manualshive.com logo in svg

3Com 3C17300-US - SuperStack 3 Switch 4226T, Implementation Manual

The 3Com 3C17300-US - SuperStack 3 Switch 4226T is a high-performance networking device designed for seamless data transfer. To ensure efficient product implementation, a comprehensive Implementation Manual is available for free download from manualshive.com, assisting users in setting up and optimizing their network infrastructure.

Share
Download
background image

84

C

HAPTER

 10: M

AKING

 Y

OUR

 N

ETWORK

 S

ECURE

Before you enable Network Login or Rada you must ensure that:

RADIUS has been configured on the Switch.

The RADIUS server in your network is operational.

If the RADIUS server fails or is unavailable, client devices will be unable 
to access the network or be restricted to the default access.

Network Login and Rada are not supported on ports configured to 
operate as members of an aggregated link.

Some client devices that are connected to the Switch port may not 
support network login, for example printers. You should configure the 
Switch port to operate in Automatic Learning mode, so that network 
traffic that does not match the MAC address for the client device is 
filtered, or use the basic Rada mode.

You should enable Network Login or Rada on all relevant Switch ports. 
Failure to enable authentication on a single port could compromise 
the security of the entire network.

RADIUS Server settings for Auto VLAN

When setting up Auto VLAN on a RADIUS server the following attributes 
must be set to supply VLAN data to the Switch:

Table 8   

Setting Auto VLAN attributes

The Tunnel-Private-Group-ID attribute specifies the VLAN to be assigned. 
This can take various forms to indicate if the port is untagged or tagged 
member, for example ‘2u 3t' means that the port is an untagged member 
of VLAN 2 and a tagged member of VLAN 3. 

The switch will assign the first VLAN number with no suffix, or with a ‘U’ 
or ‘u’ suffix, as an untagged VLAN for the port. Any further VLAN 
numbers with no suffix, or with the ‘U’ or ‘u’ suffix, will be assigned as a 
tagged VLAN on the same port. For example; all the following strings are 
identical after processing: “23  7T 88T”, “7T 88t 23u”, “88T 23 7t “, 
”23 7  88”, “7T 23u 88u”.

Attribute

Value

Tunnel-Type

VLAN

Tunnel-Medium-Type

802

Tunnel-Private-Group-ID

<VLAN ID to be assigned>

dua1730-0bAA03.book  Page 84  Monday, July 11, 2005  11:14 AM

Summary of Contents for 3C17300-US - SuperStack 3 Switch 4226T

Page 1: ...Published June 2005 SuperStack 3 Switch 4200 Family Implementation Guide Generic guide for units in the SuperStack 3 Switch 4200 Family 3C17300 3C17302 3C17304 3C17300A 3C17302A 3C17304A dua1730 0bAA03 book Page 1 Monday July 11 2005 11 14 AM ...

Page 2: ...on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com the 3Com logo and SuperStack are all registered trademarks of 3Com Corporation Intel and Pentium are registered trademarks of Intel Corporation...

Page 3: ...icast Filtering 18 Spanning Tree Protocol and Rapid Spanning Tree Protocol 18 Switch Database 19 Traffic Prioritization 19 RMON 20 Broadcast Storm Control 20 VLANs 20 Configuration Save and Restore 20 2 OPTIMIZING BANDWIDTH Port Features 23 Duplex 23 Flow Control 24 Auto negotiation 24 Smart Auto sensing 25 Aggregated Links 26 How 802 3ad Link Aggregation Operates 26 Implementing 802 3ad Aggregate...

Page 4: ...s 43 STP Calculation 43 STP Configuration 44 STP Reconfiguration 44 How RSTP Differs to STP 45 STP Example 45 STP Configurations 46 Using STP on a Network with Multiple VLANs 48 5 USING THE SWITCH DATABASE What is the Switch Database 49 How Switch Database Entries Get Added 49 Switch Database Entry States 50 6 USING TRAFFIC PRIORITIZATION What is Traffic Prioritization 51 How Traffic Prioritizatio...

Page 5: ...reating New VLANs 68 VLANs Tagged and Untagged Membership 68 Placing a Port in a Single VLAN 69 VLAN Configuration Examples 70 Using Untagged Connections 70 Using 802 1Q Tagged Connections 71 9 USING AUTOMATIC IP CONFIGURATION How Your Switch Obtains IP Information 74 How Automatic IP Configuration Works 74 Automatic Process 75 Important Considerations 76 Event Log Entries and Traps 76 10 MAKING Y...

Page 6: ...Rules for Gigabit Ethernet 93 Configuration Rules for Fast Ethernet 94 Configuration Rules with Full Duplex 95 B NETWORK CONFIGURATION EXAMPLES Simple Network Configuration Examples 98 Desktop Switch Example 98 Advanced Network Configuration Examples 99 Improving the Performance and Resilience of Your Network 99 C IP ADDRESSING IP Addresses 101 Simple Overview 101 Advanced Overview 102 Subnets and...

Page 7: ...D STANDARDS SUPPORTED GLOSSARY INDEX dua1730 0bAA03 book Page 7 Monday July 11 2005 11 14 AM ...

Page 8: ...dua1730 0bAA03 book Page 8 Monday July 11 2005 11 14 AM ...

Page 9: ...rations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch If release notes are shipped with your product and the information there differs from the information in this guide follow the instructions in the release notes Most user guides and rele...

Page 10: ... use the following syntax system password password In this example you must supply a password for password Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands appear in bold Example To display port information enter the following command bridge port detail The words enter and type When you see the word enter in this guide you mus...

Page 11: ...arameters available It is supplied in HTML format on the CD ROM that accompanies your Switch Management Quick Reference Guide You can find this guide on the CD ROM that accompanies your Switch Supplied in PDF format this guide contains A list of the features supported by the Switch A summary of the web interface operations and CLI commands that enable you to manage the Switch Release Notes These n...

Page 12: ...le SuperStack 3 Switch Implementation Guide Part number DUA1730 0BAA0x Page 25 Please note that we can only respond to comments and questions about 3Com product documentation at this e mail address Questions related to technical support or sales should be directed in the first instance to your network supplier dua1730 0bAA03 book Page 12 Monday July 11 2005 11 14 AM ...

Page 13: ...g Resilience Features Chapter 5 Using the Switch Database Chapter 6 Using Traffic Prioritization Chapter 7 Status Monitoring and Statistics Chapter 8 Setting Up Virtual LANs Chapter 9 Using Automatic IP Configuration Chapter 10 Making Your Network Secure Chapter 11 IP Addressing dua1730 0bAA03 book Page 13 Monday July 11 2005 11 14 AM ...

Page 14: ...14 dua1730 0bAA03 book Page 14 Monday July 11 2005 11 14 AM ...

Page 15: ... features offered by the Switch and to change and monitor the way it works you have to access the management software that resides on the Switch This is known as managing the Switch Managing the Switch can help you to improve its efficiency and therefore the overall performance of your network There are several different methods of accessing the management software to manage the Switch These metho...

Page 16: ...een these three automatic configuration methods The Switch tries each method in a specified order For more information about how the automatic IP configuration feature works see Chapter 9 Using Automatic IP Configuration Security Your Switch has the following security features which guard against unauthorized users connecting devices to your network Network Login controls user access at the networ...

Page 17: ...ovide the highest performance supported by the port For details of the auto negotiation features supported by your Switch please refer to the Management Quick Reference Guide supplied in PDF format on the CD ROM that accompanies your Switch Ports operating at 1000 Mbps only support full duplex mode Duplex Full duplex mode allows packets to be transmitted and received simultaneously and in effect d...

Page 18: ... and Rapid Spanning Tree Protocol Spanning Tree Protocol STP and Rapid Spanning Tree Protocol RSTP are bridge based systems that makes your network more resilient to link failure and also provides protection from network loops one of the major causes of broadcast storms STP allows you to implement alternative paths for network traffic in the event of path failure and uses a loop detection process ...

Page 19: ...lower priority traffic High priority traffic is given preference over low priority traffic to ensure that the most critical traffic gets the highest level of service The traffic prioritization feature supported by your Switch using layer 2 information is compatible with the relevant sections of the IEEE 802 1D D17 standard incorporating IEEE 802 1p For more information about 802 1D and traffic pri...

Page 20: ...raffic level rises to a pre defined number of frames per second threshold the broadcast traffic on the port is blocked until the broadcast traffic level drops below the threshold This system prevents the overwhelming broadcast traffic that can result from network equipment which is faulty or configured incorrectly VLANs A Virtual LAN VLAN is a flexible group of devices that can be located anywhere...

Page 21: ...Switch Features Explained 21 For further information about Configuration Save and Restore see Chapter 11 Using Switch Configuration Features dua1730 0bAA03 book Page 21 Monday July 11 2005 11 14 AM ...

Page 22: ...22 CHAPTER 1 SWITCH FEATURES OVERVIEW dua1730 0bAA03 book Page 22 Monday July 11 2005 11 14 AM ...

Page 23: ...tch Port Features The default state for all the features detailed below provides the best configuration for most users In normal operation you do not need to alter the Switch from its default state However under certain conditions you may wish to alter the default state of these ports for example if you want to force a port to operate at 10 Mbps Duplex Full duplex allows packets to be transmitted ...

Page 24: ...egotiation is enabled default a port advertises its maximum capabilities these capabilities are by default the parameters that provide the highest performance supported by the port You can modify the capabilities that a port advertises on a per port basis dependent on the type of port You can disable auto negotiation on all fixed ports on the Switch or on a per port basis You can also modify the c...

Page 25: ... a poor quality cable If both ends of the link support 100 1000 Mbps auto negotiation then auto sensing tunes the link to 100 Mbps to provide an error free 100 Mbps connection to the network An SNMP Trap is sent every time a port is down rated to a lower speed Conditions that affect smart auto sensing Smart auto sensing will not operate on links that do not support auto negotiation or on links whe...

Page 26: ...d Link Aggregation Operates Your Switch supports IEEE 802 3ad standard aggregated links which uses the Link Aggregation Control Protocol LACP LACP provides automatic point to point redundancy between two devices switch to switch or switch to server that have full duplex connections operating at the same speed By default LACP is disabled on the 10 100 1000BASE T and GBIC or SFP ports If you enable ...

Page 27: ... and managed via network management Implementing 802 3ad Aggregated Links LACP can be enabled or disabled on a per port basis You can implement 802 3ad aggregated links in three ways Manual Aggregations You can manually add and remove ports to and from an aggregated link via Web or CLI commands However if a port has LACP enabled if a more appropriate or correct automatic membership is detected by ...

Page 28: ...ing pre configured aggregated links exist LACP will automatically assign a free un configured aggregated link to form an aggregated link with the partner device The aggregated link will inherit its configuration from the first port originally detected against the partner device If you have an existing single port connection between two devices this automatic behavior allows quick and easy addition...

Page 29: ...ated links The remaining devices will each only have one link made active that is passing data All other links will be made inactive to prevent loops occurring LACP detects if one of the existing four aggregated links is removed and will then automatically assign one of the remaining devices to the aggregated link that has become free When multiple links of different speed connect two devices only...

Page 30: ...ation in Figure 4 will not work as Switch A has one aggregated link defined whose member links are then split between two aggregated links defined on Switches B and C Note that this illegal configuration could not occur if LACP is enabled Figure 4 An illegal aggregated link configuration To make this configuration work you need to have two aggregated links defined on Switch A one containing the me...

Page 31: ...hen a packet is made available for transmission down an aggregated link a hardware based traffic distribution mechanism determines which particular port in the link should be used this mechanism uses the MAC address The traffic is distributed among the member links as efficiently as possible To avoid the potential problem of out of sequence packets or packet re ordering the Switch ensures that all...

Page 32: ...ggregated link 4 Add the SFP ports on the lower unit to the aggregated link 5 Connect the 1000BASE T port marked Up on the upper Switch to the 1000BASE T port marked Up on the lower Switch 6 Connect the 1000BASE T port marked Down on the upper Switch to the 1000BASE T port marked Down on the lower Switch 7 Connect the SFP port marked 27 on the upper Switch to the SFP port marked 27 on the lower Sw...

Page 33: ...at is intended for one to many and many to many communication Users explicitly request to participate in the communication by joining an endstation to a specific multicast group If the network is set up correctly a multicast can only be sent to an endstation or a subset of endstations in a LAN or VLAN that belong to the relevant multicast group Multicast group members can be distributed across mul...

Page 34: ...where a multicast approach is more logical and efficient than a unicast approach Application examples include distance learning transmitting stock quotes to brokers and collaborative computing A typical use of multicasts is in video conferencing where high volumes of traffic need to be sent to several endstations simultaneously but where broadcasting that traffic to all endstations would seriously...

Page 35: ...roup and then sets its filters accordingly Query Mode Query mode allows the Switch to function as the Querier if it has the lowest IP address in the subnetwork to which it belongs IGMP querying is disabled by default on the Switch 4200 Family This helps prevent interoperability issues with core products that may not follow the lowest IP address election method You can enable or disable IGMP query ...

Page 36: ... Switch only has an IP address on its default VLAN the Switch will only ever query on the default VLAN VLAN1 Therefore if there are no other queriers on other VLANs the IP multicast traffic will not be forwarded on them 2 When an IP endstation receives a query packet it sends a report packet back that identifies the multicast group that the endstation would like to join 3 When the report packet ar...

Page 37: ...s not enabled then IP multicast traffic is always forwarded that is it floods the network For information about configuring IGMP functionality on an endstation refer to the user documentation supplied with your endstation or the endstation s Network Interface Card NIC dua1730 0bAA03 book Page 37 Monday July 11 2005 11 14 AM ...

Page 38: ...38 CHAPTER 3 USING MULTICAST FILTERING dua1730 0bAA03 book Page 38 Monday July 11 2005 11 14 AM ...

Page 39: ...nt Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Spanning Tree Protocol STP The Spanning Tree Protocol STP makes your network more resilient to link failure and also provides a protection from loops one of the major causes of broadcast storms STP is enabled by default on your Switch To be fully effective STP must be enabled on all Switches in your net...

Page 40: ...to an endstation to begin forwarding traffic after only four seconds this Auto setting is default for front panel ports During these four seconds RSTP or STP will detect any misconfiguration that may cause a temporary loop and react accordingly If you have Fast Start disabled on a port the Switch will wait for 30 seconds before RSTP or STP lets the port forward traffic If you set Fast Start to Ena...

Page 41: ...parated by three bridges With this configuration each segment can communicate with the others using two paths Without STP enabled this configuration creates loops that cause the network to overload Figure 7 A network configuration that creates loops Figure 8 shows the result of enabling STP on the bridges in the configuration STP detects the duplicate paths and prevents or blocks one of them from ...

Page 42: ...he most efficient path between each bridged segment and a specifically assigned reference point on the network Once the most efficient path has been determined all other paths are blocked Therefore in Figure 7 Figure 8 and Figure 9 STP initially determined that the path through Bridge C was the most efficient and so blocked the path through Bridge B After the failure of Bridge C STP re evaluated t...

Page 43: ... the bandwidth of the link the higher the cost the less efficient the link Table 3 shows the default port costs for a Switch Table 3 Default port costs STP Calculation The first stage in the STP process is the calculation stage During this stage each bridge on the network transmits BPDUs that allow the system to work out Port Speed Link Type Path Cost 802 1D 1998 Path Cost 802 1w 10 Mbps Half Dupl...

Page 44: ...twork have agreed on the identity of the Root Bridge and have established the other relevant parameters each bridge is configured to forward traffic only between its Root Port and the Designated Bridge Ports for the respective network segments All other ports are blocked which means that they are prevented from receiving or forwarding traffic STP Reconfiguration Once the network topology is stable...

Page 45: ... all other bridges in the network have had time to react to the change So the main benefit of RSTP is that the configuration decision is made locally rather than network wide which is why RSTP can carry out automatic configuration and restore a link faster than STP STP Example Figure 10 shows a LAN that has STP enabled The LAN has three segments and each segment is connected using two possible lin...

Page 46: ...100 Port 2 on Bridge C is therefore selected as the Designated Bridge Port for LAN Segment 3 STP Configurations Figure 11 shows three possible STP configurations using SuperStack 3 Switch units Configuration 1 Redundancy for Backbone Link In this configuration the Switches both have STP enabled and are connected by two links STP discovers a duplicate path and blocks one of the links If the enabled...

Page 47: ...How STP Works 47 Figure 11 STP configurations dua1730 0bAA03 book Page 47 Monday July 11 2005 11 14 AM ...

Page 48: ...ween Switch B and Switch C By default this link has a path cost of 100 and is automatically blocked because the other Switch to Switch connections have a path cost of 36 18 18 This means that both VLANs are now subdivided VLAN 1 on Switch units A and B cannot communicate with VLAN 1 on Switch C and VLAN 2 on Switch units A and C cannot communicate with VLAN 2 on Switch B Figure 12 Configuration th...

Page 49: ...e that accompanies your Switch For detailed descriptions of the web interface operations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch How Switch Database Entries Get Added Entries are added to the Switch Database in one of two ways The Swi...

Page 50: ...oved from the network its entry is also removed from the database Learned entries are removed from the Switch Database if the Switch is reset or powered down Non aging learned If the aging time is set to 0 seconds all learned entries in the Switch Database become non aging learned entries This means that they are not aged out but they are still removed from the database if the Switch is reset or p...

Page 51: ...iving it a basic capability to prioritize traffic For more granular prioritization and an enhanced Quality of Service support other products are available in the 3Com range of stackable Switches What is Traffic Prioritization Traffic prioritization allows high priority data such as time sensitive and system critical data to be transferred smoothly and with minimal delay over a network Traffic prio...

Page 52: ...g traffic for prioritization Traffic classification is the means of identifying which application generated the traffic so that a service level can be applied to it The two supported methods for classifying traffic are 802 1D classification is done at layer 2 of the OSI model DiffServ code point classification is done at layer 3 of the OSI model 802 1D traffic classification At layer 2 a traffic s...

Page 53: ...ed by the Switch 4200 Series DiffServ traffic classification DiffServ is an alternative method of classifying traffic so that different levels of service can be applied to it on a network DiffServ is a layer 3 function and the service to be applied is contained within the DSCP field which is in the IP header of a packet 802 1p Service levels Classification 802 1D Low Priority Queue Egress Port Bes...

Page 54: ...witch 4200 Family are checked for DSCP classification and IEEE 802 1D priority The Switch 4200 Family does not set or modify priority levels within the packet The transmitting endstation sets the priority of each packet When the packet is received the Switch places the packet into the appropriate queue depending on its priority level for onward transmission across the network The Switch determines...

Page 55: ... traffic prioritization for QoS on a 4200 Family QoS can be configured on your Switch using the 3Com Network Supervisor or via the Command Line Interface CLI You can also configure QoS via the command line interface CLI For a detailed description of the commands that you require refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Con...

Page 56: ...this setting Data protocols operating window sizes greater that 18 kilobytes will not work efficiently with this setting Data This setting increases the maximum egress buffer per port to 32 kilobytes or 27 packets This setting is suitable if data applications require a window size of up to 32 kilobytes Under these circumstances high priority traffic may not always be able to access sufficient Swit...

Page 57: ...opics What is RMON Benefits of RMON RMON and the Switch What is RMON RMON is a system defined by the IETF Internet Engineering Task Force that allows you to monitor the traffic of LANs or VLANs RMON is an integrated part of the Switch software agent and continually collects statistics about a LAN segment or VLAN and transfers the information to a management workstation on request or when a pre def...

Page 58: ...arms are used to inform you of network performance problems and they can trigger automated responses through the Events group Events The Events group provides you with the ability to create entries in an event log and send SNMP traps to the management workstation Events are the action that can result from an RMON alarm In addition to the standard five traps required by SNMP link up link down warm ...

Page 59: ...ou can analyze the causes of problems It reduces the load on the network and the management workstation Traditional network management involves a management workstation polling network devices at regular intervals to gather statistics and identify problems or trends As network sizes and traffic levels grow this approach places a strain on the management workstation and also generates large amounts...

Page 60: ... Statistics session per port History A new or initialized Switch has two History sessions per port These sessions provide the data for the Web interface history displays 30 second intervals 120 historical samples stored 2 hour intervals 96 historical samples stored Alarms A new or initialized Switch has the following alarm s defined for each port Broadcast bandwidth used Percentage of errors over ...

Page 61: ...and unfilter port Send Trap Stop blocking broadcast and multicast traffic on the port System started Software Upgrade report Table 5 Alarm Events Event Action Table 6 Values for the default alarm s Statistic High Threshold Low Threshold Recovery Period Broadcast bandwidth used Value 20 Action Notify and filter Value 10 Action Notify and unfilter 30 secs Number of errors over 10 seconds Value 8 err...

Page 62: ...ur You can receive notification via email SMS Short Message Service or pager of the event that has occurred This feature uses an SMTP Simple Mail Transfer Protocol email client to send the notification email The Short Message Service SMS and pager messages are constrained on message size so they are sent to a different email address which creates the message to be displayed and then forwards it on...

Page 63: ...link to a server A security violation occurs A resilient link activates System Started Smart Autosensing Activated Temperature Critical Secure address learned Execution of intrusion action Authentication failure POST Failed ports Port access authentication failure Port access logon Port access logoff dua1730 0bAA03 book Page 63 Monday July 11 2005 11 14 AM ...

Page 64: ...64 CHAPTER 7 STATUS MONITORING AND STATISTICS dua1730 0bAA03 book Page 64 Monday July 11 2005 11 14 AM ...

Page 65: ...the CD ROM that accompanies your Switch What are VLANs A VLAN is a flexible group of devices that can be located anywhere in a network but which communicate as if they are on the same physical segment With VLANs you can segment your network without being restricted by physical connections a limitation of traditional network design As an example with VLANs you can segment your network according to ...

Page 66: ...a different subnetwork the addresses of each endstation must be updated manually With a VLAN setup if an endstation in VLAN Marketing for example is moved to a port in another part of the network and retains its original subnet membership you only need to specify that the new port is in VLAN Marketing You do not need to carry out any re cabling VLANs provide extra security Devices within each VLAN...

Page 67: ...about each VLAN on your Switch before the Switch can use it to forward traffic VLAN Name This is a descriptive name for the VLAN for example Marketing or Management 802 1Q VLAN ID This is used to identify the VLAN if you use 802 1Q tagging across your network The Default VLAN A new or initialized Switch contains a single VLAN the Default VLAN This VLAN has the following definition VLAN Name Defaul...

Page 68: ...can be an untagged member but if the port needs to be a member of multiple VLANs tagged membership must be defined Typically endstations for example clients or servers will be untagged members of one VLAN while inter Switch connections will be tagged members of all VLANs The IEEE 802 1Q standard defines how VLANs operate within an open packet switched network An 802 1Q compliant packet carries add...

Page 69: ...any of the VLANs defined on your Switch 802 1Q tagging can only be used if the devices at both ends of a link support IEEE 802 1Q To create an 802 1Q tagged link 1 Ensure that the device at the other end of the link uses the same 802 1Q tags as your Switch that is the same VLAN IDs are configured note that VLAN IDs are global across the network 2 Place the Switch ports in the required VLANs as tag...

Page 70: ...and therefore untagged connections can be used The example shown in Figure 17 illustrates a single Switch connected to endstations and servers using untagged connections Ports 1 2 and 3 of the Switch belong to VLAN 1 ports 10 11 and 12 belong to VLAN 2 VLANs 1 and 2 are completely separate and cannot communicate with each other This provides additional security for your network Figure 17 VLAN conf...

Page 71: ...trates two Switch units Each switch has endstations and a server in VLAN 1 and VLAN 2 All endstations in VLAN 1 need to be able to connect to the server in VLAN1 which is attached to Switch 1 and all endstations in VLAN 2 need to connect to the server in VLAN2 which is attached to Switch 2 Figure 18 VLAN configuration example 802 1Q tagged connections To set up the configuration shown in Figure 18...

Page 72: ...in the appropriate VLANs as untagged members 6 Add port 11 on Switch 2 to the VLANs Add port 11 on Switch 2 as a tagged member of both VLANs 1 and 2 so that all VLAN traffic is passed over the link to Switch 1 7 Check the VLAN membership for both switches The relevant ports should be listed in the VLAN members summary 8 Connect the switches Connect port 12 on Switch 1 to port 11 on Switch 2 The VL...

Page 73: ... setting up your Switch for management see the Getting Started Guide that accompanies your Switch For detailed descriptions of the web interface operations and the command line interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch For background information on IP addre...

Page 74: ...do not have to choose between these three automatic configuration methods The Switch tries each method in a specified order as described in Automatic Process on page 75 Manual IP Configuration you can manually input the IP information IP address subnet mask and default gateway If you select an option for no IP configuration the Switch will not be accessible from a remote management workstation on ...

Page 75: ...e this address is not already in use on the network If not it will allocate this default address to the Switch If this IP address is already in use Auto IP will check once every second for three seconds for an IP address on the 169 254 x y subnet where x 1 254 and y 0 255 Auto IP only uses addresses in the range 169 254 1 0 through to 169 254 254 255 as valid addresses Once Auto IP has ensured tha...

Page 76: ...y change its IP address whilst in use Event Log Entries and Traps An event log will be generated and an SNMP trap will be sent if any of the following changes occur in the IP configuration IP address configuration is changed manually IP address changes from Auto IP to DHCP IP configuration DHCP negotiates a change in the IP configuration from Auto IP BOOTP negotiates a change in the IP configurati...

Page 77: ... Login What is Rada Auto VLAN Assignment What is Disconnect Unauthorized Device DUD What is RADIUS For detailed descriptions of the Web interface operations and the Command Line Interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch dua1730 0bAA03 book Page 77 Monday Ju...

Page 78: ... Disconnect Unauthorized Device DUD on page 85 Learning Off Only traffic received from an authorized address either configured by management or learned while the port was prevously operating in the Automatic Learning mode is forwarded While in this mode the DUD operation is enabled When a port in this mode has learned the maximum number of authorized addresses configured for the port then it will ...

Page 79: ...ting hosts is still required for example client virus isolation This mode is intended to complement 802 1X network login and can be used to authorise host access to any network resource It can only be considered secure if the MAC based authentication is configured to deny access to all secure network resources It is intended to prevent access to secure network resources if a particular edge device...

Page 80: ...witch port no intervening switch or hub as the Switch uses the link status to determine if an authorized client device is connected Network Login will not operate correctly if there is a bridge device between the client device and the Switch port or if there are multiple client devices attached via a hub to the Switch port In addition to providing protection against unauthorized network access Net...

Page 81: ...rity settings Figure 19 Network Login Operation When the client device and RADIUS server have exchanged authentication information the Switch receives either an authentication succeeded or failed message from the server and then configures the port to forward or filter traffic as appropriate If access is granted the Spanning Tree Protocol places the port into the forwarding state and the client de...

Page 82: ...thenticating its MAC address A host is allowed access to the entire network to a restricted network or no access at all The switch obtains the network access authorisation from a centrally located RADIUS server by supplying the MAC address of the host as shown in Figure 20 Figure 20 Network Login Operation via MAC Address For Rada the Switch uses PAP Password Authentication Protocol Rada has an Un...

Page 83: ...assword The username should be set as the MAC address of the device This must be of the form of Hex digits separated by hyphens for example 08 05 54 AB CD EF Table 7 Setting Rada attributes Auto VLAN Assignment Auto VLAN assignment complements the basic Network Login and Rada features It allows an appropriate VLAN configuration to be obtained from a RADIUS server when a user or device authenticate...

Page 84: ...tication on a single port could compromise the security of the entire network RADIUS Server settings for Auto VLAN When setting up Auto VLAN on a RADIUS server the following attributes must be set to supply VLAN data to the Switch Table 8 Setting Auto VLAN attributes The Tunnel Private Group ID attribute specifies the VLAN to be assigned This can take various forms to indicate if the port is untag...

Page 85: ... disabled for 20 seconds When the time period has expired the port is re enabled if the port is set to one of the Network Login security modes the client device is authenticated again Do not disable the port The port is not disabled and data from authorized client devices will continue to be transmitted whilst data from unauthorized client devices will be filtered What is RADIUS Remote Authenticat...

Page 86: ...86 CHAPTER 10 MAKING YOUR NETWORK SECURE dua1730 0bAA03 book Page 86 Monday July 11 2005 11 14 AM ...

Page 87: ... be restored onto the Switch from a remote file The configuration information is stored in an editable ASCII text file as a set of Command Line Interface CLI commands All configuration information that can be set using the Switch s Command Line Interface is saved and restored Sensitive information such as user passwords and the IP address configuration is not saved You can edit the text file and a...

Page 88: ...saved by a single user at a time The system summary CLI command displays the progress of restore and save operations to all other users When using the Configuration Save and Restore feature 3Com recommends that aggregated links are configured as either Manual aggregations with Link Aggregation Configuration Protocol LACP disabled on the ports that are to be manually placed in the aggregated link o...

Page 89: ...re Your Switch has an image of the Switching software residing in Flash memory During the software upgrade process the loading software image will always over write the existing software image In the event of a software upgrade failing you must completely reinstall the image to avoid potential complications You will not be able to run a corrupted or missing software image The CD ROM supplied with ...

Page 90: ...o power up correctly The symptoms of a failed TFTP software upgrade are the PowerOn Self Test POST has failed the Power Self Test LED is yellow all of the Port Status LEDs are Off you cannot access the Switch via Telnet dua1730 0bAA03 book Page 90 Monday July 11 2005 11 14 AM ...

Page 91: ...ES AND INDEX Appendix A Configuration Rules Appendix B Network Configuration Examples Appendix C IP Addressing Appendix D Standards Supported Glossary Index dua1730 0bAA03 book Page 91 Monday July 11 2005 11 14 AM ...

Page 92: ...92 dua1730 0bAA03 book Page 92 Monday July 11 2005 11 14 AM ...

Page 93: ...h connections up to 100 m 328 ft The different types of Gigabit Ethernet media and their specifications are detailed in Table 9 Table 9 Gigabit Ethernet cabling Gigabit Ethernet Transceivers Fiber Type Modal Bandwidth MHz km Lengths Supported Specified by IEEE meters 1000BASE LX 1000BASE SX 1000BASE T MM Multimode 62 5 µm MM 50 µm MM 50 µm MM 10 µm SM 62 5 µm MM 62 5 µm MM 50 µm MM 50 µm MM N A SM...

Page 94: ... Fast Ethernet networks Figure 21 Fast Ethernet configuration rules The key topology rules are Maximum UTP cable length is 100 m 328 ft over Category 5 cable A 412 m 1352 ft fiber link is allowed for connecting switch to switch or endstation to switch using half duplex 100BASE FX A total network span of 325 m 1066 ft is allowed in single repeater topologies one hub stack per wiring closet with a f...

Page 95: ...for all its ports including Expansion Module ports Full duplex allows packets to be transmitted and received simultaneously and in effect doubles the potential throughput of a link With full duplex the Ethernet topology rules are the same but the Fast Ethernet rules are Maximum UTP cable length is 100 m 328 ft over Category 5 cable A 2 km 6562 ft fiber link is allowed for connecting switch to swit...

Page 96: ...96 APPENDIX A CONFIGURATION RULES dua1730 0bAA03 book Page 96 Monday July 11 2005 11 14 AM ...

Page 97: ... contains the following sections Simple Network Configuration Examples Desktop Switch Example Advanced Network Configuration Examples Improving the Performance and Resilience of Your Network dua1730 0bAA03 book Page 97 Monday July 11 2005 11 14 AM ...

Page 98: ...ted 10 Mbps or 100 Mbps connections to the desktop The Switch 4200 Family stack uses one of its built in 1000BASE T ports to provide a Gigabit Ethernet link to a Switch 3870 in the basement Figure 22 Using the Switch 4200 Family in a desktop environment Switch 4200 Family stack Endstations on 10 Mbps 100 Mbps connections Local server on a switched 100 Mbps connection Local server on a switched 100...

Page 99: ...bandwidth available for the backbone connection and also provides extra resilience Figure 23 Network set up to provide resilience Endstations on 10 100 Mbps connections 100 Mbps Servers on 1000 Mbps connections with resilient links set up 1000 Mbps with aggregated links set up Server on 1000 Mbps connection with aggregated links Server on 1000 Mbps connection with aggregated links Core Switch Stac...

Page 100: ...100 APPENDIX B NETWORK CONFIGURATION EXAMPLES dua1730 0bAA03 book Page 100 Monday July 11 2005 11 14 AM ...

Page 101: ...ves a more in depth explanation of IP addresses and the way they are structured Simple Overview To operate correctly each device on your network must have a unique IP address IP addresses have the format n n n n where n is a decimal number between 0 and 255 An example IP address is 192 168 100 8 The IP address can be split into two parts The first part called the network part 192 168 in the exampl...

Page 102: ... organization responsible for supplying registered IP addresses The following contact information is correct at time of publication World Wide Web site http www internic net Advanced Overview IP addresses are 32 bit addresses that consist of a network part the address of the network where the host is located and a host part the address of the host on that network Figure 24 IP Address Network Part ...

Page 103: ...s follows Class A address Uses 8 bits for the network part and 24 bits for the host part Although only a few Class A networks can be created each can contain a very large number of hosts Class B address Uses 16 bits for the network part and 16 bits for the host part Class C address Uses 24 bits for the network part and 8 bits for the host part Each Class C network can contain only 254 hosts but ma...

Page 104: ... mask identifies the bits that constitute the subnetwork address and the bits that constitute the host address A subnet mask is a 32 bit number in the IP address format The 1 bits in the subnet mask indicate the network and subnetwork part of the address The 0 bits in the subnet mask indicate the host part of the IP address as shown in Figure 26 Figure 26 Subnet Masking Figure 27 shows an example ...

Page 105: ...th the Class B natural network mask 255 255 and the subnet mask 255 240 is sometimes called the extended network prefix Continuing with the previous example the subnetwork part of the mask uses 12 bits and the host part uses the remaining 4 bits Because the octets are actually binary numbers the number of subnetworks that are possible with this mask is 4 096 212 and the number of hosts that are po...

Page 106: ...P packets the gateway determines the next network hop on the path to the remote destination and sends the packets to that hop This could either be the remote destination or another gateway closer towards the destination This hop by hop process continues until the IP packets reach the remote destination If manually configuring IP information for the Switch enter the IP address of the default gatewa...

Page 107: ...II RFC 1213 Bridge MIB RFC 1493 RMON MIB II RFC2021 Remote Monitoring MIB RFC 1757 MAU MIB RFC 2239 Administration UDP RFC 768 IP RFC 791 ICMP RFC 792 TCP RFC 793 ARP RFC 826 TFTP RFC 783 DHCP RFC 2131 RFC 2132 RFC 1534 BOOTP RFC 951 RFC 1497 Terminal Emulation TELNET RFC 854 Network Login Network Login IEEE 802 1X RADIUS RFC 2618 2620 dua1730 0bAA03 book Page 107 Monday July 11 2005 11 14 AM ...

Page 108: ...108 APPENDIX D STANDARDS SUPPORTED dua1730 0bAA03 book Page 108 Monday July 11 2005 11 14 AM ...

Page 109: ...val of dynamic entries from the Switch Database which have timed out and are no longer valid Aggregated Links Aggregated links allow a user to increase the bandwidth and resilience between switches by using a group of ports to carry traffic between the switches auto negotiation A feature on twisted pair ports that allows them to advertise their capabilities for speed duplex and flow control When c...

Page 110: ... a network to fail Broadcast storms can be due to faulty network devices cache Stores copies of frequently accessed objects locally to users and serves them to users when requested Classifier Classifies the traffic on the network Traffic classifications are determined by protocol application source destination and so on You can create and modify classifications The Switch then groups classified tr...

Page 111: ...rox Intel and Digital Equipment Corporation Ethernet networks use CSMA CD to transmit packets at a rate of 10 Mbps over a variety of cables Ethernet address See MAC address Fast Ethernet An Ethernet system that is designed to operate at 100Mbps forwarding The process of sending a packet toward its destination using a networking device Forwarding Database See Switch Database filtering The process o...

Page 112: ...changing files text graphic images sound video and other multimedia files on the World Wide Web IEEE Institute of Electrical and Electronics Engineers This American organization was founded in 1963 and sets standards for computers and communications IEEE 802 1D A standard that defines the behavior of bridges in an Ethernet network IEEE 802 1p A standard that defines traffic prioritization 802 1p i...

Page 113: ...r 3 network protocol that is the standard for sending data through a network IP is part of the TCP IP set of protocols that describe the routing of packets to addressed devices IPX Internetwork Packet Exchange IPX is a layer 3 and 4 network protocol designed for networks that use Novell Netware IP address Internet Protocol address A unique identifier for a device attached to a network using TCP IP...

Page 114: ...nterface An Ethernet port connection where the transmitter of one device is connected to the receiver of another device MDI X Medium Dependent Interface Cross over An Ethernet port connection where the internal transmit and receive lines are crossed MIB Management Information Base A collection of information about the management characteristics and parameters of a networking device MIBs are used b...

Page 115: ...ion between a network device and a shared authentication server Rapid Spanning Tree Protocol An enhanced version of the Spanning Tree Protocol that allows faster determination of Spanning Tree topology throughout the bridged network repeater A simple device that regenerates LAN traffic so that the transmission distance of that signal can be extended Repeaters are used to connect two LANs of the sa...

Page 116: ...iably and efficiently as defined in RFC 821 SNMP Simple Network Management Protocol The current IETF standard protocol for managing devices on an TCP IP network Spanning Tree Protocol STP A bridge based system for providing fault tolerance on networks STP works by allowing you to implement parallel paths for network traffic and ensure that redundant paths are disabled when the main paths are opera...

Page 117: ...a virtual terminal service letting a user log into another computer system and access a device as if the user were connected directly to the device TFTP Trivial File Transfer Protocol Allows you to transfer files such as software upgrades from a remote device using the local management capabilities of the Switch traffic classification Traffic can be classified using one or more of types of traffic...

Page 118: ...ache A device that is installed on the network to cache frequently accessed Web pages from which they can be retrieved thus reducing network traffic over the WAN dua1730 0bAA03 book Page 118 Monday July 11 2005 11 14 AM ...

Page 119: ...ON group 60 Configuration Restore 20 87 Save 20 87 conventions notice icons About This Guide 10 text About This Guide 10 D default gateway 106 Default VLAN 67 Designated Bridge 44 Designated Bridge Port 44 DHCP 16 74 Disconnect Unauthorized Device DUD 16 85 E event notification 20 62 Events RMON group 58 60 extended network prefix 105 F Fast Ethernet configuration rules 94 Filter RMON group 58 60 ...

Page 120: ...ts permanent SDB entries 50 port costs default 43 port security 16 77 78 priority in STP 43 priority levels 802 1D 52 Q QoS apply QoS profile 56 configuring traffic on a Switch 4200 55 creating profiles 56 How traffic is processed to provide QoS 55 service levels 55 traffic classification 55 Quality of Service 19 R RADA 16 82 RADIUS 85 Rapid Spanning Tree Protocol RSTP 18 40 registered IP address ...

Page 121: ...b networks See subnets Switch Database 49 switch management login 77 T topology rules for Fast Ethernet 94 topology rules with full duplex 95 traffic classification 802 1D 52 traffic prioritization 51 802 1D 52 Trusted IP 85 U upgrade software 89 Upgrading Flash Images 89 Upgrading Management Software 89 Upgrading the Switch 4400 SE 89 V VLANs 65 802 1Q tagging 69 benefits 66 communication between...

Page 122: ...122 INDEX dua1730 0bAA03 book Page 122 Monday July 11 2005 11 14 AM ...

Reviews:

No comments

Related manuals for 3C17300-US - SuperStack 3 Switch 4226T

OEZ PS-LT Instructions For Use preview
PS-LT
Brand: OEZ Pages: 5
Xantech AC1 Installation Instructions preview
AC1
Brand: Xantech Pages: 2
AVE 8PSWT Specification preview
8PSWT
Brand: AVE Pages: 2
Audio Authority HMX-244 Installation And Operation Manual preview
HMX-244
Brand: Audio Authority Pages: 12
steute EX ZS 92 S 22 VD F Mounting And Wiring Instructions preview
EX ZS 92 S 22 VD F
Brand: steute Pages: 28
Thinklogical TXL 640 User Manual preview
TXL 640
Brand: Thinklogical Pages: 27
Xantech 680-10 Installation Instructions preview
680-10
Brand: Xantech Pages: 4
Enterasys SecureStack C3K-2XFP IOM Hardware Installation Manual preview
SecureStack C3K-2XFP IOM
Brand: Enterasys Pages: 72
SICK MSL Series Operating Instructions Manual preview
MSL Series
Brand: SICK Pages: 299
Cabletron Systems 42T User Manual preview
42T
Brand: Cabletron Systems Pages: 105
IPGARD SDHN-4D-P Quick Start Manual preview
SDHN-4D-P
Brand: IPGARD Pages: 2
ALFAtron SC61E Manual preview
SC61E
Brand: ALFAtron Pages: 23
LevelOne IGP-0401 User Manual preview
IGP-0401
Brand: LevelOne Pages: 6
MicroNet SP684C User Manual preview
SP684C
Brand: MicroNet Pages: 74
Hored AI1010G-Apollo User Manual preview
AI1010G-Apollo
Brand: Hored Pages: 4
MCOHome MH-S312 User Manual preview
MH-S312
Brand: MCOHome Pages: 3
SmartThings STH-ETH-250 Quick Start Manual preview
STH-ETH-250
Brand: SmartThings Pages: 2
ATEN Master View CS-102 User Manual preview
Master View CS-102
Brand: ATEN Pages: 11

Brands by name

Popular brands

Load more brands