3Com Switch 4210 52-Port Configuration Manual Download Page 165

Page: 165 / 870

1-5

Enabling Port Security

Configuration Prerequisites

Before enabling port security, you need to disable 802.1x and MAC authentication globally.

Enabling Port Security

Follow these steps to enable port security:

To do...

Use the command...

Remarks

Enter system view

system-view

—

Enable port security

port-security enable

Required

Disabled by default

Enabling port security resets the following configurations on the ports to the defaults (shown in

parentheses below):

802.1x (disabled), port access control method (

macbased

), and port access control mode (

auto

)

MAC authentication (disabled)

In addition, you cannot perform the above-mentioned configurations manually because these

configurations change with the port security mode automatically.

For details about 802.1x configuration, refer to the sections covering 802.1x and System-Guard.

For details about MAC authentication configuration, refer to the sections covering MAC

authentication configuration.

Setting the Maximum Number of MAC Addresses Allowed on a Port

Port security allows more than one user to be authenticated on a port. The number of authenticated

users allowed, however, cannot exceed the configured upper limit.

By setting the maximum number of MAC addresses allowed on a port, you can

Control the maximum number of users who are allowed to access the network through the port

Control the number of Security MAC addresses that can be added with port security

This configuration is different from that of the maximum number of MAC addresses that can be leaned

by a port in MAC address management.

Follow these steps to set the maximum number of MAC addresses allowed on a port:

To do...

Use the command...

Remarks

Enter system view

system-view

—

Summary of Contents for Switch 4210 52-Port

Page 1: ...witch 4210 18 Port Switch 4210 26 Port Switch 4210 52 Port Switch 4210 PWR 9 Port Switch 4210 PWR 18 Port Switch 4210 PWR 26 Port Product Version Release 2212 Manual Version 6W100 20100112 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ...on 12 Port Security Port Binding Introduces port security port binding and the related configuration 13 DLDP Introduces DLDP and the related configuration 14 MAC Address Table Management Introduces MAC address forwarding table and the related configuration 15 MSTP Introduces STP and the related configuration 16 Multicast Introduces the configuration of IGMP Snooping 17 802 1x System Guard Introduc...

Page 4: ...nfiguration 38 Smart Link Monitor Link Introduces Smart Link Monitor Link and the related configuration 39 ARP and IP Attack Defense Introduces ARP and IP attack defense and the related configuration 40 LLDP Introduces LLDP and the related configuration 41 PKI Introduces PKI and the related configuration 42 SSL Introduces SSL and the related configuration 43 HTTPS Introduces HTTPS and the related ...

Page 5: ...iption Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment Means a complementary description Related Documentation In addition to this manual each 3com Switch 4210 documentation set includes the following Manual Description 3Com Switch 4210 Family Command Reference Guide Release 2212 Prov...

Page 6: ...ssword 2 7 Configuration Procedure 2 7 Configuration Example 2 8 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Through Telnet 3 1 Introduction 3 1 Common Configuration to Control Telnet Access 3 1 Telnet Configurations for Different Authentication Modes 3 3 Telnet Configuration with Authentication Mode...

Page 7: ...nfiguring the Login Banner 6 2 Configuration Procedure 6 2 Configuration Example 6 3 Enabling Disabling the WEB Server 6 3 7 Logging In Through NMS 7 1 Introduction 7 1 Connection Establishment Using NMS 7 1 8 User Control 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Introduction 8 1 Controlling Telnet Users by ACL 8 2 Configuration Example 8 3 Controlling Network Management Users by Source I...

Page 8: ...e CLI Configuration Web based Network Management Interface Logging In Through the Web based Network Management Interface Network Management Station Logging In Through NMS Introduction to the User Interface Supported User Interfaces The auxiliary AUX port and the console port of a 3Com low end and mid range Ethernet switch are the same port referred to as console port in the following part You will...

Page 9: ...h the smallest number based on the user login mode The login process of the user is restricted by the configurations under this user interface z The user interface assigned to a user depending on the login mode and login time A user interface can be used by one user at one time however the user interface is not dedicated to a specific user For example user A can use VTY 0 to log in to the device W...

Page 10: ...s configured Set a system name for the switch sysname string Optional Enable copyright information displaying copyright info enable Optional By default copyright displaying is enabled That is the copy right information is displayed on the terminal after a user logs in successfully Enter user interface view user interface type first number last number Display the information about the current user ...

Page 11: ...og in to Switch 4210 through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 19 200 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log in to a switch through the console port make sure the settings of both the console port and the user terminal are the same After logging...

Page 12: ...he following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the console port of the switch are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 13: ...e 2 2 Common configuration of console port login Configuration Remarks Baud rate Optional The default baud rate is 19 200 bps Check mode Optional By default the check mode of the console port is set to none which means no check bit Stop bits Optional The default stop bits of a console port is 1 Console port configuration Data bits Optional The default data bits of a console port is 8 AUX user inte...

Page 14: ...ox shown in Figure 2 4 Follow these steps to set common configuration of console port login To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Set the baud rate speed speed value Optional The default baud rate of a console port is 19 200 bps Set the check mode parity even none odd Optional By default the check mode of a console port is no...

Page 15: ...operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Console Port Login Configurations for Different Authentication Modes Table 2 3 Console port login configurations for different authentication modes Authentication mode Authentication related configuration Remarks None Set the authentication mode to none Optional Ref...

Page 16: ... By default users logging in through the console port AUX user interface are not authenticated Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet and the current user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Do not authe...

Page 17: ...console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need...

Page 18: ... in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are available to the users z The baud rate of the console port is 19 200 bps z The screen can contain ...

Page 19: ...ommand max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully Console Port Login Configuration with Authentication Mode Being Scheme Configuration...

Page 20: ...e local user password simple cipher password Required Specify the service type for AUX users service type terminal level level Required Note that If you configure to authenticate the users in the scheme mode the command level available to users logging in to a switch depends on the command level specified in the AAA scheme z When the AAA scheme is local authentication the command level available t...

Page 21: ...r named guest and enter local user view Sysname local user guest Set the authentication password to 123456 in plain text Sysname luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 are available to users logging in to the AUX user interface Sysname luser guest service type terminal level 2 Sysname luser guest quit Enter AUX user interface view Sysname us...

Page 22: ... the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully ...

Page 23: ...nfigured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for more Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the VLAN interface of the switch is avail...

Page 24: ...marks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure the command level available to users logging in to VTY user interface user privilege level level Optional By default commands of level 0 are available to users logging in to VTY user interfaces Configure the protocols to be supported by the VTY user interface protoco...

Page 25: ...to disable the timeout function Telnet Configurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Authentication related configuration Description None Set the authentication mode to none Refer to Console Port Login Configuration with Authentication Mode Being None Set the authentication mode to local password authentica...

Page 26: ...onfigure Telnet with the authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Note that if you configure not to aut...

Page 27: ...een can contain to 30 Sysname ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to configure Telnet with the authentication mode being...

Page 28: ...Network diagram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sy...

Page 29: ...pply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply RADIUS scheme you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA part for more z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user and ...

Page 30: ...nd buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter system view Sysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication password of the local user to 123456 in pla...

Page 31: ...000 Windows XP on the PC terminal with the baud rate set to 19 200 bps data bits set to 8 parity check set to none and flow control set to none z Turn on the switch and press Enter as prompted The prompt appears z Perform the following operations in the terminal window to assign IP address 202 38 160 92 24 to VLAN interface 1 of the switch Sysname system view Sysname interface Vlan interface 1 Sys...

Page 32: ...of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A 3Com switch can accommodate up to five Telnet connections at same time 6 After successfully Telnetting to the switch you can configure the switch or display the information about the switch by executing corresponding commands You can also type at any ...

Page 33: ... the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being Scheme for more 3 Telnet to the switch operating as the Telnet client 4 Execute the following command on the switch operating as the Telnet client Sysname telnet xxxx Note that xxxx is the IP addres...

Page 34: ... to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set Switch side The authentication ...

Page 35: ... authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch when the authentication mode is password Refer to Console Port Login Configuration with Authentication Mode Being Password Configuration on switch when the authentication mode is scheme Refer to Console...

Page 36: ...romote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 4 2 Create a connection ...

Page 37: ...t such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about command level ...

Page 38: ...and locate network problems z Command history function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will use partially matching method to search for commands This allows users to execute a command by entering partially spelled command keywords as long as the keywords entered can be uniquely identified ...

Page 39: ...or lower levels By default the Console user a user who logs into the switch through the Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and can only use commands of level 0 You can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface For details refer to...

Page 40: ...the level of a command Sysname system view Sysname command privilege level 0 view shell tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell tftp 192 168 0 1 get Sysname command privilege level 0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file boot...

Page 41: ...ching The low to high user level switching requires the corresponding authentication The super password authentication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy The configuration of authentication mode for user level switching is performed by Level 3 users administrators as described in Table 5 3 Table 5 3 Specify the authentication m...

Page 42: ...d authentication for user level switching which can only be performed by level 3 users Table 5 4 Set a password for use level switching Operation Command Remarks Enter system view system view Set the super password for user level switching super password level level cipher simple password Required The configuration will take effect on all user interfaces By default the super password is not set Th...

Page 43: ...mmand Remarks Switch to a specified user level super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the password entered is not displayed when you switch to another user level You will remain at the original user level if you have tried three times but failed to en...

Page 44: ...or detailed configuration procedures Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0 quit Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system Sysname domain system Sysname isp system authentication super hw...

Page 45: ...n system view Aux1 0 0 port the console port view The switch 4210 does not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Execute the interface aux 1 0 0 command in system view VLAN view Configure VLAN parameters Sysname vlan1 Execute the vlan command in system view VLAN interface view Configure VLAN interface parameters including the management VLAN parameters Sysname Vlan i nterface1 Ex...

Page 46: ... Edit the RSA or DSA public key for SSH users Sysname peer k ey code Execute the public key code begin command in public key view Execute the public key cod e end command to return to public key view Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 Sysname acl basic 2000 Execute the acl number command in system view Advanced ACL view Define rules for an advanced ACL wi...

Page 47: ...omain parameters Sysname pki do main 1 Execute the pki domain command in system view PKI entity view Configure PKI entity parameters Sysname pki ent ity en Execute the pki entity command in system view PKI certificate attribute group view Configure PKI certificate attribute group parameters Sysname cert at tribute group my group Execute the pki certificate attribute group command in system view PK...

Page 48: ...word position in the command all available keywords at the position and their descriptions will be displayed on your terminal Sysname clock datetime Specify the time and date summer time Configure summer time timezone Configure time zone If the question mark is at an argument position in the command the description of the argument will be displayed on your terminal Sysname interface vlan interface...

Page 49: ...t Space Enter and when the display output pauses Stop the display output Press the space key Get to the next page Press Enter Get to the next line Command History The CLI provides the command history function You can use the display history command command to view a specific number of latest executed commands and execute them again in a convenient way By default the CLI can store up to 10 latest e...

Page 50: ...complete command The command entered is incomplete Too many parameters The parameters entered are too many Ambiguous command The parameters entered are ambiguous Wrong parameter A parameter entered is wrong found at position An error is found at the position Command Edit The CLI provides basic command edit functions and supports multi line editing The maximum number of characters a command can con...

Page 51: ...dentifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parameter you can display them one by one in complete form by pressing Tab repeatedly if no keyword matches the input parameter the system displays your original input on a new line without any change ...

Page 52: ...n IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP addre...

Page 53: ...k management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner information configured with the header command Then by clicking Continue on the banner page the user can enter the ...

Page 54: ...t a route is available between the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 6 4 Figure 6 4 Banner page displayed when a user logs in to the switch through Web Click Continue to enter u...

Page 55: ... server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web server by using the undo ip http shutdown command opens TCP 80 port z Disabling the Web server by using the ip http shutdown command closes TCP 80 port ...

Page 56: ...to perform related configuration on both the NMS and the switch Table 7 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The basic ...

Page 57: ...od Implementation Related section By source IP address Through basic ACL By source and destination IP address Through advanced ACL Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Users SNMP By source IP addresses Through basic ACL Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Controlling Web Users by Source IP Address WEB D...

Page 58: ... as needed Table 8 2 ACL categories Category ACL number Matching criteria Basic ACL 2000 to 2999 Source IP address Advanced ACL 3000 to 3999 Source IP address and destination IP address Layer 2 ACL 4000 to 4999 Source MAC address Source and destination in this manual refer to a Telnet client and a Telnet server respectively z If the inbound keyword is specified the Telnet client is the user telnet...

Page 59: ...ddress of 10 110 100 52 are permitted to access the switch Network diagram Figure 8 1 Network diagram for controlling Telnet users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Apply the ACL Sysname u...

Page 60: ...ring Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name acl acl number mib view view name Apply the ACL while configuring the SNMP group name snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name authentication privacy re...

Page 61: ...00 Controlling Web Users by Source IP Address You can manage Switch 4210 remotely through Web Web users can access a switch through HTTP connections You need to perform the following two operations to control Web users by source IP addresses z Defining an ACL z Applying the ACL to control Web users To control whether a Web user can manage the switch you can use this function Prerequisites The cont...

Page 62: ...istrator can log out a Web user using the related command Follow the step below to log out a Web user To do Use the command Remarks Log out a Web user free web users all user id user id user name user name Required Available in user view Configuration Example Network requirements Only the Web users sourced from the IP address of 10 110 100 52 are permitted to access the switch Network diagram Figu...

Page 63: ...8 7 Sysname acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 64: ...nt 1 1 Introduction to Configuration File 1 1 Management of Configuration File 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Next Startup 1 4 Displaying Device Configuration 1 5 ...

Page 65: ...erface configuration section physical port configuration section routing protocol configuration section user interface configuration and so on z End with a return The operating interface provided by the configuration file management function is user friendly With it you can easily manage your configuration files Main backup attribute of the configuration file Main and backup indicate the main and ...

Page 66: ...marks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration File for Next Startup Optional Saving the Current Configuration You can modify the configuration on your device at the command line interface CLI To use the modified configuration for your subsequent startups you must save it using the save command as a configuration file Tabl...

Page 67: ...n of this command If the filename you entered is different from that existing in the system this command will erase its backup attribute to allow only one backup attribute configuration file in the device z Normal attribute When you use the save cfgfile command to save the current configuration the configuration file you get has normal attribute if it is not an existing file Otherwise the attribut...

Page 68: ...an specify a configuration file to be used for the next startup and configure the main backup attribute for the configuration file Assign main attribute to the startup configuration file z If you save the current configuration to the main configuration file the system will automatically set the file as the main startup configuration file z You can also use the startup saved configuration cfgfile m...

Page 69: ...ay saved configuration unit unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration confi...

Page 70: ... VLAN ID for a Port 1 5 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3 Configuring a Port Based VLAN 2 3 Configuring an Access Port Based VLAN 2 3 Configuring a Hybrid Port Based VLAN 2 4 Configuring a Trunk Port Based VLAN 2 4 Displaying and Maintaining Port Base...

Page 71: ... network receives a lot of packets whose destination is not the host itself causing potential serious security problems z Related to the point above someone on a network can monitor broadcast packets and unicast packets and learn of other activities on the network Then they can attempt to access other resources on the network whether or not they are authorized to do this Isolating broadcast domain...

Page 72: ... to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible VLAN Fundamentals VLAN tag To enable a Layer 2 switch to identify frames of different VLANs a VLAN tag field is inserted into the data link layer encapsulation The format of VLAN tagged frames is defined in IEEE 802 1Q issued by IEEE in 1999 In the header of a traditional ...

Page 73: ...ich a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for the packet and sends the packet to the default VLAN of the inbound port for transmission For the details about setting the default VLAN of a port refer to Configuring the Default VLAN ID for a Port MAC address learning mechanism of VLANs Swit...

Page 74: ...he destination IP addresses at the network layer Normally since VLANs can isolate broadcast domains each VLAN corresponds to an IP network segment And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses An Switch S4210 can be configured with a single VLAN interface only and the VLAN must be the management VLAN For details about the management V...

Page 75: ...cted to a network device or user terminal as a hybrid port for access link connectivity or trunk connectivity A hybrid port allows the packets of multiple VLANs to be sent untagged but a trunk port only allows the packets of the default VLAN to be sent untagged The three types of ports can coexist on the same device Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a...

Page 76: ...N ID is not one of the VLAN IDs allowed to pass through the port discard the packet z Remove the tag and send the packet if the frame carries the default VLAN tag and the port belongs to the default VLAN z If the VLAN ID is not the default VLAN ID keep the original tag unchanged and send the packet Table 1 3 Packet processing of a hybrid port Processing of an incoming packet For an untagged packet...

Page 77: ...Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Assign a name for the current VLAN name text Optional By default the name of a ...

Page 78: ... the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN interface is the name of this VLAN interface Vlan interface1 Interface ...

Page 79: ...d VLAN There are two ways to configure Access port based VLAN one way is to configure in VLAN view the other way is to configure in Ethernet port view Follow these steps to configure the Access port based VLAN in VLAN view To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Required If the specified VLAN does not exist this command be created first creates the ...

Page 80: ...Hybrid port port hybrid vlan vlan id list tagged untagged Required By default all Hybrid ports only allow packets of VLAN 1 to pass Configure the default VLAN of the Hybrid port port hybrid pvid vlan vlan id Optional VLAN 1 is the default by default z To configure a Trunk port into a Hybrid port or vice versa you need to use the Access port as a medium For example the Trunk port has to be configur...

Page 81: ... the Trunk port has to be configured as an Access port first and then a Hybrid port z The default VLAN IDs of the Trunk ports on the local and peer devices must be the same Otherwise packets cannot be transmitted properly Displaying and Maintaining Port Based VLAN To do Use the command Remarks Display the hybrid or trunk ports display port hybrid trunk Available in any view Port Based VLAN Configu...

Page 82: ... its descriptive string as DMZ and add Ethernet1 0 11 to VLAN 101 SwitchB system view SwitchB vlan 101 SwitchB vlan101 description DMZ SwitchB vlan101 port Ethernet 1 0 11 SwitchB vlan101 quit Create VLAN 201 and add Ethernet1 0 12 to VLAN 201 SwitchB vlan 201 SwitchB vlan201 port Ethernet 1 0 12 SwitchB vlan201 quit z Configure the link between Switch A and Switch B Because the link between Switc...

Page 83: ...nk permit vlan 201 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the following steps z Use the display interface or display port command to check if the port is a trunk port or a hybrid port z If the port is not a trunk or hybrid port configure it to be a trunk or hybrid port z Configure the default VLAN ID of the port F...

Page 84: ...oduction to Management VLAN 1 1 Management VLAN 1 1 Static Route 1 1 Default Route 1 1 Management VLAN Configuration 1 2 Prerequisites 1 2 Configuring the Management VLAN 1 2 Configuration Example 1 3 Displaying and Maintaining management VLAN configuration 1 4 ...

Page 85: ...s to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former IP address will be released and the final IP address of the VLAN interface is the one obtained through BOOTP For details of DHCP refer to the DHCP module Static Route A static route is configured manually by an administrator You can make ...

Page 86: ...Required By default VLAN 1 operates as the management VLAN Create the management VLAN interface and enter the corresponding VLAN interface view interface vlan interface vlan id Required Assign an IP address to the management VLAN interface ip address ip address mask Required By default no IP address is assigned to the management VLAN interface Configure a static route ip route static ip address ma...

Page 87: ... VLAN configuration RS 232 serial interface Console port Console cable Vlan interface10 1 1 1 1 24 Switch A Telnet user Ethernet1 1 1 1 1 2 24 Router Current user Configuration procedure Perform the following configurations after the current user logs in to Switch A through the Console port Enter system view SwitchA system view Create VLAN 10 and configure VLAN 10 as the management VLAN SwitchA vl...

Page 88: ... Display detailed information about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routing information of the specified protocol display ip r...

Page 89: ...3 IP Address Configuration Examples 1 4 IP Address Configuration Example I 1 4 2 IP Performance Configuration 2 1 IP Performance Overview 2 1 Introduction to IP Performance Configuration 2 1 Introduction to FIB 2 1 Configuring IP Performance 2 1 Introduction to IP Performance Configuration Tasks 2 1 Configuring TCP Attributes 2 1 Disabling ICMP to Send Error Packets 2 2 Displaying and Maintaining ...

Page 90: ...addresses are divided into five classes as shown in the following figure in which the blue parts represent the address class Figure 1 1 IP address classes Table 1 1 describes the address ranges of these five classes Currently the first three classes of IP addresses are used in quantity Table 1 1 IP address classes and ranges Class Address range Description A 0 0 0 0 to 127 255 255 255 Address 0 0 ...

Page 91: ...rresponding bits in an IP address In a subnet mask the part containing consecutive ones identifies the combination of net ID and subnet ID whereas the part containing consecutive zeros identifies the host ID Figure 1 2 shows how a Class B network is subnetted Figure 1 2 Subnet a Class B network While allowing you to create multiple logical networks within a single Class A B or C network subnetting...

Page 92: ...d from BOOTP will overwrite the old one manually assigned This chapter only covers how to assign an IP address manually For the other two approaches to IP address assignment refer to the part discussing DHCP in this manual Table 1 2 Configure an IP address to an interface Operation Command Remarks Enter system view system view Enter interface view interface interface type interface number Assign a...

Page 93: ...erface brief interface type interface number Available in any view IP Address Configuration Examples IP Address Configuration Example I Network requirement Assign IP address 129 2 2 1 with mask 255 255 255 0 to VLAN interface 1 of the switch Network diagram Figure 1 3 Network diagram for IP address configuration Configuration procedure Configure an IP address for VLAN interface 1 Switch system vie...

Page 94: ...are the same Configuring IP Performance Introduction to IP Performance Configuration Tasks Table 2 1 Introduction to IP performance configuration tasks Configuration task Description Configuring TCP Attributes Optional Disabling ICMP to Send Error Packets Optional Configuring TCP Attributes TCP optional parameters that can be configured include z synwait timer When sending a SYN packet TCP starts ...

Page 95: ...nagement it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If receiving a lot of malicious packets that cause it to send ICMP error packets the device s performance will be reduced z As the ICMP redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a ...

Page 96: ...forwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip address1 mask1 mask length1 ip address2 mask2 mask length2 longer longer Display the FIB entries filtering through a specific ACL display fib acl number Display the FIB entries in the buffer which begin with include or exclude the specified character string display fib beg...

Page 97: ...onfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Example 1 4 Static Domain Name Resolution Configuration Example 1 4 Dynamic Domain Name Resolution Configuration Example 1 5 Troubleshooting DNS 1 6 ...

Page 98: ...Static Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP addresses of the corresponding domain names can be found in the static domain name resolution table for applications such as Telnet Dynamic Domain Name Resolution Resolution procedure Dynamic domain name resolution is implemented by querying the DNS server The...

Page 99: ...d is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and delimiter before passing the name to the DNS server z If there is no dot in the domain name such as aabbcc the resolver will consider thi...

Page 100: ...may configure up to six DNS servers and ten DNS suffixes Displaying and Maintaining DNS After the above configuration you can execute the display command and the nslookup type command in any view to display the DNS configuration information and the DNS resolution result to verify the configuration effect You can execute the reset command in user view to clear the information stored in the dynamic ...

Page 101: ... Sysname system view Sysname ip host host com 10 1 1 2 Execute the ping host com command to verify that the device can use static domain name resolution to get the IP address 10 1 1 2 corresponding to host com Sysname ping host com PING host com 10 1 1 2 56 data bytes press CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 tim...

Page 102: ...rations are done on the devices For the IP addresses of the interfaces see the figure above z There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server z The DNS server works normally Enable dynamic domain name resolution Sysname system view Sysname dns resolve Configure the IP address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suff...

Page 103: ...nabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to check that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name exists in the cache but the IP...

Page 104: ... 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring QoS Priority Settings for Voice Traffic on an Interface 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 8 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1 9 Displaying and Maintaining Voice VLAN 1 11 Voice VLAN Configuration Example 1 12 Voice VLAN Configurati...

Page 105: ...in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses to operate properly in a network An IP phone can acquire an IP address automatically or through manual configuration The following part describes how an IP phone acquires an IP address automatically The following part only describes th...

Page 106: ...nd untagged packets in the default VLAN of the port the IP phone is connected to In this case you need to manually configure the default VLAN of the port as a voice VLAN In cases where an IP phone obtains an IP address from a DHCP server that does not support Option 184 the IP phone directly communicates through the gateway after it obtains an IP address It does not go through the steps described ...

Page 107: ...r transmitting voice data You can configure OUI addresses for voice packets or specify to use the default OUI addresses An OUI address is a globally unique identifier assigned to a vendor by IEEE You can determine which vendor a device belongs to according to the OUI address which forms the first 24 bits of a MAC address Switch S4210 support OUI address mask configuration You can adjust the matchi...

Page 108: ...gnment mode In this mode you need to add a port to a voice VLAN or remove a port from a voice VLAN manually Processing mode of tagged packets sent by IP voice devices Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs whether the automatic or manual voice VLAN assignment mode is used If the voice traffic transmitted by an IP voice device carries VLAN tags and 802 1x ...

Page 109: ...t supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice traffic Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN the port permits the traffic of default VLAN and the voice VLAN is in the list of the tagged VLANs whose traffic is...

Page 110: ... and manual mode described earlier only apply to the process of assigning a port to the voice VLAN After a port is assigned to the voice VLAN the switch receives and forwards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in the manual mode with the default VLAN as the voice VLAN any untagged packet can be transmitted i...

Page 111: ...ing QoS Priority Settings for Voice Traffic on an Interface In voice VLAN applications you can improve the quality of voice traffic by configuring the appropriate QoS priority settings including the Class of Service CoS and Differentiated Services Code Point DSCP values for voice traffic Voice traffic carries its own QoS priority settings You can configure the device either to modify or not to mod...

Page 112: ...ption text Optional By default the switch determines the voice traffic according to the default OUI address Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode is enabled Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1440 minutes Enable the voice VLAN function globally voice vlan vlan id enabl...

Page 113: ...ed to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices but does so immediately after the restart or the changes Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system vie...

Page 114: ...nment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list Enter port view interface interface type interface num Add the port to the VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Required By default all the ports belong to VLAN 1 Add a port in manual voice VLAN assignm ent mode to ...

Page 115: ...smit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between 3Com device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device The voice vlan legacy command can be executed befo...

Page 116: ...sk being ffff ff00 0000 and the description string being test Network diagram Figure 1 2 Network diagram for voice VLAN configuration automatic voice VLAN assignment mode Internet Device A Eth1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Configuration procedure Create VLAN 2 and VLAN 6 DeviceA system view DeviceA vlan 2 DeviceA vlan2 quit DeviceA vlan 6 DeviceA vlan6 q...

Page 117: ... the voice VLAN to operate in security mode z The IP phone sends untagged packets It is connected to Ethernet 1 0 1 a hybrid port Set this port to operate in manual voice VLAN assignment mode z You need to add a user defined OUI address 0011 2200 000 with the mask being ffff ff00 0000 and the description string being test Network diagram Figure 1 3 Network diagram for voice VLAN configuration manu...

Page 118: ... function on Ethernet 1 0 1 DeviceA Ethernet1 0 1 voice vlan enable Verification Display the OUI addresses the corresponding OUI address masks and the corresponding description strings that the system supports DeviceA display voice vlan oui Oui Address Mask Description 0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 3Com Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 ...

Page 119: ...1 GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maintaining GVRP 1 7 GVRP Configuration Example 1 7 GVRP Configuration Example 1 7 ...

Page 120: ...mportant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices A GARP entity also sends Join messages when it receives Join messages from other entities or it wants some of its statically configured attributes to be registered on other GARP entities z When a GAR...

Page 121: ...aveAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set in system view and takes effect globally z A GARP application entity may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whiche...

Page 122: ...es Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attribute Length The length of the attribute 2 to 255 in bytes Attribute Event The event described by the attribute 0 LeaveAll Event 1 JoinEmpty 2 JoinIn 3 LeaveEmpty 4 LeaveIn 5 Empty Attribute Value The ...

Page 123: ...three port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN information z Fixed A port in this mode cannot register deregister VLANs dynamically It only propagates static VLAN information Besides the port permits only static VLANs that is it propagates only static VLA...

Page 124: ... view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note ...

Page 125: ... the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by changing the timeout time of the Leave timer 32 765 centiseconds The following are recommended GVRP timer settings z GARP...

Page 126: ... so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network to communicate with each other Network diagram Figure 1 2 Network diagram for GVRP configurat...

Page 127: ...GVRP on Ethernet1 0 3 SwitchA Ethernet1 0 3 gvrp SwitchA Ethernet1 0 3 quit 2 Configure Switch B The configuration procedure of Switch B is similar to that of Switch A and is thus omitted 3 Configure Switch C Enable GVRP on Switch C which is similar to that of Switch A and is thus omitted Create VLAN 5 SwitchC vlan 5 SwitchC vlan5 quit 4 Configure Switch D Enable GVRP on Switch D which is similar ...

Page 128: ... 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE Ethernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure Ethernet1 0 1 on Switch E to ope...

Page 129: ...1 10 5 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic No dynamic vlans exist ...

Page 130: ...figuring Loopback Detection for an Ethernet Port 1 5 Configuring Loopback Detection for Ethernet Port s 1 6 Enabling Loopback Test 1 7 Enabling the System to Test Connected Cable 1 7 Configuring the Interval to Perform Statistical Analysis on Port Traffic 1 8 Disabling Up Down Log Output on a Port 1 8 Configuring Storm Control on a Port 1 9 Setting the Port State Change Delay 1 10 Displaying and M...

Page 131: ...to sensing Ethernet port GigabitEthernet1 0 27 GigabitEthernet1 0 25 Switch 4210 26 Port Switch 4210 PWR 26 Port GigabitEthernet1 0 28 GigabitEthernet1 0 26 GigabitEthernet1 0 19 GigabitEthernet1 0 17 Switch 4210 18 Port Switch 4210 PWR 18 Port GigabitEthernet1 0 20 GigabitEthernet1 0 18 Switch 4210 9 Port Switch 4210 PWR 9 Port GigabitEthernet1 0 10 GigabitEthernet1 0 9 Switch 4210 52 Port does n...

Page 132: ...port duplex auto full half Optional By default the duplex mode of the port is auto auto negotiation Set the speed of the Ethernet port speed 10 100 1000 auto Optional z By default the speed of an Ethernet port is determined through auto negotiation the auto keyword z Use the 1000 keyword for Gigabit Ethernet ports only Set the medium dependent interface MDI mode of the Ethernet port mdi across aut...

Page 133: ...cuting speed auto that is the port is configured to support all the auto negotiation speeds 10 Mbps 100 Mbps and 1000 Mbps Limiting Traffic on individual Ports By performing the following configurations you can limit the incoming broadcast unknown multicast unknown unicast traffic on individual ports When a type of incoming traffic exceeds the threshold you set the system drops the packets exceedi...

Page 134: ...d Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable flow control on the Ethernet port flow control By default flow control is not enabled on the port Duplicating the Configuration of a Port to Other Ports To make other ports have the same configuration as that of a specific port you can duplicate the configuration of a port to specific ...

Page 135: ...trap messages to the terminal After the loop is removed you need to use the undo shutdown command to bring up the port z If you have not enabled the loopback port auto shutdown function on the port the port will automatically resume the normal forwarding state after the loop is removed 2 If a loop is found on a trunk or hybrid port the system sends log and trap messages to the terminal If you have...

Page 136: ...umber Enable loopback detection on a specified port loopback detection enable Optional By default the loopback detection function is enabled on ports if the device boots with the default configuration file config def if the device boots with null configuration this function is disabled Enable loopback port control on the trunk or hybrid port loopback detection control enable Optional By default th...

Page 137: ...elf loop headers are made from four cores of the 8 core cables for 1000M port the self loop header are made from eight cores of the 8 core cables then the packets forwarded by the port will be received by itself The external loop test can locate the hardware failures on the port z internal Performs internal loop test In the internal loop test self loop is established in the switching chip to locat...

Page 138: ...splays the average rates in the interval For example if you set this interval to 100 seconds the displayed information is as follows Last 100 seconds input 0 packets sec 0 bytes sec Last 100 seconds output 0 packets sec 0 bytes sec Table 1 9 Set the interval to perform statistical analysis on port traffic Operation Command Description Enter system view system view Enter Ethernet port view interfac...

Page 139: ...face Ethernet 1 0 1 Sysname Ethernet1 0 1 shutdown Apr 5 07 25 37 634 2000 Sysname L2INF 5 PORT LINK STATUS CHANGE 1 Ethernet1 0 1 is DOWN Sysname Ethernet1 0 1 undo shutdown Apr 5 07 25 56 244 2000 Sysname L2INF 5 PORT LINK STATUS CHANGE 1 Ethernet1 0 1 is UP After you disable Ethernet 1 0 1 from outputting Up Down log information and execute the shutdown command or the undo shutdown command on E...

Page 140: ...ceived on the port exceeds the upper threshold or falls below the lower threshold storm constrain enable log trap Optional Enabled by default z If the broadcast suppression command or multicast suppression command is configured on a port you cannot configure the storm control function on the port and vice versa z You are not recommended to set the upper and lower traffic thresholds to the same val...

Page 141: ...arks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port state change delay link delay delay time Required Defaults to 0 which indicates that no delay is introduced The delay configured in this way does not take effect for ports in DLDP down state For information about the DLDP down state refer to DLDP ...

Page 142: ...lay unit unit id interface Display the information about the port with the link delay command configured display link delay You can execute the display commands in any view Clear port statistics reset counters interface interface type interface type interface number You can execute the reset command in user view After 802 1x is enabled on a port clearing the statistics on the port will not work Et...

Page 143: ...VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100 Sysname Ethernet1 0 1 port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the following steps z Use the display interface or display...

Page 144: ... Aggregation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregation Group 1 7 Configuring a Dynamic LACP Aggregation Group 1 8 Configuring a Description for an Aggregation Group 1 8 Displaying and Maintaining Link Aggregation Configuration 1 9 Link Aggregation ...

Page 145: ...basic fields in LACPDUs which cover information including system LACP priority system MAC address port LACP priority port number and operational key With LACP enabled on a port LACP sends the above information of the port to its peer via LACPDUs Upon receiving an LACPDU the peer compares the received information with the information received on other ports This allows the two systems to reach an a...

Page 146: ...nt to point or not STP priority STP path cost STP packet format loop guard status root guard status edge port or not z QoS configuration including traffic limit priority remarking 802 1p priority traffic redirection traffic statistics and so on z VLAN configuration including permitted VLANs and default VLAN ID z Link type configuration which can be trunk hybrid or access z GVRP configuration inclu...

Page 147: ...s also including initially down port you want to add to a manual aggregation group Static LACP Aggregation Group Introduction to static LACP aggregation A static LACP aggregation group is also manually created All its member ports are manually added and can be manually removed it inhibits the system from automatically adding removing ports to from it Each static aggregation group must contain at l...

Page 148: ...regation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP protocol packets z The selected ports can receive transmit user service packets but the unselected ports cannot z In a dynamic aggregation group the selected port with the smallest port number serves as the master port o...

Page 149: ...egation groups will be non load sharing ones Load sharing aggregation resources are allocated to aggregation groups in the following order z An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggregation group containing no special port z A manual or static aggregation group has higher priority than a dynamic aggregation group un...

Page 150: ...o an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP intrusion detection enabled to an aggregation group z Do not add ports with source IP addresses source MAC addresses statically bound to them to an aggregation group z A port cannot belong to a port group and an aggregation group at the same time Configuring a Manual Aggregation ...

Page 151: ...atic aggregation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a manual aggregation group the system will automatically disable LACP on the port Similarly when you add an LACP disabled port to a static aggregation group the system will automatically enable LACP on the port Table 1 2 Configure a static LACP aggregation grou...

Page 152: ...n Command Remarks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface interface type interface number Enable LACP on the port lacp enable Required By default LACP is disabled on a port Configure the port priority lacp port priority port priority Optional By default the ...

Page 153: ...mand Remarks Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group or all aggregation groups display link aggregation verbose agg id Display link aggregation details of a specified port or port range display link aggregation interface interface type interface number to interface type interface number Disp...

Page 154: ...0 1 Sysname Ethernet1 0 1 port link aggregation group 1 Sysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 port link aggregation group 1 Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 port link aggregation group 1 2 Adopting static LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation gro...

Page 155: ... interface Ethernet1 0 1 Sysname Ethernet1 0 1 lacp enable Sysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 lacp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 lacp enable The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuratio...

Page 156: ...i Table of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying Port Isolation Configuration 1 2 Port Isolation Configuration Example 1 2 ...

Page 157: ...10 The number of Ethernet ports in an isolation group is not limited An isolation group only isolates the member ports in it Port Isolation Configuration You can perform the following operations to add an Ethernet ports to an isolation group thus isolating Layer 2 and Layer 3 data among the ports in the isolation group Table 1 1 Configure port isolation Operation Command Description Enter system v...

Page 158: ...n group causes all the ports in the aggregation group being added to the isolation group Displaying Port Isolation Configuration After the above configuration you can execute the display command in any view to display the result of your port isolation configuration thus verifying your configuration Table 1 2 Display port isolation configuration Operation Command Description Display information abo...

Page 159: ...ame interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface ethernet1 0 4 Sysname Ethernet1 0 4 port isolate Sysname Ethernet1 0 4 quit Sysname quit Display information about the ports in the isolation group Sysname display isolate port Isolated port s on UN...

Page 160: ...AN for a Port in macAddressOrUserLoginSecure mode 1 8 Ignoring the Authorization Information from the RADIUS Server 1 9 Configuring Security MAC Addresses 1 10 Displaying and Maintaining Port Security Configuration 1 11 Port Security Configuration Example 1 12 Port Security Configuration Example 1 12 Guest VLAN Configuration Example 1 13 2 Port Binding Configuration 2 1 Port Binding Overview 2 1 I...

Page 161: ...akes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are provided z NTK need to know feature By checking the destination MAC addresses in outbound data frames on the port NTK ensures that the switch sends data frames through the port only to successfully authe...

Page 162: ...er configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned can pass through the port secure In this mode the port is disabled from learning MAC addresses Only those packets whose source MAC addresses are security MAC addresses learned and static MAC addresses ...

Page 163: ...es the existing dynamic authenticated MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users macAddressOrUser LoginSecure In this mode both MAC authentication and 802 1x authentication can be performed but 802 1x authentication has a higher priority 802 1x authentication can still be performed on an access user who has pass...

Page 164: ...erLoginSecure or macAddressElseUserLoginSecureExt security mode the MAC address of a user failing MAC authentication is set as a quiet MAC address If the user initiates 802 1x authentication during the quiet period the switch does not authenticate the user z A port with port security configured permits all ordinary Layer 2 packets to be forwarded whose source MAC addresses are dynamic ones configu...

Page 165: ...out 802 1x configuration refer to the sections covering 802 1x and System Guard z For details about MAC authentication configuration refer to the sections covering MAC authentication configuration Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the con...

Page 166: ...mac authentication mac else userlogin secure mac else userlogin secure e xt secure userlogin userlogin secure userlogin secure ext userlogin secure or mac userlogin secure or mac ext userlogin withoui Required By default a port operates in noRestriction mode In this mode access to the port is not restricted You can set a port security mode as needed z Before setting the port security mode to autol...

Page 167: ...y all frames are allowed to be sent Configuring intrusion protection Follow these steps to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the corresponding action to be taken by the switch when intrusion protection is triggered port security intrusion mode blockmac disable...

Page 168: ...services only one user at a time 1 When the first user of the port initiates 802 1x or MAC address authentication z If the user fails the authentication the port is added to the guest VLAN and all the other users of the port are authorized to access the guest VLAN z If the user passes the authentication authentication requests from other users are not handled because only one user is allowed to pa...

Page 169: ...s authentication does not have any client software and therefore no such messages will be displayed z To change the security mode from macAddressOrUserLoginSecure mode of a port that is assigned to a guest VLAN execute the undo port security guest vlan command first to remove the guest VLAN configuration z For a port configured with both the port security guest vlan and port security intrusion mod...

Page 170: ...h the maximum number the port will learn new MAC addresses and turn them to security MAC addresses z If the amount of security MAC addresses reaches the maximum number the port will not be able to learn new MAC addresses and the port mode will be changed from autolearn to secure The security MAC addresses manually configured are written to the configuration file they will not get lost when the por...

Page 171: ...urity MAC address entries port security timer autolearn age Required Aging of MAC address entries is disabled by default Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses allowed on the port port security max mac count count value Required By default there is no limit on the number of MAC addresses Set the security mode of the port to autole...

Page 172: ... stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds Network diagram Figure 1 1 Network diagram for port security configuration Configuration procedure Enter system view Switch system view Enable port security Switch port security enable Enter Ethernet1 0 1 port view Switch inte...

Page 173: ...o the Internet This port is assigned to VLAN 1 Normally the port Ethernet 1 0 2 is also assigned to VLAN z VLAN 10 is intended to be a guest VLAN It contains an update server for users to download and upgrade their client software When a user fails authentication port Ethernet 1 0 2 is added to VLAN 10 Then the user can access only VLAN 10 The port goes back to VLAN 1 when the user passes authenti...

Page 174: ...main for MAC address authentication Switch mac authentication domain system Enable port security Switch port security enable Specify the switch to trigger MAC address authentication at an interval of 60 seconds Switch port security timer guest vlan reauth 60 Create VLAN 10 and assign the port Ethernet 1 0 1 to it Switch vlan 10 Switch vlan10 port Ethernet 1 0 1 Set the security mode of the port Et...

Page 175: ...e switch forwards only the packets sourced from the bound IP address z Port MAC binding binds a port to a MAC address On the bound port the switch forwards only the packets sourced from the bound MAC address z Port MAC IP binding binds a MAC address and an IP address to a port On the bound port the switch forwards only the packets sourced from the bound MAC address and IP address combination z IP ...

Page 176: ...ing Configuration To do Use the command Remarks Display port binding information display am user bind interface interface type interface number ip addr ip address mac addr mac address Available in any view Port Binding Configuration Example Port Binding Configuration Example Network requirements It is required to bind the MAC and IP addresses of Host A to Ethernet 1 0 1 on Switch A so as to preven...

Page 177: ...ollows Enter system view SwitchA system view Enter Ethernet 1 0 1 port view SwitchA interface Ethernet 1 0 1 Bind the MAC address and the IP address of Host A to Ethernet 1 0 1 SwitchA Ethernet1 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 ...

Page 178: ...2 DLDP Status 1 4 DLDP Timers 1 4 DLDP Operating Mode 1 5 DLDP Implementation 1 6 DLDP Neighbor State 1 8 Link Auto recovery Mechanism 1 8 DLDP Configuration 1 9 Performing Basic DLDP Configuration 1 9 Resetting DLDP State 1 10 Displaying and Maintaining DLDP 1 10 DLDP Configuration Example 1 11 ...

Page 179: ... to A it is a bidirectional link two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional link appears the local device can receive packets from the peer device through the link layer but the peer device cannot receive packets from the local device Unidirectional link can cause problems such as network loops As for fiber links two kinds of un...

Page 180: ...ovides the following features z As a link layer protocol it works together with the physical layer protocols to monitor the link status of a device z The auto negotiation mechanism at the physical layer detects physical signals and faults DLDP identifies peer devices and unidirectional links and disables unreachable ports z Even if both ends of links can work normally at the physical layer DLDP ca...

Page 181: ...n packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port information instead of the neighbor information In some conditions a port is considered to be physically down if the link connecting to the port is physically abnormal for example the Rx line of the fiber ...

Page 182: ...e corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor information remains and the DelayDown timer is triggered After the DelayDown timer expires the DLDP neighbor information is removed DLDP Timers Table 1 3 DLDP timers Timer Description Advertisement ...

Page 183: ...on the user defined DLDP down mode DLDP disables the local port automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry DelayDown timer When a device in the active advertisement or probe DLDP state receives a port down message it does not removes the corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to th...

Page 184: ...e however Port A tests Port B after the Entry timer concerning Port B expires Port A then transits to the Disable state if it receives no Echo packet from Port A when the Echo timer expires As Port B is physically down it is in the Inactive DLDP state Figure 1 3 A case for Enhanced DLDP mode z In normal DLDP mode only fiber cross connected unidirectional links as shown in Figure 1 1 can be detecte...

Page 185: ...switches to the probe state Advertisement packet Extracts neighbor information If the corresponding neighbor entry already exists on the local device DLDP resets the aging timer of the entry Flush packet Removes the neighbor entry from the local device Creates the neighbor entry if it does not exist on the local device Probe packet Sends echo packets containing both neighbor and its own informatio...

Page 186: ...tects the link connecting to the port is a unidirectional link A port in DLDP down state does not forward service packets or receive send protocol packets except DLDPDUs A port in the DLDP down state recovers when the corresponding link recovers A port in the DLDP down state sends recover probe packets periodically On receiving a correct recover echo packet which means that the unidirectional link...

Page 187: ... the handling mode is auto Set the DLDP operating mode dldp work mode enhance normal Optional By default DLDP works in normal mode Note the following when performing basic DLDP configuration z DLDP can detect unidirectional links only after the links are connected Therefore before enabling DLDP make sure that optical fibers or copper twisted pairs are connected z To ensure unidirectional links can...

Page 188: ...inks caused by fiber cross connection z When the device is busy with services and the CPU utilization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP as manual after unidirectional links are detected so as to reduce the influence of mistaken reports Resetting DLDP State You can reset the DLDP state for the ports shut down by DLDP due to unidirect...

Page 189: ... for DLDP configuration Switch A GE1 1 1 GE1 1 2 Switch B GE1 1 1 GE1 1 2 PC Configuration procedure 1 Configure Switch A Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps SwitchA system view SwitchA interface gigabitethernet 1 1 1 SwitchA GigabitEthernet1 1 1 duplex full SwitchA GigabitEthernet1 1 1 speed 1000 SwitchA GigabitEthernet1 1 1 quit SwitchA interface giga...

Page 190: ...evice correctly on one end with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode the end that receives optical signals is in the disable state the other end is in the inactive state Restore the ports shut d...

Page 191: ...dress Table 1 4 MAC Address Table Management 1 5 MAC Address Table Management Configuration Task List 1 5 Configuring a MAC Address Entry 1 5 Setting the MAC Address Aging Timer 1 6 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 7 Displaying MAC Address Table Information 1 7 Configuration Example 1 8 Adding a Static MAC Address Entry Manually 1 8 ...

Page 192: ...ddress table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to z Forwarding egress port number on the local switch When forwarding a packet an Ethernet switch adopts one of the two forwarding methods based upon the MAC address table entries z Unicast forwarding ...

Page 193: ...address MAC A of User A to the MAC address table of the switch forming an entry shown in Figure 1 2 Figure 1 1 MAC address learning diagram 1 Figure 1 2 MAC address table entry of the switch 1 Port VLAN ID MAC address Ethernet1 0 1 1 MAC A 2 After learning the MAC address of User A the switch starts to forward the packet Because there is no MAC address and port information of User B in the existin...

Page 194: ...igure 1 5 When forwarding the response packet from User B to User A the switch sends the response to User A through Ethernet 1 0 1 technically called unicast because MAC A is already in the MAC address table Figure 1 5 MAC address table entries of the switch 2 5 After this interaction the switch sends packets destined for User A and User B in unicast mode based on the corresponding MAC address tab...

Page 195: ...educe broadcast packets and are suitable for networks where network devices seldom change z Dynamic MAC address entry This type of MAC address entries age out after the configured aging time They are generated by the MAC address learning mechanism or configured manually z Blackhole MAC address entry This type of MAC address entries are configured manually A switch discards the packets destined for...

Page 196: ...ollow these steps to add a MAC address entry in system view To do Use the command Remarks Enter system view system view Add a MAC address entry mac address static dynamic blackhole mac address interface interface type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the c...

Page 197: ...set too short the switch may remove valid MAC address entries This decreases the forwarding performance of the switch Follow these steps to set aging time of MAC address entries To do Use the command Remarks Enter system view system view Set the MAC address aging timer mac address timer aging age no aging Required The default is 300 seconds The capacity of the MAC address table on a switch is limi...

Page 198: ...e maximum number of MAC addresses a port can learn To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses the port can learn mac address max mac count count Required By default the number of the MAC addresses a port can learn is not limited If you have configured the maximum number of MA...

Page 199: ...C address to drop all packets destined for the host for security sake Configuration procedure Enter system view Sysname system view Sysname Add a MAC address with the VLAN ports and states specified Sysname mac address static 000f e20f dc71 interface Ethernet 1 0 2 vlan 1 Add a black hole MAC address 000f e235 abcd with the VLAN and ports specified Sysname mac address blackhole 000f e235 abcd inte...

Page 200: ...ng the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling MSTP 1 29 Configuring Leaf Nodes 1 30 Configuring the MST Region 1 30 Configuring How a Port Recognizes and Sends MSTP Packets 1 30 Configuring the Timeout Time Factor 1 30 Configuring the Maximum T...

Page 201: ...el 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 44 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 45 Enabling Trap Messages Conforming to 802 1d Standard 1 46 Displaying and Maintaining MSTP 1 46 MSTP Configuration Example 1 47 VLAN VPN Tunnel Configuration Example 1 49 ...

Page 202: ... RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree protocol STP is a protocol conforming to IEEE 802 1d It aims to eliminate loops on data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging pack...

Page 203: ...the port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root port 3 Designated bridge and designated port Refer to the following table for the description of designated bridge and designated port Table 1 1 Designated bridge and designated port Classification Des...

Page 204: ...ils see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port is related to the rate of the link connecting the port The higher the link rate the smaller the path cost By comparing the path costs of different links STP selects the most robust links and blocks t...

Page 205: ...bridge priority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the configuration BPDUs to be kept in a switch z Hello time configuration BPDU interval z Forward delay forward delay of the port The implementation of the STP algorithm involves only the follow...

Page 206: ...th cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the higher priority for the configuration BPDU z Selection of the root bridge At network initialization each STP compliant device on the network assumes itself to be the root bridge with the root bridge...

Page 207: ...e root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topology has been constructed At this stage STP convergence is complete 2 Example of how the STP algorithm w...

Page 208: ...ion BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 z Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local por...

Page 209: ...te process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C z By comparing the configuration BPDU 0 0 0 AP2 of port CP1 and the configuration BPDU 0 5 1 BP2 of port CP2 the device selects the root port Because the two configuration BPDUs carry the same root bridge ID ...

Page 210: ...lty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs This triggers a new spanning tree calculation so that a new path is established to restore the network connectivity However the ...

Page 211: ...ignated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the forwarding state directly if the designated port is connected with a point to point link it can enter the forwarding state immediately after the device undergoes handshake with the downstream device a...

Page 212: ... mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped to MSTI 2 Other VLANs mapped to CIST Region D0 VLAN 1 mapped to MSTI 1 B as the regional root bridge VLAN 2 mapped to MSTI 2 C as the regional root bridge Other VLANs mapped to CIST 2 MST region A m...

Page 213: ...ning tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 7 CIST A common and internal spanning tree CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 1 4 the ISTs in the MST regions and the CST connecting the MST regions form the CIST 8 Region root A regio...

Page 214: ...e of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect upstream to the common root Port 5 and port 6 on switch C form a loop Port 3 and port 4 on switch D connect downstream to other MST regions This figure shows the roles these ports play z A port can pl...

Page 215: ...y MSTP At the same time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP generates different MSTIs for different VLANs based on the VLAN to instance mappings MSTP performs a separate calculation process which is similar to spanning tree calculation in STP for each...

Page 216: ...onfigure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are performed Configuring an MST Region Required Specifying the Current Switch as a Root Bridge Secondary Root Bridge Required Configuring the Bridge Priority of the Current Switch Optional The priority of ...

Page 217: ...ansmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priority Optional Configuring Leaf Nodes Setting the Link Type of a Port to P2P Optional Performing mCheck Operation Optional Configuring Guard Functions Optional Configuring Digest Snooping Optional Confi...

Page 218: ...configuration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configuration Available in any view Neighbor Topology Discovery Protocol NTDP packets sent by devices in a cluster can only be transmitted within the MSTI where the management VLAN of the cluster resides For mo...

Page 219: ...o 10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configuration Admin configuration Format selector 0 Region name info Revision level 1 Instance Vlans Mapped 0 1 11 to 19 31 to 4094 1 2 to 10 2 20 to 30 Specifying the Current Switch as a Root Bridge Secon...

Page 220: ...no new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the network diameter and the hello time parameters while configuring a root bridge secondary root bridge Refer to Configuring the Network Diameter of the Switched Network and Configuring the MSTP Time rela...

Page 221: ... switch cannot be configured any more z During the selection of the root bridge if multiple switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname system view Sysname stp instance 1 priority 4096 Configuring How a Port Recognizes and Sends MSTP Packets A port...

Page 222: ...g to the format of the packets received Follow these steps to configure how a port recognizes and sends MSTP packets in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure how a port recognizes and sends MSTP packets stp compliance auto dot1s legacy Required By default a port recognizes and send...

Page 223: ...he Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region The value of the maximum hop count limits the size of the MST region A configuration BPDU contains a field that maintains the remaining hops of the configuration BPDU And a switch discards the configuration BPDUs whose remaining hops are 0 After a configuration BPDU ...

Page 224: ...switches Configuration procedure Follow these steps to configure the network diameter of the switched network To do Use the command Remarks Enter system view system view Configure the network diameter of the switched network stp bridge diameter bridgenumber Required The default network diameter of a network is 7 The network diameter parameter indicates the size of a network The bigger the network ...

Page 225: ...red to the network The default value is recommended z An adequate hello time parameter enables a switch to detect link failures in time without occupying too many network resources And a too small hello time parameter may result in duplicated configuration BPDUs being sent frequently which increases the work load of the switches and wastes network resources The default value is recommended z As fo...

Page 226: ...ime factor to a larger number to avoid such cases Normally the timeout time can be four or more times of the hello time For a steady network the timeout time can be five to seven times of the hello time Configuration procedure Follow these steps to configure the timeout time factor To do Use the command Remarks Enter system view system view Configure the timeout time factor for the switch stp time...

Page 227: ...o many network resources The default value is recommended Configuration example Set the maximum transmitting rate of Ethernet 1 0 1 to 15 1 Configure the maximum transmitting rate in system view Sysname system view Sysname stp interface Ethernet 1 0 1 transmit limit 15 2 Configure the maximum transmitting rate in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ether...

Page 228: ...are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time This not only enables these ports to turn to the forwarding state rapidly but also secures your network Configuration example Configure Ethernet 1 0 1 as an edge port 1 Configure Ethernet 1 0 1 as an edge port in system view Sysname system view Sysname s...

Page 229: ... point link stp point to point force true force false auto Required The auto keyword is adopted by default z If you configure the link connected to a port in an aggregation group as a point to point link the configuration will be synchronized to the rest ports in the same aggregation group z If an auto negotiating port operates in full duplex mode after negotiation you can configure the link of th...

Page 230: ...TP stp enable Required MSTP is enabled globally by default Enter Ethernet port view interface interface type interface number Disable MSTP on the port stp disable Optional By default MSTP is enabled on all ports To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources...

Page 231: ...ased load balancing can be implemented Path cost of a port can be determined by the switch or through manual configuration Standards for calculating path costs of ports Currently a switch can calculate the path costs of ports based on one of the following standards z dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the IEEE 802 1t standard...

Page 232: ...f a port operating in full duplex mode is slightly less than that of the port operating in half duplex mode When calculating the path cost of an aggregated link the 802 1D 1998 standard does not take the number of the ports on the aggregated link into account whereas the 802 1T standard does The following formula is used to calculate the path cost of an aggregated link Path cost 200 000 000 link t...

Page 233: ... Sysname Ethernet1 0 1 stp instance 1 cost 2000 Configuration example B Configure the path cost of Ethernet 1 0 1 in MSTI 1 to be calculated by the MSTP enabled switch according to the IEEE 802 1D 1998 standard 1 Perform this configuration in system view Sysname system view Sysname undo stp interface Ethernet 1 0 1 instance 1 cost Sysname stp pathcost standard dot1d 1998 2 Perform this configurati...

Page 234: ... change the role of the port and put the port into state transition A smaller port priority value indicates a higher possibility for the port to become the root port If all the ports of a switch have the same port priority value the port priorities are determined by the port indexes Changing the priority of a port will cause spanning tree recalculation You can configure port priorities according t...

Page 235: ... on the switch Configuration Procedure You can perform the mCheck operation in the following two ways Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in system view To do Use the command Remarks Enter system view system view Perform the mCheck operation stp interface interface list mcheck Required Perform the mCheck operation in Ethernet port view Fol...

Page 236: ... users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter You can prevent this type of attacks by utilizing the BPDU guard function With this function enabled on a switch the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator Ports shut down in this way can only be restored by the a...

Page 237: ...k It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period z You are recommended to enable root guard on the designated ports of a root bridge z Loop guard root guard and edge port settings are mutually exclusive With one of these functions enabled on a port any of the other two functions cannot take effect even if you have configured...

Page 238: ...loops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become designated ports and turn to the discarding state In this case they stop forwarding packets and thereby loops can be prevented z You are recommended to enable loop guard on the root port and alternate port...

Page 239: ...on threshold command to set the maximum times for a switch to remove the MAC address table and ARP entries in a specific period When the number of the TC BPDUs received within a period is less than the maximum times the switch performs a removing operation upon receiving a TC BPDU After the number of the TC BPDUs received reaches the maximum times the switch stops performing the removing operation...

Page 240: ... Ethernet ports of the switches With BPDU dropping enabled a port will not receive or forward any BPDUs In this way switches are protected against forged BPDU attacks thus ensuring correct STP calculation You can enable BPDU dropping on ports that need not receive or forward BPDUs for example edge ports Configuration Prerequisites MSTP runs normally on the switch Configuration procedure Follow the...

Page 241: ...nable digest snooping on the port Then the switch 4210 regards another manufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manufacturer s switch and put them in the BPDUs to be sent to the another manufacturer s switch In this way the switch 4210 can communicate with another manufacturer s switches in the same MST region The d...

Page 242: ...ision level and VLAN to instance mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to boundary port...

Page 243: ... mode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers switches adopt proprietary spanning tree protocols that ...

Page 244: ...ot port Figure 1 8 Network diagram for rapid transition configuration Configuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view system view Enable the rapid transition feature stp interface interface type interface number no agreement check Required By d...

Page 245: ...he service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the service provider network configure the arriving STP packets at the input device to have MAC addresses in a special format and reconvert them back to their original formats at the output device This is ...

Page 246: ...h MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance personnel may expect that log trap information is output to the log host when particular ports fail so that they can check the status changes of those ports through alarm information Enabling Log Trap Output for Ports of MSTP Instance Follow these steps to enable log trap outp...

Page 247: ... Enable trap messages conforming to 802 1d standard in an instance stp instance instance id dot1d trap newroot topologychange enable Required Configuration example Enable a switch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp instance 1 dot1d trap newroot enable Displaying a...

Page 248: ...ayer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 1 10 Network diagram for MSTP configuration The word permit shown in Figure 1 10 means the corresponding link permits packets of specific VLANs Configuration procedure 1 Configure Switch A Enter MST region view Sysname system vie...

Page 249: ...ter MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch C ...

Page 250: ...between the customer networks and the service provider network Network diagram Figure 1 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1 GE 1 0 2 GE 1 0 1 GE 1 0 2 GE 1 0 1 Configuration procedure 1 Configure Switch A Enable MSTP Sysname system view Sysname stp enable Add Ethernet 1 0 1 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port Ether...

Page 251: ...ANs Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add GigabitEthernet 1 0 2 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port GigabitEthernet 1 0 2 Enable the VLAN VPN function on GigabitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthe...

Page 252: ... Configuring the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filter 2 7 Configuring the Maximum Number of Multicast Groups on a Port 2 8 Configuring IGMP Snooping Querier 2 9 Suppressing Flooding of Unknown Multicast Traffic in a VLAN 2 10 Configuring Static Member Port for a Multicast Group 2 11 Configuring a Static Route...

Page 253: ...ii Configuring Dropping Unknown Multicast Packets 3 2 Displaying Common Multicast Configuration 3 3 ...

Page 254: ...blishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 1 1 Figure 1 1 Information transmission in the unicast mode Source Server Receiver Receiver Receiver Host A Host B Host C Host D Host E Packets for Host B Packets for Host D Packets for Host E Assume that Hosts B D and E need this informa...

Page 255: ... users on the same network need the information the utilization ratio of the network resources is very low and the bandwidth resources are greatly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occupies large bandwidth Information Transmission in the Multicast Mode As described in the previous sections unicast is suitable for networks with s...

Page 256: ...not add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no waste of network resources and makes proper use of bandwidth Roles in Multicast The following roles are involved in multicast transmission z An information sender is referred to as a multicast source...

Page 257: ...pplications of Multicast Advantages of multicast Advantages of multicast include z Enhanced efficiency Multicast decreases network traffic and reduces server load and CPU load z Optimal performance Multicast reduces redundant traffic z Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of po...

Page 258: ...addition the SSM model uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers ...

Page 259: ...ion addresses called group address rather than one address All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the receivers All the members in this group can receive the data packets This group is a multicast group A multicast group has the following characteristics z The membership of a group is dynamic A host can join and ...

Page 260: ...h first designated routers OSPF DR 224 0 0 7 Shared tree routers 224 0 0 8 Shared tree hosts 224 0 0 9 RIP 2 routers 224 0 0 11 Mobile agents 224 0 0 12 DHCP server relay agent 224 0 0 13 All protocol independent multicast PIM routers 224 0 0 14 Resource reservation protocol RSVP encapsulation 224 0 0 15 All core based tree CBT routers 224 0 0 16 The specified subnetwork bandwidth management SBM 2...

Page 261: ...icast address are 1110 representing the multicast ID Only 23 bits of the remaining 28 bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Laye...

Page 262: ... routes z An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often r...

Page 263: ...lticast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incoming inte...

Page 264: ...l the outgoing interfaces z If the interface on which the packet actually arrived is not the RPF interface the RPF check fails and the router discards the packet RPF Check The basis for an RPF check is a unicast route A unicast routing table contains the shortest path to each destination subnet A multicast routing protocol does not independently maintain any type of unicast route instead it relies...

Page 265: ... that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives to VLAN interface 2 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C The router performs an RPF check and finds in its unicast routing table that the outgoing interfa...

Page 266: ...e switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 However multicast packets for unknown multicast groups are still broadcast at Layer 2 Figure 2 1 Before and after IGMP Snooping is enabled on Layer 2 device Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiv...

Page 267: ...he IGMP Snooping forwarding table Port aging timers in IGMP Snooping and related messages and actions Table 2 1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the switch sets a timer initialized to the aging time of the route port IGMP general query or PIM hello The switch ...

Page 268: ... reason Due to the IGMP report suppression mechanism if member hosts of that multicast group still exist under non router ports the hosts will stop sending reports when they receive the message and this prevents the switch from knowing if members of that multicast group are still attached to these ports When receiving a leave message When an IGMPv1 host leaves a multicast group the host does not s...

Page 269: ...itch enables IGMP Snooping when it receives the IGMP leave message sent by a host in a multicast group it judges whether the multicast group exists automatically If the multicast group does not exist the switch drops this IGMP leave message IGMP Snooping Configuration The following table lists all the IGMP Snooping configuration tasks Table 2 2 IGMP Snooping configuration tasks Operation Remarks E...

Page 270: ...lve this problem by configuring VLAN tags for queries For details see Configuring a VLAN Tag for Query Messages Configuring the Version of IGMP Snooping With the development of multicast technologies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive or reject the information from a specific multicast ...

Page 271: ...fault the aging time of the router port is 105 seconds Configure the aging timer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast member ports is 260 seconds Configuring Fast Leave Processing With fast leave processing enabled when the switch receives an IGMP leave message on a port the switch directly removes that port from the for...

Page 272: ... enabled on a port to which more than one host is connected when one host leaves a multicast group the other hosts connected to port and interested in the same multicast group will fail to receive multicast data for that group Configuring a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicas...

Page 273: ...together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function z The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The con...

Page 274: ...t IGMP and therefore cannot send general queries by default By enabling IGMP Snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers are present the Layer 2 switch will act as a querier to send IGMP general queries thus allowing multicast forwarding entries to be established and maintained at the data link layer Upon receivi...

Page 275: ... queries igmp snooping general query source ip current interface ip address Optional 0 0 0 0 by default Configure the source IP address of IGMP group specific queries igmp snooping special query source ip current interface ip address 0 0 0 0 by default Suppressing Flooding of Unknown Multicast Traffic in a VLAN With IGMP Snooping enabled in a VLAN multicast traffic for unknown multicast groups is ...

Page 276: ...onnected to a port is interested in the multicast data for a specific group you can configure that port as a static member port for that multicast group In Ethernet port view Table 2 12 Configure a static multicast group member port in Ethernet port view Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the current ...

Page 277: ...d Required By default no static router port is configured In VLAN view Table 2 15 Configure a static router port in VLAN view Operation Command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure a specified port as a static router port multicast static router port interface type interface number Required By default no static router port is configured Configuring a Port as...

Page 278: ...group member igmp host join group address source ip source address vlan vlan id Required Simulated joining is disabled by default z Before configuring a simulated host enable IGMP Snooping in VLAN view first z The port to be configured must belong to the specified VLAN otherwise the configuration does not take effect z You can use the source ip source address command to specify a multicast source ...

Page 279: ...s mainly used in Layer 2 switching but you must make the corresponding configurations on the Layer 3 switch Table 2 18 Configure multicast VLAN on the Layer 3 switch Operation Command Remarks Enter system view system view Create a multicast VLAN and enter VLAN view vlan vlan id Return to system view quit Enter VLAN interface view interface Vlan interface vlan id Enable IGMP igmp enable Required By...

Page 280: ...s a hybrid port port link type hybrid Required Specify the VLANs to be allowed to pass the port port hybrid vlan vlan id list tagged untagged Required The multicast VLAN must be included and the port must be configured to forward tagged packets for the multicast VLAN z One port can belong to only one multicast VLAN z The port connected to a user terminal must be a hybrid port z The multicast membe...

Page 281: ...P Snooping Configuration Examples Configuring IGMP Snooping Network requirements To prevent multicast traffic from being flooded at Layer 2 enable IGMP snooping on Layer 2 switches z As shown in Figure 2 3 Router A connects to a multicast source Source through Ethernet1 0 2 and to Switch A through Ethernet1 0 1 z Run PIM DM and IGMP on Router A Run IGMP snooping on Switch A Router A acts as the IG...

Page 282: ...y SwitchA system view SwitchA igmp snooping enable Enable IGMP Snooping ok Create VLAN 100 assign Ethernet1 0 1 through Ethernet1 0 4 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port Ethernet 1 0 1 to Ethernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN...

Page 283: ...et 1 0 1 is connected to the workstation and belongs to VLAN 20 The interface IP address of VLAN 10 is 168 10 2 1 Ethernet 1 0 10 belongs to VLAN 10 Ethernet 1 0 10 is connected to Switch B Switch B Layer 2 switch VLAN 2 contains Ethernet 1 0 1 and VLAN 3 contains Ethernet 1 0 2 The two ports are connected to Host A and Host B respectively VLAN 10 includes Ethernet 1 0 10 Ethernet1 0 1 and Etherne...

Page 284: ...erface 20 SwitchA Vlan interface20 ip address 168 10 1 1 255 255 255 0 SwitchA Vlan interface20 pim dm SwitchA Vlan interface20 quit Configure VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Define Ethernet 1 0 10 as a hybrid port add the port to VLAN 10 and configure the port to forward tagged packets for VLAN 10 SwitchA interface Ethernet 1 0 10 SwitchA Ethernet1 0 10 port link type hybrid SwitchA E...

Page 285: ...and VLAN 10 and set VLAN 3 as the default VLAN of the port SwitchB interface Ethernet 1 0 2 SwitchB Ethernet1 0 2 port link type hybrid SwitchB Ethernet1 0 2 port hybrid vlan 3 10 untagged SwitchB Ethernet1 0 2 port hybrid pvid vlan 3 SwitchB Ethernet1 0 2 quit Troubleshooting IGMP Snooping Symptom Multicast function does not work on the switch Solution Possible reasons are 1 IGMP Snooping is not ...

Page 286: ...authorized multicast servers attached to these ports from sending multicast traffic to the network Configuring multicast source port suppression in system view Table 3 2 Configure multicast source port suppression in system view Operation Command Remarks Enter system view system view Configure multicast source port suppression multicast source deny interface interface list Optional Multicast sourc...

Page 287: ... system view Enter Ethernet port view interface interface type interface number Create a multicast MAC address entry mac address multicast mac address vlan vlan id Required The mac address argument must be a multicast MAC address z If the multicast MAC address entry to be created already exists the system gives you a prompt z If you want to add a port to a multicast MAC address entry created throu...

Page 288: ...ion of dropping unknown multicast packets is disabled Displaying Common Multicast Configuration After the above described configuration you can use the display command in any view to verify the configuration Table 3 7 Display common multicast configuration Operation Command Remarks Display the statistics information about multicast source port suppression display multicast source deny interface in...

Page 289: ...Mandatory Authentication Domain for a Port 1 15 Configuring Proxy Checking 1 17 Configuring Client Version Checking 1 17 Enabling DHCP triggered Authentication 1 18 Configuring Guest VLAN 1 18 Configuring 802 1x Re Authentication 1 19 Configuring the 802 1x Re Authentication Timer 1 19 Displaying and Debugging 802 1x 1 20 Configuration Example 1 20 802 1x Configuration Example 1 20 802 1X Mandator...

Page 290: ...m Figure 1 1 Architecture of 802 1x authentication z The supplicant system is an entity residing at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN segment The supplicant system is usually a user terminal device An 802 1x authentication is triggered when a user launches client program on the supplicant system Note that the client program must s...

Page 291: ...em can send and receive authentication requests z The controlled port can be used to pass service packets when it is in authorized state It is blocked when not in authorized state In this case no packets can pass through it z Controlled port and uncontrolled port are two properties of a port Packets reaching a port are visible to both the controlled port and uncontrolled port of the port The valid...

Page 292: ...t defined in 802 1x To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs EAP protocol packets are encapsulated in EAPoL format The following figure illustrates the structure of an EAPoL packet Figure 1 3 The format of an EAPoL packet In an EAPoL packet z The PAE Ethernet type field holds the protocol identifier The identifier for 802 1x...

Page 293: ...the Code Identifier Length and Data fields z The Data field carries the EAP packet whose format differs with the Code field A Success or Failure packet does not contain the Data field so the Length field of it is 4 Figure 1 5 shows the format of the Data field of a Request packet or a Response packet Figure 1 5 The format of the Data field of a Request packet or a Response packet z The Type field ...

Page 294: ...ort the two newly added fields the EAP message field with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security EAP TTLS tunneled transport layer security and PEAP protected extensible authentication protocol are available in the EAP relay mode z EAP MD5 authenticates the supplicant system The RADIUS server sen...

Page 295: ...n process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP response identity packet to the switch with the user name contained in it The switch then encapsulates the packet in a RADIUS Access Request packet and forwards it to the RADIUS server z Upon receiving...

Page 296: ...ed to rejected In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authenticating ways used on the supplicant system and the RADIUS server are the same However for the switch you can simply enable the EAP relay mode by using the dot1x authentication method eap command EAP ...

Page 297: ...ract in an orderly way z Handshake timer handshake period This timer sets the handshake period and is triggered after a supplicant system passes the authentication It sets the interval for a switch to send handshake request packets to online users You can set the number of retries by using the dot1x retry command An online user will be considered offline when the switch has not received any respon...

Page 298: ...version period and is triggered after a switch sends a version request packet The switch sends another version request packet if it does receive version response packets from the supplicant system when the timer expires 802 1x Implementation on an S4210 Series Switch In addition to the earlier mentioned 802 1x features an S4210 series switch is also capable of the following z Checking supplicant s...

Page 299: ...sers or users with earlier versions of 802 1x client from logging in This function makes the switch to send version requesting packets again if the 802 1x client fails to send version reply packet to the switch when the version checking timer times out The 802 1x client version checking function needs the support of 3Com s 802 1x client program The Guest VLAN function The Guest VLAN function enabl...

Page 300: ...e server may authenticate the username and password or however use re authentication for only accounting and user connection status checking and therefore does not authenticate the username and password any more z An authentication server running CAMS authenticates the username and password during re authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication...

Page 301: ...A scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and passwords manually on the switch Users can pass the authentication through 802 1x client if they provide user names and passwords that match those configured on the switch z If you specify to adopt the RADIUS scheme...

Page 302: ...ew quit Optional By default an 802 1x enabled port operates in the auto mode In system view dot1x port method macbased portbased interface interface list interface interface type interface number dot1x port method macbased portbased Set port access method for specified ports In port view quit Optional The default port access method is MAC address based that is the macbased keyword is used by defau...

Page 303: ...tion switches cannot receive handshaking acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z For the handshaking packet secure function to take effect the clients that enable the function need to cooperate with the authentication server If either the clients or the authent...

Page 304: ...guration Advanced 802 1x configurations as listed below are all optional z Specifying a Mandatory Authentication Domain for a Port z Configuration concerning CAMS including multiple network adapters detecting proxy detecting and so on z Client version checking configuration z DHCP triggered authentication z Guest VLAN configuration z 802 1x re authentication configuration z Configuration of the 80...

Page 305: ...fault domain user name format without domain user name format with domain Z X Z Z X Z user name format without domain Note that z You can view usernames by using the display connection command on the device z The above configuration relations are applicable to the switch with authentication domain Y or Z configured If the specified mandatory authentication domain on a port does not exist on the sw...

Page 306: ...e the proxy detecting function you need to enable the online user handshaking function first z The configuration listed in Table 1 4 takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking function needs to be enabled on the switch too by using the dot1x version check command Configuring Client Version Checking Table 1 5 Configure client vers...

Page 307: ...s are authenticated when they apply for dynamic IP addresses through DHCP Table 1 6 Enable DHCP triggered authentication Operation Command Remarks Enter system view system view Enable DHCP triggered authentication dot1x dhcp launch Required By default DHCP triggered authentication is disabled Configuring Guest VLAN Table 1 7 Configure Guest VLAN Operation Command Remarks Enter system view system v...

Page 308: ...hen re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and password or however use re authentication for only accounting and user connection status checking and therefore does not authenticate the username and password any more z An authentication server running...

Page 309: ...w You can clear 802 1x related statistics information by executing the reset command in user view Table 1 10 Display and debug 802 1x Operation Command Remarks Display the configuration session and statistics information about 802 1x display dot1x sessions statistics interface interface list This command can be executed in any view Clear 802 1x related statistics information reset dot1x statistics...

Page 310: ... name is sent to the RADIUS servers with the domain name truncated z The user name and password for local 802 1x authentication are localuser and localpass in plain text respectively The idle disconnecting function is enabled Network diagram Figure 1 12 Network diagram for AAA configuration with 802 1x and RADIUS enabled IP network Supplicant Authenticator Ethernet 1 0 1 Authentication Servers IP ...

Page 311: ...y 5 Set the timer for the switch to send real time accounting packets to the RADIUS servers Sysname radius radius1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with the domain name truncated Sysname radius radius1 user name format without domain Sysname radius radius1 quit Create the domain named aabbcc net and enter its view Sysname domain enable aabbcc net Sp...

Page 312: ...4 to provide authentication authorization and accounting services Specify aabbcc as the shared key for Switch to exchange packets with the RADIUS server z Configure hello as both the username and password for local authentication of Host B Figure 1 13 Network diagram for configuring RADIUS authentication of the telnet user Configuration Procedure Enable telnet services on Switch Switch system view...

Page 313: ...bbcc Switch radius radius1 key accounting aabbcc Switch radius radius1 server type extended Switch radius radius1 user name format with domain Switch radius radius1 quit Specify aabbcc as the mandatory authentication domain for Ethernet 1 0 1 Switch interface ethernet 1 0 1 Switch Ethernet1 0 1 dot1x mandatory domain aabbcc Switch Ethernet1 0 1 quit Enable 802 1X globally Switch dot1x Enable 802 1...

Page 314: ...to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on management devices and HABP clients usually on attached switches For ease of switch management it is recommended that you enable HABP for 802 1x enabled switches HABP Server Configuration With the HABP server launched a management device sends HABP request packets regularly to th...

Page 315: ...P habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP for it Displaying HABP After performing the above configuration you can display and verify your HABP related configuration by execute the display command in any view Table 2 3 Display HABP Operation Command Remarks Display HABP configuration and status display habp Display the MAC addres...

Page 316: ...hus system guard is implemented Configuring the System Guard Feature Through the following configuration you can enable the system guard feature set the threshold for the number of packets when an attack is detected and the length of the isolation after an attack is detected Configuring the System Guard Feature Table 3 1 Configure the system guard feature Operation Command Description Enter system...

Page 317: ...any view to display the running status of the system guard feature and to verify the configuration Table 3 2 Display and maintain system guard Operation Command Display the record of detected attacks display system guard attack record Display the state of the system guard feature display system guard state ...

Page 318: ...onfiguring RADIUS Accounting Servers 2 15 Configuring Shared Keys for RADIUS Messages 2 16 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 17 Configuring the Type of RADIUS Servers to be Supported 2 17 Configuring the Status of RADIUS Servers 2 18 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 19 Configuring the Local RADIUS Authentication Server Functio...

Page 319: ...S Authentication of Telnet SSH Users 2 31 Local Authentication of FTP Telnet Users 2 32 HWTACACS Authentication and Authorization of Telnet Users 2 34 Troubleshooting AAA 2 35 Troubleshooting RADIUS Configuration 2 35 Troubleshooting HWTACACS Configuration 2 35 ...

Page 320: ...cated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardware z Remote authentication Users are authenticated remotely through RADIUS or HWTACACS protocol This device for example a 3Com series switch acts as the client to communicate with the RADIUS or TACACS...

Page 321: ...heme and so on for each ISP domain independently in ISP domain view Authentication authorization and accounting of a user depends on the AAA methods configured for the domain that the user belongs to The ISP domain of a user is determined by the username used for login z If the user enters the username in the form of userid domain name the NAS device uses domain domain name to authenticate the use...

Page 322: ...ng as a RADIUS client passes user information to a specified RADIUS server and takes appropriate action such as establishing terminating user connection depending on the responses returned from the server z The RADIUS server receives user connection requests authenticates users and returns all required information to the switch Generally a RADIUS server maintains the following three databases see ...

Page 323: ...lient an authentication response Access Accept which contains the user s authorization information If the authentication fails the server returns an Access Reject response 4 The RADIUS client accepts or denies the user depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type attribute value sta...

Page 324: ... 4 Accounting Request Direction client server The client transmits this message to the server to request the server to start or end the accounting whether to start or to end the accounting is determined by the Acct Status Type attribute in the message This message carries almost the same attributes as those carried in the Access Request message 5 Accounting Response Direction server client The ser...

Page 325: ...Length fields Table 1 2 RADIUS attributes Type field value Attribute type Type field value Attribute type 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHAP Password 25 Class 4 NAS IP Address 26 Vendor Specific 5 NAS Port 27 Session Timeout 6 Service Type 28 Idle Timeout 7 Framed Protocol 29 Termination Action 8 Framed IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling S...

Page 326: ...reliable transmission and encryption and therefore is more suitable for security control Table 1 3 lists the primary differences between HWTACACS and RADIUS Table 1 3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP providing more reliable network transmission Adopts UDP Encrypts the entire message except the HWTACACS header Encrypts only the password field in authentication mess...

Page 327: ...hange procedure in HWTACACS The following text takes telnet user as an example to describe how HWTACACS implements authentication authorization and accounting for a user Figure 1 7 illustrates the basic message exchange procedure Figure 1 7 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows ...

Page 328: ... message carrying the password to the TACACS server 6 The TACACS server returns an authentication response indicating that the user has passed the authentication 7 The TACACS client sends a user authorization request to the TACACS server 8 The TACACS server returns an authorization response indicating that the user has passed the authorization 9 After receiving the response indicating an authoriza...

Page 329: ...configure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional AAA configuration Cutting Down User Connections Forcibly Optional Table 2 2 AAA configuration tasks configuring separate AAA schemes for an ISP domain Task Remarks Creating an ISP Domain and Configuring Its Attributes Req...

Page 330: ...etwork service Set the maximum number of access users that the ISP domain can accommodate access limit disable enable max user number Optional By default there is no limit on the number of access users that the ISP domain can accommodate Set the idle cut function idle cut disable enable minute flow Optional By default the idle cut function is disabled Set the accounting optional switch accounting ...

Page 331: ...user information security With the cooperation of other networking devices such as switches in a network a CAMS server can implement the AAA functions and right management Configuring an AAA Scheme for an ISP Domain You can configure a combined AAA scheme or separate AAA scheme on the switch z If both are configured separate AAA schemes apply z Once the authentication command is configured separat...

Page 332: ...e local hwtacacs scheme hwtacacs scheme name local Required By default an ISP domain uses the local AAA scheme Specify an AAA scheme for LAN users scheme lan access local none radius scheme radius scheme name local none Optional Not configured by default Specify an AAA scheme for login users scheme login local none radius scheme radius scheme name local hwtacacs scheme hwtacacs scheme name local O...

Page 333: ...e the FTP service you should not configure the none scheme z If scheme switching occurs during authentication local authorization and accounting will be performed If no scheme switching occurs during authentication authorization and accounting will use the primary scheme z The AAA scheme specified with the scheme command is for all types of users and has a priority lower than that for a specific a...

Page 334: ...ocal and none authentication methods do not require any scheme 2 Determine the access mode or service type to be configured With AAA you can configure an authentication method specifically for each access mode and service type limiting the authentication protocols that can be used for access 3 Determine whether to configure an authentication authorization accounting method for all access modes or ...

Page 335: ...tching processes do not affect each other For example if scheme switching occurs during authentication the primary HWTACACS authorization scheme is still used though the authorization hwtacacs scheme hwtacacs scheme name local command is configured Authorization scheme switching occurs only when the HWTACACS scheme is invalid z The authentication scheme specified with the authentication command is...

Page 336: ...ames on the switch If it finds a match it adds the port to the corresponding VLAN Otherwise the VLAN assignment fails and the user fails the authentication In actual applications to use this feature together with Guest VLAN you should better set port control to port based mode For more information refer to the section Basic 802 1x Configuration of 802 1x Operation Manual Table 2 6 Configure dynami...

Page 337: ...cal user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state that is the user is allowed to request network services Authorize the user to access specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any serv...

Page 338: ...MAC address authentication can be assigned with an authorization VLAN The switch will not assign authorization VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentication user or multiple users with the same authorization VLAN to a port z For local RADIUS authentication to take effect the VLAN assignment mode must be...

Page 339: ...DIUS Server Goes Down Optional Configuring the RADIUS client Enabling the User Re Authentication at Restart Function Optional Configuring the RADIUS server Refer to the configuration of the RADIUS Server Table 2 10 RADIUS configuration tasks the switch functions as a local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required ...

Page 340: ...ication authorization server and one accounting server and keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Actually the RADIUS service configuration only defines the parameters for information exchange between switch and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP d...

Page 341: ...cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port number of the primary authentication server used by the default RAD...

Page 342: ...e name Required By default a RADIUS scheme named system has already been created in the system Configure the RADIUS authorization attribute ignoring function attribute ignore standard vendor vendor id type type value Required Disabled by default In a RADIUS scheme you can configure z One standard attribute ignoring command z One proprietary attribute ignoring command per vendor z Up to three attri...

Page 343: ...ew system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS accounting server primary accounting ip address ipv6 ipv6 address port number key string Required By default the IP address and UDP port number of the primary accoun...

Page 344: ...se it discards the request z You can set the maximum allowed number of continuous real time accounting failures If the number of continuously failed real time accounting requests to the RADIUS server reaches the set maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 res...

Page 345: ...m number of times to transmit the request the switch considers that the request fails Table 2 16 Configure the maximum transmission attempts of a RADIUS request Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the maximum numb...

Page 346: ... the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary servers are in active or block state the switch sends messages only to the primary server Table 2 18 Set the status of RADIUS servers Operation Command Remarks E...

Page 347: ...flows to RADIUS servers data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet unit for outgoing RADIUS flows are byte and one packet respectively Set the MAC address format of the Calling Station Id Type 31 field in RADIUS packets calling station id mode mode1 mode2 lowercase up...

Page 348: ... MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling Station Id field recognizable to RADIUS servers is different from the default MAC address format on the switch For details about field formats recognizable to RADIUS servers refer to the correspondi...

Page 349: ... server The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit the request to ensure that the user can obtain RADIUS service For the primary and secondar...

Page 350: ...tional By default the real time accounting interval is 12 minutes Enabling Sending Trap Message when a RADIUS Server Goes Down Table 2 22 Specify to send trap message when a RADIUS server goes down Operation Command Remarks Enter system view system view Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down Optional By default ...

Page 351: ...ding to the information NAS ID NAS IP address and session ID contained in the message and ends the accounting for the users depending on the last accounting update message 4 Once the switch receives the response from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Acco...

Page 352: ...eme The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Table 2 25 Create a HWTACACS scheme Operation Command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exist...

Page 353: ...Configuring TACACS Authorization Servers Table 2 27 Configure TACACS authorization servers Operation Command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the IP address and port number of the primary TACACS authorization server primary authorization ip address port Required B...

Page 354: ...onal By default the stop accounting messages retransmission function is enabled and the system can transmit a buffered stop accounting request for 100 times z You are not allowed to configure the same IP address for both primary and secondary accounting servers If you do this the system will prompt that the configuration fails z You can remove a server only when it is not used by any active TCP co...

Page 355: ...e user names sent from the switch to TACACS server carry ISP domain names data flow format data byte giga byte kilo byte mega byte Set the units of data flows to TACACS servers data flow format packet giga packet kilo packet mega packet one packet Optional By default in a TACACS scheme the data unit and packet unit for outgoing HWTACACS flows are byte and one packet respectively HWTACACS scheme vi...

Page 356: ...nting interval is 12 minutes z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting the switch periodically sends online users accounting information to the TACACS server at the set interval z The real time accounting interval must be a multiple of 3 z The setting of real time accounting interval somewhat depends on the perf...

Page 357: ...tics display radius statistics Display buffered non response stop accounting requests display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop time user name user name You can execute the display command in any view Delete buffered non response stop accounting requests reset stop accounting buffer radius scheme radius scheme name session id s...

Page 358: ...ers The IP address of the server is 10 110 91 164 z Set the shared keys for authentication authorization and accounting packets exchanged with the RADIUS server to aabbcc Configure the switch to remove the domain name from a username before sending the username to the RADIUS server z Configure the switch to perform RADIUS authentication for Host A and local authentication for Host B Figure 2 2 Con...

Page 359: ...Switch Ethernet1 0 1 dot1x Remote RADIUS Authentication of Telnet SSH Users The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users The following text only takes Telnet users as example to describe the configuration procedure for remote authentication Network requirements In the network environment shown in Figure 2 3 you are required...

Page 360: ...sname domain cams Sysname isp cams access limit enable 10 Sysname isp cams quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams key authentication aabbcc Sysname radius cams server type Extended Sysname radius cams user name format with domain Sysname radius cams quit Asso...

Page 361: ...authentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user telnet Sysname luser telnet service type telnet Sysname luser telnet password simple aabbcc Sysname luser telnet quit Configure an authentication scheme for the default system domain Sysname domain syste...

Page 362: ... set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off user names before sending user names to the TACACS server Configure the shared key to aabbcc on the TACACS server for exchanging messages with the switch Network diagram Figure 2 5 Remote HWTACACS authentication and authorization ...

Page 363: ... from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communication links physical link layer between the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set...

Page 364: ...s 1 2 Configuring Basic MAC Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 3 MAC Address Authentication Enhanced Function Configuration Tasks 1 3 Configuring a Guest VLAN 1 4 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port 1 5 Configuring the Quiet MAC Function on a Port 1 6 Displaying and Debugging MAC Authenti...

Page 365: ...t local user attributes Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS server the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server z In MAC address mode the switch sends the MAC addresses detected to the RADIUS server as both the user names and passwords z In fixed mode the switch sends the user n...

Page 366: ...mply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly in a short time z If the quiet MAC is the same as the static MAC configured or an authentication passed MAC then the quiet function is not effective z The S4210 series Ethernet switches support quiet MAC function on ports Configuring Basic MAC Authentication Functions Table 1 1 Config...

Page 367: ... timeout timer z If MAC authentication is enabled on a port you cannot configure the maximum number of dynamic MAC address entries for that port through the mac address max mac count command and vice versa z If MAC authentication is enabled on a port you cannot configure port security through the port security enable command on that port and vice versa z You can configure MAC authentication on a p...

Page 368: ...AN and thus the user can access the network resources of the Guest VLAN After a port is added to a Guest VLAN the switch will re authenticate the first access user of this port namely the first user whose unicast MAC address is learned by the switch periodically If this user passes the re authentication this port will exit the Guest VLAN and thus the user can access the network normally z Guest VL...

Page 369: ...e the VLAN configured as a Guest VLAN If you want to remove this VLAN you must remove the Guest VLAN configuration for it Refer to the VLAN module in this manual for the description on the undo vlan command z Only one Guest VLAN can be configured for a port and the VLAN configured as the Guest VLAN must be an existing VLAN Otherwise the Guest VLAN configuration does not take effect If you want to ...

Page 370: ...e the maximum number of MAC address authentication users for a port if any user connected to this port is online Configuring the Quiet MAC Function on a Port You can configure whether to enable the quiet MAC function on a port When this function is enabled the MAC address connected to this port will be set as a quiet MAC address if its authentication fails When this function is disabled the MAC ad...

Page 371: ...ly and the MAC address of the PC 00 0d 88 f6 44 c1 is used as both the user name and password Network Diagram Figure 1 1 Network diagram for MAC authentication configuration Configuration Procedure Enable MAC authentication on port Ethernet 1 0 2 Sysname system view Sysname mac authentication interface Ethernet 1 0 2 Set the user name in MAC address mode for MAC authentication requiring hyphened l...

Page 372: ...AC authentication globally This is usually the last step in configuring access control related features Otherwise a user may be denied of access to the networks because of incomplete configuaration Sysname mac authentication After doing so your MAC authentication configuration will take effect immediately Only users with the MAC address of 00 0d 88 f6 44 c1 are allowed to access the Internet throu...

Page 373: ...t Rate Limit 1 5 Introduction to Gratuitous ARP 1 5 ARP Configuration 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring the ARP Packet Rate Limit Function 1 7 Gratuitous ARP Packet Configuration 1 8 Displaying and Debugging ARP 1 8 ARP Configuration Example 1 9 ARP Basic Configuration Example 1 9 ARP Attack Detection and Packet Rate Limit Configuration Exampl...

Page 374: ...equest messages and ARP reply messages Figure 1 1 illustrates the format of these two types of ARP messages z As for an ARP request all the fields except the hardware address of the receiver field are set The hardware address of the receiver is what the sender requests for z As for an ARP reply all the fields are set Figure 1 1 ARP message format Hardware type 16 bits Protocol type 16 bits Length ...

Page 375: ... address of the sender Hardware address of the receiver z For an ARP request packet this field is null z For an ARP reply packet this field carries the hardware address of the receiver IP address of the receiver IP address of the receiver Table 1 2 Description on the values of the hardware type field Value Description 1 Ethernet 2 Experimental Ethernet 3 X 25 4 Proteon ProNET Token Ring 5 Chaos 6 ...

Page 376: ... IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all zero MAC address Because the ARP request is sent in broadcast mode all hosts on this subnet can receive the request but only the requested host namely Host B will process the request 3 Host B compares its ow...

Page 377: ...ily support the ARP attack detection function All ARP both request and response packets passing through the switch are redirected to the CPU which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP binding table For description of DHCP snooping table and the manually configured IP binding table refer to the DHCP snooping section in the part di...

Page 378: ...ll revert to the Up state after a configured period of time Introduction to Gratuitous ARP The following are the characteristics of gratuitous ARP packets z Both source and destination IP addresses carried in a gratuitous ARP packet are the local addresses and the source MAC address carried in it is the local MAC addresses z If a device finds that the IP addresses carried in a received gratuitous ...

Page 379: ...ntified by the interface type and interface number arguments must belong to the VLAN z Currently static ARP entries cannot be configured on the ports of an aggregation group Configuring ARP Attack Detection Table 1 5 Configure the ARP attack detection function Operation Command Remarks Enter system view system view Enable DHCP snooping dhcp snooping Required By default the DHCP snooping function i...

Page 380: ... a port of a Switch 4210 is the same as the default VLAN ID of the port If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port the ARP packet cannot pass the ARP attack detection based on the IP to MAC bindings z When you use the ARP attack detection in cooperation with VLAN mapping you need to enable ARP attack detection in both the original VLAN and the mapp...

Page 381: ...ion Table 1 7 Configure the gratuitous ARP packet Operation Command Remarks Enter system view system view Enable the gratuitous ARP packet learning function gratuitous arp learning enable Required By default the gratuitous ARP packet learning function is disabled The sending of gratuitous ARP packets is enabled as long as a Switch 4210 operates No command is needed for enabling this function That ...

Page 382: ... entry check on the switch z Set the aging time for dynamic ARP entries to 10 minutes z Add a static ARP entry with the IP address being 192 168 1 1 the MAC address being 000f e201 0000 and the outbound port being Ethernet1 0 10 of VLAN 1 Configuration procedure Sysname system view Sysname undo arp check enable Sysname arp timer aging 10 Sysname arp static 192 168 1 1 000f e201 0000 1 Ethernet1 0 ...

Page 383: ...tion trust SwitchA Ethernet1 0 1 quit Enable ARP attack detection on all ports in VLAN 1 SwitchA vlan 1 SwitchA vlan1 arp detection enable SwitchA vlan1 quit Enable the ARP packet rate limit function on Ethernet1 0 2 and set the maximum ARP packet rate allowed on the port to 20 pps SwitchA interface Ethernet1 0 2 SwitchA Ethernet1 0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 S...

Page 384: ...1 11 Configure the port state auto recovery function and set the recovery interval to 200 seconds SwitchA arp protective down recover enable SwitchA arp protective down recover interval 200 ...

Page 385: ...g WINS Servers for the DHCP Client 2 9 Configuring Gateways for the DHCP Client 2 10 Configuring BIMS Server Information for the DHCP Client 2 10 Configuring Option 184 Parameters for the Client with Voice Service 2 10 Configuring a Self Defined DHCP Option 2 13 Configuring the Interface Address Pool Based DHCP Server 2 14 Configuration Task List 2 14 Enabling the Interface Address Pool Mode on In...

Page 386: ...iguring DHCP Snooping 3 5 Configuring DHCP Snooping Trusted Untrusted Ports 3 5 Configuring DHCP Snooping to Support Option 82 3 6 Configuring IP Filtering 3 9 Displaying DHCP Snooping Configuration 3 10 DHCP Snooping Configuration Example 3 10 DHCP Snooping Option 82 Support Configuration Example 3 10 IP Filtering Configuration Example 3 11 4 DHCP Packet Rate Limit Configuration 4 1 Introduction ...

Page 387: ...nt dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 1 1 Figure 1 1 Typical DHCP application DHCP IP Address Assignment IP Address Assignment Policy Currently DHCP provides the following three IP address assignment policies to meet the requirements of different clients z Manual assignment The ...

Page 388: ...e the assignment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address and uses the IP address only if it does not receive any response within a specified period z After the client receives the DHCP ACK message it will probe whether the IP address assigned by...

Page 389: ...agents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increases by 1 z xid Random number that the client selects when it initiates a request The number is used to identify an address requesting process z secs Elapsed time after the DHCP client initiates a DHCP request z flags The first bit is the broadcast response flag bit used to identify...

Page 390: ...fications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC3046 DHCP Relay Agent Information option ...

Page 391: ...s z Large sized networks where manual configuration method bears heavy load and is difficult to manage the whole network in centralized way z Networks where the number of available IP addresses is less than that of the hosts In this type of networks IP addresses are not enough for all the hosts to obtain a fixed IP address and the number of on line users is limited such is the case in an ISP netwo...

Page 392: ...me you just need to configure them on the network segment or the corresponding subnets The following is the details of configuration inheritance 1 A newly created child address pool inherits the configurations of its parent address pool 2 For an existing parent child address pool pair when you performs a new configuration on the parent address pool z The child address pool inherits the new configu...

Page 393: ...ls to DHCP clients in the following sequence 1 IP addresses that are statically bound to the MAC addresses of DHCP clients or client IDs 2 The IP address that was ever assigned to the client 3 The IP address designated by the Option 50 field in a DHCP DISCOVER message 4 The first assignable IP address found in a proper DHCP address pool 5 If no IP address is available the DHCP server queries lease...

Page 394: ...rt 68 ports will be disabled Configuring the Global Address Pool Based DHCP Server Configuration Task List Complete the following tasks to configure the global address pool based DHCP server Task Remarks Enabling the Global Address Pool Mode on Interface s Required Creating a DHCP Global Address Pool Required Configuring the static IP address allocation mode Configuring an Address Allocation Mode ...

Page 395: ...address pool mode Creating a DHCP Global Address Pool Follow these steps to create a DHCP address pool To do Use the command Remarks Enter system view system view Create a DHCP global address pool and enter its view dhcp server ip pool pool name Required Not created by default Configuring an Address Allocation Mode for the Global Address Pool You can configure either the static IP address allocati...

Page 396: ...bound static bind mac address mac address Bind an IP address to the MAC address of a DHCP client or a client ID statically Configure the client ID to which the IP address is to be statically bound static bind client identifier client identifier One of these two options is required By default no MAC address or client ID to which an IP address is to be statically bound is configured z The static bin...

Page 397: ...s the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ with address pools But that of the IP addresses of the same address pool are the same Lease time is not inherited that is to say the lease time of a child address pool is not affected by the configura...

Page 398: ...about DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a domain name suffix for the client domain name domain name Required Not configured by default Configuring DNS Servers for the DHCP Client If a client...

Page 399: ... WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding to the destination node name to the source node z M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed that is to say this type of nodes o...

Page 400: ...refore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure the BIMS server information to be assigned to the DHCP client bims ...

Page 401: ...b option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function is enabled The sub option 3 of Option 184 comprises two parts z One part carries the flag indicating whether the voice VLAN identification function is enabled z The other part carries the ID of the ...

Page 402: ...ponse packet to be sent to the DHCP client Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184 does the DHCP server add Option 184 in the response packet sent to the client Configuring Option 184 Parameters for the DHCP Client with Voice Service Follow these steps to configure Option 184 parameters for the DHCP client with voice service To do Use the ...

Page 403: ... meet customers requirements for example you cannot use the dns list command to configure more than eight DNS server addresses you can configure a self defined option for extension Follow these steps to configure a self defined DHCP option To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a self defined DHCP option opti...

Page 404: ...in IP addresses from the same network segment the number of DHCP clients cannot exceed the number of the IP addresses assignable in the VLAN interface address pool Configuration Task List An interface address pool is created when the interface is assigned a valid unicast IP address and you execute the dhcp select interface command in interface view The IP addresses contained in it belong to the ne...

Page 405: ...of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses from the interface address pools and assigns them to the DHCP clients If there is no available IP address in the interface address pools the DHCP server picks IP addresses from its global address pool that contains the interface address pool seg...

Page 406: ...lly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC addresses of these DHCP clients When such a DHCP client applies for an IP address the DHCP server finds the IP address corresponding to the MAC address of the DHCP client and then assigns the IP address to ...

Page 407: ...to be dynamically assigned is unnecessary To avoid address conflicts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation To avoid IP address conflicts the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices such as gateways a...

Page 408: ...e DHCP server The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client Follow these steps to configure a domain name suffix for the client To do Use the command Remarks Enter system view system view interface interface type interface number dhcp server domain name domain name In the current interface address pool quit Configure a domain name suffix f...

Page 409: ...dcast The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node After receiving the broadcast packet the destination node returns its IP address to the source node z P node Nodes of this type establish their mappings by communicating with WINS servers The character p stands for peer to peer The source node sends ...

Page 410: ...r address Configuring BIMS Server Information for the DHCP Client A DHCP client performs regular software update and backup using configuration files obtained from a BIMS server Therefore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP client To do Use the c...

Page 411: ...alling processor dhcp server voice config ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network calling processor dhcp server voice config as ip ip address all interface interface type interface number to interface type interface number Optional Not specified by default Configure the voice VLA...

Page 412: ...interface number all Required By default no customized option is configured Be cautious when configuring self defined DHCP options because such configuration may affect the DHCP operation process Configuring DHCP Server Security Functions DHCP security configuration is needed to ensure the security of DHCP service Prerequisites Before configuring DHCP security you should first complete the DHCP se...

Page 413: ...he IP address to the requesting client The DHCP client probes the IP address by sending gratuitous ARP packets Follow these steps to configure IP address detecting To do Use the command Remarks Enter system view system view Specify the number of ping packets dhcp server ping packets number Optional Two ping packets by default Configure a timeout waiting for ping responses dhcp server ping timeout ...

Page 414: ...three packets bring no response from the RADIUS server the DHCP server does not send Accounting START packets any more DHCP Accounting Configuration Prerequisites Before configuring DHCP accounting make sure that z The DHCP server is configured and operates properly Address pools and lease time are configured z DHCP clients are configured and DHCP service is enabled z The network operates properly...

Page 415: ... ip Display information about address binding display dhcp server ip in use ip ip address pool pool name interface interface type interface number all Display the statistics on a DHCP server display dhcp server statistics Display information about DHCP address pool tree display dhcp server tree pool pool name interface interface type interface number all Available in any view Clear IP address conf...

Page 416: ...d VLAN interface 2 on Switch A are 10 1 1 1 25 and 10 1 1 129 25 respectively z In the address pool 10 1 1 0 25 the address lease duration is ten days and twelve hours domain name suffix aabbcc com DNS server address 10 1 1 2 gateway 10 1 1 126 and WINS server 10 1 1 4 z In the address pool 10 1 1 128 25 the address lease duration is five days domain name suffix aabbcc com DNS server address 10 1 ...

Page 417: ...1 0 24 and the attributes will be based on the configuration of the parent address pool For this example the number of clients applying for IP addresses from VLAN interface 1 is recommended to be less than or equal to 122 and the number of clients applying for IP addresses from VLAN interface 2 is recommended to be less than or equal to 124 Network diagram Figure 2 2 Network diagram for DHCP confi...

Page 418: ...A dhcp pool 1 nbns list 10 1 1 4 SwitchA dhcp pool 1 quit Configure DHCP address pool 2 including address range gateway and lease time SwitchA dhcp server ip pool 2 SwitchA dhcp pool 2 network 10 1 1 128 mask 255 255 255 128 SwitchA dhcp pool 2 expired day 5 SwitchA dhcp pool 2 gateway list 10 1 1 254 DHCP Server with Option 184 Support Configuration Example Network requirements A 3COM VCX device ...

Page 419: ...rface2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure VLAN interface 2 to operate in the DHCP server mode Sysname dhcp select global interface vlan interface 2 Enter DHCP address pool view Sysname dhcp server ip pool 123 Configure sub options of Option 184 in global DHCP address pool view Sysname dhcp pool 123 network 10 1 1 1 mask 255 255 255 0 Sysname dhcp pool 123 voic...

Page 420: ...2 Sysname interface ethernet 1 0 1 Sysname Ethernet1 0 1 port access vlan 2 Sysname Ethernet1 0 1 quit Enter Ethernet 1 0 2 port view and add the port to VLAN 3 Sysname interface ethernet 1 0 2 Sysname Ethernet1 0 2 port access vlan 3 Sysname Ethernet1 0 2 quit Enter VLAN 2 interface view and assign the IP address 10 1 1 1 24 to the VLAN interface Sysname interface vlan interface 2 Sysname Vlan in...

Page 421: ...ent from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destination and an enough timeout time z The IP address is manually configured on a host if you receive a response packet of the ping operation You can then disable the IP address from being dynamically assig...

Page 422: ...on DHCP snooping listens the DHCP REQUEST packets and DHCP ACK packets to retrieve the IP addresses the DHCP clients obtain from DHCP servers and the MAC addresses of the DHCP clients Introduction to DHCP Snooping Trusted Untrusted Ports When an unauthorized DHCP server exists in the network a DHCP client may obtains an illegal IP address To ensure that the DHCP clients obtain IP addresses from va...

Page 423: ...ed with DHCP snooping are padded as follows z sub option 1 circuit ID sub option Padded with the port index smaller than the physical port number by 1 and VLAN ID of the port that received the client s request z sub option 2 remote ID sub option Padded with the bridge MAC address of the DHCP snooping device that received the client s request By default when Switch 4210 Family serve as DHCP snoopin...

Page 424: ... content The storage format of Option 82 content is the one specified with the dhcp snooping information format command or the default HEX format if this command is not executed Circuit ID sub option is configured Forward the packet after replacing the circuit ID sub option of the original Option 82 with the configured circuit ID sub option in ASCII format Replace Remote ID sub option is configure...

Page 425: ...kets a switch needs to send them to the CPU for processing Too many request packets cause high CPU usage rate As a result the CPU cannot work normally z The switch can filter invalid IP packets through the DHCP snooping table and IP static binding table DHCP snooping table After DHCP snooping is enabled on a switch a DHCP snooping table is generated It is used to record IP addresses obtained from ...

Page 426: ... it otherwise the switch drops it directly DHCP Snooping Configuration Configuring DHCP Snooping Follow these steps to configure DHCP snooping Operation Command Description Enter system view system view Enable DHCP snooping dhcp snooping Required By default the DHCP snooping function is disabled After DHCP snooping is enabled on a Switch 4210 clients connected with this switch cannot obtain IP add...

Page 427: ... Required Follow these steps to configure a handling policy for DHCP packets with Option 82 Optional Configure the storage format of Option 82 Optional Configure the circuit ID sub option Optional Configure the remote ID sub option Optional Configure the padding format for Option 82 Optional Enable DHCP snooping Option 82 support Follow these steps to enable DHCP snooping Option 82 support Operati...

Page 428: ... not natively configured Configure the storage format of Option 82 Switch 4210 Family support the HEX or ASCII format for the Option 82 field Follow these steps to configure a storage format for the Option 82 field Operation Command Description Enter system view system view Configure a storage format for the Option 82 field dhcp snooping information format hex ascii Optional By default the format ...

Page 429: ...on in system view or Ethernet port view z In system view the remote ID takes effect on all interfaces You can configure Option 82 as the system name sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customized character string in the ASCII format for differ...

Page 430: ...o the one configured on the primary port z The remote ID configured on a port will not be synchronized in the case of port aggregation Configure the padding format for Option 82 Follow these steps to configure the padding format for Option 82 Operation Command Description Enter system view system view Configure the padding format dhcp snooping information packet format extended standard Optional B...

Page 431: ... command in any view Follow these steps to display DHCP snooping Operation Command Description Display the user IP MAC address mapping entries recorded by the DHCP snooping function display dhcp snooping unit unit id Display the enabled disabled state of the DHCP snooping function and the trusted ports display dhcp snooping trust Display the IP static binding table display ip source static binding...

Page 432: ...Option 82 to the system name sysname of the DHCP snooping device Switch dhcp snooping information remote id sysname Set the circuit ID sub option in DHCP packets from VLAN 1 to abcd on Ethernet 1 0 3 Switch interface Ethernet1 0 3 Switch Ethernet1 0 3 dhcp snooping information vlan 1 circuit id string abcd IP Filtering Configuration Example Network requirements As shown in Figure 3 9 Ethernet1 0 1...

Page 433: ... view Switch dhcp snooping Specify Ethernet1 0 1 as the trusted port Switch interface Ethernet1 0 1 Switch Ethernet1 0 1 dhcp snooping trust Switch Ethernet1 0 1 quit Enable IP filtering on Ethernet1 0 2 Ethernet1 0 3 and Ethernet1 0 4 to filter packets based on the source IP addresses MAC addresses Switch interface Ethernet1 0 2 Switch Ethernet1 0 2 ip check source ip address mac address Switch E...

Page 434: ...3 13 Switch Ethernet1 0 2 ip source static binding ip address 1 1 1 1 mac address 0001 0001 0001 ...

Page 435: ...g describes only the DHCP packet rate limit function After DHCP packet rate limit is enabled on an Ethernet port the switch counts the number of DHCP packets received on this port per second If the number of DHCP packets received per second exceeds the specified value packets are passing the port at an over high rate which implies an attack to the port In this case the switch shuts down this port ...

Page 436: ...d Set the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds z Enable the port state auto recovery function before setting the auto recovery interval z You are not recommended to configure DHCP packet rate limit on the ports of an aggregation group Rate Limit Configuration Example Network requirements As sh...

Page 437: ... Switch interface Ethernet1 0 1 Switch Ethernet1 0 1 dhcp snooping trust Switch Ethernet1 0 1 quit Enable auto recovery Switch dhcp protective down recover enable Set the port state auto recovery interval to 30 seconds Switch dhcp protective down recover interval 30 Enter port view Switch interface Ethernet 1 0 11 Enable DHCP packet rate limit on Ethernet1 0 11 Switch Ethernet1 0 11 dhcp rate limi...

Page 438: ...ote server for initialization Since the devices of an enterprise network may be deployed in a wide geographical area the task of manually configuring each device is huge With the automatic configuration feature the network administrator can save the configuration file on a server for other devices to get Therefore the automatic configuration feature simplifies network configuration and facilitates...

Page 439: ...e name Option 67 the domain name Option 66 or IP address Option 150 of a TFTP server that keeps the configuration file 3 The switch obtains the configuration file from the TFTP server as follows z The switch first requests the domain name corresponding to its IP address from the DNS server and takes the domain name as a configuration file name to get the configuration file from the TFTP server z I...

Page 440: ...he automatic configuration terminates During this period the command line input is disabled in case of deletion of commands mistakenly After the automatic configuration terminates the command line input is enabled again z If the switch obtains the configuration file before you press Enter the configuration file will not be executed Introduction to BOOTP Client After you specify an interface as a b...

Page 441: ... client can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period z A Switch 4210 functioning as a DHCP client supports default route creation That is the DHCP client creates a default route with the next hop being the gateway assigned by the DHCP server To view detailed information about the default route run the display ip routing table command...

Page 442: ...client Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc Displaying DHCP BOOTP Client Configuration Follow these steps to displaying DHCP BOOTP Client Operation Command Description Display related information on a DHCP client display dhcp client verbose Display related in...

Page 443: ...yer 2 ACL 1 7 ACL Assignment 1 8 Assigning an ACL Globally 1 8 Assigning an ACL to a VLAN 1 9 Assigning an ACL to a Port 1 9 Displaying ACL Configuration 1 10 Example for Upper layer Software Referencing ACLs 1 11 Example for Controlling Telnet Login Users by Source IP 1 11 Example for Controlling Web Login Users by Source IP 1 11 Example for Applying ACLs to Hardware 1 12 Basic ACL Configuration ...

Page 444: ...nd destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as source and destination MAC addresses VLAN priorities type of Layer 2 protocol and so on z User defined ACL An ACL of this type matches packets by comparing the strings retrieved from the packets with specified strings It defin...

Page 445: ... the match priority z If the types of parameter are the same for multiple rules then the sum of parameters weighting values of a rule determines its priority The smaller the sum the higher the match priority Ways to Apply an ACL on a Switch Being applied to the hardware directly In the switch an ACL can be directly applied to hardware for packet filtering and traffic classification In this case th...

Page 446: ...ets You can specify a time range for each rule in an ACL A time range based ACL takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two types of time ranges are available z Periodic time range which recurs periodically on the day or days of the week z Absolute time range which takes effect only in...

Page 447: ...m 12 00 to 14 00 on every Wednesday in 2004 z If the start time is not specified the time section starts from 1970 1 1 00 00 and ends on the specified end date If the end date is not specified the time section starts from the specified start date to 2100 12 31 23 59 Configuration Example Define a periodic time range that spans from 8 00 to 18 00 on Monday through Friday Sysname system view Sysname...

Page 448: ...stem will display an error message and you need to specify a number for the rule z The content of a modified or created rule cannot be identical with the content of any existing rule otherwise the rule modification or creation will fail and the system prompts that the rule already exists z With the auto match order specified the newly created rules will be inserted in the existent ones by depth fi...

Page 449: ...ent text Optional No description by default Assign a description string to the ACL description text Optional No description by default Note that z With the config match order specified for the advanced ACL you can modify any existent rule The unmodified part of the rule remains With the auto match order specified for the ACL you cannot modify any existent rule otherwise the system prompts error in...

Page 450: ...ayer 2 ACL rule Operation Command Description Enter system view system view Create a Layer 2 ACL and enter layer 2 ACL view acl number acl number Required Define an ACL rule rule rule id permit deny rule string Required For information about rule string refer to ACL Commands Assign a description string to the ACL rule rule rule id comment text Optional No description by default Assign a descriptio...

Page 451: ...Ls to a VLAN for filtering the inbound packets on all the ports and belonging to a VLAN z Assigning ACLs to a port for filtering the inbound packets on a port You can assign ACLs in the above mentioned ways as required In terms of priority the ACLs assigned globally ACLs assigned to a VLAN and ACLs assigned to a port group or a port rank in descending order If a packet matches multiple rules in th...

Page 452: ... Assign an ACL to a VLAN Operation Command Description Enter system view system view Apply an ACL to a VLAN packet filter vlan vlan id inbound acl rule Required For description on the acl rule argument refer to ACL Command An ACL assigned to a VLAN takes effect only for the packets tagged with 802 1Q header For more information about 802 1Q header refer to the VLAN part Configuration example Apply...

Page 453: ... Ethernet 1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 2000 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table 1 8 Display ACL configuration Operation Command Description Display a configured ACL or all the ACLs display acl all acl number Display a time rang...

Page 454: ...ACL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet login users Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound Example for Controlling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source...

Page 455: ...n ACL on Ethernet 1 0 1 to deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 everyday Network diagram Figure 1 3 Network diagram for basic ACL configuration Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 2000 to filter packets with the source IP address o...

Page 456: ...Network diagram Figure 1 4 Network diagram for advanced ACL configuration Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 working day Define ACL 3000 to filter packets destined for Internet Sysname acl number 3000 Sysname acl adv 3000 rule 1 deny tcp destination port eq 80 time range test Sysn...

Page 457: ...e range test 8 00 to 18 00 daily Define ACL 4000 to filter packets with the source MAC address of 0011 0011 0011 Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 1 deny source 0011 0011 0011 ffff ffff ffff time range test Sysname acl ethernetframe 4000 quit Apply ACL 4000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packet filter inbound link group 4000 ...

Page 458: ...2 Configuring Priority Trust Mode 1 12 Configuring Priority Mapping 1 14 Marking Packet Priority 1 15 Configuring Traffic Policing 1 16 Configuring Port Rate Limiting 1 18 Configuring Traffic Redirecting 1 19 Configuring Queue Scheduling 1 20 Configuring Traffic Accounting 1 21 Enabling the Burst Function 1 22 Configuring Traffic Mirroring 1 23 Displaying QoS 1 25 QoS Configuration Example 1 26 Co...

Page 459: ... only suitable for applications insensitive to bandwidth and delay such as WWW file transfer and E mail New Applications and New Requirements With the expansion of computer network more and more networks become part of the Internet The Internet gains rapid development in terms of scale coverage and user quantities More and more users use the Internet as a platform for their services and for data t...

Page 460: ...tput traffic rate usually to the input capability of the receiving device to avoid packet drop and port congestion Traffic shaping is usually applied in the outbound direction of a port z Congestion management handles resource competition during network congestion Generally it puts packets into queues first and then schedules the packets with a certain algorithm Congestion management is usually ap...

Page 461: ...ity trust mode refer to Priority trust mode z For information about line rate refer to Port Rate Limiting z For information about the burst function refer to Burst Congestion management WRR and HQ WRR queue scheduling algorithms For introduction to WRR and HQ WRR queue scheduling algorithms refer to Queue Scheduling Introduction to QoS Features Traffic Classification Traffic here refers to service...

Page 462: ...000 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a network providing differentiated services traffics are grouped into the following four classes and packets are processed according to their DSCP values z Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class ...

Page 463: ...6 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 be default 2 802 1p priority 802 1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header does not need analysis but QoS must be assured at Layer 2 Figure 1...

Page 464: ... in the 802 1p specifications 3 Local precedence Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to one of the eight hardware output queues Packets with the highest local precedence are processed preferentially As local precedence is used only for internal queuing a packet does not carry it after leaving the queue Priori...

Page 465: ...rity types Table 1 5 Description on the two trusted packet priority types Trusted priority type Description 802 1p priority The switch searches for the local precedence corresponding to the 802 1p priority of the packet in the 802 1p to local precedence mapping table and assigns the local precedence to the packet DSCP precedence The switch searches for the local precedence corresponding to the DSC...

Page 466: ...is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more users For example a traffic flow can be limited to get only its committed resources during a time period to avoid network congestion caused by excessive bursts Traffic policing is a kind of traffic control policy used to limit the traffic and the ...

Page 467: ...e away some tokens whose number is corresponding to the packet forwarding authority if the number of tokens in the bucket is not enough it means that too many tokens have been used and the traffic is excess Traffic policing The typical application of traffic policing is to supervise specific traffic into the network and limit it to a reasonable range or to discipline the extra traffic In this way ...

Page 468: ... the problem that many packets compete for resources must be solved usually through queue scheduling In the following section strict priority SP queues weighted round robin WRR and HQ WRR High Queue WRR queues are introduced 1 SP queuing Figure 1 6 Diagram for SP queuing SP queue scheduling algorithm is specially designed for critical service applications An important feature of critical services ...

Page 469: ...1 1 at least and the disadvantage of SP queue scheduling that the packets in queues with lower priority may not get service for a long time is avoided Another advantage of WRR queue is that though the queues are scheduled in order the service time for each queue is not fixed that is to say if a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use 3 ...

Page 470: ...n tasks Task Remarks Configuring Priority Trust Mode Optional Configuring Priority Mapping Optional Marking Packet Priority Optional Configuring Traffic Policing Optional Configuring Port Rate Limiting Optional Configuring Traffic Redirecting Optional Configuring Queue Scheduling Optional Configuring Traffic Accounting Optional Enabling the Burst Function Optional Configuring Traffic Mirroring Opt...

Page 471: ...itches trust port priority z If you configure to trust packet priority without specifying the trusted priority type the switch trusts the 802 1p priority of the received packets z On the 4210 series switches to configure to trust DSCP precedence of packets you should configure the priority trust command first and then use the priority trust command to specify the DSCP precedence Configure to trust...

Page 472: ...le 1 10 Configure CoS precedence to local precedence mapping table Operation Command Description Enter system view system view Configure CoS precedence to local p recedence mapping table qos cos local precedence map cos0 map local prec cos1 map local prec cos2 map local prec cos3 map local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required Table 1 11 Conf...

Page 473: ...nd to mark the 802 1p priority local precedence and DSCP precedence of the packets Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification are specified Refer to the ACL module of this manual for related information z The type and value of the precedence to be marked for the packets matching the ACL rules ar...

Page 474: ...d with 802 1Q header Configuration example z Ethernet 1 0 1 belongs to VLAN 2 and is connected to the 10 1 1 0 24 network segment z Mark the DSCP precedence as 56 for the packets from the 10 1 1 0 24 network segment 1 Method I configure priority marking for port Ethernet 1 0 1 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic...

Page 475: ...ing statistics reset traffic limit inbound acl rule Optional Table 1 16 Configure traffic policing for packets that are of a VLAN and match specific ACL rules Operation Command Description Enter system view system view Configure traffic policing traffic limit vlan vlan id inbound acl rule target rate burst bucket burst bucket size conform con action exceed exceed action meter statistic Required By...

Page 476: ...re traffic policing for VLAN 2 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic limit vlan 2 inbound ip group 2000 128 exceed remark dscp 56 Configuring Port Rate Limiting Refer to section Port Rate Limiting for information about port rate limiting Note that the target rate argument is committed inf...

Page 477: ...ch specific ACL rules and are of a VLAN or pass a port Table 1 19 Redirect all the packets matching specific ACL rules Operation Command Description Enter system view system view Configure traffic redirecting traffic redirect inbound acl rule cpu interface interface type interface number Required Table 1 20 Redirect packets that are of a VLAN and match specific ACL rules Operation Command Descript...

Page 478: ... Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traffic redirect inbound ip group 2000 interface Ethernet1 0 7 2 Method II configure traffic redirecting for VLAN 2 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic redirect vlan 2 inbound ip group 2000 interface Ethernet1 0 7 Configuring Queue ...

Page 479: ...ate traffic statistics or clear traffic statistics on all the packets matching specific ACL rules or on packets that match specific ACL rules and are of a VLAN or pass a port Table 1 23 Generate traffic statistics on all the packets matching specific ACL rules Operation Command Description Enter system view system view Generate the statistics on the packets matching specific ACL rules traffic stat...

Page 480: ...kets sourced from the 10 1 1 0 24 network segment z Clear the statistics 1 Method I configure traffic accounting for port Ethernet 1 0 1 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traffic statistic inbound ip group 2000 Sysname Ethernet1 0 1 reset traffic ...

Page 481: ...irroring port is determined Configuration procedure You can configure traffic mirroring on all the packets matching specific ACL rules or on packets that match specific ACL rules and are of a VLAN or pass a port Table 1 27 Configure traffic mirroring globally Operation Command Description Enter system view system view Enter Ethernet port view of the destination port interface interface type interf...

Page 482: ...rroring configuration interface interface type interface number Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match mirrored to inbound acl rule cpu monitor interface Required The traffic mirroring function configured on a VLAN is only applicable to packets tagged with 802 1Q header Configuration example Network requirements z Ethernet 1 0 1 is connect...

Page 483: ...play qos interface interface type interface number unit id all Display rate limiting configuration of a port or all the ports display qos interface interface type interface number unit id line rate Display traffic policing configuration of a port or all the ports display qos interface interface type interface number unit id traffic limit Display priority marking configuration of a port or all the ...

Page 484: ...to the switch through Ethernet 1 0 2 Configure traffic policing to satisfy the following requirements z Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps Drop the packets exceeding the rate limit z Set the maximum rate of outbound IP packets sourced from the R D department to 128 kbps Drop the packets exceeding the rate limit Network diagram Figure 1 8 Ne...

Page 485: ...of outbound IP packets sourced from the R D department to 128 kbps Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 traffic limit inbound ip group 2000 128 exceed drop Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps Sysname interface Ethernet 1 0 2 Sysname Ethernet1 0 2 traffic limit inbound ip group 2001 64 exceed drop ...

Page 486: ...S profiles dynamically a user name to QoS profile mapping table is required on the AAA server For a switch operating in this mode after a user passes the 802 1x authentication the switch looks up the user name to QoS profile mapping table for the QoS profile using the user name and then applies the QoS profile found to the port the user is connected to Corresponding to the 802 1x authentication mo...

Page 487: ...QoS profile are specified Configuration procedure Table 2 2 Configure a QoS profile Operation Command Description Enter system view system view Create a QoS profile and enter QoS profile view qos profile profile name Required If the specified QoS profile already exists you enter the QoS profile view directly Configure traffic policing traffic limit inbound acl rule target rate burst bucket burst b...

Page 488: ...ode to apply a QoS profile is user based z If the 802 1x authentication mode is MAC address based the mode to apply a QoS profile must be configured user based z If the 802 1x authentication mode is port based the mode to apply a QoS profile must be configured as port based Table 2 4 Apply a QoS profile manually Operation Command Description Enter system view system view In system view apply qos p...

Page 489: ...of the user to 128 kbps and configuring to drop the packets exceeding the target packet rate Network diagram Figure 2 1 Network diagram for QoS profile configuration User Switch Network AAA Server Eth1 0 1 Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the matching relationship between the user name and the QoS profile Refer to the user ...

Page 490: ...t net Sysname isp test net radius scheme radius1 Sysname isp test net quit Create ACL 3000 to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile named example to limit the rate of matched packets to 128 kbps and configuring to drop the packets exceeding the target packet rate Sys...

Page 491: ... 1 1 Remote Port Mirroring 1 1 Mirroring Configuration 1 3 Configuring Local Port Mirroring 1 3 Configuring Remote Port Mirroring 1 4 Displaying Port Mirroring 1 7 Mirroring Configuration Example 1 7 Local Port Mirroring Configuration Example 1 7 Remote Port Mirroring Configuration Example 1 8 ...

Page 492: ...ce copies the packets of the source port to the reflector port which then broadcasts the packets in the remote probe VLAN After the remote device receives the packets it compares the VLAN ID of the packets with that of the remote probe VLAN on the remote device If the VLAN IDs are identical the remote device forwards the packets to the destination port of the remote destination mirroring group Loc...

Page 493: ...s to the next intermediate switch or the destination switch through the remote probe VLAN No intermediate switch is present if the source and destination switches directly connect to each other z Destination switch The remote mirroring destination port resident switch It forwards mirrored traffic flows it received from the remote probe VLAN to the monitoring device through the destination port Tab...

Page 494: ...e VLAN run other protocol packets or carry other service packets on the remote prove VLAN and do not use the remote prove VLAN as the voice VLAN and protocol VLAN otherwise remote port mirroring may be affected Mirroring Configuration Table 1 2 Mirroring configuration tasks Task Remarks Configuring Local Port Mirroring Optional Configuring Remote Port Mirroring Optional Configuring Local Port Mirr...

Page 495: ...me effect When configuring local port mirroring note that z You need to configure the source and destination ports for the local port mirroring to take effect z The destination port cannot be a member port of an aggregation group or a port enabled with LACP or STP Configuring Remote Port Mirroring 3Com Switch 4210 series can serve as a source switch an intermediate switch or a destination switch i...

Page 496: ...te source mirroring group are on the same device Each remote source mirroring group can be configured with only one reflector port z The reflector port cannot be a member port of an aggregation group or a port enabled with LACP or STP It must be an access port and cannot be configured with the functions like VLAN VPN port loopback detection packet filtering QoS port security and so on z It is reco...

Page 497: ...ion switch 1 Configuration prerequisites z The destination port and the remote probe VLAN are determined z Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN 2 Configuration procedure Table 1 6 Configure remote port mirroring on the destination switch Operation Command Description Enter system view system view Create a VLAN and enter VLAN view vl...

Page 498: ...display commands in any view to view the mirroring running information so as to verify your configurations Table 1 7 Display configuration of mirroring Operation Command Description Display port mirroring configuration display mirroring group group id all local remote destination remote source Available in any view Mirroring Configuration Example Local Port Mirroring Configuration Example Network ...

Page 499: ...g port Ethernet1 0 1 both Ethernet1 0 2 both monitor port Ethernet1 0 3 After the configurations you can monitor all packets received on and sent from the R D department and the marketing department on the data detection device Remote Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through 3Com 4210 switches z Switch A Switch B and Switc...

Page 500: ...to pass z On Switch C create a remote destination mirroring group configure VLAN 10 as the remote probe VLAN and configure Ethernet 1 0 2 connected with the data detection device as the destination port Network diagram Figure 1 4 Network diagram for remote port mirroring Configuration procedure 1 Configure the source switch Switch A Create remote source mirroring group 1 Sysname system view Sysnam...

Page 501: ...ort trunk permit vlan 10 Sysname Ethernet1 0 1 quit Configure Ethernet 1 0 2 as the trunk port allowing packets of VLAN 10 to pass Sysname interface Ethernet 1 0 2 Sysname Ethernet1 0 2 port link type trunk Sysname Ethernet1 0 2 port trunk permit vlan 10 3 Configure the destination switch Switch C Create remote destination mirroring group 1 Sysname system view Sysname mirroring group 1 remote dest...

Page 502: ...mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type remote destination status active monitor port Ethernet1 0 2 remote probe vlan 10 After the configurations you can monitor all packets sent from Department 1 and 2 on the data detection device ...

Page 503: ...ent Device 1 9 Configuring Member Devices 1 13 Managing a Cluster through the Management Device 1 15 Configuring the Enhanced Cluster Features 1 16 Configuring the Cluster Synchronization Function 1 18 Displaying and Maintaining Cluster Configuration 1 22 Cluster Configuration Example 1 23 Basic Cluster Configuration Example 1 23 Enhanced Cluster Feature Configuration Example 1 26 ...

Page 504: ...ce and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remote devices in batches reducing the workload of the network configuration Normally there is no need to configure external IP addresses for member devices Figure 1 1 illustrates a cluster implementatio...

Page 505: ...iguration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that is it forwards the commands intended for specific member devices z Discovers neighbors collects the information about network topology manages and maintains the cluster Management device also supports...

Page 506: ...not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect network topology information periodically How a Cluster Works HGMPv2 consists of the following three protocols z Neighbor discovery protocol NDP z Neighbor topology discovery protocol NTDP z Cluster A clust...

Page 507: ...s within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the management device advertises NTDP topology collection requests to collect the NDP information of each device in a specific network range as well as the connection information of all its neighbors Th...

Page 508: ...ice Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from outside the network intended for the member devices of the cluster such as accessing configuring managing and monitoring can only be implemented through the management device z The management device of...

Page 509: ...packets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times of the interval to send handshake packets it changes the state of the member device from Active to Connect Likewise if a member device fails to receive a handshake packet from the management device ...

Page 510: ...vice the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function z Packets of the management VLAN can be exchanged between the management device and a member device candidate device without carrying VLAN tags only when the default VLAN ID of both the two ports co...

Page 511: ...the MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a response to the switch sending the tracemac command indicating the success of the tracemac command If no switch with the specified destination MAC address or IP address is found the multicast packet will not b...

Page 512: ...tches provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000 used for cluster only when the cluster function is implemented z Closing UDP port 40000 at the same time when the cluster function is closed On the management device the preceding functions are implemented as follows z When you create a cluster by using the build or auto build c...

Page 513: ...ing NTDP globally and on a specific port Follow these steps to enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable Required Enabled by default Enter Ethernet port view interface interface type interface number Enable NTDP on the Ethernet port ntdp enable Required Enabled by default Configuring NTDP related paramet...

Page 514: ...luster function is enabled Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establishing a cluster and configuring cluster parameters in manual mode Follow these steps to establish a cluster and configure cluster parameters in manual mode Operation Command Description Enter system v...

Page 515: ...Enter cluster view cluster Configure the IP address range for the cluster ip pool administrator ip address ip mask ip mask length Required Start automatic cluster establishment auto build recover Required Follow prompts to establish a cluster z After a cluster is established automatically ACL 3998 and ACL 3999 will be generated automatically z After a cluster is established automatically ACL 3998 ...

Page 516: ... configured Configure a shared SNMP host for the cluster snmp host ip address Optional By default no shared SNMP host is configured Configuring Member Devices Member device configuration tasks Complete the following tasks to configure the member device Task Remarks Enabling NDP globally and on specific ports Required Enabling NTDP globally and on a specific port Required Enabling the cluster funct...

Page 517: ...he device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is closed at the same time z When you execute the undo build command on the management device to remove a cluster UDP port 40000 of all the member devices in the cluster is closed at the same time z W...

Page 518: ...ps to access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server of the cluster tftp cluster get source file destination file Optional Upload a file to the shared TFTP server of the cluster tftp cluster put source file destination file Optional Managing a Cluster t...

Page 519: ...an id by ip ip address nondp Optional These commands can be executed in any view Configuring the Enhanced Cluster Features Enhanced cluster feature overview 1 Cluster topology management function After the cluster topology becomes stable you can use the topology management commands on the cluster administrative device to save the topology of the current cluster as the standard topology and back up...

Page 520: ...luster device blacklist Required Configure cluster topology management function 1 Configuration prerequisites Before configuring the cluster topology management function make sure that z The basic cluster configuration is completed z Devices in the cluster work normally 2 Configuration procedure Follow these steps to configure cluster topology management function on a management device Operation C...

Page 521: ... Operation Command Description Enter system view system view Enter cluster view cluster Add the MAC address of a specified device to the cluster blacklist black list add mac mac address Optional By default the cluster blacklist is empty Delete the specified MAC address from the cluster blacklist black list delete mac mac address Optional Delete a device from the cluster add this device to the clus...

Page 522: ...gement device 2 Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations To do Use the command Remarks Enter system view system view Enter cluster view cluster Create a public SNMP community for the cluster cluster snmp agent community read write community name mib view view name Required Not configured by default Create a public SNMPv3 g...

Page 523: ...a allowing read only access right using this community name test_0 Sysname cluster cluster snmp agent community read read_a Member 2 succeeded in the read community configuration Member 1 succeeded in the read community configuration Finish to synchronize the command Create a community with the name of write_a allowing read and write access right using this community name test_0 Sysname cluster cl...

Page 524: ... mib view included mib_a org snmp agent usm user v3 user_a group_a undo snmp agent trap enable standard z Configuration file content on a member device only the SNMP related information is displayed test_2 Sysname display current configuration snmp agent snmp agent local engineid 800007DB000FE224055F6877 snmp agent community read read_a cm2 snmp agent community write write_a cm2 snmp agent sys inf...

Page 525: ...rations cannot be synchronized to the devices that are on the cluster blacklist z If a member device leaves the cluster the public local user configurations will not be removed Displaying and Maintaining Cluster Configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime and all neighbors discovered displ...

Page 526: ...serves as the management device z The rest are member devices Serving as the management device the Switch 4210 switch manages the two member devices The configuration for the cluster is as follows z The two member devices connect to the management device through Ethernet 1 0 2 and Ethernet 1 0 3 z The management device connects to the Internet through Ethernet 1 0 1 z Ethernet 1 0 1 belongs to VLA...

Page 527: ...ysname system view Sysname ndp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet1 0 1 Sysname ntdp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ntdp enable Sysname Ethernet1 0 1 quit Enable the cluster function Sysname cluster enable 2 Configure the management device Enable NDP globally and on E...

Page 528: ...et the interval to collect topology information to 3 minutes Sysname ntdp timer 3 Enable the cluster function Sysname cluster enable Enter cluster view Sysname cluster Sysname cluster Configure a private IP address pool for the cluster The IP address pool contains six IP addresses starting from 172 16 0 1 Sysname cluster ip pool 172 16 0 1 255 255 255 248 Name and build the cluster Sysname cluster...

Page 529: ...witch to member number mac address H H H command on the management device to switch to member device view to maintain and manage a member device After that you can execute the cluster switch to administrator command to return to management device view z In addition you can execute the reboot member member number mac address H H H eraseflash command on the management device to reboot a member devic...

Page 530: ...Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all save to local flash ...

Page 531: ...ing the PoE Mode on a Port 1 5 Configuring the PD Compatibility Detection Function 1 5 Configuring PoE Over Temperature Protection on the Switch 1 6 Upgrading the PSE Processing Software Online 1 6 Displaying PoE Configuration 1 7 PoE Configuration Example 1 7 PoE Configuration Example 1 7 2 PoE Profile Configuration 2 1 Introduction to PoE Profile 2 1 PoE Profile Configuration 2 1 Configuring PoE...

Page 532: ...E components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection PoE power supply monitoring and power off for devices z PD PDs receive power from the PSE PDs include standard PDs and nonstandard PDs Standard PDs conform to the 802 3af ...

Page 533: ...tch can be upgraded online z The switch provides statistics about power supplying on each port and the whole equipment which you can query through the display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides over temperature protection mechanism Using this mechanism the switch disables the PoE featu...

Page 534: ...e on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection Function Optional Configuring PoE Over Temperature Protection on the Switch Optional Upgrading the PSE Processing Software Online Optional Displaying PoE Configuration Optional Ena...

Page 535: ...agement modes auto and manual The auto mode is adopted by default z auto When the switch is close to its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs that are connected to the ports with high priority For example Port A has the priority of critical When the switch PoE is close to its full ...

Page 536: ...he port perform the following configuration to set the PoE mode on a port Table 1 6 Set the PoE mode on a port Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Set the PoE mode on the port to signal poe mode signal Optional signal by default Configuring the PD Compatibility Detection Function After the PD compatibility d...

Page 537: ...9 F to Y 60 C Y 65 C or 140 F Y 149 F the switch still keeps the PoE function disabled on all the ports z When the internal temperature of the switch increases from X X 60 C or X 140 F to Y 60 C Y 65 C or 140 F Y 149 F the switch still keeps the PoE function enabled on all the ports Upgrading the PSE Processing Software Online The online upgrading of PSE processing software can update the processi...

Page 538: ...able 1 10 Display PoE configuration Operation Command Description Display the PoE status of a specific port or all ports of the switch display poe interface interface type interface number Display the PoE power information of a specific port or all ports of the switch display poe interface power interface type interface number Display the PSE parameters display poe powersupply Display the status e...

Page 539: ...et the PoE maximum output power of Ethernet 1 0 2 to 2500 mW SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 poe enable SwitchA Ethernet1 0 2 poe max power 2500 SwitchA Ethernet1 0 2 quit Enable the PoE feature on Ethernet 1 0 8 and set the PoE priority of Ethernet 1 0 8 to critical SwitchA interface Ethernet 1 0 8 SwitchA Ethernet1 0 8 poe enable SwitchA Ethernet1 0 8 poe priority critical...

Page 540: ... port the PoE configurations in the PoE profile will be enabled on the port PoE Profile Configuration Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename Required If the PoE file is created you will enter PoE profile view directly through the command Enable the Po...

Page 541: ...ed for query it is displayed that the PoE profile is applied properly to the port z If one or more features in the PoE profile are not applied properly on a port the switch will prompt explicitly which PoE features in the PoE profile are not applied properly on which ports z The display current configuration command can be used to query which PoE profile is applied to a port However the command ca...

Page 542: ...s are made for users of group A z Apply PoE profile 1 for Ethernet 1 0 1 through Ethernet 1 0 5 z Apply PoE profile 2 for Ethernet 1 0 6 through Ethernet 1 0 10 Network diagram Figure 2 1 PoE profile application Network IP Phone Switch A AP IP Phone IP Phone IP Phone AP AP AP Eth1 0 1 Eth1 0 5 Eth1 0 6 Eth1 0 10 Configuration procedure Create Profile1 and enter PoE profile view SwitchA system view...

Page 543: ...poe profile Profile2 poe mode signal SwitchA poe profile Profile2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile1 to Ethernet 1 0 1 through Ethernet 1 0 5 ports...

Page 544: ...Parameters 1 4 Configuring Basic Trap 1 4 Configuring Extended Trap 1 5 Enabling Logging for Network Management 1 5 Displaying SNMP 1 6 SNMP Configuration Examples 1 6 SNMP Configuration Examples 1 6 2 RMON Configuration 2 1 Introduction to RMON 2 1 Working Mechanism of RMON 2 1 Commonly Used RMON Groups 2 2 RMON Configuration 2 3 Displaying RMON 2 4 RMON Configuration Examples 2 4 ...

Page 545: ...bject MIB Management Information Base according to the message types generates the corresponding Response packets and returns them to the NMS When a network device operates improperly or changes to other state the agent on it can also send trap messages on its own initiative to the NMS to report the events SNMP Versions Currently SNMP agent on a switch supports SNMPv3 and is compatible with SNMPv1...

Page 546: ...fore the configuration of basic SNMP functions is described by SNMP versions as listed in Table 1 1 and Table 1 2 Table 1 1 Configure basic SNMP functions SNMPv1 and SNMPv2c Operation Command Description Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent Set ...

Page 547: ...ional By default the view name is ViewDefault and OID is 1 Table 1 2 Configure basic SNMP functions SNMPv3 Operation Command Description Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent Set system information and specify to enable SNMPv3 on the switch snmp ...

Page 548: ...he commands used to configure SNMP agent enables the SNMP agent and at the same opens UDP port 161 used by SNMP agents and the UDP port used by SNMP trap respectively z Executing the undo snmp agent command disables the SNMP agent and closes UDP ports used by SNMP agent and SNMP trap as well Configuring Trap Parameters Configuring Basic Trap Trap messages refer to those sent by managed devices to ...

Page 549: ...escription and interface type are added into the linkUp linkDown Trap message When receiving this extended Trap message NMS can immediately determine which interface on the device fails according to the interface description and type z In all Trap messages sent from the information center to the log server a MIB object name is added after the OID field of the MIB object The name is for your better...

Page 550: ...ormation display snmp agent usm user engineid engineid username user name group group name Display Trap list information display snmp agent trap list Display the currently configured community name display snmp agent community read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view SNMP Configuration Examples SNMP Co...

Page 551: ...p agent group v3 managev3group privacy write view internet Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode des56 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port Ethernet 1 0 2 which is to be used for network management to VLAN 2 Set the IP address of VLAN interface 2 as 10 10 10 2 Sysname vlan 2 Sysname vlan2 port E...

Page 552: ...me public Configuring the NMS You can query and configure an Ethernet switch through the NMS For more information refer to the corresponding manuals of NMS products Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully ...

Page 553: ...he management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system operates in this way the NMS directly obtains management information from the RMON probes and controls the network resources In this case all information in the RMON MIB can be obtained z Embedding RMO...

Page 554: ...alarm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm functions With an extended alarm entry defined in an extended alarm group the network devices perform the following operations accordingly z Sampling the alarm variables referenced in the defined extended alarm expressions periodical...

Page 555: ...old threshold value2 event entry2 owner text Optional Before adding an alarm entry you need to use the rmon event command to define the event to be referenced by the alarm entry Add an extended alarm entry rmon prialarm entry number prialarm formula prialarm des sampling timer delta absolute changeratio rising_threshold threshold value1 event entry1 falling_threshold threshold value2 event entry2 ...

Page 556: ... in any view RMON Configuration Examples Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before performing RMON configuration z Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm ...

Page 557: ...drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 Display the RMON extended alarm entry numbered 2 Sysname display rmon prialarm 2 Prialarm table 2 owned by user1 is VALID Samples type changeratio Variable formula 1 3 6 1 2 1 ...

Page 558: ...10 Configuration Procedure 1 10 Configuring NTP Authentication 1 10 Configuration Prerequisites 1 11 Configuration Procedure 1 11 Configuring Optional NTP Parameters 1 13 Configuring an Interface on the Local Switch to Send NTP messages 1 13 Configuring the Number of Dynamic Sessions Allowed on the Local Switch 1 13 Disabling an Interface from Receiving NTP messages 1 14 Displaying NTP Configurati...

Page 559: ...of devices in a network with required accuracy by performing NTP configuration NTP is mainly applied to synchronizing the clocks of all devices in a network For example z In network management the analysis of the log information and debugging information collected from different devices is meaningful and valid only when network devices that generate the information adopts the same time z The billi...

Page 560: ...ough NTP To help you to understand the implementation principle we suppose that z Before the system clocks of Device A and Device B are synchronized the clock of Device A is set to 10 00 00 am and the clock of Device B is set to 11 00 00 am z Device B serves as the NTP server that is the clock of Device A will be synchronized to that of Device B z It takes one second to transfer an NTP message fro...

Page 561: ...ssage to make a round trip between Device A and Device B Delay T4 T1 T3 T2 z Time offset of Device A relative to Device B Offset T2 T1 T3 T4 2 Device A can then set its own clock according to the above information to synchronize its clock to that of Device B For detailed information refer to RFC 1305 NTP Implementation Modes According to the network structure and the position of the local Ethernet...

Page 562: ...nt mode Configure the local Switch 4210 to work in the NTP client mode In this mode the remote server serves as the local time server while the local switch serves as the client Symmetric peer mode Configure the local Switch 4210 to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric passive peer of the Switch 4210 and the local switch serves as the symmetric act...

Page 563: ...s effect only after the local clock of the Switch 4210 has been synchronized z When symmetric peer mode is configured on two Ethernet switches to synchronize the clock of the two switches make sure at least one switch s clock has been synchronized NTP Configuration Tasks Table 1 2 NTP configuration tasks Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Op...

Page 564: ...rsion number Required By default the switch is not configured to work in the NTP client mode z The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server z remote ip cannot be a broadcast address a multicast address or the IP addres...

Page 565: ...for sending NTP messages through the source interface keyword the source IP address of the NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers for the ...

Page 566: ...ter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default Configuring NTP Multicast Mode For switches working in the multicast mode you need to configure both the server and clients The multicast server periodically sends NTP multicast messages ...

Page 567: ...figured by default Configuring Access Control Right With the following command you can configure the NTP service access control right to the local switch for a peer device There are four access control rights as follows z query Control query right This level of right permits the peer device to perform control query to the NTP service on the local device but does not permit the peer device to synch...

Page 568: ...r synchronization query acl number Optional peer by default The access control right mechanism provides only a minimum degree of security protection for the local switch A more secure method is identity authentication Configuring NTP Authentication In networks with higher security requirements the NTP authentication function must be enabled to run NTP Through password authentication on the client ...

Page 569: ...ific key on the broadcast multicast server with the corresponding NTP broadcast multicast client Otherwise NTP authentication cannot be enabled normally z Configurations on the server and the client must be consistent Configuration Procedure Configuring NTP authentication on the client Table 1 11 Configure NTP authentication on the client Operation Command Description Enter system view system view...

Page 570: ...ntication keyid key id Required By default no trusted authentication key is configured Enter VLAN interface view interface Vlan interface vlan id Configure on the NTP broadcast server ntp service broadcast server authentication keyid key id Associate the specified key with the correspondi ng broadcast m ulticast client Configure on the NTP multicast server ntp service multicast server authenticati...

Page 571: ...ssociations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using an NTP command while a dynamic association is a temporary association created by the system during operation A dynamic association will be removed if the system fails to receive messages from it over a specific long time In the ...

Page 572: ... you can execute the display commands in any view to display the running status of switch and verify the effect of the configurations Table 1 17 Display NTP configuration Operation Command Description Display the status of NTP services display ntp service status Display the information about the sessions maintained by NTP display ntp service sessions verbose Display the brief information about NTP...

Page 573: ...B system view DeviceB ntp service unicast server 1 0 1 11 After the above configurations Device B is synchronized to Device A View the NTP status of Device B DeviceB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion ...

Page 574: ... Figure 1 7 Network diagram for NTP peer mode configuration Device A Device B Device C 3 0 1 31 24 3 0 1 32 24 3 0 1 33 24 Configuration procedure 1 Configure Device C Set Device A as the NTP server DeviceC system view DeviceC ntp service unicast server 3 0 1 31 2 Configure Device B after the Device C is synchronized to Device A Enter system view DeviceB system view Set Device C as the peer of Dev...

Page 575: ...e that a connection is established between Device C and Device B DeviceC display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 32 LOCL 1 95 64 42 14 3 12 9 2 7 25 3 0 1 31 127 127 1 0 2 1 64 1 4408 6 38 7 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements z Th...

Page 576: ...ent DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service broadcast client After the above configurations Device A and Device D will listen to broadcast messages through their own Vlan interface2 and Device C will send broadcast messages through Vlan interface2 Because Device A and Device C do not share the same network segment Device A cannot receive broadcast messages from Devic...

Page 577: ...1 Configuring NTP Multicast Mode Network requirements z The local clock of Device C is set as the NTP master clock with a clock stratum level of 2 Configure Device C to work in the NTP multicast server mode and advertise multicast NTP messages through Vlan interface2 z Device A and Device D are two Switch 4210 Configure Device A and Device D to work in the NTP multicast client mode and listen to m...

Page 578: ...ency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that Device D is synchronized to Device C with a clock stratum level of 3 one stratum level lower than that Device C View the information about ...

Page 579: ...he NTP authentication function is not enabled on Device A the clock of Device B will fail to be synchronized to that of Device A 2 To synchronize Device B you need to perform the following configurations on Device A Enable the NTP authentication function DeviceA system view DeviceA ntp service authentication enable Configure an MD5 authentication key with the key ID being 42 and the key being aNic...

Page 580: ... stratum level of 3 one stratum level lower than that Device A View the information about NTP sessions of Device B You can see that a connection is established between Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 255 64 8 2 8 17 7 1 2 note 1 source master 2 source peer 3 selected 4 candidate 5 confi...

Page 581: ...10 Exporting the RSA or DSA Public Key 1 11 Configuring the SSH Client 1 12 SSH Client Configuration Task List 1 12 Configuring an SSH Client that Runs SSH Client Software 1 12 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 18 Displaying and Maintaining SSH Configuration 1 20 Comparison of SSH Commands with the Same Functions 1 20 SSH Configuration Examples 1 21 When Switch Acts as ...

Page 582: ...d as an SSH client or an SSH server In the former case the device establishes a remote SSH connection to an SSH server In the latter case the device provides connections to multiple clients Furthermore SSH can also provide data compression to increase transmission speed take the place of Telnet or provide a secure channel for FTP z Currently when functioning as an SSH server an S4210 switch suppor...

Page 583: ...key of user 1 If the signature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encryption and signature whereas DSA is used for adding signature Currently SSH supports both RSA and DSA SSH Operating Process The session establishment between an SSH client and th...

Page 584: ...algorithm negotiation packets to each other which contain public key algorithm lists supported by the server and the client encrypted algorithm list message authentication code MAC algorithm list and compressed algorithm list z The server and the client calculate the final algorithm according to the algorithm lists supported z The server and the client generate the session key and session ID based...

Page 585: ...n SSH_SMSG_FAILURE packet indicating that the processing fails or it cannot resolve the request The client sends a session request to the server which processes the request and establishes a session Data exchange In this stage the server and the client exchanges data in this way z The client encrypts and sends the command to be executed to the server z The server decrypts and executes the command ...

Page 586: ...t on the Server z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Data exchange Exporting the RSA or DSA Public Key Optional If a client does not support first time authentication you need to ...

Page 587: ...ommand is not available Similarly if the protocol inbound ssh command has been executed the authentication mode password and authentication mode none commands are not available Configuring the SSH Management Functions The SSH server provides a number of management functions Some functions can prevent illegal operations such as malicious password guess further guaranteeing the security of SSH conne...

Page 588: ...stroy a key pair You must generate an RSA and DSA key pair on the server for an SSH client to log in successfully When generating a key pair you will be prompted to enter the key length in bits which is between 512 and 2048 The default length is 1024 In case a key pair already exists the system will ask whether to replace the existing key pair Table 1 5 Follow these steps to create or destroy key ...

Page 589: ...ng an Authentication Type This task is to create an SSH user and specify an authentication type for it Specifying an authentication type for a new user is a must to get the user login Table 1 6 Follow these steps to configure an SSH user and specify an authentication type for the user To do Use the command Remarks Enter system view system view ssh authentication type default all password password ...

Page 590: ...ble to a logged in SSH user can be configured using the user privilege level command on the server and all the users with this authentication mode will enjoy this level z Under the password or password publickey authentication mode the level of commands available to a logged in SSH user is determined by the AAA scheme Meanwhile for different users the available levels of commands are also differen...

Page 591: ...anually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begin Configure a public key for the client Enter the content of the public key When you input the key data spaces are allowed between the characters you input because the system can remove the spaces automatically you can also press ...

Page 592: ...ic key on the screen in a specified format or export it to a specified file so that you can configure the key at a remote end when necessary Table 1 11 Follow these steps to export the RSA public key To do Use the command Remarks Enter system view system view Display the RSA key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 filen...

Page 593: ... Software Configuring an SSH Client Assumed by an SSH2 Capable Switch Whether first authentication is supported Configuring an SSH Client Assumed by an SSH2 Capable Switch Configuring an SSH Client that Runs SSH Client Software A variety of SSH client software are available such as PuTTY and OpenSSH For an SSH client to establish a connection with an SSH server use the following commands Complete ...

Page 594: ...ust be specified on the client RSA key pairs and DSA key pairs are generated by a tool of the client software The following takes the client software of PuTTY Version 0 58 as an example to illustrate how to configure the SSH client Generating a client key To generate a client key run PuTTYGen exe and select from the Parameters area the type of key you want to generate either SSH 2 RSA or SSH 2 DSA...

Page 595: ...Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key Figure 1 4 Generate the client keys 3 ...

Page 596: ...he name of the file for saving the private key private in this case to save the private key Figure 1 5 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then click Convert Figure 1 6 Generate the client keys 5 Specifying the IP address of the Server Launch PuTTY exe The following window appears ...

Page 597: ...Note that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 1 7 select SSH under Protocol Selecting an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 8 appears ...

Page 598: ...ation From the window shown in Figure 1 8 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection To log out enter the quit command Opening an SSH connection with publickey authentication If a user needs to be authenticated with a public key the corresponding private key file must be specified A p...

Page 599: ...ion z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Configuring whether first time authentication is supported Optional Establishing the connection between the SSH client and server Required Configuring the SSH client for publickey authentication When the authentication mode is publickey you need to configure the RSA or DSA public key o...

Page 600: ...Enter system view system view Enable the device to support first time authentication ssh client first time enable Optional By default the client is enabled to run first time authentication Table 1 16 Follow these steps to disable first time authentication support To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Require...

Page 601: ... correct private key Displaying and Maintaining SSH Configuration To do Use the command Remarks Display the public key part of the current switch s key pairs display public key local dsa rsa public Display information about locally saved public keys of SSH peers display public key peer brief name pubkey name Display SSH status and session information display ssh server session status Display SSH u...

Page 602: ... assign publickey keyname Create an SSH user and specify pubblickey authentication as its authentication type ssh user username authentication type rsa ssh user username authentication type publickey z After the RSA key pair is generated the display rsa local key pair public command displays two public keys the host public key and server public key when the S4210 switch is working in SSH1 compatib...

Page 603: ...on mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch ui vty0 4 quit Create local client client001 and set the authentication password to abc protocol type to SSH and command privilege level to 3 for the client Switch local user client001 Switch luser cl...

Page 604: ...8 as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 11 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH server 2 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 12 appears ...

Page 605: ...uthentication succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 13 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password authentication is required z The host runs SSH2 0 client software to establish a local connection with the switch z Th...

Page 606: ...tion from the navigation tree In the System Configuration window click Modify of the Access Device item and then click Add to enter the Add Access Device window and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN Access Service as the service type z Specify the po...

Page 607: ... and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 15 Add an account for device management 1 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch system view Switch interface vlan interface 2 Switch...

Page 608: ... key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user hello authentication type password 2 Con...

Page 609: ...the category on the left pane of the window select Connection SSH The window as shown in Figure 1 17 appears Figure 1 17 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Then click Open If the connection is normal you will be prompted to enter the user name hello and the password Once ...

Page 610: ...n with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 18 Switch acts as server for password and HWTACACS authentication Configuration procedure z Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch system view...

Page 611: ... domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same n...

Page 612: ...will log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals When Switch Acts as Server for Publickey Authentication Network requirements As shown in Figure 1 21 establish an SSH connection between the host SSH client and the switch ...

Page 613: ...ey pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the client s command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit ...

Page 614: ...y Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 22 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 23 Otherwise the process bar stops moving and the key pair generating p...

Page 615: ...ure 1 23 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 24 Generate a client key pair 3 ...

Page 616: ...r is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 26 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From t...

Page 617: ... 27 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 28 SSH client configuration interface 2 ...

Page 618: ... Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA k...

Page 619: ... SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Enter password Copyright c 2004 2009 3Com Corp and its licensors All rights reserved Without the owner s prior written consent no decompiling or reverse engineering s...

Page 620: ...witchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify...

Page 621: ...te dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity ...

Page 622: ...s the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs SwitchB public key local create rsa SwitchB public key local create dsa Set AAA authentication on user interfa...

Page 623: ... generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the switch and assign an IP address which serves as the SSH client s address in an SSH connection SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 ...

Page 624: ...h002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity key dsa Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Copyright c 2004 2009 3Com Corp and its...

Page 625: ...tem 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4 File Attribute Configuration 1 5 Introduction to File Attributes 1 5 Booting with the Startup File 1 6 Configuring File Attributes 1 6 ...

Page 626: ...one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For example the URL of a file named text txt in the root directory of the switch is unit1 flash text txt or flash text txt z Entering the path name or file name directly This method can be used to specify a path or a file in t...

Page 627: ...e that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserved Optional A deleted file can be restored by using the undelete command if you delete it by executing the delete command without specifying the unreserved keyword Restore a file in the recycle bin u...

Page 628: ...d the switch adopts the null configuration when it starts up next time Flash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following configuration in user view Table 1 4 Operations on the Flash memory To do Use the command Remarks Format the Flash memory format device Required Restore space on the Flash memory fixdisk device Required...

Page 629: ... drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Copy the file flash config cfg to flash test with 1 cfg as the name of the new file Sysname copy flash config cfg flash test 1 cfg Copy unit1 flash config cfg to unit1 flash test 1 cfg Y N y Copy file unit1 flash config cfg to unit1 flash test 1 cfg Done Displ...

Page 630: ... main backup and none as described in Table 1 6 Table 1 6 Descriptions on file attributes Attribute name Description Feature Identifier main Identifies main startup files The main startup file is preferred for a switch to start up In the Flash memory there can be only one app file one configuration file and one Web file with the main attribute backup Identifies backup startup files The backup star...

Page 631: ... default Web file 2 If the default Web file does not exist but the main Web file exists the device will boot with the main Web file 3 If neither the default Web file nor the main Web file exists but the backup Web exists the device will boot with the backup Web file 4 If neither of the default Web file main Web file and backup Web exists the device considers that no Web file exists For the selecti...

Page 632: ...Optional Available in any view z The configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch z After upgrading a Web file you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration...

Page 633: ...ample A Switch Operating as an FTP Server 1 7 FTP Banner Display Configuration Example 1 9 FTP Configuration A Switch Operating as an FTP Client 1 10 SFTP Configuration 1 11 SFTP Configuration A Switch Operating as an SFTP Server 1 12 SFTP Configuration A Switch Operating as an SFTP Client 1 13 SFTP Configuration Example 1 14 2 TFTP Configuration 2 1 Introduction to TFTP 2 1 TFTP Configuration 2 1...

Page 634: ... 1 Roles that a Switch 4210 acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log in to a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server FTP client In this case you need to establish a connection between your PC and the swit...

Page 635: ... the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have access to the FTP server Table 1 3 Create an FTP user Operation Command Description Enter system view system view Add a local user and enter local user view local user user name Required By default no local user is configur...

Page 636: ...own the FTP server Configuring connection idle time After the idle time is configured if the server does not receive service requests from a client within a specified time period it terminates the connection with the client thus preventing a user from occupying the connection for a long time without performing any operation Table 1 5 Configure connection idle time Operation Command Description Ent...

Page 637: ...ough FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection between an FTP client and an FTP server is established the FTP server outputs the configured login banner to the FTP client terminal Figure 1 1 Process of displaying a login banner z Shell banner After the connection between an FTP client and an FTP server is ...

Page 638: ... a switch display ftp server Display the login FTP client on an FTP server display ftp user Available in any view FTP Configuration A Switch Operating as an FTP Client Basic configurations on an FTP client By default a switch can operate as an FTP client In this case you can connect the switch to the FTP server to perform FTP related operations such as creating removing a directory by executing co...

Page 639: ... these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only the file name and directory Download a remote file from the FTP server get remotefile localfile Upload a local file to the remote FTP server put localfile remotefile Rename a file on the remote server rename remote source remote dest Log in with the speci...

Page 640: ...nd enable the FTP server function on the switch Configure the user name and password used to access FTP services and specify the service type as FTP You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information Configure the FTP user name as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname f...

Page 641: ... the corresponding instructions for operation description z If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can onl...

Page 642: ...tch as login banner appears and the shell banner as shell banner appears Network diagram Figure 1 4 Network diagram for FTP banner display configuration Configuration procedure 1 Configure the switch FTP server Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears For detailed configuration of other network requirements see section Configurat...

Page 643: ... the switch and 2 2 2 2 for the PC Ensure a route exists between the switch and the PC Network diagram Figure 1 5 Network diagram for FTP configurations a switch operating as an FTP client Configuration procedure 1 Configure the PC FTP server Perform FTP server related configurations on the PC that is create a user account on the FTP server with user name switch and password hello For detailed con...

Page 644: ...switch ftp get switch bin Execute the quit command to terminate the FTP connection and return to user view ftp quit Sysname After downloading the file use the boot boot loader command to specify the downloaded file switch bin to be the application for next startup and then restart the switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot For information ...

Page 645: ...requests from a client within a specified time period it terminates the connection with the client thus preventing a user from occupying the connection for a long time without performing any operation Table 1 12 Configure connection idle time Operation Command Description Enter system view system view Configure the connection idle time for the SFTP server ftp timeout time out value Optional 10 min...

Page 646: ... switch to the SFTP server to perform SFTP related operations such as creating removing a directory by executing commands on the switch Table 1 13 lists the operations that can be performed on an SFTP client Table 1 13 Basic configurations on an SFTP client Operation Command Description Enter system view system view Enter SFTP client view sftp host ip host name port num identity key dsa rsa prefer...

Page 647: ...nd concerning SFTP help all command name Optional If you specify to authenticate a client through public key on the server the client needs to read the local private key when logging in to the SFTP server Since both RSA and DSA are available for public key authentication you need to use the identity key key word to specify the algorithms to get correct local private key otherwise you will fail to ...

Page 648: ...01 password simple abc Sysname luser client001 service type ssh Sysname luser client001 quit Configure the authentication mode as password Authentication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user client001 service type sftp Enable the SFTP server Sysn...

Page 649: ...on may take a long time Please wait Received status Success File successfully Removed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Succ...

Page 650: ...t Remote file pubkey2 Local file public Received status End of file Received status Success Downloading file successfully ended Upload the file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received status Success Uploading file successfully ended sftp client dir rwxrwxrwx 1 noon...

Page 651: ... you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated between the switch and the server and the file download operation will be aborted if the free space of the switch s flash memory is found to be insufficient z If the TFTP server does not support file size negotiation the sw...

Page 652: ...i binary Optional Binary by default Specify an ACL rule used by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default TFTP Configuration Example Network requirements A switch operates as a TFTP client and a PC as the TFTP server The application named switch bin is stored on the PC Download it switch bin to the switch through TFTP and use the...

Page 653: ...n the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0 Sysname Vlan interface1 quit Download the switch application named switch bin from the TFTP server to the switch Sysname tftp 1 1 1 2 ge...

Page 654: ...Output System Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 12 Setting to Output System Information to the Trap Buffer 1 12 Setting to Output System Information to the Log Buffer 1 13 Setting to Output System Information to the SNMP NMS 1 13 Displaying and Maintaining Information Center 1 14 Infor...

Page 655: ...n is classified into eight levels by severity and can be filtered by level More emergent information has a smaller severity level Table 1 1 Severity description Severity Severity value Description emergencies 1 The system is unavailable alerts 2 Information that demands prompt reaction critical 3 Critical information errors 4 Error information warnings 5 Warnings notifications 6 Normal information...

Page 656: ...and debugging information and information will be stored in files for future retrieval 3 trapbuffer Trap buffer Receives trap information a buffer inside the device for recording information 4 logbuffer Log buffer Receives log information a buffer inside the device for recording information 5 snmpagent SNMP NMS Receives trap information 6 channel6 Not specified Receives log trap and debugging info...

Page 657: ... private MIB module HWP HWPing module IFNET Interface management module IGSP IGMP snooping module IP Internet protocol module LAGG Link aggregation module LINE Terminal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor discovery protocol module NTDP Network topology discovery protocol module NTP Network time protocol module PKI Public key i...

Page 658: ...destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content z The space the forward slash and the colon are all required in the above format z Before timestamp may have or followed with a space indicating log alarm or debugging information respectively Below is an example of the format o...

Page 659: ...s the time when system information is generated to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the following two formats 1 Without the universal time coordinated UTC time zone the time stamp is in the format of Mmm dd hh mm ss ms yyyy 2 With the UTC time zone the time stamp is in the format of Mmm ...

Page 660: ...manual for details Note that there is a space between the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output destination is log host Module The module field represents the name of the module that generates system information You...

Page 661: ...Information to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line pr...

Page 662: ...e 1 6 Configure to display time stamp with the UTC time zone Operation Command Description Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is set for the system Enter system view system view Log host direction info center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host...

Page 663: ...g information of some modules on the switch you need to set the type of the output information to debug when configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 8 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enable d disab led Severit y Enabled disabled Severi...

Page 664: ...ing terminal display function by using the terminal debugging terminal logging or terminal trapping command Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal which is a user terminal that has login connections through the AUX VTY or TTY user interface Setting to output system information to a monitor terminal Table 1 10 Set to ou...

Page 665: ...stem information display on a monitor terminal After setting to output system information to a monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Table 1 11 Enable the display of system information on a monitor terminal Operation Command Description Enable the debugging log trap information terminal display functio...

Page 666: ...ce is configured and the system automatically selects an interface as the source interface Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 8 for the default output rules of system information Set the format of the time stamp to be sent to the log host info c...

Page 667: ...formation to the log buffer Operation Command Description Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the log buffer info center logbuffer channel channel number channel name size buffersize Optional By default the switch uses information channel 4 to output log information to the log buffer which can holds...

Page 668: ...Maintaining Information Center After the above configurations you can execute the display commands in any view to display the running status of the information center and thus validate your configurations You can also execute the reset commands in user view to clear the information in the log buffer and trap buffer Table 1 16 Display and maintain information center Operation Command Description Di...

Page 669: ...on of outputting information to log host channels Switch undo info center source default channel loghost Configure the host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log host Switch info center loghost 202 38 1 10 facility local4 Switch info center source arp channel loghost log level informa...

Page 670: ...e information is created and the file etc syslog conf is modified execute the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations the switch can make records in the corresponding log file Through combined configuration of the device name facility informati...

Page 671: ... items when you edit file etc syslog conf z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same with those corresponding parameters configured in commands info c...

Page 672: ...ting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with severity level higher than informational to the console Switch info center console channel console Switch info center source arp channel console log level informational debug state off trap state off Sw...

Page 673: ...TC time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center timestamp loghost date Configure to add UTC time to the output information of the information center Switch info center timestamp utc ...

Page 674: ...and Alias Configuration 2 1 Introduction 2 1 Configuring Command Alias 2 1 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device Management 4 1 Introduction to Device Management 4 1 Device Management Configuration 4 1 Device Management Configuration Tasks 4 1 Rebooting the Ethernet Switch 4 1 Scheduling a Reboot on the Switch 4 2 Configuring Real time Monitori...

Page 675: ...ii Configuring a Scheduled Task 5 1 Scheduled Task Configuration Example 5 2 ...

Page 676: ...through Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP The Boot ROM software version should be compatible with the host software version when you load the Boot ROM and host software Local Boot ROM and Software Loading If your terminal is directly connected to the Console port of the switch you can load the Boot ROM and host software locally Before lo...

Page 677: ...ond fast startup mode after the information Press Ctrl B to enter BOOT Menu displays Otherwise the system starts to extract the program and if you want to enter the BOOT Menu at this time you will have to restart the switch Enter the correct Boot ROM password no password is set by default The system enters the BOOT Menu BOOT MENU 1 Download application file to flash 2 Select application file to bo...

Page 678: ...d the sending program proceeds to send another packet If the check fails the receiving program sends negative acknowledgement characters and the sending program retransmits the packet Loading Boot ROM Follow these steps to load the Boot ROM Step 1 At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM update menu shown below Bootrom update...

Page 679: ...se the system will not display the above information Following are configurations on PC Take the HyperTerminal in Windows 2000 as an example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then select the baudrate of 115200 bps in the Console port configuration dialog box that appears as shown in Figure 1 1 Figure 1 2 Figure 1 1 Properties dialog box ...

Page 680: ...e HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC ...

Page 681: ...dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information Loading CCCCCCCCCC done Step 10 Reset HyperTerminal s baudrate to 19200 bps refer to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the ...

Page 682: ...se for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading You can also use the xmodem get command to load host software through the Console port of AUX type The load procedures are as follows assume that the PC is connected to the Console port of the switch and logs onto the switch through the Console port Step 1 Execute the xmodem ge...

Page 683: ...rminal program on the configuration PC Start the switch Then enter the BOOT Menu At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM update menu shown below Bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 4 Enter 1 in the abov...

Page 684: ...M except that the system gives the prompt for host software loading instead of Boot ROM loading When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC directly connected to the device as TFTP server to promote upgrading reliability Loading by FTP through Ethernet Port Introduction to FTP FTP is an application layer protocol in the TCP IP protocol sui...

Page 685: ... the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N Step 6 Enter Y to start file downloading or N to return to the Boot ROM update menu If you enter Y the system be...

Page 686: ...OM and host software remotely Remote Loading Using FTP Loading Procedure Using FTP Client 1 Loading the Boot ROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM program switch btm from the remote FTP server whose IP address is 10 1 1 1 to the switch Figure 1 8 Remote load...

Page 687: ...the boot boot loader command to select the host software used for next startup of the switch After the above operations the Boot ROM and host software loading is completed Pay attention to the following z The loading of Boot ROM and host software takes effect only after you restart the switch with the reboot command z If the space of the Flash memory is not enough you can delete the unused files i...

Page 688: ...h Ctrl Z Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 192 168 0 28 255 255 255 0 Step 3 Enable FTP service on the switch and configure the FTP user name to test and password to pass Sysname Vlan interface1 quit Sysname ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP...

Page 689: ... Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 1 13 ...

Page 690: ...at the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user guide before operation z Only the configuration steps concerning loading are listed...

Page 691: ...time it automatically adds the specified offset to the current time so as to toggle the system time to the summer time z When the system reaches the specified end time it automatically subtracts the specified offset from the current time so as to toggle the summer time to normal system time Enter system view from user view system view Set the system name of the switch sysname sysname Optional By d...

Page 692: ...control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen Figure 2 1 illustrates the relationship between the protocol debugging switch and the screen output switch Assume that the device can output debugging information to mod...

Page 693: ...nit unit id interface interface type interface number module name You can execute the display command in any view Displaying Operating Information about Modules in System When an Ethernet switch is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its corresponding operating information display command s You can use the command here to ...

Page 694: ...e habits Configuring Command Alias Follow these steps to configure command aliases To do Use the command Remarks Enter system view system view Enable the command alias function command alias enable Required Disabled by default that is you cannot configure command aliases Configure command aliases command alias mapping cmdkey alias Required Not configured by default Display defined command aliases ...

Page 695: ...2 2 ...

Page 696: ...f response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check the network connectivity It can also be used to help locate the network faults The executing procedure of the tracert command is as follows First the source host sends a data packet with the TTL of 1 and the first hop device retu...

Page 697: ...Configuring Real time Monitoring of the Running Status of the System Optional Specifying the APP to be Used at Reboot Optional Upgrading the Boot ROM Optional Identifying and Diagnosing Pluggable Transceivers Optional Rebooting the Ethernet Switch You can perform the following operation in user view when the switch is faulty or needs to be rebooted Before rebooting the system checks whether there ...

Page 698: ...eboot date and time Configuring Real time Monitoring of the Running Status of the System This function enables you to dynamically record the system running status such as CPU thus facilitating analysis and solution of the problems of the device Table 4 4 Configure real time monitoring of the running status of the system Operation Command Description Enter system view system view Enable real time m...

Page 699: ...rt or if the peer port is shut down the 1000 Mbps uplink port automatically enters the power save state so as to lower the power consumption of the switch Table 4 7 Follow these steps to enable auto power down on the 1000 Mbps uplink port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable auto power down on the 1000...

Page 700: ...ctor type central wavelength of the laser sent transfer distance and vendor name or vendor name specified Table 4 9 Identify pluggable transceivers Operation Command Description Display main parameters of the pluggable transceiver s display transceiver interface interface type interface number Available for all pluggable transceivers Display part of the electrical label information of the anti spo...

Page 701: ...stomized by H3C only Displaying the Device Management Configuration After the above configurations you can execute the display command in any view to display the operating status of the device management to verify the configuration effects Table 4 11 Display the operating status of the device management Operation Command Description Display the APP to be adopted at next startup display boot loader...

Page 702: ...he PC is reachable to each other The host software switch bin and the Boot ROM file boot btm of the switch are stored in the directory switch on the PC Use FTP to download the switch bin and boot btm files from the FTP server to the switch Network diagram Figure 4 1 Network diagram for FTP configuration Configuration procedure 1 Configure the following FTP server related parameters on the PC an FT...

Page 703: ...rver to the Flash memory of the switch ftp get switch bin ftp get boot btm 7 Execute the quit command to terminate the FTP connection and return to user view ftp quit Sysname 8 Upgrade the Boot ROM Sysname boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be a...

Page 704: ...4 8 This command will reboot the device Current configuration may be lost in next startup if you continue Continue Y N y This will reboot device Continue Y N y ...

Page 705: ...wing when configuring a scheduled task z The commands in a scheduled task must be in the same view z You can specify up to ten commands in one scheduled task To execute more than ten commands you can specify multiple scheduled tasks Configuring a Scheduled Task Specify the time to execute the commands in the task Follow these steps to configure a scheduled task To do Use the command Description En...

Page 706: ... one off repeating delay time command command Required Display information about a scheduled task display job job name Available in any view z You can specify only one view for each scheduled task z After a scheduled task is configured modification of the system time will affect the execution of the task However as the delay keyword is unrelated to the system time even though the system time chang...

Page 707: ...i command undo shutdown Switch job pc2 time 2 repeating at 18 00 week day Mon Tue Wed Thu Fri command shutdown Switch job pc3 Switch job pc3 view Ethernet1 0 3 Switch job pc3 time 1 repeating at 8 00 week day Mon Tue Wed Thu Fri command undo shutdown Switch job pc3 time 2 repeating at 18 00 week day Mon Tue Wed Thu Fri command shutdown Switch job pc3 quit Display the information about the schedule...

Page 708: ...LAN VPN 1 1 Implementation of VLAN VPN 1 2 VLAN VPN Configuration 1 2 Enabling the VLAN VPN Feature for a Port 1 2 Displaying and Maintaining VLAN VPN Configuration 1 2 VLAN VPN Configuration Example 1 2 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN 1 2 ...

Page 709: ...hrough the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public networks and the inner VLAN tags are treated as part of the payload Figure 1 1 describes the structure of the packets with single layer VLAN tags Figure 1 1 Structure of packets with single layer VLAN tag...

Page 710: ...ed By default the VLAN VPN feature is disabled on a port Displaying and Maintaining VLAN VPN Configuration To do Use the command Remarks Display the VLAN VPN configurations of all the ports display port vlan vpn Available in any view VLAN VPN Configuration Example Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN Network requirements As shown in Figure 1 3 Switch A...

Page 711: ...thernet 1 0 11 SwitchA vlan1040 quit SwitchA interface Ethernet 1 0 11 SwitchA Ethernet1 0 11 vlan vpn enable SwitchA Ethernet1 0 11 quit Configure Ethernet 1 0 12 as a trunk port permitting packets of VLAN 1024 SwitchA interface Ethernet 1 0 12 SwitchA Ethernet1 0 12 port link type trunk SwitchA Ethernet1 0 12 port trunk permit vlan 1040 z Configure Switch B Enable the VLAN VPN feature on Etherne...

Page 712: ...the devices connecting to Ethernet 1 0 12 of Switch A and Ethernet 1 0 22 of Switch B to permit the corresponding ports to transmit tagged packets of VLAN 1040 Data transfer process The following describes how a packet is forwarded from Switch A to Switch B in this example 1 As Ethernet 1 0 11 of Switch A is a VLAN VPN port when a packet from the customer s network side reaches this port it is tag...

Page 713: ...ping Configuration 1 4 Remote ping Server Configuration 1 4 Remote ping Client Configuration 1 5 Displaying Remote ping Configuration 1 22 Remote ping Configuration Examples 1 22 ICMP Test 1 22 DHCP Test 1 24 FTP Test 1 25 HTTP Test 1 27 Jitter Test 1 29 SNMP Test 1 31 TCP Test Tcpprivate Test on the Specified Ports 1 33 UDP Test Udpprivate Test on the Specified Ports 1 35 DNS Test 1 37 ...

Page 714: ...sponding remote ping servers as well to perform various remote ping tests All remote ping tests are initiated by a remote ping client and you can view the test results on the remote ping client only When performing a remote ping test you need to configure a remote ping test group on the remote ping client A remote ping test group is a set of remote ping test parameters A test group contains severa...

Page 715: ...u must specify a destination IP address and the destination address must be the IP address of a TCP UDP UDP listening service configured on the remote ping server Destination port destination port For a tcpprivate udpprivate jitter test you must specify a destination port number and the destination port number must be the port number of a TCP or UDP listening service configured on the remote ping ...

Page 716: ...sroute With routing table bypass a remote host can bypass the normal routing tables and send ICMP packets directly to a host on an attached network If the host is not on a directly attached network an error is returned You can use this function when pinging a local host on an VLAN interface that has no route defined TTL of remote ping test packets ttl It is equal to the argument h in a ping comman...

Page 717: ... Trap messages send trap z A remote ping test will generate a Trap message no matter whether the test successes or not You can use the Trap switch to enable or disable the output of trap messages z You can set the number of consecutive failed remote ping tests before Trap output You can also set the number of consecutive failed remote ping probes before Trap output Remote ping Configuration The TC...

Page 718: ...m view system view Enable the remote ping client function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the destination IP address destination ip ip address Required By default no destination address is ...

Page 719: ...tional By default the retaining time of statistics information is 120 minutes Configure test start time and lifetime test time begin hh mm ss yyyy mm dd now lifetime lifetime Optional By default no test start time and lifetime is configured Enable routing table bypass sendpacket passroute Optional By default routing table bypass is disabled Configure the TTL ttl number Optional By default TTL is 2...

Page 720: ...ype test type dhcp Required By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure a test description description string Optional By default no description information is configured Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 5...

Page 721: ...P test on remote ping client To do Use the command Remarks Enter system view system view Enable the remote ping client function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the destination IP address de...

Page 722: ...etime lifetime Optional By default no test start time and lifetime is configured Enable routing table bypass sendpacket passroute Optional By default routing table bypass is disabled Configure the TTL ttl number Optional By default TTL is 20 The sendpacket passroute command voids the ttl command Configure the automatic test interval frequency interval Optional By default the automatic test interva...

Page 723: ...ed By default no test group is configured Configure the destination IP address destination ip ip address Required You can configure an IP address or a host name By default no destination address is configured Configure dns server dns server ip address Required when you use the destination ip command to configure the destination address as the host name By default no IP address of the DNS server is...

Page 724: ...tart time and lifetime test time begin hh mm ss yyyy mm dd now lifetime lifetime Optional By default no test start time and lifetime is configured Enable routing table bypass sendpacket passroute Optional By default routing table bypass is disabled Configure the TTL ttl number Optional By default TTL is 20 The sendpacket passroute command voids the ttl command Configure the automatic test interval...

Page 725: ...s Required The destination address must be the IP address of a UDP listening service on the remote ping server By default no destination address is configured Configure the destination port destination port Port number Required The destination port must be the port of a UDP listening service on the remote ping server By default no destination port is configured Configure the source IP address sour...

Page 726: ...tics interval is 120 minutes and up to two pieces of statistics information can be retained Configure the retaining time of statistics information statistics keep time keep time Optional By default the retaining time of statistics information is 120 minutes Configure test start time and lifetime test time begin hh mm ss yyyy mm dd now lifetime lifetime Optional By default no test start time and li...

Page 727: ...lient function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the destination IP address destination ip ip address Required By default no destination address is configured Configure the source IP address ...

Page 728: ...lifetime lifetime Optional By default no test start time and lifetime is configured Enable routing table bypass sendpacket passroute Optional By default routing table bypass is disabled Configure the TTL ttl number Optional By default TTL is 20 The sendpacket passroute command voids the ttl command Configure the automatic test interval frequency interval Optional By default the automatic test inte...

Page 729: ...the client any destination port number configured on the client will not take effect By default no destination port number is configured Configure the source IP address source ip ip address Optional By default the source IP address is not specified Configure the source port source port port number Optional By default no source port is specified Configure the test type test type tcpprivate tcppubli...

Page 730: ...he sendpacket passroute command voids the ttl command Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the type of service tos value Optional By default the service type is zero Start the test test enable...

Page 731: ...d Configure the source port source port port number Optional By default no source port is specified Configure the test type test type udpprivate udppublic Required By default the test type is ICMP Configure the number of probes per test count times Optional By default one probe is made per test Configure the maximum number of history records that can be saved history records number Optional By def...

Page 732: ... automatic test interval frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the service type tos value Optional By default the service type is zero Start the test test enable Required Display test results display re...

Page 733: ...rmation statistics interval interval max group number Optional By default statistics interval is 120 minutes and up to two pieces of statistics information can be retained Configure the retaining time of statistics information statistics keep time keep time Optional By default the retaining time of statistics information is 120 minutes Configure test start time and lifetime test time begin hh mm s...

Page 734: ...client To do Use the command Remarks Enter system view system view Clear all agents on the remote ping client remote ping agent clear Required z This command clears all the configured agents including the test configuration test result and history information z The result cannot be restored after the execution of the command z The command does not disable remote ping agent Configuring remote ping ...

Page 735: ...efault Trap messages are sent each time a probe fails Displaying Remote ping Configuration To do Use the command Remarks Display the results of the test display remote ping results history jitter administrator name operation tag Display test statistics display remote ping statistics administrator name operation tag Available in any view Remote ping Configuration Examples ICMP Test Network requirem...

Page 736: ...nistrator icmp display remote ping results administrator icmp remote ping entry admin administrator tag icmp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 3 6 3 Square Sum of Round Trip Time 145 Last succeeded test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Discon...

Page 737: ...administrator and test tag to DHCP Sysname remote ping administrator dhcp Configure the test type as dhcp Sysname remote ping administrator dhcp test type dhcp Configure the source interface which must be a VLAN interface Make sure the DHCP server resides on the network connected to this interface Sysname remote ping administrator dhcp source interface Vlan interface 1 Configure to make 10 probes ...

Page 738: ... 0 2000 04 03 09 50 52 8 7 1018 1 0 2000 04 03 09 50 48 8 8 1020 1 0 2000 04 03 09 50 36 8 9 1020 1 0 2000 04 03 09 50 30 8 10 1028 1 0 2000 04 03 09 50 22 8 For detailed output description see the corresponding command manual You can perform a remote ping DHCP test only when no DHCP client is enabled on any interface Otherwise the DHCP Server sends the response to an interface enabled with the DH...

Page 739: ...s of the FTP server as 10 2 2 2 Sysname remote ping administrator ftp destination ip 10 2 2 2 Configure the FTP login username Sysname remote ping administrator ftp username admin Configure the FTP login password Sysname remote ping administrator ftp password admin Configure the type of FTP operation Sysname remote ping administrator ftp ftp operation put Configure a file name for the FTP operatio...

Page 740: ...tor tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52 9 5 15772 1 0 2000 04 03 03 59 37 0 6 15653 1 0 2000 04 03 03 59 21 2 7 9792 1 0 2000 04 03 03 59 05 5 8 9794 1 0 2000 04 03 03 58 55 6 9 9891 1 0 2000 04 03 03 58 45 8 10 3245 1 0 2000 04 03 03 58 35 9 For...

Page 741: ... the HTTP server as 10 2 2 2 Sysname remote ping administrator http destination ip 10 2 2 2 Configure to make 10 probes per test Sysname remote ping administrator http count 10 Set the probe timeout time to 30 seconds Sysname remote ping administrator http timeout 30 Start the test Sysname remote ping administrator http test enable Display test results Sysname remote ping administrator http displa...

Page 742: ...x Response Status LastRC Time 1 13 1 0 2000 04 02 15 15 52 5 2 9 1 0 2000 04 02 15 15 52 5 3 3 1 0 2000 04 02 15 15 52 5 4 3 1 0 2000 04 02 15 15 52 5 5 3 1 0 2000 04 02 15 15 52 5 6 2 1 0 2000 04 02 15 15 52 4 7 3 1 0 2000 04 02 15 15 52 4 8 3 1 0 2000 04 02 15 15 52 4 9 2 1 0 2000 04 02 15 15 52 4 10 2 1 0 2000 04 02 15 15 52 4 For detailed output description see the corresponding command manual...

Page 743: ...r Jitter test type Jitter Configure the IP address of the remote ping server as 10 2 2 2 Sysname remote ping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the remote ping server Sysname remote ping administrator Jitter destination port 9000 Configure to make 10 probes per test Sysname remote ping administrator http count 10 Set the probe timeout time to 30 seconds ...

Page 744: ...Negative SD Square Sum 200 Negative DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname remote ping administrator Jitter display remote ping history administrator Jitter remote ping entry admin administrator tag Jitter history record Index Response Status LastRC Time 1 274 1 0 2000 04 02 08 14 58 2 2 278 1 0 2000 04 02 08 14 57 9 3 280 1 0...

Page 745: ...example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure Remote ping Client Switch A Enable the remote ping client Sysname system view Sysname remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to snmp Sysname remote ping administrator snmp Configure t...

Page 746: ...trator snmp display remote ping history administrator snmp remote ping entry admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5 9 1 0 2000 04 03 08 57 19 9 6 11 1 0 2000 04 03 08 57 19 9 7 10 1 0 2000 04 03 08 57 19 9 8 10 1 0 2000 04 03 08 57 19 ...

Page 747: ...rt on the remote ping server Sysname remote ping administrator tcpprivate destination port 8000 Configure to make 10 probes per test Sysname remote ping administrator tcpprivate count 10 Set the probe timeout time to 5 seconds Sysname remote ping administrator tcpprivate timeout 5 Start the test Sysname remote ping administrator tcpprivate test enable Display test results Sysname remote ping admin...

Page 748: ...and the remote ping server are switches Perform a remote ping Udpprivate test on the specified ports between the two switches to test the RTT of UDP packets between this end remote ping client and the specified destination end remote ping server Network diagram Figure 1 9 Network diagram for the Udpprivate test Configuration procedure z Configure Remote ping Server Switch B Enable the remote ping ...

Page 749: ...operation times 10 Receive response times 10 Min Max Average Round Trip Time 10 12 10 Square Sum of Round Trip Time 1170 Last complete test time 2000 4 2 8 29 45 5 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number...

Page 750: ...setting the administrator name to administrator and test tag to dns Sysname remote ping administrator dns Configure the test type as dns Sysname remote ping administrator dns test type dns Configure the IP address of the DNS server as 10 2 2 2 Sysname remote ping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname remote ping administrator dns dns resolv...

Page 751: ...DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Failed Times 0 Sysname remote ping administrator dns display remote ping history administrator dns remote ping entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50 40 9 2 10 1 0 2006 11 28 11 50 40 9 3 10 1 0 2006 11 28 11 50 40 9 4 7 1 0 2006 11 28 11 50 40 ...

Page 752: ...6 ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 13 Configuring IPv6 DNS 1 14 Displaying and Maintaining IPv6 1 15 IPv6 Configuration Example 1 16 IPv6 Unicast Address Configuration 1 16 2 IPv6 Application Configuration 2 1 Introduction to IPv6 Application 2 1 IPv6 Application Configuration 2 1 IPv6 Ping 2 1 IPv6 Traceroute 2 1 IPv6 TFTP 2 ...

Page 753: ...nificant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits IPv6 Features Header format simplification IPv6 cuts down some IPv4 header fields or move them to extension headers to reduce the load of basic IPv6 headers IPv6 uses a fixed length header thus making IPv6 packet handling simple and improving the forwarding efficiency Although the IPv6 add...

Page 754: ... prefix FE80 64 to communicate with other hosts on the link Built in security IPv6 uses IPSec as its standard extension header to provide end to end security This feature provides a standard for network security solutions and improves the interoperability between different IPv6 applications Support for QoS The Flow Label field in the IPv6 header allows the device to label packets in a flow and pro...

Page 755: ...nd interface ID The address prefix and the interface ID are respectively equivalent to the network ID and the host ID in an IPv4 address An IPv6 address prefix is written in IPv6 address prefix length notation where IPv6 address is an IPv6 address in any of the notations and prefix length is a decimal number indicating how many bits from the left of an IPv6 address are the address prefix IPv6 addr...

Page 756: ...ery protocol and the stateless autoconfiguration process Routers must not forward any packets with link local source or destination addresses to other links z IPv6 unicast site local addresses are similar to private IPv4 addresses Routers must not forward any packets with site local source or destination addresses outside of the site equivalent to a private network z Loopback address The unicast a...

Page 757: ...icast addresses are currently required to be 64 bits long An interface identifier is derived from the link layer address of that interface Interface identifiers in IPv6 addresses are 64 bits long while MAC addresses are 48 bits long Therefore the hexadecimal number FFFE needs to be inserted in the middle of MAC addresses behind the 24 high order bits To ensure the interface identifier obtained fro...

Page 758: ...ssage suppression disabled the router regularly sends a router advertisement message containing information such as address prefix and flag bits Redirect message When a certain condition is satisfied the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router to forward packets z 3Com Switch 4210 Family do not support RS RA or Redirect me...

Page 759: ...he NA message After that node A and node B can communicate with each other Neighbor unreachability detection After node A acquires the link layer address of its neighbor node B node A can verify whether node B is reachable according to NS and NA messages 1 Node A sends an NS message whose destination address is the IPv6 address of node B 2 If node A receives an NA message from node B node A consid...

Page 760: ...orks contain not only A records IPv4 addresses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server has the functions of both IPv6 DNS and IPv4 DNS Protocols and Standards Protocol specifications related to IPv6 include z RFC 1881 IPv6 Address Allocation Management z RFC 1887 An Architecture for IPv6 Unicast A...

Page 761: ...the interface z Manual configuration IPv6 site local addresses or global unicast addresses are configured manually IPv6 link local addresses can be acquired in either of the following ways z Automatic generation The device automatically generates a link local address for an interface according to the link local address prefix FE80 64 and the link layer address of the interface z Manual assignment ...

Page 762: ...eneration the automatically generated link local address will not take effect and the link local address of an interface is still the manually assigned one If the manually assigned link local address is deleted the automatically generated link local address takes effect z You must have carried out the ipv6 address auto link local command before you carry out the undo ipv6 address auto link local c...

Page 763: ...w system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors max learning num number Optional The default value is 2 048 Configure the attempts to send an ns message for duplicate address detection The device sends a neighbor solicitation NS message for duplicate address detection If t...

Page 764: ...achable timeout time elapsed Table 1 10 Configure the neighbor reachable timeout time on an interface To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the neighbor reachable timeout time ipv6 nd nud reachable time value Optional 30 000 milliseconds Configuring a Static IPv6 Route You can configure static IPv6 ...

Page 765: ... specified time Currently the token bucket algorithm is adopted You can set the capacity of a token bucket namely the number of tokens in the bucket In addition you can set the update period of the token bucket namely the interval for updating the number of tokens in the token bucket to the configured capacity One token allows one IPv6 ICMP error packet to be sent Each time an IPv6 ICMP error pack...

Page 766: ...wing command to enable the dynamic domain name resolution function In addition you should configure a DNS server so that a query request message can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically adds the preset suffix for addr...

Page 767: ... ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include regular expression Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface interface type interface number vlan vlan id count Display information about the routing table display ipv6 route table verbose Display in...

Page 768: ... are directly connected through two Ethernet ports The Ethernet ports belong to VLAN 1 IPv6 addresses are configured for the interface Vlan interface1 on each switch to verify the connectivity between the two switches The global unicast address of Switch A is 3001 1 64 and the global unicast address of Switch B is 3001 2 64 Network diagram Figure 1 5 Network diagram for IPv6 address configuration ...

Page 769: ... 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses Display the brief IPv6 information of the interface on Switch B SwitchB Vlan interface1 display ipv6 interface Vlan interface 1 Vlan interface1 current state UP Line protocol current state UP IPv6 is enabled link loc...

Page 770: ... Reply from FE80 2E0 FCFF FE00 2006 bytes 56 Sequence 4 hop limit 64 time 7 ms Reply from FE80 2E0 FCFF FE00 2006 bytes 56 Sequence 5 hop limit 64 time 14 ms FE80 2E0 FCFF FE00 2006 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 6 22 77 ms SwitchA Vlan interface1 ping ipv6 3001 2 PING 3001 2 56 data bytes press CTRL_C to break Reply from 3001 2 b...

Page 771: ...about the ping command refer to System Maintenance and Debugging After you execute the ping ipv6 command you can press Ctrl C to terminate the ping operation Table 2 1 Ping IPv6 To do Use the command Remarks Ping IPv6 ping ipv6 a source ipv6 c count m interval s packet size t timeout remote system i interface type interface number Required Available in any view When you use the ping ipv6 command t...

Page 772: ...ion using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination Table 2 2 Traceroute IPv6 To do Use the command Remarks Traceroute IPv6 tracert ipv6 f first ttl m max ttl p port q packet...

Page 773: ...et client application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client and Device B is the Telnet server Figure 2 2 Provide Telnet services Device A Device B Host Telnet Client Telnet Client Telnet Server Telnet Server Configuration prerequisites Enable Telnet on the T...

Page 774: ...ver for providing Telnet service and TFTP service to the switch respectively It is required that you telnet to the telnet server from SWA and download files from the TFTP server Network diagram Figure 2 3 Network diagram for IPv6 applications SWA SWB SWC 3003 2 64 3003 1 64 3002 2 64 3002 1 64 3001 2 64 3001 4 64 3001 3 64 Telnet_Server TFTP_Server Configuration procedure You need configure IPv6 a...

Page 775: ...03 1 SWA ipv6 route static 3001 64 3003 1 SWA quit Trace the IPv6 route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms 10 ms 0 ms SWA downloads a file from TFTP server 3001 3 SWA tftp ipv6 3001 3 get filetoget flash filegothere File will be transferred in binary mode Downloading file from remote tftp server please wa...

Page 776: ...st can be pinged through check whether the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port Unable to Run TFTP Symptom Unable to download and upload files by performing TFTP operations Solution z Check that the route between the device and the TFTP server is up z Check that the ...

Page 777: ...he Limitation of Minimum Password Length 1 5 Configuring History Password Recording 1 6 Configuring a User Login Password in Interactive Mode 1 7 Configuring Login Attempt Times Limitation and Failure Processing Mode 1 7 Configuring the Password Authentication Timeout Time 1 8 Configuring Password Composition Policies 1 9 Displaying Password Control 1 10 Password Control Configuration Example 1 10...

Page 778: ...n change it when logging into the device Password aging Alert before password expiration Users can set their respective alert time If a user logs into the system when the password is about to age out that is the remaining usable time of the password is no more than the set alert time the switch will alert the user to the forthcoming expiration and prompts the user to change the password as soon as...

Page 779: ...e failure processing modes By default the switch adopts the first mode but you can actually specify the processing mode as needed Allow the user to log in again without any inhibition Telnet and SSH passwords User blacklist If the maximum number of attempts is exceeded the user cannot log into the switch and is added to the blacklist by the switch All users in the blacklist are not allowed to log ...

Page 780: ...cording the maximum number of history password records the alert time before password expiration the timeout time for password authentication the maximum number of attempts and the processing mode for login attempt failures If the password attempts of a user fail for several times the system adds the user to the blacklist You can execute the display password control blacklist command in any view t...

Page 781: ...ether the user password ages out when a user logging into the system is undergoing the password authentication This has three cases 1 The password has not expired The user logs in before the configured alert time In this case the user logs in successfully 2 The password has not expired The user logs in after the configured alert time In this case the system alerts the user to the remaining time in...

Page 782: ...assword does not meet the limitation it informs the user of this case and requires the user to input a new password Table 1 3 Configure the limitation of the minimum password length Operation Command Description Enter system view system view Enable the limitation of minimum password length password control length enable Optional By default the limitation of minimum password length is enabled Confi...

Page 783: ...d for each user The purpose is to inhibit the users from using one single password or using an old password for a long time to enhance the security Table 1 4 Configure history password recording Operation Command Description Enter system view system view Enable history password recording password control history enable Optional By default history password recording is enabled Configure the maximum...

Page 784: ...e and _ The password must conform to the related configuration of password control when you set the local user password in interactive mode Table 1 6 Configure a user login password in interactive mode Operation Command Description Enter system view system view Enter the specified user view local user user name Configure a user login password in interactive mode password Optional Input a password ...

Page 785: ...dress the blacklist will not affect the user anymore when the user logs into the switch The system administrator can perform the following operations to manually remove one or all user entries in the blacklist Table 1 8 Manually remove one or all user entries in the blacklist Operation Command Description Delete one specific or all user entries in the blacklist reset password control blacklist use...

Page 786: ...ree categories and level 4 four categories When you set or modify a password the system will check if the password satisfies the component requirement If not an error message will occur Table 1 10 Configure password composition policy Operation Command Description Enter system view system view Enable the password composition check function password control composition enable Optional By default th...

Page 787: ...swords the settings in local user view override those in system view unless the former are not provided z For super passwords the separate settings for super password override those in system view unless the former are not provided Displaying Password Control After completing the above configuration you can execute the display command in any view to display the operation of the password control an...

Page 788: ...sword to 3 and the minimum number of characters in each composition type to 3 Sysname password control super composition type number 3 type length 3 Configure a super password Sysname super password level 3 simple 11111AAAAAaaaaa Create a local user named test Sysname local user test Set the minimum password length for the local user to 6 Sysname luser test password control length 6 Set the minimu...

Page 789: ...and Debugging Smart Link 1 6 Smart Link Configuration Example 1 6 Implementing Link Redundancy Backup 1 6 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 How Monitor Link Works 2 2 Configuring Monitor Link 2 2 Configuration Tasks 2 3 Creating a Monitor Link Group 2 3 Configuring the Uplink Port 2 3 Configuring a Downlink Port 2 4 Displaying Monitor Link Configuration 2 4 Monitor ...

Page 790: ...and the other port is blocked that is in the standby state When link failure occurs on the port in active state the Smart Link group will block the port automatically and turn standby state to active state on the blocked port Figure 1 1 Network diagram of Smart Link Switch A Switch B Switch C Eth1 0 1 Eth1 0 2 uplink uplink Master Port Slave Port In Figure 1 1 Ethernet1 0 1 and Ethernet1 0 2 on Sw...

Page 791: ... in Figure 1 1 receive and process flush messages of this control VLAN and then refresh MAC forwarding table entries and ARP entries z Currently the member ports of a Smart Link group cannot be dynamic link aggregation groups z If the master port or slave port of a Smart Link group is a link aggregation group you cannot remove this link aggregation group directly or change the aggregation group in...

Page 792: ...void loops thus preventing broadcast storm z Disable STP on the port After completing the configuration you need to enable the Ethernet ports disabled before configuring the Smart Link group Configuration Tasks Table 1 1 Smart Link configuration tasks Task Remarks Create a Smart Link group Add member ports to the Smart Link group Configuring a Smart Link Device Enable the function of sending flush...

Page 793: ...e function of sending flush messages in the specified control VLAN flush enable control vlan vlan id Optional By default no control VLAN for sending flush messages is specified Configuring Associated Devices An associated device mentioned in this document refers to a device that supports Smart Link and locally configured to process flush messages received from the specified control VLAN so as to w...

Page 794: ...e both engaged with a cable at the same time 6 When you copy a port the Smart Link Monitor Link group member information configured on the port will not be copied to other ports 7 If a single port is specified as a member of a Smart Link Monitor Link group you cannot execute the lacp enable command on this port or add this port into other dynamic link aggregation groups because these operations wi...

Page 795: ...istics information of flush messages received and processed by the current device display smart link flush You can execute the display command in any view Clear flush message statistics reset smart link packets counter You can execute the reset command in user view Smart Link Configuration Example Implementing Link Redundancy Backup Network requirements As shown in Figure 1 3 Switch A is a 3Com sw...

Page 796: ... 1 0 2 slave Configure to send flush messages within VLAN 1 SwitchA smlk group1 flush enable control vlan 1 2 Enable the function of processing flush messages received from VLAN 1 on Switch C Enter system view SwitchC system view Enable the function of processing flush messages received from VLAN 1 on Ethernet 1 0 2 SwitchC smart link flush enable control vlan 1 port Ethernet 1 0 2 3 Enable the fu...

Page 797: ...onitor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a Monitor Link group implementation Switch A Eth1 0 1 Eth1 0 2 Eth1 0 3 Uplink Downlink As shown in Figure 2 1 the Monitor Link group configured on the device Switch A consists of an uplink port Ethernet1 0 1 and two downlink ports Ethernet1...

Page 798: ...A configured with Smart Link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of Ethernet1 0 1 z If Switch C is configured with Monitor Link group and Monitor Link group detects that the link for the uplink port Ethernet1 0 1 fails all the downlink ports in the group are shut down therefore Ethernet1 0 3 on Switch C is blocked Now Sm...

Page 799: ...plink Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Table 2 2 Create a Monitor Link group Operation Command Remarks Enter system view system view Create a Monitor Link group monitor link group group id Required Configuring the Uplink Port Table 2 3 Configure the uplink port Operation Command Remarks Enter system view system view Enter the specified Monitor Link g...

Page 800: ... specified Ethernet port as a downlink port of the Monitor Link group Ethernet port view port monitor link group group id downlink Required Use either approach z A Smart Link Monitor Link group with members cannot be deleted A Smart Link group as a Monitor Link group member cannot be deleted z The Smart Link Monitor Link function and the remote port mirroring function are incompatible with each ot...

Page 801: ...to access the server and Internet due to uplink link or port failure Network diagram Figure 2 3 Network diagram for Monitor Link configuration BLOCK Switch A Switch B Eth1 0 1 Eth1 0 2 Switch C Switch D Switch E Eth1 0 1 Eth1 0 2 Eth1 0 3 Server Eth1 0 2 Eth1 0 2 Eth1 0 1 Eth1 0 1 Eth1 0 3 Eth1 0 11 Eth1 0 10 PC 1 PC 4 PC 3 PC 2 Internet Configuration procedure 1 Enable Smart Link on Switch A and ...

Page 802: ...h C Enter system view SwitchC system view Create Monitor Link group 1 and enter Monitor Link group view SwitchC monitor link group 1 Configure Ethernet1 0 1 as the uplink port of the Monitor Link group and Ethernet1 0 2 and Ethernet1 0 3 as the downlink ports SwitchC mtlk group1 port Ethernet 1 0 1 uplink SwitchC mtlk group1 port Ethernet 1 0 2 downlink SwitchC mtlk group1 port Ethernet 1 0 3 down...

Page 803: ...Attack Defense Based on 802 1x 3 Overview 3 Configuring 802 1x Based ARP IP Attack Defense 4 Configuring ARP Source MAC Address Consistency Check 4 Introduction 4 Enabling ARP Source MAC Address Consistency Check 5 ARP Attack Defense Configuration Example I 5 Network Requirements 5 Network Diagram 5 Configuration Procedures 5 ARP Attack Defense Configuration Example II 6 Network Requirements 6 Net...

Page 804: ...gateway will be redirected to the fake MAC address and the client will be unable to access the external network Figure 1 1 Gateway spoofing attack To prevent gateway spoofing attacks Switch can filter ARP packets based on the gateway s address 1 You can bind the gateway s IP address to the downstream port directly connected to hosts of the switch After that the port will discard ARP packets with t...

Page 805: ...n Introduction To prevent ARP flood attacks you can limit the number of ARP entries learned by a VLAN interface on switches operating as gateways That is you can set the maximum number of dynamic ARP entries that a VLAN interface can learn If the number of ARP entries learned by the VLAN interface exceeds the specified upper limit the VLAN interface stops learning ARP entries thus to avoid ARP flo...

Page 806: ...clients which obtain IP addresses through DHCP or manual assignment to implement ARP attack detection or IP filtering The feature avoids configuring IP MAC static bindings for clients with static IP addresses configured z With this feature configured for ARP attack detection the device after checking its DHCP snooping and static client entries will use the IP MAC bindings of authenticated 802 1x c...

Page 807: ...ach of such bindings If an ACL fails to be assigned to a binding the corresponding authenticated 802 1x client is forced to go offline z IP filtering based on IP MAC bindings of authenticated 802 1x clients requires 802 1x clients to provide IP addresses otherwise the IP addresses of 802 1x clients cannot be obtained To ensure IP addresses of DHCP clients can be updated for corresponding IP MAC en...

Page 808: ...ted to Gateway through an access switch Switch The IP and MAC addresses of Gateway are 192 168 100 1 24 and 000D 88F8 528C To prevent gateway spoofing attacks from Host A and Host B configure ARP packet filtering based on the gateway s IP and MAC addresses on Switch Network Diagram Figure 1 2 Network diagram for ARP attack defense I Eth1 0 1 Eth1 0 2 Eth1 0 3 Switch Vlan int 1 192 168 100 1 24 MAC...

Page 809: ... B To prevent ARP attacks such as ARP flooding z Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header z Limit the number of dynamic ARP entries learned on VLAN interface 1 Network Diagram Figure 1 3 Network diagram for ARP attack defense II Switch A Gateway Switch B Host B Ho...

Page 810: ... on the switch to prevent ARP attacks Network Diagram Figure 1 4 Network diagram for 802 1x based ARP IP attack defense Configuration Procedures Enter system view Switch system view Enable 802 1x authentication globally Switch dot1x Enable ARP attack detection for VLAN 1 Switch vlan 1 Switch vlan1 arp detection enable Switch vlan1 quit Configure Ethernet 1 0 2 and Ethernet 1 0 3 as ARP trusted por...

Page 811: ...ble 802 1x on Ethernet 1 0 1 Switch interface ethernet1 0 1 Switch Ethernet1 0 1 dot1x Enable IP filtering based on IP MAC bindings of authenticated 802 1x clients Switch Ethernet1 0 1 ip check dot1x enable ...

Page 812: ... Re Initialization Delay 1 7 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address 1 8 Setting Other LLDP Parameters 1 9 Setting an Encapsulation Format for LLDPDUs 1 10 Configuring CDP Compatibility 1 10 Configuration Prerequisites 1 11 Configuring CDP Compatibility 1 11 Configuring LLDP Trapping 1 11 Displaying and Maintaining LLDP 1 12 LLDP Confi...

Page 813: ...LDP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions management IP address device ID and port ID as TLV type length and value triplets in LLDPDUs to the directly connected devices and at the same time stores the device information received in...

Page 814: ...ing bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame 2 SNAP encapsulated LLDP frame format Figure 1 2 SNAP encapsulated LLDP frame format Data LLDPU n bytes 0 Destination MAC address Source MAC address Type 15 31 FCS The fields...

Page 815: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and LLDP MED media endpoint discovery TLVs Basic management TLVs are essential to device management Organizationally specific TLVs and LLDP MED TLVs are used for enhanced device management they are defi...

Page 816: ...ame on the port Protocol Identity Protocols supported on the port Currently 3Com switches 4210 support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Configuration Status Contains the rate and duplex capabilities of the sending port support for auto negotiation enabling status...

Page 817: ... endpoint to advertise its vendor name Model Name Allows a MED endpoint to advertise its model name Asset ID Allows a MED endpoint to advertise its asset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the appropriate location identifier information for an...

Page 818: ...mit interval resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved and an aging timer is set for it based on the time to live TTL TLV carried in the LLDPDU If the TTL TLV is zero the information is aged out immediately Protocols and Standards The protocols...

Page 819: ... only receives LLDP frames z Disable mode A port in this mode does not send or receive LLDP frames Follow these steps to set LLDP operating mode To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Required Set the LLDP operating mode lldp admin status disable rx tx txrx Optional TxRx by default Setting the LLDP Re Init...

Page 820: ...port description system capability system description system name dot1 tlv all port vlan id protocol vlan id vlan id vlan name vlan id dot3 tlv all link aggregation mac physic max frame size power med tlv all capability inventory location id civic address device type country code ca type ca value 1 10 elin address tel number network policy power over ethernet Optional By default all types of LLDP ...

Page 821: ...n be saved on a neighbor device by setting the TTL multiplier The TTL is expressed as follows TTL Min 65535 TTL multiplier LLDPDU transmit interval As the expression shows the TTL can be up to 65535 seconds TTLs greater than it will be rounded down to 65535 seconds Follow these steps to change the TTL multiplier To do Use the command Remarks Enter system view system view Set the TTL multiplier lld...

Page 822: ... Enter Ethernet interface view interface interface type interface number Required Set the encapsulation format for LLDPDUs to SNAP lldp encapsulation snap Required Ethernet II encapsulation format applies by default To restore the default use the undo lldp encapsulation command LLDP CDP CDP is short for the Cisco Discovery Protocol packets use only SNAP encapsulation Configuring CDP Compatibility ...

Page 823: ...mpatible LLDP to operate in TxRx mode Follow these steps to enable LLDP to be compatible with CDP To do Use the command Remarks Enter system view system view Enable CDP compatibility globally lldp compliance cdp Required Disabled by default Enter Ethernet interface view interface interface type interface number Required Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin st...

Page 824: ... the LLDP TLVs sent from neighboring devices display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of a...

Page 825: ... 2 lldp enable SwitchA Ethernet1 0 2 lldp admin status rx SwitchA Ethernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on Ethernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface ethernet 1 0 1 SwitchB Ethernet1 0 1 lldp enable SwitchB Ethernet1 0 1 lldp admin...

Page 826: ...tional TLV 0 Number of received unknown TLV 3 As the sample output shows Ethernet 1 0 1 of Switch A connects a MED device and Ethernet 1 0 2 of Switch A connects a non MED device Both ports operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Glo...

Page 827: ...n in the sample output Ethernet 1 0 2 of Switch A does not connect any neighboring devices CDP Compatible LLDP Configuration Example Network requirements As shown in Figure 1 5 z Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A are each connected to a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP compatibility of LLDP on Switch A to allow the Cisco IP phones to automatically configur...

Page 828: ...d configure CDP compatible LLDP to operate in TxRx mode on Ethernet 1 0 1 and Ethernet 1 0 2 SwitchA interface ethernet 1 0 1 SwitchA Ethernet1 0 1 lldp enable SwitchA Ethernet1 0 1 lldp admin status txrx SwitchA Ethernet1 0 1 lldp compliance admin status cdp txrx SwitchA Ethernet1 0 1 quit SwitchA interface ethernet 1 0 2 SwitchA Ethernet1 0 2 lldp enable SwitchA Ethernet1 0 2 lldp admin status t...

Page 829: ... 17 Platform Cisco IP Phone 7960 Duplex Full As the sample output shows Switch A has discovered the IP phones connected to Ethernet 1 0 1 and Ethernet 1 0 2 and has obtained their LLDP device information ...

Page 830: ...a Certificate Request in Manual Mode 1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Displaying and Maintaining PKI 1 12 PKI Configuration Examples 1 13 Requesting a Certificate from a CA Running RSA Keon 1 13 Requesting a Certificate from a CA Running ...

Page 831: ...rtificate mechanism to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides network communication and e commerce with security services such as user authentication data non repudiation data confidentiality and data integrity Currently PKI system provides Sec...

Page 832: ...blish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of these CRLs CA policy A CA policy is a set of criteria that a CA follows in processing certificate requests issuing and revoking certificates and publishing CRLs Usually a CA advertises its policy in ...

Page 833: ...of PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network VPN is a private data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPSec in conjunction with PKI ba...

Page 834: ...ting a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting a Certificate Optional Configuring an Access Control Policy Optional Configuring an Entity DN A certificate is the binding of a public key and the identity information of an entity where the identity...

Page 835: ...y fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locality locality name Optional No locality is specified by default Configure the organization name for the entity organization org name Optional No organization is specified by default Configure the unit ...

Page 836: ...dicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate request manually During this period the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed You can configure th...

Page 837: ...and optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is configured by default z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in local certificate request z Cur...

Page 838: ...n RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information Follow these steps to submit a certificate request in manual mode To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name S...

Page 839: ...n send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request certificate domain configuration will not be saved in the configuration file Retrieving a Certificate Manually You can download an existing CA certificate local certificate or peer entity certificate fr...

Page 840: ... CRL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verification To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Specify the URL of the CRL distribution point crl url url string Optional No CRL distr...

Page 841: ...e CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter syst...

Page 842: ...ame by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control policy exists by default Configure a certificate attribute based access control rule rule id deny permit group name Required No access control rule exists by default A certificate attribute group must ex...

Page 843: ...icate from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device submits a local certificate request to the CA server z The device acquires the CRLs for certificate verification Figure 1 2 Request a certificate from a CA running RSA Keon Configuration procedure 1 Configure the CA server Create a CA server named myca In this example you ne...

Page 844: ...name Switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa ca identifier myca Configure the URL of the registration server in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is a hexadecimal string generated on the CA serv...

Page 845: ...ing CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate request Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki cert...

Page 846: ...765A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate ca domain and display pki crl domain com...

Page 847: ... From the start menu select Control Panel Administrative Tools Internet Information Services IIS Manager and then select Web Sites from the navigation tree Right click on Default Web Site and select Properties Home Directory Specify the path for certificate service in the Local path text box In addition you are recommended to specify an available port number as the TCP port number of the default W...

Page 848: ... 4DCE 439C 1C1F 83AB SHA1 fingerprint 97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate request Successfully Saving the local ce...

Page 849: ... 4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points URI http l00192b CertEnroll CA 20server crl URI file l00192b CertEnroll CA server crl Authority Information Access CA Issuers URI http l00192b CertEnroll l00192b_CA 20server crt CA Issuers URI file l00192b CertEnroll l00192b_CA server crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSA...

Page 850: ...t proper For example the network cable may be damaged or loose z No CA certificate has been retrieved z The current key pair has been bound to a certificate z No trusted CA is specified z The URL of the registration server for certificate request is not correct or not configured z No authority is specified for certificate request z Some required parameters of the entity DN are not configured Solut...

Page 851: ...red z The LDAP server version is wrong Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LDAP server z Specify the CRL distribution URL z Re configure the LDAP version ...

Page 852: ...k List 1 2 Configuring an SSL Server Policy 1 2 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuration Prerequisites 1 6 Configuration Procedure 1 6 Displaying and Maintaining SSL 1 7 Troubleshooting SSL 1 7 SSL Handshake Failure 1 7 ...

Page 853: ... and the client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI z Reliability SSL uses the key based message authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figur...

Page 854: ...and master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key z SSL alert protocol Allowing a client and the server to send alert messages to each other An alert message contains the alert severity level and a description z SSL record protoc...

Page 855: ...erver policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional By default an SSL server policy supports all cipher suites Set the handshake timeout time for the SSL server handshake timeout time Optional 3 600 seconds by default Configure the SSL connectio...

Page 856: ... 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z The switch offers Web authentication to preform access authentication for clients z The client opens the authentication page in SSL based HTTPS mode thus guaranteeing information transmission security z A CA issues a certificate to Switch In this instance Windows Server works as the CA and t...

Page 857: ...verify enable Switch ssl server policy myssl quit 3 Configure Web authentication Set the IP address and port number of the Web authentication server Sysname system view Sysname web authentication web server ip 10 10 10 10 port 8080 Configure to perform Web authentication in HTTPS mode using SSL server policy myssl Switch web authentication protocol https server policy myssl Enable Web authenticati...

Page 858: ...llowing steps to access the Internet Step 1 Enter http 10 10 10 10 8080 in the address column of IE Step 2 Enter the correct user name and password and then click login The following page will be displayed Authentication passed Now the user can access external networks Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server...

Page 859: ... name all Available in any view Troubleshooting SSL SSL Handshake Failure Symptom As the SSL server the device fails to handshake with the SSL client Analysis SSL handshake failure may result from the following causes z No SSL server certificate exists or the certificate is not trusted z The server is expected to authenticate the client but the SSL client has no certificate or the certificate is n...

Page 860: ...not be trusted request and install a certificate for the client 2 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by the SSL server does not match that used by the client use the ciphersuite command to modify the cipher suite of the SSL server ...

Page 861: ... 1 1 Associating the HTTPS Service with an SSL Server Policy 1 2 Enabling the HTTPS Service 1 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 1 3 Associating the HTTPS Service with an ACL 1 3 Displaying and Maintaining HTTPS 1 3 HTTPS Configuration Example 1 4 ...

Page 862: ... clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of the device z Defines certificate attribute based access control policy for the device to control the access right of the client in order to further avoid attacks from illegal...

Page 863: ...ce through the Web function only when the HTTPS service is enabled Follow these steps to enable the HTTPS service To do Use the command Remarks Enter system view system view Enable the HTTPS service ip https enable Required Disabled by default z After the HTTPS service is enabled you can use the display ip https command to view the state of the HTTPS service and verify the configuration z Enabling...

Page 864: ... access control policy z If the HTTPS service is associated with a certificate attribute access control policy the client verify enable command must be configured in the SSL server policy Otherwise the client cannot log onto the device z If the HTTPS service is associated with a certificate attribute access control policy the latter must contain at least one permit rule Otherwise no HTTPS client c...

Page 865: ...rocedure Perform the following configurations on Device 1 Apply for a certificate for Device Configure a PKI entity Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url h...

Page 866: ...olicy myacp and create a control rule Device pki certificate access control policy myacp Device pki cert acp myacp rule 1 permit mygroup1 Device pki cert acp myacp quit 4 Reference an SSL server policy Associate the HTTPS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HT...

Page 867: ...i Table of Contents Appendix A Acronyms A 1 ...

Page 868: ... DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Registration Protocol H HGMP HUAWEI Group Management Protocol HTTP Hyper Text Transport Protocol HWTACACS HUAWEI T...

Page 869: ...RAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PKI Public Key Infrastructure Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanning Tree Protocol S SNMP Simple Network Management Protocol SP Strict Prior...

Page 870: ...A 3 TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Search results

Summary of Contents for Switch 4210 52-Port

Reviews:

Related manuals for Switch 4210 52-Port

Brands by name

Popular brands

3Com Switch 4210 52-Port, Configuration Manual

Search results

Summary of Contents for Switch 4210 52-Port

Reviews:

Related manuals for Switch 4210 52-Port

Brands by name

Popular brands