Home
/
3Com
/
Switch 4500 26-Port
/
Configuration Manual

3Com Switch 4500 26-Port, Configuration Manual

Share

Page: 205 / 396

background image

AAA and RADIUS Protocol Configuration

203

receiving a user’s request from NAS, the RADIUS server performs AAA through
user database query and update and returns the configuration information and
accounting data to NAS. Here, NAS controls users and corresponding connections,
while the RADIUS protocol regulates how to transmit configuration and
accounting information between NAS and RADIUS.

NAS and RADIUS exchange the information with UDP packets. During the
interaction, both sides encrypt the packets with keys before uploading user
configuration information (for example, password) to avoid being intercepted or
stolen.

RADIUS Operation

A RADIUS server generally uses proxy function of the devices such as an access
server to perform user authentication. The operation process is as follows: First,
the user sends a request message (the client username and encrypted password is
included in the message ) to the RADIUS server. Second, the user will receive from
the RADIUS server various kinds of response messages in which the ACCEPT
message indicates that the user has passed the authentication, and the REJECT
message indicates that the user has not passed the authentication and needs to
input their username and password again, otherwise they will be rejected access.

Implementing

AAA/RADIUS on the

Ethernet Switch

In the above-mentioned AAA/RADIUS framework, the Switch 4500 Family, serving
as the user access device or NAS, is the client end of RADIUS. In other words, the
AAA/RADIUS concerning the client-end is implemented on the Switch 4500. The
figure below illustrates the RADIUS authentication network including 4500
Switches.

Figure 57

Networking when Switch 4500 Units are Applying RADIUS Authentication

Configuring AAA

AAA configuration includes:

■

Creating/deleting an ISP domain

■

Configuring relevant attributes of the ISP domain

■

Creating a local user

■

Setting attributes of the local user

Internet

Internet

SW 5500

PC user1

PC user2

PC user3

PC user4

SW 5500

ISP1

ISP2

Authentication

Server

Accounting

Server

Authentication

Server

Accounting

Server1

Accounting

Server2

Internet

«
...
203
204
205
206
207
...
»

Summary of Contents for Switch 4500 26-Port

Page 1: ...3Com Switch 4500 Family Configuration Guide Switch 4500 26 Port Switch 4500 50 Port Switch 4500 PWR 26 Port Switch 4500 PWR 50 Port www 3Com com Part No 10015033 Rev AB Published January 2007...

Page 2: ...or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered trademarks are registered in the United States and may or may not be r...

Page 3: ...Through a Dial up Modem 21 Command Line Interface 24 Command Line View 24 Features and Functions of Command Line 28 User Interface Configuration 30 User Interface Overview 30 User Interface Configura...

Page 4: ...sabling the PoE Feature on a Port 74 Setting the Maximum Power Output on a Port 75 Setting Power Supply Management Mode in Overload and Port Priority 75 Setting the PoE Mode on a Port 76 Enabling Disa...

Page 5: ...hooting IP Performance 100 6 IP ROUTING PROTOCOL OPERATION IP Routing Protocol Overview 103 103 Selecting Routes Through the Routing Table 104 Routing Management Policy 105 Static Routes 106 Configuri...

Page 6: ...ew 153 Configuring IGMP Snooping 156 Enabling Disabling IGMP Snooping 156 Configuring Router Port Aging Time 157 Configuring Maximum Response Time 157 Configuring Aging Time of Multicast Group Member...

Page 7: ...the Switch Security Function 184 Display and Debug RSTP 185 RSTP Configuration Example 186 11 802 1X CONFIGURATION IEEE 802 1X Overview 189 802 1X System Architecture 189 802 1X Authentication Process...

Page 8: ...US Accounting Servers and the Related Attributes 211 Setting the RADIUS Packet Encryption Key 213 Setting Retransmission Times of RADIUS Request Packet 214 Setting the Supported Type of the RADIUS Ser...

Page 9: ...nt of MAC Addresses Learned by a Port 241 Displaying MAC Address Table 241 MAC Address Table Management Display Example 242 Networking Requirements 242 MAC Address Table Management Configuration Examp...

Page 10: ...ersions and Supported MIB 279 Configuring SNMP 280 Setting Community Name 281 Enabling Disabling SNMP Agent to Send Trap 281 Setting the Destination Address of Trap 282 Setting Lifetime of Trap Messag...

Page 11: ...02 Configuration Examples 302 Configuring NTP Server Mode 302 Configuring NTP Peer Mode 303 Configuring NTP Broadcast Mode 305 Configuring NTP Multicast Mode 306 Configuring NTP Server Mode with Authe...

Page 12: ...ce 350 Displaying all Files in Flash 350 Skipping the Current Configuration File 351 Bootrom Passwords 351 Bootrom Password Recovery 352 B RADIUS SERVER AND RADIUS CLIENT SETUP Setting Up a RADIUS Ser...

Page 13: ...hernet configuration Network Protocol Operation Details how to configure network protocols IP Routing Protocol Operation Details how to configure routing protocols Multicast Protocol Details how to co...

Page 14: ...s the variable part of a command text You must type a value here and press Return or Enter when you are ready to enter the command Example in the command super level a value in the range 0 to 3 must b...

Page 15: ...3 Related Documentation The 3Com Switch 4500 Getting Started Guide provides information about installation The 3Com Switch 4500 Command Reference Guide provides all the information you need to use the...

Page 16: ...14 ABOUT THIS GUIDE...

Page 17: ...tropolitan area network enterprise campus networking Multicast service multicast routing and audio and video multicast service Table 3 Models in the Switch 4500 family Model Power Supply Unit PSU Numb...

Page 18: ...Switch 4500 stacking makes use of existing Gigabit connections for interconnecting the members of the stack Figure 1 Stacking Networking Topology Product Features Table 4 lists the function features...

Page 19: ...level user management and password protect 802 1X authentication Packet filtering Quality of Service QoS Traffic classification Bandwidth control Priority Queues of different priority on the port Mana...

Page 20: ...18 CHAPTER 1 GETTING STARTED Databit 8 Parity check none Stopbit 1 Flow control none Terminal type VT100 Figure 3 Setting up a New Connection Figure 4 Configuring the Port for Connection...

Page 21: ...port using the ip address command in VLAN Interface View and added the port that connects to a terminal to this VLAN using the port command in VLAN View you can Telnet this Switch and configure it 1...

Page 22: ...et do not modify the IP address of the Switch unnecessarily for the modification might end the Telnet connection By default when a Telnet user passes the password authentication to log on to the Switc...

Page 23: ...address of the Telnet Server If it is the hostname use the ip host command to specify 4 Enter the preset login password and you will see the prompt such 4500 If the prompt All user interfaces are use...

Page 24: ...r AT V to verify the Modem settings The Modem configuration commands and outputs may be different according to different Modems For details refer to the User Guide of the Modem 3Com recommends that th...

Page 25: ...Enter the preset login password on the remote terminal emulator and wait for the prompt 4500 Then you can configure and manage the Switch Enter to view online help For details of specific commands re...

Page 26: ...mmands are classified into four levels namely visit level monitoring level system level and management level Visit level Commands in this level include network diagnosis tools such as ping and tracert...

Page 27: ...erent command views are implemented according to different requirements They are related to one another For example after logging in to the Switch you will enter User View in which you can only use so...

Page 28: ...vlan interface 1 in System View quit returns to System View return returns to User View Local User View Configure local user parameters 4500 luser user1 Enter local user user1 in System View quit retu...

Page 29: ...d ACL View Define the rule of user defined ACL 4500 acl user 5000 Enter acl number 5000 in System View quit returns to System View return returns to User View QoS profile View Define QoS profile 4500...

Page 30: ...initials in the command will be listed 4500 display ver version 5 Enter the first letters of a keyword of a command and press Tab If no other keywords begin with these letters then this unique keywor...

Page 31: ...story command display history command Display history command by user inputting Retrieve the previous history command Up cursor key or Ctrl P Retrieve the previous history command if there is any Retr...

Page 32: ...ort are the same port There is only the one type of AUX user interface The user interface is numbered by absolute number or relative number To number the user interface by absolute number The AUX user...

Page 33: ...e only View By default the user interface supports Telnet and SSH protocols If the Telnet protocol is specified to ensure a successful login through Telnet you must configure the password by default I...

Page 34: ...and Configure the transmission speed on the AUX console port speed speed_value Restore the default transmission speed on the AUX console port undo speed Table 13 Configuring the Flow Control on the AU...

Page 35: ...Note the following points For security the undo shell command can only be used on the user interfaces other than AUX user interface You cannot use this command on the user interface through which you...

Page 36: ...ation method to deny the access of an unauthorized user Perform the following configuration in User Interface View By default terminal authentication is not required for users logged in through the co...

Page 37: ...cal user zbr 4500 luser zbr password simple 3Com 4500 luser zbr service type telnet 3 No authentication 4500 ui vty0 authentication mode none By default the password is required for authenticating Mod...

Page 38: ...of level 3 and lower Setting the Command Priority The following command is used for setting the priority of a specified command in a certain view The command levels include visit monitoring system an...

Page 39: ...ion before you use the auto execute command command and save the configuration Telnet 10 110 100 1 after the user logs in through VTY0 automatically 4500 ui vty0 auto execute command telnet 10 110 100...

Page 40: ...ation information of the user interface display users all Display the physical attributes and some configurations of the user interface display user interface type number number summary Table 29 Displ...

Page 41: ...ull duplex and auto auto negotiation and its speed can be set to 1000 1000Mbps and auto auto negotiation The configuration of these Ethernet ports is fundamentally the same and is described in the fol...

Page 42: ...et Port To configure a port to send and receive data packets at the same time set it to full duplex To configure a port to either send or receive data packets set it to half duplex If the port has bee...

Page 43: ...e Ethernet Port Ethernet ports support straight through and cross over network cables Use the following command to configure the cable type Perform the following configuration in Ethernet Port View By...

Page 44: ...ed for connecting to both Switches and the user s computers The difference between a hybrid port and a trunk port is that a hybrid port allows the packets from multiple VLANs to be sent without tags b...

Page 45: ...r than VLAN 1 The VLAN to which a hybrid port is added must already exist The one to which a trunk port is added cannot be VLAN 1 After adding an Ethernet port to specified VLANs the local port can fo...

Page 46: ...r an Ethernet Port Use the following command to enable port loopback detection and set the detection interval for the external loopback condition of each port If there is a loopback port found the Swi...

Page 47: ...n group take the port with minimum ID as the source if the copy destination is an aggregation group make the configurations of all group member ports identical with that of the source Displaying and D...

Page 48: ...port Ethernet1 0 1 Configure the trunk port with a default VLAN ID so that When receiving packets without a VLAN Tag the port can forward them to the member ports belonging to the default VLAN When i...

Page 49: ...Take the following steps 1 Use the display interface or display port command to check if the port is a trunk port or a hybrid port If it is neither configure it as a trunk port or a hybrid port 2 Con...

Page 50: ...ing which port into from a certain dynamic aggregation group The operation key is a configuration set generated by LACP based on port setting speed duplex mode basic configuration and management key W...

Page 51: ...w speed half duplex high speed half duplex low speed The system sets to inactive state the ports which connect to different peer devices from one that the active port with minimum port number connects...

Page 52: ...riority then the selected or standby state is determined by the port priority of the system You can decide whether the port is selected or standby by setting system priority and port priority Load Sha...

Page 53: ...ration in Ethernet Port View By default LACP is disabled at the port Note that You cannot enable LACP at a stack port mirrored port port with a static MAC address configured port with static ARP confi...

Page 54: ...ge a dynamic or static LACP aggregation group to a manual one or a dynamic LACP aggregation group to a static one In the former case LACP shall be disabled at the member ports automatically while in t...

Page 55: ...system ID is given priority Changing system priority may affect the priority levels of member ports and further their selected or standby state Perform the following configuration in System View By de...

Page 56: ...splay summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group display link aggregation verbose agg_id Display local...

Page 57: ...4500 link aggregation group 1 mode static b Add Ethernet ports Ethernet1 0 1 to Ethernet1 0 3 into aggregation group 1 4500 interface ethernet1 0 1 4500 Ethernet1 0 1 port link aggregation group 1 450...

Page 58: ...56 CHAPTER 2 PORT OPERATION...

Page 59: ...VLANs Therefore VLAN configurations are very helpful in controlling network traffic saving device investment simplifying network management and improving security Configuring a VLAN VLAN configuration...

Page 60: ...ame for example Vlan interface1 Interface Specifying Removing the VLAN Interface Use the following command to specify remove the VLAN interface To implement the network layer function on a VLAN interf...

Page 61: ...erface is enabled Displaying and Debugging VLAN After the above configuration enter the display command in any view to display the running of the VLAN configuration and to verify the effect of the con...

Page 62: ...nfigure an IP address on a VLAN interface Networking Diagram Figure 15 VLAN Configuration Example 2 Configuration Procedure 1 If the VLAN does not currently exist then create it This example uses VLAN...

Page 63: ...guration of Voice VLAN is described in the following sections Enabling Disabling Voice VLAN Features Enabling Disabling Voice VLAN Features on a Port Voice VLAN Mode Type of IP Phone Port Mode Auto mo...

Page 64: ...emoving the OUI Address Learned by Voice VLAN Configure OUI addresses which can be learned by Voice VLAN using the following command otherwise the system uses the default OUI addresses as the standard...

Page 65: ...By default Voice VLAN auto mode is enabled Setting the Aging Time of Voice VLAN In auto mode using the follow command you can set the aging time of Voice VLAN After the OUI address the MAC address of...

Page 66: ...net1 0 2 as the IP Phone access port The type of IP Phone is untagged Network Diagram Figure 16 Voice VLAN Configuration Configuration Steps 4500 vlan 2 4500 vlan2 port ethernet1 0 2 4500 vlan2 interf...

Page 67: ...tup The Voice VLAN must be set and enabled both globally for the switch and at the system view level Each port where a VoIP phone may be connected must have Voice VLAN enabled locally Each port where...

Page 68: ...ress If used in a 3Com NBX network be sure NBX Call processor is set to Standard IP Likewise ensure the NBX Call Processor default Gateway is set to the VLAN interface IP address Note that any IP rela...

Page 69: ...ver Phone 1 can call Phone 2 and the PC can ping all networks 10 10 11 0 10 10 12 0 and 50 1 1 0 Voice VLAN in Auto Mode This section provides a detailed listing of a Switch configuration file The lin...

Page 70: ...rip version 2 multicast interface Aux1 0 0 interface Ethernet1 0 1 poe enable stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interfac...

Page 71: ...le stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interface Ethernet1 0 9 poe enable stp edged port enable port link type trunk undo p...

Page 72: ...nable stp edged port enable broadcast suppression PPS 3000 priority trust packet filter inbound link group 4999 rule 0 interface Ethernet1 0 18 poe enable stp edged port enable broadcast suppression P...

Page 73: ...ion mode interface NULL0 rip Dynamic Routing setup only required if deploying L3 network undo summary network 10 0 0 0 network 50 0 0 0 voice vlan 50 enable Set Vlan 50 as the Voice Vlan snmp agent sn...

Page 74: ...vlan 5 broadcast suppression PPS 3000 priority trust voice vlan enable packet filter inbound link group 4999 rule 0 interface Ethernet1 0 8 poe enable stp edged port enable broadcast suppression PPS...

Page 75: ...328 feet z Each Ethernet port can supply at most 15400 mW of power to a PD z When AC power input is adopted for the switch the maximum total power that can be provided by the PWR switches is 300 W Th...

Page 76: ...use the following command to enable disable the PoE feature on a port in accordance with the network requirement Perform the following configuration in Ethernet Port View Table 67 Enabling disabling P...

Page 77: ...to mode when the switch is reaching its full load in supplying power it will first supply power to the PDs that are connected to the ports with critical priority and then supply power to the PDs that...

Page 78: ...h the 802 3af standard and then supply power to them You can use the following commands to enable disable the PD compatibility detect function Perform the following configuration in System View Table...

Page 79: ...tion of the PoE feature on the switch and verify the effect of the configuration Table 74 PoE Information Display For more information on the parameters refer to the Command Reference Guide Configurat...

Page 80: ...4500 Ethernet1 0 2 poe enable 4500 Ethernet1 0 24 poe enable Set the maximum power output of Ethernet1 0 1 and Ethernet1 0 2 to 12000 and 3000 mW respectively 4500 Ethernet1 0 1 poe max power 12000 4...

Page 81: ...ternet It consists of two fields net id field and host id field There are five types of IP address See Figure 21 Figure 21 Five Classes of IP Address Class A Class B and Class C are unicast addresses...

Page 82: ...is not put into use after starting up The IP address with network number as 0 indicates the current network and its network can be cited by the router without knowing its network number Network ID wi...

Page 83: ...face in one of three ways Using the IP address configuration command Allocated by BOOTP server Allocated by DHCP server These three methods are mutually exclusive and a new configuration will replace...

Page 84: ...lowing configuration in VLAN Interface View By default the IP address of a VLAN interface is null Displaying and Debugging IP Address After the above configuration enter the display command in any vie...

Page 85: ...same network segment If the configuration is correct enable ARP debugging on the Switch and check whether the Switch can correctly send and receive ARP packets If it can only send but cannot receive...

Page 86: ...t A The reply packet will be directly sent to Host A in stead of being broadcast Receiving the reply packet Host A will extract the IP address and the corresponding MAC address of Host B and add them...

Page 87: ...ging time of the dynamic ARP aging timer is 20 minutes Configuring the Creation of ARP Entries for Multicast Packets Use the following command to specify whether the Switch should create ARP table ent...

Page 88: ...e DHCP relay serves as conduit between the DHCP Client and the server located on different subnets The DHCP packets can be relayed to the destination DHCP server or Client across network segments The...

Page 89: ...ent the client only accepts the first received one and then broadcasts DHCP_Request messages respectively to those DHCP servers The message contains the information of the IP address request from the...

Page 90: ...above applies only when DHCP clients and server s are in the same subnet and it does not support trans segment networking To achieve dynamic address configuration you would have to configure a DHCP se...

Page 91: ...ng sections Configuring the IP address for the DHCP server Configuring the DHCP Server Group for the VLAN Interfaces Configuring the IP address for the DHCP server You can configure a master and a bac...

Page 92: ...e 85 Configuring the DHCP Server Group Corresponding to VLAN Interfaces Operation Command Configure DHCP server group corresponding to VLAN interfaces dhcp server groupNo Delete DHCP server group undo...

Page 93: ...erver 0 4500 Vlan interface1 quit 4500 interface vlan interface 10 4500 Vlan interface10 dhcp server 0 4500 Vlan interface10 quit DHCP Relay Configuration Example Two Networking Requirements The segme...

Page 94: ...igured 2 Use the display vlan and display ip interface vlan interface commands to check if the VLAN and the corresponding interface IP address have been configured 3 Ping the configured DHCP Server to...

Page 95: ...P Address Pool Based on the Port Configuring Layer 2 Isolation Between Ports Enabling Disabling Access Management Trap Enabling Disabling Access Management You can use the following command to enable...

Page 96: ...n the same unit within an aggregation group Note the following When a port in an aggregation group is added to or removed from an isolation group then all the other ports of this aggregation group on...

Page 97: ...1 is connected to port 1 of the Switch and organization 2 to port 2 Ports 1 and 2 belong to the same VLAN The IP addresses range 202 10 20 1 to 202 10 20 20 can be accessed from port 1 and the range 2...

Page 98: ...g the CLI the following commands should be entered from System View 4500 system view 4500 acl number 2500 4500 acl basic 2500 rule 0 permit source 10 10 10 1 0 0 0 255 To delete this feature enter 450...

Page 99: ...following configuration in System View Note that You must first enable the UDP Helper function and then configure the UDP port with the relay function Otherwise error information will appear The para...

Page 100: ...r the above configuration enter the display command in any view to display the running of the UDP Helper destination server and to verify the effect of the configuration Enter the debugging command in...

Page 101: ...t timer If response packets are not received before synwait timeout the TCP connection will be terminated The timeout of synwait timer range is 2 to 600 seconds and it is 75 seconds by default finwait...

Page 102: ...Attributes Operation Command Table 98 Displaying and Debugging IP Performance Operation Command Display TCP connection state display tcp status Display TCP connection statistics data display tcp stati...

Page 103: ...estination IP Address 202 38 160 1 Destination port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace the TCP packets Operations include 4500 terminal debugging 4500 debug...

Page 104: ...102 CHAPTER 5 NETWORK PROTOCOL OPERATION...

Page 105: ...wo nodes and these two nodes are considered adjacent in the Internet Adjacent routers are two routers connected to the same network The number of route segments between a router and hosts in the same...

Page 106: ...segment where the destination host or router is located For example if the destination address is 129 102 8 10 the address of the network where the host or the router with the mask 255 255 0 0 is loca...

Page 107: ...te with the highest preference becomes the current route Routing protocols and the default preferences of the routes that they learn are shown in Table 99 The smaller the value the higher the preferen...

Page 108: ...sends data via the main route When the line fails the main route will hide itself and the router will choose from one of the remaining routes as a backup route whose precedence is higher than the oth...

Page 109: ...entry of the routing table the router selects the default route to forward this packet If there is no default route and the destination address of the packet fails to match any entry in the routing ta...

Page 110: ...address of the local Switch as the next hop address of an static route Preference For different configurations of preference_value you can flexibly apply the routing management policy Other parameters...

Page 111: ...View routing table summary display ip routing table View routing table details display ip routing table verbose View the detailed information of a specific route display ip routing table ip_address m...

Page 112: ...responding route is valid RIP Routing Information Protocol RIP is a simple dynamic routing protocol that is Distance Vector D V algorithm based It uses hop counts to measure the distance to the destin...

Page 113: ...on about their local routing tables 2 After receiving the response packets the router that sent the request modifies its own routing table and sends a modification triggering packet to the neighbor ro...

Page 114: ...al Routing Metrics Configuring Route Filtering Enabling RIP and Entering the RIP View Perform the following configurations in System View By default RIP is not enabled Enabling RIP on a Specified Netw...

Page 115: ...ommands rip work rip output rip input and network Specifying the RIP Version RIP has two versions RIP 1 and RIP 2 You can specify the version of the RIP packet used by the interface RIP 1 broadcasts t...

Page 116: ...time of the garbage collection timer is not fixed If the period update timer is set to 30 seconds the garbage collection timer might range from 90 to 120 seconds Before RIP completely deletes an unre...

Page 117: ...bling Host Route In some cases the router can receive many host routes from the same segment and these routes are of little help in route addressing but consume a lot of network resources Routers can...

Page 118: ...is not encrypted and can be seen in a network trace so simple authentication should not be applied when there are high security requirements MD5 authentication This mode uses two packet formats One f...

Page 119: ...mmand to import the routes of other protocols you can specify their cost If you do not specify the cost of the imported route RIP will set the cost to the default cost specified by the default cost pa...

Page 120: ...y the router and RIP routes generated by the router itself which means that it has no effect on the routes imported to RIP by other routing protocols Configuring Route Filtering The Router provides a...

Page 121: ...Filter the Received Routes Operation Command Filter the received routing information distributed by the specified address filter policy gateway ip_prefix_name import Cancel filtering of the received...

Page 122: ...addresses for the VLAN interfaces are configured 1 Configure RIP on Switch A Switch A rip Switch A rip network 110 11 2 0 Switch A rip network 155 10 1 0 2 Configure RIP on Switch B Switch B rip Swit...

Page 123: ...fying the characteristics of the routing information to be filtered You can set the rules based on such attributes as the destination address and source address of the information The rules can be set...

Page 124: ...and the domain of the routing information In addition in the IP Prefix you can specify the gateway options and require it to receive only the routing information distributed by some certain routers A...

Page 125: ...outing policy denies the routing information If all the nodes in the route policy are in deny mode all routing information is denied by the route policy Defining If match Clauses for a Route policy Th...

Page 126: ...istribution If the destination routing protocol that imports the routes cannot directly reference the route costs of the source routing protocol you should satisfy the requirement of the destination p...

Page 127: ...e routing policy configuration and to verify the effect of the configuration Typical IP Routing Policy Configuration Example Configuring the Filtering of the Received Routing Information Networking Re...

Page 128: ...h A rip 1 area 0 0 0 0 network 10 0 0 0 0 255 255 255 d Import the static routes Switch A rip 1 import route static 2 Configure Switch B a Configure the IP address of VLAN interface Switch B interface...

Page 129: ...oute Policy When all the nodes of the Route Policy are in the deny mode then all the routing information cannot pass the filtering of the Route Policy The if match mode of at least one list item of th...

Page 130: ...128 CHAPTER 6 IP ROUTING PROTOCOL OPERATION...

Page 131: ...cket with the access control rule the issue of match order arises Filtering or Classifying Data Transmitted by the Hardware ACL can be used to filter or classify the data transmitted by the hardware o...

Page 132: ...smaller range is listed ahead If the port numbers are in the same range follow the configuration sequence ACL Supported by the Switch The table below lists the limits to the numbers of different types...

Page 133: ...DP port number in use and packet priority to process the data packets The advanced ACL supports the analysis of three types of packet priorities ToS Type of Service IP and DSCP priorities You can use...

Page 134: ...o understand the Layer 2 data frame structure Any packet ending up at the FFP Fast Filter Processor that performs ACL functionality will contain a VLAN tag Even packets that ingress the Switch untagge...

Page 135: ...and in all views to display the running of the ACL configuration and to verify the effect of the configuration Execute reset command in User View to clear the statistics of the ACL module Table 133 Di...

Page 136: ...on Example Configuration Procedure In the following configurations only the commands related to ACL configurations are listed 1 Define the work time range Define time range from 8 00 to 18 00 4500 tim...

Page 137: ...fine the time range Define time range from 8 00 to 18 00 4500 time range 3Com 8 00 to 18 00 daily 2 Define the ACL for packet which source IP is 10 1 1 1 a Enter the number basic ACL number as 2000 45...

Page 138: ...GigabitEthernet1 0 50 packet filter inbound link group 4000 QoS Configuration Traffic Traffic refers to all packets passing through a Switch Traffic Classification Traffic classification means identif...

Page 139: ...an be used and defined in different QoS modules Queue Scheduling When congestion occurs several packets will compete for the resources The queue scheduling algorithm is used to overcome the problem We...

Page 140: ...by a packet with the port priority Configuring Trust Packet Priority The system replaces the 802 1p priority carried by a packet with the port priority by default The user can configure system trusti...

Page 141: ...rnet Port View Table 137 Configure Mirroring Port Delete Port Mirroring 1 Delete mirroring port Perform the following configuration in the Ethernet Port View Table 138 Delete Mirroring Port 2 Delete m...

Page 142: ...Guide Configuring the Mapping Relationship Between COS and Local Precedence The default mapping relationship between 802 1p priority and output queue of the port is as follows Table 144 Mapping betwe...

Page 143: ...to rate limit based on the port that is limiting the total rate at the port The granularity of line rate is 64 kbps Perform the following configurations in the Ethernet Port View Table 147 Setting Lin...

Page 144: ...ubnet address 129 110 1 2 For the wage server the inbound traffic is limited at 128 kbps and the inbound port rate at 128 kbps Those packets exceeding the threshold will be labeled with dscp priority...

Page 145: ...he wage server a Limit average traffic from the wage server at 128 Kbps and label over threshold packets with priority level 4 4500 Ethernet1 0 1 traffic limit inbound ip group 3000 128 exceed remark...

Page 146: ...ng two levels Level 1 User connection control Configured access control list ACL filters login users so that only legal users can be connected to the switch Level 2 User password authentication Before...

Page 147: ...view rule rule id permit deny source source addr wildcard any fragment source source addr wildcard any When TELNET and SSH users use basic and advanced ACLs only the source IP and the corresponding ma...

Page 148: ...ason for login failure L2 ACL Configuration Example Configuration Prerequisites Only the TELNET users with 00e0 fc01 0101 and 00e0 fc01 0303 source MAC addresses are allowed to access switches Figure...

Page 149: ...Switch Configuration Steps Define basic ACLs 4500 system view System View return to User View with Ctrl Z 4500 acl number 2000 match order config Define rules 4500 acl basic 2000 rule 1 permit source...

Page 150: ...s have correctly configured to log into switches by SNMP Configuration Tasks Table 151 lists the commands that you can execute to configure SNMP user ACL Table 151 Commands for Controlling ACL Access...

Page 151: ...ACLs when you configure the SNMP group name command snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name a...

Page 152: ...p acl 2000 Configuring ACL Control for HTTP Users The Switch 4500 Family supports the remote management through the Web interface The users can access the Switch through HTTP Controlling such users wi...

Page 153: ...alled for WEB NM user control Configuration Example Networking Requirements Only permit Web NM user from 10 110 100 46 access Switch Networking Diagram Figure 43 Controlling Web NM users with ACL Conf...

Page 154: ...152 CHAPTER 7 ACL CONFIGURATION...

Page 155: ...IGMP host it will remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2 And then it...

Page 156: ...4500 Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query messages before the timer times out it is no longer considered a router port...

Page 157: ...When a router port receives an IGMP general query message the Switch 4500 will reset the aging timer of the port When a port other than a router port receives the IGMP general query message the Switch...

Page 158: ...ed the message to the group starts the port aging timer and then adds all the router ports in the native VLAN of the port into the MAC multicast forwarding table Meanwhile it creates an IP multicast g...

Page 159: ...o manually configure the maximum response time If the Switch 4500 receives no report message from a port within the maximum response time the switch will remove the port from the multicast group Perfo...

Page 160: ...first enable it The switch is connected to the router via the router port and with user PCs through the non router ports on vlan 10 Table 158 Configuring aging time of the multicast member Operation...

Page 161: ...tch disabled IGMP Snooping check whether the IGMP Snooping is enabled globally and also enabled on the VLAN If IGMP Snooping is not enabled globally first input the igmp snooping enable command in Sys...

Page 162: ...p snooping group to check if MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping is consistent You may also input the display mac vlan command in any view to check if...

Page 163: ...ices within the stack can backup each other This feature brings you many advantages Realizes unified management of multiple devices Only one connection and one IP address are required to manage the en...

Page 164: ...ge the unit ID If you choose to change the existing unit ID is replaced and the priority is set to 5 Then you can use the fabric save unit id command to save the modified unit ID into the unit Flash m...

Page 165: ...gabit combo ports can be used to interconnect the Switch units to form a stack In the 3Com switch operating system the term fabric is used as a general expression for stack Setting Unit Names for Swit...

Page 166: ...System View Table 167 Setting an XRN Authentication Mode for Switches By default no authentication mode is set on the Switches Displaying and Debugging a Stack Following completion of the above confi...

Page 167: ...ethernet2 0 51 enable 4500 fabric port gigabitethernet2 0 52 enable 4500 sysname hello hello xrn fabric authentication mode simple welcome Configure Switch C 4500 change unit id 1 to auto numbering 45...

Page 168: ...rnet4 0 51 enable 4500 fabric port gigabitethernet4 0 52 enable 4500 sysname hello hello xrn fabric authentication mode simple welcome In the example it is assumed that the system will automatically c...

Page 169: ...led configuration Bridge Protocol Data Units or BPDU in IEEE 802 1D to decide the topology of the network The configuration BPDU contains the information enough to ensure the Switches to compute the s...

Page 170: ...h B forwards BPDU to LAN So the designated bridge of LAN is Switch B and the designated port is BP2 AP1 AP2 BP1 BP2 CP1 and CP2 respectively delegate the ports of Switch A Switch B and Switch C The Sp...

Page 171: ...he same perform the comparison based on root path costs The cost comparison is as follows the path cost to the root recorded in the configuration BPDU plus the corresponding path cost of the local por...

Page 172: ...1 0 1 BP2 Switch B compares the configuration BPDUs of the ports and selects the BP1 BPDU as the optimum one Thus BP1 is elected as the root port and the configuration BPDUs of Switch B ports are upd...

Page 173: ...certain rules The basic calculation process is described below Configuration BPDU Forwarding Mechanism in STP Upon the initiation of the network all the Switches regard themselves as the roots The des...

Page 174: ...n the upstream has begun forwarding data The conditions for rapid state transition of the designated port are The port is an edge port that does not connect with any Switch directly or indirectly If t...

Page 175: ...witch The configuration of STP feature status on the port will not take effect if the STP feature is disabled from the Switch Configure RSTP operational mode The Switch works in RSTP mode If there are...

Page 176: ...port Specify the standard to follow in Path Cost calculation The Switch gets the path cost of a port from the link rate under the IEEE 802 1t standard The path cost of a port is closely related to th...

Page 177: ...wo ports connected with a peer to peer link can rapidly transit to the forwarding status by sending synchronous packets eliminating unnecessary forwarding delay Specify the Path Cost on a port Specify...

Page 178: ...re at the preference 128 The port preference plays an important role in root port selection You can make a port to be root port by giving it a smallest preference value Configure whether to connect a...

Page 179: ...o set the RSTP operating mode Perform the following configurations in System View Table 172 Set RSTP Operating Mode Normally if there is a bridge provided to execute STP in the Switching network the p...

Page 180: ...n the Switching network are the same the bridge with the smallest MAC address will be selected as the root When RSTP is enabled an assignment of a priority to the bridge will lead to recalculation of...

Page 181: ...y of a Specified Bridge Link failure will cause recalculation of the spanning tree and change its structure However the newly calculated configuration BPDU cannot be propagated throughout the network...

Page 182: ...form the following configuration in System View Table 178 Set Max Age of the Specified Bridge If the Max Age is too short it will result in frequent calculation of spanning tree or misjudge the networ...

Page 183: ...s therefore recommended to use the default value By default an Ethernet port can transmit at most 3 STP packets within one Hello Time Set Specified Port to be an EdgePort EdgePort is not connected to...

Page 184: ...ed to the transmission rate of the link the port connects to The larger the link rate is the smaller the path cost shall be RSTP can automatically detect the link rate and calculate the path cost for...

Page 185: ...ports are 128 Configure a Specified Port to be Connected to Point to Point Link Generally a point to point link connects the Switches You can use the following command to configure a specified port to...

Page 186: ...the bridge runs RSTP in STP compatible mode Configure the Switch Security Function An RSTP Switch provides BPDU protection and root protection functions It looks like flapping refers to Spanning Tree...

Page 187: ...port has not received any higher priority BPDU for a certain period of time thereafter it will resume to the normal state When you configure a port only one configuration at a time can be effective am...

Page 188: ...lly so only the RSTP configuration on Switch D will be introduced Networking Diagram Figure 54 RSTP Configuration Example Configuration Procedure 1 Configure Switch A a Enable RSTP globally 4500 stp e...

Page 189: ...those ports that are not involved in RSTP calculation however be careful and do not disable those involved The following configuration takes Ethernet 1 0 4 as an example 4500 interface Ethernet 1 0 4...

Page 190: ...igure Switch D a Enable RSTP globally 4500 stp enable b The port RSTP defaults are enabled after global RSTP is enabled You can disable RSTP on those ports that are not involved in RSTP calculation ho...

Page 191: ...enticate and control all the accessed devices on the port of LAN access control device If the user s device connected to the port can pass the authentication the user can access the resources in the L...

Page 192: ...nly after the user passes the authentication Then the user is allowed to access the network resources Figure 55 802 1X System Architecture 802 1X Authentication Process 802 1X configures EAP frame to...

Page 193: ...figure the 802 1X state of the port The configured items will take effect after the global 802 1X is enabled When 802 1X is enabled on a port the maximum number of MAC address learning which is config...

Page 194: ...nsmitting and does not permit the user to access the network resources If the authentication flow is passed the port will be switched to the authorized state and permit the user to access the network...

Page 195: ...t By default 802 1X allows up to 256 users on each port for Series 4500 Switches Setting the Authentication in DHCP Environment If in a DHCP environment the users configure static IP addresses you can...

Page 196: ...mum Times of the Authentication Request Message Retransmission By default the max retry value is 3 That is the Switch can retransmit the authentication request message to a user for a maximum of 3 tim...

Page 197: ...he Authenticator begins to run If the user does not respond back successfully within the time range set by this timer the Authenticator will resend the above packet supp timeout value Specify how long...

Page 198: ...is accessed the domain name does not follow the user name Normally if the user s traffic is less than 2 kbps consistently over 20 minutes they will be disconnected A server group consisting of two RAD...

Page 199: ...ius1 and enters its view 4500 radius scheme radius1 4 Set IP address of the primary authentication accounting RADIUS servers 4500 radius radius1 primary authentication 10 11 1 1 4500 radius radius1 pr...

Page 200: ...Enable idle cut function for the user and set the idle cut parameter in the domain 3com163 net 4500 isp 3com163 net idle cut enable 20 2000 15 Add a local user and sets its parameter 4500 local user l...

Page 201: ...e 201 Enabling Disabling Centralized MAC Address Authentication You can configure the centralized MAC address authentication status on the ports first However the configuration does not function on ea...

Page 202: ...tch needs a period of quiet time set by the quiet timer before it re authenticates The Switch does not authenticate during the quiet time Server timeout During the authentication to the user if the co...

Page 203: ...e a local user are shown as follows For other configurations see 802 1X Configuration Example The configurations of centralized MAC address authentication is similar to 802 1x their differences are 1...

Page 204: ...etwork server Authorization authorizes the user with specified services Accounting traces network resources consumed by the user RADIUS Protocol Overview As mentioned above AAA is a management framewo...

Page 205: ...receive from the RADIUS server various kinds of response messages in which the ACCEPT message indicates that the user has passed the authentication and the REJECT message indicates that the user has...

Page 206: ...figure a complete set of exclusive ISP domain attributes on a per ISP domain basis which includes AAA policy RADIUS scheme applied etc For the Switch 4500 each user belongs to an ISP domain Up to 16 d...

Page 207: ...e Table 210 Configuring ISP Domain State By default after an ISP domain is created the state of the domain is active Setting Access Limit Maximum number of users specifies how many users can be contai...

Page 208: ...clients to inform the online users about their remaining online time through the message alert dialog box The implementation of this function is as follows On the switch use the following command to e...

Page 209: ...in the command line The Change user password option is available only when the user passes the authentication otherwise this option is in grey and unavailable Creating a Local User A local user is a...

Page 210: ...es and specify the user levels then only the last configured user level is valid Some of the service types allow a user privilege level to be entered as an optional extra parameter For example Telnet...

Page 211: ...the same configuration but two different IP addresses Accordingly attributes of every RADIUS scheme include IP addresses of primary and secondary servers shared key and RADIUS server type etc RADIUS p...

Page 212: ...es are all default values The default attribute values will be introduced in the following text Configuring RADIUS Authentication Authorization Servers After creating a RADIUS scheme you have to set I...

Page 213: ...reated RADIUS scheme the IP address of the primary accounting server is 0 0 0 0 and the UDP port number of this server is 1813 as for the system RADIUS scheme created by the system the IP address of t...

Page 214: ...fied number of times You can use the following command to set the maximum number of times of a real time accounting request failing to be responded to Perform the following configurations in RADIUS Sc...

Page 215: ...IUS client Switch system and the RADIUS server use MD5 algorithm to encrypt the exchanged packets The two ends verify the packet through setting the encryption key Only when the keys are identical can...

Page 216: ...ype of the RADIUS Server By default the newly created RADIUS scheme supports the server type standard while the system RADIUS scheme created by the system supports the server type 3com Setting the RAD...

Page 217: ...ng configurations in RADIUS Scheme View Table 231 Setting the Username Format Transmitted to the RADIUS Server If a RADIUS scheme is configured not to allow usernames including ISP domain names the RA...

Page 218: ...Source Address for the RADIUS Packets sent by the NAS You can use either command to bind a source address with the NAS By default no source address is specified and the source address of a packet is t...

Page 219: ...s more than 1000 inclusive 3Com suggests a larger value The following table recommends the ratio of minute value to the number of users Table 237 Recommended Ratio of Minute to Number of Users By defa...

Page 220: ...ucib_index user name user_name Display related information of the local user display local user domain isp_name idle cut disable enable service type telnet ftp lan access ssh terminal state active bl...

Page 221: ...nging messages between the Switch and the authentication server is expert The Switch cuts off the domain name from username and sends the remaining part to the RADIUS server Networking Topology Figure...

Page 222: ...y AAA authentication to Telnet users 4500 ui vty0 4 authentication mode scheme b Create a local user telnet 4500 local user telnet 4500 luser telnet service type telnet 4500 luser telnet password simp...

Page 223: ...created as follows 4500 radius scheme NewSchemeName New Radius scheme 4500 radius NewSchemeName 2 Next we need to add the attributes of the RADIUS scheme This involves configuring the RADIUS server I...

Page 224: ...led on port Ethernet1 0 18 802 1X is enabled on port Ethernet1 0 19 802 1X is enabled on port Ethernet1 0 20 4500 xx 802 1X login is now enabled on the port When a device with an 802 1X client connect...

Page 225: ...server defined you need to login as user domain for example joe demo This will try to log you into the demo domain which uses the external rather than the internal RADIUS server By default the userna...

Page 226: ...ht be some communication fault between NAS and RADIUS server which can be discovered through pinging RADIUS from NAS So ensure there is normal communication between NAS and RADIUS Fault Two RADIUS Pac...

Page 227: ...mand 4500 xx debugging radius packet 3Com User Access Level This determines the Access level a user will have with Switch login This can be administrator manager monitor or visitor You may need to add...

Page 228: ...226 CHAPTER 11 802 1X CONFIGURATION...

Page 229: ...Operation You can use the file system to create or delete a directory display the current working directory and display the information about the files or directories under a specified directory You c...

Page 230: ...he following configuration in System View Table 242 Execute the Specified Batch File Storage Device Operation The file system can be used to format a specified memory device You can use the following...

Page 231: ...ve the current configuration Erase configuration files from Flash Memory Displaying the Current configuration and Saved configuration of the Switch After being powered on the system reads the configur...

Page 232: ...s from Flash Memory The system will use the default configuration parameters for initialization when the Switch is powered on for the next time Perform the following configuration in User View Table 2...

Page 233: ...igure 60 FTP Configuration Table 250 Configuration of the Switch as FTP Client Table 251 Configuration of the Switch as FTP Server Operation Command Display the information of the file used at startup...

Page 234: ...passed the authentication and authorization successfully can access the FTP server Configuring the Running Parameters of FTP Server You can use the following commands to configure the connection timeo...

Page 235: ...connects the FTP clients and the remote server and inputs the command from the clients for corresponding operations such as creating or deleting a directory FTP Client Configuration Example Networking...

Page 236: ...ord to log into the FTP server 4500 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none switch 331 Give me your password pl...

Page 237: ...r enable 4500 local user switch 4500 luser switch service type ftp ftp directory flash 4500 luser switch password simple hello 3 Run FTP client on the PC and establish FTP connection Upload the switch...

Page 238: ...ad files by means of TFTP Perform the following configuration in User View Table 257 Download Files by means of TFTP Uploading Files by means of TFTP To upload a file the client sends a request to the...

Page 239: ...zed TFTP directory 2 Configure the Switch Log into the Switch locally through the Console port or remotely using Telnet 4500 CAUTION If the flash memory of the Switch is not enough you need to first d...

Page 240: ...HAPTER 12 FILE SYSTEM MANAGEMENT 7 Use the boot boot loader command to specify the downloaded program as the application at the next login and reboot the Switch 4500 boot boot loader switch app 4500 r...

Page 241: ...ort as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addre...

Page 242: ...ddress table entries the learned entries will be deleted simultaneously Setting MAC Address Aging Time Setting an appropriate aging time implements MAC address aging Too long or too short an aging tim...

Page 243: ...s reaches the count value You can use the following commands to set the max count of MAC addresses learned by a port Perform the following configuration in Ethernet Port View Table 261 Set the Max Cou...

Page 244: ...working Diagram Figure 66 Display MAC address table Configuration procedure The display command shows a stack wide view of the MAC address table 4500 display mac address MAC ADDR VLAN ID STATE PORT IN...

Page 245: ...er the System View of the Switch 4500 system view 2 Add a MAC address specify the native VLAN port and state 4500 mac address static 00e0 fc35 dc71 interface ethernet1 0 2 vlan 1 3 Set the address agi...

Page 246: ...n on the Switch the Switch will be rebooted at the specified time Perform the following configuration in User View and the display schedule reboot command can be performed in any view Table 264 Reboot...

Page 247: ...pgrade using the right commands The Switch serves as FTP client and the remote PC as FTP server The configuration on the FTP server Configure an FTP user named as Switch with password hello and with r...

Page 248: ...upload the new ones 3 Type in the correct command in User View to establish FTP connection then enter the correct username and password to log into the FTP server 4500 ftp 2 2 2 2 Trying Press CTRL K...

Page 249: ...e the boot boot loader command to specify the downloaded program as the application at the next login and reboot the Switch 4500 boot boot loader switch app 4500 display boot loader The app to boot at...

Page 250: ...248 CHAPTER 14 DEVICE MANAGEMENT...

Page 251: ...ult the UTC time zone is adopted Setting the Summer Time You can set the name start and end time of the summer time Perform the following operations in the User View Table 271 Setting the Summer Time...

Page 252: ...uration of multiple users You cannot configure the configuration agent but can view the statistics of the configuration agent Perform the following operations in all views Table 272 The Display Comman...

Page 253: ...nd the debugging information of the slave is only displayed on the slave device You can view the debugging information including that of the master and the device in which the login port resides You c...

Page 254: ...for Network Connection ping The ping command can be used to check the network connection and if the host is reachable Perform the following operation in all views Table 275 The ping Command The outpu...

Page 255: ...xecution process of tracert is described as follows Send a packet with TTL value as 1 and the first hop sends back an ICMP error message indicating that the packet cannot be sent for the TTL is timeou...

Page 256: ...n perform an remote ping test after creating a test group and configuring the test parameters Being different from the ping command remote ping does not display the round trip time RTT and timeout sta...

Page 257: ...equivalent to the n parameter in the ping command Automatic test interval This parameter is used to allow the system to automatically perform the same test at regular intervals Test timeout time Test...

Page 258: ...or icmp count 10 S5500 remote ping administrator icmp timeout 3 4 Enable the test operation S5500 remote ping administrator icmp test enable Configure the test parameters Configure the destination IP...

Page 259: ...info center the first part will be Priority For example 187 Jun 7 05 22 03 2003 4500 IFNET 6 UPDOWN Line protocol on interface Ethernet1 0 2 changed state to UP The description of the components of l...

Page 260: ...e default value is 4500 You can change the host name through sysname command There is a blank between sysname and module name 4 Module name The module name is the name of module which created this log...

Page 261: ...IPC Inter process communication module IPMC IP multicast module L2INF Interface management module LACL LAN switch ACL module LQOS LAN switch QoS module LS Local server module MPM Multicast port manage...

Page 262: ...Output The settings in the six directions are independent from each other The settings will take effect only after enabling the information center The Switch info center has the following features Sup...

Page 263: ...t out and the time stamp format of information and so on You must turn on the Switch of the corresponding module before defining output debugging information Enable terminal display function You can v...

Page 264: ...onfiguration Description Switch Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information output direction to trapbuffe...

Page 265: ...n define the information that sent to loghost is generated by which modules information type information level and so on Perform the following operation in system view Device Configuration Default Val...

Page 266: ...configuring information source meantime using the debugging command to turn on the debugging switch of those modules You can use the following commands to configure log information debugging informat...

Page 267: ...control terminal channel number or channel name must be set to the channel that corresponds to the Console direction Every channel has been set with a default record whose module name is default and...

Page 268: ...1 Enabling info center Perform the following operation in System View Table 294 Enable Disable Info Center Info center is enabled by default After info center is enabled system performances are affect...

Page 269: ...e When there are more than one Telnet users or monitor users at the same time some configuration parameters should be shared among the users such as module based filtering settings and severity thresh...

Page 270: ...lt After info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to...

Page 271: ...specific configuration record for a module in the channel use the default one If you want to view the debugging information of some modules on the Switch you must select debugging as the information t...

Page 272: ...vels severity specifies the severity level of information The information with the level below it will not be output channel number specifies the channel number and channel name specifies the channel...

Page 273: ...fter info center is enabled system performances are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to SNMP...

Page 274: ...ation and the time stamp output format of trap information Perform the following operation in System View Table 310 Configuring the Output Format of Time stamp 4 Configuring SNMP and a network managem...

Page 275: ...command in User View you can clear the statistics of info center Perform the following operation in User View The display command still can be performed in any view Figure 74 Displaying and Debugging...

Page 276: ...er source arp channel loghost log level informational 3com info center source ip channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost T...

Page 277: ...onfigure facility severity filter and the file syslog conf synthetically you can get classification in great detail and filter the information Configuration examples of sending log to Linux loghost Ne...

Page 278: ...og information level specified in etc syslog conf must be consistent with info center loghost and info center loghost a b c d facility configured on the switch Otherwise the log information probably c...

Page 279: ...abling info center 4500 info center enable 2 Configure control terminal log output allow modules ARP and IP to output information the severity level is restricted within the range of emergencies to in...

Page 280: ...278 CHAPTER 15 SYSTEM MAINTENANCE AND DEBUGGING...

Page 281: ...ment Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is the server...

Page 282: ...pports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Table 314 MIBs Supported by the Switch Configuring SNMP The main configuration of SNMP includes Set community name Set th...

Page 283: ...the community name Perform the following configuration in System View Table 315 Set Community Name Enabling Disabling SNMP Agent to Send Trap The managed device transmits a trap without request to th...

Page 284: ...he system information Perform the following configuration in System View Table 319 Set SNMP System Information By default the sysLocation is specified as a blank string that is Setting the Engine ID o...

Page 285: ...he device snmp agent local engineid engineid Restore the default engine ID of the device undo snmp agent local engineid Operation Command Setting an SNMP group snmp agent group v1 v2c group name read...

Page 286: ...ort Transmitting Trap Information SNMP Agent Disabling SNMP Agent To disable SNMP Agent perform the following configuration in System View Table 327 Disable SNMP Agent If user disable NMP Agent it wil...

Page 287: ...Switch location and enable the Switch to send trap packet Display the group name the security mode the states for all types of views and the storage mode of each group of the Switch display snmp agent...

Page 288: ...e2 ip address 129 102 0 1 255 255 255 0 4 Set the administrator ID contact and the physical location of the Switch 4500 snmp agent sys info contact Mr Wang Tel 3306 4500 snmp agent sys info location t...

Page 289: ...4500 snmp agent group v3 sdsdsd 4500 snmp agent usm user v3 paul sdsdsd authentication mode md5 hello 4500 snmp agent mib view included ViewDefault snmpUsmMIB 4500 snmp agent mib view included ViewDef...

Page 290: ...288 CHAPTER 16 SNMP CONFIGURATION View name ViewDefault MIB Subtree snmpModules 18 Subtree mask Storage type nonVolatile View Type excluded View status active...

Page 291: ...ws multiple monitors It can collect data in two ways One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resou...

Page 292: ...p messages to NMS or performing both at the same time You can use the following commands to add delete an entry to from the event table Perform the following configuration in System View Table 330 Add...

Page 293: ...on execute the display command in all views to display the running of the RMON configuration and to verify the effect of the configuration Table 334 Display and Debug RMON Operation Command Add an ent...

Page 294: ...on is VALID Gathers statistics of interface Ethernet1 0 1 Received octets 270149 packets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0...

Page 295: ...e clocks of all network devices be consistent Some functions such as restarting all network devices in a network simultaneously require that they adopt the same time When multiple systems cooperate to...

Page 296: ...LS_A LS_A LS_A LS_B LS_B LS_B LS_B NTP Packet NTP Packet Network Network NTP Packet 10 00 00 am Network Network 11 00 01 am 10 00 00 am 11 00 01 am 11 00 02 am 10 00 00 am NTP Packet received at 10 0...

Page 297: ...reference clocks the one with a smaller stratum number is adopted Network Client Server Clock synchronization request packet Response packet Filters and selects a clocks and synchronize the local clo...

Page 298: ...ast client mode In this mode the local Switch 4500 receives broadcast NTP packets through the VLAN interface configured on the switch Network Client Works in the server mode automatically and sends re...

Page 299: ...mode Configure the local Switch 4500 Ethernet switch to operate in NTP multicast server mode In this mode the local switch sends multicast NTP packets through the VLAN interface configured on the swit...

Page 300: ...lticast address or the IP address used by the local reference clock NTP peer mode The remote server specified by the remote ip or peer name argument serves as the peer of the local Ethernet switch and...

Page 301: ...figuring Access Control Right The access control right to the NTP server only provides a minimal degree of security measure A more secure way is to perform identity authentication The right of an acce...

Page 302: ...ion on the server Operation Command Description Enter system view system view Enable the NTP authentication function globally ntp service authentication enable Required By default the NTP authenticati...

Page 303: ...n key is configured Enter VLAN interface view interface Vlan interface vlan id Associate the specified key with the corresponding NTP server Broadcast server mode ntp service broadcast server authenti...

Page 304: ...is the NTP server and operates in client mode while SW4500 operates in server mode automatically Network Diagram Table 342 Network diagram for the NTP server mode configuration Configuration procedur...

Page 305: ...es that Switch4500 is synchronized with Switch1 and the stratum level of its clock is 3 one level lower than that of Switch1 View the information about NTP sessions of the Switch 4500 You can see that...

Page 306: ...of Switch3 is 1 and that of the SW4500 Ethernet switch is 3 the SW4500 Ethernet switch is synchronized to Switch3 View the status of the SW4500 Ethernet switch after synchronization Sw4500 display ntp...

Page 307: ...ter clock Network diagram Figure 87 Network diagram for the NTP broadcast mode configuration Configuration procedure 1 Configure Switch3 Enter system view Switch3 system view Switch3 Enter Vlan interf...

Page 308: ...ck precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information...

Page 309: ...500 2 interface Vlan interface 2 Set SW4500 2 to a multicast client SW4500 2 Vlan interface2 ntp service multicast client After the above configurations SW4500 1 and SW4500 2 respectively listen to mu...

Page 310: ...service sessions source reference stra reach poll now offset delay disper 1 3 0 1 31 127 127 1 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Conf...

Page 311: ...tch1 ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key as a trusted key Switch1 ntp service reliable authentication keyid 42 After the above configurations the SW450...

Page 312: ...310 CHAPTER 18 NTP CONFIGURATION...

Page 313: ...etwork environment A Switch can connect to multiple SSH clients SSH 2 0 and SSH1 x are currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that...

Page 314: ...public key from the server and the random number generated locally as parameters to calculate the session key Using the public key from the server the client encrypts the random number for calculatin...

Page 315: ...tication procedure The server configures an RSA public key for the client The client sends its RSA public key member module to the server The server performs validity authentication on the member modu...

Page 316: ...pair destroy System view Optional 3 Configure the SSH user authentication mode ssh user username authentication type System view Required 4 Set the SSH authentication timeout ssh server timeout Syste...

Page 317: ...e server key are 512 bits and 2048 bits respectively Perform the following configuration in system view Table 345 Generate an RSA key pair CAUTION Generating the RSA key pair of the server is the firs...

Page 318: ...n SSH user can request for a connection thereby preventing illegal behaviors such as malicious guessing Perform the following configuration in system view Table 349 Configure the number of SSH authent...

Page 319: ...y edit view Use this configuration task to return from the public key edit view to the public key view and save the input public key Before saving the input public key the system will check the validi...

Page 320: ...H Server 2 0 now select 2 0 for the client Specifying the RSA private key file On the server if RSA authentication is enabled for an SSH user and a public key is set for the user the private key file...

Page 321: ...the client key 1 While generating the key pair you must move the mouse continuously The mouse should be restricted off the green process bar in the blue box of Figure 93 Otherwise the process bar does...

Page 322: ...320 CHAPTER 19 SSH TERMINAL SERVICES Figure 93 Generating the client key 2 After the key pair is generated click Save public key and enter the file name public for here to save the key pair...

Page 323: ...warning window pops up to prompt you whether to save a private key without any precautions Click Yes and enter a name private for here to save the private key Figure 95 Generating the client key 4 To...

Page 324: ...322 CHAPTER 19 SSH TERMINAL SERVICES Figure 96 Generating the client key 5 Specifying the IP address of the server Launch PuTTY exe and the following window appears...

Page 325: ...he IP address can be the IP address of any interface on the server that has SSH in the state of up and a route to the client Selecting the protocol for remote connection As shown in Figure 97 select t...

Page 326: ...red SSH protocol version section Open an SSH Connection with RSA If the client needs to use RSA authentication you must specify the RSA private key file If the client needs to use password authenticat...

Page 327: ...SSH Terminal Service 325 Figure 99 Figure 8 10 SSH client interface 3 Click Browse to bring up the file selection window navigate to the private key file and click OK...

Page 328: ...n SSH client Table 355 SSH client configuration 1 Starting the SSH client Use this configuration task to enable the connection with the SSH client and the server and specify the preferred key exchange...

Page 329: ...n there is no local copy of the public key of the connected server the client assumes that the server is illegal and will refuse to access the server Perform the following configuration in system view...

Page 330: ...leted skip this step 2 Set the user login authentication mode The following shows the configuration methods for both password authentication and RSA public key authentication Password authentication S...

Page 331: ...ng the SSH 2 0 enabled client software randomly generate an RSA key pair and send the public key to the server 4 Configure the public key of the client and specify the name of the public key as 3com00...

Page 332: ...key code BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 3Com rsa key code public key code end 3Com rsa public key peer public key end 3Com ssh client 10 165 87 136 assign rsa key hello CAUTION Before lo...

Page 333: ...eering shall be allowed 3Com SFTP Service SFTP Overview Secure FTP SFTP is a new feature introduced in SSH 2 0 SFTP is established on SSH connections which makes remote users able to securely log in t...

Page 334: ...the SFTP server By default the SFTP server is shut down SFTP Client Configuration SFTP client configuration tasks are described in this section Operation Command Configure the service type to be used...

Page 335: ...3 SFTP directory operations Change the current directory cd SFTP client view Optional Return to the upper directory cdup Display the current directory pwd Display the list of files in the specified di...

Page 336: ...4 SFTP file operations As shown in Table 366 available SFTP file operations include change the name of a file download a file upload a file display the list of files and delete a file Perform the foll...

Page 337: ...e 103 A secure SSH connection has been established between Switch A and Switch B Switch A is used as the SFTP server and its IP address is 10 111 27 91 Switch B is used as the SFTP client An SFTP user...

Page 338: ...1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noo...

Page 339: ...nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Download file pubkey2 from the server to a local device and change the file na...

Page 340: ...338 CHAPTER 19 SSH TERMINAL SERVICES...

Page 341: ...password ages out its user must update it otherwise the user cannot log in the switch Password update after a password ages out the user can update it when logging in the switch Alert before password...

Page 342: ...swords and save the passwords in ciphertext mode in the configuration file Telnet SSH super and FTP passwords Login attempts limitation and failure procession You can use this function to enable the s...

Page 343: ...imitation the configured User blacklist If the maximum attempt times is exceeded the user cannot log in the switch and is added to the blacklist by the switch All users in the blacklist are not allowe...

Page 344: ...rt time In this case the system alerts the user to the remaining time in days before the password expires and prompt the user to change the password If the user chooses to change the password and chan...

Page 345: ...gle password for a long time or using an old password that was once used to enhance the security CAUTION When adding a new record but the number of the recorded history passwords exceeds the configure...

Page 346: ...control history record super level level value Executing this command without the level level value option will remove the history records of all super passwords Executing this command with the level...

Page 347: ...rocedure starts from the time the local remote server of the switch receives the user name and ends at the time the user authentication is completed Whether the user is authenticated on the local serv...

Page 348: ...76 Configuring the Timeout for User Password Authentication Operation Command Description Enter system view system view Configure the timeout time of user password authentication password control auth...

Page 349: ...ntrol super aging 10 The super password aging time is 10 days Display the information about the global password control for all users 4500 display password control Global password settings for all use...

Page 350: ...348 CHAPTER 20 PASSWORD CONTROL CONFIGURATION OPERATIONS...

Page 351: ...s disabled and the user configurable bootrom password is lost there is no recovery mechanism available In this instance the Switch will need to be returned to 3Com for repair The following commands ar...

Page 352: ...switch startup mode 0 Reboot Enter your choice 0 9 Enter the boot menu number to display that menu option Displaying all Files in Flash Enter boot menu option 3 to display the following Boot menu choi...

Page 353: ...is followed by either of the following entries Simple this enables you to read and or change a password and send the configuration file via TFTP back into the Switch Cipher change this word to simple...

Page 354: ...based on switch mac address is invalid The current mode is enable bootrom password recovery Are you sure to disable bootrom password recovery Yes or No Y N This option allows the user to disable the f...

Page 355: ...om products and are not supported by 3Com Configuring Microsoft IAS RADIUS 3Com has successfully installed and tested Microsoft IAS RADIUS running on a Windows server in a network with Switch 4500 dep...

Page 356: ...hoose Properties select Change Mode c Add a user that is allowed to use the network Go to Active Directory Users and Computers from the left hand window right click the Users folder and choose New Use...

Page 357: ...select Reset Password 3 Enable the server as a certificate server To use EAP TLS certificate based authentication you need to enable the Certificate services in windows Make sure you have completed s...

Page 358: ...location on the Data Storage Location window To complete the installation and set up of the certificates server the wizard will require the Install CD for Microsoft Windows 2000 Server 4 Install the I...

Page 359: ...ification Authority and right click Policy Settings under your Certificate Authority server b Select New Certificate to Issue c Select Authenticated Session and select OK d Go to Programs Administrati...

Page 360: ...mputer Configuration Windows Settings Security Settings Public Key Policies and right click Automatic Certificate Request Settings Select New Automatic Certificate Request g The Certificate Request Wi...

Page 361: ...nd Select New Client b Enter a name for your device that supports IEEE 802 1X Click Next c Enter the IP address of your device that supports IEEE 802 1X and set a shared secret Select Finish Leave all...

Page 362: ...ropriate certificate and click OK There should be at least one certificate This is the certificate that has been created during the installation of the Certification Authority Service Windows may ask...

Page 363: ...certsrv b When you are prompted for a login enter the user account name and password that you will be using for the certificate c Select Request a certificate and click Next There are two ways to requ...

Page 364: ...and click Next e Select the first option and click Next f Either copy the settings from the screenshot below or choose different key options Click Save to save the PKCS 10 file The PKCS 10 file is use...

Page 365: ...a portable certificate using PKCS 10 click the Home hyperlink at the top right of the CA Webpage i Select Request a certificate Next Advanced request Next j Select the second option as shown in the s...

Page 366: ...e the certificate Save the file as DER encoded Click on the Download CA certification path hyperlink to save the PKCS 7 and select Save The certificate is also installed on the Certification Authority...

Page 367: ...t screen as is click Next followed by Finish and OK This will install the certificate q Launch the Certification Authority management tool on the server and expand the Issued Certificates folder You s...

Page 368: ...k Next when the wizard is launched Save the certificate using DER x 509 encoding select DER encoded binary followed by Next Provide a name for the certificate and save it to a specified location Click...

Page 369: ...ick Open Click OK w In the Security Identity Mapping screen click OK to close it x Close the Active Directory Users and Domains management tool This completes the configuration of the RADIUS server 10...

Page 370: ...CLIENT SETUP b Create a new remote access policy under IAS and name it Switch Login Select Next c Specify Switch Login to match the users in the switch access group select Next d Allow Switch Login to...

Page 371: ...Setting Up a RADIUS Server 369 e Use the Edit button to change the Service Type to Administrative f Add a Vendor specific attribute to indicate the access level that should be provided...

Page 372: ...are prompted to select a certificate it could be that there are additional active certificates on your client computer select the certificate that you have installed for this specific Certification Au...

Page 373: ...omputers a For example to create one group that will represent VLAN 4 select the Users folder from the domain see below b Name the VLAN Group with a descriptive name that describes the function of the...

Page 374: ...inistrative Tools Internet Authentication Service and select Remote Access Policies Select the policy that you configured earlier right click and select Properties e Click Add to add policy membership...

Page 375: ...u have just created and click Add and then OK to confirm h Click OK again to return you to the Security Policy properties i Click Edit Profile and select the Advanced tab Click Add Refer to Table 379...

Page 376: ...Ensure that the Attribute value is set to 802 and click OK l Click OK again on the Multivalued Attribute Information screen to return to the Add Attributes screen Table 380 For Auto VLAN Return Strin...

Page 377: ...n Click Add ensure that the Attribute value is set to 4 Attribute value in string format and click OK This value represents the VLAN ID o Click OK again on the Multivalued Attribute Information scree...

Page 378: ...e that there is a DHCP server connected to the Switch that resides on a switch port that is an untagged member of VLAN 4 The RADIUS server should reside in the same VLAN as the workstation Once authen...

Page 379: ...as a RADIUS server for networks with the Switch 4500 follow these steps 1 Open file eap ini in radius service and remove the before the MD5 Challenge Line This enables the MD5 challenge 2 Open file ra...

Page 380: ...tart it Funk RADIUS is now ready to run If you intend to use auto VLAN and QoS you will need to create VLAN and QoS profiles on the 3Com Switch 4500 and follow the instructions in Configuring Auto VLA...

Page 381: ...ive 6 Enter the shared secret to encrypt the authentication data The shared secret must be identical on the Switch 4500 and the RADIUS Server a Select RAS Clients from the left hand list enter a Clien...

Page 382: ...s will now appear as potential Return list attributes for every user 2 After saving the edited radius dct file stop and restart the Funk RADIUS service 3 To use these return list attributes they need...

Page 383: ...eeRADIUS To configure FreeRADIUS as a RADIUS server for networks with the Switch 4500 follow these steps 1 Add each Switch 4500 as a RADIUS client to the FreeRADIUS server a Locate the existing file c...

Page 384: ...Auto VLAN and QOS using FreeRADIUS It is slightly more complex to set up auto VLAN and QoS using FreeRADIUS as the dictionary file needs to be specially updated 1 Update the dictionary tunnel file wi...

Page 385: ...ipped with Windows XP has a security issue which affects the port authentication operation If the RADIUS client is configured to use EAP MD5 after a user logs off then the next user to log on will rem...

Page 386: ...ID can be found when running the Aegis Client application for the first time To apply the license key a Run the Aegis Client software b Go to Aegis Client Register and select Help on the menu c Copy...

Page 387: ...ion e Restart the client either by rebooting or stopping and re starting the service f Click the OK button then return to the Aegis Client main interface To restart the client press the button with th...

Page 388: ...386 APPENDIX B RADIUS SERVER AND RADIUS CLIENT SETUP...

Page 389: ...the RADIUS protocol Users that already exist on the TACACS server can be authorized using the TACACS or RADIUS server an optional VLAN and QoS profile can be applied to the user Network administrator...

Page 390: ...to the Cisco Secure ACS interface follow these steps 1 Select Network Configuration from the left hand side 2 Select Add Entry from under AAA Clients 3 Enter the details of the 3Com Switch Spaces are...

Page 391: ...de 6 Select RADIUS IETF from the list under Interface Configuration 7 Check the RADIUS attributes that you wish to install If you want to use auto VLAN and QoS ensure that you have the following optio...

Page 392: ...start Adding a User for Network Login Existing users on a network with a Secure ACS server can be authorized using the TACACS or RADIUS server New users connected through a Switch 4500 to the network...

Page 393: ...ghtly more complex as 3Com specific RADIUS attributes need to be returned to the 3Com Switch 4500 These RADIUS attributes define the access level of the user to the management interface Follow these s...

Page 394: ...will stop the Cisco Secure ACS server add the RADIUS information by adding the contents of 3Com ini to UDV User Defined Vendor slot 0 and then restart the server Once complete log into the Secure ACS...

Page 395: ...rface Configuration followed by RADIUS 3Com a Ensure that the 3Com User Access Level option is selected for both User and Group setup as shown below 5 Select User Setup and either modify the attribute...

Page 396: ...e there should be the option for configuring the access level as shown below 6 In the RADIUS 3Com Attribute box check 3Com User Access Level and select Administrator from the pull down list see below...

Reviews:

No comments

Related manuals for Switch 4500 26-Port

Matrix-PRO HD-SDI

Brand: Barco Pages: 2

TotalStorage 3534-F08

Brand: IBM Pages: 105

RedBooks SAN24B-5

Brand: IBM Pages: 11

RedBooks SAN24B-5

Brand: IBM Pages: 2

Brand: IBM Pages: 123

8265 Nways ATM Switch

Brand: IBM Pages: 192

Brand: Kobold Pages: 10

AVS-OCT-6448-210

Brand: AMX Pages: 1

Brand: Omron Pages: 10

Brand: tactio Pages: 2

Brand: Hama Pages: 36

SM24-1000SFP-AH

Brand: Transition Networks Pages: 76

Brand: Lindy Pages: 6

Extricom AT-EXLS-3000

Brand: Allied Telesis Pages: 120

Brand: Blue Sea Systems Pages: 2

EZ HUB 10/100 5608DS

Brand: SMC Networks Pages: 2

Brand: Dahua Pages: 5

Brand: Extron electronics Pages: 5

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands