manualshive.com logo in svg

3Com SuperStack 4, Configuration Manual

Share
Download
3Com SuperStack 4 Configuration Manual Download Page 359

SSH Terminal Services

371

The communication process between the server and client include these five 
stages: version negotiation stage, key negotiation stage, authentication stage, 
session request stage, interactive session stage. 

Version negotiation stage: The client sends TCP connection requirement to the 
server. When TCP connection is established, both ends begin to negotiate the 
SSH version. If they can work together in harmony, they enter the key 
algorithm negotiation stage. Otherwise the server clears the TCP connection. 

Key negotiation stage: Both ends negotiate key algorithm and compute session 
key. The server randomly generates its RSA key and sends the public key to the 
client. The client figures out session key based on the public key from the server 
and the random number generated locally. The client encrypts the random 
number with the public key from the server and sends the result back to the 
server. The server then decrypts the received data with the server private key to 
get the client random number. It then uses the same algorithm to work out the 
session key based on server public key and the returned random number. Then 
both ends get the same key without data transfer over the network, while the 
key is used at both ends for encryption and description. 

Authentication stage: The server authenticates the user at the client after 
obtaining a session key. The client sends its username to the server: If the 
username has been created and configured as no authentication, 
authentication stage is skipped for this user. Otherwise, the authentication 
process continues. SSH supports two authentication types: password 
authentication and RSA authentication. In the first type, the server compares 
the username and password received with those configured locally. The user is 
allowed to log on to the Switch if the usernames and passwords match exactly. 
RSA authentication works in this way: The RSA public key of the client user is 
configured at the server. The client first sends the member modules of its RSA 
public key to the server, which checks its validity. If it is valid, the server 
generates a random number, which is sent to the client after being encrypted 
with RSA public key. Both ends calculate authentication data based on the 
random number and session ID. The client sends the authentication data 
calculated back to the server, which compares it with its attention data 
obtained locally. If they match exactly, the user is allowed to access the Switch. 
Otherwise, authentication process fails.

Session request stage: The client sends session request messages to the server 
which processes the request messages. 

Interactive session stage: Both ends exchange data till the session ends. 

Session packets are encrypted in transfer and the session key is generated 
randomly. Encryption is used in exchanging session key and RSA authentication 
achieves key exchange without transfer over the network. SSH can protect 
server-client data security. The authentication will also start even if the 
username received is not configured at the server, so malicious intruders 
cannot judge whether a username they key in exists or not. This is also a way to 
protect a username. 

Configuring SSH Server

Basic configuration tasks refer to those required for successful connection from 
SSH client to SSH server, which advanced configuration tasks are those modifying 
SSH parameters. 

Configuration tasks on the SSH server include: 

Summary of Contents for SuperStack 4

Page 1: ...SuperStack 4 Switch 5500G EI Family Configuration Guide http www 3com com Part number DUA1725 0BAA02 Published August 2005 ...

Page 2: ...m or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com and the 3Com logo are registered trademarks of 3Com Corporation Cisco is a registered trademark of Cisco Systems Inc Funk RADIUS is a registered trademark of Funk So...

Page 3: ...nfiguration Details how to configure PoE Network Protocol Operation Details how to configure network protocols IP Routing Protocol Operation Details how to configure routing protocols Multicast Protocol Details how to configure multicast protocols ACL Configuration Details how to configure QoS ACL XRN Fabric Details how to configure an XRN fabric RSTP Configuration Details how to configure RSTP 80...

Page 4: ...tes the variable part of a command text You must type a value here and press Return or Enter when you are ready to enter the command Example in the command super level a value in the range 0 to 3 must be entered in the position indicated by level x y Alternative items one of which must be entered are grouped in braces and separated by vertical bars You must select and enter one of the items Exampl...

Page 5: ...s The 3Com SuperStack 4 Switch 5500G EI Getting Started Guide provides information about installation The 3Com SuperStack 4 Switch 5500G EI Command Reference Guide provides all the information you need to use the configuration commands ...

Page 6: ...18 ABOUT THIS GUIDE ...

Page 7: ...t 10 Gbps XENPAK Module The front panel has 24 x 10 100 1000Base T auto negotiation ethernet ports with RJ 45 connectors and 4 SFP combo ports Each combo port corresponds to an ethernet port so there are 4 port pairs Only 1 port in a pair can be used at the same time For details of the relationship between combo and ethernet ports please refer to Table 3 Switch 5500G EI 24 Port PWR the Switch has ...

Page 8: ...o fixed fabric ports and one expansion module slot that is compatible with the following modules 8 Port 1000 Mbps SFP Module 1 Port 10 Gbps XENPAK Module The front panel has 24 x 1000Base X SFP ports and 4 10 100 1000Base T auto negotiation ethernet ports with RJ 45 connectors Table 3 Combo Ports The Switch 5500G EI 24 Port PWR and Switch 5500G EI 48 Port PWR are capable of supplying 48 VDC power ...

Page 9: ...M Users can treat the Fabric as a single device They can manage the Fabric through any port or IP address connected into the Fabric and from any unit in the fabric DRR The multiple units of a Fabric route and forward packets as a single unit and provide uniform VLAN interfaces routing table and L3 forwarding table so the Fabric is regarded as a single Layer 3 switch Failure of one of the units wil...

Page 10: ...mpliant with IEEE 802 1D IEEE802 1w Standard Flow control IEEE 802 3 flow control full duplex Back pressure based flow control half duplex Broadcast Suppression Broadcast Suppression Multicast Internet Group Management Protocol IGMP Snooping Internet Group Management Protocol IGMP Protocol Independent Multicast Dense Mode PIM DM Protocol Independent Multicast Sparse Mode PIM SM IP routing Static r...

Page 11: ...agement manner Management and Maintenance Command line interface configuration Configuration through console port Remote configuration through Telnet or SSH Configuration through dialing the Modem SNMP System log Level alarms Output of debugging information Ping and Tracert Remote maintenance with Telnet Modem and SSH Loading and updates Loading and upgrading of software through the XModem protoco...

Page 12: ...port of the Switch with the console cable see Figure 2 Figure 2 Setting up the Local Configuration Environment through the Console Port 2 Run terminal emulator such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X on the PC Set the terminal communication parameters as follows Baud rate 9600 Databit 8 Parity check none Stopbit 1 Flow control none Terminal type VT100 Console port RS 232...

Page 13: ...Logging in to the Switch 25 Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection ...

Page 14: ...port using the ip address command in VLAN Interface View and added the port that connects to a terminal to this VLAN using the port command in VLAN View you can Telnet this Switch and configure it 1 Authenticate the Telnet user through the console port before the user logs in by Telnet By default the password is required for authenticating the Telnet user to log in to the Switch If a user logs in ...

Page 15: ...lnet do not modify the IP address of the Switch unnecessarily for the modification might end the Telnet connection By default when a Telnet user passes the password authentication to log on to the Switch the access level for commands will be Level 0 Telneting a Switch through another Switch After a user has logged into a Switch it is possible to configure another Switch through the Switch through ...

Page 16: ... the Telnet Server If it is the hostname use the ip host command to specify 4 Enter the preset login password and you will see the prompt such SW5500 If the prompt All user interfaces are used please try later appears it indicates that too many users are connected to the Switch through Telnet In this case connect later 5 Use the corresponding commands to configure the Switch or view it running sta...

Page 17: ...er AT V to verify the Modem settings The Modem configuration commands and outputs may be different according to different Modems For details refer to the User Manual of the Modem 3Com recommends that the transmission rate on the console port must lower than that of Modem otherwise packets may be lost 3 To set up the remote configuration environment connect the Modems to a PC or a terminal serial p...

Page 18: ... Enter the preset login password on the remote terminal emulator and wait for the prompt SW5500 Then you can configure and manage the Switch Enter to view online help For details of specific commands refer to the following chapters By default after login a modem user can access the commands at Level 0 ...

Page 19: ...View The Switch 5500G EI Family provides hierarchy protection for command lines to avoid unauthorized users accessing it illegally Commands are classified into four levels namely visit level monitoring level system level and management level Visit level Commands in this level include network diagnosis tools such as ping and tracert commands for the different language environments of the user inter...

Page 20: ...hen correct password is input three times can the user switch to the higher level Otherwise the original user level will remain unchanged Different command views are implemented according to different requirements They are related to one another For example after logging in to the Switch you will enter User View in which you can only use some basic functions such as displaying the running state an...

Page 21: ...iew VLAN Interface View Configure IP interface parameters for a VLAN or a VLAN aggregation SW5500 Vlan interface1 Enter interface vlan interface 1 in System View quit returns to System View return returns to User View Local User View Configure local user parameters SW5500 luser user1 Enter local user user1 in System View quit returns to System View return returns to User View User Interface View C...

Page 22: ...SW5500 acl adv 3000 Enter acl number 3000 in System View quit returns to System View return returns to User View Layer 2 ACL View Define the rule of layer 2 ACL SW5500 acl ethernetframe 40 00 Enter acl number 4000 in System View quit returns to System View return returns to User View User defined ACL View Define the rule of user defined ACL SW5500 acl user 5000 Enter acl number 5000 in System View...

Page 23: ...nitials in the command will be listed SW5500 display ver version 5 Enter the first letters of a keyword of a command and press Tab If no other keywords begin with these letters then this unique keyword will be displayed automatically 6 To switch to the Chinese display for the above information perform the language mode command Displaying Characteristics of the Command Line The command line interfa...

Page 24: ...history command display history command Display history command by user inputting Retrieve the previous history command Up cursor key or Ctrl P Retrieve the previous history command if there is any Retrieve the next history command Down cursor key or Ctrl N Retrieve the next history command if there is any Table 8 Common Command Line Error Messages Error messages Causes Unrecognized command Cannot...

Page 25: ...t are the same port There is only the one type of AUX user interface The user interface is numbered by absolute number or relative number To number the user interface by absolute number The AUX user interface is the first interface user interface 0 The number ranges from 0 to 7 The VTY is numbered after the AUX user interface The absolute number of the first VTY is the AUX user interface number pl...

Page 26: ...e only View By default the user interface supports Telnet and SSH protocols If the Telnet protocol is specified to ensure a successful login through Telnet you must configure the password by default If SSH protocol is specified to ensure a successful login you must configure the local or remote authentication of username and password using the authentication mode scheme command The protocol inboun...

Page 27: ...mmand Configure the transmission speed on the AUX console port speed speed_value Restore the default transmission speed on the AUX console port undo speed Table 13 Configuring the Flow Control on the AUX Console Port Operation Command Configure the flow control on the AUX console port flow control hardware none software Restore the default flow control mode on the AUX console port undo flow contro...

Page 28: ...Note the following points For security the undo shell command can only be used on the user interfaces other than AUX user interface You cannot use this command on the user interface through which you log in You will be asked to confirm before using undo shell on any legal user interface Configuring Idle timeout By default idle timeout is enabled and set to 10 minutes on all the user interfaces Tha...

Page 29: ...tication method to deny the access of an unauthorized user Perform the following configuration in User Interface View By default terminal authentication is not required for users logged in through the console port whereas the password is required for authenticating the Modem and Telnet users when they log in 1 Perform local password authentication to the user interface Using authentication mode pa...

Page 30: ... local user zbr SW5500 luser zbr password simple 3Com SW5500 luser zbr service type telnet 3 No authentication SW5500 ui vty0 authentication mode none By default the password is required for authenticating Modem and Telnet users when they log in If the password has not been set when a user logs in he will see the prompt Login password has not been set If the authentication mode none command is use...

Page 31: ...nds of level 3 and lower Setting the command priority The following command is used for setting the priority of a specified command in a certain view The command levels include visit monitoring system and management which are identified with 0 through 3 respectively An administrator assigns authorities as per user requirements Perform the following configuration in System View Do not change the co...

Page 32: ...on before you use the auto execute command command and save the configuration Telnet 10 110 100 1 after the user logs in through VTY0 automatically SW5500 ui vty0 auto execute command telnet 10 110 100 1 When a user logs on through VTY 0 the system will run telnet 10 110 100 1 automatically Displaying and Debugging User Interface After the above configuration use the display command in any view to...

Page 33: ...ication information of the user interface display users all Display the physical attributes and some configurations of the user interface display user interface type number number summary Table 29 Displaying and Debugging User Interface Operation Command ...

Page 34: ...46 CHAPTER 1 GETTING STARTED ...

Page 35: ...slot The expansion slot can accomodate the 8 port SFP module 1 port 10G module or 2 port 10G module The following features are found in the Ethernet ports of the Switch 5500G EI 10 100 1000BASE T Ethernet ports support MDI MDI X auto sensing They can operate in 1000Mbps full duplex 100Mbps half duplex full duplex and 10Mbps half duplex full duplex Gigabit SFP ports operate in 1000Mbps full duplex ...

Page 36: ...Port Use the following command to disable or enable the port After configuring the related parameters and protocol of the port you can use the following command to enable the port If you do not want a port to forward data use the command to disable it Perform the following configuration in Ethernet Port View By default the port is enabled Setting the Description Character String for the Ethernet P...

Page 37: ... the Ethernet Port Use the following command to set the speed of the Ethernet port If the speed is set to auto negotiation mode the local and peer ports will automatically negotiate the port speed Perform the following configuration in Ethernet Port View Note that the 10 100 1000BASE T ports excluding the combo ports can operate at 10Mbps 100Mbps or 1000Mbps as per different requirements However i...

Page 38: ...files This command can forbid or permit jumbo frames to pass through an Ethernet port Perform the following configuration in Ethernet Port View By default jumbo frames with lengths between 1518 bytes and 9216 bytes inclusive are permitted to pass through an Ethernet port Setting the Ethernet Port Suppression Ratio Use the following commands to restrict broadcast multicast unicast traffic Once traf...

Page 39: ...figure three types of ports concurrently on the same Switch but you cannot switch port type between trunk port and hybrid port You must return it first into access port and then set it as the other type For example you cannot configure a trunk port directly as a hybrid port but first set it as an access port and then as a hybrid port Table 38 Setting the Ethernet Port Suppression Ratio Operation C...

Page 40: ...ID has been configured the packets without VLAN Tag will be forwarded to the port that belongs to the default VLAN When sending the packets with VLAN Tag if the VLAN ID of the packet is identical to the default VLAN ID of the port the system will remove VLAN Tag before sending this packet Perform the following configuration in Ethernet Port View Table 40 Adding the Ethernet Port to Specified VLANs...

Page 41: ...bling link attribute point to point or not STP priority path cost max transmission speed loop protection root protection edge port or not The QoS setting includes traffic limiting priority marking default 802 1p priority bandwidth assurance congestion avoidance traffic redirection traffic statistics The VLAN setting includes permitted VLAN types and default VLAN ID The port setting includes port l...

Page 42: ...t Some ports do not support the loopback test If performing this command in these ports you will see the system prompt After 802 1X is enabled the port information cannot be reset Ethernet Port Configuration Example Networking Requirements Switch A is connected to Switch B through Trunk port Ethernet1 0 1 Configure the trunk port with a default VLAN ID so that Table 43 Copying Port Configuration t...

Page 43: ...rmit vlan 2 6 to 50 100 3 Create the VLAN 100 SW5500 vlan 100 4 Configure the default VLAN ID of Ethernet1 0 1 as 100 SW5500 Ethernet1 0 1 port trunk pvid vlan 100 Ethernet Port Troubleshooting Fault Default VLAN ID configuration failed Troubleshooting Take the following steps 1 Use the display interface or display port command to check if the port is a trunk port or a hybrid port If it is neither...

Page 44: ...egated so that the two parties can agree on adding deleting which port into from a certain dynamic aggregation group The operation key is a configuration set generated by LACP based on port setting speed duplex mode basic configuration and management key When LACP is enabled the management key of a dynamic aggregation port is 0 by default but the management key of a static aggregation port consist...

Page 45: ...eed half duplex high speed half duplex low speed The system sets to inactive state the ports which connect to different peer devices from one that the active port with minimum port number connects to or the ports in different aggregation groups though they are connected to the same peer device The system sets to inactive state the ports which cannot aggregate with the active port with minimum port...

Page 46: ... priority then the selected or unselected state is determined by the port priority of the system You can decide whether the port is selected or unselected by setting system priority and port priority Load Sharing In terms of load balancing link aggregation may be load balancing aggregation and non load balancing aggregation In general the system only provides limited load balancing aggregation res...

Page 47: ...guration in Ethernet Port View By default LACP is disabled at the port Note that You cannot enable LACP at a stack port mirrored port port with a static MAC address configured port with static ARP configured port with 802 1x enabled port in a manual aggregation group You can add a port with LACP enabled into a manual aggregation group but then the LACP will be disabled on it automatically Or you c...

Page 48: ...nge a dynamic or static LACP aggregation group to a manual one or a dynamic LACP aggregation group to a static one In the former case LACP shall be disabled at the member ports automatically while in the latter case LACP shall remain enabled Adding Deleting an Ethernet Port into from an Aggregation Group You can add delete ports into from a manual or static LACP aggregation group but member port a...

Page 49: ...system ID is given priority Changing system priority may affect the priority levels of member ports and further their selected or unselected state Perform the following configuration in System View By default system priority is 32768 Configuring Port Priority The LACP compares system IDs first and then port IDs if system IDs are the same in determining if the member ports are selected or unselecte...

Page 50: ...mmand Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group display link aggregation verbose agg_id Display local system ID display lacp system id Display detailed link aggregation information at the port display link aggregation interface interface_type interface_number interface_name to interface_type i...

Page 51: ...ACP aggregation a Create static LACP aggregation group 1 SW5500 link aggregation group 1 mode static b Add Ethernet ports GigabitEthernet1 0 1 to GigabitEthernet1 0 3 into aggregation group 1 SW5500 interface gigabitethernet1 0 1 SW5500 GigabitEthernet1 0 1 port link aggregation group 1 SW5500 GigabitEthernet1 0 1 interface gigabitethernet1 0 2 SW5500 GigabitEthernet1 0 2 port link aggregation gro...

Page 52: ...PORT OPERATION Only when the three ports are configured with identical basic configuration rate and duplex mode can they be added into a same dynamic aggregation group after LACP is enabled on them for load sharing ...

Page 53: ... VLANs Therefore VLAN configurations are very helpful in controlling network traffic saving device investment simplifying network management and improving security VLAN Configuartion VLAN configuration is described in the following sections Creating Deleting a VLAN Adding Ethernet Ports to a VLAN Setting Deleting a VLAN or VLAN Interface Description Character String Specifying Removing the VLAN In...

Page 54: ...name e g Vlan interface1 Interface Specifying Removing the VLAN Interface Use the following command to specify remove the VLAN interface To implement the network layer function on a VLAN interface the VLAN interface must be configured with an IP address and a subnet mask Perform the following configurations in System View Delete the specified VLAN undo vlan vlan_id to vlan_id all Table 53 Adding E...

Page 55: ...bled Displaying and Debugging VLAN After the above configuration enter the display command in any view to display the running of the VLAN configuration and to verify the effect of the configuration VLAN Configuration Example One Networking Requirements Create VLAN2 and VLAN3 Add GigabitEthernet1 0 1 and GigabitEthernet1 0 2 to VLAN2 and add GigabitEthernet1 0 3 and GigabitEthernet1 0 4 to VLAN3 Re...

Page 56: ...ration Example Two Networking Requirements Configure an IP address on a VLAN interface Networking Diagram Figure 15 VLAN Configuration Example 2 Configuration Procedure 1 If the VLAN does not currently exist then create it This example uses VLAN ID 3 SW5500 vlan 3 SW5500 vlan3 quit 2 Enter the VLAN interface view SW5500 interface vlan interface 3 3 Provide the IP address and subnet mask SW5500 Vla...

Page 57: ...uration of Voice VLAN is described in the following sections Enabling Disabling Voice VLAN Features Enabling Disabling Voice VLAN Features on a Port Voice VLAN Mode Type of IP Phone Port Mode Auto mode Tagged IP Phone Access Not supported Trunk Supported but the default VLAN of the connected port must exist and cannot be the voice VLAN The default VLAN is allowed to pass the connected port Hybrid ...

Page 58: ...LAN function on the port run normally Setting Removing the OUI Address Learned by Voice VLAN Configure OUI addresses which can be learned by Voice VLAN using the following command otherwise the system uses the default OUI addresses as the standard of IP Phone traffic The OUI address system can learn 16 MAC addresses at most Perform the following configuration in System View Table 59 Configuring Vo...

Page 59: ... By default Voice VLAN auto mode is enabled Setting the Aging Time of Voice VLAN In auto mode using the follow command you can set the aging time of Voice VLAN After the OUI address the MAC address of IP Phone is aged on the port this port enters the aging phase of Voice VLAN If OUI address is not learned by a port within the aging time the port is automatically deleted from Voice VLAN This comman...

Page 60: ...GigabitEthernet1 0 2 as the IP Phone access port The type of IP Phone is untagged Network Diagram Figure 16 Voice VLAN Configuration Configuration Steps SW5500 vlan 2 SW5500 vlan2 port gigabitethernet1 0 2 SW5500 vlan2 interface gigabitethernet1 0 2 SW5500 GigabitEthernet1 0 2 voice vlan enable Table 65 Configuring the Aging Time of Voice VLAN Operation command Set the aging time of Voice VLAN voi...

Page 61: ...guration 73 SW5500 GigabitEthernet1 0 2 quit SW5500 undo voice vlan mode auto SW5500 voice vlan mac_address 0011 2200 0000 mask ffff ff00 0000 description private SW5500 voice vlan 2 enable SW5500 voice vlan aging 100 ...

Page 62: ...74 CHAPTER 3 VLAN OPERATION ...

Page 63: ... 100 m 328 feet z Each Ethernet port can supply at most 15400 mW of power to a PD z When AC power input is adopted for the switch the maximum total power that can be provided by the PWR switches is 300 W These switches can determine whether to supply power to the next remote PD it detected depending on the total power z When DC power input is adopted for the switch the PWR switches are capable of ...

Page 64: ... the following command to enable disable the PoE feature on a port in accordance with the network requirement Perform the following configuration in Ethernet Port View Table 68 Enabling disabling PoE feature on a port By default the PoE feature of each port is enabled Table 67 PoE Configuration Device Configuration Default Description Switch 5500G EI 24 Port PWR Switch 5500G EI 48 Port PWR Enablin...

Page 65: ...he switch is reaching its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs that are connected to the ports with high priority For example Port A has the priority of critical When the switch is reaching its full load and a new PD is now added to port A the switch will power down the PD connecte...

Page 66: ...t with the 802 3af standard and then supply power to them You can use the following commands to enable disable the PD compatibility detect function Perform the following configuration in System View Table 73 Enabling Disabling the PD Compatibility Detect By default the PD compatibility detect function is disabled Operation Command Set the power supply management mode on the Switch to auto poe powe...

Page 67: ...ature on the switch and verify the effect of the configuration Table 75 PoE Information Display Refer to the Command Reference Manual for furhter details on parameters Configuration Example Networking Requirements The GigabitEthernet1 0 1 and GigabitEthernet1 0 2 ports of the Switch 5500 PWR are connected with a PD and an access point AP respectively The GigabitEthernet1 0 24 port is intended to b...

Page 68: ...e SW5500 GigabitEthernet1 0 2 poe enable SW5500 GigabitEthernet1 0 24 poe enable Set the maximum power output of GigabitEthernet1 0 1 and GigabitEthernet1 0 2 to 12000 and 3000 mW respectively SW5500 GigabitEthernet1 0 1 poe max power 12000 SW5500 GigabitEthernet1 0 2 poe max power 3000 Set the priority of GigabitEthernet1 0 24 to critical to guarantee the power feeding to the AP to which this por...

Page 69: ...PoE Configuration 81 ...

Page 70: ...82 CHAPTER 4 POWER OVER ETHERNET POE CONFIGURATION ...

Page 71: ... devices which access the Internet It consists of two fields net id field and host id field There are five types of IP address See Figure 18 Figure 18 Five Classes of IP Address Class A Class B and Class C are unicast addresses while Class D addresses are multicast addresses and Class E addresses are reserved for special applications The first three types are commonly used 0 1 2 3 4 5 6 7 8 9 10 1...

Page 72: ...t is not put into use after starting up The IP address with network number as 0 indicates the current network and its network can be cited by the router without knowing its network number Network ID with the format of 127 X Y Z is reserved for self loop test and the packets sent to this address will not be output to the line The packets are processed internally and regarded as input packets B 128 ...

Page 73: ...rface in one of three ways Using the IP address configuration command Allocated by BOOTP server Allocated by DHCP server These three methods are mutually exclusive and a new configuration will replace the current IP address For example if you apply for an IP address using the ip address bootp alloc command the address allocated by BOOTP shall replace the currently configured IP address This sectio...

Page 74: ...e IP address of a VLAN interface is null Note that the VLAN interface cannot be configured with the secondary IP address if its IP address is set to be allocated by BOOTP or DHCP Displaying and Debugging IP Address After the above configuration enter the display command in any view to display the IP addresses configured on interfaces of the network device and to verify the effect of the configurat...

Page 75: ... and the host are on the same network segment If the configuration is correct enable ARP debugging on the Switch and check whether the Switch can correctly send and receive ARP packets If it can only send but cannot receive ARP packets there are possibly errors occurring on the Ethernet physical layer ARP Configuration Introduction to ARP Necessity of ARP An IP address cannot be directly used for ...

Page 76: ...st A The reply packet will be directly sent to Host A in stead of being broadcast Receiving the reply packet Host A will extract the IP address and the corresponding MAC address of Host B and add them to its own ARP mapping table Then Host A will send Host B all the packets standing in the queue Normally dynamic ARP automatically executes and searches for the resolution from the IP address to the ...

Page 77: ...the aging time of the dynamic ARP aging timer is 20 minutes Configuring the Creation of ARP Entries for Multicast Packets Use the following command to specify whether the Switch should create ARP table entries for multicast MAC addresses Address resolution for multicast packets is not required because the IANA Internet Assigned Numbers Authority have reserved a block of Ethernet addresses that map...

Page 78: ...Layer 2 devices A resilient ARP state machine may be in one of six states Initialize LisentForL3Master L3Master L3Slave L2Master and L2Slave An L3Master state machine regularly sends resilient ARP messages to notify other XRN fabrics that its home fabric is in Layer 3 state The resilient ARP mechanism can implement state transition by sending receiving resilient ARP messages regularly so as to det...

Page 79: ...nt The system provides a default VLAN interface to send resilient ARP packets Perform the following configuration in System View By default the system sends resilient ARP packets through VLAN interface 1 Note that you only specify resilient ARP packet sending VLAN interfaces and any VLAN interface can receive resilient ARP packets Displaying and Debugging Resilient ARP Configuration After the abov...

Page 80: ...5 authentication is enabled for the sake of security The ports of Unit 1 and Unit 3 connecting the Switch belong to VLAN 2 Networking Diagram Figure 21 Networking for Resilient ARP Configuration Configuration Procedure 1 Enable resilient ARP function SW5500 resilient arp enable 2 Set VLAN interface 2 to send resilient ARP packets SW5500 resilient arp interface vlan interface 2 Table 86 Displaying ...

Page 81: ...sion occurs every five seconds and the maximum number of retransmissions is three that is the message shall not be retransmitted after the third time BOOTP Client Configuration BOOTP client is described in the following section Configuring a VLAN Interface to Obtain the IP Address Using BOOTP Perform the following configuration in VLAN Interface View By default the VLAN interface cannot use BOOTP ...

Page 82: ...HCP client logs into the network for the first time When a DHCP client logs into the network for the first time its communication with the DHCP server includes these four stages Discovery stage the stage when the DHCP client looks for the DHCP server The client broadcasts the DHCP_Discover message and only the DHCP server can respond Offer stage the stage when the DHCP server allocates the IP addr...

Page 83: ...s IP lease period There is a time limit for the IP addresses leased to DHCP clients The DHCP server shall withdraw the IP addresses when their lease period expires If the DHCP client wants to continue use of the old IP address it has to extend the IP lease In practice the DHCP client by default shall originate the DHCP_Request message to the DHCP server right in the middle of the IP lease period t...

Page 84: ...P relay In fact several such interactions may be needed to complete a DHCP relay configuration DHCP Client Configuration DHCP client configuration is described in the following section Configuring a VLAN Interface to Obtain an IP Address Using DHCP Perform the following configuration in VLAN Interface View By default the VLAN interface does not obtain an IP address using DHCP If you are attempting...

Page 85: ...hich are in the same DHCP server group in the same network segment to ensure reliability Perform the following configuration in System View By default no IP address is configured for the DHCP server Note that you must configure an IP address for the backup DHCP server together with that of the master server Configuring the DHCP Server Group for the VLAN Interfaces Perform the following configurati...

Page 86: ...isplay command in any view to display the running of the DHCP configuration and to verify the effect of the configuration Enter the debugging command in User View to debug DHCP configuration Table 92 Configuring the User Address Entry for the DHCP Server Group Operation Command Configure user address entry for DHCP server group dhcp security static ip_address mac_address Delete the user address en...

Page 87: ...5500 interface vlan interface 10 SW5500 Vlan interface10 dhcp server 0 SW5500 Vlan interface10 quit DHCP Relay Configuration Example Two Networking Requirements The segment address for the DHCP Client is 10 110 0 0 which is connected to a port in VLAN2 on the Switch The IP address of the DHCP Server is 202 38 1 2 The DHCP packets should be forwarded via the Switch with DHCP Relay enabled A DHCP Cl...

Page 88: ...n configured 2 Use the display vlan and display ip interface vlan interface commands to check if the VLAN and the corresponding interface IP address have been configured 3 Ping the configured DHCP Server to ensure that the link is connected 4 Ping the IP address of the VLAN interface of the Switch to which the DHCP user is connected from the DHCP Server to make sure that the DHCP Server can correc...

Page 89: ...nabling Disabling Access Management Trap Enabling Disabling Access Management You can use the following command to enable the access management function Only after the access management function is enabled will the access management features IP and port binding and Layer 2 port isolation take effect Perform the following configuration in System View By default the system disables the access manage...

Page 90: ...within an aggregation group Note the following When a port in an aggregation group is added to or removed from an isolation group then all the other ports of this aggregation group on the same unit are automatically added in or removed from this isolation group In the same aggregation group the port isolation feature on one unit is consistent If a port is removed from an aggregation group its port...

Page 91: ... 2 Organization 1 and organization 2 cannot communicate with each other Networking Diagram Figure 26 Networking Diagram for Port Isolation Configuration Configuration Procedure 1 Enable access management globally SW5500 am enable 2 Configure the IP address pool for access management on port 1 SW5500 interface gigabitethernet1 0 1 SW5500 GigabitEthernet1 0 1 am ip pool 202 10 20 1 20 3 Add port 1 i...

Page 92: ...ature enter SW5500 system view SW5500 acl number 2500 SW5500 acl basic 2500 undo rule 0 UDP Helper Configuration Overview of UDP Helper The major function of the UDP Helper is to relay forward UDP broadcast packets that is it can convert UDP broadcast packets into unicast packets and send them to the designated server as a relay When UDP Helper starts the Switch can judge whether to forward the UD...

Page 93: ...g configuration in System View By default the UDP Helper function is disabled Configuring UDP Port with Replay Function When the UDP relay function is enabled by default the system forwards the broadcast packets on the UDP ports listed in Table 101 You can configure up to 256 UDP ports with the relay function Perform the following configuration in System View Table 100 Enabling Disabling UDP Helpe...

Page 94: ...unicasted to the destination server Perform the following configuration in VLAN Interface View Note that The undo udp helper server command without any parameter deletes all desitnation servers configured on the interface By default no relay destination server for UDP broadcast packets is configured Displaying and Debugging UDP Helper Configuration After the above configuration enter the display c...

Page 95: ...r 202 38 1 2 IP Performance Configuration IP Performance Configuration IP performance is described in the following section Configuring TCP Attributes TCP attributes that can be configured include synwait timer When sending the syn packets TCP starts the synwait timer If response packets are not received before synwait timeout the TCP connection will be terminated The timeout of synwait timer rang...

Page 96: ...gging IP Performance Operation Command Display TCP connection state display tcp status Display TCP connection statistics data display tcp statistics Display UDP statistics information display udp statistics Display IP statistics information display ip statistics Display ICMP statistics information display icmp statistics Display socket interface information of current system display ip socket sock...

Page 97: ...packet The following are the UDP packet formats UDP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets Operations include SW5500 terminal debugging SW5500 debugging tcp packet Then the TCP packets received or sent can be checked in real time...

Page 98: ...110 CHAPTER 5 NETWORK PROTOCOL OPERATION ...

Page 99: ...egments Therefore when a node is connected to another node across a network there is a hop between these two nodes and these two nodes are considered adjacent in the Internet Adjacent routers are two routers connected to the same network The number of route segments between a router and hosts in the same network is zero A router can be connected to any physical link that constitutes a route segmen...

Page 100: ... the mask Combined with the destination address the network mask identifies the network address of the destination host or router With the destination address and the network mask you have the address of the network segment where the destination host or router is located For example if the destination address is 129 102 8 10 the address of the network where the host or the router with the mask 255...

Page 101: ...rence and when there are multiple routing information sources the route with the highest preference becomes the current route Routing protocols and the default preferences of the routes that they learn are shown in Table 107 The smaller the value the higher the preference Forwarding Port router passed 10 0 0 0 Directly 11 0 0 0 12 0 0 0 11 0 0 2 13 0 0 0 3 14 0 0 0 13 0 0 2 3 15 0 0 0 10 0 0 2 2 1...

Page 102: ...l automatically switch to a backup route to improve the network reliability To achieve route backup the user can configure multiple routes to the same destination according to actual situation One of the routes has the highest precedence and is called the main route The other routes have descending precedences and are called backup routes Normally the router sends data via the main route When the ...

Page 103: ...s destination are discarded and the originating host is not informed The attributes reject and blackhole are usually used to control the range of reachable destinations for the router and to help troubleshoot the network Default Route The default route is also a static route The default route is used only when no suitable routing table entry is found In a routing table the default route is in the ...

Page 104: ... transmits a packet it first searches the matching route in the routing table depending on the destination address of the packet Only when the next hop address of the route is specified can the link layer find the corresponding link layer address and then forward the packet The packets sent to the NULL interface which is a virtual interface are discarded at once This can decrease system load You c...

Page 105: ...tic 0 0 0 0 0 0 0 0 0 interface_type interface_number gateway_address preference value reject blackhole Table 110 Deleting all static routes Operation Command Delete all static routes delete static routes all Table 111 Displaying and debugging the routing table Operation Command View routing table summary display ip routing table View routing table details display ip routing table verbose View the...

Page 106: ... 255 255 255 0 1 1 3 1 3 Configure the static route for Ethernet Switch C Switch C ip route static 1 1 1 0 255 255 255 0 1 1 2 1 Switch C ip route static 1 1 4 0 255 255 255 0 1 1 3 2 4 Configure the default gateway of the Host A to be 1 1 5 2 5 Configure the default gateway of the Host B to be 1 1 4 1 6 Configure the default gateway of the Host C to be 1 1 1 2 Using this procedure all the hosts o...

Page 107: ...he reachable destinations in the network These routing entries contain the following information Destination address The IP address of a host or network Next hop address The address of the next router that an IP packet will pass through for reaching the destination Output interface The interface through which the IP packet should be forwarded Cost The cost for the router to reach the destination w...

Page 108: ...has been enabled After RIP is disabled the interface related features also become invalid The RIP configuration tasks are described in the following sections Enabling RIP and Entering the RIP View Enabling RIP on a Specified Network Configuring Unicast RIP Messages Specifying the RIP Version Configuring RIP Timers Configuring RIP 1 Zero Field Check of the Interface Packet Specifying the Operating ...

Page 109: ...s a broadcast protocol To exchange routing information with a non broadcast network unicast transmission mode must be used Perform the following configuration in the RIP View By default RIP does not send messages to unicast addresses 3Com does not recommend the use of this command because the destination address does not need to receive two copies of the same message at the same time Note that pee...

Page 110: ... updated by the update packets from the neighbors the route will be deleted completely from the routing table Modification of these timers can affect the convergence speed of RIP Perform the following configuration in RIP View The modification of RIP timers is validated immediately By default the values of the period update and timeout timers are 30 seconds and 180 seconds respectively The value o...

Page 111: ... In addition you can specify whether an interface sends or receives RIP update packets Perform the following configuration in Interface View The undo rip work command and the undo network command have similar but not the same functions The undo rip work command allows other interfaces to forward the route of the interface applying this command The undo network command prevents other interfaces fro...

Page 112: ...P 2 supports subnet mask and classless inter domain routing To advertise all the subnet routes the route aggregation function of RIP 2 can be disabled Perform the following configurations in RIP View By default RIP 2 uses the route aggregation function Setting RIP 2 Packet Authentication RIP 1 does not support packet authentication However you can configure packet authentication on RIP 2 interface...

Page 113: ...s not import the route information of other protocols Configuring the Default Cost for the Imported Route When you use the import route command to import the routes of other protocols you can specify their cost If you do not specify the cost of the imported Table 121 Setting RIP 2 Packet Authentication Operation Command Configure RIP 2 simple authentication key rip authentication mode simple passw...

Page 114: ...te when RIP sends the packet is 1 The additional routing metric when RIP receives the packet is 0 The metricout configuration takes effect only on the RIP routes learnt by the router and RIP routes generated by the router itself which means that it has no effect on the routes imported to RIP by other routing protocols Table 124 Configuring the Default Cost for the Imported Route Operation Command ...

Page 115: ...be filtered Configuring Traffic Sharing Across RIP Interfaces Equivalent routes indicates that there is one destination address and multiple next hop routes in the routing table If RIP traffic sharing among the interfaces is Table 127 Configuring RIP to Filter the Received Routes Operation Command Filter the received routing information distributed by the specified address filter policy gateway ip...

Page 116: ...via Ethernet 110 11 2 0 Correctly configure RIP to ensure that Switch C Switch A and Switch B can interconnect Configuration Item Command Description Enter System view system view Enter RIP view rip Enter RIP traffic sharing among interfaces traffic share across interface Required by default RIP traffic sharing among interfaces is disabled Table 130 Displaying and Debugging RIP Operation Command D...

Page 117: ... The Switch 5500G EI cannot receive the update packets when the physical connection to the peer routing device is normal RIP does not operate on the corresponding interface for example the undo rip work command is executed or this interface is not enabled through the network command The peer routing device is configured to be in the multicast mode for example the rip version 2 multicast command is...

Page 118: ...ulticast transmission Uses multicast address to receive and send packets Calculating OSPF Routes The OSPF protocol calculates routes as follows Each OSPF capable router maintains a Link State Database LSDB which describes the topology of the entire AS Depending on the surrounding network topology each router generates a Link State Advertisement LSA The routers on the network transmit the LSAs amon...

Page 119: ...epts Related to OSPF Router ID To run OSPF a router must have a router ID If no ID is configured the system automatically selects an IP address from the IP addresses of the current interface as the Router ID How a router ID is chosen if the LoopBack interface address exists the system chooses the LoopBack address with the greatest IP address value as the router ID if no LoopBack interface configur...

Page 120: ...backbone area Virtual link As all the areas should be connected to the backbone area virtual link is adopted so that the physically separated areas can still maintain logical connectivity to the backbone area Route Summary An AS is divided into different areas that are interconnected via OSPF ABRs The routing information between areas can be reduced by use of a route summary Thus the size of routi...

Page 121: ...port External routes Configuring OSPF to Import the Default Route Setting OSPF Route Preference Configuring OSPF Route Filtering Configuring the Filling of the MTU Field When an Interface Transmits DD Packets Disabling the Interface to Send OSPF Packets Configuring OSPF and Network Management System NMS Resetting the OSPF Process Enabling OSPF and Entering OSPF View Perform the following configura...

Page 122: ...he OSPF will be applied after enabling OSPF ip mask can be IP address mask or IP address wildcard shielded text similar to the complement of the IP address mask Configuring a Router ID A Router ID is a 32 bit unsigned integer that uniquely identifies a router within an AS A Router ID can be configured manually If a Router ID is not configured the system selects the IP address of an interface autom...

Page 123: ...non broadcast and multi accessible ATM is a typical example You can configure the polling interval for hello packets before the adjacency of the neighboring routers is formed Configure the interface type to nonbroadcast on a broadcast network without multi access capability Configure the interface type to P2MP if not all the routers are directly accessible on an NBMA network Change the interface t...

Page 124: ...ed DR in the packet and sends it to all the other routers on the segment If two routers attached to the same segment concurrently declare themselves to be the DR the one with higher priority is elected DR If the priorities are the same the router with the higher router ID is elected DR If the priority of a router is 0 it will not be elected as DR or BDR If DR fails the routers on the network must ...

Page 125: ...IP address for the adjacent router for the interface and whether the adjacent router is eligible for election This can be done by configuring the peer ip_address command Perform the following configuration in OSPF View By default the preference for the neighbor of NBMA interface is 1 Setting the Interval of Hello Packet Transmission Hello packets are the most frequently sent packets They are perio...

Page 126: ...seconds should be added to the aging time of the LSA in an LSU packet This parameter affects the time duration that the interface requires to transmit the packet You can configure the interval for sending LSU messages This is more important on low speed networks Perform the following configuration in Interface View By default the LSU packets are transmitted every second Table 139 Setting Hello Tim...

Page 127: ... the following configuration in OSPF View By default the interval for SPF recalculation is 5 seconds Configuring STUB Area of OSPF STUB areas are special LSA areas in which the ABRs do not propagate the learned external routes of the AS In these areas the routing table sizes of routers and the routing traffic are significantly reduced The STUB area is an optional configuration attribute but not ev...

Page 128: ...the NSSA area which can only advertise in the NSSA area When a Type 7 LSA reaches the ABR of the NSSA the ABR decides whether to transform the Type 7 LSA into an AS External LSA so as to advertise it to other areas For example in Figure 32 the AS running OSPF comprises three areas Area 1 Area 2 and Area 0 Area 0 is the backbone area There are another two ASs running RIP Area 1 is defined as an NSS...

Page 129: ...not configured and the cost of the default route to the NSSA is 1 Configuring the Route Summarization of OSPF Area Route summary means that ABR can aggregate information of routes of the same prefix and advertise only one route to other areas An area can be configured with multiple aggregate segments allowing OSPF can summarize them When the ABR transmits routing information to other areas it will...

Page 130: ...as an area border router ABR and a router in the NSSA this command summarizes Type 5 LSAs translated from Type 7 LSAs If the router is not the router in the NSSA this summarization is disabled Configuring OSPF Virtual Link According to RFC2328 after the area division of OSPF the backbone is established with an area id of 0 0 0 0 The OSPF routes between non backbone areas are updated with the help ...

Page 131: ...ers to the type 3 LSAs generated by the ABRs for which the synchronization mode of the routers in the area will not be changed Perform the following configuration in OSPF Area View The area_id and router_id have no default value By default hello timer is 10 seconds retransmit 5 seconds trans delay 1 second and the dead timer is 40 seconds Configuring the OSPF Area to Support Packet Authentication ...

Page 132: ...ternal type 1 routes refer to imported IGP routes such as static route and RIP Since these routes are more reliable the calculated cost of the external routes is the same as the cost of routes within the AS Also this route cost and the route cost of the OSPF itself are comparable That is the cost to reach the external route type 1 equals the cost to reach the corresponding ASBR from the local rout...

Page 133: ...ID can be used to identify the protocol related information Perform the following configuration in OSPF View Table 151 Configuring OSPF to Import Routes of Other Protocols Operation Command Configure OSPF to import routes of other protocols import route protocol cost value type value tag value route policy route_policy_name Cancel importing routing information of other protocols undo import route ...

Page 134: ...different protocols discover the same route Perform the following configuration in OSPF View By default the OSPF preference is 10 and the imported external routing protocol is 150 Configuring OSPF Route Filtering Perform the following configuration in OSPF View Restore the default tag for the OSPF to import external routes undo default tag Configure the default type of external routes that OSPF wi...

Page 135: ...tabases You can manually specify an interface to fill in the MTU field in a DD packet when it transmits the packet The MTU should be set to the real MTU on the interface Perform the following configuration in Interface View Table 155 Enabling OSPF to filter the received routes Operation Command Disable to filter the received global routing information filter policy acl_number ip prefix ip_prefix_n...

Page 136: ...interface to send OSPF packets Configuring OSPF and Network Management System NMS Configuring OSPF MIB binding After multiple OSPF processes are enabled you can configure to which OSPF process MIB is bound Perform the following configuration in System View By default MIB is bound to the first enabled OSPF process Configuring OSPF TRAP You can configure the switch to send multiple types of SNMP TRA...

Page 137: ...tive or re elect the DR and BDR Displaying and Debugging OSPF After the above configuration execute display command in any view to display the operation of the OSPF configuration and to verify the effect of the Table 160 Enabling disabling OSPF TRAP function Operation Command Enable OSPF TRAP function snmp agent trap enable ospf process_id ifstatechange virifstatechange nbrstatechange virnbrstatec...

Page 138: ...PF display ospf process_id area_id lsdb brief asbr ase network nssa router summary ip_address originate router ip_address self originate Display OSPF peer information display ospf process_id peer brief Display OSPF next hop information display ospf process_id nexthop Display OSPF routing table display ospf process_id routing Display OSPF virtual links display ospf process_id vlink Display OSPF req...

Page 139: ... 1 1 1 Switch A ospf Switch A ospf 1 area 0 Switch A ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 2 Configure Switch B Switch B interface Vlan interface 1 Switch B Vlan interface1 ip address 196 1 1 2 255 255 255 0 Switch B Vlan interface1 ospf dr priority 0 Switch B router id 2 2 2 2 Switch B ospf Switch B ospf 1 area 0 Switch B ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 3 Configure Switc...

Page 140: ...B Vlan interface2000 ospf dr priority 200 Execute the display ospf peer command on Switch A to show its OSPF neighbors Please note the priority of Switch B has been modified to 200 but it is still not the DR Only when the current DR is offline does the DR change Shut down Switch A and run display ospf peer command on Switch D to display its neighbors Note that the original BDR Switch C becomes the...

Page 141: ...an interface 8 Switch B Vlan interface8 ip address 197 1 1 2 255 255 255 0 Switch B router id 2 2 2 2 Switch B ospf Switch B ospf 1 area 0 Switch B ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Switch B ospf 1 area 0 0 0 0 quit Switch B ospf 1 area 1 Switch B ospf 1 area 0 0 0 1 network 197 1 1 0 0 0 0 255 Switch B ospf 1 area 0 0 0 1 vlink peer 3 3 3 3 3 Configure Switch C Switch C interface Vl...

Page 142: ...ates that faults have occurred on the physical link and the lower level protocol If the physical link and the lower level protocol are normal please check the OSPF parameters configured on the interface The parameters should be the same parameters configured on the router adjacent to the interface The same area ID should be used and the networks and the masks should also be consistent The P2P or v...

Page 143: ...scovered by other protocols to enrich its routing knowledge While importing the routing information it must import only the information that meets its conditions To implement a routing policy you must define a set of rules by specifying the characteristics of the routing information to be filtered You can set the rules based on such attributes as the destination address and source address of the i...

Page 144: ...ng information filtering its matching objects are the destination address information and the domain of the routing information In addition in the IP Prefix you can specify the gateway options and require it to receive only the routing information distributed by some certain routers An IP Prefix is identified by the ip prefix name Each IP Prefix can include multiple list items and each list item c...

Page 145: ...routing policy denies the routing information If all the nodes in the route policy are in deny mode all routing information is denied by the route policy Defining If match Clauses for a Route policy The if match clauses define the matching rules that the routing information must satisfy to pass the route policy The matching objects are attributes of the routing information Perform the following co...

Page 146: ...oute policy can filter route information to implement the redistribution If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol you should satisfy the requirement of the destination protocol by specifying a route cost for the imported route Cancel the matched next hop of the routing information set by the address prefix ...

Page 147: ...mit mode The list items of the deny mode can be defined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode no route will pass the ip prefix filtering You can define an item of permit 0 0 0 0 0 greater equal 0 less equal 32 after the multiple list items in the deny mode to let all the other routes pass Configuring the Filtering of Rece...

Page 148: ...A NSSA route discovered by OSPF By default the filtering of distributed routes is not performed Table 168 Configuring the Filtering of Received Routes Operation Command Configure to filter the received routing information distributed by the specified address filter policy gateway ip_prefix_name import Cancel the filtering of the received routing information distributed by the specified address und...

Page 149: ...dress of VLAN interface Switch A interface vlan interface 100 Switch A Vlan interface100 ip address 10 0 0 1 255 0 0 0 Switch A interface vlan interface 200 Switch A Vlan interface200 ip address 12 0 0 1 255 0 0 0 b Configure three static routes Switch A ip route static 20 0 0 1 255 0 0 0 12 0 0 2 Switch A ip route static 30 0 0 1 255 0 0 0 12 0 0 2 Switch A ip route static 40 0 0 1 255 0 0 0 12 0...

Page 150: ...olicy are in the deny mode then all the routing information cannot pass the filtering of the Route Policy The if match mode of at least one list item of the ip prefix should be the permit mode The list items of the deny mode can be firstly defined to rapidly filter the routing information not satisfying the requirement but if all the items are in the deny mode no routes will not pass the ip prefix...

Page 151: ...utes are removed from the routing table Perform the following configuration in the System View The lower limit value set for the memory must be smaller than the safety value Enabling and Disabling Automatic Recovery of Disconnected Routing Protocols If the Automatic Recovery function of the Switch 5500G EI is disabled connection to routing protocols is not restored even if the free memory returns ...

Page 152: ...mmand in any view to display the operation of the Route Capacity configuration Table 173 Displaying and debugging route capacity Operation Command Display the route capacity memory information display memory unit unit_id Display the route capacity memory setting and state information display memory limit ...

Page 153: ...twork In either case the end users will receive the information For example if the same information is required by 200 users on the network the traditional solution is to send the information 200 times in unicast mode In the broadcast mode the data is broadcast over the entire network However both of the methods waste bandwidth resources In addition the broadcast mode cannot ensure information sec...

Page 154: ...ticast Addresses The destination addresses of multicast packets use Class D IP addresses ranging from 224 0 0 0 to 239 255 255 255 Class D addresses cannot appear in the source IP address fields of IP packets During unicast data transmission a packet is transmitted from the source address to the destination address with the hop by hop principle of the IP network A packet has more than one destinat...

Page 155: ...ss D addresses Class D address range Meaning 224 0 0 0 224 0 0 255 Reserved multicast addresses addresses of permanent groups Address 224 0 0 0 is reserved The other addresses can be used by routing protocols 224 0 1 0 238 255 255 255 Multicast addresses available for users addresses of temporary groups They are valid in the entire network 239 0 0 0 239 255 255 255 Multicast addresses for local ma...

Page 156: ...re IP multicast Hosts report the group membership to a router through IGMP and inform the router of the conditions of other members in the group through the directly connected host If a user on the network joins a multicast group through IGMP declaration the multicast router on the network will transmit the information sent to the multicast group through the multicast routing protocol Finally the ...

Page 157: ...onding to the group for receiving the multicast data traffic from the specified group The join message passes routers and finally reaches the root i e the RP The join message becomes a branch of the shared tree In PIM sparse mode multicast packets are sent to the RP first and then are forwarded along the shared tree rooted at the RP and with members as the branches To prevent the branches of the s...

Page 158: ...ia applications Communications at training and corporate sites Data repository and finance stock applications Any point to multipoint data distribution With the increase of multimedia services on IP networks multicast has huge market potential IGMP Snooping IGMP Snooping Internet Group Management Protocol Snooping is a multicast control mechanism running on Layer 2 the link layer of the switch It ...

Page 159: ...r port The port connected to the multicast member The multicast member refers to a host that joined a multicast group MAC multicast group The multicast group is identified with MAC multicast address and maintained by the Switch 5500G EI Internet Intranet Video stream VOD Server Layer 2 Ethernet Switch Video stream Multicast group member Non multicast group member Multicast router Video stream Vide...

Page 160: ...a port joins an IP multicast group the aging timer of the port will begin timing If the switch has not received any IGMP report messages before the timer times out it transmits IGMP specific query message to the port Maximum response time When the switch transmits IGMP specific query message to the multicast member port the Switch 5500G EI starts a response timer which times before the response to...

Page 161: ...MAC multicast group does not exist the switch notifies the router that a member is ready to join a multicast group creates a new MAC multicast group adds the port that received the message to the group starts the port aging timer and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table Meanwhile it creates an IP multicast group and adds the port rec...

Page 162: ...essage from the router before the router port is aged the switch will remove the port from the MAC multicast group Perform the following configuration in system view By default the port aging time is 105 seconds Configuring Maximum Response Time Use the commands in Table 180 to manually configure the maximum response time If the Switch 5500G EI receives no report message from a port within the max...

Page 163: ...nd in user view to debug IGMP Snooping configuration Configuration Example Enable IGMP Snooping Networking Requirements To implement IGMP Snooping on the switch first enable it The switch is connected to the router via the router port and with user PCs through the non router ports on vlan 10 Table 181 Configuring aging time of the multicast member Operation Command Configure aging time of the mult...

Page 164: ...isabled IGMP Snooping check whether the IGMP Snooping is enabled globally and also enabled on the VLAN If IGMP Snooping is not enabled globally first input the igmp snooping enable command in System View and then input the igmp snooping enable command in VLAN view If IGMP Snooping is not enabled on the VLAN input the igmp snooping enable command in VLAN view Diagnosis 2 Multicast forwarding table ...

Page 165: ...figuration includes Enabling multicast Configuring the multicast route limit Clearing MFC forwarding entries or statistics information Clearing route entries from the core multicast routing table Enabling Multicast Enable multicast first before enabling IGMP and the multicast routing protocol Perform the following configuration in system view By default multicast is disabled Other multicast config...

Page 166: ...ies or its statistic information reset multicast forwarding table statistics all group_address mask group_mask group_mask_length source_address mask source_mask source_mask_length incoming interface interface_type interface_number Table 186 Clearing routing entries from multicast routing table Operation Command Clear routing entries from multicast routing table reset multicast routing table all gr...

Page 167: ...race reversely hop by hop from the local router to the first hop router that connects directly to multicast source following RPF rule If the source address and group address only are specified the last hop address defaults to that of a physical interface of the local router In this instance trace reversely from the local router to the first hop router which is directly connected with multicast sou...

Page 168: ...router will send a group specific query IGMP Version 2 to discover whether there are no members in the group Up to now IGMP has three versions namely IGMP Version 1 defined by RFC1112 IGMP Version 2 defined by RFC2236 and IGMP Version 3 IGMP Version 2 is currently the most widely used version IGMP Version 2 benefits from the following improvements over IGMP Version 1 Election mechanism of multicas...

Page 169: ...ast Enabling IGMP on an Interface Advanced IGMP configuration includes Configuring the IGMP Version Configuring the Interval and the Number of IGMP Query Packets Configuring Maximum Response Time for IGMP Query Message Configuring Maximum Response Time for IGMP Query Message Configuring the Limit of IGMP Groups on an Interface Configuring a Router to Join Specified Multicast Group Limiting Multica...

Page 170: ...bership on the interface When an IGMP querier receives an IGMP Leave Group message from a host the last member query interval can be specified for Group Specific Queries 1 The host sends the IGMP Leave message 2 Upon receiving the message the IGMP querier sends the designated group IGMP query message for the specified number of times defined by the robust_value in igmp robust count with the defaul...

Page 171: ... seconds If the router has received no query message within twice the interval specified by the igmp timer query command it will regard the previous querier invalid Configuring Maximum Response Time for IGMP Query Message When a router receives a query message the host will set a timer for each multicast group it belongs to The value of the timer is randomly selected between 0 and the maximum resp...

Page 172: ...xceeded the specified value during configuration no IGMP group will be deleted Configuring a Router to Join Specified Multicast Group Usually the host operating IGMP will respond to IGMP query packet of the multicast router In case of response failure the multicast router will consider that there is no multicast member on this network segment and will cancel the corresponding path Configuring one ...

Page 173: ... host join group_address port interface_type interface_ num interface_name to interface_type interface_ num interface_name Quit from specified multicast group VLAN Interface View undo igmp host join group address port interface_type interface_ num interface_name to interface_type interface_ num interface_name Configure a router to join specified multicast group Ethernet Port View igmp host join gr...

Page 174: ...embers of multicast groups are relatively dense in such network environments The working procedures of PIM DM include neighbor discovery flood prune and graft Table 199 Configuring the interval to send IGMP query message Operation Command Configure the interval to send IGMP query message igmp timer query seconds Restore the default value undo igmp timer query Table 200 Deleting IGMP groups joined ...

Page 175: ...is way a SPT Shortest Path Tree rooted at Source S is built The pruning process is initiated by leaf routers first This process is called flood prune process In addition nodes that are pruned provide timeout mechanism Each router re starts the flood prune process upon pruning timeout The consistent flood prune process of PIM DM is performed periodically During this process PIM DM uses the RPF chec...

Page 176: ...IM DM PIM DM basic configuration includes Enabling Multicast Enabling PIM DM PIM DM advanced configuration includes Entering the PIM View Configuring Sending Interval for the Hello Packets Configuring the Filtering of Multicast Source Group Configuring the Filtering of PIM Neighbor Configuring the Maximum Number of PIM Neighbor on an Interface Clearing Multicast Route Entries from PIM Routing Tabl...

Page 177: ...enabled on an interface it will send Hello messages periodically on the interface The interval at which Hello messages are sent can be modified according to the bandwidth and type of the network connected to the interface Perform the following configuration in Interface view The default interval is 30 seconds You can configure the value according to different network environments Generally this pa...

Page 178: ...t no filtering rules are set Only the routers that match the filtering rule in the ACL can serve as a PIM neighbor of the current interface Configuring the Maximum Number of PIM Neighbor on an Interface The maximum number of PIM neighbors of a router interface can be configured to avoid exhausting the memory of the router or router faults The maximum number of PIM neighbors of a router is defined ...

Page 179: ... the G item will be cleared Note that this command clears not only multicast route entries from PIM routing table but also the corresponding route entries and forward entries in the multicast core routing table and MFC Clearing PIM Neighbors Perform the following configuration in User View Displaying and Debugging PIM DM After the above configuration execute the display command in any view to disp...

Page 180: ...mask mask_length mask group_address mask mask_length mask source_address mask mask_length mask incoming interface interface type interface_number interface name null dense mode sparse mode Display the PIM interface information display pim interface interface type interface_number Display the information about PIM neighboring routers display pim neighbor interface type interface_number Enable the P...

Page 181: ...10 pim dm SW5500 vlan interface10 quit SW5500 interface vlan interface 11 SW5500 vlan interface11 ip address 2 2 2 2 255 255 0 0 SW5500 vlan interface11 igmp enable SW5500 vlan interface11 pim dm SW5500 vlan interface11 quit SW5500 interface vlan interface 12 SW5500 vlan interface12 ip address 3 3 3 3 255 255 0 0 SW5500 vlan interface12 igmp enable SW5500 vlan interface12 pim dm PIM SM Overview PI...

Page 182: ... SM include neighbor discovery building the RP rooted shared tree RPT multicast source registration and switch over to the SPT Neighbor Discovery The PIM SM router uses Hello messages to perform neighbor discovery when it is started All network nodes running PIM SM stay in touch with one another by periodically sending Hello messages Build the RP Shared Tree RPT When hosts join a multicast group G...

Page 183: ...e equal All multicast routers calculate the RPs corresponding to multicast groups according to the same algorithm after receiving the C RP messages that the BSR advertises It should be noted that one RP can serve multiple multicast groups or all multicast groups Each multicast group can only be uniquely correspondent to one RP at a time rather than multiple RPs Configuring BSRs The BSR is the mana...

Page 184: ... Interval for the Hello Packets of the Interface Configuring the Filtering of Multicast Source Group Configuring the Filtering of PIM Neighbor Configuring the Maximum Number of PIM Neighbor on an Interface Configuring RP to Filter the Register Messages Sent by DR Limiting the Range of Legal BSR Limiting the Range of Legal C RP Clearing Multicast Route Entries from PIM Routing Table Clearing PIM Ne...

Page 185: ...configuration in PIM view and back to system view Configuring Candidate BSRs In a PIM domain one or more candidate BSRs should be configured A BSR Bootstrap Router is elected among candidate BSRs The BSR takes charge of collecting and advertising RP information The automatic election among candidate BSRs operates as follows One interface which has started PIM SM must be specified when configuring ...

Page 186: ...erform the following configuration in PIM view When configuring RP if the range of the served multicast group is not specified the RP will serve all multicast groups Otherwise the range of the served multicast group is the multicast group in the specified range 3Com recommends that you configure Candidate RP on the backbone router Configuring Static RP Static RP serves as the backup of dynamic RP ...

Page 187: ... PIM DM Overview on page 186 Configuring the Filtering of PIM Neighbor Refer to PIM DM Overview on page 186 Configuring the Maximum Number of PIM Neighbor on an Interface Refer to PIM DM Overview on page 186 Configuring RP to Filter the Register Messages Sent by DR In the PIM SM network the register message filtering mechanism can control which sources to send messages to which groups on the RP i ...

Page 188: ... as C BSR shall propagate BSR messages which are multicast messages sent hop by hop with TTL as 1 among the network then the network cannot be affected as long as the peer routers do not receive these BSR messages One way is to configure bsr policy on each router to limit legal BSR range for example only 1 1 1 1 32 and 1 1 1 2 32 can be BSR thus the routers cannot receive or forward BSR messages o...

Page 189: ...that Host A is the receiver of the multicast group at 225 0 0 1 Host B begins transmitting data destined to 225 0 0 1 Switch_A receives the multicast data from Host B via Switch_B Table 220 Limiting the range of legal C RP Operation Command Set the legal C RP range limit crp policy acl number Restore to the default setting undo crp policy Table 221 Displaying and debugging PIM SM Operation Command...

Page 190: ...5500 vlan interface11 igmp enable SW5500 vlan interface11 pim sm SW5500 vlan interface11 quit SW5500 vlan 12 SW5500 vlan12 port gigabitethernet 1 0 6 to gigabitethernet 1 0 7 SW5500 vlan12 quit SW5500 interface vlan interface 12 SW5500 vlan interface12 igmp enable SW5500 vlan interface12 pim sm SW5500 vlan interface12 quit 2 On Switch_B a Enable PIM SM SW5500 multicast routing enable SW5500 vlan 1...

Page 191: ...p vlan interface 10 group policy 2000 d Configure PIM domain border SW5500 interface vlan interface 12 SW5500 vlan interface12 pim bsr boundary After VLAN interface 12 is configured as the domain border Switch_D will be excluded from the local PIM domain and will no longer receive the BSR information transmitted from Switch_B 3 On Switch_C a Enable PIM SM SW5500 multicast routing enable SW5500 vla...

Page 192: ...204 CHAPTER 7 MULTICAST PROTOCOL SW5500 vlan interface12 igmp enable SW5500 vlan interface12 pim sm SW5500 vlan interface12 quit ...

Page 193: ...ackets When matching a data packet with the access control rule the issue of match order arises The case of filter or classify the data transmitted by the hardware ACL can be used to filter or classify the data transmitted by the hardware of the Switch In this case the match order of the ACL s sub rules is determined by the Switch hardware The match order defined by the user will not be effective ...

Page 194: ...e the same then compare the destination address wildcards For the same destination address wildcards compare the ranges of port numbers the one with the smaller range is listed ahead If the port numbers are in the same range follow the configuration sequence ACL Supported by the Switch The table below lists the limits to the numbers of different types of ACL on a Switch Table 223 Quantitative Limi...

Page 195: ...n ACL If ACL is used to filter or classify the data transmitted by the hardware of the Switch the match order defined in the acl command will not be effective If ACL is used to filter or classify the data treated by the software of the Switch the match order of ACL s sub rules will be effective Once the user specifies the match order of an ACL rule he cannot modify it later The default matching or...

Page 196: ... 2 packet format and destination MAC address Operation Command Enter basic ACL view from System View acl number acl_number match order config auto add a sub item to the ACL from Basic ACL View rule rule_id permit deny source source_addr wildcard any fragment logging time range name delete a sub item from the ACL from Basic ACL View undo rule rule_id source fragment logging time range Delete one AC...

Page 197: ... refer to the Command Reference Manual Operation Command Enter Layer 2 ACL view from System View acl number acl_number match order config auto Add a sub item to the ACL from Layer 2 ACL View rule rule_id permit deny type protocol_type type_mask lsap lsap_type type_mask format_type cos cos source source_vlan_id source_mac_addr source_mac_wildcard dest dest_mac_addr dest_mac_wildcard time range name...

Page 198: ...e work time range Define time range from 8 00 to 18 00 SW5500 time range 3Com 8 00 to 18 00 working day 2 Define the ACL to access the payment server a Enter the numbered advanced ACL number as 3000 SW5500 acl number 3000 match order config b Define the rules for other department to access the payment server SW5500 acl adv 3000 rule 1 deny ip source any destination 129 110 1 2 0 0 0 0 time range 3...

Page 199: ...o 18 00 SW5500 time range 3Com 8 00 to 18 00 daily 2 Define the ACL for packet which source IP is 10 1 1 1 a Enter the number basic ACL number as 2000 SW5500 acl number 2000 b Define the rules for packet which source IP is 10 1 1 1 SW5500 acl basic 2000 rule 1 deny source 10 1 1 1 0 time range 3Com 3 Activate ACL Activate the ACL 2000 SW5500 GigabitEthernet1 0 1 packet filter inbound ip group 2000...

Page 200: ...0 SW5500 GigabitEthernet1 0 1 packet filter inbound link group 4000 QoS Configuration Traffic Traffic refers to all packets passing through a Switch Traffic Classification Traffic classification means identifying the packets with certain characteristics using the matching rule called classification rule set by the configuration administrator based on the actual requirements The rule can be very si...

Page 201: ...traffic i e the deny operation the default ACL operation Traffic Policing To deliver better service with the limited network resources QoS monitors the traffic of the specific user on the ingress so that it can make a better use of the assigned resource Port traffic limit The port traffic limit is the port based traffic limit used for limiting the general speed of packet output on the port Traffic...

Page 202: ...ut the packets of lower priority like e mail in the lower priority queue can guarantee the key service packets of higher priority are transmitted first while the packets of lower service priority are transmitted during the idling gap between transmitting the packets of higher service priorities Note that SP has the drawback that when congestion occurs if there are many packets queuing in the highe...

Page 203: ...y carried by a packet with the port priority Configuring Trust Packet Priority The system replaces the 802 1p priority carried by a packet with the port priority by default The user can configure system trusting the packet 802 1p priority and not replacing the 802 1p priorities carried by the packets with the port priority Perform the following configuration in Ethernet Port View Table 231 Configu...

Page 204: ...iew Table 233 Configure Mirroring Port Delete Port Mirroring 1 Delete mirroring port Perform the following configuration in the Ethernet Port View Table 234 Delete Mirroring Port 2 Delete monitor port Perform the following configuration in the Ethernet Port View Table 235 Delete Monitor Port Configuring Traffic Mirroring The function of traffic mirroring is to copy the traffic matching an ACL rule...

Page 205: ... that multiple messages compete for resource when the network congestion happens The queue scheduling function puts the packet to the output queue of the port according to the 802 1p priority of the packet The mapping relationship between 802 1p priority and output queue of the port is as shown in Table 240 Table 240 Mapping between 802 1p Priority Levels and Outbound Queues Perform the following ...

Page 206: ... dropping excessive packets Setting Line Limit Line limit refers to rate limit based on the port that is limiting the total rate at the port The granularity of line rate is 64 kbps Perform the following configurations in the Ethernet Port View Table 243 Setting Line Rate Relabeling Priority Level This configuration re labels priority level for the packets that match ACL The new priority label can ...

Page 207: ...rform the following configuration in the Ethernet Port View Table 246 Configuring Traffic Statistics Operation Command Relabel traffic priority traffic priority inbound ip group acl_number rule rule link group acl_number rule rule link group acl_number rule rule dscp dscp_value ip precedence pre_value from cos cos pre_value from ipprec local precedence pre_value Remove the setting undo traffic pri...

Page 208: ...l_number rule rule link group acl_number rule rule Display the statistics information display qos interface interface_name interface_type interface_num unit_id traffic statistic Operation Command Operation Command Display mirroring configuration display mirror Display queue scheduling mode display queue scheduler Display line rate for outbound packets display qos interface interface_name interface...

Page 209: ...the wage server a Limit average traffic from the wage server at 128 Kbps and label over threshold packets with priority level 4 SW5500 Ethernet1 0 1 traffic limit inbound ip group 3000 128 exceed remark dscp 4 b Limit traffic to the wage server from the port Ethernet1 0 1 at 128 Kbps SW5500 Ethernet1 0 1 line rate outbound 128 Port Mirroring Configuration Example Networking Requirement Use one ser...

Page 210: ...ach day from PC1 IP 1 0 0 2 as priority labeling reference for the upper layer device Networking Diagram Figure 53 QoS Configuration Example Configuration Procedure 1 Define the time range Define the time range 8 00 18 00 SW5500 time range 3Com 8 00 to 18 00 daily 2 Define traffic rules for PC packets a Enter the number based basic ACL and select the ACL 2000 SW5500 acl number 2000 b Define traffi...

Page 211: ...ration Figure 54 QoS Profile Configuration Environment QoS profile configuration details Table 248 QoS Profile Configuration Device Configuration Default Description AAA server Configure user authentication information Configure mapping between user names and QoS profile Multiple users can correspond to the same QoS profile Switch Enable 802 1x authentication function Refer to the Security part of...

Page 212: ...er is accessed The QoS profile can be delivered to the port in these different modes Operation Command Enter QoS profile view qos profile profile name Delete the QoS profile undo qos profile profile name Operation Command Add packet filtering action packet filter inbound ip group acl_number rule rule link group acl_number rule rule link group acl_number rule rule Add traffic policing action traffi...

Page 213: ... to one or more consecutive ports Table 252 Applying QoS Profile to the Port in System View In Ethernet Port View In Ethernet Port View you can only apply the QoS profile to the current port Table 253 Applying QoS Profile to the Port in Ethernet Port View You cannot delete the specific QoS profile once you apply it to the port Displaying and Debugging QoS Profile Configuration Use the display comm...

Page 214: ...ils are omitted here 2 Configuration on the Switch a Enable 802 1x SW5500 dot1x SW5500 dot1x interface ethernet 1 0 1 b Configure IP address for the RADIUS server SW5500 radius scheme radius1 SW5500 radius radius1 primary authentication 10 11 1 1 SW5500 radius radius1 primary accounting 10 11 1 2 SW5500 radius radius1 secondary authentication 10 11 1 2 SW5500 radius radius1 secondary accounting 10...

Page 215: ...r access modes SNMP Simple Network Management Protocol access Telnet access and HTTP Hypertext Transfer Protocol access Security control is achieved at two levels Connection request control is achieved at the first level and appropriate ACL configuration ensures that only legal users can be connected to the Switch Password authentication is achieved at the second level and only those connected wit...

Page 216: ...t users Configuration Procedure 1 Define a basic ACL SW5500 acl number 2000 match order config SW5500 acl basic 2000 rule 1 permit source 10 110 100 52 0 SW5500 acl basic 2000 rule 2 permit source 10 110 100 46 0 SW5500 acl basic 2000 quit Operation Command Enter basic ACL System View acl number acl_number match order config auto Define a sub rule Basic ACL View rule rule id permit deny source sou...

Page 217: ...gured for the SNMP V1 and SNMP V2 SNMP username or group name is one of the features of SNMP V2 and above therefore you import the ACL into the commands with SNMP username or group name configured for the SNMP V2 and above If you import the ACL into both features the Switch will filter both features for the users You can import different ACLs in the three commands listed above Operation Command Im...

Page 218: ...ring ACL Control over the HTTP Users The Switch 5500G EI Family supports the remote management through the Web interface The users can access the Switch through HTTP Controlling such users with ACL can help filter the illegal users and prevent them from accessing the local Switch After configuring ACL control over these users the Switch allows only one Web user to access the Ethernet Switch at one...

Page 219: ...uirements Only permit Web NM user from 10 110 100 46 access Switch Networking Diagram Figure 58 Controlling Web NM users with ACL Configuration Procedure 1 Define the basic ACL SW5500 acl number 2030 match order config SW5500 acl basic 2030 rule 1 permit source 10 110 100 46 0 SW5500 acl basic 2030 quit 2 Call the basic ACL SW5500 ip http acl 2030 Operation Command Call an ACL to control the WEB N...

Page 220: ...232 CHAPTER 8 ACL CONFIGURATION ...

Page 221: ...nnection and one IP address are required to manage the entire Fabric Therefore management cost is reduced Enables you to purchase devices on demand and expand network capacity smoothly Protects your investment to the full extent during network upgrade Ensures high reliability by N 1 redundancy avoids single point failure and lessens service interruption Figure 59 Fabric Example Fabric Topology Map...

Page 222: ...ing configuration in System View Table 261 Setting Unit Names for Switches Setting a Fabric Name for Switches Only the Switches with the same Fabric name and XRN authentication mode can constitute a Fabric You can use the commands in the following table to set a Fabric name for the Switches Perform the following configuration in System View Table 262 Setting a Fabric Name for Switches By default t...

Page 223: ...mode simple password Password welcome Networking Diagram Figure 60 Networking Diagram of a Fabric Configuration Procedure Configure Switch A SW5500 change unit id 1 to 1 SW5500 set unit 1 name unit1 SW5500 sysname hello Configure Switch B SW5500 change unit id 1 to auto numbering SW5500 set unit 1 name unit2 SW5500 sysname hello Configure Switch C SW5500 change unit id 1 to auto numbering Operatio...

Page 224: ...igure Switch D SW5500 change unit id 1 to auto numbering SW5500 set unit 1 name unit SW5500 sysname hello In the example it is assumed that the system will automatically change the unit IDs of Switch B Switch C and Switch D to 2 3 and 4 after you choose auto numbering for unit id ...

Page 225: ...lled configuration Bridge Protocol Data Units or BPDU in IEEE 802 1D to decide the topology of the network The configuration BPDU contains the information enough to ensure the Switches to compute the spanning tree The configuration BPDU mainly contains the following information 1 The root ID consisting of root priority and MAC address 2 The cost of the shortest path to the root 3 Designated bridge...

Page 226: ... forwards BPDU to LAN So the designated bridge of LAN is Switch B and the designated port is BP2 AP1 AP2 BP1 BP2 CP1 and CP2 respectively delegate the ports of Switch A Switch B and Switch C The Specific Calculation Process of STP Algorithm The following example illustrates the calculation process of STP Figure 62 illustrates the network Figure 62 Switch Networking To facilitate the descriptions o...

Page 227: ... same perform the comparison based on root path costs The cost comparison is as follows the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local port is set as X the configuration BPDU with a lower X has a higher priority If the costs of path to the root are also the same compare in sequence the designated bridge ID designated port ID and the ID of...

Page 228: ...2 1 0 1 BP2 Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are updated as follows The configuration BPDU of the root port BP1 retains as 0 0 0 BP1 BP2 updates root ID with that in the optimum configuration BPDU the path cost to root with 5 sets the designated bridg...

Page 229: ... certain rules The basic calculation process is described below Configuration BPDU Forwarding Mechanism in STP Upon the initiation of the network all the Switches regard themselves as the roots The designated ports send the configuration BPDUs of local ports at a regular interval of HelloTime If it is the root port that receives the configuration BPDU the Switch will enable a timer to time the con...

Page 230: ...nnect with any Switch directly or indirectly If the designated port is an edge port it can Switch to forwarding state directly without immediately forwarding data The port is connected with the point to point link that is it is the master port in aggregation ports or full duplex port It is feasible to configure a point to point connection However errors may occur and therefore this configuration i...

Page 231: ...P operational mode The Switch works in RSTP mode If there are Switches respectively running STP and RSTP on the network it is recommended to set the Switch in STP compatible mode Configure the STP Ignore attribute of VLANs on a Switch No VLAN on a STP enabled Switch is STP Ignored Once a VLAN is specified to be STP Ignored the packets of this VLAN will be forwarded on any Switch port with no restr...

Page 232: ...cost shall be It is recommended to use the default configuration Specify mCheck for a port You can change the operational mode of a port from STP compatible to RSTP Configure the protection functions on a Switch No protection function is enabled on a Switch It is recommended to enable the Root protection function on the root bridge Switch C Switch D Enable the STP feature on the Switch Enable the ...

Page 233: ...de of a port from STP compatible to RSTP Configure the protection functions on a Switch No protection function is enabled on a Switch It is recommended to enable the loop protection function on the intermediate Switches Switch E Switch F Switch G Enable the STP feature on the Switch Enable the STP feature on the port The STP feature is disabled from the Switch but will be enabled on all ports once...

Page 234: ...smallest preference value Configure whether to connect a port with a peer to peer link RSTP can detect automatically whether the current Ethernet port is connect to a peer to peer link The two ports connected with a peer to peer link can rapidly transit to the forwarding status by sending synchronous packets eliminating unnecessary forwarding delay Specify the Path Cost on a port Specify the stand...

Page 235: ...panning tree protocol under which only one spanning tree will be generated on one Switched network To ensure the successful communication between VLANs on a network all of them must be distributed consecutively along the STP path otherwise some VLANs will be isolated due to the blocking of intra links causing the failure in cross VLAN communication Once there are VLANs specially required to be loc...

Page 236: ...ands to specify the current Switch as the primary or secondary root of the spanning tree Perform the following configuration in System View Table 270 Specify the Switch as Primary or Secondary Root Bridge After a Switch is configured as primary root bridge or secondary root bridge you cannot modify the bridge priority of the Switch A Switch can either be a primary or secondary root bridge but not ...

Page 237: ...te for a period of Forward Delay before they transition to the forwarding state and resume data frame forwarding This delay ensures that the new configuration BPDU has been propagated throughout the network before the data frame forwarding is resumed You can use the following command to set the Forward Delay for a specified bridge Perform the following configurations in System View Table 271 Set F...

Page 238: ...ansmits hello packet regularly to the adjacent bridges to check if there is link failure Generally if the Switch does not receive the RSTP packets from the upstream Switch for 3 occurences of hello time the Switch will decide the upstream Switch is dead and will recalculate the topology of the network Then in a steady network the recalculation may be caused when the upstream Switch is busy In this...

Page 239: ...net Port View Table 276 Set Specified Port as the EdgePort In the process of recalculating the spanning tree the EdgePort can transfer to the forwarding state directly and reduce unnecessary transition time If the current Ethernet port is not connected with any Ethernet port of other bridges this port should be set as an EdgePort If a specified port connected to a port of any other bridge is confi...

Page 240: ...y available on the Switch dot1d 1998 The Switch calculates the default Path Cost of a port by the IEEE 802 1D 1998 standard dot1t The Switch calculates the default Path Cost of a port by the IEEE 802 1t standard You can specify the intended standard by using the following commands Perform the following configuration in System View Table 278 Specifying the Standard to be Followed in Path Cost Calcu...

Page 241: ...e auto mode RSTP can automatically detect if the current Ethernet port is connected to a Point to Point link Note that for an aggregated port only the master port can be configured to connect with the point to point link After auto negotiation the port working in full duplex can also be configured to connect with such a link You can manually configure the active Ethernet port to connect with the p...

Page 242: ...h state In normal cases these ports will not receive STP BPDU If someone forges a BPDU to attack the Switch the network topology to reconfigure BPDU protection function is used against such network attack In case of configuration error or malicious attack the primary root may receive the BPDU with a higher priority and then lose its place which causes network topology change errors Due to the erro...

Page 243: ...ration execute display command in all views to display the running of the RSTP configuration and to verify the effect of the configuration Execute reset command in User View to clear the statistics of RSTP module Execute debugging command in User View to debug the RSTP module Table 283 Display and Debug RSTP Operation Command Configure Switch BPDU protection from System View stp bpdu protection Re...

Page 244: ...will be introduced Networking Diagram Figure 65 RSTP Configuration Example Configuration Procedure 1 Configure Switch A a Enable RSTP globally SW5500 stp enable b The port RSTP defaults are enabled after global RSTP is enabled You can disable RSTP on those ports that are not involved in the RSTP calculation however be careful and do not disable those involved The following configuration takes Giga...

Page 245: ... 1 stp root protection SW5500 interface gigabitethernet 1 0 2 SW5500 GigabitEthernet1 0 2 stp root protection SW5500 interface gigabitethernet 1 0 3 SW5500 GigabitEthernet1 0 3 stp root protection RSTP operating mode time parameters and port parameters take default values 3 Configure Switch C a Enable RSTP globally SW5500 stp enable b The port RSTP defaults are enabled after global RSTP is enabled...

Page 246: ... involved The following configuration takes GigabitEthernet 1 3 as an example SW5500 interface gigabitethernet 1 3 SW5500 GigabitEthernet1 3 stp disable c Configure the ports GigabitEthernet 0 1 through GigabitEthernet 0 24 directly connected to users as edge ports and enables BPDU PROTECTION function Take GigabitEthernet 0 1 as an example SW5500 interface gigabitethernet 1 3 SW5500 GigabitEtherne...

Page 247: ...equirement on the above mentioned Port Based Network Access Control originates As the name implies Port Based Network Access Control means to authenticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the user can access the resources in the LAN Otherwise the user cannot access the resources in t...

Page 248: ... the other is the Controlled Port The Uncontrolled Port is always in bi directional connection state The user can access and share the network resources any time through the ports The Controlled Port will be in connecting state only after the user passes the authentication Then the user is allowed to access the network resources Figure 66 802 1x System Architecture 802 1x Authentication Process 80...

Page 249: ...ication method can be based on port or MAC address In this way the system becomes much securer and easier to manage Configuring 802 1x The configuration tasks of 802 1x itself can be fulfilled in System View of the Ethernet switch When the global 802 1x is not enabled you can configure the 802 1x state of the port The configured items will take effect after the global 802 1x is enabled When 802 1x...

Page 250: ...the Port Access Control Mode By default the mode of 802 1x performing access control on the port is auto automatic identification mode which is also called protocol control mode That is the initial state of the port is unauthorized It only permits EAPoL packets receiving transmitting and does not permit the user to access the network resources If the authentication flow is passed the port will be ...

Page 251: ...urations in System View or Ethernet Port View Table 288 Setting the Maximum Number of Users via a Specified Port By default 802 1x allows up to 256 users on each port for Series 5500 Switches Setting the Authentication in DHCP Environment If in a DHCP environment the users configure static IP addresses you can set 802 1x to disable the Switch to trigger the user ID authentication over them with th...

Page 252: ...ation request message that the Switch sends to the user Perform the following configurations in System View Table 291 Setting the Maximum Times of the Authentication Request Message Retransmission By default the max retry value is 2 That is the Switch can retransmit the authentication request message to a user for a maximum of 2 times Configuring Timers The following commands are used for configur...

Page 253: ...ify the authentication timeout timer of a user After the Authenticator sends a Request Challenge request packet to request the MD5 encrypted text the supp timeout timer of the Authenticator begins to run If the user does not respond back successfully within the time range set by this timer the Authenticator will resend the above packet supp timeout value Specify how long the duration of an authent...

Page 254: ...ed on the MAC address All the users belong to the default domain 3com163 net which can contain up to 30 users RADIUS authentication is performed first If there is no response from the RADIUS server local authentication will be performed For accounting if the RADIUS server fails to account the user will be disconnected In addition when the user is accessed the domain name does not follow the user n...

Page 255: ...AA and RADIUS Protocol Configuration The configurations of accessing user workstation and the RADIUS server are omitted 1 Enable the 802 1x performance on the specified port Ethernet 1 0 1 SW5500 dot1x interface Ethernet 1 0 1 2 Set the access control mode This command could not be configured when it is configured as MAC based by default SW5500 dot1x port method macbased interface Ethernet 1 0 1 3...

Page 256: ...W5500 radius radius1 user name format without domain SW5500 radius radius1 quit 11 Create the user domain 3com163 net and enters isp configuration mode SW5500 domain 3com163 net 12 Specify radius1 as the RADIUS scheme for the users in the domain 3com163 net SW5500 isp 3com163 net scheme radius scheme radius1 local 13 Set a limit of 30 users to the domain 3com163 net SW5500 isp 3com163 net access l...

Page 257: ...hyphens The service type of local user must be set to lan access Enabling MAC Address Authentication Both Globally and On the Port You can use the following commands to enable disable the centralized MAC address authentication on the specified port if you do not specify the port the feature is enabled globally Perform the following configuration in System View or Ethernet Port View Table 296 Enabl...

Page 258: ...rver timeout time is 100 seconds Displaying and Debugging Centralized MAC Address Authentication After the above configuration perform the display command in any view you can view the centralized MAC address authentication running state and check the configuration result Perform the debugging command in User View you can debug the centralized MAC address authentication Table 299 Displaying and Deb...

Page 259: ...User name and password on the RADIUS server must be configured to the MAC address of the user The following example shows how to enabling centralized MAC address authentication both on a port and globally and the way of configuring local user are shown as follows For other configurations see 1 Enable centralized MAC address authentication on port Ethernet 1 0 2 SW5500 mac authentication interface ...

Page 260: ...ial in users who use serial ports and modems RADIUS system is the important auxiliary part of Network Access Server NAS After RADIUS system is started if the user wants to have the right to access other networks or consume some network resources through connection to NAS dial in access server in PSTN environment or a Switch with the access function in an Ethernet environment NAS namely RADIUS clie...

Page 261: ...a local user Setting attributes of the local user Disconnecting a user by force Among the above configuration tasks creating ISP domain is compulsory otherwise the user attributes cannot be distinguished The other tasks are optional You can configure them at requirements Creating Deleting an ISP Domain What is Internet Service Provider ISP domain To make it simple ISP domain is a group of users be...

Page 262: ...in ISP Domain View Configuring AAA Scheme The AAA schemes includes RADIUS scheme you can implement authentication authorization and accounting by referencing the RADIUS server group The adopted RADIUS scheme is the one used by all the users in the ISP domain For detailed information of the commands of setting RADIUS scheme refer to the following Configuring RADIUS section of this chapter Local aut...

Page 263: ...specifies how many users can be contained in the ISP For any ISP domain there is no limit to the number of users by default Table 304 Setting Access Limit By default there is no limit to the amount of users Enabling Disabling the Idle Cut Function The idle cut function means if the traffic from a certain connection is lower than the defined traffic this connection is cut off Table 305 Enabling Dis...

Page 264: ...ollowing configuration in ISP domain view By default messenger alert is disabled on the switch Configuring Self Service Server URL The self service url enable command can be used to configure self service server uniform resource locator URL This command must be incorporated with a RADIUS server such as a CAMS that supports self service Self service means that users can manage their accounts and ca...

Page 265: ...and some other settings Setting the Password Display Mode Perform the following configurations in System View Table 310 Setting the Password Display Mode of Local Users auto means that the password display mode will be the one specified by the user at the time of configuring the password see the password command in Table 311 for reference and cipher force means that the password display mode of al...

Page 266: ...elnet level 1 5500 luser adminpwd service type ssh level 3 You can use either level or service type command to specify the level for a local user If both of these two commands are used the latest configuration will take effect Disconnecting a User by Force Sometimes it is necessary to disconnect a user or a category of users by force The system provides the following command to serve this purpose ...

Page 267: ...horization Servers Configuring RADIUS Accounting Servers and the Related Attributes Setting the RADIUS Packet Encryption Key Setting Retransmission Times of RADIUS Request Packet Setting the Supported Type of the RADIUS Server Setting the RADIUS Server State Setting the Username Format Transmitted to the RADIUS Server Configuring the Local RADIUS Authentication Server Configuring Source Address fo...

Page 268: ... RADIUS Scheme View Table 314 Configuring RADIUS Authentication Authorization Servers By default as for the newly created RADIUS scheme the IP address of the primary authentication server is 0 0 0 0 and the UDP port number of this server is 1812 as for the system RADIUS scheme created by the system the IP address of the primary authentication server is 127 0 0 1 and the UDP port number is 1645 The...

Page 269: ...ntee the normal routes between RADIUS server and NAS before setting the IP address and UDP port of the RADIUS server In addition because RADIUS protocol uses different UDP ports to receive transmit authentication authorization and accounting packets you need to set two different ports accordingly Suggested by RFC2138 2139 authentication authorization port number is 1812 and accounting port number ...

Page 270: ...quest Buffer Because the stopping accounting request concerns the account balance and will affect the amount of charge which is very important for both the subscribers and the ISP NAS shall make its best effort to send the message to the RADIUS accounting server If the message from the Switch to the RADIUS accounting server has not been responded to the Switch will save it in the local buffer and ...

Page 271: ...m Setting Retransmission Times of RADIUS Request Packet Since RADIUS protocol uses UDP packets to carry the data the communication process is not reliable If the RADIUS server has not responded to NAS before timeout NAS has to retransmit the RADIUS request packet If it transmits more than the specified retry times NAS considers the communication with the primary and secondary RADIUS servers has be...

Page 272: ...erver When the secondary server fails to communicate the NAS will turn to the primary server again The following commands can be used to set the primary server to be active manually in order that NAS can communicate with it immediately after a fault has been resolved When the primary and secondary servers are both active or block NAS will send the packets to the primary server only Perform the fol...

Page 273: ...main name Setting the Unit of Data Flow that Transmitted to the RADIUS Server The following command defines the unit of the data flow sent to RADIUS server Perform the following configurations in RADIUS Scheme View Table 325 Setting the Unit of Data Flow Transmitted to the RADIUS Server By default the default data unit is byte and the default data packet unit is one packet Configuring the Local RA...

Page 274: ... if NAS has not received the response from the RADIUS server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS Scheme View Table 328 Setting the Response Timeout Timer of the RADIUS Server By default timeout timer of RADIUS server is 3 seconds Sett...

Page 275: ...suring the user can obtain the RADIUS service You can specify this period by setting the RADIUS server response timeout timer taking into consideration the network condition and the desired system performance Perform the following configurations in RADIUS Scheme View Table 331 Configure the RADIUS Server Response Timer By default the response timeout timer for the RADIUS server is set to three sec...

Page 276: ...me vlan vlan_id Display the statistics of local RADIUS authentication server display local server statistics Display the configuration information of all the RADIUS schemes or a specified one display radius radius_scheme_name Display the statistics of RADIUS packets display radius statistics Display the stopping accounting requests saved in buffer without response from System View display stop acc...

Page 277: ...d a Telnet user For details about configuring FTP and Telnet users refer to User Interface Configuration in the Getting Started chapter 2 Configure remote authentication mode for the Telnet user that is scheme mode SW5500 ui vty0 4 authentication mode scheme 3 Configure domain SW5500 domain cams SW5500 isp cams quit 4 Configure RADIUS scheme SW5500 radius scheme cams SW5500 radius cams primary aut...

Page 278: ...500 luser telnet quit SW5500 domain cams SW5500 isp cams scheme local Telnet users use usernames in the userid cams format to log onto the network and are to be authenticated as users of the cams domain 2 Method 2 Using Local RADIUS authentication server Local server method is similar to remote RADIUS authentication But you should modify the server IP address to 127 0 0 1 authentication password t...

Page 279: ...SchemeName 2 Next we need to add the attributes of the RADIUS scheme This involves configuring the RADIUS server IP address and shared secret SW5500 radius NewSchemeName key authentication mysharedsecret SW5500 radius NewSchemeName primary authentication 161 71 67 250 3 The RADIUS scheme will not become active unless an accounting server is also defined If you don t have an accounting server then ...

Page 280: ... on port Ethernet1 0 18 802 1x is enabled on port Ethernet1 0 19 802 1x is enabled on port Ethernet1 0 20 5500 xx 802 1x login is now enabled on the port When a device with an 802 1x client connects to the port the user will be challenged for a username and password The username should be in the form ìuser domainî where ìdomainî is the name of the domain that was created on the Switch This will te...

Page 281: ...main Use the username in proper format and configure the default ISP domain on NAS The user may have not been configured in the RADIUS server database Check the database and make sure that the configuration information of the user does exist in the database The user may have input a wrong password So make sure that the user inputs the correct password The encryption keys of RADIUS server and NAS m...

Page 282: ...rminal debugging Once enabled different debug traces can be enabled to the terminal For example to turn on RADIUS debugging enter the command 5500 debugging radius packet 3Com User Access Level This determines the Access level a user will have with Switch login This can be administrator manager monitor or visitor You may need to add the return list attributes to a dictionary file using the followi...

Page 283: ... storage devices such as flash memory The file system offers file access and directory management including creating the file system creating deleting modifying and renaming a file or a directory and opening a file By default the file system requires that the user confirm before executing commands This prevents unwanted data loss In the Switches supporting XRN the file path must start with unit No...

Page 284: ...en removed from the system use the reset recycle bin command this will prompt for removal of all files in the file system When operating in a stack of switches to clear space the user has to change to the flash of each switch in the stack separatly and then clear space in the file system of each switch in turn Use the cd directory command for changing focus to a different switches file system or t...

Page 285: ...Thus you can view the configuration information conveniently The format of the configuration file includes It is saved in the command format Only the non default constants will be saved The organization of commands is based on command views The commands in the same command mode are sorted in one section The sections are separated with a blank line or a comment line a comment line begins with excla...

Page 286: ...Fabric saves the current configuration to its individual configuration file If you do not enter the file name parameter in this command for the Switches that have specified the configuration file for booting the current configurations will be stored to the specified configuration file and for the Switches that have not specified the configuration file for booting the current configurations will be...

Page 287: ...nformation of the File used at Startup FTP Overview FTP is a common way to transmit files on the Internet and IP network Before the World Wide Web WWW files were transmitted in the command line mode and FTP was the most popular application Even now FTP is still used widely while most users transmit files via email and Web FTP a TCP IP protocol on the application layer is used for transmitting file...

Page 288: ...llowing configuration in the corresponding view Table 346 Configure the FTP Server Authentication and Authorization Device Configuration Default Description Switch Log into the remote FTP server directly with the ftp command You need first get FTP user command and password and then log into the remote FTP server Then you can get the directory and file authority PC Start FTP server and make such se...

Page 289: ...P server and the FTP connection timeout The display ftp user command can be used for displaying the detailed information about the connected FTP users Introduction to FTP Client As an additional function provided by the Switch FTP client is an application module and has no configuration functions The Switch connects the FTP clients and the remote server and inputs the command from the clients for ...

Page 290: ... the Switch Log into the Switch locally through the Console port or remotely using Telnet SW5500 CAUTION If the flash memory of the Switch is not enough you need to first delete the existing programs in the flash memory and then upload the new ones Type in the right command in User View to establish FTP connection then correct username and password to log into the FTP server SW5500 ftp 2 2 2 2 Try...

Page 291: ...om the remote FTP server and download the config cfg from the FTP server for backup purpose Networking Diagram Figure 73 Networking for FTP Configuration 1 Configure the Switch Log into the Switch locally through the Console port or remotely using Telnet SW5500 2 Start FTP function and set username password and file directory SW5500 ftp server enable SW5500 local user switch SW5500 luser switch se...

Page 292: ...s data to it and receives the acknowledgement from it TFTP transmits files in two modes binary mode for program files and ASCII mode for text files Figure 74 TFTP Configuration Table 349 Configuration of the Switch as TFTP Client Downloading Files by means of TFTP To download a file the client sends a request to the TFTP server and then receives data from it and sends acknowledgement to it You can...

Page 293: ...ored on the PC Using TFTP the Switch can download the switch app from the remote TFTP server and upload the config cfg to the TFTP server under the Switch directory for backup purpose Networking Diagram Figure 75 Networking for TFTP Configuration Configuration Procedure 1 Start TFTP server on the PC and set authorized TFTP directory 2 Configure the Switch Log into the Switch locally through the Co...

Page 294: ...t The dynamic entries not configured manually are learned by the Switch The Switch learns a MAC address in the following way after receiving a data frame from a port assumed as port A the Switch analyzes its source MAC address assumed as MAC_SOURCE and considers that the packets destined at MAC_SOURCE can be forwarded via the port A If the MAC address table contains the MAC_SOURCE the Switch will ...

Page 295: ...ng MAC Address Table Entries Administrators can manually add modify or delete the entries in MAC address table according to the actual needs They can also delete all the unicast MAC address table entries related to a specified port or delete a specified type of entry such as dynamic entries or static entries You can use the following commands to add modify or delete the entries in the MAC address ...

Page 296: ...dress aging only functions on the dynamic addresses manual entries added to the Switch are not aged By default the aging time is 300 seconds With the no aging parameter the command performs no aging on the MAC address entries Setting the Max Count of MAC Addresses Learned by a Port With the address learning function a Switch can learn new MAC addresses After its received a packet destined for an a...

Page 297: ... Networking requirements The user logs into the switch via the Console port to display the MAC address table Switch display the entire MAC address table of the the switch If this switch is a member of a stack then the entire database of all the switches will be shown here Operation Command Set the Max Count of MAC Address Learned by a Port mac address max mac count count Restore the default Max Co...

Page 298: ...0 0000 0000 5100 1 Learned GigabitEthernet2 0 22 300 0020 9c08 e774 1 Learned GigabitEthernet2 0 7 288 0000 0000 5000 1 Learned GigabitEthernet2 0 3 143 4 mac address es found MAC Address Table Management Configuration Example Networking Requirements The user logs into the Switch via the Console port to configure the address table management It is required to set the address aging time to 500s and...

Page 299: ...0 fc 17 a7 d6 1 Learned GigabitEthernet1 0 2500 00 e0 fc 5e b1 fb 1 Learned GigabitEthernet1 0 2500 00 e0 fc 55 f1 16 1 Learned GigabitEthernet1 0 2500 4 mac address es found on port GigabitEthernet1 0 2 Device Management With the device management function the Switch can display the current running state and event debugging information about the unit thereby implementing the maintenance and manag...

Page 300: ...e upgrade You can upload the BootROM program file from a remote end to the Switch via FTP and then use this command to upgrade the BootROM Perform the following configuration in User View Table 359 Upgrade BootROM Displaying and Debugging Device Management After the above configuration execute display command in all views to display the running of the device management configuration and to verify ...

Page 301: ...t app from the remote FTP server Networking Diagram Figure 79 Networking for FTP Configuration Configuration Procedure 1 Configure FTP server parameters on the PC Define a user named as Switch password hello read and write authority over the Switch directory on the PC 2 Configure the Switch The Switch has been configured with a Telnet user named as user as 3 level user with password hello requirin...

Page 302: ...rver ftp get switch app ftp get boot app 6 Use the quit command to release the FTP connection and return to User View ftp quit SW5500 7 Upgrade BootROM SW5500 boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 8 Use the boot boot loader command to specify the downloaded program as the application at the next login an...

Page 303: ...iguration information Commands for displaying the system running state Commands for displaying the system statistics information For the display commands related to each protocol and different ports refer to the relevant chapters The following display commands are used for displaying the system state and the statistics information Operation Command Set the system clock clock datetime time date Ope...

Page 304: ...ovides various ways for debugging most of the supported protocols and functions which can help you diagnose and address the errors The following Switches can control the outputs of the debugging information Protocol debugging Switch controls the debugging output of a protocol Terminal debugging Switch controls the debugging output on a specified user screen Figure 80 illustrates the relationship b...

Page 305: ... You can view the debugging information including that of the master and the device in which the login port resides You can enable the logging debugging and trap information switches within the fabric by executing the info center switch on all command Synchronization is a process that each switch sends its own information to the other switches in the fabric and meantime receives information from o...

Page 306: ...be used to check the network connection and if the host is reachable Perform the following operation in all views Table 368 The ping Command The output of the command includes The response to each ping message If no response packet is received when time is out Request time out information appears Otherwise the data bytes the packet sequence number TTL and the round trip time of the response packet...

Page 307: ...ches the destination The purpose to carry out the process is to record the source address of each ICMP TTL timeout message so as to provide the route of an IP packet to the destination Perform the following operation in all views Figure 81 The tracert Command HWPing Introduction to HWPing HWPing is a tool used for testing performance of the protocols operating on a network It is an enhancement to ...

Page 308: ...roup is configured Configure the Test Parameter The following parameters are included in an HWPing test group Destination address Test type Number of packets sent for a test Packet transmission interval Test timeout time Configuring a Destination Address The Destination address is equal to the destination address in a ping command Perform the following configurations in HWPing Test Group View Tabl...

Page 309: ...erform the following configurations in HWPing Test Group View Table 374 Configure the Number of Messages sent for a Test By default one message is sent for a test Configuring Auto Test Interval Configured with the auto test feature the system will automatically test the connection of a specified type at regular intervals Perform the following configurations in HWPing Test Group View Table 375 Conf...

Page 310: ...onfiguration in HWPing Test Group View Table 377 Test After you execute the test enable command the system does not display the test result You may view the test result information by executing the display hwping command Displaying Test Information You may view the test history and the last test information respectively by executing display hwping history and display hwping result commands Perform...

Page 311: ...et the test type to ICMP SW5500 hwping administrator icmp test type icmp 3 Configure a destination IP address 169 254 10 2 SW5500 hwping administrator icmp destination ip 169 254 10 2 4 Configure the number of test messages SW5500 hwping administrator icmp count 10 5 Configure the timeout time SW5500 hwping administrator icmp timeout 3 6 Enable a test SW5500 hwping administrator icmp test enable 7...

Page 312: ...Ethernet1 0 2 changed state to UP The description of the components of log information is as follows 1 Priority The priority is computed according to following formula facility 8 severity 1 The default value for the facility is 23 The range of severity is 1 8 and the severity will be introduced in a separate section The value of the facility can be set by command info center loghost local1 to loca...

Page 313: ...ween sysname and module name 4 Module name The module name is the name of module which created this logging information the following sheet lists some examples Table 379 Module Names in Logging Information Module name Description 8021X 802 1X module ACL Access control list module AM Access management module ARP Address resolution protocol module CFAX Configuration proxy module CFG Configuration ma...

Page 314: ...terface management module IGSP IGMP snooping module IP IP module IPC Inter process communication module IPMC IP multicast module L2INF Interface management module LACL LANswitch ACL module LQOS LANswitch QoS module LS Local server module MPM Multicast port management module NTP Network time protocol module PPRDT Protocol packet redirection module PTVL Driver port VLAN Port VLAN module QACL QoS ACL...

Page 315: ...r has the following features Support to output log in six directions that is Console monitor to Telnet terminal logbuffer loghost trapbuffer and SNMP The log is divided into 8 levels according to the significance and it can be filtered based on the levels The information can be classified in terms of the source modules and the information can be filtered in accordance with the modules Severity Des...

Page 316: ...he loghost correctly Set information source You can define which modules and information to be sent out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information Loghost Refer to configuration cases for related log host configuration Device Configuration Default Value Configuration Description Switch Enab...

Page 317: ...ent terminal display function using the terminal monitor command Device Configuration Default Value Configuration Description Switch Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to logbuffer You can configure the size of the log buffer at the same time Set information source You can defin...

Page 318: ...fo center is enabled Set the information output direction to SNMP Set information source You can define which modules and information to be sent out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information Configuring SNMP features See SNMP Configuration Network management workstation The same as the SNM...

Page 319: ...fferent channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one If you want to view the debugging information of some modules on the Switch you must select debugging as the information type when configuring information source meantime using the debugging command to turn ...

Page 320: ...at is generated by which modules information type information level and so on Perform the following operation in System View Table 393 Defining Information Source modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity level of information The information with the level below it will not be output channel number spe...

Page 321: ...esponding log debugging and trap information functions at the Switch For example if you have set the log information as the information sent to the control terminal now you need to use the terminal logging command to enable the terminal display function of log information on the Switch then you can view the information at the control terminal Perform the following operation in User View Table 395 ...

Page 322: ... or dumb terminal channel number or channel name must be set to the channel that corresponds to the Console direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a mod...

Page 323: ...the following operation in User View Table 400 Enabling Terminal Display Function Sending the Information to the Log Buffer To send information to the log buffer follow the steps below 1 Enabling info center Perform the following operation in System View Table 401 Enabling Disabling Info center Operation Command Configure the output format of the time stamp info center timestamp log trap debugging...

Page 324: ...t corresponds to the Console direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one If you want to view the debugging inform...

Page 325: ...ion Source modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity level of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel name Operation Command Configure the output format of the time stamp info center timest...

Page 326: ...able 408 Configuring the Output Format of Time stamp Sending the Information to SNMP Network Management To send information to SNMP NM follow the steps below 1 Enabling info center Perform the following operation in System View Table 409 Enabling Disabling Info center Info center is enabled by default After info center is enabled system performances are affected when the system processes much info...

Page 327: ...dules You can use the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in System View Table 412 Configuring the Output Format of Time stamp 4 Configuring SNMP and a network management workstation on the Switch You have to configure SNMP on the Switch and the remote workstation to ensure that t...

Page 328: ...the reset command in User View you can clear the statistics of info center Perform the following operation in User View The display command still can be performed in any view Figure 85 Displaying and Debugging Info center Configuration Examples of Sending Log to Unix Loghost Networking Requirement The networking requirements are as follows Sending the log information of the Switch to Unix loghost ...

Page 329: ... center source arp channel loghost log level informational SW5500 info center source ip channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost The following example is performed on SunOS 4 0 and the operation on Unix operation system produced by other manufactures is generally the same to the operation on SunOS 4 0 a Perform the follow...

Page 330: ...figure facility severity filter and the file syslog conf synthetically you can get classification in great detail and filter the information Configuration Examples for Sending Log to Linux Loghost Networking Requirement The networking requirements are as follows Sending the log information of the Switch to Linux loghost The IP address of the loghost is 202 38 1 10 The information with the severity...

Page 331: ...d info center loghost a b c d facility configured on the Switch Otherwise the log information probably cannot be output to the loghost correctly c After the establishment of information log file and the revision of etc syslog conf you should view the number of syslogd system daemon through the following command kill syslogd daemon and reuse r option the start syslogd in daemon ps ae grep syslogd 1...

Page 332: ...nd modify the information on any node on the network In the meantime they can locate faults promptly and implement the fault diagnosis capacity planning and report generating SNMP adopts the polling mechanism and provides the most basic function set It is most applicable to the small sized fast speed and low cost environment It only requires the unverified transport layer protocol UDP and is thus ...

Page 333: ...e the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network device In the above figure the managed object B can be uniquely specified by a string of numbers 1 2 1 1 The number string is the Object Identifier of the managed object The current SNMP Agent of the Switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the followi...

Page 334: ... is named with a character string which is called Community Name The various communities can have read only or read write access mode The community with read only authority can only query the device information whereas the community with read write authority can also configure the device You can use the following commands to set the community name Perform the following configuration in System View...

Page 335: ...ommands to set the system information Perform the following configuration in System View Table 420 Set SNMP System Information Operation Command Enable to send trap snmp agent trap enable configuration flash ospf process id ospf trap list standard authentication coldstart linkdown linkup warmstart system Disable to send trap undo snmp agent trap enable bgp backwardtransition established configurat...

Page 336: ...rce Address of Trap Adding Deleting a User to from an SNMP Group You can use the following commands to add or delete a user to from an SNMP group Perform the following configuration in System View Restore the default SNMP System Information of the Switch undo snmp agent sys info contact location version v1 v2c v3 all Operation Command Operation Command Set the engine ID of the device snmp agent lo...

Page 337: ...ble a Port Transmitting Trap Information SNMP Agent Disabling SNMP Agent To disable SNMP Agent perform the following configuration in System View Table 428 Disable SNMP Agent Operation Command Add a user to an SNMP group snmp agent usm user v1 v2c username groupname acl acl list snmp agent usm user v3 username groupname authentication mode md5 sha authpassstring privacy mode des56 privpassstring a...

Page 338: ... ID contact and Switch location and enable the Switch to send trap packet Operation Command Display the statistics information about SNMP packets display snmp agent statistics Display the engine ID of the active device display snmp agent local engineid remote engineid Display the group name the security mode the states for all types of views and the storage mode of each group of the Switch display...

Page 339: ...2 ip address 129 102 0 1 255 255 255 0 4 Set the administrator ID contact and the physical location of the Switch SW5500 snmp agent sys info contact Mr Wang Tel 3306 SW5500 snmp agent sys info location telephone closet 3rd floor 5 Enable SNMP agent to send the trap to Network Management Station whose ip address is 129 102 149 23 The SNMP community is public SW5500 snmp agent trap enable standard a...

Page 340: ...ll SW5500 snmp agent group v3 sdsdsd SW5500 snmp agent usm user v3 paul sdsdsd authentication mode md5 hello SW5500 snmp agent mib view included ViewDefault snmpUsmMIB SW5500 snmp agent mib view included ViewDefault snmpVacmMIB SW5500 display snmp agent mib view View name ViewDefault MIB Subtree iso Subtree mask Storage type nonVolatile View Type included View status active View name ViewDefault M...

Page 341: ...ks RMON allows multiple monitors It can collect data in two ways One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resource In this way it can obtain all the information of the RMON MIB Another way is to implant the RMON Agent directly into the network devices such as a Switch Hub etc so that the devices be...

Page 342: ...ou can use the following commands to add delete an entry to from the event table Perform the following configuration in System View Table 431 Add Delete an Entry to from the Event Table Adding Deleting an Entry to from the History Control Terminal The history data management helps you set the history data collection periodical data collection and storage of the specified ports The sampling informa...

Page 343: ... RMON After the above configuration execute the display command in all views to display the running of the RMON configuration and to verify the effect of the configuration Table 435 Display and Debug RMON Operation Command Add an entry to the history control terminal rmon history entry number buckets number interval sampling interval owner text string Delete an entry from the history control termi...

Page 344: ...f interface GigabitEthernet1 0 1 Received octets 270149 packets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0 jabbers packets 0 CRC alignment errors 0 collisions 0 Dropped packet events due to lack of resources 0 Packets received according to length in octets 64 644 65 127 518 128 255 688 256 511 101 512 1023 3 1024 1518 0 Display th...

Page 345: ... user logs in to a system a file is modified or Basic Operating Principle of NTP The following figure illustrates the basic operating principle of NTP Figure 93 Basic Operating Principle of NTP In the figure above Switch A and Switch B are connected via the Ethernet port They have independent system clocks Before implementing automatic clock synchronization on both Switches it is assume that The c...

Page 346: ...hentication Set NTP authentication key Set the specified key to be reliable Set a local interface for transmitting NTP packets Set an external reference clock or the local clock as the master NTP clock Enable Disable an interface to receive NTP packets Set control authority to access the local Switch service Set maximum local sessions Configuring NTP Operating Mode You can set the NTP operating mo...

Page 347: ...time server will be the first choice Configuring NTP Peer Mode Set a remote server whose ip address is ip address as the peer of the local equipment In this case the local equipment operates in symmetric active mode ip address specifies a host address other than a broadcast multicast or reference clock IP address In this mode both the local Switch and the remote server can synchronize their clocks...

Page 348: ...server When it receives the first broadcast packets it starts a brief client server mode to Switch messages with a remote server for estimating the network delay Thereafter the local Switch enters broadcast client mode and continues listening to the broadcast and synchronizes the local clock according to the arrived broadcast message Perform the following configurations in the VLAN Interface View ...

Page 349: ... interface view Table 441 Configure NTP multicast client mode Multicast IP address ip address defaults to 224 0 1 1 This command can only be configured on the interface where the NTP multicast packets will be received Configuring NTP ID Authentication Enable NTP authentication set MD5 authentication key and specify the reliable key A client will synchronize itself by a server only if the server ca...

Page 350: ...er The source address of the packets will be taken from the IP address of the interface If the ntp service unicast server or ntp service unicast peer command also designates a transmitting interface use the one designated by them Enabling Disabling an Interface to Receive NTP Message This configuration task is to enable disable an interface to receive NTP message Perform the following configuratio...

Page 351: ...al NTP time service request and control query However the local clock will not be synchronized by a remote server peer Allow local NTP time service request and control query The local clock will also be synchronized by a remote server Setting Maximum Local Sessions This configuration task is to set the maximum local sessions Perform the following configurations in System View Table 448 Set the Max...

Page 352: ...et the local equipment as in client mode Networking Diagram Figure 94 Typical NTP Configuration Networking Diagram Operation Command Display the status of NTP service display ntp service status Display the status of sessions maintained by NTP service display ntp service sessions verbose Display the brief information about every NTP time server on the way from the local equipment to the reference c...

Page 353: ...cision 2 17 clock offset 0 0000 ms root delay 0 00 ms root dispersion 0 00 ms peer dispersion 0 00 ms reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 After the synchronization Switch 2 turns into the following status switch2 display ntp service status clock status synchronized clock stratum 3 reference clock ID 1 0 1 11 nominal frequency 60 0002 Hz actual frequency 60 0002 Hz clock pr...

Page 354: ...itch4 ntp service unicast server 3 0 1 31 Configure Switch 5 Switch 4 has been synchronized by Switch 3 1 Enter System View switch5 system view Set the local clock as the NTP master clock at stratum 1 switch5 ntp service unicast peer 3 0 1 32 2 After performing local synchronization set Switch 4 as a peer switch5 ntp service unicast peer 3 0 1 32 The above examples configure Switch 4 and Switch 5 ...

Page 355: ...rface2 Configure Switch 4 and Switch 1 to listen to the broadcast from their Vlan interface2 respectively Networking Diagram See Figure 94 Configuration Procedure Configure Switch 3 1 Enter System View switch3 system view 2 Set the local clock as the NTP master clock at stratum 2 switch3 ntp service refclock master 2 3 Enter Vlan interface2 view switch3 interface vlan interface 2 4 Set it as broad...

Page 356: ... been synchronized by Switch 3 and it is at stratum 3 higher than Switch 3 by 1 Display the status of Switch 4 sessions and you will see Switch 4 has been connected to Switch 3 switch2 display ntp service sessions source reference stra reach poll now offset delay disper 12345 127 127 1 0 LOCAL 0 7 377 64 57 0 0 0 0 1 0 5 1 0 1 11 0 0 0 0 3 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0...

Page 357: ...om Vlan interface2 Since Switch 1 and Switch 3 are not located on the same segments Switch 1 cannot receive the multicast packets from Switch 3 while Switch 4 is synchronized by Switch 3 after receiving the multicast packet Configure Authentication enabled NTP Server Mode Network Requirements Switch 1 sets the local clock as the NTP master clock at stratum 2 Switch 2 sets Switch 1 as its time serv...

Page 358: ...d5 aNiceKey 3 Configure the key as reliable switch1 ntp service reliable authentication keyid 42 SSH Terminal Services Secure Shell SSH can provide information security and powerful authentication to prevent such assaults as IP address spoofing plain text password interception when users log on to the Switch remotely from an insecure network environment A Switch can connect to multiple SSH clients...

Page 359: ...ication types password authentication and RSA authentication In the first type the server compares the username and password received with those configured locally The user is allowed to log on to the Switch if the usernames and passwords match exactly RSA authentication works in this way The RSA public key of the client user is configured at the server The client first sends the member modules of...

Page 360: ...u cannot configure authentication mode password and authentication mode none any more Configuring and Canceling Local RSA Key Pair In executing this command if you have configured RSA host key pair the system gives an alarm after using this command and prompts that the existing one will be replaced The server key pair is created dynamically by the SSH server The maximum bit range of both key pairs...

Page 361: ...Setting SSH authentication retry value can effectively prevent malicious registration attempt Perform the following configurations in System View Table 455 Defining SSH Authentication Retry Value By default the retry value is 3 Entering Public Key Edit View and Editing Public Key You can enter the public key edit view and edit the client public key Operation Command Configure authentication type s...

Page 362: ...in the Public Key View Figure 96 Starting Terminating Public Key Editing Associating Public Key with SSH User Please perform the following configurations in System View Figure 97 Associating Public Key with SSH User Configuring SSH Client There are several types of SSH client software such as PuTTY and FreeBSD You should first configure the client s connection with the server The basic configurati...

Page 363: ... in the client The following description takes the PuTTY as an example Generating the Key Start the Puttygen program choose SSH1 RSA then click on the Generate button and follow the instructions Figure 98 PuTTy key generator When the generation process has finished save the generated public and private keys to files using the Save buttons Run the sshkey program This converts SSH public key to the ...

Page 364: ...pad and the following lines of text before the existing text rsa peer public key mykey public key code begin where myKey is a name used to identify the key within the switch you may choose any name for this Then add the following after the existing text public key code end peer end Also remove any blank lines from the file The file should look like this ...

Page 365: ...g with a bat extension e g keys bat This file can be transferred to the switch using FTP or TFTP The key is installed using the execute command in the System view SW5500 execute keys bat Specifying Server IP Address Start PuTTY program and the client configuration interface pops up ...

Page 366: ...the IP address of the Switch for example 10 110 28 10 You can also input the IP address of an interface in UP state but its route to SSH client PC must be reachable Selecting SSH Protocol Select SSH for the Protocol item Choosing SSH Version Click the left menu Category Connection SSH to enter the interface shown in following figure ...

Page 367: ...ou can select 1 as shown in the above figure Specifying RSA Private Key File If you want to enable RSA authentication you must specify RSA private key file which is not required for password authentication Click SSH Auth to enter the interface as shown in the following figure ...

Page 368: ...File Select interface Choose a desired file and click OK Opening SSH Connection Click Open to enter SSH client interface If it runs normally you are prompted to enter username and password See the following figure Figure 104 SSH client interface Key in the correct username and password and log into SSH connection ...

Page 369: ...is operation is unnecessary 2 For password authentication mode SW5500 user interface vty 0 4 SW5500 ui vty0 4 authentication mode scheme SW5500 ui vty0 4 protocol inbound ssh SW5500 local user client001 SW5500 luser client001 password simple 3com SW5500 luser client001 service type ssh SW5500 ssh user client001 authentication type password Select the default values for SSH authentication timeout v...

Page 370: ...ile containing keys then you need not perfom this step SW5500 rsa peer public key switch002 SW5500 rsa public public key code begin SW5500 key code 308186028180739A291ABDA704F5D93DC8FDF84C427463 SW5500 key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 SW5500 key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 SW5500 key code 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC SW5500 key code ...

Page 371: ... recovery mechanism is disabled and the user configurable bootrom password is lost there is no recovery mechanism available In this instance the Switch will need to be returned to 3Com for repair The following commands are all executed from the Bootrom directly via the console CLI Commands Controlling Bootrom Access Access to the bootrom is enabled by default on your Switch To disable access enter...

Page 372: ... switch startup mode 0 Reboot Enter your choice 0 9 Enter the boot menu number to display that menu option Displaying all Files in Flash Enter boot menu option 3 to display the following Boot menu choice 3 Free Space 10460160 bytes The current application file is s4b03_01_04s56 app Table 458 displays the configuration files Table 458 Configuration Files File Number File Size bytes File Name 1 7147...

Page 373: ...h is followed by either of the following entries Simple this enables you to read and or change a password and send the configuration file via TFTP back into the Switch Cipher change this word to simple and replace the encrypted password with a plain text password and send the configuration file via TFTP back into the Switch The manager and monitor passwords can be modified in the same way Bootrom ...

Page 374: ... based on switch mac address is invalid The current mode is enable bootrom password recovery Are you sure to disable bootrom password recovery Yes or No Y N This option allows the user to disable the fixed unit unique password recovery mechanism If this is disabled and the bootrom password recovery is lost then a recovery will not be possible In this instance the Switch will need to be returned to...

Page 375: ...Com products and are not supported by 3Com Configuring Microsoft IAS RADIUS 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with Switch 5500G EI deployed The following steps are required to setup a RADIUS server using the Microsoft IAS RADIUS application You will need to use the Install CD for Microsoft Windows 2000 Server to complete the pr...

Page 376: ...hoose Properties select Change Mode c Add a user that is allowed to use the network Go to Active Directory Users and Computers from the left hand window right click the Users folder and choose New User as shown below d Follow the wizard to create a user enter the required information at each stage ...

Page 377: ...nd select Reset Password 3 Enable the server as a certificate server To use EAP TLS certificate based authentication you need to enable the Certificate services in windows Make sure you have completed step 2 and created the DNS server before enabling Certificate services You will not be able to create the DNS server after certification has been enabled a Go to Control Panel Add Remove Programs Add...

Page 378: ...location on the Data Storage Location window To complete the installation and set up of the certificates server the wizard will require the Install CD for Microsoft Windows 2000 Server 4 Install the Internet Authentication Service IAS program a Go to Control Panel Add Remove Programs Add Remove Windows Components Enable Networking Services and ensure Internet Authentication Service component is ch...

Page 379: ...tification Authority and right click Policy Settings under your Certificate Authority server b Select New Certificate to Issue c Select Authenticated Session and select OK d Go to Programs Administrative Tools Active Directory Users and Computers and right click your active directory domain Select Properties ...

Page 380: ...omputer Configuration Windows Settings Security Settings Public Key Policies and right click Automatic Certificate Request Settings Select New Automatic Certificate Request g The Certificate Request Wizard will start Select Next Computer certificate template and click Next h Ensure that your Certificate Authority is checked then click Next Review the Policy Change Information and click Finish ...

Page 381: ...and Select New Client b Enter a name for your device that supports IEEE 802 1x Click Next c Enter the IP address of your device that supports IEEE 802 1x and set a shared secret Select Finish Leave all the other settings as default d Right click Remote Access Policies and select New Remote Access Policy e Give the policy a name for example EAP TLS and select Next f Click Add g Set the conditions f...

Page 382: ...ropriate certificate and click OK There should be at least one certificate This is the certificate that has been created during the installation of the Certification Authority Service Windows may ask if you wish to view the Help topic for EAP Select No if you want to continue with the installation l Click Finish IFor EAP TLS to work correctly it is important that there is only one policy configure...

Page 383: ...st certsrv b When you are prompted for a login enter the user account name and password that you will be using for the certificate c Select Request a certificate and click Next There are two ways to request a certificate the Advanced Request or the Standard Request The following steps show an Advanced Request The Standard Request differs in the way the certificate is stored on the local computer i...

Page 384: ...and click Next e Select the first option and click Next f Either copy the settings from the screenshot below or choose different key options Click Save to save the PKCS 10 file The PKCS 10 file is used to generate a certificate g You will receive this warning messages select Yes ...

Page 385: ...e a portable certificate using PKCS 10 click the Home hyperlink at the top right of the CA Webpage i Select Request a certificate Next Advanced request Next j Select the second option as shown in the screenshot below and click Next k Open the previously saved PKCS 10 certificate file in Notepad select all Control a and copy Control c as shown below ...

Page 386: ...e the certificate Save the file as DER encoded Click on the Download CA certification path hyperlink to save the PKCS 7 and select Save The certificate is also installed on the Certification Authority You can verify this in the CA Administration tool under Issued Certificates The PKCS 7 file is not actually required for IEEE 802 1x functionality n Install both PKCS 10 and PKCS 7 files on the works...

Page 387: ...xt screen as is click Next followed by Finish and OK This will install the certificate q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder You should see the newly created certificate r Double click the certificate that was generated by the client and select the Details tab ...

Page 388: ...k Next when the wizard is launched Save the certificate using DER x 509 encoding select DER encoded binary followed by Next Provide a name for the certificate and save it to a specified location Click Finish and followed by OK t Exit the Certification Authority management tool and launch the Active Directory Users and Computers management tool Ensure that the Advanced Features are enabled in the A...

Page 389: ...ck Open Click OK w In the Security Identity Mapping screen click OK to close it x Close the Active Directory Users and Domains management tool This completes the configuration of the RADIUS server 10 Configure Microsoft IAS RADIUS Server for Switch Login a Create a Windows Group that contains the users that are allowed access to the Switch 5500G EI Add an additional user as a member of this window...

Page 390: ...CLIENT SETUP b Create a new remote access policy under IAS and name it Switch Login Select Next c Specify Switch Login to match the users in the switch access group select Next d Allow Switch Login to grant access to these users select Next ...

Page 391: ...Setting Up A RADIUS Server 403 e Use the Edit button to change the Service Type to Administrative f Add a Vendor specific attribute to indicate the access level that should be provided ...

Page 392: ... are prompted to select a certificate it could be that there are additional active certificates on your client computer select the certificate that you have installed for this specific Certification Authority server If you encounter problems check the Event Viewer and the System Log on the server to determine what is what is happening and possible causes for the problems Configuring auto VLAN and ...

Page 393: ...Computers a For example to create one group that will represent VLAN 4 select the Users folder from the domain see below b Name the VLAN Group with a descriptive name that describes the function of the VLAN Groupn for example VLAN4 Check Global in the Group Scope box and Security in the Group Type box click OK c Select the group right click and select Properties Select the Members tab add the user...

Page 394: ...ministrative Tools Internet Authentication Service and select Remote Access Policies Select the policy that you configured earlier right click and select Properties e Click Add to add policy membership f Select the Windows Groups attribute type and select Add and Add again ...

Page 395: ...ou have just created and click Add and then OK to confirm h Click OK again to return you to the Security Policy properties i Click Edit Profile and select the Advanced tab Click Add Refer to Table 459 and Table 460 for the RADIUS attributes to add to the profile ...

Page 396: ...lick Add k Ensure that the Attribute value is set to 802 and click OK l Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen For Auto VLAN Return String Comment Tunnel Medium type 802 Tunnel Private Group ID 2 VLAN value Tunnel Type VLAN For Auto QoS Return String Comment Filter id profile student QoS Profile name ...

Page 397: ...n Click Add ensure that the Attribute value is set to 4 Attribute value in string format and click OK This value represents the VLAN ID o Click OK again on the Multivalued Attribute Information screen to return to the the Add Attributes screen Select the Tunnel Type entry and click Add ...

Page 398: ...re that there is a DHCP server connected to the switch that resides on a switch port that is an untagged member of VLAN 4 The RADIUS server should reside in the same VLAN as the workstation Once authenticated the switch will receive VLAN information from the RADIUS server and will place the switch port in the associated VLAN For troubleshooting you can use the Event Viewer on both the workstation ...

Page 399: ...s a RADIUS server for networks with the Switch 5500G EI follow these steps 1 Open file eap ini in radius service and remove the before the MD5 Challenge Line This enables the MD5 challenge 2 Open file radius ini in radius service and change the log level to 5 ...

Page 400: ...art it Funk RADIUS is now ready to run If you intend to use auto VLAN and QoS you will need to create VLAN and QoS profiles on the 3Com Switch 5500G EI and follow the instructions in Configuring auto VLAN and QoS for Funk RADIUS 4 Start the Funk RADIUS program select Servers from the left hand list and select Local Radius server Select Connect to start listening for clients 5 To add a user select ...

Page 401: ...ve 6 Enter the shared secret to encrypt the authentication data The shared secret must be identical on the Switch 5500G EI and the RADIUS Server a Select RAS Clients from the left hand list enter a Client name the IP address and the Shared secret SWITCH 5500 ...

Page 402: ...he attributes will now appear as potential Return list attributes for every user 2 After saving the edited radius dct file stop and restart the Funk RADIUS service 3 To use these return list attributes they need to be assigned to a user or group Create a new user and add the return list attributes shown in Table 461 and Table 462 Table 461 Summary of auto VLAN attributes Table 462 Summary of QoS a...

Page 403: ...ADIUS To configure FreeRADIUS as a RADIUS server for networks with the Switch 5500G EI follow these steps 1 Add each Switch 5500G EI as a RADIUS client to the FreeRADIUS server a Locate the existing file clients conf in usr local etc raddb b Add an entry in clients conf for the Switch 5500G EI you wish to administer For example client xxx xxx xxx xxx secret a shared secret shortname a short name W...

Page 404: ... Up Auto VLAN and QOS using FreeRADIUS It is slightly more complex to set up auto VLAN and QoS using FreeRADIUS as the dictionary file needs to be specially updated 1 Update the dictionary tunnel file with the following lines ATTRIBUTE Tunnel Type 64 integerhas_tag ATTRIBUTE Tunnel Medium Type 65 integerhas_tag ATTRIBUTE Tunnel Private Group Id 81 stringhas_tag VALUE Tunnel Type VLAN 13 VALUE Tunn...

Page 405: ...hipped with Windows XP has a security issue which affects the port authentication operation If the RADIUS client is configured to use EAP MD5 after a user logs off then the next user to log on will remain authorised with the original user s credentials This occurs because the Microsoft client does not generate an EAPOL Logoff message when the user logs off which leaves the port authorised To reduc...

Page 406: ... ID can be found when running the Aegis Client application for the first time To apply the license key a Run the Aegis Client software b Go to Aegis Client Register and select Help on the menu c Copy the License ID indicated at the bottom of the dialog box into the License ID field d Copy the License Key provided in the email from Meetinghouse into the License Key field e Press OK 2 Configuring th...

Page 407: ...tion e Restart the client either by rebooting or stopping and re starting the service f Click the OK button then return tothe Aegis Client main interface To restart the client press the button with the red cross If authentication is successful the icon will turn green ...

Page 408: ...420 CHAPTER B RADIUS SERVER AND RADIUS CLIENT SETUP ...

Page 409: ...using the RADIUS protocol Users that already exist on the TACACS server can be authorised using the TACACS or RADIUS server an optional VLAN and QoS profile can be applied to the user Network administrators can also be authorised using the built in RADIUS server providing centralised access to 3Com switches The remainder of this appendix describes how to setup Cisco Secure ACS v3 3 to operate usin...

Page 410: ...d into the Cisco Secure ACS interface follow these steps 1 Select Network Configuration from the left hand side 2 Select Add Entry from under AAA Clients 3 Enter the details of the 3Com switch Spaces are not permitted in the AAA Client Host name An example is shown below 4 Select Submit Do not restart the ACS server at this stage ...

Page 411: ...ide 6 Select RADIUS IETF from the list under Interface Configuration 7 Check the RADIUS attributes that you wish to install If you want to use auto VLAN and QoS ensure that you have the following options selected for both the User and Group Filter ID Tunnel Type Tunnel Medium Type Tunnel Private Group I ...

Page 412: ...k Restart Adding a User for Network Login Existing users on a network with a Secure ACS server can be authorised using the TACACS or RADIUS server New users connected through a Switch 5500G EI to the network need to be authorised via the RADIUS server An optional VLAN and QoS profile can be applied to the user Follow these steps to add a user for Network Login 1 Select User Setup from the left han...

Page 413: ...htly more complex as 3Com specific RADIUS attributes need to be returned to the 3Com Switch 5500G EI These RADIUS attributes define the access level of the the user to the management interface Follow these steps 1 Add the required RADIUS attributes to the Cisco Secure ACS server by editing a ini file and compiling it into the Secure ACS RADIUS server using an application called csutil exe For exam...

Page 414: ...ll stop the Cisco Secure ACS server add the RADIUS information by adding the contents of 3Com ini to UDV User Defined Vendor slot 0 and then restart the server Once complete log into the Secure ACS server again and complete steps 2 and 3 2 To use the new RADIUS attributes a client needs to be a user of RADIUS 3Com attributes Select Network Configuration from the left hand side and select an existi...

Page 415: ...erface Configuration followed by RADIUS 3Com a Ensure that the 3Com User Access Level option is selected for both User and Group setup as shown below 5 Select User Setup and either modify the attributes of an existing user select Find to display the User List in the right hand window or Add a new user see Adding a User for Network Login Set the user s access level to the 3Com Switch 5500G EI ...

Page 416: ...ere there should be the option for configuring the access level as shown below 6 In the RADIUS 3Com Attribute box check 3Com User Access Level and select Administrator from the pull down list see below 7 Select Submit The Switch 5500G EI can now be managed by the Network Administrator through the CISCO Secure ACS server ...

Page 417: ...Example using XRN Recovering your XRN Network The sections below provide supplementary information that are not essential reading but may be of interest to advanced users How XRN Interacts with other 3Com Switches How XRN Interacts with other Features How a Failure affects the Distributed Fabric For detailed descriptions of the web interface operations and the command line interface CLI commands t...

Page 418: ...Device Management DDM DDM allows Switches in the XRN Distributed Fabric to behave as a single managed entity irrespective of the form factor or Switch deployed For further information see page 431 Distributed Link Aggregation DLA DLA is the configuration of Aggregated Links across interconnected devices in the Distributed Fabric 3Com and non 3Com devices can connect to the XRN Distributed Fabric u...

Page 419: ...l software features Configuration of port specific software features across the Distributed Fabric via a single management interface Distributed Resilient Routing DRR DRR allows the Switches in the Distributed Fabric to act as a single logical router which provides router resiliency in the event of failure in one of the interconnected Switches With DRR Switches in the Distributed Fabric are routin...

Page 420: ...l be forwarded via the remaining member links Distributed Link Aggregation Example You can also use DLA to create highly resilient network backbones supporting multihomed links to the wiring closets as shown in Figure 107 Intelligent local forwarding ensures that each Switch in the XRN Distributed Fabric forwards traffic to local Link Aggregation ports rather than across the Fabric Interconnect th...

Page 421: ...tting Started Guide that accompanies your Switch Once the Switches are interconnected to create an XRN Distributed Fabric they behave as if they were one Switch and can be managed via a single IP address 4 Set up the IP information so you can begin managing and configuring the Switches in the Distributed Fabric For more information on setting up IP information for your Switch so it is ready for ma...

Page 422: ...N Distributed Fabric for example a Switch 5500G EI 52 Port with a Switch 5500G EI 28 Port 3Com strongly recommends that you upgrade all Switches to be interconnected to the latest software agent 3Com recommends that you initialize a Switch unit that has previously been used elsewhere in your network before you interconnect to an existing unit If you do not initialize the unit problems may be cause...

Page 423: ...Distributed Fabric traffic flow will be maintained at all times If you want to know more detail about how the Distributed Fabric behaves in certain failure scenarios see How a Failure affects the Distributed Fabric on page 441 Unit ID Numbering Mechanism This section outlines the mechanisms that the Switch 5500G EI Family uses to determine the unit IDs for management purposes When a Fabric is crea...

Page 424: ...uted Fabric Network How to Set up this Network This section provides information on how to configure an XRN network as shown in Figure 108 It assumes you have carried out steps 1 to 4 as detailed in How to Implement XRN Overview on page 433 1 Enable LACP on the required ports ensuring you have not connected your devices to the Distributed Fabric yet as you must configure your VLANs before the aggr...

Page 425: ...nect the new Switch to the operational Switch to form the Distributed Fabric 4 IP interfaces and VLANs will be converged between the Switches that is IP interfaces and the creation of the VLANs is done automatically on the new Switch However any port based configuration must be done manually 5 If any Switch features for example IGMP snooping or passwords are not set to default state then these sho...

Page 426: ...ll also have different VLAN membership This will result in the different VLANs not being able to communicate 3Com recommends that you set individual ports that are to be members of an aggregated link to the same VLAN membership This ensures communication between all VLANs at all times SuperStack 3 Switch 3300 Family Yes Yes No Yes No SuperStack 3 Switch 4200 Family Yes Yes No Yes Yes SuperStack 3 ...

Page 427: ...uter STP will detect a potential loop and block a path of its choosing in this example it has blocked the path between Switch X units and Switch A If ports have different VLAN membership as shown here there will be loss of communication between VLANs 1 and 2 Figure 110 How XRN interacts with VLANs Example 2 Legacy Aggregated Links Legacy aggregated links will react in the normal way if a unit with...

Page 428: ...loop occuring on a multihomed link STP RSTP should always be enabled if your multihomed links are aggregated links Figure 110 shows how on interconnect failure STP RSTP will detect the potential loop caused by the aggregated links splitting and block a path to prevent the loop occuring Figure 112 How XRN interacts with STP RSTP Resilient Links In Figure 113 if Switch A within the Distributed Fabri...

Page 429: ...dations in Important Considerations and Recommendations on page 434 your traffic flow should continue through your network The way the network reacts depends upon which features are configured on which links For example Figure 114 shows an XRN network where all the edge devices are connected to the Distributed Fabric using a range of supported features some of which are legacy features Figure 114 ...

Page 430: ...ible impact on your network Any MAC address change is propogated to your network by the issuing of gratuitous ARP messages Switch A Recovery When Switch A recovers and starts to operate again all links will reconfigure themselves as they were before the failure according to the protocols used The routing task will once again be shared between Switches A and B using the same IP address Loss of the ...

Page 431: ... occur due to split aggregated links If the Distributed Fabric has been configured to be the root bridge in the network then this will encourage STP to maintain the traffic flow through the shortest paths in the event of an Fabric Interconnect failure Resilient Links The Switch 3300 will continue to send traffic down the active link to Switch A and keep the link to Switch B in standby mode VLANs A...

Page 432: ...444 APPENDIX D 3COM XRN ...

Reviews:

No comments

Brands by name

Popular brands

Load more brands