
Configuring the SSH Client

399

Likewise, to save the private key, click Save private key. If the Key passphrase field was left empty, PuTTYgen warns that you are about to save the key without a passphrase to protect it. Click Yes and enter a file name for the private key ("private" in this case) to save it. Be aware of what that warning means: an unencrypted private key file is a ready-to-use credential, and anyone who can read the file can log in to the switch as the user the key is bound to, so either set a passphrase before saving or keep the file where only the administrator's own account can read it.

Figure 123   Generate the client keys (4)

To convert the public key into the PKCS format that the switch expects, run SSHKEY.exe, click Browse, select the public key file you saved from PuTTYgen, and then click Convert.

Figure 124   Generate the client keys (5)
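The conversion that SSHKEY.exe performs can be reproduced, and checked, without the Windows tool. The following Python script is an added example for this page; it is not part of the 3Com guide, of PuTTY, or of SSHKEY.exe. It assumes that the "PKCS format" the switch accepts is the DER-encoded SubjectPublicKeyInfo structure (the PKCS #1 RSAPublicKey wrapped in the rsaEncryption AlgorithmIdentifier) written out as upper-case hexadecimal; the exact layout SSHKEY.exe emits is not shown on this page, so compare its output with the script's before relying on either. The sample key is constructed (its modulus is not a real RSA modulus) and every function name is the example's own. The script accepts both the one-line "ssh-rsa AAAA..." text PuTTYgen shows for pasting and the RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" file it writes on Save public key, which is the file you would select with Browse.

```python
import base64

# Constructed sample key for this demo (assumption: NOT a real key; the modulus is the hex digits of e).
SAMPLE_E = 65537
SAMPLE_N = 0xB7E151628AED2A6ABF7158809CF4F3C762E7160F38B4DA56A784D9045190CFEF

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALG_ID = bytes.fromhex("300D06092A864886F70D0101010500")

def _be_positive(value: int) -> bytes:  # minimal big-endian; a 0x00 pad keeps a high-bit value positive
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")  # same rule for mpint and DER INTEGER
    return (b"\x00" if raw[0] & 0x80 else b"") + raw

def _ssh_string(data: bytes) -> bytes:  # RFC 4251 string: 4-byte big-endian length + bytes
    return len(data).to_bytes(4, "big") + data

def _read_ssh_string(blob: bytes, pos: int):  # -> (bytes, position after the string)
    length = int.from_bytes(blob[pos:pos + 4], "big")
    if len(blob[pos:pos + 4]) != 4 or pos + 4 + length > len(blob):
        raise ValueError("truncated SSH string")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def build_ssh_rsa_line(e: int, n: int, comment: str = "rsa-key") -> str:
    # The one-line "ssh-rsa AAAA... comment" text PuTTYgen shows for pasting into OpenSSH.
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_be_positive(e)) + _ssh_string(_be_positive(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def sample_putty_public_key_file() -> str:
    # Constructed stand-in for the RFC 4716 file that PuTTYgen's "Save public key" writes.
    b64 = build_ssh_rsa_line(SAMPLE_E, SAMPLE_N).split()[1]
    return ('---- BEGIN SSH2 PUBLIC KEY ----\nComment: "rsa-key-sample"\n'
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n---- END SSH2 PUBLIC KEY ----\n")

def extract_blob_b64(text: str) -> str:
    # Accepts the one-line form or the RFC 4716 file (header continuation lines are not handled).
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) == 1 and lines[0].startswith("ssh-rsa "):
        return lines[0].split()[1]
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("unrecognised public key format")
    return "".join(ln for ln in lines[1:] if ":" not in ln and not ln.startswith("----"))

def parse_ssh_rsa(text: str):
    # Return (e, n) from an ssh-rsa public key; reject other key types and trailing data.
    blob = base64.b64decode(extract_blob_b64(text), validate=True)
    key_type, pos = _read_ssh_string(blob, 0)
    e_raw, pos = _read_ssh_string(blob, pos)
    n_raw, pos = _read_ssh_string(blob, pos)
    e, n = (int.from_bytes(raw, "big", signed=True) for raw in (e_raw, n_raw))
    if key_type != b"ssh-rsa" or pos != len(blob) or e <= 0 or n <= 0:
        raise ValueError("not a well-formed ssh-rsa public key")
    return e, n

def _der_tlv(tag: int, body: bytes) -> bytes:  # DER TLV; long-form length once body >= 128 bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rsa_to_pkcs_der(e: int, n: int) -> bytes:  # SubjectPublicKeyInfo{rsaEncryption, BIT STRING{RSAPublicKey{n, e}}}
    rsa_public_key = _der_tlv(0x30, _der_tlv(0x02, _be_positive(n)) + _der_tlv(0x02, _be_positive(e)))
    return _der_tlv(0x30, RSA_ALG_ID + _der_tlv(0x03, b"\x00" + rsa_public_key))

def _der_read(buf: bytes, pos: int):  # -> (tag, body, position just after the element)
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_spki_rsa(der: bytes):
    # Strict decode back to (e, n): the self-check before the hex is typed into the switch.
    tag, spki, end = _der_read(der, 0)
    tag_a, alg, pos = _der_read(spki, 0)
    tag_b, bits, end_b = _der_read(spki, pos)
    tag_r, rsa, end_r = _der_read(bits, 1)
    tag_n, n_raw, pos_n = _der_read(rsa, 0)
    tag_e, e_raw, end_e = _der_read(rsa, pos_n)
    ok = (tag, tag_a, tag_b, tag_r, tag_n, tag_e) == (0x30, 0x30, 0x03, 0x30, 0x02, 0x02)
    ok = ok and end == len(der) and end_b == len(spki) and end_r == len(bits) and end_e == len(rsa)
    if not (ok and _der_tlv(0x30, alg) == RSA_ALG_ID and bits[:1] == b"\x00"):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")

def convert_public_key(text: str) -> str:  # PuTTYgen public key (file or one-liner) -> hex DER for the switch
    e, n = parse_ssh_rsa(text)
    der = rsa_to_pkcs_der(e, n)
    if parse_spki_rsa(der) != (e, n):
        raise RuntimeError("DER round-trip mismatch")
    return der.hex().upper()

if __name__ == "__main__":
    print(convert_public_key(sample_putty_public_key_file()))
```

Running the script prints the hex string for the constructed sample key. The round trip in convert_public_key decodes the DER again and refuses to emit anything that does not parse back to the same (e, n); without such a check, a mis-pasted or wrong-type key usually surfaces only as a failed login on the switch. Importing the converted key on the switch side is not part of this page.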

Specify the IP address of the Server

Launch PuTTY.exe. The following window appears.

Source: Switch 4210 Family Configuration Guide (Switch 4210 PWR 9-port, 18-port and 26-port; Switch 4210 9-port, 18-port and 26-port), www.3com.com, Part Number 10016117 Rev AA.


Page 162: ...ism the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree which limits the size of the s...

Page 163: ...ew 4210 stp bridge diameter 6 Configuring the MSTP Time related Parameters Three MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to contr...

Page 164: ...guration of the three time related parameters that is the hello time forward delay and max age parameters the following formulas must be met to prevent frequent network jitter 2 x forward delay 1 seco...

Page 165: ...et port view As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each hello time set it to a proper value to Table 112 Configure the timeout tim...

Page 166: ...in one of the following two ways Configure a port as an edge port in system view Configure a port as an edge port in Ethernet port view On a switch with BPDU guard disabled an edge port becomes a non...

Page 167: ...onfigure the link connected to a port in an aggregation group as a point to point link the configuration will be synchronized to the rest ports in the same aggregation group If an auto negotiating por...

Page 168: ...procedure Table 119 Enable MSTP in system view Operation Command Description Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on specified ports s...

Page 169: ...able MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Table 120 Enable MSTP in Ethernet port view Operatio...

Page 170: ...ting Speed on the Current Port on page 163 Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port on page 164 Configuring the Path Cost for a Port The path cost param...

Page 171: ...the standard for calculating the default path costs of the links connected to the ports of the switch stp pathcost standard dot1d 1998 dot1t legacy Optional By default the legacy standard is used to...

Page 172: ...0000000 With the proprietary standard adopted the path cost ranges from 1 to 200000 Configuration example A Configure the path cost of Ethernet 1 0 1 in spanning tree instance 1 to be 2 000 1 Perform...

Page 173: ...h can have different port priorities and play different roles in different spanning tree instances This enables packets of different VLANs to be forwarded along different physical paths so that VLAN b...

Page 174: ...166 Performing mCheck Operation Ports on an MSTP enabled switch can operate in three modes STP compatible RSTP compatible and MSTP A port on an MSTP enabled switch operating as an upstream switch tra...

Page 175: ...me non edge ports automatically upon receiving configuration BPDUs which causes spanning tree recalculation and network topology jitter Normally no configuration BPDU will reach edge ports But malicio...

Page 176: ...ops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become designa...

Page 177: ...thernet1 0 1 root protection 2 Perform this configuration in Ethernet port view Table 130 Configure BPDU guard Operation Command Description Enter system view system view Enable the BPDU guard functio...

Page 178: ...switch to remove the MAC address table within 10 seconds to 5 4210 system view 4210 stp tc protection threshold 5 Table 133 Configure loop guard Operation Command Description Enter system view system...

Page 179: ...nufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manufacturer s switch and put them in the BPDUs to be sent to the other manufa...

Page 180: ...in the same MST region When the digest snooping feature is enabled globally the VLAN to MSTI mapping table cannot be modified The digest snooping feature is not applicable to boundary ports in an MST...

Page 181: ...om the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding st...

Page 182: ...latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transiti...

Page 183: ...f all instances 4210 system view 4210 stp portlog all Enabling Trap Messages Conforming to 802 1d Standard A switch sends trap messages conforming to 802 1d standard to the network management device i...

Page 184: ...respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN...

Page 185: ...T region 4210 mst region region name example 4210 mst region instance 1 vlan 10 4210 mst region instance 3 vlan 30 4210 mst region instance 4 vlan 40 4210 mst region revision level 0 Activate the sett...

Page 186: ...ce 4 vlan 40 4210 mst region revision level 0 Activate the settings of the MST region manually 4210 mst region active region configuration Specify Switch C as the root bridge of spanning tree instance...

Page 187: ...teraction processes in unicast broadcast and multicast Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this...

Page 188: ...e from the information transmission process the security and legal use of paid service cannot be guaranteed In addition when only a small number of users on the same network need the information the u...

Page 189: ...d E The advantages of multicast over unicast are as follows No matter how many receivers exist there is only one copy of the same multicast data flow on each link With the multicast mode used to trans...

Page 190: ...raffic Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of point to multipoint data transm...

Page 191: ...t data from only certain multicast sources The SSM model provides a transmission service that allows users to specify the multicast sources they are interested in at the client side The radical differ...

Page 192: ...hority IANA categorizes IP addresses into five classes A B C D and E Unicast packets use IP addresses of Class A B and C based on network scales Class D IP addresses are used as destination addresses...

Page 193: ...otocols 224 0 1 0 to 231 255 255 255 233 0 0 0 to 238 255 255 255 Available any source multicast ASM multicast addresses IP addresses for temporary groups They are valid for the entire network 232 0 0...

Page 194: ...bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address Multicast Protocols This section provides...

Page 195: ...e flooding of multicast data in a Layer 2 network Layer 3 multicast protocols n We refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as...

Page 196: ...es and inter domain routes An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multi...

Page 197: ...cast source S sends to a multicast group G the multicast device first searches its multicast forwarding table If the corresponding S G entry exists and the interface on which the packet actually arriv...

Page 198: ...gure 59 Multicast packets travel along the SPT from the multicast source to the receivers Figure 61 RPF check process A multicast packet from Source arrives to VLAN interface 1 of Switch C and the cor...

Page 199: ...n IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are mult...

Page 200: ...and related messages and actions Work Mechanism of IGMP Snooping A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows When receiving a general...

Page 201: ...g table the switch installs an entry for this port in the forwarding table and starts the member port aging timer of this port n A switch will not forward an IGMP report through a non router port for...

Page 202: ...f that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires c Caution After an Ethernet s...

Page 203: ...ing version is version 2 c Caution Before configuring related IGMP Snooping functions you must enable IGMP Snooping in the specified VLAN Different multicast group addresses should be configured for d...

Page 204: ...f one or more VLANs are specified the configuration takes effect on the port only if the port belongs to the specified VLAN s If fast leave processing and unknown multicast packet dropping are enabled...

Page 205: ...cast unknown multicast packets by default this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown mult...

Page 206: ...case the multicast packets for the removed multicast group s will be flooded in the VLAN as unknown multicast packets As a result non member ports can receive multicast packets within a period of time...

Page 207: ...iew interface interface type interface number Configure the current port as a static member port for a multicast group in a VLAN multicast static group group address vlan vlan id Required By default n...

Page 208: ...simulated host responds with an IGMP report Meanwhile the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out When the simulated joining function is disabled on...

Page 209: ...uration above you can execute the following display commands in any view to verify the configuration by checking the displayed information You can execute the reset command in user view to clear the s...

Page 210: ...1 Host A and Host B are receivers of the multicast group 224 1 1 1 Network diagram Figure 64 Network diagram for IGMP Snooping configuration Configuration procedure 1 Configure the IP address of each...

Page 211: ...chA vlan100 port Ethernet 1 0 1 to Ethernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100...

Page 212: ...ping is wrong Use the display igmp snooping group command to check if the multicast groups are expected ones If the multicast group set up by IGMP Snooping is not correct contact your technical suppor...

Page 213: ...ontrol protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device can access the LAN only whe...

Page 214: ...PAE authenticates the supplicant systems when they log into the LAN and controls the status authorized unauthorized of the controlled ports according to the authentication result The supplicant system...

Page 215: ...s EAPoL packets EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS EAPoR packets or be terminated at system PAEs...

Page 216: ...size of the Packet body field A value of 0 indicates that the Packet Body field does not exist The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key packe...

Page 217: ...t and Response packets Newly added fields for EAP authentication Two fields EAP message and Message authenticator are added to a RADIUS protocol packet for EAP authentication The EAP message field who...

Page 218: ...ation protocol are available in the EAP relay mode EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system...

Page 219: ...st packet and forwards it to the RADIUS server Upon receiving the packet from the switch the RADIUS server retrieves the user name from the packet finds the corresponding password by matching the user...

Page 220: ...cess the network The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected n In EA...

Page 221: ...You can set the number of retries by using the dot1x retry command An online user will be considered offline when the switch has not received any response packets after a certain number of handshake...

Page 222: ...for authentication actively The switch sends multicast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multica...

Page 223: ...g function on the switch by using the dot1x version check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 80...

Page 224: ...ect to the switch again the user needs to initiate 802 1x authentication with the client software again Figure 74 802 1x re authentication 802 1x re authentication can be enabled in one of the followi...

Page 225: ...configure the user names and passwords on the RADIUS server and perform RADIUS client related configuration on the switch You can also specify to adopt the RADIUS authentication scheme with a local au...

Page 226: ...andshaking function switches cannot receive handshaking acknowledgement packets Enable 802 1x for specified ports In system view dot1x interface interface list Required By default 802 1x is disabled o...

Page 227: ...iew Set the maximum number of concurrent on line users for specified ports In system view dot1x max user user number interface interface list Optional By default a port can accommodate up to 256 user...

Page 228: ...detecting function you need to enable the online user handshaking function first The configuration listed in Table 164 takes effect only when it is performed on CAMS as well as on the switch In addit...

Page 229: ...ng request packets dot1x retry version max max retry version value Optional By default the maximum number of retries to send version checking request packets is 3 Set the client version checking perio...

Page 230: ...e re authentication interval for access users Note the following During re authentication the switch always uses the latest re authentication interval configured no matter which of the above mentioned...

Page 231: ...hose IP addresses are 10 11 1 1 and 10 11 1 2 The RADIUS server with an IP address of 10 11 1 1 operates as the primary authentication server and the secondary accounting server The other operates as...

Page 232: ...sed This operation can be omitted as MAC address based is the default 4210 dot1x port method macbased interface Ethernet 1 0 1 Create a RADIUS scheme named radius1 and enter RADIUS scheme view 4210 ra...

Page 233: ...without domain 4210 radius radius1 quit Create the domain named aabbcc net and enter its view 4210 domain enable aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS s...

Page 235: ...ts to collect the MAC addresses of the attached switches HABP clients respond to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on ma...

Page 236: ...st packets habp timer interval Optional The default interval for an HABP server to send HABP request packets is 20 seconds Table 171 Configure an HABP server Operation Command Remarks Table 172 Config...

Page 237: ...unction Configuring System Guard Related Parameters Table 175 lists the operations to configure system guard related parameters including system guard mode checking interval threshold in terms of the...

Page 238: ...the threshold of inbound rate limit any service packets including BPDU packets are possible to be dropped at random which may result in state transition of STP Displaying and Maintaining the System Gu...

Page 239: ...on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storag...

Page 240: ...nly one protocol But in practice the most commonly used service for AAA is RADIUS What is RADIUS RADIUS remote authentication dial in user service is a distributed service based on client server struc...

Page 241: ...ages exchanged between a RADIUS client a switch for example and a RADIUS server are verified through a shared key This enhances the security The RADIUS protocol combines the authentication and authori...

Page 242: ...epending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type attribute value start to the RADIUS ser...

Page 243: ...P Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this message to the client if all the attribute values carried in the Access Request message are accep...

Page 244: ...bytes including the Type Length and Value fields The Value field up to 253 bytes contains the information of the attribute Its format is determined by the Type and Length fields The RADIUS protocol h...

Page 245: ...rst byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Length and Value to implement a RADIU...

Page 247: ...authentication Local authentication RADIUS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional Cutting Down User Connections Forcibly Option...

Page 248: ...By default the delimiter between the user name and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required I...

Page 249: ...CAUTION You can execute the scheme radius scheme radius scheme name command to adopt an already configured RADIUS scheme to implement all the three AAA functions If you adopt the local scheme only th...

Page 250: ...e scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or local scheme still takes effect even...

Page 251: ...ned by the RADIUS server is a character string containing only digits for example 1024 the switch first regards it as an integer VLAN ID the switch transforms the string to an integer value and judges...

Page 252: ...ocal user in the system Set a password for the local user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state t...

Page 253: ...ress authentication user or multiple users with the same authorization VLAN to a port For local RADIUS authentication or local authentication to take effect the VLAN assignment mode must be set to str...

Page 254: ...onfiguring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configu...

Page 255: ...t one authentication authorization server and one accounting server and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Table 189 RADIUS confi...

Page 256: ...view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme...

Page 257: ...eme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS accounting server primary accounting ip addres...

Page 258: ...the same shared key c CAUTION The authentication authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication...

Page 259: ...g with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary serv...

Page 260: ...ive Table 196 Set the status of RADIUS servers Operation Command Remarks Table 197 Configure the attributes of data to be sent to RADIUS servers Operation Command Remarks Enter system view system view...

Page 261: ...witch provides the local RADIUS server function including authentication and authorization also known as the local RADIUS authentication server function in addition to RADIUS client service where sepa...

Page 262: ...o communicate with the primary server again when it has a RADIUS request If it finds that the primary server has recovered the switch immediately restores the communication with the primary server ins...

Page 263: ...ounting On message which mainly contains the following information NAS ID NAS IP address source IP address and session ID 2 The switch sends the Accounting On message to the CAMS at regular intervals...

Page 264: ...user re authentication at restart function accounting on enable send times interval interval By default this function is disabled If you use this command without any parameter the system will try at...

Page 265: ...IUS server You can select extended as the server type in a RADIUS scheme Table 203 Display and maintain RADIUS protocol information Operation Command Remarks Display RADIUS message statistics about lo...

Page 266: ...Enter system view 4210 system view Adopt AAA authentication for Telnet users 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme 4210 ui vty0 4 quit Configure an ISP domain 4210 dom...

Page 267: ...thenticated locally Network diagram Figure 82 Local authentication of Telnet users Configuration procedure Method 1 Using local authentication scheme Enter system view 4210 system view Adopt AAA authe...

Page 268: ...in the database of the RADIUS server Check the database of the RADIUS server make sure that the configuration information about the user exists The user input an incorrect password Be sure to input t...

Page 269: ...the authentication authorization server and the accounting server use the same device with the same IP address but in fact they are not resident on the same device Be sure to configure the RADIUS ser...

Page 271: ...ntication For details refer to AAA Configuration on page 245 for information about local user attributes Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS...

Page 272: ...et MAC address which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly...

Page 273: ...user name is mac and no password is configured Configure the user name mac authentication authusername username Configure the password mac authentication authpassword password Specify an ISP domain...

Page 274: ...re authenticate the first access user of this port namely the first user whose unicast MAC address is learned by the switch periodically If this user passes the re authentication this port will exit...

Page 275: ...on for MAC authentication does not take effect when port security is enabled Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum n...

Page 276: ...the display command in any view to display system running of MAC Authentication configuration and to verify the effect of the configuration You can execute the reset command in user view to clear the...

Page 277: ...n interface Ethernet 1 0 2 Set the user name in MAC address mode for MAC authentication requiring hyphened lowercase MAC addresses as the usernames and passwords 4210 mac authentication authmode usern...

Page 278: ...trol related features Otherwise a user may be denied of access to the networks because of incomplete configuration 4210 mac authentication After doing so your MAC authentication configuration will ta...

Page 279: ...P reply messages Figure 84 illustrates the format of these two types of ARP messages As for an ARP request all the fields except the hardware address of the receiver field are set The hardware address...

Page 280: ...ss length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packets which can be 1 ARP request packets 2 ARP reply packets 3 RARP request packe...

Page 281: ...dress into its ARP mapping table encapsulates its MAC address into an ARP reply and unicasts the reply to Host A 4 After receiving the ARP reply Host A adds the MAC address of Host B into its ARP mapp...

Page 282: ...1 00e0 fc01 0000 1 Ethernet1 0 10 Table 213 Display and debug ARP Operation Command Remarks Display specific ARP mapping table entries display arp static dynamic ip address Available in any view Displ...

Page 283: ...ervers return the corresponding configuration information such as IP addresses to implement dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple cli...

Page 284: ...a DHCP ACK packet to the DHCP client to confirm the assignment of the IP address to the client or returns a DHCP NAK packet to refuse the assignment of the IP address to the client When the client rec...

Page 285: ...n Hardware address type and length of the DHCP client hops Number of DHCP relay agents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increase...

Page 286: ...ength fields including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include RFC2131 Dynamic...

Page 287: ...relay agent operating at the network layer Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer Figure 87 illustrates a typical network diagram for D...

Page 288: ...C Enable DHCP snooping on the switch Network diagram Figure 88 Network diagram for DHCP snooping configuration Configuration procedure Enable DHCP snooping on the switch 4210 system view 4210 dhcp sn...

Page 289: ...ddress and IP address of a BOOTP client When a BOOTP client sends a request to the BOOTP server the BOOTP server will search for the BOOTP parameter file and return it to the client A BOOTP client dyn...

Page 290: ...bles the DHCP client and UDP port 68 Using the undo ip address dhcp alloc command disables the DHCP client and UDP port 68 Displaying DHCP BOOTP Client Configuration DHCP Client Configuration Example...

Page 291: ...cribes only the configuration on Switch A serving as a DHCP client Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP 4210 system view 4210 interface Vlan interface 1 4210 Vl...

Page 293: ...d port numbers carried in the packets According to their application purposes ACLs fall into the following four types Basic ACL Rules are created based on source IP addresses only Advanced ACL Rules a...

Page 294: ...rinciples will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the parameter itself will jointly decide the final matchin...

Page 295: ...pper layer software for packet filtering They cannot be applied to hardware ACL Configuration Configuring a Time Range Time ranges can be used to filter packets You can specify a time range for each r...

Page 296: ...s within the range from 12 00 to 14 00 on every Wednesday in 2004 If the start time is not specified the time section starts from 1970 1 1 00 00 and ends on the specified end date If the end date is n...

Page 297: ...stent rules are unaltered Configuration Example Configure ACL 2000 to deny packets whose source IP addresses are 192 168 0 1 4210 system view 4210 acl number 2000 4210 acl basic 2000 rule deny source...

Page 298: ...the ACL you cannot modify any existent rule otherwise the system prompts error information If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically...

Page 299: ...160 0 0 0 0 255 destination port eq www 0 times matched Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information...

Page 300: ...trolling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source IP address of 10 110 100 46 to log in to the switch through HTTP Network diagram Figure 91 N...

Page 301: ...ey arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio r...

Page 302: ...nagement handles resource competition during network congestion Generally it adds packets to queues first and then forwards the packets by using a scheduling algorithm Congestion avoidance monitors th...

Page 303: ...ccording to their DSCP values. Expedited Forwarding (EF) class: In this class, packets can be forwarded regardless of link share of other traffic. The class is suitable for preferential services with low de...

Page 304: ...e with an 802.1Q tag header. As shown in the figure above, each host supporting the 802.1Q protocol adds a 4-byte 802.1Q tag header after the source address of the former Ethernet frame header when sending...

Page 305: ...s and will be processed preferentially. By default, a Switch 4210 processes a received packet as follows: For a packet without an 802.1Q tag header, the switch uses the priority of the receiving port as t...

Page 306: ...precedence to the packet. With the IP precedence trusted, the switch obtains the corresponding local precedence by looking up the IP precedence of the packet in the IP-precedence-to-local-precedence map...

Page 307: ...gram for LR. If you perform port rate limiting configuration for a port, the token bucket determines the way to process the packets to be sent by this port or packets reaching the port. Packets can be se...

Page 308: ...t fixed; that is to say, if a queue is empty, the next queue will be scheduled. In this way the bandwidth resources are made full use of. HQ-WRR queuing: HQ-WRR is an improvement over WRR. With queue 3 allocate...

Page 309: ...is to be configured is determined. The target priority value is determined. Configuration procedure. Configuration example: Configure port priority on Ethernet 1/0/1 and set the priority of Ethernet 1/0/1...

Page 310: ...e. Configuration example: Configure the switch to trust the DSCP precedence of the received packets. <4210> system-view; [4210] priority-trust dscp. Table 228: Configure to trust the 802.1p precedence of the re...

Page 311: ...edence-to-local-precedence mapping table. Operation | Command | Description. Enter system view | system-view. Configure CoS-precedence-to-local-precedence mapping table | qos cos-local-precedence-map cos0-map-l...

Page 312: ...or inbound packets on Ethernet 1/0/1. The rate limit is 1,024 Kbps. Configuration procedure: <4210> system-view; [4210] interface Ethernet 1/0/1; [4210-Ethernet1/0/1] line-rate inbound 1024. Configuring Queue Sche...

Page 313: ...on. Configuration prerequisites: The burst function is required. Configuration procedure. Configuration example: Enable the burst function. <4210> system-view; [4210] burst-mode enable. Table 234: Configure queue...

Page 314: ...relationship | display qos dscp-local-precedence-map | Available in any view. Display the IP-precedence-to-local-precedence mapping relationship | display qos ip-precedence-local-precedence-map | Available...

Page 315: ...re source ports of a device are copied to the destination port on the same device for packet analysis and monitoring. In this case, the source ports and the destination port must be located on the same...

Page 316: ...rom the R&D department and the marketing department through the data detection device. Configure the source port for the port mirroring group: In system view: mirroring-group group-id mirroring-port mirr...

Page 317: ...e source ports and destination port for the local mirroring group. [4210] mirroring-group 1 mirroring-port Ethernet 1/0/1 Ethernet 1/0/2 both; [4210] mirroring-group 1 monitor-port Ethernet 1/0/3. Display co...

Page 318: ...316 CHAPTER 29 MIRRORING CONFIGURATION...

Page 319: ...nt. A switch in a cluster plays one of the following three roles: Management device, Member device, Candidate device. A cluster comprises a management device and multiple member devices. To manage the de...

Page 320: ...toring and maintaining the network. It allows you to configure and upgrade multiple switches at the same time. It enables you to manage your remote devices conveniently regardless of network topology...

Page 321: ...logy, manages and maintains the cluster. Management device also supports FTP server and SNMP host proxy. Processes the commands issued by users through the public network. Member device: Normally, a member...

Page 322: ...ollect network topology information is determined by the NTDP timer. If you do not want the candidate switches to be added to a cluster automatically, you can set the topology collection interval to 0 b...

Page 323: ...g, the receiving devices will keep the NDP packet data. The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet. When they receive anoth...

Page 324: ...enabled port on a device to forward an NTDP topology collection request after a specific period since the previous port on the device forwards the NTDP topology collection request. To implement NTDP...

Page 325: ...ce is added to the cluster as a member device, both the management device and the member device store the state information of the member device and mark the member device as Active. The management devi...

Page 326: ...unctions can be implemented: Enabling the management packets (including NDP packets, NTDP packets and handshake packets) to be transmitted in the management VLAN only, through which the management packets...

Page 327: ...When you remove a cluster by using the undo build or undo cluster enable command, UDP port 40000 is closed at the same time. Enabling NDP globally and on specific ports: Table 240 Cluster configuration t...

Page 328: ...al. By default, the holdtime of NDP information is 180 seconds. Configure the interval to send NDP packets | ndp timer hello seconds | Optional. By default, the interval to send NDP packets is 60 seconds. Table...

Page 329: ...ptional. Table 246 Enable the cluster function: Operation | Command | Description. Enter system view | system-view. Enable the cluster function globally | cluster enable | Required. By default, the cluster function i...

Page 330: ...60 seconds. Set the interval to send handshake packets | timer interval | Optional. By default, the interval to send handshake packets is 10 seconds. Table 247 Establish a cluster and configure cluster param...

Page 331: ...the member devices in the cluster is closed at the same time. When you execute the undo administrator-address command on a member device, UDP port 40000 of the member device is closed at the same time. E...

Page 332: ...tination-file | Optional. Table 252 Enable the cluster function: Operation | Command | Description. Table 254 Manage a cluster through management devices: Operation | Command | Description. Enter system view | system...

Page 333: ...d restore the administrative device using the backup topology on the Flash memory so that the devices in the cluster can resume normal operation. With the display cluster current-topology command, the s...

Page 334: ...tive device | topology save-to local-flash | Required. Restore the standard topology from the Flash memory of the administrative device | topology restore-from local-flash | Optional. Display the detailed infor...

Page 335: ...57 Configure the cluster device blacklist: Operation | Command | Description. Table 258 Display and maintain cluster configuration: Operation | Command | Description. Display all NDP configuration and running inf...

Page 336: ...s 163.172.55.1. All the devices in the cluster share the same FTP server and TFTP server. The FTP server and TFTP server use the same IP address 63.172.55.1. The NMS and logging host use the same IP addr...

Page 337: ...and on Ethernet 1/0/2 and Ethernet 1/0/3. [4210] ntdp enable; [4210] interface Ethernet 1/0/2; [4210-Ethernet1/0/2] ntdp enable; [4210-Ethernet1/0/2] quit; [4210] interface Ethernet 1/0/3; [4210-Ethernet1/0/3] ntdp ena...

Page 338: ...r device to the remote shared FTP server of the cluster. <aaa_1.3Com> ftp cluster. Download the file named aaa.txt from the shared TFTP server of the cluster to the member device. <aaa_1.3Com> tftp cluster g...

Page 339: ...d save it in the flash of the local management device in the cluster. Network diagram: Figure 103 Network diagram for the enhanced cluster feature configuration. Configuration procedure: Enter cluster vie...

Page 340: ...338 CHAPTER 30 CLUSTER...

Page 341: ...applied to IP phones, wireless access points (APs), chargers for portable devices, card readers, network cameras and data collection systems. PoE components: PoE consists of three components: power sourcing eq...

Page 342: ...e; that is, different PoE policies can be set for different user groups. These PoE policies are each saved in the corresponding PoE profile and applied to ports of the user groups. When you use the PoE...

Page 343: ...default: auto. When the switch is close to its full load in supplying power, it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs...

Page 344: ...two types: signal mode and spare mode. Signal mode: DC power is carried over the data pairs (1, 2, 3, 6) of category 3/5 twisted pairs. Spare mode: DC power is carried over the spare pairs (4, 5, 7, 8) of category...

Page 345: ...n disabled on all the ports. When the internal temperature of the switch increases from X (X ≤ 60 °C, or X ≤ 140 °F) to Y (60 °C < Y < 65 °C, or 140 °F < Y < 149 °F), the switch still keeps the PoE function enabled on all the...

Page 346: ...y command in any view to see the operation of the PoE feature and verify the effect of the configuration. PoE Configuration Example: Networking requirements: Switch A is a Switc...

Page 347: ...uration procedure: Upgrade the PSE processing software online. <SwitchA> system-view; [SwitchA] poe update refresh 0290_021.s19. Enable the PoE feature on Ethernet 1/0/1 and set the PoE maximum output power o...

Page 348: ...t the PoE management mode on the switch to auto (it is the default mode, so this step can be omitted). [SwitchA] poe power-management auto. Enable the PD compatibility detect of the switch to allow the switc...

Page 349: ...the PoE configurations in the PoE profile will be enabled on the port. PoE Profile Configuration: Configuring PoE Profile. Table 270 Configure PoE profile: Operation | Command | Description. Enter system view...

Page 350: ...ent framework (IRF) system. 3. Combination of Units creates a new Fabric. In the newly created Fabric, the PoE profile configuration of the Unit with the smallest Unit ID number will become the PoE profile c...

Page 351: ...0/5 is Critical, whereas the PoE priority for Ethernet 1/0/6 through Ethernet 1/0/10 is High. The maximum power for Ethernet 1/0/1 through Ethernet 1/0/5 ports is 3,000 mW, whereas the maximum power for...

Page 352: ...Create Profile2 and enter PoE profile view. [SwitchA] poe-profile Profile2. In Profile2, add the PoE policy configuration applicable to Ethernet 1/0/6 through Ethernet 1/0/10 ports for users of group A. [Sw...

Page 353: ...Request, GetNextRequest and SetRequest messages to the agents. Upon receiving the requests from the NMS, an agent performs Read or Write operation on the managed object. MIB (Management Information Base) ac...

Page 354: ...be uniquely identified by a path starting from the root. Figure 106 Architecture of the MIB tree. The management information base (MIB) describes the hierarchical architecture of the tree and it is the se...

Page 355: ...B attribute | MIB content | Related RFC. Table 273 Configure basic SNMP functions (SNMPv1 and SNMPv2c): Operation | Command | Description. Enter system view | system-view. Enable SNMP agent | snmp-agent | Optional. Disabl...

Page 356: ...ricid | Optional. By default, the device switch fabric ID is enterprise number + device information. Create/Update the view information | snmp-agent mib-view { included | excluded } view-name oid-tree [ mask mask-valu...

Page 357: ...t calculate-password plain-password mode { md5 | sha } { local-switch-fabricid | specified-switch-fabricid switch-fabricid } | Optional. This command is used if password in cipher text is needed for adding a new use...

Page 358: ...view | interface interface-type interface-number. Enable the port or interface to send Trap messages | enable snmp trap updown. Quit to system view | quit. Set the destination for Trap messages | snmp-agent targ...

Page 359: ...etwork management: Operation | Command | Description. Enter system view | system-view. Enable logging for network management | snmp-agent log { set-operation | get-operation | all } | Optional. Disabled by default. Table 27...

Page 360: ...on protocol to HMAC-MD5, authentication password to passmd5, encryption protocol to DES, encryption password to cfb128cfb128. [4210] snmp-agent group v3 managev3group privacy write-view internet; [4210] snmp-a...
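The SNMPv3 user on page 360 is given two passwords, but what the agent and the NMS actually share are keys derived from those passwords and bound to the agent's engine ID (the "switch fabric ID" of page 356). The following is an added example, not code from the 3Com guide: it implements the RFC 3414 password-to-key expansion and key localization for the md5 and sha choices the switch offers, and splits a localized privacy key into the DES key and pre-IV as RFC 3414 specifies. The engine ID value is an assumption for this example; the `maplesyrup` vectors used to check it are RFC 3414 Appendix A test vectors.

```python
"""Added example, not from the 3Com guide: RFC 3414 password-to-key and key
localization for SNMPv3 USM users."""
import hashlib
from typing import Tuple

ONE_MEGABYTE = 1048576


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku: hash the password repeated cyclically over exactly 1,048,576 bytes
    (RFC 3414 A.2). algo is "md5" or "sha1" (the switch's "sha")."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The same password yields a different
    key on every agent, so a key recovered from one switch opens no other."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_id_hex: str, algo: str = "md5") -> bytes:
    return localize_key(password_to_key(password.encode(), algo),
                        bytes.fromhex(engine_id_hex), algo)


def des_key_and_preiv(priv_kul: bytes) -> Tuple[bytes, bytes]:
    """CBC-DES (RFC 3414 8.1.1.1): the first 8 octets of the localized privacy
    key are the DES key (parity bits ignored); the last 8 are the pre-IV that
    is xored with the per-message salt to form the IV."""
    if len(priv_kul) < 16:
        raise ValueError("localized key too short for DES")
    return priv_kul[:8], priv_kul[8:16]


# Constructed demonstration with the guide's example passwords. The engine ID
# (SNMPv3 format byte 0x03 = MAC address, enterprise 43 = 3Com) is an assumption.
ENGINE_ID = "8000002b03000fe2123456"
AUTH_KEY = localized_key("passmd5", ENGINE_ID, "md5")
PRIV_KEY = localized_key("cfb128cfb128", ENGINE_ID, "md5")

if __name__ == "__main__":
    print("auth Kul :", AUTH_KEY.hex())
    des_key, pre_iv = des_key_and_preiv(PRIV_KEY)
    print("DES key  :", des_key.hex(), " pre-IV:", pre_iv.hex())
```

Two practical consequences follow from the arithmetic: an NMS must learn the agent's engine ID (usually by a discovery request) before it can compute the key, and changing the engine ID, for example by replacing a switch, invalidates every cached key. HMAC-MD5-96 and 56-bit DES are the strongest options this platform offers, so the SNMPv3 traffic still belongs on a management VLAN with the ACL protection described earlier in the guide.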

Page 361: ...ame and password authentication. When you use 3Com's NMS, you need to set user names and choose the security level in Authentication Parameter. For each security level, you need to set authorization mode...

Page 362: ...360 CHAPTER 33 SNMP CONFIGURATION...

Page 363: ...ts can be reduced, thus facilitating the management of large-scale internetworks. Working Mechanism of RMON: RMON allows multiple monitors. It can collect data in the following two ways: Using the dedicate...

Page 364: ...e following operations accordingly: Sampling the defined alarm variables periodically. Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter. Ex...

Page 365: ...eration | Command | Description. Enter system view | system-view. Add an event entry | rmon event event-entry [ description string ] { log | trap trap-community | log-trap log-trapcommunity | none } [ owner text ] | Optional. Add a...

Page 366: ...table to monitor the information of statistics on the Ethernet port; if the change rate of which exceeds the set threshold, the alarm events will be triggered. Network diagram: Figure 108 Network diagram...

Page 367: ...very 10 seconds. When the change ratio between samples reaches the rising threshold of 50, event 1 is triggered; when the change ratio drops under the falling threshold, event 2 is triggered. [4210] rmon pri...
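The alarm on pages 364 to 367 is easy to misread as "fire whenever the sample is above 50": RMON alarms (RFC 2819) fire a rising event only on the crossing, and not again until a falling event has occurred, which is what keeps a sustained burst from generating a trap every 10 seconds. The following is an added example, not code from the 3Com guide: it evaluates delta samples of a counter against rising and falling thresholds with that hysteresis and the startup-alarm rule for the first sample. The rising threshold of 50 is the guide's; the falling threshold of 5 and the counter readings are assumptions for this example.

```python
"""Added example, not from the 3Com guide: RMON alarm evaluation (RFC 2819
semantics) over delta samples, with rising/falling hysteresis."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple


@dataclass
class Alarm:
    rising: int
    falling: int
    startup: str = "risingOrFalling"      # "rising", "falling" or "risingOrFalling"
    prev: Optional[int] = None            # previous sample, None before the first
    last_event: Optional[str] = None      # last event fired: "rising" or "falling"
    events: List[str] = field(default_factory=list)

    def sample(self, value: int) -> Optional[str]:
        """Feed one sample (already a delta for delta sampling) and return the
        event fired, if any. A rising event needs a crossing (previous sample
        below the threshold) and no rising event since the last falling one."""
        event = None
        if self.prev is None:
            # First sample: only the configured startup alarm may fire.
            if value >= self.rising and self.startup in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling and self.startup in ("falling", "risingOrFalling"):
                event = "falling"
        elif value >= self.rising and self.prev < self.rising and self.last_event != "rising":
            event = "rising"
        elif value <= self.falling and self.prev > self.falling and self.last_event != "falling":
            event = "falling"
        self.prev = value
        if event is not None:
            self.last_event = event
            self.events.append(event)
        return event


def deltas(counter: Sequence[int]) -> List[int]:
    """Delta sampling: change of a monotonically increasing counter per interval."""
    return [b - a for a, b in zip(counter, counter[1:])]


def run_alarm(counter: Sequence[int], rising: int, falling: int,
              startup: str = "risingOrFalling") -> List[Tuple[int, Optional[str]]]:
    """Return (delta, event) for every interval of a counter series."""
    alarm = Alarm(rising=rising, falling=falling, startup=startup)
    return [(d, alarm.sample(d)) for d in deltas(counter)]


# Constructed etherStatsPkts readings, one every 10 s (not captured from a switch).
SAMPLES = [1000, 1010, 1070, 1140, 1143, 1223]

if __name__ == "__main__":
    for delta, event in run_alarm(SAMPLES, rising=50, falling=5):
        print(f"delta={delta:4d}  event={event}")
```

With the constructed readings the deltas are 10, 60, 70, 3, 80: the 60 fires the rising event (event 1 on the switch), the 70 does not even though it is also above 50, the 3 fires the falling event (event 2), and the 80 is a fresh rising event because a falling event has occurred in between. Without a falling threshold low enough to be reached, a port that stays busy raises exactly one alarm and then goes quiet.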

Page 368: ...366 CHAPTER 34 RMON CONFIGURATION...

Page 369: ...onfiguration. NTP is mainly applied to synchronizing the clocks of all devices in a network. For example: In network management, the analysis of the log information and debugging information collected fro...

Page 370: ...ple, we suppose that: Before the system clocks of Device A and Device B are synchronized, the clock of Device A is set to 10:00:00 am and the clock of Device B is set to 11:00:00 am. Device B serves as th...

Page 371: ...me offset of Device A relative to Device B: Offset = ((T2 - T1) + (T3 - T4)) / 2. Device A can then set its own clock according to the above information to synchronize its clock to that of Device B. For detailed informa...
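The offset formula on page 371 is worth carrying through with the numbers of the page 370 scenario, because it also shows the assumption the formula rests on. The following is an added example, not code from the 3Com guide: it computes the offset and the round-trip delay from the four timestamps of one client/server exchange and applies the offset to the client clock. Device A's 10:00:00 and Device B's 11:00:00 are the guide's; the 1 s one-way delay and the 1 s hold time on Device B are assumptions for this example.

```python
"""Added example, not from the 3Com guide: the client-side arithmetic of one
NTP request/response exchange."""
from datetime import datetime, timedelta
from typing import Tuple


def ntp_offset_delay(t1: datetime, t2: datetime, t3: datetime,
                     t4: datetime) -> Tuple[timedelta, timedelta]:
    """T1: client sends the request (client clock)
    T2: server receives it (server clock)
    T3: server sends the reply (server clock)
    T4: client receives the reply (client clock)
    Offset is the server clock minus the client clock; delay is the round trip
    with the server's hold time removed. The offset is exact only when the two
    one-way delays are equal; an asymmetric path biases it by half the difference."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def corrected_time(t4: datetime, offset: timedelta) -> datetime:
    """Client clock after applying the offset computed from this exchange."""
    return t4 + offset


def device_a_example() -> Tuple[timedelta, timedelta, datetime]:
    """Constructed from the guide's scenario: Device A reads 10:00:00 and Device B
    11:00:00 when the exchange starts. A one-way delay of 1 s and a 1 s hold time
    on Device B are assumptions for this example."""
    t1 = datetime(2000, 1, 1, 10, 0, 0)   # Device A sends (A's clock)
    t2 = datetime(2000, 1, 1, 11, 0, 1)   # Device B receives (B's clock)
    t3 = datetime(2000, 1, 1, 11, 0, 2)   # Device B replies (B's clock)
    t4 = datetime(2000, 1, 1, 10, 0, 3)   # Device A receives (A's clock)
    offset, delay = ntp_offset_delay(t1, t2, t3, t4)
    return offset, delay, corrected_time(t4, offset)


if __name__ == "__main__":
    offset, delay, fixed = device_a_example()
    print(f"offset={offset}  delay={delay}  Device A now reads {fixed.time()}")
```

The computed offset is exactly one hour, as the scenario requires, and the delay of 2 s is what remains of the 3 s round trip once Device B's hold time is subtracted. Because the client accepts whatever T2 and T3 the reply carries, a forged reply shifts the client's clock by an arbitrary amount, which is the reason the later NTP authentication section (page 378) exists.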

Page 372: ...ronization packets periodically. Network | Server: Initiates a client/server mode request after receiving the first multicast packet. Works in the server mode automatically and sends responses. Client/serve...

Page 373: ...l Switch 4210 to work in NTP symmetric peer mode. In this mode, the remote server serves as the symmetric passive peer of the Switch 4210 and the local switch serves as the symmetric active peer. Broadca...

Page 374: ...n the clients and not on the servers. The remote server specified by remote-ip or server-name serves as the NTP server and the local switch serves as the NTP client. The clock of the NTP client will b...

Page 375: ...first; otherwise the clock synchronization will not proceed. You can configure multiple symmetric passive peers for the local switch by repeating the ntp-service unicast-peer command. The clock of the p...

Page 376: ...ients. Configuring a switch to work in the multicast server mode. Table 285 Configure a switch to work in the NTP broadcast server mode: Operation | Command | Description. Enter system view | system-view. Enter...

Page 377: ...e to perform synchronization and control query to the local switch, and also permits the local switch to synchronize its clock to the peer device. From the highest NTP service access control right to th...

Page 378: ...ated configurations are properly performed. For the NTP authentication function to take effect, a trusted key needs to be configured on both the client and server after the NTP authentication is enabled...

Page 379: ...no trusted key is configured. Associate the specified key with the corresponding NTP server (configure on the client in the server/client mode) | ntp-service unicast-server { remote-ip | server-name } authenti...

Page 380: ...em will create a static association and the server will just respond passively. Associate the specified key with the corresponding broadcast/multicast client (configure on the NTP broadcast server) | ntp...

Page 381: ...rver of Device B (a Switch 4210). Table 295 Configure the number of dynamic sessions allowed on the local switch: Operation | Command | Description. Enter system view | system-view. Configure the maximum number o...

Page 382: ...000 00000000. Set Device A as the NTP server of Device B. <DeviceB> system-view; [DeviceB] ntp-service unicast-server 1.0.1.11. After the above configurations, Device B is synchronized to Device A. View the NTP...

Page 383: ...e 115 Network diagram for NTP peer mode configuration. Configuration procedure: 1. Configure Device C: Set Device A as the NTP server. <DeviceC> system-view; [DeviceC] ntp-service unicast-server 3.0.1.31. 2. Conf...

Page 384: ...offset delay disper
[1234] 3.0.1.32   LOCL         1   95   64   42   14.3     12.9   2.7
[25]   3.0.1.31   127.127.1.0  2    1   64    1   4408.6   38.7   0.0
note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured
Total associatio...

Page 385: ...0.1.31. Nominal frequency: 100.0000 Hz. Actual frequency: 100.0000 Hz. Clock precision: 2^-18. Clock offset: 198.7425 ms. Root delay: 27.47 ms. Root dispersion: 208.39 ms. Peer dispersion: 9.63 ms. Reference time: 17...

Page 386: ...ice multicast-client. After the above configurations, Device A and Device D respectively listen to multicast messages through their own Vlan-interface2, and Device C advertises multicast messages through...

Page 387: ...the NTP server. Device B is set to work in client mode while Device A works in server mode automatically. The NTP authentication function is enabled on Device A and Device B. Network diagram: Figure 118...

Page 388: ...tatus: Clock status: synchronized. Clock stratum: 3. Reference clock ID: 1.0.1.11. Nominal frequency: 100.0000 Hz. Actual frequency: 100.1000 Hz. Clock precision: 2^-18. Clock offset: 0.66 ms. Root delay: 27.47 ms. Roo...

Page 389: ...rently the Switch 4210 device supports only SSH2 when functioning as either an SSH client or an SSH server. Unless otherwise noted, SSH refers to SSH2 throughout this document. Algorithm and Key: Algorith...

Page 390: ...version identification string in the format of SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>. The primary and secondary protocol version numbers constitu...

Page 391: ...tication type from the method list to perform authentication again. The above process repeats until the authentication succeeds or the connection is torn down when the authentication times reach the up...

Page 392: ...configuration does not take effect immediately but will be effective for subsequent login requests. Table 299 SSH server configuration tasks: Tasks | Description. Configuring the SSH server: Configuring th...

Page 393: ...to replace the existing key pair. The command for generating a key pair can survive a reboot; you only need to configure it once. Some third-party software, for example WinSCP, requires that the modulo o...

Page 394: ...password and remote authentication (RADIUS authentication, for example) is adopted, you need not use the ssh user command to create an SSH user, because it is created on the... Table 302 Export the RSA public...

Page 395: ...h a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it. Configuring SSH Management: The SSH se...

Page 396: ...TFTP. You can also use the following commands to configure the client's RSA public key on the server. Table 307 Configure the client's public key manually: Operation | Command | Description. Enter system view...

Page 397: ...Configure the client RSA public key manually: Operation | Command | Description. Enter system view | system-view. Enter public key view | rsa peer-public-key keyname | Required. Enter public key edit view | public-ke...

Page 398: ...pairs and DSA key pairs are generated by a tool of the client software. The following takes the client software of PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client. G...

Page 399: ...ent key 1. Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar in the blue box shown in Figure 121. Otherwise, the process bar sto...

Page 400: ...N. Figure 121 Generate the client keys (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key ("public" in this case) to save the public key. Figure...

Page 401: ...es and enter the name of the file for saving the private key ("private" in this case) to save the private key. Figure 123 Generate the client keys (4). To generate RSA public key in PKCS format, run SSHKEY.exe...

Page 402: ...s of the server. Note that there must be a route available between the IP address of the server and the client. Select a protocol for remote connection: As shown in Figure 125, select SSH under Protocol. S...

Page 403: ...m only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation (ssh2). Open an SSH connection with publickey authentication: If a user needs to be authenticated with...

Page 404: ...3. Click Browse to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, a user will be prompted fo...

Page 405: ...rface. 1. Open an SSH connection with password authentication: From the window shown in Figure 127, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted t...

Page 406: ...and is not configured with the server host public key, the user can continue accessing the server and will save the host public key on the client for use in subsequent authentications. Note that on that first connection the client has no key to check the server against, so a server impersonating the real one is not detected; configuring the server's public key on the client beforehand closes this gap. When first-time...

Page 407: ...lient first-time | Required. By default, the client is enabled to run first-time authentication. Configure server public key | Refer to Configuring the Client Public Key on the Server on page 394 | Required. Th...

Page 408: ...e SSH client will use as the destination for SSH connection. <4210> system-view; [4210] interface Vlan-interface 1; [4210-Vlan-interface1] ip address 192.168.0.1 255.255.255.0; [4210-Vlan-interface1] quit. Gener...

Page 409: ...n password to abc, protocol type to SSH and command privilege level to 3 for the client. [4210] local-user client001; [4210-luser-client001] password simple abc; [4210-luser-client001] service-type ssh level 3...

Page 410: ...TY.exe to enter the following configuration interface. Figure 131 SSH client configuration interface. In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2. From the category o...

Page 411: ...rotocol options, select 2 from Preferred SSH protocol version. 3. As shown in Figure 131, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user nam...

Page 412: ...Configuration procedure: Under the publickey authentication mode, either the RS<br>A or DSA public key can be generated for the server to authenticate the client. Here takes the RSA public key as an examp...

Page 413: ...authentication type of the SSH client named client001 as publickey. [4210] ssh user client001 authentication-type publickey. Before performing the following steps, you must generate an RSA public key p...

Page 414: ...n.exe, choose SSH2 RSA and click Generate. Figure 135 Generate a client key pair (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown...

Page 415: ...mples 413. Figure 136 Generate a client key pair (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key ("public" in this case). Figure 137 Generate...

Page 416: ...to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client. Establish a connection with the SSH server: The foll...

Page 417: ...H Configuration Examples 415. Figure 140 SSH client configuration interface. 2. Under Protocol options, select 2 from Preferred SSH protocol version. 3. Select Connection > SSH > Auth. The following window appea...

Page 418: ...rowse to bring up the file selection window, navigate to the private key file and click OK. 4. From the window shown in Figure 141, click Open. The following SSH client interface appears. If the connection...

Page 419: ...red. Network diagram: Figure 143 Network diagram of SSH client configuration when using password authentication. Configuration procedure: Configure Switch B: Create a VLAN interface on the switch and assig...

Page 420: ...nd assign an IP address, which serves as the SSH client's address in an SSH connection. <4210> system-view; [4210] interface Vlan-interface 1; [4210-Vlan-interface1] ip address 10.165.87.137 255.255.255.0; [4210...

Page 421: ...nterfaces to AAA. [4210] user-interface vty 0 4; [4210-ui-vty0-4] authentication-mode scheme. Enable the user interfaces to support SSH: [4210-ui-vty0-4] protocol inbound ssh. Set the user command privilege leve...

Page 422: ...to abort. Connected to 10.165.87.136... The Server is not authenticated. Do you continue to access it? (Y/N): y. Do you want to save the server's public key? (Y/N): n. Copyright (c) 2004-2007 3Com Corporation. Without...

Page 423: ...he file to the SSH server through FTP or TFTP. For details, refer to the following. Configure Switch A: Import the client's public key file Switch001 and name the public key as Switch001. [4210] public-key p...

Page 424: ...upload the file to the SSH client through FTP or TFTP. For details, refer to the above section. Configure Switch B: Import the public key named Switch002 from the file Switch002. [4210] public-key peer Swit...

Page 425: ...s method can be used to specify a path or a file in the current work directory. Directory Operations: The file system provides directory-related functions such as: Creating/deleting a directory; Displayin...

Page 426: ...rackets. If the configuration files are deleted, the switch adopts the null configuration when it starts up next time. Table 320 File operations: To do | Use the command | Remarks. Delete a file | delete [ /unreser...

Page 427: ...ig.cfg
3  -rwh   151  Apr 03 2000 16:04:55  private-data.txt
4  -rwh   716  Apr 04 2000 17:27:35  hostkey
5  -rwh   572  Apr 04 2000 17:27:41  serverkey
6  -rwh   548  Apr 04 2000 17:30:06  dsakey
7  drw-    -   Apr 04 2000 23:04:21...

Page 428: ...ree startup files support file attribute configuration. App files: An app file is an executable file with .bin as the extension. Configuration files: A configuration file is used to store and restore confi...

Page 429: ...tributes. You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch, and change the main or backup attribute of the file. Perform the con...

Page 430: ...and. Otherwise, the Web server cannot function normally. Currently, a configuration file has the extension .cfg and resides in the root directory of the Flash memory. For the detailed configuration of config...

Page 431: ...for program file transfer; ASCII mode for text file transfer. A 3Com Switch 4210 can operate as an FTP client or the FTP server in FTP-employed data transmission. Table 325 The Switch 4210 FTP Roles: Item...

Page 432: ...tes as an FTP server. Table 326 FTP configuration tasks: Item | Configuration task | Description. FTP Configuration: A Switch Operating as an FTP Server: Creating an FTP user | Required. Enabling an FTP server | Re...

Page 433: ...long time without performing any operation. Configuring the banner for an FTP server: Displaying a banner: With a banner configured on the FTP server, when you access the FTP server through FTP, the confi...

Page 434: ...ons such as creating/removing a directory by executing commands on the switch. Table 332 lists the operations that can be performed on an FTP client. Table 330 Configure the banner display for an FTP se...

Page 435: ...current directory are displayed. The difference between these two commands is that the dir command can display the file name/directory as well as file attributes, while the ls command can display only t...

Page 436: ...figure Switch A (the FTP server): Log in to the switch and enable the FTP server function on the switch. Configure the user name and password used to access FTP services and specify the service type as FT...

Page 437: ...ON: If available space on the Flash memory of the switch is not enough to hold the file to be uploaded, you need to delete files not in use from the Flash memory to make room for the file and then uploa...

Page 438: ...figuration. Configuration procedure: 1. Configure the switch (FTP server): Configure the login banner of the switch as "login banner appears" and the shell banner as "shell banner appears". For detailed configur...

Page 439: ...client. Configuration procedure: 1. Configure the PC (FTP server): Perform FTP server related configurations on the PC, that is, create a user account on the FTP server with user name switch and password hell...

Page 440: ...on is upgraded. <4210> boot boot-loader switch.bin; <4210> reboot. For information about the boot boot-loader command and how to specify the startup file for a switch, refer to Basic System Configuration an...

Page 441: ...t only the first user can log in as the SFTP user; the subsequent connection will fail. When you upload a large file through WinSCP, if a file with the same name exists on the server, you are recommended...

Page 442: ...rmdir pathname. Delete a specified file | delete remote-file | Optional. Both commands have the same effect | remove remote-file. Query a specified file on the SFTP server | dir remote-file local-file | Optional. If n...

Page 443: ...iagram for SFTP configuration. Configuration procedure: 1. Configure the SFTP server (Switch B): Create key pairs. <4210> system-view; [4210] public-key local create rsa; [4210] public-key local create dsa. Create a...

Page 444: ...me client001 and the password abc, and then enter SFTP client view. [4210] sftp 192.168.0.1; Input Username: client001; Trying 192.168.0.1 ... Press CTRL+K to abort; Connected to 192.168.0.1. The Server is not aut...

Page 445: ...and then verify the result.
sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubk...

Page 446: ...y1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk
Received s...

Page 447: ...server. The Switch 4210 can operate as a TFTP client only. When you download a file that is larger than the free space of the switch's flash memory: If the TFTP server supports file size negotiation, file...

Page 448: ...figure the IP addresses of a VLAN interface on the switch and the PC as 1.1.1.1 and 1.1.1.2 respectively. The port through which the switch connects with the PC belongs to the VLAN. Network diagram: Figu...

Page 449: ...ugh which the switch connects with the PC belongs to this VLAN. This example assumes that the port belongs to VLAN 1. [4210] interface Vlan-interface 1; [4210-Vlan-interface1] ip address 1.1.1.1 255.255.255...

Page 450: ...448 CHAPTER 39 TFTP CONFIGURATION...

Page 453: ...nformation. Debugging information. Eight levels of system information: The information is classified into eight levels by severity and can be filtered by level. More emergent information has a smaller sev...

Page 454: ...information center is enabled. Table 339 Information channels and output directions: Information channel number | Default channel name | Default output direction. 0 | console | Console. Receives log, trap and debu...

Page 455: ...module. HABP: 3Com authentication bypass protocol module. HTTPD: HTTP server module. HWCM: 3Com Configuration Management private MIB module. HWP: Remote Ping module. IFNET: Interface management module. IGSP: IGM...

Page 456: ...ailed explanation of the fields involved Priority The priority is calculated using the following formula facility 8 severity 1 in which facility the device name defaults to local7 with the value being...

Page 457: ...o that you can know the standard time when the information center processing each piece of information That is you can know the Greenwich standard time of each switch in the network based on the UTC r...

Page 458: ...information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in command editi...

Page 459: ...ole Table 342 Configure synchronous information output Operation Command Description Enter system view system view Enable synchronous information output info center synchronous Required Disabled by de...

Page 460: ...nfo center timestamp log trap debugging boot date none Optional By default the time stamp format of the log and trap output information is date and that of the debugging output information is boot Tab...

Page 461: ...ugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Op...

Page 462: ...le debugging information terminal display function terminal debugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable...

Page 463: ...center enable Optional Enabled by default Enable system information output to the trap buffer info center trapbuffer channel channel number channel name size buffersize Optional By default the switch...

Page 464: ...fo center timestamp log trap debugging boot date none Optional By default the time stamp format of the output log information is date Table 351 Set to output system information to the log buffer Opera...

Page 465: ...r Operation Command Description Display information on an information channel display channel channel number channel name Available in any view Display the operation status of information center the c...

Page 466: ...ing with a sign In each pair a tab should be used as a separator instead of a space No space is allowed at the end of a file name The device name facility and received log information severity level s...

Page 467: ...action pairs Switch configuration messages local7 info var log Switch information n Note the following items when you edit file etc syslog conf A note must start in a new line starting with a sign In...

Page 468: ...ble Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules...

Page 469: ...4210 clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date 4210 system view System View return to User View with Ctrl Z 4210 info center...

Page 470: ...468 CHAPTER 40 INFORMATION CENTER...

Page 471: ...thernet port You can load software remotely by using FTP TFTP n The Boot ROM software version should be compatible with the host software version when you load the Boot ROM and host software Local Boo...

Page 472: ...t bootrom password recovery 9 Set switch startup mode 0 Reboot Enter your choice 0 9 Loading by XModem through Console Port Introduction to XModem XModem protocol is a file transfer protocol that is w...

Page 473: ...Choose an appropriate baudrate for downloading For example if you press 5 the baudrate 115200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please ch...

Page 474: ...472 CHAPTER 41 BOOT ROM AND HOST SOFTWARE LOADING Figure 157 Properties dialog box Figure 158 Console port configuration dialog box...

Page 475: ...the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Pre...

Page 476: ...e system prompts Your baudrate should be set to 9600 bps again Press enter key when ready You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 9600 bps In this...

Page 477: ...on to TFTP TFTP a protocol in TCP IP protocol suite is used for trivial file transfer between client and server It is over UDP to provide unreliable data stream transfer service Loading the Boot ROM F...

Page 478: ...s the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 3 Step 2 Enter 1 in the above menu to...

Page 479: ...et XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 4 Enter 2 in the above menu to download the Boot ROM using FTP Then set the following FTP related parameters as required Load F...

Page 480: ...oading the Boot ROM As shown in Figure 164 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM prog...

Page 481: ...g files refer to File System Management Configuration on page 423 Ensure that the power supply is available during software loading Loading Procedure Using FTP Server As shown in Figure 165 the switch...

Page 482: ...st New local user added 4210 luser test password simple pass 4210 luser test service type ftp d Enable FTP client software on the PC Refer to Figure 166 for the command line interface in Windows opera...

Page 483: ...ot ROM directory f Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 168 to log on to the FTP server Figure 168 Log on to the FTP server g Use the put command to upl...

Page 484: ...oading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the...

Page 485: ...e end time end date offset time Optional Execute this command in user view When the system reaches the specified start time it automatically adds the specified offset to the current time so as to togg...

Page 486: ...lay of debugging information Protocol debugging switch which controls protocol specific debugging information Screen output switch which controls whether to display the debugging information on a cert...

Page 487: ...OFF ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 OFF ON ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 1 3 Table 356 Enable debu...

Page 488: ...an use the command here to display the current operating information about the modules in the system for troubleshooting your system Table 358 Display the current operation information about the modul...

Page 489: ...ed to check the network connectivity It can also be used to help locate the network faults The executing procedure of the tracert command is as follows First the source host sends a data packet with t...

Page 490: ...e tracert command Operation Command Description View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout s...

Page 491: ...tasks Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System Optional Specifying the APP to...

Page 492: ...e to specify the one that will be used when the switch reboots Upgrading the Boot ROM You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM With this...

Page 493: ...e PC is reachable to each other The host software switch bin and the Boot ROM file boot btm of the switch are stored in the directory switch on the PC Use FTP to download the switch bin and boot btm f...

Page 494: ...pears 4210 c CAUTION If the Flash memory of the switch is not sufficient delete the original applications before downloading the new ones 4 Initiate an FTP connection with the following command in use...

Page 495: ...booted next time on unit 1 4210 display boot loader Unit 1 The current boot app is switch bin The main boot app is switch bin The backup boot app is Reboot the switch to upgrade the Boot ROM and host...

Page 496: ...494 CHAPTER 44 DEVICE MANAGEMENT...

Page 497: ...iated by Remote Ping client and you can view the test results on Remote Ping client only When performing a Remote Ping test you need to configure a Remote Ping test group on the Remote Ping client A R...

Page 498: ...ll known port 1 to 1023 being unavailable TCP test Tcppublic test Tcpprivate test UDP test Udppublic test Udpprivate test Table 369 Remote Ping test parameters Test parameter Description Destination a...

Page 499: ...ing IP and ICMP headers Maximum number of history records that can be saved history records This parameter is used to specify the maximum number of history records that can be saved in a test group Wh...

Page 500: ...obe the Remote Ping client sends a series of packets to the Remote Ping server at regular intervals you can set the interval Once receiving such a packet the Remote Ping server marks it with a timesta...

Page 501: ...for jitter TCP and UDP tests Remote Ping server configuration Configure a listening service on the Remote Ping server You can configure multiple TCP UDP listening services on one Remote Ping server w...

Page 502: ...type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes C...

Page 503: ...r Figure 173 Optional By default the maximum number is 50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Displ...

Page 504: ...a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of FTP operation ftp operation get put Optional By default t...

Page 505: ...s host name Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source...

Page 506: ...nable the Remote Ping client function Remote Ping agent enable Required By default the Remote Ping client function is disabled Create a Remote Ping test group and enter its view Remote Ping administra...

Page 507: ...l be sent in each jitter probe jitter packetnum number Optional By default each jitter probe will send 10 packets Configure the interval to send test packets in the jitter test jitter interval interva...

Page 508: ...t the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure t...

Page 509: ...s Optional By default the source IP address is not specified Configure the source port source port port number Optional By default no source port is specified Configure the test type test type tcppriv...

Page 510: ...address Required This IP address and the one configured on the Remote Ping server for listening service must be the same By default no destination address is configured Configure the destination port...

Page 511: ...he service type is zero Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required The display command can be executed in any view Table 379...

Page 512: ...t specified Configure the IP address of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display Re...

Page 513: ...able Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and test tag to ICMP 4210 Remote Ping administrat...

Page 514: ...test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connect...

Page 515: ...splay Remote Ping results administra tor dhcp Remote Ping entry admin administrator tag dhcp test result Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1018 1037 102...

Page 516: ...stem view 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 10 1 1 1 8 Enable the Remote Ping client 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrat...

Page 517: ...ther operation errors 0 4210 Remote Ping administrator ftp display Remote Ping history administrat or ftp Remote Ping entry admin administrator tag ftp history record Index Response Status LastRC Time...

Page 518: ...ator http timeout 30 Start the test 4210 Remote Ping administrator http test enable Display test results 4210 Remote Ping administrator http display Remote Ping results administrator h ttp Remote Ping...

Page 519: ...e DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test Jitter Test Network requirements Both the Remote Ping client and the Remote Ping server a...

Page 520: ...0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Jitter result RTT Number 100 Min Posit...

Page 521: ...gent community write private n The SNMP network management function must be enabled on SNMP agent before it can receive response packets The SNMPv2c version is used as reference in this example This c...

Page 522: ...admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19...

Page 523: ...rator tcpprivate test enable Display test results 4210 Remote Ping administrator tcpprivate display Remote Ping results administr ator tcpprivate Remote Ping entry admin administrator tag tcpprivate t...

Page 524: ...onfigure Remote Ping Client Switch A Enable the Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and te...

Page 525: ...04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04 02 08 29 45 3 8 10 1 0 2000 04 02 08 29 45 3 9 10 1 0 2000 04 02 08 29 45...

Page 526: ...Square Sum of Round Trip Time 756 Last complete test time 2006 11 28 11 50 40 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeo...

Page 527: ...header thus making IPv6 packet handling simple and improving the forwarding efficiency Although the IPv6 address size is four times that of IPv4 addresses the size of basic IPv6 headers is only twice...

Page 528: ...the IPv6 header allows the device to label packets in a flow and provide special handling for these packets Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented b...

Page 529: ...nly fall into three types unicast address multicast address and anycast address Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast addre...

Page 530: ...et to itself Unassigned address The unicast address is called the unassigned address and may not be assigned to any node Before acquiring a valid IPv6 address a node may fill this address in the sourc...

Page 531: ...Thus an interface identifier in EUI 64 format is obtained Figure 190 Convert a MAC address into an EUI 64 address Introduction to IPv6 Neighbor Discovery Protocol The IPv6 neighbor discovery protocol...

Page 532: ...n address is the Neighbor advertisement NA message Used to respond to a neighbor solicitation message When the link layer address changes the local node initiates a neighbor advertisement message to n...

Page 533: ...herwise node B is unreachable Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate address detection to determine whether the address is being used by othe...

Page 534: ...81 Path MTU Discovery for IP version 6 RFC 2375 IPv6 Multicast Address Assignments RFC 2460 Internet Protocol Version 6 IPv6 Specification RFC 2461 Neighbor Discovery for IP Version 6 IPv6 RFC 2462 IP...

Page 535: ...configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link loc...

Page 536: ...resolved into a link layer address dynamically through NS and NA messages or statically through manual configuration You can configure a static neighbor entry in two ways Mapping a VLAN interface to a...

Page 537: ...ssage You can configure the interval for sending NS messages Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an int...

Page 538: ...ved before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer...

Page 539: ...host name to IPv6 address mapping You can directly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to on...

Page 540: ...upport at most 10 domain name suffixes n The dns resolve and dns domain commands are the same as those of IPv4 DNS For details about the commands refer to DNS Configuration on page 549 Table 398 Confi...

Page 541: ...xclude include text Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface interface type interface number vlan vlan id co...

Page 542: ...erface Vlan interface 2 SwitchA Vlan interface2 ipv6 address auto link local Configure a global unicast address for the interface Vlan interface2 SwitchA Vlan interface2 ipv6 address 3001 1 64 2 Confi...

Page 543: ...pes of IPv6 addresses can be pinged c CAUTION When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local...

Page 544: ...hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6 ms 3001 2 ping statistics 5 packet s transmitted 5 packet...

Page 545: ...be received For details about the ping command refer to Basic System Configuration and Debugging on page 483 c CAUTION When you use the ping ipv6 command to verify the reachability of the destination...

Page 546: ...ort unreachable ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination IPv6 TFTP IPv6 supports TFTP Trivi...

Page 547: ...For details refer to You can log into a Switch 4210 in one of the following ways on page 21 c CAUTION When you use the telnet ipv6 command to connect to the Telnet server you must specify the i keywo...

Page 548: ...s Configuration procedure n You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is accessible before the following confi...

Page 549: ...wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Se...

Page 550: ...ptom Unable to download and upload files by performing TFTP operations Solution Check that the route between the device and the TFTP server is up Check that the file system of the device is usable You...

Page 551: ...Switch 4210 supports both static and dynamic DNS clients Static Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP add...

Page 552: ...ges DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is not complete The resolver can supply the missing part automat...

Page 553: ...in user view to clear the information stored in the dynamic domain name resolution cache Table 405 Configure static domain name resolution Operation Command Remarks Enter system view system view Confi...

Page 554: ...to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1...

Page 555: ...ons are done on the devices For the IP addresses of the interfaces see the figure above There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server The DNS server works nor...

Page 556: ...ceived 100 00 packet loss Troubleshooting DNS Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution Use the display dns dynamic host command to...

Page 557: ...he system when the password is about to age out that is the remaining usable time of the password is no more than the set alert time the switch will alert the user to the forthcoming expiration and pr...

Page 558: ...allowed to log into the switch again only after the administrator manually removes the user from the user blacklist Allow the user to log in again without any inhibition User blacklist If the maximum...

Page 559: ...blacklist command in any view to check the names and the IP addresses of such users Configuring Password Aging n In this section you must note the effective range of the same commands when executed i...

Page 560: ...chooses not to change the password the system allows the user to log in If the user chooses to change the password but fails in modification the system logs out the user after the maximum number of a...

Page 561: ...ng one single password or using an old password for a long time to enhance the security Enable the limitation of minimum password length password control length enable Optional By default the limitati...

Page 562: ...password must conform to the related configuration of password control when you set the local user password in interactive mode Table 412 Manually remove history password records Operation Command Des...

Page 563: ...actions to be taken when the number of retries to enter the SSH password exceeds the configured value Refer to SSH Configuration on page 387 for information about SSH server If a user in the blacklist...

Page 564: ...ory Password combination falls into four levels 1 2 3 and 4 each representing the number of categories that a password should at least contain Level 1 means that a password must contain characters of...

Page 565: ...n enable Optional By default the password composition check function is enabled Configure the password composition policy globally password control composition type number policy type type length type...

Page 566: ...and the minimum number of characters in each composition type to 3 4210 password control super composition type number 3 type length 3 Configure a super password 4210 super password level 3 simple 111...

Page 567: ...Control Configuration Example 565 Set the aging time for the local user password to 20 days 4210 luser test password control aging 20 Configure the password of local user 4210 luser test password simp...
