3Com 2928 - Baseline Plus Switch PWR User Manual Download Page 421 | Manualshive

Page: 421 / 505

background image

1-2

Architecture of PKI

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository, as shown in

Figure 1-1

.

Figure 1-1

PKI architecture

Entity

An entity is an end user of PKI products or services, such as a person, an organization, a device like a
router or a switch, or a process running on a computer.

CA

A certificate authority (CA) is a trusted authority responsible for issuing and managing digital certificates.
A CA issues certificates, specifies the validity periods of certificates, and revokes certificates as needed
by publishing CRLs.

RA

A registration authority (RA) is an extended part of a CA or an independent authority. An RA can
implement functions including identity authentication, CRL management, key pair generation and key
pair backup. It only examines the qualifications of users; it does not sign certificates. Sometimes, a CA
assumes the registration management responsibility and therefore there is no independent RA. The
PKI standard recommends that an independent RA be used for registration management to achieve
higher security of application systems.

PKI repository

A PKI repository can be a Lightweight Directory Access Protocol (LDAP) server or a common database.
It stores and manages information like certificate requests, certificates, keys, CRLs and logs while
providing a simple query function.
LDAP is a protocol for accessing and managing PKI information. An LDAP server stores user
information and digital certificates from the RA server and provides directory navigation service. From
an LDAP server, an entity can retrieve digital certificates of its own and other entities.

Applications of PKI

The PKI technology can satisfy the security requirements of online transactions. As an infrastructure,
PKI has a wide range of applications. Here are some application examples.

«
...
419
420
421
422
423
...
»

Summary of Contents for 2928 - Baseline Plus Switch PWR

Page 1: ...ne Switch 2920 SFP Plus Baseline Switch 2928 SFP Plus Baseline Switch 2952 SFP Plus Baseline Switch 2928 PWR Plus Baseline Switch 2928 HPWR Plus Manual Version 6W102 20090810 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ...o the configuration file to be used at the next startup Restore the factory default settings 9 Device Maintenance Configure to upload upgrade file from local host and upgrade the system software Configure to reboot the device Display the electronic label of the device Generate diagnostic information file and view or save the file to local host 10 File Management Manage files on the device such as ...

Page 4: ... IPv4 static routes and display the IPv4 active route table 31 DHCP Configure DHCP Relay or DHCP Snooping 32 Service Management Enable or disable services set related parameters and displays the states of services 33 Diagnostic Tools Ping an IPv4 address or perform trace route operations 34 ARP Add modify remove and display ARP entries Configure and display gratuitous ARP 35 802 1X Configure 802 1...

Page 5: ...n be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments GUI conventions Convention Description Button names are inside angle brackets For example click OK Window names menu items data table and field names...

Page 6: ...ng Manual Description 3Com Baseline Switch 2900 Family Getting Started Guide This guide provides all the information you need to install and use the 3Com Baseline Switch 2900 Family Obtaining Documentation You can access the most up to date 3Com product documentation on the World Wide Web at this URL http www 3com com ...

Page 7: ...ction to the Web Based NM Functions 2 4 Introduction to the Controls on the Web Pages 2 11 Configuration Guidelines 2 13 3 Configuration Through the Command Line Interface 3 1 Getting Started with the Command Line Interface 3 1 Setting Up the Configuration Environment 3 1 Setting Terminal Parameters 3 2 Logging In to the CLI 3 6 CLI Commands 3 6 initialize 3 6 ipsetup 3 7 password 3 8 ping 3 8 qui...

Page 8: ...erface and SNMP MIB These configuration methods are suitable for different application scenarios z The web interface supports all switch 2900 series configurations z The CLI provides some configuration commands to facilitate your operation To perform other configurations not supported by the CLI use the web interface ...

Page 9: ...vice is provided with the default Web login information You can use the default information to log in to the Web interface Table 2 1 The default Web login information Information needed at login Default value Username admin Password None IP address of the device VLAN interface 1 Default IP address of the device depending on the status of the network where the device resides 1 The device is not con...

Page 10: ... the Web interface z Connect the device to a PC Connect the GigabitEthernet interface of the device to a PC by using a crossover Ethernet cable by default all interfaces belong to VLAN 1 z Configure an IP address for the PC and ensure that the PC and device can communicate with each other properly Select an IP address for the PC from network segment 169 254 0 0 16 except for the default IP address...

Page 11: ...rface For detailed configuration refer to the corresponding configuration manuals of these modules z If you click the verification code displayed on the Web login page you can get a new verification code z Up to five users can concurrently log in to the device through the Web interface Logging Out of the Web Interface Click Logout in the upper right corner of the Web interface as shown in Figure 2...

Page 12: ...n the navigation tree Web User Level Web user levels from low to high are visitor monitor configure and management A user with a higher level has all the operating rights of a user with a lower level z Visitor Users of this level can only use the network diagnostic tools ping and Trace Route They can neither access the device data nor configure the device z Monitor Users of this level can only acc...

Page 13: ... Display and configure the idle timeout period for logged in users Configure Software Upgrade Configure to upload upgrade file from local host and upgrade the system software Management Reboot Configure to reboot the device Management Electronic Label Display the electronic label of the device Monitor Device Mainten ance Diagnostic Information Generate diagnostic information file and view or save ...

Page 14: ...or a lower level user to switch from the current access level to the management level Management Create Create an FTP or Telnet user Management Modify Modify FTP or Telnet user information Management Remove Remove an FTP or a Telnet user Management Users Switch To Manageme nt Switch the current user level to the management level Visitor Loopbac k Loopback Perform loopback tests on Ethernet interfa...

Page 15: ...e Display SNMP view information Monitor SNMP View Create modify and delete an SNMP view Configure Interface Statistics Interface Statistics Display and clear the statistics information of an interface Configure Select VLAN Select a VLAN range Monitor Create Create VLANs Configure Port Detail Display the VLAN related details of a port Monitor Detail Displays the member port information of a VLAN Mo...

Page 16: ...egation groups Configure Summary Display information about LACP enabled ports and their partner ports Monitor LACP Setup Set LACP priorities Configure Display the LLDP configuration information local information neighbor information statistics information and status information of a port Monitor Port Setup Modify LLDP configuration on a port Configure Display global LLDP configuration information ...

Page 17: ...isplay ARP table information Monitor ARP Table Add modify and remove ARP entries Configure Displays the configuration information of gratuitous ARP Monitor ARP Manage ment Gratuitous ARP Configure gratuitous ARP Configure Display ARP detection configuration information Monitor ARP Anti Atta ck ARP Detection Configure ARP detection Configure Display 802 1X configuration information globally or on a...

Page 18: ...L of a domain Configure Summary Display port isolation group information Monitor Port Isolate Group Modify Configure a port isolation group Configure Summary Display the configurations of authorized IP the associated IPv4 ACL list and the associated IPv6 ACL list Management Sec urity Authoriz ed IP Setup Configure authorized IP Management Summary Display time range configuration information Monito...

Page 19: ...licy or its classifier behavior associations Configure Summary Display the QoS policy applied to a port Monitor Setup Apply a QoS policy to a port Configure Port Policy Remove Remove the QoS policy from the port Configure Display priority mapping table information Monitor Priority Mapping Priority Mapping Modify the priority mapping entries Configure Display port priority and trust mode informatio...

Page 20: ...on to remove the selected items Select All button Click the button to select all the items in a list or all the ports on the device panel Select None button Click the button to deselect all the items in a list or all the ports on the device panel Restore button Click the button to restore all the items in the current configuration page to the system default Expand button As shown in Figure 2 6 cli...

Page 21: ...t does not support the Back Next Refresh buttons provided by the browser Using these buttons may result in abnormal display of Web pages z When the device is performing spanning tree calculation you cannot log in to or use the Web interface z As the Windows firewall limits the number of TCP connections when you use IE to log in to the Web interface sometimes you may be unable to open the Web inter...

Page 22: ...tware version of the device changes when you log in to the device through the Web interface you are recommended to delete the temporary Internet files of IE otherwise the Web page content may not be displayed correctly ...

Page 23: ...user view Getting Started with the Command Line Interface As a supplementary to the web interface the CLI provides some configuration commands to facilitate your operation For example if you forget the IP address of VLAN interface 1 and cannot log in to the device through the Web interface you can connect the console port of the device to a PC and reconfigure the IP address of VLAN interface 1 thr...

Page 24: ...o a powered on switch you are recommended to connect the DB 9 connector of the console cable to the PC before connecting the RJ 45 connector to the switch z When disconnecting a PC from a powered on switch you are recommended to disconnect the DB 9 connector of the console cable from the PC after disconnecting the RJ 45 connector from the switch Setting Terminal Parameters When setting up the conf...

Page 25: ...s as follows z Bits per second 38 400 z Data bits 8 z Parity None z Stop bits 1 z Flow control None z Emulation VT100 The specific procedure is as follows Step1 Select Start Programs Accessories Communications HyperTerminal to enter the HyperTerminal window The Connection Description dialog box appears as shown below Figure 3 3 Connection description of the HyperTerminal Step2 Type the name of the...

Page 26: ... a serial port The following dialog box appears Set Bits per second to 38400 Data bits to 8 Parity to None Stop bits to 1 and Flow control to None Figure 3 5 Set the serial port parameters Step4 Click OK after setting the serial port parameters and the system enters the HyperTerminal window shown below ...

Page 27: ...indow Step5 Click Properties in the HyperTerminal window to enter the Switch Properties dialog box Click the Settings tab set the emulation to VT100 and then click OK Figure 3 7 Set terminal emulation in Switch Properties dialog box ...

Page 28: ...ss restarts Login failed CLI Commands This Command section contains the following commands To do Use the command Displays a list of CLI commands on the device Reboot the device and run the default configuration initialize Specify VLAN interface 1 to obtain an IP address through DHCP or manual configuration ipsetup dhcp ip address ip address mask mask length default gateway ip address Modify the lo...

Page 29: ...bnet mask length the number of consecutive ones in the mask in the range of 0 to 32 default gateway ip address Specifies the IP address of the default gateway or the IP address of the outbound interface With this argument and keyword combination configured the command not only assigns an IP address to the interface but also specifies a default route for the device Description Use the ipsetup dhcp ...

Page 30: ...string of 1 to 20 characters Description Use the ping command to ping a specified destination You can enter Ctrl C to terminate a ping operation Examples Ping IP address 1 1 2 2 Sysname ping 1 1 2 2 PING 1 1 2 2 56 data bytes press CTRL_C to break Reply from 1 1 2 2 bytes 56 Sequence 1 ttl 254 time 205 ms Reply from 1 1 2 2 bytes 56 Sequence 2 ttl 254 time 1 ms Reply from 1 1 2 2 bytes 56 Sequence...

Page 31: ...ftware is protected by copyright law and international treaties Without the prior written permission of 3Com Corporation and its licensors any reproduction republication redistribution decompiling reverse engineering is strictly prohibited Any unauthorized use of this software or any portion of it may result in severe civil and criminal penalties and will be prosecuted to the maximum extent possib...

Page 32: ...N y Now rebooting please wait If the configuration changes reboot the device Sysname reboot Start to check configuration with next startup configuration file please wait DONE This command will reboot the device Current configuration will be lost in next startup if you continue Continue Y N y Now rebooting please wait summary Syntax summary Parameters None Description Use the summary command to vie...

Page 33: ...e software package to be used at the next startup Description Use the upgrade server address source filename bootrom command to upgrade the Boot ROM file If the Boot ROM file in the downloaded software package is not applicable the original Boot ROM program is still used at the next startup Use the upgrade server address source filename runtime command to upgrade the boot file If the boot file in ...

Page 34: ...TP server program on the TFTP server and specify the path of the program to be loaded Omitted 2 Perform the following configurations on the switch Configure the IP address of VLAN interface 1 of the switch as 192 168 1 2 24 and specify the default gateway as 192 168 1 1 Switch ipsetup ip address 192 168 1 2 24 default gateway 192 168 1 1 Download the host software package Switch2900 bin on the TFT...

Page 35: ...ded successfully The specified file will be used as the boot file at the next reboot Reboot the switch Switch reboot After getting the new application file reboot the switch to have the upgraded application take effect ...

Page 36: ...1 Configuration Wizard 1 1 Overview 1 1 Basic Service Setup 1 1 Entering the Configuration Wizard Homepage 1 1 Configuring System Parameters 1 1 Configuring Management IP Address 1 3 Finishing Configuration Wizard 1 4 i ...

Page 37: ...r uration wizard homepage as shown in rview system location contact information an Basic Service Setup ing the Configuration Wizard Homepage From the navigation tree select Wizard to enter the config Figure 1 1 Figure 1 1 Configuration wizard homepage Conf In the wizard homepage click Next to enter the system parameter configuration page as shown in Figure 1 2 iguring System Parameters ...

Page 38: ... page you enter by selecting Device Basic For details refer to Device Basic Information Configuration Syslocation Specify the physical location of the system You can also set the physical location in the setup page you enter by selecting Device SNMP For details refer to SNMP Configuration Syscontact Set the contact information for users to get in touch with the device vendor for help You can also ...

Page 39: ...can be used to access the device You can also set configure a VLAN interface and its IP address in the page you enter by selecting Network VLAN Interface For configuration details refer to VLAN Interface Configuration After finishing the configuration click Next to enter the management IP address configuration page as shown in Figure 1 3 Figure 1 3 Management IP address configuration page Table 1 ...

Page 40: ...g the VLAN interface does not affect the status of the Ethernet ports in the VLAN That is the port status does not change with the VLAN interface status DHCP BOOTP Manual Configure how the VLAN interface obtains an IPv4 address z DHCP Specifies the VLAN interface to obtain an IPv4 address by DHCP z BOOTP Specifies the VLAN interface to obtain an IPv4 address through BOOTP z Manual Allows you to sp...

Page 41: ...ion finishe The page displays your configurations Review the configurations and if you want to modify the settings click Back to go back to the page Click Finish to confirm your settings and the system performs the configurations ...

Page 42: ... IRF Stack 1 2 Configuration Task List 1 2 Configuring Global Parameters of a Stack 1 3 Configuring Stack Ports 1 4 Displaying Topology Summary of a Stack 1 4 Displaying Device Summary of a Stack 1 5 Logging Into a Slave Device From the Master 1 5 IRF Stack Configuration Example 1 6 Configuration Guidelines 1 11 ...

Page 43: ...network diagram for stack management Figure 1 1 Network diagram for stack management z Master device In a stack the master device acts as the configuration interface in stack management Management and monitoring of all the devices in the stack are performed through the master device z Slave devices Managed devices in a stack z Stack port Ports between stack devices Establishing a Stack An administ...

Page 44: ...ort of a slave device that connects to the master device or another slave device as a stack port By default a port is not a stack port Displaying Topology Summary of a Stack Optional Display the information of stack members Displaying Device Summary of a Stack Optional Display the control panels of stack members Before viewing the control panel of a slave device you must ensure that the username p...

Page 45: ...f a Stack Select IRF from the navigation tree to enter the page shown in Figure 1 2 You can configure global parameters of a stack in the Global Settings area Figure 1 2 Set up Table 1 2 describes configuration items of global parameters ...

Page 46: ...ablish a stack the device becomes the master device of the stack and automatically adds the devices connected to its stack ports to the stack You can delete a stack only on the master device of the stack The Global Settings area on a slave device is grayed out Return to Stack configuration task list Configuring Stack Ports Select IRF from the navigation tree to enter the page shown in Figure 1 2 Y...

Page 47: ...the navigation tree and click the Device Summary tab to enter the page shown in Figure 1 4 On this page you can view interfaces and power socket layout on the panel of each stack member by clicking the tab of the corresponding member device Figure 1 4 Device summary the master device Return to Stack configuration task list Logging Into a Slave Device From the Master Select IRF from the navigation ...

Page 48: ...istrator can log in to Switch B Switch C and Switch D through Switch A to perform remote configurations Figure 1 6 Network diagram for IRF stack GE1 0 1 GE1 0 3 SwitchB Slave device GE1 0 1 GE1 0 1 SwitchC Slave device SwitchD Slave device Stack GE1 0 1 GE1 0 2 SwitchA Master device Configuration procedure 1 Configure the master device Configure global parameters for the stack on Switch A z Select...

Page 49: ...t box of Private Net IP z Type 255 255 255 0 in the text box of Mask z Select Enable from the Build Stack drop down list z Click Apply Now switch A becomes the master device Configure a stack port on Switch A z On the page of the Setup tab perform the following configurations as shown in Figure 1 8 ...

Page 50: ...lave devices On Switch B configure local ports GigabitEthernet 1 0 2 connecting with switch A GigabitEthernet 1 0 1 connecting with Switch C and GigabitEthernet 1 0 3 connecting with Switch D as stack ports z Select IRF from the navigation tree of Switch B to enter the page of the Setup tab and then perform the following configurations as shown in Figure 1 9 ...

Page 51: ...abitEthernet1 0 2 and GigabitEthernet1 0 3 z Click Enable Now switch B becomes a slave device On Switch C configure local port GigabitEthernet 1 0 1 connecting with Switch B as a stack port z Select IRF from the navigation tree of Switch C to enter the page of the Setup tab and then perform the following configurations as shown in ...

Page 52: ...omes a slave device On Switch D configure local port GigabitEthernet 1 0 1 connecting with Switch B as a stack port z Select IRF from the navigation tree of Switch D to enter the page of the Setup tab and then perform the following configurations as shown in Figure 1 10 z In the Port Settings area select the check box before GigabitEthernet1 0 1 z Click Enable ...

Page 53: ...w the information as shown in Figure 1 11 Figure 1 11 Verify the configuration Configuration Guidelines When configuring an IRF stack note that 1 If a device is already configured as the master device of a stack you are not allowed to modify the private IP address pool on the device 2 If a device is already configured as a slave device of a stack the Global Settings area on the slave device is gra...

Page 54: ...i Table of Contents 1 Summary 1 1 Overview 1 1 Displaying Device Summary 1 1 Displaying System Information 1 1 Displaying Device Information 1 2 ...

Page 55: ...ter you log in to the Web interface the System Information page appears by default as shown in Figure 1 1 Figure 1 1 System information Select from the Refresh Period drop down list z If you select a certain period the system refreshes the system information at the specified interval z If you select Manual the system refreshes the information only when you click the Refresh button The system infor...

Page 56: ...plays the time when the system operation logs are generated Level This field displays the severity of the system operation logs Description This field displays the description of the system operation logs z The Summary page displays up to five the most recent system operation logs about the login and logout events z For more system operation logs you can click More to enter the Log List page You c...

Page 57: ...lect from the Refresh Period drop down list z If you select a certain period the system refreshes the information at the specified interval z If you select Manual the system refreshes the information only when you click the Refresh button ...

Page 58: ...i Table of Contents 1 Device Basic Information Configuration 1 1 Overview 1 1 Configuring Device Basic Information 1 1 Configuring System Name 1 1 Configuring Idle Timeout Period 1 1 ...

Page 59: ... idle user off the Web for security purpose after the configured period Configuring Device Basic Information Configuring System Name Select Device Basic from the navigation tree to enter the system name page as shown in Figure 1 1 Figure 1 1 System name Table 1 1 describes the system name configuration item Table 1 1 System name configuration item Item Description Sysname Set the system name Confi...

Page 60: ...figuring idle timeout period Table 1 2 describes the idle timeout period configuration item Table 1 2 Idle timeout period configuration item Item Description Idle timeout Set the idle timeout period for a logged in user ...

Page 61: ...i Table of Contents 1 System Time Configuration 1 1 Overview 1 1 Configuring System Time 1 1 System Time Configuration Example 1 2 Configuration Guidelines 1 3 ...

Page 62: ...in RFC 1305 the Network Time Protocol NTP synchronizes timekeeping among distributed time servers and clients NTP allows quick clock synchronization within the entire network and ensures a high clock precision so that the devices can provide diverse applications based on the consistent time Configuring System Time Select System System Time from the navigation tree to enter the system time configur...

Page 63: ...You can set two authentication keys each of which is composed of a key ID and key string z ID is the ID of a key z Key string is a character string for MD5 authentication key NTP Server 1 Reference Key ID NTP External Reference Source NTP Server 2 Reference Key ID Specify the IP address of an NTP server and configure the authentication key ID used for the association with the NTP server Only if th...

Page 64: ...em Time from the navigation tree and perform the configurations as shown in Figure 1 3 Figure 1 3 Configure Device A as the NTP server of Switch B z Select NTP z Type 24 in the ID box and type aNiceKey in the Key String text box for key 1 z Type 1 0 1 11 in the NTP Server 1 text box and type 24 in the Reference Key ID text box z Click Apply 3 Verify the configuration After the above configuration ...

Page 65: ...ver has a stratum level higher than or equal to that of a client s clock the client will not synchronize its clock to the server s z The synchronization process takes a period of time Therefore the clock status may be unsynchronized after your configuration In this case you can click Refresh to view the clock status and system time later on ...

Page 66: ...i Table of Contents 1 Log Management 1 1 Overview 1 1 Configuring Log Management 1 1 Configuration Task List 1 1 Setting Syslog Related Parameters 1 1 Displaying Syslog 1 2 Setting Loghost 1 4 ...

Page 67: ...Management Configuration Task List Perform the tasks in Table 1 1 to configure log management Table 1 1 Log management configuration task list Task Description Setting Syslog Related Parameters Optional z Set the number of logs that can be stored in the log buffer z Set the refresh period of the log information displayed on the Web interface Displaying Syslog Display detailed information of system...

Page 68: ...od on the log information displayed on the Web interface You can select manual refresh or automatic refresh z Manual You need to click Refresh to refresh the Web interface when displaying log information z Automatic You can select to refresh the Web interface every 1 minute 5 minutes or 10 minutes Return to Log management configuration task list Displaying Syslog Select Device Syslog from the navi...

Page 69: ...ts of system logs You can perform the following operations in the syslog display page z Click Clear to clear the log buffer z Click Sequential Display to change the order in which system logs are displayed and then the Sequential Display button will be changed to Reverse Display After you change the order in which system logs are displayed the system logs are displayed in this order unless you cha...

Page 70: ... management configuration task list Setting Loghost Select Device Syslog from the navigation tree and click the Loghost tab to enter the loghost configuration page as shown in Figure 1 3 Figure 1 3 Set loghost Table 1 5 describes the loghost configuration item Table 1 5 Loghost configuration item Item Description Loghost IP IP address of the loghost z You can specify up to four loghosts z You must...

Page 71: ...i Table of Contents 1 Configuration Management 1 1 Back Up Configuration 1 1 Restore Configuration 1 1 Save Configuration 1 2 Initialize 1 3 ...

Page 72: ...ckup button in this figure a file download dialog box appears You can select to view the xml file or to save the file locally The switch uses both cfg and xml configuration files to save different types of configurations When backing up or restoring the configuration file you are recommended to back up or restore both of the two configuration files Restore Configuration Configuration restore provi...

Page 73: ...n to save the current configuration to the configuration file cfg file or xml file for the next startup Select Device or Configuration from the navigation tree and then click the Save tab to enter the save configuration confirmation page as shown in Figure 1 3 Figure 1 3 Save configuration confirmation Click the Save Current Settings button to save the current configuration to the configuration fi...

Page 74: ... and reboot the device Select Device Configuration from the navigation tree and then click the Initialize tab to enter the initialize confirmation page as shown in Figure 1 4 Figure 1 4 Initialize confirmation dialog box Click the Restore Factory Default Settings button to restore the system to factory defaults ...

Page 75: ...i Table of Contents 1 Device Maintenance 1 1 Software Upgrade 1 1 Device Reboot 1 2 Electronic Label 1 3 Diagnostic Information 1 3 ...

Page 76: ...A main boot file is used to boot a device and a backup boot file is used to boot a device only when the main boot file is unavailable The software upgrade will take a period of time During upgrading do not perform any operation on the Web page Otherwise the software upgrade is interrupted Select Device Device Maintenance from the navigation tree to enter the software upgrade configuration page as ...

Page 77: ...ists a dialog box appears telling you that the file already exists and you can not continue the upgrade Reboot after the upgrading finished Specifies whether to reboot the device to make the upgraded software take effect after the application file is uploaded Device Reboot Before rebooting the device save the configuration otherwise all unsaved configuration will be lost after device reboot After ...

Page 78: ...duct bar code MAC address debugging and testing date s manufacture name and so on Select Device Device Maintenance from the navigation tree and click the Electronic Label tab to enter the page as shown in Figure 1 3 Figure 1 3 Electronic label Diagnostic Information Each functional module has its own running information and generally you need to view the output information for each module one by o...

Page 79: ...is file to the local host z The generation of the diagnostic file will take a period of time During this process do not perform any operation on the Web page z After the diagnostic file is generated successfully you can view this file by selecting Device File Management or downloading this file to the local host For the details refer to File Management Configuration ...

Page 80: ...i Table of Contents 1 File Management 1 1 Overview 1 1 File Management Configuration 1 1 Displaying File List 1 1 Downloading a File 1 1 Uploading a File 1 2 Removing a File 1 2 ...

Page 81: ...ile Management from the navigation tree to enter the file management page as shown in Figure 1 1 On the top of this page select a disk from the Please select disk drop down list and the used space available space and capacity of the disk will be displayed at the right of the drop down list The area below the drop down list displays all files displayed in the format of path filename saved on the di...

Page 82: ...ile path and filename in the File box or click Browse to select a file Click Apply to upload the file to the specified storage device Upload a file will take a period of time During uploading do not perform any operation on the Web page Otherwise the file upload is interrupted Removing a File Select Device File Management from the navigation tree to enter the file management page as shown in Figur...

Page 83: ...Contents 1 Port Management Configuration 1 1 Overview 1 1 Configuring a Port 1 1 Setting Operation Parameters for a Port 1 1 Viewing the Operation Parameters of a Port 1 5 Port Management Configuration Example 1 6 ...

Page 84: ...ot limited to its state rate duplex mode link type PVID MDI mode flow control settings MAC learning limit and storm suppression ratios Configuring a Port Setting Operation Parameters for a Port Select Device Port Management from the navigation tree and then select the Setup tab on the page that appears to enter the page as shown in Figure 1 1 Figure 1 1 The Setup tab ...

Page 85: ... 1000 auto negotiated to 100 or 1000 Mbps z Auto 10 100 1000 auto negotiated to 10 100 or 1000 Mbps SFP optical ports do not support the 10 or 100 option Duplex Set the duplex mode of the port z Auto auto negotiation z Full full duplex z Half half duplex Ethernet electrical ports whose transmission rate is configured as 1000 Mbps and SFP optical ports do not support the half option Link Type Set t...

Page 86: ...ode is recommended The other two modes are used only when the device cannot determine the cable type z When straight through cables are used the local MDI mode must be different from the remote MDI mode z When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto SFP optical ports do not support this feature Flo...

Page 87: ...t per second When this option is selected you need to input a number in the box below z kbps Sets the maximum number of multicast kilobits that can be forwarded on an Ethernet port per second When this option is selected you need to input a number in the box below Do not configure this item if the storm constrain function for multicast traffic is enabled on the port Otherwise the suppression resul...

Page 88: ...ts in the lower part of the page as shown in Figure 1 2 Figure 1 2 The Summary tab Select Device Port Management from the navigation tree select the Details tab on the page that appears and then click the port whose operation parameters you want to view in the chassis front panel as shown in Figure 1 3 The operation parameter settings of the selected port are displayed on the lower part of the pag...

Page 89: ...the switch respectively The rates of the network adapters of these servers are all 1000 Mbps z The switch connects to the external network through GigabitEthernet 1 0 4 whose rate is 1000 Mbps z To avoid congestion at the egress port GigabitEthernet 1 0 4 configure the auto negotiation rate range on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps Figure 1 4 Networ...

Page 90: ... 4 z Select 100 in the Speed dropdown list z Select GigabitEthernet 1 0 4 on the chassis front panel z Click Apply to end the operation Batch configure the auto negotiation rate range on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps z Select Auto 100 in the Speed dropdown list on the page shown in Figure 1 6 z Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 a...

Page 91: ...1 6 Batch configure port rate Display the rate settings of ports z Click the Summary tab z Select the Speed option to display the rate information of all ports on the lower part of the page as shown in Figure 1 7 ...

Page 92: ...1 9 Figure 1 7 Display the rate settings of ports ...

Page 93: ...rroring 1 1 Implementing Port Mirroring 1 1 Configuring Port Mirroring 1 1 Configuration Task List 1 1 Creating a Mirroring Group 1 2 Configuring Ports for a Mirroring Group 1 3 Configuration Examples 1 4 Local Port Mirroring Configuration Example 1 4 Configuration Guidelines 1 7 ...

Page 94: ...rroring In local port mirroring all packets including protocol and data packets passing through a port can be mirrored Local port mirroring is implemented through a local mirroring group As shown in Figure 1 1 packets on the mirroring port are mirrored to the monitor port for the data monitoring device to analyze Figure 1 1 Local port mirroring implementation PC Mirroring port Monitor port Data mo...

Page 95: ...rt type Mirror Port You can configure multiple mirroring ports for a mirroring group Configure the monitor port Required Refer to section Configuring Ports for a Mirroring Group for details During configuration you need to select the port type Monitor Port You can configure one only monitor port for a mirroring group Creating a Mirroring Group Select Device Port Mirroring from the navigation tree ...

Page 96: ...age for configuring ports for a mirroring group as shown in Figure 1 3 Figure 1 3 The Modify Port tab Table 1 3 describes the configuration items of configuring ports for a mirroring group Table 1 3 Configuration items of configuring ports for a mirroring group Item Description Mirroring Group ID ID of the mirroring group to be configured The available groups were created previously Port Type Set ...

Page 97: ...r network is as described below z Department 1 accesses Switch C through GigabitEthernet 1 0 1 z Department 2 accesses Switch C through GigabitEthernet 1 0 2 z Server is connected to GigabitEthernet 1 0 3 of Switch C Configure port mirroring to monitor the bidirectional traffic of Department 1 and Department 2 on the server To satisfy the above requirement through local port mirroring perform the ...

Page 98: ...in mirroring group ID 1 z Select Local in the Type drop down list z Click Apply Configure the mirroring ports Click Modify Port to enter the page for configuring ports for the mirroring group as shown in Figure 1 6 Figure 1 6 Configure the mirroring ports ...

Page 99: ...ress dialog box appears as shown in Figure 1 7 Figure 1 7 Configuration progress dialog box z After the configuration process is complete click Close Configure the monitor port Click Modify Port to enter the page for configuring ports for the mirroring group as shown in Figure 1 8 Figure 1 8 Configure the monitor port z Select 1 Local in the Mirroring Group ID drop down list z Select Monitor Port ...

Page 100: ...Close in the dialog box Configuration Guidelines Pay attention to the following points during local port mirroring configuration z To ensure operation of your device do not enable STP MSTP or RSTP on the monitor port z You can configure multiple mirroring ports but only one monitor port for a local mirroring group ...

Page 101: ...i Table of Contents 1 User Management 1 1 Overview 1 1 Users 1 1 Creating a User 1 1 Setting the Super Password 1 2 Switching the User Access Level to the Management Level 1 3 ...

Page 102: ...tching the current Web user level to the management level z Switch the current Web user access level to the management level Users Creating a User Select Device Users from the navigation tree and click the Create tab to enter the page for creating local users as shown in Figure 1 1 Figure 1 1 Create a user Table 1 1 describes the configuration items for creating a user ...

Page 103: ... of 88 When the length of the input password is 24 if the system can decrypt the password it considers the password as a ciphertext password if not the system considers the password as a plaintext password When the length of the input password is 88 if the system can decrypt the password it considers the password as a ciphertext password if not the system prompts that the password is invalid Confi...

Page 104: ...assword will be saved in the configuration file in cipher text The plaintext password is not safe and you are recommended to use the ciphertext password Switching the User Access Level to the Management Level This function is provided for a user to switch the current user level to the management level Note the following z Before switching make sure that the super password is already configured A u...

Page 105: ...1 4 Figure 1 3 Switch to the management level ...

Page 106: ...i Table of Contents 1 Loopback Test Configuration 1 1 Overview 1 1 Loopback Operation 1 1 Configuration Guidelines 1 2 ...

Page 107: ... port z In an external loopback test a loopback plug is used on the port Packets forwarded by the port will be received by itself through the loopback plug The external loopback test can be used to check whether there is a hardware failure on the port Loopback Operation Select Device Loopback from the navigation tree to enter the loopback test configuration page as shown in Figure 1 1 Figure 1 1 L...

Page 108: ...tion Guidelines Note the following when performing a loopback test z You can perform an internal loopback test but not an external loopback test on a port that is physically down while you can perform neither test on a port that is manually shut down z The system does not allow Rate Duplex Cable Type and Port Status configuration on a port under a loopback test z An Ethernet port works in full dup...

Page 109: ...i Table of Contents 1 VCT 1 1 Overview 1 1 Testing Cable Status 1 1 ...

Page 110: ... is returned in less than 5 seconds The test covers whether short circuit or open circuit occurs on the cable and the length of the faulty cable Testing Cable Status Select Device VCT from the navigation tree to enter the page for testing cable status Select the port you want to test in the chassis front panel and then click Test The test result is returned in less than 5 seconds and displayed in ...

Page 111: ...be normal abnormal abnormal open abnormal short or failure z When a cable is normal the cable length displayed is the total length of the cable z When a cable is not normal the cable length displayed is the length of the cable between the current port and the location where fault occurs The error of the length detected is within 5 meters ...

Page 112: ...i Table of Contents 1 Flow Interval Configuration 1 1 Overview 1 1 Monitoring Port Traffic Statistics 1 1 Setting the Traffic Statistics Generating Interval 1 1 Viewing Port Traffic Statistics 1 1 ...

Page 113: ...rating interval Table 1 1 describes the traffic statistics generating interval configuration items Table 1 1 Traffic statistics generating interval configuration items Item Remarks Interval for generating traffic statistics Set the interval for generating port traffic statistics Select ports Select ports from the chassis front panel to apply the interval to them Viewing Port Traffic Statistics Sel...

Page 114: ...1 2 Figure 1 2 Port traffic statistics ...

Page 115: ...i Table of Contents 1 Storm Constrain Configuration 1 1 Overview 1 1 Configuring Storm Constrain 1 1 Setting the Traffic Statistics Generating Interval 1 1 Configuring Storm Constrain 1 2 ...

Page 116: ...gured in Device Port Management For details refer to Port Management With storm constrain enabled on a port you can specify the system to act as follows when a certain type of traffic broadcast multicast or unicast exceeds the corresponding upper threshold z Block Block the port In this case the port is blocked and thus stops forwarding the traffic of this type until the type of traffic drops down...

Page 117: ...ffic sending and receiving rates over a specific interval z For network stability sake set the traffic statistics generating interval for the storm constrain function to the default or a greater value Configuring Storm Constrain Select Device Storm Constrain from the navigation tree to enter the page shown in Figure 1 1 In the Port Storm Constrain area the configured port storm constrain settings ...

Page 118: ...nalyzes the data in the next interval Thus it is normal that a period longer than one traffic statistics generating interval is waited for a control action to happen if you enable the function while the packet storm is present Nevertheless the action will be taken within two intervals Broadcast Threshold Multicast Threshold Unicast Threshold Set the broadcast multicast and unicast thresholds z Non...

Page 119: ...d when the corresponding lower threshold is crossed after that Log Select or clear the option to enable or disable the system to output logs both when an upper threshold is crossed and when the corresponding lower threshold is crossed after that Select ports Select ports from the chassis front panel to apply the storm constrain settings to them ...

Page 120: ...nfiguration Task List 1 3 Configuring a Statistics Entry 1 5 Configuring a History Entry 1 6 Configuring an Event Entry 1 7 Configuring an Alarm Entry 1 7 Displaying RMON Statistics Information 1 9 Displaying RMON History Sampling Information 1 11 Displaying RMON Event Logs 1 13 RMON Configuration Example 1 13 ...

Page 121: ...tents z RMON provides an efficient means of monitoring subnets and allows SNMP to monitor remote network devices in a more proactive and effective way The RMON protocol defines that when an alarm threshold is reached on a managed device the managed device sends a trap to the management device automatically so the management device has no need to get the values of MIB variables for multiple times a...

Page 122: ...ackets received on the interface during each period which can be configured through the command line interface CLI Alarm group The RMON alarm group monitors specified alarm variables such as total number of received packets etherStatsPkts on an interface After you define an alarm entry the system gets the value of the monitored alarm variable at the specified interval when the value of the monitor...

Page 123: ... function Table 1 1 RMON statistics group configuration task list Task Remarks Configuring a Statistics Entry Required You can create up to 100 statistics entries in a statistics table After a statistics entry is created on an interface the system collects statistics on various traffic information on the interface It provides statistics about network collisions CRC alignment errors undersize overs...

Page 124: ...xisting entry in the system Configuring an Alarm Entry Required You can create up to 60 alarm entries for an alarm table With an alarm entry created the specified alarm event will be triggered when an abnormity occurs and the alarm event defines how to deal with the abnormity An entry cannot be created if the values of the specified event description owners and actions are identical to those of an...

Page 125: ... the Statistics tab as shown in Figure 1 1 Click Add to enter the page for adding a statistics entry as shown in Figure 1 2 Figure 1 1 Statistics entry Figure 1 2 Add a statistics entry Table 1 5 describes the items for configuring a statistics entry Table 1 5 Statistics entry configuration items Item Description Interface Name Select the name of the interface on which the statistics entry is crea...

Page 126: ...ich the history entry is created Buckets Granted Set the capacity of the history record list corresponding to this history entry namely the maximum number of records that can be saved in the history record list If the current number of the entries in the table has reached the maximum number the system will delete the earliest entry to save the latest one The statistics include total number of rece...

Page 127: ...or the event Owner Set the owner of the entry Event Type Set the actions that the system will take when the event is triggered z Log The system will log the event z Trap The system will send a trap in the community name of null If both Log and Trap are selected the system will log the event and send a trap If none of them is selected the system will take no action Return to RMON alarm configuratio...

Page 128: ...uring an alarm entry Table 1 8 Alarm entry configuration items Item Description Statics Item Set the traffic statistics that will be collected and monitored see Table 1 9 for details Alarm variable Interface Name Set the name of the interface whose traffic statistics will be collected and monitored ...

Page 129: ...alling threshold the system will adopt the default action that is log and trap Rising Threshold Set the alarm rising threshold Rising Event Set the action that the system will take when the value of the alarm variable is higher than the alarm rising threshold If the Create Default Event check box is selected this option is not configurable Falling Threshold Set the alarm falling threshold Alarm Fa...

Page 130: ...the interface corresponding to the MIB node etherStatsPkts Number of Received Broadcasting Packets Total number of broadcast packets received by the interface corresponding to the MIB node etherStatsBroadcastPkts Number of Received Multicast Packets Total number of multicast packets received by the interface corresponding to the MIB node etherStatsMulticastPkts Number of Received Packets With CRC ...

Page 131: ...number of received packets with 64 octets on the interface corresponding to the MIB node etherStatsPkts64Octets Number of Received 65 to 127 Bytes Packets Total number of received packets with 65 to 127 octets on the interface corresponding to the MIB node etherStatsPkts65to127Octets Number of Received 128 to 255 Bytes Packets Total number of received packets with 128 to 255 octets on the interfac...

Page 132: ...ring the sampling period corresponding to the MIB node etherHistoryMulticastPkts CRCAlignErrors Number of packets received with CRC alignment errors during the sampling period corresponding to the MIB node etherHistoryCRCAlignErrors UndersizePkts Number of undersize packets received during the sampling period corresponding to the MIB node etherHistoryUndersizePkts OversizePkts Number of oversize p...

Page 133: ...ross the Internet Create an entry in the RMON Ethernet statistics table to gather statistics on Ethernet 1 0 1 and perform corresponding configurations so that the system will log the event when the number of bytes received on the interface exceed the specified threshold Figure 1 12 Network diagram for RMON Configuration procedure Configure RMON to gather statistics for interface Ethernet 1 0 1 z ...

Page 134: ...t1 0 1 from the Interface Name drop down box z Type user1 rmon in the text box of Owner z Click Apply Display RMON statistics for interface Ethernet 1 0 1 z Click the icon corresponding to GigabitEthernet 1 0 1 z You can view the information as shown in Figure 1 14 ...

Page 135: ...play RMON statistics Create an event to start logging after the event is triggered z Click the Event tab click Add and then perform the following configurations as shown in Figure 1 15 Figure 1 15 Configure an event group ...

Page 136: ...x of the new event is 1 as shown in Figure 1 16 Figure 1 16 Display the index of a event entry Configure an alarm group to sample received bytes on Ethernet 1 0 1 When the received bytes exceed the rising or falling threshold logging is enabled z Click the Alarm tab click Add and then perform the following configurations as shown in Figure 1 17 Figure 1 17 Configure an alarm group ...

Page 137: ...wn box z Type 10 in the text box of Interval z Select Delta from the Simple Type drop down box z Type 1 rmon in the text box of Owner z Type 1000 in the text box of Rising Threshold z Select 1 from the Rising Event drop down box z Type 100 in the text box of Falling Threshold z Select 1 from the Falling Event drop down box z Click Apply ...

Page 138: ...i Table of Contents 1 Energy Saving Configuration 1 1 Overview 1 1 Configuring Energy Saving on a Port 1 1 ...

Page 139: ...ng configuration page Table 1 1 describes the configuration items for configuring energy saving on a port Table 1 1 Configuration items for configuring energy saving on a port Item Description Time Range Sun through Sat Set the time period when the port is in the state of energy saving z Up to five energy saving policies with different time ranges can be configured on a port z Specify the start ti...

Page 140: ...ed If you configure the lowest speed limit on a port that does not support 10 Mbps the configuration cannot take effect Shutdown Shut down the port An energy saving policy can have all the three energy saving schemes configured of which the shutdown scheme takes the highest priority ...

Page 141: ...rsion 1 1 MIB Overview 1 2 SNMP Configuration 1 3 Configuration Task List 1 3 Enabling SNMP 1 4 Configuring an SNMP View 1 5 Configuring an SNMP Community 1 7 Configuring an SNMP Group 1 8 Configuring an SNMP User 1 10 Configuring SNMP Trap Function 1 11 SNMP Configuration Example 1 13 ...

Page 142: ...istrators to perform most network management tasks z An agent is a program on the device It receives and handles requests sent from the NMS Only under certain circumstances such as interface state change will the agent inform the NMS NMS manages an SNMP enabled network whereas agents are the managed network device NMS and agents exchange management information through the SNMP protocol SNMP provid...

Page 143: ...e can be identified as an object which is known as the managed object Management Information Base MIB is a collection of all the managed objects It defines the hierarchy of the objects and a set of characteristics associated with the managed objects such as the object identifier OID access right and data type Each agent has its own MIB NMS can read or write the managed objects in the MIB TheFigure...

Page 144: ...n the number of nodes of the OID the excessive bits of the subtree mask will be ignored during subtree mask OID matching z If the number of bits in the subtree mask is smaller than the number of nodes of the OID the short bits of the subtree mask will be set to 1 during subtree mask OID matching z If no subtree mask is specified the default subtree mask all Fs will be used for mask OID matching SN...

Page 145: ...P group you can add SNMP users to the group when creating the users Therefore you can realize centralized management of users in the group through the management of the group Configuring an SNMP User Required Before creating an SNMP user you need to create the SNMP group to which the user belongs Configuring SNMP Trap Function Optional Allows you to configure that the agent can send SNMP traps to ...

Page 146: ...onfigure the maximum size of an SNMP packet that the agent can receive send Contact Set a character string to describe the contact information for system maintenance If the device is faulty the maintainer can contact the manufacture factory according to the contact information of the device Location Set a character string to describe the physical location of the device SNMP Version Set the SNMP ve...

Page 147: ...re 1 7 Figure 1 6 Create an SNMP view 1 Figure 1 7 Create an SNMP view 2 Table 1 4 describes the configuration items for creating an SNMP view After configuring the parameters of a rule click Add to add the rule into the list box at the lower part of the page After configuring all rules click Apply to crate an SNMP view Note that the view will not be created if you click Cancel ...

Page 148: ...he icon corresponding to the specified view on the page as shown in Figure 1 5 the Add rule for the view ViewDefault window appears as shown in Figure 1 8 After configuring the parameters click Apply to add the rule for the view Table 1 4 describes the configuration items for creating an SNMP view Figure 1 8 Add rules to an SNMP view You can also click the icon corresponding to the specified view ...

Page 149: ...gent z Read and write The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP address Return...

Page 150: ... authentication no privacy z Auth NoPriv Authentication without privacy z Auth Priv Authentication and privacy For an existing SNMP group its security level cannot be modified Read View Select the read view of the SNMP group Write View Select the write view of the SNMP group If no write view is configured the NMS cannot perform the write operations to all MIB objects on the device Notify View Sele...

Page 151: ...ict the intercommunication between the NMS and the agent Return to SNMPv3 configuration task list Configuring an SNMP User Select Device SNMP from the navigation tree then click the User tab to enter the page as shown in Figure 1 13 Click Add to enter the Add SNMP User page as shown in Figure 1 14 Figure 1 13 SNMP user Figure 1 14 Create an SNMP user Table 1 7 describes the configuration items for...

Page 152: ...ntication password when the security level is Auth NoPriv or Auth Priv The confirm authentication password must be the same with the authentication password Privacy Mode Select a privacy mode including DES56 AES128 and 3DES when the security level is Auth Priv Privacy Password Confirm Privacy Password Set the privacy password when the security level is Auth Priv The confirm privacy password must b...

Page 153: ...ty name which can be an SNMPv1 community name an SNMPv2c community name or an SNMPv3 user name UDP Port Set UDP port number Security Model Select the security model that is the SNMP version Ensure that the SNMP version is the same with that on the NMS otherwise the NMS cannot receive any trap Security Level Set the authentication and privacy mode for SNMP traps when the security model is selected ...

Page 154: ...using SNMPv3 The agent reports errors or faults to the NMS The NMS uses port 5000 to receive traps Figure 1 17 Network diagram for SNMP configuration Configuration procedure 1 Configure Agent Configuration IP addresses for the interfaces Omitted Enable SNMP Select Device SNMP from the navigation tree and you will enter the Setup page as shown in Figure 1 18 Figure 1 18 Enable SNMP z Select the Ena...

Page 155: ...Figure 1 20 Figure 1 20 Create an SNMP view 2 z Select the Included radio box z Type the MIB subtree OID interfaces z Click Add z Click Apply A configuration progress dialog box appears as shown in Figure 1 21 Figure 1 21 Configuration progress dialog box z After the configuration process is complete click Close Configure an SNMP group ...

Page 156: ...ew1 from the Read View drop down box z Select view1 from the Write View drop down box z Click Apply Configure an SNMP user z Click the User tab and then click Add to enter the page as shown in Figure 1 23 Figure 1 23 Create an SNMP user z Type user1 in the text box of User Name z Select group1 from the Group Name drop down box z Click Apply Enable the agent to send SNMP traps ...

Page 157: ... Click Apply Add target hosts of SNMP traps z Click Add to enter the page as shown in Figure 1 25 Figure 1 25 Add target hosts of SNMP traps z Select the destination IP address type as IPv4 z Type the destination address 1 1 1 2 z Type the user name user1 z Type the UDP port 5000 z Select v3 from the Security Model drop down box z Click Apply 2 Configure NMS ...

Page 158: ...assword privacy mode privacy password and so on Besides you need to configure the aging time and retry times After the above configurations you can configure the device as needed through the NMS For related configurations refer to the manual provided for NMS Configuration verification z After the above configuration the NMS can establish an SNMP connection with the agent and query and reconfigure ...

Page 159: ...i Table of Contents 1 Interface Statistics 1 1 Overview 1 1 Displaying Interface Statistics 1 1 ...

Page 160: ...ics display page Table 1 1 describes the details about the interface statistics Table 1 1 Details about the interface statistics Field Description InOctets Total octets of all packets received on the interface InUcastPkts Number of received unicast packets InNUcastPkts Number of received non unicast packets InDiscards Number of valid packets discarded in the inbound direction InErrors Number of re...

Page 161: ...nicast packets sent through the interface OutNUcastPkts Number of non unicast packets sent through the interface OutDiscards Number of valid packets discarded in the outbound direction OutErrors Number of invalid packets sent through the interface ...

Page 162: ...to VLAN 1 1 How VLAN Works 1 1 VLAN Types 1 2 Introduction to Port Based VLAN 1 3 Configuring a VLAN 1 4 Configuration Task List 1 4 Creating VLANs 1 4 Selecting VLANs 1 5 Modifying a VLAN 1 6 Modifying Ports 1 8 VLAN Configuration Example 1 9 Configuration Guidelines 1 13 ...

Page 163: ... rather than on a physical basis For example all workstations and servers used by a particular workgroup can be connected to the same LAN regardless of their physical locations VLAN technology delivers the following benefits z Confining broadcast traffic within individual VLANs This reduces bandwidth waste and improves network performance z Improving LAN security By assigning user groups to differ...

Page 164: ...CFI field specifies whether the MAC addresses are encapsulated in the canonical format for the receiving device to correctly interpret the MAC addresses Value 0 indicates that the MAC addresses are encapsulated in canonical format value 1 indicates that the MAC addresses are encapsulated in non canonical format The field is set to 0 by default z The 12 bit VLAN ID field identifies the VLAN the fra...

Page 165: ...is follow these guidelines z Because an access port can join only one VLAN its default VLAN is the VLAN to which it belongs and cannot be configured z Because a trunk or hybrid port can join multiple VLANs you can configure a default VLAN for the port A port configured with a default VLAN handles a frame as follows Actions in the inbound direction Port type Untagged frame Tagged frame Actions in t...

Page 166: ... configure a subset of all existing VLANs This step is required before displaying modifying or removing a VLAN Modifying a VLAN Required Configure the untagged member ports and tagged member ports of the VLAN or remove the specified ports from the VLAN Table 1 2 VLAN configuration task list approach II Task Remarks Creating VLANs Required Create one or multiple VLANs Modifying Ports Required Confi...

Page 167: ...VLAN to be modified in the list in the middle of the page Modify the description of the selected VLAN Description Set the description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 Return to VLAN configuration task list approach I Return to VLAN configuration task list approach II Selecting VLANs Select Network VLAN from the navigation tree...

Page 168: ...a subnet of all configured VLANs Select one of the two radio buttons z Display all VLANs displays all configured VLANs z Display a subnet of all configured VLANs type the VLAN ID s to be displayed Return to VLAN configuration task list approach I Modifying a VLAN Select Network VLAN from the navigation tree and click Modify VLAN to enter the page for modifying a VLAN as shown in Figure 1 6 ...

Page 169: ...ember Set the member type of the port to be modified in the VLAN Select the Untagged Tagged or Not A Member radio button z Untagged Indicates that the port sends the traffic of the VLAN with the VLAN tag removed z Untagged Indicates that the port sends the traffic of the VLAN without removing the VLAN tag z Not a Member Removes the port from the VLAN Select ports to be modified and assigned to thi...

Page 170: ...rom this list Untagged Tagged Select memb ership type Not A Member Set the member type of the ports to be modified in the specified VLANs Select the Untagged Tagged or Not A Member radio button z Untagged Assigns the selected prots to the specified VLANs as untagged members After that the ports send the traffic of those VLANs with the VLAN tags removed z Tagged Assigns the selected prots to the sp...

Page 171: ...st approach II VLAN Configuration Example Network requirements z Trunk port GigabitEthernet 1 0 1 of Switch A is connected to trunk port GigabitEthernet 1 0 1 of Switch B z The default VLAN of GigabitEthernet 1 0 1 is VLAN 100 z GigabitEthernet 1 0 1 permits packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through Figure 1 8 Network diagram for VLAN configuration Configuration procedu...

Page 172: ...rop down list z Select the PVID check box and then type in PVID 100 z Select GigabitEthernet 1 0 1 on the chassis front device panel z Click Apply Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 Select Network VLAN from the navigation tree and click Create to enter the page for creating VLANs as shown in Figure 1 10 ...

Page 173: ...100 z Click Apply Assign GigabitEthernet 1 0 1 to VLAN 100 as an untagged member Click Select VLAN to enter the page for selecting VLANs as shown in Figure 1 11 Figure 1 11 Set a VLAN range z Select the radio button before Display a subnet of all configured VLANs and type 1 100 in the text box ...

Page 174: ...he Please select a VLAN to modify drop down list z Select the Untagged radio button z Select GigabitEthernet 1 0 1 on the chassis front device panel z Click Apply A configuration progress dialog box appears as shown in Figure 1 13 Figure 1 13 Configuration progress dialog box z After the configuration process is complete click Close Assign GigabitEthernet 1 0 1 to VLAN2 and VLAN 6 through VLAN 50 ...

Page 175: ...ocess is complete click Close in the dialog box 2 Configure Switch B Configure Switch B as you configure Switch A Configuration Guidelines When configuring VLAN note that 1 VLAN 1 is the default VLAN which can be neither created nor removed manually 2 Some VLANs are reserved for some special purposes You can neither create nor remove them manually 3 Dynamic VLANs cannot be removed on the page for ...

Page 176: ...i Table of Contents 1 VLAN Interface Configuration 1 1 Overview 1 1 Configuring VLAN Interfaces 1 1 Configuration Task List 1 1 Creating a VLAN Interface 1 1 Modifying a VLAN Interface 1 3 ...

Page 177: ...fferent from that of the VLAN Configuring VLAN Interfaces Configuration Task List Perform the tasks in Table 1 1 to configure a VLAN interface Table 1 1 VLAN interface configuration task list Task Remarks Creating a VLAN Interface Required Create a VLAN interface You can select to assign an IPv4 address to the VLAN interface in this step or in a separate step Before creating a VLAN interface for a...

Page 178: ...n IPv4 address Allow the VLAN interface to automatically obtain an IP address by selecting the DHCP or BOOTP option or manually assign the VLAN interface an IP address by selecting the Manual option IPv4 Address Configure an IPv4 address for the VLAN interface This option is available after you select the Manual option Config ure Primar y IPv4 Addres s Mask Length Select the subnet mask length Thi...

Page 179: ...n use the changed IP address to re log in Select Network VLAN Interface from the navigation tree and click Modify to enter the page for modifying a VLAN interface as shown in Figure 1 2 Figure 1 2 The Modify tab Table 1 3 describes the configuration items of modifying a VLAN interface Table 1 3 Configuration items of modifying a VLAN interface Item Description Select VLAN Interface Select the VLAN...

Page 180: ...op down list to bring up or shut down the selected VLAN interface When the VLAN interface fails you can shut down and then bring up the VLAN interface which may restore it By default a VLAN interface is down if all Ethernet ports in the VLAN are down otherwise the VLAN interface is up z The current VLAN interface state in the Modify IPv4 Address frames changes as the VLAN interface state is modifi...

Page 181: ...AN 1 4 Configuration Task List 1 4 Configuring Voice VLAN Globally 1 5 Configuring Voice VLAN on a Port 1 6 Adding OUI Addresses to the OUI List 1 7 Voice VLAN Configuration Examples 1 8 Configuring Voice VLAN on a Port in Automatic Voice VLAN Assignment Mode 1 8 Configuring a Voice VLAN on a Port in Manual Voice VLAN Assignment Mode 1 13 Configuration Guidelines 1 18 ...

Page 182: ...he default OUI list Number OUI Address Vendor 1 0001 e300 0000 Siemens phone 2 0003 6b00 0000 Cisco phone 3 0004 0d00 0000 Avaya phone 4 00d0 1e00 0000 Pingtel phone 5 0060 b900 0000 Philips NEC phone 6 00e0 7500 0000 Polycom phone 7 00e0 bb00 0000 3com phone z Generally an OUI is the first 24 bits of a MAC address in binary format It is a globally unique identifier assigned to a vendor by the IEE...

Page 183: ...able 1 2 Co relation Port link type Voice VLAN assignmen t mode Voice traffic type Access Trunk Hybrid Tagged voice traffic Not supported Supported but you must ensure that the default VLAN of the port has been created and is not the voice VLAN and the traffic of the default VLAN can pass through the port Supported but you must ensure that the default VLAN of the port has been created and is not t...

Page 184: ... packets in the voice VLAN In normal mode the voice VLANs are vulnerable to traffic attacks Vicious users can forge a large amount of voice packets and send them to voice VLAN enabled ports to consume the voice VLAN bandwidth affecting normal voice communication z Security mode In this mode only voice packets whose source MAC addresses comply with the recognizable OUI addresses can pass through th...

Page 185: ...ment mode Perform the tasks described in Table 1 4 to configure the voice VLAN function on a port working in automatic voice VLAN assignment mode Table 1 4 Voice VLAN configuration task list for a port in automatic voice VLAN assignment mode Task Remarks Configuring Voice VLAN Globally Optional Configure the voice VLAN to operate in security mode and configure the aging timer Configuring Voice VLA...

Page 186: ... Port Management Configuration Configuring Voice VLAN on a Port Required Configure the voice VLAN assignment mode of a port as manual and enable voice VLAN on the port By default the voice VLAN assignment mode of a port is automatic and voice VLAN is disabled on a port Adding OUI Addresses to the OUI List Optional You can configure up to 16 OUI addresses By default the system is configured with th...

Page 187: ...ree and click the Port Setup tab on the displayed page to enter the page shown in Figure 1 2 Figure 1 2 Configure voice VLAN on a port Table 1 7 describes the configuration items of configuring voice VLAN for a port Table 1 7 Configuration items of configuring Voice VLAN for a port Item Description Voice VLAN port mode Set the voice VLAN assignment mode of a port to z Auto that is automatic voice ...

Page 188: ...AN Return to Configuring voice VLAN on a port in automatic voice VLAN assignment mode Return to Configuring voice VLAN on a port working in manual voice VLAN assignment mode Adding OUI Addresses to the OUI List Select Network Voice VLAN from the navigation tree and click the OUI Add tab on the displayed page to enter the page shown in Figure 1 3 Figure 1 3 Add OUI addresses to the OUI list Table 1...

Page 189: ... voice traffic z GigabitEthernet 1 0 1 operates in automatic VLAN assignment mode Set the voice VLAN aging timer to 30 minutes z Configure GigabitEthernet 1 0 1 to allow voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011 2200 0000 and mask ffff ff00 0000 The description of the OUI address entry is test Figure 1 4 Network diagram for configuring voice VLA...

Page 190: ...VLAN 2 z Type in VLAN ID 2 z Click Create Configure GigabitEthernet 1 0 1 as a hybrid port z Select Device Port Management from the navigation tree and click Setup on the displayed page to enter the page shown in Figure 1 6 ...

Page 191: ...ist z Select GigabitEthernet 1 0 1 from the chassis front panel z Click Apply Configure the voice VLAN function globally z Select Network Voice VLAN from the navigation tree and click the Setup tab on the displayed page to enter the page shown in Figure 1 7 Figure 1 7 Configure the voice VLAN function globally ...

Page 192: ...rnet 1 0 1 z Click the Port Setup tab to enter the page shown in Figure 1 8 Figure 1 8 Configure voice VLAN on GigabitEthernet 1 0 1 z Select Auto in the Voice VLAN port mode drop down list z Select Enable in the Voice VLAN port state drop down list z Type in voice VLAN ID 2 z Select GigabitEthernet 1 0 1 on the chassis front panel z Click Apply Add OUI addresses to the OUI list z Click the OUI Ad...

Page 193: ...k Apply Verify the configuration z When the configurations described above are completed the OUI Summary tab is displayed by default as shown in Figure 1 10 You can view the information about the newly added OUI address Figure 1 10 Current OUI list of the device z Click the Summary tab to enter the page shown in Figure 1 11 where you can view the current voice VLAN information ...

Page 194: ...ws voice packets whose source MAC addresses match the OUI addresses specified by OUI address 0011 2200 0000 and mask ffff ff00 0000 to pass through The description of the OUI address entry is test Figure 1 12 Network diagram for voice VLAN configuration on a port in manual voice VLAN assignment mode Switch A Switch B GE1 0 3 GE1 0 1 VLAN 2 VLAN 2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 075...

Page 195: ...N ID 2 z Click Create Configure GigabitEthernet 1 0 1 as a hybrid port and configure its default VLAN as VLAN 2 z Select Device Port Management from the navigation tree and click Setup on the displayed page to enter the page shown in Figure 1 14 ...

Page 196: ...z Select the PVID option and type 2 in the text box z Select GigabitEthernet 1 0 1 from the chassis front panel z Click Apply Assign GigabitEthernet 1 0 1 to VLAN 2 as an untagged member z Select Network VLAN from the navigation tree and click Modify Port on the displayed page to enter the page shown in Figure 1 15 ...

Page 197: ... VLAN ID 2 z Click Apply A configuration progress dialog box appears as shown in Figure 1 16 Figure 1 16 Configuration progress dialog box z After the configuration process is complete click Close Configure voice VLAN on GigabitEthernet 1 0 1 z Select Network Voice VLAN from the navigation tree and click Port Setup on the displayed page to enter the page shown in Figure 1 17 ...

Page 198: ...ice VLAN port state drop down list z Type in voice VLAN ID 2 z Select GigabitEthernet 1 0 1 on the chassis front panel z Click Apply Add OUI addresses to the OUI list z Click the OUI Add tab to enter the page shown in Figure 1 18 Figure 1 18 Add OUI addresses to the OUI list z Type in OUI address 0011 2200 0000 z Select FFFF FF00 0000 as the mask ...

Page 199: ...nformation about the newly added OUI address Figure 1 19 Current OUI list of the device z Click the Summary tab to enter the page shown in Figure 1 20 where you can view the current voice VLAN information Figure 1 20 Current voice VLAN information Configuration Guidelines When configuring the voice VLAN function follow these guidelines z To remove a VLAN functioning as a voice VLAN disable its voi...

Page 200: ...N and a protocol based VLAN at the same time the protocol based VLAN cannot be associated with the port z At present only one VLAN is supported and only an existing static VLAN can be configured as the voice VLAN z If Link Aggregation Control Protocol LACP is enabled on a port the voice VLAN function cannot be enabled on it z After you assign a port working in manual voice VLAN assignment mode to ...

Page 201: ...of Contents 1 MAC Address Configuration 1 1 Overview 1 1 Configuring MAC Addresses 1 2 Configuring a MAC Address Entry 1 2 Setting the Aging Time of MAC Address Entries 1 4 MAC Address Configuration Example 1 5 ...

Page 202: ... from a port port A for example 1 Checks the frame for the source MAC address MAC SOURCE for example 2 Looks up the MAC address table for an entry corresponding to the MAC address and do the following z If an entry is found for the MAC address updates the entry z If no entry containing the MAC address is found adds an entry that contains the MAC address and the receiving port port A to the MAC add...

Page 203: ...Configuring MAC Addresses MAC addresses configuration includes the configuring and displaying of MAC address entries and the setting of MAC address entry aging time Configuring a MAC Address Entry Select Network MAC from the navigation tree The system automatically displays the MAC tab which shows all the MAC address entries on the device as shown in Figure 1 2 Click Add in the bottom to enter the...

Page 204: ...1 3 Figure 1 2 The MAC tab Figure 1 3 Create a MAC address entry Table 1 1 shows the detailed configuration of creating a MAC address entry ...

Page 205: ...s blackhole MAC address entries z Learned indicates dynamic MAC address entries learned by the device z Other indicates types other than the ones mentioned above VLAN Set the ID of the VLAN to which the MAC address belongs Port Set the port to which the MAC address belongs Setting the Aging Time of MAC Address Entries Select Network MAC from the navigation tree and then select the Setup tab to ent...

Page 206: ... MAC address entry Select Network MAC from the navigation tree to enter the MAC tab and then click Add as shown in Figure 1 2 The page shown in Figure 1 5 appears Figure 1 5 Create a static MAC address entry Make the following configurations on the page shown in Figure 1 5 z Type in MAC address 00e0 fc35 dc71 z Select static in the Type drop down list z Select 1 in the VLAN drop down list z Select...

Page 207: ...oduction to MSTP 1 9 Why MSTP 1 9 Basic Concepts in MSTP 1 10 How MSTP Works 1 14 Implementation of MSTP on Devices 1 14 Protocols and Standards 1 15 Configuring MSTP 1 15 Configuration Task List 1 15 Configuring an MST Region 1 15 Configuring MSTP Globally 1 16 Configuring MSTP on a Port 1 19 Displaying MSTP Information of a Port 1 21 MSTP Configuration Example 1 23 Guidelines 1 28 ...

Page 208: ...o the IEEE 802 1d STP in the broad sense STP refers to the IEEE 802 1d STP and various enhanced spanning tree protocols derived from that protocol Protocol Packets of STP STP uses bridge protocol data units BPDUs also known as configuration messages as its protocol packets STP enabled network devices exchange BPDUs to establish a spanning tree BPDUs contain sufficient information for the network d...

Page 209: ...ble for forwarding BPDUs to this LAN segment The port through which the designated bridge forwards BPDUs to this LAN segment As shown in Figure 1 1 AP1 and AP2 BP1 and BP2 and CP1 and CP2 are ports on Device A Device B and Device C respectively z If Device A forwards BPDUs to Device B through AP1 the designated bridge for Device B is Device A and the designated port of Device B is port AP1 on Devi...

Page 210: ...an be maintained on a device z Hello time configuration BPDU interval z Forward delay the delay used by STP bridges to transit the state of the root and designated ports to forwarding For simplicity the descriptions and examples below involve only four fields in the configuration BPDUs z Root bridge ID represented by device priority z Root path cost z Designated bridge ID represented by device pri...

Page 211: ...ority z If all configuration BPDUs have the same S value their designated bridge IDs designated port IDs and the IDs of the receiving ports are compared in sequence The configuration BPDU containing a smaller ID wins out z Selection of the root bridge Initially each STP enabled device on the network assumes itself to be the root bridge with the root bridge ID being its own device ID By exchanging ...

Page 212: ...pology is stable only the root port and designated ports forward traffic while other ports are all in the blocked state they receive BPDUs but do not forward BPDUs or user traffic A tree shape topology forms upon successful election of the root bridge the root port on each non root bridge and the designated ports The following is an example of how the STP algorithm works As shown in Figure 1 2 ass...

Page 213: ...lly AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 z Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local port 1 0 1 BP2 is supe...

Page 214: ...2 z Then port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its own configuration BPDU Device C launches a BPDU update process z At the same time port CP1 receives periodic configuration BPDUs from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C After comparison z Be...

Page 215: ...se z If a path becomes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device will generate configuration BPDUs with itself as the root This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity However the newly calculated config...

Page 216: ...n is met The designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the forwarding state directly if the designated port is connected with a point to point link it can enter the forwarding state immediately after the device undergoes handshake with the downstream device and gets a response Introduction to MSTP Why MSTP Wea...

Page 217: ...concepts of MSTP based on the figure Figure 1 4 Basic concepts in MSTP CST Region A0 VLAN 1 mapped to instance 1 VLAN 2 mapped to instance 2 Other VLANs mapped to CIST Region B0 VLAN 1 mapped to instance 1 VLAN 2 mapped to instance 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to instance 1 VLAN 2 3 mapped to instance 2 Other VLANs mapped to CIST Region D0 VLAN 1 mapped to instance 1 B as r...

Page 218: ...cial MSTI In Figure 1 4 for example the CIST has a section in each MST region and this section is the IST in the respective MST region CST The CST is a single spanning tree that connects all MST regions in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP CSTs are indicated by red lines in Figure 1 4 CIST Jointly...

Page 219: ...t master port boundary port alternate port backup port and so on z Root port a port responsible for forwarding data to the root bridge z Designated port a port responsible for forwarding data to the downstream network segment or device z Master port a port on the shortest path from the current region to the common root bridge connecting the MST region to the common root bridge If the region is see...

Page 220: ...T regions Port states In MSTP port states fall into the following three z Forwarding the port learns MAC addresses and forwards user traffic z Learning the port learns MAC addresses but does not forward user traffic z Discarding the port does not learn MAC addresses or forwards user traffic A port can have different port states in different MSTIs A port state is not exclusively associated with a p...

Page 221: ...culation and at the same time MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation The CST and ISTs constitute the CIST of the entire network MSTI calculation Within an MST region MSTP generates different MSTIs for different VLANs based on the VLAN to MSTI mappings MSTP performs a separate calculation process which is similar to spanning t...

Page 222: ...apped to MSTI 0 Configuring MSTP Globally Required Enable MSTP globally and configure MSTP parameters By default MSTP is enabled globally and all MSTP parameters have default values Configuring MSTP on a Port Optional Enable MSTP on a port and configure MSTP parameters By default MSTP is enabled on a port and all MSTP parameters adopt the default values Displaying MSTP Information of a Port Option...

Page 223: ...ision Level Revision level of the MST region Instance ID Manual VLAN ID Manually add VLAN to MSTI mappings Click Apply to add the VLAN to MSTI mapping entries to the list below Modulo Modulo Value The device automatically maps 4094 VLANs to the corresponding MSTIs based on the modulo value Return to MSTP configuration task list Configuring MSTP Globally Select Network MSTP from the navigation tree...

Page 224: ...n be STP RSTP or MSTP z STP Each port on a device sends out STP BPDUs z RSTP Each port on a device sends out RSTP BPDUs and automatically migrates to STP compatible mode when detecting that it is connected with a device running STP z MSTP Each port on a device sends out MSTP BPDUs and automatically migrates to STP compatible mode when detecting that it is connected with a device running STP The wo...

Page 225: ...e diameter cannot be configured together with the timers Instance ID Root Type Instance Bridge Priority Set the role of the device in the MSTI or the bridge priority of the device which is one of the factors deciding whether the device can be elected as the root bridge Role of the device in the MSTI z Not Set Not set you can set the bridge priority of the device when selecting this role z Primary ...

Page 226: ...figuration on a port Table 1 10 describes the configuration items of configuring MSTP on a port Table 1 10 Configuration items of configuring MSTP on a port Item Description STP Select whether to enable STP on the port Protection Set the type of protection to be enabled on the port z Not Set No protection is enabled on the port z Edged Port Root Protection Loop Protection Refer to Table 1 11 ...

Page 227: ...nt z Force False Specifies that the link type for the port is not point to point link z Force True Specifies that the link type for the port is point to point link If a port is configured as connecting to a point to point link the setting takes effect for the port in all MSTIs If the physical link to which the port connects is not a point to point link and you force it to be a point to point link ...

Page 228: ... a root bridge which causes a new root bridge to be elected and network topology change to occur The root guard function is used to address such a problem Loop Protection Enable the loop guard function By keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports These BPDUs may get lost because of network congestion or unidirectional ...

Page 229: ...le of the port which can be Alternate Backup Root Designated Master or Disabled Port Priority The priority of the port Port Cost Legacy Path cost of the port The field in the bracket indicates the standard used for port path cost calculation which can be legacy dot1d 1998 or dot1t Config indicates the configured value and Active indicates the actual value Desg Bridge Port Designated bridge ID and ...

Page 230: ...ransmission interval in seconds Max hops Maximum hops of the current MST region Return to MSTP configuration task list MSTP Configuration Example Network requirements Configure MSTP in the network shown in Figure 1 11 to enable packets of different VLANs to be forwarded along different MSTIs The detailed configurations are as follows z All devices on the network are in the same MST region z Packet...

Page 231: ...the packets of which are permitted to pass this link Configuration procedure 1 Configure Switch A Configure an MST region z Select Network MSTP from the navigation tree to enter the page shown in Figure 1 12 Figure 1 12 The Region tab z Click Modify to enter the page for configuring MST regions as shown in Figure 1 13 ...

Page 232: ...o map VLAN 10 to MSTI 1 and add the VLAN to MSTI mapping entry to the VLAN to MSTI mapping list z Repeat the steps above to map VLAN 20 to MSTI 2 and VLAN 30 to MSTI 3 and add the VLAN to MSTI mapping entries to the VLAN to MSTI mapping list z Click Activate Configure MSTP globally z Select Network MSTP from the navigation tree and then click Global to enter the page for configuring MSTP globally ...

Page 233: ...Click Apply 2 Configure Switch B Configure an MST region The procedure here is the same as that of configuring an MST region on Switch A Configure MSTP globally z Select Network MSTP from the navigation tree and then click Global to enter the page for configuring MSTP globally See Figure 1 14 z Select Enable in the Enable STP Globally drop down list z Select MSTP in the Mode drop down list z Selec...

Page 234: ...e Figure 1 14 z Select Enable in the Enable STP Globally drop down list z Select MSTP in the Mode drop down list z Select the check box before Instance z Set the Instance ID field to 3 z Set the Root Type field to Primary z Click Apply 4 Configure Switch D Configure an MST region The procedure here is the same as that of configuring an MST region on Switch A Configure MSTP globally z Select Networ...

Page 235: ...rough physical links and share the same region name the same MSTP revision level and the same VLAN to MSTI mappings z If two or more devices have been designated to be root bridges of the same spanning tree instance MSTP will select the device with the lowest MAC address as the root bridge z If the device is not enabled with BPDU guard when a boundary port receives a BPDU from another port it tran...

Page 236: ...nfigure ports that are directly connected to terminals as boundary ports and enable BPDU guard for them In this way these ports can rapidly transit to the forwarding state and the network security can be ensured ...

Page 237: ...ing Mode of an Aggregation Group 1 4 Configuring Link Aggregation and LACP 1 4 Configuration Task List 1 4 Creating a Link Aggregation Group 1 5 Displaying Information of an Aggregate Interface 1 7 Setting LACP Priority 1 7 Displaying Information of LACP Enabled Ports 1 8 Link Aggregation and LACP Configuration Example 1 10 Configuration Guidelines 1 12 ...

Page 238: ...gation group is a collection of Ethernet interfaces When you create an aggregate interface an aggregation group numbered the same is created automatically depending on the type of the aggregate interface z If the aggregate interface is a Layer 2 interface a Layer 2 aggregation group is created You can assign only Layer 2 Ethernet interfaces to the group z If the aggregate interface is a Layer 3 in...

Page 239: ...rational key based on port attributes including the port rate duplex mode and link state configuration In an aggregation group all selected ports are assigned the same operational key Class two configurations The contents of class two configurations are listed in Table 1 1 In an aggregation group a member port different from the aggregate interface in the class two configurations cannot be a selec...

Page 240: ...te selected ports become selected ports When the limit is exceeded set the candidate selected ports with smaller port numbers in the selected state and those with greater port numbers in the unselected state z If all the member ports are down set their states to unselected z Set the ports that cannot aggregate with the reference port to the unselected state A port that joins the aggregation group ...

Page 241: ...ndidate selected ports is under the limit all the candidate selected ports are set to selected state When the limit is exceeded the system selects the candidate selected ports with smaller port IDs as the selected ports and set other candidate selected ports to unselected state At the same time the peer device being aware of the changes changes the state of its ports accordingly 2 Set the ports th...

Page 242: ...orts for the dynamic aggregation group automatically created by the system when you create the aggregate interface LACP is enabled automatically on all the member ports By default no link aggregation group exists Displaying Information of an Aggregate Interface Optional Perform this task to view detailed information of an existing aggregation group Setting LACP Priority Optional Perform the task t...

Page 243: ...lt in the Summary list box at the bottom of the page Specify Interface Type Set the type of the link aggregation interface to be created z Static LACP Disabled z Dynamic LACP Enabled Select port s for the link aggregation interface Select one or multiple ports to be assigned to the link aggregation group from the chassis front panel You can view the result in the Summary list box at the bottom of ...

Page 244: ...ace Link Type Type of the aggregate interface which can be static or dynamic Partner ID ID of the remote device including its LACP priority and MAC address Selected Ports Number of selected ports in each link aggregation group Only selected ports can transmit and receive user data Standby Ports Number of unselected ports in each link aggregation group Unselected ports cannot transmit or receive us...

Page 245: ...ity Select port s to apply Port Priority Select the ports where the port LACP priority you set will apply on the chassis front panel You can set LACP priority not only on LACP enabled ports but also on LACP disabled ports System Priority Set the LACP priority of the local system Return to Dynamic aggregation group configuration task list Displaying Information of LACP Enabled Ports Select Network ...

Page 246: ...led information about the peer port will be displayed on the lower part of the page Table 1 7 describes the fields on the Summary tab Table 1 7 Fields in the LACP enabled port summary table Field button Description Unit The ID of a device in a stack Port Port where LACP is enabled LACP State State of LACP on the port Port Priority LACP priority of the port State Active state of the port If a port ...

Page 247: ...is enabled on the link z G indicates that the receive state machine of the sending system is using the default operational partner information z H indicates that the receive state machine of the sending system is in the expired state Oper Key Operational key of the local port Table 1 8 describes the fields in the Partner Port Details table Table 1 8 Fields in the Partner Port Details table Field D...

Page 248: ...g 1 Approach 1 Create a static link aggregation group Create static link aggregation group 1 Select Network Link Aggregation from the navigation tree and then click Create to enter the page as shown in Figure 1 6 Figure 1 6 Create static link aggregation group 1 z Set the link aggregation interface ID to 1 z Select the Static LACP Disabled option for the aggregate interface type ...

Page 249: ... aggregation group 1 z Set the link aggregation interface ID to 1 z Select the Dynamic LACP Enabled option for aggregate interface type z Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the chassis front panel z Click Apply Configuration Guidelines Follow these guidelines when configuring a link aggregation group z In an aggregation group the port to be a selected p...

Page 250: ...n includes the configuration of the port rate duplex mode and link state z For details about class two configurations see section Class two configurations z To guarantee a successful static aggregation ensure that the ports at the two ends of each link to be aggregated are consistent in the selected unselected state to guarantee a successful dynamic aggregation ensure that the peer ports of the po...

Page 251: ...ion Task List 1 6 Enabling LLDP on Ports 1 7 Configuring LLDP Settings on Ports 1 8 Configuring Global LLDP Setup 1 12 Displaying LLDP Information for a Port 1 14 Displaying Global LLDP Information 1 19 Displaying LLDP Information Received from LLDP Neighbors 1 20 LLDP Configuration Examples 1 20 LLDP Basic Settings Configuration Example 1 20 CDP Compatible LLDP Configuration Example 1 25 LLDP Con...

Page 252: ... to the directly connected devices and at the same time stores the device information received in LLDPDUs sent from the LLDP neighbors in a standard management information base MIB It allows a network management system to fast detect Layer 2 network topology change and identify what the change is Basic Concepts LLDPDUs LLDP sends device information in LLDP data units LLDPDUs LLDPDUs are encapsulat...

Page 253: ...iption of the fields in a SNAP encapsulated LLDPDU Field Description Destination MAC address The MAC address to which the LLDPDU is advertised It is fixed to 0x0180 C200 000E a multicast MAC address Source MAC address The MAC address of the sending port If the port does not have a MAC address the MAC address of the sending bridge is used Type The SNAP encoded LLDP Ethernet type for the upper layer...

Page 254: ...ed in every LLDPDU Table 1 3 Basic LLDP TLVs Type Description Remarks Chassis ID Bridge MAC address of the sending device Port ID ID of the sending port If MED TLVs are included in the LLDPDU the port ID TLV carries the MAC address of the sending port or the bridge MAC in case the port does not have a MAC address If no MED TLVs are included the port ID TLV carries the port name Time To Live Life o...

Page 255: ...oice over IP VoIP such as basic configuration network policy configuration and address and directory management LLDP MED TLVs satisfy the voice device vendors requirements for cost effectiveness ease of deployment and ease of management In addition LLDP MED TLVs make deploying voice devices in Ethernet easier LLDP MED TLVs are shown in Table 1 6 Table 1 6 LLDP MED TLVs Type Description LLDP MED Ca...

Page 256: ...PDUs z Tx mode A port in this mode only sends LLDPDUs z Rx mode A port in this mode only receives LLDPDUs z Disable mode A port in this mode does not send or receive LLDPDUs Each time the LLDP operating mode of a port changes its LLDP protocol state machine re initializes To prevent LLDP from being initialized too frequently at times of frequent operating mode change an initialization delay which ...

Page 257: ... device to differentiate voice traffic from other types of traffic By configuring CDP compatibility you can enable LLDP on your device to receive and recognize CDP packets from Cisco IP phones and respond with CDP packets carrying the voice VLAN configuration TLV for the IP phones to configure the voice VLAN automatically Thus the voice traffic is confined in the configured voice VLAN to be differ...

Page 258: ...t where z The local LLDP information refers to the TLVs to be advertised by the local device to neighbors z The neighbor information refers to the TLVs received from neighbors Displaying Global LLDP Information Optional You can display the local global LLDP information and statistics Displaying LLDP Information Received from LLDP Neighbors Optional You can display the LLDP information received fro...

Page 259: ...Return to LLDP Configuration Task List Configuring LLDP Settings on Ports Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in Figure 1 4 You can configure LLDP settings on ports individually or in batch ...

Page 260: ...guring On the page displayed as shown in Figure 1 5 you can modify or view the LLDP settings of the port Figure 1 5 The page for modifying LLDP settings on a port z To configure LLDP settings on ports in batch select one or more ports and click Modify Selected The page shown in Figure 1 6 appears ...

Page 261: ...ting mode on the port or ports you are configuring Available options include z TxRx Sends and receives LLDPDUs z Tx Sends but not receives LLDPDUs z Rx Receives but not sends LLDPDUs z Disable Neither sends nor receives LLDPDUs Basic Settings Encapsulation Format Set the encapsulation for LLDPDUs Available options include z ETHII Encapsulates outgoing LLDPDUs in Ethernet II frames and processes an...

Page 262: ...the Global Setup tab Port Description Select to include the port description TLV in transmitted LLDPDUs System Capabilities Select to include the system capabilities TLV in transmitted LLDPDUs System Description Select to include the system description TLV in transmitted LLDPDUs System Name Select to include the system name TLV in transmitted LLDPDUs Base TLV Settings Management Address Select to ...

Page 263: ...ber in the location identification TLV in transmitted LLDPDUs and set the emergency call number Address MED TLV Setting Network Device Address Select Address to encode the civic address information of the network connectivity device in the location identification TLV in transmitted LLDPDUs In addition set the device type which can be a DHCP server switch or LLDP MED endpoint country code and netwo...

Page 264: ... of LLDP z To enable LLDP to be compatible with CDP on a port you must set the CDP work mode or the CDP operating mode on the port to TxRx in addition to enabling CDP compatibility on the Global Setup tab z As the maximum TTL allowed by CDP is 255 seconds you must ensure that the product of the TTL multiplier and the LLDPDU transmit interval is less than 255 seconds for CDP compatible LLDP to work...

Page 265: ...uently at times of frequent operating mode change initialization delay is introduced With this delay mechanism a port must wait for the specified interval before it can initialize LLDP after the LLDP operating mode changes Tx Delay Set LLDPDU transmit delay With LLDP enabled a port advertises LLDPDUs to its neighbors both periodically and when the local configuration changes To avoid excessive num...

Page 266: ... name z Agent circuit ID z Locally assigned namely the local configuration Power port class The power over Ethernet port class z PSE indicating a power supply device z PD indicating a powered device Port power classification Port power classification of the PD which can be z Unknown z Class0 z Class1 z Class2 z Class3 z Class4 Media policy type Available options include z Unknown z Voice z Voice s...

Page 267: ...s type Chassis ID type Available options include z Chassis component z Interface alias z Port component z MAC address z Network address z Interface name z Locally assigned namely local configuration Chassis ID Chassis ID depending on the chassis type which can be a MAC address of the device Port ID type Port ID type which can be z Interface alias z Port component z MAC address z Network address z ...

Page 268: ...endpoint device The class II endpoint devices support the media stream capabilities in addition to the capabilities of generic endpoint devices z Class III A communication endpoint device The class III endpoint devices directly support end users of the IP communication system Providing all capabilities of generic and media endpoint devices Class III endpoint devices are used directly by end users ...

Page 269: ...er source advertised by the neighbor which can be z Primary z Backup Port PSE priority Available options include z Unknown which indicates that PSE priority of the port is unknown z Critical which is priority level 1 z High which is priority level 2 z Low which is priority level 3 Figure 1 10 The Statistic Information tab Figure 1 11 The Status Information tab Return to LLDP Configuration Task Lis...

Page 270: ...network function advertised by the local device which can be z Bridge z Router Device class The device class advertised by the local device which can be z Connectivity device An intermediate device that provide network connectivity z Class I a generic endpoint device All endpoints that require the discovery service of LLDP belong to this category z Class II A media endpoint device The class II end...

Page 271: ...ation Task List LLDP Configuration Examples LLDP Basic Settings Configuration Example Network requirements As shown in Figure 1 14 a network management station is connected to Switch A over Ethernet and Switch A is connected to a MED device and Switch B through ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 respectively Configure LLDP on Switch A and Switch B so that the network management ...

Page 272: ... Ethernet ports Set the LLDP operating mode to Rx on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 z Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in Figure 1 15 Select port GigabitEthernet1 0 1 and GigabitEthernet1 0 2 and click Modify Selected The page shown in Figure 1 16 appears Figure 1 15 The Port Setup tab ...

Page 273: ... The page for setting LLDP on multiple ports z Select Rx from the LLDP Operating Mode dropdown list z Click Apply Enable global LLDP z Click the Global Setup tab as shown in Figure 1 17 Figure 1 17 The Global Setup tab ...

Page 274: ...Ethernet 1 0 1 z Select Network LLDP from the navigation tree to enter the Port Setup tab as shown in Figure 1 18 Click the icon for port GigabitEthernet1 0 1 The page shown in Figure 1 19 is displayed Figure 1 18 The Port Setup tab Figure 1 19 The page for configuring LLDP on the selected port z Select Tx from the LLDP Operating Mode dropdown list z Click Apply Enable global LLDP and configure th...

Page 275: ...ab at the lower half of the page The output shows that port GigabitEthernet 1 0 2 is connected to a non MED neighbor device that is Switch B as shown in Figure 1 20 Figure 1 20 The Status Information tab Tear down the link between Switch A and Switch B Display the status information of port GigabitEthernet1 0 2 on Switch A z Click Refresh The updated status information of port GigabitEthernet 1 0 ...

Page 276: ...in the voice VLAN to be separate from other types of traffic Figure 1 22 Network diagram for CDP compatible LLDP configuration Configuration procedure Create VLAN 2 z Select Network VLAN from the navigation bar and click Create to enter the page for creating VLANs shown in Figure 1 23 Figure 1 23 The page for creating VLANs z Type 2 in the VLAN IDs field z Click Create Configure GigabitEthernet 1 ...

Page 277: ...rt GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel z Click Apply Configure the voice VLAN function on the two ports z Select Network Voice VLAN from the navigation bar and click the Port Setup tab to enter the page for configuring the voice VLAN function on ports as shown in Figure 1 25 ...

Page 278: ... chassis front panel z Click Apply Enable LLDP on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 If LLDP is enabled the default skip this step Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 z Select Network LLDP from the navigation tree to enter the Port Setup tab Select port GigabitEthernet1 0 1 and GigabitEthern...

Page 279: ...1 28 Figure 1 26 The Port Setup tab ...

Page 280: ...s z Select TxRx from the LLDP Operating Mode dropdown list z Select TxRx from the CDP Operating Mode dropdown list z Click Apply Enable global LLDP and CDP compatibility of LLDP z Click the Global Setup tab as shown in Figure 1 28 Figure 1 28 The Global Setup tab ...

Page 281: ... 0 2 and obtained their device information LLDP Configuration Guidelines When configuring LLDP follow these guidelines 1 To make LLDP take effect you must enable it both globally and at port level 2 When selecting TLVs to send in LLDPDUs note that z To advertise LLDP MED TLVs you must include the LLDP MED capabilities set TLV z To remove the LLDP MED capabilities set TLV you must remove all other ...

Page 282: ...nism of IGMP Snooping 1 2 Protocols and Standards 1 4 Configuring IGMP Snooping 1 4 Configuration Task List 1 4 Enabling IGMP snooping Globally 1 5 Configuring IGMP Snooping in a VLAN 1 6 Configuring IGMP Snooping Port Functions 1 7 Display IGMP Snooping Multicast Entry Information 1 8 IGMP Snooping Configuration Examples 1 9 ...

Page 283: ...yer 2 However when IGMP snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 1 1 Multicast forwarding before and after IGMP snooping runs Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiver Multicast packets Layer 2 switch Mult...

Page 284: ...the switch to a multicast group member In the figure GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Switch A and GigabitEthernet 1 0 2 of Switch B are member ports A switch registers all its member ports in the IGMP snooping forwarding table z Whenever mentioned in this document a router port is a port on the switch that leads the switch to a Layer 3 multicast device rather than a port on a ro...

Page 285: ...he following z If no forwarding table entry exists for the reported group the switch creates an entry adds the port as a member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the reported group but the port is not included in the outgoing port list the switch adds the port as a member port to the outgoing port list and sta...

Page 286: ...roup that the host just left and sends an IGMP group specific query to that multicast group through the port that received the leave group message Upon hearing the IGMP group specific query the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group and performs the following to the port in case it is a dynamic member port before the member port ag...

Page 287: ... Optional Configure the maximum number of multicast groups allowed and the fast leave function for ports in the specified VLAN z IGMP snooping must be enabled globally before IGMP snooping can be enabled on a port z IGMP snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN Display IGMP Snooping Multicast Entry Information Optional Enabling IGMP snooping Global...

Page 288: ...able 1 3 describes the items for configuring IGMP snooping in a VLAN Table 1 3 Items for configuring IGMP snooping in a VLAN Item Description VLAN ID This field displays the ID of the VLAN to be configured IGMP Snooping Enable or disable IGMP snooping in the VLAN You can proceed with the subsequent configurations only if Enable is selected here Version By configuring an IGMP snooping version you a...

Page 289: ...ork without Layer 3 multicast devices no IGMP querier related function can be implemented because a Layer 2 device does not support IGMP To address this issue you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at data link layer thereby implementing IGMP querier related functions Query interval Configure the IGMP query...

Page 290: ...rding entries persistent on that port from the IGMP snooping forwarding table and the hosts on this port need to join the multicast groups again Fast Leave Enable or disable the fast leave function for the port With the fast leave function enabled on a port the switch when receiving an IGMP leave message on the port immediately deletes that port from the outgoing port list of the corresponding for...

Page 291: ...ration task list IGMP Snooping Configuration Examples Network requirements z As shown in Figure 1 8 Router A connects to a multicast source Source through Ethernet 1 2 and to Switch A through Ethernet 1 1 z The multicast source sends multicast data to group 224 1 1 1 Host A is a receiver of the multicast group z IGMPv2 runs on Router A and IGMP snooping version 2 runs on Switch A z The function of...

Page 292: ...teps are omitted 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on Ethernet 1 1 The detailed configuration steps are omitted 3 Configure Switch A Create VLAN 100 and add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to VLAN 100 z Select Network VLAN in the navigation tree and click the Create tab to enter the configuration page shown in Figur...

Page 293: ...1 11 Figure 1 9 Create VLAN 100 z Type the VLAN ID 100 z Click Apply to complete the operation z Click the Modify Port tab to enter the configuration page shown in Figure 1 10 ...

Page 294: ...n the Select Ports field z Select the Untagged radio button for Select membership type z Type the VLAN ID 100 z Click Apply to complete the operation Enable IGMP snooping globally z Select Network IGMP snooping in the navigation tree to enter the basic configuration page and perform the following as shown in Figure 1 11 ...

Page 295: ...age and perform the following configurations as shown in Figure 1 12 Figure 1 12 Configure IGMP snooping in the VLAN z Select the Enable radio buttion for IGMP snooping and 2 for Version z Select the Enable radio buttion for Drop Unknown z Select the Disable radio button for Querier z Click Apply to complete the operation Enable the fast leave function for GigabitEthernet 1 0 3 z Click the Advance...

Page 296: ...ve z Click Apply to complete the operation Configuration verification Display the IGMP snooping multicast entry information on Switch A z Select Network IGMP Snooping in the navigation tree to enter the basic configuration page z Click the plus sign in front of Show Entries in the basic VLAN configuration page to display information about IGMP snooping multicast entries as shown in Figure 1 14 ...

Page 297: ... corresponding to the multicast entry 0 0 0 0 224 1 1 1 to view details about this entry as shown in Figure 1 15 Figure 1 15 Details about an IGMP snooping multicast entry As shown above GigabitEthernet 1 0 3 of Switch A is listening to multicast streams destined for multicast group 224 1 1 1 ...

Page 298: ...ration 1 1 Overview 1 1 Routing Table 1 1 Static Route 1 1 Default Route 1 2 Configuring IPv4 Routing 1 2 Displaying the IPv4 Active Route Table 1 2 Creating an IPv4 Static Route 1 3 Static Route Configuration Examples 1 4 Precautions 1 8 ...

Page 299: ...ress Destination IP address or destination network z Mask Specifies together with the destination address the address of the destination network z Outbound interface Specifies the interface through which a matching IP packet is to be forwarded z Nexthop Specifies the address of the next hop router on the path z Preference for the route Routes to the same destination may be found by various routing...

Page 300: ... If there is no default route the packet will be discarded and an ICMP packet will be sent to the source to report that the destination is unreachable You can configure the default route an IPv4 static default route has both its destination IP address and mask configured as 0 0 0 0 Configuring IPv4 Routing Displaying the IPv4 Active Route Table Select Network IPv4 Routing from the navigation tree ...

Page 301: ...rom the navigation tree and click the Create tab to enter the IPv4 static route configuration page as shown in Figure 1 2 Figure 1 2 Create an IPv4 static route Table 1 2 describes the IPv4 static route configuration items Table 1 2 IPv4 static route configuration items Item Description Destination IP Address Type the destination host or network IP address in dotted decimal notation Mask Type the ...

Page 302: ...sses of devices are shown in Figure 1 3 IPv4 static routes need to be configured on Switch A Switch B and Switch C for any two hosts to communicate with each other Figure 1 3 Network diagram for IPv4 static route configuration Configuration outlines 1 On Switch A configure a default route with Switch B as the next hop 2 On Switch B configure one static route with Switch A as the next hop and the o...

Page 303: ...elect 0 0 0 0 0 from the Mask drop down list z Type 1 1 4 2 for Next Hop z Click Apply Configure a static route to Switch A and Switch C respectively on Switch B z After you log in to the Web interface of Switch B select Network IPv4 Routing from the navigation tree and then click the Create tab to enter the page shown in Figure 1 5 ...

Page 304: ...4 1 for Next Hop z Click Apply z Type 1 1 3 0 for Destination IP Address z Select 24 255 255 255 0 from the Mask drop down list z Type 1 1 5 6 for Next Hop z Click Apply Configure a default route to Switch B on Switch C z After you log in to the Web interface of Switch C select Network IPv4 Routing from the navigation tree and then click the Create tab to enter the page as shown in Figure 1 6 ...

Page 305: ...the newly configured static routes are displayed as active routes on the page Use the ping command for verification Ping Host B from Host A assuming both hosts run Windows XP C Documents and Settings Administrator ping 1 1 3 2 Pinging 1 1 3 2 with 32 bytes of data Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 ...

Page 306: ...efault preference 2 When configuring a static route the static route does not take effect if you specify the next hop address first and then configure it as the IP address of a local interface such as a VLAN interface 3 When specifying the output interface note that z If NULL 0 interface is specified as the output interface there is no need to configure the next hop address z If you want to specif...

Page 307: ... Agent Configuration Task List 2 2 Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent 2 3 Creating a DHCP Server Group 2 4 Enabling the DHCP Relay Agent on an Interface 2 5 Configuring and Displaying Clients IP to MAC Bindings 2 6 DHCP Relay Agent Configuration Example 2 6 3 DHCP Snooping Configuration 3 1 DHCP Snooping Overview 3 1 Functions of DHCP Snooping 3 1 Applicatio...

Page 308: ...rations on hosts become more complex The Dynamic Host Configuration Protocol DHCP was introduced to solve these problems DHCP is built on a client server model in which a client sends a configuration request and then the server returns a reply to send configuration parameters such as an IP address to the client A typical DHCP application as shown in Figure 1 1 includes a DHCP server and multiple c...

Page 309: ... DHCP OFFER is determined by the flag field in the DHCP DISCOVER message 3 If several DHCP servers send offers to the client the client accepts the first received offer and broadcasts it in a DHCP REQUEST message to request the IP address formally 4 All DHCP servers receive the DHCP REQUEST message but only the server from which the client accepts the offered IP address returns a DHCP ACK message ...

Page 310: ...in bytes Figure 1 3 DHCP message format op 1 0 7 15 htype 1 hlen 1 hops 1 xid 4 23 31 secs 2 flags 2 ciaddr 4 yiaddr 4 siaddr 4 giaddr 4 chaddr 16 sname 64 file 128 options variable z op Message type defined in option field 1 REQUEST 2 REPLY z htype hlen Hardware address type and length of a DHCP client z hops Number of relay agents a request message traveled z xid Transaction ID a random number c...

Page 311: ... option z Option 53 DHCP message type option It identifies the type of the DHCP message z Option 55 Parameter request list option It is used by a DHCP client to request specified configuration parameters The option contains values that correspond to the parameters requested by the client z Option 66 TFTP server name option It specifies a TFTP server to be assigned to the client z Option 67 Bootfil...

Page 312: ... specify the code type for the sub options as ASCII or HEX The padding contents for sub options in the normal padding format are as follows z Sub option 1 Padded with the VLAN ID and interface number of the interface that received the client s request The following figure gives its format The value of the sub option type is 1 and that of the circuit ID type is 0 Figure 1 5 Sub option 1 in normal p...

Page 313: ...t to obtain configuration parameters Thus DHCP clients on different subnets can contact the same DHCP server and centralized management and cost reduction are achieved Fundamentals Figure 2 1 shows a typical application of the DHCP relay agent Figure 2 1 DHCP relay agent application IP network DHCP server DHCP relay agent DHCP client DHCP client DHCP client DHCP client No matter whether a relay ag...

Page 314: ... DHCP Relay Agent Required Enable DHCP globally and configure advanced DHCP parameters By default global DHCP is disabled Creating a DHCP Server Group Required To improve reliability you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group When the interface receives requesting messages from clients the relay agent will for...

Page 315: ...so that users can access external network using fixed IP addresses By default no static binding is created Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent Select Network DHCP from the navigation tree to enter the default DHCP Relay page Enable or disable DHCP in the DHCP Service field Click Display Advanced Configuration to expand the advanced DHCP relay agent configurat...

Page 316: ...P server to relinquish its IP address In this case the DHCP relay agent simply conveys the message to the DHCP server thus it does not remove the IP address from dynamic client entries To solve this problem the periodic refresh of dynamic client entries feature is introduced With this feature the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface...

Page 317: ...face to enter the page shown in Figure 2 5 Figure 2 5 Configure a DHCP relay agent interface Table 2 3 describes the DHCP relay agent interface configuration items Table 2 3 DHCP relay agent interface configuration items Item Description Interface Name This field displays the name of a specific interface DHCP Relay Enable or disable the DHCP relay agent on the interface Address Match Check Enable ...

Page 318: ...tems Table 2 4 Static IP to MAC binding configuration items Item Description IP Address Type the IP address of a DHCP client MAC Address Type the MAC address of the DHCP client Interface Name Select the Layer 3 interface connected with the DHCP client The interface of a static binding entry must be configured as a DHCP relay agent otherwise address entry conflicts may occur Return to DHCP Relay Ag...

Page 319: ...en DHCP clients and the DHCP server Figure 2 8 Network diagram for DHCP relay agent configuration Configuration procedure 1 Specify IP addresses for interfaces omitted 2 Configure the DHCP relay agent Enable DHCP z Select Network DHCP from the navigation tree to enter the default DHCP Relay page Perform the following operations as shown in Figure 2 9 ...

Page 320: ...ply Configure a DHCP server group z In the Server Group field click Add and then perform the following operations as shown in Figure 2 10 Figure 2 10 Add a DHCP server group z Type 1 for Server Group ID z Type 10 1 1 1 for IP Address z Click Apply Enable the DHCP relay agent on VLAN interface 1 ...

Page 321: ...1 Enable the DHCP relay agent on an interface and correlate it with a server group z Click on the Enable radio button next to DHCP Relay z Select 1 for Server Group ID z Click Apply Because the DHCP relay agent and server are on different subnets you need to configure a static route or dynamic routing protocol to make them reachable to each other ...

Page 322: ...P servers Recording IP to MAC mappings of DHCP clients DHCP snooping reads DHCP REQUEST messages and DHCP ACK messages from trusted ports to record DHCP snooping entries including MAC addresses of clients IP addresses obtained by the clients ports that connect to DHCP clients and VLANs to which the ports belong Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is a...

Page 323: ...ient can obtain an IP address from the authorized DHCP server Configuring trusted ports in a cascaded network In a cascaded network involving multiple DHCP snooping devices the ports connected to other DHCP snooping devices should be configured as trusted ports To save system resources you can disable the trusted ports which are indirectly connected to DHCP clients from recording clients IP to MAC...

Page 324: ...vice will remove the Option 82 before forwarding the reply to the client If the reply contains no Option 82 the DHCP snooping device forwards it directly If a client s requesting message has Handling strategy The DHCP snooping device will Drop Drop the message Keep Forward the message without changing Option 82 Option 82 Replace Forward the message after replacing the original Option 82 with the O...

Page 325: ...en click the DHCP Snooping tab to enter the page shown in Figure 3 3 You can enable or disable DHCP snooping in the DHCP Snooping field Figure 3 3 DHCP snooping configuration page z To enable DHCP snooping click on the Enable radio button in the DHCP Snooping field z To disable DHCP snooping click on the Disable radio button in the DHCP Snooping field Return to DHCP Snooping Configuration Task Lis...

Page 326: ...82 Support Configure DHCP snooping to support Option 82 or not Option 82 Strategy Select the handling strategy for DHCP requests containing Option 82 The strategies include z Drop The message is discarded if it contains Option 82 z Keep The message is forwarded without its Option 82 being changed z Replace The message is forwarded after its original Option 82 is replaced with the Option 82 padded ...

Page 327: ...onfiguration Example Network requirements As shown in Figure 3 6 a DHCP snooping device Switch B is connected to a DHCP server through GigabitEthernet 1 0 1 and to DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 z Enable DHCP snooping on Switch B and configure DHCP snooping to support Option 82 Configure the handling strategy for DHCP requests containing Option 82 as replace z...

Page 328: ...radio button next to DHCP Snooping Configure DHCP snooping functions on GigabitEthernet 1 0 1 z Click the icon of GigabitEthernet 1 0 1 on the interface list Perform the following operations on the DHCP Snooping Interface Configuration page shown in Figure 3 8 ...

Page 329: ...own in Figure 3 9 Figure 3 9 Configure DHCP snooping functions on GigabitEthernet 1 0 2 z Click on the Untrust radio button for Interface State z Click on the Enable radio button next to Option 82 Support z Select Replace for Option 82 Strategy z Click Apply Configure DHCP snooping functions on GigabitEthernet 1 0 3 z Click the icon of GigabitEthernet 1 0 3 on the interface list Perform the follow...

Page 330: ...3 9 z Click on the Untrust radio button for Interface State z Click on the Enable radio button next to Option 82 Support z Select Replace for Option 82 Strategy z Click Apply ...

Page 331: ...i Table of Contents 1 Service Management 1 1 Overview 1 1 Configuring Service Management 1 2 ...

Page 332: ... it protects devices against attacks such as IP spoofing and plain text password interception SFTP service The secure file transfer protocol SFTP is a new feature in SSH2 0 SFTP uses the SSH connection to provide secure data transfer The device can serve as the SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SF...

Page 333: ...ure 1 1 Service management Table 1 1 shows the detailed configuration for service management Table 1 1 Service management configuration items Item Description Enable FTP service Specifies whether to enable the FTP service The FTP service is disabled by default FTP ACL Associates the FTP service with an ACL Only the clients that pass the ACL filtering are permitted to use the FTP service You can vi...

Page 334: ...configuration item by clicking the expanding button in front of HTTP Enable HTTPS service Specifies whether to enable the HTTPS service The HTTPS service is disabled by default Port Number Sets the port number for HTTPS service You can view this configuration item by clicking the expanding button in front of HTTPS When you modify a port ensure that the port is not used by other service ACL Associa...

Page 335: ...i Table of Contents 1 Diagnostic Tools 1 1 Overview 1 1 Ping 1 1 Trace Route 1 1 Diagnostic Tool Operations 1 2 Ping Operation 1 2 Trace Route Operation 1 3 ...

Page 336: ...ing operation include number of packets sent number of echo reply messages received percentage of messages not received and the minimum average and maximum response time Trace Route By using the trace route command you can display the Layer 3 devices involved in delivering a packet from source to destination This function is useful for identification of failed node s in the event of network failur...

Page 337: ...gnostic Tools from the navigation tree to enter the ping configuration page as shown in Figure 1 1 Figure 1 1 Ping configuration page Type the IPv4 address of the destination device in the Ping text box and click Start to execute the ping command You will see the result in the Summary area Figure 1 2 Ping operation result ...

Page 338: ... of ICMP timeout and destination unreachable packets Select Network Diagnostic Tools from the navigation tree and then select the Trace Route to enter the Trace Route configuration page as shown in Figure 1 3 Figure 1 3 Trace Route configuration page Type the destination IP address in the Trace Route text box and click Start to execute the trace route command You will see the result in the Result ...

Page 339: ...tries 1 3 Displaying ARP Entries 1 3 Creating a Static ARP Entry 1 4 Static ARP Configuration Example 1 4 Gratuitous ARP 1 8 Introduction to Gratuitous ARP 1 8 Configuring Gratuitous ARP 1 8 2 ARP Attack Defense Configuration 2 1 ARP Detection 2 1 Introduction to ARP Detection 2 1 Configuring ARP Detection 2 4 Creating a Static Binding Entry 2 5 ...

Page 340: ...e mapped The hexadecimal value 0x0800 represents IP z Hardware address length and protocol address length They respectively specify the length of a hardware address and a protocol address in bytes For an Ethernet address the value of the hardware address length field is 6 For an IP v4 address the value of the protocol address length field is 4 z OP Operation code This field specifies the type of t...

Page 341: ... the reply to Host A z After receiving the ARP reply Host A adds the MAC address of Host B to its ARP table Meanwhile Host A encapsulates the IP packet and sends it out Figure 1 2 ARP address resolution process If Host A is not on the same subnet with Host B Host A first sends an ARP request to the gateway The target IP address in the ARP request is the IP address of the gateway After obtaining th...

Page 342: ... IP address and the MAC address z A non permanent static ARP entry has only an IP address and a MAC address configured It cannot be directly used for forwarding data If a non permanent static ARP entry matches an IP packet to be forwarded the device sends an ARP request first If the sender IP and MAC addresses in the received ARP reply are the same as those in the non permanent static ARP entry th...

Page 343: ...ddress Type a MAC address for the static ARP entry VLAN ID Advanced Options Port Type a VLAN ID and specify a port for the static ARP entry The VLAN ID must be the ID of the VLAN that has already been created and the port must belong to the VLAN The corresponding VLAN interface must have been created Static ARP Configuration Example Network Requirements As shown in Figure 1 5 hosts are connected t...

Page 344: ...om the navigation tree click the Add tab and then perform the following operations as shown in Figure 1 6 Figure 1 6 Create VLAN 100 z Type 100 for VLAN ID z Click Create to complete the configuration Add GigabitEthernet 1 0 1 to VLAN 100 z Click the Modify Port tab and then perform the following operations as shown in Figure 1 7 ...

Page 345: ...pe field z Type 100 for VLAN IDs z Click Apply A configuration progress dialog box appears as shown in Figure 1 8 Figure 1 8 Configuration progress dialog box z After the configuration process is complete click Close Create VLAN interface 100 z Select Network VLAN Interface from the navigation tree click the Create tab and then perform the following operations as shown in Figure 1 9 ...

Page 346: ...ess z Select 24 255 255 255 0 for Mask Length z Click Apply to complete the configuration Create a static ARP entry z Select Network ARP Management from the navigation tree to enter the default ARP Table page Click Add Perform the following operations as shown in Figure 1 10 Figure 1 10 Create a static ARP entry z Type 192 168 1 1 for IP Address z Type 00e0 fc01 0000 for MAC Address ...

Page 347: ...so that they can update their ARP entries A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry exists in the cache An attacker sends spoofed gratuitous ARP packets to hosts on a network As a result traffic that the hosts want to send to the gateway is sent to the attacker instead and the hosts cann...

Page 348: ...ous ARP packets sending settings Select interfaces for sending gratuitous ARP packets and type the sending period To add an interface to the Sending Interfaces Period list box select the interface from the Available Interfaces list box type the sending period and click the button To remove an interface from the Sending Interfaces Period list box select the interface from the list box and click the...

Page 349: ...mapping table This design reduces the ARP traffic on the network but also makes ARP spoofing possible As shown in Figure 2 1 Host A communicates with Host C through a switch After intercepting the traffic between Host A and Host C a hacker Host B forwards forged ARP replies to Host A and Host C respectively Upon receiving the ARP replies the two hosts update the MAC address corresponding to the pe...

Page 350: ...VLAN z Upon receiving an ARP packet from an ARP untrusted port the device compares the ARP packet against the DHCP snooping entries If a match is found that is the parameters such as IP address MAC addresses port index and VLAN ID are consistent the ARP packet passes the check if not the ARP packet cannot pass the check z Upon receiving an ARP packet from an ARP trusted port the device does not ch...

Page 351: ...and ARP detection based on 802 1X security entries on your access device After that the access device uses mappings between IP addresses MAC addresses VLAN IDs and ports of 802 1X authentication clients for ARP detection If all the detection types are specified the system uses IP to MAC bindings first then DHCP snooping entries and then 802 1X security entries If an ARP packet fails to pass ARP de...

Page 352: ... the default ARP Detection page shown in Figure 2 2 Figure 2 2 ARP Detection configuration page Table 2 1 describes the ARP Detection configuration items Table 2 1 ARP Detection configuration items Item Description VLAN Settings Select VLANs on which ARP detection is to be enabled To add VLANs to the Enabled VLAN list box select one or multiple VLANs from the Disabled VLAN list box and click the b...

Page 353: ...ty entries If a match is found the packet is considered to be valid otherwise the packet is discarded If none of the above is selected all ARP packets are considered to be invalid z Before enabling ARP detection based on DHCP snooping entries make sure that DHCP snooping is enabled z Before enabling ARP detection based on 802 1X security entries make sure that 802 1X is enabled and the 802 1X clie...

Page 354: ...ching IP address but a different MAC address is found the ARP packet is considered invalid and discarded If an entry with both matching IP and MAC addresses is found the ARP packet is considered valid and can pass the detection ...

Page 355: ...ation Triggering 1 5 Authentication Process of 802 1X 1 5 802 1X Timers 1 8 802 1X Extensions 1 9 Features Working Together with 802 1X 1 9 Configuring 802 1X 1 10 Configuration Task List 1 10 Configuring 802 1X Globally 1 11 Configuring 802 1X on a Port 1 12 Configuration Examples 1 14 802 1X Configuration Example 1 14 ACL Assignment Configuration Example 1 20 Configuration Guidelines 1 28 ...

Page 356: ...ent Client is usually a user end device such as a PC 802 1X authentication is triggered when an 802 1X capable client program is launched on Client The client program must support Extensible Authentication Protocol over LAN EAPOL z Device residing at the other end of the LAN segment authenticates connected clients Device is usually an 802 1X enabled network device and provides access ports physica...

Page 357: ...orts z The uncontrolled port is always open in both the inbound and outbound directions to allow EAPOL protocol packets to pass guaranteeing that the client can always send and receive authentication packets z The controlled port is open to allow data traffic to pass only when it is in the authorized state Authorized state and unauthorized state A controlled port can be in either authorized state ...

Page 358: ... types that the device currently supports Table 1 1 Types of EAPOL frames Type Description EAP Packet a value of 0x00 Packet for carrying authentication information present between the device and the authentication server A packet of this type is repackaged and transferred by RADIUS on the device to get through complex networks to reach the authentication server EAPOL Start a value of 0x01 Packet ...

Page 359: ...he Data field in an EAP request response packet Identifier Helps match responses with requests Length Length of the EAP packet including the Code Identifier Length and Data fields in bytes Data Content of the EAP packet Its format is determined by the Code field EAP over RADIUS Two attributes of RADIUS are intended for supporting EAP authentication EAP Message and Message Authenticator For informa...

Page 360: ...C address as the destination address This solution requires the iNode 802 1X client Unsolicited triggering of the device The device can trigger authentication by sending EAP Request Identity packets to unauthenticated clients periodically every 30 seconds by default This method can be used to authenticate clients that cannot send EAPOL Start packets unsolicitedly to trigger authentication for exam...

Page 361: ...ntity packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 4 Upon receiving the EAP Response Identity packet the device relays the packet in a RADIUS Access Request packet to the authentication server 5 When receiving the RADIUS Access Request packet the RADIUS server compares the identify information against its user information table to obtain...

Page 362: ... concludes that the client has gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 11 The client can also send an EAPOL Logoff frame to the device to go offline unsolicitedly In this case the device changes the status of the port from authorized to unauthorized and sends an EAP Failure packet to the client In EAP relay mode a clie...

Page 363: ...This section describes the timers used on an 802 1X device to guarantee that the client the device and the RADIUS server can interact with each other in a reasonable manner z Username request timeout timer This timer is triggered by the device in two cases The first case is when the client requests for authentication The device starts this timer when it sends an EAP Request Identity packet to a cl...

Page 364: ...the port passes authentication all subsequent users of the port can access network resources without authentication However when the authenticated user goes offline the others are denied as well Features Working Together with 802 1X VLAN assignment After an 802 1X user passes the authentication the server will send an authorization message to the device If the server is configured with the VLAN as...

Page 365: ...02 1X cannot implement the authentication method solely by itself RADIUS or local authentication must be configured to work with 802 1X Therefore before the 802 1X configuration you need to configure the following z Configure the ISP domain to which the 802 1X user belongs and the AAA method to be used that is local authentication or RADIUS authentication z For remote RADIUS authentication the use...

Page 366: ...own in Figure 1 10 In the 802 1X Configuration area you can view and configure the 802 1X feature globally Figure 1 10 802 1X configuration page Table 1 3 lists global 802 1X configuration items Table 1 3 Global 802 1X configuration items Item Description Enable 802 1X Enable or disable 802 1X authentication globally Authentication Method Specify the authentication method for 802 1X users Options ...

Page 367: ...evice will send an authentication request only once even if it does not receive any response from the client within the set interval 2 means that the device will send an authentication request again if it does not receive any response from the client within the set interval and so forth TX Period Specify the transmission interval Handshake Period Specify the handshake interval Re Authenticati on P...

Page 368: ...ified port is unauthorized and becomes authorized when the authentication is successful This mode is commonly applied z Force Authorized The specified port is always in the authorized state z Force Unauthorized The specified port is always in the unauthorized state Max Number of Users Specify the maximum number of users allowed on the specified port HandShake Specify whether to enable the online u...

Page 369: ... authentication primary accounting server z Set the shared key for the device to exchange packets with the authentication server as name and that for the device to exchange packets with the accounting server as money z Specify the device to try up to five times at an interval of 5 seconds in transmitting a packet to the RADIUS server until it receives a response from the server and to send real ti...

Page 370: ...ration Enable and configure 802 1X on port GigabitEthernet 1 0 1 z In the Ports With 802 1X Enabled area click Add Figure 1 14 802 1X configuration of GigabitEthernet 1 0 1 Perform the following configurations as shown in Figure 1 14 z Select port GigabitEthernet1 0 1 from the port drop down list z Select the checkbox before Enable Re Authentication z Click Apply to finish the operation 3 Configur...

Page 371: ...rver type z Enter the primary server IP address 10 1 1 1 z Select active as the primary server s status z Enter the secondary server IP address 10 1 1 2 z Select active as the secondary server s status z Click Apply Configure the RADIUS accounting servers Figure 1 16 RADIUS accounting server configuration Perform the following configurations as shown in Figure 1 16 z Select Accounting Server as th...

Page 372: ... parameter configuration z Select extended as the server type z Select the Authentication Server Shared Key checkbox and enter name in the textbox z Enter name again in the Confirm Authentication Shared Key textbox z Select the Accounting Server Shared Key checkbox and enter money in the textbox z Enter money again in the Confirm Accounting Shared Key textbox z Enter 5 in the Timeout Interval text...

Page 373: ...lect Enable to use the domain as the default domain z Click Apply to finish the operation Configure the AAA authentication method for the ISP domain z Select the Authentication tab Perform the following configurations as shown in Figure 1 19 Figure 1 19 Configure the AAA authentication method for the ISP domain z Select the domain name test z Select the Default AuthN checkbox and then select RADIU...

Page 374: ... following configuration as shown in Figure 1 21 Figure 1 21 Configure the AAA authorization method for the ISP domain z Select the domain name test z Select the Default AuthZ checkbox and then select RADIUS as the authorization mode z Select system from the Name drop down list to use it as the authorization scheme z Click Apply A configuration progress dialog box appears z After the configuration...

Page 375: ...ication servers iMC servers work together to authenticate the host that is to access the Internet An FTP server is on the Internet and its IP address is 10 0 0 1 z Configure the authentication server to assign ACL 3000 z Enable 802 1X for port GigabitEthernet 1 0 1 and configure ACL 3000 on the switch After a user passes authentication the authentication server assigns ACL 3000 At this time ACL 30...

Page 376: ...ration Perform the following configurations as shown in Figure 1 24 z Select Authentication Server as the server type z Enter the primary server IP address 10 1 1 1 z Enter the primary server UDP port number 1812 z Select active as the primary server status z Click Apply Configure the RADIUS accounting server Figure 1 25 RADIUS accounting server configuration Perform the following configurations a...

Page 377: ...configurations as shown in Figure 1 26 z Select extended as the server type z Select the Authentication Server Shared Key checkbox and enter abc in the textbox z Enter abc again in the Confirm Authentication Shared Key textbox z Select the Accounting Server Shared Key checkbox and enter abc in the textbox z Enter abc again in the Confirm Accounting Shared Key textbox z Select without domain as the...

Page 378: ... Select Enable to use the domain the default domain z Click Apply to finish the operation Configure the AAA authentication method for the ISP domain z Select the Authentication tab Figure 1 28 Configure the AAA authentication method for the ISP domain Perform the following configurations as shown in Figure 1 28 z Select the domain name test ...

Page 379: ... the ISP domain z Select the Authorization tab Figure 1 30 Configure the AAA authorization method for the ISP domain Perform the following configuration as shown in Figure 1 30 z Select the domain name test z Select the Default AuthZ checkbox and then select RADIUS as the authorization mode z Select system from the Name drop down list to use it as the authorization scheme z Click Apply The configu...

Page 380: ...stem from the Name drop down list to use it as the accounting scheme z Click Apply The configuration progress dialog box appears z After seeing the prompt of configuration success click Close to finish the operation 4 Configure an ACL Create ACL 3000 that denies packets with destination IP address 10 0 0 1 z From the navigation tree select QoS ACL IPv4 to enter the IPv4 ACL configuration page and ...

Page 381: ...ACL rule configuration Perform the following configurations as shown in Figure 1 33 z Select 3000 from the Select Access Control List ACL drop down list z Select the Rule ID check box and enter 0 as the rule ID z Select Deny as the operation action z In the IP Address Filter area select the Destination IP Address check box and enter 10 0 0 1 in the text box ...

Page 382: ... 1X to enter the 802 1X configuration page Figure 1 34 Global 802 1X globally Perform the following configuration as shown in Figure 1 34 z Select the check box before Enable 802 1X z Select the authentication method as CHAP z Click Apply to finish the operation Enable 802 1X on port GigabitEthernet 1 0 1 z In the Ports With 802 1X Enabled area click Add Figure 1 35 802 1X configuration of Gigabit...

Page 383: ...02 1X and 802 1X on the specific port are enabled 2 Do not change the timer parameters of global 802 1X from their default values unless you have determined that the changes would better the interaction process in some special network environment 3 A port enabled with 802 1X cannot be added to an aggregation group Meanwhile it is prohibited to enable 802 1X on a port that belongs to an aggregation...

Page 384: ... 2 Configuring AAA 1 2 Configuration Prerequisites 1 2 Configuration Task List 1 2 Configuring an ISP Domain 1 3 Configuring Authentication Methods for the ISP Domain 1 4 Configuring Authorization Methods for the ISP Domain 1 6 Configuring Accounting Methods for the ISP Domain 1 7 AAA Configuration Example 1 8 ...

Page 385: ...ver exchange user information between them In the AAA network shown in Figure 1 1 there are two RADIUS servers You can determine which of the authentication authorization and accounting functions should be assumed by which servers For example you can use RADIUS server 1 for authentication and authorization and RADIUS server 2 for accounting The three security functions are described as follows z A...

Page 386: ...erid part the username for authentication and the isp name part the ISP domain name In a networking scenario with multiple ISPs an access device may connect users of different ISPs As users of different ISPs may have different user attributes such as username and password structure service type and rights you need to configure ISP domains to distinguish the users In addition you need to configure ...

Page 387: ...ization Methods for the ISP Domain Optional Specify the authorization methods for various types of users By default all types of users use local authorization Configuring Accounting Methods for the ISP Domain Required Specify the accounting methods for various types of users By default all types of users use local accounting AAA user types include LAN access users such as 802 1X authentication use...

Page 388: ...Domain Specify whether to use the ISP domain as the default domain z Enable Uses the domain as the default domain z Disable Uses the domain as a non default domain There can only be one default domain at a time If you specify a second domain as the default domain the original default domain will become a non default domain Return to Configuration Task List Configuring Authentication Methods for th...

Page 389: ...tore the default that is local authentication LAN access AuthN Name Secondary Method Configure the authentication method and secondary authentication method for LAN access users Options include z Local Performs local authentication z None All users are trusted and no authentication is performed Generally this mode is not recommended z RADIUS Performs RADIUS authentication You need to specify the R...

Page 390: ...uthorization method and secondary authorization method for all types of users Options include z Local Performs local authorization z None All users are trusted and authorized A user gets the corresponding default rights of the system z RADIUS Performs RADIUS authorization You need to specify the RADIUS scheme to be used z Not Set Restore the default that is local authorization LAN access AuthZ Nam...

Page 391: ... 5 Figure 1 5 Accounting method configuration page Table 1 5 describes the configuration items for configuring the accounting methods for an ISP domain Table 1 5 Accounting method configuration items Item Description Select an ISP domain Select the ISP domain for which you want to specify authentication methods Accounting Optional Specify whether to enable the accounting optional feature z With th...

Page 392: ...y Method Configure the accounting method and secondary accounting method for login users Options include z Local Performs local accounting z None Performs no accounting z RADIUS Performs RADIUS accounting You need to specify the RADIUS scheme to be used z Not Set Uses the default accounting methods Return to Configuration Task List AAA Configuration Example Network requirements As shown in Figure ...

Page 393: ...ser z Enter telnet as the username z Select Management as the access level z Enter abcd as the password z Enter abcd to confirm the password z Select Telnet Service as the service type z Click Apply Configure ISP domain test z Select Authentication AAA from the navigation tree The domain configuration page appears Perform the configurations shown in Figure 1 8 ...

Page 394: ... from the navigation tree and then select the Authentication tab and configure AAA authentication as shown in Figure 1 9 Figure 1 9 Configure the ISP domain to use local authentication z Select the domain test z Select the Login AuthN check box and select the authentication method Local z Click Apply A configuration progress dialog box appears as shown in Figure 1 10 ...

Page 395: ...own in Figure 1 11 Figure 1 11 Configure the ISP domain to use local authorization z Select the domain test z Select the Login AuthZ check box and select the authorization method Local z Click Apply A configuration progress dialog box appears z After the configuration progress is complete click Close Configure the ISP domain to use local accounting z Select Authentication AAA from the navigation t...

Page 396: ...gin Accounting check box and select the accounting method Local z Click Apply A configuration progress dialog box appears z After the configuration process is complete click Close Now if you telnet to the switch and enter username telnet test and password abcd you should be serviced as a user in domain test ...

Page 397: ...n Mechanisms 1 2 Basic Message Exchange Process of RADIUS 1 2 RADIUS Packet Format 1 3 Extended RADIUS Attributes 1 5 Protocols and Standards 1 6 Configuring RADIUS 1 6 Configuration Task List 1 6 Configuring RADIUS Servers 1 7 Configuring RADIUS Parameters 1 8 RADIUS Configuration Example 1 11 Configuration Guidelines 1 16 ...

Page 398: ...ces and uses accounting to collect and record usage information of network resources Client Server Model z Client The RADIUS client runs on the NASs located throughout the network It passes user information to designated RADIUS servers and acts on the responses for example rejects or accepts user access requests z Server The RADIUS server runs on the computer or workstation at the network center a...

Page 399: ...rmination Host 6 The host accesses the resources The following is how RADIUS operates 1 The host initiates a connection request carrying the username and password to the RADIUS client 2 Having received the username and password the RADIUS client sends an authentication request Access Request to the RADIUS server with the user password encrypted by using the Message Digest 5 MD5 algorithm and the s...

Page 400: ...er to authenticate the user It must contain the User Name attribute and can optionally contain the attributes of NAS IP Address User Password and NAS Port 2 Access Accept From the server to the client If all the attribute values carried in the Access Request are acceptable that is the authentication succeeds the server sends an Access Accept response 3 Access Reject From the server to the client I...

Page 401: ...nted in triplets of Type Length and Value z Type One byte in the range 1 to 255 It indicates the type of the attribute Commonly used attributes for RADIUS authentication authorization and accounting are listed in Table 1 2 z Length One byte for indicating the length of the attribute in bytes including the Type Length and Value fields z Value Value of the attribute up to 253 bytes Its format and co...

Page 402: ...38 Framed AppleTalk Network 85 Acct Interim Interval 39 Framed AppleTalk Zone 86 Acct Tunnel Packets Lost 40 Acct Status Type 87 NAS Port Id 41 Acct Delay Time 88 Framed Pool 42 Acct Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id The attribute types listed in Table 1 2 are defined by RFC 2865 RFC 2866 RFC 2867 and RFC 2868 Exte...

Page 403: ...cols and standards related to RADIUS include z RFC 2865 Remote Authentication Dial In User Service RADIUS z RFC 2866 RADIUS Accounting z RFC 2867 RADIUS Accounting Modifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions Configuring RADIUS Configuration Task List z The RADIUS scheme configured through the Web interface is named...

Page 404: ... primary and secondary RADIUS accounting servers By default no RADIUS accounting server is configured For configuration details refer to Configuring RADIUS Servers Configuring RADIUS Parameters Required Configure the parameters that are necessary for information exchange between the device and RADIUS servers Configuring RADIUS Servers From the navigation tree select Authentication RADIUS The RADIU...

Page 405: ...r the specified IP address is to be removed the status is blocked Secondary Server IP Specify the IP address of the secondary server If no secondary server is specified the text box displays 0 0 0 0 To remove the previously configured secondary server enter 0 0 0 0 in the text box The specified IP address of the secondary server cannot be the same as that of the primary server Secondary Server UDP...

Page 406: ...at defined in RFC 2138 2139 or later Authentication Server Shared Key Confirm Authentication Shared Key Specify and confirm the shared key for the authentication server These two parameters must have the same values Accounting Server Shared Key Confirm Accounting Shared Key Specify and confirm the shared key for the accounting server These two parameters must have the same values NAS IP Specify th...

Page 407: ... Stop Accounting Buffer Enable or disable buffering stop accounting requests without responses in the device Stop Accounting Packet Retransmission Times Set the maximum number of transmission attempts if no response is received for the stop accounting packet Quiet Interval Specify the interval the primary server has to wait before being active Username Format Set the format of username sent to the...

Page 408: ...nting the Telnet user s username and password and the shared key expert have been configured for packet exchange with the switch On the switch it is required to configure the shared key for packet exchange with the RADIUS server as expert and configure the system to remove the domain name of a username before sending it to the RADIUS server Figure 1 7 Network diagram for RADIUS server configuratio...

Page 409: ...y Configure the RADIUS accounting server Figure 1 9 Configure the RADIUS accounting server Perform the following configurations as shown in Figure 1 9 z Select Accounting Server as the server type z Enter 10 110 91 146 as the IP address of the primary accounting server z Enter 1813 as the UDP port of the primary accounting server z Select active as the primary server status z Click Apply Configure...

Page 410: ...expert in the Confirm Authentication Shared Key text box z Select the Accounting Server Shared Key check box and enter expert in the text box z Enter expert in the Confirm Accounting Shared Key text box z Select without domain for Username Format z Click Apply 3 Configure AAA Create an ISP domain z From the navigation tree select Authentication AAA The domain setup page appears ...

Page 411: ... ISP domain z Select the Authentication tab Figure 1 12 Configure the AAA authentication method for the ISP domain Perform the following configurations as shown in Figure 1 12 z Select the domain name test z Select the Default AuthN checkbox and then select RADIUS as the authentication mode z Select system from the Name drop down list to use it as the authentication scheme z Click Apply A configur...

Page 412: ...he following configurations as shown in Figure 1 14 z Select the domain name test z Select the Default AuthZ checkbox and then select RADIUS as the authorization mode z Select system from the Name drop down list to use it as the authorization scheme z Click Apply A configuration progress dialog box appears z After the configuration process is complete click Close Configure the AAA accounting metho...

Page 413: ...nfiguring the RADIUS client note that 1 When you modify the parameters of the RADIUS scheme the system does not check whether the scheme is being used by users 2 After accounting starts update accounting and stop accounting packets will be sent to the designated server and no primary secondary server switchover will take place even if the designated server fails Such a switchover can take place on...

Page 414: ...i Table of Contents 1 Users 1 1 Overview 1 1 Configuring Users 1 1 Configuring a Local User 1 1 Configuring a User Group 1 3 ...

Page 415: ...et of local user attributes You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group All local users in a user group inherit the user attributes of the group but if you configure user attributes for a local user the settings of the local user take precedence over the settings for the user group By default every...

Page 416: ...tion refer for Configuring a User Group Service type Select the service types for the local user to use including FTP Telnet LAN access accessing through the Ethernet such as 802 1x users and SSH If you do not specify any service type for a local user who uses local authentication the user cannot pass authentication and therefore cannot log in Expire time Specify an expiration time for the local u...

Page 417: ... switch 2900 series do not support user profile configuration Every authorization attribute has its definite application environments and purposes Therefore when configuring authorization attributes for a local user determine what attributes are needed first Configuring a User Group Select Authentication Users from the navigation tree and then select the User Group tab to display the existing user...

Page 418: ...anagement in ascending order of priority VLAN Specify the VLAN to be authorized to users of the user group after the users pass authentication ACL Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication User profile Specify the user profile for the user group Currently switch 2900 series do not support user profile config...

Page 419: ...iguration Task List 1 3 Creating a PKI Entity 1 6 Creating a PKI Domain 1 7 Generating an RSA Key Pair 1 10 Destroying the RSA Key Pair 1 11 Retrieving a Certificate 1 11 Requesting a Local Certificate 1 13 Retrieving and Displaying a CRL 1 14 PKI Configuration Example 1 15 Configuring a PKI Entity to Request a Certificate from a CA 1 15 Configuration Guidelines 1 20 ...

Page 420: ...ertificates local certificate and CA certificate A local certificate is a digital certificate signed by a CA for an entity while a CA certificate also known as a root certificate is signed by the CA for itself CRL An existing certificate may need to be revoked when for example the user name changes the private key leaks or the user stops the business Revoking a certificate is to remove the binding...

Page 421: ...ns of users it does not sign certificates Sometimes a CA assumes the registration management responsibility and therefore there is no independent RA The PKI standard recommends that an independent RA be used for registration management to achieve higher security of application systems PKI repository A PKI repository can be a Lightweight Directory Access Protocol LDAP server or a common database It...

Page 422: ... RA verifies the identity of the entity and then sends the identity information and the public key with a digital signature to the CA 3 The CA verifies the digital signature approves the application and issues a certificate 4 The RA receives the certificate from the CA sends it to the LDAP server to provide directory navigation service and notifies the entity that the certificate is successfully i...

Page 423: ...ey Pair Required Generate a local RSA key pair By default no local RSA key pair exists Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information If there is already a local certificate you need to remove the certificat...

Page 424: ...sting certificate Retrieving and Displaying a CRL Optional Retrieve a CRL and display its contents Requesting a Certificate Automatically Perform the tasks in Table 1 2 to configure the PKI system to request a certificate automatically Table 1 2 Configuration task list for requesting a certificate automatically Task Remarks Creating a PKI Entity Required Create a PKI entity and configure the ident...

Page 425: ...PKI entity list page is displayed by default as shown in Figure 1 2 Click Add on the page to enter the PKI entity configuration page as shown in Figure 1 3 Figure 1 2 PKI entity list Figure 1 3 PKI entity configuration page Table 1 3 describes the configuration items for creating a PKI entity Table 1 3 PKI entity configuration items Item Description Entity Name Type the name for the PKI entity Com...

Page 426: ... for the entity Locality Type the locality for the entity Organization Type the organization name for the entity Organization Unit Type the unit name for the entity Return to Configuration task list for requesting a certificate manually Return to Configuration task list for requesting a certificate automatically Creating a PKI Domain Select Authentication PKI from the navigation tree and then sele...

Page 427: ...sibility of certificate registration distribution and revocation and query In offline mode this item is optional while in other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA an entity needs to show its identity information Available PKI entities are those that have been configured Institution Select the authority for certificate r...

Page 428: ...the fingerprint of the root certificate namely the hash value of the root certificate content This hash value is unique to every certificate If the fingerprint of the root certificate does not match the one configured for the PKI domain the entity will reject the root certificate The fingerprint of the CA root certificate is required when the certificate request mode is Auto and can be omitted whe...

Page 429: ...guration task list for requesting a certificate manually Return to Configuration task list for requesting a certificate automatically Generating an RSA Key Pair Select Authentication PKI from the navigation tree and then select the Certificate tab to enter the page displaying existing PKI certificates as shown in Figure 1 6 Then click Create Key to enter RSA key pair parameter configuration page a...

Page 430: ...uration task list for requesting a certificate manually Return to Configuration task list for requesting a certificate automatically Retrieving a Certificate You can download an existing CA certificate or local certificate from the CA server and save it locally To do so you can use two ways online and offline In offline mode you need to retrieve a certificate by an out of band means like FTP disk ...

Page 431: ...ecify the path and name of the certificate file z If the certificate file is saved on the device select Get File From Device and then specify the path of the file on the device z If the certificate file is saved on a local PC select Get File From PC and then specify the path to the file and select the partition of the device for saving the file Password Enter the password for protecting the privat...

Page 432: ...a local certificate Table 1 7 Configuration items for requesting a local certificate Item Description Domain Name Select the PKI domain for the certificate Password Type the password for certificate revocation Enable Offline Mode Select this check box to request a certificate in offline mode that is by an out of band means like FTP disk or e mail If you select the offline mode and click Apply the ...

Page 433: ...iew CRL for the domain to display the contents of the CRL as shown in Figure 1 14 Figure 1 14 CRL details Table 1 8 describes some fields of the CRL details Table 1 8 Description about some fields of the CRL details Field Description Version CRL version number Signature Algorithm Signature algorithm that the CRL uses Issuer CA that issued the CRL X509v3 Authority Key Identifier Identifier of the C...

Page 434: ...onfiguration procedure 1 Configure the CA server Create a CA server named myca In this example you need to configure the basic attributes of Nickname and Subject DN on the CA server at first z Nickname Name of the trusted CA z Subject DN DN information of the CA including the Common Name CN z Organization Unit OU z Organization O and z Country C The other attributes may use the default values Conf...

Page 435: ...ion tree The PKI entity list page is displayed by default Click Add on the page as shown in Figure 1 16 and then perform the following configurations as shown in Figure 1 17 Figure 1 16 PKI entity list Figure 1 17 Configure a PKI entity z Type aaa as the PKI entity name z Type ac as the common name z Click Apply Create a PKI domain z Select the Domain tab and then click Add as shown in Figure 1 18...

Page 436: ... must be in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is the hexadecimal string generated on the CA z Select Manual as the certificate request mode z Click Display Advanced Config to display the advanced configuration items z Select the Enable CRL Checking check box z Type http 4 4 4 133 447 myca crl as the CRL URL z Click Apply A dialog box appears asking ...

Page 437: ...Figure 1 21 Figure 1 20 Certificate list Figure 1 21 Generate an RSA key pair z Click Apply to generate an RSA key pair Retrieve the CA certificate z Select the Certificate tab and then click Retrieve Cert as shown in Figure 1 22 and then perform the following configurations as shown in Figure 1 23 Figure 1 22 Certificate list ...

Page 438: ...l certificate z Select the Certificate tab and then click Request Cert as shown in Figure 1 24 and then perform the following configurations as shown in Figure 1 25 Figure 1 24 Certificate list Figure 1 25 Request a local certificate z Select torsa as the PKI domain z Select Password and then type challenge word as the password z Click Apply ...

Page 439: ...rver has some restrictions on the data length of a certificate request If the PKI entity identity information in a certificate request goes beyond a certain limit the server will not respond to the certificate request 3 The SCEP plug in is required when you use the Windows Server as the CA In this case you need to specify RA as the authority for certificate request when configuring the PKI domain ...

Page 440: ...i Table of Contents 1 Port Isolation Group Configuration 1 1 Overview 1 1 Configuring a Port Isolation Group 1 1 Port Isolation Group Configuration Example 1 2 ...

Page 441: ...he isolation group nor create other isolation groups on such devices z There is no restriction on the number of ports assigned to an isolation group Usually Layer 2 traffic cannot be forwarded between ports in different VLANs However the Layer 2 data transmission between ports within and outside the isolation group is supported Configuring a Port Isolation Group Select Security Port Isolate Group ...

Page 442: ...s z Campus network users Host A Host B and Host C are connected to GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch z Switch is connected to the Internet through GigabitEthernet 1 0 1 z GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 belong to the same VLAN It is required that Host A Host B and Host C can access the Interne...

Page 443: ...k Apply A configuration progress dialog box appears z After the configuration process is complete click Close in the dialog box View information about the isolation group Click Summary The page shown in Figure 1 4 appears Figure 1 4 Information about port isolation group 1 As shown on the page port isolation group 1 contains these isolated ports GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and Giga...

Page 444: ...i Table of Contents 1 Authorized IP Configuration 1 1 Overview 1 1 Configuring Authorized IP 1 1 Authorized IP Configuration Example 1 2 Authorized IP Configuration Example 1 2 ...

Page 445: ...own in Figure 1 1 Figure 1 1 Authorized IP configuration page Table 1 1 describes the authorized IP configuration items Table 1 1 Authorized IP configuration items Item Description IPv4 ACL Associate the Telnet service with an IPv4 ACL You can configure the IPv4 ACL to be selected by selecting QoS ACL IPv4 Telnet IPv6 ACL Not Supported Associate the Telnet service with an IPv6 ACL You can configur...

Page 446: ...re 1 2 Network diagram for authorized IP Configuration procedure Create an ACL z Select QoS ACL IPv4 from the navigation tree and then click the Create tab to enter the ACL configuration page shown in Figure 1 3 Figure 1 3 Create an ACL Make the following configurations on the page z Type 2001 for ACL Number z Click Apply Configure an ACL rule to permit Host B z Click the Basic Setup tab to enter ...

Page 447: ... down list z Select Permit from the Operation drop down list z Select the Source IP Address check box and then type 10 1 1 3 z Type 0 0 0 0 in the Source Wildcard text box z Click Add Configure authorized IP z Select Security Authorized IP from the navigation tree and then click the Setup tab to enter the authorized IP configuration page shown in Figure 1 5 ...

Page 448: ...1 4 Figure 1 5 Configure authorized IP Make the following configurations on the page z Select 2001 for IPv4 ACL in the Telnet field z Select 2001 for IPv4 ACL in the Web HTTP field z Click Apply ...

Page 449: ...c Classification 2 3 Packet Precedences 2 4 Queue Scheduling 2 6 Line Rate 2 8 Priority Mapping 2 10 Introduction to Priority Mapping Tables 2 11 QoS Configuration 2 12 Configuration Task Lists 2 12 Creating a Class 2 14 Configuring Classification Rules 2 15 Creating a Traffic Behavior 2 17 Configuring Traffic Mirroring and Traffic Redirecting for a Traffic Behavior 2 18 Configuring Other Actions ...

Page 450: ...es as shown in Table 1 1 Table 1 1 IPv4 ACL categories Category ACL number Matching criteria Basic IPv4 ACL 2000 to 2999 Source IP address Advanced IPv4 ACL 3000 to 3999 Source IP address destination IP address protocol carried over IP and other Layer 3 or Layer 4 protocol header information Ethernet frame header ACL 4000 to 4999 Layer 2 protocol header fields such as source MAC address destinatio...

Page 451: ...he rule configured first Ethernet frame header ACL 1 Sort rules by source MAC address mask first and compare packets against the rule configured with more ones in the source MAC address mask 2 If two rules are present with the same number of ones in their source MAC address masks look at the destination MAC address masks Then compare packets against the rule configured with more ones in the destin...

Page 452: ...xample with a step of five if the biggest number is currently 28 the newly defined rule will get a number of 30 If the ACL has no rule defined already the first defined rule will get a number of 0 Another benefit of using the step is that it allows you to insert new rules between existing ones as needed For example after creating four rules numbered 0 5 10 and 15 in an ACL with a step of five you ...

Page 453: ...iodic Time Range Sun Mon Tue Wed Thu Fri and Sat Select the day or days of the week on which the periodic time range is valid You can select any combination of the days of the week From Set the start time and date of the absolute time range The time of the day is in the hh mm format 24 hour clock and the date is in the MM DD YYYY format Absolute Time Range To Set the end time and date of the absol...

Page 454: ...uration items Item Description ACL Number Set the number of the IPv4 ACL Match Order Set the match order of the ACL Available values are z Config Packets are compared against ACL rules in the order that the rules are configured z Auto Packets are compared against ACL rules in the depth first match order Return to IPv4 ACL configuration task list Configuring a Rule for a Basic IPv4 ACL Select QoS A...

Page 455: ...eration Select the operation to be performed for IPv4 packets matching the rule z Permit Allows matched packets to pass z Deny Drops matched packets Check Fragment Select this option to apply the rule to only non first fragments If you do no select this option the rule applies to all fragments and non fragments Check Logging Select this option to keep a log of matched IPv4 packets A log entry cont...

Page 456: ...ve been configured Return to IPv4 ACL configuration task list Configuring a Rule for an Advanced IPv4 ACL Select QoS ACL IPv4 from the navigation tree and then select the Advance Setup tab to enter the rule configuration page for an advanced IPv4 ACL as shown in Figure 1 4 Figure 1 4 The page for configuring an advanced IPv4 ACL ...

Page 457: ...ontains the ACL rule number operation for the matched packets protocol that IP carries source destination address source destination port number and number of matched packets Source IP Address Source Wildcard Select the Source IP Address option and type a source IPv4 address and a source wildcard mask in dotted decimal notation Destination IP Address IP Address Filter Destination Wildcard Select t...

Page 458: ...configured z Range The following port number fields must be configured to define a port range z Other values The first port number field must be configured and the second must not DSCP Specify the DSCP priority TOS Specify the ToS preference Precedence Filter Precedence Specify the IP precedence If you specify the ToS precedence or IP precedence when you specify the DSCP precednece the specified T...

Page 459: ...that have been configured Rule ID Select the Rule ID option and type a number for the rule If you do not specify the rule number the system will assign one automatically Operation Select the operation to be performed for packets matching the rule z Permit Allows matched packets to pass z Deny Drops matched packets Source MAC Address Source Mask Select the Source MAC Address option and type a sourc...

Page 460: ...e ranges are those that have been configured Return to IPv4 ACL configuration task list Configuration Guidelines When configuring an ACL note that 1 When defining rules in an ACL you do not necessarily assign them numbers the system can do this automatically Refer to ACL Step 2 You cannot create a rule with or modify a rule to have the same permit deny statement as an existing rule in the ACL 3 Yo...

Page 461: ...s traditional applications such as WWW E Mail and FTP network users are experiencing new services such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together with VPN technologies to carry out operational applications for instance to access the database of the company or to monitor remote devices th...

Page 462: ...nsmission z Decreased network throughput and resource use efficiency z Network resource memory in particular exhaustion and even system breakdown It is obvious that congestion hinders resource assignment for traffic and thus degrades service performance Congestion is unavoidable in switched networks and multi user application environments To improve the service performance of your network you must...

Page 463: ...ts when congestion occurs Congestion management is usually applied in the outbound direction of a port z Congestion avoidance monitors the usage status of network resources and is usually applied in the outbound direction of a port As congestion becomes worse it actively reduces the amount of traffic by dropping packets Among these QoS technologies traffic classification is the basis for providing...

Page 464: ...es codepoint DSCP values and 802 1p precedence 1 IP precedence ToS precedence and DSCP values Figure 2 3 DS field and ToS bytes As shown in Figure 2 3 the ToS field of the IP header contains eight bits the first three bits 0 to 2 represent IP precedence from 0 to 7 the subsequent four bits 3 to 6 represent a ToS value from 0 to 15 According to RFC 2474 the ToS field of the IP header is redefined a...

Page 465: ...ss This class is a special CS class that does not provide any assurance AF traffic exceeding the limit is degraded to the BE class Currently all IP network traffic belongs to this class by default Table 2 2 Description on DSCP values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31...

Page 466: ...fined in IEEE 802 1p Table 2 3 presents the values for 802 1p precedence Table 2 3 Description on 802 1p precedence 802 1p precedence decimal 802 1p precedence binary Description 0 000 best effort 1 001 background 2 010 spare 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management Queue Scheduling In general congestion management adopts queuing technology The ...

Page 467: ...st priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue to ensure that they are always served first and common service such as Email packets to the low priority queues to be transmitted when the high priority queues are empty The disadvantage ...

Page 468: ...dwidth resource use efficiency You can assign the output queues to WRR priority queue group 1 and WRR priority queue group 2 Round robin queue scheduling is performed for group 1 first If group 1 is empty round robin queue scheduling is performed for group 2 You can implement SP WRR queue scheduling on a port by assigning some queues on the port to the SP scheduling group when configuring WRR Pack...

Page 469: ...fic It is usually set to the committed information rate CIR z Burst size the capacity of the token bucket namely the maximum traffic size that is permitted in each burst It is usually set to the committed burst size CBS The set burst size must be greater than the maximum packet size One evaluation is performed on each arriving packet In each evaluation if the number of tokens in the bucket is enou...

Page 470: ...device assigns to the packet a set of predefined parameters including the 802 1p precedence DSCP values IP precedence and local precedence z For more information about 802 1p precedence DSCP values and IP precedence refer to Packet Precedences z Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to an output queue Packets w...

Page 471: ...P to DSCP DSCP to DSCP mapping table which is applicable to only IP packets z DSCP to Queue DSCP to local precedence mapping table which is applicable to only IP packets Table 2 4 through Table 2 5 list the default priority mapping tables Table 2 4 The default CoS to DSCP CoS to Queue mapping table Input CoS value Local precedence Queue DSCP 0 2 0 1 0 8 2 1 16 3 3 24 4 4 32 5 5 40 6 6 48 7 7 56 Ta...

Page 472: ...to a class only when the packet matches all the criteria in the class z or The device considers a packet belongs to a class as long as the packet matches one of the criteria in the class 2 Traffic behavior A traffic behavior identified by a name defines a set of QoS actions for packets 3 Policy You can apply a QoS policy to a port Applies a QoS policy to a port to regulate the inbound traffic of t...

Page 473: ...cy Therefore associating a class that is already associated with a traffic behavior will overwrite the old association Apply the policy Applying a Policy to a Port Required Apply the QoS policy to a port Configuring queue scheduling Perform the task in Table 2 7 to configure queue scheduling Table 2 7 Queue scheduling configuration task list Task Remarks Configuring Queue Scheduling on a Port Opti...

Page 474: ... priority trust mode Table 2 10 Priority trust mode configuration task list Task Remarks Configuring Priority Trust Mode on a Port Required Set the priority trust mode of a port Creating a Class Select QoS Classifier from the navigation tree and click Create to enter the page for creating a class as shown in Figure 2 11 Figure 2 11 The page for creating a class Table 2 11 shows the configuration i...

Page 475: ...belongs to a class only when the packet matches all the rules in the class z or Specifies the relationship between the rules in a class as logic OR That is the device considers a packet belongs to a class as long as the packet matches one of the rules in the class Return to QoS policy configuration task list Configuring Classification Rules Select QoS Classifier from the navigation tree and click ...

Page 476: ...specified the system considers them as one The relationship between different IP precedence values is OR After such configurations all the IP precedence values are arranged in ascending order automatically Customer 802 1p Define a rule to match the customer 802 1p precedence values If multiple such rules are configured for a class the new configuration does not overwrite the previous one You can c...

Page 477: ...red for a class the new configuration does not overwrite the previous one You can configure multiple VLAN IDs each time If the same VLAN ID is specified multiple times the system considers them as one The relationship between different VLAN IDs is logical OR You can specify VLAN IDs in two ways z Enter a range of VLAN IDs such as 10 500 The number of VLAN IDs in the range is not limited z Specify ...

Page 478: ... Figure 2 14 Figure 2 14 Port setup page for a traffic behavior Table 2 14 describes the traffic mirroring and traffic redirecting configuration items Table 2 14 Traffic mirroring and traffic redirecting configuration items Item Description Please select a behavior Select an existing behavior in the drop down list Redirect Set the action of redirecting traffic to the specified destination port Ple...

Page 479: ...havior from the navigation tree and click Setup to enter the page for setting a traffic behavior as shown in Figure 2 15 Figure 2 15 The page for setting a traffic behavior Table 2 15 describes the configuration items of configuring other actions for a traffic behavior ...

Page 480: ...figuration task list Creating a Policy Select QoS QoS Policy from the navigation tree and click Create to enter the page for creating a policy as shown in Figure 2 16 Figure 2 16 The page for creating a policy Table 2 16 describes the configuration items of creating a policy Table 2 16 Configuration items of creating a policy Item Description Policy Name Specify a name for the policy to be created...

Page 481: ...own list Classifier Name Select an existing classifier in the drop down list The classifiers available for selection are created on the page for creating a classifier Behavior Name Select an existing behavior in the drop down list The behaviors available for selection are created on the page for creating a behavior Return to QoS policy configuration task list Applying a Policy to a Port Select QoS...

Page 482: ... direction in which the policy is to be applied Inbound Applies the policy to the incoming packets of the specified ports Please select port s Click to select ports to which the QoS policy is to be applied on the chassis front panel Return to QoS policy configuration task list Configuring Queue Scheduling on a Port Select QoS Queue from the navigation tree and click Setup to enter the queue schedu...

Page 483: ...ed Group Specify the group the current queue is to be assigned to This drop down list is available after you select a queue ID The following groups are available for selection z SP Assigns a queue to the SP group z 1 Assigns a queue to WRR group 1 z 2 Assigns a queue to WRR group 2 WRR Setup Weight Set a weight for the current queue This option is available when group 1 or group 2 is selected Plea...

Page 484: ... a direction in which the line rate is to be applied z Inbound Limits the rate of packets received on the specified port z Outbound Limits the rate of packets sent by the specified port z Both Limits the rate of packets received on and sent by the specified port CIR Set the committed information rate CIR the average traffic rate Please select port s Specify the ports to be configured with line rat...

Page 485: ...ter the page shown in Table 2 22 Input Priority Value Output Priority Value Set the output priority value for an input priority value Restore Click Restore to display the default settings of the current priority mapping table on the page To restore the priority mapping table to the default click Apply Figure 2 22 The page for configuring DSCP to DSCP mapping table Return to Priority mapping table ...

Page 486: ... Description Interface The interface to be configured Priority Set a local precedence value for the port Trust Mode Select a priority trust mode for the port which can be z Untrust where packet priority is not trusted z CoS where the 802 1p precedence of the incoming packets is trusted and used for priority mapping z DSCP where the DSCP precedence of the incoming packets is trusted and used for pr...

Page 487: ...figuration Guidelines When configuring QoS note that When an ACL is referenced to implement QoS the actions defined in the ACL rules deny or permit do not take effect actions to be taken on packets matching the ACL depend on the traffic behavior definition in QoS ...

Page 488: ...e FTP server from 8 00 to 18 00 every day 1 Create an ACL to prohibit the hosts from accessing the FTP server from 8 00 to 18 00 every day 2 Configure a QoS policy to drop the packets matching the ACL 3 Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 Figure 3 1 Network diagram for ACL QoS configuration Configuration procedure 1 Configure the time range Define a time range co...

Page 489: ...odic Time Range option set the Start Time to 8 00 and the End Time to 18 00 and then select the checkboxes Sun through Sat z Click Apply 2 Define an IPv4 ACL for traffic to the FTP server Create an advanced IPv4 ACL z Select QoS ACL IPv4 from the navigation tree and click Create Perform configuration as shown in Figure 3 3 ...

Page 490: ...3 3 Figure 3 3 Create an advanced IPv4 ACL z Type the ACL number 3000 z Click Apply Define an ACL rule for traffic to the FTP server z Click Advance Setup Perform configuration as shown in Figure 3 4 ...

Page 491: ... Select the Rule ID option and type rule ID 2 z Select Permit in the Operation drop down list z Select the Destination IP Address option and type IP address 10 1 1 1 and destination wildcard mask 0 0 0 0 z Select test time in the Time Range drop down list z Click Add 3 Configure a QoS policy Create a class ...

Page 492: ...e navigation tree and click Create Perform configuration as shown in Figure 3 5 Figure 3 5 Create a class z Type the class name class1 z Click Create Define classification rules z Click Setup Perform configuration as shown in Figure 3 6 ...

Page 493: ...fication rules z Select the class name class1 in the drop down list z Select the ACL IPv4 option and select ACL 3000 in the following drop down list z Click Apply A configuration progress dialog box appears as shown in Figure 3 7 ...

Page 494: ...eate a traffic behavior z Select QoS Behavior from the navigation tree and click Create Perform configuration as shown in Figure 3 8 Figure 3 8 Create a traffic behavior z Type the behavior name behavior1 z Click Create Configure actions for the traffic behavior z Click Setup Perform configuration as shown in Figure 3 9 ...

Page 495: ...on and then select Deny in the following drop down list z Click Apply A configuration progress dialog box appears z After the configuration is complete click Close on the dialog box Create a policy z Select QoS QoS Policy from the navigation tree and click the Create tab Perform configuration as shown in Figure 3 10 ...

Page 496: ...igure 3 11 Configure classifier behavior associations for the policy z Select policy1 z Select class1 in the Classifier Name drop down list z Select behavior1 in the Behavior Name drop down list z Click Apply Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 z Select QoS Port Policy from the navigation tree and click the Setup tab Perform configuration as shown in Figure 3 12 ...

Page 497: ...et 1 0 1 z Select policy1 in the Please select a policy drop down list z Select Inbound in the Direction drop down list z Select port GigabitEthernet 1 0 1 z Click Apply A configuration progress dialog box appears z After the configuration is complete click Close on the dialog box ...

Page 498: ...PoE Configuration 1 1 PoE Overview 1 1 Advantages 1 1 Composition 1 1 Protocol Specification 1 2 Configuring PoE 1 2 Configuring PoE Ports 1 3 Displaying Information About PSE and PoE Ports 1 4 PoE Configuration Example 1 5 ...

Page 499: ...rgers card readers web cameras and data collectors Composition As shown in Figure 1 1 a PoE system consists of PoE power PSE power interface PI and PD Figure 1 1 PoE system diagram PoE power The whole PoE system is powered by the PoE power PSE A PSE is a device supplying power for PDs A PSE can be built in Endpoint or external Midspan A built in PSE is integrated in a switch or router and an exter...

Page 500: ...a category 3 5 twisted pair cable to supply DC power while transmitting data to PDs z Over spare wires The PSE uses the pairs 4 5 7 8 not transmitting data in a category 3 5 twisted pair cable to supply DC power to PDs 3Com Baseline Switch 2920 SFP Plus only support for signal mode PD A PD is a device accepting power from the PSE including IP phones wireless APs chargers of portable devices POS an...

Page 501: ... is not enabled with the PoE function z You are allowed to enable PoE for a PoE port if the PoE port will not result in PoE power overload otherwise you are not allowed to enable PoE for the PoE port By default PoE is disabled on a PoE port PSE power overload When the sum of the power consumption of all ports exceeds the maximum power of PSE the system considers the PSE is overloaded Power Max Set...

Page 502: ...se power is preempted will be powered off but their configurations will remain unchanged When you change the priority of a PoE port from critical to a lower level the PDs connecting to other PoE ports will have an opportunity of being powered By default the power priority of a PoE port is low z 19 watts guard band is reserved for each PoE port on the device to prevent a PD from being powered off b...

Page 503: ...connected to IP telephones z GigabitEthernet 1 0 11 is connected to AP whose maximum power does not exceed 9000 milliwatts z The power supply priority of IP telephones is higher than that of AP therefore the PSE supplies power to IP telephones first when the PSE power is overloaded Figure 1 4 Network diagram for PoE GE 1 0 1 GE 1 0 11 G E 1 0 2 AP PSE ...

Page 504: ...ure 1 5 Configure the PoE ports supplying power to the IP telephones z Click to select ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel z Select Enable from the Power State drop down list z Select Critical from the Power Priority drop down list z Click Apply Enable PoE on GigabitEthernet 1 0 11 and configure the maximum power of the port to 9000 milliwatts z Click...

Page 505: ...ect port GigabitEthernet 1 0 11 from the chassis front panel z Select Enable from the Power State drop down list z Select the check box before Power Max and type 9000 z Click Apply After the configuration takes effect the IP telephones and AP are powered and can work normally ...

Reviews:

No comments

Related manuals for 2928 - Baseline Plus Switch PWR

Brand: Gavita Pages: 12

Brand: vantiva Pages: 58

Underwater Switch 24V DC/DMX/02

Brand: Oase Pages: 40

Brand: Eaton Pages: 43

S6520X-EI Series

Brand: H3C Pages: 34

Brand: Watchguard Pages: 26

Brand: Hamlet Pages: 2

Brand: Nextech Pages: 4

Brand: Scame electrical solutions Pages: 68

Brand: Lantech Pages: 29

Brand: TRENDnet Pages: 2

Brand: T.I.P. Pages: 42

Brand: Orbis Pages: 2

Giga-AcessEtherLinx-II

Brand: IMC Networks Pages: 40

Brand: Xantech Pages: 32

Brand: Ortech Pages: 3

Grid Director 4700

Brand: Mellanox Technologies Pages: 88

Brand: Belkin Pages: 288

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands