
3Com® Switch 5500 Family

Configuration Guide

Switch 5500-SI
Switch 5500-EI
Switch 5500G-EI

www.3Com.com
Part Number: 10014922 Rev. AC
Published: December 2006

Summary of Contents for 5500 SI - Switch - Stackable


Page 2: ...or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be r...

Page 3: ...ommand Line 40 User Interface Configuration 42 User Interface Configuration 43 Displaying and Debugging User Interface 49 2 ADDRESS MANAGEMENT CONFIGURATION Introduction to Address Management 51 Confi...

Page 4: ...ving the Unit ID of Each Unit in the Fabric 81 Specifying the Fabric Port of the Switch 81 Setting Unit Names for Switches 81 Setting a Fabric Name for Switches 81 Setting an XRN Authentication Mode f...

Page 5: ...rerequisite 114 Configuration Procedure 114 Configuration Example 115 Displaying GVRP 116 8 VLAN VPN CONFIGURATION VLAN VPN Overview 117 Implementation of VLAN VPN 117 Adjusting the TPID Values of VLA...

Page 6: ...ols to DHCP Clients 133 Configuring to Assign IP Addresses of Interface based Address Pools to DHCP Clients 133 Configuring DNS Services for DHCP Clients 135 Configuring NetBIOS Services for DHCP Clie...

Page 7: ...e Priority of a Switch 171 Configuring MSTP Operation Mode 172 Configuring the Maximum Hop Count of an MST Region 172 Configuring the Diameter of a Switched Network 173 Configuring MSTP Time Parameter...

Page 8: ...Setting Centralized MAC Address Authentication Timers 196 Displaying and Debugging Centralized MAC Address Authentication 197 Centralized MAC Address Authentication Configuration Example 197 15 SSH TE...

Page 9: ...Route Capacity Configuration 266 Displaying and Debugging Route Capacity 267 17 NETWORK PROTOCOL OPERATION IP Address Configuration 269 IP Address Overview 269 Configuring IP Address 271 Displaying an...

Page 10: ...using the Web 302 UDP Helper Configuration 303 Overview of UDP Helper 303 UDP Helper Configuration 303 Displaying and Debugging UDP Helper Configuration 305 UDP Helper Configuration Example 305 IP Per...

Page 11: ...GURATION Brief Introduction to ACL 351 ACL Supported by the Switch 352 Configuring ACL 352 Defining ACL 353 Activating ACL 355 Displaying and Debugging ACL 356 Advanced ACL Configuration Example 356 B...

Page 12: ...on of the display acl command 387 Subdividing DSCP while Defining ACL Rules 387 The Synchronization Feature of Queue Scheduling for Aggregation Ports 388 Configuring Control Over Telnet 388 Configurat...

Page 13: ...7 Configuring Domain Name Used by the MAC Address Authentication User 407 Configuring Centralized MAC Address Authentication Timers 407 Displaying and Debugging Centralized MAC Address Authentication...

Page 14: ...5 Problem Diagnosis 436 3Com User Access Level 436 22 FILE SYSTEM MANAGEMENT File System Overview 437 Directory Operation 438 File Attribute Configuration 438 File Attribute Configuration 439 File Ope...

Page 15: ...ping Configuration 466 Configuring Remote ping 466 Configuration Example 467 Logging Function 468 Introduction to Info center 468 Info Center Configuration 471 Sending the Information to Loghost 474...

Page 16: ...24 DYNAMICALLY APPLY ACL BY RADIUS SERVER CONFIGURATION Introduction to Dynamically Apply ACL by RADIUS Server 525 Introduction to Dynamically Apply ACL by RADIUS Server Configurations 525 Configurat...

Page 17: ...be Connected to Point to Point Link 553 Set mCheck of the Specified Port 554 Configure the Switch Security Function 554 Display and Debug RSTP 556 RSTP Configuration Example 556 27 POE PROFILE CONFIG...

Page 18: ...trol 581 Password Control Configuration Example 582 31 MSDP CONFIGURATION Introduction to MSDP 585 MSDP Working Mechanism 587 Configuring MSDP Basic Functions 590 Configuration Prerequisites 590 Confi...

Page 19: ...Example 612 33 HWTACACS CONFIGURATION Configuring HWTACACS 615 HWTACACS configuration tasks 615 Creating a HWTACAS Scheme 616 Configuring HWTACACS Authentication Servers 617 Configuring HWTACACS Acco...

Page 20: ...N 672 Supported Switches 672 XRN Terminology 672 Benefits of XRN 673 XRN Features 673 Distributed Device Management DDM 673 Distributed Resilient Routing DRR 673 Distributed Link Aggregation DLA 674 H...

Page 21: ...n Details how to configure VLANs GVRP Configuration Details GARP VLAN Registration Protocol configuration VLAN VPN Details configuration information to create VLAN VPNs DHCP Details Dynamic Host Confi...

Page 22: ...ion note Information that describes important features or instructions Caution Information that alerts you to potential loss of data or potential damage to an application system or device Warning Info...

Page 23: ...d the vertical bars combined indicate that you must enter one of the parameters Enter either hardware or none or software Items shown in square brackets are optional Example 1 in the command display u...

Page 24: ...24 ABOUT THIS GUIDE...

Page 25: ...wer network control capacity Table 3 lists the models in the Switch 5500 family Table 3 Models in the Switch 5500 family Model Power supply unit PSU Number of service ports Number of 100 Mbps ports Nu...

Page 26: ...rom any unit in the fabric DRR The multiple units of a Fabric route and forward packets as a single unit and provide uniform VLAN interfaces routing table and L3 forwarding table so the Fabric is rega...

Page 27: ...liant with IEEE 802 1Q Standard Port based VLAN Protocol Based VLAN compliant with IEEE 802 1v Standard EI models only Voice VLAN 8021 Q in Q Double Tagged VLAN Support EI models only STP protocol Spa...

Page 28: ...Link aggregation Link aggregation Link Aggregation Control Protocol LACP compliant with IEEE 802 3ad Standard Mirror Mirror based on the traffic classification Port based mirror VLAN based mirror Remo...

Page 29: ...indows 9X on the PC. Set the terminal communication parameters as follows: baud rate 19200, data bits 8, parity check none, stop bits 1, flow control none, terminal type VT100. Management and Maintenance Command...

Page 30: ...30 CHAPTER 1 GETTING STARTED Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...

Page 31: ...ort using the ip address command in VLAN Interface View and added the port that connects to a terminal to this VLAN using the port command in VLAN View you can Telnet this Switch and configure it 1 Au...

Page 32: ...Telnet, do not modify the IP address of the Switch unnecessarily, for the modification might end the Telnet connection. By default, when a Telnet user passes the password authentication to log on to the...

Page 33: ...and you will see a prompt such as <SW5500>. If the prompt "All user interfaces are used, please try later" appears, it indicates that too many users are connected to the Switch through Telnet. In this case, co...

Page 34: ...W Bar the modem to send command response or execution result and save the configurations After the configuration enter AT V to verify the Modem settings The Modem configuration commands and outputs ma...

Page 35: ...to the Switch using the terminal emulator and Modem on the remote end The number you dial is the telephone number of the Modem connected to the Switch See Figure 10 and Figure 11 Figure 10 Setting th...

Page 36: ...ogin password on the remote terminal emulator and wait for the prompt SW5500 Then you can configure and manage the Switch Enter to view online help For details of specific commands refer to the follow...

Page 37: ...sis tools such as ping and tracert commands for the different language environments of the user interface language mode and the telnet command The saving of the configuration file is not allowed at th...

Page 38: ...w VLAN View VLAN Interface View Local User View User Interface View FTP Client View RSA Public Key View RSA Key Code View PIM View RIP View OSPF View OSPF Area View Route Policy View Basic ACL View Ad...

Page 39: ...ter pim in System View quit returns to System View return returns to User View RIP View Configure RIP parameters SW5500 rip Enter rip in System View quit returns to System View return returns to User...

Page 40: ...tials in the command will be listed SW5500 display ver version 5 Enter the first letters of a keyword of a command and press Tab If no other keywords begin with these letters then this unique keyword...

Page 41: ...es Incorrectly entered commands will cause error messages to be reported to users The common error messages are listed in Table 8 Table 6 Functions of Displaying Key or Command Function Press Ctrl C w...

Page 42: ...ort There is only the one type of AUX user interface The user interface is numbered by absolute number or relative number To number the user interface by absolute number The AUX user interface is the...

Page 43: ...og in to the Switch only through the supported protocol The configuration becomes effective when you log in again Perform the following configurations in User Interface VTY user interface only View By...

Page 44: ...Table 12 Configuring the Transmission Speed on the AUX Console Port Operation Command Configure the transmission speed on the AUX console port speed speed_value Restore the default transmission speed...

Page 45: ...Note the following points. For security, the undo shell command can only be used on user interfaces other than the AUX user interface. You cannot use this command on the user interface through which you...

Page 46: ...ation method to deny access to an unauthorized user. Perform the following configuration in User Interface View. By default, terminal authentication is not required for users logged in through the co...

Page 47: ...ser-zbr] service-type telnet 3. No authentication: [SW5500-ui-vty0] authentication-mode none. By default, a password is required for authenticating Modem and Telnet users when they log in. If the password h...

Page 48: ...nd is used for setting the priority of a specified command in a certain view. The command levels include visit, monitoring, system and management, which are identified with 0 through 3 respectively. An adm...

Page 49: ...1 after the user logs in through VTY0 automatically: [SW5500-ui-vty0] auto-execute command telnet 10.110.100.1. When a user logs on through VTY 0, the system will run telnet 10.110.100.1 automatically. Disp...

Page 50: ...50 CHAPTER 1 GETTING STARTED...

Page 51: ...he IP addresses in this IP address pool are those configured in the static ARP on another port the system will prompt you to delete the corresponding static ARP to ensure that the binding takes effect...

Page 52: ...ress management. Configuration procedure: To enable address management, enter the following: <S5500> system-view, [S5500] am enable. Table 31 Bind the MAC address and IP address of a legal user to the specified...

Page 53: ...egal User Network requirements The GigabitEthernet1 0 1 port of the switch is connected to multiple PCs Network diagram Figure 13 Network diagram for address management Configuration procedure To conf...

Page 54: ...54 CHAPTER 2 ADDRESS MANAGEMENT CONFIGURATION...

Page 55: ...eamlined Gigabit SFP ports operate in 1000Mbps full duplex mode The duplex mode can be set to full full duplex and auto auto negotiation and its speed can be set to 1000 1000Mbps and auto auto negotia...

Page 56: ...set it to full duplex To configure a port to either send or receive data packets set it to half duplex If the port has been set to auto negotiation mode the local and peer ports will automatically neg...

Page 57: ...ble type is auto auto recognized That is the system can automatically recognize the type of cable connecting to the port Enabling Disabling Flow Control for the Ethernet Port After flow control is ena...

Page 58: ...ser s computer A trunk port can belong to more than one VLAN and receive send the packets on multiple VLANs used for connection between the Switches A hybrid port can also carry more than one VLAN and...

Page 59: ...d to an existing VLAN other than VLAN 1 The VLAN to which a hybrid port is added must have already exist The one to which a trunk port is added cannot be VLAN 1 After adding an Ethernet port to specif...

Page 60: ...the switch will monitor whether the ports have loopback on a regular basis if the switch detects loopback for a particular port it will put that port under control For Access port If system detects l...

Page 61: ...Trunk ports and Hybrid ports loopback detection per vlan enable Optional By default system only detects loopback for the default VLANs with Trunk ports and Hybrid ports Display the loopback detection...

Page 62: ...et1 0 1 virtual cable test Cable status abnormal open 7 metres Pair Impedance mismatch yes Pair skew 4294967294 ns Pair swap swap Pair polarity normal Insertion loss 7 db Return loss 7 db Near end cro...

Page 63: ...nding ports thus improving the security of the system Configuring Port Security Table 47 Configure port security Operation Command Description Enter system view system view Enable port security port s...

Page 64: ...eature on the port to ntkonly and the action mode of the Intrusion Protection feature on the port to disableport. Connect PC1 to the port through switch B. Bind the MAC and IP addresses of PC1 to the po...

Page 65: ...fc00-5600 ip address 10.153.1.1 interface Ethernet1/0/1. Copying Port Configuration to Other Ports: To keep the configuration of other ports consistent with a specified port, you can copy the configurat...
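The port-security behaviour outlined on pages 52-53 and 63-65 (a MAC/IP pair bound to exactly one port, the ntkonly need-to-know mode, and the disableport intrusion action) can be modelled to see which frames a port would forward or drop. The following is an added Python example, not code from the 3Com manual; the policy names other than ntkonly and disableport, the "drop" alternative action, and the sample MACs and addresses are assumptions made for the illustration.

```python
"""Model of port security: per-port (MAC, IP) bindings, ntkonly egress filtering
and the disableport intrusion action.  Added illustration, not 3Com code."""
from dataclasses import dataclass, field

FORWARD, DROP, DISABLED = "forward", "drop", "port-disabled"
BROADCAST = "ffff-ffff-ffff"


@dataclass
class PortPolicy:
    max_mac: int = 1                       # secure MACs the port may learn dynamically
    ntk_mode: str = "ntkonly"              # "ntkonly", "ntk-withbroadcasts" or "none"
    intrusion_action: str = "disableport"  # "disableport" or "drop" (name assumed)


@dataclass
class SecureSwitch:
    policies: dict = field(default_factory=dict)  # port -> PortPolicy
    bindings: dict = field(default_factory=dict)  # port -> {(mac, ip)}
    learned: dict = field(default_factory=dict)   # port -> {mac}
    disabled: set = field(default_factory=set)    # ports shut by intrusion protection

    def enable(self, port, policy):
        self.policies[port] = policy
        self.learned.setdefault(port, set())
        self.bindings.setdefault(port, set())

    def bind(self, port, mac, ip):
        """Like am user-bind: a (MAC, IP) pair is legal on exactly one port."""
        for pairs in self.bindings.values():
            pairs.discard((mac, ip))
        self.bindings.setdefault(port, set()).add((mac, ip))

    def known_macs(self, port):
        return {m for m, _ in self.bindings.get(port, ())} | self.learned.get(port, set())

    def _intrusion(self, port):
        if self.policies[port].intrusion_action == "disableport":
            self.disabled.add(port)       # everything on the port is cut off, legal users too
            return DISABLED
        return DROP

    def ingress(self, port, src_mac, src_ip):
        """Decide whether a frame from (src_mac, src_ip) may enter on this port."""
        if port in self.disabled:
            return DISABLED
        pol = self.policies.get(port)
        if pol is None:
            return FORWARD                # port security not enabled on this port
        if self.bindings[port]:
            # bindings configured: only the bound (MAC, IP) pairs are legal users
            if (src_mac, src_ip) in self.bindings[port]:
                return FORWARD
            return self._intrusion(port)  # spoofed IP or unknown MAC on a bound port
        if src_mac in self.learned[port]:
            return FORWARD
        if len(self.learned[port]) < pol.max_mac:
            self.learned[port].add(src_mac)
            return FORWARD
        return self._intrusion(port)      # more MACs than the port is allowed to learn

    def egress(self, port, dst_mac):
        """Need-to-know check: ntkonly sends unicast only to MACs known on the port."""
        if port in self.disabled:
            return DISABLED
        pol = self.policies.get(port)
        if pol is None or pol.ntk_mode == "none":
            return FORWARD
        if dst_mac == BROADCAST:
            return FORWARD if pol.ntk_mode == "ntk-withbroadcasts" else DROP
        return FORWARD if dst_mac in self.known_macs(port) else DROP
```

Note the trade-off the model makes visible: once disableport fires, the legitimately bound PC on that port is cut off as well until the port is brought back up, so an attacker who can inject one spoofed frame on a shared segment can take the port down for everyone behind it.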

Page 66: ...e that The loopback test cannot be performed on a port disabled by the shutdown command During the loopback test the system will disable speed duplex mdi and shutdown operation on the port Some ports...

Page 67: ...ag and forward the packet Networking Diagram Figure 15 Configuring the Default VLAN for a Trunk Port Configuration Procedure The following configurations are used for Switch A Configure Switch B in th...

Page 68: ...VLAN ID The port setting includes port link type The Switch 5500 SI 28 Port can support up to 14 aggregation groups the Switch 5500 SI 52 Port can support up to 26 aggregation groups and the Switch 5...

Page 69: ...oup the system sets the ports to active or inactive state by using these rules The system sets the port with the highest priority to active state and others to inactive state based on the following de...

Page 70: ...standby ports can transceive LACP protocol but standby ports cannot forward user service packets Among the selected ports of an aggregation group the one with minimum port number serves as the master...

Page 71: ...ion Group Setting Deleting the Aggregation Group Descriptor Configuring System Priority Configuring Port Priority Enabling Disabling LACP You should first enable LACP at the ports before performing dy...

Page 72: ...ts but contains no member port you can overwrite the existing group if it already exists in the system and contains member ports then you can only change a dynamic or static LACP aggregation group to...

Page 73: ...ses The smaller system ID is given priority Changing system priority may affect the priority levels of member ports and further their selected or standby state Perform the following configuration in S...

Page 74: ...a specific aggregation group display link aggregation verbose agg_id Display local system ID display lacp system id Display detailed link aggregation information at the port display link aggregation...

Page 75: ...00 Ethernet1 0 2 port link aggregation group 1 SW5500 Ethernet1 0 2 interface ethernet1 0 3 SW5500 Ethernet1 0 3 port link aggregation group 1 2 Static LACP aggregation a Create static LACP aggregatio...

Page 76: ...red globally with the broadcast suppression command will take effect on all the Ethernet ports in a stack system Global Broadcast Suppression Configuration Example Network requirements Configure the g...

Page 77: ...ollowing information about a specified optical port Hardware type Interface type Wavelength Vender Serial number Transfer distance Table 59 Display information about a specified optical port Operation...

Page 78: ...78 CHAPTER 3 PORT OPERATION...

Page 79: ...ore management cost is reduced n Enables you to purchase devices on demand and expand network capacity smoothly Protects your investment to the full extent during network upgrade n Ensures high reliab...

Page 80: ...oes not exist in the Fabric the Switch sets its priority to 5 and saves it in the unit Flash memory Device Configuration Default Settings Comment Switch Specify the stacking VLAN of the Switch The sta...

Page 81: ...View Table 63 Save the unit ID of each unit in the Fabric Specifying the Fabric Port of the Switch Perform the following configuration in System View Table 64 Specifying the Fabric Port of the Switch...

Page 82: ...e settings Table 68 Displaying and Debugging FTM Fabric Configuration Example Networking Requirements Configure unit ID unit name Fabric name and authentication mode for four Switches and interconnect...

Page 83: ...nfigure Switch D SW5500 change unit id 1 to auto numbering SW5500 fabric port gigabitethernet4 0 51 enable SW5500 fabric port gigabitethernet4 0 52 enable SW5500 sysname hello hello xrn fabric authent...

Page 84: ...Detection As the basis of the XRN function the fabric topology management FTM module manages and maintains the entire topology of a fabric The FTM module also implements the peer fabric port detection...

Page 85: ...authentication will be discarded Prompt Information and Solution normal If the port displays normal it indicates the fabric operates properly temporary If the port displays temporary it indicates the...

Page 86: ...r may occur if the XRN fabric authentication modes configured for the both devices are not the same or the password configured does not match Solution Make sure the XRN fabric authentication modes and...

Page 87: ...eed to invalidate the current fabric port group before configuring the other port group to be a fabric port group After a fabric is configured the master switch synchronizes its configuration file to...

Page 88: ...88 CHAPTER 4 XRN CONFIGURATION...

Page 89: ...the local device See Figure 20 and Figure 20 Unidirectional links can cause many problems spanning tree topology loop for example Device Link Detection Protocol DLDP can detect the link status of the...

Page 90: ...s up or an neighbor entry is cleared Advertisement All neighbors communicate normally in both direction or DLDP remains in active status for more than five seconds and enters this status It is a stabl...

Page 91: ...or the enhanced timer is 10 seconds The enhanced timer then sends two probe packets every one second and totally eight packets continuously to the neighbor If no echo packet is received from the neigh...

Page 92: ...s the neighbor entry if this neighbor entry does not exist on the local device If the neighbor entry already exists on the local device refreshes the entry aging timer Echo packet Checks whether the l...

Page 93: ...e SRPU board switchover the standby board takes over unidirectional link detection In this case the DLDP parameters do not change and DLDP checks every port again for unidirectional links For the conf...

Page 94: ...switches support DLDP n Unidirectional links due to incorrect fiber connections between the two switches including disconnection in one direction and cross connection are expected to be detected and t...

Page 95: ...abitethernet 2 0 3 S5500A GigabitEthernet2 0 3 duplex full S5500A GigabitEthernet2 0 3 speed 1000 S5500A GigabitEthernet2 0 3 quit S5500A interface gigabitethernet 2 0 4 S5500A GigabitEthernet2 0 4 du...

Page 96: ...enable c Set the time interval for sending DLDP packets to 15 seconds S5500B dldp interval 15 d Configure DLDP to work in enhanced mode S5500B dldp work mode enhance S5500B dldp work mode enhance e Se...

Page 97: ...are very helpful in controlling network traffic saving device investment simplifying network management and improving security Configuring a VLAN VLAN configuration is described in the following sect...

Page 98: ...VLAN Interface Use the following command to specify remove the VLAN interface To implement the network layer function on a VLAN interface the VLAN interface must be configured with an IP address and a...

Page 99: ...led Displaying and Debugging VLAN After the above configuration enter the display command in any view to display the running of the VLAN configuration and to verify the effect of the configuration VLA...

Page 100: ...quit 2 Enter the VLAN interface view SW5500 interface vlan interface 3 3 Provide the IP address and subnet mask SW5500 Vlan interface3 ip address 192 168 1 5 255 255 255 SW5500 Vlan interface3 quit Pr...

Page 101: ...ecuting the display command in any view Table 85 Create a VLAN protocol type Operation Command Description Enter system view system view Enter VLAN view vlan vlan id Required Create a VLAN protocol ty...

Page 102: ...etting Removing the OUI Address Learned by Voice VLAN Enabling Disabling Voice VLAN Security Mode Enabling Disabling Voice VLAN Auto Mode Setting the Aging Time of Voice VLAN If you change the status...

Page 103: ...m can learn 16 MAC addresses at most Adding the OUI addresses you need only input the first three byte values of the MAC address Perform the following configuration in System View There are four defau...

Page 104: ...using the follow command you can set the aging time of Voice VLAN After the OUI address the MAC address of IP Phone is aged on the port this port enters the aging phase of Voice VLAN If OUI address i...

Page 105: ...able the voice VLAN function for the port voice vlan enable Required By default the voice VLAN function is disabled Set voice VLAN operation mode to manual mode undo voice vlan mode auto Required The...

Page 106: ...ernet1 0 2 as the IP Phone access port The type of IP Phone is untagged Network Diagram Figure 25 Voice VLAN Configuration Configuration Steps SW5500 vlan 2 SW5500 vlan2 port ethernet1 0 2 SW5500 vlan...

Page 107: ...configure the operation mode for a voice VLAN according to data stream passing through the ports of the voice VLAN When a voice VLAN operates in the automatic mode the switch learns source MAC addres...

Page 108: ...ist of the tagged VLANs whose packets are permitted by the access port Untagged voice stream Access Not supported because the default VLAN of the port must be a voice VLAN and the access port is in th...

Page 109: ...function is disabled Set the voice VLAN operation mode to automatic mode voice vlan mode auto Optional The default voice VLAN operation mode is automatic mode Quit to system view quit Set an OUI addre...

Page 110: ...UI address S5500 voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test 5 Enable the voice VLAN function globally S5500 voice vlan 3 enable 6 Display the configuration S5500 displa...

Page 111: ...Working Scheme GARP Timers The information exchange between GARP members is completed by messages The messages performing important functions for GARP fall into three types Join Leave and LeaveAll Wh...

Page 112: ...the switch joins the current port to this VLAN and add a VLAN entry to the local GVRP database a table maintained by GVRP but GVRP cannot learn dynamic VLAN through this port and the dynamic VLANs le...

Page 113: ...ute Type It is defined by specific GARP application The attribute type of GVRP is 0x01 Attribute List It contains multiple attributes Attribute Each general attribute consists of three parts Attribute...

Page 114: ...r value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number This port must be a Trunk port Enable GVRP on the port gv...

Page 115: ...between the timers Timer Lower threshold Upper threshold Hold 10 centiseconds This upper threshold is less than or equal to one half of the value of the Join timer You can change the threshold by cha...

Page 116: ...the display commands here to display the GVRP configuration You can execute the display commands in any view Table 105 Displaying GVRP Operation Command Display the GARP statistics display garp stati...

Page 117: ...ags Compared with MPLS based L2VPN VLAN VPN has the following features It allows Layer 2 VPN tunnels that are simpler VLAN VPN can be implemented without the support of signalling protocols You can en...

Page 118: ...tags of the received packets with the user defined TPID value through which the VLAN VPN packets sent to public networks can be recognized by devices of other vendors VLAN VPN Configuration This sect...

Page 119: ...PN function for a port continued Operation Command Description Table 107 Configure to replicate the tag priority of the inner VLAN tag Operation Command Description Enter system view system view Enter...

Page 120: ...on contains a VLAN VPN configuration example. Network requirements: Switch A and Switch C are S5500 series switches. Switch B is a switch from another vendor which uses a TPID value of 0x9100. Two n...

Page 121: ...isted as shown below Configure Ethernet3 1 1 and Ethernet3 1 2 ports of Switch B to be trunk ports Add the two ports to VLAN 10 The following describes how a packet is forwarded from Switch A to Switc...
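To make the TPID adjustment of pages 118-121 concrete, here is an added Python example (not code from the manual or from 3Com) that builds a customer frame with an 802.1Q tag, pushes the VLAN VPN outer tag, and rewrites the outer TPID to 0x9100 so that a device like Switch B in the example recognises the frame. The MACs, VLAN IDs and payload are constructed for the example; the `copy_inner_priority` switch mirrors the priority-replication option on page 119.

```python
"""Double-tagged (VLAN VPN / QinQ) Ethernet frames: build, parse, push/pop the
outer tag and rewrite its TPID.  Added illustration, not 3Com code."""
import struct

TPID_8021Q = 0x8100
TPID_VENDOR = 0x9100          # outer TPID used by the other vendor's Switch B
TPIDS = {TPID_8021Q, TPID_VENDOR, 0x88A8}


def mac(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def tagged_frame(dst, src, vid, ethertype, payload, pcp=0):
    """Customer frame carrying one 802.1Q tag: TCI = PCP(3) | DEI(1) | VID(12)."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return mac(dst) + mac(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [(tpid, pcp, vid), ...] outer first, ethertype, payload)."""
    dst, src, pos = frame[:6], frame[6:12], 12
    tags = []
    while True:
        (etype,) = struct.unpack_from("!H", frame, pos)
        if etype not in TPIDS:
            break
        (tci,) = struct.unpack_from("!H", frame, pos + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        pos += 4
    return dst, src, tags, etype, frame[pos + 2:]


def push_outer_tag(frame, vpn_vid, tpid=TPID_8021Q, copy_inner_priority=False):
    """VLAN VPN ingress: insert the public-network tag in front of the customer tag.
    Any TPID the operator configured is written; the inner tag is left untouched."""
    _, _, tags, _, _ = parse_frame(frame)
    pcp = tags[0][1] if (copy_inner_priority and tags) else 0
    tci = (pcp << 13) | (vpn_vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def pop_outer_tag(frame):
    """VLAN VPN egress toward the customer: strip the outer tag only."""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags:
        raise ValueError("frame is not tagged")
    return frame[:12] + frame[16:]


def set_outer_tpid(frame, tpid):
    """Rewrite just the outer TPID (e.g. 0x8100 -> 0x9100) for a peer that expects it."""
    _, _, tags, _, _ = parse_frame(frame)
    if not tags:
        raise ValueError("frame is not tagged")
    return frame[:12] + struct.pack("!H", tpid) + frame[14:]
```

A parser that only knows 0x8100 will stop at a 0x9100 outer tag and misread the TCI as the EtherType, which is exactly why the TPID has to be agreed between the VLAN VPN switch and the neighbouring vendor device.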

Page 122: ...122 CHAPTER 8 VLAN VPN CONFIGURATION...

Page 123: ...ubnet masks and default gateway IP addresses, and the DHCP server returns the corresponding configuration information. Both BOOTP and DHCP are encapsulated in UDP. They adopt almost the same packet fo...

Page 124: ...aimed by DHCP servers That is those in the Option fields of DHCP REQUEST packets sent by DHCP clients The IP addresses in the DHCP address pool IP addresses that are expired or conflict Sending Device...

Page 125: ...ies to find a DHCP server by broadcasting a DHCP-DISCOVER packet. Offer: Each DHCP server that receives the DHCP-DISCOVER packet chooses an unassigned IP address from the address pool and sends a DHCP-O...

Page 126: ...e of the slaves can change to the master and operate as the DHCP server immediately. DHCP is a UDP-based protocol operating at the application layer. When a DHCP server in a fabric system runs on a La...

Page 127: ...lease time of the IP address to the DHCP client You can configure multiple address pools for one DHCP server Currently a DHCP server supports up to 128 global address pools Types of address pool The a...

Page 128: ...P related configurations which take effect only when DHCP is enabled Table 110 Global address pool based DHCP server configuration Operation Description Related section Enable DHCP Required Enabling D...

Page 129: ...of the DHCP client and assigns the IP address to the DHCP client. Currently, only one IP address in a global DHCP address pool can be statically bound to a MAC address. The static-bind ip-address comman...

Page 130: ...cally assigned to DHCP clients Configuring DNS Services for DHCP Clients If a host accesses the Internet through domain names DNS domain name system is needed to translate the domain names into the co...

Page 131: ...eer to peer M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed H node Nodes of this type are b nodes mixed with peer to peer features The...

Page 132: ...address and you execute the dhcp select interface command in interface view The IP addresses contained in it belong to the network segment where the interface resides in and are available to the inter...

Page 133: ...ls to DHCP clients Required Configuring to Assign the IP addresses of Local Interface based address pools to DHCP Clients Configure to assign IP addresses of interface DHCP address pool to DHCP client...

Page 134: ...e IP addresses to be dynamically assigned to DHCP clients are those that are not occupied by specific network devices such as gateways and FTP servers The lease time can differ with address pools But...

Page 135: ...assigned dhcp server forbidden ip low ip address high ip address Optional By default all IP addresses in a DHCP address pool are available for being dynamically assigned Table 123 Configure to assign...

Page 136: ...with broadcasting features The character m stands for the word mixed H node Nodes of this type are b nodes mixed with peer to peer features The character h stands for the word hybrid Table 125 Configu...

Page 137: ...signing the same IP address to multiple DHCP clients simultaneously, you can configure a DHCP server to detect an IP address before it assigns the address to a DHCP client. IP address detecting is achie...
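The server-side address selection described across pages 124-137 (static bindings first, then the client's existing lease, then the first free address, with forbidden ranges excluded, expired leases returned to the pool and a ping-style probe before assignment) is easier to reason about in code. The following is an added Python example, not 3Com code: the `probe` callback stands in for the switch's ICMP check, the `clock` parameter exists so lease expiry can be driven in a test, and the network, MACs and addresses are constructed.

```python
"""DHCP address-pool selection: static MAC bindings, forbidden addresses, lease
expiry and probing an address before it is offered.  Added illustration, not 3Com code."""
import ipaddress
import time


class AddressPool:
    def __init__(self, network, gateway, lease_seconds, probe=None, clock=time.time):
        self.net = ipaddress.ip_network(network)
        self.forbidden = {ipaddress.ip_address(gateway)}   # the gateway is never handed out
        self.static = {}        # mac -> ip: one IP per MAC, one MAC per IP
        self.leases = {}        # ip -> (mac, expiry time)
        self.conflicts = set()  # addresses that answered a probe
        self.lease_seconds = lease_seconds
        # probe(ip) -> True when the address answers and is therefore in use;
        # assumed callback standing in for the switch's ping check
        self.probe = probe or (lambda ip: False)
        self.clock = clock

    def forbid(self, low, high):
        """Exclude a range from dynamic assignment (the forbidden-ip idea on page 135)."""
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high))
        self.forbidden.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))

    def bind_static(self, mac, ip):
        """Static binding: a MAC gets one fixed IP, and no two MACs share one (page 129)."""
        ip = ipaddress.ip_address(ip)
        if ip not in self.net:
            raise ValueError("static address outside the pool's network")
        if any(other == ip and m != mac for m, other in self.static.items()):
            raise ValueError("address already bound to another MAC")
        self.static[mac] = ip

    def _expire(self):
        now = self.clock()
        for ip, (_, expiry) in list(self.leases.items()):
            if expiry <= now:
                del self.leases[ip]          # expired leases go back into the pool

    def offer(self, mac):
        """Address to put in DHCP-OFFER: static binding, the client's current lease,
        the first free address, and finally a re-probed former conflict."""
        self._expire()
        if mac in self.static:
            return self.static[mac]
        for ip, (m, _) in self.leases.items():
            if m == mac:
                return ip
        taken = set(self.static.values()) | set(self.leases) | self.forbidden | self.conflicts
        for ip in self.net.hosts():
            if ip in taken:
                continue
            if self.probe(ip):               # somebody answered: do not offer it
                self.conflicts.add(ip)
                continue
            return ip
        for ip in sorted(self.conflicts):    # last resort: re-check old conflicts
            if not self.probe(ip):
                self.conflicts.discard(ip)
                return ip
        return None

    def ack(self, mac, ip):
        """Record the lease confirmed by DHCP-ACK and return its expiry time."""
        ip = ipaddress.ip_address(ip)
        self.leases[ip] = (mac, self.clock() + self.lease_seconds)
        return self.leases[ip][1]
```

The probe is what turns a silently conflicting address (a host that was configured manually, the case in the troubleshooting text on page 146) into a detected one; without it the pool would happily offer an address that is already in use.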

Page 138: ...CP When used in option 184 this sub option must be the first sub option that is sub option 1 The IP address of the NCP server carried by sub option 1 of option 184 is intended for identifying the serv...

Page 139: ...e the DHCP server to add sub option 1 Mechanism of using option 184 on DHCP server The DHCP server encapsulates the information for option 184 to carry in the response packets sent to the DHCP clients...

Page 140: ...ip address all interface interface type interface number to interface type interface number Required Configure the AS IP sub option dhcp server voice config as ip ip address all interface interface t...

Page 141: ...onfigure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select interface Required Configure the NCP IP sub option dhcp...

Page 142: ...em view Configure the interface to operate in DHCP server mode and assign the IP addresses of an interface based address pool to DHCP clients dhcp select global subaddress all interface interface type...

Page 143: ...500 Vlan interface2 quit c Configure VLAN 2 interface to operate in the DHCP server mode S5500 dhcp select global interface vlan interface 2 d Enter DHCP address pool view S5500 dhcp server ip pool 12...

Page 144: ...ynamically to the DHCP clients on the same network segment The network segment 10 1 1 0 24 to which the IP addresses of the address pool belong is divided into two sub network segment 10 1 1 0 25 and...

Page 145: ...00 system view 2 Enable DHCP S5500 dhcp enable 3 Configure the IP addresses that are not dynamically assigned That is the IP addresses of the DNS server NetBIOS server and gateways S5500 dhcp server f...

Page 146: ...ed by IP addresses that are manually configured on hosts Solution Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing ping...

Page 147: ...mentals. Figure 35 illustrates a typical DHCP relay application. Figure 35 Typical DHCP relay application. A DHCP relay works as follows: A DHCP client broadcasts a configuration request packet in the loc...
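The packet exchange on pages 123-125 (a DHCP-DISCOVER from the client, a DHCP-OFFER from the server, both carried in UDP in the BOOTP packet format) and the relay behaviour on page 147 share one wire format, so a single added example serves both passages. This is Python written for this page, not 3Com code; the transaction ID, MACs and addresses are constructed, and the relay's use of giaddr and the hop counter follows the standard DHCP relay rules, which the manual describes only in outline.

```python
"""DHCP/BOOTP message encoding, DISCOVER/OFFER construction and relay forwarding.
Added illustration, not 3Com code."""
import struct
import ipaddress

MAGIC = b"\x63\x82\x53\x63"                       # DHCP magic cookie after the BOOTP header
HDR = "!BBBBIHH4s4s4s4s16s64s128s"               # op htype hlen hops xid secs flags ci yi si gi chaddr sname file
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
OPT_SUBNET, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 51, 53, 54, 255


def _ip(text):
    return ipaddress.ip_address(text).packed


def build(op, xid, chaddr, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0, options=()):
    """op=1 BOOTREQUEST (client), op=2 BOOTREPLY (server).  Broadcast flag is set."""
    mac = bytes.fromhex(chaddr.replace("-", ""))
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000,
                      _ip("0.0.0.0"), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr),
                      mac.ljust(16, b"\0"), b"", b"")
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])


def parse_dhcp(pkt):
    (op, _, hlen, hops, xid, _, _, ciaddr, yiaddr, _, giaddr,
     chaddr, _, _) = struct.unpack_from(HDR, pkt)
    pos = struct.calcsize(HDR)
    if pkt[pos:pos + 4] != MAGIC:
        raise ValueError("no magic cookie: plain BOOTP, not DHCP")
    pos += 4
    opts = {}
    while pkt[pos] != OPT_END:
        if pkt[pos] == 0:                           # pad octet
            pos += 1
            continue
        code, ln = pkt[pos], pkt[pos + 1]
        opts[code] = pkt[pos + 2:pos + 2 + ln]
        pos += 2 + ln
    return {"op": op, "hops": hops, "xid": xid,
            "ciaddr": str(ipaddress.ip_address(ciaddr)),
            "yiaddr": str(ipaddress.ip_address(yiaddr)),
            "giaddr": str(ipaddress.ip_address(giaddr)),
            "chaddr": chaddr[:hlen].hex(), "options": opts}


def discover(xid, mac):
    return build(1, xid, mac, options=[(OPT_MSG_TYPE, bytes([DISCOVER]))])


def offer(xid, mac, yiaddr, server_ip, lease, mask, router, dns, giaddr="0.0.0.0"):
    opts = [(OPT_MSG_TYPE, bytes([OFFER])), (OPT_SERVER_ID, _ip(server_ip)),
            (OPT_LEASE, struct.pack("!I", lease)), (OPT_SUBNET, _ip(mask)),
            (OPT_ROUTER, _ip(router)), (OPT_DNS, _ip(dns))]
    return build(2, xid, mac, yiaddr=yiaddr, giaddr=giaddr, options=opts)


def relay_to_server(pkt, relay_if_ip):
    """Relay: the client's broadcast request goes on to the server as unicast,
    with giaddr set to the relay interface (if not already set) and hops + 1."""
    msg = parse_dhcp(pkt)
    if msg["op"] != 1:
        raise ValueError("only client requests are relayed toward the server")
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else relay_if_ip
    return pkt[:3] + bytes([msg["hops"] + 1]) + pkt[4:24] + _ip(giaddr) + pkt[28:]


def relay_to_client(pkt, relay_if_ip):
    """Relay: a server reply is accepted only if giaddr names this relay; the
    (offered address, client MAC) pair is then delivered on the client's segment."""
    msg = parse_dhcp(pkt)
    if msg["op"] != 2 or msg["giaddr"] != relay_if_ip:
        raise ValueError("reply is not addressed to this relay")
    return msg["yiaddr"], msg["chaddr"]
```

The giaddr check in `relay_to_client` is the one safeguard a relay has: a reply whose giaddr does not match the relay's own interface address is not one it asked for and should not be pushed onto the client segment.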

Page 148: ...rnal DHCP IP addresses in a DHCP server group You can map multiple VLAN interfaces to one DHCP server group But one VLAN interface can be mapped to only one DHCP server group If you execute the dhcp s...

Page 149: ...ddresses and related configuration information from the DHCP server Network diagram Figure 36 Network diagram for DHCP relay Configuration procedure 1 Enter system view S5500 system view 2 Enable DHCP...

Page 150: ...on through a DHCP relay Analyse This problem may be caused by improper DHCP relay configuration When a DHCP relay operates improperly you can locate the problem by enabling debugging and checking the...

Page 151: ...r 3 Switch implementing communication between these hosts and the external network If Switch fails all the hosts on this segment taking Switch as the next hop through the default routes are cut off fr...

Page 152: ...witch with the highest priority will function as the new master switch to guarantee normal communication between the hosts and the external networks This ensures the communications between the hosts a...

Page 153: ...rtual router IP addresses as needed The MAC address can be a virtual MAC address or the real MAC address of a Layer 3 switch routing interface You need to map the IP addresses of the backup group to t...

Page 154: ...twork congestion even if the master operates properly This causes the master of the backup group to be determined frequently With the configuration of delay period the backup switch will wait for a w...

Page 155: ...tracking function expands the backup group function With this function enabled the backup group function is provided not only when the interface where the backup group resides fails but also when othe...

Page 156: ...preemptive mode and delay period for the backup group vrrp vrid virtual router ID preempt mode timer delay delay value Optional virtual router ID Backup group ID delay value Delay value in seconds By...

Page 157: ...Figure 39 Network diagram for single VRRP backup group configuration Table 139 Display and Clear VRRP Information Operation Command Description Display VRRP state information and statistics informatio...

Page 158: ...e2 ip address 202 38 160 2 255 255 255 0 LSW B Vlan interface2 quit b Configure VRRP LSW B vrrp ping enable LSW B interface vlan 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 LSW B Vla...

Page 159: ...60 111 d Set the priority for the backup group LSW A Vlan interface2 vrrp vrid 1 priority 110 e Set the authentication key for the backup group LSW A Vlan interface2 vrrp authentication mode md5 switc...

Page 160: ...advertise 5 Normally Switch A functions as the gateway but when VLAN 3 interface on Switch A goes down its priority will be reduced by 30 lower than that of Switch B so that Switch B will preempt the...

Page 161: ...lan interface2 vrrp vrid 2 virtual ip 202 38 160 112 2 Configure Switch B a Configure VLAN 2 LSW B system view System View return to User View with Ctrl Z LSW B vlan 2 LSW B vlan2 port Ethernet 1 0 6...

Page 162: ...ond possibility is caused by the malicious attempt of some devices non technical measures should be resorted to Symptom 2 More than one master existing within a backup group There are also 2 reasons O...

Page 163: ...for packet forwarding implementing the forwarding load balancing of VLAN packets MSTP is compatible with both STP and RSTP Moreover it overcomes the drawbacks that STP and RSTP suffer from It allows...

Page 164: ...T region configuration the same region name the same VLAN to spanning tree mapping that is VLAN 1 is mapped to spanning tree instance 1 VLAN 2 is mapped to spanning tree 2 and the other VLANs are mapp...

Page 165: ...e A common root bridge is the root of a CIST The common root bridge of the network shown in Figure 42 is a switch in region A0 Port role In MSTP the following port roles exist root port designated por...

Page 166: ...e combinations of port states and port roles Fundamentals of MSTP MSTP divides a network into multiple MST regions at Layer 2 and calculates the CST of these MST regions In each MST region it generate...

Page 167: ...cost of the port has a higher priority For BPDUs with the same root ID and root path cost the designated bridge ID designated port ID the ID of the port from which the BPDU is received are compared in...

Page 168: ...completing other related configurations Enabling MSTP Configure an MST region Required Configuring an MST Region Set the switch as the root secondary root bridge Required Setting a switch as the root...

Page 169: ...me MST region only when they have the same MST region name the same VLAN mapping table and the same MST region revision level Table 142 Configure an MST region Operation Command Description Enter syst...

Page 170: ...g a switch as a secondary root bridge of a spanning tree Using the stp root primary stp root secondary command you can specify a switch to be the root bridge or a secondary root bridge of the spanning...

Page 171: ...h to be the root bridge by setting the priority of the switch to 0 Note that once a switch is configured to be the root bridge or secondary root bridge its priority cannot be modified Configuration ex...

Page 172: ...he current switch to operate in STP mode S5500 system view System View return to User View with Ctrl Z S5500 stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count of an...

Page 173: ...dingly The network diameter setting only applies to CISTs Configuration example Configure the diameter of the switched network to 6 S5500 system view System View return to User View with Ctrl Z S5500...

Page 174: ...n time without consuming too many network resources Too long a Hello time may cause normal links to be regarded as failed when only some packets get lost which in turn causes spanning trees to be rec...

Page 175: ...t the upstream switch is down and recalculates the spanning trees Spanning tree recalculation may also occur in a very stable network where certain upstream switches are busy In this case you can incr...

Page 176: ...ected to them directly or through networks After a port is configured to be an edge port the port can perform rapid transition that is it can move from the blocking state to the forwarding state witho...

Page 177: ...dged port enable Specifying whether a Port Connects to a Point to Point Link A point to point link directly connects two switches If the two ports at the two ends of a point to point link meet certain ro...

Page 178: ...rue force false auto Required The auto keyword is specified by default The force true keyword specifies that the specified ports connect to point to point links The force false keyword specifies that...

Page 179: ...Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on some ports stp interface interface list disable Optional By default MSTP is enabled on all por...

Page 180: ...in the spanning trees that is whether a switch will be the root a branch or a leaf in a spanning tree Configuring an MST Region Refer to Configuring an MST Region Table 159 Leaf node configuration Op...

Page 181: ...ds are available for calculating path costs of ports on a switch dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports dot1t Adopts the IEEE 802 1t standard to c...

Page 182: ...666 50 000 200 200 180 160 140 1 000 Mbps Full Duplex Aggregated Link 2 Ports Aggregated Link 3 Ports Aggregated Link 4 Ports 4 3 3 3 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Full Duplex Aggrega...

Page 183: ...return to User View with Ctrl Z S5500 interface ethernet1 0 1 S5500 Ethernet1 0 1 undo stp instance 1 cost S5500 Ethernet1 0 1 quit S5500 stp pathcost standard dot1d 1998 Configuring the Priority of...

Page 184: ...ty 16 Configuring a Port to Connect to Point to Point Link Refer to Configuring a Port to Connect to Point to Point Link Enabling MSTP Refer to Enabling MSTP mCheck Configuration As mentioned previous...

Page 185: ...U protection root protection loop prevention and TC BPDU attack prevention BPDU protection Typically access ports of access layer devices have terminals such as PCs or file servers directly connected...

Page 186: ...ing BPDUs from the upstream switch However the switch may not receive the BPDUs due to network congestion or unidirectional link failures In this case the switch reelects a root port sets the origina...

Page 187: ...t port view S5500 system view System View return to User View with Ctrl Z S5500 interface ethernet1 0 1 S5500 Ethernet1 0 1 stp root protection Table 168 Enable the BPDU protection function Operation...

Page 188: ...keep independent of those of the operator s networks As shown in Figure 44 the upper part is the operator s network and the lower part is the user network The operator s network comprises packet ingr...

Page 189: ...2 1x GVRP GMRP STP or NTDP employed the BPDU tunnel function is unavailable to these ports Table 173 Configure the BPDU tunnel function Operation Command Description Enter system view system view Enab...

Page 190: ...AN 40 are forwarded along spanning tree instance 4 and those of VLAN 20 are forwarded along spanning tree instance 0 In this network Switch A and Switch B operate at the distribution layer Switch C an...

Page 191: ...Configure the MST region S5500 mst region region name example S5500 mst region instance 1 vlan 10 S5500 mst region instance 3 vlan 30 S5500 mst region instance 4 vlan 40 S5500 mst region revision lev...

Page 192: ...witches Switch C and Switch D shown in Figure 46 operate as the access devices of the operator s network Two S2000 series switches Switch A and Switch B shown in Figure 46 are used as the access devic...

Page 193: ...S5500 Ethernet1 0 1 vlan vpn enable S5500 Ethernet1 0 1 quit e Configure Ethernet1 0 2 port to be a trunk port S5500 interface Ethernet 1 0 2 S5500 Ethernet1 0 2 port link type trunk f Add the trunk...

Page 194: ...tunnel function is only available to access ports To implement the BPDU tunnel function the links between operator networks must be trunk links As the VLAN VPN function is unavailable to the ports wi...

Page 195: ...ized MAC address authentications are carried out as follows In MAC address mode a switch sends newly detected MAC addresses to the RADIUS server as both the user names and passwords The rest handling...

Page 196: ...ed MAC address authentication is also enabled Configuring an ISP Domain for MAC Address Authentication Users Table 176 lists the operations to configure an ISP domain for centralized MAC address authe...

Page 197: ...based and global centralized MAC address authentication and local user configuration 1 Enable centralized MAC address authentication on GigabitEthernet1 0 2 port S5500 system view S5500 mac authentic...

Page 198: ...TICATION CONFIGURATION 4 Enable global centralized MAC address authentication S5500 mac authentication 5 Configure the domain name for centralized MAC address authentication user to be aabbcc163 net S...

Page 199: ...onment A Switch can connect to multiple SSH clients SSH 2 0 and SSH1 x are currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that support SSH...

Page 200: ...server then decrypts the received data with the server private key to get the client random number The server then uses the same algorithm to work out the session key based on server public key and th...

Page 201: ...ends the authentication data calculated back to the server The server compares it with its authentication data obtained locally If they match exactly the user is allowed to access the switch 3 Session...

Page 202: ...be more than 1 024 bits Otherwise clients cannot be authenticated For a successful SSH login you must generate the local RSA key pairs first You just need to execute the command once with no further a...

Page 203: ...figure server SSH attributes Configuring client public keys This operation is not required for password authentication type You can configure RSA public keys for client users on the server in two ways...

Page 204: ...n key in a blank space between characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Return to public key view and save t...

Page 205: ...oup prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required You can use this command to enable the connec...

Page 206: ...ssword authentication 1 Set AAA authentication on the user interfaces S5500 user interface vty 0 4 S5500 ui vty0 4 authentication mode scheme 2 Set the user interfaces to support SSH S5500 ui vty0 4 p...

Page 207: ...00 rsa key code 308186028180739A291ABDA704F5D93DC8FDF84C427463 S5500 rsa key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 S5500 rsa key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 S5500...

Page 208: ...de BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 S5500 rsa key code public key code end S5500 rsa public key peer public key end S5500 ssh client 10 165 87 136 assign rsa key public 3 Start SSH client...

Page 209: ...ssh_rsa_key t rsa This will create two files ssh_rsa_key which is the Private key and ssh_rsa_key pub which is the Public key 2 Copy the public key file ssh_rsa_key pub to a Windows PC from the Linux...

Page 210: ...P server Setting connection timeout time Configuring service type for an SSH user Enabling the SFTP server Setting connection timeout time After you set the timeout time for the SFTP user connection t...

Page 211: ...ptional Return to the upper directory cdup Display the current directory pwd Display the list of the files in a directory dir ls Create a new directory mkdir Delete a directory rmdir 4 SFTP file relat...

Page 212: ...name Change the current directory cd remote path Return to the upper directory cdup Display the current directory pwd Display the list of the files in a directory dir remote path Optional The dir and...

Page 213: ...Figure 51 Network diagram for SFTP configuration Configuration procedure 1 Configure Switch B SFTP server a Enable the SFTP server S5500 sftp server enable b Specify SFTP service for SSH user 8040 S55...

Page 214: ...pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub c Create directory new1 and verify the operation sftp client mkdir new1 New directory created sftp...

Page 215: ...ir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 2...

Page 216: ...216 CHAPTER 15 SSH TERMINAL SERVICES...

Page 217: ...uters are two routers connected to the same network The number of route segments between a router and hosts in the same network is zero A router can be connected to any physical link that constitutes...

Page 218: ...is located is 129 102 0 0 The output interface Indicates an interface through which an IP packet should be forwarded The next hop address Indicates the next router that an IP packet will pass through...

Page 219: ...g and BGP IBGP and EBGP the preferences of various dynamic routing protocols can be manually configured to meet the user requirements The preferences for individual static routes can be different Forw...

Page 220: ...lf and the router will choose from one of the remaining routes as a backup route whose precedence is higher than the others to send data This process is the switchover from the main route to the backu...

Page 221: ...te to forward this packet If there is no default route and the destination address of the packet fails to match any entry in the routing table the packet is discarded and an Internet Control Message P...

Page 222: ...address of the local Switch as the next hop address of a static route Preference For different configurations of preference_value you can flexibly apply the routing management policy Other parameters...

Page 223: ...ting table Operation Command View routing table summary display ip routing table View routing table details display ip routing table verbose View the detailed information of a specific route display i...

Page 224: ...D V algorithm based It uses hop counts to measure the distance to the destination host This is called the routing cost In RIP the hop count from a router to its directly connected network is 0 the ho...

Page 225: ...he updated route globally available RIP uses the timeout mechanism to handle timed out routes to ensure the timeliness and validity of the routes With these mechanisms RIP an interior routing protocol...

Page 226: ...fied network and does not forward its interface route When the network command is used for an address the effect is to enable the interface of the network with this address For example for network 129...

Page 227: ...s and sends the RIP 1 packets It transmits packets in multicast mode when the interface RIP version is set to RIP 2 Configuring RIP Timers As stipulated in RFC1058 RIP is controlled by three timers pe...

Page 228: ...ro processing is refused There are no zero fields in RIP 2 packets so configuring a zero field check is invalid for RIP 2 Perform the following configurations in RIP View Specifying the Operating Stat...

Page 229: ...s with natural mask that is it always sends routes in the route aggregation form RIP 2 supports subnet mask and classless inter domain routing To advertise all the subnet routes the route aggregation...

Page 230: ...ormation of other protocols Configuring the Default Cost for the Imported Route When you use the import route command to import the routes of other protocols you can specify their cost If you do not s...

Page 231: ...router itself which means that it has no effect on the routes imported to RIP by other routing protocols Configuring Route Filtering The Router provides a route filtering function You can configure th...

Page 232: ...uring RIP to Filter the Received Routes Operation Command Filter the received routing information distributed by the specified address filter policy gateway ip_prefix_name import Cancel filtering of t...

Page 233: ...witch B are connected to the networks 155 10 1 0 and 196 38 165 0 respectively Switch C Switch A and Switch B are connected using Ethernet 110 11 2 0 Correctly configure RIP to ensure that Switch C Sw...

Page 234: ...Troubleshooting RIP The Switch 5500 cannot receive the update packets when the physical connection to the peer routing device is normal RIP does not operate on the corresponding interface for example...

Page 235: ...e the security of the route calculation Multicast transmission Uses multicast address to receive and send packets Calculating OSPF Routes The OSPF protocol calculates routes as follows Each OSPF capab...

Page 236: ...peer router It contains a collection of multiple LSAs complete contents Link State Acknowledgment LSAck Packet The packet is used for acknowledging the received LSU packets It contains the HEAD s of L...

Page 237: ...e area is called an area border router ABR An ABR can connect to the backbone area physically or logically Backbone Area After the area division of OSPF one area is different from all the other areas...

Page 238: ...mport Routes of Other Protocols Configuring Parameters for OSPF to Import External routes Configuring OSPF to Import the Default Route Setting OSPF Route Preference Configuring OSPF Route Filtering Co...

Page 239: ...ddress wildcard shielded text similar to the complement of the IP address mask Configuring a Router ID A Router ID is a 32 bit unsigned integer that uniquely identifies a router within an AS A Router...

Page 240: ...ork without multi access capability Configure the interface type to P2MP if not all the routers are directly accessible on an NBMA network Change the interface type to P2P if the router has only one p...

Page 241: ...f a router is 0 it will not be elected as DR or BDR If DR fails the routers on the network must elect a new DR and synchronize with the new DR The process takes a relatively long time during which rou...

Page 242: ...hello timer According to RFC2328 the consistency of hello intervals between network neighbors should be kept The hello interval value is in inverse proportion to the route convergence rate and networ...

Page 243: ...itted every second Setting an Interval for LSA Retransmission between Neighboring Routers If a router transmits an LSA Link State Advertisements to the peer it requires an acknowledgement packet from...

Page 244: ...located at the AS boundaries are those non backbone areas with only one ABR Even if this area has multiple ABRs no virtual links are established between these ABRs To ensure that the routes to destina...

Page 245: ...R generates type 7 LSAs which are propagated in Area 1 When a type 7 LSA reaches the NSSA ABR the NSSA ABR transforms it into a type 5 LSA which is propagated to Area 0 and Area 2 RIP routes of the AS...

Page 246: ...d an aggregate LSA and all the LSAs in the range of the aggregate segment specified by the command are not transmitted separately Once the aggregate segment of a certain network is added to the area a...

Page 247: ...onnection can take effect only when both ends are configured The virtual link is identified by the ID of the remote router The area which provides the ends of the virtual link with a non backbone area...

Page 248: ...formation As far as OSPF is concerned the routes discovered by other routing protocols are always processed as the external routes of AS In the import route commands you can specify the route cost typ...

Page 249: ...es not import the routing information of other protocols The default type of the imported route is 2 cost is 1 and the tag is 1 The protocol variable specifies a source routing protocol that can be im...

Page 250: ...orted external routing protocol is 150 Restore the default upper limit to the external routes that can be imported at a time undo default limit Configure the default cost for the OSPF to import extern...

Page 251: ...ally specify an interface to fill in the MTU field in a DD packet when it transmits the packet The MTU should be set to the real MTU on the interface Perform the following configuration in Interface V...

Page 252: ...anagement System NMS Configuring OSPF MIB binding After multiple OSPF processes are enabled you can configure to which OSPF process MIB is bound Perform the following configuration in System View By d...

Page 253: ...able 250 Enabling disabling OSPF TRAP function Operation Command Enable OSPF TRAP function snmp agent trap enable ospf process_id ifstatechange virifstatechange nbrstatechange virnbrstatechange ifcfge...

Page 254: ...Figure 57 Networking Diagram Figure 57 Networking for configuring DR election based on OSPF priority Display OSPF routing table display ospf process_id routing Display OSPF virtual links display ospf...

Page 255: ...itch C interface Vlan interface 1 Switch C Vlan interface1 ip address 196 1 1 3 255 255 255 0 Switch C Vlan interface1 ospf dr priority 2 Switch C router id 3 3 3 3 Switch C ospf Switch C ospf 1 area...

Page 256: ...g diagram Figure 58 OSPF virtual link configuration networking The following commands configure a virtual link between Switch B and Switch C in Area 1 Configuration procedure 1 Configure Switch A Swit...

Page 257: ...ther routers is in FULL state Execute the display ospf peer command to view neighbors Execute the display ospf interface command to view OSPF information in the interface Use the ping command to check...

Page 258: ...licy When a router distributes or receives routing information it must implement policies to filter the routing information so that it can receive or distribute only the routing information that meets...

Page 259: ...tion refer to Chapter 7 Using QoS ACL Commands IP Prefix The function of the IP Prefix is similar to that of the ACL but it is more flexible and easier for users to understand When the IP Prefix is ap...

Page 260: ...em should be in permit mode Apply the route policy to filter routing information If the routing information does not match any node the routing policy denies the routing information If all the nodes i...

Page 261: ...tribution If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol you should satisfy the requirement of the destination pro...

Page 262: ...fined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode no route will pass the ip prefix filtering You can define an item of permit 0 0...

Page 263: ...in the subnet segment When a switch forwards this kind of packet the switch cannot tell whether the packet is a broadcast packet if the switch is not connected with the subnet If a broadcast packet re...

Page 264: ...ram Figure 60 Filtering the received routing information Configuration procedure 1 Configure Switch A a Configure the IP address of VLAN interface Switch A interface vlan interface 100 Switch A Vlan i...

Page 265: ...e When a Route Policy is used for the routing information filtering if a piece of routing information does not pass the filtering of any node then it means that the route information does not pass the...

Page 266: ...Safety Value of the Switch Memory When the Switch memory is equal to or lower than the lower limit OSPF is disconnected and OSPF routes are removed from the routing table Perform the following config...

Page 267: ...in any view to display the operation of the Route Capacity configuration Table 264 Displaying and debugging route capacity Operation Command Display the route capacity memory information display memor...

Page 268: ...268 CHAPTER 16 IP ROUTING PROTOCOL OPERATION...

Page 269: ...o fields net id field and host id field There are five types of IP address See Figure 61 Figure 61 Five Classes of IP Address Class A Class B and Class C are unicast addresses while Class D addresses...

Page 270: ...ates the broadcast address that is broadcast to all hosts on the network IP address 0 0 0 0 is used for the host that is not put into use after starting up The IP address with network number as 0 indi...

Page 271: ...figure an IP address with the IP address configuration command The other two methods are described in subsequent chapters The IP address configuration is described in the following sections Configurin...

Page 272: ...dary IP address if its IP address is set to be allocated by BOOTP or DHCP Displaying and Debugging IP Address After the above configuration enter the display command in any view to display the IP addr...

Page 273: ...ck whether the Switch can correctly send and receive ARP packets If it can only send but cannot receive ARP packets there are possibly errors occurring on the Ethernet physical layer ARP Configuration...

Page 274: ...B all the packets standing in the queue Normally dynamic ARP automatically executes and searches for the resolution from the IP address to the Ethernet MAC address without the administrator Configurin...

Page 275: ...whether the Switch should create ARP table entries for multicast MAC addresses Address resolution for multicast packets is not required because the IANA Internet Assigned Numbers Authority has reserv...

Page 276: ...Table 272 describes the procedure to configure the gratuitous ARP packet learning function Displaying and Debugging ARP After the above configuration enter the display command in any view to display t...

Page 277: ...ceiving resilient ARP messages regularly so as to determine if a device serves as a Layer 3 or Layer 2 device Resilient ARP configuration is described in the following sections Enabling Disabling Resi...

Page 278: ...d respectively Unit 1 through Unit 4 in the XRN network Unit 1 and Unit 3 are connected to the Switch in link aggregation mode Resilient ARP runs on the XRN fabric to avoid packet forwarding problems...

Page 279: ...ng an IP address using BOOTP the BOOTP client sends the server the BOOTP Request message Upon receiving the request message the server returns the BOOTP Response message The BOOTP client can then obta...

Page 280: ...Client Server mode With this protocol the DHCP Client can dynamically request configuration information and the DHCP server can configure the information for the Client The DHCP relay serves as condu...

Page 281: ...he message contains the information of the IP address request from the selected DHCP server Acknowledge stage the stage when the DHCP server acknowledges the IP address When receiving the DHCP_Request...

Page 282: ...roduction of DHCP relay has solved this problem the clients in a LAN can communicate with DHCP servers in another subnet through DHCP relay to get valid IP addresses Then DHCP clients of multiple diff...

Page 283: ...s Currently the commonly used sub options in option 82 are sub option 1 sub option 2 and sub option 5 Sub option 1 A sub option of option 82 Sub option 1 represents the agent circuit ID namely Circuit...

Page 284: ...5 which have the following meanings 1 represents this sub option is for agent circuit ID Circuit ID 2 represents this sub option is for remote agent ID Remote ID 5 represents this sub option is for li...

Page 285: ...t packet forwarded by the DHCP relay the DHCP server stores the information contained in the option field and sends a packet that contains DHCP configuration information and option 82 to the DHCP rela...

Page 286: ...re an IP address for the backup DHCP server together with that of the master server Configuring the DHCP Server Group for the VLAN Interfaces Perform the following configuration in VLAN Interface View...

Page 287: ...ser from accessing external networks if the IP address configured on the user end and the MAC address of the user end do not match any entries including the entries dynamically tracked by the DHCP rel...

Page 288: ...DHCP security feature is disabled on the VLAN interface Option 82 Supporting Configuration This section contains supporting configuration information for Option 82 Prerequisites Before configuring opt...

Page 289: ...mask to the VLAN interface so that it is on the same network segment with the two DHCP clients S5500 interface vlan interface 100 S5500 Vlan interface 100 ip address 10 110 1 1 255 255 0 0 4 Specify...

Page 290: ...ens DHCP broadcast packets When an unauthorized DHCP server exists in the network a DHCP client may obtain an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP se...

Page 291: ...g Configuration Table 288 shows the configuration specifications for DHCP snooping Table 288 Configure the DHCP snooping function Operation Command Description Enter system view system view Enable the...

Page 292: ...nd of accounting when it assigns releases a lease The cooperation of DHCP server and RADIUS server implements the network accounting function and at the same time secures the network to a certain degr...

Page 293: ...s to start account Service Type Type of the service the user applies for NAS IP Address IP address of the network access server NAS Acct Delay Time Time delay in seconds in sending accounting packets...

Page 294: ...counting START packets including the first sending attempt at regular intervals If the three packets bring no response from the RADIUS server the DHCP server does not send Accounting START packets any...

Page 295: ...(network diagram labels: DHCP Client, DHCP Server, RADIUS Server 10 1 2 2 24)...

Page 296: ...the above configuration enter the display command in any view to display the running of the DHCP configuration and to verify the effect of the configuration Enter the debugging command in User View t...

Page 297: ...hcp server groupNo Display information about the DHCP server group to which a specified VLAN interface is mapped display dhcp server interface vlan interface vlan id Display one or all user address en...

Page 298: ...8 1 2 The DHCP packets should be forwarded using the Switch with DHCP Relay enabled A DHCP Client can get its IP address and other configuration information from the DHCP Server Networking Diagram Fig...

Page 299: ...mmand to output the debugging information to the console In this way you can view the detailed information of all DHCP packets on the console as they apply for the IP address and so locate the problem...

Page 300: ...net Port View By default a port is not in an isolation group that is Layer 2 forwarding is achievable between this port and other ports Note that One unit only supports one isolation group That is a p...

Page 301: ...rts on Layer 2 Enabling Disabling Access Management Trap You can enable the access management trap function using the following commands When this function is enabled the trap information of access ma...

Page 302: ...dd port 1 into isolation group SW5500 Ethernet1 0 1 port isolate 4 Configure the IP address pool for access management on port 2 SW5500 Ethernet1 0 1 interface ethernet1 0 2 SW5500 Ethernet1 0 2 am ip...

Page 303: ...it unicasts the response message UDP Helper Configuration UDP Helper configuration includes Enabling Disabling UDP Helper Function Configuring UDP Port with Relay Function Configuring the Relay Desti...

Page 304: ...is enabled on the VLAN interface then the broadcast packets of a designated UDP port received at the VLAN interface will be unicasted to the destination server Perform the following configuration in V...

Page 305: ...ay forward the broadcast packets with destination UDP port 55 SW5500 udp helper port 55 3 Set the IP address of the destination server corresponding to VLAN interface 2 as 202 38 1 2 SW5500 interface...

Page 306: ...timeout time_value Restore synwait timer undo tcp timer syn timeout Configure FIN_WAIT_2 timer in TCP tcp timer fin timeout time_value Restore FIN_WAIT_2 timer undo tcp timer fin timeout Configure the...

Page 307: ...n port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets Operations include SW5500 terminal debugging SW5500 debugging tcp packet Then the TCP packets rece...

Page 309: ...e can be used if you intend to send the information to all users on the network In either case the end users will receive the information For example if the same information is required by 200 users o...

Page 310: ...239 255 255 255 Class D addresses cannot appear in the source IP address fields of IP packets During unicast data transmission a packet is transmitted from the source address to the destination addre...

Page 311: ...ass D address range Meaning 224 0 0 0 224 0 0 255 Reserved multicast addresses addresses of permanent groups Address 224 0 0 0 is reserved The other addresses can be used by routing protocols 224 0 1...

Page 312: ...t group through IGMP declaration the multicast router on the network will transmit the information sent to the multicast group through the multicast routing protocol Finally the network will be added...

Page 313: ...forwarded along the shared tree rooted at the RP and with members as the branches To prevent the branches of the shared tree from being deleted PIM sparse mode sends join messages to branches periodi...

Page 314: ...It is used for multicast group management and control When receiving IGMP messages transmitted between the host and router the Switch 5500 uses IGMP Snooping to analyze the information carried in the...

Page 315: ...Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query messages before the timer times out it is no longer considered a router port Multi...

Page 316: ...to the IGMP query message When received the switch checks if the MAC multicast group is ready to join If the corresponding MAC multicast group does not exist the switch notifies the router that a mem...

Page 317: ...th in System View and in VLAN View By default IGMP Snooping is disabled Configuring Router Port Aging Time Use the commands in Table 311 to manually configure the router port aging time If the switch...

Page 318: ...e following configuration in system view By default the aging time of the multicast member is 260 seconds Enabling IGMP Fast Leave Processing Normally when receiving an IGMP Leave message IGMP Snoopin...

Page 319: ...t You can use the command here to limit the number of multicast groups on a switch port After that users on this port cannot unlimitedly order multicast programs because you have limited the number of...

Page 320: ...oin Table 316 Configure the maximum number of multicast groups on a port continued Operation Command Description Table 317 Configure multicast VLAN on Layer 3 switch Operation Command Description Ente...

Page 321: ...LAN service type multicast Required Exit the VLAN view quit Enter the view of the Ethernet port connected to the Layer 3 switch interface interface type interface num Define the port as a trunk or hyb...

Page 322: ...oping is disabled 1 Input the display current configuration command to display the status of IGMP Snooping 2 If the switch disabled IGMP Snooping check whether the IGMP Snooping is enabled globally an...

Page 323: ...on multicast configuration includes Enabling multicast Configuring the multicast route limit Clearing MFC forwarding entries or statistics information Clearing route entries from the core multicast ro...

Page 324: ...f the entry The system does not support configuring a multicast MAC address on an IRF port If you do this the system will give you a prompt that the multicast MAC address configuration fails You...

Page 325: ...specifying the interface list argument will enable the feature globally that is on all the ports of the switch Executing this command with the interface list argument specified will enable the feature...

Page 326: ...hosts participating in multicast must implement IGMP Hosts participating in IP multicast can join and leave a multicast group at any time The number of members of a multicast group can be any integer...

Page 327: ...ter is necessary to send membership query messages In this case the router election mechanism is required to specify a router as the querier In IGMP Version 1 selection of the querier is determined by...

Page 328: ...figuration on page 323 Enabling IGMP on an Interface You must enable multicast before you can execute the igmp enable command After this you can initiate IGMP feature configuration Perform the followi...

Page 329: ...in igmp robust count with the default value as 1 second and at a time interval defined by the seconds in igmp lastmember queryinterval with the default value as 2 3 When other hosts receive the messa...

Page 330: ...ill cancel the corresponding path Configuring one interface of the router as multicast member can avoid such problem When the interface receives IGMP query packet the router will respond thus ensuring...

Page 331: ...peration Command Configure a router to join specified multicast group VLAN Interface View igmp host join group_address port interface_type interface_ num interface_name to interface_type interface_ nu...

Page 332: ...status of the members of the multicast group Perform the following configuration in Interface view The smaller the maximum query response time value the faster the router prunes groups The actual res...

Page 333: ...router will perform RPF check according to the unicast routing table first If the RPF check is passed the router will create an S G entry and then flood the data to all downstream PIM DM nodes If the...

Page 334: ...y specified unicast routing protocol such as the routing information learned by RIP and OSPF Assert Mechanism As shown in the Figure 84 both routers A and B on the LAN have their own receiving paths t...

Page 335: ...DM needs to be enabled in the configuration of all interfaces After PIM DM is enabled on an interface it will send PIM Hello messages periodically and process protocol packets sent by PIM neighbors P...

Page 336: ...view If resource address filtering is configured as well as basic ACLs then the router filters the resource addresses of all multicast data packets received Those not matched will be discarded If res...

Page 337: ...hen it means only the RP item will be cleared If in this command the group address is any a group address and source address is 0 where group address can have a mask and source address has no mask the...

Page 338: ...source_address mask mask_length mask incoming interface interface type interface_number null dense mode sparse mode Display the PIM interface information display pim interface interface type interface...

Page 339: ...interface12 pim dm PIM SM Overview PIM SM Protocol Independent Multicast Sparse Mode is a multicast routing protocol appropriate for large scale networks for example a WAN where multicast group membe...

Page 340: ...zvous point RP Each router along the path between the leaf routers and the RP will generate G entries in the forwarding table indicating that all packets sent to multicast group G are applicable to th...

Page 341: ...ails you can switch over to another BSR A BSR is elected among the C BSRs automatically The C BSR with the highest priority is elected as the BSR If the priority is the same the C BSR with the largest...

Page 342: ...any direction In this way the PIM SM domain can be split Perform the following configuration in Interface view By default no domain border is set After this configuration is performed a bootstrap mes...

Page 343: ...in PIM view Candidate BSRs should be configured on the routers in the network backbone By default no BSR is set The default priority is 0 One Switch can only be configured with one candidate BSR When...

Page 344: ...erval is 30 seconds Users can configure the value according to different network environments This configuration can be performed only after the PIM PIM DM or PIM SM is enabled in Interface view Confi...

Page 345: ...illegal router joins the network the attacker may set itself as C BSR and try to win the contention and gain authority to advertise RP information among the network Since the router config...

Page 346: ...xecute debugging command in user view for the debugging of PIM SM PIM SM Configuration Example Networking Requirements In actual network we assume that the switches can intercommunicate Suppose that H...

Page 347: ...11 pim sm SW5500 vlan interface11 quit SW5500 vlan 12 SW5500 vlan12 port ethernet 1 0 6 to ethernet 1 0 7 SW5500 vlan12 quit SW5500 interface vlan interface 12 SW5500 vlan interface12 igmp enable SW55...

Page 348: ...e vlan interface 12 SW5500 vlan interface12 pim bsr boundary After VLAN interface 12 is configured as the domain border Switch_D will be excluded from the local PIM domain and will no longer receive t...

Page 351: ...tching a data packet with the access control rule the issue of match order arises The case of filter or classify the data transmitted by the hardware ACL can be used to filter or classify the data tra...

Page 352: ...head If the port numbers are in the same range follow the configuration sequence ACL Supported by the Switch Table 361 lists the limits to the numbers of different types of ACL on a Switch Table 361 Q...

Page 353: ...by the hardware of the Switch the match order defined in the acl command will not be effective If ACL is used to filter or classify the data treated by the software of the Switch the match order of A...

Page 354: ...lowing command to define the numbered Layer 2 ACL Perform the following configuration in corresponding view Operation Command Enter basic ACL view from System View acl number acl_number match order co...

Page 355: ...ing from the packet and compares it with the user defined rule string to identify and process the matched packets Activating ACL The defined ACL can be active after being activated globally on the Swi...

Page 356: ...e ACL and limit Financial Dept access to the payment query server between 8 00 and 18 00 Networking Diagram Figure 88 Access Control Configuration Example Operation Command Activate an ACL packet filt...

Page 357: ...W5500 acl adv 3000 rule 2 permit ip source 129 111 1 2 0 0 0 0 destination 129 110 1 2 0 0 0 0 3 Activate ACL Activate the ACL 3000 SW5500 GigabitEthernet1 0 50 packet filter inbound ip group 3000 Bas...

Page 358: ...on Example Configuration Procedure In the following configurations only the commands related to ACL configurations are listed 1 Define the time range Define time range from 8 00 to 18 00 SW5500 time r...

Page 359: ...affic classification rule while allowing other traffic to pass through With the complex traffic classification rules the Switch enables the filtering of various information carried in Layer 2 traffic...

Page 360: ...ut the packets of lower priority like e mail in the lower priority queue can guarantee the key service packets of higher priority are transmitted first while the packets of lower service priority are...

Page 361: ...nfigure the port priority to your requirements priority level ranges from 0 to 7 Configuring the Priority for Protocol Packets Each protocol packet has its own priority Users can modify the priority o...

Page 362: ...ew Table 371 Configure Monitor Port Only one monitor port can be configured on one Switch If a group of Switches form a fabric only one monitor port can be configured on one fabric 2 Configure the mir...

Page 363: ...uling is commonly used to resolve the problem that multiple messages compete for resource when the network congestion happens The queue scheduling function puts the packet to the output queue of the p...

Page 364: ...fining their priority levels Perform the following configurations in the Ethernet Port View Table 382 Setting Traffic Limit 5 5 6 6 7 7 Operation Command Configure COS Local precedence map qos cos loc...

Page 365: ...ion is used for counting the data packets of the specified traffic that is this function counts the transmitted data which matches the ACL rules After the traffic statistics function is configured the...

Page 366: ...le rule ip group acl_number rule rule link group acl_number rule rule link group acl_number rule rule Cancel the configuration of traffic statistics undo traffic statistic inbound user group acl_numbe...

Page 367: ...ion Procedure Command Description Enter system view system view Create or enter advanced ACL view acl number acl number match order config auto By default the matching order is config Define the rule...

Page 368: ...face vty 0 4 S5500 ui vty0 4 acl 2000 inbound Table 390 Control Telnet using Source MAC Configuration Procedure Command Description Enter system view system view Create or enter Layer 2 ACL view acl n...

Page 369: ...eration Command Display mirroring configuration display mirror Display queue scheduling mode display queue scheduler Display line rate for outbound packets display qos interface interface_name interfa...

Page 370: ...for the wage server a Limit average traffic from the wage server at 128 Kbps and label over threshold packets with priority level 4 SW5500 Ethernet1 0 1 traffic limit inbound ip group 3000 128 exceed...

Page 371: ...or the upper layer device Networking Diagram Figure 95 QoS Configuration Example Configuration Procedure 1 Define the time range Define the time range 8 00 18 00 SW5500 time range 3Com 8 00 to 18 00 d...

Page 372: ...CLs for the traffic actions before adding the actions to the QoS profile Entering QoS Profile View To configure the QoS profile you must first enter QoS profile view Device Configuration Default Descr...

Page 373: ...profile to the user port Operation Command Enter QoS profile view qos profile profile name Delete the QoS profile undo qos profile profile name Table 394 Adding Removing Traffic Action to QoS Profile...

Page 374: ...mand in any view to check the configuration result of the QoS profile Table 398 Displaying QoS Profile Configuration QoS Profile Configuration Example Networking Requirement The Switch implements the...

Page 375: ...me radius1 SW5500 radius radius1 primary authentication 10 11 1 1 SW5500 radius radius1 primary accounting 10 11 1 2 SW5500 radius radius1 secondary authentication 10 11 1 2 SW5500 radius radius1 seco...

Page 376: ...t passwords can log successfully onto the Switch In this section only the first level security control ACL configuration is detailed See the Getting Started for the second level control Configuring AC...

Page 377: ...2 0 SW5500 acl basic 2000 rule 2 permit source 10 110 100 46 0 SW5500 acl basic 2000 quit 2 Import the ACL SW5500 user interface vty 0 4 SW5500 ui vty0 4 acl 2000 inbound Configuring ACL for SNMP User...

Page 378: ...fferent ACLs in the three commands listed above See the Command Manual for details about these commands You can import only the basic ACLs with digit IDs Operation Command Import the defined ACL into...

Page 379: ...e management through the Web interface The users can access the Switch through HTTP Controlling such users with ACL can help filter the illegal users and prevent them from accessing the local Switch A...

Page 380: ...working Diagram Figure 100 Controlling Web NM users with ACL Configuration Procedure 1 Define the basic ACL SW5500 acl number 2030 match order config SW5500 acl basic 2030 rule 1 permit source 10 110...

Page 381: ...ion switch the switch to which the remote mirroring destination port belong Table 403 gives an illustration of how various ports are involved in the mirroring operation Table 403 The ports involved in...

Page 382: ...ID set as Remote probe VLAN ID All the ports in this VLAN must be Trunk ports rather than Access ports or Hybrid ports The default VLAN Management VLAN Fabric VLAN and Protocol VLAN cannot be configur...

Page 383: ...ts of remote mirroring mirroring group group id reflector port reflector port Required The reflector ports of remote mirroring cannot enable STP and have to be Access ports The reflector ports cannot...

Page 384: ...mand Description Enter system view system view Establish remote probe VLAN and enter VLAN view vlan vlan id The parameter vlan id represents the ID of the remote probe VLAN Define the current VLAN as...

Page 385: ...mit vlan 10 S5500 Ethernet1 0 1 quit S5500 mirroring group 1 remote source S5500 mirroring group 1 mirroring port ethernet1 0 2 outbound S5500 mirroring group 1 reflector port ethernet1 0 5 S5500 mirr...

Page 386: ...protocol range the higher the priority 2 Compare the range of source IP addresses Those with smaller source IP address range have higher priority 3 Compare the range of destination IP addresses Those...

Page 387: ...e 0 permit ip For more information on the display acl command refer to the QoS ACL part of the Switch 5500 Series Ethernet Command Manual Subdividing DSCP while Defining ACL Rules The new version has...

Page 388: ...duling features configured in a static or manual aggregation group This operation can be done either on a local device or in an XRN across various devices The new feature also supports the use of the...

Page 389: ...switch outbound Performs ACL control over users Telnetting to other switches from the local switch Table 410 Control Telnet using source IP and destination IP Configuration Procedure Command Descript...

Page 390: ...r interface vty 0 4 S5500 ui vty0 4 acl 2000 inbound Table 411 Control Telnet using Source MAC Configuration Procedure Command Description Enter system view system view Create or enter Layer 2 ACL vie...

Page 391: ...devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the user can access the resources in the LAN Otherwise the user cannot access t...

Page 392: ...Packet Authentication information frame used to carry the authentication information EAPoL Start Authentication originating frame actively originated by the user EAPoL Logoff Logoff request frame act...

Page 393: ...ach port Setting the Authentication in DHCP Environment Configuring the authentication method for 802 1x user Setting the maximum times of authentication request message retransmission Configuring tim...

Page 394: ...on the port is macbased That is authentication is performed based on MAC addresses Checking the Users that Log on the Switch using Proxy The following commands are used for checking the users that lo...

Page 395: ...the Switch sends authentication information to the RADIUS server in the form of EAP packets directly and the RADIUS server must support EAP authentication Perform the following configurations in Syst...

Page 396: ...extracts the authentication information and delivers it to the AAA server to accomplish the authentication As the four authentication modes that is PEAP EAP TLS EAP TTLS and EAP MD5 are all EAP authe...

Page 397: ...used for setting the maximum retransmission times of the authentication request message that the Switch sends to the user Perform the following configurations in System View Table 420 Setting the Maxi...

Page 398: ...pecify how long the duration of a timeout timer of an Authentication Server is The value ranges from 100 to 300 in units of second and defaults to 100 supp timeout Specify the authentication timeout t...

Page 399: ...end Version Checking Request Packets Configuring the Version Checking Timer Enabling the 802 1x Client Version Checking Function As for the dot1x version check command if you execute it in system view...

Page 400: ...ax 6 4 Set the version checking timer to 5 seconds S5500 dot1x timer ver period 5 Guest VLAN Configuration The Guest VLAN function enables supplicant systems that are not authenticated to access speci...

Page 401: ...configured for a switch Supplicant systems that are not authenticated fail to pass the authentication or are offline belong to Guest VLANs Guest VLAN Configuration Example Network requirements Create...

Page 402: ...units That is the MAC address can only be recognized by the unit the supplicant system directly connected to This may result in broadcast storms in the fabric In an IRF that supports the 802 1x trust...

Page 403: ...tribute Table 429 Auto QoS 802 1x Configuration Example Networking Requirements As shown in the Figure 106 the workstation of a user is connected to the port Ethernet 1 0 1 of the Switch The switch ad...

Page 404: ...ADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted 1 Enable the 802 1x performance on the specified port Ethernet 1 0 1 SW5500 dot1x interf...

Page 405: ...rs to the domain 3com163 net SW5500 isp 3com163 net access limit enable 30 14 Enable idle cut function for the user and set the idle cut parameter in the domain 3com163 net SW5500 isp 3com163 net idle...

Page 406: ...0 Enabling Disabling Centralized MAC Address Authentication You can configure the centralized MAC address authentication status on the ports first However the configuration does not function on each p...

Page 407: ...before it re authenticates The Switch does not authenticate during the quiet time Server timeout During the authentication to the user if the connection between the Switch and the RADIUS server times...

Page 408: ...e 802 1x Configuration Example The configuration of centralized MAC address authentication is similar to that of 802 1x their differences are 1 Enabling centralized MAC address authentication both globally a...

Page 409: ...specified services Accounting traces network resources consumed by the user RADIUS Protocol Overview As mentioned above AAA is a management framework so it can be implemented by some protocols RADIUS...

Page 410: ...which the ACCEPT message indicates that the user has passed the authentication and the REJECT message indicates that the user has not passed the authentication and needs to input their username and pa...

Page 411: ...plied For the Switch 5500 each user belongs to an ISP domain Up to 16 domains can be configured in the system If a user has not reported their ISP domain name the system will put them into the default...

Page 412: ...any users can be contained in the ISP For any ISP domain there is no limit to the number of users by default Table 440 Setting Access Limit By default there is no limit to the number of users Enabling...

Page 413: ...ent framework for network access control It provides the following three services Authentication Checks if a user can access the network Authorization Authorizes a user to use a specific service Accou...

Page 414: ...s connected to the switch This server will be used as an authentication server On the switch set the shared key it uses to exchange packets with the RADIUS server to expert Configure the RADIUS scheme...

Page 415: ...[Networking diagram: Authentication Servers IP address 10.110.91.164, Internet, Switch, Remote user]...

Page 416: ...e client opens the default explorer IE or NetScape locate the specified URL page used to change the user password on the self service server Change user password on this page Perform the following con...

Page 417: ...LAN name assigned by the RADIUS server is a string that contains only digital characters for example 1024 and the string can be transformed to an integer number in the valid VLAN range the switch tran...

Page 418: ...Creating a Local User A local user is a group of users set on NAS The user name is the unique identifier of a user A user requesting network service may use local authentication only if its correspond...

Page 419: ...l when you configure a service type If you set multiple service types and specify the user levels then only the last configured user level is valid Some of the service types allow a user privilege lev...

Page 420: ...attributes of every RADIUS scheme include IP addresses of primary and secondary servers shared key and RADIUS server type RADIUS protocol configuration only defines some necessary parameters used for...

Page 421: ...r groups of IP addresses and UDP port numbers However as a minimum you have to set one group of IP address and UDP port number for each pair of primary secondary servers to ensure the normal AAA opera...

Page 422: ...ervers as the primary and the secondary accounting servers respectively or specify one server to function as both To guarantee the normal interaction between NAS and RADIUS server you are supposed to...

Page 423: ...me accounting request can fail to be responded to no more than 5 times Enabling Disabling the Stopping Accounting Request Buffer Because the stopping accounting request concerns the account balance an...

Page 424: ...er s online information The user re authentication at reboot feature is designed to resolve this problem After this feature is enabled every time the switch reboots The switch generates an Accounting...

Page 425: ...5 algorithm to encrypt the exchanged packets The two ends verify the packet through setting the encryption key Only when the keys are identical can both ends accept the packets from each other and giv...

Page 426: ...an RADIUS authentication packet is to fill the Framed Protocol attribute in the RADIUS authentication request packet based on the access mode of the user Setting Retransmission Times of RADIUS Request...

Page 427: ...servers are in the state of active and the secondary accounting authentication servers are in the state of block Setting the Username Format Transmitted to the RADIUS Server As mentioned above the use...

Page 428: ...authorization packet configured by the command key authentication in RADIUS Scheme View Configuring Source Address for RADIUS Packets Sent by NAS Perform the following configurations in the correspond...

Page 429: ...the following command to set a real time accounting interval Perform the following configurations in RADIUS Scheme View Table 467 Setting a Real time Accounting Interval minute specifies the real time...

Page 430: ...ut Table 470 Displaying and Debugging AAA and RADIUS Protocol Operation Command Display the configuration information of the specified or all the ISP domains display domain isp_name Display related in...

Page 431: ...entication server is expert The Switch cuts off the domain name from username and sends the remaining part to the RADIUS server Networking Topology Figure 110 Configuring the Remote RADIUS Authenticat...

Page 432: ...ng the FTP Telnet User Local Authentication Configuring local authentication for FTP users is similar to that for Telnet users The following example is based on Telnet users Networking Requirements Co...

Page 433: ...Disable Self service Disable Messenger Time Disable This system domain uses the local scheme It is not recommended that you change the system domain as it could result in locking all users out of the...

Page 434: ...802 1x is enabled on port Ethernet1 0 11 802 1x is enabled on port Ethernet1 0 12 802 1x is enabled on port Ethernet1 0 14 802 1x is enabled on port Ethernet1 0 15 802 1x is enabled on port Ethernet1...

Page 435: ...d RADIUS server of ISP So it is likely to be invalid Fault One User authentication authorization always fails Troubleshooting The username may not be in the userid isp name format or NAS has not been...

Page 436: ...h 5500 provides debugging of RADIUS Terminal debugging can be enabled with the command 5500 xx terminal debugging Once enabled different debug traces can be enabled to the terminal For example to turn...

Page 437: ...SSH Terminal Services File Attribute Configuration FTP Lighting Configuration TFTP Lighting Configuration File System Overview The Switch provides a flash file system for efficient management of the...

Page 438: ...e separate For example you delete a file with the main attribute from the flash memory however the mapping relationship between the main attribute and the name of this file is not cancelled And after...

Page 439: ...boot boot loader file url fabric Optional Assign the backup attribute to a file so as to use this file as the backup boot file upon next startup boot boot loader backup attribute file url fabric Optio...

Page 440: ...cd directory command for changing focus to a different switches file system or the unit2 flash device name parameter for the command reset recycle You can use the following commands to perform file o...

Page 441: ...on files includes Display the current configuration and saved configuration of the Switch Save the current configuration Erase configuration files from Flash Memory Displaying the Current configuratio...

Page 442: ...rs for initialization when the Switch is powered on for the next time Perform the following configuration in User View Table 480 Erase Configuration Files from Flash Memory You may erase the configura...

Page 443: ...is still used widely while most users transmit files using e mail and Web FTP a TCP IP protocol on the application layer is used for transmitting files between a remote server and a local host The Swi...

Page 444: ...the ftp command You need first get FTP user command and password and then log into the remote FTP server Then you can get the directory and file authority PC Start FTP server and make such settings as...

Page 445: ...Table 489 Configure FTP Server Connection Timeout By default the FTP server connection timeout is 30 minutes Use a specified source interface to establish a connection with an FTP server ftp cluster...

Page 446: ...creating or deleting a directory Configuring Source IP Address for TFTP Service Packets You can configure source IP address or source interface for the TFTP server and TFTP client to enhance service...

Page 447: ...purpose Networking Diagram Figure 113 Networking for FTP Configuration Configuration Procedure 1 Configure the FTP server parameters on the PC a user named as Switch password hello read and write auth...

Page 448: ...TP client The configuration on FTP server Configure a FTP user named as Switch with password hello and with read and write authority over the flash root directory on the PC The IP address of a VLAN in...

Page 449: ...een the clients and server TFTP is implemented on the basis of UDP TFTP transmission is originated from the client end To download a file the client sends a request to the TFTP server and then receive...

Page 450: ...erver The IP address of a VLAN interface on the Switch is 1 1 1 1 and that of the PC is 2 2 2 2 The interface on the Switch connecting the PC belongs to the same VLAN The Switch application switch app...

Page 451: ...of a device and the port ID of the Switch connected to it The dynamic entries not configured manually are learned by the Switch The Switch learns a MAC address in the following way after receiving a d...

Page 452: ...can manually add modify or delete the entries in MAC address table according to the actual needs They can also delete all the unicast MAC address table entries related to a specified port or delete a...

Page 453: ...ies Setting the Max Count of MAC Addresses Learned by a Port With the address learning function a Switch can learn new MAC addresses After it has received a packet destined for an already learned MAC add...

Page 454: ...nts The user logs into the switch using the Console port to display the MAC address table Switch display the entire MAC address table of the switch If this switch is a member of a stack then the e...

Page 455: ...0s and add a static address 00e0 fc35 dc71 to Ethernet1 0 2 in vlan1 Networking Diagram Figure 119 Typical Configuration of Address Table Management Configuration Procedure 1 Enter the System View of...

Page 456: ...the following configuration in User View and the display schedule reboot command can be performed in any view Table 502 Reboot the Switch Designating the APP Adopted when Booting the Switch Next Time...

Page 457: ...ote upgrade using the right commands The Switch serves as FTP client and the remote PC as FTP server The configuration on the FTP server Configure an FTP user named as Switch with password hello and w...

Page 458: ...t command in User View to establish FTP connection then enter the correct username and password to log into the FTP server SW5500 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 servi...

Page 459: ...urce IP Address Source Interface IP Address When you use the telnet ip address port command to log into another device from your current switch that acts as a Telnet client you cannot specify the sour...

Page 460: ...ault the UTC time zone is adopted Setting the Summer Time You can set the name start and end time of the summer time Perform the following operations in the User View Table 511 Setting the Summer Time...

Page 461: ...e relevant chapters The following display commands are used for displaying the system state and the statistics information Configuration agent is one of the XRN features You can log into one Switch of...

Page 462: ...witches Figure 121 Debug Output You can use the following commands to control the above mentioned debugging Perform the following operations in User View Display the current configuration display curr...

Page 463: ...ynchronization switch of the whole fabric If you enabled the information synchronization switch after the synchronization information statistics and detection you must execute the undo info center swi...

Page 464: ...iodical testing Perform the following configuration in System View Table 518 Test Periodically if the IP address is Reachable The Switch can ping an IP address every one minute to test if it is reacha...

Page 465: ...g on network It is an enhanced alternative to the ping command Remote ping test group is a set of remote ping test parameters A test group contains several test parameters and is uniquely identified b...

Page 466: ...is equivalent to the n parameter in the ping command Automatic test interval This parameter is used to allow the system to automatically perform the same test at regular intervals Test timeout time T...

Page 467: ...ount 10 S5500 remote ping administrator icmp timeout 3 4 Enable the test operation S5500 remote ping administrator icmp test enable Configure the test parameters Configure the destination IP address o...

Page 468: ...info center the first part will be Priority For example 187 Jun 7 05 22 03 2003 SW5500 IFNET 6 UPDOWN Line protocol on interface Ethernet1 0 2 changed state to UP The description of the components of...

Page 469: ...ule name 4 Module name The module name is the name of module which created this logging information the following sheet lists some examples Table 520 Module Names in Logging Information Module name De...

Page 470: ...nformation is in Table 521 IP IP module IPC Inter process communication module IPMC IP multicast module L2INF Interface management module LACL LANswitch ACL module LQOS LANswitch QoS module LS Local s...

Page 471: ...tions that is Console monitor to Telnet terminal logbuffer loghost trapbuffer and SNMP The log is divided into 8 levels according to the significance and it can be filtered based on the levels The inf...

Page 472: ...ne which modules and information to be sent out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information...

Page 473: ...current terminal display function using the terminal monitor command Device Configuration Default Value Configuration Description Switch Enable info center By default info center is enabled Other con...

Page 474: ...d only if the info center is enabled Set the information output direction to SNMP Set information source You can define which modules and information to be sent out and the time stamp format of inform...

Page 475: ...have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one If you want to view the debugging information...

Page 476: ...information classification and outputting 2 Configuring to output information to the control terminal Perform the following operation in Table 534 Table 532 Configure the information to be sent to lo...

Page 477: ...configuring information source meantime using the debugging command to turn on the debugging Switch of those modules You can use the following commands to configure log information debugging informat...

Page 478: ...so on Perform the following operation in System View Table 540 Defining Information Source Operation Command Enable terminal display function of debugging information terminal debugging Disable termi...

Page 479: ...ommands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in System View Table 541 Configuring the Output Format o...

Page 480: ...ow it will not be output channel number specifies the channel number and channel name specifies the channel name When defining the information sent to the log buffer channel number or channel name mus...

Page 481: ...ng operation in System View Table 548 Configuring to Output Information to Trap Buffer 3 Configuring the information source on the Switch With this configuration you can define the information that is...

Page 482: ...se the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in System View Table 550 Configuring t...

Page 483: ...ugging Switch of those modules You can use the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operatio...

Page 484: ...nter You can also authenticate the effect of the configuration by viewing displayed information By performing the reset command in User View you can clear the statistics of info center Perform the fol...

Page 485: ...ity level above informational will be sent to the loghost The output language is English The modules that allowed to output information are ARP and IP Networking Diagram Figure 127 Schematic Diagram o...

Page 486: ...t be consistent with info center loghost and info center loghost a b c d facility configured on the Switch Otherwise the log information probably cannot be output to the loghost correctly c After the...

Page 487: ...mmand as the super user root mkdir var log SW5500 touch var log SW5500 information b Edit file etc syslog conf as the super user root add the following selector actor pairs SW5500 configuration messag...

Page 488: ...the log information of the Switch to Unix loghost The IP address of the loghost is 202 38 1 10 The information with the severity level above informational will be sent to the loghost The output langua...

Page 489: ...twork devices such as a Switch Hub so that the devices become network facilities with RMON probe function RMON NMS uses the basic SNMP commands to exchange data information with SNMP Agent and collect...

Page 490: ...ds to add delete an entry to from the history control terminal Perform the following configuration in Ethernet Port View Table 560 Add Delete an Entry to from the History Control Terminal Adding Delet...

Page 491: ...onfiguration Display and Debug RMON Operation Command Add an entry to the extended RMON alarm table rmon prialarm entry number alarm var alarm des sampling timer delta absolute changeratio rising thre...

Page 492: ...rs packets 0 CRC alignment errors 0 collisions 0 Dropped packet events due to lack of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 10...

Page 493: ...system clocks are synchronized as follows Switch A sends an NTP packet to Switch B The packet carries the timestamp 10 00 00am T1 that tells when it left Switch A When the NTP packet arrives at Switc...

Page 494: ...the local Switch the local equipment operates in symmetric active mode If you configure an interface on the local Switch to transmit NTP broadcast packets the local Switch will operate in broadcast mo...

Page 495: ...cal Switch to the peer will be taken priority indicates the peer will be the first choice for the time server Configuring NTP Broadcast Server Mode Designate an interface on the local Switch to transm...

Page 496: ...tication key ID keyid ranges from 0 to 4294967295 ttl number of the multicast packets ranges from 1 to 255 and the multicast IP address defaults to 224 0 1 1 This command can only be configured on the...

Page 497: ...571 Set the Specified Key as Reliable Key number key number ranges from 1 to 4294967295 Designating an Interface to Transmit NTP Message If the local equipment is configured to transmit all the NTP m...

Page 498: ...itation The first matched authority will be given Perform the following configurations in System View Table 574 Set Authority to Access a Local Switch IP address ACL number is specified through the ac...

Page 499: ...typical NTP configurations Configure NTP Server Network Requirements On Switch1 set the local clock as the NTP master clock at stratum 2 On Switch 2 configure Switch 1 as the time server in server mo...

Page 500: ...by Switch 1 Before the synchronization the Switch 2 is shown in the following status switch2 display ntp service status clock status unsynchronized clock stratum 16 reference clock ID none nominal fr...

Page 501: ...5 127 127 1 0 LOCAL 0 7 377 64 57 0 0 0 0 1 0 5 1 0 1 11 0 0 0 016 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured N...

Page 502: ...811A112 By this time Switch 4 has been synchronized by Switch 5 and it is at stratum 2 or higher than Switch 5 by 1 Display the sessions of Switch 4 and you will see Switch 4 has been connected with S...

Page 503: ...from Switch 3 while Switch 4 is synchronized by Switch 3 after receiving its broadcast packet After the synchronization you can find the state of Switch 4 as follows switch4 display ntp service status...

Page 504: ...t as a multicast server switch3 Vlan Interface2 ntp service multicast server 2 Configure Switch 4 a Enter System View switch4 system view b Enter Vlan interface2 view switch4 interface vlan interface...

Page 505: ...a Enter System View switch2 system view b Set Switch 1 as time server switch2 ntp service unicast server 1 0 1 11 c Enable authentication switch2 ntp service authentication enable d Set the key switc...

Page 506: ...egotiation stage Otherwise the server clears the TCP connection Key negotiation stage Both ends negotiate key algorithm and compute session key The server randomly generates its RSA key and sends the...

Page 507: ...ther a username they key in exists or not This is also a way to protect a username Configuring SSH Server Basic configuration tasks refer to those required for successful connection from SSH client to...

Page 508: ...the client user must be configured on the Switch that is to perform the 7 and 8 serial number marked configuration By default no authentication type is specified for a new user so they cannot access t...

Page 509: ...n characters since the system can remove the blank space automatically But the public key should be composed of hexadecimal characters Terminate public key editing and save the result with the public...

Page 510: ...ivate key file If you specify RSA authentication for the SSH user you must specify RSA private key file The RSA key which includes the public key and private key are generated by the client software T...

Page 511: ...the following lines of text before the existing text rsa peer public key mykey public key code begin where myKey is a name used to identify the key within the switch you may choose any name for this...

Page 512: ...ion e g keys bat This file can be transferred to the switch using FTP or TFTP The key is installed using the execute command in the System view SW5500 execute keys bat Specifying Server IP Address Sta...

Page 513: ...ocol Select SSH for the Protocol item Choosing SSH Version Click the left menu Category Connection SSH to enter the interface shown in Figure 140 Figure 140 SSH Client Configuration Interface 2 You ca...

Page 514: ...Choose a desired file and click OK Opening SSH Connection Click Open to enter SSH client interface If it runs normally you are prompted to enter username and password See Figure 142 Figure 142 SSH cl...

Page 515: ...n mode scheme SW5500 ui vty0 4 protocol inbound ssh SW5500 local user client001 SW5500 luser client001 password simple 3com SW5500 luser client001 service type ssh SW5500 ssh user client001 authentica...

Page 516: ...5500 rsa public peer public key end SW5500 ssh user client002 assign rsa key key002 You need to specify RSA private key which corresponds to the public key for the SSH user client002 Run SSH1 5 client...

Page 517: ...al You can use the undelete command to restore the files which are deleted by using the delete command without the unreserved keyword Delete the files in the recycle bin completely reset recycle bin f...

Page 518: ...ocol in the TCP IP protocol suite It is used for file transfer between remote server and local host The Ethernet switch provides the following FTP services FTP server A user runs FTP client on a PC an...

Page 519: ...g into the remote FTP server Required For detailed configuration refer to the configuration instruction relevant to FTP client Upload file from the FTP client to the FTP server Required For detailed c...

Page 520: ...used to transfer programs ASCII code used to transfer text files Before configuring TFTP the network administrator should first configure the IP addresses of the TFTP client and server and ensure that...

Page 521: ...t the SWITCH 5500 switch is downloading file from a TFTP server and will stop rotating when the file downloading is finished as shown in Figure 145 (figure labels: Switch, PC, Network, Switch, Switch, PC, Ne...

Page 522: ...522 CHAPTER 22 FILE SYSTEM MANAGEMENT...

Page 523: ...port The backup switch is connected to the upstream network through its Ethernet1 0 2 port The virtual router IP address of the backup group is 10 100 10 1 Enable the port tracking function on Ethern...

Page 524: ...w and enable the port tracking function S5500 interface vlan interface2 S5500 Vlan interface2 vrrp vlan Interface 2 vrid 1 track Ethernet Master Host 1 Host 2 Host 3 10 100 10 7 10 100 10 8 10 100 10...

Page 525: ...describes the Dynamically Apply ACL by RADIUS Server configurations Table 590 Configuring Dynamically Apply ACL by RADIUS Server Device Configuration Configuration link RADIUS server Configure user a...

Page 526: ...a The user name is test and its authentication password is test It is accessed on Ethernet1 0 1 of the switch and belongs to the test163 net domain Its corresponding ACL is ACL 3000 and the content of...

Page 527: ...sers See Figure 150 Figure 150 The first step 2 Create a new user and then on the General Attributes page input the password of the user meanwhile set the Account Expiration Date as Dec 31 2049 See Fi...

Page 528: ...LY APPLY ACL BY RADIUS SERVER CONFIGURATION Figure 152 The third step 4 Click Options Encryption Keys set the encryption key See Figure 153 Figure 153 The fourth step 5 Input the NAS IP and the encryp...

Page 529: ...radius radius1 key accounting aaaa 4 Order the switch to delete the user domain name from the user name and then send the user name to the RADIUS server S5500 radius radius1 user name format without d...

Page 530: ...0 153 1 9 Access 8021X Auth CHAP Port Ether Port NO 0x10001001 Initial VLAN 1 Authorization VLAN 1 ACL Group 3000 CAR Disable Priority Disable Start 2005 01 02 20 43 56 Current 2005 01 02 20 50 00 Onl...

Page 531: ...ommand Set the detecting interval to 60 seconds the maximum number of retries to 3 and the timeout time to 3 seconds Table 591 Configure the auto detect function Operation Command Description Enter sy...

Page 532: ...5500 detect group 10 timer wait 3 S5500 detect group 10 quit Auto Detect Implementation The results of auto detect operations reachable or unreachable can be used to determine whether or not to enable...

Page 533: ...detecting group 8 is reachable Network diagram Figure 156 Network diagram for static routing Table 592 Configure the auto detect function for a static route Operation Command Description Enter system...

Page 534: ...iguring the Auto Detect Function for VRRP You need to create a detecting group and perform VRRP related configurations before the following operations Configuration Example Network requirements Switch...

Page 535: ...500 B vlan interface1 vrrp vrid 1 priority 110 S5500 B vlan interface1 vrrp vrid 1 track detect group 9 reduced 20 2 Configure Switch D a Assign an IP address to VLAN 1 interface S5500 D system view S...

Page 536: ...up that is the result of the detecting group becomes reachable again the system enables the primary VLAN interface and shuts down the secondary Configuring the Auto Detect Function for VLAN Interface...

Page 537: ...24 d Add Ethernet1 0 2 port to VLAN 2 S5500 A vlan 2 S5500 A vlan2 port ethernet1 0 2 e Assign an IP address to VLAN 2 interface S5500 A interface vlan interface 2 S5500 A vlan interface2 ip address 1...

Page 538: ...address of 192 168 1 2 as the next hop and set the detecting number to 1 S5500 A detect group 10 detect list 1 ip address 10 1 1 4 nexthop 192 168 1 2 S5500 A detect group 10 quit h Specify to enable...

Page 539: ...decide the topology of the network The configuration BPDU contains the information enough to ensure the Switches to compute the spanning tree The configuration BPDU mainly contains the following info...

Page 540: ...strates the network Figure 160 Switch Networking To facilitate the descriptions only the first four parts of the configuration BPDU are described in the example They are root ID expressed as Ethernet...

Page 541: ...o root with the value made by the root path cost plus the path cost corresponding to the root port the designated bridge ID with the local Switch ID and the designated port ID with the local port ID T...

Page 542: ...ications made on its configuration BPDU However CP2 will be blocked and its BPDU also remains the same but it will not receive the data excluding the STP packet forwarded from Switch B until spanning...

Page 543: ...an occasional loop may still occur In RSTP a transitional state mechanism is thus adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and desi...

Page 544: ...Switch A and Switch B Enable the STP feature on the Switch Enable the STP feature on the port The STP feature is disabled from the Switch but will be enabled on all ports once being enabled on the Sw...

Page 545: ...ynchronous packets eliminating unnecessary forwarding delay Specify the Path Cost on a port Specify the standard to follow in Path Cost calculation The Switch gets the path cost of a port from the lin...

Page 546: ...culation The Switch gets the path cost of a port from the link rate under the IEEE 802 1t standard The path cost of a port is closely related to the transmission rate of the link the port connected wi...

Page 547: ...nt role in root port selection You can make a port to be root port by giving it the smallest preference value Configure whether to connect a port with a peer to peer link RSTP can detect automatically w...

Page 548: ...one spanning tree will be generated on one Switched network To ensure the successful communication between VLANs on a network all of them must be distributed consecutively along the STP path otherwise...

Page 549: ...root bridge or secondary root bridge you cannot modify the bridge priority of the Switch A Switch can either be a primary or secondary root bridge but not both of them If the primary root of a spannin...

Page 550: ...red too short occasional path redundancy may occur If the Forward Delay is configured too long restoring the network connection may take a long time It is recommended to use the default setting By def...

Page 551: ...eout Factor of the Bridge It is recommended to set 5 6 or 7 as the value of multiple in the steady network By default the multiple value of hello time of the bridge is 3 Specifying the Maximum Transmi...

Page 552: ...t directly connected to the terminal as an EdgePort so that the port can transfer immediately to the forwarding state By default all the Ethernet ports are configured as non EdgePort Specifying the Pa...

Page 553: ...hernet port you can put a specified Ethernet port into the final spanning tree Generally the lower the value is set the higher priority the port has and the more likely it is for this Ethernet port to...

Page 554: ...the port to work in RSTP mode This command can only be issued if the bridge runs RSTP in RSTP mode and has no effect in the STP compatible mode You can use the following command to configure mCheck o...

Page 555: ...e the security functions of the Switch Perform the following configuration in corresponding views Table 613 Configure the Switch Security Function After being configured with BPDU protection the Switc...

Page 556: ...m user computers and they are connected to Switch C and Switch B with uplink ports You can configure RSTP on the Switch B through Switch F to meet these requirements Only the configurations related to...

Page 557: ...itEthernet2 0 1 stp root protection SW5500 interface Gigabitethernet 2 0 2 SW5500 GigabitEthernet2 0 2 stp root protection 2 Configure Switch B a Enable RSTP globally SW5500 stp enable b The port RSTP...

Page 558: ...ection SW5500 interface Ethernet 1 0 3 SW5500 Ethernet1 0 3 stp root protection RSTP operating mode time parameters and port parameters take default values 4 Configure Switch D a Enable RSTP globally...

Page 559: ...le Configuration Operation Command Description Enter system view system view Create PoE Profile poe profile profilename Required Enter PoE Profile view while creating PoE Profile Configure the relevan...

Page 560: ...the PoE Profile configuration of each Unit remains the same as it was before the split PoE Profile Configuration Example Network requirements Ethernet1 0 1 through Ethernet1 0 10 ports of the Switch...

Page 561: ...me Profile1 4 Create Profile 2 and enter poe profile view S5500 poe profile profile2 5 In Profile 2 add the PoE policy configuration applicable to Ethernet1 0 6 through Ethernet1 0 10 ports for type A...

Page 562: ...to Ethernet1 0 1 through Ethernet1 0 5 ports S5500 apply poe profile profile1 interface ethernet1 0 1 to ethernet1 0 5 8 Apply the configured Profile 2 to Ethernet1 0 6 through Ethernet1 0 10 ports S...

Page 563: ...server software operated on network devices Network Management Station can send GetRequest GetNextRequest and SetRequest messages to the Agent Upon receiving the requests from the Network Management S...

Page 564: ...PV2 RFC1907 RMON II Probe Config RFC2021 IP FORWARDING MIB RFC2096 Interfaces MIB RFC2233 SNMP FRAMEWORK MIB RFC2571 SNMP MPD MIB RFC2572 SNMP NOTIFICATION MIB SNMP TARGET MIB RFC2573 RADIUS AUTH CLIE...

Page 565: ...Deleting a View Set the Size of SNMP Packet Sent Received by an Agent Enable Disable a Port Transmitting Trap Information SNMP Agent Disable SNMP Agent Private MIB Configuration Management MIB Flash...

Page 566: ...ble 618 Enable Disable SNMP Agent to Send Trap Setting the Destination Address of Trap You can use the following commands to set or delete the destination address of the trap Perform the following con...

Page 567: ...r Remote Device You can use the following commands to set the engine ID of a local or remote device Perform the following configuration in System View Table 622 Set the Engine ID of a Local or Remote...

Page 568: ...uration in System View Operation Command Setting an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl list snmp agent group v3 gro...

Page 569: ...mmand setting the set command device status Configuring the Network Management Operation Logging Function In a network that contains no fabric you can use the display logbuffer command to view the log...

Page 570: ...splay the modules with trap enabled and the module with trap not enabled display snmp agent trap list Display the statistics information about SNMP packets display snmp agent statistics Display the en...

Page 571: ...ch SW5500 snmp agent sys info contact Mr Wang Tel 3306 SW5500 snmp agent sys info location telephone closet 3rd floor 5 Enable SNMP agent to send the trap to Network Management Station whose ip addres...

Page 572: ...nmp agent mib view included ViewDefault snmpVacmMIB SW5500 display snmp agent mib view View name ViewDefault MIB Subtree iso Subtree mask Storage type nonVolatile View Type included View status active...

Page 573: ...interface type interface number Optional Use a specified source IP address to establish a connection with a TFTP server tftp tftp server source ip ip addr Optional Use a specified source interface to...

Page 574: ...type interface number Optional Table 632 Configure source IP address for service packets continued Operation Command Remarks Table 633 Display the source IP address configuration Operation Command Dis...

Page 575: ...and prompts the user to change the password as soon as possible Telnet and SSH passwords all password aging sub functions are applicable Super passwords only the password aging time setting and the p...

Page 576: ...rom re logging in forever The user is allowed to log into the switch again only after the administrator manually removes the user from the user blacklist 3 Allow the user to log in again without any i...

Page 577: ...Table 635 Configure password aging Operation Command Description Enter system view system view Enable password aging password control aging enable Optional By default password aging is enabled Set ag...

Page 578: ...assword or the two input passwords are inconsistent After the user changes the password successfully the switch saves the old password in a readable file in the flash memory The switch does not provid...

Page 579: ...ng Operation Command Description Enter system view system view Enable history password recording password control history enable Optional By default history password recording is enabled Configure the...

Page 580: ...ddress the blacklist will not affect the user any more when the user logs into the switch Table 639 Configuring a user login password in encryption mode Operation Command Description Enter system view...

Page 581: ...ration of the password control and verify your configuration Table 641 Manually remove one or all user entries in the blacklist Operation Command Description Enter system view system view Delete one s...

Page 582: ...est password Password Confirm Updating the password file please wait 3 Enable password aging S5500 S5500 password control aging enable Password aging enabled for all users Default 90 days 4 Enable the...

Page 583: ...tion Disable Password History was last reset 38 days ago 8 Display the names and corresponding IP addresses of all the users that have been added to the blacklist because of password attempt failure S...

Page 584: ...584 CHAPTER 30 PASSWORD CONTROL CONFIGURATION OPERATIONS...

Page 585: ...other protocol independent multicast sparse mode PIM SM domains MSDP is only valid for the any source multicast ASM model MSDP describes a mechanism of interconnecting multiple PIM SM domains It requ...

Page 586: ...accept SA messages only from the correct paths and forward the SA messages thus avoiding SA message loop In addition you can configure a mesh group among MSDP peers to avoid SA flooding among MSDP pee...

Page 587: ...icast data sent by all the multicast sources in the entire PIM SM domain As described above RPs exchange information among one another through MSDP a multicast source registers with the nearest RP and...

Page 588: ...he SA message and the first multicast data received by the RP in the PIM SM1 domain 5 If group members namely receivers exists in the PIM SM domains where MSDP peers of RP1 reside for example if group...

Page 589: ...elongs to the same MSDP mesh group with the receiver the receiver accepts the SA message and forwards it to peers out of the mesh group For example when RP2 sends an SA message to RP4 RP4 accepts the...

Page 590: ...d to handle them based on the configured filtering policy using the rp policy parameter When configuring multiple static RPF peers for the same router you must follow the following two configuration m...

Page 591: ...there will be no reconnection attempts However the configuration information is kept Configuration Prerequisites Before configuring an MSDP peer connection you need to configure A unicast routing pro...

Page 592: ...one another The same group name must be configured on all the peers If you add the same MSDP peer into multiple mesh groups only the latest configuration takes effect Table 645 Configure description...

Page 593: ...receiver In order for the new receiver to know about the currently active multicast source as quickly as possible the router needs to send SA request messages to the MSDP peer Generally a router accep...

Page 594: ...A message An MSDP peer can be configured to advertise only the S G entries in the multicast routing table that satisfy the filtering rule when the MSDP creates the SA message that is to control the S...

Page 595: ...ext SA message You can configure the number of SA entries cached in each MSDP peer on the router by executing the following command but the number must be within the system limit The system sets the m...

Page 596: ...up the switch directly connected to the receiver can send a Join message to the nearest RP on the topology Configure the maximum number of SA messages cached peer peer address sa cache maximum sa limi...

Page 597: ...100 SwitchC Vlan interface100 pim sm SwitchC Vlan interface100 interface vlan interface 200 SwitchC Vlan interface200 pim sm SwitchC Vlan interface200 interface vlan interface 110 SwitchC Vlan interf...

Page 598: ...lag SPT ACT UpTime 00 03 32 Upstream interface Vlan interface101 RPF neighbor 192 168 3 2 Downstream interface s information Total number of downstreams 1 1 Vlan interface100 Protocol pim sm UpTime 00...

Page 599: ...eck that the address of the local connect interface interface is consistent with the address of the corresponding MSDP peer No SA Entry in the SA Cache of the Router Symptom An MSDP fails to send S G...

Page 600: ...600 CHAPTER 31 MSDP CONFIGURATION...

Page 601: ...is not necessary. Topology discovery and display functions that help network monitoring and debugging. Concurrent software upgrade and parameter configuration on multiple switches. Being free from topo...

Page 602: ...uster can be the management device, a member device or a candidate device. Figure 175 shows the role changing rule. Table 655 Devices in a cluster: Role / Configurations / Functions. Management device: Is confi...

Page 603: ...all the activated ports regularly. The packet carries the holdtime, indicating how long the receiving device has to keep the updating data. The receiver only keeps the information in the NDP packet but...

Page 604: ...ce collects topology information about all the member and candidate devices to provide useful information for a user when he establishes a cluster. The management device learns the network topology thr...

Page 605: ...Enter the Ethernet port: interface interface-type interface-number. Enable port NDP: ndp enable (Required). Table 657 Configure NDP parameters: Operation / Command / Remark. Enter system view: system-view. Configu...

Page 606: ...ers (continued): Operation / Command / Remark. Table 661 Configure cluster parameters manually: Operation / Command / Remark. Enter system view: system-view. Specify the management VLAN: management-vlan vlan-id. This i...

Page 607: ...based on your instructions. Table 661 Configure cluster parameters manually (continued): Operation / Command / Remark. Table 663 Configure internal-external interaction: Operation / Command / Description. Enter syst...

Page 608: ...the Ethernet port: interface interface-type interface-number. Enable port NDP: ndp enable (Required). Table 666 Enable system and port NTDP: Operation / Command / Remark. Enter system view: system-view. Enable syst...

Page 609: ...switch to a member device according to the MAC address. Table 669 Display and maintain cluster configurations: Operation / Command / Remark. Display global NDP configuration information, including NDP packet...

Page 610: ...of the SNMP site and logging host is 69.172.55.4. Network diagram: Cluster Management. Configuration procedure: 1 Configure the management device. a Enable system NDP and port NDP on E1/0/2 and E1/0/3: [S55...

Page 611: ...n collection as 3 minutes: [S5500] ntdp timer 3. i Enable the cluster function: [S5500] cluster enable. j Enter cluster view: [S5500] cluster, prompt becomes [S5500-cluster]. k Configure an IP address pool for cluster members. The...

Page 612: ...command on the management device to switch to member device view to maintain and manage a member device. You can then execute the cluster switch-to administrator command to resume the management devic...

Page 613: ...terface: [S5500-cluster] nm-interface Vlan-interface 2. Network diagram labels: Port E1/0/2, VLAN 2, VLAN 2, FTP Server IP Address 192.168.4.3, IP Address 192.168.4.22, S3526E, IP Ad...

Page 614: ...614 CHAPTER 32 CLUSTERING...

Page 615: ...econdary authorization HWTACACS. Configuring the secondary authorization server. Configuring HWTACACS Accounting Servers and the Related Attributes. Configuring the TACACS accounting server and related f...

Page 616: ...ters HWTACACS view. The system supports up to 16 HWTACACS schemes. You can only delete the schemes that are not being used. Setting the Username Format Acceptable to the TACACS Server. Setting the usernam...

Page 617: ...ring HWTACACS authentication servers: Operation / Command. Configure the HWTACACS primary authentication server: primary authentication ip-address port. Delete the HWTACACS primary authentication server: und...

Page 618: ...erform the following configuration in HWTACACS view. By default, each username sent to a TACACS server contains a domain name. Table 676 Configuring source address for HWTACACS packets sent by the NAS: Op...

Page 619: ...ine users to the TACACS accounting server periodically. Perform the following configuration in HWTACACS view. The interval is in minutes and must be a multiple of 3. Table 679 Setting the unit of data fl...

Page 620: ...domain domain-name | interface interface-type interface-number | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | vlan vlan-id | ucibindex ucib-index | user-name user-name. Display related inform...

Page 621: ...ith the switch to expert; add the usernames and passwords of users. Networking diagram: See Figure 177 Networking topology. Figure 177 Configuring the remote RADIUS authentication for Telnet users. Reset t...

Page 622: ...10.110.91.164 49
[S5500-hwtacacs-hwtac] primary authorization 10.110.91.164 49
[S5500-hwtacacs-hwtac] key authentication expert
[S5500-hwtacacs-hwtac] key authorization expert
[S5500-hwtacacs-hwtac] undo use...
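The HWTACACS example above sets `key authentication expert` on the switch; the same key has to be configured on the TACACS server, because that key is the only thing protecting the packet bodies on the wire. The following Python is an added example, not code from the 3Com guide or from any 3Com or TACACS server product: it derives the TACACS+ pseudo-pad from the shared key and XORs it over an authentication START body the way every TACACS+ client and server does (RFC 8907, section 4.5). The key "expert" is taken from the configuration example on this page; the session id, user name, port and remote address are constructed for the demo.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear when set
HEADER = struct.Struct(">BBBBII") # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(same prefix|pad_n-1)."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START: action LOGIN(1), priv_lvl USER(1), authen_type ASCII(1), service LOGIN(1)."""
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(key: bytes, raw: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def parse_authen_start(body: bytes) -> dict:
    action, priv, atype, service, ul, pl, rl, dl = body[:8]
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem, off = body[off:off + rl], off + rl
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": service,
            "user": user, "port": port, "rem_addr": rem, "data": body[off:off + dl]}


def demo(key: bytes = b"expert", wrong_key: bytes = b"guess") -> dict:
    session_id = 0x5EC0DE01  # constructed; a real NAS picks this randomly per session
    body = authen_start_body(b"admin", b"vty0", b"10.110.91.10")
    wire = build_packet(key, session_id, 1, body)
    good = parse_packet(key, wire)
    bad = parse_packet(wrong_key, wire)  # parses without error: there is no integrity check
    return {"wire": wire,
            "roundtrip_ok": good["body"] == body,
            "wrong_key_ok": bad["body"] == body,
            "user": parse_authen_start(good["body"])["user"]}
```

Note what the round trip shows: a receiver with the wrong key still gets a packet that parses without error, because TACACS+ carries no integrity check over the body; the content simply becomes garbage. The obfuscation is an MD5 keystream keyed only by a static shared secret, so the key should be long and random, and the path between the switch and the TACACS server belongs on a management network rather than a user VLAN.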

Page 623: ...is disabled and the user-configurable bootrom password is lost, there is no recovery mechanism available. In this instance the Switch will need to be returned to 3Com for repair. The following commands a...

Page 624: ...cation file to boot
3. Display all files in flash
4. Delete file from flash
5. Modify bootrom password
6. Enter bootrom upgrade menu
7. Skip current configuration file
8. Set bootrom password recovery
9. Set...

Page 625: ...following entries:
- Simple: this enables you to read and/or change a password and send the configuration file using TFTP back into the Switch.
- Cipher: change this word to simple and replace the encrypt...

Page 626: ...Bootrom Password Recovery. Select option 8 to set the bootrom password recovery. The following is displayed: "Warning: if disable the bootrom password recovery, the super password based on switch mac addr...
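The recovery procedure above comes down to: skip the configuration file at boot, TFTP the saved file off the switch, change the user's `password cipher <text>` line to `password simple <new-password>`, and TFTP it back. The Python helper below is an added example, not part of the 3Com guide: it makes that edit for named local users only, and then lists every line that now carries a plaintext (`simple`) password so they can be re-set from the CLI after login. The sample configuration is constructed and its cipher strings are made up.

```python
import re

# Constructed sample of the relevant part of a saved Switch 5500 configuration file;
# the cipher strings are made up and are not real switch output.
SAMPLE_CONFIG = """\
#
 sysname S5500
#
local-user admin
 password cipher )Z$UKS$QAAYS@]@
 service-type telnet
 level 3
local-user monitor
 password cipher _(TT8F]Y5SQ=^QMAF4<1!!
 service-type telnet
 level 1
#
user-interface vty 0 4
 authentication-mode scheme
#
return
"""

USER_LINE = re.compile(r"^local-user (?P<name>\S+)\s*$")
CIPHER_LINE = re.compile(r"^(?P<indent>\s+)password cipher \S+\s*$")


def rewrite_cipher_passwords(config: str, new_passwords: dict) -> tuple:
    """Replace `password cipher <text>` with `password simple <new>` inside the
    local-user blocks named in new_passwords. Returns (new_config, users_changed)."""
    for pw in new_passwords.values():
        if not pw or any(ch.isspace() for ch in pw):
            raise ValueError("a simple password is a single token on the config line")
    out, changed, current = [], [], None
    for line in config.splitlines():
        m = USER_LINE.match(line)
        if m:
            current = m.group("name")          # entering a local-user block
        elif line.strip() and not line.startswith(" "):
            current = None                     # any other top-level line ends the block
        m = CIPHER_LINE.match(line)
        if m and current in new_passwords:
            line = f"{m.group('indent')}password simple {new_passwords[current]}"
            changed.append(current)
        out.append(line)
    return "\n".join(out) + "\n", changed


def plaintext_passwords(config: str) -> list:
    """Lines that still carry a plaintext password; re-set these from the CLI after login."""
    return [ln.strip() for ln in config.splitlines() if re.search(r"\bpassword simple\b", ln)]
```

Once you are logged in again, re-enter the password from the CLI so the switch stores it in cipher form, and delete the TFTP copy of the file that contains the plaintext password.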

Page 627: ...rver using these products. Microsoft IAS RADIUS, Funk RADIUS and FreeRADIUS are not 3Com products and are not supported by 3Com. Configuring Microsoft IAS RADIUS: 3Com has successfully installed and teste...

Page 628: ...t available in Mixed mode. To change mode, go to the Active Directory Users and Computers window, right-click the domain and choose Properties, then select Change Mode. c Add a user that is allowed to use the netwo...

Page 629: ...abelled Store password using reversible encryption (this keeps a recoverable copy of the password in Active Directory, so set it only on the accounts that need it). f Now re-enter the password for the account: right-click the user account and select Reset Password. 3 Enable the server as a certificate server. To use...

Page 630: ...continue through the wizard. In the Certificate Authority Type window, select Enterprise root CA. Enter information to identify the Certificate Authority in the CA Identifying Information window. Enter th...

Page 631: ...le Networking Services and ensure that the Internet Authentication Service component is checked. b Select OK to end the wizard. 5 Configure a Certificate Authority. a Go to Programs > Administrative Tools > Certifica...

Page 632: ...ve Directory domain. Select Properties. e Select the Group Policy tab and ensure that the Default Domain Policy is highlighted. Click Edit to launch the Group Policy editor. f Go to Computer Configuration...

Page 633: ...icy machine_policy. The command may take a few minutes to take effect. 6 Set up the Internet Authentication Service (IAS) RADIUS Server. a Go to Programs > Administrative Tools > Internet Authentication Service...

Page 634: ...and Time Restrictions and click Add. Click Permitted, then OK. Select Next. h Select Grant remote access permission and select Next. i Click on Edit Profile and select the Authentication tab. Ensure Extensi...

Page 635: ...Enable Remote Access Login for Users. a Select Programs > Administrative Tools > Active Directory Users and Computers. Double-click the user account for which you want to enable authentication. b Select the...

Page 636: ...e following steps show an Advanced Request. The Standard Request differs in the way the certificate is stored on the local computer: it allows you to install the certificate on your computer directly af...

Page 637: ...file is used to generate a certificate. g You will receive this warning message; select Yes. At the next warning message, select Yes and then OK. The PKCS #10 file is now saved to the local drive. h To...

Page 638: ...ot below and click Next. k Open the previously saved PKCS #10 certificate file in Notepad, select all (Ctrl-A) and copy (Ctrl-C) as shown below. l Paste the copied information into the Saved Request fie...

Page 639: ...elect Save. The certificate is also installed on the Certification Authority; you can verify this in the CA Administration tool under Issued Certificates. The PKCS #7 file is not actually required for IEE...

Page 640: ...gement tool on the server and expand the Issued Certificates folder. You should see the newly created certificate. r Double-click the certificate that was generated by the client and select the Details...

Page 641: ...by Next. Provide a name for the certificate and save it to a specified location. Click Finish, followed by OK. t Exit the Certification Authority management tool and launch the Active Directory Users...

Page 642: ...ted and click Open. Click OK. w In the Security Identity Mapping screen, click OK to close it. x Close the Active Directory Users and Domains management tool. This completes the configuration of the RADIUS...

Page 643: ...3 b Create a new remote access policy under IAS and name it Switch Login. Select Next. c Specify Switch Login to match the users in the switch access group; select Next. d Allow Switch Login to grant acce...

Page 644: ...CHAPTER B RADIUS SERVER AND RADIUS CLIENT SETUP. e Use the Edit button to change the Service-Type to Administrative. f Add a Vendor-Specific attribute to indicate the access level that should be provid...

Page 645: ...select a certificate, it could be that there are additional active certificates on your client computer; select the certificate that you have installed for this specific Certification Authority server...

Page 646: ...Users and Computers. a For example, to create one group that will represent VLAN 4, select the Users folder from the domain (see below). b Name the VLAN group with a descriptive name that describes the func...

Page 647: ...Tools > Internet Authentication Service and select Remote Access Policies. Select the policy that you configured earlier, right-click and select Properties. e Click Add to add policy membership. f Select t...

Page 648: ...g Select the VLAN group that you have just created, click Add, and then OK to confirm. h Click OK again to return to the Security Policy properti...

Page 649: ...hat the Attribute value is set to 802 and click OK. l Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen. Table 686 Summary of auto VLAN attributes: For...

Page 650: ...lick Add. n Click Add, ensure that the Attribute value is set to 4 (attribute value in string format) and click OK. This value represents the VLAN ID. o Click OK again on the Multivalued Attribute Informati...

Page 651: ...vice. 2 To test the configuration, connect the workstation to a port on the Switch 5500 (the port does not have to be a member of VLAN 4). Ensure that there is a DHCP server connected to the switch that re...

Page 652: ...teel-Belted RADIUS Server application from www.funk.com and install the application. Once installed, you have a 30-day license to use it. To configure Funk RADIUS as a RADIUS server for networks with the...

Page 653: ...k RADIUS is now ready to run. If you intend to use auto VLAN and QoS, you will need to create VLAN and QoS profiles on the 3Com Switch 5500 and follow the instructions in Configuring auto VLAN and QoS f...

Page 654: ...case-sensitive. 6 Enter the shared secret used to protect the authentication data. The shared secret must be identical on the Switch 5500 and the RADIUS Server. a Select RAS Clients from the left-hand list, en...

Page 655: ...will now appear as potential Return list attributes for every user. 2 After saving the edited radius.dct file, stop and restart the Funk RADIUS service. 3 To use these return list attributes, they need t...

Page 656: ...p://www.freeradius.org and install the application following the instructions from the website. The following instructions assume that you have installed a standard version of FreeRADIUS. To configure Fre...

Page 657: ...vendor-specific attribute 3Com-User-Access-Level in the Access-Accept message for that user. b Add an entry for Network Login, for example:
username Auth-Type := Local, User-Password == "password"
4 Run the Free...

Page 658: ...ylang=en&FamilyID=6B78EDBE-D3CA-4880-929F-453C695B9637. 2 After the updates have been installed, start the Wireless Authentication Service in Component Services on the Windows 2000 workstation; set the...

Page 659: ...ems such as Windows XP, 2000, NT, 98, ME and Mac OS X. Details of the Aegis client can be found at http://www.mtghouse.com. Follow these steps to install the Aegis client: 1 Registering the Aegis Client. When using the...

Page 660: ...on the RADIUS Server with the Password. d Click OK to finish the configuration. e Restart the client, either by rebooting or by stopping and re-starting the service. f Click the OK button, then return to the...

Page 661: ...the RADIUS protocol. Users that already exist on the TACACS server can be authorized using the TACACS or RADIUS server; an optional VLAN and QoS profile can be applied to the user. Network administrators...

Page 662: ...o the Cisco Secure ACS interface, follow these steps: 1 Select Network Configuration from the left-hand side. 2 Select Add Entry from under AAA Clients. 3 Enter the details of the 3Com switch. Spaces are n...

Page 663: ...Select RADIUS (IETF) from the list under Interface Configuration. 7 Check the RADIUS attributes that you wish to install. If you want to use auto VLAN and QoS, ensure that you have the following options s...

Page 664: ...Restart. Adding a User for Network Login: Existing users on a network with a Secure ACS server can be authorized using the TACACS or RADIUS server. New users connected through a Switch 5500 to the netwo...

Page 665: ...n is slightly more complex, as 3Com-specific RADIUS attributes need to be returned to the 3Com Switch 5500. These RADIUS attributes define the access level of the user to the management interface. Fo...

Page 666: ...ogram Files\Cisco Secure ACS\utils. c Copy the 3Com.ini file into the utils directory. d At the command prompt, enter csutil -addUDV 0 3Com.ini. This will stop the Cisco Secure ACS server, add the RADIUS in...

Page 667: ...ration from the left-hand side and select an existing device or add a new device. In the AAA Client Setup window, select RADIUS (3COM) from the Authenticate Using pull-down list. 3 Select Submit + Restart. Th...

Page 668: ...w. 6 Select User Setup and either modify the attributes of an existing user (select Find to display the User List in the right-hand window) or add a new user (see Adding a User for Network Login). Set the u...

Page 669: ...7 In the RADIUS (3Com) Attribute box, check 3Com-User-Access-Level and select Administrator from the pull-down list (see below). 8 Select Submit. The Switch 5500 can now be managed by the Network Admin...
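All four server recipes (IAS in Appendix B, Funk RADIUS, FreeRADIUS, and Cisco Secure ACS here) end at the same point: an Access-Accept carrying Tunnel-Type = VLAN (13), Tunnel-Medium-Type = 802 (6) and Tunnel-Private-Group-ID = "4" for auto VLAN, plus Service-Type = Administrative and the 3Com-User-Access-Level vendor attribute for management access. The Python below is an added example, not code from the 3Com guide or from any of those products: it builds that Access-Accept the way the server does, hides User-Password in the request the way the switch does, and performs the checks the switch must make (identifier, length and Response Authenticator under the shared secret) before acting on any attribute. Attribute numbers are from RFC 2865 and RFC 2868; the 3Com vendor id (43) and the 3Com-User-Access-Level vendor attribute number (1, with Administrator = 3) are assumed from FreeRADIUS's dictionary.3com rather than stated on this page. The shared secret, identifier, user and VLAN values are constructed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_ADMINISTRATIVE, TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 6, 13, 6
# Assumption: 3Com VSA numbering as in FreeRADIUS dictionary.3com, not stated on this page
VENDOR_3COM, ATTR_3COM_USER_ACCESS_LEVEL, ACCESS_LEVEL_ADMINISTRATOR = 43, 1, 3


def avp(t: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type, Length (including the 2 header octets), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([t, len(value) + 2]) + value


def tagged_int(t: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag octet (0 = untagged) then a 3-octet value."""
    return avp(t, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_str(t: int, value: str, tag: int = 0) -> bytes:
    return avp(t, bytes([tag]) + value.encode())


def vsa(vendor: int, vtype: int, value: bytes) -> bytes:
    """RFC 2865 5.26 Vendor-Specific: Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    return avp(VENDOR_SPECIFIC, struct.pack(">I", vendor) + bytes([vtype, len(value) + 2]) + value)


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: the only attribute the shared secret actually hides."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], block))
        out += prev
    return out


def access_request(secret: bytes, ident: int, req_auth: bytes, user: str, password: str) -> bytes:
    """What the switch (NAS) sends; req_auth must be fresh random bytes per request."""
    attrs = avp(USER_NAME, user.encode()) + avp(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def access_accept(secret: bytes, ident: int, req_auth: bytes, vlan_id: str, admin: bool) -> bytes:
    """What the server returns: the auto-VLAN attributes, plus the admin attributes if requested."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan_id))
    if admin:
        attrs += avp(SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE.to_bytes(4, "big"))
        attrs += vsa(VENDOR_3COM, ATTR_3COM_USER_ACCESS_LEVEL, ACCESS_LEVEL_ADMINISTRATOR.to_bytes(4, "big"))
    head = struct.pack(">BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def parse_attrs(data: bytes) -> list:
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("malformed attribute")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        v = data[i + 2:i + l]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and v[5] >= 2 and 4 + v[5] <= len(v):
            out.append(("vsa", struct.unpack(">I", v[:4])[0], v[4], v[6:4 + v[5]]))
        else:
            out.append((t, v))
        i += l
    return out


def client_check(secret: bytes, req_auth: bytes, ident: int, raw: bytes) -> dict:
    """The switch side: verify id, length and Response Authenticator before using any attribute."""
    code, rid, length = struct.unpack(">BBH", raw[:4])
    if length != len(raw) or rid != ident:
        raise ValueError("identifier/length mismatch")
    if hashlib.md5(raw[:4] + req_auth + raw[20:] + secret).digest() != raw[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    result = {"code": code, "vlan": None, "access_level": None, "service_type": None}
    for a in parse_attrs(raw[20:]):
        if a[0] == "vsa" and a[1] == VENDOR_3COM and a[2] == ATTR_3COM_USER_ACCESS_LEVEL:
            result["access_level"] = int.from_bytes(a[3], "big")
        elif a[0] == TUNNEL_PRIVATE_GROUP_ID:
            v = a[1]
            result["vlan"] = (v[1:] if v[0] <= 0x1F else v).decode()  # first octet is a tag only if <= 0x1F
        elif a[0] == SERVICE_TYPE:
            result["service_type"] = int.from_bytes(a[1], "big")
    return result


def demo(secret: bytes = b"constructed-shared-secret") -> dict:
    req_auth, ident = os.urandom(16), 7
    request = access_request(secret, ident, req_auth, "alice", "s3cret")
    reply = access_accept(secret, ident, req_auth, "4", admin=True)
    try:
        client_check(b"other-secret", req_auth, ident, reply)
        mismatch_detected = False
    except ValueError:
        mismatch_detected = True
    return {"request_len": len(request), "accepted": client_check(secret, req_auth, ident, reply),
            "mismatch_detected": mismatch_detected}
```

Two things the recipes leave implicit follow from the code: the shared secret only hides User-Password and authenticates the reply (everything else, including the VLAN and access-level attributes, travels in clear), and a reply built under a different secret fails the Response Authenticator check, so a secret mismatch between switch and server shows up as the switch silently rejecting every Accept rather than as an explicit error.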

Page 670: ...670 CHAPTER C AUTHENTICATING THE SWITCH 5500 WITH CISCO SECURE ACS...

Page 671: ...ations. Network Example using XRN. Recovering your XRN Network. The sections below provide supplementary information that is not essential reading but may be of interest to advanced users: How XRN...

Page 672: ...tion (DLA). DLA is the configuration of Aggregated Links across interconnected devices in the Distributed Fabric. 3Com and non-3Com devices can connect to the XRN Distributed Fabric using DLA. For further...

Page 673: ...In the event of failure in one of the Switches in the Distributed Fabric, management access to the remaining Switch is retained on the same IP address. DDM allows you to manage the Distributed Fabric us...

Page 674: ...within the Distributed Fabric. However, it will interoperate with other routers outside of the XRN Distributed Fabric. Figure 178 Network Example illustrating Distributed Resilient Routing. Distributed L...

Page 675: ...STP/RSTP for resilience; however, this does not provide the bandwidth advantage of link aggregation. For more information about STP/RSTP, refer to Chapter 17 Network Protocol Operation. Figure 179 Distrib...

Page 676: ...a single IP address. 4 Set up the IP information so you can begin managing and configuring the Switches in the Distributed Fabric. For more information on setting up IP information for your Switch so i...

Page 677: ...ble in the normal way; that is, you cannot control port features such as auto-negotiation, VLANs, static addresses, STP, Aggregated Links, Resilient Links and so on. Recommendations for Achieving Maximum Resi...

Page 678: ...ssign unit IDs to a Switch using the change command, the IDs will be retained after a power cycle. If you add a unit to a Fabric that has previously been manually configured with a unit ID and this conf...

Page 679: ...om the aggregated link. 2 Create the VLANs and assign VLAN membership to all ports. 3 Connect up your ports. As LACP was enabled in step 1, the aggregated links will now automatically configure themselves...

Page 680: ...interconnect failure within your Distributed Fabric: 1 Obtain a new cable. 2 Install the new cable. How XRN Interacts with other 3Com Switches: This section provides guidelines on connecting legacy and ne...

Page 681: ...ferent VLANs not being able to communicate. 3Com recommends that you set individual ports that are to be members of an aggregated link to the same VLAN membership. This ensures communication between all...

Page 682: ...f the interconnect fails, the aggregation is still a single logical entity at the legacy Switch end, but it is now split over both units within the Distributed Fabric. The legacy Switch is not aware that...

Page 683: ...y link to Switch B active and pass all traffic down the link to Switch B. When using resilient links in a Distributed Fabric network, the resilient links must be configured at the remote end rather than...

Page 684: ...ion on Distributed Fabric unit failure. Should Switch A fail, the network will react in the following way: LACP (IEEE 802.3ad) and Legacy Aggregated Links: The Switch 4400 and Switch 4300 Aggregated Links w...

Page 685: ...have STP/RSTP and LACP enabled as recommended in Important Considerations and Recommendations on page 676, your traffic flow should continue through your network. Figure 187 XRN Network reaction on Fabr...

Page 686: ...ks. The Switch 3300 will continue to send traffic down the active link to Switch A and keep the link to Switch B in standby mode. VLANs: As all VLANs will have been configured on all links, the traffic wi...
