manualshive.com logo in svg

3Com 3CR17501-91 - SuperStack 3 Switch 3250, Implementation Manual

Introducing the 3Com 3CR17501-91 - SuperStack 3 Switch 3250! Enhance your network with this powerful switch. Get the most out of your device with the comprehensive Implementation Manual available for download, free of charge, exclusively at manualshive.com. Harness the full potential of this product with our user-friendly manual.

Share
Download
background image

74

C

HAPTER

 10: M

AKING

 Y

OUR

 N

ETWORK

 S

ECURE

A maximum of 32 access lists can be applied under the current operating 
system. Access list rules can be applied and traffic is forwarded at wire 
speed using layer 3 destination IP addresses and network ports.

How Access Control

List Rules Work

When a packet is received on a port, it is compared against the ACL 
bound to that port. If the destination address of the packet lies within the 
address range of one of the ACL’s rules then that rule is applied. By 
default, if no access list has been defined for a network port, all IP traffic 
will be permitted. Denial is based on a pre-defined rule.

For example:

Packet destination IP address: 10.101.67.45

Rule destination address: 10.101.67.0

Rule destination mask: 255.255.255.0

Rule action: deny

As a result of the above rule, the packet matches the parameters of the 
rule and will be blocked.

Port Security

The Switch 3226 and Switch 3250 support the following port security 
modes, which you can set for an individual port or a range of ports:

No Security

Port security is disabled and all network traffic is forwarded through 
the port without any restrictions.

Static

Access will be restricted to MAC addresses that have already 
connected to the port. To add a new device, change the security 
setting for the port to 

No Security

, connect the device and change the 

setting back to 

Static

.

Network Login

When the user has been successfully authorized, all network traffic is 
forwarded through the port without any restrictions. For further 
information see 

“What is Network Login?”

 on 

page 75

.

Network Login (Secure)

When the user has been successfully authorized, only network traffic 
that is received from the authorized client device is forwarded through 

Summary of Contents for 3CR17501-91 - SuperStack 3 Switch 3250

Page 1: ...http www 3com com Part No DUA1750 0BAA01 Published December 2003 SuperStack 3 Switch 3226 and Switch 3250 Implementation Guide 3CR17500 91 3CR17501 91 ...

Page 2: ...ined in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com SuperStack and the 3Com logo are registered trademarks of 3Com Corporation Intel and Pentium are registered trademarks of Intel Corporation Microsoft MS DOS Windows and Windows NT are regis...

Page 3: ...Configuration Save and Restore 15 Multicast Filtering 16 Rapid Spanning Tree Protocol 16 Switch Database 17 Traffic Prioritization 17 Rate Limiting 17 RMON 17 Broadcast Storm Control 18 VLANs 18 Automatic IP Configuration 18 Port Security 18 IP Routing 19 Dynamic Routing 19 2 OPTIMIZING BANDWIDTH Port Features 21 Duplex 21 Flow Control 22 Auto negotiation 22 Aggregated Links 23 How 802 3ad Link Ag...

Page 4: ...ltering 34 4 USING RESILIENCE FEATURES Rapid Spanning Tree Protocol 35 Rapid Spanning Tree Protocol RSTP 36 What is STP 36 How STP Works 38 STP Requirements 38 STP Calculation 39 STP Configuration 39 STP Reconfiguration 40 How RSTP Differs to STP 40 STP Example 40 STP Configurations 42 Using STP on a Network with Multiple VLANs 44 5 USING THE SWITCH DATABASE What is the Switch Database 45 How Swit...

Page 5: ...MON and the Switch 57 Alarm Events 58 8 SETTING UP VIRTUAL LANS What are VLANs 59 Benefits of VLANs 60 VLANs and Your Switch 61 The Default VLAN 61 Communication Between VLANs 61 Creating New VLANs 63 VLANs Tagged and Untagged Membership 63 VLAN Configuration Examples 64 Using Untagged Connections 64 Using 802 1Q Tagged Connections 65 9 USING AUTOMATIC IP CONFIGURATION How Your Switch Obtains IP I...

Page 6: ...n 77 How RADIUS Authentication Works 78 Important Considerations 79 What is RADIUS 80 11 IP ROUTING What is Routing 82 Routing in a Subnetworked Environment 82 What is IP Routing 83 Benefits of IP Routing 84 IP Routing Concepts 84 Router Interfaces 84 Routing Tables 85 Layer 3 Switching 86 Multiple IP Interfaces per VLAN 87 Implementing IP Routing 88 Configuring IP VLANs 88 Establishing IP Interfa...

Page 7: ...N EXAMPLES Simple Network Configuration Example 104 Desktop Switch Example 104 Advanced Network Configuration Example 105 Edge Switch Example 105 C IP ADDRESSING IP Addresses 107 Simple Overview 107 Advanced Overview 108 Subnets and Subnet Masks 110 Default Gateways 112 D ADVANCED IP ROUTING CONCEPTS Variable Length Subnet Masks VLSMs 113 Supernetting 114 GLOSSARY INDEX ...

Page 8: ......

Page 9: ...nistrator who is responsible for configuring using and managing the Switches It assumes a working knowledge of local area network LAN operations and familiarity with communication protocols that are used to interconnect LANs For detailed descriptions of the Web interface operations and the Command Line Interface CLI commands that you require to manage the Switch please refer to the Management Inte...

Page 10: ...ample To change your password use the following syntax system password password In this example you must supply a password for password Commands The word command means that you must enter the command exactly as shown and then press Return or Enter Commands appear in bold Example To display port information enter the following command bridge port detail The words enter and type When you see the wor...

Page 11: ...s supplied in HTML format on the CD ROM that accompanies your Switch SuperStack 3 Switch 3226 and SuperStack 3 Switch 3250 Management Quick Reference Guide This guide contains a list of the features supported by your Switch a summary of the Web interface and Command Line Interface commands for the Switch Release Notes These notes provide information about the current software release including new...

Page 12: ... appropriate Example SuperStack 3 Switch 3226 and Switch 3250 Implementation Guide Part number DUA1750 0BAA01 Page 25 Please note that we can only respond to comments and questions about 3Com product documentation at this e mail address Questions related to technical support or sales should be directed in the first instance to your network supplier ...

Page 13: ...monitor the way it works you have to access the management software that resides on the Switch This is known as managing the Switch Managing the Switch can help you to improve its efficiency and therefore the overall performance of your network There are several different methods of accessing the management software to manage the Switch These methods are explained in Chapter 3 of the Getting Start...

Page 14: ... control When auto negotiation is enabled default a port advertises its maximum capabilities these capabilities are by default the parameters that provide the highest performance supported by the port SFP ports do not support auto negotiation of port speed Ports operating at 1000 Mbps only support full duplex mode For details of the auto negotiation features supported by your Switch please refer t...

Page 15: ...he configuration file You must have read write management access level to be able to save and restore the Switch configuration Important Considerations 3Com recommends the Switch unit is reset to its factory default settings before you restore a configuration onto it You can reset the Switch using the system control initialize CLI command or the System Control Initialize Web interface operation Th...

Page 16: ...HTML format on the CD ROM that accompanies your Switch Multicast Filtering Multicast filtering allows the Switch to forward multicast traffic to only the endstations that are part of a predefined multicast group rather than broadcasting the traffic to the whole network The multicast filtering system supported by your Switch uses IGMP Internet Group Management Protocol snooping to detect the endsta...

Page 17: ...apter 5 Using the Switch Database Traffic Prioritization The traffic prioritization capabilities of your Switch provides Class of Service CoS prioritization to your network You can prioritize traffic on your network to ensure that high priority data is transmitted with minimum delay For more information about traffic prioritization see Chapter 6 Using Traffic Management Rate Limiting Rate limiting...

Page 18: ...ices that can be located anywhere in a network but which communicate as if they are on the same physical segment With VLANs you can segment your network without being restricted by physical connections a limitation of traditional network design As an example with VLANs you can segment your network according to Departmental groups Hierarchical groups Usage groups For more information about VLANs se...

Page 19: ...throughout an IP network It is used to join LANs at the network layer that is Layer 3 of the OSI Open Systems Interconnection model Your Switch is optimized for Layer 3 edge configurations and has only limited functionality as a core switch Dynamic Routing Dynamic routing allows the Switch to adjust automatically to changes in network topology or traffic Routing Information Protocol RIP RIP is a d...

Page 20: ...20 CHAPTER 1 SWITCH FEATURES OVERVIEW ...

Page 21: ... Features The default state for all the features detailed below provides the best configuration for most users In normal operation you do not need to alter the Switch from its default state However under certain conditions you may wish to alter the default state of these ports for example if you are connecting to old equipment that does not comply with the IEEE 802 3x standard Duplex Full duplex a...

Page 22: ... allows ports to automatically determine the best port speed duplex mode only at 10 Mbps and 100 Mbps and flow control When auto negotiation is enabled default a port advertises its maximum capabilities these capabilities are by default the parameters that provide the highest performance supported by the port You can modify the capabilities that a port advertises on a per port basis dependant on t...

Page 23: ...0 ports When an SFP module is inserted it has priority over the 10 100 1000 port of the same number 25 26 on the Switch 3226 49 50 on the Switch 3250 The corresponding 10 100 1000 port is disabled when an SFP module is present Figure 1 shows two Switches connected using an aggregated link containing two member links If both ports on both Switch units are configured as 1000BASE TX and they are oper...

Page 24: ...sult aggregated link configurations are extremely resilient and fault tolerant Figure 2 Dynamic Reassignment of Traffic Flows The key benefits of 802 3ad link aggregation are Automatic configuration network management does not need to be used to manually aggregate links Rapid configuration and reconfiguration approximately one to three seconds Compatibility non 802 3ad devices can interoperate wit...

Page 25: ...by simply adding an extra physical link between the units The Spanning Tree costs for a port running LACP is the cost assigned for an aggregated link running at that speed As required by the IEEE Std 802 3 2002 incorporating 802 3ad no changes in cost are made according to the number of member links in the aggregated link Aggregated Links and Your Switch When any port is assigned to an aggregated ...

Page 26: ...ust not be physically connected together until the aggregated link has been correctly configured at both ends of the link Failure to configure the aggregated link at both ends before physically connecting the ports can result in a number of serious network issues such as lost packets and network loops Traffic Distribution and Link Failure on Aggregated Links To maximize throughput all traffic is d...

Page 27: ...2 Gbps aggregated link between two Switch units To manually set up this configuration 1 Prepare ports 5 and 7 on the core Switch for aggregated links To do this a Check that the ports have an identical configuration using your preferred management interface b Add the ports 5 and 7 on the specified unit to the aggregated link 2 Prepare ports 25 and 26 on the Switch 3226 or ports 49 and 50 if you ar...

Page 28: ...28 CHAPTER 2 OPTIMIZING BANDWIDTH 3 Connect port 5 on the core Switch to port 25 on the Switch 3226 4 Connect port 7 on the upper Switch to port 26 on the Switch 3226 ...

Page 29: ...lticast A multicast is a packet that is intended for one to many and many to many communication Users explicitly request to participate in the communication by joining an endstation to a specific multicast group If the network is set up correctly a multicast can only be sent to an endstation or a subset of endstations in a LAN or VLAN that belong to the relevant multicast group Multicast group mem...

Page 30: ...more logical and efficient than a unicast approach Application examples include distance learning transmitting stock quotes to brokers and collaborative computing A typical use of multicasts is in video conferencing where high volumes of traffic need to be sent to several endstations simultaneously but where broadcasting that traffic to all endstations would seriously reduce network performance Mu...

Page 31: ...ce typically a router to find out the ports that wish to join a multicast group and then sets its filters accordingly The Switch 3226 and Switch 3250 are compatible with any device that conforms to the IGMP v2 protocol The Switch does not support IGMP v3 If you have an IGMP v3 network you should disable IGMP snooping for the Switch using the snoopMode command on the Web Interface IGMP Multicast Fi...

Page 32: ...that received a report packet Enabling IGMP Multicast Learning You can enable or disable multicast learning using the Bridge Multicast Filtering IGMP snoopMode command on the Web interface For more information about enabling IGMP multicast learning please refer to the Management Interface Reference Guide supplied on your Switch CD ROM If IGMP multicast learning is not enabled then IP multicast tra...

Page 33: ...ts do not travel beyond their origin subnetworks and hosts send them at random intervals to prevent the querier from being overwhelmed A host sends a separate report for each group that it wants to join or to which it currently belongs Hosts do not send reports if they are not group members If a router does not receive at least one host report for a particular group after two queries the router as...

Page 34: ... process conserves bandwidth The alternative is for the router to wait for at least two queries to go unanswered before pruning that subnetwork from the delivery tree Role of IGMP in IP Multicast Filtering To further refine the IP multicast delivery process and maximize bandwidth efficiency the Switch filters IP multicast packets on appropriate ports using a process called IGMP snooping Both bridg...

Page 35: ... please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Rapid Spanning Tree Protocol The Rapid Spanning Tree Protocol makes your network more resilient to link failure and also provides a protection from loops one of the major causes of broadcast storms RSTP is enabled by default on your Switch To be fully effective RSTP or STP m...

Page 36: ...ds RSTP or STP will detect any misconfiguration that may cause a temporary loop and react accordingly Easy deployment throughout a legacy network through backward compatibility it will default to sending 802 1D style BPDU s on a port if it receives packets of this format it is possible for some ports on a Switch to operate in RSTP 802 1w mode and other ports for example those connected to a legacy...

Page 37: ...network configuration that creates loops Figure 6 shows the result of enabling STP on the bridges in the configuration STP detects the duplicate paths and prevents or blocks one of them from forwarding traffic so this configuration will work satisfactorily STP has determined that traffic from LAN segment 2 to LAN segment 1 can only flow through Bridges C and A because for example this path has a g...

Page 38: ... re evaluated the situation and opened the path through Bridge B How STP Works When enabled STP determines the most appropriate path for traffic through a network It does this as outlined in the sections below STP Requirements Before it can configure the network the STP system requires Communication between all the bridges This communication is carried out using Bridge Protocol Data Units BPDUs wh...

Page 39: ...the one that has the lowest Root Path Cost Note that the Root Bridge does not have a Root Port The identity of the bridge that is to be the Designated Bridge of each LAN segment The Designated Bridge is the one that has the lowest Root Path Cost from that segment Note that if several bridges have the same Root Path Cost the one with the lowest Bridge Identifier becomes the Designated Bridge All tr...

Page 40: ...nks are manually configured incorrectly that is the physical connections do not match the assignment of ports to an aggregated link RSTP and STP may not detect these loops So that RSTP and STP can detect all network loops you must ensure that all aggregated links are configured correctly How RSTP Differs to STP RSTP works in a similar way to STP but it includes additional information in the BPDUs ...

Page 41: ... Bridges B C X and Y have been defined as Root Ports because they are the nearest to the Root Bridge and therefore have the most efficient path Bridges B and X offer the same Root Path Cost for LAN segment 2 however Bridge B has been selected as the Designated Bridge for the segment because it has a lower Bridge Identifier Port 2 on Bridge B is therefore selected as the Designated Bridge Port for ...

Page 42: ...rs a duplicate path and blocks one of the links If the enabled link breaks the disabled link becomes re enabled therefore maintaining connectivity Configuration 2 Redundancy through Meshed Backbone In this configuration four Switch units are connected in a way that creates multiple paths between each one STP discovers the duplicate paths and blocks two of the links If an enabled link breaks one of...

Page 43: ...How STP Works 43 Figure 9 STP configurations ...

Page 44: ... using the 802 1Q tagged link between Switch B and Switch C By default this link has a path cost of 100 and is automatically blocked because the other Switch to Switch connections have a path cost of 36 18 18 This means that both VLANs are now subdivided VLAN 1 on Switch units A and B cannot communicate with VLAN 1 on Switch C and VLAN 2 on Switch units A and C cannot communicate with VLAN 2 on Sw...

Page 45: ...lease refer to Chapter 1 of the Getting Started Guide that accompanies your Switch For detailed descriptions of the Web interface operations and the Command Line Interface CLI commands that you require to manage the Switch please refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch How Switch Database Entries Get Added Entries are add...

Page 46: ...ion is removed from the network its entry is also removed from the database Learned entries are removed from the Switch Database if the Switch is reset or powered down Non aging learned If the aging time is set to 0 seconds all learned entries in the Switch Database become non aging learned entries This means that they are not aged out but they are still removed from the database if the Switch is ...

Page 47: ...hat is Traffic Prioritization Traffic prioritization allows high priority data such as time sensitive and system critical data to be transferred smoothly and with minimal delay over a network Traffic prioritization is most useful for critical applications that require a high level of service from the network These could include Converged network applications Used by organizations with a converged ...

Page 48: ...sification is the means of identifying which application generated the traffic so that a service level can be applied to it The three supported methods for classifying traffic are 802 1D classification is done at layer 2 of the OSI model DiffServ code point classification is done at layer 3 of the OSI model IP Port classification is done at layer 4 of the OSI model These methods can be used togeth...

Page 49: ...iority levels are fixed to the traffic queues as shown in Figure 11 Figure 11 IEEE 802 1D traffic types Figure 11 illustrates IEEE 802 1D traffic types as well as associated priority levels and how they are mapped to the four supported traffic queues DiffServ traffic classification DiffServ is an alternative method of classifying traffic so that different levels of service can be applied to it on ...

Page 50: ...ransmitted it is always tagged with a source and a destination IP port number These numbers represent the type of application that created the packet and can be used to prioritize traffic originating from different applications The transmitting endstation tags a packet with source and destination port numbers When the packet is received the Switch places the packet in the queue that corresponds to...

Page 51: ...the transmitting endstation sets the priority of each packet When the packet is received the Switch places the packet into the appropriate queue depending on its priority level for onward transmission across the network The Switch determines which queue to service next through its Weighted Round Robin queuing mechanism This method services all traffic queues giving priority to the highest priority...

Page 52: ... to prioritize the packet Configuring traffic prioritization CoS can be configured on your Switch using the Web interface or via the Command Line Interface CLI For a detailed description of the commands that you require to configure CoS refer to the Management Interface Reference Guide supplied in HTML format on the CD ROM that accompanies your Switch Limiting the Rate of a Port Limiting the rate ...

Page 53: ...age the traffic on your network Rate limiting will ensure that the traffic on a connection never exceeds the rate you specify Traffic prioritization will ensure that any packets dropped at times of network congestion are of the lowest priority Traffic prioritization and rate limiting are most effective together if the egress rate rather than the ingress rate is limited on a port that is the traffi...

Page 54: ...54 CHAPTER 6 USING TRAFFIC MANAGEMENT ...

Page 55: ...ains more about RMON It covers the following topics What is RMON Benefits of RMON RMON and the Switch What is RMON RMON is a system defined by the IETF Internet Engineering Task Force that allows you to monitor the traffic of LANs or VLANs RMON is an integrated part of the Switch software agent and continually collects statistics about a LAN segment or VLAN and transfers the information to a manag...

Page 56: ...setting thresholds and sampling intervals to generate events on any RMON variable Alarms are used to inform you of network performance problems and they can trigger automated responses through the Events group Events The Events group provides you with the ability to create entries in an event log and send SNMP traps to the management workstation Events are the action that can result from an RMON a...

Page 57: ...etwork devices at regular intervals to gather statistics and identify problems or trends As network sizes and traffic levels grow this approach places a strain on the management workstation and also generates large amounts of traffic RMON however autonomously looks at the network on behalf of the management workstation without affecting the characteristics and performance of the network RMON repor...

Page 58: ...listed in Table 5 Alarms A new or initialized Switch has the following alarm s defined for each port For more information about the alarms setup on the Switch see Alarm Events on page 58 Events A new or initialized Switch has Events defined for use with the default alarm system Table 4 RMON support supplied by the Switch RMON group Support supplied by the Switch Table 5 Alarm Events Event Action N...

Page 59: ...e Guide supplied in HTML format on the CD ROM that accompanies your Switch What are VLANs A VLAN is a flexible group of devices that can be located anywhere in a network but which communicate as if they are on the same physical segment With VLANs you can segment your network without being restricted by physical connections a limitation of traditional network design As an example with VLANs you can...

Page 60: ...ust be updated manually With a VLAN setup if an endstation in VLAN Marketing for example is moved to a port in another part of the network and retains its original subnet membership you only need to specify that the new port is in VLAN Marketing You do not need to carry out any re cabling VLANs provide extra security Devices within each VLAN can only communicate with other devices in the same VLAN...

Page 61: ...n about each VLAN on your Switch before the Switch can use it to forward traffic VLAN Name This is a descriptive name for the VLAN for example Marketing or Management 802 1Q VLAN ID This is used to identify the VLAN if you use 802 1Q tagging across your network The Default VLAN A new or initialized Switch contains a single VLAN the Default VLAN This VLAN has the following definition VLAN Name Defa...

Page 62: ...wo VLANs Figure 15 Two VLANs connected to a core switch using a third VLAN The Switch can also be used to route traffic between VLANs on a Layer 2 switch Figure 16 shows how a Layer 3 switch can be used to redirect traffic from one VLAN to another The Switch 3226 and Switch 3250 are optimized for edge switching and are not suitable as core switches in large or complex networks ...

Page 63: ... VLAN it can be an untagged member but if the port needs to be a member of multiple VLANs it must be a tagged member of all those VLANs except its default VLAN Typically endstations for example clients will be untagged members of one VLAN while inter Switch connections will be tagged members of all VLANs A port must always be an untagged member of one VLAN If a port has its untagged membership rem...

Page 64: ... Connections The simplest VLAN operates in a small network using a single switch In this network there is no requirement to pass traffic for multiple VLANs across a link All traffic is handled by the single Switch and therefore untagged connections can be used The example shown in Figure 17 illustrates a single Switch connected to endstations and servers using untagged connections Ports 1 2 and 3 ...

Page 65: ... are distributed amongst more than one Switch you must use 802 1Q tagged connections so that all VLAN traffic can be passed along the links between the Switches 802 1Q tagging can only be used if the devices at both ends of a link support IEEE 802 1Q The example shown in Figure 18 illustrates two Switch units Each Switch has endstations and a server in VLAN 1 and VLAN 2 All endstations in VLAN 1 n...

Page 66: ...66 CHAPTER 8 SETTING UP VIRTUAL LANS ...

Page 67: ...in HTML format on the CD ROM that accompanies your Switch For background information on IP addressing see Appendix C IP Addressing Automatic IP configuration only operates on the first IP interface of the Switch Additional interfaces must be configured manually How Your Switch Obtains IP Information Your Switch has two ways to obtain its IP address information Automatic IP Configuration default th...

Page 68: ...erver is on the network and working correctly it responds to the clients request with an IP address allocated from a pool of available addresses and other parameters such as a subnet mask default gateway lease time and any other options configured in the DHCP server The way a DHCP server responds is dependent on the DHCP server settings Therefore the way your DHCP server responds may be different ...

Page 69: ...Important Considerations 69 If you want DHCP to be the method for automatic configuration make sure that your DHCP servers are operating normally before you power on your Switch ...

Page 70: ...70 CHAPTER 9 USING AUTOMATIC IP CONFIGURATION ...

Page 71: ...itch 3250 can restrict management access to an IP address or range of IP addresses using the trusted IP feature You can allow an IP address or range of addresses access to one or more of the following interfaces HTTP SSL HTTPS SNMP SSH Telnet Once you enable trusted IP only those methods and IP addresses that you have allowed access will be able to manage the Switch Attempts to access a management...

Page 72: ...y and your browser may warn you that certificate has not been certified Using a properly validated certificate provides a higher level of security than the default certificate You can securely browse your Switch by using the HTTPS HTTP over SSL protocol To access the Web interface securely enter the following into your browser https xxx xxx xxx xxx where xxx xxx xxx xxx is the IP address of your S...

Page 73: ...administer your Switch using SSH start your Telnet SSH client and enter the IP address of your Switch If your Telnet SSH application supports both encrypted and unencrypted modes make sure that you have SSH encryption set At time of writing the Telnet client supplied with Windows does not support SSH Access Control Lists Access Control Lists ACLs are layer 3 instructions that can be used to filter...

Page 74: ...Rule action deny As a result of the above rule the packet matches the parameters of the rule and will be blocked Port Security The Switch 3226 and Switch 3250 support the following port security modes which you can set for an individual port or a range of ports No Security Port security is disabled and all network traffic is forwarded through the port without any restrictions Static Access will be...

Page 75: ...work Login will not operate correctly if there is a bridge device between the client device and the Switch port or if there are multiple client devices attached via a hub to the Switch port In addition to providing protection against unauthorized network access Network Login also allows the user of a port to be identified This user identification information can be used for service accounting or b...

Page 76: ...ng state and the client device can obtain an IP address If possible when a port is configured for Network Login it should also be configured to be a Spanning Tree Protocol STP edge port This minimizes the delay before STP places the port into the forwarding state For further information about RADIUS see What is RADIUS on page 80 Important Considerations This section contains some important conside...

Page 77: ... using the Web interface or the Command Line Interface you need to log in with a valid user name and password For further information on managing the Switch see the Setting Up For Management chapter in the Getting Started Guide The user name and password information can be stored in either a RADIUS server recommended If you enable RADIUS as the authentication mode of Switch Management Login the us...

Page 78: ...er names and passwords require only a single action on the RADIUS database and are reflected immediately The Switch 3226 and Switch 3250 are fully compliant with the industry standard RADIUS protocol For further information about RADIUS see What is RADIUS on page 80 How RADIUS Authentication Works When RADIUS authentication of Switch Management Login is enabled the Switch obtains the user s name a...

Page 79: ... to using the local Switch database for user authentication This allows a user with admin access to login to the Switch via the console port and continue to manage it The Web interface and Telnet do not revert to the local database and the user will not be able to log in to the Switch via the Web interface or Telnet The user names and passwords stored in the local Switch database may not be the sa...

Page 80: ...ransactions between each network device and the server are authenticated by the use of a shared secret Additional security is provided by encryption of passwords to prevent interception by a network snooper RADIUS is defined in the RFCs 2865 and 2866 Remote Authentication Dial in User Service RADIUS and RADIUS Accounting Network Login a method of port based access control and Switch Management Log...

Page 81: ...What is IP Routing Benefits of IP Routing IP Routing Concepts Multiple IP Interfaces per VLAN Implementing IP Routing IP Routing Protocols User Datagram Protocol UDP Helper Advanced IP Routing Options For detailed information on setting up your Switch for management see the Getting Started Guide that accompanies your Switch For detailed descriptions of the web interface operations and the command ...

Page 82: ...r networks to the main network Routing in a Subnetworked Environment Your Switch allows you to both perform routing and switching within your network You can streamline your network architecture by routing between subnetworks and switching within subnetworks In the example shown in Figure 21 one of the Layer 3 Switches is forwarding traffic between the Engineering and Marketing subnets reducing th...

Page 83: ...packet it does not know the complete path to a destination only the next hop the next device on the path to the destination Each hop involves three steps 1 The IP routing algorithm computes the next hop IP address and the next router interface using routing table entries 2 The Address Resolution Protocol ARP translates the next hop IP address into a physical MAC address 3 The router sends the pack...

Page 84: ...n a typical case there is no need for you to manually intervene IP Routing Concepts IP routers use the following elements to transmit packets Router Interfaces Routing Tables Layer 3 Switching Multiple IP Interfaces per VLAN Router Interfaces A router interface connects the router to a subnetwork On your Switch more than one port can connect to the same subnetwork Each router interface has an IP a...

Page 85: ...at can forward the packet toward its destination The routing table consists of the following elements Destination IP address The destination network subnetwork or host Subnet mask The subnet mask for the destination network Metric A measure of the distance to the destination In the Routing Information Protocol RIP the metric is the number of hops through routers Gateway The IP address of the route...

Page 86: ...Pv2 Default Route In addition to the routes to specific destinations a routing table can contain a default route The router uses the default route to forward packets that do not match any other routing table entry A default route is often used in place of static routes to numerous destinations that all have the same gateway IP address and interface number The default route can be configured static...

Page 87: ...own IP interface on the Switch See Chapter 8 for more information on VLANs Multiple IP Interfaces per VLAN You can overlap IP interfaces without configuring a separate VLAN for each subnet This is called multinetting Multiple IP interfaces can share the same VLAN allowing multiple subnets to be routed on the same 802 1Q VLAN You can define up to 32 IP interfaces on the Switch that is IP routing in...

Page 88: ...ng Task Force IETF assigns to your organization This address is specific to your network and Switch Refer to Appendix C for details on IP Addressing Subnet mask The 32 bit number that uses the same format and representation as an IP address The subnet mask determines which bits in the IP address are interpreted as the network number subnetwork number and the host number Each IP address bit that co...

Page 89: ... use the Routing Information Protocol RIP protocol to take advantage of routing capabilities RIP is discussed in this chapter Administering IP Routing Keep these points in mind while you administer the IP network Flush the ARP cache regularly if you set the age time to 0 Set up a default route The Switch uses the default route to forward packets that do not match any other routing table entry You ...

Page 90: ...ation of a route request Each device keeps its own set of routes in its routing table RIP is an Interior Gateway Protocol IGP for TCP IP networks RIP operates using both active and passive devices Active devices usually routers broadcast RIP messages to all devices in a network or subnetwork and update their internal routing tables when they receive a RIP message Passive devices usually hosts list...

Page 91: ... modify the update time if needed to adjust performance Send and Receive Modes The following RIP send and receive modes are supported by the Switch Table 6 RIP Parameters RIP Parameter Default Value Router Mode These RIP parameters apply to the entire Switch All other parameters are defined per interface disabled Cost The Cost value cannot be altered it is fixed at 1 1 Update Time 30 seconds Send ...

Page 92: ...Reverse Poison Reverse is a RIP feature that you use specifically with a scheme called Split Horizon The Switch disables Poison Reverse by default Split Horizon avoids the problems that reverse route updates can cause Reverse route updates are sent to a neighboring router and include the routes that are learned from that router Split Horizon omits the routes that are learned from one neighbor in t...

Page 93: ...was advertised Important Considerations Note the following considerations when you implement RIP on your Switch Use RIP 2 rather than RIP 1 if possible because RIP 2 uses subnet masking and the next hop field Subnet mask advertising allows you to use VLSM Variable Length Subnet Mask Where possible set RIP as follows Send Mode RIPv2 Receive Mode RIPv1OrRIPv2 In this way the Switch keeps track of th...

Page 94: ...mbers and IP forwarding addresses You can also have up to 4 IP address entries for the same ports You need to have a thorough understanding of your network configuration to use UDP Helper Review the network topology before you implement UDP Helper Address Resolution Protocol ARP ARP is a low level protocol that locates the MAC address that corresponds to a given IP address This protocol allows a h...

Page 95: ...ss they discard the packet When a device receives the packet and confirms that its IP address matches the target protocol address the receiving device places its MAC address in the target hardware address field and exchanges both source and target fields This packet is then sent back to the source device When the originating host or router receives this ARP reply it places the new MAC address in i...

Page 96: ...workstation then sends the frames for the remote destination to the Switch which uses its own routing table to reach the destination on the other network Example In the following example Server A cannot use the router as a gateway to Server B because Server A has its subnet mask set to broadcast using ARP its IP network address as 158 101 0 0 while the IP network address of the router is 158 101 1...

Page 97: ... reports errors back to the source when routing problems occur With ICMP you can determine whether a delivery failure resulted from a local or a remote problem Advanced IP Routing Options Your Switch has several features which further extend the networking capabilities of the device Refer to Appendix D for more information on the following Variable Length Subnet Masks VLSMs Supernetting Server A S...

Page 98: ...98 CHAPTER 11 IP ROUTING ...

Page 99: ...04 ft Category 5 cabling with connections up to 100 m 328 ft The different types of Gigabit Ethernet media and their specifications are detailed in Table 8 Table 8 Gigabit Ethernet cabling Gigabit Ethernet Transceivers Fiber Type Modal Bandwidth MHz km Lengths Supported Specified by IEEE meters 1000BASE LX 1000BASE SX 1000BASE T MM Multimode 62 5 µm MM 50 µm MM 50 µm MM 10 µm SM 62 5 µm MM 62 5 µm...

Page 100: ...ure 29 illustrates the key topology rules and provides examples of how they allow for large scale Fast Ethernet networks Figure 29 Fast Ethernet configuration rules The key topology rules are Maximum UTP cable length is 100 m 328 ft over Category 5 cable A 412 m 1352 ft fiber link is allowed for connecting switch to switch or endstation to switch using half duplex 100BASE FX ...

Page 101: ...e endstations Configuration Rules with Full Duplex The Switch provides full duplex support for all its ports excluding ports operating at Gigabit speeds Full duplex allows packets to be transmitted and received simultaneously and in effect doubles the potential throughput of a link With full duplex the Ethernet topology rules are the same but the Fast Ethernet rules are Maximum UTP cable length is...

Page 102: ...102 APPENDIX A CONFIGURATION RULES ...

Page 103: ...B NETWORK CONFIGURATION EXAMPLES This chapter contains the following sections Simple Network Configuration Example Desktop Switch Example Advanced Network Configuration Example Edge Switch Example ...

Page 104: ...tch Example The example in Figure 30 shows how a Switch 3226 can be used for a group of users that require dedicated 10 Mbps or 100 Mbps connections to the desktop It illustrates the use of VLANs to separate an area of the network and the use of an aggregated link to increase the bandwidth on key links in your network Figure 30 Using the Switch 3226 and Switch 3250 in a desktop environment ...

Page 105: ...the features supported by your Switch Edge Switch Example The example in Figure 31 shows how you can use a Switch 3250 as an edge switch in a large network It shows how you can use aggregated links to increase the bandwidth to your core network In this network end to end security can be implemented using a VLAN architecture and core traffic reduced by using Layer 3 switching at the edge Figure 31 ...

Page 106: ...106 APPENDIX B NETWORK CONFIGURATION EXAMPLES ...

Page 107: ...dress is Advanced Overview Gives a more in depth explanation of IP addresses and the way they are structured Simple Overview To operate correctly each device on your network must have a unique IP address IP addresses have the format n n n n where n is a decimal number between 0 and 255 An example IP address is 192 168 100 8 The IP address can be split into two parts The first part called the netwo...

Page 108: ...rect at time of publication World Wide Web site http www internic net Advanced Overview IP addresses are 32 bit addresses that consist of a network part the address of the network where the host is located and a host part the address of the host on that network Figure 32 IP Address Network Part and Host Part IP addresses differ from Ethernet MAC addresses which are unique hardware configured 48 bi...

Page 109: ...k part and 24 bits for the host part Although only a few Class A networks can be created each can contain a very large number of hosts Class B address Uses 16 bits for the network part and 16 bits for the host part Class C address Uses 24 bits for the network part and 8 bits for the host part Each Class C network can contain only 254 hosts but many such networks can be created The high order bits ...

Page 110: ...ns a subnetwork part a subnet mask identifies the bits that constitute the subnetwork address and the bits that constitute the host address A subnet mask is a 32 bit number in the IP address format The 1 bits in the subnet mask indicate the network and subnetwork part of the address The 0 bits in the subnet mask indicate the host part of the IP address as shown in Figure 34 Figure 34 Subnet Maskin...

Page 111: ...0 The number that includes both the Class B natural network mask 255 255 and the subnet mask 255 240 is sometimes called the extended network prefix Continuing with the previous example the subnetwork part of the mask uses 12 bits and the host part uses the remaining 4 bits Because the octets are actually binary numbers the number of subnetworks that are possible with this mask is 4 096 212 and th...

Page 112: ...ch is attached to multiple segments When it receives the IP packets the gateway determines the next network hop on the path to the remote destination and sends the packets to that hop This could either be the remote destination or another gateway closer towards the destination This hop by hop process continues until the IP packets reach the remote destination If manually configuring IP information...

Page 113: ...mask imposes on the network One subnet mask per IP network address fixes the number of subnetworks and the number of hosts per subnetwork For example if you decide to configure the 158 100 0 0 16 network with a 23 extended network prefix you can create 128 subnetworks with each having up to 510 hosts If some of the subnetworks do not need that many hosts you would assign many host IP addresses but...

Page 114: ... 16 158 101 26 32 16 158 95 80 0 8 The router selects the route to 158 101 26 0 24 because its extended network prefix has the greatest number of bits that correspond to the destination IP address of the packet See RFCs 1219 and 1878 for information about understanding and using VLSMs Supernetting Because Class B Internet addresses are in short supply larger networks are now usually granted a cont...

Page 115: ...to be the same as the netmask for any other supernet As in subnetting a netmask creates a division between the network portion of an address and the host portion of an address However since the network you are defining is larger than a Class C network the division you are creating is not in the fourth octet of the address This example creates supernets composed of fewer than 254 Class C networks S...

Page 116: ...er supernet the portion of that address space that the larger supernet was not using Because the smaller supernet netmask has more 1 bits packets whose address was part of its address space would be routed to the smaller supernet even though the address is also part of the address space dictated by the larger supernet netmask Step 2 Select a range of addresses for each supernet The range of addres...

Page 117: ...s 4 22 in the third octet This yields a netmask of 255 255 252 0 255 255 252 0 11111100 These zeros must be in the first address 255 255 252 0 11111100 Netmask First Address in Supernet 234 170 160 0 255 255 252 0 Supernet 1 10100000 11111100 234 170 164 0 255 255 252 0 Supernet 2 10100100 11111100 234 170 168 0 255 255 248 0 Supernet 3 10101000 11111000 234 170 175 0 255 255 255 0 Supernet 4 1010...

Page 118: ... of 4 so the ISP grants an address range starting at 234 170 160 0 and hopes that the block between 158 and 160 can be filled in later Supernet 2 must also begin on an even multiple of 4 The first available address after Supernet 1 conveniently fits the bill So supernet 2 extends from 234 170 164 1 to 234 170 167 254 Supernet 3 requires an even multiple of 8 It also can begin on the next available...

Page 119: ...ic cable Access Control List ACL A permission system used to restrict access to a resource An ACL comprises a list of authorized users aging The automatic removal of dynamic entries from the Switch Database which have timed out and are no longer valid Aggregated Links Aggregated links allow a user to increase the bandwidth and resilience between switches by using a group of ports to carry traffic ...

Page 120: ...work to fail Broadcast storms can be due to faulty network devices CA See Certificate Authority cache Stores copies of frequently accessed objects locally to users and serves them to users when requested Certificate Authority An organization that issues Digital Certificates Classless InterDomain Routing CIDR Routing between two subnets where the size of the subnet is explicitly stated using a Vari...

Page 121: ...s IP address endstation A computer printer or server that is connected to a network Ethernet A LAN specification developed jointly by Xerox Intel and Digital Equipment Corporation Ethernet networks use CSMA CD to transmit packets at a rate of 10 Mbps over a variety of cables Ethernet address See MAC address Fast Ethernet An Ethernet system that is designed to operate at 100Mbps forwarding The proc...

Page 122: ...s for exchanging files text graphic images sound video and other multimedia files on the World Wide Web HTTPS Hypertext Transfer Protocol over SSL The term is used to describe HTTP transfers that are encrypted using the SSL protocol IEEE Institute of Electrical and Electronics Engineers This American organization was founded in 1963 and sets standards for computers and communications IEEE Std 802 ...

Page 123: ... router that it wishes to receive transmissions addressed to a specific multicast group Based on group membership information learned from the IGMP a router is able to determine which if any multicast traffic needs to be forwarded to each of its subnetworks Intranet An Intranet is an organization wide network using Internet protocols such as web services TCP IP HTTP and HTML An Intranet is normall...

Page 124: ... protocol specified by the IEEE for determining which devices have access to a network at any one time MAC address Media Access Control address also called hardware or physical address A layer 2 address associated with a particular network device Most devices that connect to a LAN have a MAC address assigned to them as they are used to identify other devices in a network MAC addresses are 6 bytes ...

Page 125: ...ording to the type of data it carries and its progress though the network RADIUS Remote Authentication Dial In User Service An industry standard protocol for carrying authentication authorization and configuration information between a network device and a shared authentication server Rapid Spanning Tree Protocol An enhanced version of the Spanning Tree Protocol that allows faster determination of...

Page 126: ... using a switch or bridge server A computer in a network that is shared by multiple endstations Servers provide endstations with access to shared network services such as computer files and printer queues SMTP Simple Mail Transfer Protocol An IETF standard protocol used for transferring mail across a network reliably and efficiently as defined in RFC 821 SNMP Simple Network Management Protocol The...

Page 127: ... which port should forward the packet if it is to be forwarded Also known as Forwarding Database TCP IP Transmission Control Protocol Internet Protocol This is the name for two of the most well known protocols developed for the interconnection of networks Originally a UNIX standard TCP IP is now supported on almost all platforms and is the protocol of the Internet TCP relates to the content of the...

Page 128: ...bits of the address form the network part of the address VLAN Virtual LAN A group of location and topology independent devices that communicate as if they are on the same physical LAN VLAN tagging A system that allows traffic for multiple VLANs to be carried on a single link WAN Wide Area Network A communications network that covers a wide area A WAN can cover a large geographic area and may conta...

Page 129: ...57 CIDR Classless InterDomain Routing 114 Configuration Restore 15 Save 15 conventions notice icons About This Guide 10 text About This Guide 10 CoS configuring traffic 52 How traffic is processed to provide CoS 51 D data link layer IP 83 default gateway 112 default route IP 86 gateway address 89 Default VLAN 61 defining IP interfaces 89 Designated Bridge 39 Designated Bridge Port 39 disabled RIP ...

Page 130: ...res and benefits 84 OSI reference model 83 router interface 84 routing table 85 86 transmission process 83 types of routes 89 L learn RIP mode 91 learned SDB entries 46 M MAC Media Access Control addresses IP address 108 located with ARP 94 use in IP routing 96 management IP interface 85 manual configuration 67 masks subnet 88 110 Matrix RMON group 57 Max Age 40 metric RIP 85 multicast filtering 2...

Page 131: ...TP 35 avoiding the subdivision of VLANs 44 Bridge Identifier 38 Bridge Protocol Data Units 38 default port costs 39 default priority 38 Designated Bridge 39 Designated Bridge Port 39 example 40 Hello BPDUs 40 Max Age 40 priority 38 Root Bridge 38 Root Path Cost 39 Root Port 39 using on a network with multiple VLANs 44 subnet mask 110 defined 110 example 110 IP interface parameter 88 numbering 111 ...

Page 132: ...132 INDEX ...

Reviews:

No comments

Related manuals for 3CR17501-91 - SuperStack 3 Switch 3250

Raritan IP-Reach IPR-M1 Specifications preview
IP-Reach IPR-M1
Brand: Raritan Pages: 4
Intermatic T7802BC Supplementary Manual preview
T7802BC
Brand: Intermatic Pages: 1
Cabletron Systems 9F426-03 Appendix preview
9F426-03
Brand: Cabletron Systems Pages: 14
CYP CPLUS-662CVEA Operation Manual preview
CPLUS-662CVEA
Brand: CYP Pages: 68
tactio INEO-SU2402G User Manual preview
INEO-SU2402G
Brand: tactio Pages: 2
Dusun DSW-080 User Manual preview
DSW-080
Brand: Dusun Pages: 18
Enable-IT 8808F Installation Manual Manual preview
8808F
Brand: Enable-IT Pages: 49
BJ Live BJ-277 User Manual preview
BJ-277
Brand: BJ Live Pages: 2
IMI SENSORS 686B0X-0003 Installation And Operating Manual preview
686B0X-0003
Brand: IMI SENSORS Pages: 41
Oehlbach 6047 HighWay Switch User Manual preview
6047 HighWay Switch
Brand: Oehlbach Pages: 22
Omron G3M Specification Sheet preview
G3M
Brand: Omron Pages: 8
DeviceWell HDS9326 User Manual preview
HDS9326
Brand: DeviceWell Pages: 32
Festo 150860 Operating Instructions Manual preview
150860
Brand: Festo Pages: 12
Pilz 542 183 Operating Manual preview
542 183
Brand: Pilz Pages: 41
UGREEN CM416 User Manual preview
CM416
Brand: UGREEN Pages: 27
StarTech.com HB30C5A2CSC Quick Start Manual preview
HB30C5A2CSC
Brand: StarTech.com Pages: 2
GE Cync Installation Manual preview
Cync
Brand: GE Pages: 21
GE SBM Instructions Manual preview
SBM
Brand: GE Pages: 18

Brands by name

Popular brands

Load more brands