Defining Advanced ACLs

Configuration

Preparation

Before configuring an ACL rule that contains time range arguments, you need to define the corresponding time ranges first. For the configuration of time ranges, refer to "Configuring Time Ranges".

The values of the source and destination IP addresses, the type of protocol over IP, and the protocol-specific features used in the rule must have been decided on before you define the rule.

Configuration Procedure

If you specify the rule ID when defining a rule:

If a rule with the specified rule ID already exists, you edit that rule: the parts you specify replace the original content, while the other parts remain unchanged.

If no rule with the specified rule ID exists, you create and define a new rule.

The content of a modified or newly created rule must not be identical to the content of any existing rule; otherwise the modification or creation fails, and the system prompts that the rule already exists.

If you do not specify a rule ID, you create and define a new rule, and the system assigns an ID to the rule automatically.

rule-string: rule information, which can be a combination of the parameters given in Table 175. Table 175 describes the specific parameters. You must configure the protocol argument in the rule information before you can configure any other argument.

Table 174  Configure an advanced ACL rule

Operation: Enter system view
  Command: system-view
  Description: -

Operation: Enter advanced ACL view
  Command: acl number acl-number [ match-order { config | auto } ]
  Description: By default, the match order is config.

Operation: Define a rule
  Command: rule [ rule-id ] { permit | deny } rule-string
  Description: Required

Operation: Define the comment string of the ACL rule
  Command: rule rule-id comment text
  Description: Optional

Operation: Define the description information of the ACL
  Command: description text
  Description: Optional

Operation: Display ACL information
  Command: display acl { all | acl-number }
  Description: Optional. The display command can be executed in any view.

Table 175  Rule information

Parameter: protocol
  Type: Protocol type
  Function: Type of protocol over IP
  Description: When expressed as a number, the value range is 1 to 255. When expressed as a name, the value can be GRE, ICMP, IGMP, IP, IPinIP, OSPF, TCP, or UDP.

Parameter: source { sour-addr sour-wildcard | any }
  Type: Source address information
  Function: Specifies the source address information in the rule
  Description: sour-addr sour-wildcard is used to specify the source address of the packet, expressed in dotted decimal notation. any represents any source address.

Source: 3Com Switch 4200G Family Configuration Guide (4200G 12-Port 3CR17660-91, 4200G 24-Port 3CR17661-91, 4200G 48-Port 3CR17662-91), www.3Com.com, Part Number 10014915 Rev. AD, published May 2007.

Page 2: ...2 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com and...

Page 3: ...thentication Mode Being None 15 Console Port Login Configuration with Authentication Mode Being Password 18 Console Port Login Configuration with Authentication Mode Being Scheme 21 4 LOGGING IN USING MODEM Introduction 25 Configuration on the Administrator Side 25 Configuration on the Switch Side 25 Modem Connection Establishment 26 5 LOGGING IN THROUGH WEB BASED NETWORK MANAGEMENT SYSTEM Introdu...

Page 4: ...ient Configuration 53 12 VOICE VLAN CONFIGURATION Voice VLAN Configuration 55 Voice VLAN Configuration 57 Voice VLAN Displaying and Debugging 59 Voice VLAN Configuration Example 59 13 GVRP CONFIGURATION Introduction to GVRP 61 GVRP Configuration 63 Displaying and Maintaining GVRP 65 14 BASIC PORT CONFIGURATION Ethernet Port Overview 67 Configuring Ethernet Ports 69 Ethernet Port Configuration Exam...

Page 5: ...102 Telnet Configuration with Authentication Mode Being Scheme 105 Telnet Connection Establishment 109 20 MSTP CONFIGURATION MSTP Overview 113 Root Bridge Configuration 118 Leaf Node Configuration 131 The mCheck Configuration 135 Protection Function Configuration 136 BPDU Tunnel Configuration 139 Digest Snooping Configuration 141 Rapid Transition Configuration 142 MSTP Displaying and Debugging 145...

Page 6: ... Example 194 25 ARP CONFIGURATION Introduction to ARP 195 Introduction to Gratuitous ARP 197 ARP Configuration 198 Gratuitous ARP Packet Learning configuration 199 Displaying and Debugging ARP 199 26 ACL CONFIGURATION ACL Overview 201 Configuring Time Ranges 202 Defining Basic ACLs 203 Defining Advanced ACLs 204 Defining Layer 2 ACLs 207 Applying ACLs on Ports 209 Displaying and Debugging ACL Conf...

Page 7: ...Y CONFIGURATION Introduction 263 Configuring a Multicast MAC Address Entry 263 Displaying Multicast MAC Address Configuration 264 32 CLUSTER CONFIGURATION Cluster Overview 265 Management Device Configuration 268 Member Device Configuration 271 Intra Cluster Configuration 272 Displaying and Maintaining a Cluster 272 HGMP V2 Configuration Example 273 33 SNMP CONFIGURATION SNMP Overview 277 Configuri...

Page 8: ... TFTP Configuration 339 39 INFORMATION CENTER Information Center Overview 343 Information Center Configuration 345 Displaying and Debugging Information Center 350 Information Center Configuration Example 350 40 BOOTROM AND HOST SOFTWARE LOADING Introduction to Loading Approaches 353 Local Software Loading 353 Remote Software Loading 361 41 Basic System Configuration and Debugging Basic System Conf...

Page 9: ...on Example for Newly Added Cluster Functions 390 46 DHCP RELAY CONFIGURATION Introduction to DHCP Relay 393 DHCP Relay Configuration 395 Option 82 Supporting Configuration 397 DHCP Relay Displaying 399 DHCP Relay Configuration Example 399 Troubleshooting DHCP Relay 400 47 STATIC ROUTE CONFIGURATION Introduction to Static Route 401 Static Route Configuration 402 Displaying and Debugging Static Rout...

Page 10: ...8 CONTENTS ...

Page 11: ...ation information to create Voice VLAN GVRP Configuration Details GARP VLAN Registration Protocol configuration Port Operation Details how to configure Ethernet ports Link Aggregation Details how to aggregating several ports together Port Isolation Details how to configure ports to be controlled on Layer 2 DLDP Details overview and fundamentals for Device Link Detection Protocol MAC Address Table ...

Page 12: ...ls how to how to configure a basic system IP Performance Configuration Details how to configure routing protocols Network Protocol Operation Details how to configure network protocols Network Connectivity Tests Details how to perform a connectivity test Device Management Details how to manage devices VLAN VPN Details configuration information to create VLAN VPNs DHCP Relay Details Dynamic Host Con...

Page 13: ...e here and press Return or Enter when you are ready to enter the command Example in the command super level a value in the range 0 to 3 must be entered in the position indicated by level x y Alternative items one of which must be entered are grouped in braces and separated by vertical bars You must select and enter one of the items Example in the command flow control hardware none software the bra...

Page 14: ...4 ABOUT THIS GUIDE ...

Page 15: ...e the ping tracert and language mode commands are at this level Monitor level Commands at this level are mainly used to maintain the system and diagnose service problems and cannot be saved to configuration files For example the display and debugging commands are at this level System level Commands at this level are mainly used to configure services Commands concerning routing and network layers a...

Page 16: ... And by executing the system view command you can enter system view where you can enter other views by executing the corresponding commands The following CLI views are provided User view Table 1 Set a user level switching password Operation Command Description Enter system view system view Set a password for switching from a lower user level to the user level identified by the level argument super...

Page 17: ... Prompt example Enter method Quit method User view Display operation status and statistical information S4200G Enter user view once logging into the switch Execute the quit command in user view to log out of the switch System view Configure system parameters 4200G Execute the system view command in user view Execute the quit or return command to return to user view Ethernet port view ConfigureEthe...

Page 18: ...r1 Execute the local user user1 command in system view Execute the quit command to return to system view Execute the return command to return to user view User interface view Configure user interface parameters 4200G ui0 Execute the user interface 0 command in system view Execute the quit command to return to system view Execute the return command to return to user view FTP client view Configure F...

Page 19: ...n to user view Advanced ACL view Define rules for an advanced ACL ACLs with their IDs ranging from 3000 to 3999 are advanced ACLs 4200G acl adv 3000 Execute the acl number 3000 command in system view Execute the quit command to return to system view Execute the return command to return to user view Layer 2 ACL view Define the sub rules of Layer 2 ACLs which is numbered from 4000 to 4999 4200G acl ...

Page 20: ...brief descriptions The following takes the clock command as an example S4200G clock datetime Specify the time and date summer time Configure summer time timezone Configure time zone Enter a command a space and a character instead of an argument available in this position of the command on your terminal to display all the available arguments and their brief descriptions The following takes the inte...

Page 21: ...sages If the command you enter passes the syntax check it will be successfully executed otherwise an error message will appear Table 7 lists the common error messages Table 5 Displaying related operations Operation Function Press Ctrl C Suspend displaying and executing Press the space key Scroll the output information up by one page Press Enter Scroll the output information up by one line Table 6 ...

Page 22: ... the cursor one character to the left The left arrow key or Ctrl B Move the cursor one character to the left The right arrow key or Ctrl F Move the cursor one character to the right The up arrow key or Ctrl P The down arrow key or Ctrl N Access history commands The Tab key Utilize the partial online help That is when you enter an incomplete keyword and the Tab key if the entered keyword uniquely i...

Page 23: ...rough this port User Interface Number Two kinds of user interface index exist absolute user interface index and relative user interface index 1 The absolute user interface indexes are as follows AUX user interface 0 VTY user interfaces Numbered after AUX user interfaces and increases in the step of 1 2 A relative user interface index can be obtained by appending a number to the identifier of a use...

Page 24: ...pecified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Enter user interface view user interface type first number last number Set the command that is automatically executed when a user logs into the user interface aut...

Page 25: ...etting up the Connection to the Console Port Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 1 Figure 1 Diagram for setting the connection to the Console port If you use a PC to connect to the Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X and perform the configuration shown in Figure ...

Page 26: ...12 CHAPTER 3 LOGGING IN THROUGH THE CONSOLE PORT Figure 2 Create a connection Figure 3 Specify the port used to establish the connection ...

Page 27: ... 12 lists the common configuration of Console port login Table 12 Common configuration of Console port login Configuration Description Console port configuration Baud rate Optional The default baud rate is 9 600 bps Check mode Optional By default the check mode of the Console port is set to none which means no check bit Stop bits Optional The default stop bits of a Console port is 1 Data bits Opti...

Page 28: ... the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands Set the timeout time of a user interface Optional The default timeout time is 10 minutes Table 12 Common configuration of Console port login Continued Configuration Description Table 13 Console port login conf...

Page 29: ... password of a local user are configured on the switch The user name and password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Perform common configuration Perform common configuration for Console port login Optional Refer to Common Configuration for more Table 13 Console port login conf...

Page 30: ...erminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffe...

Page 31: ...e port is 19 200 bps The screen can contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Network diagram Figure 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure 1 Enter system view S4200G system view 2 Enter AUX user interface view 4200G user inte...

Page 32: ...guration with the authentication mode being password Operation Command Description Enter system view system view Enter AUX user interface view user interface aux 0 Configure to authenticate users using the local password authentication mode password Required Set the local password set authentication password cipher simple password Required Configure the Console port Set the baud rate speed speed v...

Page 33: ...ength Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle t...

Page 34: ...n mode password 4 Set the local password to 123456 in plain text 4200G ui aux0 set authentication password simple 123456 5 Specify commands of level 2 are available to users logging into the AUX user interface 4200G ui aux0 user privilege level 2 6 Set the baud rate of the Console port to 19 200 bps 4200G ui aux0 speed 19200 7 Set the maximum number of lines the screen can contain to 30 4200G ui a...

Page 35: ...l Perform AAA RADIUS configuration on the switch Refer to AAA RADIUS Configuration for more Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Specify the AAA scheme to be applied to the domain scheme local radius scheme radius scheme name local none Quit to system view quit Create a local user Enter local user view local user user name Requir...

Page 36: ...tional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command max size value Optional The default histor...

Page 37: ...port is 19 200 bps The screen can contain up to 30 lines The history command buffer can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Table 19 Determine the command level Scenario Command level Authentication mode User type Command authentication mode scheme Users logging into the Console port and pass AAA RADIUS or local authentication The user privilege level le...

Page 38: ... user interface aux 0 6 Configure to authenticate users logging in through the Console port in the scheme mode 4200G ui aux0 authentication mode scheme 7 Specify commands of level 2 are available to users logging into the AUX user interface 4200G ui aux0 user privilege level 2 8 Set the baud rate of the Console port to 19 200 bps 4200G ui aux0 speed 19200 9 Set the maximum number of lines the scre...

Page 39: ...re the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the modem from returning command response and the result save the changes You can verify your configuration by executing the AT V command The above configuration is unnecessary to the mod...

Page 40: ... mode is password Configuration on switch when the authentication mode is scheme Refer to Configuration on switch when the authentication mode is scheme Modem Connection Establishment 1 Configure the user name and password on the switch Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch when the authentication mode is password and Configuration on...

Page 41: ...telephone number to call the modem directly connected to the switch as shown in Figure 9 and Figure 10 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 9 Set the telephone number Modem Telephone line Modem Serial cable Telephone number 82882285 Console port PSTN PC Modem Telephone line Modem Serial cable Telephone number 82882285 Console p...

Page 42: ...rrect the prompt such as S4200G appears You can then configure or manage the switch You can also enter the character at anytime for help If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI Overview module for information about command level ...

Page 43: ...sole port To log into a switch through the Console port you need to connect the serial port of your PC or terminal to the Console port of the switch using a configuration cable as shown in Figure 11 Figure 11 Connect to the Console port Table 21 Requirements for logging into a switch through the Web based network management system Item Requirement Switch The management VLAN of the switch is config...

Page 44: ...e of the switch S4200G system a Enter management VLAN interface view 4200G interface vlan interface 1 b Remove the existing IP address of the management VLAN interface 4200G VLAN interface1 undo ip address c Configure the IP address of the management VLAN interface to be 10 153 17 82 4200G VLAN interface1 ip address 10 153 17 82 255 255 255 0 2 Configure the user name and the password for the Web ...

Page 45: ...s http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available 5 When the login interface shown in Figure 14 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 14 The login page of the Web based network management system PC HTTP Connectio...

Page 46: ...32 CHAPTER 5 LOGGING IN THROUGH WEB BASED NETWORK MANAGEMENT SYSTEM ...

Page 47: ... to perform related configuration on both the NMS and the switch Connection Establishment Using NMS Figure 15 Network diagram for logging in through an NMS Table 23 Requirements for logging into a switch through an NMS Item Requirement Switch The management VLAN of the switch is configured The route between the NMS and the switch is available Refer to the Management VLAN Configuration module for m...

Page 48: ...34 CHAPTER 6 LOGGING IN THROUGH NMS ...

Page 49: ...addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses WEB By source IP addresses Through basic ACLs Controlling Web Users by Source IP Address Disconnect Web users by force By executing commands in CLI Disconnecting a Web User by Force Table 25 Control Telnet users by source IP addresses Operation Command Description Enter system view system view Create a basic A...

Page 50: ... 3 deny source any 4200G acl basic 2000 quit 2 Apply the ACL 4200G user interface vty 0 4 4200G ui vty0 4 acl 2000 inbound Table 26 Define an advanced ACL Operation Command Description Enter system view system view Create an advanced ACL or enter advanced ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for...

Page 51: ...Table 27 Control network management users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragmen...

Page 52: ...ify ACLs in the two operations the switch will filter network management users by both SNMP group name and SNMP user name Configuration Example Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Network diagram Figure 17 Network diagram for controlling SNMP users using ACLs Configuration procedure 1 Define a basi...

Page 53: ...by force using the related command Configuration Example Network requirements Only the users sourced from the IP address of 10 110 100 46 are permitted to access the switch Network diagram Figure 18 Network diagram for controlling Web users using ACLs Table 28 Control Web users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL ...

Page 54: ... system view 4200G acl number 2030 match order config 4200G acl basic 2030 rule 1 permit source 10 110 100 46 0 4200G acl basic 2030 rule 2 deny source any 2 Apply the ACL to only permit the Web users sourced from the IP address of 10 110 100 46 to access the switch 4200G ip http acl 2030 ...

Page 55: ...rts with the character The sections are listed in this order system configuration section physical port configuration section logical interface configuration section routing protocol configuration section and so on A configuration file ends with a return Configuration File Related Configuration You can perform the following operations on an S4200G series switch Saving the current configuration to ...

Page 56: ...display saved configuration unit unit id by linenum Optional This command can be executed in any view Check the current configuration display current configuration configuration configuration type interface interface type interface number vlan vlan id by linenum begin include exclude regular expression Display the configuration performed in the current view display this by linenum Display the info...

Page 57: ... is hosts in a VLAN can belong to different physical network segment VLAN enjoys the following advantages 1 Broadcasts are confined to VLANs This decreases bandwidth utilization and improves network performance 2 Network security is improved VLANs cannot communicate with each other directly That is hosts in different VLANs cannot communicate with each other directly To enable communications betwee...

Page 58: ...y command in any view to view the running of the VLAN configuration and to verify the effect of the configuration Table 31 Basic VLAN configuration Operation Command Description Enter system view system view Create a VLAN and enter VLAN view vlan vlan id Required The vlan id argument ranges from 1 to 4094 Assign a name for the VLAN name Optional By default the name of a VLAN is its VLAN ID Specify...

Page 59: ...ription string of VLAN 2 to be home 4200G vlan2 description home 4 Add GigabitEthernet1 0 1 and GigabitEthernet1 0 2 ports to VLAN 2 4200G vlan2 port GigabitEthernet1 0 1 GigabitEthernet1 0 2 5 Create VLAN 3 and enter VLAN view 4200G vlan2 vlan 3 6 Add GigabitEthernet1 0 3 and GigabitEthernet1 0 4 ports to VLAN 3 4200G vlan3 port GigabitEthernet1 0 3 GigabitEthernet1 0 4 VLAN3 Switch VLAN2 VLAN3 G...

Page 60: ...46 CHAPTER 9 VLAN CONFIGURATION ...

Page 61: ...ng commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former IP address will be removed and the final IP address of the VLAN interface is the one obtained through BOOTP Static Route A static route is configured manually by an administrator You can make a network with relatively simple topology to operate properly by simply configuring static r...

Page 62: ...nt VLAN Operation Command Description Enter system view system view Configure a specified VLAN to be the management VLAN management vlan vlan id Required By default VLAN 1 operates as the management VLAN Create the management VLAN interface and enter VLAN interface view interface vlan interface vlan id Required Assign an IP address to the management VLAN interface ip address ip address net mask bo...

Page 63: ...terface vlan id Optional You can execute the display commands in any view Display the information about a management VLAN interface display interface vlan interface vlan id Display summary information about the routing table display ip routing table Display detailed information about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip ...

Page 64: ...50 CHAPTER 10 MANAGEMENT VLAN CONFIGURATION ...

Page 65: ...st configuration protocol DHCP is developed to meet these requirements It adopts the client server model The DHCP client requests configuration information from the DHCP server dynamically and the DHCP server returns corresponding configuration information based on policies A typical DHCP implementation usually involves a DHCP server and multiple clients such as PCs and portable computers as shown...

Page 66: ...ervers and broadcasts a DHCP_Request packet to each DHCP server The packet contains the IP address carried by the DHCP_Offer packet Acknowledgement Upon receiving the DHCP_Request packet the DHCP server that owns the IP address the DHCP_Request packet carries sends a DHCP_ACK packet to the DHCP client In this way the DHCP client binds TCP IP protocol components to its network adapter IP addresses ...

Page 67: ...ires The DHCP server in turn responds with a DHCP_ACK packet to notify the DHCP client of the new lease if the IP address is still available The DHCP clients implemented by the switches support this lease auto update process Introduction to BOOTP Client A BOOTP client can request the server for an IP address through BOOTP It goes through the following two phases to apply for an IP address Sending ...

Page 68: ...rface 10 4 Configure the management VLAN interface to obtain an IP address through DHCP 4200GA Vlan interface10 ip address dhcp alloc 4200GA Vlan interface10 quit 5 Configure a default route 4200GA ip route static 0 0 0 0 0 0 0 0 1 1 1 2 Table 36 Configure DHCP BOOTP client Operation Command Description Enter system view system view Required Configure a specified VLAN to be the management VLAN man...

Page 69: ...matic mode and manual mode You can configure the operation mode for a voice VLAN according to data stream passing through the ports of the voice VLAN When a voice VLAN operates in the automatic mode the switch learns source MAC addresses from untagged packets sent by IP phones an IP phone sends untagged packets when powered on and adds the port with the IP phones attached to the voice VLAN A port ...

Page 70: ...voice VLAN And the access port permits the packets of the default VLAN Hybrid Supported Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose packets are permitted by the access port Untagged voice stream Access Not supported because the default VLAN of the port must be a voice VLAN and the access port is in the voice VLAN To do so you can also add the port to ...

Page 71: ... Quit to system view quit Set an OUI address that can be identified by the voice VLAN voice vlan mac address oui mask oui mask description string Optional If you do not set the OUI address the default OUI address is used Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode is enabled Set the aging time for the voice VLAN voice vlan aging m...

Page 72: ...equired Add the port to the VLAN port port type port num Trunk or hybrid port Enter port view interface interface type interface num Add the port to the voice VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Configure the voice VLAN to be the default VLAN of the port port trunk pvid vlan vlan id port hybrid pvid vlan vlan id Optional Refer to Table 37 to determine wheth...

Page 73: ...GigabitEthernet1 0 3 port trunk pvid vlan 6 3 Enable the voice VLAN function for the port and configure the port to operate in automatic mode 4200G GigabitEthernet1 0 1 voice vlan enable 4200G GigabitEthernet1 0 1 voice vlan mode auto 4 Enable the voice VLAN function globally 4200G GigabitEthernet1 0 1 quit 4200G voice vlan 2 enable Voice VLAN Configuration Example Manual Mode Network requirements...

Page 74: ...0/3] voice vlan enable; [4200G-GigabitEthernet1/0/3] undo voice vlan mode auto; [4200G-GigabitEthernet1/0/3] quit. 4. Specify an OUI address: [4200G] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test. 5. Enable the voice VLAN function globally: [4200G] voice vlan 3 enable. 6. Display voice VLAN related configurations: [4200G] display voice vlan status. Voice Vlan status: ENABLE; Voice Vlan ID: 3; Vo...

Page 75: ...orming important functions for GARP fall into three types: Join, Leave and LeaveAll. When a GARP entity expects other switches to register certain attribute information of its own, it sends out a Join message. When a GARP entity expects other switches to unregister certain attribute information of its own, it sends out a Leave message. Once a GARP entity starts up, it starts the LeaveAll timer. After the t...

Page 76: ...RP cannot learn dynamic VLANs through this port, and the dynamic VLANs learned through other ports on this switch cannot be advertised through this port. Forbidden: in this mode, all the VLANs except VLAN 1 are unregistered on the port, and no other VLANs can be created or registered on the port. GARP operation procedure: through the mechanism of GARP, the configuration information on a GARP member will be...

Page 77: ...three parts: Attribute Length, Attribute Event and Attribute Value. Each LeaveAll attribute consists of two parts: Attribute Length and LeaveAll Event. Attribute Length: the length of the attribute, 2 to 255. Attribute Event: the event described by the attribute: 0 LeaveAll Event, 1 JoinEmpty, 2 JoinIn, 3 LeaveEmpty, 4 LeaveIn, 5 Empty. Attribute Value: the value of the attribute. The attribute value of GVRP is th...

Page 78: ...to a different type. Configure GVRP port registration mode: gvrp registration { normal | fixed | forbidden }. Optional; you can choose one of the three modes. By default, the GVRP port registration mode is normal. Table 43 Relations between the timers: Timer / Lower threshold / Upper threshold. Hold: 10 centiseconds; this upper threshold is less than or equal to one half of the timeout time of the Join timer. You can change...

Page 79: ...k-type trunk; [4200G-GigabitEthernet1/0/2] port trunk permit vlan all. c. Enable GVRP on the trunk port: [4200G-GigabitEthernet1/0/2] gvrp. Displaying and Maintaining GVRP: after the above configuration, you can use the display commands in any view to display the configuration information and operating status of GVRP and thus verify your configuration. You can use the reset garp statistics command in user vie...

Page 80: ...66 CHAPTER 13 GVRP CONFIGURATION ...

Page 81: ...used to connect user PCs. Trunk: a trunk port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs and is generally used to connect another switch. Hybrid: a hybrid port can belong to more than one VLAN. It can receive/send packets from/to multiple VLANs and can be used to connect either a switch or user PCs. A hybrid port allows the packets of multiple VLANs to be sent wi...

Page 82: ...that the port shall be added to an existing VLAN. Table 46 Processing of incoming/outgoing packets: Port type / Processing of an incoming packet (if the packet does not carry a VLAN tag; if the packet carries a VLAN tag) / Processing of an outgoing packet. Access: receive the packet and add the default tag to the packet; if the VLAN ID is just the default VLAN ID, receive the packet; if the VLAN ID is not the d...

Page 83: ...services. You can execute the broadcast-suppression command in system view or Ethernet port view. If you execute the command in system view, the command takes effect on all ports. Table 47 Make basic port configuration: Operation / Command / Remarks. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the Ethernet port: undo shutdown; by default, the port is...

Page 84: ...ratio | pps max-pps }. By default, the ratio is 100, that is, the system does not suppress broadcast traffic on the port. Table 49 Enable flow control on a port: Operation / Command / Remarks. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable flow control on the Ethernet port: flow-control; by default, flow control is not enabled on the port. Table 50 Configure...

Page 85: ...e configuration of the source port will be copied to all ports in the aggregation group. Add the current hybrid port into the specified VLAN: port hybrid vlan vlan-id-list { tagged | untagged }. Optional; for a hybrid port, you can configure to tag the packets of specific VLANs, based on which the packets of those VLANs can be processed in different ways. Table 51 Configure hybrid port attribute. Table 52 Con...

Page 86: ...the Ethernet port to run loopback test to check if it operates normally. The port running loopback test cannot forward data packets normally. The loopback test terminates automatically after a specific period. Table 54 Set loopback detection for an Ethernet port: Operation / Command / Remarks. Enter system view: system-view. Enable loopback detection globally: loopback-detection enable. Optional; by default, lo...

Page 87: ...tch A is connected to Switch B through trunk port GigabitEthernet1/0/1. Configure the default VLAN ID for the trunk port as 100. Allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass the port. Configure the Ethernet port to run loopback test: loopback { external | internal }. Optional. Table 55 Configure the Ethernet port to run loopback test. Table 56 Enable the system to test connected cabl...

Page 88: ...100 to pass the port: [4200G-GigabitEthernet1/0/1] port link-type trunk; [4200G-GigabitEthernet1/0/1] port trunk permit vlan 2 6 to 50 100. 3. Create VLAN 100: [4200G] vlan 100. 4. Configure the default VLAN ID of GigabitEthernet1/0/1 as 100: [4200G-GigabitEthernet1/0/1] port trunk pvid vlan 100. Troubleshooting Ethernet Port Configuration. Symptom: default VLAN ID configuration failed. Solution: take the following st...

Page 89: ...ttribute configuration, including port rate, duplex mode and link type (Trunk, Hybrid or Access). Introduction to LACP: the purpose of the link aggregation control protocol (LACP) is to implement dynamic link aggregation and deaggregation. This protocol is based on IEEE 802.3ad and uses LACPDUs (link aggregation control protocol data units) to interact with its peer. After LACP is enabled on a port, LACP notifies th...

Page 90: ...that is, the ports that take most precedence over other ports to selected state and the others to unselected state. Port precedence descends in the following order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The system sets the ports unable to aggregate with the master port due to some hardware limit (for example, cross-board aggregation unavailability) to unselecte...

Page 91: ...rts take most precedence over other ports to selected state and the others to unselected state. Port precedence descends in the following order: full duplex/high speed, full duplex/low speed, half duplex/high speed, half duplex/low speed. The system sets the following ports to unselected state: ports that are not connected to the same peer device as that of the master port, and ports that are connected to the s...

Page 92: ...the latter following the former, between the two parties. First compare the two system priorities, then the two system MAC addresses if the system priorities are equal. The device with the smaller device ID will be considered the preferred one. 2. Compare port IDs (consisting of two bytes of port priority and two bytes of port number, with the latter following the former) on the preferred device. The comparison betw...

Page 93: ...n higher speed if resources were allocated to it has higher priority than the other one. If the two groups can gain the same speed, the one with the smaller master port number has higher priority than the other one. When an aggregation group of higher priority appears, the aggregation groups of lower priorities release their hardware resources. For single-port aggregation groups, if they can transceive pack...

Page 94: ...regation group; after that, the system will re-aggregate the original member ports in the group to form one or more dynamic aggregation groups. You can manually add/remove a port to/from a static aggregation group, and a port can only be manually added/removed to/from a static aggregation group. When you add an LACP-enabled port to a manual aggregation group, the system will automatically disable LACP o...

Page 95: ...n execute the display commands in any view to display link aggregation conditions and verify your configuration. Add the port to the aggregation group: port link-aggregation group agg-id. Required. Enable LACP on the port: lacp enable. Optional; the system will automatically enable LACP on a port added to a static aggregation group. The default LACP state on a port is disabled. Table 60 Configure a stati...

Page 96: ...manual. b. Add ports GigabitEthernet1/0/1 through GigabitEthernet1/0/3 to aggregation group 1: [4200G] interface GigabitEthernet1/0/1; [4200G-GigabitEthernet1/0/1] port link-aggregation group 1; [4200G-GigabitEthernet1/0/1] interface GigabitEthernet1/0/2; [4200G-GigabitEthernet1/0/2] port link-aggregation group 1; [4200G-GigabitEthernet1/0/2] interface GigabitEthernet1/0/3; [4200G-GigabitEthernet1/0/3] port link-aggr...

Page 97: ...net1/0/2] interface GigabitEthernet1/0/3; [4200G-GigabitEthernet1/0/3] port link-aggregation group 1. 3. Adopting dynamic LACP aggregation mode. a. Enable LACP on ports GigabitEthernet1/0/1 through GigabitEthernet1/0/3: <S4200G> system-view; [4200G] interface GigabitEthernet1/0/1; [4200G-GigabitEthernet1/0/1] lacp enable; [4200G-GigabitEthernet1/0/1] interface GigabitEthernet1/0/2; [4200G-GigabitEthernet1/0/2] lacp enab...

Page 98: ...84 CHAPTER 15 LINK AGGREGATION CONFIGURATION ...

Page 99: ...ions to add Ethernet ports to an isolation group. Displaying Port Isolation: after the above configuration, you can execute the display command in any view to display the information about the Ethernet ports added to the isolation group. Port Isolation Configuration Example. Network requirements: PC 2, PC 3 and PC 4 are connected to GigabitEthernet1/0/2, GigabitEthernet1/0/3 and GigabitEthernet1/0/4 po...

Page 100: ...igabitEthernet1/0/2] quit; [4200G] interface GigabitEthernet1/0/3; [4200G-GigabitEthernet1/0/3] port isolate; [4200G-GigabitEthernet1/0/3] quit; [4200G] interface GigabitEthernet1/0/4; [4200G-GigabitEthernet1/0/4] port isolate; [4200G-GigabitEthernet1/0/4] quit; [4200G]. 2. Display the information about the ports in the isolation group: <S4200G> display isolate port. Isolated port(s) on UNIT 1: GigabitEthernet1/0/2, GigabitEthe...

Page 101: ...s due to illegal intrusion, or improper manner of logging on and off) are transmitted, the switch will send Trap messages to help the network administrators monitor and control such actions. 4. Binding of MAC and IP addresses to ports: binding the MAC addresses and IP addresses of authorized users to designated ports of a switch, so that only authorized users can access the ports, thereby enhances the sys...

Page 102: ...performed simultaneously. If both kinds of authentication succeed, the userlogin-secure mode takes precedence over the mac-authentication mode. mac-else-userlogin: in this mode, the MAC-based authentication is performed first. If this authentication succeeds, the mac-authentication mode is adopted; otherwise, the authentication in userlogin-secure mode is performed. userlogin-secure-ext: this mode is similar t...

Page 103: ...port in the same VLAN. Using this feature, you can bind a MAC address with a port in the same VLAN. Set the security mode of a port: port-security port-mode mode. Required; users can choose the optimal mode as necessary. Set the maximum number of MAC addresses that can be accommodated by a port: port-security max-mac-count count-value. Optional; by default, there is no limit on the number of MAC addresses. Se...

Page 104: ...t be configured with mac-address max-mac-count count. Displaying Port Security: to display port security related information after the above configuration, enter the following command in any view. Table 67 Configure Security MAC address: Operation / Command / Description. Enter system view: system-view. Enable port security: port-security enable. Required. Enter Ethernet port view: interface interface-type in...

Page 105: ...t the port mode to MAC authentication: [4200G-GigabitEthernet1/0/1] port-security port-mode mac-authentication. 5. Set the maximum number of MAC addresses accommodated by the port to 80: [4200G-GigabitEthernet1/0/1] port-security max-mac-count 80. 6. Set the NTK packet transmission mode to ntk-withbroadcasts: [4200G-GigabitEthernet1/0/1] port-security ntk-mode ntk-withbroadcasts. 7. Set the Intrusion Protection m...

Page 106: ...able the sending of intrusion trap messages: [4200G] port-security trap intrusion. 10. Bind the MAC and IP addresses of PC1 to the GigabitEthernet1/0/1 port: [4200G] am user-bind mac-address 00e0 fc00 4200G ip-address 10.153.1.1 interface GigabitEthernet1/0/1 ...

Page 107: ...ddress entry. Also known as permanent MAC address entry. This type of MAC address entry is added/removed manually and cannot age out by itself. Using static MAC address entries can reduce broadcast packets remarkably, and they are suitable for networks where network devices seldom change. Dynamic MAC address entry: this type of MAC address entry is generated by the MAC address learning mechanism a...

Page 108: ...ble. After that, the switch can directly forward other packets destined for the same network device by the newly added MAC address entry. Among the three types of packets (unicast packets, multicast packets and broadcast packets), the MAC address learning mechanism enables a switch to learn MAC addresses from only unicast packets. Aging Time of MAC Address Entries: as mentioned previously, an Ethernet switc...

Page 109: ...type of MAC address entries, such as dynamic or static MAC address entries. Setting the Maximum Number of MAC Addresses a Port Can Learn: a MAC address table too big in size may decrease the forwarding performance of the switch. By setting the maximum number of MAC addresses each port can learn, you can limit the number of MAC address entries a switch maintains. A port stops learning MAC addresses if t...

Page 110: ...et1/0/2 port, assuming that the port belongs to VLAN 1, with the MAC address of 00e0-fc35-dc71. Network diagram: Figure 29 Network diagram for MAC address table configuration. Table 72 Disable MAC address learning for a VLAN: Operation / Command / Description. Enter system view: system-view. Enter VLAN view: vlan vlan-id. Disable the switch from learning MAC addresses in the VLAN: mac-address max-mac-count 0. Requ...

Page 111: ...dress timer aging 500. 4. Display the information about the MAC address table: [4200G] display mac-address interface GigabitEthernet1/0/2. MAC ADDR / VLAN ID / STATE / PORT INDEX / AGING TIME: 00-e0-fc-35-dc-71, 1, Static, GigabitEthernet1/0/2, NOAGED; 00-e0-fc-17-a7-d6, 1, Learned, GigabitEthernet1/0/2, AGING; 00-e0-fc-5e-b1-fb, 1, Learned, GigabitEthernet1/0/2, AGING; 00-e0-fc-55-f1-16, 1, Learned, GigabitEthernet1/0/2, AGING; 4...

Page 112: ...98 CHAPTER 18 MAC ADDRESS TABLE MANAGEMENT ...

Page 113: ...igure the command level available to users logging into the VTY user interface. Optional; by default, commands of level 0 are available to users logging into a VTY user interface. Configure the protocols the user interface supports. Optional; by default, the Telnet and SSH protocols are supported. VTY terminal configuration: make terminal services available. Optional; by default, terminal services are available in...

Page 114: ...elnet configuration: Description. Table 77 Telnet configuration with the authentication mode being none: Operation / Command / Description. Enter system view: system-view. Enter one or more VTY user interface views: user-interface vty first-number [ last-number ]. Configure not to authenticate users logging into VTY user interfaces: authentication-mode none. Required; by default, VTY users are authenticated after log...

Page 115: ...r size: history-command max-size value. Optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by default. Set the timeout time of the VTY user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if...

Page 116: ...col is supported: [4200G-ui-vty0] protocol inbound telnet. 6. Set the maximum number of lines the screen can contain to 30: [4200G-ui-vty0] screen-length 30. 7. Set the maximum number of commands the history command buffer can store to 20: [4200G-ui-vty0] history-command max-size 20. 8. Set the timeout time to 6 minutes: [4200G-ui-vty0] idle-timeout 6. Telnet Configuration with Authentication Mode Being Password. Con...

Page 117: ...ines the screen can contain: screen-length screen-length. Optional; by default, the screen can contain up to 24 lines. You can use the screen-length 0 command to disable the function of displaying information in pages. Set the history command buffer size: history-command max-size value. Optional; the default history command buffer size is 10, that is, a history command buffer can store up to 10 commands by defa...

Page 118: ...ocedure: 1. Enter system view: <S4200G> system-view. 2. Enter VTY 0 user interface view: [4200G] user-interface vty 0. 3. Configure to authenticate users logging into VTY 0 using the local password: [4200G-ui-vty0] authentication-mode password. 4. Set the local password to 123456 in plain text: [4200G-ui-vty0] set authentication password simple 123456. 5. Specify that commands of level 2 are available to users logging into...

Page 119: ...local | radius-scheme radius-scheme-name [ local ] | none }. Quit to system view: quit. Create a local user and enter local user view: local-user user-name; no local user exists by default. Set the authentication password for the local user: password { simple | cipher } password. Required. Specify the service type for VTY users: service-type telnet [ level level ]. Required. Quit to system view: quit. Enter one or more VTY user in...

Page 120: ...mand buffer size is 10, that is, a history command buffer can store up to 10 commands by default. Set the timeout time for the user interface: idle-timeout minutes [ seconds ]. Optional; the default timeout time of a user interface is 10 minutes. With the timeout time being 10 minutes, the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes. You can...

Page 121: ...ted, and the service-type command specifies the available command level: determined by the service-type command. VTY users that are authenticated in the RSA mode of SSH: the user privilege level level command is not executed, and the service-type command does not specify the available command level: level 0. The user privilege level level command is not executed, and the service-type command specifies the...

Page 122: ...0 lines. The history command buffer can store up to 20 commands. The timeout time of VTY 0 is 6 minutes. Network diagram: Figure 32 Network diagram for Telnet configuration with the authentication mode being scheme. Configuration procedure: 1. Enter system view: <S4200G> system-view. 2. Create a local user named guest and enter local user view: [4200G] local-user guest. 3. Set the authentication password of the lo...

Page 123: ...and execute the ip address command. The following are the procedures to establish a Telnet connection to a switch: 1. Configure the user name and password for Telnet on the switch. Refer to Telnet Configuration with Authentication Mode Being None, Telnet Configuration with Authentication Mode Being Password, and Telnet Configuration with Authentication Mode Being Scheme for more. 2. Connect your PC to the switch...

Page 124: ...urrent Switch: you can Telnet to another switch from the current switch. In this case, the current switch operates as the client and the other operates as the server. If the interconnected Ethernet ports of the two switches are in the same LAN segment, make sure the IP addresses of the two management VLAN interfaces to which the two Ethernet ports belong are in the same network segment, or that the route...

Page 125: ...ord is correct, the CLI prompt (such as <S4200G>) appears. If all VTY user interfaces of the switch are in use, you will fail to establish the connection and receive the message "All user interfaces are used, please try later". 5. After successfully Telneting to the switch, you can configure the switch or display the information about the switch by executing the corresponding commands. You can also type a...

Page 126: ...112 CHAPTER 19 LOGGING IN THROUGH TELNET ...

Page 127: ...balances the forwarding loads of different VLANs. MSTP is compatible with both STP and RSTP. It overcomes the drawbacks of STP and RSTP: it not only enables spanning trees to converge rapidly, but also enables packets of different VLANs to be forwarded along their respective paths to provide a better load balancing mechanism with redundant links. MSTP Protocol Data Unit: a bridge protocol data unit (BPDU) is...

Page 128: ...s mapped to spanning tree instance 1, VLAN 2 is mapped to spanning tree instance 2, and other VLANs are mapped to the CIST; the same MSTP revision level (not shown in Figure 36). MSTI: a multiple spanning tree instance (MSTI) refers to a spanning tree in an MST region. Multiple spanning trees can be established in one MST region. These spanning trees are independent of each other. For example, each region in Figure...

Page 129: ...rent region roots. In region D0 shown in Figure 36, the region root of MSTI 1 is switch B and the region root of MSTI 2 is switch C. Common root bridge: the common root bridge is the root of the CIST. The common root bridge of the network shown in Figure 36 is a switch in region A0. Region edge port: a region edge port is located on the edge of an MST region and is used to connect the MST region to anoth...

Page 130: ...7 is a region edge port and it is a master port in the CIST, so it is a master port in all MSTIs in the region. Figure 37 Port roles. Port states: ports can be in the following three states. Forwarding state: ports in this state can forward user packets and receive/send BPDU packets. Learning state: ports in this state can receive/send BPDU packets. Discarding state: ports in this state can only receive BPD...

Page 131: ...ing a configuration BPDU on one of its ports from another switch. If the priority of the configuration BPDU is lower than that of the configuration BPDU of the port itself, the switch discards the BPDU and does not change the configuration BPDU of the port. If the priority of the configuration BPDU is higher than that of the configuration BPDU of the port itself, the switch replaces the configuration...

Page 132: ...with both STP and RSTP. That is, switches with MSTP employed can recognize the protocol packets of STP and RSTP and use them to generate spanning trees. In addition to the basic MSTP functions, S4200G series switches also provide the following other functions for the convenience of users managing their switches: root bridge retaining, root bridge backup, root protection, BPDU protection, loop prevention, D...

Page 133: ...witch in each spanning tree instance is determined. Network diameter configuration: Optional; the default is recommended; see Network Diameter Configuration. MSTP time-related configuration: Optional; the defaults are recommended; see MSTP Time-related Configuration. Timeout time factor configuration: Optional; see Timeout Time Factor Configuration. Maximum transmitting speed configuration: Optional; the default is recomme...

Page 134: ...uration: [4200G-mst-region] region-name info; [4200G-mst-region] instance 1 vlan 2 to 10; [4200G-mst-region] instance 2 vlan 20 to 30; [4200G-mst-region] revision-level 1; [4200G-mst-region] active region-configuration. 2. Verify the above configuration: [4200G-mst-region] check region-configuration. Table 85 Configure an MST region: Operation / Command / Description. Enter system view: system-view. Enter MST region view: stp...

Page 135: ...he root bridge and the secondary root bridge simultaneously. When the root bridge fails or is turned off, the secondary root bridge becomes the root bridge if no new root bridge is configured. If you configure multiple secondary root bridges for a spanning tree instance, the one with the smallest MAC address replaces the root bridge when the latter fails. You can specify the network diameter and the Hello...

Page 136: ...ot bridge by setting a higher bridge priority for the switch. Note that a smaller bridge priority value indicates a higher bridge priority. An MSTP-enabled switch can have different bridge priorities in different spanning tree instances. Configuration procedure. CAUTION: once you specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command, the br...

Page 137: ...in an MST region, the value of the remaining hops field in the configuration BPDU is decreased by 1 every time the configuration BPDU passes a switch. Such a mechanism disables the switches that are beyond the maximum hops from participating in spanning tree generation and thus limits the size of an MST region. With such a mechanism, the maximum hops configured on the switch operating as the root bridg...

Page 138: ...ation: you can configure three MSTP time-related parameters for a switch: Forward delay, Hello time and Max age. The Forward delay parameter sets the delay of state transition. Link problems occurring in a network result in the spanning trees being regenerated and the original spanning tree structures being changed. As the newly generated configuration BPDUs cannot be propagated across the entire network im...

Page 139: ...mended. As for the Max age parameter, if it is too small, network congestion may be falsely regarded as link problems, which results in spanning trees being frequently regenerated. If it is too large, link problems may not be found in time, which in turn handicaps spanning trees being regenerated in time and makes the network less adaptive. The default is recommended. As for the configuration of...

Page 140: ...trees may be regenerated even in a steady network if an upstream switch continues to be busy. You can configure the timeout time factor to a larger number to avoid this. Normally, the timeout time can be four or more times the Hello time. For a steady network, the timeout time can be five to seven times the Hello time. Configuration procedure. Configuration example: 1. Configure the timeout time fact...

Page 141: ...neither directly connects to other switches nor indirectly connects to other switches through network segments. After a port is configured as an edge port, rapid transition is applicable to the port. That is, when the port changes from blocking state to forwarding state, it does not have to wait for a delay. You can configure a port as an edge port in the following two ways. Table 94 Configure the maxim...

Page 142: ...ernet1/0/1] stp edged-port enable. Point-to-point Link Related Configuration: a point-to-point link directly connects two switches. If the roles of the two ports at the two ends of a point-to-point link meet certain criteria, the two ports can transit to the forwarding state rapidly by exchanging synchronization packets, eliminating the forwarding delay. You can specify whether or not the link connected...

Page 143: ...oint-to-point links: stp interface interface-list point-to-point { force-true | force-false | auto }. Required; the auto keyword is adopted by default. The force-true keyword specifies that the links connected to the specified ports are point-to-point links. The force-false keyword specifies that the links connected to the specified ports are not point-to-point links. The auto keyword specifies to automatically...

Page 144: ...view: system-view. Enable MSTP: stp enable. Required; MSTP is disabled by default. Disable MSTP on specified ports: stp interface interface-list disable. Optional; by default, MSTP is enabled on all ports after you enable MSTP in system view. To enable a switch to operate more flexibly, you can disable MSTP on specific ports. As MSTP-disabled ports do not participate in spanning tree generation, this operation...

Page 145: ...ion Configuration. MSTP Operation Mode Configuration: refer to MSTP Operation Mode Configuration. Timeout Time Factor Configuration: refer to Timeout Time Factor Configuration. Table 102 Leaf node configuration: Operation / Description / Related section. MSTP configuration: Required; to prevent network topology jitter caused by other related configurations, you are recommended to enable MSTP after performing ot...

Page 146: ...egacy: adopts the standard defined by 3Com to calculate the default path costs of ports. Table 103 Specify the standard for calculating path costs: Operation / Command / Description. Enter system view: system-view. Specify the standard to be used to calculate the default path costs of the links connected to the switch: stp pathcost-standard { dot1d-1998 | dot1t | legacy }. Optional; by default, the legacy standard is u...

Page 147: ...stance 1 to be 2,000. Configure in system view: <S4200G> system-view; System View: return to User View with Ctrl+Z; [4200G] stp interface GigabitEthernet1/0/1 instance 1 cost 2000. (Table residue for the 10 Gbps row, columns Full-duplex / Aggregated link 2 ports / Aggregated link 3 ports / Aggregated link 4 ports: 2, 1, 1, 1; 2,000, 1,000, 666, 500; 2, 1, 1, 1.) Table 105 Configure the path cost for specified ports in system view: Operation / Command / Description. En...

Page 148: ...ial to become the root port than another port with lower priority. A port on an MSTP-enabled switch can have different port priorities and play different roles in different spanning tree instances. This enables packets of different VLANs to be forwarded along different physical paths, so that load balancing can be achieved by VLAN. You can configure port priority in the following two ways. Configuring...

Page 149: ...ew with Ctrl+Z; [4200G] interface GigabitEthernet1/0/1; [4200G-GigabitEthernet1/0/1] stp instance 1 port priority 16. Point-to-point Link Related Configuration: refer to Point-to-point Link Related Configuration. MSTP Configuration: refer to MSTP Configuration. The mCheck Configuration: as mentioned previously, ports on an MSTP-enabled switch can operate in three modes: STP, RSTP and MSTP. A port on an MSTP-enabl...

Page 150: ...ices operating on the access layer directly connect to terminals such as PCs or file servers. These ports are usually configured as edge ports to achieve rapid transition. But they revert to non-edge ports automatically upon receiving configuration BPDUs, which causes spanning tree regeneration and network topology jitter. Normally, no configuration BPDU will reach edge ports. But malicious users can attac...

Page 151: ...ause of network congestion and link failures. If a switch does not receive BPDUs from the upstream switch for a certain period, the switch selects a new root port; the original root port becomes a designated port and the blocked ports transit to forwarding state. This may cause loops in the network. The loop prevention function suppresses loops. With this function enabled, a root port does not give up it...

Page 152: ...et1/0/1] stp root-protection. Loop Prevention Configuration: you can configure the loop prevention function in the following two ways. Table 111 Enable the BPDU protection function: Operation / Command / Description. Enter system view: system-view. Enable the BPDU protection function: stp bpdu-protection. Required; the BPDU protection function is disabled by default. Table 112 Enable the root protection function...

Page 153: ...orks, through which spanning trees can be generated across these user networks that are independent of those of the operator's network. Table 114 Enable the loop prevention function on specified ports in system view: Operation / Command / Description. Enter system view: system-view. Enable the loop prevention function on specified ports: stp interface interface-list loop-protection. Required; by default, the loo...

Page 154: ...rks are trunk links. As the VLAN VPN function is unavailable on ports with 802.1x, GVRP, GMRP, STP or NTDP employed, the BPDU Tunnel function is not applicable to these ports. (Figure labels: Packet ingress/egress device, Network A, Network B, Network, Operator's Network, Users' Network.) ...

Page 155: ...witch. In this way, the S4200G series switches can interwork with the partners' switches in the same MST region. Digest Snooping Configuration: configure the digest snooping feature on a switch to enable it to interwork with other switches that adopt proprietary protocols to calculate configuration digests in the same MST region through MSTIs. Prerequisites: the switch to be configured is connected to a...

Page 156: ...stream switch. An RSTP upstream switch does not send agreement packets to the downstream switch. Figure 39 and Figure 40 illustrate the RSTP and MSTP rapid transition mechanisms. Figure 39 The RSTP rapid transition mechanism (figure labels: Designated port, Root port, Upstream switch, Downstream switch, Sends proposal packets to request rapid transition, Sends agreement packets, Root port blocks other non..., changes to Forw...)

Page 157: ...rts; those operating as root ports will then send agreement packets to their upstream ports after they receive proposal packets from the upstream designated ports, instead of waiting for agreement packets from the upstream switch. This enables designated ports of the upstream switch to change their states rapidly. Rapid Transition Configuration. Prerequisites: as shown in Figure 41, an S4200G series...

Page 158: ...terface interface-type interface-number no-agreement-check. Required; by default, the rapid transition feature is disabled on a port. Table 120 Configure the rapid transition feature in Ethernet port view: Operation / Command / Description. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the rapid transition feature: stp no-agreement-check. Required; by d...

Page 159: ...ges of spanning tree instance 1 and spanning tree instance 3 respectively. Switch C is configured as the root bridge of spanning tree instance 4. Network diagram: Figure 42 Network diagram for implementing MSTP. The "Permit" shown in Figure 42 means the corresponding link permits packets of specific VLANs. Configuration procedure: 1. Configure Switch A. a. Enter MST region view: <S4200G> system-view; System View...

Page 160: ...gion] instance 4 vlan 40; [4200G-mst-region] revision-level 0. c. Activate the settings of the MST region: [4200G-mst-region] active region-configuration. d. Specify Switch B as the root bridge of spanning tree instance 3: [4200G] stp instance 3 root primary. 3. Configure Switch C. a. Enter MST region view: <S4200G> system-view; System View: return to User View with Ctrl+Z; [4200G] stp region-configuration. b. Configure the...

Page 161: ...00G-mst-region] region-name example; [4200G-mst-region] instance 1 vlan 10; [4200G-mst-region] instance 3 vlan 30; [4200G-mst-region] instance 4 vlan 40; [4200G-mst-region] revision-level 0. c. Activate the settings of the MST region: [4200G-mst-region] active region-configuration ...

Page 162: ...148 CHAPTER 20 MSTP CONFIGURATION ...

Page 163: ...rotocol over LANs The authenticator system authenticates the supplicant system The authenticator system is usually an 802 1x supported network device such as a S4200G series switch It provides the port physical or logical for the supplicant system to access the LAN The authentication server system is an entity that provides authentication service to the authenticator system Normally in the form of...

Page 164: ...ontrolled port When a controlled port is in unauthorized state you can configure it to be a unidirectional port which sends packets to supplicant systems only By default a controlled port is a unidirectional port IV The way a port is controlled A port of a S4200G series switch can be controlled in the following two ways Port based authentication When a port is controlled in this way all the suppli...

Page 165: ...cator systems through LANs EAP protocol packets are encapsulated in EAPoL format Figure 45 illustrates the structure of an EAPoL packet Figure 45 The format of an EAPoL packet In an EAPoL packet The PAE Ethernet type field holds the protocol identifier The identifier for 802 1x is 888E The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet The Type...

Page 166: ...de Identifier Length and Data fields The Data field differs with the Code field A Success or Failure packet whose format is shown in Figure 47 does not contain the Data field so has the Length field of 4 Figure 47 Data fields In a Success or Failure packet the Type field specifies the EAP authentication type A Type value of 1 indicates Identity and that the packet is used to query the identity of ...

Page 167: ...ode normally requires the RADIUS server to support the two newly added fields the EAP message field with a value of 79 and the Message authenticator field with a value of 80 Three authentication ways EAP MD5 EAP TLS transport layer security and PEAP protected extensible authentication protocol are available for the EAP relay mode EAP MD5 authenticates the supplicant system The RADIUS server sends ...

Page 168: ...ng packet (EAP-Request/Identity); handshake response packet (EAP-Response/Identity); Logoff. [Figure residue: 802.1x authentication exchange between the supplicant system, the switch and the RADIUS server. Supplicant to switch: EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Response/MD5-Challenge, EAP-Success. Switch to RADIUS server: RADIUS Access-Request (EAP-Response/Identity), RADIUS Access-Challenge (EAP-Request/MD5-Challenge), RADIUS Access-Accept (EAP-Success), RADIUS Access-Request (EAP-Respons...]

Page 169: ...om accepted to rejected. In EAP relay mode, packets are not modified during transmission. Therefore, if one of the three ways (PEAP, EAP-TLS or EAP-MD5) is used to authenticate, ensure that the authentication ways used on the supplicant system and the RADIUS server are the same. However, for the switch, you can simply enable the EAP relay mode by using the dot1x authentication-method eap command. EAP...

Page 170: ...Authentication server timer: this timer sets the server timeout period. The switch sends another authentication request packet if the authentication server fails to respond when this timer times out. [Figure residue: EAP termination exchange between the supplicant system, the switch and the RADIUS server (EAPOL on the supplicant side, RADIUS on the server side): EAPOL-Start, EAP-Request/Identity, EAP-Response/Identity, EAP-Request/MD5-Challenge, EAP-Response/MD5-Challenge, EAP-Success, RADIUS Access-Request (CHAP R...]

Page 171: ...ent. It enables a network to operate in the desired way and enables you to manage a network in an easy way. It also ensures network security. Checking the supplicant system: an S4200G series switch checks whether or not a supplicant system logs in through more than one network card, that is, whether or not more than one network adapter is active in a supplicant system when the supplicant system logs i...

Page 172: ...f you specify to use the RADIUS scheme that is to say the supplicant systems are authenticated by a remote RADIUS server you need to configure the related user names and passwords on the RADIUS server and perform RADIUS client related configuration on the switches If you specify to adopt a local authentication scheme you need to configure user names and passwords manually on the switches Users can...

Page 173: ...t1x Set port access control mode for specified ports dot1x port control authorized force unauthorized force auto interface interface list Optional By default an 802 1x enabled port operates in an auto mode Set port access method for specified ports dot1x port method macbased portbased interface interface list Optional The default port access method is MAC address based that is the macbased keyword...

Page 174: ...ver or an IE proxy By default the use of multiple network cards proxy server and IE proxy are allowed on 802 1x client If you specify CAMS to disable use of multiple network cards proxy server and IE proxy CAMS sends messages to 802 1x client to request the latter to disable the use of multiple network cards proxy server and IE proxy when a user passes the authentication Configure 802 1x timers do...

Page 175: ...ration | Command | Description. Enter system view | system-view | -. Enable 802.1x client version checking | dot1x version-check [ interface interface-list ] | Required; by default, 802.1x client version checking is disabled on a port. Configure the maximum number of retries to send version checking request packets | dot1x retry-version-max max-retry-version-value | Optional; defaults to 3. Configure the client version checki...

Page 176: ...ounting fails, the connected user has not included the domain name in the username, and there is continuous traffic below 2000 bytes for over 20 minutes. The switch is connected to a server comprising two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RADIUS server with an IP address of 10.11.1.1 operates as the primary authentication server and the secondary accounting ser...

Page 177: ...3 Network diagram for AAA configuration with 802 1x and RADIUS enabled Configuration procedure Following configuration covers the major AAA RADIUS configuration commands You can refer to AAA RADIUS Operation Manual for the information about these commands Configuration on the client and the RADIUS servers is omitted 1 Enable 802 1x globally S4200G system view System View return to User View with C...

Page 178: ...radius-radius1] timer realtime-accounting 15. 11. Specify to send user names to the RADIUS servers with the domain name removed beforehand. [4200G-radius-radius1] user-name-format without-domain. [4200G-radius-radius1] quit. 12. Create the default user domain named aabbcc.net and enter user domain view. [4200G] domain default e...

Page 179: ... Normally an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses of the attached switches HABP clients respond to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on management devices and HABP clients usually on attached switches For ease of switch management it is recommended that you enabl...

Page 180: ...cute the display command in any view Table 130 Configure an HABP client Operation Command Description Enter system view system view Enable HABP habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP for it Table 131 Display and debug HABP Operation Command Display HABP configuration and status information display habp Display the MAC address t...

Page 181: ...evice Local authentication is fast and requires lower operational cost But the information storage capacity is limited by device hardware Remote authentication Users are authenticated remotely through the RADIUS protocol both standard and extended RADIUS protocols can be used This device for example a S4200G series switch acts as the client to communicate with the RADIUS server Authorization AAA s...

Page 182: ... information interacting protocol in client server structure It can prevent unauthorized access to the network and is commonly used in network environments where both high security and remote user access service are required The RADIUS service involves three components Protocol Based on the UDP IP layer RFC 2865 and 2866 define the frame format and message transfer mechanism of RADIUS and define 1...

Page 183: ...er: Users, Clients, Dictionary. [Figure residue: RADIUS message exchange between the PC (user), the RADIUS client and the RADIUS server: 1. The user inputs the user name and password. 2. Access-Request. 3. Access-Accept. 4. Accounting-Request (start). 5. Accounting-Response. 6. The user starts to access the resources. 7. Accounting-Request (stop). 8. Accounting-Response. 9. Inform the user that the access is ended.] ...

Page 184: ...ture RADIUS uses UDP to transmit messages It ensures the correct message exchange between RADIUS server and client through the following mechanisms timer management retransmission and backup server Figure 56 depicts the structure of the RADIUS packets Figure 56 RADIUS packet structure 1 The Code field decides the type of the RADIUS packet as shown in Table 132 Code Identifier Length Authenticator ...

Page 185: ...the total length of the Attribute field in bytes including the Type Length and Value fields The Value field up to 253 bytes contains the information about the attribute Its content and format are determined by the Type and Length fields 4 Accounting Request Direction client server The client transmits this packet to the server to request the server to start or end the accounting whether to start o...

Page 186: ...S implementation. Figure 57 Part of the RADIUS packet containing extended attribute. [Table residue, RADIUS attribute types: 13 Framed-Compression; 14 Login-IP-Host; 15 Login-Service; 16 Login-TCP-Port; 17 (unassigned); 18 Reply-Message; 19 Callback-Number; 20 Callback-ID; 35 Login-LAT-Node; 36 Login-LAT-Group; 37 Framed-AppleTalk-Link; 38 Framed-AppleTalk-Network; 39 Framed-AppleTalk-Zone; 40-59 (reserved for accounting); 60 CHAP-Challenge; 61 NAS-Port-Typ...]

Page 187: ...US accounting servers Required Configuring RADIUS Accounting Servers Configure shared keys for RADIUS packets Optional Configuring Shared Keys for RADIUS Packets Configure the maximum number of transmission attempts of RADIUS requests Optional Configuring the Maximum Number of Transmission Attempts of RADIUS Requests Configure the supported RADIUS server type Optional Configuring the Supported RAD...

Page 188: ...he attributes of an ISP domain Operation Command Description Enter system view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name Required Activate deactivate the ISP domain state active block Optional By default once an ISP domain is created it is in the active state and all the users in this domain are allowed to access the network Set the maximum number...

Page 189: ... you specify a RADIUS scheme the authentication authorization and accounting will be uniformly implemented by the RADIUS server specified in the RADIUS scheme In this way you can specify only one scheme to implement all the three AAA functions and do not need to specify different schemes for authentication authorization and accounting respectively CAUTION You can execute the scheme command with th...

Page 190: ...entication authorization and accounting schemes the separate ones will be adopted in precedence RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain if the scheme radius scheme or scheme local command is executed the authorization none command is executed wh...

Page 191: ...the corresponding VLAN. Otherwise, the VLAN assignment fails and the user cannot pass the authentication. In actual applications, to use this feature together with Guest VLAN, you had better set port control to port-based mode; if you set port control to MAC-address-based mode, each port can be connected to only one user. CAUTION: In string mode, if the VLAN ID assigned by the RADIUS server is a characte...

Page 192: ... local user user name Required By default there is no local user in the system Set a password for the specified user password simple cipher password Optional Set the password display mode of all local users local user password display mode cipher force auto Optional By default the password display mode of all access users is auto indicating the passwords of access users are displayed in the modes ...

Page 193: ...er and at the same time you should keep the RADIUS service port settings on the switch consistent with those on the RADIUS servers Actually the RADIUS protocol configuration only defines the parameters used for information exchange between the switch and the RADIUS servers To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain vi...

Page 194: ...e primary server are 0 0 0 0 and 1812 respectively Set the IP address and port number of the secondary RADIUS authentication authorization server secondary authentication ip address port number Optional By default the IP address and UDP port number of the secondary server are 0 0 0 0 and 1812 respectively Table 144 Configure RADIUS accounting server Operation Command Description Enter system view ...

Page 195: ...s and the port number of the default primary accounting server system are 127 0 0 1 and 1646 Currently RADIUS does not support the accounting of FTP users Configuring Shared Keys for RADIUS Packets The RADIUS client and server adopt MD5 algorithm to encrypt the RADIUS packets exchanged with each other The two parties verify the validity of the exchanged packets by using the shared keys that have b...

Page 196: ...ds the time set with the timer quiet command the switch will try to communicate with the primary server again when it receives a RADIUS request If the primary server recovers the switch immediately restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to the active state while keeping the...

Page 197: ... are in the active state and the RADIUS servers in the default RADIUS scheme system are in the block state Set the status of the primary RADIUS accounting server state primary accounting block active Set the status of the secondary RADIUS authentication authori zation server state secondary authentication block active Set the status of the secondary RADIUS accounting server state secondary account...

Page 198: ... out a RADIUS request authentication authorization request or accounting request and waiting for a period of time it should retransmit the packet to ensure that the user can obtain the RADIUS service This wait time is called response timeout time of RADIUS servers and the timer in the switch system that is used to control this wait time is called the response timeout timer of RADIUS servers For th...

Page 199: ...this case the user can access the network again only after the CAMS administrator manually removes the online information of the user Table 151 Set the timers of RADIUS server Operation Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system S...

Page 200: ...he attribute be sure to configure an appropriate and legal IP address If this attribute is not configured the switch will automatically use the IP address of the VLAN interface as the NAS IP address Displaying AAA RADIUS Information After the above configurations you can execute the display commands in any view to view the operation of AAA and RADIUS and verify your configuration You can use the r...

Page 201: ...shared key it uses to exchange packets with the switch to expert Set the port number for authentication Add Telnet user names and login passwords The Telnet user name added to the RADIUS server must be in the format of userid isp name if you have configure the switch to include domain names in the user names to be sent to the RADIUS server Table 155 Display RADIUS protocol information Operation Co...

Page 202: ...00G domain cams 4200G isp cams scheme radius scheme cams A Telnet user logging into the switch by a name in the format of userid cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain Local Authentication of FTP Telnet Users The configuration procedure for the local authentication of FTP users is similar to that of Telnet users The following des...

Page 203: ...stem scheme local A Telnet user logging into the switch with the name telnet system belongs to the system domain and will be authenticated according to the configuration of the system domain 2 Method 2 using a local RADIUS server This method is similar to the remote authentication method described in Remote RADIUS Authentication of Telnet SSH Users You only need to change the server IP address the...

Page 204: ...DIUS packets cannot be sent to the RADIUS server Possible reasons and solutions The communication links physical link layer between the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked None or incorrect RADIUS server IP address is set on the switch Be sure to set a correct RADIUS server IP address One or all AAA UDP port settings are incorrec...

Page 205: ...C address mode, a switch sends the detected user MAC addresses to the RADIUS server as both user names and passwords. The remaining handling procedures are the same as those of 802.1x. In fixed mode, a switch sends the user name and password previously configured for the user to be authenticated to the RADIUS server, and inserts the MAC address of the user in the Calling-Station-Id field of the RADIUS packet. The...

Page 206: ...em view system view Enable centralized MAC address authentication globally mac authentication Required By default centralized MAC address authentication is globally disabled Enable centralized MAC address authentication for specified ports mac authentication interface interface list Required By default centralized MAC address authentication is disabled on a port Table 157 Configure centralized MAC...

Page 207: ...n Displaying and Debugging Centralized MAC Address Authentication After the above configuration you can execute the display command in any view to display system running of centralized MAC address authentication configuration and to verify the effect of the configuration Table 159 Configure the ISP domain for MAC address authentication users Operation Command Description Enter system view system v...

Page 208: ...onfigure a local user For other related configuration refer to the configuration examples in Chapter 21 1 Enable centralized MAC address authentication for GigabitEthernet 1 0 2 port S4200G system view 4200G mac authentication interface GigabitEthernet 1 0 2 2 Configure centralized MAC address authentication mode as MAC address mode 4200G mac authentication authmode usernameasmacaddress 3 Add a lo...

Page 209: ...quest for As for an ARP reply packets all the fields are set Table 163 describes the fields of an ARP packet Table 162 Structure of an ARP request reply packet Hardware type 16 bits Protocol type 16 bits Length of hardware address Length of protocol address Operator 16 bits IP Address of the sender Hardware address of the sender IP Address of the receiver Hardware address of the receiver Table 163...

Page 210: ... with the local host Figure 60 An ARP table Hardware address of the receiver For an ARP request packet this field is null For an ARP reply packet this field carries the hardware address of the receiver IP address of the receiver IP address of the receiver Table 164 Description on the values of the hardware type field Type Description 1 Ethernet 2 Experimental Ethernet 3 X 25 4 Proteon ProNET 5 Cha...

Page 211: ...ss carried in the request packet that is the IP address and the MAC address of the sender Host A to its ARP mapping table and then sends a ARP reply packet to the sender Host A with its MAC address inserted to the packet Note that the ARP reply packet is a unicast packet instead of a broadcasted packet Upon receiving the ARP reply packet Host A extracts the IP address and the corresponding MAC add...

Page 212: ...ing ports from VLANs may cause the corresponding ARP entries to be removed automatically. As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN. Configuring the ARP Aging Timer for Dynamic ARP Entries: the ARP aging timer applies to all dynamic ARP mapping ...

Page 213: ... function Operation Command Description Enter system view system view Enable the ARP entry checking function that is disable the switch from creating multicast MAC address ARP entries for MAC addresses learned arp check enable Optional By default the ARP entry checking function is enabled Table 170 Configure the gratuitous ARP packet learning function Operation Command Description Enter system vie...

Page 214: ... setting of the ARP aging timer display arp timer aging This command can be executed in any view Clear ARP mapping entries reset arp dynamic static interface interface type interface number Table 171 Display and debug ARP Operation Command Remark ...

Page 215: ...mation such as the source and destination MAC address information VLAN priority Layer 2 protocol and so on ACL Application on the Switch ACLs activated directly on the hardware In the switch an ACL can be directly activated on the switch hardware for packet filtering and traffic classification in the data forwarding process In this case the match order of multiple rules in an ACL is determined by ...

Page 216: ...packets by differentiating the time ranges A time range can be specified in each rule in an ACL If the time range specified in a rule is not configured the system will give a prompt message and allow the rule to be successfully created However the rule does not take effect immediately It takes effect only when the specified time range is configured and the system time is within the time range Ther...

Page 217: ...guration Example Define a time range that will be active from 8 00 to 18 00 Monday through Friday S4200G system view 4200G time range test 8 00 to 18 00 working day 4200G display time range test Current time is 13 27 32 4 16 2005 Saturday Time range test Inactive 08 00 to 18 00 working day Defining Basic ACLs A basic ACL defines rules only based on the L3 source IP addresses to analyze and process...

Page 218: ...step is 1 rule 0 deny source 1 1 1 1 0 0 times matched Defining Advanced ACLs Advanced ACLs define classification rules according to the source and destination IP addresses of packets the type of protocol over IP and protocol specific features such as TCP UDP source and destination ports TCP flag bit ICMP protocol type code and so on The value range for advanced ACL numbers is 3 000 to 3 999 Advan...

Page 219: ...atically. rule-string: rule information, which can be a combination of the parameters given in Table 175; Table 175 describes the specific parameters. You must configure the protocol argument in the rule information before you can configure other arguments. Table 174 Configure an advanced ACL rule. Operation | Command | Description. Enter system view | system-view | -. Enter advanced ACL view | acl number acl-number [ mat...

Page 220: ...ption source portoperator port1 port2 Source port s Defines the source port information of UDP TCP packets The value of operator can be lt less than gt greater than eq equal to neq not equal to or range within the range of Only the range operator requires two port numbers as the operands and other operators require only one port number as the operand port1 and port2 TCP UDP port number s expressed...

Page 221: ...an ACL rule containing time range arguments you need to configure define the corresponding time ranges For the configuration of time ranges refer to Advanced ACL The values of the source and destination MAC addresses VLAN priority and Layer 2 protocol in the rule have been defined Table 178 ICMP messages Name ICMP TYPE ICMP CODE echo Type 8 Code 0 echo reply Type 0 Code 0 fragmentneed DFset Type 3...

Page 222: ... Define a rule | rule [ rule-id ] { permit | deny } rule-string | Required. Define the comment string of the ACL rule | rule rule-id comment text | Optional. Define the description information of the ACL | description text | Optional. Display ACL information | display acl { all | acl-number } | Optional; the display command can be executed in any view. Table 180 Rule information. Parameter | Type | Function | Description. format-type | Link l...

Page 223: ...7 time range time name Time range information Specifies the time range in which the rule is active time name specifies the name of the time range in which the rule is active a string of 1 to 32 characters type protocol type protocol mask Protocol type of Ethernet frames Defines the protocol type of Ethernet frames protocol type protocol type protocol mask protocol type mask Table 180 Rule informat...

Page 224: ...t departments are interconnected on the intranet through the ports of the Switch The wage query server of the financial department is accessed through GigabitEthernet1 0 1 the subnet address is 129 110 1 2 It is required that an ACL be correctly configured to prohibit access to the wage server by other departments during the working hours 8 00 to 18 00 Network diagram Figure 61 Network diagram for...

Page 225: ...k requirements Through basic ACL configuration packets from the host with the source IP address of 10 1 1 1 the host is connected to the switch through Ethernet1 0 1 are to be filtered within the time range from 8 00 to 18 00 everyday Network diagram Figure 62 Network diagram for basic ACL configuration Configuration procedure Only the commands related to the ACL configuration are listed below 1 D...

Page 226: ...ge from 8 00 to 18 00 S4200G system view 4200G time range test 8 00 to 18 00 daily 2 Define an ACL for packets with the source MAC address of 00e0 fc01 0101 and destination MAC address of 00e0 fc01 0303 Enter Layer 2 ACL view of ACL 4000 4200G acl number 4000 3 Define a traffic classification rule for packets with the source MAC address of 00e0 fc01 0101 and destination MAC address of 00e0 fc01 03...

Page 227: ...ification Traffic classification means to identify packets conforming to certain characters according to certain rules A classification rule is a filter rule configured to meet your management requirements It can be very simple For example you can use a classification rule to identify traffic with different priorities according to the ToS field in the IP packet header It can be very complicated to...

Page 228: ...ual leased line Assured forwarding AF class This class is further divided into four subclasses AF1 2 3 4 and a subclass is further divided into three drop priorities so the AF service level can be segmented The QoS rank of the AF class is lower than that of the EF class Class selector CS class This class comes from the IP TOS field and includes 8 classes Best Effort BE class This class is a specia...

Page 229: ...class defined by IEEE to indicate a packet with an 802 1Q tag Figure 66 describes the detailed contents of an 802 1Q tag header Figure 66 802 1Q tag headers In Figure 66 the 3 bit priority field in TCI is 802 1p priority in the range of 0 to 7 The 3 bits specify the precedence of the frame 8 classes of precedence are used to determine which packet is sent preferentially when the switch is congeste...

Page 230: ...P and TS The network will be made more congested by plenty of continuous burst packets if the traffic of each user is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more users For example the traffic can only get its committed resources in an interval to avoid network congestion caused by excess burst...

Page 231: ...some tokens whose number is corresponding to the packet forwarding authority if the number of tokens in the bucket is not enough it means that too many tokens have been used and the traffic is excess 2 Complicated evaluation You can set two token buckets in order to evaluate more complicated conditions and implement more flexible regulation policies For example TP includes 4 parameters CIR CBS PIR...

Page 232: ...f internet service providers ISP TP can classify the policed traffic and perform pre defined policing actions according to different evaluation results These actions include Forward Forward the packet whose evaluation result is conforming or mark DSCP precedence for Diff Serv packets and then forward them Drop Drop the packet whose evaluation result is nonconforming Modify the precedence and forwa...

Page 233: ... is that they demand preferential service in congestion in order to reduce the response delay Assume that there are 8 output queues on the port and the preferential queue classifies the 8 output queues on the port into 8 classes which are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In the queue scheduling SP sends packets in the queue with higher ...

Page 234: ... a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use of SDWRR queue Comparing with WRR queue SDWRR queue further optimizes the delay and variation for different queues For example configure the weight value of queue0 and queue1 to 5 and 3 respectively The processing procedures of WRR and SDWRR are as follows WRR The packets whose weight value is ...

Page 235: ... port and search the precedence mapping, and assign local precedence and drop precedence for the packet. [Flowchart residue, repeated: for packets on the receiving port, the Y/N decision branches are: process according to the precedence of the packets, following the priority trust mode on the receiving port; or mark the packet with the precedence of the receiving port, search the precedence mapping, and assign precedence for the packet.] ...

Page 236: ...kets [Figure residue, repeated four times: DSCP-to-other-precedence mapping, columns DSCP / Drop / Local pre / 802.1p: 0 / 0 / 0 / 1; 8 / 0 / 1 / 2; 16 / 0 / 2 / 0; 24 / 0 / 3 / 3; 32 / 0 / 4 / 4; 40 / 0 / 5 / 5; 48 / 0 / 6 / 6; 56 / 0 / 7 / 7.] COS: according to the COS (802.1p) precedence, assign other precedence for the packet. ...

Page 237: ...SCP precedence by DSCP-to-DSCP mapping, then searches the DSCP-to-other-precedence mapping table through the new DSCP precedence and replaces the precedence carried in the packet with the mapped precedence. [Figure residue, repeated: a DSCP-to-DSCP mapping table with sample values (18, 63, 16, 62, 8, 2, 2, 1, 1, 0), and the resulting DSCP-to-other-precedence rows, columns 802.1p / Drop / Local pre / DSCP: 7 / 0 / 6 / 62; 7 / 0 / 7 / 63; 1 / 0 / 1 / 2; 1 / 0 / 0 / 1; 1 / 0 / 2 / 0.] ...

Page 238: ...rface gigabitethernet1 0 1 4200G GigabitEthernet1 0 1 undo priority trust 4200G GigabitEthernet1 0 1 priority 7 Setting to Trust the 802 1p priority of the Packets Refer to Trusting the 802 1p priority of the Packets for the description on trusting the 802 1p priority of the packets You can modify the COS other precedence mapping relationship as required Traffic statistics Supported traffic statis...

Page 239: ...specified to trusting the 802.1p priority of the packets. The value of the COS-to-other-precedence mapping table is specified. Table 190 The COS-to-other-precedence mapping table and its default value (802.1p / Local pre / Drop / DSCP): 0/2/0/16; 1/0/0/0; 2/1/0/8; 3/3/0/24; 4/4/0/32; 5/5/0/40; 6/6/0/48; 7/7/0/56 ...

Page 240: ...ault value. Modify the COS-to-Drop precedence mapping relationship: qos cos-drop-precedence-map cos0-map-drop-prec cos1-map-drop-prec cos2-map-drop-prec cos3-map-drop-prec cos4-map-drop-prec cos5-map-drop-prec cos6-map-drop-prec cos7-map-drop-prec. Modify the COS-to-DSCP precedence mapping relationship: qos cos-dscp-map cos0-map-dscp cos1-map-dscp cos2-map-dscp cos3-map-dscp cos4-map-dscp cos5-map-dscp cos6...

Page 241: ...w DSCP precedence and assign other precedence for the packets. Configuration prerequisites: The priority trust mode is specified to trusting the DSCP precedence of the packets. The mode adopted in trusting the DSCP precedence (automap, remap, or the default mode) is specified. The value of the DSCP-to-other-precedence mapping table is specified. If the remap mode is adopted, the value of the DSCP-to-DSCP mapping ...

Page 242: ...cedence mapping relationship / qos dscp-dscp-map dscp-list dscp-value; Enter Ethernet port view / interface interface-type interface-number; Set to trust the DSCP precedence of the packets / priority trust dscp [ automap | remap ] / Required. In the default mode, the switch does not replace the precedence carried in the packet with the mapped priority. In the automap mode, the switch replaces the precedence carried i...

Page 243: ...nbound acl-rule target-rate. Display the parameter configurations of traffic policing / display qos-interface { interface-type interface-num | unit-id } traffic-limit / Optional (you can execute the display command in any view); Display all the QoS settings of the port / display qos-interface { interface-type interface-num | unit-id } all. Table 196 The ways of issuing combined ACLs (The way of combination / The form of ac...

Page 244: ...r to T for the introduction to TS. Configuration Prerequisites: Whether the TS is performed on all the traffic on the port or on the specified output queues of the port is determined. The max rate and burst size of the port in the TS are specified. The ports that need this configuration are specified. Configuration Procedure: Display the statistics of TP / display qos-interface { interface-type interface-num | u...

Page 245: ...ate burst-size / Required. The switch supports two forms of TS. TS for all the traffic on the port: the function can be implemented when the queue queue-id keyword is not specified in the traffic-shape command. TS for the specified output queues: the function can be implemented when the queue queue-id keyword is specified in the traffic-shape command. Display the parameter configurations of TS / display qos-in...

Page 246: ...ds this configuration are specified. Configuration Procedure of Traffic Statistics. Table 200 Configuring the SDWRR queue scheduling (Operation / Command / Description): Enter system view / system-view / -; Set the SDWRR queue scheduling algorithm and its parameters / queue-scheduler wrr group1 queue-id queue-weight (1-8) group2 queue-id queue-weight (1-8) / Required; Display the queue scheduling mode and related paramete...

Page 247: ...g QoS operation on the protocol packet. Configuration Prerequisites: The protocol type whose precedence needs modification is specified. The precedence value after modification is specified. Configuration Procedure. Table 202 The ways of issuing combined ACLs (The way of combination / The form of acl-rule): Issue all the rules in an IP ACL separately / ip-group acl-number; Issue a rule in an IP ACL separately / ...

Page 248: ...ocol packet. Table 205 Displaying and maintaining QoS (Operation / Command): Display the parameter configurations of the mirroring group / display mirroring-group { group-id | all | local | remote-destination | remote-source }; Display the precedence of the protocol packet / display protocol-priority; Display the COS-to-Drop precedence mapping relationship / display qos cos-drop-precedence-map; Display the COS-to-DSCP mapping rel...

Page 249: ...ation any. Display the parameter configurations of traffic policing / display qos-interface { interface-type interface-num | unit-id } traffic-limit; Display the parameter configurations of TS / display qos-interface { interface-type interface-num | unit-id } traffic-shape; Display the traffic statistics / display qos-interface { interface-type interface-num | unit-id } traffic-statistic; Display the queue scheduling mode an...

Page 250: ...ffic of the salary query server. a. Limit the average rate of outbound traffic within 640 kbps and set the precedence of packets exceeding the specification to 4: [4200G] interface gigabitEthernet1/0/1 [4200G-GigabitEthernet1/0/1] traffic-limit inbound ip-group 3000 640 exceed remark-dscp 4 ...

Page 251: ...ote port mirroring. It eliminates the limitation that the mirrored port and the mirroring port must be located on the same switch. This feature makes it possible for the mirrored port and the mirroring port to be located across several devices in the network, and makes it easier for the network administrator to manage remote switches. The application of RSPAN is illustrated in Figure 76. Figure 77 RSPAN applic...

Page 252: ...not recommended to perform any of the following operations on the remote probe VLAN: configuring a source port to the remote probe VLAN that is used by the local mirroring group; configuring a Layer 3 interface; running other protocol packets or bearing other service packets; using the remote probe VLAN as a special type of VLAN such as sub-VLAN, voice VLAN, or protocol VLAN. Table 206 Ports involved in the ...

Page 253: ...ption on the ACL module in this manual. The destination port has been defined. The port on which to perform this configuration has been determined. Table 207 Mirroring functions supported by S4200G and related commands (Function / Specifications / Related command / Link): Mirroring / Supports traffic mirroring / monitor-port, mirrored-to / Configuring Traffic Mirroring; Mirroring / Supports port mirroring / mirroring-group mirrori...

Page 254: ...ew of the destination port / interface interface-type interface-number; Define the current port as the destination port / monitor-port / Required; Exit current view / quit; Enter Ethernet port view of traffic mirroring configuration / interface interface-type interface-number; Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match / mirrored-to inbound acl-rule monitor-i...

Page 255: ...t view of the source port / interface interface-type interface-number; Configure the source port and specify the direction of the packets to be mirrored / mirroring-port { inbound | outbound | both } / Required (the source port of mirroring group 1 is configured in this mode); Display parameter settings of the mirroring / display mirroring-group { all | local } / Optional (the display command can be executed in any view). Table...

Page 256: ...g configured, the device mirrors the following packets to the destination port: packets whose source MAC addresses match the specified MAC addresses; packets whose destination MAC addresses match the specified MAC addresses. Configuration prerequisites: The MAC address you enter must be a static MAC address that already exists in the MAC address entries. The destination port is specified. Table 212 Confi...

Page 257: ...ng allows you to mirror packets received by all ports that belong to the VLAN to the destination port. Configuration prerequisites: The ID of the VLAN to be configured with VLAN-based mirroring has been determined. The destination port is specified. Table 213 Configure MAC-based mirroring (Operation / Command / Description): Enter system view / system-view; Define a MAC-based local mirroring group / mirroring-gro...

Page 258: ...tion port and the remote probe VLAN have been determined. The direction of the packets to be monitored has been determined. The intermediate switch and the source switch support the function of disabling MAC learning based on VLAN, which is also enabled for the remote probe VLAN. If you are configuring MAC-based remote mirroring, verify that the MAC address you enter is a static MAC address that already exists in t...

Page 259: ...oup group-id mirroring-mac mac vlan vlan-id / Optional; Configure VLAN-based mirroring / mirroring-group group-id mirroring-vlan vlan-id inbound / Optional; Configure a remote reflector port / mirroring-group group-id reflector-port reflector-port / Required. After a port is configured as a reflector port, the device does not allow you to perform any of the following configurations: configuring broadcast storm s...

Page 260: ...is the ID of the remote probe VLAN. Define the current VLAN as a remote probe VLAN / remote-probe vlan enable / Required; Exit the current view / quit; Enter Ethernet port view of the trunk port / interface interface-type interface-number; Configure the trunk port to permit packets from the remote probe VLAN / port trunk permit vlan remote-probe-vlan-id / Required; Exit current view / quit; Configure the remote destination m...

Page 261: ...vlan10] remote-probe vlan enable [4200G-vlan10] quit [4200G] interface gigabitethernet1/0/1 [4200G-GigabitEthernet1/0/1] port trunk permit vlan 10 [4200G-GigabitEthernet1/0/1] quit [4200G] mirroring-group 1 remote-source [4200G] mirroring-group 1 mirroring-port gigabitethernet1/0/2 outbound [4200G] mirroring-group 1 reflector-port gigabitethernet1/0/5 [4200G] mirroring-group 1 remote-probe vlan 10 [4200G] display mi...

Page 262: ...roring-group 1 monitor-port gigabitethernet1/0/2 [4200G] mirroring-group 1 remote-probe vlan 10 [4200G] display mirroring-group remote-destination: mirroring-group 1: type: remote-destination; status: active; monitor port: GigabitEthernet1/0/2; remote-probe vlan: 10. Displaying and Debugging Mirroring: After the above-mentioned configuration, you can use the display command in any view to view the mirroring runni...

Page 263: [figure residue: multicast packet transmission without IGMP Snooping versus with IGMP Snooping; elements: VOD server, Internet, multicast router, Layer 2 Ethernet switch, multicast group member, non-group members, video stream] ...

Page 264: ...IGMP messages and map the hosts and the ports that connect the hosts to the corresponding multicast group addresses. Figure 80 IGMP Snooping implementation. Table 220 IGMP Snooping timers (Timer / Setting / Message normally received before timeout / Timeout action on the switch): Router port aging timer / Aging time of the router port / IGMP general query message / Consider that this port is not a router port any ...

Page 265: ...cast group: trigger the aging timer of the port and check if the corresponding IP multicast group exists. If yes, add the port to the IP multicast group. If not, create an IP multicast group and add the port to it. If not: create a MAC multicast group and notify the multicast router that a member is ready to join the multicast group; add the port to the MAC multicast group and start the aging timer of the...

Page 266: ...re to enable IGMP Snooping so that it can establish and maintain MAC multicast forwarding tables at Layer 2. CAUTION: Although both Layer 2 and Layer 3 multicast protocols can run on the same switch simultaneously, they cannot run simultaneously on a VLAN and its corresponding VLAN interface. IGMP Snooping functions on a VLAN only when it is first enabled globally in system view and then enabled in th...

Page 267: ...iately removes the port from the multicast group. When a port has only one user, enabling IGMP fast leave processing on the port can save bandwidth. Configuring IGMP Snooping Filtering ACL: You can configure multicast filtering ACLs globally or on the switch ports connected to user ends, so as to use the IGMP Snooping filter function to limit the multicast streams that the users can access. With this fu...

Page 268: ...the multicast VLAN and enabling IGMP Snooping, you can make users in different VLANs share the same multicast VLAN. This saves bandwidth, since multicast streams are transmitted only within the multicast VLAN, and also guarantees security, because the multicast VLAN is isolated from user VLANs. Table 225 Configure IGMP Snooping filtering ACL (Operation / Command / Description): Enter system view / system-view; En...

Page 269: ...igure multicast VLAN on Layer 2 switch (Operation / Command / Description): Enter system view / system-view; Enable IGMP Snooping globally / igmp-snooping enable / Required; Enter VLAN view / vlan vlan-id / vlan-id is a VLAN ID; Enable IGMP Snooping on the VLAN / igmp-snooping enable / Required; Enable multicast VLAN / service-type multicast / Required; Exit the VLAN view / quit; Enter the view of the Ethernet port connected to t...

Page 270: ...e IGMP Snooping on the switch. Network diagram: Figure 81 Network diagram for IGMP Snooping configuration. Configuration procedure: 1. Enable IGMP Snooping in system view: <S4200G> system-view (System View: return to User View with Ctrl+Z) [4200G] igmp-snooping enable. Table 229 Display information about IGMP Snooping (Operation / Command / Description): Display the current IGMP Snooping configuration / display igmp-sno...

Page 271: ...nfigurations (Device / Description): Switch A / Layer 3 switch. The interface IP address of VLAN 20 is 168.10.1.1. The GigabitEthernet1/0/1 port is connected to the workstation and belongs to VLAN 20. VLAN 10 is the multicast VLAN. The GigabitEthernet1/0/10 port is connected to Switch B. Switch B / Layer 2 switch. VLAN 2 contains the GigabitEthernet1/0/1 port and VLAN 3 contains the GigabitEthernet1/0/2 port. The...

Page 272: ...P on VLAN 10: [Switch A] multicast routing-enable [Switch A] interface Vlan-interface 10 [Switch A-Vlan-interface10] pim dm [Switch A-Vlan-interface10] igmp enable. 2. Configure Switch B. a. Enable IGMP Snooping globally: <Switch B> system-view [Switch B] igmp-snooping enable. b. Configure VLAN 10 as a multicast VLAN and enable IGMP Snooping on it: [Switch B] vlan 10 [Switch B-vlan10] service-type multicast [Switch B-vlan1...

Page 273: ...whether it is disabled globally or on the corresponding VLAN. If it is disabled globally, use the igmp-snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN. If it is only disabled on the VLAN, use the igmp-snooping enable command in VLAN view to enable it on the corresponding VLAN. 2. Multicast forwarding table set up by IGMP Snooping is wron...

Page 274: ...260 CHAPTER 29 IGMP SNOOPING CONFIGURATION ...

Page 275: ...packets, it will respond, thus ensuring that the network segment of the interface can normally receive multicast packets. Configuring Routing Port to Join to Multicast Group: By default, a routing port does not join any multicast group. Note that the Ethernet port must belong to the VLAN; otherwise your configuration cannot take effect. Table 231 Configure routing port to join to multicast group (Operation...

Page 276: ...262 CHAPTER 30 ROUTING PORT JOIN TO MULTICAST GROUP CONFIGURATION ...

Page 277: ...t command can only remove manually created multicast MAC address entries and cannot remove those learned by the switch. To add a port to a manually created multicast MAC address entry, first remove the entry, then re-create the entry and specify the port as the forward port of the entry. The system does not support the configuration of a multicast MAC address on an IRF port. If you do this, the system...

Page 278: ...cast MAC Address Configuration: You can use the following display command in any view to display the multicast MAC address entry/entries you configured manually. Table 233 Display the multicast MAC address entry/entries manually configured (Operation / Command / Description): Display the multicast MAC address entry/entries manually configured / display mac-address multicast static mac-address vlan vlan-id / Yo...

Page 279: ...y simplified. When the management device is assigned a public IP address, you can configure and manage a specific member device on the management device instead of logging into it in advance. Functions of topology discovery and display are provided, which assist network monitoring and debugging. Software upgrading and parameter configuring can be performed simultaneously on multiple switches. Free of topology a...

Page 280: ...ibed in the following sections. Cluster Roles: According to their functions and status in a cluster, switches in the cluster play different roles. You can specify the role a switch plays. A switch also changes its role according to specific rules. The following three cluster roles exist: management device, member device, and candidate device. Figure 84 shows the role changing rule. Table 234 Cluster role (Role / Co...

Page 281: ... which indicates the period for the receiving devices to keep the information the packet carries. Receiving devices only store the information carried in the received NDP packets rather than forward them. The corresponding data entry in the NDP table is updated with the information carried in a received NDP packet if the received information differs from the existing one; otherwise only the holdtime ...

Page 282: ...ment device. The management device of a cluster recognizes and controls all the member devices in the cluster, no matter where they are located on the network or how they are connected. The management device collects topology information about all the member and candidate devices to provide useful information for users to establish a cluster. A management device manages and monitors the devices in the...

Page 283: ... the interval to send NDP packets / ndp timer hello seconds / Required. Table 237 Enable NTDP globally and for specific ports (Operation / Command / Description): Enter system view / system-view; Enable NTDP globally / ntdp enable / Required; Enter Ethernet port view / interface interface-type interface-number; Enable NTDP for the Ethernet port / ntdp enable / Required. Table 238 Configure NTDP related parameters (Operation / C...

Page 284: ...evice / build name / Optional (the name argument is the name to be assigned to the cluster); Configure a multicast MAC address for the cluster / cluster-mac H-H-H / Optional (this is to set a multicast MAC address for the cluster); Set the interval for the management device to send multicast packets / cluster-mac syn-interval time-interval / Optional; Configure the holdtime for a switch / holdtime seconds / Optional (the...

Page 285: ...nfigure a TFTP server for the cluster / tftp-server ip-address / Optional; Configure a log host for the cluster / logging-host ip-address / Optional; Configure an SNMP host for the cluster / snmp-host ip-address / Optional. Table 243 Enable NDP globally and for specific ports (Operation / Command / Description): Enter system view / system-view; Enable NDP globally / ndp enable / Required; Enable NDP for specified ports / ndp ena...

Page 286: ...ber member-number / Optional (this is to remove a member device from the cluster); Reboot a specified member device / reboot member { member-number | mac-address H-H-H } [ eraseflash ] / Optional; Quit cluster view / quit; Quit system view / quit; Switch between the management device and a member device / cluster switch-to { member-number | mac-address H-H-H | administrator } / Optional (this is to switch to the member device identifie...

Page 287: ...face IP address is 163.172.55.1. All the devices in the cluster use the same FTP server and TFTP server. The FTP server and TFTP server share one IP address: 63.172.55.1. The SNMP site and log host share one IP address: 69.172.55.4. Display state and statistics information about a cluster / display cluster / Optional (this command can be executed in any view); Display the information about the candidate device...

Page 288: [figure residue: cluster network diagram, repeated: Management Device with VLAN-interface 2 at 163.172.55.1; Member Device with MAC address 00e0-fc01-0011; Member Device with MAC address 00e0-fc01-0012; FTP server / TFTP server 63.172.55.1; SNMP host / log host 69.172.55.4; ports GE1/0/1, GE1/0/2, GE1/0/3, GE1/1] ...

Page 289: ... add-member 1 mac-address 00e0-fc01-0011 [aaa_0.S4200G-cluster] add-member 17 mac-address 00e0-fc01-0012. n. Configure the holdtime of the member device information to be 100 seconds: [aaa_0.S4200G-cluster] holdtime 100. o. Configure the interval to send handshake packets to be 10 seconds: [aaa_0.S4200G-cluster] timer 10. p. Configure the FTP server, TFTP server, log host and SNMP host for the cluster: [aaa_0.S4200...

Page 290: ...h-to { member-number | mac-address H-H-H } command on the management device to switch to member device view to maintain and manage a member device. You can then execute the cluster switch-to administrator command to resume the management device view. You can also reboot a member device by executing the reboot member { member-number | mac-address H-H-H } [ eraseflash ] command on the management device. For detailed i...

Page 291: ...ger and IBM NetView. Agent is the server software operated on network devices. The NMS can send GetRequest, GetNextRequest and SetRequest messages to the Agent. Upon receiving the requests from the NMS, the Agent will perform Read or Write operations according to the message types, and generate and return the Response message to the NMS. The Agent will send Trap messages on its own initiative to the NMS to report the...

Page 292: ...itecture of the MIB tree. The management information base (MIB) is used to describe the hierarchical architecture of the tree, and it is the set defined by the standard variables of the monitored network device. In Figure 86, the managed object B can be uniquely specified by a string of numbers, 1.2.1.1. The number string is the Object Identifier of the managed object. The common MIBs supported by the syst...

Page 293: ...B / Device management / Interface management. Table 248 Common MIBs (Continued) (MIB attribute / MIB content / References). Table 249 Configure SNMP basic functions for SNMP V1 and SNMP V2C (Operation / Command / Description): Enter system view / system-view; Enable SNMP Agent / snmp-agent / Optional (by default, SNMP Agent is disabled; to enable SNMP Agent you can execute this command or those commands used to configure SNMP A...

Page 294: ...vice engine ID is Enterprise Number + device information. Create or update the view information / snmp-agent mib-view { included | excluded } view-name oid-tree / Optional (by default, the view name is ViewDefault and the OID is 1). Table 250 Configure SNMP basic functions (SNMP V3) (Operation / Command / Description): Enter system view / system-view; Enable SNMP Agent / snmp-agent / Required (by default, SNMP Agent is disabled); Set sys...

Page 295: ...n. Table 251 Configure Trap (Operation / Command / Description): Enter system view / system-view; Enable the device to send Trap packets / snmp-agent trap enable [ configuration | flash | standard [ authentication | coldstart | linkdown | linkup | warmstart ] | system ] / Optional (by default, the port is enabled to send Trap packets); Enable the port to send Trap packets: Enter port view / interface interface-type interface-number; Enable t...

Page 296: ...ging function for network management (Operation / Command / Description): Enter system view / system-view; Set the logging function for network management / snmp-agent log { set-operation | get-operation | all } / Optional (by default, the logging function for SNMP is disabled). Table 253 Display SNMP (Operation / Command): Display system information of the current SNMP device / display snmp-agent sys-info [ contact | location | versio...

Page 297: ... is 10.10.10.1. The SNMP community is public. [4200G] snmp-agent trap enable standard authentication [4200G] snmp-agent trap enable standard coldstart [4200G] snmp-agent trap enable standard linkup [4200G] snmp-agent trap enable standard linkdown [4200G] snmp-agent target-host trap address udp-domain 10.10.10.1 udp-port 5000 params securityname public. Configuring NMS: The Ethernet Switch supports 3Com's Quidvi...

Page 298: ...284 CHAPTER 33 SNMP CONFIGURATION ...

Page 299: ...king Mechanism of RMON: RMON allows multiple monitors. It collects data in one of the following two ways. Using the dedicated RMON probe: when an RMON system operates in this way, the NMS directly obtains management information from the RMON probes and controls the network resources; in this case, all information in the RMON MIB can be obtained. Embedding RMON agents into network devices such as routers, sw...

Page 300: ...extended alarm group, the network devices perform the following operations accordingly: sampling the alarm variables referenced in the defined extended alarm expressions once in each specified period; performing operations on the sampled values according to the defined operation formulas; comparing the operation result with the set thresholds and triggering the corresponding events if the former exceeds the l...

Page 301: ...ription-string [ log | trap trap-community | log-trap log-trapcommunity | none ] [ owner text ] / Optional; Add an alarm entry / rmon alarm entry-number alarm-variable sampling-time { delta | absolute } rising-threshold threshold-value1 event-entry1 falling-threshold threshold-value2 event-entry2 [ owner text ] / Optional (before adding an alarm entry, you need to use the rmon event command to define the event referenced by the a...

Page 302: ...etwork diagram: Figure 88 Network diagram for RMON configuration. Configuration procedures: 1. Configure RMON: <S4200G> system-view [4200G] interface GigabitEthernet1/0/1 [4200G-GigabitEthernet1/0/1] rmon statistics 1 owner user1-rmon. Table 255 Display and debug RMON (Operation / Command): Display RMON statistics / display rmon statistics { interface-type interface-number | unit unit-number }; Display RMON history informa...

Page 303: ...thernet1/0/1: ifIndex 4227817; etherStatsOctets 0; etherStatsPkts 0; etherStatsBroadcastPkts 0; etherStatsMulticastPkts 0; etherStatsUndersizePkts 0; etherStatsOversizePkts 0; etherStatsFragments 0; etherStatsJabbers 0; etherStatsCRCAlignErrors 0; etherStatsCollisions 0; etherStatsDropEvents (insufficient resources) 0. Packets received according to length: 64: 0; 65-127: 0; 128-255: 0; 256-511: 0; 512-1023: 0; 1024-1518: 0 ...

Page 304: ...290 CHAPTER 34 RMON CONFIGURATION ...

Page 305: ...ng all the network devices in a network simultaneously requires that they adopt the same time. When multiple systems cooperate to handle a rather complex event, they must adopt the same time to ensure a correct execution order. To perform incremental backup operations between a backup server and a host, you must make sure they adopt the same time. As setting the system time manually in a network with ma...

Page 306: [figure residue: NTP clock synchronization principle, steps 1 to 4 between LS_A and LS_B, repeated: the NTP packet leaves LS_A at 10:00:00 am, arrives at LS_B at 11:00:01 am, leaves LS_B at 11:00:02 am, and is received back at LS_A at 10:00:03 am] ...

Page 307: [figure residue: NTP symmetric peer mode, repeated: the active peer sends a clock synchronization request packet over the network; the passive peer operates in passive peer mode automatically and returns a response packet; the peers synchronize] ...

Page 308: ...n the delay between the client and the server, and work as a client in broadcast mode. [figure residue: NTP broadcast mode. Server: broadcasts clock synchronization packets periodically, works as a server automatically and sends response packets. Client: receives the broadcast packets, sends a request after receiving the first broadcast packet, obtains the response packet and synchronizes its local clock] ...

Page 309: ... multicast client mode. In this case, the S4200G switch receives multicast NTP packets through the VLAN interface configured on it. Table 256 NTP implementation modes on an S4200G series switch (Continued) (NTP implementation mode / Configuration on S4200G switches). Table 257 Configure NTP implementation modes (Operation / Command / Description): Enter system view / system-view; Configure the maximum number of dynami...

Page 310: ...d to be in the NTP broadcast client mode will respond to this packet and start the clock synchronization procedure. NTP multicast server mode: When an S4200G series switch operates in NTP multicast server mode, it multicasts a clock synchronization packet periodically. The devices which are configured to be in the NTP multicast client mode will respond to this packet and start the clock synchronization pr...

Page 311: ...erform authentication when enabling NTP. With authentication performed on both the client side and the server side, the client is synchronized only to the server that passes the authentication. This improves network security. Prerequisites: NTP authentication configuration involves configuring NTP authentication on the client and configuring NTP authentication on the server. Note the following when pe...

Page 312: ...n globally / ntp-service authentication enable / Required (by default, NTP authentication is disabled); Configure the NTP authentication key / ntp-service authentication-keyid key-id authentication-mode md5 value / Required (by default, the NTP authentication key is not configured); Configure the specified key to be a trusted key / ntp-service reliable authentication-keyid key-id / Required (by default, no trusted...

Page 313: ...entication-keyid key-id / Required (by default, an authentication key is not a trusted key); Enter VLAN interface view / interface Vlan-interface vlan-id; Associate a specified key with the corresponding NTP server: Broadcast server mode / ntp-service broadcast-server authentication-keyid key-id (in NTP broadcast server mode and NTP multicast server mode, you need to associate the specified key with the corresp...

Page 314: ...g 2. S4200G-1 is a switch that allows the local clock to be the master clock. A S4200G-1 series switch operates in client mode with S4200G-2 as the time server; S4200G-2 operates in server mode automatically. The 1, 2, 3, etc. designations in the switch names are for explanation purposes only and are not part of the command structure. Disable the interface from receiving NTP packets / ntp-service in-interface ...

Page 315: ... 11 3. After the above configuration, the S4200G-1 switch is synchronized to S4200G-2. Display the NTP status of the S4200G-1 series switch: <S4200G> display ntp-service status: clock status: synchronized; clock stratum: 3; reference clock ID: 1.0.1.11; nominal frequence: 250.0000 Hz; actual frequence: 249.9992 Hz; clock precision: 2^19; clock offset: 0.66 ms; root delay: 27.47 ms; root dispersion: 208.39 ms; peer dispers...

Page 316: ...Network diagram for NTP peer mode configuration. Configuration procedures: 1. Configure the S4200G-1 series switch. a. Set S4200G-2 to be the time server: <S4200G> system-view (System View: return to User View with Ctrl+Z) [S4200G] ntp-service unicast-server 3.0.1.31. 2. Configure S4200G-3 after the S4200G-1 series switch is synchronized to S4200G-2. a. Enter system view: <S4200G> system-view (System View: return to Us...

Page 317: ...e information about the NTP sessions of the S4200G-1 series switch, and you can see that a connection is established between the S4200G-1 series switch and S4200G-3. <S4200G> display ntp-service sessions: (source / reference / stra / reach / poll / now / offset / delay / disper) [2]3.0.1.32 / 0.0.0.0 / 1 / 1 / 64 / 1 / 350.1 / 15.1 / 0.0; note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured. NTP Broadcast Mode Configurat...

Page 318: ...er system view: <S4200G> system-view (System View: return to User View with Ctrl+Z) [S4200G]. b. Enter VLAN interface 2 view: [S4200G] interface vlan-interface 2 [S4200G-Vlan-interface2]. c. Configure S4200G-2 to be a broadcast client: [S4200G-Vlan-interface2] ntp-service broadcast-client. The above configuration configures S4200G-1 to listen to broadcast packets through its VLAN interface 2 and S4200G-3 to send bro...

Page 319: ...rce(peer), 3 selected, 4 candidate, 5 configured. NTP Multicast Mode Configuration. Network requirements: S4200G-3 sets the local clock to be the NTP master clock, with a clock stratum of 2. It advertises multicast packets through VLAN interface 2. Configure S4200G-1 to listen for multicast packets through its VLAN interface 2. This example assumes that S4200G-3 is a switch that supports the local clock being the...

Page 320: ...the former cannot receive multicast packets sent by S4200G 3 while S4200G 1 is synchronized to S4200G 3 after receiving multicast packets sent by S4200G 3 Display the status of S4200G 1 after the synchronization S4200G display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 250 0000 Hz Actual frequency 249 9992 Hz Clock precision 2 19 Cloc...

Page 321: ...nfigure S4200G 1 to be the time server S4200G ntp service unicast server 1 0 1 11 c Enable NTP authentication S4200G ntp service authentication enable d Set the authentication key S4200G ntp service authentication keyid 42 authentication mode md5 aNiceKey e Specify the key to be a trusted key S4200G ntp service reliable authentication keyid 42 S4200G ntp service unicast server 1 0 1 11 authenticat...

Page 322: ...s synchronized clock stratum 3 reference clock ID 1 0 1 11 nominal frequence 250 0000 Hz actual frequence 249 9992 Hz clock precision 2 19 clock offset 0 66 ms root delay 27 47 ms root dispersion 208 39 ms peer dispersion 9 63 ms reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that S4200G 2 is synchronized to S4200G 1 with the clock stratum being 3...

Page 323: ...o multiple SSH clients SSH2 0 and SSH1 x are currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that support SSH server Figure 99 and Figure 100 show respectively SSH connection establishment for client and server SSH connections through LAN Figure 99 Establish SSH channels through LAN SSH connections through WAN 100BASE TX Server PC SSH Cl...

Page 324: ... same session key without data transfer over the network while the key is used at both ends for encryption and decryption 3 Authentication method negotiation stage These operations are completed at this stage The client sends its username information to the server The server authenticates the username information from the client If the user is configured as no authentication on the server authenti...

Page 325: ...es it with its authentication data obtained locally If they match exactly the user is allowed to access the switch 4 Session request stage The client sends session request messages to the server which processes the request messages 5 Interactive session stage Both ends exchange data till the session ends SSH Server Configuration Table 263 describes SSH server configuration tasks Table 263 Configur...

Page 326: ...compatible 512 to 2 048 bit keys are allowed on clients but the length of server keys must be more than 1 024 bits Otherwise clients cannot be authenticated CAUTION For a successful SSH login you must generate a local RSA key pair first You just need to execute the command once with no further action required even after the system is rebooted If you use this command to generate an RSA key provided...

Page 327: ... randomly by the SSH2 0 client software This operation is not required for password authentication type Table 266 Configure authentication type Operation Command Remarks Enter system view system view Configure authentication type for SSH users ssh user username authentication type password password publickey rsa all Required Table 267 Configure server SSH attributes Operation Command Remarks Enter...

Page 328: ...Enable the connection between SSH client and server ssh2 host ipaddr port prefer_kex dh_group1 dh_exchange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required You can use this command to enable the connection between SSH client and server define key exchange algorithm preference encryption algo...

Page 329: ...et the user interfaces to support SSH 4200G ui vty0 4 protocol inbound ssh Configure the login protocol for the client001 user as SSH and authentication type as password 4200G local user client001 4200G luser client001 password simple abc 4200G luser client001 service type ssh 4200G luser client001 quit 4200G ssh user client001 authentication type password Select the default SSH authentication tim...

Page 330: ...A36F1CDDC4BB45504F020125 4200G rsa key code public key code end 4200G rsa public key peer public key end 4200G ssh user client002 assign rsa key S4200G002 Start the SSH client software on the host which stores the RSA private keys and make corresponding configuration to establish an SSH connection SSH Client Configuration Example Network Requirements As shown in Figure 102 Switch A serves as an SS...

Page 331: ...rver s public key Y N y Enter password All rights reserved 1997 2005 Without the owner s prior written consent no decompiling or reverse engineering shall be allowed S4200G Start the client and use the RSA public key authentication according to the encryption algorithm defined 4200G ssh2 10 165 87 136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_ctos_hmac md5 perfer_stoc_hmac md5 username...

Page 332: ...p Table 271 Configure service type for an SSH user Operation Command Remarks Enter system view system view Configure service type for an SSH user ssh user username service type stelnet sftp all Optional By default the SSH service type is stelnet Table 272 Enable the SFTP server Operation Command Remarks Enter system view system view Enable the SFTP server sftp server enable Required By default the...

Page 333: ...pwd Display the list of the files in a directory dir ls Create a new directory mkdir Delete a directory rmdir 4 SFTP file related operations Rename a file on the SFTP server rename SFTP client view Optional Download a file from the remote SFTP server get Upload a local file to the remote SFTP server put Display the list of the files in a directory dir ls Delete a file from the SFTP server delete r...

Page 334: ...ame Change the current directory cd remote path Return to the upper directory cdup Display the current directory pwd Display the list of the files in a directory dir remote path Optional The dir and ls commands have the same function ls remote path Create a directory on the SFTP server mkdir remote path Optional Delete a directory from the SFTP server rmdir remote path Table 278 Operate with SFTP ...

Page 335: ...procedure 1 Configure Switch B SFTP server a Enable the SFTP server 4200G sftp server enable b Specify SFTP service for SSH user abc 4200G ssh user abc service type sftp 2 Configure Switch A SFTP client a Establish a connection to the remote SFTP server and enter SFTP client view 4200G sftp 10 111 27 91 Table 279 Display help information about SFTP client commands Operation Command Remarks Enter s...

Page 336: ...nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 d Change the name of directory new1 to new2 and verify the operation sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 2...

Page 337: ...SFTP Service 323 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp client g Exit from SFTP sftp client quit Bye 4200G ...

Page 338: ...324 CHAPTER 36 SSH TERMINAL SERVICES ...

Page 339: ...e if you delete a file with the main attribute from the Flash the main attribute is not deleted It becomes the attribute of a valid file that is later downloaded to the Flash and has the same name as the previously deleted one The file attributes are compatible with that of the previous versions After the BootROM of a switch is upgraded the previous default app startup file will have the main attribut...

Page 340: ...t a switch prompts for confirmation before executing the commands which have potential risks for example deleting and overwriting files Table 281 Configure file attributes Operation Command Description Configure the app file with the main attribute for the next startup boot boot loader file url Optional Configure the app file with the backup attribute for the next startup boot boot loader backup a...

Page 341: ...tory Directory Operations The file system provides directory related functions such as Creating deleting a directory Displaying the information about the files or the directories in the current work directory or a specified directory Table 282 describes the directory related operations Perform the following configuration in user view In the output information of the dir all command deleted files t...

Page 342: ...les in the Flash are not compatible with the system software This may occur after you upgrade the system software of the switch The configuration files are corrupted This is usually because a wrong configuration file is loaded Table 283 File operations Operation Command Description Delete a file delete unreserved file url delete running files standby files unreserved Optional A deleted file can be...

Page 343: ...t configuration is saved in the default configuration file To make a switch to adopt the current configuration when it starts the next time save the current configuration using the save command before restarting the switch Storage Device Operations With the file system you can format a storage device Note that the format operation leads to the loss of all files on the storage device and is irretri...

Page 344: ...updt_backup cfg Y N y Copy file unit1 flash updt cfg to unit1 flash test updt_backup cfg Done 4200G dir Directory of unit1 flash 1 b rw 4560196 Apr 16 2000 23 18 23 s3t03_01_00s168c03 app 2 rwh 4 Apr 01 2000 23 55 50 snmpboots 3 rw 5074 Apr 01 2000 23 57 27 updtcfg old 4 rw 4560582 Apr 02 2000 00 33 41 s3t03_01_00s168c04 app 5 rwh 151 Apr 02 2000 00 42 45 private data txt 6 rw 4559103 Apr 02 2000 ...

Page 345: ...ch sent out and received the packet loss ratio the round trip time in its minimum value mean value and maximum value Test Periodically if the IP Address is Reachable You can use the end station polling ip address command in System View to configure the IP address requiring periodical testing Perform the following configuration in System View Table 287 Test Periodically if the IP address is Reachab...

Page 346: ... and the first hop sends back an ICMP error message indicating that the packet cannot be sent for the TTL is timeout Re send the packet with TTL value as 2 and the second hop returns the TTL timeout message The process is carried over and over until the packet reaches the destination The purpose to carry out the process is to record the source address of each ICMP TTL timeout message so as to prov...

Page 347: ... ftp X X X X command on your PC X X X X is the IP address of an FTP server FTP Server A switch can also operate as an FTP server to provide file transmission services for FTP clients You can log into a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server In this case the FTP server must be configured with an IP address Figure 105 Network d...

Page 348: ... given time when the latter operates as an FTP server Table 289 Configurations needed when a switch operates as an FTP server Device Configuration Default Description Switch Enable the FTP server function The FTP function is disabled by default You can run the display ftp server command to view the FTP server configuration on the switch Perform the authentication and authorization configurations C...

Page 349: ...ch can operate as an FTP client without any configuration You can perform FTP related operations such as creating removing a directory by executing FTP client commands on a switch operating as an FTP client Table 292 lists the operations that can be performed on an FTP client Table 291 Display and debug an FTP server Operation Command Display the information about an FTP server display ftp server ...

Page 350: ...fied remote file ls remotefile localfile Optional Download a remote file get remotefile localfile Optional Upload a local file to the remote FTP server put localfile remotefile Optional Rename a file on a remote host rename remote source remote dest Optional Switch to another FTP user user username password Optional Connect to a remote FTP server open ip address server name port Optional Terminate...

Page 351: ...h is insufficient to hold the file to be downloaded you need to delete useless files in the flash to make room for the file 1 Connect to the FTP server using the ftp command You need to provide the IP address of the FTP server the user name and the password as well S4200G ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User non...

Page 352: ...h to backup the configuration file Network diagram Figure 107 Network diagram for FTP configuration B Configuration procedure 1 Configure the switch a Log into the switch You can log into a switch through the Console port or by Telneting to the switch See Chapter 2 for detailed information S4200G b Start the FTP service on the switch and create a user account and a password S4200G system view Syst...

Page 353: ...ts as described in the following To download a file a client sends read request packets to the TFTP server receives data from the TFTP server and then sends acknowledgement packets to the TFTP server To upload a file a client sends writing request packets to the TFTP server sends data to the TFTP server and then receives acknowledgement packets from the TFTP server TFTP based file transmission can...

Page 354: ...o backup the configuration file Table 293 Configurations needed when a switch operates as a TFTP client Device Configuration Default Description Switch Configure an IP address for the VLAN interface of the switch so that it is reachable for TFTP server TFTP applies to networks where client server interactions are comparatively simple It requires the routes between TFTP clients TFTP servers are rea...

Page 355: ...ddress of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 4200G interface vlan 1 4200G vlan interface1 ip address 1 1 1 1 255 255 255 0 4200G vlan interface1 quit d Download the application named switch bin from the TFTP server to the switch S4200G tftp 1 1 ...

Page 356: ...342 CHAPTER 38 FTP AND TFTP CONFIGURATION ...

Page 357: ...item 1 Priority The calculation formula for priority is priority facility 8 severity 1 For VRP the default facility value is 23 and severity ranges from one to eight See Table 296 for description of severity levels Note that no character is permitted between the priority and time stamp The priority takes effect only when the information is sent to the log host 2 Time stamp The data type of the tim...

Page 358: ...formation will be output See Table 296 for description of severities and corresponding levels Note that a slash separates the level and digest 6 Digest It is a phrase within 32 characters abstracting the information contents A colon separates the digest and information contents Table 295 Examples of some module names Module name Module and description 8021X 802 1x ACL Access control list ARP Addre...

Page 359: ...output Enabling Synchronous Terminal Output To avoid user s input from being interrupted by system information output you can enable the synchronous terminal output function which echoes user s input after each system output This makes users work with ease for they no longer worry about losing uncompleted inputs Running the info center synchronous command during debug information collection may re...

Page 360: ...nter system view system view Enable the information center info center enable Optional By default the information center is enabled Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Table 300 Enable information output to the console Operation Command Description Enter system view system view Enab...

Page 361: ...debug terminal display terminal debugging Optional By default debug terminal display is disabled for terminal users Enable log terminal display terminal logging Optional By default log terminal display is enabled for console users Enable trap terminal display terminal trapping Optional By default trap terminal display is enabled for terminal users Table 301 Enable debug log trap terminal display O...

Page 362: ...le trapping terminal display terminal trapping Optional By default trapping terminal display is enabled for terminal users Table 304 Enable information output to the log buffer Operation Command Description Enter system view system view Enable the information center info center enable Optional By default the information center is enabled Enable information output to the log buffer info center logb...

Page 363: ...urce modu name default channel channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optional This is to set the time stamp format for log debug trap information output This determines how the time stamp is presented to users Table 305 Enable information output to the trap buffer Operation...

Page 364: ...ion output from the ARP and IP modules 4200G info center console channel console 4200G info center source arp channel console log level informational 4200G info center source ip channel console log level informational 3 Enable terminal display S4200G terminal monitor Table 307 Display and debug information center Operation Command Display the settings of one or all information channels display cha...

Page 365: ...Information Center Configuration Example 351 S4200G terminal logging ...

Page 366: ...352 CHAPTER 39 INFORMATION CENTER ...

Page 367: ...u can load software remotely by using FTP TFTP The BootROM software version should be compatible with the host software version when you load the BootROM and host software Local Software Loading If your terminal is directly connected to the switch you can load the BootROM and host software locally Before loading the software make sure that your terminal is correctly connected to the switch to insu...

Page 368: ...rtup mode 0 Reboot Enter your choice 0 9 Loading Software Using XMODEM Through Console Port Introduction to XMODEM XMODEM is a file transfer protocol that is widely used due to its simplicity and good performance XMODEM transfers files using Console port It supports two types of data packets 128 bytes and 1 KB two check methods checksum and CRC and multiple attempts of error packet retransmission ...

Page 369: ...38400 4 57600 5 115200 0 Return Enter your choice 0 5 3 Choose an appropriate download baud rate For example if you enter 5 the baud rate 115200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready Now press Enter If you have chosen 9600 bps as the do...

Page 370: ...ADING Figure 111 Properties dialog box Figure 112 Console port configuration dialog box 5 Click the Disconnect button to disconnect the HyperTerminal from the switch and then click the Connect button to reconnect the HyperTerminal to the switch ...

Page 371: ...m The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC 7 Choose Transfer Send File in the HyperTerminal s window and in the following pop up dialog box click Browse select the software you need to download and set the protocol to XMODEM Figure 114 Send file dialog box 8 Click Send The system displays t...

Page 372: ...o 9600 bps refer to step 4 and step 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done Loading host software Follow these steps to load the host software 1 Select 1 in Boot Menu The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0...

Page 373: ...witch Then enter the Boot Menu At the prompt Enter your choice 0 9 in the Boot Menu press 6 or Ctrl U and then press Enter to enter the BootROM update menu shown below Bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 4 Enter 1 in the above menu to download the BootROM software using TFTP Th...

Page 374: ...d download software to the switch through an Ethernet port The following is an example Loading BootROM software Figure 117 Local loading using FTP 1 As shown in Figure 117 connect the switch through an Ethernet port to the FTP server and connect the switch through the Console port to the configuration PC You can use one computer as both configuration device and FTP server 2 Run the FTP server prog...

Page 375: ... Menu The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 2 Enter 2 in the above menu to download the host software using FTP The subsequent steps are the same as those for loading the BootROM program except that the system gives the prompt for host software loading ...

Page 376: ...will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 3 Update the host program on the switch S4200G boot boot loader S4200G bin The specified file will be booted next time on unit 1 S4200G display boot loader Unit 1 The current boot app is S4200G bin The main boot app is S4200G bin The backup boot app is Restart the switch S4200G reboot Before r...

Page 377: ...h the reboot command If the space of the Flash memory is not enough you can delete the useless files in the Flash memory before software downloading No power down is permitted during software loading Remote Loading Using TFTP The remote loading using TFTP is similar to that using FTP The only difference is that TFTP is used instead of FTP to load software to the switch and the switch can only act...

Page 378: ...364 CHAPTER 40 BOOTROM AND HOST SOFTWARE LOADING ...

Page 379: ...when the system is booted or power is cycled In environments that require exact absolute time NTP network time protocol must be used to obtain and set the current date and time of the Switch Setting the Date and Time of the System Perform the following configuration in user view Setting the Local Time Zone This configuration task is to set the name of the local time zone and the difference between...

Page 380: ... system view Returning from Current View to User View Perform the following operation in any view Table 310 Set the local time zone Operation Command Description Set the local time zone clock timezone zone name add minus HH MM SS Optional By default it is the UTC time zone Table 311 Set the summer time Operation Command Description Set the name and time range of the summer time clock summer time z...

Page 381: ...e a great help for you to diagnose and troubleshoot your switch system The output of debugging information is controlled by two kinds of switches Protocol debugging which controls whether the debugging information of a protocol is output Terminal display which controls whether the debugging information is output to a user screen Table 315 Enter system view from user view Operation Command Descript...

Page 382: ...tput of debugging information will affect the efficiency of the system disable your debugging after you finish it Enable terminal display for debugging terminal debugging By default terminal display for debugging is disabled 1 2 3 Protocol debugging switches ON ON OFF ON OFF 1 3 1 3 Terminal display switches 1 3 Debugging information 1 2 3 Protocol debugging switches ON ON OFF ON OFF 1 3 1 3 Termi...

Page 383: ...e current operating information about the modules settled when this command is designed in the system for troubleshooting your system Perform the following operation in any view Table 319 Display the current operation information about the modules in the system Operation Command Description Display the current operation information about the modules in the system display diagnostic information You...

Page 384: ...370 CHAPTER 41 Basic System Configuration and Debugging ...

Page 385: ... to 675 seconds The sizes of receiving and sending buffers of connection oriented sockets which range from 1 KB to 32 KB and default to 8 KB Configuring TCP Attributes Displaying and Debugging IP Performance After the above IP performance configuration you can execute the display commands in any view to display the system operating status and thus verify the IP performance configuration Table 320 ...

Page 386: ...command to enable UDP debugging to track UDP data packets Table 321 Display and debug the IP performance Operation Command Description Display the TCP connection status display tcp status You can execute the display commands in any view Display the TCP traffic statistics display tcp statistics Display the UDP traffic statistics display udp statistics Display the IP traffic statistics display ip st...

Page 387: ...tracert command is as follows First the source host sends a data packet with the TTL of 1 and the first hop device returns an ICMP error message indicating that it cannot forward this packet because of TTL timeout Then the source host resends the packet with the TTL of 2 and the second hop device also returns an ICMP TTL timeout message This procedure goes on and on until the packet gets to the de...

Page 388: ...374 CHAPTER 43 NETWORK CONNECTIVITY TEST ...

Page 389: ...ere is any configuration change If there is it prompts you to indicate whether or not to proceed This prevents you from losing your original configuration after a system reboot because you forgot to save it Schedule a Reboot on the Switch After you schedule a reboot on the switch the switch will reboot at the specified time There is at most one minute defer for scheduled reboot that is the switch will reboot with...

Page 390: ...o remotely update the switch software by using the device management commands through CLI The switch acts as the FTP client and the remote PC serves as both the configuration PC and the FTP server Table 326 Specify the APP to be adopted at reboot Operation Command Description Specify the APP to be adopted at reboot boot boot loader backup attribute file url device name Table 327 Update the BootROM...

Page 391: ...d as switch and hello respectively being authorized with the read write right of the Switch directory on the PC The detailed configuration is omitted here 2 Configure the switch as follows a On the switch configure a level 3 telnet user with the username and password as user and hello respectively Authentication by user name and password is required for the user b Execute the telnet command on the...

Page 392: ...S4200G g Update the BootROM S4200G boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded h Specify the downloaded application as the one to be adopted when the switch starts next time Then restart the switch to update the switch application S4200G boot boot loader switch bin The specified file will be booted next time o...

Page 393: ...ding software of the member devices in a cluster through Web Member device configuration backup restoration through Web These functions enrich the Ethernet switch cluster management technology and significantly relieve network administration workload They also provide common users with a simple and intuitive way for managing switch clusters Notes You need to enable the cluster function before conf...

Page 394: ...P configurations are performed on the related cluster devices The cluster is created and enabled That is you can manage cluster members through the master device Configuration procedure Table 329 Configure a TFTP server and SNMP host for a cluster Operation Command Description Enter system view system view Enter cluster view cluster Configure a TFTP Server for cluster tftp server ip address Requir...

Page 395: ...ion procedure Enable NDP and NTDP S4200G system view System View return to User View with Ctrl Z S4200G ndp enable Create a cluster S4200G cluster S4200G cluster ip pool 168 192 0 1 24 S4200G cluster build chwn chwn_0 S4200G cluster Configure a TFTP server and an SNMP host for the cluster chwn_0 S4200G cluster tftp server 1 1 1 66 chwn_0 S4200G cluster snmp host 1 1 1 66 Member devices join the cl...

Page 396: ... 192 0 0 0 0 0 255 rule 1 permit ip destination 168 192 0 0 0 0 0 255 vlan 1 cluster ip pool 168 192 0 1 255 255 255 0 build chwn tftp server 1 1 1 66 snmp host 1 1 1 66 snmp agent snmp agent local engineid 800007DB000FE22405626877 snmp agent sys info version all snmp agent target host trap address udp domain 1 1 1 66 params securityname cluster undo snmp agent trap enable standard user interface...

Page 397: ...Display the current configuration on the master switch chwn_0 S4200G cluster display current configuration sysname S4200G radius scheme system domain system acl number 3998 rule 0 deny ip destination 168 192 0 0 0 0 0 255 rule 1 permit ip source 168 192 0 0 0 0 0 255 acl number 3999 rule 0 deny ip source 168 192 0 0 0 0 0 255 rule 1 permit ip destination 168 192 0 0 0 0 0 255 vlan 1 cluster ip poo...

Page 398: ... prompt Control the member device remotely through the remote control function of the management device if a member device fails due to incorrect configuration For example you can delete the boot file and restart the member device to bring the management device and the member device back to normal communication Manage blacklists Locate a device through the MAC address or the IP address Configure t...

Page 399: ...is kind of nodes is newly added nodes which are not confirmed by the network administrator White list and black list are saved in the flash of the management device They still exist after the management device is powered off You need to resume the white list and the black list manually When you restart the management device or rebuild the cluster the white list and the blacklist can be resumed fro...

Page 400: ...he standard topology information into the local flash topology save to local flash Optional Obtain and restore the standard topology information from the local flash topology restore from local flash Optional If the saved standard topology is incorrect the management device cannot accept it so you must ensure that the saved topology is correct Table 332 Configure topology management Continued Oper...

Page 401: ...from the white list Configuration example Configure a web user chwn_0 S4200G cluster cluster loca www password simple 12345678 Member 1 succeeded in the web user configuration Member 2 succeeded in the web user configuration Finish to synchronize the command Display the current configuration on the master switch Configuration resulted from the command is reserved below chwn_0 S4200G cluster displ...

Page 402: ... fail to pass the topology authentication Thereafter each time a device attempts to join a cluster the master device automatically initiates topological authentication based on the reference topology file If the device is in the black list the master device denies the device If the device is in the white list the master device adds the device to the cluster and automatically delivers the private c...

Page 403: ...r id to black list Optional Add the device with the specified MAC address to the black list black list add mac mac address Optional Remove the device with the specified MAC address from the black list black list delete mac mac address all Optional Table 336 Display and debug a cluster Operation Command Display cluster members display cluster members member num verbose Display the MAC addresses nam...

Page 404: ...on the Flash of a member device. Log into the Web page of the master switch and upgrade software. Log in to the Web page of the master switch and restore the configuration. Remove the member device numbered 3 from the cluster and add it to the black list. Network diagram: Figure 122 Network diagram for HGMP cluster management (Switch A, Management Device; SNMP host 10.1.1.16; Cluster; TFTP server 10.1.1.15) ...

Page 405: ...luster: tftp-server 10.1.1.15; S4200G cluster: snmp-host 10.1.1.16; S4200G cluster: topology accept all save-to local-flash. Remove the member device numbered 3 from the cluster and add it to the black list: S4200G cluster: delete-member 3 to-black-list. Log into the Web page of the master switch for querying files, upgrading software and restoring the configuration. For details, see Batch Upgrade of COMWARE ...

Page 407: ... in the local network, it processes the configuration request packet directly without the help of a DHCP relay. If no DHCP server exists in the local network, the network device serving as a DHCP relay on this network appropriately processes the configuration request packet and forwards it to a specified DHCP server located on another network. When the DHCP server receives the packet, it generates conf...

Page 408: ...includes at least one sub-option and at most 255 sub-options. Currently, the commonly used sub-options in option 82 are sub-option 1, sub-option 2 and sub-option 5. Sub-option 1: a sub-option of option 82. Sub-option 1 represents the agent circuit ID, namely Circuit ID. It holds the VLAN ID and MAC address of the switch port connected to the DHCP client and is usually configured on the DHCP relay. Generall...

Page 409: ...EQUEST packets. As DHCP servers coming from different manufacturers process DHCP request packets in different ways (that is, some DHCP servers process option 82 in DHCP-DISCOVER packets, whereas the rest process option 82 in DHCP-REQUEST packets), a DHCP relay adds option 82 to both types of packets to accommodate DHCP servers of different manufacturers. DHCP Relay Configuration: If a switch belongs to...

Page 410: ...n DHCP relay is to prevent unauthorized users from statically configuring IP addresses to access external networks. With this function enabled, a DHCP relay inhibits a user from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries, including the entries dynamically tracked by the DHCP relay and the manually configured st...

Page 411: ...ins the corresponding user address entry unchanged. Option 82 Supporting Configuration. Prerequisites: Before configuring option 82 supporting on a DHCP relay, make sure that the DHCP relay is configured and operates properly; the DHCP server operates properly; address allocation policy related configurations, such as address pools and the lease time, are performed; the routes between the DHCP relay and th...

Page 412: ...P address of the DHCP server by configuring the IP address of the DHCP server to be used by DHCP server group 1: 4200G: dhcp-server 1 ip-address 202.38.1.2. 5. Map VLAN 100 interface to DHCP server group 1: 4200G Vlan-interface100: dhcp-server 1; 4200G vlan-interface100: quit. 6. Return to system view: 4200G vlan-interface 100: quit. 7. Enable option 82 supporting on the DHCP relay with the keep keyword specifie...

Page 413: ...p-server 1 ip 202.38.1.2. 4. Map VLAN 2 interface to DHCP server group 1: 4200G: interface vlan-interface 2; 4200G Vlan-interface2: dhcp-server 1. 5. Configure an IP address for VLAN 2 interface so that this interface is on the same network segment with the DHCP clients: 4200G Vlan-interface2: ip address 10.110.1.1 255.255.0.0. Table 343 Display DHCP relay information. Operation / Command: Display information ab...

Page 414: ...uration. When a DHCP relay operates improperly, you can locate the problem by enabling debugging and checking the information about debugging and interface state. You can display the information by executing the corresponding display command. Solution: Check if an address pool that is on the same network segment with the DHCP clients is configured on the DHCP server. Check if a reachable route is config...

Page 415: ... to this destination are dropped without notifying the source host. The attributes reject and blackhole are usually used to control the range of reachable destinations of this router and help troubleshoot the network. Default Route: A default route is a static route too. A default route is a route used only when no suitable routing table entry is matched; when no proper route is found, the defaul...

Page 416: ... the next hop address of the route is specified can the link layer find the corresponding link layer address and then forward the packet according to this address. You cannot specify an interface address of the local switch as the next hop address of a static route. The packets sent to the NULL interface (a kind of virtual interface) will be discarded at once; this can decrease the system load. Preference ...

Page 417: ...e ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-type interface-number | next-hop } [ preference value ] [ reject | blackhole ]. Delete a default route: undo ip route-static 0.0.0.0 { 0.0.0.0 | 0 } { interface-type interface-number | next-hop } [ preference value ] [ reject | blackhole ]. Table 346 Deleting all static routes. Operation / Command: Delete all static routes: delete static-routes all. Table 347 Displaying and debugging the routing ...

Page 418: ...1.1.3.2. 4. Configure the default gateway of Host A to be 1.1.5.1. 5. Configure the default gateway of Host B to be 1.1.4.1. 6. Configure the default gateway of Host C to be 1.1.1.1. By then, all the hosts or Ethernet switches in the figure can be interconnected in pairs. Static Route Fault Diagnosis and Troubleshooting. Fault: the S4200G Series Ethernet Switch is not configured with the dynamic ...

Page 419: ...DP Helper function is enabled, you can configure the UDP ports where the UDP function is required, and the relay function is enabled at UDP ports 69, 53, 37, 137, 138 and 49. When the function is disabled, the relay function configured at all UDP ports, including the default six ports, shall be disabled. Perform the following configuration in system view. By default, the UDP Helper function is disabled. Configuring UDP Por...

Page 420: ...erver command without any parameter deletes all destination servers configured on the interface. By default, no relay destination server for UDP broadcast packets is configured. Displaying and Debugging UDP Helper Configuration: After the above configuration, execute the display command in any view to display the running of the UDP Helper destination server and to verify the effect of the configuration. Execute...

Page 421: ...nation server 202.38.1.2. Networking diagram: Figure 127 Networking for UDP Helper configuration. Configuration procedure: 1. Enable the UDP Helper function: 4200G: udp-helper enable. 2. Set to relay-forward the broadcast packets with destination UDP port 55: 4200G: udp-helper port 55. 3. Set the IP address of the destination server corresponding to VLAN interface 2 as 202.38.1.2: 4200G: interface vlan 2; 4200G Vlan ...
