manualshive.com logo in svg

3Com E4500-24, Cli Configuration Manual


Share
Download
background image

 

3-1 

3  

EAD Configuration 

Introduction to EAD 

Endpoint Admission Defense (EAD) is an attack defense solution. Using this solution, you can enhance 

the active defense capability of network endpoints, prevents viruses and worms from spreading on the 

network, and protects the entire network by limiting the access rights of insecure endpoints. 

With the cooperation of switch, AAA sever, security policy server and security client, EAD is able to 

evaluate the security compliance of network endpoints and dynamically control their access rights. 

With EAD, a switch: 

z

 

Verifies the validity of the session control packets it receives according to the source IP addresses 

of the packets: It regards only those packets sourced from authentication or security policy server 

as valid. 

z

 

Dynamically adjusts the VLAN, rate and packet scheduling priority for user terminals according to 

session control packets, whereby to control the access rights of users dynamically. 

Typical Network Application of EAD 

EAD checks the security status of users before they can access the network, and forcibly implements 

user access control policies according to the check results. In this way, it can isolate the users that are 

not compliant with security standard and force these users to update their virus databases and install 

system patches. 

Figure 3-1

 shows a typical network application of EAD. 

Figure 3-1 

Typical network application of EAD 

 

EAD Configuration 

The EAD configuration includes: 

z

 

Configuring the attributes of access users (such as username, user type, and password). For local 

authentication, you need to configure these attributes on the switch; for remote authentication, you 

need to configure these attributes on the AAA sever. 

z

 

Configuring a RADIUS scheme. 

Summary of Contents for E4500-24

Page 1: ...he CLI 1 1 Command Hierarchy 1 1 Command Level and User Privilege Level 1 1 Modifying the Command Level 1 2 Switching User Level 1 3 CLI Views 1 7 CLI Features 1 11 Online Help 1 11 Terminal Display 1...

Page 2: ...nd locate network problems z Command history function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will...

Page 3: ...levels By default the Console user a user who logs into the switch through the Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and c...

Page 4: ...the level of a command Sysname system view Sysname command privilege level 0 view shell tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell...

Page 5: ...switching The low to high user level switching requires the corresponding authentication The super password authentication mode and HWTACACS authentication mode are available at the same time to prov...

Page 6: ...performed by level 3 users administrators Follow these steps to set a password for use level switching To do Use the command Remarks Enter system view system view Set the super password for user leve...

Page 7: ...level super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the pa...

Page 8: ...configuration procedures Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0...

Page 9: ...hernet1 0 25 Execute the interface gigabitethernet command in system view Aux1 0 0 port the console port view The 3com switch 4500 does not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Exec...

Page 10: ...lic ke y end command to return to system view Edit the RSA public key for SSH users Sysname rsa key code Public key editing view Edit the RSA or DSA public key for SSH users Sysname peer ke y code Exe...

Page 11: ...e ping test group parameters Sysname remote ping a123 a123 Execute the remote ping command in system view HWTACACS view Configure HWTACACS parameters Sysname hwtaca cs a123 Execute the hwtacacs scheme...

Page 12: ...on Other information is omitted 2 Enter a command a space and a question mark If the question mark is at a keyword position in the command all available keywords at the position and their descriptions...

Page 13: ...p the display output and execution of the command Press any character except Space Enter and when the display output pauses Stop the display output Press the space key Get to the next page Press Enter...

Page 14: ...plete command The command entered is incomplete Too many parameters The parameters entered are too many Ambiguous command The parameters entered are ambiguous Wrong parameter A parameter entered is wr...

Page 15: ...entifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parameter you can display them one by one in complete form by...

Page 16: ...uration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 12 3 Logging In Through Telnet 3 1 Introduction 3 1...

Page 17: ...Packets 7 1 Displaying Source IP Address Configuration 7 2 8 User Control 8 1 Introduction 8 1 Controlling Telnet Users 8 2 Prerequisites 8 2 Controlling Telnet Users by Source IP Addresses 8 2 Contro...

Page 18: ...e console port of a 3Com low end and mid range Ethernet switch are the same port referred to as console port in the following part You will be in the AUX user interface if you log in through this port...

Page 19: ...pport Fabric A Fabric can contain up to eight devices Accordingly the AUX user interfaces in a Fabric can be numbered from AUX0 to AUX7 through which all the console ports of the units in a Fabric can...

Page 20: ...r logs in successfully Enter user interface view user interface type first number last number Display the information about the current user interface all user interfaces display users all Display the...

Page 21: ...to an Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 19 200 bps Flow c...

Page 22: ...e following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of...

Page 23: ...switch Console Port Login Configuration Common Configuration Table 2 2 Common configuration of console port login Configuration Remarks Baud rate Optional The default baud rate is 19 200 bps Check mod...

Page 24: ...To configure a console port you are recommended to log in to the switch in other ways To log in to a switch through its console port after you modify the console port settings you need to modify the...

Page 25: ...users Required Scheme Perform common configuration Perform common configuration for console port login Optional Refer to Table 2 2 Changes made to the authentication mode for console port login takes...

Page 26: ...fault the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size...

Page 27: ...hrough the console port Sysname ui aux0 authentication mode none Specify commands of level 2 are available to users logging in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the...

Page 28: ...de of a console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a console port is 1 Configure the console port Set the data bits databits...

Page 29: ...is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local...

Page 30: ...n to the switch successfully Console Port Login Configuration with Authentication Mode Being Scheme Configuration Procedure Follow these steps to configure console port login with the authentication m...

Page 31: ...none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a console port is 1 Configure the console port Set the data bits databits 7 8 Optional The default data b...

Page 32: ...mple Network requirements Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for...

Page 33: ...to authenticate users logging in through the console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200...

Page 34: ...dress is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Prot...

Page 35: ...igurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Telnet configuration Description None Perform common configuration...

Page 36: ...TCP 22 port will be enabled Telnet Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure Telnet with the authentication mode being none To do Use t...

Page 37: ...he connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if...

Page 38: ...6 Telnet Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to configure Telnet with the authentication mode being password To do Use the command Remarks...

Page 39: ...idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operatio...

Page 40: ...screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeo...

Page 41: ...ed AAA scheme determines whether to authenticate users locally or remotely Users are authenticated locally by default Configure the command level available to users logging in to the user interface us...

Page 42: ...type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level Determined...

Page 43: ...el command is executed and the service type command specifies the available command level Determined by the service type command Refer to AAA Operation and SSH Operation of this manual for information...

Page 44: ...vty 0 Configure to authenticate users logging in to VTY 0 in the scheme mode Sysname ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet S...

Page 45: ...heme for more 3 Connect your PC terminal and the Switch to an Ethernet as shown in Figure 3 5 Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route b...

Page 46: ...net client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then configure it Figure 3 7 Network diagram for Telnetting to another switch from the current...

Page 47: ...to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is a...

Page 48: ...authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch whe...

Page 49: ...omote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4...

Page 50: ...e prompt appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration comm...

Page 51: ...he VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Con...

Page 52: ...e 5 2 The login page of the Web based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through...

Page 53: ...a route is available between the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the...

Page 54: ...server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Ena...

Page 55: ...perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is co...

Page 56: ...itch A as 192 168 2 5 and then log in to Switch B through Switch A Configuring Source IP Address for Telnet Service Packets The feature of configuring source IP address for Telnet service packets can...

Page 57: ...ion failure z Configuring the source interface of Telnet service packets equals configuring the IP address of this interface as the source IP address of the Telnet service packets z If a source IP add...

Page 58: ...users Login mode Control method Implementation Related section By source IP address Through basic ACL Controlling Telnet Users by Source IP Addresses By source and destination IP address Through adva...

Page 59: ...face type first number last number Apply the ACL to control Telnet users by source IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Tel...

Page 60: ...CLs which are numbered from 4000 to 4999 Follow these steps to control Telnet users by source MAC addresses To do Use the command Remarks Enter system view system view Create or enter Layer 2 ACL view...

Page 61: ...users can access switches through SNMP You need to perform the following two operations to control network management users by source IP addresses z Defining an ACL z Applying the ACL to control user...

Page 62: ...ew write view notify view notify view acl acl number Apply the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name...

Page 63: ...determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Web Users by Source IP Addresses Controlling Web users by source IP addresse...

Page 64: ...to access the switch Network diagram Figure 8 3 Network diagram for controlling Web users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic...

Page 65: ...ement 1 1 Introduction to Configuration File 1 1 Configuration Task List 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 4 Specifying a Configuration File for Next St...

Page 66: ...nd view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are...

Page 67: ...either the main nor the backup configuration file exists but the default configuration file config def exists the switch initializes with the default configuration file if the default configuration fi...

Page 68: ...tmp to cfg using the rename command The switch will use the renamed configuration file to initialize itself when it starts up next time For details of the rename command refer to the File System Manag...

Page 69: ...f these reasons z After you upgrade software the old configuration file does not match the new software z The startup configuration file is corrupted or not the one you needed The following two situat...

Page 70: ...startup saved configuration cfgfile backup command to set the file as backup startup configuration file The configuration file must use cfg as its extension name and the startup configuration file mu...

Page 71: ...ID for a Port 1 5 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3...

Page 72: ...network receives a lot of packets whose destination is not the host itself causing potential serious security problems z Related to the point above someone on a network can monitor broadcast packets...

Page 73: ...of the virtual workgroup the host can access the network without changing its network configuration VLAN Principles VLAN tag To enable a network device to identify frames of different VLANs a VLAN tag...

Page 74: ...rames encapsulated in these formats for VLAN identification VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN ta...

Page 75: ...And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses VLAN Classification Depending on how VLANs are established VLANs fall into the following s...

Page 76: ...AN ID for a Port An access port can belong to only one VLAN Therefore the VLAN an access port belongs to is also the default VLAN of the access port A hybrid trunk port can belong to multiple VLANs so...

Page 77: ...ID is not the default VLAN ID keep the original tag unchanged and send the packet Table 1 3 Packet processing of a hybrid port Processing of an incoming packet For an untagged packet For a tagged pac...

Page 78: ...nfiguration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Cre...

Page 79: ...the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan id Required By default there is no VLAN interface on a switch Spec...

Page 80: ...ed VLAN Task Remarks Configuring the Link Type of an Ethernet Port Optional Assigning an Ethernet Port to a VLAN Required Configuring the Default VLAN for a Port Optional Displaying and Maintaining Po...

Page 81: ...port access vlan vlan id Trunk port port trunk permit vlan vlan id list all Assign the current port to one or multiple VLANs Hybrid port port hybrid vlan vlan id list tagged untagged Optional By defau...

Page 82: ...n vlan id Optional The link type of a port is access by default The local and remote trunk or hybrid ports must use the same default VLAN ID for the traffic of the default VLAN to be transmitted prope...

Page 83: ...lan 100 SwitchB vlan100 description Dept1 SwitchB vlan100 port GigabitEthernet 1 0 13 SwitchB vlan103 quit Create VLAN 200 specify its descriptive string as Dept2 and add GigabitEthernet 1 0 11 and Gi...

Page 84: ...1 0 2 port trunk permit vlan 200 Configure GigabitEthernet 1 0 10 of Switch B SwitchB interface GigabitEthernet 1 0 10 SwitchB GigabitEthernet1 0 10 port link type trunk SwitchB GigabitEthernet1 0 10...

Page 85: ...Configuration Examples 1 5 IP Address Configuration Example I 1 5 IP Address Configuration Example II 1 5 Static Domain Name Resolution Configuration Example 1 7 2 IP Performance Optimization Configu...

Page 86: ...32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z...

Page 87: ...P address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zeros host ID Identifies a network z IP address with an all ones host ID Identifies a directed...

Page 88: ...its for the host ID and thus have only 126 27 2 hosts in each subnet The maximum number of hosts is thus 64 512 512 126 1022 less after the network is subnetted Class A B and C networks before being s...

Page 89: ...ow these steps to configure static domain name resolution To do Use the command Remarks Enter system view system view Configure a mapping between a host name and an IP address ip host hostname ip addr...

Page 90: ...interface 1 Switch Vlan interface1 ip address 129 2 2 1 255 255 255 0 IP Address Configuration Example II Network requirements As shown in Figure 1 4 VLAN interface 1 on a switch is connected to a LAN...

Page 91: ...6 1 2 PING 172 16 1 2 56 data bytes press CTRL_C to break Reply from 172 16 1 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 1 2 bytes 56 Sequence 2 ttl 255 time 27 ms Reply from 172 16 1...

Page 92: ...gram Figure 1 5 Network diagram for static DNS configuration Configuration procedure Configure a mapping between host name host com and IP address 10 1 1 2 Sysname system view Sysname ip host host com...

Page 93: ...can know the forwarding information of the switch through the FIB table Each FIB entry includes destination address mask length next hop current flag timestamp and outbound interface When the switch i...

Page 94: ...transport layer protocols to notify corresponding devices so as to facilitate control and management Although sending ICMP error packets facilitate control and management it still has the following di...

Page 95: ...he FIB entries matching the destination IP address display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer Display the FIB entries filtering through a specific ACL disp...

Page 96: ...ous Ports 1 4 Security Mode of Voice VLAN 1 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 7 Configuring...

Page 97: ...in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses to operate properly in a network A...

Page 98: ...VLAN the IP phone can only send untagged packets in the default VLAN of the port the IP phone is connected to In this case you need to manually configure the default VLAN of the port as a voice VLAN...

Page 99: ...r transmitting voice data You can configure OUI addresses for voice packets or specify to use the default OUI addresses An OUI address is a globally unique identifier assigned to a vendor by IEEE You...

Page 100: ...AN assignment mode In this mode you need to add a port to a voice VLAN or remove a port from a voice VLAN manually Processing mode of tagged packets sent by IP voice devices Tagged packets from IP voi...

Page 101: ...to the voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and th...

Page 102: ...r a port is assigned to the voice VLAN the switch receives and forwards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in...

Page 103: ...n Configuration Prerequisites z Create the corresponding VLAN before configuring a voice VLAN z VLAN 1 the default VLAN cannot be configured as a voice VLAN In case a connected voice device sends VLAN...

Page 104: ...be configured as the voice VLAN otherwise the system prompts you for unsuccessful configuration When the voice VLAN is working normally if the device restarts or the Unit ID of a device in a XRN fabr...

Page 105: ...N legacy is disabled Set voice VLAN assignment mode on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter...

Page 106: ...make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between 3Com device and other vendor s voice device by automatically adding...

Page 107: ...0 0755 2002 GE1 0 2 IP phone A 010 1001 MAC 0011 1100 0001 Mask ffff ff00 0000 Internet PC A MAC 0022 1100 0002 PC B MAC 0022 2200 0002 VLAN 2 Configuration procedure Create VLAN 2 DeviceA system view...

Page 108: ...cess Please wait Done DeviceA GigabitEthernet1 0 2 port link type hybrid DeviceA GigabitEthernet1 0 2 voice vlan enable Verification Display the OUI addresses OUI address masks and description strings...

Page 109: ...Eth1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Configuration procedure Enable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice...

Page 110: ...ce vlan oui Oui Address Mask Description 0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingt...

Page 111: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Page 112: ...portant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices...

Page 113: ...veAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set...

Page 114: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Page 115: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Page 116: ...iew system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inter...

Page 117: ...the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is...

Page 118: ...so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP reg...

Page 119: ...VRP on Ethernet1 0 3 SwitchA Ethernet1 0 3 gvrp SwitchA Ethernet1 0 3 quit 2 Configure Switch B The configuration procedure of Switch B is similar to that of Switch A and is thus omitted 3 Configure S...

Page 120: ...3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following d...

Page 121: ...1 10 5 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic No dynamic vlans exist...

Page 122: ...rt to Other Ports 1 5 Configuring Loopback Detection for an Ethernet Port 1 5 Enabling Loopback Test 1 7 Enabling the System to Test Connected Cable 1 8 Configuring the Interval to Perform Statistical...

Page 123: ...n optical port That is a Combo port cannot operate as both an electrical port and an optical port simultaneously When one is enabled the other is automatically disabled Configuring Combo port state Fo...

Page 124: ...ace MDI mode of the Ethernet port mdi across auto normal Optional Be default the MDI mode of an Ethernet port is auto Set the maximum frame size allowed on the Ethernet port to 9 216 bytes jumboframe...

Page 125: ...gured to support all the auto negotiation speeds 10 Mbps 100 Mbps and 1000 Mbps Limiting Traffic on individual Ports By performing the following configurations you can limit the incoming broadcast mul...

Page 126: ...figure flow control in TxRx mode on Port B and flow control in Rx mode on Port A z When congestions occur on Port C Switch B buffers the frames When the amount of the buffered frames exceeds a certain...

Page 127: ...agg id Required z If you specify a source aggregation group ID the system will use the port with the smallest port number in the aggregation group as the source z If you specify a destination aggrega...

Page 128: ...net port To do Use the command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Optional By default the global loopback detection function is enabled...

Page 129: ...r you use the undo loopback detection enable command in system view loopback detection will be disabled on all ports z The loopback detection control enable command and the loopback detection per vlan...

Page 130: ...he test result will be returned in five seconds The system can test these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty c...

Page 131: ...ription of the display brief interface command in Basic Port Configuration Command When the physical link status of an Ethernet port changes between Up and Down or Up and Administratively Down the swi...

Page 132: ...nformation and execute the shutdown command or the undo shutdown command on Ethernet 1 0 1 No Up Down log information is generated or output for Ethernet 1 0 1 Sysname Ethernet1 0 1 undo enable log up...

Page 133: ...type interface number begin include exclude regular expression Display port information about a specified unit display unit unit id interface Display the Combo ports and the corresponding optical elec...

Page 134: ...1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet 1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of E...

Page 135: ...gation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregation...

Page 136: ...otifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the pe...

Page 137: ...led TPID on the ports State of inner to outer tag priority replication enabled or disabled The S4500 series Ethernet switches support cross device link aggregation if XRN fabric is enabled Link Aggreg...

Page 138: ...also including initially down port you want to add to a manual aggregation group Static LACP Aggregation Group Introduction to static LACP aggregation A static LACP aggregation group is also manually...

Page 139: ...status of dynamic aggregation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP...

Page 140: ...groups The system always allocates hardware aggregation resources to the aggregation groups with higher priorities When load sharing aggregation resources are used up by existing aggregation groups n...

Page 141: ...ess max mac count command is configured cannot be added to an aggregation group Contrarily the mac address max mac count command cannot be configured on a port that has already been added to an aggreg...

Page 142: ...ynamic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enab...

Page 143: ...based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports which you want to participa...

Page 144: ...oups and their descriptions still exists but that of dynamic aggregation groups and their descriptions gets lost Displaying and Maintaining Link Aggregation Configuration To do Use the command Remarks...

Page 145: ...edure The following only lists the configuration on Switch A you must perform the similar configuration on Switch B to implement link aggregation 1 Adopting manual aggregation mode Create manual aggre...

Page 146: ...t1 0 3 Sysname Ethernet1 0 3 port link aggregation group 1 3 Adopting dynamic LACP aggregation mode Enable LACP on Ethernet 1 0 1 through Ethernet 1 0 3 Sysname system view Sysname interface Ethernet...

Page 147: ...of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying and Maintaining Port Isolation Configuration 1 2 Port Isolation Configuration Exa...

Page 148: ...p does not forward traffic to the other ports in the isolation group The ports in an isolation group must reside on the same switch or different units of an XRN fabric z Currently you can create only...

Page 149: ...if XRN fabric is enabled z For Switch 4500 series switches belonging to the same XRN Fabric the port isolation configuration performed on a port of a cross device aggregation group cannot be synchroni...

Page 150: ...me interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface...

Page 151: ...s Allowed on a Port 1 5 Setting the Port Security Mode 1 6 Configuring Port Security Features 1 7 Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode 1 8 Ignoring the Authorization I...

Page 152: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Page 153: ...red manually When the number of security MAC addresses reaches the upper limit configured by the port security max count command the port changes to work in secure mode and no more MAC addresses can b...

Page 154: ...gle 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode th...

Page 155: ...tions In this mode up to one user can access the network macAddressAndUs erLoginSecureExt This mode is similar to the macAddressAndUserLoginSecure mode except that more than one user can access the ne...

Page 156: ...802 1x disabled port access control method macbased and port access control mode auto z MAC authentication disabled In addition you cannot perform the above mentioned configurations manually because t...

Page 157: ...curity Mode Follow these steps to set the port security mode To do Use the command Remarks Enter system view system view Set the OUI value for user authentication port security oui OUI value index ind...

Page 158: ...ses that the port can learn z Reflector port for port mirroring z Fabric port z Link aggregation Configuring Port Security Features Configuring the NTK feature Follow these steps to configure the NTK...

Page 159: ...nt port security trap addresslearned dot1xlogfailure dot1xlogoff dot1xlogon intrusion ralmlogfailure ralmlogoff ralmlogon Required By default no trap is sent Configuring Guest VLAN for a Port in macAd...

Page 160: ...at the users need z If one user of the port has passed or is undergoing authentication you cannot specify a guest VLAN for it z When a user using a port with a guest VLAN specified fail the authentica...

Page 161: ...can only be added to the forwarding table of one port This feature allows binding a security MAC address with a port in the same VLAN After the security port is set to autolearn the port changes its...

Page 162: ...nfigure an aging time for learned security MAC address entries To do Use the command Remarks Enter system view system view Enable port security port security enable Configure the aging time for learne...

Page 163: ...z To ensure that Host can access the network add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 z After the number of security MAC addresses reaches 80 the por...

Page 164: ...connectivity z The switch s port Ethernet 1 0 3 connects to the Internet This port is assigned to VLAN 1 Normally the port Ethernet 1 0 2 is also assigned to VLAN z VLAN 10 is intended to be a guest V...

Page 165: ...nfigure the ISP domain for MAC address authentication Switch mac authentication domain system Enable port security Switch port security enable Specify the switch to trigger MAC address authentication...

Page 166: ...DLDP Status 1 4 DLDP Timers 1 4 DLDP Operating Mode 1 5 DLDP Implementation 1 6 DLDP Neighbor State 1 8 Link Auto recovery Mechanism 1 8 DLDP Configuration 1 9 Performing Basic DLDP Configuration 1 9...

Page 167: ...two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional link appears the local device can receive packets from the peer device through the link...

Page 168: ...rovides the following features z As a link layer protocol it works together with the physical layer protocols to monitor the link status of a device z The auto negotiation mechanism at the physical la...

Page 169: ...packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port inform...

Page 170: ...corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor...

Page 171: ...n the user defined DLDP down mode DLDP disables the local port automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry DelayDown timer When a device in the...

Page 172: ...however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires As Port B i...

Page 173: ...witches to the probe state Advertisement packet Extracts neighbor information If the corresponding neighbor entry already exists on the local device DLDP resets the aging timer of the entry Flush pack...

Page 174: ...ects the link connecting to the port is a unidirectional link A port in DLDP down state does not forward service packets or receive send protocol packets except DLDPDUs A port in the DLDP down state r...

Page 175: ...the handling mode is auto Set the DLDP operating mode dldp work mode enhance normal Optional By default DLDP works in normal mode Note the following when performing basic DLDP configuration z DLDP can...

Page 176: ...nks caused by fiber cross connection z When the device is busy with services and the CPU utilization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP...

Page 177: ...DP configuration Device A GE1 0 49 GE1 0 50 Device B GE1 0 49 GE1 0 50 PC Configuration procedure 1 Configure Switch A Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps...

Page 178: ...vice correctly on one end with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end i...

Page 179: ...Table Management 1 4 MAC Address Table Management Configuration Task List 1 4 Configuring a MAC Address Entry 1 5 Setting the MAC Address Aging Timer 1 6 Setting the Maximum Number of MAC Addresses a...

Page 180: ...ddress table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to...

Page 181: ...h 1 2 After learning the MAC address of User A the switch starts to forward the packet Because there is no MAC address and port information of User B in the existing MAC address table the switch forwa...

Page 182: ...ircumstances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets...

Page 183: ...configured manually z Blackhole MAC address entry This type of MAC address entries are configured manually A switch discards the packets destined for or originated from the MAC addresses contained in...

Page 184: ...ackhole mac address interface interface type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by...

Page 185: ...seconds The capacity of the MAC address table on a switch is limited After the limit is reached the switch will forward the frames received with unknown source MAC addresses without learning MAC addr...

Page 186: ...s Triggered Update By default a switch updates its MAC address entries based on the source MAC addresses of packets However this may cause the switch to perform unnecessary broadcasts in some applicat...

Page 187: ...spiciously on the network you can add a blackhole MAC address entry for the MAC address to drop all packets destined for the host for security sake Configuration procedure Enter system view Sysname sy...

Page 188: ...tect Basic Configuration 1 2 Auto Detect Implementation in Static Routing 1 2 Auto Detect Implementation in VLAN Interface Backup 1 3 Auto Detect Configuration Examples 1 4 Configuration Example for A...

Page 189: ...and waits for the ICMP replies from the group based on the user defined policy which includes the number of ICMP requests and the timeout waiting for a reply Then according to the check result the sw...

Page 190: ...2 Set a timeout waiting for an ICMP reply timer wait seconds Optional By default the timeout is 2 seconds Display the detected group configuration display detect group group number Available in any vi...

Page 191: ...e the command Remarks Enter system view system view Bind a detected group to a static route ip route static ip address mask mask length interface type interface number next hop preference preference v...

Page 192: ...backup VLAN interface z When the link between the active VLAN interface and the destination recovers that is the detected group becomes reachable again the system shuts down the standby VLAN interfac...

Page 193: ...4 nexthop 192 168 1 2 SwitchA detect group 8 quit Enable the static route when the detected group is reachable The static route is invalid when the detected group is unreachable SwitchA ip route stat...

Page 194: ...tchA detect group 10 Add the IP address of 10 1 1 4 to detected group 10 to detect the reachability of the IP address with the IP address of 192 168 1 2 as the next hop and the detecting number set to...

Page 195: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Page 196: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 44 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 45 Enab...

Page 197: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Page 198: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Page 199: ...see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port is...

Page 200: ...dge priority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime f...

Page 201: ...h cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the...

Page 202: ...root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each...

Page 203: ...on BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration...

Page 204: ...ort CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port...

Page 205: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Page 206: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Page 207: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Page 208: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 6 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Page 209: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Page 210: ...y MSTP At the same time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST reg...

Page 211: ...figure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are perf...

Page 212: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Page 213: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Page 214: ...10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region config...

Page 215: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Page 216: ...le switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname s...

Page 217: ...rmat Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp compliance dot1s Restore the default mode for Ethernet 1 0 1 to recognize send MSTP packets Sysname Ethernet1 0 1 un...

Page 218: ...chanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation and thus limits the size of an MST region With such a mechanism the maximum hop coun...

Page 219: ...re the network diameter of a switched network an MSTP enabled switch adjusts its hello time forward delay and max age settings accordingly to better values The network diameter setting only applies to...

Page 220: ...As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it is too large link problems may...

Page 221: ...tch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time Configuration example Configure the timeou...

Page 222: ...0 1 Sysname Ethernet1 0 1 stp transmit limit 15 Configuring the Current Port as an Edge Port Edge ports are ports that neither directly connects to other switches nor indirectly connects to other swit...

Page 223: ...le 2 Configure Ethernet 1 0 1 as an edge port in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp edged port enable Setting the Link Type of a Port to...

Page 224: ...can configure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual...

Page 225: ...Optional By default MSTP is enabled on all ports To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculati...

Page 226: ...998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the IEEE 802 1t standard to calculate the default path costs of ports z legacy Adopts the proprieta...

Page 227: ...aggregated link measured in 100 Kbps Configure the path cost for specific ports Follow these steps to configure the path cost for specified ports in system view To do Use the command Remarks Enter sy...

Page 228: ...rd dot1d 1998 Configuring Port Priority Port priority is an important criterion on determining the root port In the same condition the port with the smallest port priority value becomes the root port...

Page 229: ...Sysname stp interface Ethernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp insta...

Page 230: ...1 0 1 mcheck 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp mcheck Configuring Guard Functions The following guard fu...

Page 231: ...able to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports Configuring Root Guard A root bridge and its secondary root bridges must reside in the same...

Page 232: ...d Remarks Enter system view system view Enable the root guard function on specified ports stp interface interface list root protection Required The root guard function is disabled by default Follow th...

Page 233: ...ard on the root port and alternate port of a non root bridge z Loop guard root guard and edge port settings are mutually exclusive With one of these functions enabled on a port any of the other two fu...

Page 234: ...ng operation For example if you set the maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC BPDUs in the period the switch removes the MAC...

Page 235: ...h MSTIs in an MST region only when the two switches have the same MST region related configuration Interconnected MSTP enabled switches determine whether or not they are in the same MST region by chec...

Page 236: ...e protocol MSTP and the network operate normally Configuration procedure Follow these steps to configure digest snooping To do Use the command Remarks Enter system view system view Enter Ethernet port...

Page 237: ...tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to b...

Page 238: ...he upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufactu...

Page 239: ...uration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view sy...

Page 240: ...e service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the se...

Page 241: ...tch MSTP Maintenance Configuration Introduction In a large scale network with MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance p...

Page 242: ...tion example Enable a switch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp...

Page 243: ...yer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 1 10 Network diagram for MSTP...

Page 244: ...er MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instanc...

Page 245: ...ion between the customer networks and the service provider network Network diagram Figure 1 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1...

Page 246: ...Ns Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add Gigab...

Page 247: ...Route 2 2 Displaying and Maintaining Static Routes 2 2 Static Route Configuration Example 2 3 Troubleshooting a Static Route 2 4 3 RIP Configuration 3 1 RIP Overview 3 1 Basic Concepts 3 1 RIP Startup...

Page 248: ...Route Policy 4 3 Defining if match Clauses and apply Clauses 4 3 IP Prefix Configuration 4 5 Configuration Prerequisites 4 5 Configuring an ip prefix list 4 5 Displaying IP Route Policy 4 5 IP Route P...

Page 249: ...ter Routes in a routing table can be divided into three categories by origin z Direct routes Routes discovered by data link protocols also known as interface routes z Static routes Routes that are man...

Page 250: ...e The router is directly connected to the network where the destination resides z Indirect route The router is not directly connected to the network where the destination resides In order to avoid an...

Page 251: ...ically including RIP OSPF and IS IS z Exterior Gateway Protocols EGPs Work between autonomous systems The most popular one is BGP An autonomous system refers to a group of routers that share the same...

Page 252: ...ocol has the highest priority among all the active protocols these routes will be considered valid and are used to forward packets thus achieving load sharing Route backup You can configure multiple r...

Page 253: ...routes permitted by a prefix list display ip routing table ip prefix ip prefix name verbose Display routes to a specified destination display ip routing table ip address mask mask length longer match...

Page 254: ...y thus resulting in network interruption In this case the network administrator needs to modify the configuration of static routes manually Static routes are divided into three types z Reachable route...

Page 255: ...Static Route Follow these steps to configure a static route To do Use the command Remarks Enter system view system view Configure a static route ip route static ip address mask mask length interface t...

Page 256: ...re be simple and stable The company hopes that the existing devices that do not support any dynamic routing protocol can be fully utilized In this case static routes can implement communication betwee...

Page 257: ...ip route static 1 1 1 0 255 255 255 0 1 1 2 1 SwitchC ip route static 1 1 4 0 255 255 255 0 1 1 3 2 2 Perform the following configurations on the host Set the default gateway address of Host A to 1 1...

Page 258: ...to a destination address In RIP the hop count from a router to its directly connected network is 0 and that to a network which can be reached through another router is 1 and so on To restrict the tim...

Page 259: ...llowing mechanisms to prevent routing loops z Counting to infinity The metric value of 16 is defined as unreachable When a routing loop occurs the metric value of the route will increment to 16 z Spli...

Page 260: ...ing split horizon Optional Configuring RIP 1 packet zero field check Optional Setting RIP 2 packet authentication mode Optional RIP Network Adjustment and Optimization Configuring RIP to unicast RIP p...

Page 261: ...nd RIP update packets rip output Enable the interface to receive and send RIP update packets rip work Optional Enabled by default Specifying the RIP version on an interface Follow these steps to speci...

Page 262: ...ional routing metric To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the additional routing metric to be added for incomi...

Page 263: ...oming outgoing routes The route filtering function provided by a router enables you to configure inbound outbound filter policy by specifying an ACL address prefix list or route policy to make RIP fil...

Page 264: ...e RIP preference preference value Required 100 by default Enabling load sharing among RIP interfaces Follow these steps to enable load sharing among RIP interfaces To do Use the command Remarks Enter...

Page 265: ...djacent nodes are reachable to each other at the network layer z Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these steps to configure RIP timers To do Use the com...

Page 266: ...modes simple authentication and message digest 5 MD5 authentication Simple authentication cannot provide complete security because the authentication keys sent along with packets that are not encrypt...

Page 267: ...ion display rip routing Available in any view Reset the system configuration related to RIP reset Available in RIP view RIP Configuration Example Network requirements A small sized company requires th...

Page 268: ...rip SwitchB rip network 196 38 165 0 SwitchB rip network 110 11 2 0 3 Configure Switch C Configure RIP SwitchC system view SwitchC rip SwitchC rip network 117 102 0 0 SwitchC rip network 110 11 2 0 Tr...

Page 269: ...may need to import the routing information discovered by other protocols to enrich its routing knowledge While importing routing information from another protocol it possibly only needs to import the...

Page 270: ...ng order of their node numbers Each node comprises a set of if match and apply clauses The if match clauses define the matching rules The matching objects are some attributes of routing information Th...

Page 271: ...d Not defined by default z The permit argument specifies the matching mode for a defined node in the route policy to be in permit mode If a route matches the rules for the node the apply clauses for t...

Page 272: ...n Apply a cost to routes satisfying matching rules apply cost value Optional By default no cost is applied to routes satisfying matching rules Define an action to set the tag field of routing informat...

Page 273: ...hecks the entries in ascending order of index number Once the route matches an entry the route passes the filtering of the IP prefix list and no other entry will be matched Follow these steps to confi...

Page 274: ...If a fault occurs to the main link of one service dynamic backup can prevent service interruption Network diagram According to the network requirements the network topology is designed as shown in Fig...

Page 275: ...chB rip network 1 0 0 0 SwitchB rip network 3 0 0 0 SwitchB rip network 6 0 0 0 3 Configure Switch C Create VLANs and configure IP addresses for the VLAN interfaces The configuration procedure is omit...

Page 276: ...C route policy quit Create node 50 with the matching mode being permit to allow all routing information to pass SwitchC route policy in permit node 50 SwitchC route policy quit Configure RIP and apply...

Page 277: ...ne if you try to set it to 0 z The cost will still be 16 if you try to set it to 16 2 Using the if match interface command will match the routes whose outgoing interface to the next hop is the specifi...

Page 278: ...Packets 1 3 Displaying and Maintaining Common Multicast Configuration 1 3 3 IGMP Snooping Configuration 1 1 IGMP Snooping Overview 1 1 Principle of IGMP Snooping 1 1 Basic Concepts in IGMP Snooping 1...

Page 279: ...ii Configuring IGMP Snooping 1 16 Configuring Multicast VLAN 1 18 Troubleshooting IGMP Snooping 1 21...

Page 280: ...and tele education have come into being These services have higher requirements for information security legal use of paid services and network bandwidth In the network packets are sent in three mode...

Page 281: ...Broadcast Mode When you broadcast traffic the system transmits information to all users on a network Any user on the network can receive the information no matter if the information is needed or not F...

Page 282: ...t Hosts B D and E need the information To transmit the information to the right users it is necessary to group Hosts B D and E into a receiver set The routers on the network duplicate and distribute t...

Page 283: ...sends to the multicast group 4 The user turns off the TV set The receiver leaves the multicast group z A multicast source does not necessarily belong to a multicast group Namely a multicast source is...

Page 284: ...y time SFM model The SFM model is derived from the ASM model From the view of a sender the two models have the same multicast group membership architecture Functionally the SFM model is an extension o...

Page 285: ...about multicast addressing To enable the communication between the information source and members of a multicast group a group of information receivers network layer multicast addresses namely IP mul...

Page 286: ...etwork 232 0 0 0 to 232 255 255 255 Available source specific multicast SSM multicast group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses which are for specific lo...

Page 287: ...MAC address of the receiver When a multicast packet is transported in an Ethernet network a multicast MAC address is used as the destination address because the destination is a group with an uncerta...

Page 288: ...cols Typically the Internet Group Management Protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with the hosts These protocols define the mechanism of establishing an...

Page 289: ...traditional multicast on demand mode when users in different VLANs on a Layer 2 device need multicast information the upstream Layer 3 device needs to forward a separate copy of the multicast data to...

Page 290: ...ming interface of the existing S G entry this means that the S G entry is no longer valid The router replaces the incoming interface of the S G entry with the interface on which the packet actually ar...

Page 291: ...in the multicast forwarding table of Switch C Switch C performs an RPF check and finds in its unicast routing table that the outgoing interface to 192 168 0 0 24 is VLAN interface 2 This means that t...

Page 292: ...use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppression on certain ports to prevent unauthorized...

Page 293: ...ered on the switch the switch will flood the packet within the VLAN to which the port belongs You can configure a static multicast MAC address entry to avoid this Follow these steps to configure a mul...

Page 294: ...e flooded in the VLAN which the multicast packet belongs to When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address is not...

Page 295: ...is a multicast constraining mechanism that runs on Layer 2 devices to manage and control multicast groups Principle of IGMP Snooping By analyzing received IGMP messages a Layer 2 device running IGMP...

Page 296: ...icast group members Figure 3 2 IGMP Snooping related ports Router A Switch A Switch B Eth1 0 1 Eth1 0 2 Eth1 0 3 Eth1 0 1 Eth1 0 2 Receiver Receiver Host A Host B Host C Host D Source Multicast packet...

Page 297: ...ng an IGMP general query the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port z If the receiving port is a router port existi...

Page 298: ...ely delete the forwarding entry corresponding to that port from the forwarding table instead it resets the aging timer of the member port Upon receiving the IGMP leave message from a host the IGMP que...

Page 299: ...Traffic in a VLAN Optional Configuring Static Member Port for a Multicast Group Optional Configuring a Static Router Port Optional Configuring a Port as a Simulated Group Member Optional Configuring...

Page 300: ...2 messages but not IGMPv3 messages which will be flooded in the VLAN z IGMP snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages Follow these steps to configure the version of IGMP Snoopin...

Page 301: ...esource usage If fast leave processing and unknown multicast packet dropping or non flooding are enabled on a port to which more than one host is connected when one host leaves a multicast group the o...

Page 302: ...rt If the receiving port can join this multicast group the switch adds this port to the IGMP Snooping multicast group list otherwise the switch drops this report message Any multicast data that has fa...

Page 303: ...programs on demand available to users thus to regulate traffic on the port Follow these steps to configure the maximum number of multicast groups on a port To do Use the command Remarks Enter system...

Page 304: ...g failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem configure a non all zero IP address as the source IP address of IGMP queries IGMP Snooping qu...

Page 305: ...oup an IGMP Snooping switch creates a nonflooding entry and relays the packet to router ports only instead of flooding the packet within the VLAN If the switch has no router ports it drops the multica...

Page 306: ...gure specified port s as static member port s of a multicast group in the VLAN multicast static group group address interface interface list Required By default no port is configured as a static multi...

Page 307: ...witch will respond As a result the port of the VLAN can continue to receive multicast traffic Through this configuration the following functions can be implemented z When an Ethernet port is configure...

Page 308: ...apping vlan vlan id Required By default the VLAN tag in IGMP general and group specific query messages is not changed It is not recommended to configure this function while the multicast VLAN function...

Page 309: ...ticast VLAN if the port type is hybrid Follow these steps to configure multicast VLAN on the Layer 2 switch To do Use the command Remarks Enter system view system view Enable IGMP Snooping igmp snoopi...

Page 310: ...ame time Displaying and Maintaining IGMP Snooping To do Use the command Remarks Display the current IGMP Snooping configuration display igmp snooping configuration Available in any view Display IGMP S...

Page 311: ...e PIM DM on each interface and enable IGMP on Ethernet 1 0 1 RouterA system view RouterA multicast routing enable RouterA interface Ethernet 1 0 1 RouterA Ethernet1 0 1 igmp enable RouterA Ethernet1 0...

Page 312: ...ports Ethernet 1 0 3 and Ethernet 1 0 4 This means that Host A and Host B have joined the multicast group 224 1 1 1 Configuring Multicast VLAN Network requirements As shown in Figure 3 4 Workstation i...

Page 313: ...ext describes the configuration details You can also configure these ports as trunk ports The configuration procedure is omitted here For details see Configuring Multicast VLAN Configure a multicast V...

Page 314: ...st VLAN and then enable IGMP Snooping on it SwitchB vlan 2 to 3 Please wait Done SwitchB vlan 10 SwitchB vlan10 service type multicast SwitchB vlan10 igmp snooping enable SwitchB vlan10 quit Define Et...

Page 315: ...ng is disabled check whether it is disabled globally or in the specific VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globall...

Page 316: ...Guest VLAN 1 18 Configuring 802 1x Re Authentication 1 18 Configuring the 802 1x Re Authentication Timer 1 19 Displaying and Maintaining 802 1x Configuration 1 20 Configuration Example 1 20 802 1x Co...

Page 317: ...4 1 Configuring System Guard 4 1 Configuring System Guard Against IP Attacks 4 1 Configuring System Guard Against TCN Attacks 4 2 Enabling Layer 3 Error Control 4 3 Displaying and Maintaining System...

Page 318: ...port based network access control protocol It is used to perform port level authentication and control of devices connected to the 802 1x enabled ports With the 802 1x protocol employed a user side d...

Page 319: ...s user name password the VLAN a user should belong to priority and any Access Control Lists ACLs to be applied There are four additional basic concepts related 802 1x port access entity PAE controlled...

Page 320: ...he Mechanism of an 802 1x Authentication System IEEE 802 1x authentication system uses the Extensible Authentication Protocol EAP to exchange information between the supplicant system and the authenti...

Page 321: ...ength field indicates the size of the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note that EAPoL Start EAPoL...

Page 322: ...to a RADIUS protocol packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA Operation for information about the format of a RADIUS protocol packet The EAP messag...

Page 323: ...icant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys z EAP TLS allows the suppl...

Page 324: ...est identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP response identity packet to the switch with the user name contained in it The switch then...

Page 325: ...e if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authenticating ways used on the supplicant system and the RADIUS server are the same However...

Page 326: ...Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake peri...

Page 327: ...ulticast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multicast request identity packets z Client version r...

Page 328: ...ersion check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 802 1x client to prevent unauthorized users or...

Page 329: ...user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and password or however use re...

Page 330: ...he AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and passwords...

Page 331: ...quit Optional By default an 802 1x enabled port operates in the auto mode In system view dot1x port method macbased portbased interface interface list interface interface type interface number dot1x p...

Page 332: ...e acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packe...

Page 333: ...in port view In this case this command applies to the current port only and the interface list argument is not needed z As for the configuration of 802 1x timers the default values are recommended Ad...

Page 334: ...Checking Follow these steps to configure client version checking To do Use the command Remarks Enter system view system view In system view dot1x version check interface interface list interface inter...

Page 335: ...ased Required The default access control method on a port is MAC based That is the macbased keyword is used by default In system view dot1x guest vlan vlan id interface interface list interface interf...

Page 336: ...ch the switch determines the re authentication interval in one of the following two ways z The switch uses the value of the Session timeout attribute field of the Access Accept packet sent by the RADI...

Page 337: ...connection is terminated if the total size of the data passes through it during a period of 20 minutes is less than 2 000 bytes z The switch is connected to a server comprising of two RADIUS servers w...

Page 338: ...based is the default Sysname dot1x port method macbased interface Ethernet 1 0 1 Create a RADIUS scheme named radius1 and enter RADIUS scheme view Sysname radius scheme radius1 Assign IP addresses to...

Page 339: ...nd enter its view Sysname domain aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme Sysname isp aa...

Page 340: ...ck EAD Deployment Quick EAD deployment is achieved with the two functions restricted access and HTTP redirection Restricted access Before passing 802 1x authentication a user is restricted through ACL...

Page 341: ...onfiguring a free IP range z With dot1x enabled but quick EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obt...

Page 342: ...Use the command Remarks Enter system view system view Set the ACL timer dot1x timer acl timeout acl timeout value Required By default the ACL timeout period is 30 minutes Displaying and Maintaining Q...

Page 343: ...ormat other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and trie...

Page 344: ...anagement devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server...

Page 345: ...servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to configure an HA...

Page 346: ...re received on the ports If a port receives an excessive number of TCN TC packets within a given period of time the switch sends only one TCN TC packet in every 10 seconds to the CPU and discards the...

Page 347: ...a period of 10 seconds the system considers that it is being attacked the system sorts out the source IP address and decreases the precedence of delivering packets from the source IP address to the C...

Page 348: ...and Maintaining System Guard Configuration To do Use the command Remarks Display the monitoring result and parameter settings of System Guard against IP attacks display system guard ip state Display...

Page 349: ...US Servers to be Supported 2 14 Configuring the Status of RADIUS Servers 2 15 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 15 Configuring the Local RADIUS Server 2 17 Configuring...

Page 350: ...orization of Telnet Users 2 29 Troubleshooting AAA 2 30 Troubleshooting RADIUS Configuration 2 30 Troubleshooting HWTACACS Configuration 2 31 3 EAD Configuration 3 1 Introduction to EAD 3 1 Typical Ne...

Page 351: ...this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage c...

Page 352: ...r structure It can prevent unauthorized access to your network and is commonly used in network environments where both high security and remote user access service are required The RADIUS service invo...

Page 353: ...e 1 2 depicts the message exchange procedure between user switch and RADIUS server Figure 1 2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 1...

Page 354: ...timer management retransmission and backup server Figure 1 3 depicts the format of RADIUS messages Figure 1 3 RADIUS message format 1 The Code field one byte decides the type of RADIUS message as sho...

Page 355: ...arded 4 The Authenticator field 16 bytes is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authenti...

Page 356: ...or occupies four bytes where the first byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Le...

Page 357: ...mmand authorization Does not support In a typical HWTACACS application as shown in 0 a terminal user needs to log into the switch to perform some operations As a HWTACACS client the switch sends the u...

Page 358: ...client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client r...

Page 359: ...ends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS c...

Page 360: ...tes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of...

Page 361: ...e the form of the delimiter between the username and the ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain...

Page 362: ...counting server or fails to communicate with any accounting server when it performs accounting for a user it does not disconnect the user as long as the accounting optional command has been executed t...

Page 363: ...switch and a TACACS server is normal the local scheme is not used if the TACACS server is not reachable or there is a key error or NAS IP error the local scheme is used z If you execute the scheme loc...

Page 364: ...local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain When the scheme radius...

Page 365: ...ID assigned by the RADIUS authentication server the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID If no such a VLAN exists the switch first creates a VLAN with th...

Page 366: ...o implement dynamic VLAN assignment on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port Configuring the Attributes of a Local User When local scheme is chosen a...

Page 367: ...cess specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of...

Page 368: ...d with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentic...

Page 369: ...local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared K...

Page 370: ...n exchange between switch and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view refer to AAA Configuration...

Page 371: ...fy one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respecti...

Page 372: ...ing request that gets no response from the RADIUS accounting server and then retransmits the request to the RADIUS accounting server until it gets a response or the maximum number of transmission atte...

Page 373: ...no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Follow these steps to configure the maximum transmission attempts of a RADI...

Page 374: ...ry server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary servers are in active...

Page 375: ...giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet unit for outgoing RADIUS flows are byte and one pac...

Page 376: ...efault z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is...

Page 377: ...servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit th...

Page 378: ...when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the switch does not send trap message when a RADIUS server is down z This configuration t...

Page 379: ...se from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting On...

Page 380: ...TACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to creat...

Page 381: ...horization Servers Follow these steps to configure TACACS authorization servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme...

Page 382: ...nal By default the stop accounting messages retransmission function is enabled and the system can transmit a buffered stop accounting request for 100 times z You are not allowed to configure the same...

Page 383: ...ain names data flow format data byte giga byte kilo byte mega byte Set the units of data flows to TACACS servers data flow format packet giga packet kilo packet mega packet one packet Optional By defa...

Page 384: ...y sends online users accounting information to the TACACS server at the set interval z The real time accounting interval must be a multiple of 3 z The setting of real time accounting interval somewhat...

Page 385: ...tics reset radius statistics Available in user view Displaying and Maintaining HWTACACS Protocol Configuration To do Use the command Remarks Display the configuration or statistic information about on...

Page 386: ...nd login passwords The Telnet usernames added to the RADIUS server must be in the format of userid isp name if you have configured the switch to include domain names in the usernames to be sent to the...

Page 387: ...ly takes Telnet users as example to describe the configuration procedure for local authentication Network requirements In the network environment shown in Figure 2 2 you are required to configure the...

Page 388: ...respectively z Configure local users HWTACACS Authentication and Authorization of Telnet Users Network requirements You are required to configure the switch so that the Telnet users logging into the...

Page 389: ...ure to input the correct password z The switch and the RADIUS server have different shared keys Compare the shared keys at the two ends make sure they are identical z The switch cannot communicate wit...

Page 390: ...2 31 Troubleshooting HWTACACS Configuration See the previous section if you encounter an HWTACACS fault...

Page 391: ...Dynamically adjusts the VLAN rate and packet scheduling priority for user terminals according to session control packets whereby to control the access rights of users dynamically Typical Network Appl...

Page 392: ...Each RADIUS scheme supports up to eight IP addresses of security policy servers EAD Configuration Example Network requirements In Figure 3 2 z A user is connected to Ethernet 1 0 1 on the switch z The...

Page 393: ...system view Sysname domain system Sysname isp system quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams account...

Page 394: ...1 2 Quiet MAC Address 1 2 Configuring Basic MAC Address Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 3 MAC Address Authentication Enhanced Function Config...

Page 395: ...itch in advance In this case the user name the password and the limits on the total number of user names are the matching criterion for successful authentication For details refer to AAA of this manua...

Page 396: ...from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Quiet MAC Address When a user fails MAC address...

Page 397: ...dress authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default timeout values are as follows 300 se...

Page 398: ...to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the ne...

Page 399: ...adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in...

Page 400: ...cation cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuring the Maximum Num...

Page 401: ...ac authentication interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type inter...

Page 402: ...ISP domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the...

Page 403: ...k Detection 2 1 Introduction to ARP Packet Rate Limit 2 3 Introduction to ARP Packet Filtering Based on Gateway s Address 2 3 Configuring ARP Attack Defense 2 4 ARP Attack Defense Configuration Task L...

Page 404: ...device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address...

Page 405: ...efer to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in by...

Page 406: ...Dynamically generated ARP entries of this type age with time The aging period is set by the ARP aging timer ARP Process Figure 1 2 ARP process Suppose that Host A and Host B are on the same subnet and...

Page 407: ...ardware address stored in their caches With the gratuitous ARP packet learning function enabled A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic...

Page 408: ...ntries cannot be configured on the ports of an aggregation group Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view E...

Page 409: ...isplay arp timer aging Available in any view Clear specific ARP entries reset arp dynamic static interface interface type interface number Available in user view ARP Configuration Examples Network req...

Page 410: ...tacks you can configure ARP source MAC address consistency check on S4500 series Ethernet switches operating as gateways With this function the device can verify whether an ARP packet is valid by chec...

Page 411: ...appings of authenticated 802 1x users according to different network environments z If all the clients connected to the switch use IP addresses obtained through DHCP you are recommended to enable DHCP...

Page 412: ...P packets received on the port within each second If the number of ARP packets received on the port per second exceeds the preconfigured value the switch considers that the port is attacked by ARP pac...

Page 413: ...z To filter ARP attack packets arriving on the upstream port you can bind the IP and MAC addresses of the gateway to the cascaded port or upstream port of the access switch After that the port will di...

Page 414: ...N Interface Can Learn Follow these steps to configure the maximum number of dynamic ARP entries that a VLAN interface can learn To do Use the command Remarks Enter system view system view Enter VLAN i...

Page 415: ...ess or based on gateway s IP and MAC addresses on an Ethernet port Generally ARP packet filtering based on gateway s IP address is configured on the switch s port directly connected to a host and ARP...

Page 416: ...tatic IP binding entries on the switch These functions can cooperate with ARP attack detection to check the validity of packets z You need to use ARP attack detection based on authenticated 802 1x cli...

Page 417: ...you can configure the port state auto recovery interval z You are not recommended to configure the ARP packet rate limit function on the ports of a fabric or an aggregation group ARP Attack Defense Co...

Page 418: ...e the ARP packet rate limit function on Ethernet 1 0 2 and set the maximum ARP packet rate allowed on the port to 20 pps SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 arp rate limit enable Sw...

Page 419: ...C 000D 88F8 528C Gateway Host A Host B Configuration Procedures Enter system view Switch system view Configure ARP packet filtering based on the gateway s IP and MAC addresses on Ethernet 1 0 1 Switch...

Page 420: ...A Vlan int 192 168 1 1 24 Configuration Procedures Enter system view SwitchA system view Enable ARP source MAC address consistency check SwitchA arp anti attack valid check enable Enter VLAN interface...

Page 421: ...N 1 Switch vlan 1 Switch vlan1 arp detection enable Switch vlan1 quit Configure Ethernet 1 0 2 and Ethernet 1 0 3 as ARP trusted ports Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 arp detectio...

Page 422: ...g WINS Servers for the DHCP Client 2 10 Configuring Gateways for the DHCP Client 2 11 Configuring BIMS Server Information for the DHCP Client 2 11 Configuring Option 184 Parameters for the Client with...

Page 423: ...r Group with a Relay Agent Interface 3 4 Configuring DHCP Relay Agent Security Functions 3 5 Configuring the DHCP Relay Agent to Support Option 82 3 7 Displaying and Maintaining DHCP Relay Agent Confi...

Page 424: ...tion 6 1 Introduction to DHCP Client 6 1 Introduction to BOOTP Client 6 1 Configuring a DHCP BOOTP Client 6 2 DHCP Client Configuration Example 6 3 BOOTP Client Configuration Example 6 3 Displaying DH...

Page 425: ...iguration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration parameters and the DHCP servers retu...

Page 426: ...R packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge In this phase the DHCP servers acknowledge the I...

Page 427: ...llowing figure describes the packet format the number in the brackets indicates the field length in bytes Figure 1 2 DHCP packet format The fields are described as follows z op Operation types of DHCP...

Page 428: ...type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol...

Page 429: ...z Large sized networks where manual configuration method bears heavy load and is difficult to manage the whole network in centralized way z Networks where the number of available IP addresses is less...

Page 430: ...e you just need to configure them on the network segment or the corresponding subnets The following is the details of configuration inheritance 1 A newly created child address pool inherits the config...

Page 431: ...found in a proper DHCP address pool 5 If no IP address is available the DHCP server queries lease expired and conflicted IP addresses If the DHCP server finds such IP addresses it assigns them otherwi...

Page 432: ...it adopts the configurations on the new XRN system And you need to perform DHCP server configurations if the new XRN system does not have DHCP server related configurations z In an XRN system the UDP...

Page 433: ...ace s Required Creating a DHCP Global Address Pool Required Configuring the static IP address allocation mode Configuring an Address Allocation Mode for the Global Address Pool Configuring the dynamic...

Page 434: ...ol and only one mode can be configured for one DHCP global address pool For dynamic IP address allocation you need to specify the range of the IP addresses to be dynamically assigned But for static IP...

Page 435: ...equired By default no MAC address or client ID to which an IP address is to be statically bound is configured z The static bind ip address command and the static bind mac address command or the static...

Page 436: ...ts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ...

Page 437: ...bout DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address p...

Page 438: ...WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding...

Page 439: ...efore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP clie...

Page 440: ...option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function...

Page 441: ...onse packet to be sent to the DHCP client Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184 does the DHCP server add Option 184 in the response packet...

Page 442: ...e DHCP server but you do not need to perform any configuration on the DHCP client When Option 55 in a client s request contains parameters of Option 66 Option 67 or Option 150 the DHCP server will ret...

Page 443: ...s and those obtained from interface address pools are not on the same network segment so the clients cannot communicate with each other Therefore in the interface address pool mode if the DHCP clients...

Page 444: ...ign to a client is the primary IP address of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses fro...

Page 445: ...ly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC address...

Page 446: ...o be dynamically assigned is unnecessary To avoid address conflicts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbi...

Page 447: ...DHCP server The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client Follow these steps to configure a domain name suffix for the client To do Use the...

Page 448: ...etBIOS nodes fall into the following four categories z B node Nodes of this type establish their mappings through broadcasting The character b stands for the word broadcast The source node obtains the...

Page 449: ...nterface number all Required By default no NetBIOS node type is specified If b node is specified for the client you don t need to specify any WINS server address Configuring BIMS Server Information fo...

Page 450: ...ig ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network calling processor dhcp server voice c...

Page 451: ...ootfile name bootfile name all interface interface type interface number Optional Not specified by default Configuring a Self Defined DHCP Option By configuring self defined DHCP options you can z Def...

Page 452: ...nformation to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable the unauthorize...

Page 453: ...t For the authentication process of the DHCP server acting as a RADIUS client refer to AAA Operation in this manual The following describes only the accounting interaction between DHCP server and RADI...

Page 454: ...CP Server to Process Option 82 If a DHCP server is enabled to process Option 82 after the DHCP server receives packets containing Option 82 the DHCP server adds Option 82 into the responses when assig...

Page 455: ...pe interface number all Clear the statistics on a DHCP server reset dhcp server statistics Available in user view Executing the save command will not save the lease information on a DHCP server to the...

Page 456: ...s for example gateway also are based on the configuration of the parent address pool For example in the network to which VLAN interface 1 is connected if multiple clients apply for IP addresses the ch...

Page 457: ...p server ip pool 1 SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 SwitchA dhcp pool 1 gateway list 10 1 1 126 SwitchA dhcp pool 1 expired day 10 hour 12 SwitchA dhcp pool 1 nbns list 10 1 1...

Page 458: ...4 Sysname vlan 2 Sysname vlan2 port ethernet 1 0 1 Sysname vlan2 quit Sysname interface vlan interface 2 Sysname Vlan interface2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configur...

Page 459: ...gram Figure 2 3 Network diagram for DHCP accounting configuration Configuration procedure Enter system view Sysname system view Create VLAN 2 Sysname vlan 2 Sysname vlan2 quit Create VLAN 3 Sysname vl...

Page 460: ...Analysis With DHCP enabled IP address conflicts are usually caused by IP addresses that are manually configured on hosts Solution z Disconnect the DHCP client from the network and then check whether...

Page 461: ...the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment that is you need to de...

Page 462: ...he DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further implement security control and accounting The Option 82...

Page 463: ...cket with its own or leaves the original Option 82 unchanged in the packet and forwards the packet if not discarded to the DHCP server z If the request packet does not contain Option 82 the DHCP relay...

Page 464: ...m view Enable DHCP dhcp enable Required Enabled by default Correlating a DHCP Server Group with a Relay Agent Interface To enhance reliability you can set multiple DHCP servers on the same network The...

Page 465: ...re the group number specified in the dhcp server groupNo command in VLAN interface view by using the command dhcp server groupNo ip ip address 1 8 in advance Configuring DHCP Relay Agent Security Func...

Page 466: ...gh unicast when the DHCP clients release IP addresses the user address entries maintained by the DHCP cannot be updated in time You can solve this problem by enabling the DHCP relay agent handshake fu...

Page 467: ...view system view Enable unauthorized DHCP server detection dhcp server detect Required Disabled by default With the unauthorized DHCP server detection enabled the relay agent will log all DHCP server...

Page 468: ...y Agent Configuration To do Use the command Remarks Display the information about a specified DHCP server group display dhcp server groupNo Display the information about the DHCP server group to which...

Page 469: ...configurations on the DHCP server to enable the DHCP clients to obtain IP addresses from the DHCP server The DHCP server configurations vary with different DHCP server devices so the configurations ar...

Page 470: ...e DHCP server z Check the DHCP relay agent Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides Check if the IP address of...

Page 471: ...network layer z Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains...

Page 472: ...as follows z sub option 1 circuit ID sub option Padded with the port index smaller than the physical port number by 1 and VLAN ID of the port that received the client s request z sub option 2 remote...

Page 473: ...est containing Option 82 it will handle the packet according to the handling policy and the configured contents in sub options For details see Table 4 1 Table 4 1 Ways of handling a DHCP packet with O...

Page 474: ...or will directly forward the packet if the packet does not contain the Option 82 field Introduction to IP Filtering A denial of service DoS attack means an attempt of an attacker sending a large numb...

Page 475: ...e IP static binding table or IP to MAC mappings of authenticated 802 1x clients according to actual network requirements The switch can filter IP packets in the following modes z Filtering packets bas...

Page 476: ...ve Q in Q function on the switch which may result in the DHCP snooping to function abnormally Configuring DHCP Snooping to Support Option 82 Enable DHCP snooping and specify trusted ports on the switc...

Page 477: ...iguration overrides the globally configured handling policy for requests received on this port while the globally configured handling policy applies on those ports where a handling policy is not nativ...

Page 478: ...igured on the primary port z The circuit ID sub option configured on a port will neither be synchronized in the case of port aggregation nor support XRN Configuring the remote ID sub option You can co...

Page 479: ...m other VLANs z In a port aggregation group you can use this command to configure the primary and member ports respectively When Option 82 is added however the remote ID is subject to the one configur...

Page 480: ...clients can be updated for corresponding IP to MAC entries you are recommended to enable 802 1x authentication handshake function otherwise you need to disable 802 1x authentication triggered by DHCP...

Page 481: ...ly connected to Client A Client B and Client C z Enable DHCP snooping on the switch z Specify Ethernet 1 0 5 on the switch as a trusted port for DHCP snooping z Enable DHCP snooping Option 82 support...

Page 482: ...he DHCP server and Ethernet 1 0 2 is connected to Host A The IP address and MAC address of Host A are 1 1 1 1 and 0001 0001 0001 respectively Ethernet 1 0 3 and Ethernet 1 0 4 are connected to DHCP Cl...

Page 483: ...0 2 Switch Ethernet1 0 2 ip check source ip address mac address Switch Ethernet1 0 2 quit Switch interface ethernet 1 0 3 Switch Ethernet1 0 3 ip check source ip address mac address Switch Ethernet1 0...

Page 484: ...us impact on the device CPU For details about ARP packet rate limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit...

Page 485: ...t state auto recovery function is disabled Set the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds z Enab...

Page 486: ...witch Networking diagram Figure 5 1 Network diagram for DHCP packet rate limit configuration Configuration procedure Enable DHCP snooping on the switch Switch system view Switch dhcp snooping Specify...

Page 487: ...5 4 Sysname Ethernet1 0 11 dhcp rate limit 100...

Page 488: ...pecify an interface as a Bootstrap Protocol BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP...

Page 489: ...ailed information about the default route run the display ip routing table command on the switch z If a switch belongs to an XRN fabric you need to enable the UDP Helper function on the switch before...

Page 490: ...ment Switch B s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Network diagram See Figure 2 1 Configuration procedure The fo...

Page 491: ...pplying ACL Rules on Ports 1 10 Applying ACL Rules to Ports in a VLAN 1 10 Displaying and Maintaining ACL Configuration 1 11 Examples for Upper layer Software Referencing ACLs 1 11 Example for Control...

Page 492: ...port numbers carried in the packets According to their application purposes ACLs fall into the following four types z Basic ACL Rules are created based on source IP addresses only z Advanced ACL Rule...

Page 493: ...dence fragment Comparison rules are listed below z The smaller the weighting value left which is a fixed weighting value minus the weighting value of every parameter of the rule the higher the match p...

Page 494: ...ftware for packet filtering ACL Configuration Task List Complete the following tasks to configure ACL Task Remarks Configuring Time Range Optional Configuring Basic ACL Required Configuring Advanced A...

Page 495: ...ange is active only when the system time is within one of the absolute time sections z If both a periodic time section and an absolute time section are defined in a time range the time range is active...

Page 496: ...tion about rule string refer to ACL Command Configure a description string to the ACL description text Optional Not configured by default Note that z With the config match order specified for the basi...

Page 497: ...Using advanced ACLs you can define classification rules that are more accurate more abundant and more flexible than those defined for basic ACLs Configuration prerequisites z To configure a time range...

Page 498: ...ced from the network 129 9 0 0 16 and destined for the network 202 38 160 0 24 and with the destination port number being 80 Sysname system view Sysname acl number 3000 Sysname acl adv 3000 rule permi...

Page 499: ...ication or creation will fail and the system prompts that the rule already exists Configuration example Configure ACL 4000 to deny packets sourced from the MAC address 000d 88f5 97ed destined for the...

Page 500: ...you modify the rule string rule mask offset combinations however the new combinations will replace all of the original ones z If you do not specify the rule id argument when creating an ACL rule the...

Page 501: ...L Commands Configuration example Apply ACL 2000 on Ethernet 1 0 1 to filter inbound packets Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 20...

Page 502: ...the command Remarks Display a configured ACL or all the ACLs display acl all acl number Display a time range or all the time ranges display time range all time name Display information about packet f...

Page 503: ...through HTTP Network diagram Figure 1 2 Network diagram for controlling Web login users by source IP Switch PC 10 110 100 46 Internet Configuration procedure Define ACL 2001 Sysname system view Sysnam...

Page 504: ...Sysname acl basic 2000 quit Apply ACL 2000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 2000 Advanced ACL Configuration Example Network requi...

Page 505: ...011 0011 Apply an ACL to filter packets with the source MAC address of 0011 0011 0011 and the destination MAC address of 0011 0011 0012 from 8 00 to 18 00 everyday Network diagram Figure 1 5 Network d...

Page 506: ...192 168 0 1 from 8 00 to 18 00 everyday provided that VLAN VPN is not enabled on any port In the ACL rule 0806 is the ARP protocol number ffff is the mask of the rule 16 is the protocol type field of...

Page 507: ...ime range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname...

Page 508: ...nce 1 12 Traffic mirroring 1 13 QoS Configuration 1 13 Configuring Priority Trust Mode 1 13 Configuring the Mapping between 802 1p Priority and Local Precedence 1 14 Setting the Priority of Protocol P...

Page 509: ...urces of the network Network resources available to the packets completely depend on the time they arrive This service policy is known as Best effort which delivers the packets to their destination wi...

Page 510: ...onfines traffic to a specific specification and is usually applied in the inbound direction of a port You can configure restriction or penalty measures against the exceeding traffic to protect carrier...

Page 511: ...series z Priority trust mode z Protocol packet priority z Line rate z For information about priority trust mode refer to Priority Trust Mode z For information about specifying priority for protocol pa...

Page 512: ...icate ToS precedence in the range of 0 to 15 z In RFC2474 the ToS field in IP packet header is also known as DS field The first six bits bit 0 through bit 5 of the DS field indicate differentiated ser...

Page 513: ...s a special class without any assurance in the CS class The AF class can be degraded to the BE class if it exceeds the limit Current IP network traffic belongs to this class by default Table 1 3 Descr...

Page 514: ...1p priority also known as CoS precedence which ranges from 0 to 7 Table 1 4 Description on 802 1p priority 802 1p priority decimal 802 1p priority binary Description 0 000 best effort 1 001 backgroun...

Page 515: ...is 0 z Trusting port priority In this mode the switch replaces the 802 1p priority of the received packet with the port priority searches for the local precedence corresponding to the port priority o...

Page 516: ...ted resources during a time period to avoid network congestion caused by excessive bursts Traffic policing is a kind of traffic control policy used to limit the traffic and the resource occupied by su...

Page 517: ...riority of the packets Traffic policing is widely used in policing the traffic into the network of internet service providers ISPs Traffic policing can identify the policed traffic and perform pre def...

Page 518: ...3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the que...

Page 519: ...WFQ can classify the traffic automatically according to the session information of traffic including the protocol types source and destination TCP or UDP port numbers source and destination IP address...

Page 520: ...f a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use Congestion Avoidance Congestion may cause network resource unavailable and thus need to be pre...

Page 521: ...different rates in any case and the link bandwidth can be fully utilized Traffic mirroring Traffic mirroring identifies traffic using ACLs and duplicates the matched packets to the destination mirrori...

Page 522: ...on Ethernet 1 0 1 and set the priority of Ethernet 1 0 1 to 7 Configuration procedure Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 priority 7 z Configure to trust packet p...

Page 523: ...edence map 2 3 4 1 7 0 5 6 Sysname display qos cos local precedence map cos local precedence map cos 802 1p 0 1 2 3 4 5 6 7 local precedence queue 2 3 4 1 7 0 5 6 Setting the Priority of Protocol Pack...

Page 524: ...precedence of the packets Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification have been specified Refer t...

Page 525: ...ce Ethernet1 0 1 Sysname Ethernet1 0 1 traffic priority inbound ip group 2000 dscp 56 2 Method II Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 2...

Page 526: ...network segment setting the rate to 128 kbps z Mark the DSCP precedence as 56 for the inbound packets exceeding the rate limit Configuration procedure Sysname system view Sysname acl number 2000 Sysna...

Page 527: ...equisites z The ACL rules used for traffic classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The ports on which the configuration is to...

Page 528: ...ueue0 weight queue1 weight queue2 weight queue3 weight queue4 weight queue5 weight queue6 weight queue7 weight Required By default the queue scheduling algorithm adopted on all the ports is WRR The de...

Page 529: ...weight or bandwidth value takes effect only on the port z The display queue scheduler command cannot display the queue weight or bandwidth value specified in Ethernet port view Configuration example...

Page 530: ...ined Refer to the ACL module of this manual for information about defining ACL rules z The source mirroring ports and mirroring direction have been determined z The destination mirroring port has been...

Page 531: ...command Remarks Display the mapping between 802 1p priority and local precedence display qos cos local precedence map Display the priority marking configuration display qos interface interface type i...

Page 532: ...op the packets exceeding the rate limit Network diagram Figure 1 9 Network diagram for traffic policing and rate limiting configuration Configuration procedure 1 Define an ACL for traffic classificati...

Page 533: ...twork diagram Figure 1 10 Network diagram for priority marking and queue scheduling configuration PC 3 PC 2 PC 1 Switch Eth1 0 1 Server 1 192 168 0 1 PC 6 Eth1 0 2 Server 2 192 168 0 2 Server 3 192 16...

Page 534: ...etwork VLANs z Switch A provides network access for terminal devices in VLAN 100 and VLAN 200 through Ethernet 1 0 11 and Ethernet 1 0 12 On the other side of the public network Switch B provides netw...

Page 535: ...Ethernet1 0 12 port trunk pvid vlan 200 SwitchA Ethernet1 0 12 port trunk permit vlan 200 600 SwitchA Ethernet1 0 12 quit Configure Ethernet 1 0 10 of Switch A as a trunk port and assign it to VLAN 10...

Page 536: ...c remark vlanid inbound link group 4001 remark vlan 600 SwitchA Ethernet1 0 12 quit Configure VLAN mapping on Ethernet 1 0 10 to replace VLAN tag 500 with VLAN tag 100 and replace VLAN tag 600 with VL...

Page 537: ...roring 1 2 Traffic Mirroring 1 3 Mirroring Configuration 1 3 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 4 Displaying and Maintaining Port Mirroring 1 7 Mirroring Configur...

Page 538: ...e mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port as shown in the following figure Figure 1 1 Mirroring...

Page 539: ...switch through the remote probe VLAN z Intermediate switch Intermediate switches are switches between the source switch and destination switch on the network An intermediate switch forwards mirrored t...

Page 540: ...3 interface for the remote probe VLAN run other protocol packets or carry other service packets on the remote prove VLAN and do not use the remote prove VLAN as the voice VLAN and protocol VLAN otherw...

Page 541: ...system view or you can configure the source port in specific port view The configurations in the two views have the same effect In system view mirroring group group id monitor port monitor port id int...

Page 542: ...uired By default the port type is Access Configure the trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Return to system view quit Create a...

Page 543: ...h To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as the remote probe V...

Page 544: ...monitor port monitor port Required Configure the remote probe VLAN for the remote destination mirroring group mirroring group group id remote probe vlan remote probe vlan id Required When configuring...

Page 545: ...t mirroring function to meet the requirement Perform the following configurations on Switch C z Configure Ethernet 1 0 1 and Ethernet 1 0 2 as mirroring source ports z Configure Ethernet 1 0 3 as the...

Page 546: ...or the packets sent from Department 1 and 2 through the data detection device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the...

Page 547: ...trunk Sysname Ethernet1 0 3 port trunk permit vlan 10 Sysname Ethernet1 0 3 quit Display configuration information about remote source mirroring group 1 Sysname display mirroring group 1 mirroring gro...

Page 548: ...group 1 monitor port Ethernet 1 0 2 Sysname mirroring group 1 remote probe vlan 10 Configure Ethernet 1 0 1 as the trunk port allowing packets of VLAN 10 to pass Sysname interface Ethernet 1 0 1 Sysna...

Page 549: ...ng the Fabric Port of a Switch 1 5 Specifying the VLAN Used to Form an XRN Fabric 1 6 Setting a Unit ID for a Switch 1 7 Assigning a Unit Name to a Switch 1 8 Assigning an XRN Fabric Name to a Switch...

Page 550: ...an XRN fabric An XRN fabric typically has a bus topology structure As shown in Figure 1 1 each switch has two ports connected with two other switches in the fabric but the switches at both ends of the...

Page 551: ...one group of ports can be configured as fabric ports at a time Given a group either GigabitEthernet 1 0 25 49 or GigabitEthernet 1 0 27 51 can be configured as the left fabric port and either Gigabit...

Page 552: ...fabric ports of the same device that is the right port and the left port are connected Pull out one end of the cable and connect it to a fabric port of another switch The left and right fabric ports o...

Page 553: ...XRN function each device considers its Unit ID as 1 and after a fabric connection is established the FTM program automatically re numbers the devices or you can manually configure the Unit ID of them...

Page 554: ...these steps to specify a fabric port To do Use the command Remarks Enter system view system view Specify the fabric port of a switch fabric port interface type interface number enable Required Not spe...

Page 555: ...re an XRN fabric as a DHCP relay or DHCP client configure the UDP Helper function in the fabric at the same time to ensure that the client can successfully obtain an IP address Since this configuratio...

Page 556: ...hange the unit ID of the local switch After an XRN fabric is established you can use the following command to change the unit IDs of the switches in the XRN fabric Follow these steps to set a unit ID...

Page 557: ...Follow these steps to save the unit ID of each unit in the XRN fabric To do Use the command Remarks Save the unit ID of each unit in the XRN fabric fabric save unit id Optional Assigning a Unit Name...

Page 558: ...ic system does not perform your configuration properly In this case you need to verify your previous configuration or perform your configuration again Displaying and Maintaining XRN Fabric To do Use t...

Page 559: ...gure Switch B Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 25 enable Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 2 Sysname change unit id 1...

Page 560: ...mode simple welcome 4 Configure Switch D Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 4 Sysname change unit id 1 to 4 Configure the u...

Page 561: ...ent Device 1 9 Configuring Member Devices 1 14 Managing a Cluster through the Management Device 1 16 Configuring the Enhanced Cluster Features 1 17 Displaying and Maintaining Cluster Configuration 1 1...

Page 562: ...hrough Huawei Group Management Protocol HGMP HGMP version 2 HGMPv2 is used at present A switch in a cluster plays one of the following three roles z Management device z Member device z Candidate devic...

Page 563: ...very and display function which assists in monitoring and maintaining the network z It allows you to configure and upgrade multiple switches at the same time z It enables you to manage your remotely d...

Page 564: ...of a cluster z Discovers the information about its neighbors processes the commands forwarded by the management device and reports log The member devices of a luster are under the management of the m...

Page 565: ...cluster is established z All devices use NDP to collect the information about their neighbors including software version host name MAC address and port name z The management device uses NTDP to collec...

Page 566: ...cally You can also launch an operation of topology information collection by executing related commands The process of topology information collection is as follows z The management device sends NTDP...

Page 567: ...formation for you to establish the cluster z By collecting NDP NTDP information the management device learns network topology so as to manage and monitor network devices z Before performing any cluste...

Page 568: ...ithin the information holdtime it changes the state of the member device to Active otherwise it changes the state of the member device in Connect state to Disconnect in which case the management devic...

Page 569: ...re is only one network management interface on a management device any newly configured network management interface will overwrite the old one Tracing a device in a cluster In practice you need to im...

Page 570: ...ess entry corresponding to the IP address does not exist the trace of the device fails z To trace a specific device using the tracemac command make sure that all the devices passed support the tracema...

Page 571: ...is closed On the management device the preceding functions are implemented as follows z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z...

Page 572: ...red Enabled by default Configuring NTDP related parameters Follow these steps to configure NTDP related parameters To do Use the command Remarks Enter system view system view Configure the range to co...

Page 573: ...red By default VLAN 1 is used as the management VLAN Enter cluster view cluster Configure a IP address pool for the cluster ip pool administrator ip address ip mask ip mask length Required Build a clu...

Page 574: ...To do Use the command Remarks Enter system view system view Enter cluster view cluster Required Configure a shared FTP server for the cluster ftp server ip address Optional By default the management d...

Page 575: ...Vlan interface vlan id Required By default the management VLAN interface is used as the NM interface Configuring Member Devices Member device configuration task list Complete the following tasks to c...

Page 576: ...e device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 i...

Page 577: ...r of the cluster tftp cluster get source file destination file Optional Available in user view Upload a file to the shared TFTP server of the cluster tftp cluster put source file destination file Opti...

Page 578: ...evice When errors occur to the cluster topology you can replace the current topology with the standard cluster topology and restore the administrative device using the backup topology on the Flash mem...

Page 579: ...dard topology topology accept all save to local flash mac address mac address member id member id administrator Required Save the standard topology to the Flash memory of the administrative device top...

Page 580: ...t delete member member id to black list Optional Displays the information about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Displa...

Page 581: ...ter where z A Switch 4500 series switch serves as the management device z The rest are member devices Serving as the management device the Switch 4500 switch manages the two member devices The configu...

Page 582: ...ysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet 1 0 1 Sysname ntdp enable Sysname interface Ethernet 1 0 1 Sysname Ethe...

Page 583: ...ace Ethernet 1 0 2 Sysname Ethernet1 0 2 ntdp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet 1 0 3 Sysname Ethernet1 0 3 ntdp enable Sysname Ethernet1 0 3 quit Set the topology collectio...

Page 584: ...agement device to the cluster perform the following operations on a member device Connect the member device to the remote shared FTP server of the cluster aaa_1 Sysname ftp cluster Download the file n...

Page 585: ...4 Ethernet 1 0 2 Network diagram Figure 1 5 Network diagram for network management interface configuration FTP Server Switch A Switch C Vlan interface3 192 168 5 30 Eth1 0 1 Vlan interface 2 192 168 4...

Page 586: ...p pool 192 168 5 1 255 255 255 224 Name and build the cluster Sysname cluster build aaa aaa_0 Sysname cluster Configure VLAN interface 2 as the network management interface aaa_0 Sysname cluster aaa_0...

Page 587: ...gement device Member device Member device Member device 1 Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster b...

Page 588: ...ility Detection Function 1 5 Configuring a PD Disconnection Detection Mode 1 5 Configuring PoE Over Temperature Protection on the Switch 1 5 Upgrading the PSE Processing Software Online 1 6 Upgrading...

Page 589: ...rtable devices card readers network cameras and data collection system PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of...

Page 590: ...nism Using this mechanism the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE feature on all its ports when the t...

Page 591: ...Maximum Output Power on a Port The maximum power that can be supplied by each Ethernet electrical port of a PoE capable Switch 4500 to its PD is 15 400 mW In practice you can set the maximum power on...

Page 592: ...he PoE feature is enabled on the port perform the following configuration to set the PoE management mode and PoE priority of a port Follow these steps to set the PoE management mode and PoE priority o...

Page 593: ...ection mode Follow these steps to configure a PD disconnection detection mode To do Use the command Remarks Enter system view system view Configure a PD disconnection detection mode poe disconnect ac...

Page 594: ...aged that is no PoE command can be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in t...

Page 595: ...ay poe powersupply Display the status enabled disabled of the PoE over temperature protection feature on the switch display poe temperature protection Available in any view PoE Configuration Example P...

Page 596: ...wer of Ethernet 1 0 2 to 2500 mW SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 poe enable SwitchA Ethernet1 0 2 poe max power 2500 SwitchA Ethernet1 0 2 quit Enable the PoE feature on Etherne...

Page 597: ...e PoE features Features of PoE profile z Various PoE profiles can be created PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles These PoE profil...

Page 598: ...ch 4500 according to the following rules z When the apply poe profile command is used to apply a PoE profile to a port the PoE profile is applied successfully only if one PoE feature in the PoE profil...

Page 599: ...s of group A who have the following requirements z The PoE function can be enabled on all ports in use z Signal mode is used to supply power z The PoE priority for Ethernet 1 0 1 through Ethernet 1 0...

Page 600: ...Profile1 poe enable SwitchA poe profile Profile1 poe mode signal SwitchA poe profile Profile1 poe priority critical SwitchA poe profile Profile1 poe max power 3000 SwitchA poe profile Profile1 quit D...

Page 601: ...or Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile 1 to Ethernet 1 0 1 through Ethernet 1 0 5 ports SwitchA a...

Page 602: ...1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 2 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Example 1 3 Cross Network Computer Search Th...

Page 603: ...rver With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the pa...

Page 604: ...tch UDP broadcasts otherwise the configuration fails When the UDP helper function is disabled all configured UDP ports are disabled including the default ports z The dns netbios ds netbios ns tacacs t...

Page 605: ...an find PC B through computer search Broadcasts with UDP port 137 are used for searching Network diagram Figure 1 1 Network diagram for UDP Helper configuration Configuration procedure Enable UDP Help...

Page 606: ...tions 1 4 Configuring Basic Trap Functions 1 4 Configuring Extended Trap Function 1 5 Enabling Logging for Network Management 1 5 Displaying SNMP 1 6 SNMP Configuration Example 1 6 SNMP Configuration...

Page 607: ...ient program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and so on z Agent is server side software running on network devices such as switches...

Page 608: ...efined by the standard variables of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object ide...

Page 609: ...engine ID snmp agent local engineid engineid Optional By default the device engine ID is enterprise number device information Create Update the view information snmp agent mib view included excluded v...

Page 610: ...ib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 A Switch 4500 provides the following functions to prevent attacks through unu...

Page 611: ...old the traps to be sent to the destination host snmp agent trap queue size size Optional The default is 100 Set the aging time for traps snmp agent trap life seconds Optional 120 seconds by default C...

Page 612: ...Remarks Display the SNMP information about the current device display snmp agent sys info contact location version Display SNMP packet statistics display snmp agent statistics Display the engine ID o...

Page 613: ...entication and encryption z authentication protocol to HMAC MD5 z authentication password to passmd5 z encryption protocol to DES z encryption password to cfb128cfb128 Sysname snmp agent group v3 mana...

Page 614: ...00 params securityname public Configuring the NMS Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully For more inf...

Page 615: ...actory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facilitating the management of large scale internetworks Wor...

Page 616: ...alarm variables periodically z Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter Extended alarm group With extended alarm entry you can...

Page 617: ...event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable sampling time delta absolute...

Page 618: ...mation display rmon prialarm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry Available in any view RMON Configuration...

Page 619: ...ratio between samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1...

Page 620: ...10 Configuration Procedure 1 10 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 11 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 13 Configuring an Interface on...

Page 621: ...hronize or be synchronized by other systems by exchanging NTP messages Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensu...

Page 622: ...et as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized Implementation Principle of NTP Figure 1 1 shows the implementa...

Page 623: ...he NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Devic...

Page 624: ...y In peer mode both sides can be synchronized to each other Response packet In the symmetric peer mode the local S4500 Ethernet switch serves as the symmetric active peer and sends clock synchronizati...

Page 625: ...00 switch and the local switch serves as the symmetric active peer Broadcast mode z Configure the local S4500 Ethernet switch to work in NTP broadcast server mode In this mode the local switch broadca...

Page 626: ...nfigure NTP Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Di...

Page 627: ...p or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server z remote ip...

Page 628: ...ages through the source interface keyword the source IP address of the NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetri...

Page 629: ...server periodically sends NTP multicast messages to multicast clients The switches working in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization z...

Page 630: ...right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device z peer Peer access This...

Page 631: ...Configuring NTP authentication on the client z Configuring NTP authentication on the server Observe the following principles when configuring NTP authentication z If the NTP authentication function i...

Page 632: ...respo nding NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP bro...

Page 633: ...hile configuring NTP mode You can also use this command to associate them after configuring the NTP mode The procedure for configuring NTP authentication on the server is the same as that on the clien...

Page 634: ...associations will be created at the symmetric active peer side and dynamic associations will be created at the symmetric passive peer side In the broadcast or multicast mode static associations will...

Page 635: ...automatically work in the server mode Network diagram Figure 1 6 Network diagram for the NTP server client mode configuration Configuration procedure Perform the following configurations on Device B...

Page 636: ...that Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 350 1 15 1 0 0 no...

Page 637: ...lay ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 32 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 66 ms Root d...

Page 638: ...m view Set Device C as the broadcast server which sends broadcast messages through VLAN interface 2 DeviceC interface Vlan interface 2 DeviceC Vlan interface2 ntp service broadcast server z Configure...

Page 639: ...ons of Device D and you can see that a connection is established between Device D and Device C DeviceD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1...

Page 640: ...ce 2 DeviceA Vlan interface2 ntp service multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own VLAN interface 2 and Device C...

Page 641: ...es Device A as the NTP server Device B is set to work in client mode while Device A works in server mode automatically z The NTP authentication function is enabled on Device A and Device B Network dia...

Page 642: ...status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequence 100 0000 Hz Actual frequence 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion...

Page 643: ...H Client 1 13 SSH Client Configuration Task List 1 13 Configuring an SSH Client that Runs SSH Client Software 1 13 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 19 Displaying and Maint...

Page 644: ...SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server...

Page 645: ...ignature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encr...

Page 646: ...ine whether it can cooperate with the client z If the negotiation is successful the server and the client go on to the key and algorithm negotiation If not the server breaks the TCP connection All the...

Page 647: ...y is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the authentication...

Page 648: ...functions Configuring the SSH Server Configuring an SSH Client that Runs SSH Client Software An 3Com switch Another 3Com switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2...

Page 649: ...Optional If a client does not support first time authentication you need to export the server s public key and configure the key on the client Note The SSH server needs to cooperate with an SSH clien...

Page 650: ...the interface corresponding to the IP address for the SSH server to provide SSH access services for clients In this way the SSH client accesses the SSH server only using the specified IP address This...

Page 651: ...ey pairs To do Use the command Remarks Enter system view system view Generate an RSA key pairs public key local create rsa Required By default no key pairs are generated z The command for generating a...

Page 652: ...server and authentication is implemented through the cooperation of the SSH server and the authentication server For AAA details refer to AAA Operation z Publickey authentication Publickey authentica...

Page 653: ...configured on the remote server to access the network z Under the publickey authentication mode the level of commands available to a logged in SSH user can be configured using the user privilege level...

Page 654: ...rated by the client to complete the configuration on the server but the client s public key should be transferred from the client to the server beforehand through FTP TFTP Follow these steps to config...

Page 655: ...SSH user ssh user username assign publickey keyname Required If you issue this command multiple times the last command overrides the previous ones Exporting the Host Public Key to a File In tasks of C...

Page 656: ...sword Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 Capable Switch The authentication mode is publickey Configuring an SSH Client that Runs SSH C...

Page 657: ...SSH connection you must select SSH z Selecting the SSH version Since the device supports only SSH2 0 now select 2 0 for the client z Specifying the private key file On the server if public key authen...

Page 658: ...x of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 4 Generate the client keys 2 After the key pair is generated click Save public k...

Page 659: ...e name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse a...

Page 660: ...ote that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 1 8 select SSH under Protocol Selecting an SS...

Page 661: ...tion From the window shown in Figure 1 9 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection T...

Page 662: ...ed for publickey authentication unnecessary for password authentication Configuring whether first time authentication is supported Optional Specifying a source IP address interface for the SSH client...

Page 663: ...first time authentication support To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Required By default the client is en...

Page 664: ...fer_kex dh_group1 dh_exchange_group prefer_ctos_cipher 3des des aes128 prefer_stoc_cipher 3des des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In...

Page 665: ...isplay information about the peer RSA public keys display rsa peer public key brief name keyname display public key peer brief name pubkey name Generate RSA key pairs rsa local key pair create public...

Page 666: ...e host SSH Client and the switch SSH Server for secure data exchange The host runs SSH2 0 client software Password authentication is required Network diagram Figure 1 11 Switch acts as server for loca...

Page 667: ...ord Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 0 2 in this case for the SSH client This IP address and that of the VLAN interface...

Page 668: ...ion succeeds you will log in to the server 1 1 1 When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 14 an SSH connection is required between th...

Page 669: ...ration from the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations...

Page 670: ...lo and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 16 Add an account for device management 2 Configure the SSH server Creat...

Page 671: ...Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme...

Page 672: ...ce 1 In the Host Name or IP address text box enter the IP address of the SSH server z From the category on the left pane of the window select Connection SSH The window as shown in Figure 1 18 appears...

Page 673: ...or secure data exchange Password and HWTACACS authentication is required z The host runs SSH2 0 client software to establish a local connection with the switch z The switch cooperates with an HWTACACS...

Page 674: ...s hwtac quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authen...

Page 675: ...word Once authentication succeeds you will log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACA...

Page 676: ...nt s command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Configure the authentication type of the SSH client named client 001 as publickey Switch ssh user client...

Page 677: ...nt key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 24 Otherwise the process bar stops moving and the key pa...

Page 678: ...for saving the public key public in this case Figure 1 25 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save t...

Page 679: ...ation before you continue to configure the client Establish a connection with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 27 SSH client configuration interface 1 In the...

Page 680: ...28 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 29 SSH client configurati...

Page 681: ...procedure z Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface...

Page 682: ...165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s...

Page 683: ...nbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify the authentication type of user client001 as publickey SwitchB ssh user cli...

Page 684: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to sa...

Page 685: ...public key local create rsa Set AAA authentication on user interfaces SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Configure the user interfaces to support SSH SwitchB u...

Page 686: ...ient s address in an SSH connection SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 255 255 255 0 SwitchA Vlan interface1 quit Generate a RSA ke...

Page 687: ...client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10 165 87 136 SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected...

Page 688: ...ile Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 4 File System Configuration Examples 1 4 File Attribute Configuration 1 5 Introduction to File Attributes 1 5 Booting with th...

Page 689: ...ry Operations Optional Prompt Mode Configuration Optional The 3com 4500 series Ethernet switches support Expandable Resilient Networking XRN and allow you to access a file on a switch in one of the fo...

Page 690: ...Only empty directories can be deleted by using the rmdir command z In the output information of the dir all command deleted files that is those stored in the recycle bin are embraced in brackets File...

Page 691: ...leted files whose names are the same only the latest deleted file is kept in the recycle bin and can be restored z The files which are deleted by the delete command without the unreserved keyword are...

Page 692: ...ration Examples Display all the files in the root directory of the file system on the local unit Sysname dir all Directory of unit1 flash 1 rw 5822215 Jan 01 1970 00 07 03 test bin 2 rwh 4 Apr 01 2000...

Page 693: ...b with both main and backup attribute File Attribute Configuration Introduction to File Attributes The following three startup files support file attribute configuration z App files An app file is an...

Page 694: ...ttribute If you download a valid file with the same name as the deleted file to the flash memory the file will possess the main attribute After the Boot ROM of a switch is upgraded the original defaul...

Page 695: ...enu startup bootrom access enable Optional By default the user is enabled to use the customized password to enter the BOOT menu Available in user view Display the information about the app file used a...

Page 696: ...ric File Backup and Restoration Configuration prerequisites Before performing the following operations you must first ensure that z The relevant units support TFTP client z The TFTP server is started...

Page 697: ...mple A Switch Operating as an FTP Server 1 9 FTP Banner Display Configuration Example 1 11 FTP Configuration A Switch Operating as an FTP Client 1 12 SFTP Configuration 1 14 SFTP Configuration A Switc...

Page 698: ...1 1 Roles that a 3com switch 4500 acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log...

Page 699: ...n FTP server Optional Disconnecting a specified user Optional Configuring the banner for an FTP server Optional FTP Configuration A Switch Operating as an FTP Server Displaying FTP server information...

Page 700: ...will be disconnected with the FTP server due to lack of storage space on the FTP server z When you log in to a Fabric consisting of multiple switches through an FTP client after the FTP client passes...

Page 701: ...interface and source IP address for an FTP server To do Use the command Remarks Enter system view system view Specify the source interface for an FTP server ftp server source interface interface type...

Page 702: ...connect the user after the data transmission is completed Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through...

Page 703: ...Use the command Remarks Display the information about FTP server configurations on a switch display ftp server Display the source IP address set for an FTP server display ftp server source ip Display...

Page 704: ...ectory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the re...

Page 705: ...nterface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP server Follow these steps to specify the source interface and source IP address for an FTP cl...

Page 706: ...switch operates as an FTP server and a remote PC as an FTP client The application switch bin of the switch is stored on the PC Upload the application to the remote switch through FTP and use the boot...

Page 707: ...t switch through FTP Input the username switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Password required f...

Page 708: ...is upgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and...

Page 709: ...quired for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operating as an FTP Client Network requirements A switch operates as an FTP client and a remote PC...

Page 710: ...to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP server the user n...

Page 711: ...l SFTP Configuration A Switch Operating as an SFTP Server Enabling an SFTP server Before enabling an SFTP server you need to enable the SSH server function and specify the service type of the SSH user...

Page 712: ...ers attempt to log in to the SFTP server or multiple connections are enabled on a client only the first user can log in to the SFTP user The subsequent connection will fail z When you upload a large f...

Page 713: ...y on the remote SFTP server rmdir pathname Optional delete remotefile Delete a specified file remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file...

Page 714: ...s Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP a...

Page 715: ...ication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user c...

Page 716: ...1 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Su...

Page 717: ...lly ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received sta...

Page 718: ...3com switch 4500 serving as a TFTP client downloads files from the TFTP server the seven segment digital LED on the front panel of the switch rotates clockwise and it stops rotating when the file dow...

Page 719: ...rce file dest file Optional Upload a file to a TFTP server tftp tftp server put source file dest file Optional Enter system view system view Set the file transmission mode tftp ascii binary Optional B...

Page 720: ...erface source IP address set for each connection That is for a connection between a TFTP client and a TFTP server if you specify the source interface source IP address only used for the connection thi...

Page 721: ...m through the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch con...

Page 722: ...2 5 For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual...

Page 723: ...stem Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the...

Page 724: ...gnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information...

Page 725: ...d output destinations Information channel number Default channel name Default output destination 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log t...

Page 726: ...le FTM Fabric topology management module FTMCMD Fabric topology management command module FTPS FTP server module HA High availability module HTTPD HTTP server module IFNET Interface management module...

Page 727: ...tions z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content z The...

Page 728: ...the time when system information is generated to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the f...

Page 729: ...anual for details Note that there is a space between the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn Th...

Page 730: ...on to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output...

Page 731: ...s to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is...

Page 732: ...en configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 4 Default output rules for different output destinations LOG...

Page 733: ...ch is a user terminal that has login connections through the AUX or VTY user interface Setting to output system information to a monitor terminal Follow these steps to set to output system information...

Page 734: ...stem information on a monitor terminal To do Use the command Remarks Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by default Enable debugging i...

Page 735: ...nnel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to...

Page 736: ...he command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the log buffer info center logbuffer channel...

Page 737: ...ration refer to the SNMP RMON part Displaying and Maintaining Information Center To do Use the command Remarks Display information on an information channel display channel channel number channel name...

Page 738: ...ce default channel loghost Configure the host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log h...

Page 739: ...the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations...

Page 740: ...separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same wit...

Page 741: ...le log information output to the console Permit ARP and IP modules to output log information with severity level higher than informational to the console Switch info center console channel console Swi...

Page 742: ...C time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch...

Page 743: ...ugging Status 2 3 Displaying Operating Information about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device Management 4 1 Introduction t...

Page 744: ...or information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading Introduction to Loading Approaches You can load s...

Page 745: ...eation date Sep 8 2008 14 35 39 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 00e0fc003962 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To ente...

Page 746: ...iation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the pack...

Page 747: ...0 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display th...

Page 748: ...baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start tr...

Page 749: ...to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done z If the HyperTerminal s baudrate is not reset to...

Page 750: ...the Console port of the switch and logs onto the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the...

Page 751: ...your choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name Switch btm Switch IP address 1 1 1 2 Ser...

Page 752: ...networks You can use the switch as an FTP client or a server and download software to the switch through an Ethernet port The following is an example Loading Procedure Using FTP Client z Loading Boot...

Page 753: ...download and update the program Upon completion the system displays the following information Loading done Bootrom updating done z Loading host software Follow these steps to load the host software S...

Page 754: ...P address is 10 1 1 1 to the switch Figure 1 8 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands Sysname ftp 10 1 1 1 Trying Press CTRL K to abort Connected...

Page 755: ...n the Flash memory before software downloading For information about deleting files refer to File System Management part of this manual z Ensure the power supply during software loading Loading Proced...

Page 756: ...sname ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP client software on the PC Refer to Fi...

Page 757: ...Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file...

Page 758: ...hat the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed abo...

Page 759: ...name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system r...

Page 760: ...information z Screen output switch which controls whether to display the debugging information on a certain screen Figure 2 1 illustrates the relationship between the protocol debugging switch and the...

Page 761: ...it id interface interface type interface number module name Display all enabled debugging in the Fabric by module display debugging fabric by module Available in any view Displaying Operating Informat...

Page 762: ...cket percentage and the minimum average and maximum values of response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This c...

Page 763: ...e switches in the Fabric z Identifying and Diagnosing Pluggable Transceivers Device Management Configuration Device Management Configuration Task list Complete the following tasks to configure device...

Page 764: ...d yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the delay time for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and s...

Page 765: ...Boot ROM With this command a remote user can conveniently upgrade the Boot ROM by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switch re...

Page 766: ...e 4 1 Table 4 1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable...

Page 767: ...gital diagnosis function which enables a transceiver to monitor the main parameters such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take...

Page 768: ...ration on the FTP server z Configure an FTP user whose name is switch and password is hello Authorize the user with the read write right on the directory Switch on the PC z Make configuration so that...

Page 769: ...er none switch 331 Give me your password please Password 230 Logged in successfully ftp 5 Enter the authorized path on the FTP server ftp cd switch 6 Execute the get command to download the switch bin...

Page 770: ...switch to upgrade the Boot ROM and host software of the switch Sysname reboot Start to check configuration with next startup configuration file please wait This command will reboot the device Current...

Page 771: ...1 4 Configuring the Inner to Outer Tag Priority Replicating and Mapping Feature 1 5 Displaying and Maintaining VLAN VPN Configuration 1 5 VLAN VPN Configuration Example 1 6 Transmitting User Packets t...

Page 772: ...cific ways establish dedicated tunnels for user traffic on public network devices and thus improve data security VLAN VPN feature is a simple yet flexible Layer 2 tunneling technology It tags private...

Page 773: ...f the default VLAN When a packet reaches a VLAN VPN enabled port z If the packet already carries a VLAN tag the packet becomes a dual tagged packet z Otherwise the packet becomes a packet carrying the...

Page 774: ...configuring inner to outer tag priority replicating or mapping for a VLAN VPN enabled port you can replicate the inner tag priority to the outer tag or assign outer tags of different priorities to pac...

Page 775: ...view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN feature is disabled on a port Configuri...

Page 776: ...r Enable the inner to outer tag priority replicating feature vlan vpn inner cos trust enable Enable the inner to outer tag priority mapping feature and create a priority mapping vlan vpn priority old...

Page 777: ...tches of other vendors are used in the public network They use the TPID value 0x9200 z Employ VLAN VPN on Switch A and Switch B to enable the PC users and PC servers to communicate with each through a...

Page 778: ...21 SwitchB Ethernet1 0 22 port link type trunk SwitchB Ethernet1 0 22 port trunk permit vlan 1040 z Do not configure VLAN 1040 as the default VLAN of Ethernet 1 0 12 of Switch A and Ethernet 1 0 22 of...

Page 779: ...ernet1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded through Ethernet1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN...

Page 780: ...e flexible You can classify the terminal users on the port connecting to the access layer device according to their VLAN tags and add different outer VLAN tags to these users In the public network you...

Page 781: ...port However the port with selective QinQ enabled can insert an outer VLAN tag other than that of the default VLAN to the packets Thus when packets are forwarded from the service provider to users th...

Page 782: ...e Inter VLAN MAC Address Replicating Feature Optional If XRN Fabric has been enabled on a device you cannot enable the VLAN VPN feature and the selective QinQ feature on any port of the device Enablin...

Page 783: ...tion are removed z MAC address entries obtained through the inter VLAN MAC address replicating feature cannot be removed manually To remove a MAC address entry of this kind you need to disable the int...

Page 784: ...tive QinQ Network diagram Figure 2 3 Network diagram for selective QinQ configuration Public Network VLAN1000 VLAN1200 PC User VLAN100 108 IP Phone User VLAN200 230 Eth1 0 3 Eth1 0 5 For PC User VLAN1...

Page 785: ...the MAC address table of the default VLAN and replicate the MAC address entries of the MAC address table of the default VLAN to the MAC address tables of the outer VLANs SwitchA Ethernet1 0 3 vid 1200...

Page 786: ...ged After the above configuration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the packets from...

Page 787: ...e ping Configuration 1 1 Introduction to remote ping 1 1 remote ping Configuration 1 1 Introduction to remote ping Configuration 1 1 Configuring remote ping 1 2 Displaying remote ping Configuration 1...

Page 788: ...lows setting the parameters of remote ping test groups and starting remote ping test operations through network management system Figure 1 1 Illustration for remote ping remote ping Configuration Intr...

Page 789: ...group remote ping administrator name operation tag Required By default no remote ping test group is configured Configure the destination IP address of the test destination ip ip address Required By de...

Page 790: ...strator icmp Sysname remote ping administrator icmp Specify the test type as ICMP Sysname remote ping administrator icmp test type icmp Specify the destination IP address as 1 1 1 99 Sysname remote pi...

Page 791: ...or icmp remote ping entry admin administrator tag icmp history record Index Response Status LasrRC Time 1 1 1 0 2004 11 25 16 28 55 0 2 1 1 0 2004 11 25 16 28 55 0 3 1 1 0 2004 11 25 16 28 55 0 4 1 1...

Page 792: ...ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 13 Displaying and Maintaining IPv6 1 14 IPv6 Configuration Example 1 15 IPv6 Unicast Address Co...

Page 793: ...igned by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from...

Page 794: ...ateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatica...

Page 795: ...esses zeros in IPv6 addresses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0...

Page 796: ...dress 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several forms of...

Page 797: ...etection Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1...

Page 798: ...e change Router solicitation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of auto...

Page 799: ...s of node A and returns an NA message containing the link layer address of node B in the unicast mode 4 Node A acquires the link layer address of node B from the NA message After that node A and node...

Page 800: ...Pv6 Unicast Address Allocation z RFC 1981 Path MTU Discovery for IP version 6 z RFC 2375 IPv6 Multicast Address Assignments z RFC 2460 Internet Protocol Version 6 IPv6 Specification z RFC 2461 Neighbo...

Page 801: ...are configured manually IPv6 link local addresses can be acquired in either of the following ways z Automatic generation The device automatically generates a link local address for an interface accor...

Page 802: ...ou first adopt the manual assignment and then the automatic generation the automatically generated link local address will not take effect and the link local address of an interface is still the manua...

Page 803: ...m view system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors max learning num num...

Page 804: ...rface To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the neighbor reachable timeout time ipv6 nd nud reachabl...

Page 805: ...in the bucket In addition you can set the update period of the token bucket namely the interval for updating the number of tokens in the token bucket to the configured capacity One token allows one I...

Page 806: ...ighbors all dynamic static interface interface type interface number vlan vlan id count Display information about the routing table display ipv6 route table verbose Display information related to a sp...

Page 807: ...2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchA Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface V...

Page 808: ...2 1 FF00 1 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for ad...

Page 809: ...6 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 5 hop limit 255 time 60 ms 2001 20F...

Page 810: ...is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the...

Page 811: ...s the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and und...

Page 812: ...lient application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client an...

Page 813: ...e to the switch respectively It is required that you telnet to the telnet server from SWA and download files from the TFTP server Network diagram Figure 2 3 Network diagram for IPv6 applications SWA S...

Page 814: ...route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms 10 ms 0 ms SWA downloads a file from TFTP server 3001 3 SWA tftp...

Page 815: ...ther the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port Unable to Run TFTP Sy...

Page 816: ...e Limitation of Minimum Password Length 1 5 Configuring History Password Recording 1 6 Configuring a User Login Password in Interactive Mode 1 7 Configuring Login Attempt Times Limitation and Failure...

Page 817: ...change it when logging into the device Password aging Alert before password expiration Users can set their respective alert time If a user logs into the system when the password is about to age out t...

Page 818: ...failure processing modes By default the switch adopts the first mode but you can actually specify the processing mode as needed Allow the user to log in again without any inhibition Telnet and SSH pa...

Page 819: ...ording the maximum number of history password records the alert time before password expiration the timeout time for password authentication the maximum number of attempts and the processing mode for...

Page 820: ...ther the user password ages out when a user logging into the system is undergoing the password authentication This has three cases 1 The password has not expired The user logs in before the configured...

Page 821: ...ssword does not meet the limitation it informs the user of this case and requires the user to input a new password Table 1 3 Configure the limitation of the minimum password length Operation Command D...

Page 822: ...for each user The purpose is to inhibit the users from using one single password or using an old password for a long time to enhance the security Table 1 4 Configure history password recording Operat...

Page 823: ...and _ The password must conform to the related configuration of password control when you set the local user password in interactive mode Table 1 6 Configure a user login password in interactive mode...

Page 824: ...ress the blacklist will not affect the user anymore when the user logs into the switch The system administrator can perform the following operations to manually remove one or all user entries in the b...

Page 825: ...ee categories and level 4 four categories When you set or modify a password the system will check if the password satisfies the component requirement If not an error message will occur Table 1 10 Conf...

Page 826: ...words the settings in local user view override those in system view unless the former are not provided z For super passwords the separate settings for super password override those in system view unle...

Page 827: ...word to 3 and the minimum number of characters in each composition type to 3 Sysname password control super composition type number 3 type length 3 Configure a super password Sysname super password le...

Page 828: ...agement Configuration 1 1 Access Management Overview 1 1 Configuring Access Management 1 2 Access Management Configuration Examples 1 3 Access Management Configuration Example 1 3 Combining Access Man...

Page 829: ...n Figure 1 1 Switch A is an access switch Switch B is a Layer 2 switch Figure 1 1 Typical Ethernet access networking scenario Switch A Switch B Eth1 0 1 PC1_1 PC1_2 PC1_n PC2 PC3 Internet Organization...

Page 830: ...e access management IP address pool of the port am ip pool address list Required By default no access management IP address pool is configured Display current configuration of access management displa...

Page 831: ...hat are not of Organization 1 PC 2 and PC 3 from accessing the external network through Ethernet 1 0 1 of Switch A Network diagram Figure 1 2 Network diagram for access management configuration Switch...

Page 832: ...k through Ethernet 1 0 2 of Switch A z Ethernet 1 0 1 and Ethernet 1 0 2 belong to VLAN 1 The IP address of VLAN interface 1 is 202 10 20 200 24 z PCs of Organization 1 are isolated from those of Orga...

Page 833: ...nterface Ethernet 1 0 1 Sysname Ethernet1 0 1 am ip pool 202 10 20 1 20 Add Ethernet 1 0 1 to the port isolation group Sysname Ethernet1 0 1 port isolate Sysname Ethernet1 0 1 quit Configure the acces...

Page 834: ...g Mode 1 5 Configuring LLDPDU TLVs 1 5 Enable LLDP Polling 1 6 Configuring the Parameters Concerning LLDPDU Sending 1 7 Configuring the Encapsulation Format for LLDPDUs 1 7 Configuring CDP Compatibili...

Page 835: ...perating mode LLDP can operate in one of the following modes z TxRx mode A port in this mode sends and receives LLDPDUs z Tx mode A port in this mode only sends LLDPDUs z Rx mode A port in this mode o...

Page 836: ...o 65535 seconds TTLs longer than it will be rounded off to 65535 seconds TLV Types TLVs encapsulated in LLDPDUs fall into these categories basic TLV organization defined TLV and MED media endpoint dis...

Page 837: ...ate of auto negotiation current speed and current duplex state z Power via MDI TLV which carries information about power supply capabilities z Link aggregation TLV which carries the capability and sta...

Page 838: ...ons For detailed information about LLDP TLV refer to IEEE 802 1AB 2005 and ANSI TIA 1057 Protocols and Standards z IEEE 802 1AB 2005 Station and Media Access Control Connectivity Discovery z ANSI TIA...

Page 839: ...ng mode To do Use the command Remarks Enter system view system view Set the initialization delay period lldp timer reinit delay value Optional 2 seconds by default Enter Ethernet interface view interf...

Page 840: ...t If the IP address of the VLAN interface is not configured IP address 127 0 0 1 is used as the management address z To enable MED related LLDP TLV sending you need to enable LLDP MED capabilities TLV...

Page 841: ...nal 2 seconds by default To enable local device information to be updated on neighboring devices before being aged out make sure the interval to send LLDPDUs is shorter than the TTL of the local devic...

Page 842: ...apsulation Configuring CDP Compatibility For detailed information about voice VLAN refer to Voice VLAN Operation in this manual You need to enable CDP compatibility for your device to work with Cisco...

Page 843: ...current port only By default CDP compatible LLDP operates in disable mode As the maximum TTL allowed by CDP is 255 seconds your TTL configuration that is the product of the TTL multiplier and the LLDP...

Page 844: ...ghbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in an...

Page 845: ...2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA GigabitEthernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB ll...

Page 846: ...umber of neighbors 1 Number of MED neighbors 0 Number of CDP neighbors 0 Number of sent optional TLV 0 Number of received unknown TLV 3 Tear down the link between Switch A and Switch B and then displa...

Page 847: ...e LLDP Configuration Example Network requirements z GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch A are each connected to a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP c...

Page 848: ...Ethernet1 0 1 lldp enable SwitchA GigabitEthernet1 0 1 lldp admin status txrx SwitchA GigabitEthernet1 0 1 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 1 quit SwitchA interface gig...

Reviews:

No comments

Related manuals for E4500-24

Neol ePowerSwitch 8M+R2 User Manual preview
ePowerSwitch 8M+R2
Brand: Neol Pages: 74
United Electric Controls 54 Series Assembly, Installation And Operation Instructions preview
54 Series
Brand: United Electric Controls Pages: 6
StarTech.com 8STSV211HDUA4K Quick Start Manual preview
8STSV211HDUA4K
Brand: StarTech.com Pages: 2
Edge-Core AS7726-32X Quick Start Manual preview
AS7726-32X
Brand: Edge-Core Pages: 9
ANTAIRA LMP-1204G-SFP Series Hardware Manual preview
LMP-1204G-SFP Series
Brand: ANTAIRA Pages: 20
Linksys ProConnect PS2KVM2 User Manual preview
ProConnect PS2KVM2
Brand: Linksys Pages: 17
Gembird UHB-U3P7P-01 User Manual preview
UHB-U3P7P-01
Brand: Gembird Pages: 2
Hamlet XUSB370MS User Manual preview
XUSB370MS
Brand: Hamlet Pages: 2
Cabletron Systems SEHI SEHI100TX- User Manual preview
SEHI SEHI100TX-
Brand: Cabletron Systems Pages: 75
Maiwe MISCOM7028GX Series User Manual preview
MISCOM7028GX Series
Brand: Maiwe Pages: 22
G&D ControlCenter-IP-XS Installation Manual preview
ControlCenter-IP-XS
Brand: G&D Pages: 56
WilTec SKD-1 Operation Manual preview
SKD-1
Brand: WilTec Pages: 7
W2IIHY 3 4 Operating Manual preview
3 4
Brand: W2IIHY Pages: 28
Extron electronics SVS 100 Instruction Manual preview
SVS 100
Brand: Extron electronics Pages: 6
APG FT-100 Series Operator'S Manual preview
FT-100 Series
Brand: APG Pages: 7
Madas CE-51AT1438 Manual preview
CE-51AT1438
Brand: Madas Pages: 24
Kinesis JSB User Manual preview
JSB
Brand: Kinesis Pages: 12
jbc P105 Instruction Manual preview
P105
Brand: jbc Pages: 4

Brands by name

Popular brands

Load more brands