switch. Through the CLI on a switch, a user can enter commands to configure the switch and check output information to verify the configuration.
• Monitor level (level 1): Commands at this level are mainly used to maintain the system and diagnose service faults, and they cannot be saved in the configuration file. Such commands include debugging and terminal.
• System level (level 2): Commands at this level are mainly used to configure services. Commands concerning routing and network layers are at this level. These commands can be used to provide network services directly.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the level of a command in a specific view | command-privilege level level view view command | Required. You are recommended to use the default command level, or to modify the command level only under the guidance of professional staff; otherwise, the change of command level may bring inconvenience to your maintenance and operation, or even potential security problems.
To avoid misoperations, it is recommended that administrators log in to the device using a lower privilege level to view device operating parameters, and switch to a higher level temporarily only when they have to maintain the device. When administrators need to leave for a while, or ask someone else to manage the device temporarily, they can switch to a lower privilege level before they leave, to restrict the operations available to others. High-to-low user level switching is unlimited.
To do… | Use the command… | Remarks
Switch to a specified user level | super [ level ] | Required. Execute this command in user view. If no user level is specified in the super password command or the super command, level 3 is used by default.
• For security purposes, the password entered is not displayed when you switch to another user level. You will remain at the original user level if you have tried three times but failed to enter the correct authentication information.
Table 5-1 CLI views
View | Available operation | Prompt example | Enter method | Quit method
User view | Display operation status and statistical information of the switch | | Enter user view once logging into the switch. | Execute the quit command to log out of the switch.
System view | Configure system parameters | [Sysname] | Execute the system-view command in user view. | Execute the quit or return command to return to user view.
Configure Ethernet port parameters
View | Available operation | Prompt example | Enter method
FTP client view | Configure FTP client parameters | [ftp] | Execute the ftp command in user view.
SFTP client view | Configure SFTP client parameters | sftp-client> | Execute the sftp command in system view.
MST region view | Configure MST region parameters | [Sysname-mst-region] | Execute the stp region-configuration command in system view.
Cluster view | Configure cluster parameters | [Sysname-cluster] | Execute the cluster command in system view.
View | Available operation | Prompt example | Enter method
RADIUS scheme view | Configure RADIUS scheme parameters | [Sysname-radius-1] | Execute the radius scheme command in system view.
ISP domain view | Configure ISP domain parameters | [Sysname-isp-aaa123.net] | Execute the domain command in system view.
Remote-ping test group view | Configure remote-ping test group parameters | [Sysname-remoteping-a123-a123] | Execute the remote-ping command in system view.
cd          Change current directory
clock       Specify the system clock
cluster     Run cluster command
copy        Copy from one file to another
debugging   Enable system debugging functions
delete      Delete a file
dir         List files on a file system
display     Display current system information
2) Enter a command, a space, and a question mark (?).
Table 5-2 Display-related operations
Operation | Function
Press | Stop the display output and execution of the command.
Press any character except , , /, +, and - when the display output pauses | Stop the display output.
Press the space key | Get to the next page.
Press | Get to the next line.
Command History
The CLI provides the command history function.
Table 5-3 Common error messages
Error message | Remarks
Unrecognized command found at '^' position | The command does not exist. The keyword does not exist. The parameter type is wrong. The parameter value is out of range.
Incomplete command found at '^' position | The command entered is incomplete.
Too many parameters found at '^' position | The parameters entered are too many.
Ambiguous command found at '^' position | The parameters entered are ambiguous.
Wrong parameter found at '^' position | A parameter entered is wrong.
An error is found at the '^' position.
6 Logging In Through the Web-based Network Management Interface
Go to these sections for information you are interested in:
• Introduction
• Establishing an HTTP Connection
• Configuring the Login Banner
• Enabling/Disabling the WEB Server
Introduction
Switch 4500 has a Web server built in. It enables you to log in to Switch 4500 through a Web browser and then manage and maintain the switch intuitively by interacting with the built-in Web server.
3) Establish an HTTP connection between your PC and the switch, as shown in Figure 6-1.
Figure 6-1 Establish an HTTP connection between your PC and the switch
4) Log in to the switch through IE. Launch IE on the Web-based network management terminal (your PC) and enter the IP address of the management VLAN interface of the switch in the address bar. (Make sure the route between the Web-based network management terminal and the switch is available.)
Configuration Example
Network requirements
• A user logs in to the switch through Web.
• The banner page is desired when a user logs into the switch.
Network diagram
Figure 6-3 Network diagram for login banner configuration
Configuration Procedure
# Enter system view.
system-view
# Configure the banner Welcome to be displayed when a user logs into the switch through Web.
[Sysname] header login %Welcome%
Assume that a route is available between the user terminal (the PC) and the switch.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the Web server | undo ip http shutdown | Required. By default, the Web server is enabled.
Disable the Web server | ip http shutdown | Required
To improve security and prevent attacks on unused sockets, TCP port 80 (which is for the HTTP service) is enabled or disabled according to the corresponding configuration.
• Enabling the Web server (by using the undo ip http shutdown command) opens TCP port 80.
7 Logging In Through NMS
Go to these sections for information you are interested in:
• Introduction
• Connection Establishment Using NMS
Introduction
You can also log in to a switch through a Network Management Station (NMS), and then configure and manage the switch through the agent software on the switch. Simple Network Management Protocol (SNMP) is applied between the NMS and the agent. Refer to the SNMP-RMON part for related information.
8 Configuring Source IP Address for Telnet Service Packets
Go to these sections for information you are interested in:
• Overview
• Configuring Source IP Address for Telnet Service Packets
• Displaying Source IP Address Configuration
Overview
You can configure the source IP address or source interface for the Telnet server and Telnet client. This provides a way to manage services and enhances security.
Operation | Command | Description
Specify a source interface for Telnet server | telnet-server source-interface interface-type interface-number | Optional
Specify source IP address for Telnet client | telnet source-ip ip-address | Optional
Specify a source interface for Telnet client | telnet source-interface interface-type interface-number | Optional
To perform the configurations listed in Table 8-1 and Table 8-2, make sure that:
• The IP address specified is that of the local device.
9 User Control
Go to these sections for information you are interested in:
• Introduction
• Controlling Telnet Users
• Controlling Network Management Users by Source IP Addresses
• Controlling Web Users by Source IP Address
Refer to the ACL part for information about ACL.
Introduction
You can control users logging in through Telnet, SNMP and WEB by defining an Access Control List (ACL), as listed in Table 9-1.
• If no ACL is configured on the VTY user interface, users are not controlled when establishing a Telnet connection using this user interface.
• If an ACL is configured on the VTY user interface, there are two possibilities: if the packets for establishing a Telnet connection match an ACL rule configured on the VTY user interface, the connection is permitted or denied according to that rule; if not, the connection is denied directly.
To do… | Use the command… | Remarks
Apply an ACL to control Telnet users: apply a basic or advanced ACL | acl acl-number { inbound | outbound } | Required. Use either command.
Apply an ACL to control Telnet users: apply a Layer 2 ACL | acl acl-number inbound | Required. Use either command.
• The inbound keyword specifies to filter the users trying to Telnet to the current switch.
• The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch.
• Defining an ACL
• Applying the ACL to control users accessing the switch through SNMP
To control whether an NMS can manage the switch, you can use this function.
Prerequisites
The controlling policy against network management users is determined, including the source IP addresses to be controlled and the controlling actions (permitting or denying).
Network diagram
Figure 9-2 Network diagram for controlling SNMP users using ACLs: Host A (10.110.100.46) and Host B (10.110.100.52) reach the switch over an IP network
Configuration procedure
# Define a basic ACL.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Apply the ACL to only permit SNMP users sourced from the IP address 10.110.100.52 to access the switch.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Create a basic ACL or enter basic ACL view | acl number acl-number [ match-order { config | auto } ] | Required. As for the acl number command, the config keyword is specified by default.
Define rules for the ACL | rule [ rule-id ] { deny | permit } [ rule-string ] | Required
Quit to system view | quit | —
Apply the ACL to control Web users | ip http acl acl-number | Optional. By default, no ACL is applied for Web users.
[Sysname-acl-basic-2030] quit
# Apply ACL 2030 to only permit the Web users sourced from the IP address 10.110.100.52 to access the switch.
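The following is an added example, not code from the 3Com manual: it models how a basic ACL such as ACL 2000 or ACL 2030 above decides whether a Telnet, SNMP or Web login from a given source address is allowed, including the rule the text states for VTY users that a source matching no rule is denied, and the difference between the config and auto match orders (the auto ordering used here, most specific source range first, is an assumption; the wildcard syntax and sample addresses are constructed from the manual's own example).

```python
"""Added example (not from the 3Com manual): evaluate basic ACL rules such as
'rule 1 permit source 10.110.100.52 0' against the source address of a login."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    source: Optional[int]  # None means any source address
    wildcard: int          # inverse mask: 0 = exact host, 0xFFFFFFFF = any host

    def matches(self, ip: int) -> bool:
        if self.source is None:
            return True
        mask = ~self.wildcard & 0xFFFFFFFF  # wildcard bits set are "don't care"
        return (ip & mask) == (self.source & mask)


def parse_rule(line: str) -> Rule:
    """Parse 'rule <id> {permit|deny} [source <addr> <wildcard>]'.
    The wildcard may be a plain integer (as in the manual, '0') or dotted form.
    'source any' support is an assumption, not taken from the page."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    rule_id, action = int(toks[1]), toks[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    if len(toks) == 3 or toks[3:5] == ["source", "any"]:
        return Rule(rule_id, action, None, 0xFFFFFFFF)
    if len(toks) != 6 or toks[3] != "source":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    src = int(ipaddress.IPv4Address(toks[4]))
    wc = int(ipaddress.IPv4Address(toks[5])) if "." in toks[5] else int(toks[5])
    return Rule(rule_id, action, src, wc)


class BasicAcl:
    """A numbered basic ACL (2000-2999) applied to Telnet, SNMP or Web logins."""

    def __init__(self, number: int, rules: List[str], match_order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs are numbered 2000-2999")
        if match_order not in ("config", "auto"):
            raise ValueError("match-order must be config or auto")
        self.number = number
        self.rules = [parse_rule(r) for r in rules]  # config order = order entered
        if match_order == "auto":
            # Assumption: depth-first ordering tries the most specific source
            # range first, i.e. the rule with the fewest wildcard bits set.
            self.rules.sort(key=lambda r: (bin(r.wildcard).count("1"), r.rule_id))

    def decide(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, rule_id) for the first matching rule.
        No matching rule yields ('deny', None): the manual says a login that
        matches none of the rules on the VTY user interface is denied directly."""
        ip = int(ipaddress.IPv4Address(src_ip))
        for rule in self.rules:
            if rule.matches(ip):
                return (rule.action, rule.rule_id)
        return ("deny", None)


# Constructed sample ACLs. ACL_2000 mirrors the manual's SNMP example; the
# other two show how match order changes the result for the same rules.
ACL_2000 = BasicAcl(2000, ["rule 1 permit source 10.110.100.52 0"])
OVERLAP = ["rule 1 deny source 10.110.100.0 0.0.0.255",
           "rule 2 permit source 10.110.100.52 0"]
ACL_CONFIG = BasicAcl(2031, OVERLAP, match_order="config")
ACL_AUTO = BasicAcl(2032, OVERLAP, match_order="auto")

if __name__ == "__main__":
    for host in ("10.110.100.52", "10.110.100.46", "192.0.2.9"):
        print(host, "ACL 2000:", ACL_2000.decide(host),
              "config:", ACL_CONFIG.decide(host), "auto:", ACL_AUTO.decide(host))
```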
1 Configuration File Management
When configuring configuration file management, go to these sections for information you are interested in:
• Introduction to Configuration File
• Configuration Task List
Introduction to Configuration File
A configuration file records and stores user configurations performed on a switch. It also enables users to check switch configurations easily.
• When saving the current configuration, you can specify the file to be a main, backup or normal configuration file.
• When removing a configuration file from a switch, you can specify to remove the main or backup configuration file. Or, if it is a file having both the main and backup attributes, you can specify to erase the main or backup attribute of the file.
• When setting the configuration file for next startup, you can specify to use the main or backup configuration file.
When you use the save safely command to save the configuration file, if the switch reboots or the power fails during the saving process, the switch initializes itself under the following two conditions when it starts up next time:
• If a configuration file with the extension .cfg exists in the Flash, the switch uses that configuration file to initialize itself when it starts up next time.
• If there is no .cfg configuration file in the Flash, but there is a configuration file with the extension .
To do… | Use the command… | Remarks
Erase the startup configuration file from the storage of the switch | reset saved-configuration [ backup | main ] | Required. Available in user view.
You may need to erase the configuration file for one of these reasons:
• After you upgrade software, the old configuration file does not match the new software.
• The startup configuration file is corrupted or not the one you need.
The configuration file must use .cfg as its extension name and the startup configuration file must be saved at the root directory of the switch.
1 VLAN Overview
This chapter covers these topics:
• VLAN Overview
• Port-Based VLAN
VLAN Overview
Introduction to VLAN
The traditional Ethernet is a broadcast network, where all hosts are in the same broadcast domain and connected with each other through hubs or switches. Hubs and switches, which are the basic network connection devices, have limited forwarding functions.
Figure 1-1 A VLAN implementation
Advantages of VLANs
Compared with the traditional Ethernet, VLAN enjoys the following advantages.
• Broadcasts are confined to VLANs. This decreases bandwidth consumption and improves network performance.
• Network security is improved. Because each VLAN forms a broadcast domain, hosts in different VLANs cannot communicate with each other directly unless routers or Layer 3 switches are used.
• A more flexible way to establish virtual workgroups.
tag is encapsulated after the destination MAC address and source MAC address to carry the VLAN information.
Figure 1-3 Format of VLAN tag
As shown in Figure 1-3, a VLAN tag contains four fields: the tag protocol identifier (TPID), priority, canonical format indicator (CFI), and VLAN ID.
• TPID is a 16-bit field, indicating that this data frame is VLAN-tagged. By default, it is 0x8100 in Ethernet switches.
• Priority is a 3-bit field, referring to the 802.1p priority.
z Independent VLAN learning (IVL), where the switch maintains an independent MAC address forwarding table for each VLAN. The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only, and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN. Currently, Switch 4500 series Ethernet switches adopt the IVL mode only.
A hybrid port allows the packets of multiple VLANs to be sent untagged, but a trunk port only allows the packets of the default VLAN to be sent untagged. The three types of ports can coexist on the same device. Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN, thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch.
Table 1-2 Packet processing of a trunk port
Processing of an incoming packet
• For an untagged packet: if the port has already been added to its default VLAN, tag the packet with the default VLAN tag and then forward the packet. If the port has not been added to its default VLAN, discard the packet.
• For a tagged packet: if the VLAN ID is one of the VLAN IDs allowed to pass through the port, receive the packet.
Processing of an outgoing packet
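As an added example that is not part of the manual, the following code parses the VLAN tag described above (TPID 0x8100, 3-bit priority, 1-bit CFI, 12-bit VLAN ID) and applies the trunk-port ingress rules of Table 1-2 to constructed frames; dropping a tagged frame whose VLAN is not permitted on the port is an assumption, since the table is cut off at that point.

```python
"""Added example (not code from the 3Com manual): 802.1Q tag parsing and
trunk-port ingress processing as described in Table 1-2."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # default TPID on Ethernet switches, as the text states


@dataclass(frozen=True)
class VlanTag:
    priority: int  # 3-bit 802.1p priority
    cfi: int       # 1-bit canonical format indicator
    vlan_id: int   # 12-bit VLAN ID


def parse_vlan_tag(frame: bytes) -> Optional[VlanTag]:
    """Return the tag that follows the destination and source MAC addresses,
    or None when the frame is untagged (the 2 bytes at offset 12 are an EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("tagged frame truncated")
    tci = struct.unpack("!H", frame[14:16])[0]
    return VlanTag(priority=tci >> 13, cfi=(tci >> 12) & 1, vlan_id=tci & 0x0FFF)


def build_frame(dst: bytes, src: bytes, tag: Optional[VlanTag],
                ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Assemble an Ethernet frame, inserting the 4-byte 802.1Q tag when given."""
    header = dst + src
    if tag is not None:
        if not 0 <= tag.vlan_id <= 0x0FFF:
            raise ValueError("VLAN ID must fit in 12 bits")
        tci = (tag.priority << 13) | (tag.cfi << 12) | tag.vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


@dataclass(frozen=True)
class TrunkPort:
    default_vlan: int
    permitted: FrozenSet[int]  # VLAN IDs allowed to pass through the port
    in_default_vlan: bool      # whether the port has been added to its default VLAN


def trunk_ingress(port: TrunkPort, frame: bytes) -> Tuple[str, int, Optional[bytes]]:
    """Apply Table 1-2 to an incoming frame.
    Returns ("forward", vlan_id, frame_as_forwarded) or ("discard", vlan_id, None)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        # Untagged: tag with the default VLAN if the port is in it, else discard.
        if not port.in_default_vlan:
            return ("discard", port.default_vlan, None)
        ethertype = struct.unpack("!H", frame[12:14])[0]
        tagged = build_frame(frame[:6], frame[6:12], VlanTag(0, 0, port.default_vlan),
                             ethertype, frame[14:])
        return ("forward", port.default_vlan, tagged)
    # Tagged: receive only if the VLAN ID is permitted on the port (assumption: otherwise drop).
    if tag.vlan_id in port.permitted:
        return ("forward", tag.vlan_id, frame)
    return ("discard", tag.vlan_id, None)


# Constructed sample frames and port settings (not taken from the manual).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0011223344aa")
PORT = TrunkPort(default_vlan=100, permitted=frozenset({100, 200}), in_default_vlan=True)
UNTAGGED = build_frame(DST, SRC, None, payload=b"\x00" * 46)
TAGGED_200 = build_frame(DST, SRC, VlanTag(5, 0, 200), payload=b"\x00" * 46)
TAGGED_300 = build_frame(DST, SRC, VlanTag(0, 0, 300), payload=b"\x00" * 46)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("vlan 200", TAGGED_200), ("vlan 300", TAGGED_300)):
        action, vid, _ = trunk_ingress(PORT, frame)
        print(f"{name}: {action} (VLAN {vid})")
```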
2 VLAN Configuration
When configuring VLAN, go to these sections for information you are interested in:
• VLAN Configuration
• Configuring a Port-Based VLAN
VLAN Configuration
VLAN Configuration Task List
Complete the following tasks to configure VLAN:
Task | Remarks
Basic VLAN Configuration | Required
Basic VLAN Interface Configuration | Optional
Displaying VLAN Configuration | Optional
Basic VLAN Configuration
Follow these steps to perform basic VLAN configuration:
To do... | Use the command...
• VLAN 1 is the system default VLAN; it does not need to be created and cannot be removed.
• The VLAN you created in the way described above is a static VLAN. On the switch, there are also dynamic VLANs, which are registered through GVRP. For details, refer to the "GVRP" part of this manual.
• When you use the vlan command to create VLANs, if the destination VLAN is an existing dynamic VLAN, it is converted into a static VLAN and the switch outputs a prompt message.
Enabling or disabling a VLAN's VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN.

Displaying VLAN Configuration

To do... / Use the command... / Remarks
• Display the VLAN interface information: display interface Vlan-interface [ vlan-id ]. Available in any view.
• Display the VLAN information: display vlan [ vlan-id [ to vlan-id ] | all | dynamic | static ]. Available in any view.
Assigning an Ethernet Port to a VLAN

You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view.
• You can assign an access port to a VLAN in either Ethernet port view or VLAN view.
• You can assign a trunk port or hybrid port to a VLAN only in Ethernet port view.
Configuring the Default VLAN for a Port

Because an access port can belong to only one VLAN, its default VLAN is the VLAN it resides in and cannot be configured. This section describes how to configure a default VLAN for a trunk or hybrid port.
Network diagram

Figure 2-1 Network diagram for VLAN configuration (Switch A, Switch B, Server1, Server2, PC1, PC2)

Configuration procedure
• Configure Switch A.
# Create VLAN 100, specify its descriptive string as Dept1, and add GigabitEthernet 1/0/1 to VLAN 100.
system-view
[SwitchA] vlan 100
[SwitchA-vlan100] description Dept1
[SwitchA-vlan100] port GigabitEthernet 1/0/1
[SwitchA-vlan100] quit
• Configure Switch B.
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 200
# Configure GigabitEthernet 1/0/10 of Switch B.
1 IP Addressing Configuration

The term IP address used throughout this chapter refers to the IPv4 address. For details about IPv6 addresses, refer to IPv6 Management.
When configuring IP addressing, go to these sections for information you are interested in:
• IP Addressing Overview
• Configuring IP Addresses
• Displaying IP Addressing Configuration
• IP Address Configuration Examples

IP Addressing Overview

IP Address Classes

On an IP network, a 32-bit address is used to identify a host.
Table 1-1 IP address classes and ranges

Class | Address range | Remarks
A | 0.0.0.0 to 127.255.255.255 | The IP address 0.0.0.0 is used by a host at bootstrap for temporary communication. This address is never a valid destination address. Addresses starting with 127 are reserved for loopback test. Packets destined to these addresses are processed locally as input packets rather than sent to the link.
B | 128.0.0.0 to 191.255.255.255 | —
C | 192.0.0.0 to 223.255.255.255 | —
D | 224.0.0.0 to 239.255.255. |
subnetting. When designing your network, you should note that subnetting is a tradeoff between the number of subnets and the number of hosts each subnet can accommodate. For example, a Class B network can accommodate 65,534 (2^16 – 2) hosts before being subnetted; of the two deducted addresses, the one with an all-ones host ID is the broadcast address and the one with an all-zeros host ID is the network address.
• A newly specified IP address overwrites the previous one, if any.
• The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on the device.
Network diagram

Figure 1-3 Network diagram for IP address configuration

Configuration procedure
# Configure an IP address for VLAN-interface 1.
system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 129.2.2.1 255.255.255.0

Static Domain Name Resolution Configuration Example

Network requirements
The switch uses static domain name resolution to access host 10.1.1.2 through the domain name host.com.
round-trip min/avg/max = 2/3/5 ms
2 IP Performance Optimization Configuration

When optimizing IP performance, go to these sections for information you are interested in:
• IP Performance Overview
• Configuring IP Performance Optimization
• Displaying and Maintaining IP Performance Optimization Configuration

IP Performance Overview

Introduction to IP Performance Configuration

In some network environments, you can adjust the IP parameters to achieve the best network performance.
• synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
• finwait timer: When a TCP connection changes into the FIN_WAIT_2 state, the finwait timer is started. If no FIN packet is received before the timer expires, the TCP connection is terminated. If a FIN packet is received, the TCP connection state changes to TIME_WAIT.
• If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable" ICMP error packet to the source.
• When receiving a packet whose destination is local and whose transport layer protocol is UDP, if the packet's port number does not match any running process, the device sends the source a "port unreachable" ICMP error packet.
To do… / Use the command…
• Display ICMP traffic statistics: display icmp statistics
• Display the current socket information of the system: display ip socket [ socktype sock-type ] [ task-id socket-id ]
• Display the forwarding information base (FIB) entries: display fib
• Display the FIB entries matching the destination IP address: display fib ip_address1 [ { mask1 | mask-length1 } [ ip_address2 { mask2 | mask-length2 } | longer ] | longer ]
• Display the FIB entries filtered through a specific ACL: display fi
1 Voice VLAN Configuration

When configuring voice VLAN, go to these sections for information you are interested in:
• Voice VLAN Overview
• Voice VLAN Configuration
• Displaying and Maintaining Voice VLAN
• Voice VLAN Configuration Example

Voice VLAN Overview

Voice VLANs are allocated specially for voice traffic.
Figure 1-1 Network diagram for IP phones

As shown in Figure 1-1, the IP phone needs to work in conjunction with the DHCP server and the NCP to establish a path for voice data transmission. An IP phone goes through the following three phases to become capable of transmitting voice data.
1) After the IP phone is powered on, it sends an untagged DHCP request message containing four special requests in the Option 184 field besides the request for an IP address.
• An untagged packet carries no VLAN tag.
• A tagged packet carries the tag of a VLAN.
To set an IP address and a voice VLAN for an IP phone manually, just make sure that the voice VLAN ID to be set is consistent with that of the switch and that the NCP is reachable from the IP address to be set.
Configuring Voice VLAN Assignment Mode of a Port

A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode. You can configure the voice VLAN assignment mode for a port according to the data traffic passing through the port.

Processing mode of untagged packets sent by IP voice devices
• Automatic voice VLAN assignment mode.
Table 1-2 Matching relationship between port types and voice devices capable of acquiring IP address and voice VLAN automatically

Voice VLAN assignment mode | Voice traffic type | Port type | Supported or not
Automatic | Tagged voice traffic | Access | Not supported
Automatic | Tagged voice traffic | Trunk | Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
Automatic | Untagged voice traffic | |
Table 1-3 Matching relationship between port types and voice devices acquiring voice VLAN through manual configuration

Voice VLAN assignment mode | Port type | Supported or not
Automatic | Access | Not supported
Automatic | Trunk | Supported. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN.
Voice VLAN Mode / Packet Type / Processing Method
• Packet carrying the voice VLAN tag: If the packet matches the OUI list, the packet is transmitted in the voice VLAN. Otherwise, the packet is dropped.
• Packet carrying any other VLAN tag: The packet is forwarded or dropped based on whether the receiving port is assigned to the carried VLAN. The processing method is irrelevant to the voice VLAN mode (security or normal).
• Untagged packet: The source MAC address of the packet is not checked.
To do… / Use the command… / Remarks
• Set the voice VLAN aging timer: voice vlan aging minutes. Optional. The default aging timer is 1440 minutes.
• Enable the voice VLAN function globally: voice vlan vlan-id enable. Required.
• Enter Ethernet port view: interface interface-type interface-number. Required.
• Enable the voice VLAN function on a port: voice vlan enable. Required. By default, voice VLAN is disabled.
• Enable the voice VLAN legacy function on the port: voice vlan legacy.
To do… / Use the command… / Remarks
• Enable the voice VLAN security mode: voice vlan security enable. Optional. By default, the voice VLAN security mode is enabled.
• Set the voice VLAN aging timer: voice vlan aging minutes. Optional. The default aging timer is 1,440 minutes.
• The voice VLAN function can be enabled for only one VLAN at a time.
• If the Link Aggregation Control Protocol (LACP) is enabled on a port, the voice VLAN feature cannot be enabled on it.
• The voice VLAN function can be enabled only for a static VLAN. A dynamic VLAN cannot be configured as a voice VLAN.
• When the number of ACLs applied to a port reaches its threshold, voice VLAN cannot be enabled on this port. You can use the display voice vlan error-info command to locate such ports.
Voice VLAN Configuration Example

Voice VLAN Configuration Example (Automatic Voice VLAN Assignment Mode)

Network requirements
As shown in Figure 1-2, the MAC address of IP phone A is 0011-1100-0001. The phone connects to a downstream device named PC A whose MAC address is 0022-1100-0002 and to GigabitEthernet 1/0/1 on an upstream device named Device A. The MAC address of IP phone B is 0011-2200-0001.
# Configure the allowed OUI addresses as MAC addresses prefixed by 0011-1100-0000 or 0011-2200-0000. In this way, Device A identifies packets whose MAC addresses match any of the configured OUI addresses as voice packets.
[DeviceA] voice vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
[DeviceA] voice vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B
# Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode. (Optional.
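How the two OUI entries above classify a source MAC, and how the security-mode processing table earlier in this chapter then treats a tagged packet, as an added Python example that is not the switch's code; the OuiList class, the voice VLAN number 2 and the port's VLAN set are assumptions constructed for illustration:

```python
"""Added example, not the switch's own code: parse MAC addresses in the
HHHH-HHHH-HHHH notation used by the voice vlan mac-address command, match a
source MAC against the configured OUI list with its mask, and apply the
security-mode rule for tagged packets from the processing table above.
The OUI entries are the ones configured in this example; the class names,
the voice VLAN number and the port's VLAN set are constructed."""
import re
from typing import List, Optional, Set, Tuple

_MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert 0011-1100-0001 style text to a 48-bit integer, rejecting other forms."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a HHHH-HHHH-HHHH MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


class OuiList:
    """The voice VLAN OUI list: (address & mask, mask, description) entries."""

    def __init__(self) -> None:
        self.entries: List[Tuple[int, int, str]] = []

    def add(self, mac: str, mask: str, description: str = "") -> None:
        m = mac_to_int(mask)
        self.entries.append((mac_to_int(mac) & m, m, description))

    def match(self, src_mac: str) -> Optional[str]:
        """Description of the first OUI entry the source MAC falls under, else None."""
        value = mac_to_int(src_mac)
        for prefix, m, description in self.entries:
            if value & m == prefix:
                return description
        return None


def security_mode_action(oui: OuiList, voice_vlan: int, port_vlans: Set[int],
                         tag_vid: int, src_mac: str) -> str:
    """Decision for a tagged packet on a port whose voice VLAN runs in security mode.

    - tag is the voice VLAN: forwarded only if the source MAC matches the OUI list
    - any other tag: forwarded only if the port is assigned to that VLAN
      (this part does not depend on security/normal mode, as the table notes)"""
    if tag_vid == voice_vlan:
        if oui.match(src_mac):
            return "forward in voice VLAN"
        return "drop: source MAC not in OUI list"
    return "forward" if tag_vid in port_vlans else "drop: port not in VLAN"


# The two OUI entries from the configuration above (mask ffff-ff00-0000 keeps 24 bits).
OUI = OuiList()
OUI.add("0011-1100-0001", "ffff-ff00-0000", "IP phone A")
OUI.add("0011-2200-0001", "ffff-ff00-0000", "IP phone B")

VOICE_VLAN = 2          # constructed: the voice VLAN number used in this example
PORT_VLANS = {1, 2}     # constructed: VLANs the receiving port is assigned to

if __name__ == "__main__":
    print(OUI.match("0011-1100-00ff"))   # IP phone A
    print(OUI.match("0022-1100-0002"))   # None (PC A is not a phone)
    print(security_mode_action(OUI, VOICE_VLAN, PORT_VLANS, 2, "0022-1100-0002"))
```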
Voice VLAN Configuration Example (Manual Voice VLAN Assignment Mode)

Network requirements
Create a voice VLAN and configure it to operate in manual voice VLAN assignment mode. Add the port to which an IP phone is connected to the voice VLAN so that voice traffic is transmitted within the voice VLAN.
• Create VLAN 2 and configure it as a voice VLAN. Set the voice VLAN to operate in security mode.
• The IP phone sends untagged packets. It is connected to Ethernet 1/0/1, a hybrid port.
[DeviceA-Ethernet1/0/1] port hybrid pvid vlan 2
[DeviceA-Ethernet1/0/1] port hybrid vlan 2 untagged
# Enable the voice VLAN function on Ethernet 1/0/1.
[DeviceA-Ethernet1/0/1] voice vlan enable

Verification
# Display the OUI addresses, the corresponding OUI address masks, and the corresponding description strings that the system supports.
1 Port Basic Configuration

When performing basic port configuration, go to these sections for information you are interested in:
• Ethernet Port Configuration
• Ethernet Port Configuration Example
• Troubleshooting Ethernet Port Configuration

Ethernet Port Configuration

Combo Port Configuration

Introduction to Combo port
A Combo port can operate as either an optical port or an electrical port. Inside the device there is only one forwarding interface.
To do... / Use the command... / Remarks
• Enter system view: system-view. —
• Enter Ethernet port view: interface interface-type interface-number. —
• Enable the Ethernet port: undo shutdown. Optional. By default, the port is enabled. Use the shutdown command to disable the port.
• Set the description string for the Ethernet port: description text. Optional. By default, the description string of an Ethernet port is null.
• Set the duplex mode of the Ethernet port: duplex { auto | full | half }.
Follow these steps to configure auto-negotiation speeds for a port:
To do... / Use the command... / Remarks
• Enter system view: system-view. —
• Enter Ethernet interface view: interface interface-type interface-number. —
• Configure the available auto-negotiation speed(s) for the port: speed auto [ 10 | 100 | 1000 ]*. Optional. By default, the port speed is determined through auto-negotiation. Use the 1000 keyword for Gigabit Ethernet ports only.
To do... / Use the command... / Remarks
• Limit unknown unicast traffic received on the current port: unicast-suppression { ratio | pps max-pps }. Optional. By default, the switch does not suppress unknown unicast traffic.

Enabling Flow Control on a Port

Flow control is enabled on both the local and peer switches. If congestion occurs on the local switch:
• The local switch sends a message to notify the peer switch to stop sending packets to it, or to reduce the sending rate temporarily.
• If you specify a source aggregation group ID, the system uses the port with the smallest port number in the aggregation group as the source.
• If you specify a destination aggregation group ID, the configuration of the source port is copied to all ports in the aggregation group, so that all ports in the group have the same configuration as the source port.

Configuring Loopback Detection for an Ethernet Port

Loopback detection is used to monitor whether a loopback occurs on a switch port.
• To enable loopback detection on a specific port, you must use the loopback-detection enable command in both system view and the specific port view.
• After you use the undo loopback-detection enable command in system view, loopback detection is disabled on all ports.

Enabling Loopback Test

You can configure the Ethernet port to run a loopback test to check whether it operates normally. A port running a loopback test cannot forward data packets normally.
To do... / Use the command... / Remarks
• Enter system view: system-view. —
• Enter Ethernet port view: interface interface-type interface-number. —
• Enable the system to test connected cables: virtual-cable-test. Required.

Configuring the Interval to Perform Statistical Analysis on Port Traffic

By performing the following configuration, you can set the interval at which statistical analysis is performed on the traffic of a port.
The port state change delay takes effect when the port goes down but not when the port goes up.
Follow these steps to set the port state change delay:
To do … / Use the command … / Remarks
• Enter system view: system-view. —
• Enter Ethernet interface view: interface interface-type interface-number. —
• Set the port state change delay: link-delay delay-time. Required. Defaults to 0, which indicates that no delay is introduced. The delay configured in this way does not take effect for ports in DLDP down state.
To do... / Use the command... / Remarks
• Clear port statistics: reset counters interface [ interface-type | interface-type interface-number ]. Available in user view. After 802.1x is enabled on a port, clearing the statistics on the port does not work.

Ethernet Port Configuration Example

Network requirements
• Switch A and Switch B are connected to each other through two trunk ports (Ethernet 1/0/1 on each switch).
• Configure the default VLAN ID of both Ethernet 1/0/1 ports to 100.
Troubleshooting Ethernet Port Configuration

Symptom: Failed to configure the default VLAN ID of an Ethernet port.
Solution: Take the following steps:
• Use the display interface or display port command to check whether the port is a trunk port or a hybrid port.
• If the port is not a trunk or hybrid port, configure it to be a trunk or hybrid port.
• Configure the default VLAN ID of the port.
1 Link Aggregation Configuration

When configuring link aggregation, go to these sections for information you are interested in:
• Overview
• Link Aggregation Classification
• Aggregation Group Categories
• Link Aggregation Configuration
• Displaying and Maintaining Link Aggregation Configuration
• Link Aggregation Configuration Example

Overview

Introduction to Link Aggregation

Link aggregation aggregates multiple physical Ethernet ports into one logical link, also called an aggregation group.
Table 1-1 Consistency considerations for ports in an aggregation

Category | Considerations
STP | State of port-level STP (enabled or disabled); attribute of the link (point-to-point or otherwise) connected to the port; port path cost; STP priority; STP packet format; loop protection; root protection; port type (whether the port is an edge port)
QoS | Rate limiting; priority marking; 802.
In a manual aggregation group, the system sets the ports to selected or unselected state according to the following rules.
• Among the ports in an aggregation group that are in up state, the system selects as the master port the one whose settings rank highest in the following descending order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed.
• There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of selected ports in an aggregation group exceeds the maximum number supported by the device, those with lower port numbers operate as the selected ports, and the others as unselected ports.

Dynamic LACP Aggregation Group

Introduction to dynamic LACP aggregation group
A dynamic LACP aggregation group is automatically created and removed by the system. Users cannot add ports to or remove ports from it.
Aggregation Group Categories

Depending on whether or not load sharing is implemented, aggregation groups can be load-sharing or non-load-sharing aggregation groups. When load sharing is implemented:
• For IP packets, the system implements load sharing based on the source IP address and destination IP address.
• For non-IP packets, the system implements load sharing based on the source MAC address and destination MAC address.
Link Aggregation Configuration

• The commands of link aggregation cannot be configured together with the commands of the port loopback detection feature.
• Ports on which the mac-address max-mac-count command is configured cannot be added to an aggregation group. Conversely, the mac-address max-mac-count command cannot be configured on a port that has already been added to an aggregation group.
• MAC-authentication-enabled ports and 802.1x-enabled ports cannot be added to an aggregation group.
• When you change a dynamic/static group to a manual group, the system automatically disables LACP on the member ports. When you change a dynamic group to a static group, the member ports remain LACP-enabled.
2) When a manual or static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group.
You need to enable LACP on the ports that you want to participate in dynamic aggregation, because only when LACP is enabled on those ports at both ends can the two parties reach agreement on adding ports to, or removing ports from, dynamic aggregation groups. You cannot enable LACP on a port that is already in a manual aggregation group.
If you have saved the current configuration with the save command, after system reboot, the configuration concerning manual and static aggregation groups and their descriptions still exists, but that of dynamic aggregation groups and their descriptions gets lost.
Configuration procedure
The following only lists the configuration on Switch A; you must perform similar configuration on Switch B to implement link aggregation.
1) Adopting manual aggregation mode
# Create manual aggregation group 1.
system-view
[Sysname] link-aggregation group 1 mode manual
# Add Ethernet 1/0/1 through Ethernet 1/0/3 to aggregation group 1.
[Sysname] interface Ethernet1/0/3
[Sysname-Ethernet1/0/3] lacp enable
The three LACP-enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration (such as rate, duplex mode, and so on).
1 Port Isolation Configuration

When configuring port isolation, go to these sections for information you are interested in:
• Port Isolation Overview
• Port Isolation Configuration
• Displaying and Maintaining Port Isolation Configuration
• Port Isolation Configuration Example

Port Isolation Overview

The port isolation feature is used to secure and add privacy to the data traffic and prevent malicious attackers from obtaining user information.
• When a member port of an aggregation group joins or leaves an isolation group, the other ports in the same aggregation group join or leave the isolation group at the same time.
• For ports that belong to an aggregation group and an isolation group simultaneously, removing a port from the aggregation group has no effect on the other ports. That is, the remaining ports stay in both the aggregation group and the isolation group.
Network diagram

Figure 1-1 Network diagram for port isolation configuration

Configuration procedure
# Add Ethernet1/0/2, Ethernet1/0/3, and Ethernet1/0/4 to the isolation group.
system-view
System View: return to User View with Ctrl+Z.
1 Port Security Configuration

When configuring port security, go to these sections for information you are interested in:
• Port Security Overview
• Port Security Configuration Task List
• Displaying and Maintaining Port Security Configuration
• Port Security Configuration Examples

Port Security Overview

Introduction
Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication.
Table 1-1 Description of port security modes

Security mode | Description | Feature
noRestriction | In this mode, access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered.
autolearn | In this mode, a port can learn a specified number of MAC addresses and save those addresses as security MAC addresses. It permits only packets whose source MAC addresses are the security MAC addresses that were learned or configured manually. |
Security mode | Description | Feature
userlogin | In this mode, port-based 802.1x authentication is performed for access users. | In this mode, neither NTK nor intrusion protection will be triggered.
userLoginSecure | MAC-based 802.1x authentication is performed on the access user. The port is enabled only after the authentication succeeds. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802. |
Security mode | Description | Feature
macAddressElseUserLoginSecure | In this mode, a port performs MAC authentication of an access user first. If the authentication succeeds, the user is authenticated. Otherwise, the port performs 802.1x authentication of the user. In this mode, there can be only one 802.1x-authenticated user on the port, but there can be several MAC-authenticated users. |
macAddressElseUserLoginSecureExt | |
macAddressAndUserLoginSecure | |
Task | Remarks
Configuring Security MAC Addresses | Optional

Enabling Port Security

Configuration Prerequisites
Before enabling port security, you need to disable 802.1x and MAC authentication globally.

Enabling Port Security
Follow these steps to enable port security:
To do... / Use the command...
This configuration is different from the maximum number of MAC addresses that can be learned by a port in MAC address management.
Follow these steps to set the maximum number of MAC addresses allowed on a port:
To do... / Use the command...
• Before setting the port security mode to autolearn, you need to set the maximum number of MAC addresses allowed on the port with the port-security max-mac-count command.
• When the port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
• After you set the port security mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.
To do... / Use the command... / Remarks
• Set the timer during which the port remains disabled: port-security timer disableport timer. Optional. 20 seconds by default.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
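The autolearn mode of Table 1-1, the max-mac-count limit of the notes above and the disableport-temporarily timer, modelled as an added Python example that is not the switch's code; the class, its method names, the simulated clock and the rule that an unknown source MAC arriving once the learned count has reached max-mac-count counts as an intrusion are assumptions made for illustration:

```python
"""Added example, not the switch's code: a model of the autolearn port
security mode and the disableport-temporarily intrusion action described
above. The 20-second default and the mac-address security notation come from
the manual; the class, its method names and the simulated clock are
constructed for illustration (assumption: a source MAC that arrives once the
learned count has reached max-mac-count is treated as an intrusion)."""
from dataclasses import dataclass, field
from typing import Set

DISABLEPORT_TIMER_DEFAULT = 20  # seconds; default of port-security timer disableport


@dataclass
class AutolearnPort:
    max_mac_count: int                       # port-security max-mac-count, set before autolearn
    intrusion_mode: str = "disableport-temporarily"
    disableport_timer: int = DISABLEPORT_TIMER_DEFAULT
    security_macs: Set[str] = field(default_factory=set)   # security MACs never age out
    disabled_until: float = 0.0              # simulated clock reading when the port re-enables
    intrusions: int = 0

    def add_security_mac(self, mac: str) -> None:
        """Manual equivalent of mac-address security <mac> vlan <id> (constructed model)."""
        if mac not in self.security_macs and len(self.security_macs) >= self.max_mac_count:
            raise ValueError("max-mac-count reached; the limit cannot be raised in autolearn mode")
        self.security_macs.add(mac)

    def receive(self, src_mac: str, now: float) -> str:
        """Classify one incoming frame by source MAC at simulated time `now`."""
        if now < self.disabled_until:
            return "dropped: port temporarily disabled"
        if src_mac in self.security_macs:
            return "permitted"
        if len(self.security_macs) < self.max_mac_count:
            self.security_macs.add(src_mac)      # learned and saved as a security MAC
            return "learned"
        # Table full and the source MAC is unknown: intrusion protection triggers.
        self.intrusions += 1
        if self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timer
            return f"intrusion: port disabled for {self.disableport_timer} s"
        return "intrusion: frame dropped"


if __name__ == "__main__":
    port = AutolearnPort(max_mac_count=2)
    port.add_security_mac("0001-0002-0003")           # the MAC used in the configuration example
    for mac, t in [("0001-0002-0004", 0), ("0001-0002-0005", 1), ("0001-0002-0003", 5)]:
        print(t, mac, port.receive(mac, t))           # learned / intrusion / dropped
```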
Configuring Security MAC Addresses Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN so that you can bind a MAC address to one port in the same VLAN. Security MAC addresses can be learned by the auto-learn function of port security or manually configured. Before adding security MAC addresses to a port, you must configure the port security mode to autolearn.
Displaying and Maintaining Port Security Configuration

To do... / Use the command...
[Switch-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1
# Configure the port to be silent for 30 seconds after intrusion protection is triggered.
1 DLDP Configuration

When configuring DLDP, go to these sections for information you are interested in:
• Overview
• DLDP Fundamentals
• DLDP Configuration
• DLDP Configuration Example

Overview

Device link detection protocol (DLDP) is a technology for dealing with unidirectional links that may occur in a network. If two switches, A and B, are connected via a pair of optical fiber cables, one used for sending from A to B and the other for sending from B to A, it is a bidirectional link (two-way link).
Figure 1-2 Fiber broken or not connected (Device A GE1/0/49 and GE1/0/50, Device B GE1/0/49 and GE1/0/50, PC)

Device link detection protocol (DLDP) can detect the link status of an optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a unidirectional link, it disables the related port automatically or prompts you to disable it manually, according to the configuration, to avoid network problems.
DLDP packet type | Function
RSY-Advertisement packets (referred to as RSY packets hereafter) | Advertisement packet with the RSY flag set to 1. RSY advertisement packets are sent to request synchronization of the neighbor information when neighbor information is not locally available or a neighbor information entry ages out.
Flush-Advertisement packets (referred to as flush packets hereafter) | Advertisement packet with the flush flag set to 1.
DLDP Status

A link can be in one of these DLDP states: initial, inactive, active, advertisement, probe, disable, and delaydown.

Table 1-2 DLDP status

Status | Description
Initial | Initial status before DLDP is enabled.
Inactive | DLDP is enabled but the corresponding link is down.
Active | DLDP is enabled, and the link is up or a neighbor entry is cleared.
Advertisement | All neighbors communicate normally in both directions, or DLDP has remained in the active state for more than five seconds and enters this status.
Timer | Description
Entry aging timer | When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is enabled. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is updated. In the normal mode, if no packet is received from the neighbor when the entry aging timer expires, DLDP sends an advertisement packet with an RSY tag, and deletes the neighbor entry.
Table 1-4 DLDP operating mode and neighbor entry aging

DLDP operating mode | Detecting a neighbor after the corresponding neighbor entry ages out | Removing the neighbor entry immediately after the Entry timer expires | Triggering the Enhanced timer after an Entry timer expires
Normal mode | No | Yes | No
| | No | Yes (When the enhanced timer expires, the state of the local end is set to unidirectional link, and the neighbor entry is aged out.
Table 1-5 DLDP state and DLDP packet type

DLDP state | Type of the DLDP packets sent
Active | Advertisement packets, with the RSY flag set or not set.
Advertisement | Advertisement packets
Probe | Probe packets

2) A received DLDP packet is processed as follows:
• In authentication mode, the DLDP packet is authenticated and is dropped if it fails the authentication. A packet that passes is further processed, as described in Table 1-6.
Table 1-7 Processing procedure when no echo packet is received from the neighbor
- Condition: in normal mode, no echo packet is received when the echo waiting timer expires; in enhanced mode, no echo packet is received when the enhanced timer expires.
- Processing procedure: DLDP switches to the disable state, outputs log and tracking information, and sends flush packets.
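The neighbor entry aging rules in the tables above, as an added Python model that is not part of the 3Com manual: one entry per neighbor with an Entry aging timer; in normal mode an expired entry triggers an RSY advertisement and is deleted, in enhanced mode the Enhanced timer is started instead and, if no echo arrives before it expires, the port goes to the disable state and sends a flush packet. Timer lengths, neighbor names and the packet records are constructed for the demo.

```python
"""Added example, not from the 3Com manual: a model of the DLDP neighbor
entry aging behaviour described in the tables above. Timer lengths,
neighbor names and the packet records are constructed for this demo."""


class DldpPort:
    def __init__(self, mode="normal", entry_timeout=15.0, enhanced_timeout=5.0):
        if mode not in ("normal", "enhanced"):
            raise ValueError("mode must be 'normal' or 'enhanced'")
        self.mode = mode
        self.entry_timeout = entry_timeout          # Entry aging timer length
        self.enhanced_timeout = enhanced_timeout    # Enhanced timer length
        self.neighbors = {}    # neighbor -> {"expires": t, "enhanced": t or None}
        self.state = "active"  # DLDP enabled, link up, no neighbors yet
        self.sent = []         # (packet type, neighbor) the port would transmit

    def receive_advertisement(self, neighbor, now):
        """A neighbor advertisement creates or refreshes the entry and timer."""
        self.neighbors[neighbor] = {"expires": now + self.entry_timeout,
                                    "enhanced": None}
        if self.state != "disable":
            self.state = "advertisement"

    def receive_echo(self, neighbor, now):
        """An echo before the Enhanced timer expires keeps the entry alive."""
        entry = self.neighbors.get(neighbor)
        if entry is not None:
            entry["expires"] = now + self.entry_timeout
            entry["enhanced"] = None

    def tick(self, now):
        """Fire expired timers; return human-readable events for the log."""
        events = []
        for nb, e in list(self.neighbors.items()):
            if e["enhanced"] is not None:
                if now >= e["enhanced"]:
                    # No echo within the Enhanced timer: unidirectional link
                    del self.neighbors[nb]
                    self.state = "disable"
                    self.sent.append(("flush", nb))
                    events.append(f"{nb}: unidirectional link, entry aged out, flush sent")
            elif now >= e["expires"]:
                if self.mode == "normal":
                    # Normal mode: send an RSY advertisement and drop the entry
                    self.sent.append(("rsy", nb))
                    del self.neighbors[nb]
                    events.append(f"{nb}: entry aged out, RSY advertisement sent")
                else:
                    # Enhanced mode: keep the entry and start the Enhanced timer
                    e["enhanced"] = now + self.enhanced_timeout
                    events.append(f"{nb}: Entry timer expired, Enhanced timer started")
        if not self.neighbors and self.state != "disable":
            self.state = "active"     # a cleared neighbor entry returns to active
        return events


if __name__ == "__main__":
    port = DldpPort("enhanced")
    port.receive_advertisement("SwitchB", 0)
    for t in (15, 20):
        print(t, port.tick(t), port.state)
```

The `tick` method is called with the current time by whatever clock drives the model, so the same object can be stepped through a normal-mode and an enhanced-mode scenario in a few lines.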
DLDP Configuration
Performing Basic DLDP Configuration
Follow these steps to perform basic DLDP configuration:
- Enter system view: system-view
- Enable DLDP on all optical ports of the switch: dldp enable (in system view)
- Enter Ethernet port view: interface interface-type interface-number
- Enable DLDP on the current port (a non-optical port or an optical port): dldp enable
- Set the authentication mode and password: dldp authentication-mode { none | simple simple
- When connecting two DLDP-enabled devices, make sure the software running on them is of the same version. Otherwise, DLDP may operate improperly.
- When you use the dldp enable/dldp disable command in system view to enable/disable DLDP on all optical ports of the switch, the configuration takes effect on the existing optical ports, not on those added subsequently.
- Make sure the authentication mode and password configured on both sides are the same for DLDP to operate properly.
DLDP Configuration Example
Network requirements
As shown in Figure 1-4, Switch A and Switch B are connected through two pairs of fibers. Both of them support DLDP.
- All the ports involved operate in mandatory full duplex mode, with their rates all being 1,000 Mbps.
- Suppose the fibers between Switch A and Switch B are cross-connected. DLDP disconnects the unidirectional links after detecting them. After the fibers are connected correctly, the ports shut down by DLDP are restored.
# Set the DLDP handling mode for unidirectional links to auto.
[SwitchA] dldp unidirectional-shutdown auto
# Display the DLDP state.
[SwitchA] display dldp 1
When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state, and the rest in the inactive state.
1 MAC Address Table Management
When managing the MAC address table, go to these sections for information you are interested in:
- Overview
- MAC Address Table Management
- Displaying MAC Address Table Information
- Configuration Example
This chapter describes the management of static, dynamic, and blackhole MAC address entries. For information about the management of multicast MAC address entries, refer to Multicast Operation.
Generally, the majority of MAC address entries are created and maintained through MAC address learning. The following describes the MAC address learning process of a switch: 1) As shown in Figure 1-1, User A and User B are both in VLAN 1. When User A communicates with User B, the packet from User A comes into the switch on GigabitEthernet 1/0/1.
Figure 1-4 MAC address learning diagram (3) 4) At this time, the MAC address table of the switch includes two forwarding entries shown in Figure 1-5. When forwarding the response packet from User B to User A, the switch sends the response to User A through GigabitEthernet 1/0/1 (technically called unicast), because MAC-A is already in the MAC address table.
- The MAC address aging timer only takes effect on dynamic MAC address entries.
- With the "destination MAC address triggered update function" enabled, when a switch finds a packet with a destination address matching one MAC address entry within the aging time, it updates the entry and restarts the aging timer.
- Enabling Destination MAC Address Triggered Update: optional
Configuring a MAC Address Entry
You can add, modify, or remove a MAC address entry, remove all MAC address entries concerning a specific port, or remove a specific type of MAC address entries (dynamic or static MAC address entries).
Adding a MAC address entry in system view
You can add a MAC address entry in either system view or Ethernet port view.
- When you add a MAC address entry, the current port must belong to the VLAN specified by the vlan argument in the command. Otherwise, the entry will not be added.
- If the VLAN specified by the vlan argument is a dynamic VLAN, it becomes a static VLAN after a static MAC address is added.
Setting the MAC Address Aging Timer
Setting an appropriate MAC address aging timer is important for the switch to run efficiently.
By setting the maximum number of MAC addresses that can be learned from individual ports, the administrator can control the number of the MAC address entries the MAC address table can dynamically maintain. When the number of the MAC address entries learnt from a port reaches the set value, the port stops learning MAC addresses.
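The learning, aging, destination-triggered update and per-port learning limit described in this overview, as an added Python model that is not part of the 3Com manual. Port names, addresses and the timing values are constructed; time is passed in explicitly so that the aging behaviour is deterministic.

```python
"""Added example, not from the 3Com manual: a small model of MAC address
learning with an aging timer, the optional destination-MAC-triggered
update, and a per-port limit on learned addresses. Port names, MAC
addresses and timing values are constructed for this demo."""

from dataclasses import dataclass


@dataclass
class MacEntry:
    port: str
    vlan: int
    updated_at: float         # when the entry was learned or last refreshed
    static: bool = False      # static entries are never aged out


class MacTable:
    def __init__(self, aging_time=300.0, dest_triggered_update=False,
                 max_learned_per_port=None):
        self.aging_time = aging_time
        self.dest_triggered_update = dest_triggered_update
        self.max_learned_per_port = max_learned_per_port   # None: no limit
        self.entries = {}                                   # (vlan, mac) -> MacEntry

    def dynamic_count(self, port):
        return sum(1 for e in self.entries.values()
                   if e.port == port and not e.static)

    def add_static(self, mac, vlan, port):
        self.entries[(vlan, mac)] = MacEntry(port, vlan, 0.0, static=True)

    def age(self, now):
        """Remove dynamic entries whose aging timer has expired."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.updated_at >= self.aging_time]
        for k in expired:
            del self.entries[k]

    def receive(self, src_mac, dst_mac, vlan, in_port, now):
        """Learn the source address, then return where the frame goes:
        the outgoing port name, or "flood" when the destination is unknown."""
        self.age(now)
        key = (vlan, src_mac)
        entry = self.entries.get(key)
        if entry is None:
            # Learn only while the port is below its configured maximum
            if (self.max_learned_per_port is None
                    or self.dynamic_count(in_port) < self.max_learned_per_port):
                self.entries[key] = MacEntry(in_port, vlan, now)
        elif not entry.static:
            entry.port = in_port          # station moved, or timer restart
            entry.updated_at = now
        dst = self.entries.get((vlan, dst_mac))
        if dst is None:
            return "flood"
        if self.dest_triggered_update and not dst.static:
            dst.updated_at = now          # destination match restarts the timer
        return dst.port


if __name__ == "__main__":
    table = MacTable(aging_time=300, dest_triggered_update=True)
    print(table.receive("MAC-A", "MAC-B", 1, "GigabitEthernet1/0/1", 0))
    print(table.receive("MAC-B", "MAC-A", 1, "GigabitEthernet1/0/2", 1))
```

The per-port limit is the defensive part: once a port has learned its configured maximum, further source addresses seen on it are not installed, so a flood of random source addresses on one port cannot push other stations' entries out of the table.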
- Display the aging time of the dynamic MAC address entries in the MAC address table: display mac-address aging-time
- Display the configured start port MAC address: display port-mac
Configuration Examples
Adding a Static MAC Address Entry Manually
Network requirements
The server connects to the switch through GigabitEthernet 1/0/2.
1 Auto Detect Configuration
When configuring the auto detect function, go to these sections for information you are interested in:
- Introduction to the Auto Detect Function
- Auto Detect Configuration
- Auto Detect Configuration Examples
Introduction to the Auto Detect Function
The Auto Detect function uses Internet Control Message Protocol (ICMP) request/reply packets to test network connectivity regularly between the Auto Detect-enabled switch and the detected object.
- Auto Detect Implementation in VLAN Interface Backup: optional
Auto Detect Basic Configuration
Follow these steps to configure the auto detect function:
- Enter system view: system-view
- Create a detected group and enter detected group view: detect-group group-number (required)
- Add an IP address to be detected to the detected group: detect-list list-number ip address ip-address [ nexthop ip-address ] (required)
- Specify a relationship between detected IP add
To avoid such problems, you can configure another route to back up the static route and use the Auto Detect function to judge the validity of the static route. If the static route is valid, packets are forwarded according to the static route, and the other route is standby. If the static route is invalid, packets are forwarded according to the backup route. In this way, the communication is not interrupted, and the network reliability is improved. You can bind the static route with a detected group.
Figure 1-1 Schematic diagram for VLAN interface backup
Using Auto Detect can help implement VLAN interface backup. When data can be transmitted through two VLAN interfaces on the switch to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface. The standby interface is enabled automatically when the active one fails, so as to ensure data transmission.
- On Switch A, configure a static route to Switch C.
- Enable the static route when detected group 8 is reachable.
- To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
Network diagram
Figure 1-2 Network diagram for implementing the auto detect function in static route
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-2. The configuration procedure is omitted.
- Configure Switch A.
Network diagram
Figure 1-3 Network diagram for VLAN interface backup
Configuration procedure
Configure the IP addresses of all the interfaces as shown in Figure 1-3. The configuration procedure is omitted.
# Enter system view.
system-view
# Create auto detected group 10.
[SwitchA] detect-group 10
# Add the IP address 10.1.1.4 to detected group 10 to detect the reachability of the IP address, with the IP address 192.168.1.2 as the next hop, and the detecting number set to 1.
1 MSTP Configuration
Go to these sections for information you are interested in:
- Overview
- MSTP Configuration Task List
- Configuring Root Bridge
- Configuring Leaf Nodes
- Performing mCheck Operation
- Configuring Guard Functions
- Configuring Digest Snooping
- Configuring Rapid Transition
- MSTP Maintenance Configuration
- Enabling Trap Messages Conforming to 802.
In STP, BPDUs come in two types:
- Configuration BPDUs, used to calculate spanning trees and maintain the spanning tree topology.
- Topology change notification (TCN) BPDUs, used to notify concerned devices of network topology changes, if any.
Basic concepts in STP
1) Root bridge
A tree network must have a root; hence the concept of root bridge has been introduced in STP. There is one and only one root bridge in an entire STP-based network at a given time.
Figure 1-1 A schematic diagram of designated bridges and designated ports All the ports on the root bridge are designated ports. 4) Bridge ID A bridge ID consists of eight bytes, where the first two bytes represent the bridge priority of the device, and the latter six bytes represent the MAC address of the device. The default bridge priority of a 3Com switch 4500 is 32768. You can use a command to configure the bridge priority of a device.
6) Port ID A port ID used on a 3Com switch 4500 consists of two bytes, that is, 16 bits, where the first six bits represent the port priority, and the latter ten bits represent the port number. The default priority of all Ethernet ports on 3Com switches 4500 is 128. You can use commands to configure port priorities. For details, see Configuring Port Priority. How STP works STP identifies the network topology by transmitting configuration BPDUs between network devices.
Table 1-2 Selection of the optimum configuration BPDU
Step 1: Upon receiving a configuration BPDU on a port, the device performs the following processing:
- If the received configuration BPDU has a lower priority than that of the configuration BPDU generated by the port, the device discards the received configuration BPDU without doing any processing on the configuration BPDU of this port.
Step 3: The device compares the calculated configuration BPDU with the configuration BPDU on the port whose role is to be determined, and acts as follows based on the comparison result:
- If the calculated configuration BPDU is superior, this port serves as the designated port, and the configuration BPDU on the port is replaced with the calculated configuration BPDU, which is sent out periodically.
- Device B: port BP1, BPDU {1, 0, 1, BP1}; port BP2, BPDU {1, 0, 1, BP2}
- Device C: port CP1, BPDU {2, 0, 2, CP1}; port CP2, BPDU {2, 0, 2, CP2}
Comparison process and result on each device
The following table shows the comparison process and result on each device.
Table 1-5 Comparison process and result on each device
- Device A: port AP1 receives the configuration BPDU of Device B {1, 0, 1, BP1}.
- Device C: port CP1 receives the configuration BPDU of Device A {0, 0, 0, AP2}. Device C finds that the received configuration BPDU is superior to the configuration BPDU of the local port {2, 0, 2, CP1}, and updates the configuration BPDU of CP1. Port CP2 receives the configuration BPDU of port BP2 of Device B {1, 0, 1, BP2} before the message was updated.
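The election walked through above (bridge IDs built from a two-byte priority and a six-byte MAC, BPDUs compared as {root bridge ID, root path cost, designated bridge ID, designated port ID}, and the three steps of Table 1-2 repeated on every device until the roles settle), as an added Python model that is not part of the 3Com manual. Devices A, B and C carry the manual's priorities 0, 1 and 2; their MAC addresses and the link path costs (5 for AP1-BP1, 10 for AP2-CP1, 4 for BP2-CP2) are constructed for the demo, and port IDs are kept as (priority, number) tuples rather than packed bits.

```python
"""Added example, not from the 3Com manual: a synchronous model of the STP
election. MAC addresses and link path costs are constructed for the demo."""


def bridge_id(priority, mac):
    """8-byte bridge ID: 2-byte priority in the high bits, 6-byte MAC below."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("priority must fit in two bytes")
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


class Bridge:
    def __init__(self, name, priority, mac):
        self.name, self.id = name, bridge_id(priority, mac)
        self.ports = {}                       # port name -> state dict
        self.root_id, self.root_cost, self.root_port = self.id, 0, None

    def add_port(self, name, number, path_cost, priority=128):
        pid = (priority, number)              # port ID as (priority, number)
        self.ports[name] = {"pid": pid, "cost": path_cost, "role": "designated",
                            "bpdu": (self.id, 0, self.id, pid)}

    def receive(self, port, bpdu):
        """Step 1: keep a received BPDU only if it beats the one on the port."""
        p = self.ports[port]
        if bpdu < p["bpdu"]:                  # tuple order: smaller is superior
            p["bpdu"] = bpdu

    def recalculate(self):
        """Steps 2 and 3: choose the root port, then decide every other port."""
        before = {n: (p["role"], p["bpdu"]) for n, p in self.ports.items()}
        # Step 2: among BPDUs received from neighbours, find the best root path
        candidates = []
        for name, p in self.ports.items():
            root, cost, dbr, dpt = p["bpdu"]
            if dbr != self.id:                # received, not self-generated
                candidates.append(((root, cost + p["cost"], dbr, dpt), name))
        own = (self.id, 0, self.id, min(p["pid"] for p in self.ports.values()))
        if candidates and min(candidates)[0] < own:
            (self.root_id, self.root_cost, _, _), self.root_port = min(candidates)
        else:
            self.root_id, self.root_cost, self.root_port = self.id, 0, None
        # Step 3: the BPDU this bridge would send on each remaining port
        for name, p in self.ports.items():
            if name == self.root_port:
                p["role"] = "root"
                continue
            calc = (self.root_id, self.root_cost, self.id, p["pid"])
            if p["bpdu"][2] == self.id or calc < p["bpdu"]:
                p["role"], p["bpdu"] = "designated", calc
            else:
                p["role"] = "blocked"         # a superior BPDU arrives here
        return before != {n: (p["role"], p["bpdu"]) for n, p in self.ports.items()}


def run_stp(bridges, links, max_rounds=20):
    """links: (bridge, port, bridge, port) tuples. Returns rounds to converge."""
    both_ways = links + [(b, q, a, p) for (a, p, b, q) in links]
    for rnd in range(1, max_rounds + 1):
        # Only designated ports transmit; root and blocked ports just listen.
        msgs = [(b2, p2, b1.ports[p1]["bpdu"]) for (b1, p1, b2, p2) in both_ways
                if b1.ports[p1]["role"] == "designated"]
        for bridge, port, bpdu in msgs:
            bridge.receive(port, bpdu)
        changed = [bridge.recalculate() for bridge in bridges]
        if not any(changed):
            return rnd
    raise RuntimeError("spanning tree did not converge")


def page_topology():
    """Devices A, B, C with priorities 0, 1, 2; MACs and costs are constructed."""
    a = Bridge("A", 0, "00-e0-fc-00-00-0a")
    b = Bridge("B", 1, "00-e0-fc-00-00-0b")
    c = Bridge("C", 2, "00-e0-fc-00-00-0c")
    a.add_port("AP1", 1, 5);  a.add_port("AP2", 2, 10)
    b.add_port("BP1", 1, 5);  b.add_port("BP2", 2, 4)
    c.add_port("CP1", 1, 10); c.add_port("CP2", 2, 4)
    return [a, b, c], [(a, "AP1", b, "BP1"), (a, "AP2", c, "CP1"), (b, "BP2", c, "CP2")]


def port_roles(bridges):
    return {f"{b.name}.{n}": p["role"] for b in bridges for n, p in b.ports.items()}


if __name__ == "__main__":
    bridges, links = page_topology()
    print("converged after", run_stp(bridges, links), "rounds")
    for port, role in port_roles(bridges).items():
        print(port, role)
```

With the constructed costs, Device C ends up reaching the root through CP2 (cost 4 + 5 = 9) rather than the direct link CP1 (cost 10), so CP1 is blocked; the same comparison explains why a bridge with priority 0 wins the root election regardless of its MAC address.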
Figure 1-3 The final calculated spanning tree
To facilitate description, the spanning tree calculation process in this example is simplified; the actual process is more complicated.
3) The BPDU forwarding mechanism in STP
- Upon network initiation, every switch regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular interval of hello time.
For this reason, the protocol uses a state transition mechanism. Namely, a newly elected root port and the designated ports must go through a period, which is twice the forward delay time, before they transit to the forwarding state. The period allows the new configuration BPDUs to be propagated throughout the entire network.
- Hello time, the interval for sending hello packets. Hello packets are used to check link state.
- MSTP supports mapping VLANs to Multiple Spanning Tree (MST) instances (MSTIs) by means of a VLAN-to-instance mapping table. MSTP introduces instances (each of which integrates multiple VLANs into a set) and can bind multiple VLANs to an instance, thus saving communication overhead and improving resource utilization.
- MSTP divides a switched network into multiple regions, each containing multiple spanning trees that are independent of one another.
2) MSTI A multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure 1-4 contains multiple spanning trees known as MSTIs. Each of these spanning trees corresponds to a VLAN. 3) VLAN-to-instance mapping table A VLAN-to-instance mapping table is maintained for each MST region.
- A region boundary port is located on the boundary of an MST region and is used to connect one MST region to another MST region, an STP-enabled region or an RSTP-enabled region.
- An alternate port is a secondary port of a root port or master port and is used for rapid transition. With the root port or master port being blocked, the alternate port becomes the new root port or master port.
- A backup port is the secondary port of a designated port and is used for rapid transition.
- Forwarding state. Ports in this state can forward user packets and receive/send BPDU packets.
- Learning state. Ports in this state can receive/send BPDU packets but do not forward user packets.
- Discarding state. Ports in this state can only receive BPDU packets.
Port roles and port states are not mutually dependent. Table 1-6 lists possible combinations of port states and port roles.
In addition to the basic MSTP functions, the 3Com Switch 4500 also provides the following functions for users to manage their switches:
- Root bridge hold
- Root bridge backup
- Root guard
- BPDU guard
- Loop guard
- TC-BPDU attack guard
Protocols and Standards
MSTP is documented in:
- IEEE 802.1D: spanning tree protocol
- IEEE 802.1w: rapid spanning tree protocol
- IEEE 802.
- Configuring the Maximum Transmitting Rate on the Current Port: optional; the default value is recommended.
- Configuring the Current Port as an Edge Port: optional
- Setting the Link Type of a Port to P2P: optional
- …: required
To prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing other configurations.
- Configure the name of the MST region: region-name name (required). The default MST region name of a switch is its MAC address.
- Configure the VLAN-to-instance mapping table for the MST region: instance instance-id vlan vlan-list, or vlan-mapping modulo modulo (required). Both commands can be used to configure VLAN-to-instance mapping tables. By default, all VLANs in an MST region are mapped to MSTI 0.
Configuration example
# Configure an MST region named info, with MSTP revision level 1, VLAN 2 through VLAN 10 mapped to MSTI 1, and VLAN 20 through VLAN 30 mapped to MSTI 2.
system-view
[Sysname] stp region-configuration
[Sysname-mst-region] region-name info
[Sysname-mst-region] instance 1 vlan 2 to 10
[Sysname-mst-region] instance 2 vlan 20 to 30
[Sysname-mst-region] revision-level 1
[Sysname-mst-region] active region-configuration
# Verify the above configuration.
Using the stp root primary/stp root secondary command, you can specify the current switch as the root bridge or the secondary root bridge of the MSTI identified by the instance-id argument. If the value of the instance-id argument is set to 0, the stp root primary/stp root secondary commands specify the current switch as the root bridge or the secondary root bridge of the CIST. A switch can play different roles in different MSTIs.
- Set the bridge priority for the current switch: stp [ instance instance-id ] priority priority (required). The default bridge priority of a switch is 32,768.
Once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the bridge priority of the switch cannot be configured any more.
- Enter system view: system-view
- Enter Ethernet port view: interface interface-type interface-number
- Configure how a port recognizes and sends MSTP packets: stp compliance { auto | dot1s | legacy } (required). By default, a port recognizes and sends MSTP packets in the automatic mode. That is, it determines the format of packets to be sent according to the format of the packets received.
system-view
[Sysname] stp mode stp
Configuring the Maximum Hop Count of an MST Region
The maximum hop count configured on the region root is also the maximum hop count of the MST region. The value of the maximum hop count limits the size of the MST region. A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU, and a switch discards configuration BPDUs whose remaining hops are 0.
- Enter system view: system-view
- Configure the network diameter of the switched network: stp bridge-diameter bridgenumber (required). The default network diameter of a network is 7.
The network diameter parameter indicates the size of a network. The bigger the network diameter is, the larger the network size is.
- The forward delay parameter and the network diameter are correlated. Normally, a large network diameter corresponds to a large forward delay. A too small forward delay parameter may result in temporary redundant paths, and a too large forward delay parameter may leave a network unable to resume the normal state in time after changes occur to the network. The default value is recommended.
Configuration procedure
Follow these steps to configure the timeout time factor:
- Enter system view: system-view
- Configure the timeout time factor for the switch: stp timer-factor number (required). The timeout time factor defaults to 3. For a steady network, the timeout time can be five to seven times the hello time.
Configuration example
# Configure the timeout time factor to be 6.
As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time, set it to a proper value to prevent MSTP from occupying too many network resources. The default value is recommended. Configuration example # Set the maximum transmitting rate of Ethernet 1/0/1 to 15.
You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time. This not only enables these ports to turn to the forwarding state rapidly but also secures your network. Configuration example # Configure Ethernet 1/0/1 as an edge port.
- Specify whether the link connected to a port is a point-to-point link: stp point-to-point { force-true | force-false | auto } (required). The auto keyword is adopted by default.
- If you configure the link connected to a port in an aggregation group as a point-to-point link, the configuration will be synchronized to the rest of the ports in the same aggregation group.
- Enter system view: system-view
- Enable MSTP: stp enable (required). MSTP is enabled globally by default.
- Enter Ethernet port view: interface interface-type interface-number
- Disable MSTP on the port: optional. By default, MSTP is enabled on all ports.
To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree calculation, this operation saves CPU resources of the switch.
Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port. For a port on an MSTP-enabled switch, the path cost may be different in different MSTIs. You can enable flows of different VLANs to travel along different physical links by configuring appropriate path costs on ports, so that VLAN-based load balancing can be implemented. Path cost of a port can be determined by the switch or through manual configuration.
When calculating the path cost of an aggregated link, the 802.1D-1998 standard does not take the number of the ports on the aggregated link into account, whereas the 802.1T standard does. The following formula is used to calculate the path cost of an aggregated link: Path cost = 200,000,000 / link transmission rate Where, “link transmission rate” is the sum of the rates of all the unblocked ports on the aggregated link measured in 100 Kbps.
[Sysname] undo stp interface Ethernet 1/0/1 instance 1 cost
[Sysname] stp pathcost-standard dot1d-1998
2) Perform this configuration in Ethernet port view
system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] undo stp instance 1 cost
[Sysname-Ethernet1/0/1] quit
[Sysname] stp pathcost-standard dot1d-1998
Configuring Port Priority
Port priority is an important criterion in determining the root port.
1) Perform this configuration in system view
system-view
[Sysname] stp interface Ethernet 1/0/1 instance 1 port priority 16
2) Perform this configuration in Ethernet port view
system-view
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] stp instance 1 port priority 16
Setting the Link Type of a Port to P2P
Refer to Setting the Link Type of a Port to P2P.
Enabling MSTP
Refer to Enabling MSTP.
- Enter system view: system-view
- Enter Ethernet port view: interface interface-type interface-number
- Perform the mCheck operation: stp mcheck (required)
Configuration Example
# Perform the mCheck operation on Ethernet 1/0/1.
- Enter system view: system-view
- Enable the BPDU guard function: stp bpdu-protection (required). The BPDU guard function is disabled by default.
Configuration example
# Enable the BPDU guard function.
system-view
[Sysname] stp bpdu-protection
As Gigabit ports of a 3Com Switch 4500 cannot be shut down, the BPDU guard function is not applicable to these ports even if you enable the BPDU guard function and specify these ports as MSTP edge ports.
Configuration procedure
Follow these steps to configure the root guard function in system view:
- Enter system view: system-view
- Enable the root guard function on specified ports: stp interface interface-list root-protection (required). The root guard function is disabled by default.
Follow these steps to enable the root guard function in Ethernet port view:
- You are recommended to enable loop guard on the root port and alternate port of a non-root bridge.
- Loop guard, root guard, and edge port settings are mutually exclusive. With one of these functions enabled on a port, neither of the other two can take effect even if you have configured it on the port.
Configuration Prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure loop guard:
maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC-BPDUs in the period, the switch removes the MAC address table and ARP entries only 100 times within the period.
Configuration prerequisites
MSTP runs normally on the switch.
Configuration procedure
Follow these steps to configure the TC-BPDU attack guard function:
- Enter system view
switch, and put them in the BPDUs to be sent to the other manufacturer's switch. In this way, the Switch 4500 can communicate with another manufacturer's switches in the same MST region. The digest snooping function is not applicable to edge ports.
Configuring Digest Snooping
Configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs.
- When the digest snooping feature is enabled on a port, the port state turns to the discarding state. That is, the port will not send BPDU packets. The port is not involved in the STP calculation until it receives BPDU packets from the peer port.
- The digest snooping feature is needed only when your switch is connected to another manufacturer's switches adopting proprietary spanning tree protocols.
Figure 1-6 The RSTP rapid transition mechanism (upstream switch: designated port sends a Proposal for rapid transition, then changes to the forwarding state; downstream switch: root port blocks other non-edge ports, changes to the forwarding state and sends an Agreement to the upstream device)
Figure 1-7 The MSTP rapid transition mechanism (upstream switch: Proposal for rapid transition; downstream switch: root port blocks other non-edge ports, sends an Agreement, and the root port changes to the forwarding state and
Configuring Rapid Transition Configuration prerequisites As shown in Figure 1-8, a 3Com switch 4500 is connected to another manufacturer's switch. The former operates as the downstream switch, and the latter operates as the upstream switch. The network operates normally. The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports. Port 1 is the designated port. The downstream switch is running MSTP.
- The rapid transition feature can be enabled only on root ports or alternate ports.
- If you configure the rapid transition feature on a designated port, the feature does not take effect on the port.
MSTP Maintenance Configuration
Introduction
In a large-scale network with MSTP enabled, there may be many MSTP instances, and so the status of a port may change frequently.
Configuration procedure
Follow these steps to enable trap messages conforming to the 802.1d standard:
- Enter system view: system-view
- Enable trap messages conforming to the 802.1d standard in an instance: stp [ instance instance-id ] dot1d-trap [ newroot | topologychange ] enable (required)
Configuration example
# Enable a switch to send trap messages conforming to the 802.1d standard to the network management device when the switch becomes the root bridge of instance 1.
Network diagram
Figure 1-9 Network diagram for MSTP configuration
The word "permit" shown in Figure 1-9 means the corresponding link permits packets of specific VLANs.
Configuration procedure
1) Configure Switch A
# Enter MST region view.
system-view
[Sysname] stp region-configuration
# Configure the region name, VLAN-to-instance mapping table, and revision level for the MST region.
# Activate the settings of the MST region manually.
[Sysname-mst-region] active region-configuration
# Specify Switch B as the root bridge of MSTI 3.
[Sysname] stp instance 3 root primary
3) Configure Switch C.
# Enter MST region view.
system-view
[Sysname] stp region-configuration
# Configure the MST region.
1 IP Routing Protocol Overview
Go to these sections for information you are interested in:
- Introduction to IP Route and Routing Table
- Routing Protocol Overview
- Displaying and Maintaining a Routing Table
Introduction to IP Route and Routing Table
IP Route
Routers are used for route selection on the Internet. As a router receives a packet, it selects an appropriate route (through a network) according to the destination address of the packet and forwards the packet to the next router.
- Preference: There may be multiple routes with different next hops to the same destination. These routes may be discovered by different routing protocols, or be manually configured static routes. The one with the highest preference (the smallest numerical value) will be selected as the current optimal route.
According to different destinations, routes fall into the following categories:
- Subnet route: The destination is a subnet.
- Host route: The destination is a host.
Routing Protocol Overview
Static Routing and Dynamic Routing
Static routing is easy to configure and requires fewer system resources. It works well in small, stable networks with simple topologies. It cannot adapt itself to any network topology change automatically, so you must perform routing configuration again whenever the network topology changes. Dynamic routing is based on dynamic routing protocols, which can detect network topology changes and recalculate the routes accordingly.
each routing protocol (including static routes) is assigned a priority. The route found by the routing protocol with the highest priority is preferred. The following table lists some routing protocols and the default priorities for routes found by them:
Table 1-1 Routing protocols and priorities of their default route
- DIRECT: 0
- OSPF: 10
- STATIC: 60
- RIP: 100
- OSPF ASE: 150
- OSPF NSSA: 150
- UNKNOWN: 255
- The smaller the priority value, the higher the priority.
routing information. Each routing protocol shares routing information discovered by other routing protocols through a route redistribution mechanism.
2 Static Route Configuration
When configuring a static route, go to these sections for information you are interested in:
• Introduction to Static Route
• Static Route Configuration
• Displaying and Maintaining Static Routes
• Static Route Configuration Example
• Troubleshooting a Static Route
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
Introduction to Static Route
Static Route
Static routes are special routes.
Default Route
To avoid too large a routing table, you can configure a default route. When the destination address of a packet fails to match any entry in the routing table:
• If there is a default route in the routing table, the default route is selected to forward the packet.
• If there is no default route, the packet is discarded and an ICMP Destination Unreachable message (code Network Unreachable) is returned to the source.
1) Perform the following configurations on the switch.
# Approach 1: Configure static routes on Switch A.
system-view
[SwitchA] ip route-static 1.1.3.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.4.0 255.255.255.0 1.1.2.2
[SwitchA] ip route-static 1.1.5.0 255.255.255.0 1.1.2.2
# Approach 2: Configure a single default route on Switch A instead.
system-view
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 1.1.2.2
# Approach 1: Configure static routes on Switch B.
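The two approaches above only give the same forwarding result because of the lookup rules described earlier: longest prefix match first, then the protocol preference from Table 1-1. The following Python model is an added example, not code from the guide; it reproduces Switch A's table for both approaches and shows how a default route (prefix length 0) is chosen only when nothing more specific matches, and how a STATIC route (preference 60) beats a RIP route (preference 100) to the same prefix. The connected subnet 1.1.2.0/24 and the interface names are assumptions.

```python
import ipaddress
from collections import namedtuple

# Default route priorities from Table 1-1 of this guide (smaller value = preferred).
PREFERENCE = {"DIRECT": 0, "OSPF": 10, "STATIC": 60, "RIP": 100,
              "OSPF ASE": 150, "OSPF NSSA": 150, "UNKNOWN": 255}

Route = namedtuple("Route", "network protocol preference nexthop interface")


class RoutingTable:
    """Toy IP routing table: longest prefix match first, then protocol preference."""

    def __init__(self):
        self.routes = []

    def add(self, dest, mask_or_len, protocol, nexthop, interface, preference=None):
        # Accepts the CLI's dotted mask ("255.255.255.0") or a prefix length ("24").
        network = ipaddress.ip_network(f"{dest}/{mask_or_len}", strict=False)
        if preference is None:
            preference = PREFERENCE[protocol]
        self.routes.append(Route(network, protocol, preference, nexthop, interface))

    def lookup(self, dst):
        """Return the Route used to forward to dst, or None (no route, not even a default)."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.network]
        if not matches:
            return None  # the switch would drop the packet and return ICMP unreachable
        longest = max(r.network.prefixlen for r in matches)
        best = [r for r in matches if r.network.prefixlen == longest]
        # Among routes with the same prefix length, the smallest preference value wins.
        return min(best, key=lambda r: r.preference)


def switch_a_approach_1():
    """Switch A from the example above: three static routes (assumed connected subnet 1.1.2.0/24)."""
    rt = RoutingTable()
    rt.add("1.1.2.0", "255.255.255.0", "DIRECT", "1.1.2.1", "Vlan-interface2")  # assumption
    rt.add("1.1.3.0", "255.255.255.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    rt.add("1.1.4.0", "255.255.255.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    rt.add("1.1.5.0", "255.255.255.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    return rt


def switch_a_approach_2():
    """Switch A with a single default route (ip route-static 0.0.0.0 0.0.0.0 1.1.2.2)."""
    rt = RoutingTable()
    rt.add("1.1.2.0", "255.255.255.0", "DIRECT", "1.1.2.1", "Vlan-interface2")  # assumption
    rt.add("0.0.0.0", "0.0.0.0", "STATIC", "1.1.2.2", "Vlan-interface2")
    return rt


if __name__ == "__main__":
    for dst in ("1.1.3.7", "9.9.9.9"):
        for name, rt in (("approach 1", switch_a_approach_1()),
                         ("approach 2", switch_a_approach_2())):
            r = rt.lookup(dst)
            print(name, dst, "->", f"{r.protocol} via {r.nexthop} ({r.network})" if r else "no route")
```

Note the difference the default route makes for a destination outside 1.1.3.0-1.1.5.0/24: approach 1 drops it, approach 2 forwards everything unknown to 1.1.2.2, which is also why a default route must point at a next hop you trust to filter.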
3 RIP Configuration
When configuring RIP, go to these sections for information you are interested in:
• RIP Overview
• RIP Configuration Task List
• RIP Configuration Example
• Troubleshooting RIP Configuration
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
RIP Overview
Routing Information Protocol (RIP) is a simple interior gateway protocol (IGP) suitable for small-sized networks.
• Interface: Outbound interface on this router, through which IP packets should be forwarded to reach the destination.
• Metric: Cost from the local router to the destination.
• Route time: Time elapsed since the routing entry was last updated. The time is reset to 0 every time the routing entry is updated.
RIP timers
As defined in RFC 1058, RIP is controlled by three timers: Period update, Timeout, and Garbage-collection.
Task                                                                        Remarks
Configuring Basic RIP Functions
  Enabling RIP on the interfaces attached to a specified network segment    Required
  Setting the RIP operating status on an interface                          Optional
  Specifying the RIP version on an interface                                Optional
Configuring RIP Route Control
  Setting the additional routing metrics of an interface                    Optional
  Configuring RIP route summarization                                       Optional
  Disabling the router from receiving host routes                           Optional
  Configuring RIP to filte
RIP Network Adjustment and Optimization
• RIP commands configured in interface view take effect only after RIP is enabled.
• RIP operates on the interfaces attached to a specified network segment. When RIP is disabled on an interface, it neither receives nor sends routes on that interface, and it does not advertise the interface's own route. Therefore, after enabling RIP globally, you must also specify its operating network segments to enable it on the corresponding interfaces.
• Set the preference of RIP to change the preference order of routing protocols. This order matters when more than one routing protocol discovers a route to the same destination.
• Redistribute external routes in an environment with multiple routing protocols.
Follow these steps to configure RIP route summarization:
To do...                                      Use the command...   Remarks
Enter system view                             system-view          —
Enter RIP view                                rip                  —
Enable RIP-2 automatic route summarization    summary              Required. Enabled by default.

Disabling the router from receiving host routes
In some special cases, the router can receive a lot of host routes from the same segment; these routes are of little help in route addressing but consume a lot of network resources.
• The filter-policy import command filters the RIP routes received from neighbors; routes filtered out are neither added to the routing table nor advertised to any neighbor.
• The filter-policy export command filters all routes to be advertised, including routes redistributed with the import-route command and routes learned from neighbors.
• You can also use the filter-policy export command to filter only the outgoing routes redistributed from a specified routing protocol.
RIP Network Adjustment and Optimization In some special network environments, some RIP features need to be configured and RIP network performance needs to be adjusted and optimized.
Split horizon cannot be disabled on a point-to-point link.

Configuring RIP-1 packet zero field check
Some fields in a RIP-1 packet must be 0; they are known as must-be-zero fields. Follow these steps to configure RIP-1 packet zero field check:
To do...                                                      Use the command...   Remarks
Enter system view                                             system-view          —
Enter RIP view                                                rip                  —
Enable the check of the must-be-zero fields in RIP-1 packets  checkzero            Required. Enabled by default.
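To see what the checkzero setting actually inspects, the following Python parser is an added example (not code from the guide or the switch) that decodes a RIP-1 packet per RFC 1058 and rejects it when any must-be-zero field is set, exactly the class of packet the switch drops with checkzero enabled. The sample response and its tampered copy are constructed for the example. Note that this is a format sanity check only; RIP-1 carries no authentication, so a well-formed forged update still passes.

```python
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP_ENTRY = struct.Struct("!HH4sIII")    # AFI, must-be-zero, address, must-be-zero x2, metric
RIP_INFINITY = 16
MAX_ENTRIES = 25                         # RFC 1058 limit per packet


class RipFormatError(ValueError):
    pass


def parse_rip1(packet, checkzero=True):
    """Parse a RIP-1 packet. With checkzero=True any non-zero must-be-zero field rejects it."""
    if len(packet) < RIP_HEADER.size or (len(packet) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise RipFormatError("bad packet length %d" % len(packet))
    command, version, mbz = RIP_HEADER.unpack_from(packet, 0)
    if version != 1:
        raise RipFormatError("not a RIP-1 packet (version %d)" % version)
    if command not in (1, 2):                    # 1 = request, 2 = response
        raise RipFormatError("unknown command %d" % command)
    if checkzero and mbz != 0:
        raise RipFormatError("header must-be-zero field is 0x%04x" % mbz)
    entries = []
    for offset in range(RIP_HEADER.size, len(packet), RIP_ENTRY.size):
        afi, mbz1, addr, mbz2, mbz3, metric = RIP_ENTRY.unpack_from(packet, offset)
        if checkzero and (mbz1 or mbz2 or mbz3):
            raise RipFormatError("entry at offset %d has must-be-zero bits set" % offset)
        if not 1 <= metric <= RIP_INFINITY:
            raise RipFormatError("invalid metric %d" % metric)
        entries.append((afi, str(ipaddress.IPv4Address(addr)), metric))
    if len(entries) > MAX_ENTRIES:
        raise RipFormatError("too many entries (%d)" % len(entries))
    return command, entries


def build_rip1_response(routes):
    """Build a RIP-1 response carrying (address, metric) pairs; AFI 2 = IP."""
    body = b"".join(RIP_ENTRY.pack(2, 0, ipaddress.IPv4Address(addr).packed, 0, 0, metric)
                    for addr, metric in routes)
    return RIP_HEADER.pack(2, 1, 0) + body


# Constructed sample: a response advertising two of the subnets used in the RIP example.
SAMPLE_RESPONSE = build_rip1_response([("110.11.2.0", 1), ("155.10.1.0", 2)])

# The same packet with the second entry's first must-be-zero field set, as a malformed
# or crafted sender might emit. Offset: header (4) + entry 0 (20) + AFI (2) = 26.
_tampered = bytearray(SAMPLE_RESPONSE)
_tampered[26] = 0x7F
TAMPERED_RESPONSE = bytes(_tampered)


def accepted_with_checkzero(packet):
    """True if the packet passes the must-be-zero check, False if checkzero would drop it."""
    try:
        parse_rip1(packet, checkzero=True)
        return True
    except RipFormatError:
        return False


if __name__ == "__main__":
    print(parse_rip1(SAMPLE_RESPONSE))
    print("tampered accepted with checkzero:", accepted_with_checkzero(TAMPERED_RESPONSE))
    print("tampered accepted without checkzero:", parse_rip1(TAMPERED_RESPONSE, checkzero=False))
```

With checkzero disabled the tampered packet is still parsed and its routes would be installed; with the default (enabled) it is discarded before any route is considered.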
Configuring RIP to unicast RIP packets
When RIP runs on a link that does not support broadcast or multicast, you must configure RIP to unicast RIP packets. Follow these steps:
To do...                              Use the command...   Remarks
Enter system view                     system-view          —
Enter RIP view                        rip                  —
Configure RIP to unicast RIP packets  peer ip-address      Required

Displaying and Maintaining RIP Configuration
Switch C: Vlan-int1 110.11.2.3/24, Vlan-int4 117.102.0.1/16
Configuration procedure
Only the configuration related to RIP is listed below. Before the following configuration, make sure the Ethernet link layer works normally and the IP addresses of the VLAN interfaces are configured correctly.
1) Configure Switch A:
# Configure RIP.
system-view
[SwitchA] rip
[SwitchA-rip] network 110.11.2.0
[SwitchA-rip] network 155.10.1.0
2) Configure Switch B:
# Configure RIP.
4 IP Route Policy Configuration
When configuring an IP route policy, go to these sections for information you are interested in:
• IP Route Policy Overview
• IP Route Policy Configuration Task List
• Displaying IP Route Policy
• IP Route Policy Configuration Example
• Troubleshooting IP Route Policy
The term router in this chapter refers to a router in a generic sense or an Ethernet switch running a routing protocol.
For ACL configuration, refer to the part discussing ACL. IP-prefix list IP-prefix list plays a role similar to ACL. But it is more flexible than ACL and easier to understand. When IP-prefix list is applied to filter routing information, its matching object is the destination address field in routing information. Moreover, with IP-prefix list, you can use the gateway option to specify that only routing information advertised by certain routers will be received.
• if-match clause: Defines matching rules, that is, the filtering conditions that routing information must satisfy to pass the current route policy node. The matching objects are attributes of the routing information.
• apply clause: Specifies actions, which are the configuration commands executed after a route satisfies the filtering conditions specified by the if-match clauses. Some attributes of the route can thereby be modified.
IP-Prefix Configuration
An IP-prefix list plays a role similar to an ACL, but it is more flexible and easier to understand. When an IP-prefix list is applied to filter routing information, its matching object is the destination address field of the routing information.
Configuration Prerequisites
Before configuring a filter list, prepare the following data:
• IP-prefix list name
• Range of addresses to be matched
Configuring an IP-prefix list
An IP-prefix list is identified by its name.
IP Route Policy Configuration Example Controlling RIP Packet Cost to Implement Dynamic Route Backup Network requirements The required speed of convergence in the small network of a company is not high. The network provides two services. Main and backup links are provided for each service for the purpose of reliability. The main link of one service serves as the backup link of the other. The two services are distinguished by IP addresses.
• For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C.
• For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
• Apply a route policy to control the cost of the routes received by Switch C to provide main and backup links for the services of the OA server and the service server.
Configuration procedure
1) Configure Switch A.
[SwitchC-route-policy] if-match interface Vlan-interface2
[SwitchC-route-policy] if-match ip-prefix 2
[SwitchC-route-policy] apply cost 6
[SwitchC-route-policy] quit
# Create node 30 with the matching mode being permit in the route policy. Define if-match clauses. Apply the cost 6 to routes matching the outgoing interface VLAN-interface 6 and prefix list 1.
2) Display the data forwarding paths when the main link of the OA server between Switch A and Switch C is down.
display ip routing-table
Routing Table: public net
Destination/Mask   Protocol  Pre  Cost  Nexthop    Interface
1.0.0.0/8          RIP       100  6     6.6.6.5    Vlan-interface2
3.0.0.0/8          RIP       100  5     6.6.6.5    Vlan-interface6
6.0.0.0/8          DIRECT    0    0     6.6.6.6    Vlan-interface6
6.6.6.6/32         DIRECT    0    0     127.0.0.1  InLoopBack0
127.0.0.0/8        DIRECT    0    0     127.0.0.1  InLoopBack0
127.0.0.
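The route policy above works as an ordered list of nodes, each with if-match conditions and apply actions, and the ip-prefix lists it references are themselves ordered permit/deny rules with an implicit deny at the end. The following Python model is an added example, not the switch's implementation, that evaluates routes received by Switch C against such a policy: a route is tested against nodes in ascending number order, the first node whose if-match clauses all hold decides (permit applies the actions, deny drops), and a route that matches no node is denied. The node number 20 for the first node, the contents of prefix lists 1 and 2, and the catch-all node 40 are assumptions made to complete the example; only nodes 20/30 with their if-match and apply cost 6 come from the configuration above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PrefixRule:
    """One entry of an ip-prefix list: index, permit|deny, prefix, optional ge/le mask-length bounds."""
    index: int
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: int = None                 # minimum mask length of a matching route (default: exact)
    le: int = None                 # maximum mask length of a matching route (default: exact)

    def matches(self, net):
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.prefix.prefixlen)
        return net.network_address in self.prefix and lo <= net.prefixlen <= hi


def prefix_list_permits(rules, net):
    """First matching rule decides; no match means the list's implicit deny applies."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(net):
            return rule.action == "permit"
    return False


@dataclass
class Node:
    number: int
    action: str                                    # "permit" or "deny"
    if_match: dict = field(default_factory=dict)   # {"interface": ..., "ip-prefix": list-name}
    apply: dict = field(default_factory=dict)      # {"cost": 6}


class RoutePolicy:
    def __init__(self, name, prefix_lists):
        self.name = name
        self.prefix_lists = prefix_lists           # list name -> [PrefixRule]
        self.nodes = []

    def add_node(self, node):
        self.nodes.append(node)
        self.nodes.sort(key=lambda n: n.number)

    def _node_matches(self, node, route):
        for kind, value in node.if_match.items():
            if kind == "interface" and route["interface"] != value:
                return False
            if kind == "ip-prefix" and not prefix_list_permits(self.prefix_lists[value], route["dest"]):
                return False
        return True                                # a node with no if-match clause matches everything

    def evaluate(self, route):
        """Return the (possibly modified) route if the policy permits it, else None."""
        for node in self.nodes:
            if self._node_matches(node, route):
                if node.action == "deny":
                    return None
                out = dict(route)
                out.update(node.apply)             # apply clauses only rewrite attributes
                return out
        return None                                # matched no node: denied


def switch_c_policy():
    """Switch C's policy from the example above; prefix lists and node 40 are assumptions."""
    prefix_lists = {
        "1": [PrefixRule(10, "permit", ipaddress.ip_network("3.0.0.0/8"))],
        "2": [PrefixRule(10, "permit", ipaddress.ip_network("1.0.0.0/8"))],
    }
    policy = RoutePolicy("rip-cost", prefix_lists)
    policy.add_node(Node(20, "permit", {"interface": "Vlan-interface2", "ip-prefix": "2"}, {"cost": 6}))
    policy.add_node(Node(30, "permit", {"interface": "Vlan-interface6", "ip-prefix": "1"}, {"cost": 6}))
    policy.add_node(Node(40, "permit"))            # catch-all: other routes keep their cost
    return policy


def route(dest, interface, cost):
    return {"dest": ipaddress.ip_network(dest), "interface": interface, "cost": cost}


if __name__ == "__main__":
    p = switch_c_policy()
    for r in (route("1.0.0.0/8", "Vlan-interface2", 1), route("1.0.0.0/8", "Vlan-interface6", 1),
              route("3.0.0.0/8", "Vlan-interface6", 1)):
        print(r["dest"], r["interface"], "->", p.evaluate(r))
```

Without the catch-all node 40 every route that fails both specific nodes is silently denied, which is the usual surprise when a policy is applied for cost adjustment only; the test below checks that case explicitly.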
Table of Contents
1 Multicast Overview 1-1
  Multicast Overview 1-1
    Information Transmission in the Unicast Mode 1-1
    Information Transmission in the Broadcast Mode
    Configuring IGMP Snooping 1-17
    Configuring Multicast VLAN 1-18
  Troubleshooting IGMP Snooping 1-21
1 Multicast Overview In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol. Multicast Overview With the development of the Internet, more and more interaction services such as data, voice, and video services are running on the network. In addition, highly bandwidth- and time-critical services, such as e-commerce, Web conferencing, online auctions, video on demand (VoD), and tele-education have come into being.
Assume that Hosts B, D and E need this information. The source server establishes transmission channels for the devices of these users respectively. As the transmitted traffic over the network is in direct proportion to the number of users that receive this information, when a large number of users need the same information, the server must send many packets of information with the same content to the users.
Information Transmission in the Multicast Mode
As described in the previous sections, unicast is suitable for networks with sparsely distributed users, whereas broadcast is suitable for networks with densely distributed users. When the number of users requiring the information is not certain, neither unicast nor broadcast is efficient. Multicast solves this problem.
• All receivers interested in the same information form a multicast group. Multicast groups are not subject to geographic restrictions.
• A router that supports Layer 3 multicast is called a multicast router or Layer 3 multicast device. In addition to providing multicast routing, a multicast router can also manage multicast group members.
For a better understanding of the multicast concept, you can use the analogy of the transmission of TV programs, as shown in Table 1-1.
• Distributive application: Multicast makes multipoint applications possible.
Application of multicast
The multicast technology effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over an IP network, multicast greatly saves network bandwidth and reduces network load.
Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers.
• The membership of a group is dynamic. A host can join and leave a multicast group at any time.
• A multicast group can be either permanent or temporary.
• A multicast group whose addresses are assigned by IANA is a permanent multicast group, also called a reserved multicast group.
Note that:
• The IP addresses of a permanent multicast group remain unchanged, while the members of the group can change.
• There can be any number of members, or even zero members, in a permanent multicast group.
Class D address range       Description
224.0.0.13                  All Protocol Independent Multicast (PIM) routers
224.0.0.14                  Resource Reservation Protocol (RSVP) encapsulation
224.0.0.15                  All core-based tree (CBT) routers
224.0.0.16                  The specified subnetwork bandwidth management (SBM)
224.0.0.17                  All SBMs
224.0.0.18                  Virtual Router Redundancy Protocol (VRRP)
224.0.0.19 to 224.0.0.255   Other protocols

Like having reserved the private network segment 10.0.0.
Multicast Protocols
• Generally, we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols, which include IGMP, PIM, and MSDP; we refer to IP multicast working at the data link layer as Layer 2 multicast and the corresponding multicast protocols as Layer 2 multicast protocols, which include IGMP Snooping.
Among the mature intra-domain multicast routing protocols, Protocol Independent Multicast (PIM) is a popular one. Based on the forwarding mechanism, PIM comes in two modes: dense mode (PIM-DM) and sparse mode (PIM-SM).
• An inter-domain multicast routing protocol is used to deliver multicast information between two ASs. So far, mature solutions include the Multicast Source Discovery Protocol (MSDP).
• In the network, multicast packet transmission is guided by the multicast forwarding table, which is derived from the unicast routing table or from a multicast routing table provided specially for multicast.
• To process the same multicast information from different peers received on different interfaces of the same device, every multicast packet is subject to a Reverse Path Forwarding (RPF) check on the incoming interface.
considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source. Assume that unicast routes exist in the network, as shown in Figure 1-7. Multicast packets travel along the SPT from the multicast source to the receivers.
Figure 1-7 RPF check process (figure labels: Source, Router A, Switch B with Vlan-int1 and Vlan-int2, Receiver, 192.168.0.)
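The RPF check is the multicast equivalent of a source-address sanity check: a packet is accepted only if it arrived on the interface the unicast table would use to reach its source, which both prevents forwarding loops and discards copies injected from the wrong side of the tree. The following Python model is an added example, not the switch's code; it performs the check against a constructed unicast table standing in for Switch B in Figure 1-7. All addresses and interface names are assumptions.

```python
import ipaddress

# Constructed unicast routing table for a switch like Switch B in Figure 1-7:
# (destination, outgoing interface, next hop). Addresses are assumptions.
UNICAST_ROUTES = [
    ("192.168.0.0/24", "Vlan-interface1", "192.168.0.1"),   # toward Router A and the source
    ("10.1.0.0/16",    "Vlan-interface2", "10.1.0.1"),      # toward the receiver side
]


def unicast_lookup(routes, address):
    """Longest-prefix match; returns (interface, nexthop) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for dest, iface, nexthop in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, nexthop)
    return None if best is None else (best[1], best[2])


def rpf_check(routes, source, in_interface):
    """Return (passed, rpf_interface, rpf_neighbor).

    The packet passes only if it arrived on the interface the unicast table would use
    to reach its *source*; anything else is a loop or an injection and is dropped.
    """
    entry = unicast_lookup(routes, source)
    if entry is None:
        return False, None, None          # no route back to the source: drop
    rpf_interface, rpf_neighbor = entry
    return rpf_interface == in_interface, rpf_interface, rpf_neighbor


def forward_multicast(routes, source, in_interface, outgoing_interfaces):
    """Interfaces the packet is replicated to, or [] if it fails the RPF check."""
    passed, rpf_interface, _ = rpf_check(routes, source, in_interface)
    if not passed:
        return []
    return [i for i in outgoing_interfaces if i != rpf_interface]   # never back toward the source


if __name__ == "__main__":
    for src, iface in (("192.168.0.10", "Vlan-interface1"), ("192.168.0.10", "Vlan-interface2"),
                       ("172.16.0.5", "Vlan-interface1")):
        print(src, "on", iface, "->", rpf_check(UNICAST_ROUTES, src, iface))
```

Because the decision depends entirely on the unicast table, a bogus unicast route toward a source (for instance from an unauthenticated RIP update) silently changes which interface passes the RPF check; the earlier RIP checkzero and filter-policy settings are therefore also multicast controls.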
2 Common Multicast Configuration In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
To do...                                        Use the command...                          Remarks
Enter system view                               system-view                                 —
Enter Ethernet port view                        interface interface-type interface-number   —
Configure multicast source port suppression     multicast-source-deny                       Optional. Disabled by default.

Configuring a Multicast MAC Address Entry
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through a Layer 2 multicast protocol.
• If the multicast MAC address entry to be created already exists, the system gives you a prompt.
• To add a port to a multicast MAC address entry created through the mac-address multicast command, you must remove the entry first, create it again, and then add the specified port to the forwarding ports of the entry.
3 IGMP Snooping Configuration
When configuring IGMP snooping, go to these sections for information you are interested in:
• IGMP Snooping Overview
• Configuring IGMP Snooping
• Displaying and Maintaining IGMP Snooping
• IGMP Snooping Configuration Examples
• Troubleshooting IGMP Snooping
In this manual, the term “router” refers to a router in the generic sense or a Layer 3 Ethernet switch running an IP multicast protocol.
Figure 3-1 Before and after IGMP Snooping is enabled on a Layer 2 device (left: multicast packet transmission without IGMP Snooping, the Layer 2 switch floods multicast packets from the source to Host A, Host B and Host C; right: multicast packet transmission when IGMP Snooping runs, only the receivers Host A and Host C get the packets)
Basic Concepts in IGMP Snooping
IGMP Snooping related ports
As shown in Figure 3-2, Router A connects to the multicast source, IGMP Snooping runs on
member ports. The switch records all member ports on the local device in the IGMP Snooping forwarding table.
A switch will not forward an IGMP report through a non-router port for the following reason: due to the IGMP report suppression mechanism, if member hosts of that multicast group still exist under non-router ports, those hosts stop sending reports when they receive the forwarded report, which prevents the switch from knowing whether members of that multicast group are still attached to these ports.
Configuring IGMP Snooping
Complete the following tasks to configure IGMP Snooping:
Task                                                           Remarks
Enabling IGMP Snooping                                         Required
Configuring the Version of IGMP Snooping                       Optional
Configuring Timers                                             Optional
Configuring Fast Leave Processing                              Optional
Configuring a Multicast Group Filter                           Optional
Configuring the Maximum Number of Multicast Groups on a Port   Optional
Configuring IGMP Snooping Querier                              Optional
Suppressing Flooding of Unknown Multicast Traffic in a VLAN    Optional
Configuring Stati
• Although Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN or its corresponding VLAN interface.
• Before enabling IGMP Snooping in a VLAN, be sure to enable IGMP Snooping globally in system view; otherwise the IGMP Snooping settings will not take effect.
• If IGMP Snooping and VLAN VPN are enabled on a VLAN at the same time, IGMP queries are likely to fail to pass through the VLAN.
Configuring Timers
This section describes how to configure the aging timer of the router port, the aging timer of the multicast member ports, and the query response timer. Follow these steps to configure timers:
To do...                                          Use the command...                             Remarks
Enter Ethernet port view                          interface interface-type interface-number      —
Enable fast leave processing for specific VLANs   igmp-snooping fast-leave [ vlan vlan-list ]    Required. Disabled by default.
The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3. Because the port is removed from the group as soon as a leave message arrives, without a group-specific query, enable it only on ports with a single receiver host; on a shared port, one host leaving would cut the stream for the others.
To do...                              Use the command...                                           Remarks
Enter system view                     system-view                                                  —
Enter Ethernet port view              interface interface-type interface-number                    —
Configure a multicast group filter    igmp-snooping group-policy acl-number [ vlan vlan-list ]     Optional. No group filter is configured by default, that is, hosts can join any multicast group.
• A port can belong to multiple VLANs, but you can configure only one ACL rule per VLAN on a port.
• If the referenced ACL contains no rule, all multicast groups are filtered out: the filter fails closed rather than open.
• To prevent bursts of traffic in the network or performance deterioration of the device caused by excessive multicast groups, you can set the maximum number of multicast groups that the switch should process.
• When the number of multicast groups exceeds the configured limit, the switch removes its multicast forwarding entries starting from the oldest one. The multicast packets for the removed group(s) are then flooded in the VLAN as unknown multicast packets, so a limit set too low trades table space for flooding rather than dropping the traffic.
To do...                        Use the command...        Remarks
Enable IGMP Snooping querier    igmp-snooping querier     Required. Disabled by default.

Configuring IGMP query interval
Follow these steps to configure the IGMP query interval:
To do...                              Use the command...                        Remarks
Enter system view                     system-view                               —
Enter VLAN view                       vlan vlan-id                              —
Configure the IGMP query interval     igmp-snooping query-interval seconds      Optional. 60 seconds by default.
• If the function of dropping unknown multicast packets or the XRN fabric function is enabled, you cannot enable unknown multicast flooding suppression.
• Unknown multicast flooding suppression and multicast source port suppression cannot take effect at the same time. If both are enabled, only multicast source port suppression takes effect, and multicast data received on the blocked port is dropped.
Configuring a Static Router Port
In a network where the topology is unlikely to change, you can configure a port on the switch as a static router port, so that the switch has a static connection to a multicast router and receives IGMP messages from that router.
In Ethernet port view
Follow these steps to configure a static router port in Ethernet port view:
Therefore, to ensure that IGMP entries do not age out, the port must receive IGMP general queries periodically. Follow these steps to configure a port as a simulated group member:
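The tasks above (router port learning from queries, member ports from reports, aging timers, fast leave, the group filter ACL, and the maximum-groups limit) all act on one forwarding table. The following Python class is an added example, not the switch's code, that models that table for a single VLAN so the interactions can be seen: a general query marks its ingress port as a router port, a permitted report adds a member port, a frame for a known group goes to member plus router ports, and a frame for an unknown group is flooded (returned as None). The group-policy ACL fails closed when it has no rules, and exceeding the group limit evicts the oldest group, whose traffic then floods. The aging defaults (105 s router port, 260 s member port, 1 s query response) and port names are assumptions.

```python
import ipaddress
from collections import OrderedDict


class IgmpSnooping:
    """Minimal model of a Layer 2 switch's IGMP snooping forwarding table for one VLAN."""

    def __init__(self, group_policy=None, max_groups=None, fast_leave=False,
                 router_aging=105, member_aging=260, query_response=1):
        # Timer defaults are assumptions for this example, not taken from this guide.
        self.group_policy = group_policy      # None, or a list of (action, network) ACL rules
        self.max_groups = max_groups
        self.fast_leave = fast_leave
        self.router_aging = router_aging
        self.member_aging = member_aging
        self.query_response = query_response
        self.router_ports = {}                # port -> expiry time
        self.groups = OrderedDict()           # group -> {port: expiry}; insertion order = age

    def _permitted(self, group):
        if self.group_policy is None:
            return True                       # no filter: hosts can join any group
        for action, net in self.group_policy:
            if group in net:
                return action == "permit"
        return False                          # no matching rule (including an empty ACL): filtered out

    def on_query(self, port, now):
        """An IGMP general query arriving on a port marks it as a dynamic router port."""
        self.router_ports[port] = now + self.router_aging

    def on_report(self, port, group, now):
        """IGMP membership report: returns True if the port was added as a member port."""
        group = ipaddress.ip_address(group)
        if not self._permitted(group):
            return False
        if (group not in self.groups and self.max_groups is not None
                and len(self.groups) >= self.max_groups):
            self.groups.popitem(last=False)   # evict the oldest group; its traffic now floods
        self.groups.setdefault(group, {})[port] = now + self.member_aging
        return True

    def on_leave(self, port, group, now):
        group = ipaddress.ip_address(group)
        members = self.groups.get(group)
        if members is None or port not in members:
            return
        if self.fast_leave:
            del members[port]                 # pruned at once, no group-specific query
        else:
            # Without fast leave the switch sends a group-specific query and keeps the port
            # only if a report comes back within the query response time.
            members[port] = min(members[port], now + self.query_response)
        if not members:
            del self.groups[group]

    def age(self, now):
        """Expire router ports and member ports whose timers have run out."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            self.groups[group] = {p: t for p, t in self.groups[group].items() if t > now}
            if not self.groups[group]:
                del self.groups[group]

    def forward_ports(self, group, in_port):
        """Ports a data frame for `group` is forwarded to; None means 'unknown group: flood the VLAN'."""
        group = ipaddress.ip_address(group)
        if group not in self.groups:
            return None
        ports = set(self.groups[group]) | set(self.router_ports)
        ports.discard(in_port)
        return ports


if __name__ == "__main__":
    acl = [("permit", ipaddress.ip_network("224.1.1.0/24"))]   # constructed group filter
    s = IgmpSnooping(group_policy=acl, max_groups=2, fast_leave=True)
    s.on_query("Eth1/0/1", now=0)                  # Router A's query: Eth1/0/1 is the router port
    s.on_report("Eth1/0/2", "224.1.1.1", now=0)    # Host A joins 224.1.1.1
    print(s.forward_ports("224.1.1.1", "Eth1/0/1"))
    print(s.on_report("Eth1/0/3", "239.1.1.1", now=0), s.forward_ports("239.1.1.1", "Eth1/0/1"))
```

Two details worth noticing in the model: a report for a filtered group leaves no entry behind, so that group's traffic is still flooded as unknown multicast unless unknown-multicast dropping is also configured; and once the router port ages out (no queries for 105 s) frames for known groups are no longer sent toward the router, which is what the static router port configuration above guards against.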
Configuring Multicast VLAN In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VLAN that contains receivers. This is a big waste of network bandwidth. In an IGMP Snooping environment, by configuring a multicast VLAN and adding ports to the multicast VLAN, you can allow users in different VLANs to share the same multicast VLAN.
To do...                                           Use the command...                                  Remarks
Enter Ethernet port view on the Layer 3 switch     interface interface-type interface-number           —
Define the port as a trunk or hybrid port          port link-type { trunk | hybrid }                   Required
Add the port to the VLANs                          port hybrid vlan vlan-list { tagged | untagged }    Required. The multicast VLAN must be included, and if the port is a hybrid port it must be configured to forward tagged packets for the multicast VLAN.
IGMP Snooping Configuration Examples
Configuring IGMP Snooping
Network requirements
To prevent multicast traffic from being flooded at Layer 2, enable IGMP snooping on the Layer 2 switches.
• As shown in Figure 3-3, Router A connects to a multicast source (Source) through Ethernet 1/0/2, and to Switch A through Ethernet 1/0/1.
• Run PIM-DM and IGMP on Router A. Run IGMP snooping on Switch A. Router A acts as the IGMP querier.
• The multicast source sends multicast data to the multicast group 224.1.1.1.
3) Configure Switch A
# Enable IGMP Snooping globally.
system-view
[SwitchA] igmp-snooping enable
Enable IGMP-Snooping ok.
# Create VLAN 100, assign Ethernet 1/0/1 through Ethernet 1/0/4 to this VLAN, and enable IGMP Snooping in the VLAN.
[SwitchA] vlan 100
[SwitchA-vlan100] port Ethernet 1/0/1 to Ethernet 1/0/4
[SwitchA-vlan100] igmp-snooping enable
[SwitchA-vlan100] quit
4) Verify the configuration
# View the detailed information of the multicast group in VLAN 100 on Switch A.
Table 3-2 Network devices and their configurations
Device    Device description    Networking description
Switch A  Layer 3 switch        • The interface IP address of VLAN 20 is 168.10.1.1. Ethernet 1/0/1 is connected to the workstation and belongs to VLAN 20.
                                • The interface IP address of VLAN 10 is 168.10.2.1. Ethernet 1/0/10 belongs to VLAN 10.
                                • Ethernet 1/0/10 is connected to Switch B.
Switch B  Layer 2 switch        • VLAN 2 contains Ethernet 1/0/1 and VLAN 3 contains Ethernet 1/0/2.
Network diagram
Figure 3-4 Network diagram for multicast VLAN configuration (Switch A: Vlan-int20 168.10.1.1 with Eth1/0/1 to the WorkStation, Vlan-int10 168.10.2.1 with Eth1/0/10 to Switch B; Switch B: Eth1/0/10 in VLAN 10, Eth1/0/1 in VLAN 2 to Host A, Eth1/0/2 in VLAN 3 to Host B)
Configuration procedure
The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured.
1) Configure Switch A:
# Set the interface IP address of VLAN 20 to 168.10.1.
# Create VLAN 2, VLAN 3 and VLAN 10, configure VLAN 10 as the multicast VLAN, and then enable IGMP Snooping on it.
[SwitchB] vlan 2 to 3
Please wait.... Done.
[SwitchB] vlan 10
[SwitchB-vlan10] service-type multicast
[SwitchB-vlan10] igmp-snooping enable
[SwitchB-vlan10] quit
# Define Ethernet 1/0/10 as a hybrid port, add the port to VLAN 2, VLAN 3, and V LAN 10, and configure the port to forward tagged packets for VLAN 2, VLAN 3, and VLAN 10.
• If the multicast group set up by IGMP Snooping is not correct, contact your technical support personnel.
Table of Contents
1 802.1x Configuration 1-1
  Introduction to 802.1x 1-1
    Architecture of 802.1x Authentication 1-1
    The Mechanism of an 802.
    Layer 3 Error Control 4-1
  Configuring System Guard 4-1
    Configuring System Guard Against IP Attacks 4-1
    Configuring System Guard Against TCN Attacks
1 802.1x Configuration
When configuring 802.1x, go to these sections for information you are interested in:
• Introduction to 802.1x
• Introduction to 802.1x Configuration
• Basic 802.1x Configuration
• Advanced 802.1x Configuration
• Displaying and Maintaining 802.1x Configuration
• Configuration Example
Introduction to 802.1x
The 802.1x protocol (802.1x for short) was developed by the IEEE 802 LAN/WAN committee to address security issues of wireless LANs.
Figure 1-1 Architecture of 802.1x authentication
• The supplicant system is the entity seeking access to the LAN. It resides at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment. The supplicant system is usually a user terminal device. An 802.1x authentication is triggered when a user launches an 802.1x-capable client program on the supplicant system.
• The controlled port can pass service packets when it is in the authorized state. It is blocked when not in the authorized state, and no packets can pass through it.
• The controlled port and the uncontrolled port are two properties of a port. Packets reaching a port are visible to both the controlled port and the uncontrolled port of the port.
Figure 1-3 The format of an EAPoL packet
In an EAPoL packet:
• The PAE Ethernet type field holds the protocol identifier. The identifier for 802.1x is 0x888E.
• The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet.
• The Type field can be one of the following:
  00: Indicates that the packet is an EAP-Packet, which carries authentication information.
  01: Indicates that the packet is an EAPoL-Start packet, which initiates the authentication.
• The Length field indicates the size of the EAP packet, which includes the Code, Identifier, Length, and Data fields.
• The Data field carries the EAP payload, whose format differs with the Code field.
• A Success or Failure packet does not contain the Data field, so its Length field is 4.
Figure 1-5 shows the format of the Data field of a Request packet or a Response packet.
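The EAPoL and EAP headers described above are small enough to decode by hand, and doing so shows which fields an authenticator has to validate before trusting a frame: the Ethernet type, the EAPoL Length (which bounds the body regardless of Ethernet padding), and the EAP Length and Code (a Success or Failure with Length other than 4 is malformed). The following Python parser and the frame builders used to construct its sample frames are an added example, not code from the guide; the EAPOL-Logoff/Key type values and the Identity and MD5-Challenge EAP type numbers come from the 802.1X and EAP standards, and the source MAC address is a constructed value.

```python
import struct

ETH_P_PAE = 0x888E
PAE_GROUP_ADDRESS = bytes.fromhex("0180c2000003")   # 802.1X PAE group MAC (destination of EAPoL)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

ETH_HDR = struct.Struct("!6s6sH")    # dst, src, Ethernet type
EAPOL_HDR = struct.Struct("!BBH")    # protocol version, type, length
EAP_HDR = struct.Struct("!BBH")      # code, identifier, length


class FrameError(ValueError):
    pass


def parse_eap(pkt):
    """Decode one EAP packet (the EAPoL body when Type == 0)."""
    if len(pkt) < EAP_HDR.size:
        raise FrameError("EAP header truncated")
    code, ident, length = EAP_HDR.unpack_from(pkt, 0)
    if length < EAP_HDR.size or length > len(pkt):
        raise FrameError("EAP Length %d inconsistent with %d bytes" % (length, len(pkt)))
    eap = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (3, 4):                               # Success / Failure carry no Data field
        if length != EAP_HDR.size:
            raise FrameError("Success/Failure must have Length 4")
        return eap
    data = pkt[EAP_HDR.size:length]
    if not data:
        raise FrameError("Request/Response needs a Type byte")
    eap["type"] = EAP_TYPES.get(data[0], data[0])
    eap["type_data"] = data[1:]
    if data[0] == 4:                                 # MD5-Challenge: Value-Size, Value, Name
        if len(data) < 2 or len(data) < 2 + data[1]:
            raise FrameError("MD5-Challenge value truncated")
        size = data[1]
        eap["challenge"] = data[2:2 + size]
        eap["name"] = data[2 + size:]
    return eap


def parse_eapol_frame(frame):
    """Decode an Ethernet frame carrying EAPoL; raises FrameError on anything malformed."""
    if len(frame) < ETH_HDR.size + EAPOL_HDR.size:
        raise FrameError("frame too short")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_PAE:
        raise FrameError("not an EAPoL frame (Ethernet type 0x%04x)" % ethertype)
    version, ptype, length = EAPOL_HDR.unpack_from(frame, ETH_HDR.size)
    start = ETH_HDR.size + EAPOL_HDR.size
    body = frame[start:start + length]               # Length, not frame size, bounds the body
    if len(body) < length:
        raise FrameError("EAPoL body truncated")
    out = {"src": src.hex(":"), "version": version, "type": EAPOL_TYPES.get(ptype, ptype)}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def build_eap(code, ident, eap_type=None, type_data=b""):
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return EAP_HDR.pack(code, ident, EAP_HDR.size + len(data)) + data


def build_eapol_frame(ptype, body=b"", src=bytes.fromhex("0011223344aa"), dst=PAE_GROUP_ADDRESS):
    frame = ETH_HDR.pack(dst, src, ETH_P_PAE) + EAPOL_HDR.pack(1, ptype, len(body)) + body
    return frame.ljust(60, b"\x00")                  # minimum Ethernet frame size padding


# Constructed sample frames for the exchange described in this chapter.
START_FRAME = build_eapol_frame(1)
IDENTITY_REQUEST = build_eapol_frame(0, build_eap(1, 1, 1))
MD5_REQUEST = build_eapol_frame(0, build_eap(1, 2, 4, bytes([16]) + bytes(range(16)) + b"switch"))

if __name__ == "__main__":
    for f in (START_FRAME, IDENTITY_REQUEST, MD5_REQUEST):
        print(parse_eapol_frame(f))
```

The padding added by build_eapol_frame is the reason the parser trusts the EAPoL Length field and not the frame length: real 60-byte frames carry trailing zeros after a short EAP packet, and a decoder that reads to the end of the frame will misparse them.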
EAP relay mode
This mode is defined in 802.1x. In this mode, EAP packets are encapsulated in a higher-level protocol (EAP over RADIUS, EAPoR) so that they reach the authentication server unchanged. This mode requires the RADIUS server to support two attributes: EAP-Message (type 79) and Message-Authenticator (type 80).
Figure 1-8 802.
feedbacks (through a RADIUS Access-Accept packet and an EAP-Success packet) to the switch to indicate that the supplicant system is authenticated.
• The switch changes the state of the corresponding port to the accepted (authorized) state to allow the supplicant system to access the network.
• The supplicant system can also terminate the authenticated state by sending EAPoL-Logoff packets to the switch. The switch then changes the port state from accepted to rejected.
Figure 1-9 802.1x authentication procedure (in EAP terminating mode)
Participants: supplicant system PAE, authenticator system PAE (the switch) and the RADIUS server. EAPoL runs between the supplicant and the switch; RADIUS runs between the switch and the server.
1. Supplicant to switch: EAPoL-Start
2. Switch to supplicant: EAP-Request/Identity
3. Supplicant to switch: EAP-Response/Identity
4. Switch to supplicant: EAP-Request/MD5 Challenge
5. Supplicant to switch: EAP-Response/MD5 Challenge
6. Switch to RADIUS server: RADIUS Access-Request (CHAP-Response/MD5 Challenge)
7. RADIUS server to switch: RADIUS Access-Accept (CHAP-Success)
8. Switch to supplicant: EAP-Success; port authorized
9. On each expiry of the handshake timer: switch to supplicant, handshake request [EAP-Request/Identity]; supplicant to switch, handshake response [EAP-Response/Identity]
......
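In EAP terminating mode the switch does not relay EAP; it extracts the challenge and the supplicant's MD5 response from steps 4 and 5 and re-expresses them as CHAP attributes in the Access-Request of step 6. The following Python model is an added example, not code from the guide or the switch, showing both sides of that computation as the standards define it: EAP-MD5 (RFC 3748) reuses the CHAP algorithm (RFC 1994), Response = MD5(Identifier || password || challenge), and the RADIUS server recomputes it from the stored clear-text password using the CHAP-Password (type 3) and CHAP-Challenge (type 60) attributes of RFC 2865. The user database, names and challenge bytes are constructed for the example.

```python
import hashlib
import hmac
import os

# RADIUS attribute types the switch fills when it terminates EAP and relays CHAP (RFC 2865).
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def md5_challenge_response(ident, password, challenge):
    """EAP-MD5 / CHAP response: MD5(Identifier || secret || challenge) (RFC 1994 section 4.1)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def switch_terminate(username, ident, challenge, response):
    """Step 6: what the authenticator puts in the RADIUS Access-Request in EAP terminating mode."""
    return {
        ATTR_USER_NAME: username,
        ATTR_CHAP_CHALLENGE: challenge,
        ATTR_CHAP_PASSWORD: bytes([ident]) + response,   # CHAP Ident byte then the 16-byte digest
    }


def radius_verify(access_request, user_db):
    """Step 7: the RADIUS server recomputes the digest from the stored clear-text password."""
    password = user_db.get(access_request[ATTR_USER_NAME])
    if password is None:
        return "Access-Reject"
    chap = access_request[ATTR_CHAP_PASSWORD]
    ident, response = chap[0], chap[1:]
    expected = md5_challenge_response(ident, password, access_request[ATTR_CHAP_CHALLENGE])
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"


def run_exchange(username, supplicant_password, user_db, challenge=None, ident=2):
    """Steps 4 to 7 of Figure 1-9: challenge, supplicant response, Access-Request, Accept/Reject."""
    challenge = os.urandom(16) if challenge is None else challenge   # switch picks a fresh challenge
    response = md5_challenge_response(ident, supplicant_password, challenge)
    request = switch_terminate(username, ident, challenge, response)
    return radius_verify(request, user_db)


if __name__ == "__main__":
    user_db = {"alice": b"s3cret"}                       # constructed RADIUS user database
    print(run_exchange("alice", b"s3cret", user_db))
    print(run_exchange("alice", b"wrong", user_db))
```

Two properties follow directly from the computation and matter when choosing between the two modes: the server must hold the clear-text password to verify a CHAP response, and anyone who captures the EAPoL exchange on the LAN segment has the challenge and digest needed for an offline dictionary attack on that password. A fresh challenge per attempt stops replay, as the test shows, but not guessing.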
• Re-authentication timer (reauth-period). The switch initiates 802.1x re-authentication at the interval set by the re-authentication timer.
• RADIUS server timer (server-timeout). This timer sets the server-timeout period. After sending an authentication request packet to the RADIUS server, the switch sends another authentication request packet if it has not received a response from the RADIUS server when this timer expires.
• Supplicant system timer (supp-timeout).
• Only disconnects the supplicant system but sends no Trap packets.
• Sends Trap packets without disconnecting the supplicant system.
This function needs the cooperation of the 802.1x client and a CAMS server:
• The 802.1x client needs to be capable of detecting multiple network adapters, proxies, and IE proxies.
• The CAMS server is configured to disable the use of multiple network adapters, proxies, or IE proxies.
By default, an 802.
• After the maximum number of retries has been made and there are still ports that have not sent any response back, the switch adds these ports to the guest VLAN.
• Users belonging to the guest VLAN can access the resources of the guest VLAN without being authenticated, but they need to be authenticated when accessing external resources.
Normally, the guest VLAN function is coupled with the dynamic VLAN delivery function.
• The RADIUS server has the switch perform 802.1x re-authentication of users. The RADIUS server sends the switch an Access-Accept packet whose Termination-Action attribute is set to 1 (RADIUS-Request). Upon receiving the packet, the switch re-authenticates the user periodically.
• You enable 802.1x re-authentication on the switch. With 802.1x re-authentication enabled, the switch re-authenticates users periodically.
802.
Basic 802.1x Configuration
Configuration Prerequisites
• Configure the ISP domain and the AAA scheme to be adopted. You can specify a RADIUS scheme or a local scheme.
• Ensure that the service type is configured as lan-access (by using the service-type command) if the local authentication scheme is adopted.
Configuring Basic 802.1x Functions
Follow these steps to configure basic 802.1x functions:
To do…                    Use the command…    Remarks
Enter system view         system-view         —
Enable 802.1x globally                        Required
Enable 802.
- Enable online user handshaking: dot1x handshake enable (Remarks: Optional. By default, online user handshaking is enabled.)

- 802.1x configurations take effect only after you enable 802.1x both globally and for the specified ports.
- The settings of 802.1x and the MAC address learning limit are mutually exclusive. Enabling 802.1x on a port prevents you from setting the MAC address learning limit on the port, and vice versa.
- The settings of 802.
- Set 802.1x timers: dot1x timer { handshake-period handshake-period-value | quiet-period quiet-period-value | server-timeout server-timeout-value | supp-timeout supp-timeout-value | tx-period tx-period-value | ver-period ver-period-value } (Remarks: Optional)
- Enable the quiet-period timer (Remarks: Optional)
The settings of 802.1x timers are as follows.
- Enable the proxy checking function globally: dot1x supp-proxy-check { logoff | trap } (Remarks: Required. By default, the 802.1x proxy checking function is globally disabled.)
- Enable proxy checking for a port or specified ports, in system view: dot1x supp-proxy-check { logoff | trap } [ interface interface-list ] (Remarks: Required. By default, 802.1x proxy checking is disabled on a port.)
- Enable proxy checking for a port, in port view: interface interface-type interface-number, then dot1x supp-proxy-check { logoff | trap } (Remarks: Required. By default, 802.1x proxy checking is disabled on a port.)
As for the dot1x version-user command, if you execute it in system view without specifying the interface-list argument, the command applies to all ports. You can also execute this command in port view. In this case, the command applies to the current port only and the interface-list argument is not needed.

Enabling DHCP-triggered Authentication
After performing the following configuration, 802.
- The guest VLAN function is available only when the switch operates in port-based access control mode.
- Only one guest VLAN can be configured for each switch.
- The guest VLAN function cannot be implemented if you configure the dot1x dhcp-launch command on the switch to enable DHCP-triggered authentication, because the switch does not send authentication packets in that case.

Configuring 802.1x Re-Authentication
Follow these steps to enable 802.1x re-authentication:
To do...
During re-authentication, the switch always uses the latest re-authentication interval configured, no matter which of the above-mentioned two ways is used to determine the re-authentication interval. For example, if you configure a re-authentication interval on the switch and the switch receives an Access-Accept packet whose Termination-Action attribute field is 1, the switch will ultimately use the value of the Session-timeout attribute field as the re-authentication interval.
a real-time accounting packet to the RADIUS servers once every 15 minutes. A user name is sent to the RADIUS servers with the domain name truncated.
- The user name and password for local 802.1x authentication are "localuser" and "localpass" (in plain text) respectively. The idle disconnecting function is enabled.

Network diagram
Figure 1-12 Network diagram for AAA configuration with 802.
[Sysname-radius-radius1] secondary authentication 10.11.1.2
[Sysname-radius-radius1] secondary accounting 10.11.1.1
# Set the password for the switch and the authentication RADIUS servers to exchange messages.
[Sysname-radius-radius1] key authentication name
# Set the password for the switch and the accounting RADIUS servers to exchange messages.
[Sysname-radius-radius1] key accounting money
# Set the interval and the number of retries for the switch to send packets to the RADIUS servers.
2 Quick EAD Deployment Configuration

When configuring quick EAD deployment, go to these sections for information you are interested in:
- Introduction to Quick EAD Deployment
- Configuring Quick EAD Deployment
- Displaying and Maintaining Quick EAD Deployment
- Quick EAD Deployment Configuration Example
- Troubleshooting

Introduction to Quick EAD Deployment
Quick EAD Deployment Overview
As an integrated solution, an Endpoint Admission Defense (EAD) solution can improve the overall defense power o
Configuring Quick EAD Deployment

Configuration Prerequisites
- Enable 802.1x on the switch.
- Set the port authorization mode to auto for 802.1x-enabled ports using the dot1x port-control command.

Configuration Procedure
Configuring a free IP range
A free IP range is an IP range that users can access before passing 802.1x authentication. Follow these steps to configure a free IP range:
To do... Use the command...
large number of users log in but cannot pass authentication, the switch may run out of ACL resources, preventing other users from logging in. A timer called ACL timer is designed to solve this problem. You can control the usage of ACL resources by setting the ACL timer. The ACL timer starts once a user gets online. If the user has not passed authentication when the ACL timer expires, the occupied ACL resources are released for other users to use.
Configuration procedure
Before enabling quick EAD deployment, make sure that:
- The Web server is configured properly.
- The default gateway of the PC is configured as the IP address of the Layer-3 virtual interface of the VLAN to which the port directly connected to the PC belongs.
# Configure the URL for HTTP redirection.
system-view
[Sysname] dot1x url http://192.168.0.111
# Configure a free IP range.
[Sysname] dot1x free-ip 192.168.0.
3 HABP Configuration

When configuring HABP, go to these sections for information you are interested in:
- Introduction to HABP
- HABP Server Configuration
- HABP Client Configuration
- Displaying and Maintaining HABP Configuration

Introduction to HABP
When a switch is configured with the 802.1x function, 802.1x authenticates and authorizes 802.1x-enabled ports and allows only the authorized ports to forward packets. In case a port fails 802.
- Configure the current switch to be an HABP server: habp server vlan vlan-id (Remarks: Required. By default, a switch operates as an HABP client after you enable HABP on the switch. If you want to use the switch as a management switch, you need to configure the switch to be an HABP server.)
- Configure the interval to send HABP request packets: habp timer interval (Remarks: Optional. The default interval for an HABP server to send HABP request packets is 20 seconds.)
4 System Guard Configuration

When configuring System Guard, go to these sections for information you are interested in:
- System Guard Overview
- Configuring System Guard
- Displaying and Maintaining System Guard Configuration

System Guard Overview
Guard Against IP Attacks
System Guard inspects the IP packets delivered to the CPU over 10-second intervals, looking for suspicious source IP addresses.
Enabling Layer 3 Error Control
Follow these steps to enable Layer 3 error control:
- Enter system view: system-view (Remarks: —)
- Enable Layer 3 error control: system-guard l3err enable (Remarks: Required. Enabled by default.)

Displaying and Maintaining System Guard Configuration
To do... Use the command...
Table of Contents
1 AAA Overview 1-1
  Introduction to AAA 1-1
    Authentication 1-1
    Authorization
1 AAA Overview

Introduction to AAA
AAA is the acronym for the three security functions: authentication, authorization and accounting. It provides a uniform framework for you to configure these three functions to implement network security management.
- Authentication: defines which users can access the network.
- Authorization: defines which services are available to the users who can access the network.
- Accounting: defines how to charge the users who are using network resources.
Introduction to ISP Domain An Internet service provider (ISP) domain is a group of users who belong to the same ISP. For a username in the format of userid@isp-name or userid.isp-name, the isp-name following the "@" character is the ISP domain name. The access device uses userid as the username for authentication, and isp-name as the domain name. In a multi-ISP environment, the users connected to the same access device may belong to different domains.
Figure 1-1 Databases in a RADIUS server
In addition, a RADIUS server can act as a client of some other AAA server to provide authentication or accounting proxy service.

Basic message exchange procedure in RADIUS
The messages exchanged between a RADIUS client (a switch, for example) and a RADIUS server are verified through a shared key. This enhances the security.
4) The RADIUS client accepts or denies the user depending on the received authentication result. If it accepts the user, the RADIUS client sends a start-accounting request (Accounting-Request, with the Status-Type attribute value = start) to the RADIUS server.
5) The RADIUS server returns a start-accounting response (Accounting-Response).
6) The user starts to access network resources.
Code  Message type        Message description
4     Accounting-Request  Direction: client->server. The client transmits this message to the server to request the server to start or end the accounting (whether to start or to end the accounting is determined by the Acct-Status-Type attribute in the message). This message carries almost the same attributes as those carried in the Access-Request message.
Direction: server->client.
Type field value  Attribute type
10     Framed-Routing
11     Filter-ID
12     Framed-MTU
13     Framed-Compression
14     Login-IP-Host
15     Login-Service
16     Login-TCP-Port
17     (unassigned)
18     Reply-Message
19     Callback-Number
32     NAS-Identifier
33     Proxy-State
34     Login-LAT-Service
35     Login-LAT-Node
36     Login-LAT-Group
37     Framed-AppleTalk-Link
38     Framed-AppleTalk-Network
39     Framed-AppleTalk-Zone
40-59  (reserved for accounting)
60     CHAP-Challenge
20     Callback-I
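The shared-key verification described under "Basic message exchange procedure in RADIUS", the start-accounting request of step 4, and the Termination-Action/Session-Timeout handling from the 802.1x re-authentication section, as an added worked example in Python. This is not code from the manual or from 3Com; it builds and parses RADIUS packets in the Code/Identifier/Length/Authenticator/Attributes layout and recomputes the Response Authenticator with the shared key, which is the check a RADIUS client must pass before it trusts an Access-Accept. The packet codes and attribute types 1, 4 and 18 are from the tables above; attribute types 27 (Session-Timeout), 29 (Termination-Action) and 40 (Acct-Status-Type) are taken from RFC 2865/2866, not from this page. The key aabbcc and user name telnet come from the Telnet example later on the page; the NAS address and timeouts in demo() are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from the code table above (RFC 2865/2866).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
# Attribute types: 1, 4 and 18 are in the table above; 27, 29 and 40 are
# taken from RFC 2865/2866 (the page's table stops before them).
USER_NAME, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 4, 18
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
ACCT_STATUS_TYPE, ACCT_START = 40, 1
TERMINATION_ACTION_RADIUS_REQUEST = 1


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = bytearray()
    for t, v in attrs:
        if isinstance(v, int):
            v = struct.pack("!I", v)
        if not 1 <= len(v) <= 253:
            raise ValueError("attribute value length out of range")
        out += bytes([t, len(v) + 2]) + v
    return bytes(out)


def decode_attrs(data):
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, attrs, secret, request_auth=None):
    """Fill the 16-byte Authenticator: random for Access-Request (fixed when
    supplied), MD5 over zeros for Accounting-Request, MD5 over the matching
    Request Authenticator for any response."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if code == ACCESS_REQUEST:
        auth = request_auth if request_auth is not None else os.urandom(16)
    elif code == ACCOUNTING_REQUEST:
        auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    else:
        if request_auth is None:
            raise ValueError("a response needs the matching request authenticator")
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_packet(pkt):
    """Return (code, identifier, authenticator, attrs); bytes past Length are ignored."""
    if len(pkt) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length field")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def verify(pkt, secret, request_auth=None):
    """Shared-key check: recompute the Authenticator and compare in constant time.
    Responses are checked against the Request Authenticator they answer, an
    Accounting-Request against 16 zero bytes. A failing packet is discarded."""
    code, _, auth, _ = parse_packet(pkt)
    if code == ACCOUNTING_REQUEST:
        prefix = bytes(16)
    elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_RESPONSE) and request_auth:
        prefix = request_auth
    else:
        return False
    length = struct.unpack("!H", pkt[2:4])[0]
    expected = hashlib.md5(pkt[:4] + prefix + pkt[20:length] + secret).digest()
    return hmac.compare_digest(auth, expected)


def reauth_interval(accept_attrs, configured_period):
    """Interval used after an Access-Accept arrives: with Termination-Action = 1
    the server's Session-Timeout supersedes the locally configured period."""
    attrs = dict(accept_attrs)
    action, timeout = attrs.get(TERMINATION_ACTION), attrs.get(SESSION_TIMEOUT)
    if action and timeout and struct.unpack("!I", action)[0] == TERMINATION_ACTION_RADIUS_REQUEST:
        return struct.unpack("!I", timeout)[0]
    return configured_period


def demo():
    """Constructed exchange: Access-Request, Access-Accept, a forged copy, Accounting Start."""
    secret = b"aabbcc"
    req_auth = bytes(range(16))  # fixed for reproducibility; use os.urandom(16) in practice
    request = build_packet(ACCESS_REQUEST, 7, [(USER_NAME, b"telnet@cams"),
                           (NAS_IP_ADDRESS, bytes([10, 110, 91, 1]))], secret, req_auth)
    accept = build_packet(ACCESS_ACCEPT, 7, [(REPLY_MESSAGE, b"welcome"), (SESSION_TIMEOUT, 3600),
                          (TERMINATION_ACTION, TERMINATION_ACTION_RADIUS_REQUEST)], secret, req_auth)
    forged = bytearray(accept)
    forged[-1] ^= 1  # one attribute byte changed: the authenticator no longer matches
    code, _, _, attrs = parse_packet(accept)
    start = build_packet(ACCOUNTING_REQUEST, 8, [(USER_NAME, b"telnet@cams"),
                         (ACCT_STATUS_TYPE, ACCT_START)], secret)
    return {"request_len": len(request), "accept_code": code,
            "accept_verified": verify(accept, secret, req_auth),
            "forged_verified": verify(bytes(forged), secret, req_auth),
            "reauth_seconds": reauth_interval(attrs, 1800),
            "acct_start_verified": verify(start, secret)}
```

The identifier in the response (7) must also match the outstanding request; a client that keys its outstanding-request table by identifier and Request Authenticator gets that check for free. MD5 is kept here only because the RADIUS authenticator is defined over it; the comparison itself is constant-time.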
2 AAA Configuration AAA Configuration Task List You need to configure AAA to provide network access services for legal users while protecting network devices and preventing unauthorized access and repudiation behavior.
Task (Remarks)
- Creating an ISP Domain and Configuring Its Attributes (Required)
- AAA configuration: Configuring an AAA Scheme for an ISP Domain (Required)
- AAA configuration: Configuring separate AAA schemes (Required)
With separate AAA schemes, you can specify authentication, authorization and accounting schemes respectively. You need to configure RADIUS or HWTACACS before performing RADIUS authentication.
- Set the messenger function: messenger time { enable limit interval | disable } (Remarks: Optional. By default, the messenger function is disabled.)
- Set the self-service server location function: self-service-url { disable | enable url-string } (Remarks: Optional. By default, the self-service server location function is disabled.)
Note that:
- On a Switch 4500, each access user belongs to an ISP domain. You can configure up to 16 ISP domains on the switch.
- Configure an AAA scheme for the ISP domain: scheme { local | none | radius-scheme radius-scheme-name [ local ] } (Remarks: Required. By default, an ISP domain uses the local AAA scheme.)
- You can execute the scheme radius-scheme radius-scheme-name command to adopt an already configured RADIUS scheme to implement all three AAA functions.
- Configure an authentication scheme for the ISP domain: authentication { radius-scheme radius-scheme-name [ local ] | local | none } (Remarks: Optional. By default, no separate authentication scheme is configured.)
- Configure an authorization scheme for the ISP domain: authorization { none } (Remarks: Optional. By default, no separate authorization scheme is configured.)
- Configure an accounting scheme for the ISP domain: accounting { none | radius-scheme radius-scheme-name } (Remarks: Optional.)
Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
- Integer: If the RADIUS authentication server assigns integer VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID.
The local users are users set on the switch, with each user uniquely identified by a username. To make a user who is requesting network service pass local authentication, you should add an entry in the local user database on the switch for the user.
- The following characters are not allowed in the user-name string: / : * ? < >. You cannot input more than one "@" in the string.
- After the local-user password-display-mode cipher-force command is executed, any password is displayed in cipher mode even if you specify plain-text display for a user password by using the password command.
Task (Remarks); tasks are grouped under Configuring the RADIUS client and Configuring the RADIUS server
- Creating a RADIUS Scheme (Required)
- Configuring RADIUS Authentication/Authorization Servers (Required)
- Configuring RADIUS Accounting Servers (Required)
- Configuring Shared Keys for RADIUS Messages (Optional)
- Configuring the Maximum Number of RADIUS Request Transmission Attempts (Optional)
- Configuring the Type of RADIUS Servers to be Supported (Optional)
- Configuring the Status of RADIUS Servers (Optional)
- Configuring the Attributes o
creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. And for each type of server, you can configure two servers in a RADIUS scheme: primary server and secondary server. A RADIUS scheme has some parameters such as IP addresses of the primary and secondary servers, shared keys, and types of the RADIUS servers.
- Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.)
- Set the IP address and port number of the primary RADIUS authentication/authorization server: primary authentication ip-address [ port-number ] (Remarks: Required. By default, the IP address and UDP port number of the primary server are 0.0.0.0 and 1812 respectively for a newly created RADIUS scheme.)
- Set the IP address and port number of the secondary RADIUS accounting server: secondary accounting ip-address [ port-number ] (Remarks: Optional. By default, the IP address and UDP port number of the secondary accounting server are 0.0.0.0 and 1813 for a newly created RADIUS scheme.)
- Enable stop-accounting request buffering: stop-accounting-buffer enable
- Set the maximum number of transmission attempts of a buffered stop-accounting request: retry stop-accounting retry-times
To do… Use the command… Enter system view system-view Create a RADIUS scheme and enter its view radius scheme radius-scheme-name Remarks — Required By default, a RADIUS scheme named "system" has already been created in the system. Required Set a shared key for RADIUS authentication/authorization messages key authentication string Set a shared key for RADIUS accounting messages key accounting string By default, no shared key is created. Required By default, no shared key is created.
- Create a RADIUS scheme and enter its view: radius scheme radius-scheme-name (Remarks: Required. By default, a RADIUS scheme named "system" has already been created in the system.)
- Configure the type of RADIUS servers to be supported: server-type { extended | standard } (Remarks: Optional. If you change the RADIUS server type, the units of data flows sent to RADIUS servers are restored to the defaults.)
- Set the status of the secondary RADIUS authentication/authorization server: state secondary authentication { block | active }
- Set the status of the secondary RADIUS accounting server: state secondary accounting { block | active }

Configuring the Attributes of Data to be Sent to RADIUS Servers
Follow these steps to configure the attributes of data to be sent to RADIUS servers:
- Enter system view: system-view
- Create a RADIUS scheme and enter its v
- Generally, access users are named in the userid@isp-name format. Here, isp-name after the "@" character represents the ISP domain name, by which the device determines which ISP domain a user belongs to. However, some old RADIUS servers cannot accept usernames that carry ISP domain names. In this case, it is necessary to remove domain names from usernames before sending the usernames to the RADIUS server.
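How the access device turns a login name into a userid and an ISP domain ("Introduction to ISP Domain"), the local user-name rules (no / : * ? < >, at most one "@"), the 16-domain limit, and the with-domain/without-domain user-name format above, as an added example in Python. It is not code from the manual or from 3Com. The default domain name "system" and the domain and scheme name "cams" come from the page's examples; splitting the userid.isp-name form at the first dot is an assumption, since the page does not say how a userid that itself contains dots is handled.

```python
DEFAULT_DOMAIN = "system"        # default ISP domain named on the page
MAX_ISP_DOMAINS = 16             # Switch 4500 limit stated on the page
FORBIDDEN_CHARS = set("/:*?<>")  # not allowed in a local user-name string


def split_domain(username):
    """Split userid@isp-name or userid.isp-name into (userid, isp-name).
    '@' wins when present; the '.' form is split at the first dot (assumption);
    a name with neither separator belongs to the default domain."""
    if "@" in username:
        userid, _, domain = username.partition("@")
    elif "." in username:
        userid, _, domain = username.partition(".")
    else:
        userid, domain = username, DEFAULT_DOMAIN
    if not userid or not domain:
        raise ValueError("empty userid or domain in %r" % username)
    return userid, domain


def validate_local_username(name):
    """Local user-name rules from the page: no / : * ? < > and at most one '@'."""
    if not name:
        return False, "empty user name"
    bad = sorted(FORBIDDEN_CHARS & set(name))
    if bad:
        return False, "forbidden characters: " + "".join(bad)
    if name.count("@") > 1:
        return False, "more than one '@'"
    return True, ""


def radius_user_name(username, with_domain):
    """user-name-format: with-domain sends the name unchanged; without-domain
    strips the ISP domain for old servers that reject names carrying one."""
    return username if with_domain else split_domain(username)[0]


class IspDomainTable:
    """ISP domains and the AAA scheme each one uses; enforces the 16-domain limit."""

    def __init__(self):
        self.domains = {}

    def add(self, name, scheme="local"):
        if name not in self.domains and len(self.domains) >= MAX_ISP_DOMAINS:
            raise ValueError("at most %d ISP domains" % MAX_ISP_DOMAINS)
        self.domains[name] = scheme

    def resolve(self, username):
        """Return (userid, domain, scheme) for a login name, or None if the
        domain the name points at does not exist on the switch."""
        userid, domain = split_domain(username)
        if domain not in self.domains:
            return None
        return userid, domain, self.domains[domain]


def demo():
    """Constructed table: the default 'system' domain (local scheme) and a
    'cams' domain using the RADIUS scheme of the same name, as in the page's example."""
    table = IspDomainTable()
    table.add(DEFAULT_DOMAIN, "local")
    table.add("cams", "radius-scheme cams")
    return {name: table.resolve(name) for name in ("telnet@cams", "localuser", "bob@nowhere")}
```

A name that resolves to no domain is rejected before any scheme is consulted, which is why a typo in the domain part shows up as an authentication failure rather than falling back to the local database.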
- If you adopt the local RADIUS server function, the UDP port number of the authentication/authorization server must be 1645, the UDP port number of the accounting server must be 1646, and the IP addresses of the servers must be set to the addresses of this switch.
- Set the response timeout time of RADIUS servers: timer response-timeout seconds (Remarks: Optional. By default, the response timeout time of RADIUS servers is three seconds.)
online when the user re-logs into the network before the CAMS performs online user detection, and the user cannot get authenticated. In this case, the user can access the network again only when the CAMS administrator manually removes the user's online information. The user re-authentication at restart function is designed to resolve this problem.
Displaying and Maintaining AAA Configuration
- Display configuration information about one specific or all ISP domains: display domain [ isp-name ]
- Display information about user connections: display connection [ access-type { dot1x | mac-authentication } | domain isp-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-
The configuration procedure for remote authentication of SSH users by a RADIUS server is similar to that for Telnet users. The following text takes only Telnet users as an example to describe the configuration procedure for remote authentication.
Network requirements
In the network environment shown in Figure 2-1, you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server.
- A RADIUS authentication server with IP address 10.110.91.
[Sysname-isp-cams] quit
# Configure a RADIUS scheme.
[Sysname] radius scheme cams
[Sysname-radius-cams] accounting optional
[Sysname-radius-cams] primary authentication 10.110.91.164 1812
[Sysname-radius-cams] key authentication aabbcc
[Sysname-radius-cams] server-type Extended
[Sysname-radius-cams] user-name-format with-domain
[Sysname-radius-cams] quit
# Associate the ISP domain with the RADIUS scheme.
[Sysname-ui-vty0-4] quit
# Create and configure a local user named telnet.
[Sysname] local-user telnet
[Sysname-luser-telnet] service-type telnet
[Sysname-luser-telnet] password simple aabbcc
[Sysname-luser-telnet] quit
# Configure an authentication scheme for the default "system" domain.
- No RADIUS server IP address, or an incorrect one, is set on the switch. Be sure to set a correct RADIUS server IP address.
- One or all AAA UDP port settings are incorrect. Be sure to set the same UDP port numbers as those on the RADIUS server.
Symptom 3: The user passes the authentication and gets authorized, but the accounting information cannot be transmitted to the RADIUS server.
Figure 3-1 Typical network application of EAD

EAD Configuration
The EAD configuration includes:
- Configuring the attributes of access users (such as username, user type, and password). For local authentication, you need to configure these attributes on the switch; for remote authentication, you need to configure these attributes on the AAA server.
- Configuring a RADIUS scheme.
- Configuring the IP address of the security policy server.
- Associating the ISP domain with the RADIUS scheme.
- You are required to configure the switch to use the RADIUS server for remote user authentication and the security policy server for EAD control on users.
The following are the configuration tasks:
- Connect the RADIUS authentication server 10.110.91.164 and the switch, and configure the switch to use port number 1812 to communicate with the server.
- Configure the authentication server type to extended.
[Sysname-isp-system] radius-scheme cams
Table of Contents
1 MAC Address Authentication Configuration 1-1
  MAC Address Authentication Overview 1-1
    Performing MAC Address Authentication on a RADIUS Server 1-1
    Performing MAC Address Authentication Locally
1 MAC Address Authentication Configuration

When configuring MAC address authentication, go to these sections for information you are interested in:
- MAC Address Authentication Overview
- Related Concepts
- Configuring Basic MAC Address Authentication Functions
- MAC Address Authentication Enhanced Function Configuration
- Displaying and Maintaining MAC Address Authentication Configuration
- MAC Address Authentication Configuration Examples

MAC Address Authentication Overview
MAC address authentic
format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail.
- In fixed mode, all users' MAC addresses are automatically mapped to the configured local username and password.
- The service type of a local user needs to be configured as lan-access.
Task (Remarks)
- Configuring a Guest VLAN (Optional)
- Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port (Optional)

Configuring a Guest VLAN
Different from the guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs mentioned in this section are Guest VLANs dedicated to MAC address authentication.
After a port is added to a Guest VLAN, the switch periodically re-authenticates the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch). If this user passes the re-authentication, the port exits the Guest VLAN and the user can access the network normally.
- Guest VLANs are implemented by adding a port to a VLAN.
- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, that configuration does not take effect.
- The undo vlan command cannot be used to remove a VLAN configured as a Guest VLAN.
- If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port Security manual for the description of the port security function.
# Set the user name in MAC address mode for MAC address authentication, requiring hyphenated lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user.
- Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
- Set the service type to lan-access.
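The two username modes of local MAC address authentication (MAC-address mode with the usernameformat options, and fixed mode where every MAC maps to one configured local user) and the lan-access service-type requirement, as an added example in Python; it is not code from the manual or from 3Com. The user 00-0d-88-f6-44-c1 with the same password is the page's own example entry; the with-hyphen lowercase form is the one shown on the page, and the other three formatting combinations are an assumption read off the option names. The remaining local users and the fixed-mode credentials are constructed sample data.

```python
import hmac


def mac_username(mac, with_hyphen=True, lowercase=True):
    """Render a learned MAC address as the MAC-address-mode user name. The
    with-hyphen lowercase form (00-0d-88-f6-44-c1) is the one on the page; the
    other combinations follow the option names and are an assumption."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    name = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return name if lowercase else name.upper()


def credentials_for(mac, authmode):
    """Credentials the switch submits for a MAC: in MAC-address mode both the
    user name and the password are the formatted MAC; in fixed mode every MAC
    maps to the single configured local user name and password."""
    if authmode["mode"] == "usernameasmacaddress":
        name = mac_username(mac, authmode["with_hyphen"], authmode["lowercase"])
        return name, name
    if authmode["mode"] == "fixed":
        return authmode["username"], authmode["password"]
    raise ValueError("unknown authmode %r" % authmode.get("mode"))


# Constructed local user database; the first entry is the page's example user.
LOCAL_USERS = {
    "00-0d-88-f6-44-c1": {"password": "00-0d-88-f6-44-c1", "service_type": "lan-access"},
    "guest": {"password": "guestpass", "service_type": "lan-access"},
    "telnet": {"password": "aabbcc", "service_type": "telnet"},
}


def local_authenticate(username, password, db=LOCAL_USERS):
    """Local authentication: the user must exist, the password must match
    (constant-time compare), and the service type must be lan-access."""
    entry = db.get(username)
    if entry is None:
        return False, "no such local user"
    if not hmac.compare_digest(entry["password"].encode(), password.encode()):
        return False, "wrong password"
    if entry["service_type"] != "lan-access":
        return False, "service type is not lan-access"
    return True, "ok"


def authenticate_mac(mac, authmode, db=LOCAL_USERS):
    """Authenticate one learned MAC under the configured authmode."""
    username, password = credentials_for(mac, authmode)
    return local_authenticate(username, password, db=db)


# Constructed authmode settings mirroring the two command forms.
MAC_MODE = {"mode": "usernameasmacaddress", "with_hyphen": True, "lowercase": True}
FIXED_MODE = {"mode": "fixed", "username": "guest", "password": "guestpass"}
```

The telnet user in the table illustrates the third check: a local user that exists with the right password is still refused for MAC authentication unless its service type is lan-access.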
Table of Contents
1 ARP Configuration 1-1
  Introduction to ARP 1-1
    ARP Function 1-1
    ARP Message Format
1 ARP Configuration

When configuring ARP, go to these sections for information you are interested in:
- Introduction to ARP
- Configuring ARP
- Configuring Gratuitous ARP
- Configuring ARP Source MAC Address Consistency Check
- Displaying and Debugging ARP
- ARP Configuration Examples

Introduction to ARP
ARP Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address. An IP address is the address of a host at the network layer.
Figure 1-1 ARP message format
  Hardware type (16 bits) / Protocol type (16 bits)
  Length of hardware address / Length of protocol address / Operator (16 bits)
  Hardware address of the sender
  IP address of the sender
  Hardware address of the receiver
  IP address of the receiver

Table 1-1 describes the fields of an ARP packet.
Table 1-1 Description on the fields of an ARP packet
Field: Hardware Type. Description: Type of the hardware interface. Refer to Table 1-2 for information about the field values.
Value  Description
5      Chaos
6      IEEE802.X
7      ARC network

ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the most recently used IP address-to-MAC address mapping entries are stored. S4500 series Ethernet switches provide the display arp command to display information about ARP mapping entries.
mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
- If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.
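The ARP message layout of Figure 1-1, the request/reply learning described in the ARP resolution steps, the aging timer (arp timer aging, in minutes) and the source MAC address consistency check just described, as an added worked example in Python. It is not code from the manual or from 3Com. Hardware types 5 to 7 are from Table 1-2 above; type 1 (Ethernet) is taken from RFC 826. The frames in demo() are constructed: Host A resolves Host B, and a third frame carries an ARP sender address that does not match its Ethernet source, which the consistency check refuses to learn. All MAC and IP addresses are made up.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
# Hardware types: 5-7 from Table 1-2 above; 1 (Ethernet) from RFC 826.
HARDWARE_TYPES = {1: "Ethernet", 5: "Chaos", 6: "IEEE802.X", 7: "ARC network"}


def mac(text):
    """'00-0d-88-f6-44-c1', '000d.88f6.44c1' or colon form -> 6 raw bytes."""
    digits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return bytes.fromhex(digits)


def build_arp(eth_src, op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=BROADCAST):
    """Ethernet II frame carrying an ARP message laid out as in Figure 1-1."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # hw type, proto type, lengths, operator
    arp += mac(sender_mac) + socket.inet_aton(sender_ip)       # sender hardware / IP address
    arp += mac(target_mac) + socket.inet_aton(target_ip)       # receiver hardware / IP address
    return eth_dst + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Parse the frame into the Figure 1-1 fields plus the Ethernet source MAC."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    p = frame[22:]
    return {"eth_src": frame[6:12], "hardware_type": HARDWARE_TYPES.get(htype, htype), "op": op,
            "sender_mac": p[0:6], "sender_ip": socket.inet_ntoa(p[6:10]),
            "target_mac": p[10:16], "target_ip": socket.inet_ntoa(p[16:20])}


def source_mac_consistent(fields):
    """ARP source MAC address consistency check: the sender hardware address
    inside the ARP message must equal the Ethernet source MAC of the frame."""
    return fields["sender_mac"] == fields["eth_src"]


class ArpTable:
    """Dynamic ARP entries with an aging time given in minutes (arp timer aging)."""

    def __init__(self, aging_minutes=20):
        self.aging = aging_minutes * 60
        self.entries = {}  # sender IP -> (sender MAC, expiry time in seconds)

    def learn(self, frame, now, check=True):
        """Learn the sender mapping from a request or reply. With the consistency
        check on, an inconsistent packet is treated as invalid and not learned."""
        f = parse_arp(frame)
        if check and not source_mac_consistent(f):
            return False
        self.entries[f["sender_ip"]] = (f["sender_mac"], now + self.aging)
        return True

    def lookup(self, ip, now):
        """Return the MAC for ip, dropping the entry once its aging time has passed."""
        entry = self.entries.get(ip)
        if entry is None or entry[1] <= now:
            self.entries.pop(ip, None)
            return None
        return entry[0]


def demo():
    """Constructed frames: Host A's request, Host B's reply, and a reply whose ARP
    sender address does not match the Ethernet source (all addresses made up)."""
    t = ArpTable(aging_minutes=10)
    a, b = "00-0d-88-00-00-0a", "00-0d-88-00-00-0b"
    request = build_arp(a, ARP_REQUEST, a, "192.168.1.10", "00-00-00-00-00-00", "192.168.1.20")
    reply = build_arp(b, ARP_REPLY, b, "192.168.1.20", a, "192.168.1.10", eth_dst=mac(a))
    inconsistent = build_arp("00-0d-88-00-00-bb", ARP_REPLY, b, "192.168.1.1", a, "192.168.1.10", eth_dst=mac(a))
    return {"request_learned": t.learn(request, now=0),
            "reply_learned": t.learn(reply, now=1),
            "inconsistent_learned": t.learn(inconsistent, now=2),
            "gateway_mac": t.lookup("192.168.1.1", now=3),
            "b_mac": t.lookup("192.168.1.20", now=3),
            "b_mac_after_aging": t.lookup("192.168.1.20", now=601)}
```

With check=False the third frame would be learned and 192.168.1.1 would resolve to Host B's address, which is the condition the consistency check exists to prevent; the aging timer bounds how long any learned entry survives without being refreshed.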
The sending of gratuitous ARP packets is enabled as long as an S4500 switch operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VLAN interface is changed.
Configuration procedure
system-view
[Sysname] undo arp check enable
[Sysname] interface vlan 1
[Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable
[Sysname-Vlan-interface1] quit
[Sysname] arp timer aging 10
[Sysname] arp static 192.168.1.
Table of Contents
1 DHCP Overview 1-1
  Introduction to DHCP 1-1
  DHCP IP Address Assignment 1-1
    IP Address Assignment Policy
1 DHCP Overview

When configuring DHCP, go to these sections for information you are interested in:
- Introduction to DHCP
- DHCP IP Address Assignment
- DHCP Packet Format
- Protocol Specification

Introduction to DHCP
With networks getting larger in size and more complicated in structure, a shortage of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a tough task for them.
- Automatic assignment. The DHCP server assigns IP addresses to DHCP clients. The IP addresses are occupied by the DHCP clients permanently.
- Dynamic assignment. The DHCP server assigns IP addresses to DHCP clients for a predetermined period of time. In this case, a DHCP client must apply for an IP address again when the period expires. This policy applies to most clients.
By default, a DHCP client updates its IP address lease automatically by unicasting a DHCP-REQUEST packet to the DHCP server when half of the lease time elapses. The DHCP server responds with a DHCP-ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client. Otherwise, the DHCP server responds with a DHCP-NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires.
- file: Path and name of the boot configuration file that the DHCP server specifies for the DHCP client.
- option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server.
2 DHCP Relay Agent Configuration

When configuring the DHCP relay agent, go to these sections for information you are interested in:
- Introduction to DHCP Relay Agent
- Configuring the DHCP Relay Agent
- Displaying and Maintaining DHCP Relay Agent Configuration
- DHCP Relay Agent Configuration Example
- Troubleshooting DHCP Relay Agent Configuration

Currently, the interface-related DHCP relay agent configurations can only be made on VLAN interfaces.
Figure 2-1 Typical DHCP relay agent application
In the process of dynamic IP address assignment through the DHCP relay agent, the DHCP client and DHCP server interoperate with each other in a similar way as they do without the DHCP relay agent. The following sections only describe the forwarding process of the DHCP relay agent. For the interaction process of the packets, see section Obtaining IP Addresses Dynamically.
Figure 2-2 Padding contents for sub-option 1 of Option 82
Figure 2-3 Padding contents for sub-option 2 of Option 82

Mechanism of Option 82 supported on DHCP relay agent
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay agent is similar to that for the client to obtain an IP address from a DHCP server directly. The following describes the mechanism of Option 82 support on the DHCP relay agent.
If a switch belongs to an XRN fabric, you need to enable the UDP Helper function on it before configuring it as a DHCP relay agent.
To improve security and avoid malicious attacks on unused sockets, S4500 Ethernet switches provide the following functions:
- UDP ports 67 and 68 used by DHCP are enabled only when DHCP is enabled.
- UDP ports 67 and 68 are disabled when DHCP is disabled.
The corresponding implementation is as follows:
- When a VLAN interface is mapped to a DHCP server group with the dhcp-server command, the DHCP relay agent is enabled. At the same time, UDP ports 67 and 68 used by DHCP are enabled.
- Create a static IP-to-MAC binding: dhcp-security static ip-address mac-address (Remarks: Optional. Not created by default.)
- Enter interface view: interface interface-type interface-number (Remarks: —)
- Enable the address checking function: address-check enable (Remarks: Required. Disabled by default. The address-check enable command is independent of other commands of the DHCP relay agent.)
Currently, the DHCP relay agent handshake function on an S4500 series switch can only interoperate with a Windows 2000 DHCP server.

Enabling unauthorized DHCP server detection
If there is an unauthorized DHCP server in the network, when a client applies for an IP address, the unauthorized DHCP server may assign an incorrect IP address to the DHCP client.
To do… / Use the command… / Remarks
Enable Option 82 support on the DHCP relay agent / dhcp relay information enable / Required. Disabled by default.
Configure the strategy for the DHCP relay agent to process request packets containing Option 82 / dhcp relay information strategy { drop | keep | replace } / Optional
Network diagram
Figure 2-4 Network diagram for DHCP relay agent: the DHCP clients connect to Switch A (DHCP relay agent; Vlan-int1 10.10.1.1/24 on the client side, Vlan-int2 10.1.1.2/24 toward the server), and Switch A connects to Switch B (DHCP server; Vlan-int2 10.1.1.1/24).
Configuration procedure
# Create DHCP server group 1 and configure an IP address of 10.1.1.1 for it.
system-view
[SwitchA] dhcp-server 1 ip 10.1.1.1
# Map VLAN-interface 1 to DHCP server group 1.
• Check whether an address pool on the same network segment as the DHCP clients is configured on the DHCP server.
• Check whether a reachable route is configured between the DHCP relay agent and the DHCP server.
• Check the DHCP relay agent: check whether the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides, and whether the IP address of the DHCP server group is correct.
3 DHCP Snooping Configuration
When configuring DHCP snooping, go to these sections for information you are interested in:
• DHCP Snooping Overview
• Configuring DHCP Snooping
• Displaying and Maintaining DHCP Snooping Configuration
• DHCP Snooping Configuration Examples
DHCP Snooping Overview
Introduction to DHCP Snooping
For the sake of security, the IP addresses used by online DHCP clients need to be tracked for the administrator to verify the corresponding relationship between the IP addresses t
Figure 3-1 Typical network diagram for DHCP snooping application
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
• DHCP-REQUEST packet
• DHCP-ACK packet
Introduction to DHCP-Snooping Option 82
Introduction to Option 82
For details about Option 82, refer to Option 82 Support on DHCP Relay Agent.
Figure 3-3 Extended format of the remote ID sub-option In practice, some network devices do not support the type and length identifiers of the Circuit ID and Remote ID sub-options. To interwork with these devices, S4500 Series Ethernet Switches support Option 82 in the standard format. Refer to Figure 3-4 and Figure 3-5 for the standard format of the sub-options (with the default padding contents).
When receiving a DHCP client's request without Option 82, the DHCP snooping device adds the option with the configured sub-options and then forwards the packet. For details, see Table 3-2.
Table 3-2 Ways of handling a DHCP packet without Option 82
Sub-option configuration / The DHCP-snooping device will …
Neither of the two sub-options is configured. / Forward the packet after adding Option 82 with the default contents.
• If DHCP snooping is enabled on an S4500 Ethernet switch, the clients connected to it cannot obtain IP addresses dynamically through BOOTP.
• You need to specify the ports connected to the valid DHCP servers as trusted so that DHCP clients can obtain valid IP addresses. The trusted port and the port connected to the DHCP client must be in the same VLAN.
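The binding logic described above, as an added example that is not the manual's own code: a DHCP-snooping switch records the client MAC and port from a DHCP-REQUEST, completes the binding with the address carried in the matching DHCP-ACK, and discards any server reply that arrives on an untrusted port. Messages are represented as constructed dicts (the field names in_port, vlan, op, type, xid, chaddr and yiaddr are this example's own); correlating request and ACK by transaction ID is an assumption, the manual only names the two packet types.

```python
"""DHCP-snooping binding table with trusted-port enforcement.
Added example, not code from the 3Com manual."""
from __future__ import annotations
from dataclasses import dataclass, field

# DHCP message types carried in option 53 (RFC 2132)
DHCPREQUEST, DHCPACK = 3, 5
# BOOTP op field: client-to-server vs. server-to-client
BOOTREQUEST, BOOTREPLY = 1, 2


@dataclass
class SnoopingSwitch:
    trusted_ports: set[str]
    pending: dict = field(default_factory=dict)    # xid -> (chaddr, port, vlan)
    bindings: dict = field(default_factory=dict)   # ip  -> (chaddr, port, vlan)
    dropped: list = field(default_factory=list)    # (port, reason) audit trail

    def process(self, msg: dict) -> bool:
        """Return True if the message is forwarded, False if dropped."""
        port = msg["in_port"]
        if msg["op"] == BOOTREPLY:
            # Server-side traffic must enter on a trusted port; a reply
            # on an untrusted port is a rogue DHCP server and is discarded.
            if port not in self.trusted_ports:
                self.dropped.append((port, "server reply on untrusted port"))
                return False
            if msg["type"] == DHCPACK:
                # Complete the binding started by the client's REQUEST
                # (assumption: request and ACK are matched on xid).
                ent = self.pending.pop(msg["xid"], None)
                if ent is not None:
                    chaddr, client_port, vlan = ent
                    self.bindings[msg["yiaddr"]] = (chaddr, client_port, vlan)
            return True
        if msg["type"] == DHCPREQUEST:
            # Remember which MAC asked on which port/VLAN until the ACK arrives.
            self.pending[msg["xid"]] = (msg["chaddr"], port, msg["vlan"])
        return True


if __name__ == "__main__":
    sw = SnoopingSwitch(trusted_ports={"Ethernet1/0/5"})
    # Constructed traffic: a client request, a rogue ACK on an untrusted port,
    # then the legitimate ACK on the trusted port.
    sw.process({"in_port": "Ethernet1/0/1", "vlan": 1, "op": BOOTREQUEST,
                "type": DHCPREQUEST, "xid": 0x1234, "chaddr": "00-11-22-33-44-55"})
    sw.process({"in_port": "Ethernet1/0/2", "vlan": 1, "op": BOOTREPLY,
                "type": DHCPACK, "xid": 0x1234, "yiaddr": "10.1.1.99"})
    sw.process({"in_port": "Ethernet1/0/5", "vlan": 1, "op": BOOTREPLY,
                "type": DHCPACK, "xid": 0x1234, "yiaddr": "10.1.1.20"})
    print(sw.bindings, sw.dropped)
```

The binding table is what the address-check function and later IP/MAC verification rely on, so the untrusted-port drop matters: without it the rogue ACK above would have planted 10.1.1.99 for the client.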
Configuring a handling policy for DHCP packets with Option 82
Follow these steps to configure a handling policy for DHCP packets with Option 82:
To do… / Use the command… / Remarks
Enter system view / system-view / —
Configure a global handling policy for requests that contain Option 82 / dhcp-snooping information strategy { drop | keep | replace } / Optional
Enter Ethernet port view / interface interface-type interface-number / —
Configure a handling policy for requests that contain Option 82 received on the s
To do… / Use the command… / Remarks
Enter Ethernet port view / interface interface-type interface-number / —
Configure the circuit ID sub-option in Option 82 / dhcp-snooping information [ vlan vlan-id ] circuit-id string string / Optional. By default, the circuit ID sub-option contains the VLAN ID and port index of the port that receives DHCP request packets from DHCP clients.
If you have configured a circuit ID with the vlan vlan-id argument specified, and the other one without the argument in Ethernet
• If you configure a remote ID sub-option both in system view and on a port, the remote ID sub-option configured on the port applies when that port receives a packet, and the global remote ID applies to the other interfaces that have no remote ID sub-option configured.
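The Option 82 processing described for the relay agent and for DHCP snooping (add the option to a request that lacks it; drop, keep or replace it in a request that already carries one), as an added example that is not the manual's code. It uses the standard TLV format of the sub-options (code 1 circuit ID, code 2 remote ID) rather than the switch's extended format, whose byte layout is not given on this page; the circuit ID "abcd" and remote ID "Switch" are taken from the configuration example and are constructed input.

```python
"""DHCP Option 82 (Relay Agent Information) in standard TLV format and
the drop / keep / replace strategy. Added example, not the manual's code."""
from __future__ import annotations

OPT_PAD = 0
OPT_END = 255
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def parse_tlvs(data: bytes, pad=None, end=None) -> list[tuple[int, bytes]]:
    """Parse one-byte-type / one-byte-length / value items. A truncated
    item raises instead of silently reading past the buffer."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        items.append((code, value))
        i += 2 + length
    return items


def build_tlvs(items) -> bytes:
    out = bytearray()
    for code, value in items:
        if len(value) > 255:
            raise ValueError("TLV value too long for a one-byte length")
        out += bytes([code, len(value)]) + bytes(value)
    return bytes(out)


def parse_dhcp_options(opts: bytes):
    """Options area after the magic cookie; 0 is padding, 255 ends the list."""
    return parse_tlvs(opts, pad=OPT_PAD, end=OPT_END)


def build_dhcp_options(items) -> bytes:
    return build_tlvs(items) + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Value of Option 82: sub-option 1 (circuit ID) then 2 (remote ID)."""
    return build_tlvs([(SUB_CIRCUIT_ID, circuit_id), (SUB_REMOTE_ID, remote_id)])


def parse_option82(value: bytes) -> dict[int, bytes]:
    return dict(parse_tlvs(value))


def relay_process_request(opts: bytes, strategy: str,
                          circuit_id: bytes, remote_id: bytes):
    """Return the option bytes to forward toward the server, or None to drop.
    No Option 82 present: append our own.  Option 82 present: apply the
    configured strategy (drop the request, keep it unchanged, or replace
    the received Option 82 with our own)."""
    items = parse_dhcp_options(opts)
    mine = (OPT_RELAY_AGENT_INFO, build_option82(circuit_id, remote_id))
    has82 = any(code == OPT_RELAY_AGENT_INFO for code, _ in items)
    if not has82:
        return build_dhcp_options(items + [mine])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_dhcp_options(items)
    if strategy == "replace":
        others = [(c, v) for c, v in items if c != OPT_RELAY_AGENT_INFO]
        return build_dhcp_options(others + [mine])
    raise ValueError(f"unknown strategy {strategy!r}")


if __name__ == "__main__":
    # Constructed DHCPDISCOVER options: message type 1, no Option 82.
    discover = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
    out = relay_process_request(discover, "replace", b"abcd", b"Switch")
    print(parse_option82(dict(parse_dhcp_options(out))[OPT_RELAY_AGENT_INFO]))
```

The strategy matters on a client-facing port: a host can send its own Option 82 to claim a different circuit, so "replace" (or "drop") on untrusted ports is the setting that keeps the circuit ID trustworthy; "keep" is only appropriate behind another trusted relay.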
• Enable DHCP-snooping Option 82 support on the switch and set the remote ID field in Option 82 to the system name of the switch. Set the circuit ID sub-option to abcd in DHCP packets from VLAN 1 on Ethernet 1/0/3.
Network diagram
Figure 3-6 Network diagram for DHCP-snooping Option 82 support configuration
Configuration procedure
# Enable DHCP snooping on the switch.
system-view
[Switch] dhcp-snooping
# Specify Ethernet 1/0/5 as the trusted port.
4 DHCP/BOOTP Client Configuration
When configuring the DHCP/BOOTP client, go to these sections for information you are interested in:
• Introduction to DHCP Client
• Introduction to BOOTP Client
• Configuring a DHCP/BOOTP Client
• Displaying DHCP/BOOTP Client Configuration
Introduction to DHCP Client
After you specify a VLAN interface as a DHCP client, the device can use DHCP to obtain parameters such as the IP address dynamically from the DHCP server, which facilitates user configuration and managemen
Configuring a DHCP/BOOTP Client
Follow these steps to configure a DHCP/BOOTP client:
To do… / Use the command… / Remarks
Enter system view / system-view / —
Enter VLAN interface view / interface vlan-interface vlan-id / —
Configure the VLAN interface to obtain an IP address through DHCP or BOOTP / ip address { bootp-alloc | dhcp-alloc } / Required. By default, no IP address is configured for the VLAN interface.
Network diagram
Figure 4-1 A DHCP network
Configuration procedure
The following describes only the configuration on Switch A serving as a DHCP client.
# Configure VLAN-interface 1 to dynamically obtain an IP address by using DHCP.
system-view
[SwitchA] interface Vlan-interface 1
[SwitchA-Vlan-interface1] ip address dhcp-alloc
BOOTP Client Configuration Example
Network requirement
Switch B's port belonging to VLAN 1 is connected to the LAN.
Table of Contents: 1 ACL Configuration; ACL Overview; ACL Matching Order; Ways to Apply an ACL on a Switch
1 ACL Configuration
When configuring ACL, go to these sections for information you are interested in:
• ACL Overview
• ACL Configuration Task List
• Displaying and Maintaining ACL Configuration
• Examples for Upper-layer Software Referencing ACLs
• Examples for Applying ACLs to Hardware
ACL Overview
As network scale and network traffic keep growing, security control and bandwidth assignment play an increasingly important role in network management.
Depth-first match order for rules of a basic ACL
1) Range of source IP address: the smaller the source IP address range (that is, the more zeros in the wildcard mask), the higher the match priority.
2) Fragment keyword: a rule with the fragment keyword takes priority over the others.
3) If the above two conditions are identical, the earlier configured rule applies.
• Referenced by routing policies
• Used to control Telnet, SNMP and Web login users
• When an ACL is directly applied to hardware for packet filtering, the switch permits packets that do not match the ACL.
• When an ACL is referenced by upper-layer software to control Telnet, SNMP and Web login users, the switch denies packets that do not match the ACL.
An absolute time range on Switch 4500 Series can be within the range 1970/1/1 00:00 to 2100/12/31 24:00. Configuration procedure Follow these steps to configure a time range: To do... Use the command...
system-view
[Sysname] time-range test from 15:00 1/28/2006 to 15:00 1/28/2008
[Sysname] display time-range test
Current time is 13:30:32 Apr/16/2005 Saturday
Time-range : test ( Inactive )
From 15:00 Jan/28/2006 to 15:00 Jan/28/2008
Configuring Basic ACL
A basic ACL filters packets based on their source IP addresses. A basic ACL can be numbered from 2000 to 2999.
Configuration prerequisites
• To configure a time range-based basic ACL rule, you need to create the corresponding time range first.
Configuration example
# Configure ACL 2000 to deny packets whose source IP address is 192.168.0.1.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule deny source 192.168.0.1 0
# Display the configuration information of ACL 2000.
[Sysname-acl-basic-2000] display acl 2000
Basic ACL 2000, 1 rule
Acl's step is 1
rule 0 deny source 192.168.0.
Note that:
• With the config match order specified for the advanced ACL, you can modify any existing rule; the unmodified part of the rule remains. With the auto match order specified for the ACL, you cannot modify any existing rule; otherwise the system prompts an error.
• If you do not specify the rule-id argument when creating an ACL rule, the rule is numbered automatically.
To do... / Use the command... / Remarks
Define an ACL rule / rule [ rule-id ] { permit | deny } rule-string / Required. For information about rule-string, refer to ACL Commands.
Assign a description string to the ACL rule / rule rule-id comment text / Optional. No description by default.
Assign a description string to the ACL / description text / Optional. No description by default.
Note that:
• You can modify any existing rule of the Layer 2 ACL; the unmodified part of the ACL remains.
To do... / Use the command... / Remarks
Enter system view / system-view / —
Create a user-defined ACL and enter user-defined ACL view / acl number acl-number / Required
Define an ACL rule / rule [ rule-id ] { permit | deny } [ rule-string rule-mask offset ] &<1-8> [ time-range time-name ] / Required. For information about rule-string, refer to ACL Commands.
Define a comment for the ACL rule / rule rule-id comment text / Optional
Define a description for the ACL / description text / Optional
Acl's step is 1
rule 0 deny 06 ff 27
Applying ACL Rules on Ports
By applying ACL rules on ports, you can filter packets on the corresponding ports.
Configuration prerequisites
You need to define an ACL before applying it on a port. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL, and Configuring User-defined ACL.
Configuration procedure
Follow these steps to apply ACL rules on a port:
To do... Use the command...
Configuration procedure
Follow these steps to apply ACL rules to ports in a VLAN:
To do... / Use the command... / Remarks
Enter system view / system-view / —
Apply ACL rules to ports in a VLAN / packet-filter vlan vlan-id { inbound | outbound } acl-rule / Required. For information about acl-rule, refer to ACL Commands.
Configuration example
# Apply ACL 2000 to all ports of VLAN 1 in the inbound direction to filter packets.
Configuration procedure
# Define ACL 2000.
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] quit
# Reference ACL 2000 on the VTY user interfaces to control Telnet login users.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound
Example for Controlling Web Login Users by Source IP
Network requirements
Apply an ACL to permit Web users with the source IP address of 10.110.100.
Network diagram
Figure 1-3 Network diagram for basic ACL configuration
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 every day.
system-view
[Sysname] time-range test 8:00 to 18:00 daily
# Define ACL 2000 to filter packets with the source IP address of 10.1.1.1.
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range test
[Sysname-acl-basic-2000] quit
# Apply ACL 2000 on Ethernet 1/0/1.
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days.
system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define ACL 3000 to filter packets destined for the wage query server.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test
[Sysname-acl-adv-3000] quit
# Apply ACL 3000 on Ethernet 1/0/1.
User-defined ACL Configuration Example
Network requirements
As shown in Figure 1-6, PC 1 and PC 2 are connected to the switch through Ethernet 1/0/1 and Ethernet 1/0/2 respectively. They belong to VLAN 1 and access the Internet through the same gateway, which has an IP address of 192.168.0.1 (the IP address of VLAN-interface 1). Configure a user-defined ACL to deny all ARP packets from PC 1 that use the gateway IP address as the source address from 8:00 to 18:00 every day.
Network diagram
Figure 1-7 Network diagram for applying an ACL to a VLAN: PC 1, PC 2 and PC 3 (Eth1/0/1, Eth1/0/2, Eth1/0/3) are in VLAN 10 together with the database server 192.168.1.2.
Configuration procedure
# Define a periodic time range that is active from 8:00 to 18:00 on working days.
system-view
[Sysname] time-range test 8:00 to 18:00 working-day
# Define an ACL to deny packets destined for the database server.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 1 deny ip destination 192.168.1.
Table of Contents: 1 QoS Configuration; Overview; Introduction to QoS; Traditional Packet Forwarding Servi
1 QoS Configuration
When configuring QoS, go to these sections for information you are interested in:
• Overview
• QoS Supported By Switch 4500 Series
• QoS Configuration
• Displaying and Maintaining QoS
• QoS Configuration Examples
Overview
Introduction to QoS
Quality of Service (QoS) is a concept concerning service demand and supply. It reflects the ability to meet customer needs. Generally, QoS does not focus on grading services precisely, but on improving services under certain conditions.
and VoD. As for other applications, such as transaction processing and Telnet, bandwidth is not as critical, but too long a delay may cause unexpected results; that is, they need to be serviced in time even if congestion occurs. Newly emerging applications demand higher service performance from IP networks.
QoS Supported By Switch 4500 Series
The Switch 4500 series support the QoS features listed in Table 1-1:
Table 1-1 QoS features supported by Switch 4500 series
QoS Feature / Description / Refer to …
Traffic classification / Classify incoming traffic based on ACLs.
protocol or the port number of an application. Normally, traffic classification is done by checking the information carried in the packet header; the packet payload is rarely used for traffic classification. The classification rule is not limited in scope: it can be a quintuplet consisting of source address, source port number, protocol number, destination address, and destination port number, or simply a network segment.
• Assured forwarding (AF) class: this class is further divided into four subclasses (AF1/2/3/4), and each subclass is further divided into three drop priorities, so the AF service level can be segmented. The QoS rank of the AF class is lower than that of the EF class.
• Class selector (CS) class: this class comes from the IP ToS field and includes eight subclasses.
• Best Effort (BE) class: this class is a special class without any assurance in the CS class.
2) 802.1p priority
802.1p priority lies in Layer 2 packet headers and is applicable where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2.
Figure 1-3 An Ethernet frame with an 802.1Q tag header
As shown in the figure above, the 4-byte 802.1Q tag header consists of the tag protocol identifier (TPID, two bytes in length), whose value is 0x8100, and the tag control information (TCI, two bytes in length). Figure 1-4 describes the detailed contents of an 802.
Priority trust mode
After a packet enters a switch, the switch sets the 802.1p priority and local precedence for the packet according to its own capability and the corresponding rules.
1) For a packet carrying no 802.1Q tag
When a packet carrying no 802.1Q tag reaches the port of a switch, the switch uses the port priority as the 802.1p precedence value of the received packet, searches for the local precedence corresponding to the port priority of the receiving port in the 802.
Priority Marking
The priority marking function reassigns the priority of traffic matching an ACL referenced for traffic classification.
• If 802.1p priority marking is configured, the traffic is mapped to the local precedence corresponding to the re-marked 802.1p priority and assigned to the output queue corresponding to that local precedence.
• If local precedence marking is configured, the traffic is assigned to the output queue corresponding to the re-marked local precedence.
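The ingress side of the priority handling above (read the 802.1p priority from the 802.1Q tag, fall back to the port priority for an untagged frame, then map to a local precedence), as an added example that is not the manual's code. The TPID value 0x8100 and the "trust port priority" default come from the text; the 802.1p-to-local-precedence table is a constructed illustration, not the switch's default mapping, and the frames are built inline.

```python
"""802.1Q tag parsing and ingress priority selection.
Added example, not the manual's code."""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100

# Constructed example mapping: 802.1p priority -> local precedence (queue).
# Not the switch's default table, which this page does not list.
EXAMPLE_DOT1P_TO_LOCAL = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def parse_frame(frame: bytes):
    """Return (dst, src, tag, ethertype, payload); tag is (pcp, dei, vid)
    or None for an untagged frame. TCI layout: PCP 3 bits, DEI 1, VID 12."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", frame[14:18])
        tag = (tci >> 13, (tci >> 12) & 1, tci & 0x0FFF)
        return dst, src, tag, etype, frame[18:]
    return dst, src, None, etype, frame[14:]


def ingress_priority(frame: bytes, port_priority: int, trust: str = "port",
                     table=EXAMPLE_DOT1P_TO_LOCAL):
    """Return (dot1p_priority, local_precedence) for a received frame.
    trust='port' (the default on this switch) uses the receiving port's
    priority; trust='dot1p' uses the frame's own 802.1p value when tagged.
    An untagged frame always falls back to the port priority."""
    _, _, tag, _, _ = parse_frame(frame)
    dot1p = tag[0] if (tag is not None and trust == "dot1p") else port_priority
    return dot1p, table[dot1p]


def make_frame(dst: bytes, src: bytes, etype: int, payload: bytes,
               vid: int | None = None, pcp: int = 0, dei: int = 0) -> bytes:
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        tci = (pcp << 13) | (dei << 12) | (vid & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + payload


if __name__ == "__main__":
    f = make_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"data", vid=10, pcp=5)
    print(parse_frame(f)[2], ingress_priority(f, 0, trust="dot1p"), ingress_priority(f, 0))
```

Leaving a user-facing port in "trust 802.1p" mode lets any host tag its own frames with priority 7 and jump the queues, which is the practical reason the default of trusting the port priority is the safer one at the edge.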
enough to forward the packets, the traffic conforms to the specification; otherwise, the traffic is nonconforming or excess. Parameters concerning the token bucket include:
• Average rate: the rate at which tokens are put into the bucket, namely the permitted average rate of the traffic. It is generally set to the committed information rate (CIR).
• Burst size: the capacity of the token bucket, namely the maximum traffic size permitted in each burst.
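The token bucket described above, as an added example that is not the manual's code: tokens arrive at the CIR, the bucket holds at most the burst size, and a packet conforms only if enough tokens are present when it arrives; the excess action is a caller-supplied label. The packet timestamps and sizes are constructed input, and the bucket is assumed to start full so that an initial burst up to the CBS conforms.

```python
"""Single token bucket for traffic policing. Added example, not the
manual's code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    cir_bps: float        # average rate: token bits added per second
    cbs_bytes: int        # burst size: bucket capacity in bytes
    tokens: float = field(init=False)
    last: float = 0.0     # time of the previous refill, seconds

    def __post_init__(self):
        # Assumption: a fresh bucket starts full.
        self.tokens = float(self.cbs_bytes * 8)

    def offer(self, now: float, size_bytes: int) -> bool:
        """True if the packet conforms (its tokens are consumed),
        False if it is excess (no tokens are consumed)."""
        if now < self.last:
            raise ValueError("timestamps must be non-decreasing")
        refill = (now - self.last) * self.cir_bps
        self.tokens = min(self.cbs_bytes * 8, self.tokens + refill)
        self.last = now
        need = size_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        return False


def police(packets, cir_kbps: float, cbs_bytes: int, exceed_action: str = "drop"):
    """packets: iterable of (time_s, size_bytes). Returns one verdict per
    packet: 'conform' or the configured exceed action."""
    bucket = TokenBucket(cir_bps=cir_kbps * 1000, cbs_bytes=cbs_bytes)
    return ["conform" if bucket.offer(t, n) else exceed_action for t, n in packets]


if __name__ == "__main__":
    # Constructed burst: two full-size frames at t=0, then lighter traffic.
    trace = [(0.0, 1500), (0.0, 1500), (0.1, 500), (1.0, 1500)]
    print(police(trace, cir_kbps=64, cbs_bytes=2000))
```

With a 64 kbps CIR and a 2000-byte burst, the second 1500-byte frame at t=0 is excess because only 4000 token bits remain, while after 100 ms of refill a 500-byte frame conforms again; sizing the CBS too small relative to the frame size makes a policer drop even a steady flow, which is the first thing to check when a traffic-limit rule behaves unexpectedly.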
The Switch 4500 series support three queue scheduling algorithms: Strict Priority (SP) queuing, Weighted Fair Queuing (WFQ), and Weighted Round Robin (WRR) queuing. 1) SP queuing Figure 1-6 Diagram for SP queuing SP queue-scheduling algorithm is specially designed for critical service applications. An important feature of critical services is that they demand preferential service in congestion in order to reduce the response delay.
Figure 1-7 Diagram for WFQ queuing
Before WFQ is introduced, you must understand fair queuing (FQ) first. FQ is designed for the purpose of sharing network resources fairly and optimizing the delays and delay jitters of all the flows. It takes the interests of all parties into account:
• Different queues are scheduled fairly, so the delay of each flow is balanced globally.
• Both short and long packets are scheduled fairly.
Figure 1-8 Diagram for WRR queuing WRR queue-scheduling algorithm schedules all the queues in turn and every queue can be assured of a certain service time. In a typical 3Com switch there are eight output queues on each port. WRR configures a weight value for each queue, for example: w7, w6, w5, w4, w3, w2, w1, and w0 respectively for queue 7 through queue 0. A weight value indicates the proportion of resources available for a queue.
In the WRED algorithm, an upper limit and a lower limit are set for each queue, and the packets in a queue are processed as follows:
• When the current queue length is smaller than the lower limit, no packet is dropped.
• When the queue length exceeds the upper limit, all newly received packets are dropped.
• When the queue length is between the lower limit and the upper limit, newly received packets are dropped at random.
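The output-queue behaviour described in the SP, WRR and WRED sections above, as one added example that is not the manual's code: WRED decides at enqueue time whether a packet is dropped (none below the lower limit, all above the upper limit, at random with a fixed probability in between), and the scheduler then serves the eight queues either strictly by priority or round-robin by weight. The scheduler counts packets rather than bytes and the random source is injectable for testing; both are this example's assumptions, and the queue contents are constructed.

```python
"""WRED enqueue plus SP / WRR dequeue. Added example, not the manual's code."""
from __future__ import annotations
from collections import deque
import random


class WredQueue:
    def __init__(self, lower: int, upper: int, drop_prob: float, rng=random.random):
        self.q = deque()
        self.lower, self.upper, self.drop_prob, self.rng = lower, upper, drop_prob, rng

    def drop_probability(self) -> float:
        n = len(self.q)
        if n < self.lower:
            return 0.0          # below the lower limit nothing is dropped
        if n >= self.upper:
            return 1.0          # above the upper limit everything is dropped
        return self.drop_prob   # in between: random drop with fixed probability

    def enqueue(self, pkt) -> bool:
        """True if the packet was queued, False if WRED dropped it."""
        if self.rng() < self.drop_probability():
            return False
        self.q.append(pkt)
        return True


def preload(lower: int, upper: int, drop_prob: float, items) -> WredQueue:
    """Queue pre-filled with constructed packets (bypasses WRED)."""
    q = WredQueue(lower, upper, drop_prob)
    q.q.extend(items)
    return q


def schedule(queues: dict, weights: dict | None = None) -> list:
    """Drain queues and return the service order.
    weights=None: strict priority, the highest-numbered queue always first.
    weights given: weighted round robin, queue i sends up to weights[i]
    packets per round, so every queue gets some service time."""
    order = []
    if weights is None:
        for i in sorted(queues, reverse=True):
            while queues[i].q:
                order.append(queues[i].q.popleft())
        return order
    while any(q.q for q in queues.values()):
        for i in sorted(queues, reverse=True):
            for _ in range(weights[i]):
                if not queues[i].q:
                    break
                order.append(queues[i].q.popleft())
    return order


if __name__ == "__main__":
    qs = {7: preload(100, 200, 0.1, "abc"), 0: preload(100, 200, 0.1, "xy")}
    print("SP :", schedule(qs))
    qs = {7: preload(100, 200, 0.1, "abc"), 0: preload(100, 200, 0.1, "xy")}
    print("WRR:", schedule(qs, {7: 2, 0: 1}))
```

The SP run shows the starvation risk the manual alludes to: queue 0 is not served until queue 7 is empty, so a host that can mark its traffic into the top queue can shut out everyone else on the port; WRR bounds that to the weight ratio.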
Configuration procedure
Follow these steps to configure the switch to trust port priority:
To do… / Use the command… / Remarks
Enter system view / system-view / —
Enter Ethernet port view / interface interface-type interface-number / —
Configure the switch to trust port priority and set the port priority / priority priority-level / Optional. By default, the switch trusts port priority and the priority of a port is 0.
Configuration procedure Follow these steps to configure the mapping between 802.1p priority and local precedence: To do… Use the command… Remarks Enter system view system-view — Configure the mapping between 802.
Configuration example
• Set the IP precedence of ICMP packets to 3.
• Display the configuration.
Configuration procedure:
system-view
[Sysname] protocol-priority protocol-type icmp ip-precedence 3
[Sysname] display protocol-priority
Protocol: icmp
IP-Precedence: flash(3)
Marking Packet Priority
Refer to section Priority Marking for information about marking packet priority.
To do… / Use the command… / Remarks
Enter system view / system-view / —
Mark the priorities of packets belonging to a VLAN and matching specific ACL rules / traffic-priority vlan vlan-id { inbound | outbound } acl-rule { { dscp dscp-value | ip-precedence { pre-value | from-cos } } | cos { pre-value | from-ipprec } | local-precedence pre-value }* / Required. Refer to the command manual for information about the acl-rule argument.
To do… / Use the command… / Remarks
Configure traffic policing / traffic-limit inbound acl-rule [ union-effect ] target-rate [ burst-bucket burst-bucket-size ] [ exceed action ] / Required. Specify a committed information rate (CIR) for the target-rate argument, and a committed burst size (CBS) for the burst-bucket-size argument. By default, traffic policing is disabled. The granularity of traffic policing is 64 Kbps.
To do… / Use the command… / Remarks
Configure line rate / line-rate { inbound | outbound } target-rate [ burst-bucket burst-bucket-size ] / Required. Specify a committed information rate (CIR) for the target-rate argument, and a committed burst size (CBS) for the burst-bucket-size argument. By default, line rate is disabled.
Configuration example
• Configure line rate for outbound packets on Ethernet 1/0/1.
Configuration procedure
Follow these steps to configure queue scheduling in system view:
To do… / Use the command… / Remarks
Enter system view / system-view / —
Configure queue scheduling / queue-scheduler { strict-priority | wfq queue0-width queue1-width queue2-width queue3-width queue4-width queue5-width queue6-width queue7-width | wrr queue0-weight queue1-weight queue2-weight queue3-weight queue4-weight queue5-weight queue6-weight queue7-weight } / Required. By default, the queue scheduling algorithm adopted
• The queue scheduling algorithm specified with the queue-scheduler command in system view takes effect on all ports. The queue scheduling algorithm configured in port view must be the same as that configured in system view; otherwise, the system prompts a configuration error.
To do… / Use the command… / Remarks
Enter system view / system-view / —
Enter Ethernet port view / interface interface-type interface-number / —
Configure WRED / wred queue-index qstart probability / Required. By default, WRED is not configured.
Configuration example
Configure WRED for queue 2 of Ethernet 1/0/1 to drop packets in queue 2 at random once the number of packets in queue 2 exceeds 64, with a drop probability of 20%.
For information about the mirroring-group monitor-port command and the monitor-port command, refer to the part on mirroring.
Configuration example
Network requirements:
• Ethernet 1/0/1 is connected to the 10.1.1.0/24 network segment.
• Duplicate the packets from network segment 10.1.1.0/24 to the destination mirroring port Ethernet 1/0/4.
Configuration procedure:
system-view
[Sysname] acl number 2000
[Sysname-acl-basic-2000] rule permit source 10.1.1.0 0.0.0.
QoS Configuration Examples Configuration Example of Traffic policing and Line Rate Network requirement An enterprise network connects all the departments through an Ethernet switch. PC 1, with the IP address 192.168.0.1 belongs to the R&D department and is connected to Ethernet 1/0/1 of the switch. The marketing department is connected to Ethernet 1/0/2 of the switch.
Configuration Example of Priority Marking and Queue Scheduling Network requirements As shown in Figure 1-10, an enterprise network connects all the departments through an Ethernet switch. Clients PC 1 through PC 3 are connected to Ethernet 1/0/1 of the switch; clients PC 4 through PC 6 are connected to Ethernet 1/0/3 of the switch. Server 1 (the database server), Server 2 (the mail server), and Server 3 (the file server) are connected to Ethernet 1/0/2 of the switch.
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 1 local-precedence 3
[Sysname-Ethernet1/0/2] traffic-priority inbound ip-group 3000 rule 2 local-precedence 2
[Sysname-Ethernet1/0/2] quit
3) Configure queue scheduling
# Apply the SP queue scheduling algorithm.
[Sysname] queue-scheduler strict-priority
VLAN Mapping Configuration Example
Network requirements
Two customer networks are connected to the public network through Switch A and Switch B.
Configuration procedure
# Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A.
system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] vlan 500
[SwitchA-vlan500] quit
[SwitchA] vlan 600
[SwitchA-vlan600] quit
# Configure Ethernet 1/0/11 of Switch A as a trunk port and configure its default VLAN as VLAN 100. Assign Ethernet 1/0/11 to VLAN 100 and VLAN 500. Configure Ethernet 1/0/12 in the same way.
# Configure VLAN mapping on Ethernet 1/0/11 to replace VLAN tag 100 with VLAN tag 500.
[SwitchA] interface Ethernet 1/0/11
[SwitchA-Ethernet1/0/11] traffic-remark-vlanid inbound link-group 4000 remark-vlan 500
[SwitchA-Ethernet1/0/11] quit
# Configure VLAN mapping on Ethernet 1/0/12 to replace VLAN tag 200 with VLAN tag 600.
Table of Contents: 1 Mirroring Configuration; Mirroring Overview; Local Port Mirroring; Remote Port Mirroring
1 Mirroring Configuration
When configuring mirroring, go to these sections for information you are interested in:
• Mirroring Overview
• Mirroring Configuration
• Displaying and Maintaining Port Mirroring
• Mirroring Configuration Examples
Mirroring Overview
Mirroring duplicates packets from a port to another port connected to a data monitoring device, for network monitoring and diagnosis.
Remote Port Mirroring Remote port mirroring does not require the source and destination ports to be on the same device. The source and destination ports can be located on multiple devices across the network. This allows an administrator to monitor traffic on remote devices conveniently. To implement remote port mirroring, a special VLAN, called remote-probe VLAN, is used.
Switch / Ports involved / Function
… / … / Sends mirrored packets to the destination switch.
Intermediate switch / Trunk port / Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side.
Destination switch / Trunk port / Receives remote mirrored packets.
Destination switch / Destination port / Receives packets forwarded from the trunk port and transmits them to the data detection device.
Configuring Local Port Mirroring
Configuration prerequisites
• The source port is determined, and the direction in which the packets are to be mirrored is determined.
• The destination port is determined.
Configuration on a switch acting as a source switch
1) Configuration prerequisites
• The source port, the reflector port, and the remote-probe VLAN are determined.
• Layer 2 connectivity is ensured between the source and destination switches over the remote-probe VLAN.
• The direction of the packets to be monitored is determined.
cannot be configured with functions like VLAN-VPN, port loopback detection, packet filtering, QoS, port security, and so on.
• You cannot modify the duplex mode, port rate, or MDI attribute of a reflector port.
• Only an existing static VLAN can be configured as the remote-probe VLAN. To remove a remote-probe VLAN, you need to restore it to a normal VLAN first. A remote port mirroring group becomes invalid if the corresponding remote-probe VLAN is removed.
To do… / Use the command… / Remarks
Enter system view / system-view / —
Create a VLAN and enter VLAN view / vlan vlan-id / vlan-id is the ID of the remote-probe VLAN.
Mirroring Configuration Examples
Local Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through Switch 4500 series switches:
• The Research and Development (R&D) department is connected to Switch C through Ethernet 1/0/1.
• The Marketing department is connected to Switch C through Ethernet 1/0/2.
Ethernet1/0/1 both
Ethernet1/0/2 both
monitor port: Ethernet1/0/3
After the configuration, you can monitor all packets received on and sent from the R&D department and the marketing department on the data detection device.
Remote Port Mirroring Configuration Example
Network requirements
The departments of a company connect to each other through Switch 4500 series switches:
• Switch A, Switch B, and Switch C are Switch 4500 series switches.
• Department 1 is connected to Ethernet 1/0/1 of Switch A.
Configuration procedure
1) Configure the source switch (Switch A)
# Create remote source mirroring group 1.
system-view
[Sysname] mirroring-group 1 remote-source
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the source ports, reflector port, and remote-probe VLAN for the remote source mirroring group.
[Sysname-Ethernet1/0/2] port trunk permit vlan 10
3) Configure the destination switch (Switch C)
# Create remote destination mirroring group 1.
system-view
[Sysname] mirroring-group 1 remote-destination
# Configure VLAN 10 as the remote-probe VLAN.
[Sysname] vlan 10
[Sysname-vlan10] remote-probe vlan enable
[Sysname-vlan10] quit
# Configure the destination port and remote-probe VLAN for the remote destination mirroring group.
Table of Contents: 1 XRN Fabric Configuration; Introduction to XRN; Establishment of an XRN Fabric; How XRN Works
1 XRN Fabric Configuration
When configuring XRN fabric, go to these sections for information you are interested in:
• Introduction to XRN
• XRN Fabric Configuration
• Displaying and Maintaining XRN Fabric
• XRN Fabric Configuration Example
Introduction to XRN
Expandable Resilient Networking (XRN), a feature particular to 3Com Switch 4500 series switches, is a new technology for building the core of a network.
Figure 1-2 Port connection mode for Switch 4500 series bus topology XRN fabric
• The number of existing devices in the fabric has not reached the maximum number of devices allowed by the fabric (up to eight devices can form a fabric).
• The fabric name of the device is the same as that of the existing devices in the fabric.
• The software version of the device is the same as that of the existing devices in the fabric.
Status / Analysis / Solution (table row continued from the previous page): … of the fabric are not the same, or the password configured does not match. / … passwords for the local device and the fabric as the same.

How XRN Works

When a fabric is established, the devices determine their respective roles in the fabric by comparing their CPU MAC addresses. The device with the lowest CPU MAC address is elected as the master and the other devices are slaves. After the election, the fabric can operate normally.
Task / Remarks (continued): … Fabric
- Setting a Unit ID for a Switch: Optional
- Assigning a Unit Name to a Switch: Optional
- Assigning an XRN Fabric Name to a Switch: Optional
- Setting the XRN Fabric Authentication Mode: Optional

Specifying the Fabric Port of a Switch

You can specify the fabric port of a switch in either system view or Ethernet interface view.
- Establishing an XRN system requires highly consistent configuration across the devices. Hence, before you enable the fabric port, do not perform any configuration on that port, and do not configure functions that affect XRN on other ports or globally. Otherwise, you cannot enable the fabric port. For the detailed restrictions, refer to the error information output by the devices.
Setting a Unit ID for a Switch

On switches that support automatic numbering, FTM numbers the switches that constitute an XRN fabric automatically by default, so that each switch has a unique unit ID in the fabric. You can use the command in the following table to set unit IDs for switches. Make sure to set different unit IDs for different switches in an XRN fabric. Otherwise, FTM will automatically renumber the switches that share the same unit ID.
- If auto-numbering is selected, the system sets the unit priority to 10. You can use the fabric save-unit-id command to save the modified unit ID into the unit Flash memory and clear the information about the existing one. Priority is the reference for the FTM program to perform automatic numbering. The value of priority can be 5 or 10. Priority 5 means the switch adopts manual numbering, and priority 10 means the switch adopts automatic numbering.
To do… / Use the command… / Remarks
- Enter system view: system-view
- Set the XRN fabric authentication mode for the switch: xrn-fabric authentication-mode { simple password | md5 key } (Optional. By default, no authentication mode is set on a switch.)

When an XRN fabric operates normally, you can regard the whole fabric as a single device and perform configuration on it. Multiple switches constitute an XRN fabric.
Network Diagram

Figure 1-3 Network diagram for forming an XRN fabric

Configuration Procedure

1) Configure Switch A.
# Configure fabric ports.
system-view
[Sysname] fabric-port GigabitEthernet1/0/25 enable
# Configure the unit name as Unit 1.
[Sysname] set unit 1 name Unit1
# Configure the fabric name as hello.
[Sysname] sysname hello
# Configure the fabric authentication mode as simple and the password as welcome.
[hello] xrn-fabric authentication-mode simple welcome

2) Configure Switch B.
# Configure the unit name as Unit 3.
[Sysname] set unit 1 name unit3
# Configure the fabric name as hello.
[Sysname] sysname hello
# Configure the fabric authentication mode as simple and the password as welcome.
[hello] xrn-fabric authentication-mode simple welcome

4) Configure Switch D.
# Configure fabric ports.
system-view
[Sysname] fabric-port GigabitEthernet1/0/26 enable
# Set the unit ID to 4.
[Sysname] change unit-id 1 to 4
# Configure the unit name as Unit 4.
1 Cluster

When configuring cluster, go to these sections for information you are interested in:
- Cluster Overview
- Cluster Configuration Task List
- Displaying and Maintaining Cluster Configuration
- Cluster Configuration Examples

Cluster Overview

Introduction to HGMP

A cluster contains a group of switches. Through cluster management, you can manage multiple geographically dispersed switches in a centralized way. Cluster management is implemented through Huawei Group Management Protocol (HGMP).
Figure 1-1 A cluster implementation

HGMP V2 has the following advantages:
- It eases the configuration and management of multiple switches: you just need to configure a public IP address for the management device instead of for all the devices in the cluster, and then you can configure and manage all the member devices through the management device without the need to log onto them one by one.
Table 1-1 Description on cluster roles

Role / Configuration / Function
- Management device: configured with an external IP address. Provides an interface for managing all the switches in a cluster; manages member devices through command redirection, that is, it forwards the commands intended for specific member devices.
- Member device: normally, a member device is not assigned an external IP address.
- Candidate device: normally, a candidate device is not assigned an external IP address.
- A candidate device becomes a member device after being added to a cluster.
- A member device becomes a candidate device after it is removed from the cluster.
- A management device becomes a candidate device only after the cluster is removed.

After you create a cluster on a Switch 4500 switch, the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster.
packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive another NDP packet, if the information carried in the packet is different from the stored one, the corresponding entry in the NDP table is updated; otherwise only the holdtime of the entry is refreshed.

Introduction to NTDP

NTDP is a protocol used to collect network topology information.
- To implement NTDP, you need to enable NTDP both globally and on specific ports on the management device, and configure NTDP parameters.
- On member/candidate devices, you only need to enable NTDP globally and on specific ports.
- Member and candidate devices adopt the NTDP settings of the management device.

Introduction to Cluster

A cluster must have one and only one management device. Note the following when creating a cluster:
- You need to designate a management device for the cluster.
Figure 1-3 State machine of the connection between the management device and a member device (states Active, Connect and Disconnect; a member leaves Active for Connect when the management device fails to receive handshake packets in three consecutive intervals, returns to Active on receiving handshake or management packets, moves to Disconnect when the state holdtime exceeds the specified value, and returns to Active when the Disconnect state is recovered)

After a cluster is created and a candidate device is added to the cluster as a member device, both the management device and the member device store the state information of the member device and mar
- Enabling the management packets (including NDP packets, NTDP packets, and handshake packets) to be transmitted in the management VLAN only, through which the management packets are isolated from other packets and network security is improved.
- Enabling the management device and the member devices to communicate with each other in the management VLAN.

Cluster management requires that the packets of the management VLAN be permitted on the ports connecting the management device and the member/candidate devices.
downstream switch compares its own MAC address with the destination MAC address carried in the multicast packet:
- If the two MAC addresses are the same, the downstream switch sends a response to the switch sending the tracemac command, indicating the success of the tracemac command.
- If the two MAC addresses are different, the downstream switch queries the port connected with its downstream switch based on the MAC address and VLAN ID, and then forwards the packet to its downstream switch.
Task / Remarks
- Enabling NDP globally and on specific ports: Required
- Configuring NDP-related parameters: Optional
- Enabling NTDP globally and on a specific port: Required
- Configuring NTDP-related parameters: Optional
- Enabling the cluster function: Required
- Configuring cluster parameters: Required
- Configuring inside-outside interaction for a cluster: Optional
- Configuring the network management interface for a cluster: Optional
- Enabling management VLAN synchronization: Optional
Configuring NDP-related parameters

Follow these steps to configure NDP-related parameters:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Configure the holdtime of NDP information: ndp timer aging aging-in-seconds (Optional. By default, the holdtime of NDP information is 180 seconds.)
- Configure the interval to send NDP packets: ndp timer hello seconds (Optional. By default, the interval to send NDP packets is 60 seconds.)
To do… / Use the command… / Remarks
- Launch topology information collection manually: ntdp explore (Optional)

Enabling the cluster function

Follow these steps to enable the cluster function:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enable the cluster function globally: cluster enable (Required. By default, the cluster function is enabled.)
2) Establish a cluster in automatic mode

Follow these steps to establish a cluster in automatic mode:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enter cluster view: cluster
- Configure the IP address range for the cluster: ip-pool administrator-ip-address { ip-mask | ip-mask-length } (Required)
- Start automatic cluster establishment: auto-build [ recover ] (Required. Follow the prompts to establish a cluster.)
- The cluster switches are properly connected;
- The shared servers are properly connected to the management switch.
To reduce the risk of attacks by malicious users against open sockets and to enhance switch security, the Switch 4500 series Ethernet switches provide the following functions, so that the cluster socket is open only when it is needed:
- UDP port 40000 (used for the cluster) is opened only when the cluster function is in use;
- UDP port 40000 is closed at the same time the cluster function is disabled.
To do… / Use the command… / Remarks
- Enter Ethernet port view: interface interface-type interface-number
- Enable NTDP on the port: ntdp enable (Required)

Enabling the cluster function

Follow these steps to enable the cluster function:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enable the cluster function globally: cluster enable (Optional. By default, the cluster function is enabled.)
To do… / Use the command… / Remarks
- Return to system view: quit
- Return to user view: quit
- Switch between management device and member device: cluster switch-to { member-number | mac-address H-H-H | administrator } (Optional)
- Configure the MAC address of the management device: administrator-address mac-address name name
- Trace a device through MAC address or IP address: tracemac { by-mac mac-address vlan vlan-id | by-ip ip-address } [ nondp ]

You can use this command switch to the view of a member de
Configuring the enhanced cluster features

Complete the following tasks to configure the enhanced cluster feature:

Task / Remarks
- Configuring cluster topology management function: Required
- Configuring cluster device blacklist: Required

Configuring cluster topology management function

1) Configuration prerequisites

Before configuring the cluster topology management function, make sure that:
- The basic cluster configuration is completed.
- Devices in the cluster work normally.
If the management device of a cluster is a slave device in an XRN fabric, the standard topology information is saved only to the local Flash of the master device in the XRN fabric.
- NDP and NTDP have been enabled on the management device and member devices, and NDP- and NTDP-related parameters have been configured.
- A cluster is established, and you can manage the member devices through the management device.
- The MIB view name is mib_a, which includes all objects of the subtree org.
- The SNMPv3 user is user_a, which belongs to the group group_a.

# Create a community with the name of read_a, allowing read-only access right using this community name.
[test_0.Sysname-cluster] cluster-snmp-agent community read read_a
Member 2 succeeded in the read-community configuration.
Member 1 succeeded in the read-community configuration.
Finish to synchronize the command.
snmp-agent community read read_a@cm0
snmp-agent community write write_a@cm0
snmp-agent sys-info version all
snmp-agent group v3 group_a
snmp-agent mib-view included mib_a org
snmp-agent usm-user v3 user_a group_a
undo snmp-agent trap enable standard

- Configuration file content on a member device (only the SNMP-related information is displayed)
- Perform the above operations on the management device of the cluster.
- Creating a public local user is equivalent to executing these configurations on both the management device and the member devices (refer to the AAA Operation part in this manual), and these configurations will be saved to the configuration files of the management device and the member devices.
- The public local user configurations cannot be synchronized to the devices that are on the cluster blacklist.
Cluster Configuration Examples

Basic Cluster Configuration Example

Network requirements

Three switches compose a cluster, where:
- A Switch 4500 series switch serves as the management device.
- The rest are member devices.

Serving as the management device, the Switch 4500 switch manages the two member devices. The configuration for the cluster is as follows:
- The two member devices connect to the management device through Ethernet 1/0/2 and Ethernet 1/0/3.
[Sysname] ntdp enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] ntdp enable
[Sysname-Ethernet1/0/1] quit
# Enable the cluster function.
[Sysname] cluster enable

2) Configure the management device
# Add port Ethernet 1/0/1 to VLAN 2.
system-view
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/1
[Sysname-vlan2] quit
# Configure the IP address of VLAN-interface 2 as 163.172.55.1.
[Sysname] interface Vlan-interface 2
[Sysname-Vlan-interface2] ip address 163.172.55.1 255.255.
# Set the delay for a member device to forward topology collection requests to 150 ms.
[Sysname] ntdp timer hop-delay 150
# Set the delay for a member device port to forward topology collection requests to 15 ms.
[Sysname] ntdp timer port-delay 15
# Set the interval between collecting topology information to 3 minutes.
[Sysname] ntdp timer 3
# Enable the cluster function.
[Sysname] cluster enable
# Enter cluster view.
- After completing the above configuration, you can execute the cluster switch-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. After that, you can execute the cluster switch-to administrator command to return to management device view.
- In addition, you can execute the reboot member { member-number | mac-address H-H-H } [ eraseflash ] command on the management device to reboot a member device.
system-view
[Sysname] management-vlan 3
# Add Ethernet 1/0/1 to VLAN 3.
[Sysname] vlan 3
[Sysname-vlan3] port Ethernet 1/0/1
[Sysname-vlan3] quit
# Set the IP address of VLAN-interface 3 to 192.168.5.30.
[Sysname] interface Vlan-interface 3
[Sysname-Vlan-interface3] ip address 192.168.5.30 255.255.255.0
[Sysname-Vlan-interface3] quit
# Add Ethernet 1/0/2 to VLAN 2.
[Sysname] vlan 2
[Sysname-vlan2] port Ethernet 1/0/2
[Sysname-vlan2] quit
# Set the IP address of VLAN-interface 2 to 192.168.4.
Network diagram

Figure 1-6 Network diagram for the enhanced cluster feature configuration (FTP server, management device and member devices; addresses 192.168.0.1 and 192.168.0.4; one member device has MAC address 0001-2034-a0e5)

Configuration procedure
# Enter cluster view.
system-view
[aaa_0.Sysname] cluster
# Add the MAC address 0001-2034-a0e5 to the cluster blacklist.
[aaa_0.Sysname-cluster] black-list add-mac 0001-2034-a0e5
# Back up the current topology.
[aaa_0.
1 PoE Configuration

When configuring PoE, go to these sections for information you are interested in:
- PoE Overview
- PoE Configuration
- PoE Configuration Example

PoE Overview

Introduction to PoE

Power over Ethernet (PoE)-enabled devices use twisted pairs through electrical ports to supply power to the remote powered devices (PDs) in the network, implementing power supply and data transmission simultaneously.
- Through the fixed 24/48 Ethernet electrical ports, it can supply power to up to 24/48 remote Ethernet switches with a maximum distance of 100 m (328 feet).
- Each Ethernet electrical port can supply at most a power of 15,400 mW to a PD.
- When AC power input is adopted for the switch, the maximum total power that can be provided is 300 W. The switch can determine whether to supply power to the next remote PD it detects depending on its available power.
Task / Remarks
- Upgrading the PSE Processing Software Online: Optional
- Upgrading the PSE Processing Software of Fabric Switches Online: Optional
- Displaying PoE Configuration: Optional

Enabling the PoE Feature on a Port

Follow these steps to enable the PoE feature on a port:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enter Ethernet port view: interface interface-type interface-number
- Enable the PoE feature on a port: poe enable (Required. By default, the PoE function on a
- auto: When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority, and then supply power to the PDs that are connected to the ports with high priority. For example: Port A has the priority of critical. When the switch PoE is close to its full load and a new PD is now added to port A, the switch will power down the PD connected to the port with the lowest priority and turn to supply power to this new PD.
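A model of the auto power-management behaviour described above, added here as an example (it is not the switch firmware): it uses the manual's 300 W AC budget, the 15,400 mW per-port ceiling and the critical/high/low priorities. The port names, PD power demands and the rule that only strictly lower-priority ports are preempted are assumptions.

```python
from dataclasses import dataclass, field

TOTAL_BUDGET_MW = 300_000   # 300 W maximum total PoE power with AC input (from the manual)
PORT_MAX_MW = 15_400        # at most 15,400 mW per Ethernet electrical port (from the manual)
PRIORITY_RANK = {"critical": 2, "high": 1, "low": 0}   # the manual's three poe priority levels


@dataclass
class Port:
    name: str
    priority: str = "low"
    max_power: int = PORT_MAX_MW   # poe max-power setting for the port
    pd_demand: int = 0             # mW drawn by the attached PD, 0 = no PD connected
    powered: bool = False


@dataclass
class PoeSwitch:
    """Power-management 'auto' mode: when the budget is nearly exhausted, a newly
    detected PD on a higher-priority port takes power from the lowest-priority PDs."""
    ports: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def add_port(self, name, priority="low", max_power=PORT_MAX_MW):
        if priority not in PRIORITY_RANK:
            raise ValueError(f"unknown PoE priority {priority!r}")
        if not 0 < max_power <= PORT_MAX_MW:
            raise ValueError(f"port max-power must be within 1..{PORT_MAX_MW} mW")
        self.ports[name] = Port(name, priority, max_power)

    def used_power(self):
        return sum(p.pd_demand for p in self.ports.values() if p.powered)

    def available_power(self):
        return TOTAL_BUDGET_MW - self.used_power()

    def attach_pd(self, name, demand_mw):
        """A PD is detected on port `name`; return True if it ends up powered."""
        port = self.ports[name]
        port.pd_demand = demand_mw
        port.powered = False
        if demand_mw > port.max_power:
            self.events.append(f"{name}: PD wants {demand_mw} mW, above the port ceiling; not powered")
            return False
        if demand_mw > self.available_power():
            # Shed powered PDs whose port priority is strictly lower, lowest priority first
            # (assumption: equal-priority ports are never preempted).
            victims = sorted(
                (p for p in self.ports.values()
                 if p.powered and PRIORITY_RANK[p.priority] < PRIORITY_RANK[port.priority]),
                key=lambda p: PRIORITY_RANK[p.priority])
            for victim in victims:
                if demand_mw <= self.available_power():
                    break
                victim.powered = False
                self.events.append(f"{victim.name} ({victim.priority}) powered down "
                                   f"to free {victim.pd_demand} mW for {name} ({port.priority})")
        if demand_mw <= self.available_power():
            port.powered = True
            return True
        self.events.append(f"{name}: insufficient power budget; PD left unpowered")
        return False


def full_load_scenario():
    """Constructed scenario: 19 low-priority ports already draw 292,600 mW, leaving
    7,400 mW. A new low-priority PD is refused; a new PD on a critical port (the
    text's 'port A') gets power after one low-priority PD is shed."""
    sw = PoeSwitch()
    for i in range(1, 20):
        sw.add_port(f"Ethernet1/0/{i}", "low")
        sw.attach_pd(f"Ethernet1/0/{i}", PORT_MAX_MW)
    sw.add_port("Ethernet1/0/20", "low")
    sw.add_port("Ethernet1/0/24", "critical")
    low_ok = sw.attach_pd("Ethernet1/0/20", PORT_MAX_MW)       # False: nothing lower to shed
    critical_ok = sw.attach_pd("Ethernet1/0/24", PORT_MAX_MW)  # True: Ethernet1/0/1 is shed
    return sw, low_ok, critical_ok


if __name__ == "__main__":
    switch, low_ok, critical_ok = full_load_scenario()
    print(f"low-priority PD powered: {low_ok}, critical PD powered: {critical_ok}")
    print(f"power in use: {switch.used_power()} mW of {TOTAL_BUDGET_MW} mW")
    for line in switch.events:
        print(line)
```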
Configuring the PD Compatibility Detection Function

After the PD compatibility detection function is enabled, the switch can detect PDs that do not conform to the 802.3af standard and supply power to them. After the PoE feature is enabled, perform the following configuration to enable the PD compatibility detection function.
- When the internal temperature of the switch decreases from X (X>65°C, or X>149°F) to Y (60°C≤Y<65°C, or 140°F≤Y<149°F), the switch still keeps the PoE function disabled on all the ports.
- When the internal temperature of the switch increases from X (X<60°C, or X<140°F) to Y (60°C
Follow these steps to upgrade the PSE processing software online:

To do… / Use the command… / Remarks
- Upgrade the PSE processing software of the fabric switch online: update fabric { file-url | device-name file-url } (Optional)

Displaying PoE Configuration

To do… / Use the command…
- Display the current PD disconnection detection mode of the switch: display poe disconnect
- Display the PoE status of a specific port or all ports of the switch: display poe interface [ interface-type interface-number ]
- Display the P
Network diagram

Figure 1-1 Network diagram for PoE

Configuration procedure
# Upgrade the PSE processing software online.
system-view
[SwitchA] poe update refresh 0290_021.s19
# Enable the PoE feature on Ethernet 1/0/1, and set the PoE maximum output power of Ethernet 1/0/1 to 12,000 mW.
2 PoE Profile Configuration

When configuring PoE profile, go to these sections for information you are interested in:
- Introduction to PoE Profile
- PoE Profile Configuration
- Displaying PoE Profile Configuration
- PoE Profile Configuration Example

Introduction to PoE Profile

On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, Switch 4500 provides the PoE profile features.
To do… / Use the command… / Remarks
- Configure the relevant features in PoE profile (Required):
  - Enable the PoE feature on a port: poe enable
  - Configure PoE mode for Ethernet ports: poe mode { signal | spare }
  - Configure the PoE priority for Ethernet ports: poe priority { critical | high | low }
  - Configure the maximum power for Ethernet ports: poe max-power max-power (15,400 mW by default.)
Displaying PoE Profile Configuration

To do… / Use the command… / Remarks
- Display the detailed information about the PoE profiles created on the switch: display poe-profile { all-profile | interface interface-type interface-number | name profile-name } (Available in any view)

PoE Profile Configuration Example

PoE Profile Application Example

Network requirements

Switch A is a Switch 4500 supporting PoE.
Network diagram

Figure 2-1 PoE profile application (Switch A ports Eth1/0/1~Eth1/0/5 and Eth1/0/6~Eth1/0/10 connect IP Phones and APs)

Configuration procedure
# Create Profile 1, and enter PoE profile view.
system-view
[SwitchA] poe-profile Profile1
# In Profile 1, add the PoE policy configuration applicable to Ethernet 1/0/1 through Ethernet 1/0/5 ports for users of group A.
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
# Display detailed configuration information for Profile2.
[SwitchA] display poe-profile name Profile2
Poe-profile: Profile2, 2 action
poe enable
poe priority high
# Apply the configured Profile 1 to Ethernet 1/0/1 through Ethernet 1/0/5 ports.
1 UDP Helper Configuration

When configuring UDP helper, go to these sections for information you are interested in:
- Introduction to UDP Helper
- Configuring UDP Helper
- Displaying and Maintaining UDP Helper
- UDP Helper Configuration Example

Introduction to UDP Helper

Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
Protocol / UDP port number
- Time Service: 37

Configuring UDP Helper

Follow these steps to configure UDP Helper:

To do… / Use the command… / Remarks
- Enter system view: system-view
- Enable UDP Helper: udp-helper enable (Required. Disabled by default.)
To do… / Use the command… / Remarks
- Clear statistics about packets forwarded by UDP Helper: reset udp-helper packet (Available in user view)

UDP Helper Configuration Example

Cross-Network Computer Search Through UDP Helper

Network requirements

PC A resides on network segment 192.168.1.0/24 and PC B on 192.168.10.0/24; they are connected through Switch A and are routable to each other. It is required to configure UDP Helper on the switch, so that PC A can find PC B through computer search.
1 SNMP Configuration

When configuring SNMP, go to these sections for information you are interested in:
- SNMP Overview
- Configuring Basic SNMP Functions
- Configuring Trap-Related Functions
- Enabling Logging for Network Management
- Displaying SNMP
- SNMP Configuration Example

SNMP Overview

The Simple Network Management Protocol (SNMP) is used for ensuring the transmission of the management information between any two network nodes.
- Set the permission for a community to access an MIB object to be read-only or read-write. Communities with read-only permission can only query the switch information, while those with read-write permission can configure the switch as well.
- Set the basic ACL specified by the community name.

Supported MIBs

An SNMP packet carries management variables with it. A management variable is used to describe the management objects of a switch.
To do… / Use the command… / Remarks
- Direct configuration (Required): Set a community name and access permission: snmp-agent community { read | write } community-name [ acl acl-number | mib-view view-name ]*
- Indirect configuration (Required):
  - Set an SNMP group: snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]
  - Add a user to an SNMP group: snmp-agent usm-user { v1 | v2c } user-name group-name [ acl acl-number ]
To do… / Use the command… / Remarks
- Encrypt a plain-text password to generate a cipher-text one: snmp-agent calculate-password plain-password mode { md5 | sha } { local-engineid | specified-engineid engineid }
- Add a user to an SNMP group: snmp-agent usm-user v3 user-name group-name [ [ cipher ] authentication-mode { md5 | sha } auth-password [ privacy-mode { des56 } priv-password ] ] [ acl acl-number ]
- Set the maximum size of an SNMP packet for the SNMP agent to receive or send: snmp-agent packet max-size byte-c
To do… / Use the command… / Remarks
- Enable the switch to send traps to the NMS: snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ]* | system ]
- Enable the port to send traps:
  - Enter port view or interface view: interface interface-type interface-number
  - Enable the port or interface to send traps: enable snmp trap updown
  - Quit to system view: quit
  (Optional. By default, a port is enabled to send all types of traps.)
To do… / Use the command… / Remarks
- Enable logging for network management: snmp-agent log { set-operation | get-operation | all } (Optional. Disabled by default.)

- When SNMP logging is enabled on a device, SNMP logs are output to the information center of the device. The output destinations configured for the information center decide where the SNMP logs go.
- The severity level of SNMP logs is informational, that is, the logs are taken as general prompt information of the device.
- Perform the following configuration on Switch A: set the community name and access permission, administrator ID, contact and switch location, and enable the switch to send traps. Thus, the NMS is able to access Switch A and receive the traps sent by Switch A.

Network diagram

Figure 1-2 Network diagram for SNMP configuration (Switch A 10.10.10.2/16, NMS 10.10.10.1/16)

Configuration procedure
# Enable SNMP agent, and set the SNMPv1 and SNMPv2c community names.
[Sysname] snmp-agent trap enable standard linkdown
[Sysname] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public

Configuring the NMS

Authentication-related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully. For more information, refer to the corresponding manuals of 3Com's NMS products. You can query and configure an Ethernet switch through the NMS.
2 RMON Configuration

When configuring RMON, go to these sections for information you are interested in:
- Introduction to RMON
- RMON Configuration
- Displaying RMON
- RMON Configuration Example

Introduction to RMON

Remote Monitoring (RMON) is a kind of MIB defined by the Internet Engineering Task Force (IETF). It is an important enhancement made to the MIB II standards.
statistics and performance statistics of the network segments to which the ports of the managed network devices are connected. Thus, the NMS can further manage the networks.

Commonly Used RMON Groups

Event group

The event group is used to define the indexes of events and the processing methods of the events. The events defined in an event group are mainly used by entries in the alarm group and extended alarm group to trigger alarms.
Statistics group

The statistics group contains the statistics of each monitored port on a switch. An entry in a statistics group is an accumulated value counting from the time when the statistics group is created. The statistics include the number of the following items: collisions, packets with Cyclic Redundancy Check (CRC) errors, undersize (or oversize) packets, broadcast packets, multicast packets, and received bytes and packets.
- The rmon alarm and rmon prialarm commands take effect on existing nodes only.
- For each port, only one RMON statistics entry can be created. That is, if an RMON statistics entry is already created for a given port, you will fail to create another statistics entry with a different index for the same port.
[Sysname-Ethernet1/0/1] quit
# Add the event entries numbered 1 and 2 to the event table, which will be triggered by the following extended alarm.
[Sysname] rmon event 1 log
[Sysname] rmon event 2 trap 10.21.30.55
# Add an entry numbered 2 to the extended alarm table to allow the system to calculate the alarm variables with the (.1.3.6.1.2.1.16.1.1.1.9.1+.1.3.6.1.2.1.16.1.1.1.10.
1 NTP Configuration

When configuring NTP, go to these sections for information you are interested in:
- Introduction to NTP
- NTP Configuration Task List
- Configuring NTP Implementation Modes
- Configuring Access Control Right
- Configuring NTP Authentication
- Configuring Optional NTP Parameters
- Displaying NTP Configuration
- Configuration Examples

Introduction to NTP

Network Time Protocol (NTP) is a time synchronization protocol defined in RFC 1305.
- Defining the accuracy of clocks by stratum to synchronize the clocks of all devices in a network quickly
- Supporting access control (see section Configuring Access Control Right) and MD5 encrypted authentication (see section Configuring NTP Authentication)
- Sending protocol packets in unicast, multicast, or broadcast mode
- The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15.
Figure 1-1 Implementation principle of NTP (Device A and Device B exchange one NTP message across an IP network in four steps; the timestamps shown are 10:00:00 am when Device A sends, 11:00:01 am when Device B receives, 11:00:02 am when Device B replies, and 10:00:03 am when Device A receives the reply)

The procedure of synchronizing the system clock is as follows:
- Device A sends an NTP message to Device B, with a timestamp 10:00:00 am (T1) identifying when it is sent.
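The clock-offset and round-trip-delay computation that completes this exchange, added here as an example (not code from the 3Com manual): the RFC 1305 formulas applied to the four Figure 1-1 timestamps, with a consistency check that rejects a response whose timestamps run backwards rather than applying it to the local clock. The helper names and the 12-hour "hh:mm:ss am" input format are assumptions.

```python
from datetime import datetime


def clock_seconds(text):
    """Convert a wall-clock string such as '10:00:00 am' to seconds since midnight."""
    t = datetime.strptime(text.strip().upper(), "%I:%M:%S %p")
    return t.hour * 3600 + t.minute * 60 + t.second


def ntp_offset_delay(t1, t2, t3, t4):
    """RFC 1305 offset and delay from the four timestamps (in seconds):
    t1 = client send (T1), t2 = server receive (T2),
    t3 = server send (T3),  t4 = client receive (T4).
    delay  = (t4 - t1) - (t3 - t2): round trip minus the server's processing time
    offset = ((t2 - t1) + (t3 - t4)) / 2: assumes both one-way delays are equal
    """
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def synchronize(t1_text, t2_text, t3_text, t4_text):
    """Carry the Figure 1-1 exchange through and return
    (corrected local clock in seconds since midnight, offset, delay).
    Inconsistent timestamps are rejected instead of being applied to the clock."""
    t1, t2, t3, t4 = (clock_seconds(x) for x in (t1_text, t2_text, t3_text, t4_text))
    if t4 < t1 or t3 < t2:
        raise ValueError("timestamps out of order; response not usable")
    offset, delay = ntp_offset_delay(t1, t2, t3, t4)
    if delay < 0:
        raise ValueError("negative round-trip delay; response not usable")
    return t4 + offset, offset, delay


def hms(seconds):
    """Format seconds since midnight as hh:mm:ss (24-hour clock)."""
    seconds = int(seconds) % 86400
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


# Timestamps from Figure 1-1: Device A is the client, Device B the server.
FIGURE_1_1 = ("10:00:00 am", "11:00:01 am", "11:00:02 am", "10:00:03 am")

if __name__ == "__main__":
    local, offset, delay = synchronize(*FIGURE_1_1)
    # Device A is one hour behind Device B; the 2 s round trip does not bias the offset.
    print(f"offset {offset:+.0f} s, round-trip delay {delay} s, "
          f"Device A clock corrected to {hms(local)}")
```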
Server/client mode

Figure 1-2 Server/client mode

Symmetric peer mode

Figure 1-3 Symmetric peer mode (the active peer sends a clock synchronization request packet over the network; the remote side works in passive peer mode automatically and returns a response packet; in peer mode, both sides can be synchronized to each other)

In the symmetric peer mode, the local S4500 Ethernet switch serves as the symmetric-active peer and sends the clock synchronization request first, while the remote server serves as the symmetric-passive peer aut
Multicast mode

Figure 1-5 Multicast mode

Table 1-1 describes how the above mentioned NTP modes are implemented on 3Com S4500 series Ethernet switches.

Table 1-1 NTP implementation modes on 3Com S4500 series Ethernet switches
NTP implementation mode / Configuration on S4500 series switches
- Server/client mode: Configure the local S4500 Ethernet switch to work in the NTP client mode. In this mode, the remote server serves as the local time server, while the local switch serves as the client.
- When a 3Com S4500 Ethernet switch works in server mode or symmetric passive mode, you do not need to perform related configurations on this switch; perform them on the client or the symmetric-active peer instead.
- The NTP server mode, NTP broadcast mode, or NTP multicast mode takes effect only after the local clock of the 3Com S4500 Ethernet switch has been synchronized.
- Executing any one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client, and ntp-service multicast-server commands enables the NTP feature and opens UDP port 123 at the same time.
- Executing the undo form of any one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time.
To do… / Use the command… / Remarks
- Specify a symmetric-passive peer for the switch: ntp-service unicast-peer { remote-ip | peer-name } [ authentication-keyid key-id | priority | source-interface Vlan-interface vlan-id | version number ]* (Required. By default, a switch is not configured to work in the symmetric mode.)
To do… / Use the command… / Remarks
- Enter VLAN interface view: interface Vlan-interface vlan-id (—)
- Configure the switch to work in the NTP broadcast server mode: ntp-service broadcast-server [ authentication-keyid key-id | version number ]* (Required. Not configured by default.)
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Enter VLAN interface view: interface Vlan-interface vlan-id (—)
- Configure the switch to work in the NTP multicast client mode: ntp-service multicast-client [ ip-address ] (Required. Not configured by default.)

Configuring Access Control Right

With the following command, you can configure the NTP service access-control right to the local switch for a peer device.
The access-control right mechanism provides only a minimum degree of security protection for the local switch. A more secure method is identity authentication. Configuring NTP Authentication In networks with higher security requirements, the NTP authentication function must be enabled to run NTP. Through password authentication on the client and the server, the clock of the client is synchronized only to that of the server that passes the authentication. This improves network security.
Configuration Procedure

Configuring NTP authentication on the client

Follow these steps to configure NTP authentication on the client:
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Enable the NTP authentication function: ntp-service authentication enable (Required)
- Configure the NTP authentication key: ntp-service authentication-keyid key-id authentication-mode md5 value (Required)
- Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id
- Associa
To do… / Use the command… / Remarks
- Configure the specified key as a trusted key: ntp-service reliable authentication-keyid key-id (Required. By default, no trusted authentication key is configured.)
If you have specified an interface in the ntp-service unicast-server or ntp-service unicast-peer command, this interface will be used for sending NTP messages. Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time, including static associations and dynamic associations.
To do… / Use the command…
- Display the information about the sessions maintained by NTP: display ntp-service sessions [ verbose ]
- Display the brief information about NTP servers along the path from the local device to the reference clock source: display ntp-service trace

Configuration Examples

Configuring NTP Server/Client Mode

Network requirements
- The local clock of Device A (a switch) is to be used as a master clock, with the stratum level of 2.
[DeviceB] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 1.0.1.11
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 0.66 ms
 Root delay: 27.47 ms
 Root dispersion: 208.39 ms
 Peer dispersion: 9.63 ms
 Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.
Configuration procedure
- Configure Device C.
# Set Device A as the NTP server.
system-view
[DeviceC] ntp-service unicast-server 3.0.1.31
- Configure Device B (after Device C is synchronized to Device A).
# Enter system view.
system-view
# Set Device C as the peer of Device B.
[DeviceB] ntp-service unicast-peer 3.0.1.33
Device C and Device B are symmetric peers after the above configuration.
Configuring NTP Broadcast Mode

Network requirements
- The local clock of Device C is set as the NTP master clock, with a stratum level of 2. Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through VLAN-interface 2.
- Device A and Device D are two S4500 Ethernet switches. Configure Device A and Device D to work in the NTP broadcast client mode and listen to broadcast messages through their own VLAN-interface 2.
View the NTP status of Device D after the clock synchronization.
[DeviceD] display ntp-service status
 Clock status: synchronized
 Clock stratum: 3
 Reference clock ID: 3.0.1.31
 Nominal frequency: 100.0000 Hz
 Actual frequency: 100.0000 Hz
 Clock precision: 2^18
 Clock offset: 198.7425 ms
 Root delay: 27.47 ms
 Root dispersion: 208.39 ms
 Peer dispersion: 9.63 ms
 Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.
Network diagram

Figure 1-9 Network diagram for NTP multicast mode configuration

Configuration procedure
- Configure Device C.
# Enter system view.
system-view
# Set Device C as a multicast server to send multicast messages through VLAN-interface 2.
[DeviceC] interface Vlan-interface 2
[DeviceC-Vlan-interface2] ntp-service multicast-server
- Configure Device A (perform the same configuration on Device D).
# Enter system view.
 Root dispersion: 208.39 ms
 Peer dispersion: 9.63 ms
 Reference time: 17:03:32.022 UTC Apr 2 2007 (BF422AE4.05AEA86C)
The output information indicates that Device D is synchronized to Device C, with a clock stratum level of 3, one stratum level lower than that of Device C.
# View the information about the NTP sessions of Device D (you can see that a connection is established between Device D and Device C).
- To synchronize Device B, you need to perform the following configurations on Device A.
# Enable the NTP authentication function.
system-view
[DeviceA] ntp-service authentication enable
# Configure an MD5 authentication key, with the key ID being 42 and the key being aNiceKey.
[DeviceA] ntp-service authentication-keyid 42 authentication-mode md5 aNiceKey
# Specify the key 42 as a trusted key.
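The MD5 authentication configured above (key ID 42, key aNiceKey) protects each NTP packet with an authenticator made of the key ID followed by MD5(key || NTP header), as specified in RFC 1305. The following Python block is an added example, not code from the switch or the manual, showing how a receiver checks such a packet. It models the two configuration steps described in this section (the key must be configured, and it must also be declared trusted with ntp-service reliable authentication-keyid) and rejects packets that fail either check or whose digest does not match. The key table and the second key (ID 7, deliberately not trusted) are constructed for the example.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header (RFC 1305)
AUTHENTICATOR_LEN = 4 + 16   # 32-bit key identifier + 128-bit MD5 digest


def build_ntp_header(version=3, mode=3):
    """Build a minimal NTP header: LI=0, the given version and mode (3 = client request),
    all other fields zero. Only the authenticator matters for this example."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return bytes([li_vn_mode]) + bytes(NTP_HEADER_LEN - 1)


def sign_packet(header, key_id, key):
    """Append the RFC 1305 MD5 authenticator: key ID, then MD5(key || header)."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, keys, trusted_key_ids):
    """Receiver-side check modelled on the switch's rules. Returns (accepted, reason).

    keys:            key ID -> key bytes (ntp-service authentication-keyid ... md5 ...)
    trusted_key_ids: key IDs declared trusted (ntp-service reliable authentication-keyid)
    """
    if len(packet) != NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False, "no authenticator"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    received_digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in keys:
        return False, "unknown key id %d" % key_id
    if key_id not in trusted_key_ids:
        return False, "key id %d is not trusted" % key_id
    expected = hashlib.md5(keys[key_id] + header).digest()
    # Constant-time comparison so the check does not leak digest bytes through timing.
    if not hmac.compare_digest(expected, received_digest):
        return False, "digest mismatch"
    return True, "authenticated with key id %d" % key_id


# Constructed key table: key 42 is the one from the configuration above; key 7 is
# configured but NOT marked as trusted, mirroring a missing 'reliable' step.
KEYS = {42: b"aNiceKey", 7: b"anotherKey"}
TRUSTED = {42}


def demo():
    """Exercise the verifier with a valid packet and four kinds of bad packet."""
    header = build_ntp_header()
    good = sign_packet(header, 42, b"aNiceKey")
    wrong_key = sign_packet(header, 42, b"wrongKey")       # peer configured with a different key
    untrusted = sign_packet(header, 7, b"anotherKey")      # valid digest, but key 7 is not trusted
    tampered = bytearray(good)
    tampered[1] ^= 0x01                                    # flip a bit in the stratum field after signing
    return {
        "good": verify_packet(good, KEYS, TRUSTED),
        "wrong_key": verify_packet(wrong_key, KEYS, TRUSTED),
        "untrusted": verify_packet(untrusted, KEYS, TRUSTED),
        "tampered": verify_packet(bytes(tampered), KEYS, TRUSTED),
        "unauthenticated": verify_packet(header, KEYS, TRUSTED),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

MD5 used this way is a keyed digest rather than an HMAC, and it is the authentication method this guide describes; the check still stops unauthenticated and tampered packets from steering the clock, which is the purpose of the feature, provided the key stays secret on both peers.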
Table of Contents
1 SSH Configuration 1-1
  SSH Overview 1-1
    Introduction to SSH 1-1
    Algorithm and Key
1 SSH Configuration

When configuring SSH, go to these sections for information you are interested in:
- SSH Overview
- SSH Server and Client
- Displaying and Maintaining SSH Configuration
- Comparison of SSH Commands with the Same Functions
- SSH Configuration Examples

SSH Overview

Introduction to SSH

Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments, allowing for secure access to the Command Line Interface (CLI) of a swit
The same key is used for both encryption and decryption. Supported symmetric key algorithms include DES, 3DES, and AES, which can effectively prevent data eavesdropping.
- Asymmetric key algorithm
An asymmetric key algorithm is also called a public key algorithm. Both ends have their own key pair, consisting of a private key and a public key. The private key is kept secret while the public key may be distributed widely. The private key cannot be practically derived from the public key.
Currently, the switch supports only SSH2.

Version negotiation
- The server opens port 22 to listen to connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format of "SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>".
- The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods that can be used for a new authentication attempt.
- The client selects an authentication type from the method list to perform authentication again.
- The above process repeats until the authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit.
Figure 1-2 Network diagram for SSH connections

Configure the devices accordingly. This document describes two cases:
- The 3Com switch acts as the SSH server to cooperate with software that supports the SSH client functions.
- The 3Com switch acts as the SSH server to cooperate with another 3Com switch that acts as an SSH client.
Task / Remarks
- Preparation: Configuring the User Interfaces for SSH Clients (Required)
- Preparation: Configuring the SSH Management Functions (Optional)
- Key: Configuring Key Pairs (Required)
- Authentication: Creating an SSH User and Specifying an Authentication Type (Required)
- Authorization: Specifying a Service Type for an SSH User (Optional. By default, an SSH user can use the service type of stelnet.)
To do... / Use the command... / Remarks
- Specify the protocol(s) supported: protocol inbound { all | ssh } (Optional. By default, both Telnet and SSH are supported.)

If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
- You can configure a login header only when the service type is stelnet. For configuration of service types, refer to Specifying a Service Type for an SSH User.
- For details of the header command, refer to the corresponding section in Login Command.

Configuring Key Pairs

The SSH server's key pairs are for generating session keys and for SSH clients to authenticate the server. The SSH client's key pairs are for the SSH server to authenticate the SSH clients in publickey authentication mode.
To do… / Use the command… / Remarks
- Destroy the RSA key pair: public-key local destroy rsa (Optional)

Creating an SSH User and Specifying an Authentication Type

This task is to create an SSH user and specify an authentication type. Specifying an authentication type for a new user is required before the user can log in. An SSH user is represented as a set of user attributes on the SSH server. This set is uniquely identified by the SSH username.
To do... / Use the command... / Remarks
- Create an SSH user, and specify an authentication type for it: ssh user username authentication-type { all | password | password-publickey | publickey }
Remarks: are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence.
If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring the Public Key of a Client on the Server This configuration is not necessary if the password authentication mode is configured for SSH users.
To do... / Use the command... / Remarks
- Enter system view: system-view (—)
- Import the public key from a public key file: public-key peer keyname import sshkey filename (Required)

Assigning a Public Key to an SSH User

This configuration task is unnecessary if the SSH user's authentication mode is password. For the publickey authentication mode, you must specify the client's public key on the server for authentication. Follow these steps to assign a public key for an SSH user:
To do...
With the filename argument specified, you can export the RSA host public key to a file so that you can configure the key at a remote end by importing the file. If the filename argument is not specified, this command displays the host public key information on the screen in a specified format. Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses.
Task / Remarks
- Opening an SSH connection with publickey authentication (Required for publickey authentication; unnecessary for password authentication)

- For PuTTY, it is recommended to use PuTTY release 0.53; PuTTY release 0.58 is also supported. For OpenSSH, it is recommended to use OpenSSH_3.1p1; OpenSSH_4.2p1 is also supported. Use any other version or any other client with care.
- Selecting the protocol for remote connection as SSH.
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation process is stopped.

Figure 1-4 Generate the client keys (2)

After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key ("private" in this case) to save the private key.

Figure 1-6 Generate the client keys (4)

To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-8 SSH client configuration interface 1

In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.

Selecting a protocol for remote connection

As shown in Figure 1-8, select SSH under Protocol.

Selecting an SSH version

From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-9 appears.
Figure 1-9 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

Some SSH client software, for example, Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation in ssh2.

Opening an SSH connection with password authentication

From the window shown in Figure 1-9, click Open. If the connection is normal, you will be prompted to enter the username and password.
Figure 1-10 SSH client configuration interface 3

Click Browse… to bring up the file selection window, navigate to the private key file and click Open. If the connection is normal, a user will be prompted for a username. Once passing the authentication, the user can log in to the server.
Configuring whether first-time authentication is supported

When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
- With first-time authentication enabled, an SSH client that is not configured with the server host public key can continue accessing the server when it accesses the server for the first time, and it will save the host public key on the client for use in subsequent authentications.
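Two client-side behaviours described in this chapter, checking the server's version identification string during version negotiation and deciding what to do with a server host public key that is or is not already saved, can be modelled directly. The following Python block is an added example and is not code from the switch; it assumes the RFC 4253 format of the identification string and stores a SHA-256 fingerprint of the host public key, which is the example's own choice rather than the switch's storage format. Server addresses and key bytes used in the checks are constructed.

```python
import hashlib
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments]" ended by CR LF.
VERSION_RE = re.compile(r"^SSH-(\d+)\.(\d+)-([\x21-\x7e]+)(?: (.*))?$")


def parse_identification(line):
    """Parse the server's version identification string into protocol version and software."""
    m = VERSION_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return {"protocol": "%s.%s" % (m.group(1), m.group(2)),
            "software": m.group(3),
            "comment": m.group(4)}


def server_speaks_ssh2(line):
    """An SSH2-only client (like the switch) can proceed only with '2.0' or '1.99';
    '1.99' is the RFC 4253 value a server uses to say it supports both 1.x and 2.0."""
    return parse_identification(line)["protocol"] in ("2.0", "1.99")


def fingerprint(host_public_key):
    """Example's own choice of stored value: a SHA-256 digest of the host public key bytes."""
    return hashlib.sha256(host_public_key).hexdigest()


class HostKeyPolicy:
    """Client-side host key handling with the two behaviours the manual describes."""

    def __init__(self, first_time_authentication):
        self.first_time_authentication = first_time_authentication
        # server address -> fingerprint; what 'ssh client ... assign publickey' pre-configures
        self.saved = {}

    def preconfigure(self, server, host_public_key):
        self.saved[server] = fingerprint(host_public_key)

    def check(self, server, presented_host_public_key):
        fp = fingerprint(presented_host_public_key)
        known = self.saved.get(server)
        if known is None:
            if self.first_time_authentication:
                self.saved[server] = fp        # trust on first use and remember for next time
                return "accepted-first-time"
            return "rejected-no-saved-host-key"
        if known == fp:
            return "accepted"
        return "rejected-host-key-mismatch"    # possible impersonation: never silently update


if __name__ == "__main__":
    policy = HostKeyPolicy(first_time_authentication=True)
    print(policy.check("10.165.87.136", b"constructed-host-key-A"))   # accepted-first-time
    print(policy.check("10.165.87.136", b"constructed-host-key-B"))   # rejected-host-key-mismatch
```

With first-time authentication disabled, the client refuses any server whose host public key it has not been given beforehand (the ssh client ... assign publickey step in the configuration examples); with it enabled, the first connection is trusted and remembered, so a mismatch on a later connection is the only signal of a changed or impersonated server.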
Follow these steps to specify a source IP address/interface for the SSH client:
To do... / Use the command... / Remarks
- Enter system view: system-view (—)
- Specify a source IP address for the SSH client: ssh2 source-ip ip-address (Optional. By default, no source IP address is configured.)
- Specify a source interface for the SSH client: ssh2 source-interface interface-type interface-number (Optional. By default, no source interface is configured.)
To do... / Use the command...
- Display information about all SSH users: display ssh [ username ]
- Display the current source IP address or the IP address of the source interface specified for the SSH server: display ssh-server source-ip
- Display the mappings between host public keys and SSH servers saved on a client: display ssh server-info
- Display the current source IP address or the IP address of the source interface specified for the SSH client:
The results of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contain no information such as the authentication type, so they cannot be directly used as parameters in the public-key peer command. For the same reason, neither can the results of the display public-key local rsa public command be used in the rsa peer-public-key command directly.
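The display and conversion commands above produce the same RSA public key in different containers, which is why the output of one cannot be pasted where another is expected. The following Python block is an added example, not the SSHKEY tool or switch code, that decodes an OpenSSH-style "ssh-rsa" line into its exponent and modulus and re-encodes them as a PKCS#1 RSAPublicKey DER structure. The key values used in the check are tiny constructed numbers so that the bytes can be verified by hand; they are not a usable key.

```python
import base64
import struct


def _ssh_string(data):
    """SSH 'string' encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def _ssh_mpint(value):
    """SSH 'mpint' encoding of a non-negative integer: big-endian two's complement,
    with a leading 0x00 added when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_openssh_rsa(e, n, comment="rsa-key"):
    """Produce an OpenSSH/PuTTY style public key line: 'ssh-rsa <base64 blob> <comment>'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def _read_ssh_string(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[pos + 4:end], end


def parse_openssh_rsa(line):
    """Decode an 'ssh-rsa ...' line into (e, n). Rejects other key types, truncation and trailing data."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob is %r" % key_type)
    e_bytes, pos = _read_ssh_string(blob, pos)
    n_bytes, pos = _read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _der_length(length):
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw    # keep the INTEGER positive
    return b"\x02" + _der_length(len(raw)) + raw


def pkcs1_rsa_public_key_der(e, n):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def convert_line_to_pkcs1(line):
    """The conversion SSHKEY performs, in outline: OpenSSH line in, PKCS#1 DER bytes out."""
    e, n = parse_openssh_rsa(line)
    return pkcs1_rsa_public_key_der(e, n)


if __name__ == "__main__":
    # Constructed toy values (e=3, n=181); a real modulus is hundreds of bytes long.
    line = encode_openssh_rsa(3, 181, "toy-key")
    print(line)
    print(convert_line_to_pkcs1(line).hex())   # 3007020200b5020103
```

The parser rejects a blob whose key type is not ssh-rsa, a truncated blob and trailing bytes, which are the usual ways a pasted key ends up malformed; for real keys the same functions apply unchanged, the integers are simply longer.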
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Create local client client001, and set the authentication password to abc, protocol type to SSH, and command privilege level to 3 for the client.
Figure 1-13 SSH client configuration interface (2)

Under Protocol options, select 2 from Preferred SSH protocol version.
3) As shown in Figure 1-13, click Open. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log in to the server.
Network diagram

Figure 1-14 Switch acts as server for password and RADIUS authentication

Configuration procedure
1) Configure the RADIUS server
This document takes CAMS Version 2.10 as an example to show the basic RADIUS server configurations required.
# Add an access device.
Log in to the CAMS management platform and select System Management > System Configuration from the navigation tree.
Figure 1-15 Add an access device

# Add a user account for device management.
From the navigation tree, select User Management > User for Device Management, and then in the right pane, click Add to enter the Add Account page and perform the following configurations:
- Add a user named hello, and specify the password.
- Select SSH as the service type.
- Specify the IP address range of the hosts to be managed.
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pairs.
[Switch] public-key local create rsa
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the RADIUS scheme.
Figure 1-17 SSH client configuration interface (1)

In the Host Name (or IP address) text box, enter the IP address of the SSH server.
- From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-18 appears.
Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name hello and the password. Once authentication succeeds, you will log in to the server. The level of commands that you can access after login is authorized by the CAMS server. You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1-16.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Configure the HWTACACS scheme.
[Switch] hwtacacs scheme hwtac
[Switch-hwtacacs-hwtac] primary authentication 10.1.1.1 49
[Switch-hwtacacs-hwtac] primary authorization 10.1.1.
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
2) From the category on the left pane of the window, select Connection > SSH. The window as shown in Figure 1-21 appears.

Figure 1-21 SSH client configuration interface (2)

Under Protocol options, select 2 from Preferred SSH protocol version. Then, click Open. If the connection is normal, you will be prompted to enter the user name client001 and the password. Once authentication succeeds, you will log in to the server.
Configuration procedure
- Configure the SSH server
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Switch-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pair.
Figure 1-23 Generate a client key pair (1)

While generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar shown in Figure 1-24. Otherwise, the progress bar stops moving and the key pair generation process is stopped.
Figure 1-24 Generate a client key pair (2)

After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case).

Figure 1-25 Generate a client key pair (3)

Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (private.ppk in this case).
Figure 1-26 Generate a client key pair (4)

After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP, and complete the server end configuration before you continue to configure the client.
# Establish a connection with the SSH server
2) Launch PuTTY.exe to enter the following interface.

Figure 1-27 SSH client configuration interface (1)

In the Host Name (or IP address) text box, enter the IP address of the server.
Figure 1-28 SSH client configuration interface (2)

Under Protocol options, select 2 from Preferred SSH protocol version.
4) Select Connection/SSH/Auth. The following window appears.
Click Browse to bring up the file selection window, navigate to the private key file and click OK.
5) From the window shown in Figure 1-29, click Open. If the connection is normal, you will be prompted to enter the username.

When Switch Acts as Client for Password Authentication

Network requirements

As shown in Figure 1-30, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange.
[SwitchB-luser-client001] password simple abc
[SwitchB-luser-client001] service-type ssh level 3
[SwitchB-luser-client001] quit
# Configure the authentication type of user client001 as password.
[SwitchB] ssh user client001 authentication-type password
- Configure Switch A
# Create a VLAN interface on the switch and assign an IP address, which serves as the SSH client's address in an SSH connection.
system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.
Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for the SSH connection.
system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[SwitchB-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Generate RSA key pair.
system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair.
[SwitchA] public-key local create rsa
# Export the generated RSA key pair to a file named Switch001.
Network diagram

Figure 1-32 Switch acts as client and first-time authentication is not supported

Configuration procedure
- Configure Switch B
# Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client.
system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[SwitchB-Vlan-interface1] quit
Generating the RSA key pair on the server is a prerequisite to SSH login.
# Import the client's public key file Switch001 and name the public key Switch001.
[SwitchB] public-key peer Switch001 import sshkey Switch001
# Assign public key Switch001 to user client001.
[SwitchB] ssh user client001 assign publickey Switch001
# Export the generated RSA host public key pair to a file named Switch002.
# Import the public key pair named Switch002 from the file Switch002.
[SwitchA] public-key peer Switch002 import sshkey Switch002
# Specify the host public key pair name of the server.
[SwitchA] ssh client 10.165.87.136 assign publickey Switch002
# Establish the SSH connection to server 10.165.87.136.
[SwitchA] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
Table of Contents
1 File System Management Configuration 1-1
  File System Configuration 1-1
    Introduction to File System 1-1
    File System Configuration Task List
1 File System Management Configuration

When configuring file system management, go to these sections for information you are interested in:
- File System Configuration
- File Attribute Configuration
- Configuration File Backup and Restoration

File System Configuration

Introduction to File System

To facilitate management of the switch memory, 4500 series Ethernet switches provide the file system function, allowing you to access and manage the files and directories.
Directory Operations

The file system provides directory-related functions, such as:
- Creating/deleting a directory
- Displaying the current work directory, or contents in a specified directory

Follow these steps to perform directory-related operations:
To do… / Use the command…
- Create a directory: mkdir directory
- Delete a directory: rmdir directory
- Display the current work directory: pwd
- Display the information about specific directories and files: dir [ /all ] [ /fabric | file-url ]
- Enter a specif
To do… / Use the command… / Remarks
- Rename a file: rename fileurl-source fileurl-dest (Optional. Available in user view)
- Copy a file: copy fileurl-source fileurl-dest (Optional. Available in user view)
- Move a file: move fileurl-source fileurl-dest (Optional. Available in user view)
- Display the content of a file: more file-url (Optional. Available in user view)
- Display the information about a directory or a file: dir [ /all ] [ /fabric | file-url ]
- Enter system view: system-view
- Execute the specified batch file
The format operation leads to the loss of all files, including the configuration files, on the Flash memory and is irretrievable. Prompt Mode Configuration You can set the prompt mode of the current file system to alert or quiet. In alert mode, the file system will give a prompt for confirmation if you execute a command which may cause data loss, for example, deleting or overwriting a file. In quiet mode, such prompt will not be displayed.
Directory of unit1>flash:/
   1  (*) -rw-   5822215  Jan 01 1970 00:07:03   test.bin
   2      -rwh         4  Apr 01 2000 23:55:49   snmpboots
   3      -rwh       428  Apr 02 2000 00:47:30   hostkey
   4      -rwh       572  Apr 02 2000 00:47:38   serverkey
   5      -rw-      1220  Apr 02 2000 00:06:57   song.cfg
   6      -rw-     26103  Jan 01 1970 00:04:34   testv1r1.bin
   7      -rwh        88  Apr 01 2000 23:55:53   private-data.txt
   8  (*) -rw-      1376  Apr 02 2000 01:56:28   config.
Attribute name / Description / Feature / Identifier
- backup: Identifies backup startup files. The backup startup file is used after a switch fails to start up using the main startup file. In the Flash memory, there can be only one app file, one configuration file and one Web file with the backup attribute. Identifier: (b)
- none: Identifies files that are neither of main attribute nor backup attribute. Feature: —. Identifier: None

A file can have both the main and backup attributes. Files of this kind are labeled *b.
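The dir output shown above carries two pieces of information that are easy to overlook when reviewing a switch: the h flag marks hidden files that a plain dir (without /all) does not list, and the (*), (b) and (*b) markers identify the main and backup startup files. The following Python block is an added example, not switch code, that parses such a listing and reports both. The sample listing is constructed from the one above; the (b) marker on testv1r1.bin and the full name config.cfg are added for the example and are not in the original output.

```python
import re

# One line of 'dir' output: index, optional startup attribute in parentheses,
# permission/attribute flags, size, timestamp, name.
DIR_LINE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?:\((?P<startup>\*b|\*|b)\)\s+)?(?P<flags>-[rw-]{2}[h-])\s+"
    r"(?P<size>\d+)\s+(?P<date>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<name>\S+)\s*$"
)

# Constructed sample modelled on the listing above (see the lead-in for what was added).
SAMPLE_DIR = """\
Directory of unit1>flash:/

   1  (*) -rw-   5822215  Jan 01 1970 00:07:03   test.bin
   2      -rwh         4  Apr 01 2000 23:55:49   snmpboots
   3      -rwh       428  Apr 02 2000 00:47:30   hostkey
   4      -rwh       572  Apr 02 2000 00:47:38   serverkey
   5      -rw-      1220  Apr 02 2000 00:06:57   song.cfg
   6  (b) -rw-     26103  Jan 01 1970 00:04:34   testv1r1.bin
   7      -rwh        88  Apr 01 2000 23:55:53   private-data.txt
   8  (*) -rw-      1376  Apr 02 2000 01:56:28   config.cfg
"""


def parse_dir(text):
    """Parse dir output into a list of dicts; header, blank and other non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue
        startup = m.group("startup") or ""
        entries.append({
            "name": m.group("name"),
            "size": int(m.group("size")),
            "date": m.group("date"),
            "hidden": m.group("flags").endswith("h"),   # 'h' flag: not shown without dir /all
            "main": "*" in startup,                       # (*) or (*b): main startup file
            "backup": "b" in startup,                     # (b) or (*b): backup startup file
        })
    return entries


def startup_files(entries):
    """Files tagged for the next startup: '*' = main, 'b' = backup, '*b' = both."""
    return {"main": [e["name"] for e in entries if e["main"]],
            "backup": [e["name"] for e in entries if e["backup"]]}


def hidden_files(entries):
    """Hidden files, which an audit of the Flash contents should still include."""
    return [e["name"] for e in entries if e["hidden"]]


if __name__ == "__main__":
    parsed = parse_dir(SAMPLE_DIR)
    print(startup_files(parsed))   # main: test.bin, config.cfg; backup: testv1r1.bin
    print(hidden_files(parsed))    # snmpboots, hostkey, serverkey, private-data.txt
```

Running the parser over a real listing taken with dir /all gives a quick check that exactly one app file and one configuration file carry the main attribute, and shows which hidden files are present on the Flash.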
Configuring File Attributes You can configure and view the main attribute or backup attribute of the file used for the next startup of a switch, and change the main or backup attribute of the file.
Configuration File Backup and Restoration

Introduction to Configuration File Backup and Restoration

Formerly, you could only back up and restore the configuration files of the units one by one in a fabric system. By using the configuration file backup and restoration feature, you can easily back up and restore the configuration files in the whole fabric as well as in a specific unit.
Table of Contents
1 FTP and SFTP Configuration 1-1
  Introduction to FTP and SFTP 1-1
    Introduction to FTP 1-1
    Introduction to SFTP
1 FTP and SFTP Configuration

When configuring FTP and SFTP, go to these sections for information you are interested in:
- Introduction to FTP and SFTP
- FTP Configuration
- SFTP Configuration

Introduction to FTP and SFTP

Introduction to FTP

File Transfer Protocol (FTP) is commonly used in IP-based networks to transmit files. Before the World Wide Web came into being, files were transferred through command lines, and the most popular application was FTP.
files from an FTP server, and stops rotating when the file downloading is finished, as shown in Figure 1-1.

Figure 1-1 Clockwise rotating of the seven-segment digital LED

Introduction to SFTP

Secure FTP (SFTP) is established based on an SSH2 connection. It allows a remote user to log in to a switch to manage and transmit files, providing a more secure guarantee for data transmission. In addition, since the switch can be used as a client, you can log in to remote devices to transfer files securely.
To do… / Use the command… / Remarks
- Configure a password for the specified user: password { simple | cipher } password (Optional. By default, no password is configured.)
- Configure the service type as FTP: service-type ftp (Required. By default, no service is configured.)

Enabling an FTP server

Follow these steps to enable an FTP server:
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Enable the FTP server function: ftp server enable (Required. Disabled by default.)
Follow these steps to configure connection idle time:
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Configure the connection idle time for the FTP server: ftp timeout minutes (Optional. 30 minutes by default.)

Specifying the source interface and source IP address for an FTP server

You can specify the source interface and source IP address for an FTP server to enhance server security.
Disconnecting a specified user On the FTP server, you can disconnect a specified user from the FTP server to secure the network.
Figure 1-3 Process of displaying a shell banner

Follow these steps to configure the banner display for an FTP server:
To do… / Use the command… / Remarks
- Enter system view: system-view (—)
- Configure a login banner: header login text (Required. Use either command or both. By default, no banner is configured.)
- Configure a shell banner: header shell text (Required. Use either command or both. By default, no banner is configured.)

For details about the header command, refer to the Login part of the manual.
To do… | Use the command… | Remarks
Enter FTP client view | ftp [ cluster | remote-server [ port-number ] ] | —
Specify to transfer files as ASCII text | ascii | Use either command. By default, files are transferred in ASCII mode.
Specify to transfer files as binary streams | binary | (as above)
Use binary for software images, Boot ROM files and any other non-text file: ASCII mode may rewrite line-ending bytes and corrupt the file.
To do… | Use the command…
Download a remote file from the FTP server | get remotefile [ localfile ]
Upload a local file to the remote FTP server | put localfile [ remotefile ]
Rename a file on the remote server | rename remote-source remote-dest
Log in with the specified user name and password | user username [ password ]
Connect to a remote FTP server | open { ip-address | server-name } [ port ]
Terminate the current FTP connection without exiting FTP client view | disconnect
Terminate the current FTP conn
z The specified interface must exist; otherwise a prompt reports that the configuration fails.
z The ip-address argument must be an IP address of the device on which the configuration is performed; otherwise a prompt reports that the configuration fails.
z A source interface or source IP address set for one connection takes precedence over the fixed source interface or source IP address set for every connection.
[Sysname] local-user switch
[Sysname-luser-switch] password simple hello
[Sysname-luser-switch] service-type ftp
2) Configure the PC (FTP client)
Run an FTP client application on the PC to connect to the FTP server. Upload the application named switch.bin to the root directory of the Flash memory of the FTP server, and download the configuration file named config.cfg from the FTP server.
z If the free space in the Flash memory of the switch is not enough to hold the file to be uploaded, delete unused files from the Flash memory to make room, and then upload the file again. Files in use cannot be deleted; if you must delete a file in use to make room, you can only delete or download it through the Boot ROM menu.
z The 3Com switch is not shipped with FTP client application software.
Configuration procedure
1) Configure the switch (FTP server)
# Configure the login banner of the switch as “login banner appears” and the shell banner as “shell banner appears”. For the other configuration this example needs, see section Configuration Example: A Switch Operating as an FTP Server.
system-view
[Sysname] header login %login banner appears%
[Sysname] header shell %shell banner appears%
2) Configure the PC (FTP client)
# Access the Ethernet switch through FTP.
Configuration procedure 1) Configure the PC (FTP server) Perform FTP server–related configurations on the PC, that is, create a user account on the FTP server with username switch and password hello. (For detailed configuration, refer to the configuration instruction relevant to the FTP server software.) 2) Configure the switch (FTP client) # Log in to the switch. (You can log in to a switch through the Console port or by telnetting the switch. See the Login module for detailed information.
boot boot-loader switch.bin
reboot
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure the connection idle time for the SFTP server | sftp timeout time-out-value | Optional. 10 minutes by default.
Supported SFTP client software
A 3Com Switch 4500 operating as an SFTP server can interoperate with SFTP client software including SSH Tectia Client v4.2.0 (SFTP), v5.0 and WinSCP.
When you set algorithm preferences on the sftp command, choose aes128 for the ciphers, sha1 for the HMACs and dh_exchange_group for key exchange; des, md5/md5_96 and dh_group1 (a 1024-bit group) are weak and should be used only when the peer supports nothing else.
To do… | Use the command…
Enter SFTP client view | sftp { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { 3des | des | aes128 } | prefer_stoc_cipher { 3des | des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *
Change the working directory on the remote SFTP server | cd pathname
Change the working directory to the parent directory | cdup
Display the
If the server authenticates the client by public key, the client needs to read its local private key when logging in to the SFTP server. Since both RSA and DSA are available for public key authentication, use the identity-key keyword to specify the algorithm so that the correct local private key is selected; otherwise the login fails. For details, see the SSH Operation Manual.
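The two security points above, cleartext FTP credentials in the saved configuration and weak algorithm preferences on the sftp client command, can both be checked mechanically. The following script is an added example and not 3Com code: it audits a configuration dump for `ftp server enable`, a missing `ftp timeout`, and `password simple` inside `local-user` blocks, and flags weak `prefer_*` choices on an sftp command line. SAMPLE_CONFIG is constructed for the example (the user `switch` mirrors the FTP user created in this chapter's server example), and the list of algorithms treated as weak is this audit's own policy, not a 3Com recommendation.

```python
"""Audit a saved Switch 4500 configuration for the FTP/SFTP settings in this
chapter. Added example, not 3Com code."""
import re
import shlex

# Constructed sample configuration dump for the example.
SAMPLE_CONFIG = """\
 sysname Sysname
 ftp server enable
local-user switch
 password simple hello
 service-type ftp
local-user admin
 password cipher A3R5KX2eT4gR7wQ=
 service-type ssh
"""

# 'sftp' client options and the values this audit treats as weak (our policy).
WEAK_SFTP = {
    "prefer_kex": {"dh_group1"},            # 1024-bit Diffie-Hellman group
    "prefer_ctos_cipher": {"des"},
    "prefer_stoc_cipher": {"des"},
    "prefer_ctos_hmac": {"md5", "md5_96"},
    "prefer_stoc_hmac": {"md5", "md5_96"},
}


def audit_ftp_config(config_text):
    """Return a list of findings for cleartext FTP exposure in a saved config."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]
    if "ftp server enable" in lines:
        findings.append("ftp server enable: FTP sends credentials and file "
                        "contents in cleartext; prefer SFTP")
        if not any(ln.startswith("ftp timeout ") for ln in lines):
            findings.append("ftp timeout not set: idle FTP sessions live "
                            "30 minutes by default")
    user = None  # name of the local-user block currently being walked
    for ln in lines:
        m = re.match(r"^local-user (\S+)$", ln)
        if m:
            user = m.group(1)
            continue
        if user is None:
            continue
        m = re.match(r"^password simple (\S+)$", ln)
        if m:
            findings.append(f"local-user {user}: 'password simple' stores "
                            f"{m.group(1)!r} in cleartext; use 'password cipher'")
    return findings


def check_sftp_command(command_line):
    """Return [(option, value), ...] for weak algorithm choices on an 'sftp'
    client command line, e.g. 'sftp 192.168.0.1 prefer_ctos_cipher des'."""
    argv = shlex.split(command_line)
    weak = []
    for i, word in enumerate(argv[:-1]):
        if word in WEAK_SFTP and argv[i + 1] in WEAK_SFTP[word]:
            weak.append((word, argv[i + 1]))
    return weak


if __name__ == "__main__":
    for finding in audit_ftp_config(SAMPLE_CONFIG):
        print(finding)
    print(check_sftp_command("sftp 192.168.0.1 prefer_kex dh_group1 prefer_ctos_cipher des"))
```

Run it against the output of `display current-configuration` saved to a file; a clean result is no finding for `ftp server enable` (SFTP in use) and no `password simple` line for any local user.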
[Sysname] public-key local create dsa
# Create a VLAN interface on the switch and assign it an IP address, which the client uses as the destination address when connecting to the SFTP server.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[Sysname-Vlan-interface1] quit
# Specify the SSH authentication mode as AAA.
sftp-client>
# Display the current directory of the server. Delete the file z and verify the result.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
Received status: End of file
Received status: Success
# Download the file pubkey2 from the server and rename it as public.
sftp-client> get pubkey2 public
This operation may take a long time, please wait...
Remote file:/pubkey2 ---> Local file: public..
2 TFTP Configuration
When configuring TFTP, go to these sections for information you are interested in:
z Introduction to TFTP
z TFTP Configuration
Introduction to TFTP
Compared with FTP, Trivial File Transfer Protocol (TFTP) has a simpler interaction model and no authentication control, so it suits networks where client-server interactions are relatively simple. TFTP runs over UDP and uses UDP port 69. Because TFTP has neither authentication nor encryption, anyone who can reach a TFTP server can read or write the files it serves: run a TFTP server only on an isolated management network and only for the duration of a transfer.
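To see what "no authentication control" means on the wire, here is the TFTP packet format of RFC 1350 with a complete in-memory read transfer. This is an added example, not 3Com code or the switch's TFTP client: a read request carries only an opcode, a file name and a mode, and the server answers with 512-byte DATA blocks straight away. The file contents and names are constructed; in a real exchange the request is sent to UDP port 69 and the server replies from an ephemeral port.

```python
"""TFTP (RFC 1350) packet encoding and an in-memory read transfer.
Added example, not 3Com code."""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512   # fixed in RFC 1350; a block shorter than this ends the transfer


def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ: 2-byte opcode, NUL-terminated file name, NUL-terminated mode."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse_request(packet):
    """Return (opcode, filename, mode). There is no field for credentials."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a request packet")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:
        raise ValueError("truncated request")
    return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()


def build_data(block_no, payload):
    return struct.pack("!HH", DATA, block_no) + payload


def build_ack(block_no):
    return struct.pack("!HH", ACK, block_no)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\0"


def serve_read(files, request_packet):
    """Server side of a read: the DATA packets for the requested file, or one
    ERROR packet (code 1 = file not found) if the name is unknown. 'files' is
    a dict name -> bytes standing in for the server's working directory."""
    _, name, mode = parse_request(request_packet)
    if mode != "octet":
        return [build_error(0, "only octet mode is implemented here")]
    if name not in files:
        return [build_error(1, "File not found")]
    data = files[name]
    packets, block_no, pos = [], 1, 0
    while True:
        chunk = data[pos:pos + BLOCK_SIZE]
        packets.append(build_data(block_no, chunk))
        pos += BLOCK_SIZE
        block_no += 1
        if len(chunk) < BLOCK_SIZE:   # includes the empty block after an exact multiple
            return packets


def client_receive(packets):
    """Client side: reassemble DATA blocks in order and build the ACK for each.
    Returns (file_bytes, acks). Duplicate or out-of-order blocks are ignored,
    which is what makes a retransmitting sender safe."""
    received, acks, expected = bytearray(), [], 1
    for pkt in packets:
        opcode, block_no = struct.unpack("!HH", pkt[:4])
        if opcode == ERROR:
            raise RuntimeError(pkt[4:-1].decode("ascii"))
        if opcode != DATA or block_no != expected:
            continue
        received += pkt[4:]
        acks.append(build_ack(block_no))
        expected += 1
        if len(pkt) - 4 < BLOCK_SIZE:
            break
    return bytes(received), acks


def fetch(files, filename):
    """Run one complete read against the in-memory server."""
    return client_receive(serve_read(files, build_request(RRQ, filename)))


if __name__ == "__main__":
    image = bytes(i % 256 for i in range(1300))          # constructed 1300-byte image
    data, acks = fetch({"switch.bin": image}, "switch.bin")
    print(len(data), "bytes in", len(acks), "blocks")     # 1300 bytes in 3 blocks
```

Nothing in `parse_request` identifies who is asking, which is why the server's working directory must contain only what you intend to hand out and why the transfer should be confined to a directly connected management link.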
TFTP Configuration
Complete the following tasks to configure TFTP:
Task | Remarks
TFTP Configuration: A Switch Operating as a TFTP Client: Basic configurations on a TFTP client | —
TFTP Configuration: A Switch Operating as a TFTP Client: Specifying the source interface or source IP address for a TFTP client | Optional
TFTP server configuration | For details, see the corresponding manual
TFTP Configuration: A Switch Operating as a TFTP Client
Basic configurations on a TFTP client
By default a switch can operate as a TFTP client.
To do… | Use the command… | Remarks
Specify the source IP address used for the current connection | tftp tftp-server source-ip ip-address { get source-file [ dest-file ] | put source-file-url [ dest-file ] } | Optional. Not specified by default.
Enter system view | system-view | —
Specify an interface as the source interface a TFTP client uses every time it connects to a TFTP server | tftp source-interface interface-type interface-number | Use either command. Not specified by default.
Network diagram
Figure 2-1 Network diagram for TFTP configurations
Configuration procedure
1) Configure the TFTP server (PC)
Start the TFTP server and configure the working directory on the PC.
2) Configure the TFTP client (switch)
# Log in to the switch. (You can log in to a switch through the Console port or by telnetting to the switch. See the Login module for detailed information.)
For information about the boot boot-loader command and how to specify the startup file for a switch, refer to the System Maintenance and Debugging module of this manual.
1 Information Center When configuring information center, go to these sections for information you are interested in: z Information Center Overview z Information Center Configuration z Displaying and Maintaining Information Center z Information Center Configuration Examples Information Center Overview Introduction to Information Center Acting as the system information hub, information center classifies and manages system information.
Information filtering by severity works this way: information whose severity value is greater than the configured threshold is not output.
z If the threshold is set to 1, only information with severity emergencies is output;
z If the threshold is set to 8, information of all severities is output.
Outputting system information by source module The system information can be classified by source module and then filtered. Some module names and description are shown in Table 1-3. Table 1-3 Source module name list Module name Description 8021X 802.
Module name | Description
SYSMIB | System MIB module
TAC | HWTACACS module
TELNET | Telnet module
TFTPC | TFTP client module
VLAN | Virtual local area network module
VTY | Virtual type terminal module
XM | XModem module
default | Default settings for all the modules
To sum up, the major task of the information center is to output the three types of information from the modules onto the ten channels, by the eight severity levels and according to the user's settings, and then redirect the system informa
z If the address of a log host is specified in the information center of the switch, the switch sends each log it generates to that host in the format above. For details, refer to Setting to Output System Information to a Log Host.
z Unix and Linux systems provide a syslog daemon that you can start to receive the logs sent by the switch; on Windows, you need to install dedicated software to act as the syslog host.
Module
The module field is the name of the module that generated the system information. Enter the info-center source ? command in system view to list the modules; refer to Table 1-3 for module names and descriptions. The module and level fields are separated by a slash (“/”).
Level (Severity)
System information is divided into eight severity levels, numbered 1 to 8, with 1 the most severe. Refer to Table 1-1 for the definition and description of these severity levels.
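The severity rule above (a message is dropped when its severity value exceeds the threshold for its module, 1 being the most severe) together with the module/level token in each message is enough to evaluate output rules offline. The following is an added example, not 3Com code: it models one information channel with per-module rules and a default, parses the `MODULE/LEVEL/` token out of log lines, and maps the switch's 1..8 scale onto the 0..7 scale a syslog daemon expects. The sample lines are constructed (only the `MODULE/LEVEL/` shape comes from this chapter), and the level names for values 2 to 7 are the usual syslog order, assumed here.

```python
"""Output-rule evaluation for the information center. Added example, not
3Com code."""
import re

LEVELS = {1: "emergencies", 2: "alerts", 3: "critical", 4: "errors",
          5: "warnings", 6: "notifications", 7: "informational", 8: "debugging"}
NAME_TO_LEVEL = {name: n for n, name in LEVELS.items()}

# Constructed lines in the 'MODULE/LEVEL/' shape described in this chapter;
# everything around that token is made up for the example.
SAMPLE_LINES = [
    "Sysname ARP/5/ARP_WARNING: duplicate address detected",
    "Sysname IP/8/IP_DEBUG: packet dump",
    "Sysname SHELL/1/LOGIN_FAIL: too many failed logins",
    "Sysname IP/7/IP_INFO: interface address changed",
]
MODULE_LEVEL = re.compile(r"\b([A-Za-z0-9]+)/([1-8])/")


class LogChannel:
    """One information channel (for example loghost). Rules mirror
    'info-center source { modu-name | default } channel NAME log level L state S'."""

    def __init__(self):
        self.rules = {}        # module name (upper case) -> (threshold, enabled)

    def source(self, module, level_name, state="on"):
        self.rules[module.upper()] = (NAME_TO_LEVEL[level_name], state == "on")

    def undo_source(self, module):
        self.rules.pop(module.upper(), None)

    def allows(self, module, severity):
        """A module without its own rule falls back to 'default'; with no rule
        at all nothing is output on this channel."""
        rule = self.rules.get(module.upper()) or self.rules.get("DEFAULT")
        if rule is None:
            return False
        threshold, enabled = rule
        return enabled and severity <= threshold


def parse_module_level(line):
    """Return (module, severity) from a log line, or None if no token is found."""
    m = MODULE_LEVEL.search(line)
    if not m:
        return None
    return m.group(1).upper(), int(m.group(2))


def filter_lines(channel, lines):
    """Return the lines the channel's rules let through."""
    kept = []
    for line in lines:
        parsed = parse_module_level(line)
        if parsed and channel.allows(*parsed):
            kept.append(line)
    return kept


def syslog_severity(level):
    """Map the switch's 1..8 scale onto the 0..7 severities a syslog daemon
    uses (emergencies -> 0, debugging -> 7); the facility/severity pair in
    syslog.conf must agree with this."""
    return level - 1


def loghost_example():
    """Reproduce this chapter's log host example: remove the default rule,
    then let ARP and IP output up to 'informational' (values 1..7)."""
    loghost = LogChannel()
    loghost.source("default", "informational")   # factory default on loghost
    loghost.undo_source("default")
    loghost.source("arp", "informational")
    loghost.source("ip", "informational")
    return filter_lines(loghost, SAMPLE_LINES)


if __name__ == "__main__":
    for line in loghost_example():
        print(line)
```

The example shows the effect that is easy to get wrong: after `undo info-center source default channel loghost`, a module such as SHELL emits nothing to the log host even at severity 1 until it is given its own rule, so failed-login messages would silently stop reaching the collector.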
Configuring Synchronous Information Output
Synchronous information output means that, when system information (log, trap or debugging output) arrives while you are typing a command, the command line prompt (the prompt in command editing mode, or the [Y/N] string in interactive mode) and whatever you have typed so far are echoed again after the output. Use this feature when your input is being interrupted by large amounts of system output.
To do… | Use the command… | Remarks
Set to display the UTC time zone in the output information of the information center | info-center timestamp utc | Required. By default, no UTC time zone is displayed in the output information.
Setting to Output System Information to the Console
Setting to output system information to the console
Follow these steps to set to output system information to the console:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the information center | info-center
Output destination | Modules allowed | LOG enabled/disabled | LOG severity | TRAP enabled/disabled | TRAP severity | DEBUG enabled/disabled | DEBUG severity
Monitor terminal | default (all modules) | Enabled | warnings | Enabled | debugging | Enabled | debugging
Log host | default (all modules) | Enabled | informational | Enabled | debugging | Disabled | debugging
Trap buffer | default (all modules) | Disabled | informational | Enabled | warnings | Disabled | debugging
Log buffer | default (all modules) | Enabled | warnings | Disabl
Setting to output system information to a monitor terminal
Follow these steps to set to output system information to a monitor terminal:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the information center | info-center enable | Optional. Enabled by default.
To do… | Use the command… | Remarks
Enable the trap information terminal display function | terminal trapping | Optional. Enabled by default.
Make sure the terminal display function for debugging/log/trap information is enabled (use the terminal monitor command) before you enable the corresponding per-type display with the terminal debugging, terminal logging or terminal trapping command.
z After the switches form a fabric, you can use the info-center switch-on command to enable the information output for the switches to make the log, debugging and trap information of each switch in the fabric synchronous. Each switch sends its own information to other switches in the fabric and receives information sent by other switches at the same time to update the information on itself. In this way, the switch ensures the synchronization of log, debugging and trap information in the whole fabric.
To do… | Use the command… | Remarks
Enable information output to the log buffer | info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ]* | Optional
Configure the output rules of system information | info-center source { modu-name | default } channel { channel-number | channel-name } [ { log | trap | debug } { level severity | state state } ]* |
Set the format of the time stamp in the output information | info-center timestamp { log | trap | debugging } { boot | date | none } | By defaul
Displaying and Maintaining Information Center
To do… | Use the command…
Display information on an information channel | display channel [ channel-number | channel-name ]
Display the operation status of the information center, the configuration of information channels, the format of the time stamp and the information output in case of fabric | display info-center [ unit unit-id ]
Display the status of the log buffer and the information recorded in it | display logbuffer [ unit unit-id ] [ level severity | siz
# Disable output to the log host channels, because all modules output log information to them by default.
[Switch] undo info-center source default channel loghost
# Configure the host with IP address 202.38.1.10 as the log host. Permit the ARP and IP modules to output information of informational or higher severity (severity values 1 to 7) to the log host.
[Switch] info-center loghost 202.38.1.
Through combined configuration of the device name (facility), information severity level threshold (severity), module name (filter) and the file “syslog.conf”, you can sort information precisely for filtering. Log Output to a Linux Log Host Network requirements The switch sends the following log information to the Linux log host whose IP address is 202.38.1.10: All modules' log information, with severity higher than “errors”.
Note the following when editing /etc/syslog.conf:
z A comment must start on a new line, with a “#” sign.
z In each selector/action pair, use a tab, not spaces, as the separator.
z No space is permitted at the end of the file name.
z The device name (facility) and the received log severity specified in /etc/syslog.conf must match the corresponding parameters configured with the info-center loghost and info-center source commands.
system-view
[Switch] info-center enable
# Disable output to the console channels.
[Switch] undo info-center source default channel console
# Enable log output to the console. Permit the ARP and IP modules to output log information of informational or higher severity (severity values 1 to 7) to the console.
1 Boot ROM and Host Software Loading
Traditionally, switch software is loaded through the serial port. This is slow, time-consuming and cannot be used for remote loading. To address this, the switch includes TFTP and FTP modules, with which you can load software and files to the switch through an Ethernet port. This chapter describes how to load the Boot ROM and host software to a switch locally and remotely.
The loading process of the Boot ROM software is the same as that of the host software, except that for the Boot ROM you press 6 (Enter bootrom upgrade menu) after entering the BOOT menu and the system gives different prompts. The following text mainly describes the Boot ROM loading process.
BOOT Menu
Starting......
******************************************************************
* Switch 4500 26-Port BOOTROM, Version 3.
1. Download application file to flash
2. Select application file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set switch startup mode
0. Reboot
Enter your choice(0-9):
Anyone with physical access to the console port can reach this menu and, from it, skip the current configuration file (7), change the Boot ROM password (5) or change the password recovery setting (8); protect physical access to the console accordingly.
Loading by XModem through Console Port
Introduction to XModem
The XModem protocol is a file transfer protocol that is widely used because of its simplicity and stability.
0. Return
Enter your choice (0-5):
Step 3: Choose an appropriate baud rate for downloading.
Figure 1-2 Console port configuration dialog box
Step 5: Click the disconnect button to disconnect the HyperTerminal from the switch, and then click the connect button to reconnect it, as shown in Figure 1-3.
Figure 1-3 Connect and disconnect buttons
The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal session.
Step 6: Press the key as prompted to start downloading the program.
Figure 1-4 Send file dialog box
Step 8: Click the send button. The system displays the sending-file page, as shown in Figure 1-5.
Figure 1-5 Sending file page
Step 9: After the sending process completes, the system displays the following information:
Loading ...CCCCCCCCCC done!
Step 10: Reset the HyperTerminal baud rate to 9600 bps (refer to Steps 4 and 5). Then press any key as prompted. The system displays the following information when it completes the loading:
Bootrom updating.....................................
Loading host software
Follow these steps to load the host software:
Step 1: Select 1 in the BOOT menu and press the key as prompted. The system displays the following information:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 3 in the above menu to load the host software by using XModem.
You can use one PC as both the configuration device and the TFTP server.
Step 2: Run the TFTP server program on the TFTP server and specify the path of the program to be downloaded. A TFTP server program is not provided with the 3Com Series Ethernet Switches.
Step 3: Run the HyperTerminal program on the configuration PC. Start the switch, then enter the BOOT Menu.
0. Return to boot menu
Enter your choice(0-3):
Step 2: Enter 1 in the above menu to download the host software using TFTP. The subsequent steps are the same as those for loading the Boot ROM, except that the system prompts for host software loading instead of Boot ROM loading.
When loading the Boot ROM and host software using TFTP through the BOOT menu, use a PC directly connected to the device as the TFTP server: this improves upgrade reliability and keeps the unauthenticated TFTP exchange off the shared network.
Bootrom update menu:
1. Set TFTP protocol parameter
2. Set FTP protocol parameter
3. Set XMODEM protocol parameter
0. Return to boot menu
Enter your choice(0-3):
Step 4: Enter 2 in the above menu to download the Boot ROM using FTP. Then set the following FTP-related parameters as required:
Load File name :switch.btm
Switch IP address :10.1.1.2
Server IP address :10.1.1.1
FTP User Name :Switch
FTP User Password :abc
Step 5: Press the key as prompted.
Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch, you can telnet to the switch, and use FTP or TFTP to load the Boot ROM and host software remotely. Remote Loading Using FTP Loading Procedure Using FTP Client 1) Loading the Boot ROM As shown in Figure 1-8, a PC is used as both the configuration device and the FTP server. You can telnet to the switch, and then execute the FTP commands to download the Boot ROM program switch.
Before restarting the switch, make sure you have saved all other configurations that you want, so as to avoid losing configuration information. 2) Loading host software Loading the host software is the same as loading the Boot ROM program, except that the file to be downloaded is the host software file, and that you need to use the boot boot-loader command to select the host software used for next startup of the switch. After the above operations, the Boot ROM and host software loading is completed.
System View: return to User View with Ctrl+Z.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 192.168.0.28 255.255.255.0
Step 3: Enable the FTP service on the switch, and configure an FTP user named test with the password pass.
[Sysname-Vlan-interface1] quit
[Sysname] ftp server enable
[Sysname] local-user test
New local user added.
[Sysname-luser-test] password simple pass
[Sysname-luser-test] service-type ftp
Step 4: Start the FTP client software on the PC.
Figure 1-11 Enter Boot ROM directory Step 6: Enter ftp 192.168.0.28 and enter the user name test, password pass, as shown in Figure 1-12, to log on to the FTP server. Figure 1-12 Log on to the FTP server Step 7: Use the put command to upload the file switch.btm to the switch, as shown in Figure 1-13.
Figure 1-13 Upload file switch.btm to the switch
Step 8: Configure switch.btm to be the Boot ROM used at next startup, and then restart the switch.
boot bootrom switch.btm
This will update Bootrom on unit 1. Continue? [Y/N] y
Upgrading Bootrom, please wait...
Upgrade Bootrom succeeded!
reboot
After the switch restarts, the file switch.btm is used as the Boot ROM, which indicates that Boot ROM loading is finished.
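Steps 4 to 7 above are performed by hand in an FTP client on the PC. The following script is an added example (not 3Com code) of the same upload done from Python against the switch configured in Steps 2 and 3 (address 192.168.0.28, user test). Because FTP gives no integrity protection, the image is compared against an expected SHA-256 digest before it is sent: the digest value itself is an assumption for the example and should come from the vendor's download page or from a trusted copy of the file. The sample image bytes used in the usage block are constructed.

```python
"""PC-side FTP upload of a Boot ROM image to the switch, with a digest check
first. Added example, not 3Com code."""
import ftplib
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(data, expected_sha256):
    """True when the image bytes match the expected (published or trusted) digest."""
    return sha256_hex(data) == expected_sha256.lower()


def upload_bootrom(host, user, password, local_path, expected_sha256,
                   remote_name="switch.btm"):
    """Refuse to send an image whose digest does not match; otherwise upload it
    in binary mode (storbinary selects TYPE I, so the file is not altered the
    way ASCII mode would alter it). Returns the number of bytes sent."""
    with open(local_path, "rb") as fh:
        data = fh.read()
    if not verify_image(data, expected_sha256):
        raise RuntimeError("image digest mismatch; not uploading")
    with ftplib.FTP() as ftp:
        ftp.connect(host, 21, timeout=30)
        ftp.login(user, password)          # note: credentials cross the wire in cleartext
        with open(local_path, "rb") as fh:
            ftp.storbinary(f"STOR {remote_name}", fh)
    return len(data)


if __name__ == "__main__":
    # Constructed stand-in for switch.btm, written to disk so the upload
    # function can be exercised; the host/user/password match Steps 2-3.
    image = b"\x7fBOOTROM" + bytes(range(256))
    with open("switch.btm", "wb") as fh:
        fh.write(image)
    expected = sha256_hex(image)           # assumption: digest obtained out of band
    print(upload_bootrom("192.168.0.28", "test", "pass", "switch.btm", expected),
          "bytes uploaded")
```

After the upload, check the file size shown by dir on the switch against the local size before running boot bootrom; a truncated transfer over FTP produces no error on the switch side by itself.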
2 Basic System Configuration and Debugging
When configuring basic system configuration and debugging, go to these sections for information you are interested in:
z Basic System Configuration
z Displaying the System Status
z Debugging the System
Basic System Configuration
Perform the following basic system configuration:
To do… | Use the command… | Remarks
Set the current date and time of the system | clock datetime HH:MM:SS { YYYY/MM/DD | MM/DD/YYYY } | Required
Set the local time zone | clock timezone z
Displaying the System Status
To do… | Use the command… | Remarks
Display the current date and time of the system | display clock | Available in any view
Display the version of the system | display version | Available in any view
Display the information about users logged in to the switch | display users [ all ] | Available in any view
Debugging the System
Enabling/Disabling System Debugging
The device provides various debugging functions.
Debugging output is controlled by two switches: the per-module debugging switch, which determines whether a module generates debugging information, and the terminal display switch, which determines whether that information is shown on the current terminal. Follow these steps to enable debugging and terminal display for a specific module:
To do… | Use the command… | Remarks
Enable system debugging for a specific module | debugging module-name [ debugging-option ] | Required. Disabled for all modules by default.
Enable terminal display for debugging | terminal debugging | Required. Disabled by default.
The output of debugging information affects system operation.
3 Network Connectivity Test When configuring network connectivity test, go to these sections for information you are interested in: z ping z tracert Network Connectivity Test ping You can use the ping command to check the network connectivity and the reachability of a host.
4 Device Management When configuring device management, go to these sections for information you are interested in: z Introduction to Device Management z Device Management Configuration z Displaying the Device Management Configuration z Remote Switch APP Upgrade Configuration Example Introduction to Device Management Device Management includes the following: z Reboot the Ethernet switch z Configure real-time monitoring of the running status of the system z Specify the APP to be used at the nex
Before rebooting, the system checks whether there is any configuration change. If yes, it prompts whether or not to proceed.
Enabling of this function consumes some amounts of CPU resources. Therefore, if your network has a high CPU usage requirement, you can disable this function to release your CPU resources. Specifying the APP to be Used at Reboot APP is the host software of the switch. If multiple APPs exist in the Flash memory, you can use the command here to specify the one that will be used when the switch reboots.
Table 4-1 Commonly used pluggable transceivers
Transceiver type | Applied environment | Can be an optical transceiver | Can be an electrical transceiver
SFP (Small Form-factor Pluggable) | Generally used for 100M/1000M Ethernet interfaces or POS 155M/622M/2.
To do… | Use the command… | Remarks
Display the current alarm information of the pluggable transceiver(s) | display transceiver alarm interface [ interface-type interface-number ] | Available for all pluggable transceivers
Display the currently measured values of the digital diagnosis parameters of the anti-spoofing optical transceiver(s) customized by H3C | display transceiver diagnosis interface [ interface-type interface-number ] | Available for anti-spoofing pluggable optical transceiver(s) customized by H3C
z Configure the IP address 1.1.1.1 on a VLAN interface of the switch and the IP address 2.2.2.2 on the PC, so that the switch and the PC can reach each other. The host software switch.app and the Boot ROM file boot.btm of the switch are stored in the directory switch on the PC. Use FTP to download switch.app and boot.btm from the FTP server to the switch.
331 Give me your password, please
Password:
230 Logged in successfully
[ftp]
5) Enter the authorized path on the FTP server.
[ftp] cd switch
6) Execute the get command to download the switch.app and boot.btm files from the FTP server to the Flash memory of the switch.
[ftp] get switch.app
[ftp] get boot.btm
7) Execute the quit command to terminate the FTP connection and return to user view.
[ftp] quit
8) Upgrade the Boot ROM.
boot bootrom boot.
1 VLAN-VPN Configuration
When configuring VLAN-VPN, go to these sections for information you are interested in:
z VLAN-VPN Overview
z VLAN-VPN Configuration
z Displaying and Maintaining VLAN-VPN Configuration
z VLAN-VPN Configuration Example
VLAN-VPN Overview
Introduction to VLAN-VPN
Virtual private network (VPN) is a technology that emerged with the expansion of the Internet. It is used to establish private networks over a public network.
Figure 1-2 Structure of packets with double-layer VLAN tags (fields in order: destination MAC address, source MAC address, outer VLAN tag, inner VLAN tag, data)
Compared with MPLS-based Layer 2 VPN, VLAN-VPN has the following features:
z It provides simpler Layer 2 VPN tunnels.
z VLAN-VPN can be implemented through manual configuration; no signaling protocol configuration is needed.
The VLAN-VPN feature provides you with the following benefits:
z Saves public network VLAN ID resources.
frame as needed. When doing so, you must set the same TPID on both the customer-side port and the service provider-side port. The TPID field of a tagged Ethernet frame occupies the same position as the protocol type (EtherType) field of an untagged frame, so a receiver that does not recognise the configured TPID value treats the outer tag as an unknown protocol type instead of a VLAN tag. To avoid problems in packet forwarding and handling, you cannot set the TPID value to any of the values in the table below.
Task Remarks Enabling the VLAN-VPN Feature for a Port Required Configuring the TPID Value for VLAN-VPN Packets on a Port Optional Configuring the Inner-to-Outer Tag Priority Replicating and Mapping Feature Optional As XRN fabric is mutually exclusive with VLAN-VPN, make sure that XRN fabric is disabled on the switch before performing any of the configurations listed in the above table. For information about XRN fabric, refer to XRN Fabric Configuration in this manual.
z Besides the default TPID 0x8100, you can configure only one TPID value on a Switch 4500 switch. z For the Switch 4500 series to exchange packets with the public network device properly, you should configure the TPID value used by the public network device on both the customer-side port and the service provider-side port.
VLAN-VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN-VPN Network requirements As shown in Figure 1-4, Switch A and Switch B are both Switch 4500 series switches. They connect the users to the servers through the public network. z PC users and PC servers are in VLAN 100 created in the private network, while terminal users and terminal servers are in VLAN 200, which is also created in the private network.
[SwitchA-Ethernet1/0/11] vlan-vpn enable
[SwitchA-Ethernet1/0/11] quit
# Set the TPID value of Ethernet 1/0/12 to 0x9200 (for intercommunication with the devices in the public network) and configure the port as a trunk port permitting packets of VLAN 1040.
[SwitchA] interface Ethernet 1/0/12
[SwitchA-Ethernet1/0/12] vlan-vpn tpid 9200
[SwitchA-Ethernet1/0/12] port link-type trunk
[SwitchA-Ethernet1/0/12] port trunk permit vlan 1040
z Configure Switch B.
2) The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1/0/12 of Switch A. 3) The outer VLAN tag of the packet remains unchanged while the packet travels in the public network, till it reaches Ethernet1/0/22 of Switch B. 4) After the packet reaches Switch B, it is forwarded through Ethernet1/0/21 of Switch B.
2 Selective QinQ Configuration When configuring selective QinQ, go to these sections for information you are interested in: z Selective QinQ Overview z Selective QinQ Configuration z Selective QinQ Configuration Example Selective QinQ Overview Selective QinQ Overview Selective QinQ is an enhanced application of the VLAN-VPN feature.
telephone users (in VLAN 201 to VLAN 300). Packets of all these users are forwarded by Switch A to the public network. After the selective QinQ feature and the inner-to-outer tag mapping feature are enabled on the port connecting Switch A to these users, the port will add different outer VLAN tags to the packets according to their inner VLAN tags.
device receives a packet from the service provider network, this device will find the path for the packet by searching the MAC address table of the VLAN corresponding to the outer tag and unicast the packet. Thus, packet broadcast is reduced in selective QinQ applications.
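The frame layout and the TPID rule from the VLAN-VPN chapter, and the inner-to-outer tag mapping described above for selective QinQ, can be exercised with a few lines of packet construction. The following is an added example, not 3Com code or the switch's forwarding logic: it builds a double-tagged frame with the outer TPID 0x9200 used in the VLAN-VPN configuration example, shows what a receiver that only knows 0x8100 makes of it, and chooses the outer VLAN from the inner VLAN the way the selective QinQ port does. The MAC addresses and payload are constructed, and the mapping (inner VLANs 201 to 300 to outer VLAN 1200, everything else to outer VLAN 1000) is an assumption built from the VLANs this chapter's example permits on the public network.

```python
"""Double-tagged (QinQ / VLAN-VPN) frame construction and parsing. Added
example, not 3Com code."""
import struct

TPID_8021Q = 0x8100      # standard TPID, always used here for the inner tag
PUBLIC_TPID = 0x9200     # TPID the VLAN-VPN example sets on the public-network port


def vlan_tag(tpid, vid, pcp=0):
    """4-byte VLAN tag: 16-bit TPID, then the TCI (3-bit PCP, DEI=0, 12-bit VID)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_double_tagged(dst, src, outer_vid, inner_vid, ethertype, payload,
                        outer_tpid=PUBLIC_TPID, pcp=0):
    """Destination MAC, source MAC, outer tag, inner tag, EtherType, data."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    return (dst + src + vlan_tag(outer_tpid, outer_vid, pcp)
            + vlan_tag(TPID_8021Q, inner_vid, pcp)
            + struct.pack("!H", ethertype) + payload)


def strip_tags(frame, known_tpids=(TPID_8021Q,)):
    """Peel off every tag whose TPID this receiver recognises and return
    ([vids], ethertype, payload). A tag with an unrecognised TPID is not a tag
    to this receiver: parsing stops and that TPID comes back as the EtherType,
    which is the mismatch the 'same TPID on both ports' rule prevents."""
    pos = 12
    vids = []
    while pos + 4 <= len(frame):
        (ethertype,) = struct.unpack("!H", frame[pos:pos + 2])
        if ethertype not in known_tpids:
            return vids, ethertype, frame[pos + 2:]
        (tci,) = struct.unpack("!H", frame[pos + 2:pos + 4])
        vids.append(tci & 0x0FFF)
        pos += 4
    raise ValueError("truncated frame")


def outer_vid_for(inner_vid, ranges, default_outer):
    """Selective QinQ: choose the outer VID from the inner VID. 'ranges' is a
    list of (low, high, outer_vid); an inner VID outside every range gets the
    port's default outer VID (plain VLAN-VPN behaviour)."""
    for low, high, outer in ranges:
        if low <= inner_vid <= high:
            return outer
    return default_outer


# Assumed mapping for the example: IP phone VLANs 201..300 -> outer VLAN 1200,
# everything else -> outer VLAN 1000.
PHONE_RANGES = [(201, 300, 1200)]


def encapsulate(dst, src, inner_vid, ethertype, payload, pcp=0):
    """What the customer-facing port does on ingress: pick the outer VID from
    the inner VID, copy the inner priority into the outer tag, and stamp the
    public-network TPID on the outer tag."""
    outer = outer_vid_for(inner_vid, PHONE_RANGES, 1000)
    return build_double_tagged(dst, src, outer, inner_vid, ethertype, payload, pcp=pcp)


if __name__ == "__main__":
    dst = bytes.fromhex("001122334455")     # constructed addresses
    src = bytes.fromhex("66778899aabb")
    frame = encapsulate(dst, src, 250, 0x0800, bytes(20), pcp=5)
    print(strip_tags(frame, (TPID_8021Q, PUBLIC_TPID))[:2])   # ([1200, 250], 2048)
    print(strip_tags(frame)[:2])                              # ([], 37376): 0x9200 unknown
```

The second print is the failure mode to remember when a TPID other than 0x8100 is in use: a device that was not told about 0x9200 sees an untagged frame with an unknown EtherType, not a VLAN 1200 frame.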
Do not enable both the selective QinQ function and the DHCP snooping function on a switch; otherwise the DHCP snooping function may operate improperly.
Enabling the Inter-VLAN MAC Address Replicating Feature
Follow these steps to enable the inter-VLAN MAC address replicating feature:
To do... | Use the command...
z The public network permits packets of VLAN 1000 and VLAN 1200. Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200. That is, packets of VLAN 1200 have higher transmission priority over packets of VLAN 1000. z Employ the selective QinQ feature on Switch A and Switch B to differentiate traffic of PC users from that of IP phone users, for the purpose of using QoS policies to guarantee higher priority for voice traffic.
[SwitchA-Ethernet1/0/5] port hybrid vlan 5 1000 1200 tagged
[SwitchA-Ethernet1/0/5] quit
# Configure Ethernet 1/0/3 as a hybrid port and configure VLAN 5 as its default VLAN. Configure Ethernet 1/0/3 to remove VLAN tags when forwarding packets of VLAN 5, VLAN 1000, and VLAN 1200.
[SwitchB] interface Ethernet 1/0/11
[SwitchB-Ethernet1/0/11] port link-type hybrid
[SwitchB-Ethernet1/0/11] port hybrid vlan 12 13 1000 1200 tagged
# Configure Ethernet 1/0/12 as a hybrid port and configure VLAN 12 as its default VLAN. Configure Ethernet 1/0/12 to remove VLAN tags when forwarding packets of VLAN 12 and VLAN 1000.
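The two mechanisms above, the 0x9200 outer-tag TPID from the VLAN-VPN walkthrough and the inner-to-outer tag mapping of selective QinQ, modelled in Python as an added example (not code from the 3Com guide). The frames and MAC addresses are constructed; the 201-300 to 1200 mapping follows the overview, while the 1-100 to 1000 PC range is an assumption. The parser also shows what a 0x8100-only analyser sees on the public-network side, which matters when monitoring such links.

```python
import struct

DOT1Q_TPID = 0x8100   # standard 802.1Q tag
QINQ_TPID = 0x9200    # outer-tag TPID used by Switch A in the configuration example

# Inner-VLAN ranges mapped to outer VLANs. 201-300 -> 1200 (IP phones) follows the
# overview; 1-100 -> 1000 (PC users) is a constructed assumption for this example.
OUTER_BY_INNER_RANGE = [((1, 100), 1000), ((201, 300), 1200)]


def select_outer_vlan(inner_vid):
    """Return the outer VLAN for an inner VLAN, or None if no mapping applies."""
    for (low, high), outer in OUTER_BY_INNER_RANGE:
        if low <= inner_vid <= high:
            return outer
    return None


def build_tagged_frame(dst, src, vid, ethertype=0x0800, payload=b""):
    """Constructed single-tagged (802.1Q) frame: dst, src, tag, Ethertype, payload."""
    tag = struct.pack("!HH", DOT1Q_TPID, vid & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_vlan_tags(frame, tpids=(DOT1Q_TPID, QINQ_TPID)):
    """Walk the tag stack after the MAC addresses; return ([(tpid, vid), ...], offset
    of the Ethertype). A parser that only knows 0x8100 stops at a 0x9200 outer tag
    and reports the frame as untagged, so the inner VLAN is never reached."""
    tags, offset = [], 12
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in tpids:
            break
        tags.append((tpid, tci & 0x0FFF))
        offset += 4
    return tags, offset


def selective_qinq(frame, tpid=QINQ_TPID):
    """Push an outer tag chosen by the inner VLAN, as the selective QinQ port does.
    Untagged frames and inner VLANs without a mapping are returned unchanged."""
    tags, _ = parse_vlan_tags(frame, tpids=(DOT1Q_TPID,))
    if not tags:
        return frame
    outer = select_outer_vlan(tags[0][1])
    if outer is None:
        return frame
    outer_tag = struct.pack("!HH", tpid, outer & 0x0FFF)   # PCP 0, DEI 0
    return frame[:12] + outer_tag + frame[12:]
```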
1 Remote-ping Configuration

Introduction to remote-ping

remote-ping is a network diagnostic tool used to test the performance of protocols (only ICMP so far) running on a network. It is an enhanced alternative to the ping command. A remote-ping test group is a set of remote-ping test parameters. A test group contains several test parameters and is uniquely identified by an administrator name plus a test tag. You can perform a remote-ping test after creating a test group and configuring the test parameters.
This parameter is used to enable the system to automatically perform the same test at regular intervals.
5) Test timeout time
Test timeout time is the duration for which the system waits for an ECHO-RESPONSE packet after it sends out an ECHO-REQUEST packet. If no ECHO-RESPONSE packet is received within this duration, this test is considered a failure.
Table 1-2 Display remote-ping configuration

Operation                                              Command
Display the information of remote-ping test history    display remote-ping history [ administrator-name operation-tag ]
Display the latest remote-ping test results            display remote-ping results [ administrator-name operation-tag ]

Description: The display command can be executed in any view.

Configuration Example

Network requirement

Perform a remote-ping ICMP test between two switches.
Packet lost in test: 0%
Disconnect operation number: 0
Operation timeout number: 0
System busy operation number: 0
Connection fail number: 0
Operation sequence errors: 0
Drop operation number: 0
Other operation errors: 0
[Sysname-remote-ping-administrator-icmp] display remote-ping history administrator icmp
remote-ping entry(admin administrator, tag icmp) history record:
Index Response Status LasrRC Time
1 1 1 0 2004-11-25 16:28:55.0
2 1 1 0 2004-11-25 16:28:55.
1 IPv6 Configuration

When configuring IPv6, go to these sections for information you are interested in:
- IPv6 Overview
- IPv6 Configuration Task List
- IPv6 Configuration Example

- The term "router" in this document refers to a router in a generic sense or an Ethernet switch running a routing protocol.
- The 3com switch 4500 supports IPv6 management features, but does not support IPv6 forwarding and related features.
Figure 1-1 Comparison between IPv4 header format and IPv6 header format

Adequate address space

The source IPv6 address and the destination IPv6 address are both 128 bits (16 bytes) long. IPv6 can provide 3.4 × 10^38 addresses to completely meet the requirements of hierarchical address division as well as allocation of public and private addresses.
Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 (ICMPv6) messages. The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes (nodes on the same link). The group of ICMPv6 messages takes the place of Address Resolution Protocol (ARP), Internet Control Message Protocol Version 4 (ICMPv4), and ICMPv4 redirect messages to provide a series of other functions.
- Multicast address: An identifier for a set of interfaces (typically belonging to different nodes), similar to an IPv4 multicast address. A packet sent to a multicast address is delivered to all interfaces identified by that address.
- Anycast address: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the nearest one, according to the routing protocols' measure of distance).
- Unassigned address: The unicast address :: is called the unassigned address and may not be assigned to any node. Before acquiring a valid IPv6 address, a node may fill this address in the source address field of an IPv6 packet, but may not use it as a destination IPv6 address.

Multicast address

The multicast addresses listed in Table 1-2 are reserved for special purposes.
Introduction to IPv6 Neighbor Discovery Protocol

The IPv6 Neighbor Discovery Protocol (NDP) uses five types of ICMPv6 messages to implement the following functions:
- Address resolution
- Neighbor unreachability detection
- Duplicate address detection
- Router/prefix discovery
- Address autoconfiguration
- Redirection

Table 1-3 lists the types and functions of ICMPv6 messages used by the NDP.
Address resolution

Similar to the ARP function in IPv4, a node acquires the link-layer address of neighbor nodes on the same link through NS and NA messages. Figure 1-3 shows how node A acquires the link-layer address of node B.

Figure 1-3 Address resolution

The address resolution procedure is as follows:
1) Node A multicasts an NS message. The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited-node multicast address of node B.
Figure 1-4 Duplicate address detection

The duplicate address detection procedure is as follows:
1) Node A sends an NS message whose source address is the unassigned address :: and whose destination address is the solicited-node multicast address corresponding to the IPv6 address to be detected. The NS message also contains the IPv6 address.
2) If node B uses this IPv6 address, node B returns an NA message. The NA message contains the IPv6 address of node B.
Task                                                                                      Remarks
Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time    Optional
Configuring the Hop Limit of ICMPv6 Reply Packets                                         Optional
Displaying and Maintaining IPv6                                                           Optional

Configuring an IPv6 Unicast Address

- An IPv6 address is required for a host to access an IPv6 network. A host can be assigned a global unicast address, a site-local address, or a link-local address.
To do...                                                  Use the command...                      Remarks
Configure an IPv6 link-local address:
  Automatically generate a link-local address             ipv6 address auto link-local            Optional. By default, after an IPv6 site-local address or global unicast address is configured for an interface, a link-local address will be generated automatically.
  Manually assign a link-local address for an interface   ipv6 address ipv6-address link-local
Follow these steps to configure a static neighbor entry:

To do...                            Use the command...                                                                                               Remarks
Enter system view                   system-view                                                                                                      —
Configure a static neighbor entry   ipv6 neighbor ipv6-address mac-address { vlan-id port-type port-number | interface interface-type interface-number }   Required

Configuring the maximum number of neighbors dynamically learned

The device can dynamically acquire the link-layer address of a neighbor node through NS and NA messages and add it to the neighbor table.
Configuring the NS Interval

After a device sends an NS message, if it does not receive a response within a specific period, the device will send another NS message. You can configure the interval for sending NS messages.

Follow these steps to configure the NS interval:

To do...                    Use the command...                            Remarks
Enter system view           system-view                                   —
Enter VLAN interface view   interface interface-type interface-number     —
Specify the NS interval     ipv6 nd ns retrans-timer value                Optional. 1,000 milliseconds by default.
packets are received, the IPv6 TCP connection status becomes TIME_WAIT. If other packets are received, the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires.
- Size of IPv6 TCP receiving/sending buffer.
To do...                                          Use the command...        Remarks
Enter system view                                 system-view               —
Configure the hop limit of ICMPv6 reply packets   ipv6 nd hop-limit value   Optional. 64 by default.
IPv6 Configuration Example

IPv6 Unicast Address Configuration

Network requirements

Two switches are directly connected through two Ethernet ports. The Ethernet ports belong to VLAN 2. Different types of IPv6 addresses are configured for the interface VLAN-interface 2 on each switch to verify the connectivity between the two switches. The IPv6 prefix in the EUI-64 format is 2001::/64, the global unicast address of Switch A is 3001::1/64, and the global unicast address of Switch B is 3001::2/64.
Global unicast address(es):
  2001::20F:E2FF:FE49:8048, subnet is 2001::/64
  3001::1, subnet is 3001::/64
Joined group address(es):
  FF02::1:FF00:1
  FF02::1:FF49:8048
  FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Display the brief IPv6 information of the interface on Switch B.
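The display output above can be reproduced from first principles: the EUI-64 address is derived from the interface MAC, and each "joined group" is the solicited-node multicast group that address resolution and duplicate address detection (described in the ND section) send their NS messages to. The following Python is an added example, not code from the guide; it assumes a MAC of 000f-e249-8048 for Switch A, inferred from the displayed address, and recomputes the groups shown.

```python
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
ALL_NODES = "ff02::1"


def eui64_interface_id(mac):
    """Interface ID from a 48-bit MAC: insert FFFE in the middle and flip the U/L bit.
    Accepts 00:0f:e2:49:80:48, 00-0f-e2-49-80-48, or the switch's 000f-e249-8048 form."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def eui64_address(prefix, mac):
    """Global unicast address formed from a /64 prefix and the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addresses need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low 24 bits of addr.
    This is the NS destination for address resolution and for DAD."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def joined_groups(unicast_addrs):
    """Groups an interface must join: all-nodes plus one solicited-node group per
    unicast address. Addresses sharing their low 24 bits (for example the link-local
    and EUI-64 global addresses of one MAC) share a single group."""
    groups = {ALL_NODES}
    groups.update(str(solicited_node(a)) for a in unicast_addrs)
    return sorted(groups)


def dad_probe(candidate):
    """(source, destination, target) of the NS used for duplicate address detection:
    source is the unassigned address ::, destination the solicited-node group."""
    target = ipaddress.IPv6Address(candidate)
    return "::", str(solicited_node(target)), str(target)
```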
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=3 hop limit=255 time = 60 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=4 hop limit=255 time = 70 ms
Reply from FE80::20F:E2FF:FE00:1 bytes=56 Sequence=5 hop limit=255 time = 60 ms

--- FE80::20F:E2FF:FE00:1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
2 IPv6 Application Configuration

When configuring IPv6 applications, go to these sections for information you are interested in:
- Introduction to IPv6 Application
- Configuring IPv6 Application
- IPv6 Application Configuration Example
- Troubleshooting IPv6 Application

Introduction to IPv6 Application

IPv6 supports more and more applications. Most IPv6 applications are the same as those of IPv4.
IPv6 Traceroute

The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination, so as to check whether the link is available and determine the point of failure.

Figure 2-1 Traceroute process

As Figure 2-1 shows, the traceroute process is as follows:
- The source sends an IP datagram with the Hop Limit of 1.
- If the first hop device receiving the datagram reads the Hop Limit of 1, it will discard the packet and return an ICMP timeout error message.
To do...                                  Use the command...                                                                                                   Remarks
Download/Upload files from TFTP server    tftp ipv6 remote-system [ -i interface-type interface-number ] { get | put } source-filename [ destination-filename ]   Required. Available in user view

When you use the tftp ipv6 command to connect to the TFTP server, you must specify the -i keyword if the destination address is a link-local address.
Displaying and maintaining IPv6 Telnet

To do...                                                          Use the command...       Remarks
Display the use information of the users who have logged in       display users [ all ]    Available in any view

IPv6 Application Configuration Example

IPv6 Applications

Network requirements

In Figure 2-3, SWA, SWB, and SWC are three switches, among which SWA is a 3com switch 4500, and SWB and SWC are two switches supporting IPv6 forwarding.
bytes=56 Sequence=2 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=3 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=4 hop limit=64 time = 31 ms
Reply from 3003::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms

--- 3003::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/46/110 ms
# On SWA, configure static routes to SWC, the Telnet Server, and the TFTP Server.
Solution
- Check that the IPv6 addresses are configured correctly.
- Use the display ipv6 interface command to verify that the interfaces of the source and the destination, and the link-layer protocol between them, are up.
- Use the display ipv6 route-table command to verify that the destination is reachable.
1 Access Management Configuration

When configuring access management, go to these sections for information you are interested in:
- Access Management Overview
- Configuring Access Management
- Access Management Configuration Examples

Access Management Overview

Normally, client PCs in a network are connected to switches operating on the network access layer (also referred to as access switches) through Layer 2 switches; and the access switches provide external network accesses for the client PCs throu
- A port without an access management IP address pool configured allows the hosts to access external networks only if their IP addresses are not in the access management IP address pools of other ports of the switch.

Note that the IP addresses in the access management IP address pool configured on a port must be in the same network segment as the IP address of the VLAN interface of the VLAN to which the port belongs.
Access Management Configuration Examples

Access Management Configuration Example

Network requirements

Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24. The IP address of PC 2 is 202.10.20.100/24, and that of PC 3 is 202.10.20.101/24.
- Allow the PCs of Organization 1 to access the external network through Ethernet 1/0/1 on Switch A.
[Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20

Combining Access Management with Port Isolation

Network requirements

Client PCs are connected to the external network through Switch A (an Ethernet switch). The IP addresses of the PCs of Organization 1 are in the range 202.10.20.1/24 to 202.10.20.20/24, and those of the PCs in Organization 2 are in the range 202.10.20.25/24 to 202.10.20.50/24 and the range 202.10.20.55/24 to 202.10.20.65/24.
# Set the IP address of VLAN-interface 1 to 202.10.20.200/24.
[Sysname] interface Vlan-interface 1
[Sysname-Vlan-interface1] ip address 202.10.20.200 24
[Sysname-Vlan-interface1] quit
# Configure the access management IP address pool on Ethernet 1/0/1.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] am ip-pool 202.10.20.1 20
# Add Ethernet 1/0/1 to the port isolation group.
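The admission rules stated in the overview (a port with a pool admits only pooled addresses, a port without a pool admits any address not pooled elsewhere, and every pool must sit in the VLAN interface's subnet) are easy to get wrong when reviewing a configuration, so here they are modelled in Python as an added example, not code from the guide. It reads the same `am ip-pool start-ip count` arguments as the example above; allowing more than one pool per port is an assumption made so Organization 2's two ranges can be represented.

```python
import ipaddress


class AccessManagementError(ValueError):
    """Raised for a pool that violates the VLAN-interface subnet rule."""


def am_ip_pool(start_ip, count):
    """Addresses covered by 'am ip-pool start-ip count', e.g. 202.10.20.1 20 -> .1 to .20."""
    start = ipaddress.IPv4Address(start_ip)
    return {start + i for i in range(count)}


def build_port_pools(config):
    """config: {port: [(start_ip, count), ...]} -> {port: set of pooled addresses}.
    Several pools per port is an assumption for this example, not a documented limit."""
    return {port: set().union(*(am_ip_pool(s, n) for s, n in pools))
            for port, pools in config.items()}


def validate_pools(port_pools, vlan_interface):
    """Every pooled address must lie in the subnet of the VLAN interface (given as
    address/prefix, e.g. 202.10.20.200/24) of the VLAN the ports belong to."""
    subnet = ipaddress.IPv4Interface(vlan_interface).network
    for port, addrs in port_pools.items():
        outside = sorted(a for a in addrs if a not in subnet)
        if outside:
            raise AccessManagementError(f"{port}: {outside[0]} is outside {subnet}")
    return True


def is_permitted(port, host_ip, port_pools):
    """A port with a pool admits only pooled addresses; a port without a pool admits a
    host unless its address belongs to another port's pool."""
    host = ipaddress.IPv4Address(host_ip)
    if port in port_pools:
        return host in port_pools[port]
    return all(host not in addrs for addrs in port_pools.values())
```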
Appendix A Acronyms

A
AAA   Authentication, Authorization and Accounting
ABR   Area Border Router
ACL   Access Control List
ARP   Address Resolution Protocol
AS    Autonomous System
ASBR  Autonomous System Border Router

B
BDR   Backup Designated Router

C
CAR   Committed Access Rate
CLI   Command Line Interface
CoS   Class of Service

D
DHCP  Dynamic Host Configuration Protocol
DLDP  Device Link Detection Protocol
DR    Designated Router
D-V   Distance Vector Routing Algorithm

E
EGP   Exterior Gateway Protoco
LSDB  Link State DataBase

M
MAC   Medium Access Control
MIB   Management Information Base

N
NBMA  Non Broadcast MultiAccess
NIC   Network Information Center
NMS   Network Management System
NTP   Network Time Protocol
NVRAM Nonvolatile RAM

O
OSPF  Open Shortest Path First

P
PIM   Protocol Independent Multicast
PIM-DM Protocol Independent Multicast-Dense Mode
PIM-SM Protocol Independent Multicast-Sparse Mode
PoE   Power over Ethernet

Q
QoS   Quality of Service

R
RIP   Routing Information Protocol
RMO
VPN   Virtual Private Network

W
WRR   Weighted Round Robin

X
XID   eXchange Identification
XRN   eXpandable Resilient Networking