3Com Switch 4210 9-Port Configuration Manual Download Page 123 | Manualshive

Page: 123 / 567

background image

12

P

ORT

S

ECURITY

C

ONFIGURATION

Port Security
Overview

Introduction

Port security is a security mechanism for network access control. It brings together
both 802.1x access control and MAC address authentication and allows for
combinations of these technologies.

Port security allows you to define various security modes that enable devices to
learn legal source MAC addresses, so that you can implement different network
security management as needed.

With port security enabled, packets whose source MAC addresses cannot be
learned by your switch in a security mode are considered illegal packets, The
events that cannot pass 802.1x authentication or MAC authentication are
considered illegal.

With port security enabled, upon detecting an illegal packet or illegal event, the
system triggers the corresponding port security features and takes pre-defined
actions automatically. This reduces your maintenance workload and greatly
enhances system security and manageability.

Port Security Features

The following port security features are provided:

■

NTK (need to know) feature: By checking the destination MAC addresses in
outbound data frames on the port, NTK ensures that the switch sends data
frames through the port only to successfully authenticated devices, thus
preventing illegal devices from intercepting network data.

■

Intrusion protection feature: By checking the source MAC addresses in inbound
data frames or the username and password in 802.1x authentication requests
on the port, intrusion protection detects illegal packets or events and takes a
pre-set action accordingly. The actions you can set include: disconnecting the
port temporarily/permanently, and blocking packets with the MAC address
specified as illegal.

■

Trap feature: When special data packets (generated from illegal intrusion,
abnormal login/logout or other special activities) are passing through the
switch port, the Trap feature enables the switch to send Trap messages to help
the network administrator monitor special activities.

Port Security Modes

Table 77 describes the available port security modes:

«
...
121
122
123
124
125
...
»

Summary of Contents for Switch 4210 9-Port

Page 1: ...Family Configuration Guide Switch 4210 PWR 9 port Switch 4210 PWR 18 port Switch 4210 PWR 26 port Switch 4210 9 port Switch 4210 18 port Switch 4210 26 port www 3Com com Part Number 10016117 Rev AA Published August 2007 ...

Page 2: ... 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be registered in other countries 3Com ...

Page 3: ...hentication Mode Being Scheme 44 Logging in Using a Modem 52 Logging in through the Web based Network Management System 56 Managing from an NMS 59 User Control 60 3 CONFIGURATION FILE MANAGEMENT Introduction to Configuration File 67 Management of Configuration File 68 4 VLAN OVERVIEW VLAN Overview 73 Port Based VLAN 76 5 VLAN CONFIGURATION VLAN Configuration 77 Configuring a Port Based VLAN 79 6 M...

Page 4: ... 10 LINK AGGREGATION CONFIGURATION Overview 107 Link Aggregation Classification 108 Aggregation Group Categories 110 Link Aggregation Configuration 111 Displaying and Maintaining Link Aggregation Configuration 114 Link Aggregation Configuration Example 114 11 PORT ISOLATION CONFIGURATION Port Isolation Overview 117 Port Isolation Configuration 117 Displaying Port Isolation Configuration 118 Port I...

Page 5: ...icast Models 189 Multicast Architecture 189 Multicast Packet Forwarding Mechanism 195 16 IGMP SNOOPING CONFIGURATION IGMP Snooping Overview 197 IGMP Snooping Configuration 200 Displaying and Maintaining IGMP Snooping 207 IGMP Snooping Configuration Examples 208 Troubleshooting IGMP Snooping 210 Configuring Dropping Unknown Multicast Packets 210 17 802 1X CONFIGURATION Introduction to 802 1x 211 80...

Page 6: ...MAC Authentication Functions 270 MAC Address Authentication Enhanced Function Configuration 271 Displaying and Debugging MAC Authentication 274 MAC Authentication Configuration Example 275 23 ARP CONFIGURATION Introduction to ARP 277 ARP Configuration 279 Displaying and Debugging ARP 279 ARP Configuration Example 280 24 DHCP OVERVIEW Introduction to DHCP 281 DHCP IP Address Assignment 281 DHCP Pac...

Page 7: ...4 30 CLUSTER Cluster Overview 317 Cluster Configuration Tasks 325 Displaying and Maintaining Cluster Configuration 333 Cluster Configuration Example 333 31 POE CONFIGURATION PoE Overview 339 PoE Configuration 340 PoE Configuration Example 344 32 POE PROFILE CONFIGURATION Introduction to PoE Profile 347 PoE Profile Configuration 347 Displaying PoE Profile Configuration 348 PoE Profile Configuration...

Page 8: ...IGURATION SSH Overview 387 Configuring the SSH Server 390 Configuring the SSH Client 396 Displaying SSH Configuration 406 SSH Configuration Examples 406 37 FILE SYSTEM MANAGEMENT CONFIGURATION File System Configuration 423 File Attribute Configuration 426 38 FTP AND SFTP CONFIGURATION Introduction to FTP and SFTP 429 FTP Configuration 430 SFTP Configuration 438 39 TFTP CONFIGURATION Introduction t...

Page 9: ...n Example 491 45 REMOTE PING CONFIGURATION Remote Ping Overview 495 Remote Ping Configuration 498 Remote Ping Configuration Example 511 46 IPV6 MANGEMENT CONFIGURATION IPv6 Overview 525 IPv6 Configuration Task List 532 IPv6 Configuration Example 540 47 IPV6 APPLICATION CONFIGURATION Introduction to IPv6 Application 543 IPv6 Application Configuration 543 IPv6 Application Configuration Example 546 T...

Page 10: ...Password Control Configuration 556 Displaying Password Control 563 Password Control Configuration Example 564 ...

Page 11: ...ists icon conventions that are used throughout this guide Table 2 lists text conventions that are used throughout this guide Table 1 Notice Icons Icon Notice Type Description n Information note Information that describes important features or instructions c Caution Information that alerts you to potential loss of data or potential damage to an application system or device w Warning Information tha...

Page 12: ...information in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Document Format PDF on the CD ROM that accompanies your router or on the 3Com World Wide Web site http www 3com com Words in italics Italics are used to Emphasize a point Denote a new term at the place where it is defined in...

Page 13: ... to enter partially matching text to search for commands This allows you to execute a command by entering partially spelled command keywords as long as the system can uniquely identify the keywords entered Command Hierarchy The Switch 4210 uses hierarchical command protection for command lines to prevent users with fewer access rights from using higher level commands to change the switch s configu...

Page 14: ...cation for user level switching Switching to a specific user level n If no user level is specified in the super password command or the super command level 3 is used by default For security purposes the password entered is not displayed when you switch to another user level You will remain at the original user level if you have tried three times but failed to enter the correct authentication infor...

Page 15: ...operating and maintaining the switch When you change the level of a command with multiple keywords you should input the keywords one by one in the order they appear in the command syntax Otherwise your configuration will not take effect Configuration example The network administrator a level 3 user changes TFTP commands such as tftp get from level 3 to level 0 so that general Telnet users level 0 ...

Page 16: ...e switch To enter the system view execute the system view command Table 4 lists the CLI views provided by the Switch 4210 Family operations that can be performed in each view and the commands used to enter each view Table 4 CLI views View Available operation Prompt example Enter method Quit method User view Display operation status and statistical information of the switch 4210 Enter user view onc...

Page 17: ... Configure user interface parameters 4210 ui aux0 Execute the user interface command in system view FTP client view Configure FTP client parameters ftp Execute the ftp command in user view SFTP client view Configure SFTP client parameters sftp client Execute the sftp command in system view MST region view Configure MST region parameters 4210 mst region Execute the stp region configuration command ...

Page 18: ...all available keywords at the position and their descriptions will be displayed on your terminal Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 4210 acl basic 2000 Execute the acl number command in system view Execute the quit command to return to system view Execute the return command to return to user view Advanced ACL view Define rules for an advanced ACL with ID ...

Page 19: ...y u udp unit user interface users 3 Enter the first several characters of a command s keyword and then press Tab If there is a unique keyword beginning with the characters just typed the unique keyword is displayed in its complete form If there are multiple keywords beginning with the characters you can display then one by one in complete form by pressing Tab repeatedly Terminal Display The CLI pr...

Page 20: ...st executed history commands Execute the display history command command This command displays the command history Recall the previous history command Press the up arrow key or Ctrl P This operation recalls the previous history command if available Recall the next history command Pressing the down arrow key or Ctrl N This operation recalls the next history command if available Table 7 Common error...

Page 21: ... keyword and press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parameter you can display them one by one in complete form by pressing Tab repeatedly if no keyword matches the input parameter the system displays your original input on a new line without any change Tabl...

Page 22: ...20 CHAPTER 1 CLI CONFIGURATION ...

Page 23: ... Ethernet port or remotely over the network using Telnet or SSH The VTY port is the logical port associated with your management session User Interface Index Index numbers are used to distinguish between multiple users accessing the switch for management at the same time There are two types of user interface indexes absolute user interface index and relative user interface index 1 The absolute use...

Page 24: ...ee user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal login shell text Optional By default no banner is configured Set a system name for the switch sysname string Optional By default the system name is 4210 Enable copyright information displaying copyright info enable Optional By default one word copyright displa...

Page 25: ...ing into a switch you can perform configuration for AUX users Refer to Common Configurations on page 26 Following are the procedures to connect to a switch through the Console port 1 Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 1 Figure 1 Diagram for connecting to the Console port of a switch 2 the terminal emulation utility you are most familiar...

Page 26: ...24 CHAPTER 2 LOGGING INTO AN ETHERNET SWITCH Figure 2 Create a connection Figure 3 Specify the port used to establish the connection ...

Page 27: ...r key if the switch successfully completes POST power on self test The prompt such as 4210 appears after you press the Enter key as shown in Figure 5 Figure 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corresponding commands You can also acquire help by typing the character ...

Page 28: ... Check mode Optional By default the check mode of the Console port is set to none which means no check bit Stop bits Optional The default stop bits of a Console port is 1 Data bits Optional The default data bits of a Console port is 8 AUX user interface configuration Configure the command level available to the users logging into the AUX user interface Optional By default commands of level 3 are a...

Page 29: ...gure user names and passwords for local RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a RADIUS user are configured on the RADIUS server Refer to the RADIUS server s user manual for more information Manage AUX users Set service type for AUX users Required Perform common configuration Perform common configuration for Conso...

Page 30: ...s of level 3 are available to users logging into the AUX user interface and commands of level 0 are available to users logging into the VTY user interface Enable terminal services shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 line...

Page 31: ...Console port is 19 200 bps The screen can contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is term...

Page 32: ...ugh the Console port 4210 ui aux0 authentication mode none Specify commands of level 2 are available to users logging into the AUX user interface 4210 ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps 4210 ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 4210 ui aux0 screen length 30 Set the maximum number of commands the history com...

Page 33: ... simple password Required Configure the Console port Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Set the data...

Page 34: ... buffer can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user i...

Page 35: ...assword 4210 ui aux0 authentication mode password Set the local password to 123456 in plain text 4210 ui aux0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into the AUX user interface 4210 ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps 4210 ui aux0 speed 19200 Set the maximum number of lines the screen can c...

Page 36: ... name argument you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to AAA Configuration on page 245 for more information Configure the user name and password accordingly on the AAA server Refer to the AAA server s user manual Specify the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtacacs ...

Page 37: ...gging into the AUX user interface Make terminal services available to the user interface shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in...

Page 38: ...gure to authenticate the users in the scheme mode The baud rate of the Console port is 19 200 bps The screen can contain up to 30 lines The history command buffer can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Network diagram Figure 8 Network diagram for AUX user interface configuration with the authentication mode being scheme Configuration procedure Enter sys...

Page 39: ...PC accordingly in the dialog box shown in Figure 4 to log into the switch successfully Logging in through Telnet The Switch 4210 Family supports Telnet You can manage and maintain a switch remotely by using Telnet to access the switch To log into a switch through Telnet the corresponding configuration is required on both the switch and the Telnet terminal You can also log into a switch through SSH...

Page 40: ... be executed automatically after a user log into the user interface successfully Optional By default no command is executed automatically after a user logs into the VTY user interface VTY terminal configuration Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the sc...

Page 41: ...ion specifies whether to perform local authentication or RADIUS authentication Optional Local authentication is performed by default Refer to AAA Configuration on page 245 Configure user name and password Configure user names and passwords for local RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a remote user are configur...

Page 42: ... user interface successfully auto execute command text Optional By default no command is executed automatically after a user logs into the VTY user interface Make terminal services available shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up...

Page 43: ...ce vty 0 Configure not to authenticate Telnet users logging into VTY 0 4210 ui vty0 authentication mode none Specify commands of level 2 are available to users logging into VTY 0 4210 ui vty0 user privilege level 2 Configure Telnet protocol is supported 4210 ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 4210 ui vty0 screen length 30 Set the maximum nu...

Page 44: ...ser interface Configure the protocol to be supported by the user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the commands to be executed automatically after a user login to the user interface successfully auto execute command text Optional By default no command is executed automatically after a user logs into the VTY user in...

Page 45: ...n contain up to 30 lines The history command buffer can contain up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 10 Network diagram for Telnet configuration with the authentication mode being password Configuration procedure Enter system view 4210 system view Set the timeout time of the user interface idle timeout minutes seconds Optional The default timeout time of ...

Page 46: ...ui vty0 user privilege level 2 Configure Telnet protocol is supported 4210 ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 4210 ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 4210 ui vty0 history command max size 20 Set the timeout time to 6 minutes 4210 ui vty0 idle timeout 6 Telnet Configuration ...

Page 47: ...ed Specify the service type for VTY users service type telnet level level Required Quit to system view quit Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users locally or remotely authentication mode scheme command authorization Required The specified AAA scheme determines whether to authenticate users locally or remotely Users are...

Page 48: ... disable the function to display information in pages Set history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeou...

Page 49: ...Y users that are authenticatedin the RSA mode of SSH The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level The user privilege level level command is executed and the service type command does not...

Page 50: ...command buffer can store up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 11 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter system view 4210 system view Create a local user named guest and enter local user view 4210 local user guest Set the authentication password of the local user to 123456 in plain t...

Page 51: ...an IP address to VLAN interface 1 of the switch VLAN 1 is the default VLAN of the switch Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 12 Figure 12 Diagram for establishing connection to a Console port Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on...

Page 52: ...ding to instructions earlier in this chapter 3 Connect your PC terminal and the switch to an Ethernet as shown in Figure 14 Make sure the port through which the switch is connected to the Ethernet belongs to VLAN 1 and the route between your PC and VLAN interface 1 is reachable Figure 14 Network diagram for Telnet connection establishment 4 Launch Telnet on your PC with the IP address of VLAN inte...

Page 53: ... Refer to Command Hierarchy on page 11 and CLI Views on page 14 for information about command hierarchy Telnetting to another Switch from the Current Switch You can Telnet to another switch from the current switch In this case the current switch operates as the client and the other operates as the server If the interconnected Ethernet ports of the two switches are in the same LAN segment make sure...

Page 54: ...d to configure the administrator side and the switch properly as listed in the following table Configuring the Switch Modem Configuration Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set ...

Page 55: ...ion mode is none Refer to Configuring Console Port Login with no Authentication on page 27 Configuration on switch when the authentication mode is password Refer to Configuring Console Port Login to Require a Password on page 31 Configuration on switch when the authentication mode is scheme Refer to Console Port Login Configuration with Authentication Mode Being Scheme on page 34 Establishin a Mod...

Page 56: ...4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 18 through Figure 20 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 18 Create a connection ...

Page 57: ...ompted If the password is correct the prompt such as 4210 appears You can then configure or manage the switch You can also enter the character at anytime for help n If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to CLI Configuration on page 11 for information about the command line interface ...

Page 58: ...t or telnet This is an example of creating a Web user account with the user name and password set to admin with level 3 priviledges 4210 system view 4210 local user admin 4210 luser admin service type telnet level 3 4210 luser admin password simple admin 3 Establish an HTTP connection between your PC and the switch as shown in Figure 21 Table 25 Requirements for logging into a switch through the W...

Page 59: ...configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner information configured with the header command Then by clicking Continue on the banner page the user can enter the user login authentication page and enter the main page of the Web based network management sys...

Page 60: ...ess of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 24 Figure 24 Banner page displayed when a user logs in to the switch through Web Click Continue to enter user login authentication page You will enter the main page of the Web based network management system if the authentication succeeds Enab...

Page 61: ... RMON Configuration on page 361 for related information To manage your switch from an NMS you need to perform related configuration on both the NMS and the switch Figure 25 Network diagram for logging in through an NMS Disable the Web server undo ip http shutdown Required Table 27 Enable Disable the WEB Server Operation Command Description Table 28 Requirements for logging into a switch through an...

Page 62: ...gh basic ACL Controlling Telnet Users by Source IP Addresses By source and destination IP address Through advanced ACL Controlling Telnet Users by Source and Destination IP Addresses By source MAC address Through Layer 2 ACL Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACL Controlling Network Management Users by Source IP Addresses WEB By source IP add...

Page 63: ...der config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit protocol rule string Required You can define rules as needed to filter by specific source and destination IP addresses Quit to system view quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by speci...

Page 64: ...ontrolling Network Management Users by Source IP Addresses You can manage a Switch 4210 through network management software Network management users can access switches through SNMP You need to perform the following two operations to control network management users by source IP addresses Defining an ACL Applying the ACL to control users accessing the switch through SNMP Enter user interface view ...

Page 65: ...ontrol network management users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL while configu...

Page 66: ... 52 to access the switch 4210 snmp agent community read aaa acl 2000 4210 snmp agent group v2c groupa acl 2000 4210 snmp agent usm user v2c usera groupa acl 2000 Controlling Web Users by Source IP Address You can manage a Switch 4210 remotely through Web Web users can access a switch through HTTP connections You need to perform the following two operations to control Web users by source IP address...

Page 67: ...it Table 34 Control Web users by source IP addresses Operation Command Description Enter system view system view Create a basic ACL or enter basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL to control Web ...

Page 68: ...66 CHAPTER 2 LOGGING INTO AN ETHERNET SWITCH Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch 4210 ip http acl 2030 ...

Page 69: ...configuration settings commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character sections are listed in this order system configuration section logical interface configuration section physical port configuration section routing protoc...

Page 70: ...Port def This has factory loaded default settings recommended by 3Com There is a specific def file for each switch type Management of Configuration File If the default def configuration file does not exist the switch will come up with the switch internal defaults Saving the Current Configuration You can modify the configuration on your device at the command line interface CLI To use the modified c...

Page 71: ...n attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existing in the system this command will erase its backup attribute to allow only one backup attribute configuration file in the device Normal attribute When you use the save cfgfile command to save the current configuration the configuration file you ge...

Page 72: ...e file as the main startup configuration file You can also use the startup saved configuration cfgfile main command to set the file as main startup configuration file Assign backup attribute to the startup configuration file If you save the current configuration to the backup configuration file the system will automatically set the file as the backup startup configuration file You can also use the...

Page 73: ... view Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type interface interface type in...

Page 74: ...72 CHAPTER 3 CONFIGURATION FILE MANAGEMENT ...

Page 75: ...k resources A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the above problems The traditional way is to use routers which forward packets according to the destination IP address and does not forward broadcast packets in the link layer However routers are expensive a...

Page 76: ...ess the network without changing its network configuration VLAN Principles VLAN tag VLAN tags in the packets are necessary for a switch to identify packets of different VLANs A switch works at the data link layer of the OSI model Layer 3 switches are not discussed in this chapter and it can identify the data link layer encapsulation of the packet only so you need to add the VLAN tag field into the...

Page 77: ...ge of 1 to 4 094 VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for the packet and sends the packet to the default VLAN of the inbound port for transmission MAC address learning mechanism of VLANs Switches forward packets according to the destination MAC addre...

Page 78: ...VLAN Port based VLAN technology introduces the simplest way to classify VLANs You can assign the ports on the device to different VLANs Thus packets received on a port will be transmitted through the corresponding VLAN only so as to isolate hosts to different broadcast domains and divide them into different virtual workgroups Ports on Ethernet switches have the three link types access trunk and hy...

Page 79: ...g VLAN configuration Optional Displaying VLAN Configuration Table 42 Basic VLAN configuration Operation Command Description Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Assign a name for the current VLAN name text Optional ...

Page 80: ...terface Vlan interface vlan id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN interface is the name of this VLAN interface Vlan interface1 Interface for example Disable the VLAN interface shutdown Optional By default the VLAN interface is enabled In this c...

Page 81: ...re 32 Switch A and Switch B each connect to a server and a workstation PC For data security concerns the two servers are assigned to VLAN 101 with the descriptive string being DMZ and the PCs are assigned to VLAN 201 The devices within each VLAN can communicate with each other but that in different VLANs cannot communicate with each other directly Network diagram Figure 32 Network diagram for VLAN...

Page 82: ...chB vlan101 quit Create VLAN 201 and add Ethernet1 0 12 to VLAN 201 SwitchB vlan 201 SwitchB vlan201 port Ethernet 1 0 12 SwitchB vlan201 quit Configure the link between Switch A and Switch B Because the link between Switch A and Switch B need to transmit data of both VLAN 101 and VLAN 102 you can configure the ports at the end of the link as trunk ports and permit packets of the two VLANs to pass...

Page 83: ...Based VLAN 81 n For the command of configuring a port link type port link type and the command of allowing packets of certain VLANs to pass through a port port trunk permit refer to Ethernet Port Configuration on page 96 ...

Page 84: ...82 CHAPTER 5 VLAN CONFIGURATION ...

Page 85: ... of the VLAN interface is the one obtained through BOOTP n For details of DHCP refer to the DHCP module Static Route A static route is configured manually by an administrator You can make a network with relatively simple topology to operate properly by simply configuring static routes for it Configuring and using static routes wisely helps to improve network performance and can guarantee bandwidth...

Page 86: ... through Telnet these requirements are to be met Switch A has an IP address and the remote Telnet user is reachable You need to configure the switch as follows Assigning an IP address to the management VLAN interface on Switch A Configuring the default route Table 46 Configure the management VLAN Operation Command Remarks Enter system view system view Configure a specified VLAN to be the managemen...

Page 87: ...management VLAN 4210 vlan 10 4210 vlan10 quit 4210 management vlan 10 Create the VLAN 10 interface and enter VLAN interface view 4210 interface vlan interface 10 Configure the IP address of VLAN 10 interface as 1 1 1 1 24 4210 Vlan interface10 ip address 1 1 1 1 255 255 255 0 4210 Vlan interface10 quit Configure the default route 4210 ip route static 0 0 0 0 0 0 0 0 1 1 1 2 RS 232 serial interface...

Page 88: ...ut the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routing information of the specified protocol display ip routing table protocol protocol in...

Page 89: ...into two parts Net ID The first several bits of the IP address defining a network also known as class bits Host ID Identifies a host on a network For administration sake IP addresses are divided into five classes as shown in the following figure in which the blue parts represent the address class Figure 34 IP address classes Table 48 describes the address ranges of these five classes Currently the...

Page 90: ...ts related to the corresponding bits in an IP address In a subnet mask the section containing consecutive ones identifies the combination of net ID and subnet ID whereas the section containing consecutive zeros identifies the host ID Figure 35 shows how a Class B network is subnetted Figure 35 Subnet a Class B network Table 48 IP address classes and ranges Class Address range Description A 0 0 0 0...

Page 91: ...net The maximum number of hosts is thus 64 512 512 Ðó 126 1022 less after the network is subnetted Class A B and C networks before being subnetted use these default masks also called natural masks 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively Configuring IP Addresses Switch 4210 Family support assigning IP addresses to VLAN interfaces and loopback interfaces Besides directly assigning an IP...

Page 92: ...itch Network diagram Figure 36 Network diagram for IP address configuration Configuration procedure Configure an IP address for VLAN interface 1 4210 system view 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 129 2 2 1 255 255 255 0 Table 50 Display IP addressing configuration Operation Command Remarks Display information about a specified or all Layer 3 interfaces display ip inte...

Page 93: ...ormally the contents of the FIB and the routing table are the same Configuring IP Performance Introduction to IP Performance Configuration Tasks Configuring TCP Attributes TCP optional parameters that can be configured include synwait timer When sending a SYN packet TCP starts the synwait timer If no response packets are received before the synwait timer times out the TCP connection is not success...

Page 94: ...on increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large If a host sends malicious ICMP destination unreachable packets end users may be affected You can disable the device from sending such ICMP error packets for reducing network traffic and preventing malicious attacks Table 52 Configure TCP attributes Operation Command Remarks ...

Page 95: ...ics Display ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket socktype sock type task id socket id Display the forwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip_address1 mask1 mask length1 ip_address2 mask2 mask length2 longer longer Display the FIB entr...

Page 96: ...94 CHAPTER 8 IP PERFORMANCE CONFIGURATION ...

Page 97: ...gs but a trunk port only allows the packets of the default VLAN to be sent without tags You can configure all the three types of ports on the same device However note that you cannot directly switch a port between trunk and hybrid and you must set the port as access before the switching For example to change a trunk port to hybrid you must first set it as access and then hybrid Configuring the Def...

Page 98: ... the packet carries a VLAN tag Access Receive the packet and add the default tag to the packet If the VLAN ID is just the default VLAN ID receive the packet If the VLAN ID is not the default VLAN ID discard the packet Deprive the tag from the packet and send the packet Trunk If the VLAN ID is just the default VLAN ID receive the packet If the VLAN ID is not the default VLAN ID but is one of the VL...

Page 99: ...mand to disable the port Set the description string for the Ethernet port description text Optional By default the description string of an Ethernet port is null Set the duplex mode of the Ethernet port duplex auto full half Optional By default the duplex mode of the port is auto auto negotiation Set the speed of the Ethernet port speed 10 100 1000 auto Optional By default the speed of an Ethernet...

Page 100: ...bling Flow Control on a Port Flow control is enabled on both the local and peer switches If congestion occurs on the local switch Configure the available auto negotiation speed s for the port speed auto 10 100 1000 Optional By default the port speed is determined through auto negotiation Use the 1000 keyword for Gigabit Ethernet ports only Table 57 Configure auto negotiation speeds for a port Oper...

Page 101: ... Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the link type of the port to access port link type access Optional By default the link type of a port is access Add the current access port to a specified VLAN port access vlan vlan id Optional Table 61 Configure hybrid port attribute Operation Command Remarks Enter system view system view...

Page 102: ...pback Detection for an Ethernet Port Loopback detection is used to monitor if loopback occurs on a switch port After you enable loopback detection on Ethernet ports the switch can monitor if external loopback occurs on them If there is a loopback port found the switch will put it under control Table 62 Configure trunk port attribute Operation Command Remarks Enter system view System view Enter Eth...

Page 103: ...fic period Table 64 Configure loopback detection for an Ethernet port Operation Command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Required By default loopback detection is disabled globally Set the interval for performing port loopback detection loopback detection interval time time Optional The default is 30 seconds Enter Ethernet port view...

Page 104: ...est these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty cable n Currently the device is only capable of testing the cable status and cable length For the testing items that are currently not supported is displayed in the corresponding fields of the virtual cable test command Cable test cannot be performed on an optical ...

Page 105: ... By default a port is allowed to output the Up Down log information Execute the shutdown command or the undo shutdown command on Ethernet 1 0 1 and the system outputs Up Down log information of Ethernet 1 0 1 4210 system view System View return to User View with Ctrl Z 4210 interface Ethernet 1 0 1 4210 Ethernet1 0 1 shutdown Apr 5 07 25 37 634 2000 4210 L2INF 5 PORT LINK STATUS CHANGE 1 Ethernet1...

Page 106: ...t configuration Operation Command Remarks Display port configuration information display interface interface type interface type interface number You can execute the display commands in any view Display information about SFP module on a specified port display transceiver information interface interface type interface number Display the enable disable status of port loopback detection display loopb...

Page 107: ...ype trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 4210 Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100 4210 Ethernet1 0 1 port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the following steps Use the di...

Page 108: ...106 CHAPTER 9 PORT BASIC CONFIGURATION ...

Page 109: ...r compares the information with the information of other ports on the peer device to determine the ports that can be aggregated In this way the two parties can reach an agreement in adding removing the port to from a dynamic aggregation group Operation key is generated by the system It is determined by port settings such as port speed duplex state basic configuration and so on Selected ports in a ...

Page 110: ...te the system determines the mater port with one of the following settings being the highest in descending order as the master port full duplex high speed full duplex low speed half duplex high speed half duplex low speed The ports with their rate duplex mode and link type being the same as that of the master port are selected ports and the rest are unselected ports The system sets the ports unabl...

Page 111: ... rest are unselected ports The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the master port but to a peer port that is not in the same aggregation group as the peer port of the master port are unselected ports The ports unable to aggregate with the master port due to some hardware limit are unselected ports Th...

Page 112: ... as the preferred one 2 Compare port IDs port priority port number on the preferred device The comparison between two port IDs is as follows First compare the two port priorities then the two port numbers if the two port priorities are equal the port with the smallest port ID is the selected port and the left ports are unselected ports n For an aggregation group When the rate or duplex mode of a p...

Page 113: ...ing aggregation resources c CAUTION A load sharing aggregation group contains at least two selected ports but a non load sharing aggregation group can only have one selected port at most while others are unselected ports Link Aggregation Configuration c CAUTION The commands of link aggregation cannot be configured with the commands of port loopback detection feature at the same time The ports wher...

Page 114: ... cannot remove the port unless you remove the whole aggregation group Configuring a Static LACP Aggregation Group You can create a static LACP aggregation group or remove an existing static LACP aggregation group after that the system will re aggregate the original member ports in the group to form one or multiple dynamic aggregation groups For a static aggregation group a port can only be manuall...

Page 115: ...is already in a manual aggregation group n Changing the system priority may affect the priority relationship between the aggregation peers and thus affect the selected unselected status of member ports in the dynamic aggregation group Configuring a Description for an Aggregation Group Perform the following tasks to configure a description for an aggregation group Enter Ethernet port view interface...

Page 116: ...e three ports Adopt three different aggregation modes to implement link aggregation on the three ports between switch A and B Configure a description for an aggregation group link aggregation group agg id description agg name Optional By default no description is configured for an aggregation group Table 73 Configure a description for an aggregation group Operation Command Remarks Table 74 Display...

Page 117: ...rnet1 0 1 port link aggregation group 1 4210 Ethernet1 0 1 quit 4210 interface Ethernet1 0 2 4210 Ethernet1 0 2 port link aggregation group 1 4210 Ethernet1 0 2 quit 4210 interface Ethernet1 0 3 4210 Ethernet1 0 3 port link aggregation group 1 2 Adopting static LACP aggregation mode Create static aggregation group 1 4210 system view 4210 link aggregation group 1 mode static Add Ethernet1 0 1 throu...

Page 118: ...ce Ethernet1 0 1 4210 Ethernet1 0 1 lacp enable 4210 Ethernet1 0 1 quit 4210 interface Ethernet1 0 2 4210 Ethernet1 0 2 lacp enable 4210 Ethernet1 0 2 quit 4210 interface Ethernet1 0 3 4210 Ethernet1 0 3 lacp enable c CAUTION The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate dupl...

Page 119: ...solation group n When a member port of an aggregation group joins leaves an isolation group the other ports in the same aggregation group on the local device will join leave the isolation group at the same time For ports that belong to an aggregation group and an isolation group simultaneously removing a port from the aggregation group has no effect on the other ports That is the rest ports remain...

Page 120: ...r so that they cannot communicate with each other Network diagram Figure 39 Network diagram for port isolation configuration Configuration procedure Add Ethernet1 0 2 Ethernet1 0 3 and Ethernet1 0 4 to the isolation group 4210 system view System View return to User View with Ctrl Z 4210 interface ethernet1 0 2 4210 Ethernet1 0 2 port isolate 4210 Ethernet1 0 2 quit 4210 interface ethernet1 0 3 421...

Page 121: ...10 interface ethernet1 0 4 4210 Ethernet1 0 4 port isolate 4210 Ethernet1 0 4 quit 4210 quit Display information about the ports in the isolation group 4210 display isolate port Isolated port s on UNIT 1 Ethernet1 0 2 Ethernet1 0 3 Ethernet1 0 4 ...

Page 122: ...120 CHAPTER 11 PORT ISOLATION CONFIGURATION ...

Page 123: ... system security and manageability Port Security Features The following port security features are provided NTK need to know feature By checking the destination MAC addresses in outbound data frames on the port NTK ensures that the switch sends data frames through the port only to successfully authenticated devices thus preventing illegal devices from intercepting network data Intrusion protection...

Page 124: ...es the maximum number configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned can pass through the port In either mode the device will trigger NTK and intrusion protection upon detecting an illegal packet secure In this mode the port is disabled from learning ...

Page 125: ... user on the port userLoginWithOUI This mode is similar to the userLoginSecure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC addr...

Page 126: ...LoginSecu re mode except that there can be more than one authenticated user on the port macAddressAndUserLo ginSecure To perform 802 1x authentication on the access user MAC authentication must be performed first 802 1x authentication can be performed on the access user only if MAC authentication succeeds In this mode there can be only one authenticated user on the port macAddressAndUserLo ginSecu...

Page 127: ...es Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the configured upper limit By setting the maximum number of MAC addresses allowed on a port you can Control the maximum number of users who are allowed to access the network through the port Control the number of Security MAC addresses that can ...

Page 128: ...ed to set the maximum number of MAC addresses allowed on the port with the port security max mac count command When the port operates in the autoLearn mode you cannot change the maximum number of MAC addresses allowed on the port Set the maximum number of MAC addresses allowed on the port port security max mac count count value Required Not limited by default Table 80 Set the maximum number of MAC...

Page 129: ...ity intrusion mode blockmac command on the same port the switch will be unable to disable the packets whose destination MAC address is illegal from being sent out that port that is the NTK feature configured will not take effect on the packets whose destination MAC address is illegal Table 82 Configure the NTK feature Operation Command Remarks Enter system view system view Enter Ethernet port view...

Page 130: ... not yet reach the maximum number the port will learn new MAC addresses and turn them to security MAC addresses If the amount of security MAC addresses reaches the maximum number the port will not be able to learn new MAC addresses and the port mode will be changed from autolearn to secure n The security MAC addresses manually configured are written to the configuration file they will not get lost...

Page 131: ...security MAC address to the port in VLAN 1 After the number of security MAC addresses reaches 80 the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds Table 86 Configure a security MAC address Operation Command Remarks Enter system view system view Add a security MAC addr...

Page 132: ...rnet1 0 1 port security max mac count 80 Set the port security mode to autolearn 4210 Ethernet1 0 1 port security port mode autolearn Add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 4210 Ethernet1 0 1 mac address security 0001 0002 0003 vlan 1 Configure the port to be silent for 30 seconds after intrusion protection is triggered 4210 Ethernet1 0 1 port se...

Page 133: ...tch adopts one of the two forwarding methods based upon the MAC address table entries Unicast forwarding If the destination MAC address carried in the packet is included in a MAC address table entry the switch forwards the packet through the forwarding egress port in the entry Broadcast forwarding If the destination MAC address carried in the packet is not included in the MAC address table the swi...

Page 134: ...ress table the switch forwards the packet to all ports except Ethernet 1 0 1 to ensure that User B can receive the packet Figure 43 MAC address learning diagram 2 3 Because the switch broadcasts the packet both User B and User C can receive the packet However User C is not the destination device of the packet and therefore does not process the packet Normally User B will respond to User A as shown...

Page 135: ...me special circumstances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets destined for User B The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address Managing MAC Addr...

Page 136: ...kets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 88 lists the different types of MAC address entries and their characteristics Configuring MAC Address Table Management MAC Address Table Management Configuration Tasks Table 88 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or...

Page 137: ...gument is a dynamic VLAN after a static MAC address is added it will become a static VLAN Setting the Aging Time of MAC Address Entries Setting aging time properly helps effective utilization of MAC address aging The aging time that is too long or too short affects the performance of the switch If the aging time is too long excessive invalid MAC address entries maintained by the switch may fill up...

Page 138: ...table can dynamically maintain When the number of the MAC address entries learnt from a port reaches the set value the port stops learning MAC addresses Displaying MAC Address Table Information To verify your configuration you can display information about the MAC address table by executing the display command in any view Table 92 Set aging time of MAC address entries Operation Command Description...

Page 139: ...rver is 000f e20f dc71 Port Ethernet 1 0 2 belongs to VLAN 1 Configuration procedure Enter system view 4210 system view 4210 Add a MAC address with the VLAN ports and states specified 4210 mac address static 000f e20f dc71 interface Ethernet 1 0 2 vlan 1 Display information about the current MAC address table 4210 display mac address interface Ethernet 1 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING...

Page 140: ...138 CHAPTER 13 MAC ADDRESS TABLE MANAGEMENT ...

Page 141: ... transmitting BPDUs between STP compliant network devices BPDUs contain sufficient information for the network devices to complete the spanning tree calculation In STP BPDUs come in two types Configuration BPDUs used to calculate spanning trees and maintain the spanning tree topology Topology change notification TCN BPDUs used to notify concerned devices of network topology changes if any Basic co...

Page 142: ...nated port is the port BP2 on Device B Figure 46 A schematic diagram of designated bridges and designated ports n All the ports on the root bridge are designated ports 4 Path cost Path cost is a value used for measuring link capacity By comparing the path costs of different links STP selects the most robust links and blocks the other links to prune the network into a tree Table 95 Designated bridg...

Page 143: ...t name 1 Detailed calculation process of the STP algorithm Initial state Upon initialization of a device each device generates a BPDU with itself as the root bridge in which the root path cost is 0 designated bridge ID is the device ID and the designated port is the local port Selection of the optimum configuration BPDU Each device sends out its configuration BPDU and receives configuration BPDUs ...

Page 144: ... they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topology has been constructed Table 97 Selection of the root port and designated ports Step Description 1 A non root bridge device takes the port on which the optimum configuration BPDU was received as t...

Page 145: ...STP algorithm Initial state of each device The following table shows the initial state of each device Comparison process and result on each device The following table shows the comparison process and result on each device Table 98 Initial state of each device Device Port name BPDU of port Device A AP1 0 0 0 AP1 AP2 0 0 0 AP2 Device B BP1 1 0 1 BP1 BP2 1 0 1 BP2 Device C CP1 2 0 2 CP1 CP2 2 0 2 CP2...

Page 146: ...BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local port 1 0 1 BP2 is superior to the received configuration BPDU and discards the received config...

Page 147: ...figuration BPDU Root port CP1 0 0 0 AP2 Designated port CP2 0 10 2 CP2 Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 ...

Page 148: ...omes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs This triggers a new spanning tree calculation so that a new path is established to restore the network connectivity Howe...

Page 149: ...timized version of STP RSTP allows a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP As a result it takes a shorter time for the network to reach the final topology stability n In RSTP the state of a root port can transit fast under the following conditions the old root port on the device has stopped forwarding data and the...

Page 150: ...ting packets from being duplicated and forwarded in a network endlessly Furthermore it offers multiple redundant paths for forwarding data and thus achieves load balancing for forwarding VLAN data MSTP is compatible with STP and RSTP Basic MSTP Terminologies Figure 49 illustrates basic MSTP terms assuming that MSTP is enabled on each switch in this figure Figure 49 Basic MSTP terminologies MST reg...

Page 151: ...s information about how VLANs are mapped to MSTIs For example in Figure 49 the VLAN mapping table of region A0 is VLAN 1 is mapped to MSTI 1 VLAN 2 is mapped to MSTI 2 and other VLANs are mapped to CIST In an MST region load balancing is implemented according to the VLAN mapping table IST An internal spanning tree IST is a spanning tree in an MST region ISTs together with the common spanning tree ...

Page 152: ...her MST region an STP enabled region or an RSTP enabled region An alternate port is a secondary port of a root port or master port and is used for rapid transition With the root port or master port being blocked the alternate port becomes the new root port or master port A backup port is the secondary port of a designated port and is used for rapid transition With the designated port being blocked...

Page 153: ...h of the highest priority in the network is selected as the root of the CIST In each MST region an IST is calculated by MSTP At the same time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network Table 100 Combinations of port states and port roles Port role Port state Root port Master port Designated port Region ...

Page 154: ...d as follows For MSTP CIST configuration information is generally expressed as follows Root bridge ID External path cost Master bridge ID Internal path cost Designated bridge ID ID of sending port ID of receiving port The smaller the Root bridge ID of the configuration BPDU is the higher the priority of the configuration BPDU is For configuration BPDUs with the same Root bridge IDs the External pa...

Page 155: ...switch If the latter takes precedence over the former the switch blocks the local port and keeps the port s configuration BPDU unchanged so that the port can only receive configuration messages and cannot forward packets Otherwise the switch sets the local port to the designated port replaces the original configuration BPDU of the port with the calculated one and advertises it regularly MSTP Imple...

Page 156: ...anged after the switch is specified as the root bridge or a secondary root bridge Configuring the Bridge Priority of the Current Switch Configure the mode a port recognizes and sends MSTP packets Optional Configuring the Mode a Port Recognizes and Sends MSTP Packets Configure the MSTP operation mode Optional Configuring the MSTP Operation Mode Configure the maximum hop count of an MST region Optio...

Page 157: ...gh VLAN 10 being mapped to spanning tree instance 1 and VLAN 20 through VLAN 30 being mapped to spanning tree 2 4210 system view 4210 stp region configuration 4210 mst region region name info 4210 mst region instance 1 vlan 2 to 10 Table 102 Configure an MST region Operation Command Description Enter system view system view Enter MST region view stp region configuration Configure the name of the M...

Page 158: ... If the value of the instance id argument is set to 0 the stp root primary stp root secondary command specify the current switch as the root bridge or the secondary root bridge of the CIST A switch can play different roles in different spanning tree instances That is it can be the root bridges in a spanning tree instance and be a secondary root bridge in another spanning tree instance at the same ...

Page 159: ...ches using the stp root secondary command You can also configure the current switch as the root bridge by setting the priority of the switch to 0 Note that once a switch is configured as the root bridge or a secondary root bridge its priority cannot be modified Configuration example Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning ...

Page 160: ...ermines the format legacy or dot1s of received MSTP packets and then determines the format of the packets to be sent accordingly thus communicating with the peer devices If the format of the received packets changes repeatedly MSTP will shut down the corresponding port to prevent network storm A port shut down in this way can only be brought up by the network administrator When a port operates in ...

Page 161: ... RSTP compatible mode MSTP mode where the ports of a switch send MSTP BPDUs or STP BPDUs if the switch is connected to STP enabled switches to neighboring devices In this case the switch is MSTP capable Configure the mode a port recognizes and sends MSTP packets stp interface interface type interface number compliance auto dot1s legacy Required By default a port recognizes and sends MSTP packets i...

Page 162: ...nism the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree which limits the size of the spanning tree in the current MST region The switches that are not root bridges in the MST region adopt the maximum hop settings of their root bridges Configuration procedure The bigger the maximum hop...

Page 163: ...iew 4210 stp bridge diameter 6 Configuring the MSTP Time related Parameters Three MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to control the process of spanning tree calculation Configuration procedure Table 110 Configure the network diameter of the switched network Operation Command Description Enter system view system view Config...

Page 164: ...iguration of the three time related parameters that is the hello time forward delay and max age parameters the following formulas must be met to prevent frequent network jitter 2 x forward delay 1 second max age Max age 2 x hello time 1 second You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command A...

Page 165: ...net port view As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each hello time set it to a proper value to Table 112 Configure the timeout time factor Operation Command Description Enter system view system view Configure the timeout time factor for the switch stp timer factor number Required The timeout time factor defaults to 3 Table 113 ...

Page 166: ... in one of the following two ways Configure a port as an edge port in system view Configure a port as an edge port in Ethernet port view On a switch with BPDU guard disabled an edge port becomes a non edge port again once it receives a BPDU from another port n You are recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the...

Page 167: ...configure the link connected to a port in an aggregation group as a point to point link the configuration will be synchronized to the rest ports in the same aggregation group If an auto negotiating port operates in full duplex mode after negotiation you can configure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration appl...

Page 168: ... procedure Table 119 Enable MSTP in system view Operation Command Description Enter system view system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on specified ports stp interface interface list disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ...

Page 169: ...sable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Table 120 Enable MSTP in Ethernet port view Operation Command Description Table 121 Configure leaf nodes Operation Description Related section Enable MSTP Required To prevent network topology jitter caused by other related configurations you are recom...

Page 170: ...tting Speed on the Current Port on page 163 Configuring a Port as an Edge Port Refer to Configuring the Current Port as an Edge Port on page 164 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port For a port on an MSTP enabled switch the path cost may be different in different spanning tree instances You can enable flows of different VLA...

Page 171: ...y the standard for calculating the default path costs of the links connected to the ports of the switch stp pathcost standard dot1d 1998 dot1t legacy Optional By default the legace standard is used to calculate the default path costs of ports Table 123 Transmission speeds and the corresponding path costs Transmission speed Operation mode half full duplex 802 1D 1998 IEEE 802 1t Proprietary standar...

Page 172: ...00000000 With the proprietary standard adopted the path cost ranges from 1 to 200000 Configuration example A Configure the path cost of Ethernet 1 0 1 in spanning tree instance 1 to be 2 000 1 Perform this configuration in system view 4210 system view 4210 stp interface Ethernet1 0 1 instance 1 cost 2000 2 Perform this configuration in Ethernet port view Table 124 Configure the path cost for speci...

Page 173: ...ch can have different port priorities and play different roles in different spanning tree instances This enables packets of different VLANs to be forwarded along different physical paths so that VLAN based load balancing can be implemented You can configure port priority in one of the following two ways Configure port priority in system view Configure port priority in Ethernet port view Changing p...

Page 174: ...e 166 Performing mCheck Operation Ports on an MSTP enabled switch can operate in three modes STP compatible RSTP compatible and MSTP A port on an MSTP enabled switch operating as an upstream switch transits to the STP compatible mode when it has an STP enabled switch connected to it When the STP enabled downstream switch is then replaced by an MSTP enabled switch the port cannot automatically tran...

Page 175: ...ume non edge ports automatically upon receiving configuration BPDUs which causes spanning tree recalculation and network topology jitter Normally no configuration BPDU will reach edge ports But malicious users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter You can prevent this type of attacks by utilizing the BPDU guard function With this fun...

Page 176: ...oops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become designated ports and turn to the discarding state In this case they stop forwarding packets and thereby loops can be prevented c CAUTION With the loop guard function enabled the root guard function and the ...

Page 177: ...Ethernet1 0 1 root protection 2 Perform this configuration in Ethernet port view Table 130 Configure BPDU guard Operation Command Description Enter system view system view Enable the BPDU guard function stp bpdu protection Required The BPDU guard function is disabled by default Table 131 Configure the root guard function in system view Operation Command Description Enter system view system view En...

Page 178: ... switch to remove the MAC address table within 10 seconds to 5 4210 system view 4210 stp tc protection threshold 5 Table 133 Configure loop guard Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the loop guard function on the current port stp loop protection Required The loop guard function is disabled by default ...

Page 179: ...anufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manufacturer s switch and put them in the BPDUs to be sent to the other manufacturer s switch In this way the Switch 4210 can communicate with another manufacturer s switches in the same MST region c CAUTION The digest snooping function is not applicable to edge ports Configur...

Page 180: ...s in the same MST region When the digest snooping feature is enabled globally the VLAN to MSTI mapping table cannot be modified The digest snooping feature is not applicable to boundary ports in an MST region The digest snooping feature is not applicable to edge ports in an MST region Configuring Rapid Transition Introduction Designated ports of RSTP enabled or MSTP enabled switches use the follow...

Page 181: ...rom the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers switches adopt proprietary spanning tree protocols that are similar to RSTP in the way to implement rapid transition on designated ...

Page 182: ...e latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports Port 1 is the designated port The downstream switch is running MSTP Port 2 is the root port Figure 53 Network diagram for rapid transition configuration Configuration procedure...

Page 183: ...of all instances 4210 system view 4210 stp portlog all Enabling Trap Messages Conforming to 802 1d Standard A switch sends trap messages conforming to 802 1d standard to the network management device in the following two cases The switch becomes the root bridge of an instance Enter Ethernet port view interface interface type interface number Enable the rapid transition feature stp no agreement che...

Page 184: ... respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN 40 is limited in the access layer Switch A and Table 139 Enable trap messages conforming to 802 1d standard Operation Command Description Enter system view system view Enable trap messages conforming...

Page 185: ...ST region 4210 mst region region name example 4210 mst region instance 1 vlan 10 4210 mst region instance 3 vlan 30 4210 mst region instance 4 vlan 40 4210 mst region revision level 0 Activate the settings of the MST region manually 4210 mst region active region configuration Specify Switch A as the root bridge of spanning tree instance 1 4210 stp instance 1 root primary 2 Configure Switch B Enter...

Page 186: ...nce 4 vlan 40 4210 mst region revision level 0 Activate the settings of the MST region manually 4210 mst region active region configuration Specify Switch C as the root bridge of spanning tree instance 4 4210 stp instance 4 root primary 4 Configure Switch D Enter MST region view 4210 system view 4210 stp region configuration Configure the MST region 4210 mst region region name example 4210 mst reg...

Page 187: ...nteraction processes in unicast broadcast and multicast Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 55 Figure 55 Information transmission in the unicast mode Assume that Hosts B D and E need this information The...

Page 188: ...ee from the information transmission process the security and legal use of paid service cannot be guaranteed In addition when only a small number of users on the same network need the information the utilization ratio of the network resources is very low and the bandwidth resources are greatly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast o...

Page 189: ...nd E The advantages of multicast over unicast are as follows No matter how many receivers exist there is only one copy of the same multicast data flow on each link With the multicast mode used to transmit information an increase of the number of users does not add to the network burden remarkably The advantages of multicast over broadcast are as follows A multicast data flow can be sent only to th...

Page 190: ...traffic Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of point to multipoint data transmission By enabling high efficiency point to multipoint data transmission over an IP network multicast greatly saves network bandwidth and reduces network load Multicast provides the following applica...

Page 191: ...st data from only certain multicast sources The SSM model provides a transmission service that allows users to specify the multicast sources they are interested in at the client side The radical difference between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some means In addition the SSM model uses a multicast address ra...

Page 192: ...thority IANA categorizes IP addresses into five classes A B C D and E Unicast packets use IP addresses of Class A B and C based on network scales Class D IP addresses are used as destination addresses of multicast packets Class D address must not appear in the IP address field of a source IP address of IP packets Class E IP addresses are reserved for future use In unicast data transport a data pac...

Page 193: ...rotocols 224 0 1 0 to 231 255 255 255 233 0 0 0 to 238 255 255 255 Available any source multicast ASM multicast addresses IP addresses for temporary groups They are valid for the entire network 232 0 0 0 to 232 255 255 255 Available source specific multicast SSM multicast group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses which are for specific local use only ...

Page 194: ...bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address Multicast Protocols This section provides only general descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details about these protocols refer to the related chapters of this manual La...

Page 195: ...he flooding of multicast data in a Layer 2 network Layer 3 multicast protocols n We refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols which include IGMP PIM and MSDP among others Note that the Switch 4210 does not support Layer 3 multicast protocols Layer 3 multicast protocols include multicast group man...

Page 196: ...tes and inter domain routes An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes ...

Page 197: ...icast source S sends to a multicast group G the multicast device first searches its multicast forwarding table If the corresponding S G entry exists and the interface on which the packet actually arrived is the incoming interface in the multicast forwarding table the router forwards the packet to all the outgoing interfaces If the corresponding S G entry exists but the interface on which the packe...

Page 198: ...igure 59 Multicast packets travel along the SPT from the multicast source to the receivers Figure 61 RPF check process A multicast packet from Source arrives to VLAN interface 1 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C Switch C performs an RPF check and finds in its unicast routing table that the outgoing interface to 192 168 0...

Page 199: ...en IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 However multicast packets for unknown multicast groups are still broadcast at Layer 2 Figure 62 Before and after IGMP Snooping is ...

Page 200: ... and related messages and actions Work Mechanism of IGMP Snooping A switch running IGMP Snooping performs different actions when it receives different IGMP messages as follows When receiving a general query The IGMP querier periodically sends IGMP general queries to all hosts and routers on the local subnet to find out whether active multicast group members exist on the subnet Table 144 Port aging...

Page 201: ...ng table the switch installs an entry for this port in the forwarding table and starts the member port aging timer of this port n A switch will not forward an IGMP report through a non router port for the following reason Due to the IGMP report suppression mechanism if member hosts of that multicast group still exist under non router ports the hosts will stop sending reports when they receive the ...

Page 202: ...of that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires c Caution After an Ethernet switch enables IGMP Snooping when it receives the IGMP leave message sent by a host in a multicast group it judges whether the multicast group exists automatically If the multicast group does not exis...

Page 203: ...ping version is version 2 c Caution Before configuring related IGMP Snooping functions you must enable IGMP Snooping in the specified VLAN Different multicast group addresses should be configured for different multicast sources because IGMPv3 Snooping cannot distinguish multicast data from different sources to the same multicast group Configuring Timers This section describes how to configure the ...

Page 204: ...if one or more VLANs are specified the configuration takes effect on the port only if the port belongs to the specified VLAN s If fast leave processing and unknown multicast packet dropping are enabled on a port to which more than one host is connected when one host leaves a multicast group the other hosts connected to port and interested in the same multicast group will fail to receive multicast ...

Page 205: ...dcast unknown multicast packets by default this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the conf...

Page 206: ... case the multicast packets for the removed multicast group s will be flooded in the VLAN as unknown multicast packets As a result non member ports can receive multicast packets within a period of time To avoid this from happening enable the function of dropping unknown multicast packets Configuring Static Member Port for a Multicast Group If the host connected to a port is interested in the multi...

Page 207: ...view interface interface type interface number Configure the current port as a static member port for a multicast group in a VLAN multicast static group group address vlan vlan id Required By default no port is configured as a static multicast group member port Table 155 Configure a static multicast group member port in VLAN interface view Operation Command Remarks Enter system view system view En...

Page 208: ... simulated host responds with an IGMP report Meanwhile the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out When the simulated joining function is disabled on an Ethernet port the simulated host sends an IGMP leave message Therefore to ensure that IGMP entries will not age out the port must receive IGMP general queries periodically Table 156 Configure a st...

Page 209: ...guration above you can execute the following display commands in any view to verify the configuration by checking the displayed information You can execute the reset command in user view to clear the statistics information about IGMP Snooping Configure the current port as a simulated multicast group member igmp host join group address source ip source address vlan vlan id Optional Simulated joinin...

Page 210: ... 1 Host A and Host B are receivers of the multicast group 224 1 1 1 Network diagram Figure 64 Network diagram for IGMP Snooping configuration Configuration procedure 1 Configure the IP address of each interface Configure an IP address and subnet mask for each interface shown in Figure 64 The detailed configuration steps are omitted 2 Configure Router A Clear IGMP Snooping statistics reset igmp sno...

Page 211: ...tchA vlan100 port Ethernet 1 0 1 to Ethernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100 on Switch A SwitchA display igmp snooping group Total 1 IP Group s Total 1 MAC Group s Vlan id 100 Total 1 IP Group s Total 1 MAC Group s Static Router port s Dynamic Router port s Ethernet1 0 1 IP g...

Page 212: ...oping is wrong Use the display igmp snooping group command to check if the multicast groups are expected ones If the multicast group set up by IGMP Snooping is not correct contact your technical support personnel Configuring Dropping Unknown Multicast Packets Generally if the multicast address of the multicast packet received on the switch is not registered on the local switch the packet will be f...

Page 213: ...control protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device can access the LAN only when it passes the authentication Those fail to pass the authentication are denied when accessing the LAN Architecture of 802 1x Authentication As shown in Figure 65 802 1x adopts a client server archit...

Page 214: ... PAE authenticates the supplicant systems when they log into the LAN and controls the status authorized unauthorized of the controlled ports according to the authentication result The supplicant system PAE responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system It also sends authentication requests and d...

Page 215: ...as EAPoL packets EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS EAPoR packets or be terminated at system PAEs The system PAEs then communicate with RADIUS servers through password authentication protocol PAP or challenge handshake authentication protocol CHAP packets When a supplicant system passes the authe...

Page 216: ...e size of the Packet body field A value of 0 indicates that the Packet Body field does not exist The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key packets are only transmitted between the supplicant system and the authenticator system EAP packets are encapsulated by RADIUS protocol to allow them successfully reach the authentication servers Network ...

Page 217: ...st and Response packets Newly added fields for EAP authentication Two fields EAP message and Message authenticator are added to a RADIUS protocol packet for EAP authentication The EAP message field whose format is shown in Figure 70 is used to encapsulate EAP packets The maximum size of the string field is 253 bytes EAP packets with their size larger than 253 bytes are fragmented and are encapsula...

Page 218: ...cation protocol are available in the EAP relay mode EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys EAP TLS allows the supplicant system and the RADIUS server to check each other s security certificate and authenticate each other s identity gu...

Page 219: ...est packet and forwards it to the RADIUS server Upon receiving the packet from the switch the RADIUS server retrieves the user name from the packet finds the corresponding password by matching the user name in its database encrypts the password using a randomly generated key and sends the key to the switch through an RADIUS access challenge packet The switch then sends the key to the 802 1x client...

Page 220: ...ccess the network The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected n In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authenticating ways used ...

Page 221: ...s You can set the number of retries by using the dot1x retry command An online user will be considered offline when the switch has not received any response packets after a certain number of handshake request transmission retries Quiet period timer quiet period This timer sets the quiet period When a supplicant system fails to pass the authentication the switch quiets for the set period set by the...

Page 222: ... for authentication actively The switch sends multicast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multicast request identity packets Client version request timer ver period This timer sets the version period and is triggered after a switch sends a version request packet The switch sends another version ...

Page 223: ...ng function on the switch by using the dot1x version check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 802 1x client to prevent unauthorized users or users with earlier versions of 802 1x client from logging in This function makes the switch to send version requesting packets again if the 802 1x client ...

Page 224: ...nect to the switch again the user needs to initiate 802 1x authentication with the client software again Figure 74 802 1x re authentication 802 1x re authentication can be enabled in one of the following two ways The RADIUS server triggers the switch to perform 802 1x user re authentication The RADIUS server sends the switch an Access Accept packet with the Termination Action field of 1 Upon recei...

Page 225: ... configure the user names and passwords on the RADIUS server and perform RADIUS client related configuration on the switch You can also specify to adopt the RADIUS authentication scheme with a local authentication scheme as a backup In this case the local authentication scheme is adopted when the RADIUS server fails Refer to AAA Configuration on page 245 for detailed information about AAA scheme c...

Page 226: ...handshaking function switches cannot receive handshaking acknowledgement packets Enable 802 1x for specified ports In system view dot1x interface interface list Required By default 802 1x is disabled on all ports In port view interface interface type interface number dot1x quit Set port access control mode for specified ports dot1x port control authorized force unauthorized force auto interface in...

Page 227: ...view Set the maximum number of concurren t on line users for specified ports In system view dot1x max user user number interface interface list Optional By default a port can accommodate up to 256 users at a time In port view interface interface type interface number dot1x max user user number quit Set the maximum retry times to send request packets dot1x retry max retry value Optional By default ...

Page 228: ...y detecting function you need to enable the online user handshaking function first The configuration listed in Table 164 takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking function needs to be enabled on the switch too by using the dot1x version check command Configuring Client Version Checking Table 164 Configure proxy checking Operatio...

Page 229: ...ing request packets dot1x retry version max max retry version value Optional By default the maximum number of retires to send version checking request packets is 3 Set the client version checking period timer dot1x timer ver period ver period value Optional By default the timer is set to 30 seconds Table 165 Configure client version checking Operation Command Remarks Table 166 Enable DHCP triggere...

Page 230: ...he re authentication interval for access users Note the following During re authentication the switch always uses the latest re authentication interval configured no matter which of the above mentioned two ways is used to determine the re authentication interval For example if you configure a re authentication interval on the switch and the switch receives an Access Accept packet whose Termination...

Page 231: ...whose IP addresses are 10 11 1 1 and 10 11 1 2 The RADIUS server with an IP address of 10 11 1 1 operates as the primary authentication server and the secondary accounting server The other operates as the secondary authentication server and primary accounting server The password for the switch and the authentication RADIUS servers to exchange message is name And the password for the switch and the...

Page 232: ...ased This operation can be omitted as MAC address based is the default 4210 dot1x port method macbased interface Ethernet 1 0 1 Create a RADIUS scheme named radius1 and enter RADIUS scheme view 4210 radius scheme radius1 Assign IP addresses to the primary authentication and accounting RADIUS servers 4210 radius radius1 primary authentication 10 11 1 1 4210 radius radius1 primary accounting 10 11 1...

Page 233: ... without domain 4210 radius radius1 quit Create the domain named aabbcc net and enter its view 4210 domain enable aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme 4210 isp aabbcc net scheme radius scheme radius1 local Specify the maximum number of users the user domain can accommodate to 30 4210...

Page 234: ...232 CHAPTER 17 802 1X CONFIGURATION ...

Page 235: ...nts to collect the MAC addresses of the attached switches HABP clients respond to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on management devices and HABP clients usually on attached switches For ease of switch management it is recommended that you enable HABP for 802 1x enabled switches HABP Server Configuration With the HABP...

Page 236: ...est packets habp timer interval Optional The default interval for an HABP server to send HABP request packets is 20 seconds Table 171 Configure an HABP server Operation Command Remarks Table 172 Configure an HABP client Operation Command Remarks Enter system view system view Enable HABP habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP fo...

Page 237: ...function Configuring System Guard Related Parameters Table 175 lists the operations to configure system guard related parameters including system guard mode checking interval threshold in terms of the number of the received packets and controlling period Note that the configuration takes effect only after you enable the system guard function Table 174 Enable the system guard function Operation Com...

Page 238: ... the threshold of inbound rate limit any service packets including BPDU packets are possible to be dropped at random which may result in state transition of STP Displaying and Maintaining the System Guard Function After the above configuration you can display and verify your configuration by performing the operation listed in Table 177 Table 176 Enable system guard on ports Operation Command Descr...

Page 239: ...d on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardware Remote authentication Users are authenticated remotely through the RADIUS protocol This device for example a 3Com series switch acts as the client to communic...

Page 240: ...only one protocol But in practice the most commonly used service for AAA is RADIUS What is RADIUS RADIUS remote authentication dial in user service is a distributed service based on client server structure It can prevent unauthorized access to your network and is commonly used in network environments where both high security and remote user access service are required The RADIUS service involves t...

Page 241: ...sages exchanged between a RADIUS client a switch for example and a RADIUS server are verified through a shared key This enhances the security The RADIUS protocol combines the authentication and authorization processes together by sending authorization information along with the authentication response message Figure 78 depicts the message exchange procedure between user switch and RADIUS server Fi...

Page 242: ...depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type attribute value start to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response 6 The user starts to access network resources 7 The RADIUS client sends a stop accounting request Accounting Request wi...

Page 243: ...IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this message to the client if all the attribute values carried in the Access Request message are acceptable that is the user passes the authentication 3 Access Reject Direction server client The server transmits this message to the client if any attribute value carried in the Access Request message i...

Page 244: ...n bytes including the Type Length and Value fields The Value field up to 253 bytes contains the information of the attribute Its format is determined by the Type and Length fields The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Table 179 RADIUS attri...

Page 245: ...t byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Length and Value to implement a RADIUS extension Figure 80 Vendor specific attribute format Type ĂĂ Length 0 7 Vendor ID 7 15 31 Vendor ID Type specified Length specified Specified attribute valueĂĂ ...

Page 246: ...244 CHAPTER 20 AAA OVERVIEW ...

Page 247: ... authentication Local authentication RADIUS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional Cutting Down User Connections Forcibly Optional Table 181 AAA configuration tasks configuring separate AAA schemes for an ISP domain Task Remarks AAA configuration Creating an ISP Domain and Configuring Its Attributes Required Configuring separ...

Page 248: ... By default the delimiter between the user name and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required If no ISP domain is set as the default ISP domain the ISP domain system is used as the default ISP domain Set the status of the ISP domain state active block Optional By default an ISP domain is in th...

Page 249: ...c CAUTION You can execute the scheme radius scheme radius scheme name command to adopt an already configured RADIUS scheme to implement all the three AAA functions If you adopt the local scheme only the authentication and authorization functions are implemented the accounting function cannot be implemented If you execute the scheme radius scheme radius scheme name local command the local scheme is...

Page 250: ...he scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or local scheme still takes effect even if the authorization none command is executed Configuring Dynamic VLAN Assignment The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticat...

Page 251: ...gned by the RADIUS server is a character string containing only digits for example 1024 the switch first regards it as an integer VLAN ID the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range if it is the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID VLAN 1024 for example To implement dynamic VLAN assignmen...

Page 252: ...local user in the system Set a password for the local user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state that is the user is allowed to request network services Authorize the user to access specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the sys...

Page 253: ...dress authentication user or multiple users with the same authorization VLAN to a port For local RADIUS authentication or local authentication to take effect the VLAN assignment mode must be set to string after you specify authorization VLANs for local users Cutting Down User Connections Forcibly n You can use the display connection command to view the connections of Telnet users but you cannot us...

Page 254: ...Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to be Sent to RADIUS Servers Optional Configuring Timers for RADIUS Servers Optional Enabling Sending Trap Message when a RADIUS Server Goes Down Optional Enabling the Use...

Page 255: ...st one authentication authorization server and one accounting server and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Table 189 RADIUS configuration tasks the switch functions as a local RADIUS server Task Remarks Configuring the RADIUS server Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorizati on Servers Requ...

Page 256: ... view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Table 191 Configure RADIUS authentication authorization servers Operation Command Remarks Enter system vie...

Page 257: ...heme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS accounting server primary accounting ip address port number Required By default the IP address and UDP port number of the primary accounting server are 0 0 0 0 and 1813 for a newly created RADIUS scheme Set the IP address and port number of the ...

Page 258: ...e the same shared key c CAUTION The authentication authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication authorization server and the shared key on the accounting server Configuring the Maximum Number of RADIUS Request Transmission Attempts The communication in RADIUS is unreliable because this protoco...

Page 259: ...ng with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged When both the primary and secondary servers are in active or block state the switch sends messages only to the primary server Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme na...

Page 260: ...tive Table 196 Set the status of RADIUS servers Operation Command Remarks Table 197 Configure the attributes of data to be sent to RADIUS servers Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the format of the user names to...

Page 261: ...switch provides the local RADIUS server function including authentication and authorization also known as the local RADIUS authentication server function in addition to RADIUS client service where separate authentication authorization server and the accounting server are used for user authentication c CAUTION If you adopt the local RADIUS authentication server function the UDP port number of the a...

Page 262: ...to communicate with the primary server again when it has a RADIUS request If it finds that the primary server has recovered the switch immediately restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchanged To control the inte...

Page 263: ...counting On message which mainly contains the following information NAS ID NAS IP address source IP address and session ID 2 The switch sends the Accounting On message to the CAMS at regular intervals 3 Once the CAMS receives the Accounting On message it sends a response to the switch At the same time it finds and deletes the original online information of the users who were accessing the network ...

Page 264: ...e user re authentication at restart function accounting on enable send times interval interval By default this function is disabled If you use this command without any parameter the system will try at most 15 times to send an Accounting On message at the interval of three seconds Table 202 Display AAA information Operation Command Remarks Display configuration information about one specific or all...

Page 265: ...DIUS server You can select extended as the server type in a RADIUS scheme Table 203 Display and maintain RADIUS protocol information Operation Command Remarks Display RADIUS message statistics about local RADIUS authentication server display local server statistics You can execute the display command in any view Display configuration information about one specific or all RADIUS schemes display rad...

Page 266: ...e Enter system view 4210 system view Adopt AAA authentication for Telnet users 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme 4210 ui vty0 4 quit Configure an ISP domain 4210 domain cams 4210 isp cams access limit enable 10 4210 isp cams quit Configure a RADIUS scheme 4210 radius scheme cams 4210 radius cams accounting optional 4210 radius cams primary authentication 10 110 ...

Page 267: ...uthenticated locally Network diagram Figure 82 Local authentication of Telnet users Configuration procedure Method 1 Using local authentication scheme Enter system view 4210 system view Adopt AAA authentication for Telnet users 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme 4210 ui vty0 4 quit Create and configure a local user named telnet 4210 local user telnet 4210 luser t...

Page 268: ...d in the database of the RADIUS server Check the database of the RADIUS server make sure that the configuration information about the user exists The user input an incorrect password Be sure to input the correct password The switch and the RADIUS server have different shared keys Compare the shared keys at the two ends make sure they are identical The switch cannot communicate with the RADIUS serv...

Page 269: ...h the authentication authorization server and the accounting server use the same device with the same IP address but in fact they are not resident on the same device Be sure to configure the RADIUS servers on the switch according to the actual situation ...

Page 270: ...268 CHAPTER 21 AAA CONFIGURATION ...

Page 271: ...entication For details refer to AAA Configuration on page 245 for information about local user attributes Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS server the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server In MAC address mode the switch sends the MAC addresses detected to the RADIUS server ...

Page 272: ...iet MAC address which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly in a short time c CAUTION If the quiet MAC is the same as the static MAC configured or an authentication passed MAC then the quiet function is not effective Configuring Basic MAC Authentication Funct...

Page 273: ...e user name is mac and no password is configured Configure the user name mac authentica tion authusername username Configure the password mac authentica tion authpassword password Specify an ISP domain for MAC authentication mac authentication domain isp name Required The default ISP domain default domain is used by default Configure the MAC authentication timers mac authentication timer offline d...

Page 274: ...l re authenticate the first access user of this port namely the first user whose unicast MAC address is learned by the switch periodically If this user passes the re authentication this port will exit the Guest VLAN and thus the user can access the network normally c CAUTION Guest VLANs are implemented in the mode of adding a port to a VLAN For example when multiple users are connected to a port i...

Page 275: ...ion for MAC authentication does not take effect when port security is enabled Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authentication users for a port in order to control the maximum number of users accessing a port After the number of access users has exceeded the configured maximum number the s...

Page 276: ... the display command in any view to display system running of MAC Authentication configuration and to verify the effect of the configuration You can execute the reset command in user view to clear the statistics of MAC Authentication Configure the maximum number of MAC address authentication users allowed to access a port mac authentication max auth num user number Required By default the maximum ...

Page 277: ...on interface Ethernet 1 0 2 Set the user name in MAC address mode for MAC authentication requiring hyphened lowercase MAC addresses as the usernames and passwords 4210 mac authentication authmode usernameasmacaddress usernameformat with hyphen lowercase Add a local user Specify the user name and password 4210 local user 00 0d 88 f6 44 c1 4210 luser 00 0d 88 f6 44 c1 password simple 00 0d 88 f6 44 ...

Page 278: ...ntrol related features Otherwise a user may be denied of access to the networks because of incomplete configuaration 4210 mac authentication After doing so your MAC authentication configuration will take effect immediately Only users with the MAC address of 00 0d 88 f6 44 c1 are allowed to access the Internet through port Ethernet 1 0 2 ...

Page 279: ...RP reply messages Figure 84 illustrates the format of these two types of ARP messages As for an ARP request all the fields except the hardware address of the receiver field are set The hardware address of the receiver is what the sender requests for As for an ARP reply all the fields are set Figure 84 ARP message format Table 210 describes the fields of an ARP packet Hardware type 16 bits Protocol...

Page 280: ...ess length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packets which can be 1 ARP request packets 2 ARP reply packets 3 RARP request packets 4 RARP reply packets Hardware address of the sender Hardware address of the sender IP address of the sender IP address of the sender Hardware address of the receiver For an ARP request packet this...

Page 281: ...ddress into its ARP mapping table encapsulates its MAC address into an ARP reply and unicasts the reply to Host A 4 After receiving the ARP reply Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding Meanwhile Host A encapsulates the IP packet and sends it out Usually ARP dynamically implements and automatically seeks mappings from IP addresses to MAC ad...

Page 282: ... 1 00e0 fc01 0000 1 Ethernet1 0 10 Table 213 Display and debug ARP Operation Command Remarks Display specific ARP mapping table entries display arp static dynamic ip address Available in any view Display the ARP mapping entries related to a specified string in a specified way display arp dynamic static begin include exclude text Display the number of the ARP entries of a specified type display arp...

Page 283: ...servers return the corresponding configuration information such as IP addresses to implement dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 85 Figure 85 Typical DHCP application DHCP IP Address Assignment IP Address Assignment Policy Currently DHCP provides the following three IP address as...

Page 284: ... a DHCP ACK packet to the DHCP client to confirm the assignment of the IP address to the client or returns a DHCP NAK packet to refuse the assignment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address and uses the IP address only if it does not receive any...

Page 285: ...en Hardware address type and length of the DHCP client hops Number of DHCP relay agents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increases by 1 xid Random number that the client selects when it initiates a request The number is used to identify an address requesting process secs Elapsed time after the DHCP client initiates a DHCP requ...

Page 286: ...length fields including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include RFC2131 Dynamic Host Configuration Protocol RFC2132 DHCP Options and BOOTP Vendor Extensions RFC1542 Clarifications and Extensions for the Bootstrap Protocol RFC3046 DHCP Relay Agent Information option ...

Page 287: ...P relay agent operating at the network layer Switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer Figure 87 illustrates a typical network diagram for DHCP snooping application where Switch A is a Switch 4210 Figure 87 Typical network diagram for DHCP snooping application DHCP snooping listens the DHCP REQUEST packets to retrieve the IP addresses th...

Page 288: ...t C Enable DHCP snooping on the switch Network diagram Figure 88 Network diagram for DHCP snooping configuration Configuration procedure Enable DHCP snooping on the switch 4210 system view 4210 dhcp snooping Table 214 Configure DHCP snooping Operation Command Description Enter system view system view Enable DHCP snooping dhcp snooping Required By default the DHCP snooping function is disabled Disp...

Page 289: ...address and IP address of a BOOTP client When a BOOTP client sends a request to the BOOTP server the BOOTP server will search for the BOOTP parameter file and return it to the client A BOOTP client dynamically obtains an IP address from a BOOTP server in the following way 1 The BOOTP client broadcasts a BOOTP request which contains its own MAC address 2 The BOOTP server receives the request and se...

Page 290: ...ables the DHCP client and UDP port 68 Using the undo ip address dhcp alloc command disables the DHCP client and UDP port 68 Displaying DHCP BOOTP Client Configuration DHCP Client Configuration Example Network requirements Using DHCP VLAN interface 1 of Switch B is connected to the LAN to obtain an IP address from the DHCP server Configure the VLAN interface to obtain IP address through DHCP or BOO...

Page 291: ...scribes only the configuration on Switch A serving as a DHCP client Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP 4210 system view 4210 interface Vlan interface 1 4210 Vlan interface1 ip address dhcp alloc WINS server DHCP Client DNS server Vlan interface1 Switch A DHCP Client DHCP Server ...

Page 292: ...290 CHAPTER 26 DHCP BOOTP CLIENT CONFIGURATION ...

Page 293: ...nd port numbers carried in the packets According to their application purposes ACLs fall into the following four types Basic ACL Rules are created based on source IP addresses only Advanced ACL Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses type of the protocols carried by IP protocol specific features and so on Layer 2 ACL Rules are ...

Page 294: ...principles will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the parameter itself will jointly decide the final matching order Involved parameters with weighting values from high to low are icmp type established dscp tos precedence fragment Comparison rules are listed below The smaller the weighting value left which ...

Page 295: ...upper layer software for packet filtering They cannot be applied to hardware ACL Configuration Configuring a Time Range Time ranges can be used to filter packets You can specify a time range for each rule in an ACL A time range based ACL takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two type...

Page 296: ...is within the range from 12 00 to 14 00 on every Wednesday in 2004 If the start time is not specified the time section starts from 1970 1 1 00 00 and ends on the specified end date If the end date is not specified the time section starts from the specified start date to 2100 12 31 23 59 Configuration Example Define a periodic time range that spans from 8 00 to 18 00 on Monday through Friday 4210 s...

Page 297: ...istent rules are unaltered Configuration Example Configure ACL 2000 to deny packets whose source IP addresses are 192 168 0 1 4210 system view 4210 acl number 2000 4210 acl basic 2000 rule deny source 192 168 0 1 0 Display the configuration information of ACL 2000 4210 acl basic 2000 display acl 2000 Basic ACL 2000 1 rule Acl s step is 1 rule 0 deny source 192 168 0 1 0 Configuring Advanced ACL An...

Page 298: ... the ACL you cannot modify any existent rule otherwise the system prompts error information If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise it is the maximum rule number plus one The content of a modified or created rule cannot be identical with the content of any existing rules ot...

Page 299: ...8 160 0 0 0 0 255 destination port eq www 0 times matched Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Example for Upper layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP Network requirements Apply an ACL to permit users with the sour...

Page 300: ...ntrolling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source IP address of 10 110 100 46 to log in to the switch through HTTP Network diagram Figure 91 Network diagram for controlling Web login users by source IP Configuration procedure Define ACL 2001 4210 system view 4210 acl number 2001 4210 acl basic 2001 rule 1 permit source 10 110 100 46 0 4210...

Page 301: ...hey arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio reliability and so on The traditional Best Effort service policy is only suitable for applications insensitive to bandwidth and delay such as WWW file transfer and E mail New Applications and New Requ...

Page 302: ...anagement handles resource competition during network congestion Generally it adds packets to queues first and then forwards the packets by using a scheduling algorithm Congestion avoidance monitors the use of network resources and drops packets actively when congestion reaches certain degree It relieves network load by adjusting traffics Traffic identifying is the basis of all the above mentioned...

Page 303: ...according to their DSCP values Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is suitable for preferential services with low delay low packet loss ratio low jitter and assured bandwidth such as virtual leased line Assured forwarding AF class This class is further divided into four subclasses AF1 2 3 4 and a subclass is furth...

Page 304: ...me with an 802 1Q tag header As shown in the figure above each host supporting 802 1Q protocol adds a 4 byte 802 1Q tag header after the source address of the former Ethernet frame header when sending packets Table 221 Description of DSCP precedence values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010...

Page 305: ...es and will be processed preferentially By default a Switch 4210 processes a received packet as follows For a packet without an 802 1q tag header the switch uses the priority of the receiving port as the 802 1p precedence of the packet and looks up it in the 802 1p precedence to local precedence mapping table for the local precedence and then assigns the local precedence to the packet for it to be...

Page 306: ... precedence to the packet With the IP precedence trusted the switch obtains the corresponding local precedence by looking up the IP precedence of the packet in the IP precedence to local precedence mapping table and assigns the local precedence to the packet The Switch 4210 provide COS precedence to local precedence DSCP precedence to local precedence and IP precedence to local precedence mapping ...

Page 307: ...agram for LR If you perform port rate limiting configuration for a port the token bucket determines the way to process the packets to be sent by this port or packets reaching the port Packets can be sent or received if there are enough tokens in the token bucket otherwise they will be dropped Queue Scheduling When the network is congested the problem that many packets compete for resources must be...

Page 308: ...t fixed that is to say if a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use HQ WRR queuing HQ WRR is an improvement over WRR With queue 3 allocated with the highest priority the switch will ensure that this queue get served first and will perform round robin scheduling to the other three queues when the traffic has exceeded the bandwidth capaci...

Page 309: ... is to be configured is determined The target priority value is determined Configuration procedure Configuration example Configure port priority on Ethernet 1 0 1 and set the priority of Ethernet 1 0 1 to 7 4210 system view 4210 interface Ethernet1 0 1 4210 Ethernet1 0 1 priority 7 Table 226 QoS configuration tasks Task Remarks Configuring Port Priority Optional Configuring to Trust the 802 1p Pre...

Page 310: ...re Configuration example Configure the switch to trust the DSCP precedence of the received packets 4210 system view 4210 priority trust dscp Table 228 Configure to trust the 802 1p precedence of the received packets Operation Command Description Enter system view system view Configure to trust the 802 1p precedence of the received packets priority trust Required By default for a packet with an 802...

Page 311: ...cedence to local precedence mapping table Operation Command Description Enter system view system view Configure COS precedence to local pre cedence mapping table qos cos local precedence map cos0 map local prec cos1 map local prec cos2 map local prec cos3 map local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required Table 231 Configure DSCP precedence to l...

Page 312: ...for inbound packets on Ethernet 1 0 1 The rate limit is 1 024 Kbps Configuration procedure 4210 system view 4210 interface Ethernet1 0 1 4210 Ethernet1 0 1 line rate inbound 1024 Configuring Queue Scheduling Refer to Queue Scheduling on page 305 for information about queue scheduling Configuration prerequisites The algorithm for queue scheduling to be used and the related parameters are determined...

Page 313: ...ion Configuration prerequisites The burst function is required Configuration procedure Configuration example Enable the burst function 4210 system view 4210 burst mode enable Table 234 Configure queue scheduling Operation Command Description Enter system view system view Configure queue scheduling queue scheduler hq wrr queue0 weight queue1 weight queue2 weight wrr queue0 weight queue1 weight queu...

Page 314: ...g relationship display qos dscp local precedence map Available in any view Display the IP precedence to local preceden ce mapping relationship display qos ip precedence local precedenc e map Available in any view Display queue scheduling algorithm and related parameters display queue scheduler Available in any view Display the QoS related configuration of a port or all the ports display qos interf...

Page 315: ...ore source ports of a device are copied to the destination port on the same device for packet analysis and monitoring In this case the source ports and the destination port must be located on the same device Configuring Local Port Mirroring Configuration prerequisites The source port is determined and the direction in which the packets are to be mirrored is determined The destination port is deter...

Page 316: ...from the R D department and the marketing department through the data detection device Configure the source port for the port mirroring group In system view mirroring group group id mirroring port mirroring port list both inbound outbound Use either approach You can configure multiple source ports at a time in system view or you can configure the source port in specific port view The configuration...

Page 317: ...he source ports and destination port for the local mirroring group 4210 mirroring group 1 mirroring port Ethernet 1 0 1 Ethernet 1 0 2 both 4210 mirroring group 1 monitor port Ethernet 1 0 3 Display configuration information about local mirroring group 1 4210 display mirroring group 1 mirroring group 1 type local status active mirroring port Ethernet1 0 1 both Ethernet1 0 2 both monitor port Ether...

Page 318: ...316 CHAPTER 29 MIRRORING CONFIGURATION ...

Page 319: ...ent A switch in a cluster plays one of the following three roles Management device Member device Candidate device A cluster comprises of a management device and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remote devices in batches reducing the workload o...

Page 320: ...itoring and maintaining the network It allows you to configure and upgrade multiple switches at the same time It enables you to manage your remotely devices conveniently regardless of network topology and physical distance It saves IP address resource Roles in a Cluster The switches in a cluster play different roles according to their functions and status You can specify the role a switch plays A ...

Page 321: ...ology manages and maintains the cluster Management device also supports FTP server and SNMP host proxy Processes the commands issued by users through the public network Member device Normally a member device is not assigned an external IP address Members of a cluster Discovers the information about its neighbors processes the commands forwarded by the management device and reports log The member d...

Page 322: ...collect network topology information is determined by the NTDP timer If you do not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect network topology information periodically How a Cluster Works Switch Clusteringv2 consists of the following three protocols Nei...

Page 323: ...ng the receiving devices will keep the NDP packet data The receiving devices store the information carried in the NDP packet into the NDP table but do not forward the NDP packet When they receive another NDP packet if the information carried in the packet is different from the stored one the corresponding entry in the NDP table is updated otherwise only the holdtime of the entry is updated Introdu...

Page 324: ...P enabled port on a device to forward an NTDP topology collection request after a specific period since the previous port on the device forwards the NTDP topology collection request n To implement NTDP you need to enable NTDP both globally and on specific ports on the management device and configure NTDP parameters On member candidate devices you only need to enable NTDP globally and on specific p...

Page 325: ...ice is added to the cluster as a member device both the management device and the member device store the state information of the member device and mark the member device as Active The management device and the member devices exchange handshake packets periodically Note that the handshake packets exchanged keep the states of the member devices to be Active and are not responded If the management ...

Page 326: ...functions can be implemented Enabling the management packets including NDP packets NTDP packets and handshake packets to be transmitted in the management VLAN only through which the management packets are isolated from other packets and network security is improved Enabling the management device and the member devices to communicate with each other in the management VLAN Cluster management require...

Page 327: ... When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at the same time Enabling NDP globally and on specific ports Table 240 Cluster configuration tasks Configuration task Remarks Configuring the Management Device Required Configuring Member Devices Required Managing a Cluster through the Management Device Optional Configuring the Enhanced Clust...

Page 328: ...nal By default the holdtime of NDP information is 180 seconds Configure the interval to send NDP packets ndp timer hello seconds Optional By default the interval to send NDP packets is 60 seconds Table 244 Enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable Required Enabled by default Enter Ethernet port view inte...

Page 329: ...Optional Table 246 Enable the cluster function Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function is enabled Table 245 Configure NTDP related parameters Operation Command Description Table 247 Establish a cluster and configure cluster parameters in manual mode Operation Command Description Enter s...

Page 330: ...s 60 seconds Set the interval to send handshake packets timer interval Optional By default the interval to send handshake packets is 10 seconds Table 247 Establish a cluster and configure cluster parameters in manual mode Operation Command Description Table 248 Establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the...

Page 331: ... the member devices in the cluster is closed at the same time When you execute the undo administrator address command on a member device UDP port 40000 of the member device is closed at the same time Enabling NDP globally and on specific ports Enabling NTDP globally and on a specific port Enabling the cluster function Table 250 Enable NDP globally and on specific ports Operation Command Descriptio...

Page 332: ...stination file Optional Table 252 Enable the cluster function Operation Command Description Table 254 Manage a cluster through management devices Operation Command Description Enter system view system view Enter cluster view cluster Configuring MAC address of Management device administrator address mac address name name Optional Add a candidate device to the cluster add member member number mac ad...

Page 333: ...nd restore the administrative device using the backup topology on the Flash memory so that the devices in the cluster can resume normal operation With the display cluster current topology command the switch can display the topology of the current cluster in a tree structure The output formats include Display the tree structure three layers above or below the specified node Display the topology bet...

Page 334: ...ative device topology save to local flash Required Restore the standard topology from the Flash memory of the administrative device topology restore from local flash Optional Display the detailed information about a single device display ntdp single device mac address mac address Optional These commands can be executed in any view Display the topology of the current cluster display cluster current...

Page 335: ...257 Configure the cluster device blacklist Operation Command Description Table 258 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime and all neighbors discovered display ndp You can execute the display command in any view Display NDP configuration and running informa...

Page 336: ...is 163 172 55 1 All the devices in the cluster share the same FTP server and TFTP server The FTP server and TFTP server use the same IP address 63 172 55 1 The NMS and logging host use the same IP address 69 172 55 4 Network diagram Figure 102 Network diagram for Switch Clustering cluster configuration Configuration procedure 1 Configure the member devices taking one member as an example Enable ND...

Page 337: ... and on Ethernet 1 0 2 and Ethernet 1 0 3 4210 ntdp enable 4210 interface Ethernet 1 0 2 4210 Ethernet1 0 2 ntdp enable 4210 Ethernet1 0 2 quit 4210 interface Ethernet 1 0 3 4210 Ethernet1 0 3 ntdp enable 4210 Ethernet1 0 3 quit Set the topology collection range to 2 hops 4210 ntdp hop 2 Set the member device forward delay for topology collection requests to 150 ms 4210 ntdp timer hop delay 150 Se...

Page 338: ...er device to the remote shared FTP server of the cluster aaa_1 3Com ftp cluster Download the file named aaa txt from the shared TFTP server of the cluster to the member device aaa_1 3Com tftp cluster get aaa txt Upload the file named bbb txt from the member device to the shared TFTP server of the cluster aaa_1 3Com tftp cluster put bbb txt n After completing the above configuration you can execute...

Page 339: ...nd save it in the flash of the local management device in the cluster Network diagram Figure 103 Network diagram for the enhanced cluster feature configuration Configuration procedure Enter cluster view aaa_0 3Com system view aaa_0 3Com cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 3Com cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 3Com clu...

Page 340: ...338 CHAPTER 30 CLUSTER ...

Page 341: ...e applied to IP phones wireless access points APs chargers for portable devices card readers network cameras and data collection system PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection PoE power supply monitoring and pow...

Page 342: ...re that is different PoE policies can be set for different user groups These PoE policies are each saved in the corresponding PoE profile and applied to ports of the user groups n When you use the PoE enabled Switch 4210 to supply power the PDs need no external power supply If a remote PD has an external power supply the PoE enabled Switch 4210 and the external power supply will backup each other ...

Page 343: ... default auto When the switch is close to its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs that are connected to the ports with high Configuring the PD Compatibility Detection Function Optional Configuring PoE Over Temperature Protection on the Switch Optional Upgrading the PSE Processing ...

Page 344: ...o two types signal mode and spare mode Signal mode DC power is carried over the data pairs 1 2 3 6 of category 3 5 twisted pairs Spare mode DC power is carried over the spare pairs 4 5 7 8 of category 3 5 twisted pairs Currently the Switch 4210 does not support the spare mode After the PoE feature is enabled on the port perform the following configuration to set the PoE mode on a port Configuring ...

Page 345: ...on disabled on all the ports When the internal temperature of the switch increases from X X 60 C or X 140 F to Y 60 C Y 65 C or 140 F Y 149 F the switch still keeps the PoE function enabled on all the ports Upgrading the PSE Processing Software Online The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged Before performing the fol...

Page 346: ...ay command in any view to see the operation of the PoE feature and verify the effect of the configuration PoE Configuration Example PoE Configuration Example Networking requirements Switch A is a Switch 4210 that supports PoE Switch B can be PoE powered Table 268 Upgrade PSE processing software online Operation Command Description Enter system view system view Upgrade the PSE processing software o...

Page 347: ...guration procedure Upgrade the PSE processing software online SwitchA system view SwitchA poe update refresh 0290_021 s19 Enable the PoE feature on Ethernet 1 0 1 and set the PoE maximum output power of Ethernet 1 0 1 to 12 000 mW SwitchA interface Ethernet 1 0 1 SwitchA Ethernet1 0 1 poe enable SwitchA Ethernet1 0 1 poe max power 12000 SwitchA Ethernet1 0 1 quit Enable the PoE feature on Ethernet...

Page 348: ...et the PoE management mode on the switch to auto it is the default mode so this step can be omitted SwitchA poe power management auto Enable the PD compatibility detect of the switch to allow the switch to supply power to part of the devices noncompliant with the 802 3af standard SwitchA poe legacy enable ...

Page 349: ... the PoE configurations in the PoE profile will be enabled on the port PoE Profile Configuration Configuring PoE Profile Table 270 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename Required If the PoE file is created you will enter PoE profile view directly through the command Configure the rele...

Page 350: ...ient framework IRF system 3 Combination of Unit creates a new Fabric In the newly created Fabric the PoE profile configuration of the Unit with the smallest Unit ID number will become the PoE profile configuration for the Fabric currently in use 4 Split of Fabric results in many new Fabrics In each newly created Fabric the PoE profile configuration of each Unit remains the same as it was before th...

Page 351: ...1 0 5 is Critical whereas the PoE priority for Ethernet 1 0 6 through Ethernet 1 0 10 is High The maximum power for Ethernet 1 0 1 through Ethernet 1 0 5 ports is 3 000 mW whereas the maximum power for Ethernet 1 0 6 through Ethernet 1 0 10 is 15 400 mW Based on the above requirements two PoE profiles are made for users of group A Apply PoE profile 1 for Ethernet 1 0 1 through Ethernet 1 0 5 Apply...

Page 352: ...l Create Profile2 and enter PoE profile view SwitchA poe profile Profile2 In Profile2 add the PoE policy configuration applicable to Ethernet 1 0 6 through Ethernet 1 0 10 ports for users of group A SwitchA poe profile Profile2 poe enable SwitchA poe profile Profile2 poe mode signal SwitchA poe profile Profile2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile ...

Page 353: ...tRequest GetNextRequest and SetRequest messages to the agents Upon receiving the requests from the NMS an agent performs Read or Write operation on the managed object MIB Management Information Base according to the message types generates the corresponding Response packets and returns them to the NMS When a network device operates improperly or changes to other state the agent on it can also send...

Page 354: ... be uniquely identified by a path starting from the root Figure 106 Architecture of the MIB tree The management information base MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object...

Page 355: ...IB attribute MIB content Related RFC Table 273 Configure basic SNMP functions SNMPv1 and SNMPv2c Operation Command Description Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent Set system information and specify to enable SNMPv1 or SNMPv2c on the switch snmp...

Page 356: ...bricid Optional By default the device switch fabric ID is enterprise number device information Create Update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Table 274 Configure basic SNMP functions SNMPv3 Operation Command Description Enter system view system view Enable SNMP agent snmp agen...

Page 357: ...nt calculate password plain password mode md5 sha local switch fabricid specified switch fabricid switch fabricid Optional This command is used if password in cipher text is needed for adding a new user Add a user to an SNMP group snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode des56 priv password acl acl number Required Set the maximum siz...

Page 358: ... view interface interface type interface number Enable the port or interface to send Trap messages enable snmp trap updown Quit to system view quit Set the destination for Trap messages snmp agent target host trap address udp domain ip address udp port port number params securityname security string v1 v2c v3 authentication privacy Required Set the source address for Trap messages snmp agent trap ...

Page 359: ...network management Operation Command Description Enter system view system view Enable logging for network management snmp agent log set operation get operation all Optional Disabled by default Table 278 Display SNMP Operation Command Description Display the SNMP information about the current device display snmp agent sys info contact location version Available in any view Display SNMP packet stati...

Page 360: ...ion protocol to HMAC MD5 authentication password to passmd5 encryption protocol to DES encryption password to cfb128cfb128 4210 snmp agent group v3 managev3group privacy write view internet 4210 snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode des128 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port Ethernet 1 0 2 which is to ...

Page 361: ...name and password authentication When you use 3Com s NMS you need to set user names and choose the security level in Authentication Parameter For each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can query and configure an Ethernet switch through the NMS Fo...

Page 362: ...360 CHAPTER 33 SNMP CONFIGURATION ...

Page 363: ...nts can be reduced thus facilitating the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways Using the dedicated RMON probes When an RMON system operates in this way the NMS directly obtains management information from the RMON probes and controls the network resources In this case all information in the RMON...

Page 364: ...he following operations accordingly Sampling the defined alarm variables periodically Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter Extended alarm group With extended alarm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm...

Page 365: ...peration Command Description Enter system view system view Add an event entry rmon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable sampling time delta absolute rising_threshold threshold value1 event entry1 falling_threshold threshold value2 event entry2 owner text Optional Be...

Page 366: ...m table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm events will be triggered Network diagram Figure 108 Network diagram for RMON configuration Configuration procedures Add the statistics entry numbered 1 to take statistics on Ethernet 1 0 1 4210 system view 4210 interface Ethernet 1 0 1 Table 280 Display RMON Operati...

Page 367: ...every 10 seconds When the change ratio between samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered 4210 rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype fo rever owner user1 Display the RMON extended alarm entry numbere...

Page 368: ...366 CHAPTER 34 RMON CONFIGURATION ...

Page 369: ...configuration NTP is mainly applied to synchronizing the clocks of all devices in a network For example In network management the analysis of the log information and debugging information collected from different devices is meaningful and valid only when network devices that generate the information adopts the same time The billing system requires that the clocks of all network devices be consiste...

Page 370: ...iple we suppose that Before the system clocks of Device A and Device B are synchronized the clock of Device A is set to 10 00 00 am and the clock of Device B is set to 11 00 00 am Device B serves as the NTP server that is the clock of Device A will be synchronized to that of Device B It takes one second to transfer an NTP message from Device A to Device B or from Device B to Device A Figure 109 Im...

Page 371: ...ime offset of Device A relative to Device B Offset T2 T1 T3 T4 2 Device A can then set its own clock according to the above information to synchronize its clock to that of Device B For detailed information refer to RFC 1305 NTP Implementation Modes According to the network structure and the position of the local Ethernet switch in the network the local Ethernet switch can work in multiple NTP mode...

Page 372: ...hronization packets periodically Network Server Initiates a client server mode request after receiving the first multicast packet Works in the server mode automatically and sends responses Client server mode request Response Obtains the delay between the client and server and works in the multicast client mode Receives multicast packets and synchronizes the local clock Broadcast clock synchronizat...

Page 373: ...al Switch 4210 to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric passive peer of the Switch 4210 and the local switch serves as the symmetric active peer Broadcast mode Configure the local Switch 4210 to work in NTP broadcast server mode In this mode the local switch broadcasts NTP messages through the VLAN interface configured on the switch Configure the Sw...

Page 374: ...on the clients and not on the servers n The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server remote ip cannot be a broadcast address a multicast address or the IP address of the local clock After you specify an interface for s...

Page 375: ...d first otherwise the clock synchronization will not proceed You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be chosen to synchronize with the local clock of the switch Configuring NTP Broadcast Mode For switches working in the broadcast mode you need to configure both the...

Page 376: ...lients Configuring a switch to work in the multicast server mode Table 285 Configure a switch to work in the NTP broadcast server mode Operation Command Description Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP broadcast server mode ntp service broadcast server authentication keyid key id version number Required Not...

Page 377: ...ce to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer device From the highest NTP service access control right to the lowest one are peer server synchronization and query When a device receives an NTP request it will perform an access control right match in this order and use the first matched right Configuration ...

Page 378: ...lated configurations are properly performed For the NTP authentication function to take effect a trusted key needs to be configured on both the client and server after the NTP authentication is enabled on them The local clock of the client is only synchronized to the server that provides a trusted key In addition for the server client mode and the symmetric peer mode you need to associate a specif...

Page 379: ...t no trusted key is configured Associate the specified key with the correspo nding NTP server Configure on the client in the server client mode ntp service unicast server remote ip server name authentication keyid key id Required For the client in the NTP broadcast multicast mode you just need to associate the specified key with the client on the corresponding server Configure on the symmetric act...

Page 380: ...tem will create a static association and the server will just respond passively Associate the specified key with the correspondin g broadcast m ulticast client Configure on the NTP broadcast server ntp service broadcast server authentication keyidkey id In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding broadcast multicast clie...

Page 381: ...erver of Device B a Switch 4210 Table 295 Configure the number of dynamic sessions allowed on the local switch Operation Command Description Enter system view system view Configure the maximum number of dynamic sessions that can be established on the local switch ntp service max dynamic sessions number Required By default up to 100 dynamic sessions can be established locally Table 296 Disable an i...

Page 382: ...0000 00000000 Set Device A as the NTP server of Device B DeviceB system view DeviceB ntp service unicast server 1 0 1 11 After the above configurations Device B is synchronized to Device A View the NTP status of Device B DeviceB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision...

Page 383: ...re 115 Network diagram for NTP peer mode configuration Configuration procedure 1 Configure Device C Set Device A as the NTP server DeviceC system view DeviceC ntp service unicast server 3 0 1 31 2 Configure Device B after the Device C is synchronized to Device A Enter system view DeviceB system view Set Device C as the peer of Device B DeviceB ntp service unicast peer 3 0 1 33 Device C and Device ...

Page 384: ... offset delay disper 1234 3 0 1 32 LOCL 1 95 64 42 14 3 12 9 2 7 25 3 0 1 31 127 127 1 0 2 1 64 1 4408 6 38 7 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements The local clock of Device C is set as the NTP master clock with a stratum level of 2 Configure Device C to work in the NTP broadcast server mo...

Page 385: ...3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Apr 2 2007 BF422AE4 05AEA86C The output information indicates that Device D is synchronized to Device C with the clock stratum level of 3 one level lower than that of Device C View...

Page 386: ...vice multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own Vlan interface2 and Device C advertises multicast messages through Vlan interface2 Because Device A and Device C do not share the same network segment Device A cannot receive multicast messages from Device C while Device D is synchronized to Device C after receivin...

Page 387: ...s the NTP server Device B is set to work in client mode while Device A works in server mode automatically The NTP authentication function is enabled on Device A and Device B Network diagram Figure 118 Network diagram for NTP server client mode with authentication configuration Configuration procedure 1 Configure Device B Enter system view DeviceB system view Enable the NTP authentication function ...

Page 388: ...status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequency 100 0000 Hz Actual frequency 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device B is synchronized to that of ...

Page 389: ...rrently the Switch 4210 device supports only SSH2 when functioning as either an SSH client or an SSH server Unless otherwise noted SSH refers to SSH2 throughout this document Algorithm and Key Algorithm is a set of transformation rules for encryption and decryption Information without being encrypted is known as plain text while information that is encrypted is known as cipher text Encryption and ...

Page 390: ... version identification string in the format of SSH primary protocol version number secondary protocol version number software version number The primary and secondary protocol version numbers constitute the protocol version number while the software version number is used for debugging The client receives and resolves the packet If the protocol version of the server is lower but supportable the c...

Page 391: ...ntication type from the method list to perform authentication again The above process repeats until the authentication succeeds or the connection is torn down when the authentication times reach the upper limit SSH provides two authentication methods password authentication and publickey authentication In password authentication the client encrypts the username and password encapsulates them into ...

Page 392: ...e configuration does not take effect immediately but will be effective for subsequent login requests Table 299 SSH server configuration tasks Tasks Description Configuring the SSH server Configuring the Protocol Support for the User Interface Required Generating Destroying a RSA or DSA Key Pair Required Exporting the RSA or DSA Public Key Optional Creating an SSH User and Specify an Authentication...

Page 393: ... to replace the existing key pair n The command for generating a key pair can survive a reboot You only need to configure it once Some third party software for example WinSCP requires that the modulo of a public key be greater than or equal to 768 Therefore a local key pair of more than 768 bits is recommended Specify the supported protocol s protocol inbound all ssh telnet Optional By default bot...

Page 394: ... password and remote authentication RADIUS authentication for example is adopted you need not use the ssh user command to create an SSH user because it is created on the Table 302 Export the RSA public key Operation Command Remarks Enter system view system view Display the RSA key on the screen in a specified format or export it to a specified file public key local export rsa openssh ssh1 ssh2 fil...

Page 395: ...th a username that does not exist the system will automatically create the SSH user However the user cannot log in unless you specify an authentication type for it Configuring SSH Management The SSH server provides a number of management functions that prevent illegal operations such as malicious password guess to further guarantee the security of SSH connections c CAUTION You can configure a logi...

Page 396: ... TFTP You can also use the following commands to configure the client s RSA public key on the server Table 307 Configure the client s public key manually Operation Command Description Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begin Configure a public key for the client Enter the content of the public key When you...

Page 397: ... Configure the client RSA public key manually Operation Command Description Enter system view system view Enter public key view rsa peer public key keyname Required Enter public key edit view public key code begin Configure the client RSA public key Enter the content of the RSA public key The content must be a hexadecimal string that is generated randomly by the SSH supported client software and c...

Page 398: ...y pairs and DSA key pairs are generated by a tool of the client software The following takes the client software of PuTTY PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client Generate a client key To generate a client key run PuTTYGen exe and select from the Parameters area the type of key you want to generate either SSH 2 RSA or SSH 2 DSA then click Generate Table 311 SSH...

Page 399: ...ient key 1 Note that while generating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 121 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 400: ...ON Figure 121 Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key Figure 122 Generate the client keys 3 ...

Page 401: ...Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 123 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then click Convert Figure 124 Generate the client keys 5 Specify the IP address of the Server Launch PuTTY exe The following window appears ...

Page 402: ...ss of the server Note that there must be a route available between the IP address of the server and the client Select a protocol for remote connection As shown in Figure 125 select SSH under Protocol Select an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 126 appears ...

Page 403: ...hm only when the ssh1 version is selected The PuTTY client software supports DES algorithm negotiation ssh2 Open an SSH connection with publickey authentication If a user needs to be authenticated with a public key the corresponding private key file must be specified A private key file is not required for password only authentication From the category on the left of the window select Connection SS...

Page 404: ...e 3 Click Browse to bring up the file selection window navigate to the private key file and click Open to enter the following SSH client interface If the connection is normal a user will be prompted for a username Once passing the authentication the user can log onto the server ...

Page 405: ...erface 1 Open an SSH connection with password authentication From the window shown in Figure 127 click Open The following SSH client interface appears If the connection is normal you will be prompted to enter the username and password as shown in Figure 129 ...

Page 406: ...e and is not configured with the server host public key the user can continue accessing the server and will save the host public key on the client for use in subsequent authentications When first time authentication is not supported a client if not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host...

Page 407: ...client first time Required By default the client is enabled to run first time authentication Configure server public key Refer to Configuring the Client Public Key on the Server on page 394 Required The method of configuring server public key on the client is similar to that of configuring client public key on the server Specify the host key name of the server ssh client server ip server name assi...

Page 408: ...he SSH client will use as the destination for SSH connection 4210 system view 4210 interface vlan interface 1 4210 Vlan interface1 ip address 192 168 0 1 255 255 255 0 4210 Vlan interface1 quit n Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Table 317 Display SSH configuration Operation Command Description Display host and server public keys display rsa local key ...

Page 409: ...on password to abc protocol type to SSH and command privilege level to 3 for the client 4210 local user client001 4210 luser client001 password simple abc 4210 luser client001 service type ssh level 3 4210 luser client001 quit Specify the authentication method of user client001 as password 4210 ssh user client001 authentication type password Configure the SSH client Configure an IP address 192 168...

Page 410: ...TTY exe to enter the following configuration interface Figure 131 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH server 2 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 132 appears ...

Page 411: ...Protocol options select 2 from Preferred SSH protocol version 3 As shown in Figure 131 click Open to enter the following interface If the connection is normal you will be prompted to enter the user name client001 and password abc Once authentication succeeds you will log onto the server ...

Page 412: ...n Configuration procedure n Under the publickey authentication mode either the RSA or DSA public key can be generated for the server to authenticate the client Here takes the RSA public key as an example Configure the SSH server Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection 4210 system view 4210 interface vlan int...

Page 413: ...e authentication type of the SSH client named client 001 as publickey 4210 ssh user client001 authentication type publickey n Before performing the following steps you must generate an RSA public key pair using the client software on the client save the key pair in a file named public and then upload the file to the SSH server through FTP or TFTP For details refer to Configuring the SSH Client on ...

Page 414: ...en exe choose SSH2 RSA and click Generate Figure 135 Generate a client key pair 1 n While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 136 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 415: ...amples 413 Figure 136 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 137 Generate a client key pair 3 ...

Page 416: ... to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with the SSH server The following takes the SSH client software Putty version 0 58 as an example 1 Launch PuTTY exe to enter the following interface Figure 139 SSH client configuration interface 1 In the Host Name or IP address...

Page 417: ...SH Configuration Examples 415 Figure 140 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 3 Select Connection SSH Auth The following window appears ...

Page 418: ...Browse to bring up the file selection window navigate to the private key file and click OK 4 From the window shown in Figure 141 click Open The following SSH client interface appears If the connection is normal you will be prompted to enter the username and password as shown in Figure 142 ...

Page 419: ...ired Network diagram Figure 143 Network diagram of SSH client configuration when using password authentication Configuration procedure Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection 4210 system view 4210 interface vlan interface 1 4210 Vlan interface1 ip address 10 165 87 136 255 255 255 0 4210 V...

Page 420: ...and assign an IP address which serves as the SSH client s address in an SSH connection 4210 system view 4210 interface vlan interface 1 4210 Vlan interface1 ip address 10 165 87 137 255 255 255 0 4210 Vlan interface1 quit Establish a connection to the server 10 165 87 136 4210 ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is ...

Page 421: ...interfaces to AAA 4210 user interface vty 0 4 4210 ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH 4210 ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 4210 ui vty0 4 user privilege level 3 4210 ui vty0 4 quit Specify the authentication type of user client001 as publickey 4210 ssh user client001 authentication type publickey n Before doing th...

Page 422: ... to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Copyright c 2004 2007 3Com Corporation Without the owner s prior written consent no decompiling or reverse switch fabricering shall be allowed 4210 When the Switch Acts as an SSH Client and First time authentication is not Supported Network requi...

Page 423: ...the file to the SSH server through FTP or TFTP For details refer to the following Configure Switch A Import the client s public key file Switch001 and name the public key as Switch001 4210 public key peer Switch001 import sshkey Switch001 Assign public key Switch001 to user client001 4210 ssh user client001 assign publickey Switch001 Export the generated DSA host public key to a file named Switch0...

Page 424: ...n upload the file to the SSH client through FTP or TFTP For details refer to the above section Configure Switch B Import the public key named Switch002 from the file Switch002 4210 public key peer Switch002 import sshkey Switch002 Specify the host public key name of the server 4210 ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10 165 87 136 4210 ssh2 10...

Page 425: ...is method can be used to specify a path or a file in the current work directory Directory Operations The file system provides directory related functions such as Creating deleting a directory Displaying the current work directory or contents in a specified directory Table 319 describes the directory related operations Perform the following configuration in user view Table 318 Configuration tasks o...

Page 426: ...brackets If the configuration files are deleted the switch adopts the null configuration when it starts up next time Table 320 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserved Optional A deleted file can be restored by using the undelete command if you delete it by executing the delete command without specifying th...

Page 427: ...fig cfg 3 rwh 151 Apr 03 2000 16 04 55 private data txt 4 rwh 716 Apr 04 2000 17 27 35 hostkey 5 rwh 572 Apr 04 2000 17 27 41 serverkey 6 rwh 548 Apr 04 2000 17 30 06 dsakey 7 drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Copy the file flash config cfg to flash test with 1 cfg as the name of the new file 4...

Page 428: ...hree startup files support file attribute configuration App files An app file is an executable file with bin as the extension Configuration files A configuration file is used to store and restore configuration with cfg as the extension Web files A Web file is used for Web based network management with web as the extension The app files configuration files and Web files support three kinds of attri...

Page 429: ...ttributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the main or backup attribute of the file Perform the configuration listed in Table 324 in user view The display commands can be executed in any view none Identifies files that are neither of main attribute nor backup attribute None Table 323 Descriptions ...

Page 430: ...mand Otherwise Web server cannot function normally Currently a configuration file has the extension of cfg and resides in the root directory of the Flash memory For the detailed configuration of configuration file attributes refer to Configuration File Management on page 67 Display the information about the app file used as the startup file display boot loader unit unit id Optional Available in an...

Page 431: ... for program file transfer ASCII mode for text file transfer A 3Com Switch 4210 can operate as an FTP client or the FTP server in FTP employed data transmission Table 325 The Switch 4210 FTP Roles Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log in to a switch operating as an FTP server by running ...

Page 432: ...ates as an FTP server Table 326 FTP configuration tasks Item Configuration task Description FTP Configuration A Switch Operating as an FTP Server Creating an FTP user Required Enabling an FTP server Required Configuring connection idle time Optional Configuring the banner for an FTP server Optional Displaying FTP server information Optional FTP Configuration A Switch Operating as an FTP Client Bas...

Page 433: ...a long time without performing any operation Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types Login banner After the connection between an FTP client and an FTP server is established the FTP server outputs t...

Page 434: ...ions such as creating removing a directory by executing commands on the switch Table 332 lists the operations that can be performed on an FTP client Table 330 Configure the banner display for an FTP server Operation Command Description Enter system view system view Configure a login banner header login text Required Use either command or both By default no banner is configured Configure a shell ba...

Page 435: ... current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only the file name and directory ls remotefile localfile Download a remote file from the FTP server get remotefile localfile Optional Upload a local file to the remote FTP server put localfile remotefile R...

Page 436: ...nfigure Switch A the FTP server Log in to the switch and enable the FTP server function on the switch Configure the user name and password used to access FTP services and specify the service type as FTP You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information Configure the FTP user name as switch the password as hello and the ser...

Page 437: ...ION If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu 3Com se...

Page 438: ...nfiguration Configuration procedure 1 Configure the switch FTP server Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears For detailed configuration of other network requirements see Configuration Example A Switch Operating as an FTP Server 4210 system view 4210 header login login banner appears 4210 header shell shell banner appears 4210 2...

Page 439: ... client Configuration procedure 1 Configure the PC FTP server Perform FTP server related configurations on the PC that is create a user account on the FTP server with user name switch and password hello 2 Configure the switch FTP client Log in to the switch You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information 4210 c CAUTION I...

Page 440: ...ion is upgraded 4210 boot boot loader switch bin 4210 reboot n For information about the boot boot loader command and how to specify the startup file for a switch refer to Basic System Configuration and Debugging on page 483 SFTP Configuration SFTP Configuration A Switch Operating as an SFTP Server Enabling an SFTP server Before enabling an SFTP server you need to enable the SSH server function an...

Page 441: ...nt only the first user can log in to the SFTP user The subsequent connection will fail When you upload a large file through WINSCP if a file with the same name exists on the server you are recommended to set the packet timeout time to over 600 seconds thus to prevent the client from failing to respond to device packets due to timeout Similarly when you delete a large file from the server you are r...

Page 442: ... rmdir pathname Delete a specified file delete remotefile Optional Both commands have the same effect remove remote file Query a specified file on the SFTP server dir remotefile localfile Optional If no file name is provided all the files in the current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attr...

Page 443: ...diagram for SFTP configuration Configuration procedure 1 Configure the SFTP server switch B Create key pairs 4210 system view 4210 public key local create rsa 4210 public key local create dsa Create a VLAN interface on the switch and assign to it an IP address which is used as the destination address for the client to connect to the SFTP server 4210 interface vlan interface 1 4210 Vlan interface1 ...

Page 444: ...ame client001 and the password abc and then enter SFTP client view 4210 sftp 192 168 0 1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Enter password sftp client Display the current directory of the server Delete the file z and verify the...

Page 445: ... and then verify the result sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Rece...

Page 446: ...ey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit SFTP sftp client quit Bye 4210 ...

Page 447: ... server he Switch 4210 can operate as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory If the TFTP server supports file size negotiation file size negotiation will be initiated between the switch and the server and the file download operation will be aborted if the free space of the switch s flash memory is found to be insufficient If the ...

Page 448: ...nfigure the IP addresses of a VLAN interface on the switch and the PC as 1 1 1 1 and 1 1 1 2 respectively The port through which the switch connects with the PC belongs to the VLAN Network diagram Figure 152 Network diagram for TFTP configurations Configuration procedure 1 Configure the TFTP server PC Start the TFTP server and configure the working directory on the PC 2 Configure the TFTP client s...

Page 449: ...ough which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 1 1 1 1 255 255 255 0 4210 Vlan interface1 quit Download the switch application named switch bin from the TFTP server to the switch 4210 tftp 1 1 1 2 get switch bin switch bin Upload the switch configuration file named ...

Page 450: ...448 CHAPTER 39 TFTP CONFIGURATION ...

Page 451: ......

Page 452: ...450 CHAPTER 39 TFTP CONFIGURATION ...

Page 453: ...information Debugging information Eight levels of system information The information is classified into eight levels by severity and can be filtered by level More emergent information has a smaller severity level Information filtering by severity works this way information with the severity value greater than the configured threshold is not output during the filtering Table 338 Severity descriptio...

Page 454: ... information center is enabled Table 339 Information channels and output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap and debugging information facilitating remote maintenance 2 loghost Log host Receives log trap and debugging information and information...

Page 455: ...y module HABP 3Com authentication bypass protocol module HTTPD HTTP server module HWCM 3Com Configuration Management private MIB module HWP Remote Ping module IFNET Interface management module IGSP IGMP snooping module IP Internet protocol module LAGG Link aggregation module LINE Terminal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor di...

Page 456: ...tailed explanation of the fields involved Priority The priority is calculated using the following formula facility 8 severity 1 in which facility the device name defaults to local7 with the value being 23 the value of local6 is 22 that of local5 is 21 and so on severity the information level ranges from 1 to 8 Table 338 details the value and meaning associated with each severity Note that there is...

Page 457: ...so that you can know the standard time when the information center processing each piece of information That is you can know the Greenwich standard time of each switch in the network based on the UTC record in the time stamp To add UTC time zone to the time stamp in the information center output information you must Set the local time zone Set the time stamp format in the output direction of the i...

Page 458: ... information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in command editing mode a prompt or a Y N string in interaction mode and the input information are echoed after the output This feature is used in the case that your input is interrupted by a large amount of system ...

Page 459: ...sole Table 342 Configure synchronous information output Operation Command Description Enter system view system view Enable synchronous information output info center synchronous Required Disabled by default Table 343 Configure to display time stamp with the UTC time zone Operation Command Description Set the time zone for the system clock timezone zone name add minus time Required By default UTC t...

Page 460: ...info center timestamp log trap debugging boot date none Optional By default the time stamp format of the log and trap output information is date and that of the debugging output information is boot Table 344 Set to output system information to the console Operation Command Description Table 345 Default output rules for different output directions Output direction Modules allowed LOG TRAP DEBUG Ena...

Page 461: ...bugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Optional Enabled by default Table 346 Enable the system information display on the console Operation Command Description Table 347 Set to output system information to a monitor terminal Operation Comma...

Page 462: ...ble debugging information terminal display function terminal debugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Optional Enabled by default Table 349 Set to output system information to a log host Operation Command Description Enter system view syste...

Page 463: ... center enable Optional Enabled by default Enable system information output to the trap buffer info center trapbuffer channel channel number channel name size buffersize Optional By default the switch uses information channel 3 to output trap information to the trap buffer which can holds up to 256 items by default Configure the output rules of system information info center source modu name defau...

Page 464: ...nfo center timestamp log trap debugging boot date none Optional By default the time stamp format of the output log information is date Table 351 Set to output system information to the log buffer Operation Command Description Table 352 Set to output system information to the SNMP NMS Operation Command Description Enter system view system view Enable the information center info center enable Option...

Page 465: ...er Operation Command Description Display information on an information channel display channel channel number channel name Available in any view Display the operation status of information center the configuration of information channels the format of time stamp display info center unit unit id Display the status of log buffer and the information recorded in the log buffer display logbuffer unit u...

Page 466: ...ting with a sign In each pair a tab should be used as a separator instead of a space No space is allowed at the end of a file name The device name facility and received log information severity level specified in the file etc syslog conf must be the same as those corresponding parameters configured in the commands info center loghost and info center source Otherwise log information may not be outp...

Page 467: ... action pairs Switch configuration messages local7 info var log Switch information n Note the following items when you edit file etc syslog conf A note must start in a new line starting with a sign In each pair a tab should be used as a separator instead of a space No space is permitted at the end of the file name The device name facility and received log information severity specified in file etc...

Page 468: ...able Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with severity level higher than informational to the console Switch info center console channel console Switch info center source arp channel console log level informationa...

Page 469: ... 4210 clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date 4210 system view System View return to User View with Ctrl Z 4210 info center timestamp loghost date Configure to add UTC time to the output information of the information center 4210 info center timestamp utc Internet PC Switch ...

Page 470: ...468 CHAPTER 40 INFORMATION CENTER ...

Page 471: ...Ethernet port You can load software remotely by using FTP TFTP n The Boot ROM software version should be compatible with the host software version when you load the Boot ROM and host software Local Boot ROM and Software Loading If your terminal is directly connected to the Console port of the switch you can load the Boot ROM and host software locally Before loading the software make sure that your...

Page 472: ...et bootrom password recovery 9 Set switch startup mode 0 Reboot Enter your choice 0 9 Loading by XModem through Console Port Introduction to XModem XModem protocol is a file transfer protocol that is widely used due to its simplicity and high stability The XModem protocol transfers files through Console port It supports two types of data packets 128 bytes and 1 KB two check methods checksum and CR...

Page 473: ...3 Choose an appropriate baudrate for downloading For example if you press 5 the baudrate 115200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready n If you have chosen 9600 bps as the download baudrate you need not modify the HyperTerminal s baudrat...

Page 474: ...472 CHAPTER 41 BOOT ROM AND HOST SOFTWARE LOADING Figure 157 Properties dialog box Figure 158 Console port configuration dialog box ...

Page 475: ...t the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in HyperTerminal and click Browse in pop up dialog box as shown in Figure 160 Select the software file that you need to load to the switc...

Page 476: ...he system prompts Your baudrate should be set to 9600 bps again Press enter key when ready You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 9600 bps In this case the system upgrades the Boot ROM automatically and prompts Bootrom updating now done Loading host software Follow these steps to load the host software Step 1 Select 1 in BOOT Menu and press En...

Page 477: ...ion to TFTP TFTP a protocol in TCP IP protocol suite is used for trivial file transfer between client and server It is over UDP to provide unreliable data stream transfer service Loading the Boot ROM Figure 162 Local loading using TFTP Step 1 As shown in Figure 162 connect the switch through an Ethernet port to the TFTP server and connect the switch through the Console port to the configuration PC...

Page 478: ...ys the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 3 Step 2 Enter 1 in the above menu to download the host software using TFTP The subsequent steps are the same as those for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loadin...

Page 479: ...Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 4 Enter 2 in the above menu to download the Boot ROM using FTP Then set the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name switch FTP User Password abc 5 Press Enter The system displays the following information Are you sure to update...

Page 480: ...Loading the Boot ROM As shown in Figure 164 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM program switch btm from the remote FTP server whose IP address is 10 1 1 1 to the switch Figure 164 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands 4210 ftp 1...

Page 481: ...ng files refer to File System Management Configuration on page 423 Ensure that the power supply is available during software loading Loading Procedure Using FTP Server As shown in Figure 165 the switch is used as the FTP server You can telnet to the switch and then execute the FTP commands to upload the Boot ROM switch btm to the switch Figure 165 Remote loading using FTP server 1 To load the Boot...

Page 482: ...est New local user added 4210 luser test password simple pass 4210 luser test service type ftp d Enable FTP client software on the PC Refer to Figure 166 for the command line interface in Windows operating system Figure 166 Command line interface e Use the cd command on the interface to enter the path that the Boot ROM upgrade file is to be stored Assume the name of the path is D Bootrom as shown ...

Page 483: ...oot ROM directory f Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 168 to log on to the FTP server Figure 168 Log on to the FTP server g Use the put command to upload the file switch btm to the switch as shown in Figure 169 ...

Page 484: ...Loading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch Only the configuration steps concerning loading are listed here For detailed description of the corresponding configuration commands refer to th...

Page 485: ...te end time end date offset time Optional Execute this command in user view When the system reaches the specified start time it automatically adds the specified offset to the current time so as to toggle the system time to the summer time When the system reaches the specified end time it automatically subtracts the specified offset from the current time so as to toggle the summer time to normal sy...

Page 486: ...play of debugging information Protocol debugging switch which controls protocol specific debugging information Screen output switch which controls whether to display the debugging information on a certain screen Figure 170 illustrates the relationship between the protocol debugging switch and the screen output switch Assume that the device can output debugging information to module 1 2 and 3 Only ...

Page 487: ... OFF ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 OFF ON ON Debugging information Protocol debugging switch Screen output switch 1 3 1 2 3 1 3 Table 356 Enable debugging and terminal display for a specific module Operation Command Description Enable system debugging for specific module debugging module name debugging option Required Disabled for all modules by ...

Page 488: ...can use the command here to display the current operating information about the modules in the system for troubleshooting your system Table 358 Display the current operation information about the modules in the system Operation Command Description Display the current operation information about the modules in the system display diagnostic information You can use this command in any view You should...

Page 489: ...sed to check the network connectivity It can also be used to help locate the network faults The executing procedure of the tracert command is as follows First the source host sends a data packet with the TTL of 1 and the first hop device returns an ICMP error message indicating that it cannot forward this packet because of TTL timeout Then the source host resends the packet with the TTL of 2 and t...

Page 490: ...he tracert command Operation Command Description View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout string You can execute the tracert command in any view ...

Page 491: ... tasks Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System Optional Specifying the APP to be Used at Reboot Optional Upgrading the Boot ROM Optional Table 362 Reboot the Ethernet switch Operation Command Description Reboot the Ethernet switch reboot unit unit id Available in user view Ta...

Page 492: ...re to specify the one that will be used when the switch reboots Upgrading the Boot ROM You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM With this command a remote user can conveniently upgrade the BootRom by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switch restarts Table 364 Co...

Page 493: ...he PC is reachable to each other The host software switch bin and the Boot ROM file boot btm of the switch are stored in the directory switch on the PC Use FTP to download the switch bin and boot btm files from the FTP server to the switch Table 367 Display the operating status of the device management Operation Command Description Display the APP to be adopted at next startup display boot loader ...

Page 494: ...ppears 4210 c CAUTION If the Flash memory of the switch is not sufficient delete the original applications before downloading the new ones 4 Initiate an FTP connection with the following command in user view Enter the correct user name and password to log into the FTP server 4210 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user ...

Page 495: ... booted next time on unit 1 4210 display boot loader Unit 1 The current boot app is switch bin The main boot app is switch bin The backup boot app is Reboot the switch to upgrade the Boot ROM and host software of the switch 4210 reboot Start to check configuration with next startup configuration file please wait This command will reboot the device Current configuration may be lost in next startup ...

Page 496: ...494 CHAPTER 44 DEVICE MANAGEMENT ...

Page 497: ...tiated by Remote Ping client and you can view the test results on Remote Ping client only When performing a Remote Ping test you need to configure a Remote Ping test group on the Remote Ping client A Remote Ping test group is a set of Remote Ping test parameters A test group contains several test parameters and is uniquely identified by an administrator name and a test tag After creating a Remote ...

Page 498: ...ell known port 1 to 1023 being unavailable TCP test Tcppublic test Tcpprivate test UDP test Udppublic test Udpprivate test Table 369 Remote Ping test parameters Test parameter Description Destination address destination ip For TCP UDP jitter test you must specify a destination IP address and the destination address must be the IP address of a TCP UDP UDP listening service configured on the Remote ...

Page 499: ...ding IP and ICMP headers Maximum number of history records that can be saved history records This parameter is used to specify the maximum number of history records that can be saved in a test group When the number of saved history records exceeds the maximum number Remote Ping discards some earliest records Automatic test interval frequency This parameter is used to set the interval at which the ...

Page 500: ...robe the Remote Ping client sends a series of packets to the Remote Ping server at regular intervals you can set the interval Once receiving such a packet the Remote Ping server marks it with a timestamp and then sends it back to the Remote Ping client Upon receiving a packet returned the Remote Ping client computes the delay jitter time The Remote Ping client collects delay jitter statistics on a...

Page 501: ...y for jitter TCP and UDP tests Remote Ping server configuration Configure a listening service on the Remote Ping server You can configure multiple TCP UDP listening services on one Remote Ping server with each listening service corresponding to a specific destination IP address and port number Remote Ping server configuration Table 371 Remote Ping server configuration Operation Command Description...

Page 502: ... type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional ...

Page 503: ...er Figure 173 Optional By default the maximum number is 50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required You can execute the command in any view Table 373 Configure DHCP test on Remote Ping client Operation Command Description...

Page 504: ...t a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of FTP operation ftp operation get put Optional By default the type of FTP operation is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Required By default neither username nor password is config...

Page 505: ...as host name Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the test type test type http Required By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe C...

Page 506: ...Enable the Remote Ping client function Remote Ping agent enable Required By default the Remote Ping client function is disabled Create a Remote Ping test group and enter its view Remote Ping administrator name operation tag Required By default no test group is configured Configure the destination IP address destination ip ip address Required The destination address must be the IP address of a UDP ...

Page 507: ...ll be sent in each jitter probe jitter packetnum number Optional By default each jitter probe will send 10 packets Configure the interval to send test packets in the jitter test jitter interval interval Optional By default the interval is 20 milliseconds Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required You can execute the comman...

Page 508: ...lt the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required You ca...

Page 509: ...ss Optional By default the source IP address is not specified Configure the source port source port port number Optional By default no source port is specified Configure the test type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the number of probes per test count times Optional By default one probe is made per time Configure the automatic test interval freque...

Page 510: ...p address Required This IP address and the one configured on the Remote Ping server for listening service must be the same By default no destination address is configured Configure the destination port destination port port number Required in a Udpprivate test A Udppublic test is a UDP connection test on port 7 Use the Remote Ping server udpecho ip address 7 command on the server to configure the ...

Page 511: ...the service type is zero Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required The display command can be executed in any view Table 379 Configure UDP test on Remote Ping client Operation Command Description Table 380 Configure DNS test on Remote Ping client Operation Command Description Enter system view system view Enable the Remot...

Page 512: ...ot specified Configure the IP address of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display Remote Ping results admin name operation tag Required The display command can be executed in any view Table 381 Configure the Remote Ping client to send Trap messages Operation Command Description Ente...

Page 513: ...nable Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and test tag to ICMP 4210 Remote Ping administrator icmp Configure the test type as icmp Configure the number of consecutive unsuccessful Remote Ping probes before Trap output probe failtimes times Optional By default Trap messages are sent each ti...

Page 514: ...d test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 4210 Remote Ping administrator icmp display Remote Ping history administrator i cmp Remote Ping entry ad...

Page 515: ...isplay Remote Ping results administra tor dhcp Remote Ping entry admin administrator tag dhcp test result Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1018 1037 1023 Square Sum of Round Trip Time 10465630 Last complete test time 2000 4 3 9 51 30 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation t...

Page 516: ...ystem view 4210 interface Vlan interface 1 4210 Vlan interface1 ip address 10 1 1 1 8 Enable the Remote Ping client 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and test tag to FTP 4210 Remote Ping administrator ftp Configure the test type as ftp 4210 Remote Ping administrator ftp test type ftp Configure the IP address of the FTP ser...

Page 517: ...Other operation errors 0 4210 Remote Ping administrator ftp display Remote Ping history administrat or ftp Remote Ping entry admin administrator tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52 9 5 15772 1 0 2000 04 03 03 59 37 0 6 15653 1 0 2000 04 03 03 59 ...

Page 518: ...rator http timeout 30 Start the test 4210 Remote Ping administrator http test enable Display test results 4210 Remote Ping administrator http display Remote Ping results administrator h ttp Remote Ping entry admin administrator tag http test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 47 87 74 Square Sum of Round Trip Tim...

Page 519: ...he DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test Jitter Test Network requirements Both the Remote Ping client and the Remote Ping server are Switch 4210s Perform a Remote Ping jitter test between the two switches to test the delay jitter of the UDP packets exchanged between this end Remote Ping client and the specified destination end ...

Page 520: ... 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Jitter result RTT Number 100 Min Positive SD 1 Min Positive DS 1 Max Positive SD 6 Max Positive DS 8 Positive SD Number 38 Positive DS Number 25 Positive SD Sum 85 Positive DS Sum 42 Positive SD average 2 Positive DS average 1 Positive S...

Page 521: ...agent community write private n The SNMP network management function must be enabled on SNMP agent before it can receive response packets The SNMPv2c version is used as reference in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual Configure Remote Ping Client Switch A Enable the Remote Ping client 4210 system view 42...

Page 522: ...y admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5 9 1 0 2000 04 03 08 57 19 9 6 11 1 0 2000 04 03 08 57 19 9 7 10 1 0 2000 04 03 08 57 19 9 8 10 1 0 2000 04 03 08 57 19 9 9 10 1 0 2000 04 03 08 57 19 8 10 10 1 0 2000 04 03 08 57 19 8 For detail...

Page 523: ...trator tcpprivate test enable Display test results 4210 Remote Ping administrator tcpprivate display Remote Ping results administr ator tcpprivate Remote Ping entry admin administrator tag tcpprivate test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 4 7 5 Square Sum of Round Trip Time 282 Last complete test time 2000 4 2 8...

Page 524: ...Configure Remote Ping Client Switch A Enable the Remote Ping client 4210 system view 4210 Remote Ping agent enable Create a Remote Ping test group setting the administrator name to administrator and test tag to udpprivate 4210 Remote Ping administrator udpprivate Configure the test type as udpprivate 4210 Remote Ping administrator udpprivate test type udpprivate Configure the IP address of the Rem...

Page 525: ... 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04 02 08 29 45 3 8 10 1 0 2000 04 02 08 29 45 3 9 10 1 0 2000 04 02 08 29 45 3 10 11 1 0 2000 04 02 08 29 45 3 For detailed output description see the corresponding command manual DNS Test Network requirements A Switch 4210 serves as the Remote Ping client and a PC serves as...

Page 526: ...8 Square Sum of Round Trip Time 756 Last complete test time 2006 11 28 11 50 40 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Dns result DNS Resolve Current Time 10 DNS Resolve Min...

Page 527: ... header thus making IPv6 packet handling simple and improving the forwarding efficiency Although the IPv6 address size is four times that of IPv4 addresses the size of basic IPv6 headers is only twice that of IPv4 headers excluding the Options field For the specific IPv6 header format see Figure 189 Figure 189 Comparison between IPv4 header format and IPv6 header format Adequate address space The ...

Page 528: ...n the IPv6 header allows the device to label packets in a flow and provide special handling for these packets Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet control message protocol version 6 ICMPv6 messages The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes nodes on the same link The group of ICMPv...

Page 529: ...inly fall into three types unicast address multicast address and anycast address Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address Multicast address An identifier for a set of interfaces typically belonging to different nodes similar to an IPv4 multicast address A packe...

Page 530: ...ket to itself Unassigned address The unicast address is called the unassigned address and may not be assigned to any node Before acquiring a valid IPv6 address a node may fill this address in the source address field of an IPv6 packet but may not use it as a destination IPv6 address Multicast address Multicast addresses listed in Table 384 are reserved for special purpose Besides there is another ...

Page 531: ... Thus an interface identifier in EUI 64 format is obtained Figure 190 Convert a MAC address into an EUI 64 address Introduction to IPv6 Neighbor Discovery Protocol The IPv6 neighbor discovery protocol NDP uses five types of ICMPv6 messages to implement the following functions Address resolution Neighbor unreachability detection Duplicate address detection Router prefix discovery Address autoconfig...

Page 532: ...on address is the Neighbor advertisement NA message Used to respond to a neighbor solicitation message When the link layer address changes the local node initiates a neighbor advertisement message to notify neighbor nodes of the change Router solicitation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration informat...

Page 533: ...therwise node B is unreachable Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate address detection to determine whether the address is being used by other nodes similar to the gratuitous ARP function The duplication address detection is accomplished through NS and NA messages Figure 192 shows the duplicate address detection procedure Figure 192 Dupli...

Page 534: ...981 Path MTU Discovery for IP version 6 RFC 2375 IPv6 Multicast Address Assignments RFC 2460 Internet Protocol Version 6 IPv6 Specification RFC 2461 Neighbor Discovery for IP Version 6 IPv6 RFC 2462 IPv6 Stateless Address Autoconfiguration RFC 2463 Internet Control Message Protocol ICMPv6 for the Internet Protocol Version 6 IPv6 Specification RFC 2464 Transmission of IPv6 Packets over Ethernet Net...

Page 535: ... configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link local command If a link local address is manually assigned to an interface this link local address takes effect If the Table 387 Configure an IPv6 unicast address To do Use the command Remarks Enter sys...

Page 536: ... resolved into a link layer address dynamically through NS and NA messages or statically through manual configuration You can configure a static neighbor entry in two ways Mapping a VLAN interface to an IPv6 address and a link layer address Mapping a port in a VLAN to an IPv6 address and a link layer address If you configure a static neighbor entry in the second way make sure the corresponding VLA...

Page 537: ...essage You can configure the interval for sending NS messages Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors max learning num number Optional The default value is 2 048 Table 390 Configure the attempts to send an NS message for duplicate address detection To do Use the command Remarks ...

Page 538: ...ived before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer is reset from the last packet and the connection is terminated after the finwait timer expires Size of IPv6 TCP receiving sending buffer Specify the NS interval ipv6 nd ns retrans timer value Optiona...

Page 539: ...c host name to IPv6 address mapping You can directly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to one IPv6 address Set the finwait timer of IPv6 TCP packets tcp ipv6 timer fin timeout wait time Optional 675 seconds by default Set the synwait timer of IPv6 TCP packets tcp ipv6 timer syn timeout wait...

Page 540: ...support at most 10 domain name suffixes n The dns resolve and dns domain commands are the same as those of IPv4 DNS For details about the commands refer to DNS Configuration on page 549 Table 398 Configure dynamic DNS resolution To do Use the command Remarks Enter system view system view Enable the dynamic domain name resolution function dns resolve Required Disabled by default Configure an IPv6 D...

Page 541: ...exclude include text Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface interface type interface number vlan vlan id count Display information about the routing table display ipv6 route table verbose Display information related to a specified socket display ipv6 socket socktype socket type task id socket id Display t...

Page 542: ...terface Vlan interface 2 SwitchA Vlan interface2 ipv6 address auto link local Configure a global unicast address for the interface Vlan interface2 SwitchA Vlan interface2 ipv6 address 3001 1 64 2 Configure Switch B Configure an automatically generated link local address for the interface Vlan interface2 SwitchA system view SwitchB interface Vlan interface 2 SwitchB Vlan interface2 ipv6 address aut...

Page 543: ...ypes of IPv6 addresses can be pinged c CAUTION When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local address For the operation of IPv6 ping refer to IPv6 Ping on page 543 SwitchA Vlan interface2 ping ipv6 FE80 2E0 FCFF FE00 2006 i Vlan interface 2 PING FE80 2E0 FCFF FE00 2006 56 data bytes press CT...

Page 544: ...3 hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 5 20 79 ms ...

Page 545: ...o be received For details about the ping command refer to Basic System Configuration and Debugging on page 483 c CAUTION When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local address IPv6 Traceroute The traceroute ipv6 command is used to record the route of IPv6 packets from source to destination s...

Page 546: ...port unreachable ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination IPv6 TFTP IPv6 supports TFTP Trivial File Transfer Protocol As a client the device can download files from or upload files to a TFTP server For details about TFTP see File System Management Configuration preparation Enable TFTP on th...

Page 547: ...d For details refer to You can log into a Switch 4210 in one of the following ways on page 21 c CAUTION When you use the telnet ipv6 command to connect to the Telnet server you must specify the i keyword if the destination address is a link local address Display and maintain IPv6 Telnet Table 402 Download upload files to TFTP servers To do Use the command Remarks Download Upload files from TFTP se...

Page 548: ...ns Configuration procedure n You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is accessible before the following configuration Ping SWB s IPv6 address from SWA SWA ping ipv6 3003 1 PING 3003 1 64 data bytes press CTRL_C to break Reply from 3003 1 bytes 56 Sequence 1 hop limit 64 time 110 ms Reply from 3003 1 bytes 5...

Page 549: ...e wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Server Troubleshooting IPv6 Application Unable to Ping a Remote Destination Symptom Unable to ping a remote destination and return an error message Solution Check that the IPv6 addresses are configured...

Page 550: ...mptom Unable to download and upload files by performing TFTP operations Solution Check that the route between the device and the TFTP server is up Check that the file system of the device is usable You can check it by running the dir command in user view Check that the ACL configured for the TFTP server does not block the connection to the TFTP server Unable to Run Telnet Symptom Unable to login t...

Page 551: ... Switch 4210 supports both static and dynamic DNS clients Static Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP addresses of the corresponding domain names can be found in the static domain name resolution table for applications such as Telnet Dynamic Domain Name Resolution Resolution procedure Dynamic domain nam...

Page 552: ...ages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and de...

Page 553: ... in user view to clear the information stored in the dynamic domain name resolution cache Table 405 Configure static domain name resolution Operation Command Remarks Enter system view system view Configure a mapping between a host name and an IP address ip host hostname ip address Required No IP address is assigned to a host name by default Table 406 Configure dynamic domain name resolution Operat...

Page 554: ...C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 127 time 5 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 127 time 3 ms host com ping statistics 5 packet s transmitted 5 packet s received Display the DNS server informat...

Page 555: ...ions are done on the devices For the IP addresses of the interfaces see the figure above There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server The DNS server works normally Enable dynamic domain name resolution 4210 system view 4210 dns resolve Configure the IP address 2 1 1 2 for the DNS server 4210 dns server 2 1 1 2 Configure com as the DNS suffix 4210 dns doma...

Page 556: ...eceived 100 00 packet loss Troubleshooting DNS Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution Use the display dns dynamic host command to check that the specified domain name is in the cache If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server If ...

Page 557: ...the system when the password is about to age out that is the remaining usable time of the password is no more than the set alert time the switch will alert the user to the forthcoming expiration and prompts the user to change the password as soon as possible Limitation of minimum password This function is used to limit the minimum length of the passwords A user can successfully configure a passwor...

Page 558: ... allowed to log into the switch again only after the administrator manually removes the user from the user blacklist Allow the user to log in again without any inhibition User blacklist If the maximum number of attempts is exceeded the user cannot log into the switch and is added to the blacklist by the switch All users in the blacklist are not allowed to log into the switch For the user inhibited...

Page 559: ...l blacklist command in any view to check the names and the IP addresses of such users Configuring Password Aging n In this section you must note the effective range of the same commands when executed in different views or to different types of passwords Global settings in system view apply to all local user passwords and super passwords Table 409 Configure password aging Operation Command Descript...

Page 560: ...r chooses not to change the password the system allows the user to log in If the user chooses to change the password but fails in modification the system logs out the user after the maximum number of attempts is reached 3 The password has already expired In this case the system alerts the user to the expiration requires the user to change the password and requires the user to change the password a...

Page 561: ...ing one single password or using an old password for a long time to enhance the security Enable the limitation of minimum password length password control length enable Optional By default the limitation of minimum password length is enabled Configure the minimum password length globally password control length length Optional By default the minimum length is 10 characters Configure the minimum pa...

Page 562: ... password must conform to the related configuration of password control when you set the local user password in interactive mode Table 412 Manually remove history password records Operation Command Description Remove history password records of one or all users reset password control history record user name user name Executing this command without the user name user name option removes the histor...

Page 563: ... actions to be taken when the number of retries to enter the SSH password exceeds the configured value Refer to SSH Configuration on page 387 for information about SSH server If a user in the blacklist changes his her IP address the blacklist will not affect the user anymore when the user logs into the switch The system administrator can perform the following operations to manually remove one or a...

Page 564: ...gory Password combination falls into four levels 1 2 3 and 4 each representing the number of categories that a password should at least contain Level 1 means that a password must contain characters of one category level 2 at least two categories level 3 three categories and level 4 four categories When you set or modify a password the system will check if the password satisfies the component requi...

Page 565: ...on enable Optional By default the password composition check function is enabled Configure the password composition policy globally password control composition type number policy type type length type length Optional By default the minimum number of types a password should contain is 1 and the minimum number of characters of each type is 1 Configure the password composition policy for a super pas...

Page 566: ... and the minimum number of characters in each composition type to 3 4210 password control super composition type number 3 type length 3 Configure a super password 4210 super password level 3 simple 11111AAAAAaaaaa Create a local user named test 4210 local user test Set the minimum password length for the local user to 6 4210 luser test password control length 6 Set the minimum number of compositio...

Page 567: ... Control Configuration Example 565 Set the aging time for the local user password to 20 days 4210 luser test password control aging 20 Configure the password of local user 4210 luser test password simple 11111 ...

Reviews:

No comments

Related manuals for Switch 4210 9-Port

Brand: D-Link Pages: 2

DHI-NVR5224-24P-4KS2

Brand: Dahua Pages: 24

Avenue Express Control Panel

Brand: Ensemble Designs Pages: 19

HBJC924R3288DG2NS Series

Brand: JETWAY Pages: 6

Enterasys Matrix 2G4082-25

Brand: Enterasys Pages: 58

Brand: Caton Pages: 18

SFD-2 MkIII Jumper

Brand: Anthem Audio Pages: 2

Brand: ZALMAN Pages: 18

Brand: Procool Pages: 2

Brand: Ebyte Pages: 23

Brand: Teldat Pages: 47

Brand: Wieland Pages: 2

IPSec VPN Client Zyxel ZyWall 10

Brand: TheGreenBow Pages: 12

Brand: IEI Technology Pages: 119

Brand: Zte Pages: 28

Brand: Linksys Pages: 17

Brand: D-Link Pages: 129

DVG-G1402S - Wireless Broadband VoIP Router

Brand: D-Link Pages: 66

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands