3Com® Switch 5500 Family Configuration Guide Switch 5500-SI Switch 5500-EI Switch 5500G-EI www.3Com.com Part Number: 10014922 Rev.
3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064 Copyright © 2006, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.
CONTENTS ABOUT THIS GUIDE Organization of the Manual Intended Readership 22 Conventions 22 Related Manuals 23 1 21 GETTING STARTED Product Overview 25 XRN Overview 26 Major Technologies 26 Typical Networking Topology 26 Product Features 27 Logging in to the Switch 29 Setting up Configuration Environment through the Console Port Setting up Configuration Environment through Telnet 31 Setting up Configuration Environment through a Dial-up Modem Command Line Interface 37 Command Line View 37 Fea
Displaying Port Configuration Information in Brief 67 Ethernet Port Configuration Example 67 Ethernet Port Troubleshooting 68 Link Aggregation Configuration 68 Link Aggregation Configuration 71 Displaying and Debugging Link Aggregation 74 Link Aggregation Configuration Example 75 Global Broadcast Suppression Feature 76 Configuring Global Broadcast Suppression 76 Global Broadcast Suppression Configuration Example 76 Configuration procedure 76 Displaying Information About a Specified Op
Protocol-Based VLAN Configuration 100 Configuring Protocol-Based VLANs 100 Displaying the Information about Protocol-Based VLANs Voice VLAN Configuration 102 Voice VLAN Configuration 102 Displaying and Debugging of Voice VLAN 106 Voice VLAN Configuration Example 106 Creating VLANs in Batches 107 Voice VLAN Configuration 107 Configuring the Voice VLAN Function 108 Voice VLAN Displaying and Debugging 109 Voice VLAN Configuration Example 109 7 101 GVRP CONFIGURATION Introduction to GVRP 111 GVRP Working
10 DHCP SERVER CONFIGURATION Introduction to DHCP Server 125 Usage of DHCP Server 125 DHCP Fundamentals 125 DHCP Packet Processing Modes 127 DHCP Address Pool 127 Global Address Pool-Based DHCP Server Configuration 128 Configuration Overview 128 Enabling DHCP 128 Configuring Global Address Pool Mode on Interface(s) 129 Configuring How to Assign IP Addresses in a Global Address Pool 129 Configuring DNS Services for DHCP Clients 130 Configuring NetBIOS Services for DHCP Clients 131 Cus
12 VRRP CONFIGURATION VRRP Overview 151 Virtual Router Overview 152 Introduction to Backup Group 153 VRRP Configuration 155 Configuring a Virtual Router IP address 155 Configuring Backup Group-Related Parameters 156 Displaying and Clearing VRRP Information 157 VRRP Configuration Example 157 Single-VRRP Backup Group Configuration Example 157 VRRP Tracking Interface Example 158 Multiple-VRRP Backup Group Configuration Example 160 Troubleshooting VRRP 162 13 MSTP CONFIGURATION MSTP Overview 163 MSTP Prot
Introduction to the Protection Functions Prerequisites 186 Configuring BPDU Protection 187 Configuring Root Protection 187 Configuring Loop Prevention 188 Configuring TC-BPDU Attack Prevention BPDU Tunnel Configuration 188 Introduction to BPDU Tunnel 188 Configuring BPDU Tunnel 189 Displaying and Debugging MSTP 190 MSTP Configuration Example 190 BPDU Tunnel Configuration Example 192 14 185 188 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION Introduction to Centralized MAC Add
Displaying and Debugging RIP 233 Example: Typical RIP Configuration 233 Troubleshooting RIP 234 OSPF Configuration 235 Calculating OSPF Routes 235 Basic Concepts Related to OSPF 236 Configuring OSPF 237 Displaying and Debugging OSPF 253 254 Example: Configuring DR Election Based on OSPF Priority Example: Configuring OSPF Virtual Link 256 Troubleshooting OSPF 257 IP Routing Policy 258 Configuring an IP Routing Policy 259 Forwarding Layer 3 Broadcast Packets 263 Displaying and Debugging the Routing Policy
Option 82 Supporting Configuration 288 Prerequisites 288 Enabling Option 82 Supporting on a DHCP Relay 288 Option 82 Supporting Configuration Example 289 Introduction to DHCP Snooping 290 DHCP Snooping Configuration 291 Configuration Example 292 Introduction to DHCP Accounting 292 Structure of the DHCP Accounting Packets 292 DHCP Accounting Fundamentals 294 DHCP Accounting Configuration 294 Displaying and Debugging DHCP Configuration 296 DHCP Relay Configuration Example One 297 DHCP
Displaying Multicast MAC Address Configuration 324 Multicast Source Deny Configuration 325 Clearing MFC Forwarding Entries or Statistics Information 325 Clearing Route Entries From The Core Multicast Routing Table 325 Displaying and Debugging Common Multicast Configuration 326 Internet Group Management Protocol (IGMP) 326 Configuring IGMP 328 Displaying and debugging IGMP 333 PIM-DM Overview 333 Configuring PIM-DM 335 Displaying and Debugging PIM-DM 338 PIM-DM Configuration Example 338 PIM-SM Overview 3
Applying QoS Profile to the Port 374 QoS Profile Configuration Example 374 ACL Control Configuration 376 Configuring ACL for Telnet Users 376 Defining ACL 376 Importing ACL 377 Configuration Example 377 Configuring ACL for SNMP Users 377 Configuration Example 379 Configuring ACL Control over the HTTP Users Defining ACL 379 Calling ACL to Control HTTP Users 379 Configuration Example 380 20 379 CONFIGURATION FOR QOS FEATURES RSPAN Features 381 Configuration Prerequisite 382 Configur
Configuring Timers 398 Enabling/Disabling a Quiet-Period Timer 399 802.1x Client Version Checking Configuration 399 Enabling the 802.1x Client Version Checking Function 399 Configuring the Maximum Number of Retries to Send Version Checking Request Packets 399 Configuring the Version Checking Timer 400 802.
Configuring User Re-authentication at Reboot 425 Configuration Example for User Re-authentication at Reboot 425 Setting the RADIUS Packet Encryption Key 425 Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.
MAC Address Table Management 451 MAC Address Table Configuration 452 Displaying MAC Address Table 454 MAC Address Table Management Display Example 454 MAC Address Table Management Configuration Example 455 Device Management 456 Device Management Configuration 456 Device Management Configuration Example 457 System Maintenance and Debugging 459 Setting the Daylight Saving Time 459 459 Telneting with Specified Source IP Address/Source Interface IP Address 460 Basic System Configuration 460 Terminating the
Configure NTP Broadcast Mode 502 Configure NTP Multicast Mode 504 Configure Authentication-enabled NTP Server Mode SSH Terminal Services 506 Configuring SSH Server 507 Setting System Protocol 507 Configuring SSH Client 510 SSH Configuration Example 515 File System Configuration 516 Introduction to File System 516 File System Configuration 517 FTP Lighting Configuration 518 Introduction to FTP 518 FTP Lighting Procedure 518 TFTP Lighting Configuration 520 TFTP Lighting Procedure 521
26 RSTP CONFIGURATION STP Overview 539 Implement STP 539 Configuration BPDU Forwarding Mechanism in STP 543 Implement RSTP on the Switch 543 RSTP Configuration 544 Enable/Disable RSTP on a Switch 547 Enable/Disable RSTP on a Port 547 Configure RSTP Operating Mode 548 Configure the STP-Ignore attribute of VLANs on a Switch 548 Set Priority of a Specified Bridge 549 Specify the Switch as Primary or Secondary Root Bridge 549 Set Forward Delay of a Specified Bridge 550 Set Hello Time of the Specified Bridg
Network Management Operation Logging Configuration Displaying and Debugging SNMP 570 SNMP Configuration Example 570 Reading Usmusr Table Configuration Example 571 29 569 SOURCE IP ADDRESS CONFIGURATION Configuring Source IP Address for Service Packets 573 Displaying the Source IP Address Configuration 574 30 PASSWORD CONTROL CONFIGURATION OPERATIONS Introduction to Password Control Configuration 575 Password Control Configuration 576 Configuration Prerequisites 576 Configuration
32 CLUSTERING Clustering Overview 601 Switch Roles 602 Introduction to NDP 603 Introduction to NTDP 603 Introduction to Cluster Roles 604 Management Device Configuration 605 Enabling System and Port NDP 605 Configuring NDP Parameters 605 Enabling System and Port NTDP 605 Configuring NTDP Parameters 605 Configuring Cluster Parameters 606 Configuring Internal-External Interaction 607 NM Interface for Cluster Management Configuration 607 Member Device Configuration 608 Enabling System and Port NDP 608 Ena
B RADIUS SERVER AND RADIUS CLIENT SETUP Setting Up A RADIUS Server 627 Configuring Microsoft IAS RADIUS 627 Configuring Funk RADIUS 652 Configuring FreeRADIUS 656 Setting Up the RADIUS Client 658 Windows 2000 built-in client 658 Windows XP built-in client 658 Aegis Client Installation 659 C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS Cisco Secure ACS (TACACS+) and the 3Com Switch 5500 Setting Up the Cisco Secure ACS (TACACS+) server 661 Adding a 3Com Switch 5500 as a RADI
ABOUT THIS GUIDE This guide provides information about configuring your network using the commands supported on the 3Com® Switch 5500 Family. The descriptions in this guide apply to the Switch 5500-SI and Switch 5500-EI. Differences between the models are noted in the text. Organization of the Manual The Switch 5500 Family Configuration Guide consists of the following chapters: ■ Getting Started—Details the main features and configurations of the Switch 5500.
Intended Readership
Conventions
■ ACL by RADIUS—Details ACL by RADIUS Configuration.
■ Auto Detect—Details Auto Detect Configuration.
■ RSTP—Details Spanning Tree Protocol Configuration.
■ PoE—Details PoE profile Configuration.
■ SNMP—Details Simple Network Management Protocol Configuration.
■ Source IP Address—Details Source IP Address Configuration for the FTP client and server.
■ Password Control—Details Password Control Configuration.
Related Manuals
Table 2 Text conventions (continued)
Convention: Description
Variable command text: This typeface indicates the variable part of a command text. You must type a value here, and press Return or Enter when you are ready to enter the command. Example: in the command super level, a value in the range 0 to 3 must be entered in the position indicated by level.
{ x | y | ... }: Alternative items, one of which must be entered, are grouped in braces and separated by vertical bars.
1 GETTING STARTED
This chapter covers the following topics:
■ Product Overview
■ XRN Overview
■ Product Features
■ Logging in to the Switch
■ Command Line Interface
■ User Interface Configuration
Product Overview
The Switch 5500 Family is a range of Layer 3 switching products supporting expandable resilient networking (XRN). The Switch 5500 can be one of two series: the Switch 5500-SI or the Switch 5500-EI.
Table 3 Models in the Switch 5500 family (continued)
Model: 5500G-EI PWR 48-Port. Power supply unit (PSU): AC-input, DC-input. Number of service ports: 48. Number of 100 Mbps ports: —. Number of 1000 Mbps uplink ports: 44 10/100/1000 Mbps plus 4 10/100/1000 or SFP. Console port: 1.
Model: 5500G-EI 24-Port SFP. Power supply unit (PSU): AC-input, DC-input. Number of service ports: 24. Number of 100 Mbps ports: —. Number of 1000 Mbps uplink ports: 20 10/100/1000 Mbps plus 4 10/100/1000 or SFP. Console port: 1.
The Switch 5500 family supports the following services:
XRN Overview
Major Technologies
■ Internet
Product Features
Figure 1 Networking Topology with XRN (server; core switches Unit 1 to Unit 4 forming the Fabric; workgroup switches; desktop PCs)
Table 4 describes the features:
Table 4 Function Features
Features: Description
Port: 802.1D Learning; Static MAC (unicast/multicast); Jumbo Frame (9k) (EI models only); Unidirectional Link Detection (UDLD)
VLAN: VLAN compliant with IEEE 802.1Q Standard; Port-based VLAN; Protocol Based VLAN, compliant with IEEE 802.
Table 4 Function Features (continued)
Multicast: Internet Group Management Protocol (IGMP) Snooping; Multicast VLAN Registration (MVR); Internet Group Management Protocol (IGMP) (EI models only); Protocol-Independent Multicast-Dense Mode (PIM-DM) (EI models only); Protocol-Independent Multicast-Sparse Mode (PIM-SM) (EI models only); Multicast Source Discovery Protocol (MSDP) (EI models only)
IP routing: Static route; RIP v1/v2; OSPF (EI models only); IP routin
Table 4 Function Features (continued)
Management and Maintenance: Command line interface configuration; Configuration through console port; Remote configuration through Telnet or SSH; Configuration through dialing the Modem; SNMP v1/2c/3; System log; Level alarms; Output of debugging information; Ping and Tracert; Remote maintenance with Telnet, Modem and SSHv2
Loading and updates: Loading and upgrading of software through the XModem protocol; Loading and upgradin
Figure 3 Setting up a New Connection
Figure 4 Configuring the Port for Connection
Figure 5 Setting Communication Parameters
3 The Switch is powered on and displays self-test information. Press <Enter> to show the command line prompt.
4 Enter a command to configure the Switch or view the operation state. Enter ? to view online help. For details of specific commands, refer to the following sections.
Figure 6 Setting up the Configuration Environment through Telnet (workstation, Ethernet port, Ethernet, server, workstation, PC for configuring the switch via Telnet)
3 Run Telnet on the PC and enter the IP address of the VLAN connected to the network port on the PC.
Figure 7 Running Telnet
4 The terminal displays Login authentication and prompts the user to enter the logon password.
Figure 8 Providing Telnet Client Service (PC, Telnet Client, Telnet Server)
1 Authenticate the Telnet user through the console port on the Telnet Server (a Switch) before login. By default, the password is required to authenticate Telnet users and to enable them to log on to the Switch. If a user logs in through Telnet without the password, the unit displays an error prompt.
2 Perform the following configurations on the Modem that is directly connected to the Switch. (You are not required to configure the Modem connected to the terminal.
Figure 9 Setting up Remote Configuration Environment (remote terminal, Modem, serial port line, telephone line, PSTN, Modem, console port; Remote tel: 1234567)
4 Dial for connection to the Switch, using the terminal emulator and Modem on the remote end. The number you dial is the telephone number of the Modem connected to the Switch. See Figure 10 and Figure 11.
Figure 11 Dialing on the Remote PC
5 Enter the preset login password on the remote terminal emulator and wait for the prompt. Then you can configure and manage the Switch. Enter ? to view online help. For details of specific commands, refer to the following chapters. By default, after login, a modem user can access the commands at Level 0.
Command Line Interface
Command Line View
The Switch 5500 family provides a series of configuration commands and command line interfaces for configuring and managing the Switch. The command line interface has the following characteristics:
■ Local configuration through the console port.
■ Local or remote configuration through Telnet or SSH.
■ Remote configuration through a dial-up Modem to log in to the Switch.
user has entered super password [ level level ] { simple | cipher } password.) For the sake of confidentiality, the password is not echoed on the screen as the user types it. Only if the correct password is entered (three attempts are allowed) can the user switch to the higher level; otherwise the original user level remains unchanged. Different command views are implemented according to different requirements, and they are related to one another.
Table 5 Features of Command Views (continued)
Command view: VLAN Interface View. Function: Configure IP interface parameters for a VLAN or a VLAN aggregation. Prompt: [SW5500-Vlan-interface1]. Command to enter: Enter interface vlan-interface 1 in System View. Command to exit: quit returns to System View; return returns to User View.
Command view: Local-User View. Function: Configure local user parameters. Prompt: [SW5500-luser-user1]. Command to enter: Enter local-user user1 in System View. Command to exit: quit returns to System View; return retur
Table 5 Features of Command Views (continued)
Command view: User-defined ACL View. Function: Define the rule of a user-defined ACL. Prompt: [SW5500-acl-user-5000]. Command to enter: Enter acl number 5000 in System View. Command to exit: quit returns to System View; return returns to User View.
Command view: QoS profile View. Function: Define a QoS profile. Prompt: [SW5500-qos-profile-h3c]. Command to enter: Enter qos-profile h3c in System View. Command to exit: quit returns to System View; return returns to User View.
Command view: RADIUS Server Group View. Function: Conf
Displaying Characteristics of the Command Line
The command line interface provides a pausing function. If the information to be displayed exceeds one screen, users have three choices, as shown in Table 6.
Table 6 Functions of Displaying
Key or Command: Function
Press when the display pauses: Stop displaying and executing the command.
Enter a space when the display pauses: Continue to display the next screen of information.
Editing Characteristics of the Command Line
The command line interface provides basic command editing and supports the editing of multiple lines. A command cannot be longer than 256 characters. See Table 9.
Table 9 Editing Functions
Key: Function
Common keys: Insert the character at the cursor position and move the cursor to the right, if the edit buffer still has free space.
Backspace: Delete the character preceding the cursor and move the cursor backward.
User Interface Configuration
To number the user interfaces by relative number, represented by interface type + number assigned to each type of user interface:
■ AUX user interface = AUX 0.
■ The first VTY interface = VTY 0, the second one = VTY 1, and so on.
Configuring the Attributes of the AUX (Console) Port
Use the speed, flow control, parity, stop bit, and data bit commands to configure these attributes of the AUX (console) port. Perform the following configurations in User Interface (AUX user interface only) View.
Configuring the Terminal Attributes
The following commands can be used for configuring the terminal attributes, including enabling/disabling terminal service, disconnection upon timeout, lockable user interface, configuring terminal screen length, and history command buffer size. Perform the following configuration in User Interface View. Perform the lock command in User View.
Setting the Screen Length
If a command displays more than one screen of information, you can use the following command to set how many lines are displayed per screen, so that the information is split across screens and you can view it more conveniently.
Perform the following configuration in User Interface View.
Table 23 Configuring the local authentication password
Operation: Command
Configure the local authentication password: set authentication password { cipher | simple } password
Remove the local authentication password: undo set authentication password
Configure password authentication for users logging in through the VTY 0 user interface, and set the password to 3Com.
By default, the specified logged-in user can access the commands at Level 1.
Setting the Command Level used after a User Logs In from a User Interface
You can use the following command to set the command level after a user logs in from a specific user interface, so that the user is able to execute the commands at that command level. Perform the following configuration in User Interface View.
auto-execute command
The following command is used to automatically run a command after you log in. After a command is configured to be run automatically, it will be executed automatically when you log in again. This command is usually used to automatically execute the telnet command on the terminal, which will connect the user to a designated device automatically. Perform the following configuration in User Interface View.
2 ADDRESS MANAGEMENT CONFIGURATION Introduction to Address Management You can easily configure the switch on which the Address Manage (AM) feature is enabled to allow a user with the specified MAC address to gain network access through the specified IP address in a small network, such as a campus network. This facilitates the implementation of user management and accounting.
Perform the following operations to bind the MAC address and IP address of a legal user to the specified port; no other configuration is required.
Address Management Configuration Example
To configure an address management IP address pool on GigabitEthernet 1/0/1, allowing 20 IP addresses from 202.10.20.1 to 202.10.20.20 to access the network, enter the following:
[S5500] interface GigabitEthernet 1/0/1
[S5500-GigabitEthernet 1/0/1] am ip-pool 202.10.20.1 20
Configuration Example of Binding the MAC Address and IP Address of a Legal User
Network requirements
The GigabitEthernet1/0/1 port of the switch is connected to multiple PCs.
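The following added example (not from the guide) models the two AM controls this chapter describes: an `am ip-pool start count` on a port and `am user-bind mac-addr ... ip-addr ... [ interface ... ]` bindings. It parses a constructed configuration excerpt in the guide's command syntax and decides whether a host seen on a port is permitted; the semantics (a bound MAC must use its bound IP, any other MAC must use a pool address, an unconfigured port is unrestricted) and all sample values are assumptions.

```python
import ipaddress
import re

# Constructed configuration excerpt in the guide's command syntax; it is not
# taken from a real device. The first line is a system-view binding (with
# "interface"), the others are entered in Ethernet port view.
SAMPLE_CONFIG = """\
am user-bind mac-addr 00e0-fc00-3901 ip-addr 10.153.1.1 interface GigabitEthernet 1/0/2
interface GigabitEthernet 1/0/1
 am ip-pool 202.10.20.1 20
 am user-bind mac-addr 00e0-fc00-3900 ip-addr 202.10.20.5
"""

_IFACE = re.compile(r"^interface\s+(.+)$")
_POOL = re.compile(r"^am ip-pool\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)$")
_BIND = re.compile(
    r"^am user-bind mac-addr\s+(\S+)\s+ip-addr\s+(\S+)(?:\s+interface\s+(.+))?$")


def port_name(text):
    """Canonical port name: 'GigabitEthernet 1/0/1' -> 'GigabitEthernet1/0/1'."""
    return re.sub(r"\s+", "", text)


def normalize_mac(mac):
    """Accept 00e0-fc00-3900 or 00:e0:fc:00:39:00 and return the dashed form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return "-".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def parse_am_config(text):
    """Return {port: {"pools": [(first_ip_int, count)], "bindings": {mac: ip}}}."""
    policy = {}
    current = None  # port whose Ethernet port view we are "in"
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _IFACE.match(line)):
            current = port_name(m.group(1))
            policy.setdefault(current, {"pools": [], "bindings": {}})
        elif (m := _POOL.match(line)):
            if current is None:
                raise ValueError("am ip-pool is only valid in Ethernet port view")
            first = int(ipaddress.IPv4Address(m.group(1)))
            # The guide's example: start 202.10.20.1, count 20 -> .1 to .20
            policy[current]["pools"].append((first, int(m.group(2))))
        elif (m := _BIND.match(line)):
            mac, ip, iface = m.groups()
            port = port_name(iface) if iface else current
            if port is None:
                raise ValueError("am user-bind in system view needs 'interface'")
            entry = policy.setdefault(port, {"pools": [], "bindings": {}})
            entry["bindings"][normalize_mac(mac)] = str(ipaddress.IPv4Address(ip))
    return policy


def is_permitted(policy, port, mac, ip):
    """Decide whether host (mac, ip) may send through `port` under the AM policy.

    Assumed semantics: a bound MAC must use exactly its bound IP; any other MAC
    must use an address inside one of the port's pools; a port with no AM
    configuration is not restricted by this model.
    """
    entry = policy.get(port_name(port))
    if entry is None:
        return True
    addr = int(ipaddress.IPv4Address(ip))
    bound_ip = entry["bindings"].get(normalize_mac(mac))
    if bound_ip is not None:
        return int(ipaddress.IPv4Address(bound_ip)) == addr
    return any(first <= addr < first + count for first, count in entry["pools"])


if __name__ == "__main__":
    am = parse_am_config(SAMPLE_CONFIG)
    print(is_permitted(am, "GigabitEthernet 1/0/1", "00:e0:fc:00:39:00", "202.10.20.5"))
```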
3 PORT OPERATION
This chapter covers the following topics:
■ Ethernet Port Configuration Introduction
■ Link Aggregation Configuration
■ Global Broadcast Suppression Feature
■ Configuring VCT
■ Displaying Port Configuration Information in Brief
■ Displaying Information About a Specified Optical Port
Ethernet Port Configuration Introduction
Ethernet Port Configuration
The following features are found in the Ethernet ports of the Switch 5500:
■ 10/100B
Entering Ethernet Port View
Before configuring an Ethernet port, enter Ethernet Port View. Perform the following configuration in System View.
Table 32 Entering Ethernet Port View
Operation: Command
Enter Ethernet Port View: interface { interface_type interface_num | interface_name }
Enabling/Disabling an Ethernet Port
Use the following command to disable or enable the port.
duplex and can be configured to operate in full (full duplex) or auto (auto-negotiation) mode. The port defaults to auto (auto-negotiation) mode.
Setting Speed on the Ethernet Port
Use the following command to set the speed of the Ethernet port. If the speed is set to auto-negotiation mode, the local and peer ports will automatically negotiate the port speed. Perform the following configuration in Ethernet Port View.
Permitting/Forbidding Jumbo Frames to Pass through an Ethernet Port
An Ethernet port may encounter jumbo frames that exceed the standard frame length when switching high-throughput traffic such as file transfers. This command can forbid or permit jumbo frames to pass through an Ethernet port. Perform the following configuration in Ethernet Port View.
Perform the following configuration in Ethernet Port View.
can configure to tag some VLAN packets, based on which the packets can be processed differently.
Setting the Default VLAN ID for the Ethernet Port
Because the access port can only be included in one VLAN, its default VLAN is the one to which it belongs. Because a hybrid port and a trunk port can be included in several VLANs, you must configure the default VLAN ID.
Table 44 Configure loopback detection for Ethernet port (continued)
Operation: Enter the Ethernet port view. Command: interface interface-type interface-number. Description: -
Operation: Enable the loopback detection function for a specified port. Command: loopback-detection enable. Description: Optional. By default, the loopback detection function is disabled.
Operation: Enable the loopback detection control function for Trunk ports and Hybrid ports. Command: loopback-detection control enable. Description: Optional.
By default, port loopback detection and the loopback detection control function on trunk and hybrid ports are disabled. The detection interval is 30 seconds, and the system detects the default VLAN on the trunk and hybrid ports.
Configuring VCT
You can start the virtual cable test (VCT) to make the system test the cable connected to the current electrical Ethernet port, and the system will return the test results in five seconds.
authenticated devices can obtain data frames from the port, so as to prevent illegal devices from filching network data.
2 Intrusion Protection: By checking the source MAC addresses of the data frames received on a port, this feature discovers illegal packets and takes appropriate action (temporarily/permanently disabling the port, or filtering out the packets with these MAC addresses) to guarantee the security of the port.
Table 47 Configure port security (continued)
Operation: Bind the MAC and IP addresses of a legal user to a specified port. Command: am user-bind mac-addr mac-address ip-addr ip-address [ interface interface-type interface-number ]. Description: Optional. You need to specify the bound port if you use this command in system view. You do not need to specify the bound port if you use this command in Ethernet port view, because the MAC and IP address will be bound to the current port.
Network diagram
Figure 14 Network diagram for port security configuration (Switch A, Switch B, GigabitEthernet1/0/1, PC1, PC2; IP Address: 10.153.1.1, MAC Address: 00e0-fc00-3900)
Configuration procedure
Configure switch A as follows:
1 Enter the system view.
system-view
2 Enable port security.
[S5500] port-security enable
3 Enter Ethernet1/0/1 port view.
[S5500] interface Ethernet1/0/1
4 Adopt MAC address authentication mode on the port.
statistics. The VLAN setting includes permitted VLAN types and default VLAN ID. The port setting includes port link type, port speed, and duplex mode. The LACP setting includes LACP enabling/disabling. Perform the following configuration in System View.
Displaying Port Configuration Information in Brief
This S5500 version has a new command, display brief interface, which displays the port configuration information in brief, including the port type, link state, link rate, duplex attribute, link type and default VLAN ID.
Ethernet Port Troubleshooting
Fault: Default VLAN ID configuration failed.
Troubleshooting: Take the following steps.
1 Use the display interface or display port command to check whether the port is a trunk port or a hybrid port. If it is neither, configure it as a trunk port or a hybrid port.
2 Configure the default VLAN ID.
Types of Link Aggregation
The types of link aggregation are described in the following sections:
■ Manual Aggregation and Static LACP Aggregation
■ Dynamic LACP Aggregation
Manual Aggregation and Static LACP Aggregation
Both manual aggregation and static LACP aggregation require manual configuration of aggregation groups and prohibit automatic adding or deleting of member ports by the system.
■ The system sets to inactive state the ports whose basic configuration differs from that of the active port with the minimum port number. Because only a defined number of ports can be supported in an aggregation group, if the active ports in an aggregation group exceed the port quantity threshold for that group, the system sets the ports with the smaller port numbers (in ascending order) as selected ports and the others as standby ports.
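As an added illustration (not code from the guide or the switch firmware), the two rules above can be written as a small port-classification routine. The "basic configuration" it compares is the port, VLAN and LACP settings the chapter lists for manual and static LACP groups; the threshold `max_active` and the sample ports are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    """Member port of a manual or static LACP aggregation group (constructed model)."""
    number: int
    link_up: bool
    speed: int        # Mbps
    duplex: str       # "full" or "half"
    link_type: str    # "access", "trunk" or "hybrid"
    default_vlan: int
    lacp: bool        # LACP enabled on the port


def basic_config(port):
    """The 'basic configuration' the guide compares: port, VLAN and LACP settings."""
    return (port.speed, port.duplex, port.link_type, port.default_vlan, port.lacp)


def classify_ports(ports, max_active):
    """Return (selected, standby, inactive) lists of port numbers.

    Rule 1: a port whose basic configuration differs from that of the active
            (link-up) port with the smallest number becomes inactive.
    Rule 2: if more matching active ports remain than the group's threshold
            (`max_active`, an assumed parameter), the smallest-numbered ones
            are selected and the rest are standby.
    """
    by_number = sorted(ports, key=lambda p: p.number)
    inactive = [p.number for p in by_number if not p.link_up]
    active = [p for p in by_number if p.link_up]
    if not active:
        return [], [], inactive
    reference = active[0]  # active port with the minimum port number
    candidates = []
    for p in active:
        if basic_config(p) == basic_config(reference):
            candidates.append(p.number)
        else:
            inactive.append(p.number)
    return candidates[:max_active], candidates[max_active:], sorted(inactive)


# Constructed sample group: port 3 is half duplex, port 6 is link-down.
SAMPLE_PORTS = [
    Port(1, True, 1000, "full", "trunk", 1, True),
    Port(2, True, 1000, "full", "trunk", 1, True),
    Port(3, True, 1000, "half", "trunk", 1, True),
    Port(4, True, 1000, "full", "trunk", 1, True),
    Port(5, True, 1000, "full", "trunk", 1, True),
    Port(6, False, 1000, "full", "trunk", 1, True),
]

if __name__ == "__main__":
    print(classify_ports(SAMPLE_PORTS, max_active=3))
```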
■ Aggregation groups with the minimum master port numbers, if they reach the equal rate with other groups after the resources are allocated to them
When aggregation groups of higher priority levels appear, the aggregation groups of lower priority levels release their hardware resources. For single-port aggregation groups, if they can transceive packets normally without occupying hardware resources, they shall not occupy the resources.
Creating/Deleting an Aggregation Group
Use the following command to create a manual aggregation group or static LACP aggregation group; the dynamic LACP aggregation group is established by the system when LACP is enabled on the ports.
■ port with static ARP configured
■ port with 802.1x enabled.
You must delete the aggregation group, instead of the port, if the manual or static LACP aggregation group contains only one port.
Setting/Deleting the Aggregation Group Descriptor
Perform the following configuration in System View.
Perform the following configuration in Ethernet Port View.
Table 56 Configuring Port Priority
Operation: Command
Configure port priority: lacp port-priority port_priority_value
Restore the default port priority: undo lacp port-priority
By default, port priority is 32768.
Link Aggregation Configuration Example
Networking Requirement
Switch A connects to Switch B with three aggregation ports, numbered Ethernet1/0/1 to Ethernet1/0/3, so that incoming/outgoing load can be balanced among the member ports.
Networking Diagram
Figure 16 Networking for Link Aggregation (Switch A and Switch B joined by link aggregation)
Configuration Procedure
The following lists only the configuration for Switch A; configure Switch B similarly.
Only when the three ports are configured with identical basic configuration, rate and duplex mode can they be added to the same dynamic aggregation group for load sharing after LACP is enabled on them.
Global Broadcast Suppression Feature
Configuring Global Broadcast Suppression
This section describes how to configure the Global Broadcast Suppression feature.
Displaying Information About a Specified Optical Port
You can use the display transceiver-information interface command to display the following information about a specified optical port:
■ Hardware type
■ Interface type
■ Wavelength
■ Vendor
■ Serial number
■ Transfer distance
Table 59 Display information about a specified optical port
Operation: Command. Description
Display information about a specified optical port: display transcei
4 XRN CONFIGURATION
This chapter covers the following topics:
■ Introduction to XRN
■ Configuring an XRN Fabric
■ Fabric Configuration Example
Introduction to XRN
Several XRN Switches of the same model can be interconnected to create a “Fabric”, in which each Switch is a unit. The ports used to interconnect all the units are called Fabric ports, while the other ports that are used to connect the Fabric to users are called user ports.
Table 60 Configuring FTM
Device: Switch. Configuration: Specify the stacking VLAN of the Switch. Default Settings: The stacking VLAN is VLAN 4093. Comment: You should specify the stacking VLAN before the Fabric is established.
Device: Switch. Configuration: Set unit IDs for the Switches. Default Settings: The unit ID of a Switch is set to 1. Comment: Make sure that you have set different unit IDs for different Switches, so that the Fabric can operate normally after all the Switches are interconnected.
If the modified unit ID is an existing one, the Switch prompts you to confirm whether you really want to change the unit ID. If you choose to change it, the existing unit ID is replaced and the priority is set to 5. Then you can use the fabric save-unit-id command to save the modified unit ID into the unit's Flash memory and clear the information about the existing one.
■ If auto-numbering is selected, the system sets the unit ID priority to 10.
Table 66 Setting a Fabric Name for Switches
Operation | Command
Set a Fabric name for Switches | sysname sysname
Restore the default Fabric name | undo sysname
By default, the Fabric name is "5500-EI".
Setting an XRN Authentication Mode for Switches
Only Switches with the same Fabric name and the same XRN authentication mode (and password) can form a Fabric. You can use the commands in the following table to set an authentication mode for the Switches.
Networking Diagram
Figure 18 Networking Diagram of a Fabric (Switch A, Switch B, Switch C and Switch D interconnected through Fabric ports; user ports connect to users)
Configuration Procedure
Configure Switch A:
[SW5500]change unit-id 1 to 1
[SW5500]fabric-port gigabitethernet1/0/51 enable
[SW5500]fabric-port gigabitethernet1/0/52 enable
[SW5500]sysname hello
[hello]xrn-fabric authentication-mode simple welcome
Configure Switch B:
[SW5500]change unit-id 1 to auto-numbering
[SW5500]fabric-port gigabitethernet2/0/51 enable
[S
If the same entry in the same RMON group is configured with different values on different devices of a fabric, all the conflicting devices adopt the value of the conflicting device with the smallest unit ID when you synchronize the devices. This mechanism eliminates configuration conflicts between the devices in a fabric. After the device configurations converge, you can collect RMON history and statistics data of any unit from any switch in the fabric.
Peer Fabric Port Detection
If the switch can receive DISC packets sent by the peer, the FTM module determines from the information in the packet whether the peer's sending ports correspond to the local receiving ports. That is, if a DISC packet received on the left port of the switch was sent by the right port of the peer device, the packet is regarded as legal; otherwise it is regarded as illegal and discarded.
reached max units
Analysis: The "reached max units" message indicates that the maximum number of units allowed in the current fabric has been reached; you cannot add new devices to the fabric in this case. Up to eight devices can be in an XRN fabric at a time.
Solution: Remove the new device, or remove existing devices from the fabric.
A port cannot be a fabric port if the jumboframe function is enabled on it, so make sure the jumboframe function is disabled on a port before you configure it as a fabric port. If a port group of a switch is the current fabric port group, you need to invalidate the current fabric port group before configuring the other port group as the fabric port group.
5 DLDP CONFIGURATION
This chapter contains the DLDP overview, fundamentals, precautions during configuration, and configuration information.
DLDP Overview
You may have encountered unidirectional links in networking. When a unidirectional link occurs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. See Figure 19 and Figure 20.
CHAPTER 5: DLDP CONFIGURATION
DLDP provides the following features:
■ As a link layer protocol, it works together with the physical layer protocol to monitor the link status of a device.
■ While the auto-negotiation mechanism on the physical layer detects physical signals and faults, DLDP identifies peer devices and unidirectional links, and disables unreachable ports.
Table 72 DLDP timers (continued)
Timer | Description
Entry aging timer | When a new neighbor joins, a neighbor entry is created and the corresponding entry aging timer is started. When an advertisement packet is received from a neighbor, the neighbor entry is updated and the corresponding entry aging timer is reset. In normal mode, if no packet is received from the neighbor before the entry aging timer expires, DLDP sends an advertisement packet with the RSY tag and deletes the neighbor entry.
2 DLDP analyzes and processes received packets as follows: In authentication mode, DLDP authenticates the packets received on the port and discards those that do not pass authentication.
Precautions During DLDP Configuration
It is recommended that the following precautions be taken during DLDP configuration:
■ DLDP works only when the link is up.
■ To ensure that unidirectional links can be detected, make sure that DLDP is enabled on both ends, and that the interval for sending advertisement packets, the authentication mode and the password are set consistently on both ends.
Table 77 DLDP configuration tasks (continued)
Operation | Command | Description
Set the DLDP handling mode when a unidirectional link is detected | dldp unidirectional-shutdown { auto | manual } | Optional; by default, the handling mode is auto.
Set the DLDP operating mode | dldp work-mode { enhance | normal } | Optional; by default, DLDP works in normal mode.
DLDP Configuration Example
Network diagram
Figure 21 Fiber cross-connection
Figure 22 Correct connection/disconnection in one direction
Configuration procedure
1 Configure Switch A
a Configure the ports to work in mandatory full duplex mode
system-view
[S5500A] interface gigabitethernet 2/0/3
[S5500A-GigabitEthernet2/0/3] duplex full
[S5500A-GigabitEthernet2/0/3] speed 1000
[S5500A-GigabitEthernet2/0/3] quit
[S5500A] interface gigabitethernet 2/0/4
[S5500A-GigabitEthernet2/0/4] duplex full
[S550
e Set the DLDP handling mode for unidirectional links to auto
[S5500A] dldp unidirectional-shutdown auto
f Display the DLDP status on Switch A
[S5500A] display dldp
2 If the fibers are correctly connected between the two switches, the system displays the connections with the neighbor as bidirectional links; otherwise, it displays them as unidirectional links.
6 VLAN OPERATION
This chapter covers the following topics:
■ VLAN Overview
■ VLAN Configuration
■ Voice VLAN Configuration
VLAN Overview
This chapter describes how to configure a VLAN. A virtual local area network (VLAN) groups LAN devices into logical segments to implement virtual workgroups. IEEE issued IEEE 802.1Q in 1999 to standardize VLAN implementations.
CHAPTER 6: VLAN OPERATION
Adding Ethernet Ports to a VLAN
Use the following command to add Ethernet ports to a VLAN. Perform the following configuration in VLAN View.
Table 80 Adding Ethernet Ports to a VLAN
Operation | Command
Add Ethernet ports to a VLAN | port interface_list
Remove Ethernet ports from a VLAN | undo port interface_list
By default, the system adds all the ports to the default VLAN, whose ID is 1.
Shutting Down/Enabling the VLAN Interface
Use the following commands to shut down or enable a VLAN interface. Perform the following configuration in VLAN Interface View.
Table 83 Shutting Down/Enabling the VLAN Interface
Operation | Command
Shut down the VLAN interface | shutdown
Enable the VLAN interface | undo shutdown
Shutting down or enabling the VLAN interface has no effect on the UP/DOWN status of the Ethernet ports in the local VLAN.
Configuration Procedure
1 Create VLAN 2 and enter its view.
[SW5500]vlan 2
2 Add Ethernet1/0/1 and Ethernet1/0/2 to VLAN 2.
[SW5500-vlan2]port ethernet1/0/1 to ethernet1/0/2
3 Create VLAN 3 and enter its view.
[SW5500-vlan2]vlan 3
4 Add Ethernet1/0/3 and Ethernet1/0/4 to VLAN 3.
[SW5500-vlan3]port ethernet1/0/3 to ethernet1/0/4
VLAN Configuration Example Two
Networking Requirements
Configure an IP address on a VLAN interface.
I. Creating a VLAN protocol type
Table 85 lists the operations to create a VLAN protocol type.
Voice VLAN Configuration
Voice VLAN is designed specifically for users' voice traffic, and it assigns different port precedence in different cases. The system uses the source MAC address of the traffic travelling through the port to identify IP phone traffic. You can either preset an OUI address or use the default OUI address as the criterion. Here the OUI address refers to that of a vendor. Voice VLAN can be configured either manually or automatically.
Enabling/Disabling Voice VLAN Features
Enable/disable the Voice VLAN in System View.
Table 89 Configuring Voice VLAN Features
Operation | Command
Enable Voice VLAN features | voice vlan vlan_id enable
Disable Voice VLAN features | undo voice vlan enable
The VLAN must already exist before you can enable Voice VLAN features on it. You cannot delete a VLAN on which Voice VLAN features are enabled, and only one VLAN can have Voice VLAN enabled at a time.
Enabling/Disabling Voice VLAN Security Mode
In security mode, the system filters out traffic in the Voice VLAN whose source MAC address does not match a configured OUI; other VLANs are not affected. If security mode is disabled, the system filters nothing. Note that the check is on the source MAC address only: it classifies traffic, it does not authenticate the phone, so a host that sets a matching OUI on its NIC is admitted to the Voice VLAN. Perform the following configuration in System View.
Configuring a voice VLAN to operate in manual mode
Refer to Table 96 to configure a VLAN in manual mode.
Table 96 Configure a voice VLAN to operate in manual mode
Operation | Command | Description
Enter system view | system-view | -
Enter port view | interface interface-type interface-number | Required
Enable the voice VLAN function for the port | voice vlan enable | Required. By default, the voice VLAN function is disabled.
Displaying and Debugging of Voice VLAN
After completing the above configuration, execute the display command in any view to view the configuration and running state of Voice VLAN.
Voice VLAN Configuration Example
Creating VLANs in Batches
To improve efficiency, you can create VLANs in batches by performing the operations listed in Table 98.
Table 98 Create VLANs in batches
Operation | Command | Description
Enter system view | system-view | -
Create VLANs by specifying a VLAN ID range | vlan { vlan-id1 to vlan-id2 | all } | Required
Voice VLAN Configuration
Voice VLANs are VLANs configured specially for voice data streams.
Because multiple types of IP phones exist, you need to match the port mode with the type of voice stream sent by the IP phones, as listed in Table 99.
Table 99 Port modes and types of voice stream
Port voice VLAN mode | Voice stream type | Port type | Supported or not
Automatic mode | Tagged voice stream | Access | Not supported
Automatic mode | Tagged voice stream | Trunk | Supported
Automatic mode | Untagged voice stream | |
Manual mode | Tagged voice stream | |
Manual mode | Untagged voice stream | |
Configuring the Voice VLAN Function
Make sure the default VLAN of th
Configuring a voice VLAN to operate in automatic mode
Table 100 Configure a voice VLAN to operate in automatic mode
Operation | Command | Description
Enter system view | system-view | -
Enter port view | interface interface-type interface-number | Required
Enable the voice VLAN function for the port | voice vlan enable | Required. By default, the voice VLAN function is disabled.
Voice VLAN Displaying and Debugging
Voice VLAN Configuration Example
3 Enable the voice VLAN function for the port and configure the port to operate in manual mode.
[S5500-vlan3] quit
[S5500] interface Ethernet1/0/3
[S5500-Ethernet1/0/3] voice vlan enable
[S5500-Ethernet1/0/3] undo voice vlan mode auto
[S5500-Ethernet1/0/3] quit
4 Specify the OUI address.
[S5500] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
5 Enable the voice VLAN function globally.
[S5500] voice vlan 3 enable
6 Display the configuration.
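The OUI match and the security-mode filter described in this section, as an added Python model (example code, not 3Com's implementation). It uses the OUI and mask from the configuration example above; the rule table, the MAC addresses and the VLAN numbers are constructed sample data, and the decision logic is a reading of the text, not the switch's firmware.

```python
# Added example (not 3Com's code): models the voice VLAN OUI check and the
# security-mode filter using the CLI's hhhh-hhhh-hhhh MAC notation.
from dataclasses import dataclass
from typing import Iterable, List


def parse_mac(text: str) -> int:
    """Parse a MAC written as 0011-2200-0000 (3Com CLI form) or 00:11:22:00:00:00."""
    digits = text.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class OuiRule:
    """One 'voice vlan mac-address <addr> mask <mask> description <text>' entry."""
    address: int
    mask: int
    description: str = ""

    def matches(self, mac: int) -> bool:
        # Only the bits set in the mask take part in the comparison, so a
        # ffff-ff00-0000 mask compares exactly the 24-bit vendor OUI.
        return (mac & self.mask) == (self.address & self.mask)


# Constructed rule table: the OUI from the configuration example in this chapter.
RULES: List[OuiRule] = [
    OuiRule(parse_mac("0011-2200-0000"), parse_mac("ffff-ff00-0000"), "test"),
]


def is_voice_source(src_mac: str, rules: Iterable[OuiRule] = RULES) -> bool:
    """True if the source MAC matches any configured OUI entry."""
    mac = parse_mac(src_mac)
    return any(rule.matches(mac) for rule in rules)


def forward_frame(src_mac: str, vlan_id: int, voice_vlan: int,
                  security_mode: bool, rules: Iterable[OuiRule] = RULES) -> bool:
    """Decide whether a frame is forwarded.

    Security mode filters only frames that belong to the voice VLAN; frames in
    any other VLAN are never affected, and with security mode off nothing is
    filtered at all.
    """
    if vlan_id != voice_vlan or not security_mode:
        return True
    return is_voice_source(src_mac, rules)


if __name__ == "__main__":
    # Constructed sample: a real phone-style OUI and a host that merely set one.
    for mac in ("0011-22ab-cdef", "0011-23ab-cdef"):
        print(mac, "voice VLAN 3, security on ->", forward_frame(mac, 3, 3, True))
```

The filter compares only the masked bits of the source address. Any station that spoofs a matching OUI (0011-22xx-xxxx here) passes, so security mode limits which frames the voice VLAN carries, not who may claim to be a phone; if voice-VLAN access must be trusted, combine it with port-level authentication rather than relying on the OUI table.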
7 GVRP CONFIGURATION
This chapter contains GVRP configuration information.
Introduction to GVRP
GVRP (GARP VLAN Registration Protocol) is an application of GARP (Generic Attribute Registration Protocol). GVRP is based on the operating scheme of GARP: it maintains dynamic VLAN registration information and propagates that information to other switches. GARP is a generic attribute registration protocol.
CHAPTER 7: GVRP CONFIGURATION
■ Leave: When a GARP entity expects to unregister a piece of attribute information, it sends out a Leave message. Any GARP entity that receives this message starts its Leave timer, and unregisters the attribute information after the timer expires if it does not receive a Join message again before the timeout.
GVRP Packet Format
The GVRP packets are in the following format:
Figure 26 Format of GVRP packets
Table 102 describes the packet fields in Figure 26.
Table 102 Description of the packet fields
Field | Description | Value
Protocol ID | Protocol ID | 1
Message | Each message consists of two parts: Attribute Type and Attribute List. | -
Attribute Type | Defined by the specific GARP application. | The attribute type of GVRP is 0x01.
Protocol Specifications
GVRP Configuration
Configuration Prerequisite
The port on which GVRP will be enabled must be configured as a Trunk port.
Configuration Procedure
The GVRP configuration tasks include configuring the timers, enabling GVRP, and configuring the GVRP port registration mode. Refer to Table 103 for the configuration procedure.
Table 103 Configuration procedure
Operation | Command | Description
Enter system view | system-view | -
Enable GVRP globally.
Table 104 describes the relations between the timers:
Table 104 Relations between the timers
Timer | Lower threshold | Upper threshold
Hold | 10 centiseconds | This upper threshold is less than or equal to one-half of the value of the Join timer. You can change the threshold by changing the value of the Join timer.
Join | This lower threshold is greater than or equal to twice the value of the Hold timer. |
Configuration Example
b Configure the port Ethernet1/0/2 as a Trunk port, and allow packets of all VLANs to pass
[S5500] interface Ethernet1/0/2
[S5500-Ethernet1/0/2] port link-type trunk
[S5500-Ethernet1/0/2] port trunk permit vlan all
c Enable GVRP on the Trunk port.
[S5500-Ethernet1/0/2] gvrp
Note that with GVRP enabled on a trunk that permits all VLANs, the neighbor on that port can register any VLAN on it dynamically; where the neighbor is not trusted, restrict the GVRP port registration mode or the permitted VLANs.
Displaying GVRP
You can use the display commands here to display the GVRP configuration. You can execute the display commands in any view.
8 VLAN-VPN CONFIGURATION
This chapter contains configuration information to create VLAN-VPNs.
VLAN-VPN Overview
The VLAN-VPN function enables packets to be transmitted across an operator's backbone network with the VLAN tags of private networks nested inside those of the public network. In the public network, packets of this type are forwarded by their outer VLAN tags (that is, the VLAN tags of the public network), and the private-network tags nested inside remain intact.
CHAPTER 8: VLAN-VPN CONFIGURATION
Adjusting the TPID Values of VLAN-VPN Packets
The tag protocol identifier (TPID) is a portion of the VLAN tag field. IEEE 802.1Q specifies the value of the TPID to be 0x8100. Figure 30 illustrates the structure of the Tag field of an Ethernet frame as defined by IEEE 802.1Q.
Figure 30 The structure of the Tag field of an Ethernet frame
On these switches the value of the TPID field is 0x8100 by default, as defined by IEEE 802.1Q.
Table 106 Configure the VLAN-VPN function for a port (continued)
Operation | Command | Description
Display VLAN-VPN configuration information about all ports | display port vlan-vpn | You can execute the display command in any view.
The VLAN-VPN function is unavailable on a port if any of GVRP, GMRP, XRN, NTDP, STP or 802.1x is enabled on it.
Table 108 Adjust TPID values for VLAN-VPN packets (continued)
Operation | Command | Description
Display VLAN-VPN configuration information about all ports | display port vlan-vpn | You can execute the display command in any view.
You can execute either the vlan-vpn enable or the vlan-vpn uplink enable command on a port, but not both on the same port.
Configuration Procedure
Perform the following procedure to configure switches A and C.
1 Configure Switch A and Switch C. As the configuration performed on Switch A and Switch C is the same, the configuration of Switch C is omitted.
a Configure port Ethernet1/0/2 of Switch A as a VLAN-VPN uplink port and add it to VLAN 10. Set the TPID value of the port to 0x9100.
system-view
System View: return to User View with Ctrl+Z.
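The nested tagging this chapter describes, together with the effect of a non-standard TPID such as the 0x9100 set on the uplink port above and the inner-tag priority replication feature, as an added Python model (example code, not 3Com's implementation). The frame bytes, MAC addresses and VLAN numbers are constructed; the 802.1ad TPID constant and the "priority 0 when not replicating" default are assumptions, not statements from this guide.

```python
# Added example (not 3Com's code): parse and build the nested 802.1Q tags that
# VLAN-VPN carries, with the TPID as a parameter so the effect of a non-0x8100
# outer TPID can be seen.
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

TPID_8021Q = 0x8100    # IEEE 802.1Q default
TPID_9100 = 0x9100     # value set on the uplink port in the configuration example
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (assumed; not mentioned on this page)


@dataclass(frozen=True)
class VlanTag:
    tpid: int
    pcp: int   # 3-bit 802.1p priority
    dei: int   # 1-bit drop-eligible / CFI
    vid: int   # 12-bit VLAN ID

    def pack(self) -> bytes:
        if not (0 <= self.pcp < 8 and self.dei in (0, 1) and 0 < self.vid < 4095):
            raise ValueError("tag field out of range")
        return struct.pack("!HH", self.tpid, (self.pcp << 13) | (self.dei << 12) | self.vid)


def parse_tags(frame: bytes,
               tpids: FrozenSet[int] = frozenset({TPID_8021Q})) -> Tuple[List[VlanTag], int, bytes]:
    """Return (tags outermost first, payload EtherType, payload).

    Only EtherType values in `tpids` are recognised as tags; anything else ends
    the tag stack, which is how a switch with a fixed TPID behaves.
    """
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset, tags = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype in tpids and len(frame) >= offset + 6:
            (tci,) = struct.unpack_from("!H", frame, offset + 2)
            tags.append(VlanTag(ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
            offset += 4
        else:
            return tags, ethertype, frame[offset + 2:]


def build_frame(dst: str, src: str, tags: List[VlanTag], ethertype: int, payload: bytes) -> bytes:
    header = bytes.fromhex(dst.replace("-", "")) + bytes.fromhex(src.replace("-", ""))
    return header + b"".join(t.pack() for t in tags) + struct.pack("!H", ethertype) + payload


def vlan_vpn_encapsulate(frame: bytes, service_vid: int, outer_tpid: int = TPID_9100,
                         replicate_inner_priority: bool = True) -> bytes:
    """Model of the VLAN-VPN port: push a public-network tag in front of the customer tag.

    With replicate_inner_priority the 802.1p priority of the customer's tag is
    copied into the outer tag (inner VLAN tag priority replication); otherwise
    the outer tag gets priority 0 (assumed default for this model).
    """
    inner_tags, _, _ = parse_tags(frame)
    pcp = inner_tags[0].pcp if (replicate_inner_priority and inner_tags) else 0
    return frame[:12] + VlanTag(outer_tpid, pcp, 0, service_vid).pack() + frame[12:]


# Constructed sample: a customer frame in VLAN 10 with priority 5 and a 20-byte payload.
CUSTOMER_FRAME = build_frame("0011-2233-4455", "0011-2233-4466",
                             [VlanTag(TPID_8021Q, 5, 0, 10)], 0x0800, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    qinq = vlan_vpn_encapsulate(CUSTOMER_FRAME, service_vid=20)
    print("carrier view :", parse_tags(qinq, frozenset({TPID_8021Q, TPID_9100}))[0])
    print("0x8100-only  :", parse_tags(qinq)[:2])
```

Parsing the encapsulated frame with only 0x8100 as a known TPID reports it as untagged with EtherType 0x9100, which is exactly why the TPID configured on the VLAN-VPN uplink has to match what the public-network switches expect.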
9 DHCP OVERVIEW
Introduction to DHCP
As networks grow larger and more complex, a shortage of available IP addresses becomes a common situation that network administrators have to face, and network configuration becomes a demanding task. With the emergence of wireless networks and the use of laptops, the movement of hosts between locations also requires new technology. Dynamic host configuration protocol (DHCP) was developed against this background.
CHAPTER 9: DHCP OVERVIEW
DHCP IP Address Assignment
This section contains information on DHCP IP address assignment.
IP Address Assignment Policy
Currently, DHCP provides the following three IP address assignment policies to meet the requirements of different clients:
■ Manual assignment. The administrator statically binds IP addresses to the few clients with special uses (such as a WWW server).
DHCP IP Address Preferences
Sending Device Information through DHCP Option 60
10 DHCP SERVER CONFIGURATION
Introduction to DHCP Server
This section contains an introduction to the configuration of the DHCP Server.
Usage of DHCP Server
Generally, DHCP servers are used in the following networks to assign IP addresses:
■ Large networks, where manual configuration is a heavy load and makes it difficult to manage the whole network centrally.
■ Networks where the number of available IP addresses is less than the number of hosts.
DHCP Fundamentals
CHAPTER 10: DHCP SERVER CONFIGURATION
IP address lease update
After a DHCP server dynamically assigns an IP address to a DHCP client, the IP address remains valid only within the specified lease time and is reclaimed by the DHCP server when the lease expires. If the DHCP client wants to use the IP address for a longer time, it must renew the lease.
DHCP Packet Processing Modes
■ Global address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from its global address pools and assigns them to the DHCP clients.
■ Interface address pool: In response to the DHCP packets received from DHCP clients, the DHCP server picks IP addresses from the interface-based address pools and assigns them to the DHCP clients.
(such as the domain name), you just need to configure them on the network segment or the corresponding subnets. The details of configuration inheritance are as follows.
■ A newly created child address pool inherits the configurations of its parent address pool.
Configuring Global Address Pool Mode on Interface(s)
You can configure the global address pool mode on specified interfaces or on all interfaces of a DHCP server. After that, when the DHCP server receives DHCP packets from DHCP clients through these interfaces, it assigns IP addresses from its local global address pools to the DHCP clients.
The static-bind ip-address command and the static-bind mac-address command can be executed repeatedly; in this case, the new configuration overwrites the previous one.
Configuring to assign IP addresses dynamically
IP addresses dynamically assigned to DHCP clients (including those that are permanently leased and those that are temporarily leased) belong to address segments that were previously specified.
You can configure domain names for address pools to be used by DHCP clients. After you do this, the DHCP server provides the domain name to the DHCP clients along with the IP addresses it assigns to them.
Customizing DHCP Service
With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration.
interfaces eases the configuration workload and lets you configure in a more convenient way.
bound to a DHCP client to come from a special DHCP address pool that contains only that IP address.
Configuring to assign IP addresses by static binding
Some DHCP clients, such as WWW servers, need to be assigned fixed IP addresses. This is achieved by binding IP addresses to the MAC addresses of these DHCP clients.
Table 123 Configure to assign IP addresses dynamically (continued)
Operation | Command | Description
Specify the IP addresses that are not to be dynamically assigned | dhcp server forbidden-ip low-ip-address [ high-ip-address ] | Optional. By default, all IP addresses in a DHCP address pool are available for dynamic assignment. The dhcp server forbidden-ip command can be executed repeatedly.
Configuring NetBIOS Services for DHCP Clients
For Microsoft Windows-based DHCP clients that communicate through the NetBIOS protocol, host name-to-IP address translation is carried out by WINS servers, so you need to perform WINS-related configuration for most Windows-based hosts. Currently, you can configure up to eight NetBIOS (WINS) server addresses for a DHCP address pool. Host name-to-IP address mappings are needed for DHCP clients communicating through the NetBIOS protocol.
Customizing DHCP Service
With the evolution of DHCP, new options are constantly coming into being. You can add the new options as properties of DHCP servers by performing the following configuration.
Table 126 Customize DHCP service
Operation | Command | Description
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | Required
By default, no customized option is configured.
receives a response or the number of ICMP packets sent reaches the specified maximum. The DHCP server assigns the IP address to the DHCP client only when no response is received during the whole course. This mechanism ensures that an IP address is assigned to one DHCP client exclusively. Note that the ping test detects only hosts that answer ICMP echo requests; a host that drops them is not detected by the server. A DHCP server performs ping tests to detect potential IP address conflicts, while a DHCP client uses ARP packets to detect IP address conflicts.
Sub-option 3 of option 184 comprises two parts, which carry the two items mentioned above respectively. A flag value of 0 indicates that the voice VLAN identification function is not enabled, in which case the information carried in the VLAN ID part is ignored. A flag value of 1 indicates that the voice VLAN identification function is enabled.
Configuring the option 184 supporting function in system view
Table 129 Configure the option 184 supporting function in system view
Operation | Command | Description
Enter system view | system-view | -
Configure the interface to operate in DHCP server mode and assign the IP addresses of a specified interface-based address pool to DHCP clients | dhcp select interface { all | interface interface-type interface-number [ to interface-type interface-number ] } | Required
Con
Configuring the option 184 supporting function in interface view
Table 130 Configure the option 184 supporting function in interface view
Operation | Command | Description
Enter system view | system-view | -
Enter interface view | interface interface-type interface-number | -
Configure an IP address for the interface | ip address ip-address net-mask | -
Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface-based address pool
Configuring the option 184 supporting function in global DHCP address pool view
Table 131 Configure the option 184 supporting function in global DHCP address pool view
Operation | Command | Description
Enter system view | system-view | -
Configure the interface to operate in DHCP server mode and assign the IP addresses of a global address pool to DHCP clients | dhcp select global [ subaddress ] { all | interface interface-type interface-number [ to | Required
Network diagram
Figure 33 Network diagram for option 184 supporting configuration (DHCP clients, including a 3COM VCX device, on a LAN connected to the DHCP server's GigabitEthernet1/0/1, 10.1.1.1/24)
Configuration procedure
1 Configure the DHCP client
Configure the 3COM VCX device to operate as a DHCP client and to request all sub-options of option 184. (Omitted)
2 Configure the DHCP server.
a Enter system view.
DHCP Server Displaying and Debugging
You can verify your DHCP-related configuration by executing the display command in any view. To clear the information about DHCP servers, execute the reset command in user view.
The DHCP settings of the 10.1.1.0/25 network segment are as follows:
■ Lease time: 10 days plus 12 hours
■ Domain name: aabbcc.com
■ DNS server: 10.1.1.2
■ NetBIOS server: none
■ Gateway: 10.1.1.126
The DHCP settings of the 10.1.1.128/25 network segment are as follows:
■ Lease time: 5 days
■ Domain name: aabbcc.com
■ DNS server: 10.1.1.2
■ NetBIOS server: 10.1.1.4
■ Gateway: 10.1.1.
5 Return to system view.
[S5500-dhcp-pool-1] quit
6 Configure DHCP address pool 2, including the address range, domain name, DNS server address, lease time, NetBIOS server address, and gateway address.
[S5500] dhcp server ip-pool 2
[S5500-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[S5500-dhcp-pool-2] domain-name aabbcc.com
[S5500-dhcp-pool-2] dns-list 10.1.1.
Troubleshooting DHCP Server
11 DHCP RELAY CONFIGURATION
Introduction to DHCP Relay
This section contains an introduction to DHCP Relay.
Usage of DHCP Relay
Early DHCP implementations assumed that DHCP clients and DHCP servers are on the same network segment, that is, you had to deploy at least one DHCP server for each network segment, which is far from economical. DHCP Relay is designed to address this problem.
CHAPTER 11: DHCP RELAY CONFIGURATION
In effect, a DHCP relay enables DHCP clients and DHCP servers on different networks to communicate with each other by forwarding the DHCP broadcast packets transparently between them.
DHCP Relay Configuration
DHCP Relay Configuration Tasks
Enabling DHCP
If a switch belongs to a fabric, you need to enable the UDP-helper function on it before configuring it as a DHCP relay.
The group number referenced in the dhcp-server groupNo command must already have been configured using the dhcp-server groupNo ip ipaddress1 [ ipaddress-list ] command.
DHCP Relay Displaying
You can verify your DHCP relay-related configuration by executing the following display commands in any view.
5 Configure an IP address for the VLAN 2 interface, so that this interface is on the same network segment as the DHCP clients.
[S5500-Vlan-interface2] ip address 10.110.1.1 255.255.0.0
You need to perform the corresponding configuration on the DHCP server to enable the DHCP clients to obtain IP addresses from it. The DHCP server configuration differs depending on the DHCP server device and is thus omitted.
12 VRRP CONFIGURATION
VRRP Overview
Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. As shown in Figure 37, in general:
■ A default route (for example, with the next hop address 10.100.10.1, as shown in Figure 37) is configured for every host on a network.
CHAPTER 12: VRRP CONFIGURATION
Figure 38 Virtual router
The switches in the backup group have the following features:
■ The virtual router has its own IP address: 10.100.10.1 (which can be the interface address of a switch within the backup group).
■ The switches within the backup group have their own IP addresses (such as 10.100.10.2 for the master switch and 10.100.10.3 for the backup switch).
■ Hosts on the LAN only know the IP address of this virtual router, that is, 10.100.10.
■ The virtual router IP addresses and the real IP addresses used by the member switches in the backup group must belong to the same network segment. If they are not in the same network segment, the backup group stays in the initial state.
■ A backup group is removed when its last virtual router IP address is removed from it. When a backup group is removed, all its configuration is lost.
Configuring switch priority
The status of each switch in a backup group is determined by its priority: the master switch in a backup group is the one currently holding the highest priority. Switch priority ranges from 0 to 255 (a larger number indicates a higher priority) and defaults to 100. Note that only 1 through 254 are available to users. Priority 255 is reserved for IP address owners: the priority of an IP address owner is fixed at 255.
Configuring VRRP timers
The master switch advertises its normal operating state to the switches in the VRRP backup group by sending a VRRP packet once in each specified interval (determined by the adver-interval argument). If the backup switches do not receive VRRP packets from the master for a specific period (determined by the master-down-interval argument), they consider the master down and initiate the process of determining a new master switch.
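The priority rules and timers of the two sections above, as an added Python model (example code, not 3Com's VRRP implementation). The switch names, addresses and priorities are constructed; the tie-break on the higher real IP address and the master-down interval formula (three times adver-interval plus a skew time of (256 - priority)/256 seconds) are taken from RFC 3768, not from this guide, which only names the two arguments.

```python
# Added example (not 3Com's code): VRRP master election by priority, with the
# IP address owner rule, plus the RFC 3768 master-down interval (assumed).
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class BackupMember:
    name: str
    ip: str                # real interface address of the switch
    priority: int = 100    # configured value; only 1 through 254 are user-settable
    up: bool = True        # False once the switch has failed or been shut down


def effective_priority(member: BackupMember, virtual_ip: str) -> int:
    """255 is reserved for the IP address owner; a configured value must be 1..254."""
    if member.ip == virtual_ip:
        return 255
    if not 1 <= member.priority <= 254:
        raise ValueError(f"{member.name}: priority {member.priority} not in 1..254")
    return member.priority


def elect_master(members: Iterable[BackupMember], virtual_ip: str) -> Optional[BackupMember]:
    """Highest priority wins; on a tie the higher real IP address wins (RFC 3768 rule)."""
    alive: List[BackupMember] = [m for m in members if m.up]
    if not alive:
        return None
    return max(alive, key=lambda m: (effective_priority(m, virtual_ip),
                                     int(ipaddress.IPv4Address(m.ip))))


def takeover_by(members: Iterable[BackupMember], virtual_ip: str,
                newcomer: BackupMember) -> bool:
    """True if a switch joining with `newcomer`'s settings would become master
    (assumes preemption is in effect, as a higher-priority member always wins here)."""
    return elect_master(list(members) + [newcomer], virtual_ip) is newcomer


def skew_time(priority: int) -> float:
    """Seconds of extra delay that favour higher-priority backups (RFC 3768)."""
    return (256 - priority) / 256.0


def master_down_interval(adver_interval: float, priority: int) -> float:
    """Seconds a backup waits without advertisements before declaring the master down."""
    return 3 * adver_interval + skew_time(priority)


if __name__ == "__main__":
    # Constructed sample matching the addressing used in this chapter's examples.
    lsw_a = BackupMember("LSW-A", "202.38.160.1", 100)
    lsw_b = BackupMember("LSW-B", "202.38.160.2", 110)
    vip = "202.38.160.111"
    print("master:", elect_master([lsw_a, lsw_b], vip).name)
    print("LSW-A waits", master_down_interval(1.0, 100), "s before taking over")
    print("rogue 254 wins:", takeover_by([lsw_a, lsw_b], vip, BackupMember("rogue", "202.38.160.9", 254)))
```

Because the highest advertised priority wins, any device on the segment that can send VRRP advertisements with priority 254 takes the virtual address from a legitimate master configured at 110; the only member it cannot displace is the IP address owner at 255. Keep member priorities below the owner's and protect the VRRP exchange at the link level where the platform allows it.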
Table 137 Configure a virtual router IP address (continued)
Operation | Command | Description
Configure a virtual router IP address | vrrp vrid virtual-router-ID virtual-ip virtual-address | Optional. virtual-router-ID: VRRP backup group ID. virtual-address: virtual router IP address to be configured.
Configuring Backup Group-Related Parameters
Table 138 lists the operations to configure a switch in a backup group.
Displaying and Clearing VRRP Information
You can execute the display command in any view to view the VRRP configuration.
VRRP Configuration Example
Single-VRRP Backup Group Configuration Example
Configuration procedure
1 Configure Switch A.
a Configure VLAN 2.
system-view
System View: return to User View with Ctrl+Z.
[LSW-A] vlan 2
[LSW-A-vlan2] port Ethernet 1/0/6
[LSW-A-vlan2] quit
[LSW-A] interface vlan-interface 2
[LSW-A-Vlan-interface2] ip address 202.38.160.1 255.255.255.0
[LSW-A-Vlan-interface2] quit
b Configure VRRP.
[LSW-A] vrrp ping-enable
[LSW-A] interface vlan 2
[LSW-A-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.
Network diagram
Figure 40 Network diagram for interface tracking configuration (Switch_A, Vlan-interface2 202.38.160.1; Switch_B, Vlan-interface2 202.38.160.2; Vlan-interface3 10.100.10.2 towards the Internet; virtual IP address 202.38.160.111; Host A 202.38.160.3; Host B 10.2.3.1)
Configuration procedure
1 Configure Switch A.
a Configure VLAN 2.
system-view
System View: return to User View with Ctrl+Z.
2 Configure Switch B.
a Configure VLAN 2.
system-view
System View: return to User View with Ctrl+Z.
[LSW-B] vlan 2
[LSW-B-vlan2] port Ethernet 1/0/5
[LSW-B-vlan2] quit
[LSW-B] interface vlan-interface 2
[LSW-B-Vlan-interface2] ip address 202.38.160.2 255.255.255.0
[LSW-B-Vlan-interface2] quit
b Configure the virtual router so that it can be pinged.
[LSW-B] vrrp ping-enable
c Create a backup group.
Network diagram
Figure 41 Network diagram for multiple-VRRP backup group configuration (Host B 10.2.3.1 reached across the Internet; Switch_A with Vlan-interface3 10.100.10.2 and Vlan-interface2 202.38.160.1; Switch_B with Vlan-interface2 202.38.160.2; backup group 1 with virtual IP address 202.38.160.111; backup group 2 with virtual IP address 202.38.160.112; Host A 202.38.160.3)
Configuration procedure
1 Configure Switch A.
a Configure VLAN 2.
b Create backup group 1.
[LSW-B-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
c Create backup group 2.
[LSW-B-Vlan-interface2] vrrp vrid 2 virtual-ip 202.38.160.112
d Set the priority for backup group 2.
[LSW-B-Vlan-interface2] vrrp vrid 2 priority 110
In practice, multiple backup groups are commonly used so that each switch is master for one group and backup for the other, which shares the traffic between them.
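The election behind the multiple-backup-group example, as an added illustration that is not part of the 3Com guide: each backup group (VRID) elects its own master, the highest priority wins, an equal priority is broken by the higher interface address, and the router that owns the virtual IP always advertises priority 255. The switch names and addresses come from Figure 41; the priority 110 for Switch A in group 1 is an assumption (the guide only shows Switch B getting priority 110 in group 2), and the two receive-side rules follow RFC 3768.

```python
"""Added example (not from the 3Com guide): VRRP master election per backup
group, after RFC 3768. Switch A's priority 110 in group 1 is assumed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100   # VRRP default when no priority is configured
OWNER_PRIORITY = 255     # forced when the router owns the virtual IP


def _ip(value) -> int:
    return int(IPv4Address(value))


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str
    # backup group (VRID) -> configured priority
    priorities: dict = field(default_factory=dict)

    def priority(self, vrid: int, virtual_ip: str) -> int:
        # The address owner always advertises 255 and wins regardless of what
        # anybody else configures (RFC 3768, section 5.3.4).
        if _ip(self.interface_ip) == _ip(virtual_ip):
            return OWNER_PRIORITY
        return self.priorities.get(vrid, DEFAULT_PRIORITY)


def elect_master(routers, vrid, virtual_ip):
    """Highest priority wins; equal priorities are broken by the higher
    primary (interface) IP address, which is the stable outcome of the
    Master-state rule below."""
    return max(routers, key=lambda r: (r.priority(vrid, virtual_ip), _ip(r.interface_ip)))


def masters(routers, groups):
    """Map each VRID to the name of its elected master."""
    return {vrid: elect_master(routers, vrid, vip).name for vrid, vip in groups.items()}


def backup_stays_backup(local_priority, adv_priority, preempt=True):
    """Backup state on receiving an ADVERTISEMENT (RFC 3768, section 6.4.2):
    priority 0 means the master is leaving, so take over; otherwise stay
    Backup unless preemption is on and we outrank the sender."""
    if adv_priority == 0:
        return False
    if not preempt:
        return True
    return adv_priority >= local_priority


def master_yields(local_priority, local_ip, adv_priority, adv_ip):
    """Master state on receiving an ADVERTISEMENT (RFC 3768, section 6.4.3):
    step down if the sender has a higher priority, or the same priority and
    a higher primary IP address."""
    if adv_priority > local_priority:
        return True
    return adv_priority == local_priority and _ip(adv_ip) > _ip(local_ip)


# Constructed topology from Figure 41: two switches, two backup groups.
SWITCH_A = VrrpRouter("Switch_A", "202.38.160.1", {1: 110})   # priority assumed
SWITCH_B = VrrpRouter("Switch_B", "202.38.160.2", {2: 110})   # from the guide
OWNER = VrrpRouter("Owner", "202.38.160.111")                 # owns group 1's VIP
GROUPS = {1: "202.38.160.111", 2: "202.38.160.112"}

if __name__ == "__main__":
    print(masters([SWITCH_A, SWITCH_B], GROUPS))
```

The rule worth remembering from this is that nothing in the election is authenticated: on the same VLAN, any host that sends an advertisement with a higher priority (or priority 255 while claiming the virtual address) will be treated by the model above exactly as a legitimate switch would be.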
13 MSTP CONFIGURATION
MSTP Overview
Spanning tree protocol (STP) cannot make Ethernet ports transition between states rapidly: a port takes twice the forward delay to reach the forwarding state, even if it is on a point-to-point link or is an edge port. Rapid spanning tree protocol (RSTP) supports rapid convergence.
CHAPTER 13: MSTP CONFIGURATION Basic MSTP Terminologies Figure 42 illustrates primary MSTP terms (assuming that each switch in it has MSTP employed). Figure 42 Basic MSTP terminologies MST region A multiple spanning tree (MST) region comprises multiple switches and the connected network segments. The switches are all MSTP-enabled and physically connected. They have the same region name, the same VLAN-to-spanning tree mapping configuration, and the same MSTP revision level configuration.
IST An internal spanning tree (IST) is a spanning tree in an MST region. ISTs, along with the common spanning tree (CST), form the common and internal spanning tree (CIST) of the entire switched network. An IST is a branch of the CIST and is a special MSTI. In Figure 42, the CIST has a branch in each MST region, which is the IST of that region. CST A CST is the spanning tree connecting all the MST regions in a switched network.
The role of a region edge port is consistent with that of the port in the CIST. For example, port 1 on switch A shown in Figure 43 is a region edge port, and it is a master port in the CIST. Therefore, it is a master port in all MSTIs in the region.
Determining an MSTI In an MST region, MSTP generates different MSTIs for different VLANs according to the VLAN-to-spanning tree mappings. MSTP calculates each spanning tree independently, in the same way as STP/RSTP does. Implementation of the STP algorithm In the beginning, each port on each switch generates its own BPDU, taking its own switch as the root, setting the root path cost to 0, the ID of the designated bridge to that of the switch, and the designated port to itself.
MSTP Implementation on Switches Root Bridge Configuration MSTP is compatible with both STP and RSTP. That is, switches running MSTP can recognize STP and RSTP packets and use them to calculate spanning trees. In addition to the basic MSTP functions, an S5500 series switch also provides many special functions for ease of management to further meet the needs of users, as listed in the following.
Root Bridge Configuration
Prerequisites Before configuration, determine what roles the switches will play in the spanning trees, that is, whether a switch will be the root, a branch, or a leaf in a spanning tree.
Configuration example 1 Configure an MST region, with the name being info, the MSTP revision level being level 1, VLAN 2 through VLAN 10 being mapped to MSTI 1, and VLAN 20 through VLAN 30 being mapped to MSTI 2. system-view System View: return to User View with Ctrl+Z.
A secondary root bridge becomes the root bridge if the original root bridge fails or is turned off. A secondary root bridge remains unchanged if a new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the lowest MAC address replaces the root bridge if the latter goes down (they share the same bridge priority, so the MAC address decides). You can specify the network diameter and the Hello time parameters while configuring a root bridge/secondary root bridge.
Configuration example Configure the bridge priority of the current switch to be 4,096 in spanning tree instance 1.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp instance 1 priority 4096
Configuring MSTP Operation Mode A switch running MSTP can operate in one of these three modes: ■ STP mode: In this mode, ports of the switch send STP packets.
Configuration procedure
Table 147 Configure the maximum hop count of an MST region
Enter system view: system-view
Configure the maximum hop count of an MST region: stp max-hops hops (required; the default maximum hop count of an MST region is 20)
Note that only the maximum hop count configured on the switch acting as the region root limits the size of the MST region.
To solve this problem, MSTP adopts the state transition mechanism. With this mechanism, new root ports and designated ports must go through an intermediate state before reaching the forwarding state, so that the new BPDUs can be advertised throughout the network. The introduced delay is dictated by the Forward delay argument. ■ Hello time: The interval at which the switch sends hello BPDUs to check the connectivity of its links.
It is recommended that you specify the network diameter and the Hello time by using the stp root primary or stp root secondary command. MSTP will then automatically calculate the optimal values of the three parameters. Configuration example Set the Forward delay to 1,600 centiseconds, the Hello time to 300 centiseconds, and the Max age to 2,100 centiseconds on the future CIST root bridge. system-view System View: return to User View with Ctrl+Z.
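The two rules the last pages rely on, as an added illustration that is not part of the 3Com guide: the BPDU comparison from "Implementation of the STP algorithm" (root ID, root path cost, designated bridge ID, designated port ID, lower wins field by field, where a bridge ID is priority then MAC) which decides the root and which secondary root takes over, and the IEEE 802.1D relationship between Hello time, Forward delay and Max age that a switch enforces when you set the three values by hand. The bridge names and MAC addresses are constructed; 4096 and 8192 are the configured priorities from the examples above.

```python
"""Added example (not from the 3Com guide): STP/RSTP/MSTP BPDU comparison,
root election, secondary-root takeover and timer validation. Bridge names
and MAC addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    # Compared priority first, then MAC address: lower is better. The
    # configurable part is a multiple of 4096 (stp instance 1 priority 4096).
    priority: int
    mac: int

    @classmethod
    def make(cls, priority: int, mac_str: str) -> "BridgeId":
        return cls(priority, int(mac_str.replace(":", "").replace("-", ""), 16))


@dataclass(frozen=True, order=True)
class Bpdu:
    """The priority vector every port compares field by field, lower wins:
    root bridge ID, root path cost, designated bridge ID, designated port ID."""
    root_id: BridgeId
    root_path_cost: int
    designated_bridge: BridgeId
    designated_port: int


def initial_bpdu(me: BridgeId, port_id: int) -> Bpdu:
    # At start-up each port claims its own bridge as root with path cost 0.
    return Bpdu(me, 0, me, port_id)


def better_bpdu(received: Bpdu, held: Bpdu) -> bool:
    """True if the received BPDU is superior to the one the port holds, in
    which case the port adopts it (and the bridge recomputes its roles)."""
    return received < held


def elect_root(bridges):
    """Lowest bridge ID (priority, then MAC) becomes the root."""
    return min(bridges)


def successor(bridges, failed_root):
    """When the root fails, the lowest remaining bridge ID takes over; among
    secondary roots with the same priority that is the lowest MAC address."""
    return min(b for b in bridges if b != failed_root)


def timers_valid(hello_s: float, forward_delay_s: float, max_age_s: float) -> bool:
    """IEEE 802.1D constraint a bridge must satisfy:
    2 * (Forward delay - 1) >= Max age >= 2 * (Hello + 1)."""
    return 2 * (forward_delay_s - 1) >= max_age_s >= 2 * (hello_s + 1)


def centiseconds_valid(hello_cs: int, forward_delay_cs: int, max_age_cs: int) -> bool:
    # The switch CLI takes these values in centiseconds (1600 = 16 s).
    return timers_valid(hello_cs / 100, forward_delay_cs / 100, max_age_cs / 100)


ROOT = BridgeId.make(4096, "00:e0:fc:00:00:01")         # configured primary root
SECONDARY_A = BridgeId.make(8192, "00:e0:fc:00:00:0a")  # two secondaries with
SECONDARY_B = BridgeId.make(8192, "00:e0:fc:00:00:05")  # the same priority
LEAF = BridgeId.make(32768, "00:e0:fc:00:00:02")        # default priority
BRIDGES = [ROOT, SECONDARY_A, SECONDARY_B, LEAF]

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    print("after root failure:", successor(BRIDGES, ROOT))
    print("1600/300/2100 cs valid:", centiseconds_valid(300, 1600, 2100))
```

Because the comparison is purely numeric, a device that sends BPDUs with priority 0 and a low MAC wins the root election against any configured root; that is what the BPDU protection function later in this chapter is for.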
Configuration procedure in system view
Table 151 Configure the maximum transmission speed of specified ports in system view
Enter system view: system-view
Configure the maximum transmission speed of specified ports: stp interface interface-list transmit-limit packetnum (required; the maximum transmission speed of all Ethernet ports on a switch defaults to 3 BPDUs per Hello time)
Configuration procedure in system view
Table 153 Set a port as an edge port in system view
Enter system view: system-view
Configure the specified ports to be edge ports: stp interface interface-list edged-port enable (required; by default, all Ethernet ports of a switch are non-edge ports)
Configuration procedure in system view
Table 155 Configure a port to connect to a point-to-point link in system view
Enter system view: system-view
Specify whether the specified ports connect to point-to-point links or not: stp interface interface-list point-to-point { force-true | force-false | auto } (required; the auto keyword is specified by default)
Configuration example Configure port Ethernet1/0/1 to connect to a point-to-point link.
1 Configure in system view.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp interface ethernet1/0/1 point-to-point force-true
2 Configure in Ethernet port view.
system-view
System View: return to User View with Ctrl+Z.
Configuration example Enable MSTP on the switch and disable MSTP on port Ethernet1/0/1.
1 Configure in system view.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp enable
[S5500] stp interface ethernet1/0/1 disable
2 Configure in Ethernet port view.
system-view
System View: return to User View with Ctrl+Z.
Leaf Node Configuration
Configuring MSTP Operation Mode: refer to "Configuring MSTP Operation Mode".
Configuring the Timeout Time Factor: refer to "Configuring the Timeout Time Factor".
Configuring the Maximum Transmission Speed of a Port: refer to "Configuring the Maximum Transmission Speed of a Port".
Setting a Port as an Edge Port: refer to "Setting a Port as an Edge Port".
Configuring the Path Cost of a Port: The path cost of a port is related to the speed of the connected link.
Table 161 Transmission speeds and the corresponding path costs (continued) Transmission speed (half-/full-duplex) Operation mode 802.1D-1998 IEEE 802.
Configuration example (A) Configure the path cost of port Ethernet1/0/1 in spanning tree instance 1 to be 2,000.
1 Configure in system view.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp interface ethernet1/0/1 instance 1 cost 2000
2 Configure in Ethernet port view.
system-view
System View: return to User View with Ctrl+Z.
Configuring the priority of a port in Ethernet port view
Table 165 Configure the priority of a port in Ethernet port view
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Configure the port priority of the port: stp [ instance instance-id ] port priority priority (required; by default, all Ethernet ports of a switch have the same priority, namely 128)
Configuration Procedure You can perform the mCheck operation in the following two ways.
automatically shuts it down and notifies the network administrator of the situation. Only the administrator can restore edge ports that have been shut down. Root protection A root bridge and its secondary root bridges must reside in the same region. In particular, the CIST root and its secondary root bridges are usually located in the core region, which is equipped with high bandwidth.
Configuring BPDU Protection
Configuration procedure
Table 168 Enable the BPDU protection function
Enter system view: system-view
Enable the BPDU protection function: stp bpdu-protection (required; the BPDU protection function is disabled by default)
Configuration example Enable the BPDU protection function. system-view System View: return to User View with Ctrl+Z.
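The behaviour BPDU protection adds to an edge port, as an added model that is not part of the 3Com guide: with stp bpdu-protection enabled, a BPDU arriving on a port configured with stp edged-port enable shuts the port down and raises an alert, and only an administrator brings it back; without it the port merely loses its edge status and joins the spanning tree, which is the condition an attacker connecting a switch (or a BPDU-forging tool) to an access port wants. Port names and the alert text are constructed.

```python
"""Added example (not from the 3Com guide): a small model of BPDU protection
on edge ports. Port names and the alert wording are constructed."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    edge: bool = False          # stp edged-port enable
    state: str = "forwarding"   # or "shutdown"


@dataclass
class Switch:
    bpdu_protection: bool = False   # stp bpdu-protection (global)
    ports: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def add_port(self, name: str, edge: bool = False) -> None:
        self.ports[name] = Port(name, edge)

    def receive_bpdu(self, port_name: str) -> str:
        """Called when a BPDU arrives on a port and reports what happened."""
        port = self.ports[port_name]
        if port.state == "shutdown":
            return "ignored"                      # port is already down
        if port.edge and self.bpdu_protection:
            port.state = "shutdown"
            self.alerts.append(f"BPDU received on edge port {port.name}; port shut down")
            return "shutdown"
        if port.edge:
            # Without BPDU protection an edge port that sees a BPDU silently
            # becomes a normal spanning-tree port: the rogue device is now
            # part of the topology calculation.
            port.edge = False
            return "edge-status-lost"
        return "processed"                        # normal inter-switch link

    def admin_restore(self, port_name: str) -> None:
        # Only an administrator brings the port back (undo shutdown).
        self.ports[port_name].state = "forwarding"


def demo(protection: bool):
    """One protected and one unprotected scenario; returns the outcomes for the
    edge port and the uplink port plus the switch for inspection."""
    sw = Switch(bpdu_protection=protection)
    sw.add_port("Ethernet1/0/1", edge=True)      # user-facing access port
    sw.add_port("Ethernet1/0/24")                # uplink to another switch
    return sw.receive_bpdu("Ethernet1/0/1"), sw.receive_bpdu("Ethernet1/0/24"), sw


if __name__ == "__main__":
    print(demo(True)[:2], demo(False)[:2])
```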
Configuring Loop Prevention
Configuration procedure
Table 171 Enable the loop prevention function
Enter system view: system-view
Enter Ethernet port view: interface interface-type interface-number
Enable the loop prevention function: stp loop-protection (required; the loop prevention function is disabled by default)
Configuration example Enable the loop prevention function on port Ethernet1/0/1.
BPDU Tunnel Configuration
Figure 44 BPDU Tunnel network hierarchy
Configuring BPDU Tunnel
Table 173 Configure the BPDU tunnel function
Enter system view: system-view
Enable MSTP: stp enable
Enable the BPDU tunnel function: vlan-vpn tunnel (required)
Enter Ethernet port view: interface interface-type interface-number (make sure that you enter the Ethernet port view of the port on which you want to enable the BPDU tunnel function)
Displaying and Debugging MSTP After completing the above configurations, you can display MSTP operation and verify your configuration by executing the display command in any view. You can also clear MSTP-related statistics by executing the reset command in user view or debug the MSTP module by executing the debugging command in user view.
MSTP Configuration Example
Configuration procedure
1 Configure Switch A.
a Enter MST region view.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp region-configuration
b Configure the MST region.
[S5500-mst-region] region-name example
[S5500-mst-region] instance 1 vlan 10
[S5500-mst-region] instance 3 vlan 30
[S5500-mst-region] instance 4 vlan 40
[S5500-mst-region] revision-level 0
c Activate the settings of the MST region.
4 Configure Switch D.
a Enter MST region view.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp region-configuration
b Configure the MST region.
[S5500-mst-region] region-name example
[S5500-mst-region] instance 1 vlan 10
[S5500-mst-region] instance 3 vlan 30
[S5500-mst-region] instance 4 vlan 40
[S5500-mst-region] revision-level 0
c Activate the settings of the MST region.
2 Configure Switch B.
a Enable RSTP.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp enable
b Add port Ethernet0/1 to VLAN 10.
[S5500] vlan 10
[S5500-Vlan10] port Ethernet 0/1
3 Configure Switch C.
a Enable MSTP.
system-view
System View: return to User View with Ctrl+Z.
[S5500] stp enable
b Enable the BPDU tunnel function.
[S5500] vlan-vpn tunnel
c Add port Ethernet1/0/1 to VLAN 10.
f Add the trunk port to all VLANs.
[S5500-Ethernet1/0/1] port trunk permit vlan all
Notes:
■ You must enable STP on a device before enabling the BPDU tunnel function on it.
■ The BPDU tunnel function is only available on access ports.
■ To implement the BPDU tunnel function, the links between operator networks must be trunk links.
■ As the VLAN VPN function is unavailable to the ports with 802.
14 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION
Introduction to Centralized MAC Address Authentication
Centralized MAC address authentication controls access to a network based on ports and MAC addresses. This kind of authentication requires no client software. When operating in centralized MAC address authentication mode, a switch begins to authenticate a user as soon as it detects a new user MAC address on a port.
CHAPTER 14: CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION
Centralized MAC Address Authentication Configuration The following sections describe centralized MAC address authentication configuration tasks:
■ Enabling Global/Port-based Centralized MAC Address Authentication
■ Setting Centralized MAC Address Authentication Timers
■ Displaying and Debugging Centralized MAC Address Authentication
■ Centralized MAC Address Authentication
■ Server-timeout timer. If the connection between the switch and the RADIUS server times out while the switch is authenticating a user on one of its ports, the switch rejects the user. You can use the server-timeout timer to set this timeout.
Table 177 lists the operations to set centralized MAC address authentication timers.
4 Enable global centralized MAC address authentication.
[S5500] mac-authentication
5 Configure the domain name for centralized MAC address authentication users to be aabbcc163.net.
[S5500] mac-authentication domain aabbcc163.
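What the switch sends to the RADIUS server when a new MAC address appears, as an added example that is not part of the 3Com guide and not the switch's own code: a RADIUS Access-Request (RFC 2865) whose User-Name carries the MAC address with the configured domain, and whose User-Password is hidden with the MD5-based scheme of RFC 2865 section 5.2. The shared secret, the 16-byte request authenticator, the exact username format (MAC without separators followed by @domain) and the use of the MAC itself as the password are assumptions; confirm the real format in your RADIUS server's logs. Note what the example makes visible: the password is only obfuscated with MD5 and the shared secret, so a weak secret or an unprotected path to the server exposes it, and a MAC address is a trivially spoofable credential anyway.

```python
"""Added example (not from the 3Com guide): the RADIUS Access-Request of a MAC
address authentication attempt, with RFC 2865 User-Password hiding.
Secret, authenticator and username/password format are assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CALLING_STATION_ID = 1, 2, 31


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The server-side inverse; anyone holding the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\0")


def attr(kind: int, value: bytes) -> bytes:
    # Type, Length (including these two bytes), Value
    return struct.pack("!BB", kind, len(value) + 2) + value


def mac_auth_request(mac: str, domain: str, secret: bytes, ident: int,
                     authenticator: bytes = None) -> bytes:
    """Build the Access-Request for one MAC address (assumed format)."""
    authenticator = authenticator or os.urandom(16)
    plain_mac = mac.replace("-", "").replace(":", "").lower()
    attrs = (attr(ATTR_USER_NAME, f"{plain_mac}@{domain}".encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, plain_mac.encode()))
             + attr(ATTR_CALLING_STATION_ID, mac.encode()))
    length = 20 + len(attrs)          # code(1) id(1) length(2) authenticator(16)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    """Attribute type -> value, for checking what went on the wire."""
    out, i = {}, 20
    while i < len(packet):
        kind, length = struct.unpack("!BB", packet[i:i + 2])
        out[kind] = packet[i + 2:i + length]
        i += length
    return out


if __name__ == "__main__":
    pkt = mac_auth_request("00-e0-fc-12-34-56", "aabbcc163.net", b"example-shared-secret", 7)
    print(len(pkt), parse_attrs(pkt)[ATTR_USER_NAME])
```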
15 SSH TERMINAL SERVICES
Introduction to SSH
This section contains information for SSH Terminal Services. Secure Shell (SSH) provides confidentiality and strong authentication for remote logins, preventing attacks such as IP address spoofing and interception of plain-text passwords when users log in to the Switch over an insecure network. ■ A Switch can connect to multiple SSH clients. SSH 2.0 and SSH 1.x are both supported; SSH 1.x has known protocol weaknesses, so prefer SSH 2.0 clients where possible.
CHAPTER 15: SSH TERMINAL SERVICES
Figure 48 Establish SSH channels through a WAN (a local Ethernet with workstations, laptops, a PC acting as SSH client and a server behind the local switch; a remote Ethernet behind the remote switch acting as SSH server, with its own workstations, laptops, PC and server; the two switches connected across the WAN)
The communication process between the server and client includes these five stages: 1 Version negotiation stage. These operations are completed at this stage: ■ The client sends a TCP connection request to the server.
■ The server authenticates the user until authentication succeeds or the connection is closed because the authentication timeout expires. SSH supports two authentication types: password authentication and RSA authentication. 1 Password authentication works as follows: ■ The client sends its username and password to the server. ■ The server compares the username and password received with those configured locally.
Configuring supported protocols
Table 180 Configure supported protocols
Enter system view: system-view
Enter one or multiple user interface views: user-interface [ type-keyword ] number [ ending-number ] (required)
Configure the protocols supported in the user interface view(s): protocol inbound { all | ssh | telnet } (optional; by default, the system supports both Telnet and SSH)
Configuring authentication type An authentication type must be configured for each new SSH user; otherwise the user cannot access the switch.
Table 182 Configure authentication type
Enter system view: system-view
Configure authentication type for SSH users: ssh user username authentication-type { password | password-publickey | rsa | all } (required; if the RSA authentication type is selected, the RSA public key of the client user must be configured on the switch)
Table 184 Configure client public keys
Enter system view: system-view
Enter public key view: rsa peer-public-key key-name (required)
Enter public key edit view: public-key-code begin (required; you can key in blank spaces between characters, since the system removes them automatically, but the public key itself must consist of hexadecimal characters only)
SSH Client Configuration Table 186 describes SSH client configuration tasks.
SSH Server Configuration Example Network requirements As shown in Figure 49, configure a local connection from the SSH client to the switch. The PC runs SSH 2.0-capable client software. Network diagram Figure 49 Network diagram for SSH server configuration (Switch as SSH server, PC as SSH client) Configuration procedure 1 Generate a local RSA key pair.
RSA public key authentication
1 Set AAA authentication on the user interfaces.
[S5500] user-interface vty 0 4
[S5500-ui-vty0-4] authentication-mode scheme
2 Set the user interfaces to support SSH.
[S5500-ui-vty0-4] protocol inbound ssh
3 Configure the login protocol for user client002 as SSH and the authentication type as RSA public key.
[S5500] ssh user client002 authentication-type rsa
4 Generate random RSA key pairs on the SSH 2.
Network diagram Figure 50 Network diagram for SSH client configuration (Switch B as SSH server with IP address 10.165.87.136; Switch A as SSH client; a PC attached to Switch A)
Configuration procedure
1 Configure the client to accept first-time authentication.
[S5500] ssh client first-time enable
2 Configure server public keys on the client.
b Start the client and use RSA public key authentication with the algorithms selected on the command line (note that DES and MD5, as chosen here, are weak by current standards; prefer stronger ciphers and HMACs where the peer supports them).
[S5500] ssh2 10.165.87.136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_ctos_hmac md5 perfer_stoc_hmac md5
username: client003
Trying 10.165.87.136...
Press CTRL+K to abort
Connected to 10.165.87.136...
The Server is not autherncated.
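What "ssh client first-time enable" and "The Server is not authenticated" mean in practice, as an added illustration that is not part of the 3Com guide: the client either has the server's public key configured out of band (step 2 above) and can verify it, or it accepts whatever key it sees on the first connection and remembers it. The model below, written in the style of an OpenSSH known_hosts check, shows both policies. The host key values are constructed byte strings, not real keys, and the fingerprint format follows OpenSSH's SHA256 base64 convention.

```python
"""Added example (not from the 3Com guide): a trust-on-first-use host key
store contrasted with pinning the server key in advance. The keys are
constructed byte strings."""
import base64
import hashlib


def fingerprint(host_key: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a wire-format public key."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    def __init__(self, first_time_enable: bool):
        self.first_time_enable = first_time_enable   # ssh client first-time enable
        self.store = {}                              # host -> fingerprint

    def pin(self, host: str, host_key: bytes) -> None:
        """Equivalent of configuring the server public key on the client
        before connecting (rsa peer-public-key on the client switch)."""
        self.store[host] = fingerprint(host_key)

    def check(self, host: str, host_key: bytes) -> str:
        """Decide whether the key presented during key exchange is acceptable."""
        fp = fingerprint(host_key)
        pinned = self.store.get(host)
        if pinned is None:
            if self.first_time_enable:
                # Trust on first use: the key is accepted unverified and
                # remembered. An attacker in the path for this first
                # connection gets remembered as the server.
                self.store[host] = fp
                return "accepted-unverified"
            return "rejected-unknown-host"
        return "verified" if pinned == fp else "rejected-key-mismatch"


if __name__ == "__main__":
    kh = KnownHosts(first_time_enable=True)
    key = b"ssh-rsa constructed-real-server-key"
    print(kh.check("10.165.87.136", key), kh.check("10.165.87.136", key))
```

The safe sequence is therefore: pin the key (step 2), leave first-time authentication disabled, and treat a key mismatch as a reason to stop rather than something to click through.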
BOTH the private AND public key MUST be in /home/user/ for OpenSSH to work. result: [root@localhost openssh-4.2p1]# ./ssh -2 -l 1 -i /home/user/ssh_rsa_key 192.168.0.131
SFTP Service
SFTP Overview The following sections describe the SFTP service. Secure FTP (SFTP) is a file transfer service that runs over an SSH 2.0 connection and is introduced with SSH 2.0 support.
SFTP Client Configuration The following sections describe SFTP client configuration tasks:
■ Configuring SFTP client
■ Enabling the SFTP client
■ Disabling the SFTP client
■ Operating with SFTP directories
■ Operating with SFTP files
Configuring SFTP client
Table 191 Configuring SFTP client
1 Enable the SFTP client: sftp (system view; required)
2 Disable the SFTP client: bye, exit or quit (SFTP client view; optional)
3, 4 SFTP direc
Disabling the SFTP client
Table 193 Disable the SFTP client
Enter system view: system-view
Enter SFTP client view: sftp { host-ip | host-name }
Disable the SFTP client: bye (exit and quit have the same function)
Displaying help information You can display help information about a command, such as its syntax and parameters.
2 Configure Switch A (SFTP client)
a Establish a connection to the remote SFTP server and enter SFTP client view.
[S5500] sftp 10.111.27.91
b Display the current directory on the SFTP server, delete file z and verify the operation.
f Upload file pu to the SFTP server and rename it to puk. Verify the operations.
sftp-client> put pu puk
Local file: pu ---> Remote file: flash:/puk
Uploading file successfully ended
sftp-client> dir
(directory listing: seven entries owned by noone/nogroup, five regular files of 1759, 225, 283, 283 and 283 bytes and two directories, all with rwxrwxrwx permissions; the file names and dates did not survive extraction)
sftp-client>
g Exit from SFTP.
16 IP ROUTING PROTOCOL OPERATION
IP Routing Protocol Overview
Routers select an appropriate path through a network for an IP packet according to the destination address of the packet. Each router on the path receives the packet and forwards it to the next router. The last router in the path delivers the packet to the destination host. Each router-to-router segment of the path is treated as one logical routing unit, called a hop.
CHAPTER 16: IP ROUTING PROTOCOL OPERATION
Configuring the IP Routing Protocol is described in the following sections:
■ Selecting Routes Through the Routing Table
■ Routing Management Policy
Selecting Routes Through the Routing Table For a router, the routing table is the key to forwarding packets. Each router saves a routing table in its memory, and each entry in this table specifies the physical port of the router through which a packet is sent to a subnet or a host.
Figure 53 The routing table (routers R1 through R8 interconnecting networks 10.0.0.0 through 16.0.0.0; the figure also shows the routing table of router R8 with the columns Destination host location, Forwarding router and Port passed, for example 10.0.0.0 directly connected through port 2, 11.0.0.0 directly connected through port 1, and 12.0.0.0 reached via forwarding router 11.0.0.2 through port 1)
Supporting Load Sharing and Route Backup I. Load sharing The switch supports multi-route mode, allowing the user to configure multiple routes to the same destination with the same precedence. The same destination can then be reached over several different paths of equal precedence.
The following routes are static routes: ■ Reachable route—The IP packet is sent to the next hop towards the destination. This is the common type of static route. ■ Unreachable route—When a static route to a destination has the reject attribute, all IP packets to this destination are discarded, and the originating host is informed that the destination is unreachable.
The parameters are explained as follows: ■ IP address and mask The IP address and mask use dotted decimal format. Because the 1s in the 32-bit mask must be consecutive, the dotted decimal mask can also be replaced by the mask length, which is the number of consecutive 1s in the mask.
Displaying and Debugging Static Routes After you configure static and default routes, execute the display command in any view to display the static route configuration and to verify the effect of the configuration.
2 Configure the static routes for Ethernet Switch B
[Switch B]ip route-static 1.1.2.0 255.255.255.0 1.1.3.1
[Switch B]ip route-static 1.1.5.0 255.255.255.0 1.1.3.1
[Switch B]ip route-static 1.1.1.0 255.255.255.0 1.1.3.1
3 Configure the static routes for Ethernet Switch C
[Switch C]ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[Switch C]ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
4 Configure the default gateway of Host A to be 1.1.5.
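How the entries above are actually used, as an added example that is not part of the 3Com guide: a lookup picks the matching entry with the longest mask, forwards to its next hop, and for an entry carrying the reject attribute drops the packet and answers unreachable instead. The three Switch B routes are taken from the example; the /25 reject route and the default route are constructed additions so that the two special cases from "Static Routes" are exercised.

```python
"""Added example (not from the 3Com guide): longest-prefix-match lookup over
Switch B's static routes plus a constructed reject route and default route."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: IPv4Network
    next_hop: Optional[str] = None   # None for a reject route
    reject: bool = False             # ip route-static ... reject

    @classmethod
    def make(cls, dest: str, mask: str, next_hop: str = None, reject: bool = False):
        # Dotted decimal mask as typed on the switch; ipaddress converts it.
        return cls(IPv4Network(f"{dest}/{mask}"), next_hop, reject)


def lookup(table, dst: str):
    """Most specific matching prefix wins (longest mask). Returns
    ('forward', next_hop), ('unreachable', None) for a reject route, or
    ('no-route', None) when nothing matches."""
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return ("no-route", None)
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    if best.reject:
        # Packet is discarded and an ICMP destination unreachable is returned
        # to the source, which is what the reject attribute asks for.
        return ("unreachable", None)
    return ("forward", best.next_hop)


SWITCH_B = [
    StaticRoute.make("1.1.2.0", "255.255.255.0", "1.1.3.1"),     # from the guide
    StaticRoute.make("1.1.5.0", "255.255.255.0", "1.1.3.1"),     # from the guide
    StaticRoute.make("1.1.1.0", "255.255.255.0", "1.1.3.1"),     # from the guide
    StaticRoute.make("1.1.5.128", "255.255.255.128", reject=True),  # constructed
    StaticRoute.make("0.0.0.0", "0.0.0.0", "1.1.3.254"),         # constructed default
]

if __name__ == "__main__":
    for dst in ("1.1.2.7", "1.1.5.3", "1.1.5.200", "8.8.8.8"):
        print(dst, lookup(SWITCH_B, dst))
```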
■ Cost—The cost for the router to reach the destination, an integer in the range 0 to 16. ■ Timer—The length of time since the routing entry was last modified. The timer is reset to 0 whenever the entry is modified. ■ Route tag—Indicates whether the route was generated by an interior routing protocol or by an exterior routing protocol.
■ Enabling RIP to Import Routes of Other Protocols
■ Configuring the Default Cost for the Imported Route
■ Setting the RIP Preference
■ Setting Additional Routing Metrics
■ Configuring Route Filtering
Enabling RIP and Entering the RIP View Perform the following configurations in System View.
Table 202 Enabling RIP and Entering the RIP View
Enable RIP and enter RIP view: rip
Disable RIP: undo rip
By default, RIP is not enabled.
3Com does not recommend the use of this command, because the destination does not need to receive two copies of the same message at the same time. Note that peer should be restricted using the following commands: rip work, rip output, rip input and network. Specifying the RIP Version RIP has two versions, RIP-1 and RIP-2. You can specify the version of the RIP packets used by an interface. RIP-1 broadcasts its packets. RIP-2 can transmit packets by either broadcast or multicast.
By default, the values of the period update and timeout timers are 30 seconds and 180 seconds respectively. The value of the garbage-collection timer is four times that of the period update timer: 120 seconds. In practice, you may find that the garbage-collection timer does not expire at a fixed time: if the period update timer is set to 30 seconds, the garbage-collection time might range from 90 to 120 seconds.
In addition, the rip work command is functionally equivalent to both the rip input and rip output commands together. By default, all interfaces except loopback interfaces both receive and transmit RIP update packets. Disabling Host Routes In some cases, a router can receive many host routes from the same segment; these routes are of little help in route selection but consume a lot of network resources. Routers can be configured to reject host routes by using the undo host-route command.
Perform the following configuration in Interface View:
Table 211 Setting RIP-2 Packet Authentication
Configure RIP-2 simple authentication key: rip authentication-mode simple password_string
Configure RIP-2 MD5 authentication with the packet type following RFC 1723: rip authentication-mode md5 usual key_string
Configure RIP-2 MD5 authentication with the packet type following RFC 2082: rip authentication-mode md5 nonstandard key_string key_id
Can
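What the two authentication modes in Table 211 put on the wire, as an added example that is not part of the 3Com guide: simple authentication carries the 16-byte password in clear text in the first entry of every update, so anyone on the segment can read it and inject routes; keyed-MD5 authentication (RFC 2082, the layout the "nonstandard" keyword refers to) sends a key ID, a sequence number and a digest over the packet plus the key, so the key never appears on the wire and a modified or replayed update fails verification. The key values, key IDs and route entries are constructed, and the receiver's sequence-number check is the simplified "not lower than the last accepted" rule.

```python
"""Added example (not from the 3Com guide): RIP-2 simple vs RFC 2082 keyed-MD5
authentication on the wire, with a verifier. Keys and routes are constructed."""
import hashlib
import struct
from ipaddress import IPv4Address

RIP_RESPONSE, RIP_V2 = 2, 2
AUTH_SIMPLE, AUTH_MD5, AUTH_TRAILER = 2, 3, 1


def route_entry(prefix: str, mask: str, next_hop: str, metric: int, tag: int = 0) -> bytes:
    """One RIP-2 route entry: AFI=2 (IP), route tag, address, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", 2, tag, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


def header() -> bytes:
    return struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)


def simple_auth_packet(password: str, entries) -> bytes:
    """RFC 2453 simple authentication: the password sits in the first entry."""
    pw = password.encode().ljust(16, b"\0")[:16]
    return header() + struct.pack("!HH16s", 0xFFFF, AUTH_SIMPLE, pw) + b"".join(entries)


def md5_auth_packet(key_id: int, key: str, seq: int, entries) -> bytes:
    """RFC 2082: an authentication entry up front, a trailer with the digest
    at the end; the digest is MD5 over the packet with the padded key in
    place of the digest."""
    body = b"".join(entries)
    pkt_len = 4 + 20 + len(body)          # everything before the trailer
    auth_entry = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, pkt_len, key_id, 16, seq)
    trailer = struct.pack("!HH", 0xFFFF, AUTH_TRAILER)
    key16 = key.encode().ljust(16, b"\0")[:16]
    digest = hashlib.md5(header() + auth_entry + body + trailer + key16).digest()
    return header() + auth_entry + body + trailer + digest


def verify_md5(packet: bytes, keys: dict, last_seq: int = -1) -> bool:
    """True only if the key named by key_id is known, the digest matches and
    the sequence number is not lower than the last one accepted."""
    if len(packet) < 44 or packet[4:8] != struct.pack("!HH", 0xFFFF, AUTH_MD5):
        return False
    pkt_len, key_id, auth_len, seq = struct.unpack("!HBBI", packet[8:16])
    key = keys.get(key_id)
    if key is None or auth_len != 16 or seq < last_seq or pkt_len + 20 != len(packet):
        return False
    key16 = key.encode().ljust(16, b"\0")[:16]
    expected = hashlib.md5(packet[:pkt_len + 4] + key16).digest()
    return packet[pkt_len + 4:pkt_len + 20] == expected


ENTRIES = [route_entry("155.10.1.0", "255.255.255.0", "0.0.0.0", 1)]   # constructed
KEYS = {1: "constructed-key"}

if __name__ == "__main__":
    pkt = md5_auth_packet(1, KEYS[1], 42, ENTRIES)
    print(len(pkt), verify_md5(pkt, KEYS))
    print(b"secret" in simple_auth_packet("secret", ENTRIES))
```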
Perform the following configurations in RIP View.
Table 214 Configuring the Default Cost for the Imported Route
Configure the default cost for the imported route: default cost value
Restore the default cost of the imported route: undo default cost
By default, the cost value for a RIP imported route is 1. Setting the RIP Preference Each routing protocol has its own preference, by which the routing policy selects the optimal route from among the routes of different protocols.
Perform the following configurations in RIP View.
Traffic Sharing Across RIP Interfaces Equal-cost routes are routes with the same destination but different next hop addresses in a routing table. After traffic sharing across RIP interfaces is enabled, the system distributes the traffic evenly over its RIP interfaces through the equal-cost routes. Configuration Procedure You can perform the following operations to configure traffic sharing across RIP interfaces.
Networking Diagram
Figure 55 RIP configuration networking (SwitchA with interface address 155.10.1.1/24 on network 155.10.1.0/24 and interface address 110.11.2.1/24; SwitchC with interface address 110.11.2.2/24 and 117.102.0.1/16 on network 117.102.0.0/16; SwitchB with interface address 196.38.165.1/24 on network 196.38.165.0/24; the switches joined by Ethernet)
Configuration Procedure The following configuration only shows the operations related to RIP.
OSPF Configuration Open Shortest Path First (OSPF) is a link-state Interior Gateway Protocol developed by the IETF. Only the Switch 5500-EI supports the OSPF protocol. The Switch 5500 uses OSPF version 2 (RFC 2328), which has the following features: Calculating OSPF Routes ■ Scope—Supports networks of various sizes and can support several hundred routers.
OSPF Packets OSPF uses five types of packets: ■ Hello Packet. The Hello packet is the most common packet sent by the OSPF protocol. A router periodically sends it to its neighbors. It contains the values of some timers, the DR, the BDR and the known neighbors. ■ Database Description (DD) Packet. When two routers synchronize their databases, they use DD packets to describe their own LSDBs, including the digest of each LSA.
■ Backup Designated Router (BDR) If the DR fails, a new DR must be elected and synchronized with the other routers on the segment. This process takes a relatively long time, during which routing is incorrect. To shorten the process, OSPF elects a BDR as backup for the DR, at the same time as the DR. Adjacencies are also established between the BDR and all the routers on the segment, and routing information is exchanged between them as well.
■ Setting the Interface Priority for DR Election
■ Configuring the Peer
■ Setting the Interval of Hello Packet Transmission
■ Setting a Dead Timer for the Neighboring Routers
■ Configuring an Interval Required for Sending LSU Packets
■ Setting an Interval for LSA Retransmission between Neighboring Routers
■ Setting a Shortest Path First (SPF) Calculation Interval for OSPF
■ Configuring STUB Area of OSPF
■ Configuring the NSSA of OSPF
■ Config
Entering OSPF Area View Perform the following configurations in OSPF View.
Table 222 Entering OSPF Area View
Enter an OSPF Area View: area area_id
Delete a designated OSPF area: undo area area_id
area_id is the ID of the OSPF area, which can be a decimal integer or in IP address format. Specifying the Interface OSPF divides the AS into different areas. You must configure each OSPF interface to belong to a particular area, identified by an area ID.
Configuring the Network Type on the OSPF Interface The route calculation of OSPF is based upon the topology of the network adjacent to the local router. Each router describes the topology of its adjacent network and transmits it to all the other routers. OSPF divides networks into four types by link layer protocol: ■ Broadcast—If Ethernet or FDDI is used, OSPF defaults the network type to broadcast.
Configuring the Cost for Sending Packets on an Interface You can control network traffic by configuring different packet sending costs for different interfaces. Otherwise, OSPF automatically calculates the cost from the bandwidth of the interface.
Perform the following configuration in Interface View:
Table 227 Setting the Interface Priority for DR Election
  Operation                                                  Command
  Configure the interface with a priority for DR election    ospf dr-priority priority_num
  Restore the default interface priority                     undo ospf dr-priority
By default, the priority of the interface is 1 in the DR election. The value can be taken from 0 to 255.
Setting a Dead Timer for the Neighboring Routers
If hello packets are not received from a neighboring router, that router is considered dead. The dead timer of neighboring routers refers to the interval after which a router considers a neighboring router dead. You can set a dead timer for the neighboring routers.
The value of the interval should be bigger than the time in which a packet can be transmitted and returned between the two routers. An LSA retransmission interval that is too small causes unnecessary retransmissions.
Setting a Shortest Path First (SPF) Calculation Interval for OSPF
Whenever the OSPF LSDB changes, the shortest path requires recalculation.
By default, the STUB area is not configured, and the cost of the default route to the STUB area is 1.
Configuring the NSSA of OSPF
To keep the advantages of stub areas and simultaneously improve the networking flexibility, RFC1587 (OSPF NSSA Option) defines a new type of area, namely NSSA, which has the capability of importing external routes in a limited way. An NSSA is similar to a Stub area.
generated on the ABR, even though the default route 0.0.0.0 is not in the routing table. On an ASBR, however, the default type-7 LSA route can be generated only if the default route 0.0.0.0 is in the routing table. Executing the no-import-route command on the ASBR prevents the external routes that OSPF imported through the import-route command from being advertised to the NSSA. Generally, this argument is used when an NSSA router is both ASBR and ABR.
After the summarization of imported routes is configured, if the local router is an autonomous system border router (ASBR), this command summarizes the imported Type-5 LSAs in the summary address range. When NSSA is configured, this command also summarizes the imported Type-7 LSAs in the summary address range. If the local router works as an area border router (ABR) and a router in the NSSA, this command summarizes the Type-5 LSAs translated from Type-7 LSAs.
Configuring the OSPF Area to Support Packet Authentication
All the routers in an area must use the same authentication mode. In addition, all routers on the same segment must use the same authentication key password. Use the authentication-mode simple command to configure a simple authentication password for the area, and the authentication-mode md5 command to configure the MD5 authentication password. Note that simple authentication carries the password in clear text in every OSPF packet, whereas MD5 authentication sends only a digest keyed with the password, so MD5 is the stronger choice where all routers in the area support it. Perform the following configuration in OSPF Area View.
Intra-area and inter-area routes describe the internal AS topology, whereas the external routes describe how to select the route to destinations beyond the AS. The external type-1 routes refer to imported IGP routes (such as static routes and RIP). Since these routes are more reliable, the calculated cost of the external routes is the same as the cost of routes within the AS. Also, this route cost and the route cost of OSPF itself are comparable.
Table 242 Configuring Parameters for OSPF to Import External routes (continued)
  Operation                                                                                  Command
  Restore the default upper limit to the external routes that can be imported at a time     undo default limit
  Configure the default cost for the OSPF to import external routes                         default cost value
  Restore the default cost for the OSPF to import external routes                           undo default cost
  Configure the default tag for the OSPF to import external routes                          default tag tag
  Res
Configuring OSPF Route Filtering
Perform the following configuration in OSPF View.
Disabling the Interface to Send OSPF Packets
Use the silent-interface command to prevent the interface from transmitting OSPF packets. Perform the following configuration in OSPF View.
Perform the following configuration in System View.
Table 252 Displaying and debugging OSPF
  Operation                                       Command
  Display OSPF routing table                      display ospf [ process_id ] routing
  Display OSPF virtual links                      display ospf [ process_id ] vlink
  Display OSPF request list                       display ospf [ process_id ] request-queue
  Display OSPF retransmission list                display ospf [ process_id ] retrans-queue
  Display the information of OSPF ABR and ASBR    display ospf [ process_id ] abr-asbr
  Display the summary information of              display os
The commands listed in the following examples enable Switch A and Switch C to be DR and BDR, respectively. The priority of Switch A is 100, which is the highest on the network, so it is elected as the DR. Switch C has the second highest priority, so it is elected as the BDR. The priority of Switch B is 0, which means that it cannot be elected as the DR, and Switch D does not have a priority configured, and therefore takes priority 1 by default.
Only when the current DR is offline does the DR change. Shut down Switch A, and run the display ospf peer command on Switch D to display its neighbors. Note that the original BDR (Switch C) becomes the DR, and Switch B is the new BDR. If all Ethernet Switches on the network are removed and added again, Switch B is elected as the DR (with a priority of 200), and Switch A becomes the BDR (with a priority of 100).
[Switch B-ospf-1]area 1
[Switch B-ospf-1-area-0.0.0.1]network 197.1.1.0 0.0.0.255
[Switch B-ospf-1-area-0.0.0.1]vlink-peer 3.3.3.3
3 Configure Switch C:
[Switch C]interface Vlan-interface 1
[Switch C-Vlan-interface1]ip address 152.1.1.1 255.255.255.0
[Switch C]interface Vlan-interface 2
[Switch C-Vlan-interface2]ip address 197.1.1.1 255.255.255.0
[Switch C]router id 3.3.3.
Troubleshooting OSPF
■ Ensure the backbone area connects with all other areas.
■ The virtual links cannot pass through the STUB area.
Troubleshooting globally: If OSPF cannot discover the remote routes and you have checked all troubleshooting items listed above, check the following configurations:
■ If more than two areas are configured on a router, at least one area should be configured as the backbone area.
IP Routing Policy 259
and the matching objects are attributes of routing information. The if-match clauses of a node are combined as a series of Boolean "AND" statements. As a result, a match is found only if all the matching conditions specified by the if-match clauses are satisfied. The apply clause specifies the actions that are performed on the attribute settings of the route information after the node match test succeeds.
Defining a Route Policy
A route policy can include multiple nodes. Each node is a unit for the matching operation. The nodes are tested in order of their node_number. Perform the following configurations in System View.
Table 254 Defining if-match Conditions (continued)
  Operation                                                                                 Command
  Cancel the matched next-hop of the routing information set by ACL                         undo if-match ip next-hop
  Cancel the matched next-hop of the routing information set by the address prefix list     undo if-match ip next-hop ip-prefix
  Match the routing cost of the routing information                                         if-match cost cost
  Cancel the matched routing cost of the routing information                                undo if-match cost
  Match the tag domain of the OSPF routing informatio
Perform the following configuration in Routing Protocol View.
Table 256 Configuring to import the routes of other protocols
  Operation                                  Command
  Import routes of other protocols           import-route protocol [ cost cost ] [ tag value ] type { 1 | 2 } [ route-policy route_policy_name ]
  Do not import routes of other protocols    undo import-route protocol
By default, the routes discovered by other protocols are not distributed.
Table 258 Configuring the Filtering of Received Routes
  Operation                                                                                       Command
  Configure to filter the received routing information distributed by the specified address      filter-policy gateway ip_prefix_name import
  Cancel the filtering of the received routing information distributed by the specified address  undo filter-policy gateway ip_prefix_name import
  Configure to filter the received global routing information                                    filter-policy { acl_number | ip-prefix ip_prefix_name } [ gateway ] impo
stop forwarding the packet to the network. Using the following configuration tasks, you can choose to forward the broadcast packet to the network for broadcast. Perform the following configuration in system view.
Route Capacity Configuration 265
c Enable the OSPF protocol and specify the number of the area to which the interface belongs.
[Switch A]router id 1.1.1.1
[Switch A]ospf
[Switch A-ospf-1]area 0
[Switch A-ospf-1-area-0.0.0.0]network 10.0.0.0 0.255.255.255
d Import the static routes.
[Switch A-ospf-1]import-route static
2 Configure Switch B:
a Configure the IP address of the VLAN interface.
[Switch B]interface vlan-interface 100
[Switch B-Vlan-interface100]ip address 10.0.0.2 255.0.0.
to add new routes to the routing table and whether or not to keep the connection with a routing protocol. The default value normally meets the network requirements. You must be careful when modifying the configuration to avoid reducing the stability of the network.
Limiting Route Capacity
The size of the routing table is determined by OSPF routes.
Displaying and Debugging Route Capacity
Enter the display command in any view to display the operation of the Route Capacity configuration.
17 NETWORK PROTOCOL OPERATION
This chapter covers the following topics:
■ IP Address Configuration
■ ARP Configuration
■ Resilient ARP Configuration
■ BOOTP Client Configuration
■ DHCP Configuration
■ Access Management Configuration
■ UDP Helper Configuration
■ IP Performance Configuration
IP Address Configuration
This section contains IP Address Configuration information.
IP Address Overview
CHAPTER 17: NETWORK PROTOCOL OPERATION
When using IP addresses, note that some of them are reserved for special uses, and are seldom used. The IP addresses you can use are listed in Table 265.
Table 265 IP Address Classes and Ranges
  Network class    Address range                 IP network range        Note
  A                0.0.0.0 to 127.255.255.255    1.0.0.0 to 126.0.0.0    Host ID with all the digits being 0 indicates that the IP address is the network address, and is used for network routing.
IP Address Configuration 271
address. If there is no subnet division, then its subnet mask is the default value and the length of the run of "1" bits indicates the net-id length. Therefore, for IP addresses of classes A, B and C, the default values of the corresponding subnet mask are 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively. The mask can be used to divide a Class A network containing more than 16,000,000 hosts or a Class B network containing more than 60,000 hosts into multiple small networks.
Perform the following configuration in System View.
Table 266 Configuring the Host Name and the Corresponding IP Address
  Operation                                                  Command
  Configure the hostname and the corresponding IP address    ip host hostname ip_address
  Delete the hostname and the corresponding IP address       undo ip host hostname [ ip_address ]
By default, there is no host name associated with any host IP address.
ARP Configuration 273
IP Address Configuration Example
Networking Requirements
Configure the IP address as 129.2.2.1 and subnet mask as 255.255.255.0 for VLAN interface 1 of the Switch.
Networking Diagram
Figure 63 IP Address Configuration Networking [diagram: a PC connected to the Switch by a console cable]
Configuration Procedure
1 Enter VLAN interface 1.
[SW5500]interface vlan-interface 1
2 Configure the IP address for VLAN interface 1.
[SW5500-vlan-interface1]ip address 129.2.2.1 255.255.255.
Suppose there are two hosts on the same network segment: Host A and Host B. The IP address of Host A is IP_A and the IP address of Host B is IP_B. Host A will transmit messages to Host B. Host A first checks its own ARP mapping table to see whether it already holds an ARP entry for IP_B.
Introduction to Gratuitous ARP 275
Note that:
■ A static ARP map entry remains valid as long as the Switch works normally. But if the VLAN corresponding to the ARP mapping entry is deleted, the ARP mapping entry is also deleted. Dynamic ARP map entries remain valid for only 20 minutes by default.
■ The parameter vlan-id must be the ID of a VLAN that has been created by the user, and the Ethernet port specified after this parameter must belong to that VLAN.
By sending gratuitous ARP packets, a network device can:
■ Determine whether or not IP address conflicts exist between it and other network devices.
■ Trigger other network devices to update the hardware address they hold for it in their caches.
Resilient ARP Configuration
This section contains configuration information for Resilient ARP.
Overview of Resilient ARP
To support resilient networking in XRN applications, redundant links are required between the XRN fabric and other devices.
You can use the following command to configure through which VLAN interface the resilient ARP packet is sent. The system provides a default VLAN interface to send resilient ARP packets. Perform the following configuration in System View.
BOOTP Client Configuration 279
Networking Diagram
Figure 64 Networking for Resilient ARP Configuration [diagram: an XRN fabric of Unit 1, Unit 2, Unit 3 and Unit 4 connected to a Switch]
Configuration Procedure
1 Enable the resilient ARP function.
[SW5500]resilient-arp enable
2 Set VLAN interface 2 to send resilient ARP packets.
[SW5500]resilient-arp interface vlan-interface 2
BOOTP Client Configuration
Overview of BOOTP Client
This section contains configuration information for BOOTP Client.
BOOTP Client Configuration
BOOTP client configuration is described in the following section.
Configuring a VLAN Interface to Obtain the IP Address Using BOOTP
Perform the following configuration in VLAN Interface View.
DHCP Configuration 281
Figure 65 Typical DHCP Application [diagram: one DHCP server and several DHCP clients on a LAN]
To obtain valid dynamic IP addresses, the DHCP client exchanges different types of information with the server at different stages.
■ A DHCP client extends its IP lease period
There is a time limit for the IP addresses leased to DHCP clients. The DHCP server withdraws the IP addresses when their lease period expires. If the DHCP client wants to continue using the old IP address, it has to extend the IP lease. In practice, the DHCP client, by default, sends a DHCP_Request message to the DHCP server when half of the IP lease period has elapsed, to renew the IP lease.
Option 82 supporting
Introduction to option 82 supporting
Option 82 is the relay agent information option in DHCP packets. When a request packet from a DHCP client travels through a DHCP relay on its way to the DHCP server, the DHCP relay adds option 82 to the request packet. Option 82 includes many sub-options, but the DHCP server supports only sub-option 1 and sub-option 2 at present.
■ Len: Specifies the length of the agent information field.
■ Agent information field: Specifies the sub-options used.
2 Sub-option format
Figure 68 illustrates the sub-option format.
Figure 68 Sub-option format
■ SubOpt: Sub-option number.
Mechanism of option 82 supporting on DHCP relay
The procedure for a DHCP client to obtain an IP address from a DHCP server through a DHCP relay is exactly the same as that for the client to obtain an IP address from a DHCP server directly. The mechanism of option 82 supporting on a DHCP relay is as follows.
1 A DHCP client broadcasts a request packet when it initiates.
2 If a DHCP server exists in the local network, it assigns an IP address to the DHCP client directly.
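As an added example (not code from the 3Com guide), the following Python walks the DHCP options field of a constructed DHCPDISCOVER, locates option 82 and decodes its circuit ID (sub-option 1) and remote ID (sub-option 2) using the Code/Len/Value layout described above; the sample bytes, the circuit ID encoding and the relay MAC are constructed for illustration.

```python
"""Decode DHCP option 82 (relay agent information) sub-options 1 and 2.

Added example, not from the 3Com guide. The DHCP options field is a sequence
of Code / Len / Value triples; option 82 carries its own Code / Len / Value
sub-options. Because the relay inserts option 82 on the client's request, a
server or a DHCP-snooping device can tell which relay and port a request
entered on, which is the basis for per-port address validity checks.
"""
from typing import Dict, Iterator, Optional, Tuple

OPT_PAD = 0            # single-byte padding, only at the DHCP option level
OPT_END = 255          # end-of-options marker, only at the DHCP option level
OPT_RELAY_AGENT = 82   # relay agent information option
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def iter_tlvs(buf: bytes, dhcp_level: bool) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, value) for each Code/Len/Value triple in buf.

    dhcp_level=True honours the PAD and END codes of the DHCP options field;
    inside option 82 every byte belongs to a sub-option, so those codes do
    not apply there. A truncated encoding raises ValueError rather than
    yielding a partial value.
    """
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if dhcp_level and code == OPT_END:
            return
        if i + 1 >= len(buf):
            raise ValueError(f"option {code}: length byte missing")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: declared {length} bytes, "
                             f"only {len(value)} present")
        yield code, value
        i += 2 + length


def parse_option82(options: bytes) -> Optional[Dict[int, bytes]]:
    """Return {sub-option code: value} for option 82, or None if absent."""
    for code, value in iter_tlvs(options, dhcp_level=True):
        if code == OPT_RELAY_AGENT:
            return dict(iter_tlvs(value, dhcp_level=False))
    return None


def remote_id_as_mac(remote_id: bytes) -> str:
    """Render a 6-byte remote ID (commonly the relay's MAC) as aa:bb:cc:dd:ee:ff."""
    if len(remote_id) != 6:
        raise ValueError("remote ID is not a 6-byte MAC address")
    return ":".join(f"{b:02x}" for b in remote_id)


# Constructed DHCPDISCOVER options field (not a captured packet):
#   option 53 len 1  -> message type 1 (DHCPDISCOVER)
#   option 82 len 14 -> sub-option 1 len 4 (circuit ID, constructed encoding)
#                       sub-option 2 len 6 (remote ID, constructed relay MAC)
#   option 255       -> end of options
SAMPLE_OPTIONS = (
    b"\x35\x01\x01"
    + b"\x52\x0e"
    + b"\x01\x04" + b"\x00\x0a\x00\x01"
    + b"\x02\x06" + b"\x00\x0a\x0b\x0c\x0d\x0e"
    + b"\xff"
)


if __name__ == "__main__":
    subs = parse_option82(SAMPLE_OPTIONS)
    print("circuit ID:", subs[SUBOPT_CIRCUIT_ID].hex())
    print("remote ID: ", remote_id_as_mac(subs[SUBOPT_REMOTE_ID]))
```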
DHCP Relay Configuration
DHCP relay configuration is described in the following sections:
■ Enabling DHCP
■ Configuring the DHCP Server Group for the VLAN Interfaces
■ Configuring the User Address Entry for the DHCP Server Group
■ Enabling/Disabling the DHCP Security Feature on the VLAN interface
Enabling DHCP
Be sure to enable DHCP before you perform other DHCP relay-related configuration, for other DHCP-related configurations cannot
Configuring the User Address Entry for the DHCP Server Group
To ensure that a valid user with a fixed IP address in a VLAN configured with DHCP Relay passes the address validity check of the DHCP security feature, you must add a static address entry which indicates the correspondence between an IP address and a MAC address.
to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP cannot be updated in time. The dynamic user address entry updating function is developed to resolve this problem.
Table 287 Enable option 82 supporting on a DHCP relay
  Operation                                       Command                          Description
  Enable option 82 supporting on the DHCP relay   dhcp relay information enable    Required. By default, this function is disabled.
Option 82 Supporting Configuration Example
6 Return to system view.
[S5500-vlan-interface 100] quit
7 Enable option 82 supporting on the DHCP relay, with the keep keyword specified.
Figure 71 Interaction between a DHCP client and a DHCP server.
DHCP Snooping Configuration
DHCP snooping listens to the following two types of packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients:
■ DHCP-ACK packet
■ DHCP-REQUEST packet
Table 288 shows the configuration specifications for DHCP snooping.
Configuration Example
I. Network requirements
As shown in Figure 71, the Ethernet1/0/1 port of Switch A (an S5500 series switch) is connected to Switch B (acting as a DHCP relay). A network segment containing some DHCP clients is connected to the Ethernet1/0/2 port of Switch A.
■ The DHCP snooping function is enabled on Switch A.
■ The GigabitEthernet1/0/1 port of Switch A is a trusted port.
Configuration procedure
1 Enter system view.
Introduction to DHCP Accounting 293
■ Length: Two bytes, identifying the total length of the accounting packet.
■ Authenticator: 16 bytes, used to authenticate the exchange between the RADIUS server and client.
The Attributes field contains multiple sub-fields. The content of the Attributes field is slightly different between an Accounting START packet and an Accounting STOP packet, as described in the following text.
DHCP Accounting Fundamentals
After you complete AAA and RADIUS configuration on a switch with the DHCP server function enabled, the DHCP server acts as a RADIUS client. The authentication process of the DHCP server acting as a RADIUS client is not covered here; the following describes only the accounting interaction between the DHCP server and the RADIUS server.
DHCP Accounting Configuration
■ DHCP accounting is enabled on the DHCP server.
■ The IP addresses of the global DHCP address pool belong to the network segment 10.1.1.0/24. The DHCP server operates as a RADIUS client and adopts AAA for authentication.
Network diagram
Figure 73 Network diagram for DHCP accounting configuration [diagram: the DHCP Server connects through GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2; VLAN 2 (10.1.1.1/24) faces the DHCP Client and VLAN 3 (10.1.2.1/24) faces the RADIUS Server 10.1.2.]
11 Enter VLAN 3 interface view and assign the IP address 10.1.2.1/24 to the VLAN interface.
[S5500] interface vlan-interface 3
[S5500-Vlan-interface3] ip address 10.1.2.1 24
12 Return to system view.
[S5500-Vlan-interface3] quit
13 Create a domain and a RADIUS scheme. Associate the domain with the RADIUS scheme.
[S5500] radius scheme 123
[S5500-radius-123] primary authentication 10.1.2.2
[S5500-radius-123] primary accounting 10.1.2.
DHCP Relay Displaying
You can verify your DHCP relay-related configuration by executing the following display commands in any view.
Configuration Procedure
1 Create a DHCP server group that will use two DHCP servers (a master and an optional backup) and assign it the IP addresses of the two DHCP servers (the first IP address is the master).
[SW5500]dhcp-server 0 ip 192.168.1.1 192.168.2.1
2 Configure the Switch so all clients use DHCP server group '0'.
Access Management Configuration 299
Troubleshooting DHCP Relay Configuration
Perform the following procedure if a user cannot apply for an IP address dynamically:
1 Use the display dhcp-server groupNo command to check if the IP address of the corresponding DHCP Server has been configured.
2 Use the display vlan and display ip interface vlan-interface commands to check if the VLAN and the corresponding interface IP address have been configured.
Table 293 Enabling/Disabling the Access Management Function
  Operation                               Command
  Disable access management function      undo am enable
By default, the system disables the access management function.
Configuring the Access Management IP Address Pool Based on the Port
You can use the following command to set the IP address pool for access management on a port.
■ In the same aggregation group, the port isolation feature on one unit is consistent.
■ If a port is removed from an aggregation group, its port isolation configuration will not change.
■ If a port of an aggregation group is isolated on unit 1, then you can achieve port-to-port isolation between this aggregation group and all the ports of the isolation group on unit 1.
Access Management Configuration Example
Networking Requirements
Organization 1 is connected to port 1 of the Switch, and organization 2 to port 2. Ports 1 and 2 belong to the same VLAN. The IP address range 202.10.20.1 to 202.10.20.20 can be accessed from port 1, and the range 202.10.20.21 to 202.10.20.50 from port 2. Organization 1 and organization 2 cannot communicate with each other.
UDP Helper Configuration 303
To delete this feature, enter:
system-view
[SW5500]acl number 2500
[SW5500-acl-basic-2500]undo rule 0
UDP Helper Configuration
This section contains UDP Helper configuration information.
Overview of UDP Helper
The major function of the UDP Helper is to relay-forward UDP broadcast packets; that is, it converts UDP broadcast packets into unicast packets and sends them to the designated server, acting as a relay.
Table 300 Default UDP Ports List
  Protocol                                                      UDP port ID
  NetBIOS Name Service (NetBIOS-NS)                             137
  NetBIOS Datagram Service (NetBIOS-DS)                         138
  Terminal Access Controller Access Control System (TACACS)     49
Perform the following configuration in System View.
IP Performance Configuration 305
Displaying and Debugging UDP Helper Configuration
After the above configuration, enter the display command in any view to display the running state of the UDP Helper destination server, and to verify the effect of the configuration. Enter the debugging command in User View to debug the UDP Helper configuration.
be terminated. The synwait timer range is 2 to 600 seconds, and it is 75 seconds by default.
■ finwait timer: When the TCP connection state turns from FIN_WAIT_1 to FIN_WAIT_2, the finwait timer is started. If FIN packets are not received before the finwait timer expires, the TCP connection is terminated. The finwait timer range is 76 to 3600 seconds. By default, the finwait timer is 675 seconds.
Table 305 Displaying and Debugging IP Performance
  Operation                                  Command
  Display the total number of FIB entries    display fib statistics [ { begin | include | exclude } text ]
  Reset IP statistics information            reset ip statistics
  Reset TCP statistics information           reset tcp statistics
  Reset UDP statistics information           reset udp statistics
Troubleshooting IP Performance
Fault: IP layer protocol works normally but TCP and UDP cannot work normally.
18 MULTICAST PROTOCOL
This chapter includes information on the following:
■ IP Multicast Overview
■ IGMP Snooping
■ Common Multicast Configuration
■ Internet Group Management Protocol (IGMP)
■ PIM-DM Overview
■ PIM-SM Overview
The Switch 5500-EI supports all of the multicast protocols listed in this manual; however, the Switch 5500-SI only supports the IGMP Snooping protocol.
IP Multicast Overview
CHAPTER 18: MULTICAST PROTOCOL
Figure 78 Comparison between the unicast and multicast transmission [diagram: two panels, Unicast and Multicast, each showing a Server and several Receivers]
A multicast source does not necessarily belong to a multicast group. It only sends data to the multicast group and is not necessarily a receiver. Multiple sources can send packets to a multicast group simultaneously. A router that does not support multicast may exist on the network.
IP Multicast Overview 311
Ranges and meanings of Class D addresses are shown in Table 306.
Table 306 Ranges and meaning of Class D addresses
  Class D address range          Meaning
  224.0.0.0~224.0.0.255          Reserved multicast addresses (addresses of permanent groups). Address 224.0.0.0 is reserved. The other addresses can be used by routing protocols.
  224.0.1.0~238.255.255.255      Multicast addresses available for users (addresses of temporary groups). They are valid in the entire network.
  239.0.0.0~239.255.255.
Figure 79 Mapping between the multicast IP address and the Ethernet MAC address [diagram: 32-bit IP address 1110XXXX XXXXXXXX XXXXXXXX XXXXXXXX; the 5 bits after the 1110 prefix are not mapped; the lower 23 bits are copied directly into the 48-bit MAC address]
Only 23 of the last 28 bits in the IP multicast address are mapped to the MAC address. Therefore, 32 IP multicast addresses are mapped to the same MAC address.
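As an added example (not code from the 3Com guide), the following Python performs the mapping just described and enumerates the 32 group addresses that collide on one MAC; this matters for any Layer 2 device that filters or snoops multicast by MAC rather than by the full IP group. The 01:00:5e prefix is the standard IPv4 multicast MAC prefix; the group addresses used are constructed.

```python
"""Map IP multicast groups to Ethernet MAC addresses and list aliases.

Added example, not from the 3Com guide. A Class D address is 1110 followed by
28 bits; only the low 23 bits are copied into the 01:00:5e:00:00:00 MAC
prefix, so the 4 unused bits of the first octet and the top bit of the
second octet leave 2**5 = 32 groups sharing one MAC. A Layer 2 device that
filters or snoops by MAC cannot tell those 32 groups apart.
"""
import ipaddress
from typing import List

MCAST_MAC_PREFIX = 0x01005E000000   # 01:00:5e:00:00:00, bit 23 fixed to 0
LOW23_MASK = 0x7FFFFF


def multicast_mac(group: str) -> str:
    """Return the Ethernet MAC address a multicast group maps to."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a Class D (224.0.0.0/4) address")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW23_MASK)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(group: str) -> List[str]:
    """All 32 Class D addresses that share a MAC with `group`, ascending."""
    low23 = int(ipaddress.IPv4Address(group)) & LOW23_MASK
    result = []
    for high4 in range(16):       # bits 27..24: first octet 224 .. 239
        for bit23 in (0, 1):      # bit 23: top bit of the second octet, not mapped
            value = (0xE << 28) | (high4 << 24) | (bit23 << 23) | low23
            result.append(str(ipaddress.IPv4Address(value)))
    return result


def shares_mac(group_a: str, group_b: str) -> bool:
    """True when a MAC-based filter for group_a would also pass group_b."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    wanted = "239.1.1.1"   # constructed group address
    print(wanted, "->", multicast_mac(wanted))
    print("groups indistinguishable at Layer 2:",
          ", ".join(colliding_groups(wanted)))
```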
PIM-DM (Protocol-Independent Multicast Dense Mode)
PIM dense mode is suitable for small networks. It assumes that each subnet in the network contains at least one receiver interested in the multicast source. As a result, multicast packets are flooded to all points of the network, consuming network bandwidth and increasing router processing.
Applying Multicast
IP multicast technology effectively solves the problem of packet forwarding from single-point to multi-point. It implements highly-efficient data transmission from single-point to multi-point in IP networks and can save a large amount of network bandwidth and reduce network loads.
IGMP Snooping 315
Figure 81 Multicast packet transmission when IGMP Snooping runs [diagram: a video stream from a VOD server on the Internet/Intranet passes through a multicast router to a Layer 2 Ethernet Switch (Switch 5500), which forwards it to the multicast group member and not to the non-multicast group members]
IGMP Snooping Terminology
Table 308 explains switching terminology relevant to IGMP Snooping.
Figure 82 Implementing IGMP Snooping [diagram: a router running IGMP on the Internet exchanges IGMP packets with a Switch 5500 running IGMP Snooping and an Ethernet Switch running IGMP Snooping]
Table 309 explains IGMP Snooping terminology.
Table 309 IGMP Snooping Terminology
  Term                          Meaning
  IGMP general query message    Transmitted by the multicast router to query which multicast group contains members.
Table 309 IGMP Snooping Terminology (continued)
  Term                          Meaning
  IGMP leave message            Transmitted from the multicast group member to the multicast router, to notify that a host has left the multicast group. The Switch 5500 transmits the specific query message, concerning the group, to the port that received the message in an effort to check if the port still has other members of this group, and then starts a maximum response timer.
Configuring IGMP Snooping
Perform the following configuration in system view.
Table 311 Configuring router port aging time
  Operation                            Command
  Configure router port aging time     igmp-snooping router-aging-time seconds
  Restore the default aging time       undo igmp-snooping router-aging-time
By default, the router port aging time is 105 seconds.
Configuring Maximum Response Time
Use the commands in Table 312 to manually configure the maximum response time.
If IGMP fast leave processing is enabled, when receiving an IGMP Leave message, IGMP Snooping immediately removes the port from the multicast group. When a port has only one user, enabling IGMP fast leave processing on the port can save bandwidth.
Table 316 Configure the maximum number of multicast groups on a port (continued)
  Operation                                                             Command                                                       Description
  Configure the maximum number of multicast groups the port can join.   igmp-snooping group-limit [ vlan vlan-list | overflow-replace ]   Required. By default, there is no limit on the number of the multicast groups the port can join.
Configuring Multicast VLAN
Table 318 Configure multicast VLAN on Layer 2 switch (continued)
  Operation                                                              Command                                            Description
  Enable multicast VLAN                                                  service-type multicast                             Required
  Exit the VLAN view                                                     quit                                               —
  Enter the view of the Ethernet port connected to the Layer 3 switch    interface interface-type interface-num             —
  Define the port as a trunk or hybrid port                              port link-type { trunk | hybrid }                  —
  Set the VLAN IDs allowed for the Ethernet port                         hybrid vlan vlan-id-list { tagged | untagged }     The multicast VLAN m
Configuration Example—Enable IGMP Snooping
Networking Requirements
To implement IGMP Snooping on the switch, first enable it. The switch is connected to the router via the router port, and to user PCs through the non-router ports on VLAN 10.
Networking Diagram
Figure 83 IGMP Snooping configuration network [diagram: Internet, Router, Multicast Switch]
Configuration Procedure
Enable IGMP Snooping globally.
[SW5500]igmp-snooping enable
Enable IGMP Snooping on VLAN 10.
Common Multicast Configuration 323
Diagnosis 3: The multicast forwarding table set up on the bottom layer is wrong.
1 Enable IGMP Snooping group in user view and then input the display igmp-snooping group command to check whether the MAC multicast forwarding table in the bottom layer and the one created by IGMP Snooping are consistent. You may also input the display mac vlan command in any view to check whether the MAC multicast forwarding table under the vlanid in the bottom layer and the one created by IGMP Snooping are consistent.
Multicast MAC Address Entry Configuration
In Layer 2 multicast, the system can add multicast forwarding entries dynamically through the Layer 2 multicast protocol. However, you can also manually create a static multicast address entry to bind a port to a multicast address. Generally, when receiving a multicast packet whose multicast address has not yet been registered on the switch, the switch broadcasts the packet in the VLAN.
Common Multicast Configuration 325 Multicast Source Deny Configuration The purpose of the multicast source deny feature is to filter out multicast packets on an unauthorized multicast source port to prevent the user connected to the port from setting up a multicast server without permission.
The forwarding entries in MFC are deleted along with the routing entries in the multicast kernel routing table.
Displaying and Debugging Common Multicast Configuration
Execute the display command in any view to display the running of the multicast configuration, and to verify the effect of the configuration. Execute the debugging command in User View to debug multicast.
Internet Group Management Protocol (IGMP) 327
IGMP is not symmetric on hosts and routers. Hosts need to respond to IGMP query messages from the multicast router, that is, report their group membership to the router. The router needs to send membership query messages periodically to discover, according to the received response messages, whether hosts on its subnets join the specified group.
Configuring IGMP
Basic IGMP configuration includes:
■ Enabling Multicast
■ Enabling IGMP on an Interface
Advanced IGMP configuration includes:
■ Configuring the IGMP Version
■ Configuring the Interval and the Number of IGMP Query Packets
■ Configuring the Limit of IGMP Groups on an Interface
■ Configuring a Router to Join Specified Multicast Group
■ Limiting Multicast Groups An Interface Can Access
■ Configuring the Interval to Send IGMP Query Message
■
Internet Group Management Protocol (IGMP) 329 Configuring the Interval for Querying IGMP Packets The router finds out which multicast groups on its connected network segment have members by sending IGMP query messages periodically. Upon the reception of a response message, the router refreshes the membership information of the corresponding multicast group. Perform the following configurations in Interface View.
Table 331 Configuring interval for querying IGMP packets
Operation: Configure interval for querying IGMP packets. Command: igmp lastmember-queryinterval seconds
Operation: Restore the default query interval. Command: undo igmp lastmember-queryinterval
Table 332 Configure the number of last member querying
Operation: Configure number of last member querying. Command: igmp robust-count robust-value
Operation: Restore the default number of querying. Command: undo igmp robust-count
Configuring the Limit of IGM
Internet Group Management Protocol (IGMP) 331
Table 334 Configuring a router to join specified multicast group
Operation: Configure a router to join specified multicast group (VLAN Interface View). Command: igmp host-join group_address port { interface_type interface_num | interface_name } [ to { interface_type interface_num | interface_name } ]
Operation: Quit from specified multicast group (VLAN Interface View). Command: undo igmp host-join group-address port { interface_type interface_num | interface_name } [ to { inte
Configuring the Present Time of IGMP Querier
The IGMP querier present timer defines the period of time before the router takes over as the querier sending query messages, after the previous querier has stopped doing so. Perform the following configuration in Interface view.
PIM-DM Overview 333
Displaying and debugging IGMP
After the above configuration, execute the display command in any view to display the running of the IGMP configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of IGMP.
This process is called the “flood & prune” process. In addition, nodes that are pruned provide a timeout mechanism. Each router re-starts the “flood & prune” process upon pruning timeout. The consistent “flood & prune” process of PIM-DM is performed periodically. During this process, PIM-DM uses the RPF check and the existing unicast routing table to build a multicast forwarding tree rooted at the data source.
PIM-DM Overview 335
Configuring PIM-DM
PIM-DM basic configuration includes:
■ Enabling Multicast
■ Enabling PIM-DM
PIM-DM advanced configuration includes:
■ Entering the PIM View
■ Configuring Sending Interval for the Hello Packets
■ Configuring the Filtering of Multicast Source/Group
■ Configuring the Filtering of PIM Neighbor
■ Configuring the Maximum Number of PIM Neighbor on an Interface
■ Clearing Multicast Route Entries from PIM Routing Table
■ Clearing PIM Neighbors
When the route
Using the undo pim command, you can clear the configuration in PIM view and return to system view.
Configuring Sending Interval for the Hello Packets
After PIM is enabled on an interface, it will send Hello messages periodically on the interface. The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to the interface. Perform the following configuration in Interface view.
PIM-DM Overview 337 Only the routers that match the filtering rule in the ACL can serve as a PIM neighbor of the current interface. Configuring the Maximum Number of PIM Neighbor on an Interface The maximum number of PIM neighbors of a router interface can be configured to avoid exhausting the memory of the router or router faults. The maximum number of PIM neighbors of a router is defined by the system, and is not open for modification. Perform the following configuration in the PIM view.
Displaying and Debugging PIM-DM
After the above configuration, execute the display command in any view to display the running of the PIM-DM configuration, and to verify the effect of the configuration. Execute the debugging command in user view for the debugging of PIM-DM.
PIM-SM Overview 339 Configuration Procedure This section only describes the configuration procedure for Switch_A. Follow a similar configuration procedure for Switch_B and Switch_C. 1 Enable the multicast routing protocol. [SW5500]multicast routing-enable 2 Enable IGMP and PIM-DM.
PIM-SM Operating Principle
The working procedures for PIM-SM include: neighbor discovery, building the RP-rooted shared tree (RPT), multicast source registration and switch over to the SPT.
Neighbor Discovery
The PIM-SM router uses Hello messages to perform neighbor discovery when it is started. All network nodes running PIM-SM stay in touch with one another by periodically sending Hello messages.
PIM-SM Overview 341
Preparations before Configuring PIM-SM
Configuring Candidate RPs
In a PIM-SM network, multiple RPs (candidate-RPs) can be configured. Each Candidate-RP (C-RP) is responsible for forwarding multicast packets with destination addresses in a certain range. Multiple C-RPs are configured to implement load balancing among RPs. These C-RPs are equal.
■ Clearing PIM Neighbors
It should be noted that at least one router in an entire PIM-SM domain should be configured with Candidate-RPs and Candidate-BSRs.
Enabling Multicast
Refer to “Common Multicast Configuration” on page 323.
Enabling PIM-SM
This configuration can be effective only after multicast is enabled. Perform the following configuration in Interface view.
PIM-SM Overview 343 Configuring Candidate-BSRs In a PIM domain, one or more candidate BSRs should be configured. A BSR (Bootstrap Router) is elected among candidate BSRs. The BSR takes charge of collecting and advertising RP information. The automatic election among candidate BSRs operates as follows: ■ One interface which has started PIM-SM must be specified when configuring the router as the candidate BSR.
Configuring Static RP
Static RP serves as the backup of dynamic RP, so as to improve network robustness. Perform the following configuration in PIM view.
Table 355 Configuring static RP
Operation: Configure static RP. Command: static-rp rp_address [ acl_number ]
Operation: Remove the configured static RP. Command: undo static-rp rp_address
A basic ACL can control the range of multicast groups served by the static RP.
PIM-SM Overview 345 Perform the following configuration in PIM view.
In the BSR mechanism, a C-RP router unicasts C-RP messages to the BSR, which then propagates the C-RP messages through the network in BSR messages. To prevent C-RP spoofing, you need to configure crp-policy on the BSR to limit the legal C-RP range and their service group range. Since each C-BSR has the chance to become the BSR, you must configure the same filtering policy on each C-BSR router. Perform the following configuration in PIM view.
PIM-SM Overview 347
Networking Diagram
Figure 87 PIM-SM configuration networking (Host A, Host B, Switch_A to Switch_D, VLAN10 to VLAN12)
Configuration Procedure
1 On Switch_A:
a Enable PIM-SM.
[SW5500]vlan 11
[SW5500-vlan11]port ethernet 1/0/4 to ethernet 1/0/5
[SW5500-vlan11]quit
[SW5500]interface vlan-interface 11
[SW5500-vlan-interface11]igmp enable
[SW5500-vlan-interface11]pim sm
[SW5500-vlan-interface11]quit
[SW5500]vlan 12
[SW5500-vlan12]port ethernet 1/0/6 to ethernet 1/0/7
[SW5500-vlan12]quit
[SW5500]interface vlan-interface 12
[SW5500-vlan-interface12]igmp enable
[SW5500-vlan-interface12]pim sm
[SW5500-vlan-interface12]quit
b Configure the C-BSR.
19 ACL CONFIGURATION
This chapter covers the following topics:
■ Brief Introduction to ACL
■ QoS Configuration
■ QoS Profile Configuration
■ ACL Control Configuration
Brief Introduction to ACL
A series of matching rules are required for the network devices to identify the packets to be filtered. After identifying the packets, the Switch can permit or deny them to pass through according to the defined policy.
CHAPTER 19: ACL CONFIGURATION
The depth-first principle is to put the statement specifying the smallest range of packets at the top of the list. This can be implemented by comparing the wildcards of the addresses. The smaller the wildcard is, the fewer hosts it can specify. For example, 129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies a network segment, 129.102.0.1 through 129.102.255.255. Obviously, the former one is listed ahead in the access control list.
Brief Introduction to ACL 353
Table 362 Set the Absolute Time Range
Operation: Set the time range. Command: time-range time-name { start_time to end_time days_of_the_week [ from start_time start_date ] [ to end_time end_date ] | from start_time start_date [ to end_time end_date ] | to end_time end_date }
Operation: Delete the time range. Command: undo time-range time-name [ start_time to end_time days_of_the_week [ from start_time start_date ] [ to end_time end_date ] | from start_time start_date [ to end_time end_date ] | t
Table 363 Define Basic ACL
Operation: Enter basic ACL view (from System View). Command: acl number acl_number [ match-order { config | auto } ]
Operation: Add a sub-item to the ACL (from Basic ACL View). Command: rule [ rule_id ] { permit | deny } [ source { source_addr wildcard | any } | fragment | logging | time-range name ]*
Operation: Delete a sub-item from the ACL (from Basic ACL View). Command: undo rule rule_id [ source | fragment | logging | time-range ]*
Operation: Delete one ACL or all the ACL (from System View
Brief Introduction to ACL 355
Table 365 Define Layer-2 ACL
Operation: Enter Layer-2 ACL view (from System View). Command: acl number acl_number [ match-order { config | auto } ]
Operation: Add a sub-item to the ACL (from Layer-2 ACL View). Command: rule [ rule_id ] { permit | deny } [ [ type protocol_type type_mask | lsap lsap_type type_mask ] | format_type | cos cos | source { source_vlan_id | source_mac_addr source_mac_wildcard }* | dest { dest_mac_addr dest_mac_wildcard } | time-range name ]*
Operation: Delete a sub-item from the ACL
Table 367 Activate ACL
Operation: Activate an ACL. Command: packet-filter { inbound | outbound } { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }
Operation: Deactivate an ACL. Command: undo packet-filter { inbound | outbound } { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }
Displaying and De
Brief Introduction to ACL 357
Configuration Procedure
In the following configurations, only the commands related to ACL configuration are listed.
1 Define the work time range
Define the time range from 8:00 to 18:00.
[SW5500]time-range 3Com 8:00 to 18:00 working-day
2 Define the ACL to access the payment server.
a Enter the numbered advanced ACL, numbered 3000.
[SW5500]acl number 3000 match-order config
b Define the rules for other departments to access the payment server.
[SW5500]acl number 2000
b Define the rule for packets whose source IP is 10.1.1.1.
[SW5500-acl-basic-2000]rule 1 deny source 10.1.1.1 0 time-range 3Com
3 Activate ACL.
Activate the ACL 2000.
QoS Configuration 359 QoS Configuration Traffic Traffic refers to all packets passing through a Switch. Traffic Classification Traffic classification means identifying the packets with certain characteristics, using the matching rule called classification rule, set by the configuration administrator based on the actual requirements. The rule can be very simple. For example, the traffic with different priorities can be identified according to the ToS field in IP packet header.
Figure 91 SP (packets sent via this interface are classified into queue 7, high priority, down to queue 0, low priority, then dequeued to the sending queue)
The SP is designed for the key service application. A significant feature of the key service is that it needs priority in being served, to reduce the response delay when congestion occurs.
QoS Configuration 361 QoS Configuration The process of QoS based traffic: 1 Identify the traffic by ACL 2 Perform the QoS operation to the traffic. The configuration steps of QoS based traffic: 1 Define the ACL 2 Configure the QoS operation If QoS is not based on traffic, you need not define ACL first. See “Configuring ACL” for information on how to define ACL. This section mainly describes how to configure QoS operation. Setting Port Priority By default, the switch trusts the 802.
Configuration example for setting priority of a protocol packet
1 Change OSPF protocol packets’ IP priority to be 3. Enter system view.
system-view
[S5500]
2 Set OSPF protocol packets’ IP priority to be 3.
[S5500] protocol-priority protocol-type OSPF ip-precedence 3
3 Display the priority of protocol packets.
QoS Configuration 363 Configure Traffic Mirroring 1 Configure monitor port Perform the following configuration in the Ethernet Port View. Table 375 Configure Monitor Port Operation Command Configure a monitor port. monitor-port Only one monitor port can be configured on one Switch. If a group of Switches form a Fabric, only one monitor port can be configured on one Fabric. 2 Configure traffic mirroring Perform the following configuration in the Ethernet Port View.
802.1p priority level 5: queue 5; 802.1p priority level 6: queue 6; 802.1p priority level 7: queue 7
Configuring the Mapping Relationship Between COS and Local Precedence
Using the following commands, you can configure the maps. Perform the following configuration in System View.
QoS Configuration 365
Operation: Remove traffic limit. Command: undo traffic-limit inbound { user-group acl_number [ rule rule ] | ip-group acl-number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }
You should first define an ACL before this configuration task. The granularity of traffic limit is 64 kbps. If the target-rate the user inputs is in ( N*64, (N+1)*64 ], where N is a natural number, the Switch automatically sets (N+1)*64 as the parameter value.
Table 385 Configuring Traffic Statistics
Operation: Configure traffic statistics. Command: traffic-statistic inbound { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_number [ rule rule ] }
Operation: Cancel the configuration of traffic statistics. Command: undo traffic-statistic inbound { user-group acl_number [ rule rule ] | ip-group acl_number [ rule rule [ link-group acl_number rule rule ] ] | link-group acl_num
QoS Configuration 367
Table 388 Control Telnet using source IP
Configuration Procedure: Create or enter basic ACL view. Command: acl number acl-number [ match-order { config | auto } ]. Description: By default, the matching order is config.
Configuration Procedure: Define the rule. Command: rule [ rule-id ] { permit | deny. Description: Required.
Controlling Telnet using Source MAC
This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part.
QoS Configuration 369 Displaying and Debugging QoS Configuration You can use the display command in any view to see the QoS operation and to check the status of the configuration. You can also clear the statistic information using the reset command in the Ethernet Interface View.
Networking Diagram
Figure 93 QoS Configuration Example (Wage server 129.110.1.2, GE2/0/1, Switch)
Configuration Procedure
Only the commands concerning QoS/ACL configuration are listed here.
1 Define outbound traffic for the wage server.
a Enter numbered advanced ACL view.
[SW5500]acl number 3000
b Define the traffic-of-payserver rule in the advanced ACL 3000.
[SW5500-acl-adv-3000]rule 1 permit ip source 129.110.1.2 0.0.0.
QoS Configuration 371
Networking Diagram
Figure 94 QoS Configuration Example (Server, E3/0/1, E3/0/2, E3/0/8)
Configuration Procedure
Define port mirroring, with the monitoring port being Ethernet3/0/8.
[SW5500-Ethernet3/0/8]monitor-port
[SW5500-Ethernet3/0/1]mirroring-port both
Priority Relabeling Configuration Example
Networking Requirement
In this example, ef labels are appended on packets sent between 8:00 and 18:00 each day from PC1 (IP 1.0.0.
QoS Profile Configuration
When used together with the 802.1x authentication function, the QoS profile function can offer preconfigured QoS settings for a qualified user in authentication (or a group of users). When the user passes the 802.1x authentication, the Switch delivers the right profile dynamically to the port from which the user is accessed after referring to the mapping between user names and profiles stored on the AAA server.
QoS Profile Configuration 373
Perform the following configuration in System View.
Table 393 Entering QoS Profile View
Operation: Enter QoS profile view. Command: qos-profile profile-name
Operation: Delete the QoS profile. Command: undo qos-profile profile-name
You cannot delete a QoS profile that has been applied to a port.
Adding/Removing Traffic Action to a QoS Profile
From the QoS Profile View, you can configure the QoS actions for the current QoS profile. The maximum number of actions in one QoS profile is 32.
■ Port-based mode: The Switch delivers the traffic actions in the QoS profile directly to the user port.
Perform the following configuration in Ethernet Port View.
Table 395 Configuring Profile Application Mode
Operation: Configure the user-based mode on the port. Command: qos-profile user-based
Operation: Restore the default (port-based) mode on the port. Command: undo qos-profile profile_name
By default, port-based mode is enabled on the port.
QoS Profile Configuration 375 The user (with user name someone and authentication password hello) is accessed from the Ethernet1/0/1 port into the Switch. The user is assigned into the 3com163.net domain. The QoS profile example references the ACL with bandwidth limited to 128 kbps and new DSCP preference value 46.
g Configure the QoS profile
[SW5500]qos-profile example
[SW5500-qos-profile-example]traffic-limit inbound ip-group 3000 128 exceed drop
[SW5500-qos-profile-example]traffic-priority inbound ip-group 3000 dscp 46
[SW5500-qos-profile-example]quit
h Set user based mode on the Ethernet1/0/1 port
[SW5500]interface ethernet1/0/1
[SW5500-Ethernet1/0/1]qos-profile user-based
ACL Control Configuration
The Switch supports three major access modes: SNMP (Simple Network Management
ACL Control Configuration 377
Importing ACL
You can import a defined ACL in User Interface View to achieve ACL control. Perform the following configurations respectively in System View and User Interface View.
Table 400 Importing ACL
Operation: Enter user interface view (System View). Command: user-interface [ type ] first_number [ last_number ]
Operation: Import the ACL (User Interface View). Command: acl acl_number { inbound | outbound }
See the Command Reference Manual for details about these commands.
Importing ACL
Import the defined ACL into the commands with SNMP community, username and group name configured, to achieve ACL control over SNMP users. Perform the following configurations in System View.
ACL Control Configuration 379
Configuration Example
Networking Requirement
Only SNMP users from 10.110.100.52 and 10.110.100.46 can access the Switch.
Networking Diagram
Figure 99 ACL Configuration for SNMP Users (Internet, Switch)
Configuration Procedure
1 Define a basic ACL.
[SW5500]acl number 2000 match-order config
[SW5500-acl-basic-2000]rule 1 permit source 10.110.100.52 0
[SW5500-acl-basic-2000]rule 2 permit source 10.110.100.46 0
[SW5500-acl-basic-2000]quit
2 Import the ACL.
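The wildcard matching and the depth-first (auto) match order described in the ACL introduction, applied to this example's ACL 2000, as an added Python illustration that is neither 3Com code nor switch output. It assumes a 0 wildcard bit must match while a 1 bit is ignored, that the first matching rule wins, and that a source matching no rule is treated as not permitted.

```python
"""Added illustration (not 3Com code): how a basic ACL's source/wildcard
rules match a packet's source address, and how the auto (depth-first)
match order ranks a host rule ahead of a network-segment rule.
Assumptions: a 0 wildcard bit must match and a 1 bit is ignored; the
first matching rule wins; a source matching no rule returns None."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _to_int(addr: str) -> int:
    """Dotted IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    source: str                 # dotted source address, or "any"
    wildcard: str = "0.0.0.0"   # "0" in "rule 1 permit source 10.110.100.52 0"

    def hosts_covered(self) -> int:
        """Addresses the source/wildcard pair admits: 2 ** (set wildcard bits)."""
        if self.source == "any":
            return 1 << 32
        return 1 << bin(_to_int(self.wildcard)).count("1")

    def matches(self, src_ip: str) -> bool:
        """Compare only the bits the wildcard leaves as 0."""
        if self.source == "any":
            return True
        wc = _to_int(self.wildcard)
        return (_to_int(src_ip) | wc) == (_to_int(self.source) | wc)


def order_rules(rules: List[Rule], match_order: str = "config") -> List[Rule]:
    """'config' keeps the configured order; 'auto' applies the depth-first
    principle: the rule that specifies the fewest hosts is evaluated first
    (ties keep the configured order because sorted() is stable)."""
    if match_order == "config":
        return list(rules)
    if match_order == "auto":
        return sorted(rules, key=Rule.hosts_covered)
    raise ValueError(f"unknown match-order {match_order!r}")


def evaluate(rules: List[Rule], src_ip: str,
             match_order: str = "config") -> Optional[Tuple[str, int]]:
    """Return (action, rule_id) of the first matching rule, or None."""
    for rule in order_rules(rules, match_order):
        if rule.matches(src_ip):
            return rule.action, rule.rule_id
    return None


# Constructed reproduction of ACL 2000 from the SNMP example:
# only 10.110.100.52 and 10.110.100.46 may manage the switch.
ACL_2000 = [
    Rule(1, "permit", "10.110.100.52", "0.0.0.0"),
    Rule(2, "permit", "10.110.100.46", "0.0.0.0"),
]

# Constructed rules for the depth-first discussion: the segment rule is
# configured before the more specific host rule, so the two match orders
# give different answers for 129.102.1.1.
DEPTH_FIRST_DEMO = [
    Rule(1, "deny", "129.102.1.1", "0.0.255.255"),
    Rule(2, "permit", "129.102.1.1", "0.0.0.0"),
]


def snmp_manager_allowed(src_ip: str) -> bool:
    """True only when an explicit permit rule matches; an unmatched source
    is treated as not allowed (assumption for this illustration)."""
    result = evaluate(ACL_2000, src_ip)
    return result is not None and result[0] == "permit"


if __name__ == "__main__":
    for ip in ("10.110.100.52", "10.110.100.46", "10.110.100.47"):
        print(ip, "SNMP allowed" if snmp_manager_allowed(ip) else "SNMP blocked")
    for order in ("config", "auto"):
        print(order, evaluate(DEPTH_FIRST_DEMO, "129.102.1.1", order))
```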
Table 402 Calling ACL to Control HTTP Users
Operation: Call an ACL to control the WEB NM users. Command: ip http acl acl_number
Operation: Cancel the ACL control function. Command: undo ip http acl
For more about the commands, refer to the Command Reference Manual. Only a numbered basic ACL can be called for WEB NM user control.
Configuration Example
Networking Requirements
Only the Web NM user at 10.110.100.46 is permitted to access the Switch.
20 CONFIGURATION FOR QOS FEATURES
RSPAN Features
Remote switched port analyzer (RSPAN) refers to remote port mirroring. It breaks through the limitation that the mirrored port and the mirroring port have to be located in the same switch, makes it possible for the mirrored and mirroring ports to be located across several devices in the network, and greatly enhances the way the network administrator can manage the switch. The application of RSPAN is illustrated in Figure 101.
CHAPTER 20: CONFIGURATION FOR QOS FEATURES To implement the remote port management, a special VLAN, called Remote-probe VLAN, needs to be defined in all three types of switches. All the mirrored packets will be forwarded to destination switch from the source switch using this VLAN, and therefore the destination switch can monitor the port packets sent from the source switch.
RSPAN Features 383
Configuration Procedures in the Source Switch
Table 404 Configuration procedures in the source switch
Operation: Enter system view. Command: system-view. Description: —
Operation: Establish Remote-probe VLAN, and enter VLAN view. Command: vlan vlan-id. Description: The parameter vlan-id represents the ID of the Remote-probe VLAN.
Operation: Define the current VLAN as Remote-probe VLAN. Command: remote-probe vlan enable. Description: Required.
Configuration Procedures in the Source Switch
Table 406 Configuration procedures in the source switch
Operation: Enter system view. Command: system-view. Description: —
Operation: Establish remote-probe VLAN, and enter VLAN view. Command: vlan vlan-id. Description: The parameter vlan-id represents the ID of the remote-probe VLAN.
Operation: Define the current VLAN as remote-probe VLAN. Command: remote-probe vlan enable. Description: Required.
RSPAN Features 385 ■ Configure Switch C to be the source switch, Ethernet1/0/2 to be the source port of remote mirroring, and Ethernet1/0/5 to be the reflector port. Set Ethernet1/0/5 to be Access port, with STP disabled. Network Diagram Figure 102 Network diagram for RSPAN Configuration Procedure 1 Configure Switch C.
[S5500-Ethernet1/0/1] port trunk permit vlan 10
[S5500-Ethernet1/0/1] quit
[S5500] mirroring-group 1 remote-destination
[S5500] mirroring-group 1 monitor-port ethernet1/0/2
[S5500] mirroring-group 1 remote-probe vlan 10
[S5500] display mirroring-group remote-destination
Features of Traffic Statistics
Traffic statistics is employed to count data packets within a specified traffic flow.
Displaying Information of the display acl command 387 ■ A fixed weighting value is deducted from the weighting value of each element of the rule. The rule with the smallest weighting value left has the highest priority. ■ If the number and type of elements are the same for all rules, then the rule with the smallest sum value of all its elements has the highest priority. For more ACL configuration, refer to the QoS/ACL part of the Switch 5500 Series Ethernet Operation Manual.
The Synchronization Feature of Queue Scheduling for Aggregation Ports
This feature provides the synchronization function of queue scheduling on each individual port of the aggregation port group, as follows:
1 The new feature supports the synchronization of queue scheduling within the aggregation port group.
Configuring Control Over Telnet 389
Controlling Telnet using Source IP
This configuration can be implemented by means of a basic ACL, which ranges from 2000 to 2999.
Table 409 Control Telnet using source IP
Configuration Procedure: Enter system view. Command: system-view. Description: —
Configuration Procedure: Create or enter basic ACL view. Command: acl number acl-number [ match-order { config | auto } ]. Description: By default, the matching order is config.
Configuration Procedure: Define the rule. Command: rule [ rule-id ] { permit | deny. Description: Required.
Controlling Telnet using Source MAC
This configuration can be implemented by means of a Layer 2 ACL, which ranges from 4000 to 4999. For the definition of ACL, refer to the ACL part.
21 802.1X CONFIGURATION
This chapter covers the following topics:
■ IEEE 802.1x Overview
■ Configuring 802.1x
■ Centralized MAC Address Authentication
■ AAA and RADIUS Protocol Configuration
For information on setting up a RADIUS server and RADIUS client refer to Appendix B. For details on how to authenticate the Switch5500 with a Cisco Secure ACS server with TACACS+, refer to Appendix C.
IEEE 802.1x Overview
IEEE 802.1x (hereinafter simplified as 802.
CHAPTER 21: 802.1X CONFIGURATION Authenticator and Authentication Server exchange information through EAP (Extensible Authentication Protocol) frames. The user and the Authenticator exchange information through the EAPoL (Extensible Authentication Protocol over LANs) frame defined by IEEE 802.1x.
Configuring 802.1x 393
Implementing 802.1x on the Switch
Configuring 802.1x
The Switch 5500 Family not only supports the port access authentication method regulated by 802.1x, but also extends and optimizes it in the following way:
■ Support to connect several End Stations in the downstream using a physical port.
■ The access control (or the user authentication method) can be based on port or MAC address.
■ In this way, the system becomes much more secure and easier to manage.
Setting the Port Access Control Mode
The following commands can be used for setting the 802.1x access control mode on the specified port. When no port is specified, the access control mode of all ports is configured. Perform the following configurations in System View or Ethernet Port View.
Table 413 Setting the Port Access Control Mode
Operation: Set the port access control mode.
Configuring 802.1x 395 Setting the User Number on a Port The following commands are used for setting the number of users allowed by 802.1x on a specified port. When no port is specified, all the ports accept the same number of users. Perform the following configurations in System View or Ethernet Port View.
The EAP-TLS mode authenticates supplicant systems by authenticating licenses of both authentication servers and supplicant systems on both sides. In this mode, supplicant systems are authenticated by their licenses only, which are applied for from authentication servers. User name and password are not needed.
Configuring 802.1x 397
Network diagram
Figure 105 Network diagram for 802.1x PEAP configuration (Authentication Servers: RADIUS Server Cluster IP Address 10.11.1.1, 10.11.1.2; Switch; Internet; E1/0/1; Supplicant system; Authenticator)
Configuration procedure
The following configurations assume that PEAP is selected on 802.1x clients and the RADIUS server to authenticate 802.1x supplicant systems.
Configure the switch.
1 Enter system view.
system-view
2 Enable 802.1x globally.
Configuring Timers
The following commands are used for configuring the 802.1x timers. Perform the following configurations in System View.
802.1x Client Version Checking Configuration 399 Enabling/Disabling a Quiet-Period Timer You can use the following commands to enable/disable a quiet-period timer of an Authenticator (which can be a Switch 5500). If an 802.1x user has not passed the authentication, the Authenticator will keep quiet for a while (which is specified by dot1x timer quiet-period command) before launching the authentication again. During the quiet period, the Authenticator does not do anything related to 802.1x authentication.
the supplicant system. Such a process goes on and on until the maximum number of retries is reached. If the maximum number of retries is reached and the supplicant system still does not respond, the switch ceases checking the client version of the supplicant system and continues with the subsequent authentication procedures.
802.1x Client Version Checking Configuration 401
When the Guest VLAN function is enabled:
■ The switch broadcasts active authentication packets to all 802.1x-enabled ports.
■ The switch adds the ports that do not return response packets to the Guest VLAN when the maximum number of authentication retries is reached.
■ Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being authenticated. But they need to be authenticated before accessing external resources.
Configuration procedure
1 Enter system view.
system-view
2 Create VLAN 2.
[S5500] vlan 2
3 Enter Ethernet1/0/1 port view.
[S5500] interface ethernet1/0/1
4 Configure the port to operate in port-based authentication mode.
[S5500-Ethernet1/0/1] dot1x port-method portbased
5 Configure Guest VLAN for the port.
[S5500-Ethernet1/0/1] dot1x guest-vlan 2
The 802.1x Trusted MAC Address Synchronization Function
802.
802.1x Client Version Checking Configuration 403 ■ CAMS is configured to disable use of multiple network adapters, proxies, or IE proxies. By default, an 802.1x client allows the use of multiple network adapters, proxies, and IE proxies. If CAMS is configured to disable the use of multiple network adapters, proxies, or IE proxies, it prompts the 802.1x client to disable use of multiple network adapters, proxies, or IE proxies through messages after the supplicant system passes the authentication.
A server group, consisting of two RADIUS servers at 10.11.1.1 and 10.11.1.2 respectively, is connected to the switch. The former one acts as the primary-authentication/secondary-accounting server. The latter one acts as the secondary-authentication/primary-accounting server. Set the encryption key as “name” when the system exchanges packets with the authentication RADIUS server and “money” when the system exchanges packets with the accounting RADIUS server.
Centralized MAC Address Authentication 405
6 Set the encryption key when the system exchanges packets with the authentication RADIUS server.
[SW5500-radius-radius1]key authentication name
7 Set the encryption key when the system exchanges packets with the accounting RADIUS server.
[SW5500-radius-radius1]key accounting money
8 Set the timeouts and times for the system to retransmit packets to the RADIUS server.
Configuring the User Name and Password for Fixed Mode
If you configure the centralized MAC address authentication mode to be fixed mode, you need to configure the user name and password for fixed mode.
Configuring the Domain Name Used by MAC Address Authentication Users
Displaying and Debugging Centralized MAC Address Authentication
After the above configuration, execute the display command in any view to view the running state of centralized MAC address authentication and check the configuration result. Execute the debugging command in User View to debug centralized MAC address authentication.
2 Add a local access user.
a Set the user name and password.
[SW5500]local-user 00e0fc010101
[SW5500-luser-00e0fc010101]password simple 00e0fc010101
b Set the service type of the user to lan-access.
[SW5500-luser-00e0fc010101]service-type lan-access
3 Enable MAC address authentication globally.
[SW5500]mac-authentication
4 Configure the ISP domain used by the user.
[SW5500]mac-authentication domain 3com163.net
Note that in this mode the device's MAC address serves as both user name and password, and password simple stores that password in clear text in the configuration file. A MAC address is visible to every host on the segment and can be set freely on most network adapters, so MAC address authentication identifies a device rather than authenticating it; use it for devices that cannot run an 802.1x supplicant (printers, IP phones), not as a substitute for 802.1x.
For the configuration of the domain 3com163.
returns the configuration information and accounting data to the NAS. The NAS controls users and their connections, while the RADIUS protocol regulates how configuration and accounting information is transmitted between the NAS and the RADIUS server. The NAS and the RADIUS server exchange this information in UDP packets. Note that RADIUS does not encrypt the packets as a whole: only the User-Password attribute is hidden, by XORing it with an MD5 digest of the shared key and the request authenticator, and the server's reply carries an MD5 authenticator computed over the packet and the shared key so that the NAS can detect forged replies. All other attributes (user name, NAS address, VLAN assignment, accounting data) travel in clear text, so the strength of the shared key and the isolation of the path to the RADIUS server are what protect the exchange.
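The following Python block is an added example, not code from the 3Com guide or from any RADIUS implementation; it shows concretely what the key exchanged between the NAS and the RADIUS server protects. It implements the RFC 2865 User-Password hiding and the Response Authenticator check, and runs one Access-Request/Access-Accept round trip. The shared secret b"name" (the authentication key used in the configuration example above), the user name and the password are constructed for the demonstration.

```python
"""RADIUS shared-secret primitives from RFC 2865: User-Password hiding and
Response Authenticator verification.  Added example; the secret, user name
and password are constructed, not taken from any real deployment."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(attrs: bytes) -> dict:
    """Decode a Type/Length/Value attribute list into {type: value}."""
    out, i = {}, 0
    while i < len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out[t] = attrs[i + 2:i + length]
        i += length
    return out


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16 and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the 16-byte
    Request Authenticator, so the same password hides differently each time.
    This is the only attribute RADIUS protects."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (the server side).  NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(secret: bytes, code: int, ident: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(secret: bytes, request_auth: bytes, response: bytes) -> bool:
    """True only if the reply was built with this secret for this request; a
    forged, replayed or altered Access-Accept fails.  A NAS that skips this
    check accepts Access-Accept from anyone able to spoof the server address."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(secret, code, ident, request_auth, response[20:])
    return hmac.compare_digest(expected, response[4:20])


def exchange(secret: bytes = b"name", password: bytes = b"s3cret!") -> dict:
    """One Access-Request/Access-Accept round trip; NAS and server share `secret`."""
    request_auth = os.urandom(16)                       # fresh per request
    attrs = avp(ATTR_USER_NAME, b"user@3com163.net") + \
        avp(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    request = packet(ACCESS_REQUEST, 7, request_auth, attrs)
    # Server side: the user name is readable by anyone on the path; only the
    # password attribute needs the secret to recover.
    req_attrs = parse_attrs(request[20:])
    recovered = reveal_password(secret, request[4:20], req_attrs[ATTR_USER_PASSWORD])
    reply_attrs = avp(ATTR_REPLY_MESSAGE, b"Welcome")
    reply = packet(ACCESS_ACCEPT, 7,
                   response_authenticator(secret, ACCESS_ACCEPT, 7, request_auth, reply_attrs),
                   reply_attrs)
    forged = packet(ACCESS_ACCEPT, 7, os.urandom(16), reply_attrs)   # attacker without the secret
    return {
        "user_name_in_clear": req_attrs[ATTR_USER_NAME],
        "server_recovered_password": recovered,
        "genuine_reply_accepted": verify_response(secret, request_auth, reply),
        "forged_reply_accepted": verify_response(secret, request_auth, forged),
        "default_key_reply_accepted": verify_response(b"3com", request_auth, reply),
    }


if __name__ == "__main__":
    for name, value in exchange().items():
        print(f"{name}: {value!r}")
```

The last result shows why the default key matters: a reply authenticated with the factory key “3com” is rejected by a NAS configured with a different key, and conversely a NAS left on the default accepts replies from anyone who knows that public value.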
Among the above configuration tasks, creating the ISP domain is mandatory; otherwise user attributes cannot be distinguished. The other tasks are optional and can be configured as required.
Creating/Deleting an ISP Domain
What is an Internet Service Provider (ISP) domain? Simply put, an ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, taking gw20010608@3com163.
■ None: no authentication and no accounting.
Table 438 Configuring the AAA Scheme Adopted by the ISP Domain
Operation: Configure an AAA scheme for the domain. Command: scheme { radius-scheme radius_scheme_name | local | none }
Operation: Configure a RADIUS scheme. Command: radius-scheme radius_scheme_name
Operation: Restore the default AAA scheme. Command: undo scheme { radius-scheme radius_scheme_name | none }
By default, after an ISP domain is created, its AAA scheme is local. The none scheme admits every user in the domain without any check, so reserve it for domains that are deliberately confined to an isolated network.
Enabling the Selection of the RADIUS Accounting Option
If accounting optional is configured in the RADIUS scheme, a user can still use network resources when no RADIUS server is available or when the RADIUS accounting server fails; otherwise, the user is disconnected. A user in a scheme configured with accounting optional no longer sends real-time accounting update packets or stop-accounting packets. Perform the following configuration in ISP Domain View.
Configuring Separate AAA Schemes
Table 443 Configure separate AAA schemes
Operation: Enter system view. Command: system-view. Description: —
Operation: Create an ISP domain or enter an existing ISP domain view. Command: domain isp-name. Description: Required
Operation: Configure an authentication scheme for the ISP domain. Command: authentication { radius-scheme radius-scheme-name [ local. Description: Optional. By default, no separate authentication scheme is configured.
Network diagram
Figure 108 Network diagram for separate AAA schemes: authentication server (IP address 10.110.91.164), switch, Internet, remote user.
Configuration procedure
1 Enter system view.
system-view
2 Create an ISP domain named cams.
[S5500] domain cams
3 Return to system view.
■ If the threshold is reached, the switch sends messages containing the user's remaining online time to the client at the configured interval.
■ The client keeps the user informed of the updated remaining online time through a dialog box.
Perform the following configuration in ISP domain view.
Dynamic VLAN Assignment
Through dynamic VLAN assignment, the Ethernet switch dynamically adds the ports of successfully authenticated users to different VLANs according to the attribute values returned by the RADIUS server, so as to control the network resources the users can access.
Network diagram
Figure 109 Network diagram for dynamic VLAN assignment: RADIUS authentication server (IP address 1.11.1.1), switch acting as authenticator with port Ethernet0/1 facing the supplicant, Internet.
Configuration procedure
1 Create a RADIUS scheme.
[S5500] radius scheme ias
[S5500-radius-ias] primary authentication 1.11.1.1
[S5500-radius-ias] primary accounting 1.11.1.
Setting Attributes of the Local User
The attributes of a local user include its password display mode, state, service type and some other settings.
Setting the Password Display Mode
Perform the following configurations in System View.
However, the user privilege level is a single global value shared by all service types. Entering the following two commands leaves the user with level 3 for all service types, in this case both Telnet and SSH, because the level set by the second command replaces the first:
[5500-SI-luser-adminpwd]service-type telnet level 1
[5500-SI-luser-adminpwd]service-type ssh level 3
You can use either the level command or the service-type command to specify the level of a local user. Do not rely on a lower level for one service as an access restriction; verify the effective level of the user after configuration.
Among the above tasks, creating the RADIUS scheme and setting the IP address of the RADIUS server are required; the other tasks are optional and can be performed as required.
Creating/Deleting a RADIUS Scheme
As mentioned above, RADIUS protocol configuration is performed per RADIUS scheme. Therefore, before performing other RADIUS protocol configuration, you must create the RADIUS scheme and enter its view to set the server IP address.
The authorization information from the RADIUS server is carried in the authentication response packets sent to RADIUS clients, so you do not need to specify a separate authorization server. In real networks you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both.
Setting the Maximum Number of Unanswered Real-time Accounting Requests
A RADIUS server usually checks whether a user is online with a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS for a while, it assumes a device failure and stops accounting. When such an unpredictable failure occurs, the user must be disconnected at the NAS end and on the RADIUS server synchronously.
Table 455 Setting the Maximum Retransmission Count of Stop-Accounting Requests
Operation: Set the maximum retransmission count of stop-accounting requests. Command: retry stop-accounting retry_times
Operation: Restore the maximum retransmission count of stop-accounting requests to the default value. Command: undo retry stop-accounting
By default, a stop-accounting request can be retransmitted up to 500 times.
The switch can automatically generate the main attributes (NAS-ID, NAS-IP and session ID) of the Accounting-On packets. You can also configure the NAS-IP attribute manually with the nas-ip command; when doing so, be sure to configure a correct and valid IP address. If this attribute is not configured manually, the switch automatically selects the IP address of the VLAN interface as the NAS-IP address.
By default, the keys of RADIUS authentication/authorization and accounting packets are all “3com”. This default is public knowledge, and the key is the only thing that hides the User-Password attribute and authenticates server replies, so change it to a long random value on both the switch and the server before the scheme carries real traffic.
Tag VLAN Assignment on Trunk/Hybrid Port Supported by 802.1x Authentication
Identifier Authentication Method Attribute in RADIUS
Currently, the 802.1x authentication module supports Tag VLAN assignment only on Access ports. But some applications (for example a switch, IP phone and PC connected in a chain) need 802.1x authentication on Trunk/Hybrid ports.
By default, a newly created RADIUS scheme supports the server type standard, while the “system” RADIUS scheme created by the system supports the server type 3com.
Setting the RADIUS Server State
For the primary and secondary servers (whether authentication/authorization or accounting servers), if the primary server is disconnected from the NAS because of a fault, the NAS automatically switches to exchanging packets with the secondary server.
Setting the Unit of Data Flow Transmitted to the RADIUS Server
The following command defines the unit of the data flow sent to the RADIUS server.
Setting the Timers of the RADIUS Server
Setting the Response Timeout Timer of the RADIUS Server
If the NAS has not received a response from the RADIUS server within a period of time after transmitting a RADIUS (authentication/authorization or accounting) request, it must retransmit the request to guarantee RADIUS service for the user. You can use the following command to set the response timeout timer of the RADIUS server.
Configure the RADIUS Server Response Timer
If the NAS receives no response from the RADIUS server within a period of time after sending a RADIUS (authentication/authorization or accounting) request, it resends the request, ensuring the user can obtain RADIUS service. You specify this period by setting the RADIUS server response timeout timer, taking into consideration the network condition and the desired system performance.
Table 470 Displaying and Debugging AAA and RADIUS Protocol (continued)
Operation: Clear stop-accounting packets from the buffer. Command: reset stop-accounting-buffer { radius-scheme radius_scheme_name | session-id session_id | time-range start_time stop_time | user-name user_name }
Operation: Reset the statistics of the RADIUS server.
AAA and RADIUS Protocol Configuration Example
Configuration Procedure
1 Add a Telnet user. For details about configuring FTP and Telnet users, refer to User Interface Configuration in the Getting Started chapter.
2 Configure remote authentication mode (scheme mode) for the Telnet user.
[SW5500-ui-vty0-4]authentication-mode scheme
3 Configure the domain.
[SW5500]domain cams
[SW5500-isp-cams]quit
4 Configure the RADIUS scheme.
[SW5500]radius scheme cams
[SW5500-radius-cams]primary authentication 10.110.91.
2 Method 2: Using the local RADIUS authentication server.
The local server method is similar to remote RADIUS authentication, but you set the server IP address to 127.0.0.1, the authentication key to 3com, and the UDP port of the authentication server to 1645. (1645 is the legacy RADIUS authentication port; the IANA-assigned port used by most current servers is 1812, so check which one your server listens on.)
Configuring the Switch 5500
General RADIUS setup
The Switch 5500 supports multiple RADIUS schemes, which can be assigned to a domain.
That completes the configuration of the new RADIUS server and its association with a domain.
Network Login
Network login must first be enabled globally by issuing the dot1x command:
[5500-xx]dot1x
802.1x is enabled globally
(where xx is either EI or SI). Once enabled globally, network login must be enabled on a per-port basis. This can be done in one of two ways:
■ To enable dot1x on one port, enter the interface view of the port and enable dot1x on the port.
Once the RADIUS scheme and domain have been set up (see Domain and RADIUS scheme creation), switch login is enabled. By default, when you use the username admin to log in, you are actually logging in as “admin@local”. If no domain is given, “@local” is automatically appended to the username. This marks the user as a member of the local domain, which uses the local RADIUS server.
Fault Three: After being authenticated and authorized, the user cannot send accounting records to the RADIUS server.
Problem diagnosis:
■ The accounting port number may be set improperly. Set the proper number.
■ The accounting service and the authentication/authorization service are provided on different servers, but the NAS requires the services to be provided on one server (by specifying the same IP address).
22 FILE SYSTEM MANAGEMENT
This chapter covers the following topics:
■ File System Overview
■ File Attribute Configuration
■ Configuring File Management
■ Configuration File Backup and Restoration
■ FTP Overview
■ TFTP Overview
■ MAC Address Table Management
■ Device Management
■ System Maintenance and Debugging
■ Terminating the FTP Connection of a Specified User
■ Restarting the Switch
■ Displaying the State and Information of the System
■ Testing Tools for
Based on the objects operated on, file system operations fall into the following categories:
■ Directory operations
■ File operations
■ Storage device operations
■ Setting the prompt mode of the file system
Directory Operation
You can use the file system to create or delete a directory, display the current working directory, and display information about the files or directories under a specified directory. You can use the following commands to perform directory operations.
File Attribute Configuration
You can assign the main or backup attribute to a file so that it is used as the main or backup startup file at the next startup of the switch, check the main and backup files, and toggle a file between the main and backup attributes. You can use an App, BootROM, or Web file on one unit in the fabric to update all other units in the fabric.
File Operation
The file system can be used to delete or undelete a file and to permanently delete a file. It can also display file contents, rename, copy and move a file, and display information about a specified file. Deleting a file with the delete file-url command leaves the contents of the file on the flash file system and does not free flash space; the file can be recovered with the undelete command. Because configuration files can contain passwords and RADIUS keys, use the permanent delete operation rather than delete alone when a file must actually be gone, for example before a unit leaves your control.
Setting the Prompt Mode of the File System
The following command sets the prompt mode of the current file system. Perform the following configuration in System View.
Table 477 File System Operation
Operation: Set the file system prompt mode. Command: file prompt { alert | quiet }
Configuring File Management
The management module of the configuration file provides a user-friendly operation interface.
The configuration files are displayed in their corresponding saved formats.
Saving the Current-configuration
Use the save command to save the current-configuration to Flash Memory; it becomes the saved-configuration used when the system is next powered on. Perform the following configuration in any view.
Configuration File Backup and Restoration
The configuration file backup and restoration feature enables you to perform the following tasks:
1 Copy the current configuration on the switch to a file on a TFTP server as a backup.
2 Download the configuration file backed up on the TFTP server to the switch, and set it as the configuration file to be used at the next startup.
TFTP has neither authentication nor encryption, and the configuration file carries RADIUS keys, SNMP communities and any passwords stored with password simple, so run the TFTP server on a management network that untrusted hosts cannot reach and remove backups from the server once they have been archived.
Table 484 Configuration of the Switch as FTP Client
Device: Switch. Configuration: Log into the remote FTP server directly with the ftp command. Default: —. Description: You first need an FTP user name and password, then log into the remote FTP server; you then have the directory and file permissions granted to that user.
Device: PC. Configuration: Start the FTP server and configure settings such as user name, password and permissions.
Table 487 Configure source IP address for FTP Server and Client (continued)
Operation: Use a specified source interface to establish a connection with an FTP server. Command: ftp { cluster | remote-server } source-interface interface-type interface-number. Remarks: Optional
Operation: Specify the source IP address for the FTP client. Command: ftp source-ip ip-addr. Remarks: Optional
Operation: Specify the source interface for the FTP client. Command: ftp source-interface interface-type interface-number. Remarks: Optional
If the ip-addr in the command
Displaying and Debugging FTP Server
After the above configuration, execute the display command in any view to display the running FTP server configuration and verify the effect of the configuration.
Table 490 Display and Debug FTP Server
Operation: Display the FTP server. Command: display ftp-server
Operation: Display the connected FTP users.
Displaying the Source IP Address of the FTP Client
Use the display command in any view to display the source IP address the FTP client uses for service packets.
Table 493 Display the source IP address of the FTP Client
Operation: Display the source IP address of the TFTP client. Command: display tftp source-ip
FTP Client Configuration Example
Networking Requirement
The Switch serves as the FTP client and the remote PC as the FTP server.
Password:*****
230 Logged in successfully
[ftp]
3 Change to the authorized directory on the FTP server.
[ftp]cd switch
4 Use the put command to upload config.cfg to the FTP server.
[ftp]put config.cfg
5 Use the get command to download switch.app from the FTP server to the flash directory of the Switch.
[ftp]get switch.app
6 Use the quit command to release the FTP connection and return to User View.
3 Run an FTP client on the PC and establish an FTP connection. Upload switch.app to the Flash directory of the Switch and download config.cfg from the Switch. An FTP client is not shipped with the Switch, so you need to obtain one separately. If the flash memory of the Switch is not enough, first delete the existing programs in flash memory and then upload the new ones.
4 When the upload is complete, initiate the file upgrade on the Switch.
Downloading Files by means of TFTP
To download a file, the client sends a request to the TFTP server, receives data from it and sends acknowledgements to it. You can use the following commands to download files by means of TFTP. Perform the following configuration in User View.
3 Enter System View and download switch.app from the TFTP server to the flash memory of the Switch.
system-view
[SW5500]
4 Configure IP address 1.1.1.1 for the VLAN interface, and ensure the port connecting the PC is also in this VLAN (VLAN 1 in this example).
[SW5500]interface vlan 1
[SW5500-vlan-interface1]ip address 1.1.1.1 255.255.255.0
[SW5500-vlan-interface1]quit
5 Upload config.cfg to the TFTP server.
tftp 1.1.1.2 put config.cfg config.
Figure 117 The Switch Forwards Packets with the MAC Address Table (MAC address table: MACA on port 1, MACB on port 1, MACC on port 2, MACD on port 2; a frame between MACA and MACD is switched between port 1 and port 2 without being flooded to other ports).
The Switch also provides MAC address aging. If the Switch receives no packet from an address for a period of time, it deletes the related entry from the MAC address table. This does not apply to static MAC address entries.
Setting MAC Address Aging Time
Setting an appropriate aging time implements MAC address aging. An aging time that is too long or too short causes the Ethernet switch to flood a large number of data packets, which affects switch performance. If the aging time is too long, the Switch keeps a great number of out-of-date MAC address entries, which can fill the table so that new addresses cannot be learned and frames to them are flooded; if it is too short, valid entries are removed before the next frame arrives, which also results in flooding.
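The following Python block is an added simulation of the behaviour described above, not code from the 3Com guide or from the switch. It models a MAC address table with learning, aging and static entries, replays the addresses from Figure 117, and then shows what an attacker achieves by filling the table with bogus source addresses: frames to stations the switch can no longer learn are flooded to every port, including the attacker's. The table size (4 entries), the 300 s aging time, the port numbers and the frames are constructed for the demonstration.

```python
"""Switch MAC address table with learning, aging, static entries and
table exhaustion.  Added example with constructed parameters; a real
switch holds thousands of entries."""
from dataclasses import dataclass

FLOOD = "flood"   # frame sent out of every port in the VLAN except the ingress port


@dataclass
class Entry:
    port: int
    last_seen: float
    static: bool = False


class MacTable:
    def __init__(self, capacity: int, aging_time: float):
        self.capacity = capacity
        self.aging_time = aging_time
        self.entries = {}          # mac -> Entry, insertion ordered

    def add_static(self, mac: str, port: int) -> None:
        """Static entries are never aged out and are not moved by learning."""
        self.entries[mac] = Entry(port, 0.0, static=True)

    def age(self, now: float) -> list:
        """Remove dynamic entries idle longer than aging_time; return them."""
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired

    def learn(self, src: str, port: int, now: float) -> bool:
        """Learn a frame's source address.  Returns False when the table is
        full and the address could not be learned; traffic to such an address
        is flooded, which is exactly what a MAC flooding attack exploits."""
        e = self.entries.get(src)
        if e is not None:
            if not e.static:
                e.port, e.last_seen = port, now
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[src] = Entry(port, now)
        return True

    def forward(self, src: str, dst: str, in_port: int, now: float):
        """Process one frame: age the table, learn the source, pick the egress.
        Returns a port number, FLOOD, or None when the destination sits on the
        ingress port (frame dropped)."""
        self.age(now)
        self.learn(src, in_port, now)
        e = self.entries.get(dst)
        if e is None:
            return FLOOD
        return None if e.port == in_port else e.port


def scenario() -> dict:
    """Replay the guide's table (MACA/MACB on port 1, MACC/MACD on port 2),
    then show aging, the static entry surviving, and table exhaustion."""
    t = MacTable(capacity=4, aging_time=300)
    t.add_static("MACA", 1)
    result = {}
    result["unknown_dst_flooded"] = t.forward("MACD", "MACB", 2, now=0)   # MACB not learned yet
    t.forward("MACB", "MACD", 1, now=1)                                    # learn MACB on port 1
    result["known_dst_switched"] = t.forward("MACD", "MACB", 2, now=2)    # now unicast to port 1
    t.forward("MACC", "MACA", 2, now=3)
    result["aged_out"] = t.age(now=400)          # dynamic entries idle > 300 s
    result["static_survives"] = "MACA" in t.entries
    # Attacker on port 3 sends frames from many bogus source addresses.
    for i in range(10):
        t.forward(f"BOGUS{i}", "MACX", 3, now=401)
    result["bogus_learned"] = sum(1 for m in t.entries if m.startswith("BOGUS"))
    # The table is full: the legitimate station MACD cannot be learned, so a
    # frame addressed to it is flooded to every port, the attacker's included.
    t.forward("MACD", "MACA", 2, now=402)
    result["victim_flooded"] = t.forward("MACA", "MACD", 1, now=403)
    return result


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value!r}")
```

The simulation makes the trade-off in the text concrete: a long aging time keeps stale entries occupying the table, a short one throws away entries that are still in use, and either way the switch falls back to flooding. Port-level limits on the number of learned addresses are the usual defence against deliberate exhaustion.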
Displaying MAC Address Table
After the above configuration, execute the display command in any view to display the running MAC address table configuration and verify the effect of the configuration. Execute the debugging command in User View to debug the MAC address table configuration.
Configuration procedure
The display command shows a stack-wide view of the MAC address table.
Device Management
With the device management function, the Switch can display the current running state and event debugging information of the unit, supporting the maintenance and management of the state and communication of the physical devices. In addition, a command is available for rebooting the system when a function failure occurs. The device management configuration task is simple.
Upgrading BootROM
You can use this command to upgrade the BootROM with the BootROM program stored in Flash Memory. This task facilitates remote upgrade: you upload the BootROM program file from a remote end to the Switch using FTP and then use this command to upgrade the BootROM. Perform the following configuration in User View. Because the BootROM runs before any access control, make sure the file you upload came from 3Com and arrived intact (compare its size and, where published, its checksum) before you write it.
Networking Diagram
Figure 120 Networking for FTP Configuration: Switch connected to PC over the network.
Configuration Procedure
1 Configure FTP server parameters on the PC. Define a user named Switch with password hello and read and write permission on the Switch directory on the PC.
2 Configure the Switch. The Switch has been configured with a Telnet user named user, a level-3 user with password hello, requiring username and password authentication.
8 Use the boot boot-loader command to specify the downloaded program as the application for the next startup, and reboot the Switch.
boot boot-loader switch.app
display boot-loader
The app to boot at the next time is: flash:/Switch.app
The app to boot of board 0 at this time is: flash:/PLAT.APP
reboot
System Maintenance and Debugging
The following section describes System Maintenance and Debugging.
Setting the Daylight Saving Time
Basic System Configuration
Setting the System Name for the Switch
Use the sysname command in System View.
Table 508 Set the Name for the Switch
Operation: Set the Switch system name. Command: sysname sysname
Operation: Restore the Switch system name to the default value. Command: undo sysname
Setting the System Clock
Use the clock datetime command in User View.
Terminating the FTP Connection of a Specified User
With the following command, the network administrator can forcibly terminate the FTP connection of a specified user on the FTP server, in order to secure the operation of the network.
Table 514 The Display Commands of the System (continued)
Operation: Display the current-configuration. Command: display current-configuration [ controller | interface interface-type [ interface-number ] | configuration [ configuration ] ] [ | { begin | exclude | include } regular-expression ]
Operation: Display debugging. Command: display debugging [ interface { interface-name | interface-type interface-number } ] [ module-name ]
Operation: Display statistics of the configuration agent. Command: display config-agent unit-id unit-
Table 515 Enable/Disable the Debugging
Operation: Enable protocol debugging. Command: debugging { all [ timeout interval ] | module-name [ debugging-option ] }
Operation: Disable protocol debugging. Command: undo debugging { all | { protocol-name | function-name } [ debugging-option ] }
Operation: Enable terminal debugging. Command: terminal debugging
Operation: Disable terminal debugging. Command: undo terminal debugging
For more about the usage and format of the debugging commands, refer t
Testing Tools for Network Connection
This section describes the tools for testing network connections.
ping
The ping command checks the network connection and whether the host is reachable. Perform the following operation in any view.
The execution process of tracert is as follows: the switch sends a packet with a TTL of 1, and the first hop returns an ICMP error message (TTL exceeded) indicating that the packet cannot be forwarded. The switch then re-sends the packet with a TTL of 2, and the second hop returns the TTL exceeded message. This process repeats, incrementing the TTL each time, until the packet reaches the destination.
Remote-ping Configuration
Introduction to Remote-ping Configuration
This section contains information on remote-ping. The configuration tasks for remote-ping include:
■ Enabling the remote-ping client
■ Creating a test group
■ Configuring test parameters
The test parameters that you can configure include:
■ Destination IP address, equivalent to the destination IP address in the ping command.
■ Test type.
Table 519 Configure Remote-ping (continued)
Configure the test parameters:
Operation: Configure the destination IP address of the test. Command: destination-ip ip-address. Description: Required. By default, no destination IP address is configured.
Operation: Configure the type of the test. Command: test-type type. Description: Optional. By default, the test type is ICMP.
Operation: Configure the number of packets sent in each test. Command: count times. Description: Optional. By default, one packet is sent in each test.
5 Display the test results.
[S5500-remote-ping-administrator-icmp] display remote-ping results administrator icmp
[S5500-remote-ping-administrator-icmp] display remote-ping history administrator icmp
Logging Function
Introduction to Info-center
This section describes the logging function. The Info-center serves as the information center of the system software modules.
"yyyy" is the year field. If the time stamp is changed to boot format, it represents the milliseconds elapsed since system boot. Because the value is generally large, it is carried as two 32-bit integers separated by a dot '.'. For example:
<189>0.166970 SW5500 IFNET/6/UPDOWN:Line protocol on interface Ethernet1/0/2, changed state to UP
means that 166970 ms (0*2^32+166970) have passed since system boot. If the time stamp is changed to none format, the time stamp field is absent from the logging information.
Table 520 Module Names in Logging Information
IP: IP module
IPC: Inter-process communication module
IPMC: IP multicast module
L2INF: Interface management module
LACL: LANswitch ACL module
LQOS: LANswitch QoS module
LS: Local server module
MPM: Multicast port management module
NTP: Network time protocol module
PPRDT: Protocol packet redirection module
PTVL: Driver port, VLAN (Port and VLAN) module
QACL: QoS/ACL module
QOSF: Qos pr
Table 521 Info-Center-Defined Severity
emergencies: Extremely urgent errors
alerts: Errors that need to be corrected immediately
critical: Critical errors
errors: Errors that need to be addressed but are not critical
warnings: Warnings; some types of errors may exist
notifications: Information that should be noted
informational: Common prompting information
debugging: Debugging information
Note that there is a slash between the severity and the digest.
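The following Python block is an added example, not code from the 3Com guide: a parser for the info-center line format described above (PRI, time stamp, host, module/level/digest, text), including the boot-format time stamp, followed by a severity filter that works like an info-center source rule for one output direction. The first sample line is the one shown in the guide; the other two lines are constructed for the demonstration and their digests (LOGIN_FAIL, ACL_DENY) are hypothetical. The block assumes that the level in the message body is numbered 1 (emergencies) to 8 (debugging) in the order of Table 521, which is consistent with the sample line: level 6 (notifications) is carried in PRI 189 = local7 * 8 + 5, the syslog notice severity.

```python
"""Parser and severity filter for Switch 5500 info-center (syslog) lines.
Added example; the second and third sample lines and their digests are
constructed, and the 1..8 level numbering is an assumption (see lead-in)."""
import re

SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Constructed sample input: the guide's own line plus two invented ones.
SAMPLE_LINES = [
    "<189>0.166970 SW5500 IFNET/6/UPDOWN:Line protocol on interface Ethernet1/0/2, changed state to UP",
    "<188>0.421300 SW5500 L2INF/5/LOGIN_FAIL:Telnet user admin failed authentication from 10.0.0.9",
    "<190>Jan 01 00:00:07 2006 SW5500 LACL/7/ACL_DENY:packet denied by rule 10",
]

# <PRI> then "timestamp host", then MODULE/level/DIGEST: followed by free text.
_HEADER = re.compile(r"^<(\d{1,3})>(.+?)\s+([A-Za-z0-9]+)/(\d)/([A-Za-z0-9_]+):(.*)$")
_BOOT_STAMP = re.compile(r"(\d+)\.(\d+)")


def parse_line(line: str) -> dict:
    """Split one info-center line into its fields; raise ValueError if it does
    not match so that malformed input is never silently mis-attributed."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError(f"not an info-center line: {line!r}")
    pri, header, module, level, digest, text = m.groups()
    pri, level = int(pri), int(level)
    if pri > 191 or not 1 <= level <= 8:
        raise ValueError(f"PRI or level out of range: {line!r}")
    parts = header.split()             # "<timestamp words> <host>"
    host, timestamp = parts[-1], " ".join(parts[:-1])
    boot = _BOOT_STAMP.fullmatch(timestamp)
    return {
        "facility": pri >> 3,          # 23 is local7
        "pri_severity": pri & 7,       # RFC 3164 numbering, 0 emergency .. 7 debug
        "host": host,
        "timestamp": timestamp,        # "" when the none format is configured
        "boot_ms": (int(boot.group(1)) << 32) + int(boot.group(2)) if boot else None,
        "module": module,
        "level": level,                # guide numbering, 1 emergencies .. 8 debugging
        "severity": SEVERITIES[level - 1],
        "digest": digest,
        "text": text,
        # The PRI severity should be the level minus one; a mismatch means the
        # sender or a relay rewrote the header and the record deserves scrutiny.
        "consistent": (pri & 7) == level - 1,
    }


def select(lines, threshold: str):
    """Keep records at `threshold` severity or more severe, the way an
    info-center source rule limits what reaches a direction.  Lines that do
    not parse are counted rather than allowed to stop the pipeline."""
    cutoff = SEVERITIES.index(threshold) + 1
    kept, bad = [], 0
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            bad += 1
            continue
        if rec["level"] <= cutoff:
            kept.append(rec)
    return kept, bad


if __name__ == "__main__":
    for rec in select(SAMPLE_LINES, "warnings")[0]:
        print(rec["host"], rec["severity"], rec["module"], rec["digest"], rec["text"])
```

The consistent flag is worth keeping in a collector: because the loghost receives these lines over plain UDP, a record whose PRI and in-body level disagree is the cheapest available hint that it did not come from the switch unmodified.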
1 Sending the information to the loghost
Table 523 Sending the Information to Loghost
Device: Switch. Configuration: Enable info-center. Default value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled.
3 Sending the Information to the monitor terminal
Table 525 Sending the Information to Monitor Terminal
Device: Switch. Configuration: Enable info-center. Default value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled.
6 Sending the Information to SNMP
Table 528 Sending the Information to SNMP
Device: Switch. Configuration: Enable info-center. Default value: By default, info-center is enabled. Description: Other configurations are valid only if the info-center is enabled.
Configuration: Set the information output direction to SNMP. Default value: —
Configuration: Set the information source. Description: You can define which modules and information are to be sent out, the time-stamp format of the information, and so on.
Table 530 Configuring to Output Information to Loghost
Operation: Output information to the loghost. Command: info-center loghost host-ip-addr [ channel { channel-number | channel-name } ] [ facility local-number ] [ language { chinese | english } ]
Operation: Cancel outputting information to the loghost. Command: undo info-center loghost host-ip-addr
Be sure to enter the correct IP address when configuring the loghost IP address with the info-center loghost command. Messages to the loghost are sent as unauthenticated, unencrypted UDP syslog, so anyone on the path can read or spoof them; send them over a management network, and if the loghost feeds security monitoring, forward from it over an authenticated channel.
4 Configuring the loghost
The configuration on the loghost must match that on the Switch. For related configuration, see the configuration examples later in this chapter.
Setting the Format of Time Stamps Sent to the Log Host
Table 532 describes the detailed configuration tasks on the switch.
Table 534 Configuring to Output Information to Control Terminal
Operation: Output information to the Console. Command: info-center console channel { channel-number | channel-name }
Operation: Cancel outputting information to the Console. Command: undo info-center console channel
3 Configuring the information source on the Switch.
Sending the Information to Telnet Terminal or Dumb Terminal
Perform the following operation in User View:
Table 537 Enabling Terminal Display Function
Operation: Enable terminal display of debugging information. Command: terminal debugging
Operation: Disable terminal display of debugging information. Command: undo terminal debugging
Operation: Enable terminal display of log information. Command: terminal logging
Operation: Disable terminal display of log information. Command: undo term
modu-name specifies the module name; default represents all modules; level refers to the severity levels; severity specifies the severity threshold, and information less severe than the specified level is not output. channel-number specifies the channel number and channel-name specifies the channel name. When defining the information sent to a Telnet terminal or dumb terminal, channel-number or channel-name must be set to the channel that corresponds to the Console direction.
Operation: Disable terminal display of trap information. Command: undo terminal trapping
Sending the Information to the Log Buffer
To send information to the log buffer, follow the steps below:
1 Enabling info-center
Perform the following operation in System View.
Table 543 Enabling/Disabling Info-center
Operation: Enable info-center. Command: info-center enable
Operation: Disable info-center. Command: undo info-center enable
Info-center is enabled by default.
If you want to view the debugging information of some modules on the Switch, you must select debugging as the information type when configuring the information source, and at the same time turn on the debugging switch of those modules with the debugging command. You can use the following commands to configure the time-stamp output format of log, debugging and trap information. Perform the following operation in System View.
modu-name specifies the module name; default represents all modules; level refers to the severity levels; severity specifies the severity threshold, and information less severe than the specified level is not output. channel-number specifies the channel number and channel-name specifies the channel name. When defining the information sent to the trap buffer, channel-number or channel-name must be set to the channel that corresponds to the Console direction.
3 Configure the information source on the Switch. With this configuration, you can define the information that is sent to SNMP NM: generated by which modules, information type, information level, and so on. Perform the following operation in System View.
The Switch provides a command to turn the synchronization switch on or off on every Switch. If the synchronization switch of a Switch is turned off, it does not send information to other Switches but still receives information from them. 1 Enable info-center. Perform the following operation in System View.
Configuring Synchronous Information Output Function
The synchronous information output function prevents users' input from being interrupted by system output. While enabled, this function redisplays the input typed so far after each system output, thus avoiding commands being split across separate lines and increasing the system usability.
2 Configuration on the loghost
This configuration is performed on the loghost. The following example is performed on SunOS 4.0; the operation on Unix operating systems produced by other manufacturers is generally the same as the operation on SunOS 4.0.
a Perform the following commands as the super user (root).
# mkdir /var/log/SW5500
# touch /var/log/SW5500/information
b Edit the file /etc/syslog.conf as the super user (root) and add the following selector/action pairs.
Networking diagram
Figure 128 Schematic Diagram of Configuration Network (figure: Switch connected to PC)
Configuration Procedure
1 Enable info-center.
[SW5500]info-center enable
Set the host with the IP address 202.38.1.10 as the loghost; set the severity level threshold to informational, set the output language to English, and allow all modules to output information.
[SW5500]info-center loghost 202.38.1.
c After creating the log file and revising /etc/syslog.conf, find the process ID of syslogd (the system log daemon) with the following command, kill the syslogd daemon and restart it with the -r option.
# ps -ae | grep syslogd
147
# kill -9 147
# syslogd -r &
For a Linux loghost, you must ensure that the syslogd daemon is started with the -r option. After the above operation, the Switch system can record information in the related log files.
RMON Configuration 489 RMON Configuration Remote Network Monitoring (RMON) is a type of IETF-defined MIB. It is the most important enhancement to the MIB II standard. It is mainly used for monitoring the data traffic on a segment and even on a whole network. It is one of the most widely used Network Management standards.
You can use the following commands to add/delete an entry to/from the alarm table. Perform the following configuration in System View.
Table 558 Add/Delete an Entry to/from the Alarm Table
  Add an entry to the alarm table: rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ]
  Delete an entry from the alarm table.
Table 561 Add/Delete an Entry to/from the Extended RMON Alarm Table
  Add an entry to the extended RMON alarm table: rmon prialarm entry-number alarm-var [ alarm-des ] sampling-timer { delta | absolute | changeratio } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 entrytype { forever | cycle cycle-period } [ owner text ]
  Delete an entry from the extended RMON alarm table.
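The rising-threshold/falling-threshold pair in Tables 558 and 561 follows the RMON alarmTable rules (RFC 2819): an alarm entry samples the variable every sampling-time, compares either the sample itself (absolute) or its difference from the previous sample (delta) with the two thresholds, and after a rising event it stays silent until the value has dropped to the falling threshold, so a counter that hovers around the threshold does not flood the event log. The following simulator is an added example, not code from the 3Com guide; the event indexes 1 and 2, the threshold values and the sample series are constructed, and the startup behaviour (a first sample already past a threshold fires the matching event) is an assumption.

```python
"""Rising/falling threshold behaviour of an RMON alarm entry (added example)."""
from typing import List, Optional


class RmonAlarm:
    """One alarm entry: `rmon alarm ... { delta | absolute } rising-threshold R ev1 falling-threshold F ev2`."""

    def __init__(self, sample_type: str, rising: int, falling: int,
                 rising_event: int = 1, falling_event: int = 2):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.sample_type = sample_type
        self.rising = rising
        self.falling = falling
        self.rising_event = rising_event      # constructed event index
        self.falling_event = falling_event    # constructed event index
        self._prev_raw: Optional[int] = None  # previous raw sample (delta mode)
        self._last_fired: Optional[str] = None  # "rising" or "falling"

    def sample(self, raw: int) -> Optional[int]:
        """Feed one sample taken at sampling-time; return the event index fired, if any."""
        if self.sample_type == "delta":
            if self._prev_raw is None:       # first delta sample has nothing to diff against
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw
        # Hysteresis: after a rising alarm no further rising alarm is generated until the
        # value has reached the falling threshold, and vice versa (RFC 2819 semantics).
        if value >= self.rising and self._last_fired != "rising":
            self._last_fired = "rising"
            return self.rising_event
        if value <= self.falling and self._last_fired != "falling":
            self._last_fired = "falling"
            return self.falling_event
        return None


def run_alarm(sample_type: str, rising: int, falling: int,
              samples: List[int]) -> List[Optional[int]]:
    """Run a series of samples through one alarm entry; returns the event fired per sample."""
    alarm = RmonAlarm(sample_type, rising, falling)
    return [alarm.sample(v) for v in samples]


if __name__ == "__main__":
    # Constructed: a monotonically growing error counter watched in delta mode.
    print(run_alarm("delta", 100, 10, [0, 50, 200, 400, 405, 600]))
    # Constructed: a utilisation gauge watched in absolute mode.
    print(run_alarm("absolute", 80, 30, [10, 85, 90, 70, 20, 95]))
```

In the delta run the rising event fires once when the counter jumps by 150, is suppressed while the counter keeps growing fast, and only re-arms after a quiet interval (delta 5) has fired the falling event; that re-arming is what makes the falling threshold worth setting below the rising one rather than equal to it.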
RMON Configuration Example
Networking Requirements
Set an entry in the RMON Ethernet statistics table for the Ethernet port performance, which is convenient for network administrators' queries.
Networking Diagram
Figure 130 RMON Configuration Networking (figure: Switch with a network port to the Internet and a console port)
Configuration Procedure
1 Configure RMON.
[SW5500-Ethernet1/0/1]rmon statistics 1 owner 3com-rmon
2 View the configurations in User View.
NTP Overview 493
■ Record for an application when a user logs in to a system, a file is modified, or
Basic Operating Principle of NTP
Figure 131 illustrates the basic operating principle of NTP:
Figure 131 Basic Operating Principle of NTP (figure: four NTP packet exchanges between LS_A and LS_B; 1. LS_A sends an NTP packet stamped 10:00:00am; 2. LS_B receives it and adds its own time, 11:00:01am; 3. LS_B sends the packet back stamped 11:00:02am; 4. LS_A receives the NTP packet at 10:00:03)
In this way, Switch A uses the above information to set the local clock and synchronize it with the clock on Switch B. The operating principle of NTP is briefly introduced above. For more information, refer to RFC1305. NTP Configuration Configuring NTP Operating Mode NTP is used for time synchronization throughout a network.
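The calculation Switch A performs with the four timestamps of Figure 131 is the RFC 1305 offset and delay computation. The following is an added example, not code from the 3Com guide: it takes T1 (A sends, A's clock), T2 (B receives, B's clock), T3 (B replies, B's clock) and T4 (A receives, A's clock) as shown in the figure and derives how far A's clock is behind B's and how long the packets spent on the wire. The helper names are assumptions.

```python
"""NTP clock offset and round-trip delay from four timestamps (added example)."""
from typing import Tuple


def hms_to_seconds(hms: str) -> int:
    """'11:00:01' -> seconds since midnight (24-hour clock)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def ntp_offset_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Return (offset, delay) in seconds, RFC 1305 style.

    delay  = (T4 - T1) - (T3 - T2): round trip on the wire, with B's processing time removed
    offset = ((T2 - T1) + (T3 - T4)) / 2: amount A must add to its clock to match B
    """
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        # A negative delay means the four timestamps are inconsistent (clock stepped,
        # or a reply that does not belong to this request); such a sample is unusable.
        raise ValueError("inconsistent timestamps: negative delay %r" % delay)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, delay


def figure_131_example() -> Tuple[float, float]:
    """The timestamps drawn in Figure 131 (24-hour notation)."""
    t1 = hms_to_seconds("10:00:00")  # A sends the request   (A's clock)
    t2 = hms_to_seconds("11:00:01")  # B receives it         (B's clock)
    t3 = hms_to_seconds("11:00:02")  # B sends the reply     (B's clock)
    t4 = hms_to_seconds("10:00:03")  # A receives the reply  (A's clock)
    return ntp_offset_delay(t1, t2, t3, t4)


def corrected_local_time(local_seconds: float, offset: float) -> float:
    """Apply the computed offset to a reading of A's clock."""
    return local_seconds + offset


if __name__ == "__main__":
    offset, delay = figure_131_example()
    print("offset = %.0f s, delay = %.0f s" % (offset, delay))
    # A's 10:00:03 corrected by one hour gives 11:00:03, in step with B.
    print(corrected_local_time(hms_to_seconds("10:00:03"), offset))
```

The offset comes out as 3600 s (Switch A is exactly one hour behind Switch B) and the delay as 2 s, with B's one second of processing time cancelled out. Because every term of the formula is a timestamp carried in the packet, anyone who can alter T2 or T3 in transit shifts the result directly; that is the reason for the NTP ID authentication configured later in this section.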
NTP Configuration 495
Table 563 Configure NTP Time Server
  Configure NTP time server: ntp-service unicast-server ip-address [ version number ] [ authentication-keyid keyid ] [ source-interface { interface-name | interface-type interface-number } ] [ priority ]
  Cancel NTP server mode: undo ntp-service unicast-server ip-address
The NTP version number number ranges from 1 to 3 and defaults to 3; the authentication key ID keyid ranges from 0 to 4294967295; interface-name or interface-type interf
Configuring NTP Broadcast Client Mode
Designate an interface on the local Switch to receive NTP broadcast messages and operate in broadcast client mode. The local Switch listens to the broadcast from the server. When it receives the first broadcast packets, it starts a brief client/server exchange of messages with the remote server to estimate the network delay.
Multicast IP address ip-address defaults to 224.0.1.1. This command can only be configured on the interface where the NTP multicast packets will be received. Configuring NTP ID Authentication Enable NTP authentication, set MD5 authentication key, and specify the reliable key. A client will synchronize itself by a server only if the server can provide a reliable key. Perform the following configurations in System View.
  Cancel the interface to transmit NTP messages: undo ntp-service source-interface
An interface is specified by interface-name or interface-type interface-number. The source address of the packets will be taken from the IP address of the interface. If the ntp-service unicast-server or ntp-service unicast-peer command also designates a transmitting interface, the one designated by them is used.
Typical NTP Configuration Examples 499
Setting Maximum Local Sessions
This configuration task is to set the maximum local sessions. Perform the following configurations in System View.
Table 575 Set the Maximum Local Sessions
  Set the maximum local sessions: ntp-service max-dynamic-sessions number
  Resume the default maximum number of local sessions: undo ntp-service max-dynamic-sessions
number specifies the maximum number of local sessions, ranges from 0 to 100, and defaults to 100.
Networking Diagram
Figure 132 Typical NTP Configuration Networking Diagram (figure: Switch 0 Quidway0 through Switch 5 Quidway5 and further switches; Vlan-interface2 addresses shown: 1.0.1.11, 1.0.1.12, 3.0.1.31, 3.0.1.32, 3.0.1.33; other addresses shown: 1.0.1.2, 3.0.1.2)
Configuration Procedure
Configure Switch 1:
1 Enter System View.
After the synchronization, Switch 2 turns into the following status:
[switch2]display ntp-service status
clock status: synchronized
clock stratum: 8
reference clock ID: 1.0.1.11
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^17
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 10.94 ms
peer dispersion: 10.00 ms
reference time: 20:54:25.156 UTC Mar 7 2002(C0325201.
3 Configure Switch 5: (Switch 4 has been synchronized by Switch 3)
a Enter System View.
system-view
b After performing local synchronization, set Switch 4 as a peer.
[switch5]ntp-service unicast-peer 3.0.1.32
The above examples configure Switch 4 and Switch 5 as peers, with Switch 5 in active peer mode and Switch 4 in passive peer mode. Since Switch 5 is at stratum 1 and Switch 4 is at stratum 3, Switch 4 is synchronized by Switch 5.
c Enter Vlan-interface2 view.
[switch3]interface vlan-interface 2
d Set it as broadcast server.
[switch3-Vlan-Interface2]ntp-service broadcast-server
2 Configure Switch 4:
a Enter System View.
system-view
b Enter Vlan-interface2 view.
[switch4]interface vlan-interface 2
[switch4-Vlan-Interface2]ntp-service broadcast-client
3 Configure Switch 1:
a Enter System View.
system-view
b Enter Vlan-interface2 view.
Configure NTP Multicast Mode
Network Requirements
Switch 3 sets the local clock as the master clock at stratum 2 and multicasts packets from Vlan-interface2. Set Switch 4 and Switch 1 to receive multicast messages on their respective Vlan-interface2. (Note that Switch 3 must support setting the local clock as the NTP master clock.)
Networking Diagram
See Figure 132.
Configuration Procedure
1 Configure Switch 3:
a Enter System View.
Configure Authentication-enabled NTP Server Mode
Network Requirements
Switch 1 sets the local clock as the NTP master clock at stratum 2. Switch 2 sets Switch 1 as its time server in server mode and itself in client mode and enables authentication. (Note that Switch 1 must support setting the local clock as the NTP master clock.)
Networking Diagram
See Figure 132.
Configuration Procedure
1 Configure Switch 1:
a Enter System View.
SSH Terminal Services
Secure Shell (SSH) provides information security and strong authentication to prevent attacks such as IP address spoofing and plain-text password interception when users log on to the Switch remotely from an insecure network environment. A Switch can connect to multiple SSH clients. The SSH Client function enables SSH connections between users and a Switch or UNIX host that supports SSH Server.
SSH Terminal Services 507
way: The RSA public key of the client user is configured at the server. The client first sends the components (modulus and exponent) of its RSA public key to the server, which checks its validity. If it is valid, the server generates a random number, which is sent to the client after being encrypted with the RSA public key. Both ends calculate authentication data based on the random number and session ID.
Configuring and Canceling Local RSA Key Pair
If an RSA host key pair has already been configured when you execute this command, the system gives an alarm and prompts that the existing one will be replaced. The server key pair is created dynamically by the SSH server. The maximum length of both key pairs is 2048 bits and the minimum is 512. Perform the following configurations in System View.
Defining SSH Authentication Retry Value
Setting the SSH authentication retry value can effectively prevent malicious login attempts. Perform the following configurations in System View.
Table 582 Defining SSH Authentication Retry Value
  Define SSH authentication retry value: ssh server authentication-retries times
  Restore the default retry value: undo ssh server authentication-retries
By default, the retry value is 3.
Configuring SSH Client
There are several types of SSH client software, such as PuTTY and FreeBSD. You should first configure the client's connection with the server. The basic configuration tasks on the client include:
■ Specifying the server IP address.
■ Selecting the SSH protocol. The client supports remote connection protocols like Telnet, Rlogin and SSH. To set up an SSH connection, you must select the SSH protocol.
■ Choosing the SSH version.
Figure 137 SSH key convert
Use the save button to save this converted key to a file. Open the public key file in Notepad and add the following lines of text before the existing text:
rsa peer-public-key mykey
public-key-code begin
where mykey is a name used to identify the key within the switch; you may choose any name for this. Then add the following after the existing text:
public-key-code end
peer end
Also remove any blank lines from the file.
Figure 138 Text file of myKey
Save this to a file ending with a ".bat" extension, e.g. "keys.bat". This file can be transferred to the switch using FTP or TFTP. The key is installed using the execute command in System View:
[SW5500]execute keys.bat
Specifying Server IP Address
Start the PuTTY program and the client configuration interface pops up.
In the Host Name (or IP address) text box, key in the IP address of the Switch, for example, 10.110.28.10. You can also input the IP address of any interface in UP state, but its route to the SSH client PC must be reachable.
Selecting SSH Protocol
Select SSH for the Protocol item.
Choosing SSH Version
Click the left menu [Category/Connection/SSH] to enter the interface shown in Figure 140.
Figure 140 SSH Client Configuration Interface (2)
You can select 1, as shown in Figure 140.
Figure 141 SSH client configuration interface (3)
Click Browse to enter the File Select interface. Choose the desired file and click OK.
Opening SSH Connection
Click Open to enter the SSH client interface. If it runs normally, you are prompted to enter the username and password. See Figure 142.
Figure 142 SSH client interface
Key in the correct username and password to log into the SSH connection. Log out of the SSH connection with the logout command.
Displaying and Debugging SSH
Run the display command in any view to view the running state of SSH and to check the configuration result. Run the debugging command to debug SSH. Perform the following configurations in any view.
[SW5500-luser-client002]service-type ssh
4 Specify AAA authentication on the user interface.
[SW5500]user-interface vty 0 4
[SW5500-ui-vty0-4]authentication-mode scheme
5 Select the SSH protocol on the Switch.
[SW5500-ui-vty0-4]protocol inbound ssh
6 Specify RSA authentication on the Switch.
[SW5500]ssh user client002 authentication-type RSA
7 Configure the RSA key pair on the Switch. If you followed the procedure for generating and executing a ".
File System Configuration 517 File System Configuration Perform the following file system configuration in user view.
To ensure that the switch can use the current configuration after it restarts, you are recommended to save the current configuration by using the save command before restarting the switch. If multiple switches compose one fabric, executing the save command will make each unit in the fabric save its own startup configuration file.
FTP Lighting Configuration
Introduction to FTP
This section contains configuration information for FTP Lighting.
FTP Lighting Configuration 519
Enabling FTP Server on Switch
After the FTP server is enabled on a Switch 5500 switch, the seven-segment digital LED on the front panel of the switch rotates clockwise while an FTP client is uploading a file to the FTP server (the Switch 5500 switch), and stops rotating when the file upload is finished, as shown in Figure 145.
Enabling FTP Client on the Switch
After the FTP client is enabled on a Switch 5500 switch, the seven-segment digital LED on the front panel of the switch rotates clockwise while the FTP client (the Switch 5500 switch) is downloading a file from an FTP server, and stops rotating when the file download is finished, as shown in Figure 145.
TFTP Lighting Configuration 521
The switch can only act as a TFTP client.
Figure 146 Network diagram for TFTP configuration (figure: Switch connected to PC over the network)
TFTP Lighting Procedure
The TFTP server and the TFTP client must be reachable to each other for the TFTP function to operate normally.
23 PORT TRACKING CONFIGURATION
Introduction to the Port Tracking Function
With the port tracking function enabled, you can specify to track the link state of the master's uplink port and decrease the priority of the switch when the port fails. This in turn triggers the new master to be determined in the backup group.
Port Tracking Configuration
Configuring the Port Tracking Function
This section contains configuration information for Port Tracking.
CHAPTER 23: PORT TRACKING CONFIGURATION
Network diagram
Figure 147 Network diagram for port tracking configuration (figure: Master and Backup switches with actual IP addresses 10.100.10.2 and 10.100.10.3 sharing virtual IP address 10.100.10.1; Host 1 10.100.10.7, Host 2 10.100.10.8 and Host 3 10.100.10.9 on the Ethernet)
Configuration procedure
Configure the master switch.
1 Enter system view.
system-view
System View: return to User View with Ctrl+Z.
2 Create VLAN 2.
24 DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION
Introduction to Dynamically Apply ACL by RADIUS Server
The switch can dynamically provide pre-defined ACL rules for one or a group of authenticated users through the combination of the Dynamically Apply ACL by RADIUS Server function and the 802.1x authentication function. After you have passed the 802.
CHAPTER 24: DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION
Configuration Example
Network requirements
This section contains a configuration example. The switch implements the Dynamically Apply ACL by RADIUS Server function for the access users. The IP address of the VLAN interface that connects the switch and the RADIUS Server is 10.153.1.1. The encryption key of the NAS (that is, the switch) is aaaa. The user name is test and its authentication password is test.
Configuration Example 527
Configuration procedure
Configuration on the RADIUS server
1 Click User/Manage Users. See Figure 150.
Figure 150 The first step
2 Create a new user, and then on the General Attributes page input the password of the user; meanwhile set the "Account Expiration Date" to Dec-31-2049. See Figure 151.
Figure 151 The second step
3 On the Radius Options page, set the Filter-Id to 3000. See Figure 152.
Figure 152 The third step
4 Click Options/Encryption Keys and set the encryption key. See Figure 153.
Figure 153 The fourth step
5 Input the NAS IP and the encryption key. See Figure 154.
Figure 154 The fifth step
Configuration on the switch
1 Enable 802.1x.
system-view
[S5500] dot1x
[S5500] dot1x interface ethernet 1/0/1
2 Configure the IP address information for the RADIUS server.
[S5500] radius scheme radius1
[S5500-radius-radius1] primary authentication 10.153.1.2 1645
[S5500-radius-radius1] primary accounting 10.153.1.
On Unit 1:Total 1 connections matched, 1 listed.
Total 1 connections matched, 1 listed.
[S5500] display connection ucibindex 28
------------------------Unit 1-----------------------
Index=28 , Username=test@test163.net
MAC=000a-eb7e-d28e , IP=10.153.1.
25 AUTO DETECT CONFIGURATION
Introduction to the Auto Detect Function
The auto detect function uses ICMP request/reply packets to test the connectivity of a network regularly. The auto detect function is carried out through detecting groups. A detecting group comprises a group of IP addresses to be detected. You can examine the connectivity of a network by checking the results of detecting groups, which in turn enables you to locate network problems in time and take proper measures.
CHAPTER 25: AUTO DETECT CONFIGURATION
Network diagram
Figure 155 Network diagram for auto detect configuration (figure: Switch A, Switch B, Switch C and Switch D; addresses shown: 192.168.1.1/24, 192.168.1.2/24, 192.168.2.1/24, 192.168.2.2/24, 10.1.1.3/24, 10.1.1.4/24, 20.1.1.2/24; ports Ethernet 1/0/1 and Ethernet 2/0/1; VLAN 2)
Configuration procedure
1 Enter system view.
system-view
2 Create detecting group 10.
Auto Detect Implementation in Static Routing 533 You can utilize a single detecting group simultaneously in multiple implementations mentioned above. Refer to the Routing Protocol part in Switch 5500 Series Switch Operation Manual for information about static routing. Refer to the Reliability part in Switch 5500 Series Switch Operation Manual for information about VRRP.
Configuration procedure
Configure Switch A.
system-view
[S5500 A] detect-group 8
[S5500 A-detect-group-8] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[S5500 A] ip route-static 10.1.1.4 24 192.168.1.
Auto Detect Implementation in VRRP 535
Network diagram
Figure 157 Network diagram for VRRP (figure: Switch A, Switch B, Switch C and Switch D; VLAN1 addresses shown: 192.168.1.1/24, 192.168.1.2/24, 192.168.1.3/24, 10.1.1.3/24, 10.1.1.4/24, 20.1.1.2/24, 20.1.1.3/24, 20.1.1.4/24; ports Ethernet 1/0/1 and Ethernet 2/0/1)
Configuration procedure
1 Configure Switch B.
a Create detecting group 9.
system-view
[S5500 B] detect-group 9
b Specify to detect the reachability of the IP address 10.1.1.4, setting the detect number to 1.
c Set the backup group preference value of Switch D to 100.
[S5500 D-vlan-interface1] vrrp vrid 1 priority 100
Auto Detect Implementation in VLAN Interface Backup
Configuring the Auto Detect Function for VLAN Interface Backup
Configuration Example
The interface backup function is used to back up VLAN interfaces by using the auto detect function.
Auto Detect Implementation in VLAN Interface Backup 537
Network diagram
Figure 158 Network diagram for VLAN interface backup (figure: Switch A, Switch B, Switch C and Switch D; addresses shown: 192.168.1.1/24, 192.168.1.2/24, 192.168.2.1/24, 192.168.2.2/24, 10.1.1.3/24, 10.1.1.4/24, 20.1.1.2/24, 20.1.1.4/24; ports Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 2/0/1; VLAN 1 and VLAN 2)
Configuration procedure
1 Configure Switch C.
g Add the IP address 10.1.1.4 to detecting group 10 to detect the reachability of the IP address, with the IP address 192.168.1.2 as the next hop, and set the detecting number to 1.
[S5500 A-detect-group-10] detect-list 1 ip address 10.1.1.4 nexthop 192.168.1.2
[S5500 A-detect-group-10] quit
h Specify to enable the VLAN 2 interface when the result of detecting group 10 is unreachable.
26 RSTP CONFIGURATION
This chapter covers the following topics:
■ STP Overview
■ RSTP Configuration
■ RSTP Configuration Example
STP Overview
Implement STP
Spanning Tree Protocol (STP) is applied in loop networks to block some undesirable redundant paths with certain algorithms and prune the network into a loop-free tree, thereby avoiding the proliferation and infinite cycling of packets in the loop network.
CHAPTER 26: RSTP CONFIGURATION For a Switch, the designated bridge is a Switch in charge of forwarding BPDU to the local Switch using a port called the designated port. For a LAN, the designated bridge is a Switch that is in charge of forwarding BPDU to the network segment using a port called the designated port. As illustrated in Figure 159, Switch A forwards data to Switch B using the port AP1. So to Switch B, the designated bridge is Switch A and the designated port is AP1.
STP Overview 541 2 Select the optimum configuration BPDU Every Switch transmits its configuration BPDU to others. When a port receives a configuration BPDU with a lower priority than that of its own, it will discard the message and keep the local BPDU unchanged. When a higher-priority configuration BPDU is received, the local BPDU is updated. And the optimum configuration BPDU will be elected through comparing the configuration BPDUs of all the ports.
Switch B compares the configuration BPDUs of its ports and selects the BP1 BPDU as the optimum one. Thus BP1 is elected as the root port and the configuration BPDUs of the Switch B ports are updated as follows. The configuration BPDU of the root port BP1 remains {0, 0, 0, BP1}. BP2 updates its root ID with that in the optimum configuration BPDU, sets the path cost to root to 5, sets the designated bridge to the local Switch ID and the designated port ID to the local port ID.
To facilitate the descriptions, the description of the example is simplified. For example, the root ID and the designated bridge ID in actual calculation should comprise both Switch priority and Switch MAC address. Designated port ID should comprise port priority and port MAC address. In the updating process of a configuration BPDU, other configuration BPDUs besides the first four items will make modifications according to certain rules.
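The comparison and update steps described above for Switch B can be written out as a small election routine. The following is an added example, not code from the 3Com guide: a configuration BPDU is the 4-tuple {root ID, root path cost, designated bridge ID, designated port ID}, compared field by field with the smaller value winning. The bridge IDs 0, 1 and 2, the port labels AP1/AP2, BP1/BP2 and CP1/CP2, the path cost 4 on the B-C link and the cost 10 on the A-C link are constructed (the guide gives only Switch B's cost 5 to the root); port IDs are plain strings compared lexicographically as a stand-in for the real port priority and port number, as the simplification note above allows.

```python
"""Configuration-BPDU comparison and root-port election (added example)."""
from typing import Dict, NamedTuple, Optional, Tuple


class Bpdu(NamedTuple):
    root_id: int
    root_path_cost: int
    designated_bridge: int
    designated_port: str


def better(a: Bpdu, b: Bpdu) -> bool:
    """True if BPDU a has higher priority than b: compare root ID, then root path cost,
    then designated bridge ID, then designated port ID; the lower value wins."""
    return tuple(a) < tuple(b)


def elect(bridge_id: int,
          ports: Dict[str, Tuple[Optional[Bpdu], int]]) -> dict:
    """ports maps port name -> (BPDU received on that port or None, the port's path cost).

    Returns the elected root port, the bridge's root path cost, and for every port its
    role ("root", "designated" or "blocked") together with the BPDU it now holds."""
    root_port: Optional[str] = None
    best: Optional[Bpdu] = None
    for name, (rx, cost) in ports.items():
        if rx is None:
            continue
        # Cost to reach the advertised root through this port = advertised cost + port cost.
        candidate = Bpdu(rx.root_id, rx.root_path_cost + cost,
                         rx.designated_bridge, rx.designated_port)
        own = Bpdu(bridge_id, 0, bridge_id, name)   # what the port advertised initially
        if better(candidate, own) and (best is None or better(candidate, best)):
            best, root_port = candidate, name
    if best is None:
        root_id, root_cost = bridge_id, 0            # nothing better heard: we are the root
    else:
        root_id, root_cost = best.root_id, best.root_path_cost

    roles: Dict[str, Tuple[str, Bpdu]] = {}
    for name, (rx, cost) in ports.items():
        if name == root_port:
            roles[name] = ("root", rx)               # root port keeps the BPDU it received
            continue
        own = Bpdu(root_id, root_cost, bridge_id, name)
        if rx is None or better(own, rx):
            roles[name] = ("designated", own)        # our BPDU wins on this segment: forward
        else:
            roles[name] = ("blocked", rx)            # peer's BPDU wins: redundant path blocked
    return {"root_port": root_port, "root_path_cost": root_cost, "ports": roles}


def switch_b_example() -> dict:
    """Switch B (ID 1): BP1 hears Switch A's {0, 0, 0, AP1} at cost 5, BP2 hears Switch C."""
    return elect(1, {"BP1": (Bpdu(0, 0, 0, "AP1"), 5),
                     "BP2": (Bpdu(2, 0, 2, "CP1"), 4)})


def switch_c_example() -> dict:
    """Switch C (ID 2) after B has updated: the direct link to A is the costlier path."""
    return elect(2, {"CP1": (Bpdu(0, 5, 1, "BP2"), 4),
                     "CP2": (Bpdu(0, 0, 0, "AP2"), 10)})


if __name__ == "__main__":
    print(switch_b_example())   # BP1 root port, BP2 designated with {0, 5, 1, BP2}
    print(switch_c_example())   # CP1 root port (cost 9), CP2 blocked: the loop is cut
```

Switch B's result reproduces the text: BP1 becomes the root port and BP2 advertises {0, 5, 1, BP2}. Running the same routine on Switch C shows the other half of the algorithm, a port that hears a better BPDU than it could send (CP2, facing Switch A's {0, 0, 0, AP2}) is blocked, which is the step that turns the three-switch loop into a tree.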
In a Switch equipped with the XRN feature, RSTP has the following characteristics:
1) The whole Fabric is processed as a single node;
2) All ports except those used as Fabric ports participate in role selection;
3) There is a single root port and bridge ID for the whole Fabric;
4) RSTP port information is saved in a distributed manner.
RSTP Configuration
The configuration of RSTP changes with the position of the Switch in the network, as discussed below.
RSTP Configuration 545
Table 595 RSTP Configuration (continued)
Device: Switch C and Switch D
  Configuration: Specify a Switch as the root or backup root bridge. Default Value: The role of the current Switch as the root or backup root bridge depends on the STP calculation. Note: A Switch can be made the root bridge by specifying its Bridge preference to 0.
  Configuration: Configure the Bridge preference of a Switch. Default Value: The Bridge preference of a Switch is 32768.
Table 595 RSTP Configuration (continued)
Device: Switch E, Switch F and Switch G
  Configuration: Configure the timeout time factor of a Switch. Note: A Switch that has not received any Hello packet from the upstream Switch for three times the Hello Time considers the upstream Switch failed and recalculates the spanning tree. In a stable network, it is recommended to set the timeout time factor to 5, 6, or 7.
Table 595 RSTP Configuration (continued)
  Configuration: Specify the maximum transmission rate of STP packets on a port. Default Value: No Ethernet port can send more than 3 STP packets within one Hello Time. Note: The more STP packets a port sends within one Hello Time, the more resources are consumed. It is therefore recommended to limit the transmission rate of STP packets on a port, preferably to the default value.
Perform the following configurations in Ethernet Port View.
Table 597 Enable/Disable RSTP on a Port
  Enable RSTP on a specified port: stp enable
  Disable RSTP on a specified port: stp disable
Note that a redundant route (a loop) may be generated after RSTP is disabled on the Ethernet port. By default, RSTP is enabled on all ports once it is enabled on the Switch.
Set Priority of a Specified Bridge
Whether a bridge can be selected as the "root" of the spanning tree depends on its priority. By assigning a lower priority, a bridge can be artificially specified as the root of the spanning tree. You can use the following command to configure the priority of a specified bridge. Perform the following configurations in System View.
By default, a Switch is neither the primary root nor the secondary root of the spanning tree.
Set Forward Delay of a Specified Bridge
Link failure will cause recalculation of the spanning tree and change its structure. However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately. If the newly selected root port and designated port begin to forward data frames right away, this can cause an occasional loop.
Table 604 Set Max Age of the Specified Bridge
  Set Max Age of the specified bridge: stp timer max-age centiseconds
  Restore the default Max Age of the specified bridge: undo stp timer max-age
If the Max Age is too short, it will result in frequent recalculation of the spanning tree or cause network congestion to be misjudged as a link fault. On the other hand, too long a Max Age may make the bridge unable to detect link failure in time and weaken the network's auto-sensing ability.
By default, an Ethernet port can transmit at most 3 STP packets within one Hello Time.
Set Specified Port to be an EdgePort
An EdgePort is not connected to any Switch directly or indirectly through the connected network. You can use the following command to set a specified port as an EdgePort. Perform the following configurations in Ethernet Port View.
Specify the standard to be followed in Path Cost calculation
The following two standards are currently available on the Switch:
■ dot1d-1998: The Switch calculates the default Path Cost of a port by the IEEE 802.1D-1998 standard.
■ dot1t: The Switch calculates the default Path Cost of a port by the IEEE 802.1t standard.
You can specify the intended standard by using the following commands. Perform the following configuration in System View.
Table 611 Configure a Specified Port to be Connected to a Point-to-Point Link
  Configure a specified port to be connected to a point-to-point link: stp point-to-point force-true
  Configure a specified port not to be connected to a point-to-point link: stp point-to-point force-false
  Configure RSTP to automatically detect if the port is connected to a point-to-point link.
causes the network topology to reconfigure and may cause links to switch state. In normal cases, these ports will not receive STP BPDUs. If someone forges a BPDU to attack the Switch, the network topology will reconfigure. The BPDU protection function is used against such a network attack. In case of configuration error or malicious attack, the primary root may receive a BPDU with a higher priority and then lose its place, which causes network topology change errors.
For detailed information about the configuration commands, refer to the Command Manual.
Display and Debug RSTP
After the above configuration, execute the display command in any view to display the running state of the RSTP configuration and to verify the effect of the configuration. Execute the reset command in User View to clear the statistics of the RSTP module. Execute the debugging command in User View to debug the RSTP module.
RSTP Configuration Example 557
Configuration Procedure
1 Configure Switch A
a Enable RSTP globally.
[SW5500]stp enable
b The port RSTP defaults are enabled after global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful and do not disable those involved. (The following configuration takes GigabitEthernet 1/0/4 as an example.
b The port RSTP defaults are enabled after global RSTP is enabled. You can disable RSTP on those ports that are not involved in the RSTP calculation; however, be careful and do not disable those involved. (The following configuration takes Ethernet 1/0/4 as an example.)
[SW5500]interface Ethernet 1/0/4
[SW5500-Ethernet1/0/4]stp disable
c Configure Switch C and Switch B to serve as standby for each other and set the Bridge priority of Switch C to 8192.
27 POE PROFILE CONFIGURATION
Introduction to PoE Profile
On a large-sized network or a network with mobile users, to help network administrators monitor the PoE features of the switch, the 3Com Switch 5500 Family provides PoE Profile features.
Features of PoE Profile:
■ Various PoE Profiles can be created. PoE policy configurations applicable to different user groups are stored in the corresponding PoE Profiles.
PoE Profile Configuration
PoE Profile Configuration Tasks
CHAPTER 27: POE PROFILE CONFIGURATION
Table 615 PoE Profile Configuration (continued)
Operation: Display detailed configuration information on the existing PoE Profile
Command: display poe-profile { all-profile | interface interface-type interface-number | name profilename }
Description: You can use the display command in any view.
Various PoE features can be configured within one PoE Profile.
PoE Profile Configuration 561
Figure 164 PoE Profile application (figure: S3928P-PWR switch; ports Ethernet1/0/1~Ethernet1/0/5 and Ethernet1/0/6~Ethernet1/0/10 connect IP phones and APs; uplinks to Network)
Configuration procedures
1 Create Profile 1, and enter PoE Profile view.
system-view
[S5500] poe-profile Profile1
2 In Profile 1, add the PoE policy configuration applicable to Ethernet1/0/1 through Ethernet1/0/5 ports for type A group users.
7 Apply the configured Profile 1 to Ethernet1/0/1 through Ethernet1/0/5 ports.
[S5500] apply poe-profile profile1 interface ethernet1/0/1 to ethernet1/0/5
8 Apply the configured Profile 2 to Ethernet1/0/6 through Ethernet1/0/10 ports.
28 SNMP CONFIGURATION
SNMP Configuration Introduction
The Simple Network Management Protocol (SNMP) is the most widely deployed management protocol in computer networks and is accepted in practice as an industry standard. It carries management information between any two nodes, so that network administrators can easily retrieve and modify information on any node of the network.
CHAPTER 28: SNMP CONFIGURATION The current SNMP Agent of the Switch supports SNMP V1, V2C and V3. The MIBs supported are listed in Table 616.
SNMP Configuration Introduction 565
Table 616 MIBs Supported by the Switch (Sheet 2 of 2)
MIB attribute: Private MIB
MIB content: Configuration Management MIB, Flash Management MIB, System Management MIB, MIBs for IGMP Snooping, MIBs for DHCP Client, MIBs for DHCP Relay, MIBs for DHCP Server, MIBs for MSTP, Entity Environment MIB, Topology Management of Fabric, Support for Bulk Configuration of user and access levels and trusted IP, MAC Address Management, QOS QACL MIB, ADBM MIB, RSTP MIB, VLAN MIB, Device m
References
Setting Community Name
SNMP V1 and SNMP V2C use the community name authentication scheme: an SNMP message whose community name does not match one accepted by the device is discarded. An SNMP community is identified by a character string called the Community Name. Each community can be given read-only or read-write access mode.
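The community check described above, modelled in Python as an added illustration (not 3Com code or the switch's own implementation): a minimal BER decoder reads the version, community and PDU type of a v1/v2c message, and a constructed community table decides whether the agent would accept it. The `public` write community mirrors the configuration example later in this chapter; the read-only community name and the sample messages are constructed.

```python
"""Community-name check for SNMPv1/v2c messages (added illustration, not
3Com code).  A minimal BER decoder extracts version, community and PDU
type; a community table then applies the rule the chapter states: a
message whose community is not accepted by the device is discarded, and a
read-only community cannot carry a SetRequest.  Sample messages and
community names are constructed for this example."""

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap"}
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
WRITE_PDUS = {"SetRequest"}


def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def parse_snmp_header(msg):
    """Return (version, community, pdu_name); community and pdu are None for v3,
    whose header carries USM security parameters instead of a community string."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version INTEGER")
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version == "v3":
        return version, None, None
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, pos)
    return version, community.decode("latin-1"), PDU_NAMES.get(pdu_tag, "unknown")


def check_access(msg, communities):
    """Decide whether the agent would accept msg under the given
    community table (name -> "read" or "write")."""
    version, community, pdu = parse_snmp_header(msg)
    if version == "v3":
        return "v3: authenticated by USM user, not by community name"
    if version == "unknown":
        return "discard: unsupported version"
    mode = communities.get(community)
    if mode is None:
        return "discard: unknown community"
    if pdu in WRITE_PDUS and mode != "write":
        return "discard: read-only community used for " + pdu
    return "accept"


def build_snmp(version, community, pdu_tag, pdu_body=b""):
    """Encode a minimal SNMP message (short-form lengths) for the samples below."""
    def tlv(tag, val):
        return bytes([tag, len(val)]) + val
    body = tlv(0x02, bytes([version])) + tlv(0x04, community) + tlv(pdu_tag, pdu_body)
    return tlv(0x30, body)


# Community tables.  WEAK mirrors the chapter's configuration example
# (`snmp-agent community write public`); HARDENED uses a constructed,
# non-default name with read-only access.
COMMUNITIES_WEAK = {"public": "write"}
COMMUNITIES_HARDENED = {"n3tr0-ops": "read"}

# Constructed sample messages (empty PDU bodies; only the header matters here).
SAMPLE_V1_SET_PUBLIC = build_snmp(0, b"public", 0xA3)
SAMPLE_V2C_SET_OPS = build_snmp(1, b"n3tr0-ops", 0xA3)
SAMPLE_V2C_GET_OPS = build_snmp(1, b"n3tr0-ops", 0xA0)
SAMPLE_V3 = build_snmp(3, b"", 0x30)   # stand-in v3 header; parser stops at the version

if __name__ == "__main__":
    for name, sample in [("v1 SetRequest/public", SAMPLE_V1_SET_PUBLIC),
                         ("v2c SetRequest/n3tr0-ops", SAMPLE_V2C_SET_OPS),
                         ("v2c GetRequest/n3tr0-ops", SAMPLE_V2C_GET_OPS),
                         ("v3", SAMPLE_V3)]:
        print("%-26s weak: %-32s hardened: %s" % (
            name, check_access(sample, COMMUNITIES_WEAK),
            check_access(sample, COMMUNITIES_HARDENED)))
```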
Setting Lifetime of Trap Message
You can use the following command to set the lifetime of a Trap message. A Trap message that exists longer than the set lifetime is dropped. Perform the following configuration in System View.
Table 620 Set the Lifetime of Trap Message
Set lifetime of Trap message: snmp-agent trap life seconds
Restore lifetime of Trap message: undo snmp-agent trap life
By default, the lifetime of a Trap message is 120 seconds.
Table 623 Set/Delete an SNMP Group
Setting an SNMP group:
snmp-agent group { v1 | v2c } group-name [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]
snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-list ]
Deleting an SNMP group:
undo snmp-agent group { v1 | v2c } group-name
Setting the Source Address of Trap
Table 627 Set the Size of SNMP Packet sent/received by an Agent
Set the size of SNMP packet sent/received by an agent: snmp-agent packet max-size byte-count
Restore the default size of SNMP packet sent/received by an agent: undo snmp-agent packet max-size
The agent can receive/send SNMP packets of sizes ranging from 484 to 17940 bytes. By default, the SNMP packet size is 1500 bytes.
Displaying and Debugging SNMP
After the above configuration, execute the display command in any view to display the running SNMP configuration and verify the effect of the configuration. Execute the debugging command in User View to debug the SNMP configuration.
Configuration Procedure
1 Enter the System View.
system-view
2 Set the community name, group name and user.
[SW5500]snmp-agent sys-info version all
[SW5500]snmp-agent community write public
[SW5500]snmp-agent mib-view include internet 1.3.6.1
[SW5500]snmp-agent group v3 managev3group write-view internet
[SW5500]snmp-agent usm-user v3 managev3user managev3group
3 Set the VLAN interface 2 as the interface used by network management.
Networking diagram
Figure 167 SNMP configuration example (figure; addresses shown: 129.102.149.23, 129.102.0.)
29 SOURCE IP ADDRESS CONFIGURATION
Configuring Source IP Address for Service Packets
You can configure the source IP address or source interface for the FTP server, FTP client, TFTP client, Telnet server, Telnet client, SSH server, SSH2 client and SFTP client to enhance service manageability. Table 632 shows the source IP address configuration tasks.
CHAPTER 29: SOURCE IP ADDRESS CONFIGURATION
Table 632 Configure source IP address for service packets (continued)
Specify source IP address for the SFTP client: sftp source-ip ip-addr (Optional)
Specify source interface for the SFTP client: sftp source-interface interface-type interface-number (Optional)
If the ip-addr in the command is not an address of the device, your configuration fails. If you specify a non-existent interface in the command, your configuration fails.
30 PASSWORD CONTROL CONFIGURATION OPERATIONS
Introduction to Password Control Configuration
The password control feature is designed to manage the following passwords:
■ Telnet passwords: passwords for logging into the switch through Telnet.
■ SSH passwords: passwords for logging into the switch through SSH.
■ FTP passwords: passwords for logging into the switch through FTP.
CHAPTER 30: PASSWORD CONTROL CONFIGURATION OPERATIONS
Table 634 Functions provided by password control (continued)
Function: Login attempt limitation and failure processing.
Description: You can use this function to enable the switch to limit the number of login attempts allowed for each user.
Application: Telnet, SSH, and FTP passwords: the limitation and all three modes of processing are applicable.
Password Control Configuration 577 length limitation, the configured minimum password length (if available); the enable/disable state of history password recording, the maximum number of history password records, the time when the password history was last cleared; the timeout time for password authentication; the maximum number of attempts, and the processing mode for login attempt failures. If all the password attempts of a user fail, the system adds the user to the blacklist.
After password aging is enabled, the device checks whether the user's password has aged out during password authentication when the user logs in. There are three cases:
1 The password has not expired and the user logs in before the configured alert time. In this case, the user logs in successfully.
2 The password has not expired and the user logs in after the configured alert time.
Configuring History Password Recording
With this function enabled, when a login password expires, the system requires the user to enter a new password and saves the old password automatically. You can configure the maximum number of history records allowed for each user. The purpose is to prevent users from keeping a single password, or reusing an old password, for a long time, which enhances security.
Configuring a User Login Password in Encryption Mode
Configuring Login Attempts Limitation and Failure Processing Mode
Table 639 Configuring a user login password in encryption mode
Enter system view: system-view
Enter the specified user view: local-user username
Configure a user login password in encryption mode: password (Optional. Input a password according to the system prompt and ensure the two input p
Displaying Password Control 581
The system administrator can perform the following operations to manually remove one or all user entries from the blacklist.
Table 641 Manually remove one or all user entries in the blacklist
Enter system view: system-view
Delete one specific or all user entries in the blacklist: reset password-control blacklist [ username username ] (Executing this command without the username option removes all the user entries in the blacklist.)
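The password-control functions this chapter describes (aging with an alert time, history records, login attempt limitation with the blacklist, and the manual blacklist reset), modelled together in Python as an added illustration rather than 3Com firmware code; the 90-day aging and 7-day alert values follow the chapter's example output, while the history depth, attempt limit, user name and passwords are constructed.

```python
"""Model of the password-control functions this chapter describes (added
example, not 3Com firmware): password aging with an alert period, history
records that block password reuse, a login-attempt limit that places the
user on the blacklist, and the administrator's blacklist reset.  90-day
aging and 7-day alert mirror the chapter's `display password-control`
output; history depth and attempt limit are constructed assumptions."""
from datetime import datetime, timedelta
import hashlib


class PasswordControl:
    def __init__(self, aging_days=90, alert_days=7, history_max=4, max_attempts=3):
        self.aging = timedelta(days=aging_days)
        self.alert = timedelta(days=alert_days)
        self.history_max = history_max
        self.max_attempts = max_attempts
        self.users = {}          # username -> {"hash", "set_at", "history", "failures"}
        self.blacklist = set()

    @staticmethod
    def _digest(password):
        # Only a digest is kept, so no clear-text password is stored.
        return hashlib.sha256(password.encode()).hexdigest()

    def set_password(self, user, password, now):
        """Set a new password; refuse one that matches the current password
        or any record in the user's password history."""
        digest = self._digest(password)
        rec = self.users.setdefault(
            user, {"hash": None, "set_at": now, "history": [], "failures": 0})
        if digest == rec["hash"] or digest in rec["history"]:
            return "rejected: password found in history records"
        if rec["hash"] is not None:
            rec["history"].append(rec["hash"])
            rec["history"] = rec["history"][-self.history_max:]   # newest records only
        rec["hash"], rec["set_at"] = digest, now
        return "ok"

    def aging_state(self, user, now):
        """The three aging cases: 'valid' (before the alert time), 'alert'
        (not yet expired, but past the alert time) or 'expired'."""
        age = now - self.users[user]["set_at"]
        if age >= self.aging:
            return "expired"
        if age >= self.aging - self.alert:
            return "alert"
        return "valid"

    def login(self, user, password, now):
        """Process one login attempt.  Reaching the attempt limit adds the
        user to the blacklist; an expired password demands a new one."""
        if user in self.blacklist:
            return "denied: user is blacklisted"
        rec = self.users.get(user)
        if rec is None or self._digest(password) != rec["hash"]:
            if rec is not None:
                rec["failures"] += 1
                if rec["failures"] >= self.max_attempts:
                    self.blacklist.add(user)
                    return "denied: attempt limit reached, user added to blacklist"
            return "denied: bad credentials"
        rec["failures"] = 0
        state = self.aging_state(user, now)
        if state == "expired":
            return "denied: password expired, new password required"
        return "ok" if state == "valid" else "ok: password expires soon"

    def reset_blacklist(self, user=None):
        """Mirror `reset password-control blacklist [ username username ]`:
        remove one user, or every user when no name is given."""
        if user is None:
            self.blacklist.clear()
        else:
            self.blacklist.discard(user)


def demo():
    """Walk through aging, history and blacklist handling; return the results."""
    pc = PasswordControl()
    t0 = datetime(2006, 1, 1)
    results = [pc.set_password("admin", "Str0ng-pass-01", t0),
               pc.login("admin", "Str0ng-pass-01", t0 + timedelta(days=10)),
               pc.login("admin", "Str0ng-pass-01", t0 + timedelta(days=85)),
               pc.login("admin", "Str0ng-pass-01", t0 + timedelta(days=90)),
               pc.set_password("admin", "Str0ng-pass-01", t0 + timedelta(days=90)),
               pc.set_password("admin", "Str0ng-pass-02", t0 + timedelta(days=90))]
    t1 = t0 + timedelta(days=91)
    for _ in range(3):
        results.append(pc.login("admin", "guess", t1))
    results.append(pc.login("admin", "Str0ng-pass-02", t1))
    pc.reset_blacklist("admin")
    results.append(pc.login("admin", "Str0ng-pass-02", t1))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```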
Password Control Configuration Example
Network requirements
A PC is connected to the switch to be configured. You can configure the password control parameters as required.
Network diagram
Figure 168 Network diagram for password control configuration (figure: PC connected to the Switch through the console port)
Configuration procedure
1 Configure the system login password.
<S5500> system-view
System View: return to User View with Ctrl+Z.
Password Control Configuration Example 583
7 Display the information about the password control for all users.
[S5500] display password-control
Global password settings for all users:
Password Aging: Enabled (90 days)
Password Length: Enabled (10 Characters)
Password History: Enabled (Max history-record
Password alert-before-expire: 7 days
Password Authentication-timeout : 60 seconds
Password Attemp-failed action : Disable
Password History was last reset 38 days ago.
31 MSDP CONFIGURATION
Among Switch 5500 Series Ethernet Switches, only Switch 5500-EI Series Ethernet Switches support the configurations described in this chapter. Routers and router icons in this chapter represent both routers in the common sense and Ethernet switches running routing protocols.
Introduction to MSDP
Internet service providers (ISPs) are not willing to rely on devices of their competitors to forward multicast traffic.
CHAPTER 31: MSDP CONFIGURATION
MSDP peers are interconnected over TCP connections (using port 639). A TCP connection can be established between RPs in different PIM-SM domains, between RPs in the same PIM-SM domain, between an RP and a common router, or between common routers. Figure 169 shows the MSDP peering relationship between RPs. Unless otherwise specified, examples in the following descriptions are based on the MSDP peering relationship between RPs.
Introduction to MSDP 587
Figure 170 Typical networking of Anycast RP (figure: sources S1 and S2, RP1 and RP2 as MSDP peers in one PIM-SM domain, users, SA message flow)
Typically, a multicast source S registers with the nearest RP to create an SPT, and receivers also send Join messages to the nearest RP to construct an RPT, so it is likely that the RP with which the multicast source has registered is not the RP that the receivers join.
Figure 171 Identifying the multicast source and receiving multicast data (figure: Source and DR with RP1 in PIM-SM 1; RP2, RP3 and RP4 in PIM-SM 2, 3 and 4 with users; MSDP peers; flow steps (1) to (5))
The complete interoperation process between a multicast source S in the PIM-SM1 domain and receivers in the PIM-SM1 and PIM-SM4 domains is as follows:
1 The multicast source S in the PIM-SM1 domain begins to send data packets.
Figure 172 Forwarding SA messages between MSDP peers (figure: Source and RP1 in AS1; RP2, RP3 and RP4 in AS2 forming a mesh group; RP5 and RP6 in AS3; a static peer; MSDP peers; SA message steps (1) to (6))
As shown above, RP1 belongs to AS1. RP2, RP3 and RP4 belong to AS2. RP5 and RP6 belong to AS3. An MSDP peering relationship exists among these RPs. RP2, RP3, and RP4 form a mesh group.
Configuring MSDP Basic Functions
To enable exchange of information from the multicast source S between two PIM-SM domains, you need to establish MSDP peering relationships between RPs in these PIM-SM domains, so that the information from the multicast source can be sent through SA messages between the MSDP peers, and the receivers in other PIM-SM domains can finally receive the multicast source information.
Configuring Connection Between MSDP Peers 591
Configuring MSDP Basic Functions
Configuring Connection Between MSDP Peers
Table 644 Configure MSDP basic functions
Enter system view: system-view
Enable IP multicast routing: multicast routing-enable (Required. The multicast function must be enabled before other multicast configurations can take effect.)
Enable MSDP function and enter MSDP view: msdp (Required. Enable the MSDP function.)
Configuring Description Information for MSDP Peers
You can configure description information for each MSDP peer to make the MSDP peers easier to manage and remember.
Configuring SA Message Transmission 593
Configuring MSDP Peer Connection Control
The connection between MSDP peers can be flexibly controlled. You can disable an MSDP peering relationship temporarily by shutting down the MSDP peer. As a result, SA messages cannot be transmitted between the two peers.
Configuring the Transmission and Filtering of SA Request Messages
After you enable sending SA request messages to MSDP peers, when a router receives a Join message, it sends an SA request message to the specified remote MSDP peer, which responds with the SA messages it has cached. After sending an SA request message, the router immediately receives a response describing all active multicast sources.
Configuring a Rule for Filtering Received and Forwarded SA Messages
Besides the creation of source information, controlling multicast source information allows you to control the forwarding and reception of source information.
Table 652 Configure SA message cache (continued)
Configure the maximum number of SA messages cached: peer peer-address sa-cache-maximum sa-limit (Optional. By default, the maximum number of SA messages cached on a router is 2,048.)
Displaying and Debugging MSDP Configuration
After the above-mentioned configuration, you can use the display command in any view to view the MSDP running information, so as to verify the configuration result.
MSDP Configuration Example 597
The PIM-SM network implements OSPF to provide unicast routes and establishes MSDP peers between SwitchC and SwitchD. Meanwhile, the Loopback10 interfaces of SwitchC and SwitchD play the roles of C-BSR and C-RP.
Network diagram
Figure 173 Network diagram for Anycast RP configuration (figure: sources S1 and S2, users, SwitchC and SwitchD as MSDP peers; addresses shown: Vlan-interface 100 10.110.3.1/8, Loopback 0 2.2.2.2/8, Loopback 10 10.1.1.1/8, Vlan-interface 101 192.168.3.)
c When the multicast source S1 in the PIM-SM domain sends multicast information, the receivers attached to SwitchD can receive it, and you can view the PIM routing information on the switch by using the display pim routing-table command. For example, the following PIM routing information is displayed on SwitchC and SwitchD.
[SwitchC] display pim routing-table
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 225.1.1.1), RP: 10.1.1.
Troubleshooting MSDP Configuration 599
Troubleshooting MSDP Configuration
The following sections provide troubleshooting guidelines for MSDP configuration.
MSDP Peer Always in the Down State
Symptom: An MSDP peer is configured, but it is always in the down state.
Analysis: An MSDP peer relationship between the locally configured connect-interface interface address and the configured peer address is based on a TCP connection.
32 CLUSTERING
Clustering Overview
Clustering enables multiple switches to be managed through the public IP address of one switch, named the management device. The managed switches in a cluster are member devices, which often have no public IP address assigned. Management and maintenance of member devices is performed by redirection through the management device. The management and member devices form a cluster, whose typical application is shown in Figure 174.
CHAPTER 32: CLUSTERING
■ Topology collection: Clustering implements NTDP (Neighbor Topology Discovery Protocol) to collect information on device connections and candidate devices within a specified hop range.
■ Member recognition: Members in the cluster can be located, so the management device can recognize them and deliver configuration and management commands.
■ Member management: Devices can be added to or removed from a cluster on the management device.
Clustering Overview 603
Figure 175 Role changing rule (figure: Candidate device, Management device and Member device, with transitions for designation as management device, addition to a cluster and removal from a cluster)
■ A cluster can have only one management device, which is indispensable to the cluster.
Introduction to NDP
When NDP on a member device detects neighbor changes, it advertises the changes to the management device in handshake packets. The management device can then run NTDP to collect the specified topology information and report the network topology changes promptly. On a management device, you need to enable system NTDP and port NTDP and configure the NTDP parameters as well; on a member device, you only need to enable system NTDP and port NTDP on the corresponding ports.
Management Device Configuration 605
Management Device Configuration
Enabling System and Port NDP
Configuring NDP Parameters
Enabling System and Port NTDP
Configuring NTDP Parameters
Management device configuration involves:
■ Enable system and port NDP
■ Configure NDP parameters
■ Enable system and port NTDP
■ Configure NTDP parameters
■ Enable the cluster function
■ Configure cluster parameters
■ Configure internal-external interaction
■ NM Interface for Cluster Management Configurat
Table 659 Configure NTDP parameters (continued)
Configure the time that collected devices wait before forwarding the topology-collection request: ntdp timer hop-delay time (Optional. Argument time is the delay time.)
Configure the time that a port waits before it: ntdp timer port-delay time (Optional. Argument time is the delay time.)
Table 661 Configure cluster parameters manually (continued)
Configure VLAN check on the management device for the communication inside a cluster: port-tagged management-vlan (Optional)
Exit system view: quit
Configuring a Cluster Automatically
Table 662 Configure a cluster automatically
Enter system view: system-view
Configuring Internal-External Interaction
NM Interface for Cluster Management Configuration
Member Device Configuration
Enabling System and Port NDP
Enabling System and Port NTDP
Specifying the cluster FTP/TFTP server
Member device configuration involves:
■ Enable system and port NDP
■ Enable system and port NTDP
■ Specify the cluster FTP/TFTP server
Table 665 Enable system and port NDP
Enter system view: system-view
Enable system NDP: ndp enable (Required)
Enable port NDP: ndp enable interface port-list (Optional)
Enter the
Configuring Cluster Parameters 609
Configuring Cluster Parameters
Displaying and Maintaining Cluster Configurations
Table 668 Configure cluster parameters
Enter system view: system-view
Enter cluster view: cluster
Add a candidate device to a cluster: add-member [ member-number ] mac-address H-H-H [ password password ] (This is to add a new member. Arguments member-number, H-H-H and password are the ID, MAC address and password of the member device respectively.)
Clustering Configuration Example
Network requirements
Three switches form a cluster, in which:
■ Switch 5500 acts as the management device.
■ The other two switches act as member devices.
As the management device, Switch 5500 manages the member devices and is configured as follows:
■ It attaches two member devices through ports Ethernet1/0/2 and Ethernet1/0/3 respectively.
■ It connects with the external network through port Ethernet1/0/1.
Clustering Configuration Example 611
b Configure the holdtime of NDP information as 200 seconds.
[S5500] ndp timer aging 200
c Configure the interval of NDP packets as 70 seconds.
[S5500] ndp timer hello 70
d Enable system NTDP and port NTDP on E1/0/2 and E1/0/3.
[S5500] ntdp enable
[S5500] interface ethernet 1/0/2
[S5500-Ethernet1/0/2] ntdp enable
[S5500-Ethernet1/0/2] interface ethernet 1/0/3
[S5500-Ethernet1/0/3] ntdp enable
e Configure the topology collection range as two hops.
2 Configure member devices (take one member as an example)
a Enable system NDP and port NDP on port Ethernet1/1.
[S5500] ndp enable
[S5500] interface ethernet 1/1
[S5500-Ethernet1/1] ndp enable
b Enable system NTDP and port NTDP on port Ethernet1/1.
[S5500] ntdp enable
[S5500] interface ethernet 1/1
[S5500-Ethernet1/1] ntdp enable
c Enable the cluster function.
Network diagram
Figure 176 Network diagram for the interfaces of cluster management network (figure: S3900 with VLAN2 (IP address 192.168.4.22, port e1/0/2) and VLAN3 (IP address 192.168.4.30, port e1/0/1); S3526E; S2403; FTP server, IP address 192.168.4.3)
Configuration procedure
Configuring the Switch 5500 switch
1 Enter system view. Specify VLAN 3 as the management VLAN.
system-view
System View: return to User View with Ctrl+Z.
33 HWTACACS CONFIGURATION
Configuring HWTACACS
HWTACACS configuration tasks
This chapter contains information on HWTACACS configuration. Refer to the tasks in Table 671 to configure HWTACACS.
CHAPTER 33: HWTACACS CONFIGURATION
Table 671 HWTACACS configuration (continued)
Section: Setting the Username Format Acceptable to the TACACS Server. Task: Setting the username format for the TACACS server. Command: user-name-format. View: HWTACACS. Description: Configuring the format of user name.
Section: Setting the Unit of Data Flows Destined for the TACACS Server. Task: Setting the data flow unit for the TACACS server. Command: data-flow-format. View: HWTACACS. Description: Configuring flow traffic unit.
Section: Setting Timers Regarding TACACS Server
Configuring HWTACACS 617
Configuring HWTACACS Authentication Servers
Perform the following configuration in HWTACACS view.
Table 673 Configuring HWTACACS authentication servers
Configure the HWTACACS primary authentication server: primary authentication ip-address [ port ]
Delete the HWTACACS primary authentication server: undo primary authentication
Configure the HWTACACS secondary authentication server.
Configuring Source Address for HWTACACS Packets Sent by NAS
Perform the following configuration in the corresponding view.
Table 676 Configuring source address for HWTACACS packets sent by the NAS
Configure the source address for HWTACACS packets sent from the NAS (HWTACACS view): nas-ip ip-address
Delete the configured source address for HWTACACS packets sent from the NAS (HWTACACS view).
Setting the Unit of Data Flows Destined for the TACACS Server
Perform the following configuration in HWTACACS view.
The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). Table 683 lists the numbers of users and the recommended intervals.
HWTACACS Protocol Configuration Example 621
Table 684 Displaying and debugging AAA and RADIUS/HWTACACS protocol (continued)
Reset the statistics of HWTACACS server: reset hwtacacs statistics { accounting | authentication | authorization | all }
Enable RADIUS packet debugging: debugging radius packet
Disable RADIUS packet debugging: undo debugging radius packet
Enable deb
HWTACACS Protocol Configuration Example
Configuring the FTP/Telnet User Authentication at a Remote TACACS Server
Configuration procedure
1 Configure an HWTACACS scheme.
[S5500] hwtacacs scheme hwtac
[S5500-hwtacacs-hwtac] primary authentication 10.110.91.164 49
[S5500-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[S5500-hwtacacs-hwtac] key authentication expert
[S5500-hwtacacs-hwtac] key authorization expert
[S5500-hwtacacs-hwtac] undo user-name-format with-domain
[S5500-hwtacacs-hwtac] quit
2 Associate the domain with the HWTACACS scheme.
A PASSWORD RECOVERY PROCESS
Introduction
The Switch 5500 has two separate password systems:
■ Passwords which are used by the Web User Interface and the CLI and are stored in the 3comoscfg.cfg file. For more information on this, refer to the Getting Started Guide which accompanies your Switch.
■ A password system which protects the bootrom and is stored in the bootrom.
CHAPTER A: PASSWORD RECOVERY PROCESS
Bootrom Interface
During the initial boot phase of the Switch (when directly connected using the console), various messages are displayed and the following prompt is shown with a five second countdown timer:
Press Ctrl-B to enter Boot Menu... 4
Before the countdown reaches 0 enter B. The timer is followed by a password prompt. The default is no password. Press Enter to display the following boot menu:
BOOT (options 1. to 9. and 0.)
Bootrom Interface 625
Table 685 Configuration Files
Filename: 3comoscfg.def. Description: This file contains the factory default configurations. It is only used if there is no other configuration file present. This file should not be modified.
Filename: 3comoscfg.cfg. Description: This file contains the live configurations and is always used to load the active configuration into the Switch unless the bootrom Skip current configuration file option is specified.
Skipping the Current Configuration File
If the user-configured bootrom password is lost, a fixed, unit-unique password can be provided by 3Com Technical Support to bypass the lost password. Please ensure that the Switch is registered with 3Com promptly, as the unit-unique password will only be supplied to the registered owner of the Switch. This final password recovery safeguard can be disabled.
Bootrom Password Recovery
Select option 8 to set the bootrom password recovery.
B RADIUS SERVER AND RADIUS CLIENT SETUP
This appendix covers the following topics:
■ Setting Up A RADIUS Server
■ Setting Up the RADIUS Client
Setting Up A RADIUS Server
There are many third party applications available to configure a RADIUS server. 3Com has successfully installed and tested the following applications on networks with the Switch 5500.
CHAPTER B: RADIUS SERVER AND RADIUS CLIENT SETUP
b The server will need to run in Native mode in order to support EAP-TLS, which is not available in Mixed mode. To change mode go to the Active Directory Users and Computers window, right-click Domain and choose Properties, then select Change Mode.
c Add a user that is allowed to use the network. Go to Active Directory Users and Computers, from the left hand window right-click the Users folder and choose New > User, as shown below.
Setting Up A RADIUS Server 629
d Follow the wizard to create a user, entering the required information at each stage.
e The password for the user must be set to be stored in reversible encryption. Right-click the user account and select Properties. Select the Account tab, check the box labelled Store password using reversible encryption.
f Now re-enter the password for the account: right-click the user account and select Reset Password…
3 Enable the server as a certificate server.
a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. The Certificate Services component should be checked.
b Select Next and continue through the wizard. In the Certificate Authority Type window select Enterprise root CA. Enter information to identify the Certificate Authority on the CA Identifying Information window. Enter the storage location on the Data Storage Location window.
4 Install the Internet Authentication Service (IAS) program.
a Go to Control Panel > Add/Remove Programs > Add/Remove Windows Components. Enable Networking Services and ensure the Internet Authentication Service component is checked.
b Select OK to end the wizard.
5 Configure a Certificate Authority
a Go to Programs > Administrative Tools > Certification Authority and right-click Policy Settings under your Certificate Authority server.
d Go to Programs > Administrative Tools > Active Directory Users and Computers and right-click your active directory domain. Select Properties.
e Select the Group Policy tab, and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor.
f Go to Computer Configuration > Windows Settings > Security Settings > Public Key Policies, and right-click Automatic Certificate Request Settings.
g The Certificate Request Wizard will start. Select Next > Computer certificate template and click Next.
h Ensure that your Certificate Authority is checked, then click Next. Review the Policy Change Information and click Finish.
i Open up a command prompt (Start > Run, enter cmd). Enter secedit /refreshpolicy machine_policy. The command may take a few minutes to take effect.
e Give the policy a name, for example EAP-TLS, and select Next.
f Click Add...
g Set the conditions for using the policy to access the network. Select Day-And-Time-Restrictions, and click Add... Click Permitted, then OK. Select Next.
h Select Grant remote access permission, and select Next.
i Click on Edit Profile... and select the Authentication tab. Ensure Extensible Authentication Protocol is selected, and Smart Card or other Certificate is set.
k Select the appropriate certificate and click OK. There should be at least one certificate. This is the certificate that was created during the installation of the Certification Authority Service. Windows may ask if you wish to view the Help topic for EAP. Select No if you want to continue with the installation.
l Click Finish. For EAP-TLS to work correctly, it is important that there is only one policy configured in IAS.
7 Enable Remote Access Login for Users.
b When you are prompted for a login, enter the user account name and password that you will be using for the certificate.
c Select Request a certificate and click Next >. There are two ways to request a certificate: the Advanced Request or the Standard Request. The following steps show an Advanced Request.
f Either copy the settings from the screenshot below or choose different key options. Click Save to save the PKCS #10 file. The PKCS #10 file is used to generate a certificate.
g You will receive a warning message; select Yes. A second warning message follows; select Yes and then OK. The PKCS #10 file is now saved to the local drive.
h To generate a portable certificate using PKCS #10, click the Home hyperlink at the top right of the CA Webpage.
j Select the second option as shown in the screenshot below, and click Next >.
k Open the previously saved PKCS #10 certificate file in Notepad, select all (Control + a) and copy (Control + c), as shown below.
l Paste the copied information into the Saved Request field as shown below.
m Download the certificate and certification path. Click on the Download CA Certificate hyperlink to save the certificate. Save the file as DER encoded. Click on the Download CA certification path hyperlink to save the PKCS #7 file, and select Save. The certificate is also installed on the Certification Authority. You can verify this in the CA Administration tool under Issued Certificates. The PKCS #7 file is not actually required for IEEE 802.1x functionality.
p Leave the settings on the next screen as they are, click Next >, followed by Finish and OK. This will install the certificate.
q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder. You should see the newly created certificate.
r Double-click the certificate that was generated by the client and select the Details tab.
s Click Copy to File to save the certificate.
Save the certificate using DER X.509 encoding: select DER encoded binary, followed by Next. Provide a name for the certificate and save it to a specified location. Click Finish, followed by OK.
t Exit the Certification Authority management tool and launch the Active Directory Users and Computers management tool. Ensure that Advanced Features is enabled in the Action menu, as shown below.
u Select the user that becomes the IEEE 802.1x client. Right-click on the user and select Name mappings. Select Add.
v Select the certificate that you have just exported and click Open. Click OK.
w In the Security Identity Mapping screen, click OK to close it.
x Close the Active Directory Users and Computers management tool. This completes the configuration of the RADIUS server.
10 Configure Microsoft IAS RADIUS Server for Switch Login.
b Create a new remote access policy under IAS and name it Switch Login.
e Use the Edit button to change the Service-Type to Administrative.
The value 010600000003 grants administrator privileges on the switch. The last byte selects the access level: a value ending in 01 gives monitor access and 02 gives manager access. On the Switch 5500, 00 gives visitor level.
11 Configure the RADIUS client. Refer to “Setting Up the RADIUS Client” for information on setting up the client.
12 Establish an IEEE 802.1x session, using Microsoft's Internet Authentication Service.
Follow these steps to set up auto VLAN and QoS for use by Microsoft IAS:
1 Define the VLAN Groups on the Active Directory server and assign the user accounts to each VLAN Group.
d Go to Programs > Administrative Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties.
e Click Add to add policy membership.
g Select the VLAN group that you have just created, click Add and then OK to confirm.
h Click OK again to return to the Security Policy properties.
i Click Edit Profile... and select the Advanced tab. Click Add. Refer to Table 686 and Table 687 for the RADIUS attributes to add to the profile.
Table 686 Summary of auto VLAN attributes
  For Auto VLAN             Return String    Comment
  Tunnel-Medium-Type        802
  Tunnel-Private-Group-ID   2                VLAN value
  Tunnel-Type               VLAN
Table 687 Summary of QoS attributes
  For Auto QoS   Return String     Comment
  Filter-id      profile=student   QoS Profile name
j Select Tunnel-Medium-Type and click Add.
m Select the Tunnel-Pvt-Group-ID entry and click Add.
n Click Add, ensure that the Attribute value is set to 4 (Attribute value in string format), and click OK. This value represents the VLAN ID.
o Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen. Select the Tunnel-Type entry and click Add.
p Click Add again. In the pull down menu, select Virtual LANs and click OK.
q Click OK again to return to the Add Attributes screen. Click Close. You will now see the added attributes.
r Click OK to close the Profile screen and OK again to close the Policy screen. This completes the configuration of the Internet Authentication Service.
2 To test the configuration, connect the workstation to a port on the Switch 5500 (the port does not have to be a member of VLAN 4).
Configuring Funk RADIUS
3Com has successfully installed and tested Funk RADIUS running on a Windows server in a network with the Switch 5500 deployed. Download the Funk Steel-Belted RADIUS Server application from www.funk.com and install the application. Once installed, you have a 30 day license to use it. To configure Funk RADIUS as a RADIUS server for networks with the Switch 5500, follow these steps:
1 Open file eap.
3 Either re-boot the server or stop, then restart, the RADIUS service. To stop and restart the Steel-Belted RADIUS service, go to Control Panel > Administrative tools > Services. Scroll down to the Steel-Belted service, then stop and restart it. Funk RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 5500 and follow the instructions in Configuring auto VLAN and QoS for Funk RADIUS.
Passwords are case sensitive.
6 Enter the shared secret to encrypt the authentication data. The shared secret must be identical on the Switch 5500 and the RADIUS Server.
a Select RAS Clients from the left hand list, then enter a Client name, the IP address and the Shared secret.
Configuring auto VLAN and QoS for Funk RADIUS
To set up auto VLAN and QoS using Funk RADIUS, follow these steps:
1 Edit the dictionary file radius.dct so that Return list attributes from the Funk RADIUS server are returned to the Switch 5500. The changes to make are:
a Add an R at the end of the correct attributes in the file; see the example below. The attributes will now appear as potential Return list attributes for every user.
2 After saving the edited radius.
The following example shows the User name HOMER with the correct Return list Attributes inserted. The VLANs and QoS profiles must also be created on the 3Com Switch 5500.
Configuring FreeRADIUS
3Com has successfully installed and tested FreeRADIUS running on Solaris 2.6 and RedHat Linux servers in networks with the Switch 5500 deployed. Download FreeRADIUS source files from http://www.freeradius.
2 Update the dictionary for Switch login
a In /usr/local/etc/raddb create a new file called dictionary.3Com containing the following information:
  VENDOR      3Com                     43
  ATTRIBUTE   3Com-User-Access-Level   1               Integer   3Com
  VALUE       3Com-User-Access-Level   Monitor         1
  VALUE       3Com-User-Access-Level   Manager         2
  VALUE       3Com-User-Access-Level   Administrator   3
b Edit the existing file dictionary in /usr/local/etc/raddb to add the following line:
  $INCLUDE dictionary.3Com
The new file dictionary.
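The hex value 010600000003 entered into the IAS Vendor-Specific attribute for switch login and the dictionary.3Com entries above describe the same attribute in two forms. The following Python is an added example, not code from the guide or from 3Com: it reads a FreeRADIUS-style dictionary fragment (constructed here from the entries above), encodes a 3Com-User-Access-Level as the vendor sub-attribute IAS expects (type, length, 4-byte value) and decodes a received value back to its name, rejecting malformed or undefined levels. The RFC 2865 Vendor-Specific attribute layout is assumed, and level 0 (Visitor) is added from the Switch 5500 note since the dictionary does not list it.

```python
import struct

# Constructed to match the dictionary.3Com entries given in the guide.
DICTIONARY_3COM = """
VENDOR      3Com                     43
ATTRIBUTE   3Com-User-Access-Level   1               integer   3Com
VALUE       3Com-User-Access-Level   Monitor         1
VALUE       3Com-User-Access-Level   Manager         2
VALUE       3Com-User-Access-Level   Administrator   3
"""

def parse_dictionary(text):
    """Return (vendor_id, attr_number, {value: name}) from a FreeRADIUS-style
    dictionary fragment containing only VENDOR / ATTRIBUTE / VALUE lines."""
    vendor_id = attr_num = None
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "VENDOR":
            vendor_id = int(parts[2])
        elif parts[0] == "ATTRIBUTE":
            attr_num = int(parts[2])
        elif parts[0] == "VALUE":
            names[int(parts[3])] = parts[2]
    return vendor_id, attr_num, names

VENDOR_ID, ATTR_NUM, LEVEL_NAMES = parse_dictionary(DICTIONARY_3COM)
LEVEL_NAMES.setdefault(0, "Visitor")  # guide: 00 is visitor level on the Switch 5500

def encode_access_level(level):
    """Build the vendor sub-attribute IAS takes as hex: type(1) length(1) value(4)."""
    if level not in LEVEL_NAMES:
        raise ValueError("unknown access level %r" % level)
    return struct.pack("!BBI", ATTR_NUM, 6, level).hex()

def decode_access_level(hex_value):
    """Decode a sub-attribute hex string to (level, name); raise on bad input."""
    data = bytes.fromhex(hex_value)
    if len(data) != 6:
        raise ValueError("sub-attribute must be 6 bytes, got %d" % len(data))
    vtype, vlen, level = struct.unpack("!BBI", data)
    if vtype != ATTR_NUM or vlen != 6:
        raise ValueError("not a 3Com-User-Access-Level sub-attribute")
    if level not in LEVEL_NAMES:
        raise ValueError("undefined access level %d" % level)
    return level, LEVEL_NAMES[level]

def build_vsa(level):
    """Wrap the sub-attribute in a full RFC 2865 Vendor-Specific attribute as the
    server sends it: type 26, total length, vendor id (4 bytes), sub-attribute."""
    sub = bytes.fromhex(encode_access_level(level))
    return struct.pack("!BBI", 26, 6 + len(sub), VENDOR_ID) + sub

def decode_vsa(raw):
    """Inverse of build_vsa: check the outer header and vendor id, then decode."""
    atype, alen, vendor = struct.unpack("!BBI", raw[:6])
    if atype != 26 or alen != len(raw) or vendor != VENDOR_ID:
        raise ValueError("not a 3Com Vendor-Specific attribute")
    return decode_access_level(raw[6:].hex())
```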
In the example above, Tunnel-Medium-Type has been set to TMT802 to force FreeRADIUS to treat 802 as a string that must be looked up in the dictionary and return integer 6, rather than returning integer 802, which would be the case if Tunnel-Medium-Type were set to 802.
Setting Up the RADIUS Client 659
generate an EAPOL-Logoff message when the user logs off, which leaves the port authorized. To reduce the impact of this issue, decrease the "session-timeout" return list attribute to force re-authentication of the port more often. Alternatively, use a RADIUS client without this security flaw, for example the Aegis client. A patch for the Windows XP RADIUS client may have become available from Microsoft since this guide was published.
b This screen will appear:
c Leave the Profile as default. The Identity is an account created on the RADIUS Server, with its Password.
d Click OK to finish the configuration.
e Restart the client either by rebooting, or by stopping and re-starting the service.
f Click the OK button, then return to the Aegis Client main interface. To restart the client, press the button with the red cross. If authentication is successful, the icon will turn green.
C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS
This appendix covers the following topics:
n Cisco Secure ACS (TACACS+) and the 3Com Switch 5500
n Setting Up the Cisco Secure ACS (TACACS+) server
Cisco Secure ACS (TACACS+) and the 3Com Switch 5500
Cisco Secure ACS and TACACS+ are proprietary protocols and software created by Cisco; they provide similar functionality to a RADIUS server.
CHAPTER C: AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS
Adding a 3Com Switch 5500 as a RADIUS client
Once logged into the Cisco Secure ACS interface, follow these steps:
1 Select Network Configuration from the left hand side.
2 Select Add Entry from under AAA Clients.
3 Enter the details of the 3Com switch. Spaces are not permitted in the AAA Client Host name. An example is shown below.
4 Select Submit.
Setting Up the Cisco Secure ACS (TACACS+) server
5 Select Interface Configuration from the left hand side.
6 Select RADIUS (IETF) from the list under Interface Configuration.
7 Check the RADIUS attributes that you wish to install.
8 Select Submit.
9 Repeat step 1 through step 8 for each Switch 5500 on your network. When all of the Switch 5500s have been added as clients to the Cisco Secure ACS server, restart the Secure ACS server by selecting System Configuration from the left hand side, then select Service Control and click Restart.
The screen below shows specific RADIUS attributes having been selected for the user. The user has the student profile selected and is assigned to VLAN 10 untagged. The RADIUS attributes need to have already been selected; see step 7 in Adding a 3Com Switch 5500 as a RADIUS client. The user can now access the network through Network Login.
1=Monitor 2=Manager 3=Administrator
b Locate the application csutil.exe in the utils directory of the install path (e.g. C:\program files\Cisco Secure ACS\utils\).
c Copy the 3Com.ini file into the utils directory.
d At the command prompt enter csutil -addUDV 0 3Com.ini. This will stop the Cisco Secure ACS server, add the RADIUS information (by adding the contents of 3Com.
2 To use the new RADIUS attributes, a client needs to be a user of RADIUS (3Com) attributes. Select Network Configuration from the left hand side and select an existing device or add a new device. In the AAA Client Setup window select RADIUS (3COM) from the Authenticate Using pull down list.
3 Select Submit+Restart. The IETF attributes will still be available to the device; the 3Com attributes are simply appended to them.
5 Ensure that the 3Com-User-Access-Level option is selected for both User and Group setup, as shown below.
6 Select User Setup and either modify the attributes of an existing user (select Find to display the User List in the right hand window) or Add a new user (see Adding a User for Network Login).
7 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull down list, as shown below:
8 Select Submit. The Switch 5500 can now be managed by the Network Administrator through the Cisco Secure ACS server.
D 3COM XRN
This section explains what 3Com XRN™ (eXpandable Resilient Networking) is and how you can use it to benefit your network. It also explains how to implement XRN on your network.
APPENDIX D: 3COM XRN
What is XRN?
XRN (eXpandable Resilient Network) is a 3Com LAN technology built into the software and hardware of your Switch that offers high availability, scalability, and connectivity.
Supported Switches
XRN is supported by the 3Com Operating System on the following Switches installed with Version 1.
Benefits of XRN
The benefits of XRN include:
n Increased environmental resilience provided by:
  n Distributed management across the Distributed Fabric.
  n Distributed Link Aggregation across the Distributed Fabric.
  n Distributed Resilient Routing across the Distributed Fabric.
n Increased network performance provided by:
  n Switching capacity that increases as you add a Switch to the Fabric. So network performance and resilience expand as the Fabric grows.
Switch units within the Distributed Fabric provide the same router interfaces and mirror each other’s routing tables. This allows each unit to keep the routing local to the unit for locally connected hosts and devices. In the example shown in Figure 178, there is a single logical router across the XRN Distributed Fabric with router interfaces (R1, R2, and R3) shared by both units.
XRN Features 675
Table 691 Aggregated Links and Member Links Supported within a Fabric
  Switch Family           Max number of member links               Number of Aggregated Links
  Switch 5500-SI Family   8 Fast Ethernet or 4 Gigabit Ethernet    14 (28 port) or 26 (52 port); 8 per stack
  Switch 5500-EI Family   8 Fast Ethernet or 4 Gigabit Ethernet    14 (28 port) or 26 (52 port); 8 per stack
  Switch 5500G-EI Family  8 Gigabit Ethernet or 4 10Gbps Ethernet  32 per unit/stack
Distributed Link Aggregation Example
You can also use DLA to
How to Implement XRN—Overview
This section provides an overview on how to implement XRN in your network. Following the steps below will ensure that your XRN network operates correctly.
1 Design your network using XRN Distributed Fabrics, taking into account all the important considerations and recommendations (see “Important Considerations and Recommendations” on page 676).
Important Considerations and Recommendations 677
When you create a Distributed Fabric, the relevant port-based tables do not double in size; they remain as they were.
n When Switch 5500 units are in an XRN Distributed Fabric, their unit IDs are user configurable.
n The maximum number of Switch units that can be interconnected is shown in Table 693.
n All multihomed links and alternate paths must carry all VLANs, and packets must be tagged.
n The Distributed Fabric is the STP root bridge.
n Individual port members of each aggregated link must have VLAN membership manually configured before the aggregated link is set up. You must not rely on port members inheriting VLAN membership configuration from the aggregated link. (See “VLANs” on page 681 for more information.)
Network Example using XRN 679
Figure 180 A Dual XRN Distributed Fabric Network (figure: two XRN Distributed Fabrics of Switch 5500 units, joined by 802.3ad aggregated links carrying VLAN IDs 1 and 2, with VLAN 1 and VLAN 2 clients and servers on 1000 Mbps connections)
How to Set up this Network
This section provides information on how to configure an XRN network as shown in Figure 180.
Recovering your XRN Network
Unit Failure
In the event of a failure within your XRN network, 3Com recommends that you follow the recommendations below. The steps below outline the procedure to recover your XRN network in the event of a unit failure within your Distributed Fabric.
1 Obtain a Switch and ensure it is installed with the same software version as the failed Switch.
2 Initialize the new Switch so that it is operating with its factory default settings.
How XRN Interacts with other Features 681
How XRN Interacts with other Features
This section provides supplementary information on how XRN interacts with other software features supported by your Switch.
VLANs
Figure 181 shows a single aggregated link, created automatically using LACP, connecting the Switch 5500 stack to the Distributed Fabric. The Distributed Fabric will take its VLAN membership from a port within the Switch 5500 stack.
Figure 182 How XRN interacts with VLANs—Example 2
Legacy Aggregated Links
Legacy aggregated links will react in the normal way if a unit within the Distributed Fabric fails; that is, all traffic will be redirected down the link(s) to the unit that is still operating. However, in Figure 183, if the interconnect fails, the aggregation is still a single logical entity at the legacy Switch end, but it is now split over both units within the Distributed Fabric.
STP/RSTP
STP/RSTP should be used for multihomed links if you are not able to use aggregated links. Figure 184 shows how STP will prevent a loop occurring on a multihomed link. STP/RSTP should always be enabled if your multihomed links are aggregated links. Figure 182 shows how, on interconnect failure, STP/RSTP will detect the potential loop caused by the aggregated links splitting and will block a path to prevent the loop occurring.
How a Failure affects the Distributed Fabric
This section provides supplementary information on how the Distributed Fabric and traffic flow are affected by failure of a Fabric Interconnect and of a unit in the Distributed Fabric.
Loss of a Switch within the XRN Distributed Fabric
How a Failure affects the Distributed Fabric 685
Router
Switch B will continue to do all the routing. As it was routing prior to Switch A’s failure, there will be no change of the router identity; that is, the router interface IP addresses will not change. The router interface MAC addresses may change, but this will have no visible impact on your network. Any MAC address change is propagated to your network by the issuing of gratuitous ARP messages.
IEEE802.1D (Legacy STP) and RSTP
The Switch 4200 is using legacy STP. STP (and RSTP) will reconfigure the network to open the previously blocked link to Switch B. The STP reconfiguration will cause all Switch forwarding databases (MAC address tables) to be fast aged (if using RSTP, they will be flushed). If STP is enabled throughout the network, it will reconfigure the network to ensure that no loops occur due to split aggregated links.