manualshive.com logo in svg

3Com Switch 4500 PWR 26-Port, Configuration Manual, Page: 419 / 898

Share
Download
3Com Switch 4500 PWR 26-Port Configuration Manual Download Page 419

 

33-34 

[Switch-radius-bbb] quit 

# Create authentication domain 

aaa

, and then enter domain view. 

 

[Switch] domain aaa 

# Configure the VLAN assignment mode in domain 

aaa

 as VLAN list. 

 

[Switch-isp-aaa] vlan-assignment-mode vlan-list 

# Specify the authentication scheme for the domain.

 

[Switch-isp-aaa] radius-scheme bbb 

[Switch-isp-aaa] quit 

# Configure the authentication scheme.

 

[Switch] radius scheme bbb 

[Switch-radius-bbb] primary authentication 1.1.1.1 

[Switch-radius-bbb] key authentication hello 

[Switch-radius-bbb] primary accounting 1.1.1.1 

[Switch-radius-bbb] key accounting hello 

# Enable 802.1X authentication on Switch. 

 

[Switch] dot1x 

# Enable port-based 802.1X authentication on Ethernet 1/0/1. 

 

[Switch] interface Ethernet1/0/1 

[Switch-Ethernet1/0/1] dot1x 

[Switch-Ethernet1/0/1] dot1x port-method portbased 

# Enable port-based 802.1X authentication on Ethernet 1/0/2. 

 

[Switch] interface Ethernet1/0/2 

[Switch-Ethernet1/0/2] dot1x 

[Switch-Ethernet1/0/2] dot1x port-method portbased 

Troubleshooting AAA 

Troubleshooting RADIUS Configuration 

The RADIUS protocol operates at the application layer in the TCP/IP protocol suite. This protocol 

prescribes how the switch and the RADIUS server of the ISP exchange user information with each 

other.  

Symptom 1

: User authentication/authorization always fails. 

Possible reasons and solutions

z

 

The username is not in the userid@isp-name or 

userid.isp-name

 format, or the default ISP domain 

is not correctly specified on the switch — Use the correct username format, or set a default ISP 

domain on the switch. 

z

 

The user is not configured in the database of the RADIUS server — Check the database of the 

RADIUS server, make sure that the configuration information about the user exists. 

z

 

The user input an incorrect password — Be sure to input the correct password. 

z

 

The switch and the RADIUS server have different shared keys — Compare the shared keys at the 

two ends, make sure they are identical. 

Summary of Contents for Switch 4500 PWR 26-Port

Page 1: ...ation Guide Switch 4500 26 Port Switch 4500 50 Port Switch 4500 PWR 26 Port Switch 4500 PWR 50 Port Product Version V3 03 02p02 Manual Version 6W100 20100418 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...DFARS 252 227 7014 June 1995 or as a commercial item as defined in FAR 2 101 a and as such is provided with only such rights as are provided in 3Com s standard commercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend...

Page 3: ...lation Configuration Details how to configure port isolation 15 Port Security Configuration Details how to configure port security 16 Port Binding Configuration Details how to configure port binding 17 DLDP Configuration Details how to configure DLDP 18 MAC Address Table Management Details how to configure MAC Address Table 19 Auto Detect Configuration Details how to configure Auto Detect 20 MSTP ...

Page 4: ...ow to configure XRN fabric 48 Cluster Configuration Details how to configure cluster 49 PoE Configuration Details how to configure PoE port 50 PoE Profile Configuration Details how to configure PoE Profile 51 UDP Helper Operation Details how to configure UDP Helper 52 SNMP Configuration Details how to configure SNMP 53 RMON Configuration Details how to configure RMON 54 NTP Configuration Details h...

Page 5: ...ace italic Command arguments are in italic Items keywords or arguments in square brackets are optional x y Alternative items are grouped in braces and separated by vertical bars One is selected x y Optional alternative items are grouped in square brackets and separated by vertical bars One or none is selected x y Alternative items are grouped in braces and separated by vertical bars A minimum of o...

Page 6: ...tion set includes the following Manual Description 3Com Switch 4500 Family Command Reference Guide Provide detailed descriptions of command line interface CLI commands that you require to manage your switch 3Com Switch 4500 Family Getting Started Guide This guide provides all the information you need to install and use the 3Com Switch 4500 Family 3Com Switch 4500 Family Release Notes Contain the l...

Page 7: ...h 2 1 Introduction to the User Interface 2 1 Supported User Interfaces 2 1 User Interface Index 2 1 Common User Interface Configuration 2 2 Logging In Through the Console Port 2 3 Introduction 2 3 Logging In Through the Console Port 2 3 Console Port Login Configuration 2 5 Console Port Login Configuration with Authentication Mode Being None 2 7 Console Port Login Configuration with Authentication ...

Page 8: ...3 4 Prerequisites 3 4 Controlling Network Management Users by Source IP Addresses 3 4 Configuration Example 3 5 Controlling Web Users by Source IP Address 3 6 Prerequisites 3 6 Controlling Web Users by Source IP Addresses 3 6 Disconnecting a Web User by Force 3 6 Configuration Example 3 7 4 Switching User Level 4 1 Overview 4 1 Specifying the authentication mode for user level switching 4 1 Adopti...

Page 9: ...le 7 5 8 IP Addressing Configuration 8 1 IP Addressing Overview 8 1 IP Address Classes 8 1 Special Case IP Addresses 8 2 Subnetting and Masking 8 2 Configuring IP Addresses 8 3 Configuring IP Addresses 8 3 Configuring Static Domain Name Resolution 8 4 Displaying IP Addressing Configuration 8 4 IP Address Configuration Examples 8 4 IP Address Configuration Example I 8 4 IP Address Configuration Exa...

Page 10: ...on Tasks 11 4 Enabling GVRP 11 4 Configuring GVRP Timers 11 5 Configuring GVRP Port Registration Mode 11 6 Displaying and Maintaining GVRP 11 7 GVRP Configuration Example 11 7 GVRP Configuration Example 11 7 12 Port Basic Configuration 12 1 Ethernet Port Configuration 12 1 Combo Port Configuration 12 1 Initially Configuring a Port 12 1 Configuring Port Auto Negotiation Speed 12 2 Limiting Traffic ...

Page 11: ...verview 15 1 Introduction 15 1 Port Security Modes 15 1 Port Security Features 15 6 Port Security Configuration Task List 15 7 Enabling Port Security 15 7 Setting the Maximum Number of Secure MAC Addresses Allowed on a Port 15 8 Setting the Port Security Mode 15 9 Configuring Port Security Features 15 10 Configuring Guest VLAN for a Port in macAddressOrUserLoginSecure mode 15 11 Ignoring the Autho...

Page 12: ...Example 18 8 Adding a Static MAC Address Entry Manually 18 8 19 Auto Detect Configuration 19 1 Introduction to the Auto Detect Function 19 1 Auto Detect Configuration 19 1 Auto Detect Basic Configuration 19 2 Auto Detect Implementation in Static Routing 19 2 Auto Detect Implementation in VLAN Interface Backup 19 3 Auto Detect Configuration Examples 19 4 Configuration Example for Auto Detect Implem...

Page 13: ...e of a Port to P2P 20 33 Enabling MSTP 20 33 Performing mCheck Operation 20 33 Configuration Prerequisites 20 33 Configuration Procedure 20 34 Configuration Example 20 34 Configuring Guard Functions 20 34 Configuring BPDU Guard 20 34 Configuring Root Guard 20 35 Configuring Loop Guard 20 37 Configuring TC BPDU Attack Guard 20 37 Configuring Digest Snooping 20 39 Introduction 20 39 Configuring Dige...

Page 14: ... RIP Startup and Operation 23 2 RIP Configuration Task List 23 2 Basic RIP Configuration 23 3 Configuration Prerequisites 23 3 Configuring Basic RIP Functions 23 3 RIP Route Control 23 4 Configuration Prerequisites 23 5 Configuring RIP Route Control 23 5 RIP Network Adjustment and Optimization 23 8 Configuration Prerequisites 23 8 Configuration Tasks 23 8 Displaying and Maintaining RIP Configurati...

Page 15: ...Port 26 1 Configuring a Multicast MAC Address Entry 26 2 Configuring Dropping Unknown Multicast Packets 26 3 Displaying and Maintaining Common Multicast Configuration 26 3 27 IGMP Snooping Configuration 27 1 IGMP Snooping Overview 27 1 Principle of IGMP Snooping 27 1 Basic Concepts in IGMP Snooping 27 2 Work Mechanism of IGMP Snooping 27 3 Configuring IGMP Snooping 27 5 Enabling IGMP Snooping 27 5...

Page 16: ...8 17 Configuring Guest VLAN 28 17 Configuring 802 1x Re Authentication 28 18 Configuring the 802 1x Re Authentication Timer 28 18 Displaying and Maintaining 802 1x Configuration 28 19 Configuration Example 28 19 802 1x Configuration Example 28 19 29 Quick EAD Deployment Configuration 29 1 Introduction to Quick EAD Deployment 29 1 Quick EAD Deployment Overview 29 1 Operation of Quick EAD Deployment...

Page 17: ...US Authorization Attributes 33 13 Configuring RADIUS Accounting Servers 33 14 Configuring Shared Keys for RADIUS Messages 33 15 Configuring the Maximum Number of RADIUS Request Transmission Attempts 33 16 Configuring the Type of RADIUS Servers to be Supported 33 16 Configuring the Status of RADIUS Servers 33 17 Configuring the Attributes of Data to be Sent to RADIUS Servers 33 18 Configuring the L...

Page 18: ...ns 35 2 MAC Address Authentication Enhanced Function Configuration 35 4 MAC Address Authentication Enhanced Function Configuration Task List 35 4 Configuring a Guest VLAN 35 4 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port 35 6 Displaying and Maintaining MAC Address Authentication Configuration 35 7 MAC Address Authentication Configuration Examples 35 7...

Page 19: ...ort 39 3 DHCP Server Configuration Task List 39 4 Enabling DHCP 39 4 Configuring the Global Address Pool Based DHCP Server 39 5 Configuration Task List 39 5 Enabling the Global Address Pool Mode on Interface s 39 5 Creating a DHCP Global Address Pool 39 6 Configuring an Address Allocation Mode for the Global Address Pool 39 6 Configuring a Domain Name Suffix for the DHCP Client 39 9 Configuring DN...

Page 20: ...ge of DHCP Relay Agent 40 1 DHCP Relay Agent Fundamentals 40 1 Option 82 Support on DHCP Relay Agent 40 2 DHCP Inform Message Handling Feature Used in XRN System 40 3 Configuring the DHCP Relay Agent 40 4 DHCP Relay Agent Configuration Task List 40 4 Enabling DHCP 40 4 Correlating a DHCP Server Group with a Relay Agent Interface 40 5 Configuring DHCP Relay Agent Security Functions 40 6 Configuring...

Page 21: ...ic ACL 44 5 Configuring Advanced ACL 44 6 Configuring Layer 2 ACL 44 8 Configuring User defined ACL 44 9 Configuring IPv6 ACL 44 10 Applying ACL Rules on Ports 44 12 Applying ACL Rules to Ports in a VLAN 44 13 Displaying and Maintaining ACL Configuration 44 14 Examples for Upper layer Software Referencing ACLs 44 14 Example for Controlling Telnet Login Users by Source IP 44 14 Example for Controll...

Page 22: ...n Examples 45 24 Configuration Example of Traffic policing and Line Rate 45 24 Configuration Example of Priority Marking and Queue Scheduling 45 25 VLAN Mapping Configuration Example 45 26 46 Mirroring Configuration 46 1 Mirroring Overview 46 1 Local Port Mirroring 46 1 Remote Port Mirroring 46 2 Traffic Mirroring 46 3 Port Mirroring STP Collaboration 46 3 Mirroring Configuration 46 4 Configuring ...

Page 23: ...Maintaining Cluster Configuration 48 23 Cluster Configuration Examples 48 24 Basic Cluster Configuration Example 48 24 Network Management Interface Configuration Example 48 27 Enhanced Cluster Feature Configuration Example 48 28 49 PoE Configuration 49 1 PoE Overview 49 1 Introduction to PoE 49 1 PoE Features Supported by Switch 4500 49 1 PoE Configuration 49 2 PoE Configuration Task List 49 2 Ena...

Page 24: ... Enabling Logging for Network Management 52 5 Displaying SNMP 52 6 SNMP Configuration Example 52 6 SNMP Configuration Example 52 6 53 RMON Configuration 53 1 Introduction to RMON 53 1 Working Mechanism of RMON 53 1 Commonly Used RMON Groups 53 2 RMON Configuration 53 3 Displaying RMON 53 4 RMON Configuration Example 53 4 54 NTP Configuration 54 1 Introduction to NTP 54 1 Applications of NTP 54 1 I...

Page 25: ...rver 55 10 Configuring the Public Key of a Client on the Server 55 11 Assigning a Public Key to an SSH User 55 12 Exporting the Host Public Key to a File 55 12 Configuring the SSH Client 55 13 SSH Client Configuration Task List 55 13 Configuring an SSH Client that Runs SSH Client Software 55 13 Configuring an SSH Client Assumed by an SSH2 Capable Switch 55 19 Displaying and Maintaining SSH Configu...

Page 26: ...ating as an SFTP Client 57 15 SFTP Configuration Example 57 17 58 TFTP Configuration 58 1 Introduction to TFTP 58 1 TFTP Configuration 58 2 TFTP Configuration A Switch Operating as a TFTP Client 58 2 TFTP Configuration Example 58 3 59 Information Center 59 1 Information Center Overview 59 1 Introduction to Information Center 59 1 System Information Format 59 4 Information Center Configuration 59 7...

Page 27: ... Test 62 1 ping 62 1 tracert 62 1 63 Device Management 63 1 Introduction to Device Management 63 1 Device Management Configuration 63 1 Device Management Configuration Task list 63 1 Rebooting the Ethernet Switch 63 1 Scheduling a Reboot on the Switch 63 2 Configuring Real time Monitoring of the Running Status of the System 63 2 Specifying the APP to be Used at Reboot 63 3 Upgrading the Boot ROM 6...

Page 28: ...uration Task List 66 3 Enabling the Selective QinQ Feature for a Port 66 3 Enabling the Inter VLAN MAC Address Replicating Feature 66 4 Selective QinQ Configuration Example 66 4 Processing Private Network Packets by Their Types 66 4 67 Remote ping Configuration 67 1 Remote ping Overview 67 1 Remote ping Configuration 67 1 Introduction to remote ping Configuration 67 1 Configuring remote ping 67 2 ...

Page 29: ...70 5 Configuring History Password Recording 70 6 Configuring a User Login Password in Interactive Mode 70 7 Configuring Login Attempt Times Limitation and Failure Processing Mode 70 7 Configuring the Password Authentication Timeout Time 70 8 Configuring Password Composition Policies 70 9 Displaying Password Control 70 10 Password Control Configuration Example 70 10 Network requirements 70 10 Confi...

Page 30: ...iguration Task List 73 4 Configuring an Entity DN 73 4 Configuring a PKI Domain 73 6 Submitting a PKI Certificate Request 73 7 Submitting a Certificate Request in Auto Mode 73 7 Submitting a Certificate Request in Manual Mode 73 8 Retrieving a Certificate Manually 73 9 Configuring PKI Certificate Verification 73 10 Destroying a Local RSA Key Pair 73 11 Deleting a Certificate 73 11 Configuring an A...

Page 31: ...74 7 Troubleshooting SSL 74 7 SSL Handshake Failure 74 7 75 HTTPS Configuration 75 1 HTTPS Overview 75 1 HTTPS Configuration Task List 75 1 Associating the HTTPS Service with an SSL Server Policy 75 2 Enabling the HTTPS Service 75 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 75 3 Associating the HTTPS Service with an ACL 75 3 Displaying and Maintaining HTTPS 7...

Page 32: ... the CLI The Switch 4500 provides multiple methods of entering the CLI as follows z Through the console port For more information see Entering CLI Through the z Through Telnet For more information see Entering CLI Through Telnet information see SSH Configuration Enter 3Com switch for the first time you can log in to the switch and enter the CLI thro 1 Plug the DB 9 rt of your PC Then plug the RJ 4...

Page 33: ...ole cable when your wered on When connecting the PC to your switch first plug the DB 9 connector of the ole cable into the PC and then pl When disconnecting the PC from connector 2 Launch a terminal emulation utility on your PC In is used as an example Click Start All Programs HyperTerminal to enter the HyperTerminal windo shown in Figure 1 2 this chapter the HyperTerminal in Windows XP Accessorie...

Page 34: ... want to use from the Connect using drop down list and then click OK Figure 1 3 Specify the serial port used to establish the connection 4 The COM1 Properties window as shown in Figure 1 4 appears On the window set Bits per to 1 and Flow control to None Click second to 19200 Data bits to 8 Parity to None Stop bits OK 1 3 ...

Page 35: ...Figure 1 4 Set the properties of the serial port 5 The HyperTerminal window as shown in Figure 1 5 appears Figure 1 5 The HyperTerminal window 1 4 ...

Page 36: ... remote terminal to configure and Telnet login authentication methods In order to restrict the login to your switch 3Com provides three Telnet login authentication methods S thod accordin ork conditions Table 1 1 Telnet log ds Press Enter on the HyperTer indicating that you have logged in to your switch successfully After you log in to your switch through t manage your switch elect a proper me g t...

Page 37: ...ded that you configure all VTY user interfaces with the same authentication method The following example is configured in this way The number of VTY user interfaces provided by a 3Com device varies by switch model In this document a switch providing five VTY user interfaces is used as an example which means that the VTY user interface number ranges from 0 to 4 If your switch provides a different n...

Page 38: ... in Boldface Keep keywords unchanged when typing them in the CLI Italic Command arguments are in italic Replace arguments with actual values in the CLI Items keywords or arguments in square brackets are optional x y Alternative items are grouped in braces and separated by vertical bars One is selected x y Optional alternative items are grouped in square brackets and separated by vertical bars One ...

Page 39: ...tering corresponding commands Table 1 3 lists the CLI views provided by the 3com switch 4500 operations that can be performed in different CLI views and the commands used to enter specific CLI views Table 1 3 CLI views View Available operation Prompt example Enter method Quit method User view Display operation status and statistical information of the switch Sysname Enter user view once logging in...

Page 40: ...Configure NULL interface parameters Sysname NULL0 Execute the interface null command in system view Local user view Configure local user parameters Sysname luser us er1 Execute the local user command in system view User interface view Configure user interface parameters Sysname ui aux0 Execute the user interface command in system view FTP client view Configure FTP client parameters ftp Execute the...

Page 41: ...ystem view Routing policy view Configure routing policy Sysname route p olicy Execute the route policy command in system view Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 Sysname acl basic 2000 Execute the acl number command in system view Advanced ACL view Define rules for an advanced ACL with ID ranging from 3000 to 3999 Sysname acl adv 3000 Execute the acl numbe...

Page 42: ...t group command in system view PKI domain view Configure PKI domain parameters Sysname pki dom ain 1 Execute the pki domain command in system view PKI entity view Configure PKI entity parameters Sysname pki entit y en Execute the pki entity command in system view PKI certificate attribute group view Configure PKI certificate attribute group parameters Sysname cert attr ibute group mygro up Execute...

Page 43: ...in any view to display all commands available in this view and brief descriptions about these commands Sysname User view commands boot Set boot option cd Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system...

Page 44: ... by a The CLI displays all keywords starting with the character string you typed Sysname display cl clock cluster Command Line Error Information If a command you typed contains syntax errors the CLI reports error information Table 1 4 lists some common command line errors Table 1 4 Common command line errors Error information Cause The command was not found Unrecognized command found at position T...

Page 45: ...he left Right arrow key or Ctrl F The cursor moves one character space to the right Tab If you press Tab after entering part of a keyword the system automatically completes the keyword z If finding a unique match the system substitutes the complete keyword for the incomplete one and displays it in the next line z If there is more than one match you can press Tab repeatedly to display in cycles all...

Page 46: ... the system saves them as two commands z By default the CLI can save up to ten commands for each user You can use the history command max size command to set the capacity of the history command buffer for the current user interface For more information about the history command max size command see Login Configuration Undo Form of a Command The undo form of a command typically restores the default...

Page 47: ...ction enabled when you type an incomplete keyword which partially matches both a defined alias and the keyword of a command the alias wins to execute the command whose keyword partially matches your input you must type the complete keyword When you input a character string that matches multiple aliases partially the system prompts you for various matching information z If you press Tab after you t...

Page 48: ...line break after the outputs and then what you have typed For information about the info center synchronous command refer to Information Center Configuration Commands Configuring Command Levels Introduction The device restricts different users usage of the commands by using user privilege levels and command levels to protect the device against unauthorized users User privilege levels correspond to...

Page 49: ... privilege level see Login Configuration Modifying the Command Level All the commands are defaulted to different levels The administrator can modify the default command level to improve management flexibility Follow these steps to change the command level To do Use the command Remarks Enter system view system view Configure the command level in a specified view command privilege level level view v...

Page 50: ...get Sysname command privilege level 0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1 and other TFTP servers Saving Configurations Some commands in the CLI of 3Com switches are one time commands such as display commands which display specified inform...

Page 51: ...rt lo Switch 4500 support two types of user interfaces AUX and VTY AUX user interface A view when you log in through the AUX port AUX port is a line z device port ce A view when you log in through VTY VTY port is a ccess the device by means of Telnet or SSH Table 2 1 Description on user interface z Virtual type terminal VTY user interfa logical terminal line used when you a User interface Applicab...

Page 52: ...guration Follow the configure commo se steps to n user interface To do Use the command Remarks Lock the current user interface lock face is not locked Optional Available in user view A user inter by default Specify to send message to all user interfaces a s specified user interface send all number type number ser view Optional Available in u Free a user interface free user interface type number il...

Page 53: ...e port is the most common way to log in to a switch It is also the prerequisite to configure other login methods By default you can locally log in to an Ethernet switch through its console port only Table 2 2 lists the default settings of a console port Table 2 2 The default settings of a console port Setting Default Baud rate 19 200 bps Flow control None Check mode Parity None Stop bits 1 Data bi...

Page 54: ... 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the console port of the switch are configured as those listed in Table 2 2 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the co...

Page 55: ...3 Common configuration of console port login Configuration Remarks Baud rate Optional The default baud rate is 19 200 bps Check mode Optional By default the check mode of the console port is set to none which means no check bit Stop bits Optional The default stop bits of a console port is 1 Console port configuration Data bits Optional The default data bits of a console port is 8 AUX user interfac...

Page 56: ...itch in other ways To log in to a switch through its console port after you modify the console port settings you need to modify the corresponding settings of the terminal emulation utility running on your PC accordingly in the dialog box shown in Figure 2 4 Console Port Login Configurations for Different Authentication Modes Table 2 4 Console port login configurations for different authentication ...

Page 57: ...AUX users Required Perform common configuration Perform common configuration for console port login Optional Refer to Table 2 3 Changes made to the authentication mode for console port login takes effect after you quit the command line interface and then log in again Console Port Login Configuration with Authentication Mode Being None Configuration Procedure Follow these steps to configure console...

Page 58: ... can use the screen length 0 command to disable the function to display information in pages Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the history command buffer size history command max size value Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the co...

Page 59: ...er interface Sysname ui aux0 user privilege level 2 Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 ...

Page 60: ...e stop bits stopbits 1 1 5 2 The default stop bits of a console port is 1 Optional Set the data bits databits 7 8 The default data bits of a console port is 8 Optional Configure the command level available to users logging in to the user interface By default commands of level 3 are available to users logging in to the AUX user interface user privilege level level Optional Make terminal services av...

Page 61: ...the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are available to the users z The baud rate of the console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout ti...

Page 62: ...heme Configuration Procedure Follow these steps to configure console port login with the authentication mode being scheme To do Use the command Remarks Enter system view system view Enter the default ISP domain view domain domain name Optional By default the local AAA scheme is applied Specify the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtac...

Page 63: ...rt Optional Set the stop bits stopbits 1 1 5 2 The default stop bits of a console port is 1 Optional Set the data bits databits 7 8 The default data bits of a console port is 8 Optional Configure the command level available to users logging in to the user interface By default commands of level 3 are available to users logging in to the AUX user interface user privilege level level Optional Make te...

Page 64: ...ssume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Configure the local user name as guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of the local user to Termi...

Page 65: ...commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully Logging...

Page 66: ...d level available to users logging in to the VTY user interface Optional By default commands of level 0 are available to users logging in to a VTY user interface Optional Configure the protocols the user interface supports By default Telnet and SSH protocol are supported VTY user interface configuration Optional Set the commands to be executed automatically after a user log in to the user interfac...

Page 67: ...nd passwords for local RADIUS users The user name and password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for more Scheme Manage VTY users Set service type for VTY users Required Optional Perform common configuration Perform common Telnet configuration Refer to Table 2 6 To improve security and prevent attacks to the unused Sockets TCP 23 and TCP 22 ...

Page 68: ... after a user login to the user interface successfully By default no command is executed automatically after a user logs into the VTY user interface auto execute command text Optional Make terminal services available shell By default terminal services are available in all user interfaces Optional By default the screen can contain up to 24 lines Set the maximum number of lines the screen can contai...

Page 69: ... configuration with the authentication mode being none 3 Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure not to authenticate Telnet users logging in to VTY 0 Sysname ui vty0 authentication mode none Specify commands of level 2 are available to users logging in to VTY 0 Sysname ui vty0 user privilege level 2 Config...

Page 70: ...r interface auto execute command text Optional Make terminal services available shell By default terminal services are available in all user interfaces Optional By default the screen can contain up to 24 lines Set the maximum number of lines the screen can contain screen length screen length You can use the screen length 0 command to disable the function to display information in pages Optional Th...

Page 71: ...ication mode being password 3 Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify commands of level ...

Page 72: ... AAA server Refer to the user manual of AAA server Create a local user and enter local user view No local user exists by default local user user name password simple cipher password Set the authentication password for the local user Required service type telnet level level Specify the service type for VTY users Required Quit to system view quit Enter one or more VTY user interface views user inter...

Page 73: ... the command level available to the users logging in to the switch depends on the user privilege level level command and the service type ftp lan access ssh telnet terminal level level command as listed in Table 2 8 Table 2 8 Determine the command level when users logging in to switches are authenticated in the scheme mode Scenario Authentication mode User type Command Command level The user privi...

Page 74: ...ege level level command is not executed and the service type command specifies the available command level Determined by the service type command The user privilege level level command is executed and the service type command does not specify the available command level Level 0 VTY users that are authenticated in the password mode of SSH The user privilege level level command is executed and the s...

Page 75: ...o users logging in to VTY 0 Sysname luser guest service type telnet level 2 Sysname luser guest quit Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 in the scheme mode Sysname ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet Set the maximum number of lines the screen ca...

Page 76: ...elnet related configuration on the switch Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being Scheme for more 3 Connect your PC terminal and the Switch to an Ethernet as shown in Figure 2 12 Make sure the port through which the switch is connected to the Ethernet belon...

Page 77: ...same network segment or the route between the two VLAN interfaces is available As shown in Figure 2 14 after Telnetting to a switch labeled as Telnet client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then configure it Figure 2 14 Network diagram for Telnetting to another switch from the current switch 2 Perform Telnet related configuration on the ...

Page 78: ...rement The PC can communicate with the modem connected to it Administrator side The modem is properly connected to PSTN The telephone number of the switch side is available The modem is connected to the console port of the switch properly The modem is properly configured Switch side The modem is properly connected to PSTN and a telephone set The authentication mode and other related settings are c...

Page 79: ...figuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None z Configuration on switch when the authentication mode is password Refer to Console Port Login Configuration with Authentication Mode Being Password z Configuration on switch when the authentication mode is scheme Refer to Console Port Login Configuration with Aut...

Page 80: ...on utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 2 16 through Figure 2 18 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 2 16 Create a connection 2 30 ...

Page 81: ... to the related parts in this manual for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about command level Logging In Through the Web based Network Management System Go to these sections for information you are interested in Introduction z Establi...

Page 82: ...operating as the network management terminal The IP address of the VLAN interface of the switch the user name and the password are available Establishing an HTTP Connection 1 Assign an IP address to VLAN interface 1 of the switch VLAN 1 is the default VLAN of the switch See Telnetting to a Switch from a Terminal for related information 2 Configure the user name and the password on the switch for t...

Page 83: ...ntinue on the banner page the user can enter the user login authentication page and enter the main page of the Web based network management system after passing the authentication If no login banner is configured by the header command a user logging in through Web directly enters the user login authentication page Follow these steps to configure the login banner To do Use the command Remarks Enter...

Page 84: ... to enter user login authentication page You will enter the main page of the Web based network management system if the authentication succeeds Enabling Disabling the WEB Server Follow these steps to enable Disable the WEB Server To do Use the command Remarks Enter system view system view Required Enable the Web server ip http shutdown By default the Web server is enabled Disable the Web server Re...

Page 85: ...h through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The basic SNMP functions are configured Refer to the SNMP RMON part for related information The NMS is properly configured...

Page 86: ...ts to a remote device it automatically uses the configured source IP address or source interface to encapsulate Telnet service packets Use the following commands to configure a source IP address or source interface for Telnet service packets To do Use the command Remarks telnet hostname ip address service port source ip ip address source interface interface type interface number Specify a source I...

Page 87: ...Displaying Source IP Address Configuration To do Use the command Remarks Display the source IP address configured for the Telnet service packets Available in any view display telnet source ip 2 37 ...

Page 88: ...gi sers Login mode Control method Implementation Related section Controlling Telnet Users by By source IP address Through basic ACL Source IP Addresses Controlling Telnet Users by By source and destination IP address Through advanced Source and Destination IP ACL Addresses Telnet C L ers by Controlling Telnet Us By source MA address Through Layer 2 AC Source MAC Addresses Controlling Network SNMP ...

Page 89: ...face type first number last number Apply the ACL to control yword specifies to filter the users trying to Telnet to the The outbound keyword specifies to rrent switch Telnet users by source IP addresses acl acl number inbound outbound current switch Required The inbound ke filter users trying to Telnet to other switches from the cu Controllin Source and Destination IP Addresses C y so e ACLs which...

Page 90: ...ling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by app To do Use the command Remarks Enter system view system view Create or enter Layer 2 ACL view acl number acl number Define rules for the ACL rule rule id deny permit string ded to filter by specific source MAC addresses rule Required You can define rules as nee Quit to system view quit Ente...

Page 91: ...rough SNMP You need to perform the following two operations to control network management users by source IP addresses z Defining an ACL z Applying the ACL to control users accessing the switch through SNMP Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controll...

Page 92: ...cy read view read view write view write view notify view notify view acl acl number Required According to the SNMP version and configuration customs of NMS users you can reference an ACL when configuring community name group name or username For the detailed configuration refer to SNMP RMON for more snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name gro...

Page 93: ... determined including the source IP addresses to be controlled and the controlling actions permitting or denying Controlling Web Users by Source IP Addresses Controlling Web users by source IP addresses is achieved by applying basic ACLs which are numbered from 2000 to 2999 Follow these steps to control Web users by source IP addresses To do Use the command Remarks Enter system view system view Cr...

Page 94: ... of 10 110 100 52 are permitted to access the switch Network diagram Figure 3 3 Network diagram for controlling Web users using ACLs Configuration procedure Define a basic ACL Sysname system view Sysname acl number 2030 Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to ...

Page 95: ...ew device operating parameters and when they have to maintain the device they can switch to a higher level temporarily someone else to manage the device temporarily they can switch to a lower privilege level before they leave to restrict the operation by others The high to low user level switching is unlimited However the low to high user le the corresponding authentication Generally two authentic...

Page 96: ...CACS authentication are specified the device adopts the preferred authentication mode first If the preferred authentication mode cannot be implemented for example the super password is not configured or the HWTACACS authentication server is unreachable the backup authentication mode is adopted Adop empt to switch to a higher user level In this case you cannot pass sers of level 0 through level 2 w...

Page 97: ...er name and the corresponding password as prompted Note that if you have passed the HWTACACS authentication when logging in to the switch only the password is required The following table lists the operations to configure HWTACACS authentication for user level switching which can only be performed by Level 3 users Follow these steps to set the HWTACACS authentication scheme for user level switchin...

Page 98: ...figuration example z The administrator configures the user level switching authentication policies Set the user level switching authentication mode for VTY 0 users to super password authentication Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode super password Sysname ui vty0 quit Set the password used by the current user to switch to level 3 Sysname super...

Page 99: ...sname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0 quit Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system Sysname domain system Sysname isp system authentication super hwtacacs scheme acs z A VTY 0 user switches its level to level 3 after logging in Switch to user level 3 assuming that you ...

Page 100: ...es of configuration configuration of a switch falls into two types z Saved configuration a configuration file used for initialization If this file does not exist the switch starts up without loading any configuration file Current con configuration is stored i rebooting Configuration files are saved as text files for ease o z Save configuration in the form of commands Save only non default configur...

Page 101: ...rules below If the main configuration file exists the sw 2 If the main configuration file does not exist but the backup configuration file exists the switch initializes with the backup configuration If neither the main nor the backup configuration file exists but the defa At present only a PoE supported switch is shipped with a default configuration file Con Complete these tasks to configure confi...

Page 102: ... to cfg using the rename command The switch will use the renamed configuration file to initialize itself when it starts up next time For details of the rename command refer to the File System Management part of the manual Three attributes of the configuration file z Main attribute When you use the save safely main command to save the current configuration the configuration file you get has main at...

Page 103: ...hese reasons z After you upgrade software the old configuration file does not match the new software z The startup configuration file is corrupted or not the one you needed The following two situations exist z While the reset saved configuration main command erases the configuration file with main attribute it only erases the main attribute of a configuration file having both main and backup attri...

Page 104: ...artup saved configuration cfgfile backup command to set the file as backup startup configuration file The configuration file must use cfg as its extension name and the startup configuration file must be saved at the root directory of the switch Displaying Switch Configuration To do Use the command Remarks Display the initial configuration file saved in the Flash of a switch display saved configura...

Page 105: ...when the switch receives a broadcast pac whose MAC address is not included in the MAC address table packet to all the ports except the inbound port of the packet above scenarios cou z Large quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing poten...

Page 106: ...the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible VLAN Fundamentals VLAN tag To enable a Layer 2 switch to identify frames of different VLANs a VLAN tag field is inserted into the data link layer encapsulation The format of VLAN tagged frames is defined in IEEE 802 1Q issued by IEEE in 1999 In the header of a traditional Ethe...

Page 107: ...ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for the packet and sends the packet to the default VLAN of the inbound port for transmission For the details about setting the default VLAN of a port refer to Configuring the Default VLAN ID for a Port MAC address lear...

Page 108: ...sed VLANs z IP subnet based VLANs z Policy based VLANs z Other types At present the Switch 4500 supports the port based VLANs Port Based VLAN Link Types of Ethernet Ports You can configure the link type of a port as access trunk or hybrid The three link types use different VLAN tag handling methods When configuring the link type of a port note that z An access port can belong to only one VLAN Usua...

Page 109: ...tables Table 6 1 Packet processing of an access port Processing of an incoming packet For an untagged packet For a tagged packet Processing of an outgoing packet Receive the packet and tag the packet with the default VLAN tag z If the VLAN ID is just the default VLAN ID receive the packet z If the VLAN ID is not the default VLAN ID discard the packet Strip the tag from the packet and send the pack...

Page 110: ... z If the port has not been added to its default VLAN discard the packet z If the VLAN ID is one of the VLAN IDs allowed to pass through the port receive the packet z If the VLAN ID is not one of the VLAN IDs allowed to pass through the port discard the packet Send the packet if the VLAN ID is allowed to pass through the port Use the port hybrid vlan command to configure whether the port keeps or ...

Page 111: ... these step rform ba on VLAN Configuration s to pe sic VLAN configurati To do Use the command Remarks Enter system view view system Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter vlan vlan id t there is only one VLAN that is VLAN view Required By defaul the default VLAN VLAN 1 Assign a name for the name text t the name of a VLAN is its VLAN current VL...

Page 112: ... the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN interface is the name of this VLAN interface Vlan interface1 Interface ...

Page 113: ...Port Based VLAN Configuration Task List Complete these tasks to configure a port based VLAN Task Remarks Configuring the Link Type of an Ethernet Port Optional Assigning an Ethernet Port to a VLAN Required Configuring the Default VLAN for a Port Optional Configuring the Link Type of an Ethernet Port Follow these steps to configure the link type of an Ethernet port To do Use the command Remarks Ent...

Page 114: ...ow these steps to assign an Ethernet port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Access port port access vlan vlan id Trunk port port trunk permit vlan vlan id list all Assign the port to one or multiple VLANs Hybrid port port hybrid vlan vlan id list tagged untagged Optional By default...

Page 115: ...ng the default VLAN for a trunk or hybrid port you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through Otherwise the port cannot forward traffic of the default VLAN nor can it receive VLAN untagged packets z The local and remote trunk or hybrid ports must use the same default VLAN ID for the traffic of...

Page 116: ...00 SwitchA vlan200 description Dept2 SwitchA vlan200 quit Create VLAN interface 100 and VLAN interface 200 and assign IP addresses 192 168 1 1 and 192 168 2 1 to them respectively The two VLAN interfaces are used for forwarding packets from Host 1 to Server 2 at Layer 3 SwitchA interface Vlan interface 100 SwitchA Vlan interface100 ip address 192 168 1 1 24 SwitchA Vlan interface100 quit SwitchA i...

Page 117: ...00 and VLAN 200 you can configure the ports at both ends of the link as trunk ports and permit packets of the two VLANs to pass through the two ports Configure Ethernet 1 0 2 of Switch A SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type trunk SwitchA Ethernet1 0 2 port trunk permit vlan 100 SwitchA Ethernet1 0 2 port trunk permit vlan 200 Configure Ethernet 1 0 10 of Switch B S...

Page 118: ...ollowing figure in ress class IP Addressing O dress Classes IP addressing uses a 32 bit address to identify each host on a network An example is 010100001000000010000 they are written in dotted decimal notation each add ss just mentioned Eac IP address breaks down into two parts Net ID The first several bits of the IP address defining a network also known as class bits Host ID Identifies a host on...

Page 119: ...ddresses are for special use and they cannot be used as host IP addresses IP address with an all zeros net ID Identifies a host on the local network For example IP address 0 0 0 16 indicates the host with a host ID of 16 on the local network IP address with an all zeros host ID Identifies a ne IP address with an all ones host ID Identifies a directed broadcast address For example a packet with the...

Page 120: ... accommodate 216 2 Of the two deducted Class B addresses one with an all ones host ID is the broadcast address and the other with an all zeros host ID is the network address hosts before being subnetted After you break it down into 512 29 subnets by using the first 9 bits of the host ID for the subnet you have only 7 bits for the host ID and thus have only 126 27 2 hosts in each subnet The maximum...

Page 121: ...nter system view syste m view Configure a mapping between a host name and an IP address ip host hostname ip addres Required s No IP address is assigned to a host name by default The IP address you assign to a host name last time will overwrite the previous one if there is any to 50 static mappings between domain names and IP addresses You may create up Displaying IP Addressing Configuration To do ...

Page 122: ...ble the hosts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following Assign two IP addresses to VLAN interface 1 on the switch Set the switch as the gateway on all PCs of the two networks ram for IP address configuration Network diagram Figure 8 4 Network diag C IP address to VLAN interface 1...

Page 123: ... 2 bytes 56 Sequence 5 ttl 255 time 26 ms 172 16 1 2 ping statistics 5 packet s transmitted 5 packet s receiv 0 00 packet loss round trip min avg max 25 26 27 ms The output Ping a host on th Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to break Reply from 172 16 2 2 bytes 56 Sequence 1 ttl 255 time 25 ms Reply from 172 16 2 2 bytes 56 Sequence 2 ttl 255 time 26 ms Reply from 1...

Page 124: ...0 1 1 2 corresponding to host com Sysname ping host com Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 byt Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 127 time 5 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 127 ti host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip...

Page 125: ...arding information base FIB FIB is used to store the forwarding information e switch and guide Layer 3 pa You can know the forwarding information of the switch through the FIB table Each FIB entry includes tination address mask length next hop current flag time Wh n the switch is running normally the contents of the FIB and the routing table are the same rformance Configuration Task List P perform...

Page 126: ...rease network traffic licious pac send ICMP error packets the device s performance will be reduced n function in ble size of a host the host s performance will be reduced if its routing table becomes very large s ICMP destinat ckets end users may be affected Y ng network traffic and p alicious attacks F IC ckets ally sent layer protocols to no ng devices s to facilitate control and man isadvantage...

Page 127: ...ay tcp status Display TCP connection statistics display tcp statistics Display UDP traffic statistics display udp statistics Display IP traffic statistics display ip statistics Display ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket socktype sock type task id socket id Display the forwarding information base FIB entries display...

Page 128: ... 4 To do Use the command Remarks Clear IP traffic statistics reset ip statistics Clear TCP traffic statistics reset tcp statistics Clear UDP traffic statistics reset udp statistics Available in user view ...

Page 129: ... ports connected with voice devices to voice VLANs traffic and voice quality an IP Phone Works IP phones can convert analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses o The following p...

Page 130: ...ce data After the IP phone is powered on it sends an untagged DHCP request message containing four special requests in the Option 184 field besides the request for an IP address The message is broadcas follows z If DHCP S VLAN the IP phone can only send untagged packets in the default VLAN of the port the IP phone is connected to In this case you need to manually configure the default VLAN of the ...

Page 131: ...ally unique identifier OUI list If a match is to be set is consistent with that of the switch and the NCP is reachable to the IP address to be set Switch 4500 s found the packet is considered as a voice packet Ports receiving packets of this type will be added to the voice VLAN automatically for transmitting voice data You can configure OUI addresses for voice packets or specify to use the default...

Page 132: ...matically adds a port connecting an IP voice device to the voice mechanism to maintain the number of ports in the voice VLAN ports whose OUI addresses are not updated that is no voice traffic passes will be removed from the voice VLAN In voice VLAN assignment automatic mod z remove a p Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs whether the automatic or manual...

Page 133: ...he voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice traffic Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose tr...

Page 134: ...port is assigned to the voice VLAN the switch receives and forwards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in the manual mode with the default VLAN as the voice VLAN any untagged packet can be transmitted in the voice VLAN This makes the voice VLAN vulnerable to flow attacks because malicious users can create a ...

Page 135: ... VLAN before configuring a voice VLAN z VLAN 1 the default VLAN cannot be configured as a voice VLAN In case a connected voice device sends VLAN tagged packets ensure that the voice VLAN created on the switch is consistent with the VLAN corresponding to the VLAN tag carried in voice packets Otherwise the switch will not be able to properly receive voice packets Configuring the Voice VLAN to Operat...

Page 136: ...he voice VLAN is working normally if the device restarts or the Unit ID of a device in a XRN fabric changes in order to make the established voice connections work normally the system does not need to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices as well as the XRN of the voice VLAN but does so immediately after the restart or the ch...

Page 137: ...e on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list Enter port view interface interface type interface num port trunk permit vlan vlan id Add the port to the VLAN port hybrid vlan vlan id tagged untagged Required By defaul...

Page 138: ...both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between 3Com device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device The voice vlan legacy command can be executed before vo...

Page 139: ...the description string being test Network diagram Figure 10 2 Network diagram for voice VLAN configuration automatic voice VLAN assignment mode Internet Device A Eth1 0 1 VLAN2 VLAN2 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 Device B Configuration procedure Create VLAN 2 and VLAN 6 DeviceA system view DeviceA vlan 2 DeviceA vlan2 quit DeviceA vlan 6 DeviceA vlan6 quit Set the voice VLAN agin...

Page 140: ...z The IP phone sends untagged packets It is connected to Ethernet 1 0 1 a hybrid port Set this port to operate in manual voice VLAN assignment mode z You need to add a user defined OUI address 0011 2200 000 with the mask being ffff ff00 0000 and the description string being test Network diagram Figure 10 3 Network diagram for voice VLAN configuration manual voice VLAN assignment mode Internet Devi...

Page 141: ... 1 0 1 DeviceA Ethernet1 0 1 voice vlan enable Verification Display the OUI addresses the corresponding OUI address masks and the corresponding description strings that the system supports DeviceA display voice vlan oui Oui Address Mask Description 0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 00...

Page 142: ...he GARP application such as the VLAN or multicast attribute GARP itself does not exist on a device as an entity GARP GARP applications One example is GV your device this port is regarded a GARP ages and timers 1 GARP messages GARP members communicate with each other through the messages exchanged between them The sages performing important functions for GARP fall into three types Join Leave and Le...

Page 143: ...re register all the attribu z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN Unlike other three time z rs which are set on a port basis the LeaveAll timer is set in system view and z ause each time a device on the network receives a LeaveAll message it resets its LeaveAll timer takes effect globally A GARP application entity may send LeaveAll messages at the inter...

Page 144: ...ttribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attribute Length The length of the attribute 2 to 255 in bytes Attribute Event The event described by the attribute 0 LeaveAll Event 1 JoinEmpty 2 JoinIn 3 LeaveEmpty 4 LeaveIn 5 Empty Attribute Value The valu...

Page 145: ... port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN information z Fixed A port in this mode cannot register deregister VLANs dynamically It only propagates static VLAN information Besides the port permits only static VLANs that is it propagates only static VLAN inf...

Page 146: ...system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note that z...

Page 147: ... Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by changing the timeout time of the Leave timer 32 765 centiseconds The following are recommended GVRP timer settings z GARP hol...

Page 148: ...work requirements z Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network to communicate with each ot...

Page 149: ... on Ethernet1 0 3 SwitchA Ethernet1 0 3 gvrp SwitchA Ethernet1 0 3 quit 2 Configure Switch B The configuration procedure of Switch B is similar to that of Switch A and is thus omitted 3 Configure Switch C Enable GVRP on Switch C which is similar to that of Switch A and is thus omitted Create VLAN 5 SwitchC vlan 5 SwitchC vlan5 quit 4 Configure Switch D Enable GVRP on Switch D which is similar to t...

Page 150: ...ynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE Ethernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure Ethernet1 0 1 on Switch E to operate...

Page 151: ...5 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic No dynamic vlans exist 11 10 ...

Page 152: ...rface For a Combo port the electrical port and the corresponding optical port are TX SFP multiplexed You can specify a Combo port to ope That is a Combo port cannot operate as both an el When one is enabled the other is Combo port state s to configur port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable a specifie...

Page 153: ...terface of an SFP port does no 100 ke Set the medium dependent interfac MDI mode of e the Ethernet port mdi across auto normal of an ort is auto Optional Be default the MDI mode Ethernet p Set the maximum frame size allowed on the Ethernet port to 9 216 bytes jumboframe enable e to jumboframe enable command Optional By default the maximum frame siz allowed on an Ethernet is 9 216 bytes To set the ...

Page 154: ...d to support all the auto negotiation speeds 10 Mbps 100 Mbps and 1000 Mbps Limiting Traffic on individual Ports By performing the following configurations you can limit the incoming broadcast multicast unknown unicast traffic on individual ports When a type of incoming traffic exceeds the threshold you set the system drops the packets exceeding the traffic limit to reduce the traffic ratio of thi...

Page 155: ...0Mbps 1000Mbps Port D 100Mbps Switch C Configure flow control in TxRx mode on Port B and flow control in Rx mode on Port A z When congestions occur on Port C Switch B buffers the frames When the amount of the buffered frames exceeds a certain value Switch B can realize that the traffic from Port B to Port C is too heavy and exceeds the forwarding capacity of Port C As a result Port B in TxRx mode ...

Page 156: ...z If you specify a source aggregation group ID the system will use the port with the smallest port number in the aggregation group as the source z If you specify a destination aggregation group ID the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the source port Configuring Loopback Detec...

Page 157: ...oopback port auto shutdown function on a port If you do so the function configured later will take effect Table 12 1 Configure loopback detection for Ethernet port s Operation Command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Optional By default the global loopback detection function is enabled if the device boots with the default configurat...

Page 158: ... current trunk or hybrid port z To enable loopback detection on a specific port you must use the loopback detection enable command in both system view and the specific port view z After you use the undo loopback detection enable command in system view loopback detection will be disabled on all ports z The loopback detection control enable command and the loopback detection per vlan enable command ...

Page 159: ...n five seconds The system can test these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty cable Follow these steps to enable the system to test connected cables To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the system to test connected ...

Page 160: ...transition conditions refer to the description of the display brief interface command in Basic Port Configuration Command When the physical link status of an Ethernet port changes between Up and Down or Up and Administratively Down the switch will generate Up Down log and send the log information to the terminal automatically by default If the status of Ethernet ports in a network changes frequent...

Page 161: ...rnet1 0 1 is UP Disable Ethernet 1 0 1 from generating Up Down log information and execute the shutdown command or the undo shutdown command on Ethernet 1 0 1 No Up Down log information is generated or output for Ethernet 1 0 1 Sysname Ethernet1 0 1 undo enable log updown Sysname Ethernet1 0 1 shutdown Sysname Ethernet1 0 1 undo shutdown Setting the Port State Change Delay During a short period af...

Page 162: ...interface number begin include exclude regular expression Display port information about a specified unit display unit unit id interface Display the Combo ports and the corresponding optical electrical ports display port combo Display the information about the port with the link delay command configured display link delay Available in any view Clear port statistics reset counters interface interfa...

Page 163: ...ort link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet 1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet 1 0 1 to 100 Sysname Ethernet1 0 1 port trunk pvid vlan 100 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the followin...

Page 164: ...rmation exchange between LACP enabled devices With LACP enabled on a port LACP notifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the peer compares the information with the infor the peer device to determine the ports that can be aggregated In this way the...

Page 165: ... disabled TPID on the ports State of inner to outer tag priority replication enabled or disabled The S4500 family support cross device link aggregation if XRN fabric is enabled Link Aggregation Classification Depending on different aggregation modes the following three types of link aggregation exist z Manual aggregation z Static LACP aggregation z Dynamic LACP aggregation Manual Aggregation Group...

Page 166: ...o including initially down port you want to add to a manual aggregation group Static LACP Aggregation Group Introduction to static LACP aggregation A static LACP aggregation group is also manually created All its member ports are manually added and can be manually removed it inhibits the system from automatically adding removing ports to from it Each static aggregation group must contain at least ...

Page 167: ...us of dynamic aggregation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP protocol packets z The selected ports can receive transmit user service packets but the unselected ports cannot z In a dynamic aggregation group the selected port with the smallest port number serves as ...

Page 168: ...ups The system always allocates hardware aggregation resources to the aggregation groups with higher priorities When load sharing aggregation resources are used up by existing aggregation groups newly created aggregation groups will be non load sharing ones Load sharing aggregation resources are allocated to aggregation groups in the following order z An aggregation group containing special ports ...

Page 169: ...dded to an aggregation group Contrarily the mac address max mac count command cannot be configured on a port that has already been added to an aggregation group z MAC authentication enabled ports and 802 1x enabled ports cannot be added to an aggregation group z Mirroring destination ports and mirroring reflector ports cannot be added to an aggregation group z Ports configured with blackhole MAC a...

Page 170: ...ic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enabled 2 When a manual or static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group Configuring a Static LACP Aggregation Group You can create a...

Page 171: ...ation group is automatically created by the system based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports which you want to participate in dynamic aggregation of the system because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding r...

Page 172: ...t the configuration concerning manual and static aggregation groups and their descriptions still exists but that of dynamic aggregation groups and their descriptions gets lost Displaying and Maintaining Link Aggregation Configuration To do Use the command Remarks Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggreg...

Page 173: ...nly lists the configuration on Switch A you must perform the similar configuration on Switch B to implement link aggregation 1 Adopting manual aggregation mode Create manual aggregation group 1 Sysname system view Sysname link aggregation group 1 mode manual Add Ethernet 1 0 1 through Ethernet 1 0 3 to aggregation group 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 port link aggregation ...

Page 174: ...et1 0 3 port link aggregation group 1 3 Adopting dynamic LACP aggregation mode Enable LACP on Ethernet 1 0 1 through Ethernet 1 0 3 Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 lacp enable Sysname Ethernet1 0 1 quit Sysname interface Ethernet 1 0 2 Sysname Ethernet1 0 2 lacp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 lacp e...

Page 175: ... feature you can add the ports to be controlled int isolation group a port in an isolation group does not forward traffic to the other ports in the isola gro The ports in a z Currently you can create only on isolation group on a Switch 4500 The number of Ethernet ports in an isolation group is not limited An isolation group only isolates the member ports in it z Port d an Ethernet port to an isola...

Page 176: ...RN fabric is enabled z For Switch 4500 family belonging to the same XRN Fabric the port isolation configuration performed on a port of a cross device aggregation group cannot be synchronized to the other ports of the aggregation group if the ports reside on other units That is to add multiple ports in a cross device aggregation group to the same isolation group you need to perform the configuratio...

Page 177: ...interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface ethernet1 0 4 Sysname Ethernet1 0 4 port isolate Sysname Ethernet1 0 4 quit Sysname quit Display information about the ports in the isolation group Sysname display isolate port Isolated port s on UNIT 1...

Page 178: ...ur switch in Upon detection of illegal frames or events the switch takes the pre defined action automatically While curity this reduces your maintenance efforts greatly Port in an intended security mode you can control how the port learns source MAC addresses and thereby filters illegal packets uction Port security is a security mechanism for network access control It is an expansion to the curren...

Page 179: ...uthenticated and serviced at the same time z And specifies that both MAC authentication and 802 1X authentication are required A user can access the network only after passin z Else specifies that the authentication method before Else is applied first If the authentication fails whethe type of the authentication request z Ext indicates allowing multiple 80 autoL z also configure secure MAC address...

Page 180: ...serLogin A port performs 802 1X authentication and implements port based access control z userLoginSecure A port performs 802 1X authentication for users and implements MAC based access control The port services only one user passing 802 1X authentication z userLoginSecureExt Similar to the userLoginSecure mode except that this mode supports multiple online 802 1X users z userLoginWithOUI Similar ...

Page 181: ...then if the user passes MAC authentication performs 802 1X authentication A user can access the network only after passing both authentications The port supports up to one online 802 1X user z macAddressAndUserLoginSecureExt Similar to the macAddressAndUserLoginSecure mode except that a port in this mode supports multiple users as the Ext keyword implies Figure 15 2 shows how the port processes pa...

Page 182: ... Else keyword No Fail The port in a security mode with Else receives a packet Is it an 802 1X packet Allow access to authorized resources Yes Drop the packet Succeed Fail Succeed Is the source MAC in the MAC address table Forward the packet Yes No Perform MAC authentication Perform 802 1X authentication Security mode with the Or keyword z macAddressOrUserLoginSecure A port in this mode performs MA...

Page 183: ...eature Checks the source MAC addresses in inbound frames or the usernames and passwords in 802 1X authentication requests and takes the pre defined action on each detected illegal frame or event The action may be disabling the port temporarily disabling the port unless you bring it up manually or blocking frames from an illegal MAC address for three minutes unmodifiable z Trap feature Enables the ...

Page 184: ...te the following tasks to configure port security Task Remarks Enabling Port Security Required Setting the Maximum Number of Secure MAC Addresses Allowed on a Port Optional Setting the Port Security Mode Required Configuring the NTK feature Optional Configuring Port Security Configuring intrusion protection Features Choose one or more features as required Configuring trapping Configuring Guest VLA...

Page 185: ... the number of users to be authenticated on a port The number of authenticated users allowed however cannot exceed the upper limit The maximum number of users on a port in a security mode is determined by the maximum number of secure MAC addresses or the maximum number of authenticated users that the security mode supports whichever is smaller By setting the maximum number of MAC addresses allowed...

Page 186: ...ort security mode You can set a port security mode as needed z Before setting the port to operate in the autoLearn mode be sure to set the maximum number of secure MAC addresses allowed on the port with the port security max mac count command z When the port operates in the autoLearn mode you cannot change the maximum number of secure MAC addresses allowed on the port z After you set the port secu...

Page 187: ...be taken by the switch when intrusion protection is triggered port security intrusion mode blockmac disableport disableport temporarily By default intrusion protection is disabled Return to system view quit Optional Set the timer during which the port remains disabled port security timer disableport timer 20 seconds by default The port security timer disableport command is used in conjunction with...

Page 188: ...ill not be added to the guest VLAN 2 After the port is added to the guest VLAN z The users of the port can initiate 802 1X authentication If a user passes authentication the port leaves the guest VLAN and is added to the original VLAN that is the one the port belongs to before it is added to the guest VLAN The port then does not handle other users authentication requests z MAC authentication is al...

Page 189: ...he authentication of a user fails the blocking MAC address feature will be triggered and packets of the user will be dropped making the user unable to access the guest VLAN Ignoring the Authorization Information from the RADIUS Server After an 802 1X user or MAC authenticated user passes Remote Authentication Dial In User Service RADIUS authentication the RADIUS server delivers the authorization i...

Page 190: ...iew system view mac address security mac address interface interface type interface number vlan vlan id In system view Either is required Add a secure MAC address entry By default no secure MAC address entry is configured interface interface type interface number In Ethernet port view mac address security mac address vlan vlan id Configuring an aging time for learned secure MAC address entries By ...

Page 191: ...e the command Remarks Display information about port security configuration display port security interface interface list Available in any view display mac address security interface interface type interface number vlan vlan id count Display information about secure MAC address configuration Port Security Configuration Examples Port Security Mode autoLearn Configuration Example Network requiremen...

Page 192: ...is triggered Switch Ethernet1 0 1 port security intrusion mode disableport temporarily Switch Ethernet1 0 1 quit Switch port security timer disableport 30 Port Security Mode macAddressWithRadius Configuration Example Network requirements The host connects to the switch through port Ethernet 1 0 1 and the switch authenticates the host with a RADIUS server If the authentication succeeds the host is ...

Page 193: ...y accounting 192 168 1 2 Specify the secondary RADIUS authentication server and secondary RADIUS accounting server Switch radius radius1 secondary authentication 192 168 1 2 Switch radius radius1 secondary accounting 192 168 1 3 Set the shared key for message exchange between the switch and the RADIUS authentication servers to name Switch radius radius1 key authentication name Set the shared key f...

Page 194: ...rt to drop packets whose source addresses are the same as that of the packet failing MAC authentication after intrusion protection is triggered Switch Ethernet1 0 1 port security intrusion mode blockmac Port Security Mode userLoginWithOUI Configuration Example Network requirements The host connects to the switch through port Ethernet 1 0 1 and the switch authenticates the host with a RADIUS server...

Page 195: ... between the switch and the accounting RADIUS servers to name Switch radius radius1 key accounting name Set the interval and the number of packet transmission attempts for the switch to send packets to the RADIUS server Switch radius radius1 timer 5 Switch radius radius1 retry 5 Set the timer for the switch to send real time accounting packets to the RADIUS server to 15 minutes Switch radius radiu...

Page 196: ...ort security trap dot1xlogon Switch port security trap dot1xlogoff Port Security Mode macAddressElseUserLoginSecureExt Configuration Example Network requirements The host connects to the switch through port Ethernet 1 0 1 and the switch authenticates the host with a RADIUS server If the authentication succeeds the host is authorized to access the Internet Restrict port Ethernet 1 0 1 of the switch...

Page 197: ...s1 primary accounting 192 168 1 2 Specify the secondary RADIUS authentication server and secondary RADIUS accounting server Switch radius radius1 secondary authentication 192 168 1 2 Switch radius radius1 secondary accounting 192 168 1 3 Set the shared key for message exchange between the switch and the RADIUS authentication servers to name Switch radius radius1 key authentication name Set the sha...

Page 198: ...en Specify the ISP domain for MAC authentication Switch mac authentication domain aabbcc net Enable port security Switch port security enable Set the maximum number of secure MAC addresses allowed on the port to 200 Switch interface Ethernet 1 0 1 Switch Ethernet1 0 1 port security max mac count 200 Set the port security mode to mac else userlogin secure ext Switch Ethernet1 0 1 port security port...

Page 199: ...s1 primary accounting 192 168 1 2 Specify the secondary RADIUS authentication server and secondary RADIUS accounting server Switch radius radius1 secondary authentication 192 168 1 2 Switch radius radius1 secondary accounting 192 168 1 3 Set the shared key for message exchange between the switch and the RADIUS authentication servers to name Switch radius radius1 key authentication name Set the sha...

Page 200: ...uthentication domain aabbcc net Enable port security Switch port security enable Set the port security mode to macAddressAndUserLoginSecureExt Switch interface Ethernet 1 0 1 Switch Ethernet1 0 1 port security port mode mac and userlogin secure ext Guest VLAN Configuration Example Network requirements As shown in Figure 15 10 Ethernet 1 0 2 connects to a PC and a printer which are not used at the ...

Page 201: ...ounting 10 11 1 1 1813 Switch radius 2000 key authentication abc Switch radius 2000 key accouting abc Switch radius 2000 user name format without domain Switch radius 2000 quit Configure the ISP domain and apply the scheme 2000 to the domain Switch domain system Switch isp system scheme radius scheme 2000 Switch isp system quit Set the username type for MAC authentication to MAC address that requi...

Page 202: ...ernet 1 0 2 to macAddressOrUserLoginSecure Switch interface Ethernet1 0 2 Switch Ethernet1 0 2 port security port mode userlogin secure or mac specify VLAN 10 as the guest VLAN of the port Switch Ethernet1 0 2 port security guest vlan 10 You can display the guest VLAN configuration information by the display current configuration or display interface ethernet 1 0 2 command If a user fails the auth...

Page 203: ...formation carried in the packet matches the information in packet Otherwise the port discards the packet ently the switch provides the following binding z Port IP binding binds a port to an IP address On the bound port the switch forwards only the packets sourced from the bound IP address z Port MAC binding binds a port to a MAC address On the bound port the switch forwards only the packets source...

Page 204: ...rt binding is unique in all port bindings z For the same port port IP MAC binding is mutually exclusive with port IP binding Displaying and Maintaining Port Binding Configuration To do Use the command Remarks Display port binding information display am user bind interface interface type interface number ip addr ip addr mac addr mac addr Available in any view Port Binding Configuration Example Port...

Page 205: ...procedure Configure Switch A as follows Enter system view SwitchA system view Enter Ethernet 1 0 1 port view SwitchA interface Ethernet 1 0 1 Bind the MAC address and the IP address of Host A to Ethernet 1 0 1 SwitchA Ethernet1 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 16 3 ...

Page 206: ...g Tree Protocol STP enabled netwo As for fiber links two kinds of unidirectional links exist Fiber cross connection as shown in Figure 17 1 z Fibers that are not connected or disconnected as shown in Figure 17 2 the hollow lines in which refer to fibers that are not connected or disconnected The Device Link Detection Protocol DLDP can detect the link status of an optical fiber cable or copper twis...

Page 207: ... both ends However the auto negotiation mechanism cannot implement this detection z In order for DLDP to detect fiber disconnection in one direction you need to configure the port to work in mandatory full duplex mode at a mandatory rate z When the port determines the duplex mode and speed through auto negotiation even if DLDP is enabled it does not take effect when the fiber in one direction is d...

Page 208: ...kets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port information instead of the neighbor information In some conditions a port is considered to be physically down if the link connecting to the port is physically abnormal for example the Rx line of the fiber on th...

Page 209: ...down message it does not removes the corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor information remains and the Delaydown timer is triggered DLDP timers Table 17 3 DLDP timers Timer Description Advertisement sending timer Interval between sending ...

Page 210: ...t automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry Delaydown timer When a device in the active advertisement or probe DLDP state receives a port down message it does not removes the corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown...

Page 211: ...ackets including those with or without an RSY tag Advertisement Advertisement packets Probe Probe packets 2 DLDP analyzes and processes received packets from the peer device as follows z In authentication mode DLDP authenticates the packets and discards those failing to pass the authentication z DLDP processes the received DLDP packets Table 17 6 Process received DLDP packets Packet type Processin...

Page 212: ...se two states two way and unknown You can check the state of a DLDP neighbor by using the display dldp command Table 17 8 Description on the two DLDP neighbor states DLDP neighbor state Description Two way The link to the neighbor operates properly Unknown The device is detecting the neighbor and the neighbor state is unknown Link Auto recovery Mechanism If the shutdown mode of a port is set to au...

Page 213: ... port Enable DLDP dldp enable Required By default DLDP is disabled Set the authentication mode and password dldp authentication mode none simple simple password md5 md5 password Optional By default the authentication mode is none Set the interval of sending DLDP packets dldp interval timer value Optional By default the interval is 5 seconds Set the delaydown timer dldp delaydown timer delaydown ti...

Page 214: ...ch the configuration takes effect on the existing optical ports instead of those added subsequently z Make sure the authentication mode and password configured on both sides are the same for DLDP to operate properly z When DLDP works in enhanced mode the system can identify two types of unidirectional links one is caused by fiber cross connection and the other is caused by one fiber being not conn...

Page 215: ...connects the unidirectional links after detecting them z After the fibers are connected correctly the ports shut down by DLDP are restored Network diagram Figure 17 3 Network diagram for DLDP configuration Device A GE1 0 49 GE1 0 50 Device B GE1 0 49 GE1 0 50 PC Configuration procedure 1 Configure Switch A Configure the ports to work in mandatory full duplex mode at a rate of 1000 Mbps SwitchA sys...

Page 216: ...be in the disable state and the rest in the inactive state When a fiber is connected to a device correctly on one end with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode the end that receives optical sign...

Page 217: ...o all ports except the one receiving the Introd e updated and maintained through the following two ways uction to MAC Address Table An Ethernet switch is mainly used to forward packets at the data link layer that is transmit the packets to the corresponding ports according to the destination MAC address of the packets To forward packets quickly a switch maintains a MA address to forwarding port as...

Page 218: ...switch ng diagram 1 Figure 18 1 MAC address learni Figure 18 2 MAC address table entry of the switch 1 After learning the MAC address of User A the switch starts to forward the packet Because there is 2 User B in the existing MAC address table the switch xcept Ethernet 1 0 1 to ensure that User B can receive the packet ng diagram 2 no MAC address and port information of forwards the packet to all ...

Page 219: ...4 1 MAC B After this interaction the switch directly unicasts the packets destined for User A and User B based rresponding MAC address table entries 5 on the co z B is unreachable or User B receives the z The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address Under some special circumstances for example...

Page 220: ...an not age out by themselves Using static MAC address entries can reduce broadcast packets remarkably and are suitable for networks where network devices seldom change Dynamic MAC address entry This type of MAC address entries age out after the configured aging time They are generate z Blackhole MAC address entry This type of MAC address entries are configured m discards the packets destined for o...

Page 221: ...nd Remar To do ks Enter system view system view Add a MAC a entry ddress mac address static dynamic blackhole mac address interface interface type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added If the VLAN specified by t...

Page 222: ... default is 300 seconds Normally you are recommended to use the default aging timer namely 300 seconds The no aging keyword specifies that MAC address entries never age out MAC address aging configuration applies to all ports but only takes effect on dynamic MAC addresses which are either learnt or configured Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mec...

Page 223: ...s used in an XRN fabric for communications MAC address entries of some ports in the aggregation group may not be updated in time resulting in unnecessary broadcasts The destination MAC address triggered update function solves the above problem by allowing the switch to update its MAC address entries according to destination MAC addresses in addition to source MAC addresses This function improves t...

Page 224: ... Port Ethernet 1 0 2 belongs to VLAN 1 Configuration procedure Enter system view Sysname system view Sysname Add a MAC address with the VLAN ports and states specified Sysname mac address static 000f e20f dc71 interface Ethernet 1 0 2 vlan 1 Display information about the current MAC address table Sysname display mac address interface Ethernet 1 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME s 00...

Page 225: ...h is a set of IP addresses To check the reachability to a detected group a switch enabled with Auto Detect sends ICMP requests to the IP addresses in the group and waits for the ICMP replies from the group based on the user defined policy which includes the according to the check result the switch determines whether to make detected group take ef Currently the following fe z z Interface ba z ion w...

Page 226: ...n Set a timeout waiting for an Optional ICMP reply timer wait seconds By default the timeout is 2 seconds Display the detected group configuration display detect group group number Available in any view If the relationship between IP addresses of a detected group is and any unreachable IP address in the t be detected group makes the detected group unreachable and the remaining IP addresses will no...

Page 227: ...the command Remarks Enter system view system view Bind a detected group to a static route ip route static ip address mask mask length interface type interface number next hop preference preference value reject blackhole detect group group number Required Detect Implementation in VLAN Interface Backup VLAN interface backup means backing up the VLAN interfaces on a devices Usually the master VLAN in...

Page 228: ...nd th When the link between t natio ace tion recove When the link between the ac group becomes reachable ive VLAN interface and th ain the system shuts down the rs that is the detected andby VLAN interface again You need to create the detected group and perform configurations concerning VLAN interfaces before the following operations Follow these steps to configure the auto detect function for VLA...

Page 229: ...tem view SwitchC system view Configure a static route to Switch A SwitchC ip route static 192 168 1 1 24 10 1 1 3 Configuration Example for Auto Detect Implementation with VLAN Interface Backup Network requirements z Make sure the routes between Switch A Switch B and Switch C and between Switch A Switch D and Switch C are reachable z Create detected group 10 on Switch A to detect the connectivity ...

Page 230: ...A detect group 10 Add the IP address of 10 1 1 4 to detected group 10 to detect the reachability of the IP address with the IP address of 192 168 1 2 as the next hop and the detecting number set to 1 SwitchA detect group 10 detect list 1 ip address 10 1 1 4 nexthop 192 168 1 2 SwitchA detect group 10 quit Specify to enable VLAN interface 2 when the result of detected group 10 is unreachable Switch...

Page 231: ...l RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree protocol STP is a protocol conforming to IEEE 802 1d It aims to eliminate loops on data link layer in a local area network LAN Devices running this protocol detect loops in the network by exchanging pac...

Page 232: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root port 3 Designated bridge and designated port Refer to the following table for the description of designated bridge and designated port Table 20 1 Designated bridge and designated port Classification Des...

Page 233: ...s see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port is related to the rate of the link connecting the port The higher the link rate the smaller the path cost By comparing the path costs of different links STP selects the most robust links and blocks the...

Page 234: ...idge priority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the configuration BPDUs to be kept in a switch z Hello time configuration BPDU interval z Forward delay forward delay of the port The implementation of the STP algorithm involves only the followin...

Page 235: ...ath cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the higher priority for the configuration BPDU z Selection of the root bridge At network initialization each STP compliant device on the network assumes itself to be the root bridge with the root bridg...

Page 236: ... root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topology has been constructed At this stage STP convergence is complete 2 Example of how the STP algorithm wo...

Page 237: ...tion BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 z Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local po...

Page 238: ...port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C By comparison z Because the root path cos...

Page 239: ...ulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs This triggers a new spanning tree calculation so that a new path is established to restore the network connectivity However the...

Page 240: ...signated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the forwarding state directly if the designated port is connected with a point to point link it can enter the forwarding state immediately after the device undergoes handshake with the downstream device ...

Page 241: ...2 mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped to MSTI 2 Other VLANs mapped to CIST Region D0 VLAN 1 mapped to MSTI 1 B as the regional root bridge VLAN 2 mapped to MSTI 2 C as the regional root bridge Other VLANs mapped to CIST 2 MST region A ...

Page 242: ...ning tree generated by STP or RSTP running on the switches For example the red lines in Figure 20 4 represent the CST 7 CIST A common and internal spanning tree CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 20 4 the ISTs in the MST regions and the CST connecting the MST regions form the CIST 8 Region root A reg...

Page 243: ... of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 20 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect upstream to the common root Port 5 and port 6 on switch C form a loop Port 3 and port 4 on switch D connect downstream to other MST regions This figure shows the roles these ports play z A port can pl...

Page 244: ...d by MSTP At the same time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP generates different MSTIs for different VLANs based on the VLAN to instance mappings MSTP performs a separate calculation process which is similar to spanning tree calculation in STP for e...

Page 245: ...ing MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are performed Configuring an MST Region Required Specifying the Current Switch as a Root Bridge Secondary Root Bridge Required Configuring the Bridge Priority of the Current Switch Optional The priority of a switch cannot be changed after...

Page 246: ... Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priority Optional Configuring Leaf Nodes Setting the Link Type of a Port to P2P Optional Performing mCheck Operation Optional Configuring Guard Functions Optional Configuring Digest Snooping Optional Configuring Rapid Transitio...

Page 247: ...configuration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configuration Available in any view Neighbor Topology Discovery Protocol NTDP packets sent by devices in a cluster can only be transmitted within the MSTI where the management VLAN of the cluster resides For mo...

Page 248: ...o 10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configuration Admin configuration Format selector 0 Region name info Revision level 1 Instance Vlans Mapped 0 1 11 to 19 31 to 4094 1 2 to 10 2 20 to 30 Specifying the Current Switch as a Root Bridge Secon...

Page 249: ... no new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the network diameter and the hello time parameters while configuring a root bridge secondary root bridge Refer to Configuring the Network Diameter of the Switched Network and Configuring the MSTP Time rel...

Page 250: ...iple switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname system view Sysname stp instance 1 priority 4096 Configuring How a Port Recognizes and Sends MSTP Packets A port can send recognize MSTP packets of two formats z dot1s 802 1s compliant standard forma...

Page 251: ...format Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp compliance dot1s Restore the default mode for Ethernet 1 0 1 to recognize send MSTP packets Sysname Ethernet1 0 1 undo stp compliance Configuring the MSTP Operation Mode To make an MSTP enabled switch compatible with STP RSTP MSTP provides the following three operation modes z STP compatible mode where the ports ...

Page 252: ...echanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation and thus limits the size of an MST region With such a mechanism the maximum hop count configured on the switch operating as the root bridge of the CIST or an MSTI in an MST region becomes the network diameter of the spanning tree which limits the size of the spanning tree in the cur...

Page 253: ...ure the network diameter of a switched network an MSTP enabled switch adjusts its hello time forward delay and max age settings accordingly to better values The network diameter setting only applies to CIST it is invalid for MSTIs Configuration example Configure the network diameter of the switched network to 6 Sysname system view Sysname stp bridge diameter 6 Configuring the MSTP Time related Par...

Page 254: ... z As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it is too large link problems may be unable to be detected in time which prevents spanning trees being recalculated in time and makes the network less adaptive The default value is recommended As for the configuration of the three t...

Page 255: ...itch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time Configuration example Configure the timeout time factor to be 6 Sysname system view Sysname stp timer factor 6 Configuring the Maximum Transmitting Rate on the Current Port The maximum transmitting rate of a port specifies the maximum number...

Page 256: ... 0 1 Sysname Ethernet1 0 1 stp transmit limit 15 Configuring the Current Port as an Edge Port Edge ports are ports that neither directly connects to other switches nor indirectly connects to other switches through network segments After a port is configured as an edge port the rapid transition mechanism is applicable to the port That is when the port changes from the blocking state to the forwardi...

Page 257: ...able 2 Configure Ethernet 1 0 1 as an edge port in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp edged port enable Setting the Link Type of a Port to P2P A point to point link directly connects two switches If the roles of the two ports at the two ends of a point to point link meet certain criteria the two ports can turn to the forwarding state r...

Page 258: ...u can configure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual physical link of a port is not a point to point link and you forcibly configure the link as a point to point link loops may occur temporarily Configuration example Configure the link connected to E...

Page 259: ... Optional By default MSTP is enabled on all ports To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Other MSTP related settings can take effect only after MSTP is enabled on the switch Configuration example Disable MSTP on Ethernet 1 0 1 1 Perform...

Page 260: ...1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the IEEE 802 1t standard to calculate the default path costs of ports z legacy Adopts the proprietary standard to calculate the default path costs of ports Follow these steps to specify the standard for calculating path costs To do Use the command Remarks Enter system view system view Specify the ...

Page 261: ...he aggregated link measured in 100 Kbps Configure the path cost for specific ports Follow these steps to configure the path cost for specified ports in system view To do Use the command Remarks Enter system view system view Configure the path cost for specified ports stp interface interface list instance instance id cost cost Required An MSTP enabled switch can calculate path costs for all its por...

Page 262: ...ard dot1d 1998 Configuring Port Priority Port priority is an important criterion on determining the root port In the same condition the port with the smallest port priority value becomes the root port A port on an MSTP enabled switch can have different port priorities and play different roles in different MSTIs This enables packets of different VLANs to be forwarded along different physical paths ...

Page 263: ...w Sysname stp interface Ethernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp instance 1 port priority 16 Setting the Link Type of a Port to P2P Refer to Setting the Link Type of a Port to P2P Enabling MSTP Refer to Enabling MSTP Performing mCheck Operation Ports on an MSTP enable...

Page 264: ...hernet 1 0 1 mcheck 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp mcheck Configuring Guard Functions The following guard functions are available on an MSTP enabled switch BPDU guard root guard loop guard and TC BPDU attack guard Configuring BPDU Guard Normally the access ports of the devices operating on the access...

Page 265: ...cable to these ports even if you enable the BPDU guard function and specify these ports to be MSTP edge ports Configuring Root Guard A root bridge and its secondary root bridges must reside in the same region The root bridge of the CIST and its secondary root bridges are usually located in the high bandwidth core region Configuration errors or attacks may result in configuration BPDUs with their p...

Page 266: ...nd Remarks Enter system view system view Enable the root guard function on specified ports stp interface interface list root protection Required The root guard function is disabled by default Follow these steps to enable the root guard function in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view Interface interface type interface number Enable...

Page 267: ...guard on the root port and alternate port of a non root bridge z Loop guard root guard and edge port settings are mutually exclusive With one of these functions enabled on a port any of the other two functions cannot take effect even if you have configured it on the port Configuration Prerequisites MSTP runs normally on the switch Configuration procedure Follow these steps to configure loop guard ...

Page 268: ...C BPDU After the number of the TC BPDUs received reaches the maximum times the switch stops performing the removing operation For example if you set the maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC BPDUs in the period the switch removes the MAC address table and ARP entries for only 100 times within the period Configuration prereq...

Page 269: ...able digest snooping on the port Then the switch 4500 regards another manufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manufacturer s switch and put them in the BPDUs to be sent to the another manufacturer s switch In this way the switch 4500 can communicate with another manufacturer s switches in the same MST region The di...

Page 270: ...name revision level and VLAN to instance mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to bound...

Page 271: ...e mode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers switches adopt proprietary spanning tree protocols that...

Page 272: ...is the root port Figure 20 8 Network diagram for rapid transition configuration Configuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view system view Enable the rapid transition feature stp interface interface type interface number no agreement check Req...

Page 273: ...he service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the service provider network configure the arriving STP packets at the input device to have MAC addresses in a special format and reconvert them back to their original formats at the output device This is ...

Page 274: ...witch MSTP Maintenance Configuration Introduction In a large scale network with MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance personnel may expect that log trap information is output to the log host when particular ports fail so that they can check the status changes of those ports through alarm information Enabling Log Tra...

Page 275: ...ration example Enable a switch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp instance 1 dot1d trap newroot enable Displaying and Maintaining MSTP To do Use the command Remarks Display the state and statistics information about spanning trees of the current device display stp...

Page 276: ...ayer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 20 10 Network diagram for MSTP configuration The word permit shown in Figure 20 10 means the corresponding link permits packets of specific VLANs Configuration procedure 1 Configure Switch A Enter MST region view Sysname system v...

Page 277: ...ter MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch C ...

Page 278: ...sion between the customer networks and the service provider network Network diagram Figure 20 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1 GE 1 0 2 GE 1 0 1 GE 1 0 2 GE 1 0 1 Configuration procedure 1 Configure Switch A Enable MSTP Sysname system view Sysname stp enable Add Ethernet 1 0 1 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port...

Page 279: ...ANs Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add GigabitEthernet 1 0 2 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port GigabitEthernet 1 0 2 Enable the VLAN VPN function on GigabitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthe...

Page 280: ...entry z z ute Routers are used for route selection on the Internet As a router receives a packet it selects an appropriate route destination h The key for a router to forward packets is the routing table Each router maintains a routing table Each entry in this table contains an IP address that represents a host subnet and specifies which physical port on the router should be used to forward th for...

Page 281: ...smallest numerical value will optimal route According to different destinations routes f z Subnet route The destination is a subnet z Host route The destination is a host In addition according to whether the network where the destination resides is directly connected router routes fall into the following categories z Direct route The router is directly connected to the network where the destinatio...

Page 282: ...pology changes Dynamic routing is based on dynamic routing protocols which can detect network topology changes and recalculate the routes accordingly Therefore dynami complicated to configure and it not only imposes hig Dynamic routing protocols can be classified based on the following standards tional scope Interior z BGP An autonomous system refers to a group of routers that share the same route...

Page 283: ...Any other type of routes can have their priorities manually configured red with a different priority z z Each static route can be configu Load Shar L protocol may find several routes with the same metric to the same destination and if this ring R same destination expecting the one with the highest priority to Under normal circumstances packets are forwarded through the primary route When the prima...

Page 284: ...ation about routes permitted by a basic ACL display ip routing table acl acl number verbose Display information about routes permitted by a prefix list display ip routing table ip prefix ip prefix name verbose Display routes to a specified destination display ip routing table ip address mask mask length longer match verbose Display routes to specified destinations display ip routing table ip addre...

Page 285: ...his router nd help troubleshoot the network Route Static routes are special routes They are manually configured by the administrator In a relatively simple network you only need to c configuration and usage of static routes can improve network performance and ensure sufficient bandwidth for important applications When the network topology changes static routes may become unreachable be adapt thems...

Page 286: ...es for related interfaces ollow these steps to igure a static ro Use the command Re To do marks Enter system view system view Configure a static route length interface type interface number next hop preference preference value reject blackhole detect group group number description text By default the system can obtain the route to the subnet directly connected to the router ip route static ip addr...

Page 287: ...gned as shown in Figure 22 1 ic Route Configuration Example work requirements that the network st not support any dynamic routing protocol can be fully utilized In this case static routes can implement communication b Network diagram According to the network requirements the network to Figure 22 1 Network diagram for static route configuration 1 1 5 2 24 Switch B Switch A Switch C Host A 1 1 5 1 2...

Page 288: ... a static route on Switch A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 2 2 Approach 1 Configure static routes on Switch B SwitchB system view SwitchB ip route static 1 1 2 0 255 255 255 SwitchB ip route stat SwitchB ip route static 1 1 1 0 255 255 255 0 1 1 Approach 2 Configure a static route o SwitchB system view SwitchB ip route static 0 0 0 0 0 0 0 0 1 1 3 1 Configure stati...

Page 289: ...stinations and each z address of a host or network Overview networks RIP is not reco RIP is a distance vector D V algorithm based protocol It uses port 520 to exchange routing information through UDP packets RIP uses hop count also called routing cost to measure the distance to a destination address In RIP the hop count from a router to its directly connected network is 0 and that to a network whi...

Page 290: ...aging time If no update for a route is received after the aging time elapses the metric of the route is set to 16 in the routing table Garbage collection timer The garbage collect timer defines the interval from when the metric of a route becomes 16 to whe length RIP advertises th route after the Garbage Collect timer expires the route will be deleted from the routing table on RIP ance vector D V ...

Page 291: ... split horizon Optional Configuring RIP 1 packet zero field check Optional Setting RIP 2 packet authentication mode Optional RIP Network Adjustment and Optimization Configuring RIP to unicast RIP packets Optional Bas R Config r s perform the following tasks z Configuring the link layer protocol des are reachable to Configuring Basic RIP Functions Enabling RIP on the interfaces attached to a specif...

Page 292: ...send RIP update packets rip output Enable the interface to receive and send RIP update packets rip work Optional Enabled by default Specifying the RIP version on an interface Follow these steps to specify the RIP version on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify the version of the RIP running o...

Page 293: ...itional routing metric To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the additional routing metric to be added for incoming RIP routes on this interface rip metricin value Optional 0 by default Set the additional routing metric to be added for outgoing RIP routes on this interface rip metricout value Optional 1 by def...

Page 294: ...ncoming outgoing routes The route filtering function provided by a router enables you to configure inbound outbound filter policy by specifying an ACL address prefix list or route policy to make RIP filter incoming outgoing routes Besides you can configure RIP to receive only the RIP packets from a specific neighbor Follow these steps to configure RIP to filter incoming outgoing routes To do Use t...

Page 295: ...he RIP preference preference value Required 100 by default Enabling load sharing among RIP interfaces Follow these steps to enable load sharing among RIP interfaces To do Use the command Remarks Enter system view system view Enter RIP view rip Enable load sharing among RIP interfaces traffic share across interf ace Required Disabled by default Configuring RIP to redistribute routes from another pr...

Page 296: ... adjacent nodes are reachable to each other at the network layer z Configuring basic RIP functions Configuration Tasks Configuring RIP timers Follow these steps to configure RIP timers To do Use the command Remarks Enter system view system view Enter RIP view rip Set the RIP timers timers update update timer timeout timeout timer Required By default the Update timer is 30 seconds and the Timeout t...

Page 297: ...n modes simple authentication and message digest 5 MD5 authentication Simple authentication cannot provide complete security because the authentication keys sent along with packets that are not encrypted Therefore simple authentication cannot be applied where high security is required Follow these steps to set RIP 2 packet authentication mode To do Use the command Remarks Enter system view system ...

Page 298: ...tion display rip routing Available in any view Reset the system configuration related to RIP reset Available in RIP view RIP Configuration Example Network requirements A small sized company requires that any two nodes in its small office network communicate with each other and that the network devices automatically adapt themselves to any topology change so as to reduce the work of manual maintena...

Page 299: ... rip SwitchB rip network 196 38 165 0 SwitchB rip network 110 11 2 0 3 Configure Switch C Configure RIP SwitchC system view SwitchC rip SwitchC rip network 117 102 0 0 SwitchC rip network 110 11 2 0 Troubleshooting RIP Configuration Failed to Receive RIP Updates Symptom The Ethernet switch cannot receive any RIP update when the physical connection between the switch and the peer routing device is ...

Page 300: ...r routing information uction to IP Route Policy Route policy is technology used to modify routing information to control the forwarding path of data packets Route policy is implemented by changing the route attributes such as reachability When a router distributes or receives routing information it may need to implement some policies to filter the routing information so as to receive or distribute...

Page 301: ...tributes with information will be set if the conditions are satisfied A route policy can comprise multiple nodes Each node is a unit for matching test and the nodes will be matched in ascending order of their node numbers Each node comprises a set of if match and apply clauses The if match clauses define the matching rules The matching objects are some attributes of routing information The relatio...

Page 302: ...red Not defined by default z The permit argument specifies the matching mode for a defined node in the route policy to be in permit mode If a route matches the rules for the node the apply clauses for the node will be executed and the test of the next node will not be taken If not however the route takes the test of the next node z The deny argument specifies the matching mode for a defined node i...

Page 303: ...ion Apply a cost to routes satisfying matching rules apply cost value Optional By default no cost is applied to routes satisfying matching rules Define an action to set the tag field of routing information apply tag value Optional By default no action is defined to set the tag field of routing information z A route policy comprises multiple nodes There is an OR relationship between the nodes in a ...

Page 304: ... checks the entries in ascending order of index number Once the route matches an entry the route passes the filtering of the IP prefix list and no other entry will be matched Follow these steps to configure an IPv4 IP prefix list To do Use the command Remarks Enter system view system view Configure an IPv4 IP prefix list ip ip prefix ip prefix name index index number permit deny network len greate...

Page 305: ...If a fault occurs to the main link of one service dynamic backup can prevent service interruption Network diagram According to the network requirements the network topology is designed as shown in Figure 24 1 Figure 24 1 Network diagram Device Interface IP address Switch A Vlan int 2 2 2 2 1 8 Vlan int 3 3 3 3 254 8 Vlan int 10 1 1 1 254 8 Switch B Vlan int 3 3 3 3 253 8 Vlan int 6 6 6 6 5 8 Vlan ...

Page 306: ...itchB rip network 1 0 0 0 SwitchB rip network 3 0 0 0 SwitchB rip network 6 0 0 0 3 Configure Switch C Create VLANs and configure IP addresses for the VLAN interfaces The configuration procedure is omitted Define IP prefix 1 containing the IP address prefix 1 0 0 0 8 and IP prefix 2 containing the IP address prefix 3 0 0 0 8 SwitchC system view SwitchC ip ip prefix 1 index 10 permit 1 0 0 0 8 Swit...

Page 307: ...chC route policy quit Create node 50 with the matching mode being permit to allow all routing information to pass SwitchC route policy in permit node 50 SwitchC route policy quit Configure RIP and apply the route policy in to the incoming routing information SwitchC rip SwitchC rip network 1 0 0 0 SwitchC rip network 3 0 0 0 SwitchC rip network 6 0 0 0 SwitchC rip filter policy route policy in imp...

Page 308: ...one if you try to set it to 0 z The cost will still be 16 if you try to set it to 16 2 Using the if match interface command will match the routes whose outgoing interface to the next hop is the specified interface 3 You are recommended to configure a node to match all routes not passing the preceding nodes in a route policy 4 If the cost of a received RIP route is equal to 16 the cost specified by...

Page 309: ...erview With the development of the Internet more and more interaction services such as data voice and video services are running on the network In addition highly bandwidth and time critical services such as e commerce Web conferencing have come into being These services have higher requirements for information security legal use of paid services and network bandwidth sections describe and compare...

Page 310: ...nformatio ation Transmission in the Broadcast Mode When you broadcast traffic the system transm network can receive the information no matter if the inform shows information transmission in broadcast mode Figure 25 2 Information transmission in the broadcast mode Source Server Receiver Receiver Receiver Host A Host B Host C Host D Host E Packets for all the network Hosts B D and E need the informa...

Page 311: ...sts B D and E need the information To transmit the information to the right users it is ry to group Hosts B D and E into a receiver set The routers on the network duplicate and necessa corre st data flow on each z rs does not work burden remarkably The advantages of multicast over broadcast are as follows requires the data Roles z distribute the information based on the distribution of the receive...

Page 312: ...urns off the TV set The receiver leaves the multicast group A multicast source does not necessarily belong to a multicast group Namely a multicast source is receiver data to multiple multicast groups at the same time and multiple e multicast group at the same time z not necessarily a multicast data z A multicast source can send multicast sources can send data to the sam Common Notations in Multica...

Page 313: ...ications of m z Communication for training and cooperative operations such as remote educatio z Database and financial applica z Any point to multiple point data a Based on the multicast source processing modes there are three multicast models z Any source multicast ASM z Source filtered multicast SFM z Source specific multicast SSM In the ASM group numbers of receivers can join a multicast group ...

Page 314: ...io z Multicast rou building a mu z Multicast application A multicast source must support multicast applications such as video confere multicast information cast Address As receivers are multiple hosts in a multicast group you should be concerned about the following questions z What destination should the information source send the information to in the multicast mode z How to select the destinati...

Page 315: ...source specific multicast SSM multicast group addresses 239 0 0 0 to 239 255 255 255 Administratively scoped multicast addresses which are for specific local use only As spe sses ranging from 224 0 0 0 to 224 0 0 255 are reserved for network p local networks The followin y used reserved IP multicast addresses T served IP multicast addre cified by IANA the IP addre rotocols on g table lists commonl...

Page 316: ...C address When a unicast IP packet is transported in an Ethernet network the destination MAC address is the MAC address of the receiver Whe multicast MAC address is used as the uncertain number of members As stipulated by IANA the high order 24 bits of a multicast MAC address are 0x0100 low order 23 bits of a MAC address are the low order 23 bits of the multicast IP addre describes the mapping rel...

Page 317: ...s Typically the Internet Group Management Protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with the hosts These protocols define the mechanism of establishing and maintaining group memberships between hosts and Layer 3 multicast devices 3 Multicast routing protocols A multicast routing protocol runs on Layer 3 multicast devices to establish and maintain multicas...

Page 318: ... controlling and limiting the flooding of multicast data in a Layer 2 network 2 Multicast VLAN In the traditional multicast on demand mode when users in different VLANs on a Layer 2 device need multicast information the upstream Layer 3 device needs to forward a separate copy of the multicast data to each VLAN of the Layer 2 device With the multicast VLAN feature enabled on the Layer 2 device the ...

Page 319: ...ns that the S G entry is correct but the packet arrived from a wrong path and is to be discarded z If the result of the RPF check shows that the RPF interface is not the incoming interface of the existing S G entry this means that the S G entry is no longer valid The router replaces the incoming interface of the S G entry with the interface on which the packet actually arrived and forwards the pac...

Page 320: ...e of Switch C Switch C performs an RPF check and finds in its unicast routing table that the outgoing interface to 192 168 0 0 24 is VLAN interface 2 This means that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives to VLAN interface 2 of Switch C and the corresponding forwarding entr...

Page 321: ...ing Suppression on the Multicast Source Port Some users may deploy unauthorized multicast servers on the network This affects the use of network bandwidth and transmission of multicast data of authorized users by ta configure multicast source port suppression on certain ports to prevent unauth attached to these ports from sending multicast traffic to the network stem view s to co t source port sup...

Page 322: ...st MAC address entry by configuring a multicast MAC address entry manually Generally when receiving a multicast packe switch will flood the packet within the VLAN to which the port belongs You s to co dress entry in system view To do Use the command Remarks Enter system view system view Create a multicast MAC address entry mac address interface interface list vlan vlan id address argument must be ...

Page 323: ... not registered on the local switch the packet will be flooded in the VLAN which the multicast packet belongs to When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address is not registered Thus the bandwidth is saved and the processing efficiency of the system is improved Follow these steps to configure dropping unknown mu...

Page 324: ...nstraining 2 devices to manage and control multicast groups Princ g received IGMP messages a Layer 2 device running IGMP Snooping establishes P Snooping Overview mechanism that runs on Layer iple of IGMP Snooping By analyzin mappings between ports and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 27 1 when IGMP Snooping is not running on the switch ...

Page 325: ...ooping runs on Switch A and Switch B Host A and Host C are receiver hosts namely multicast group members Figure 27 2 IGMP Snooping related ports Ports involved in IGMP Snooping as shown in Figure 27 2 are described as follows z Router port A router port is a port on the Layer 3 multicast device DR or IGMP querier side of the Ethernet switch In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0...

Page 326: ...ving an IGMP general query the switch forwards it through all ports in the VLAN except the receiving port and performs the following to the receiving port z If the receiving port is a router port existing in its router port list the switch resets the aging timer of this router port z If the receiving port is not a router port existing in its router port list the switch adds it into its router port...

Page 327: ...tely delete the forwarding entry corresponding to that port from the forwarding table instead it resets the aging timer of the member port Upon receiving the IGMP leave message from a host the IGMP querier resolves from the message the address of the multicast group that the host just left and sends an IGMP group specific query to that multicast group through the port that received the leave messa...

Page 328: ...st Traffic in a VLAN Optional Configuring Static Member Port for a Multicast Group Optional Configuring a Static Router Port Optional Configuring a Port as a Simulated Group Member Optional Configuring a VLAN Tag for Query Message Optional Configuring Multicast VLAN Optional Enabling IGMP Snooping Follow these steps to enable IGMP Snooping To do Use the command Remarks Enter system view system vie...

Page 329: ...GMP snooping version 2 can process IGMPv1 and IGMPv2 messages but not IGMPv3 messages which will be flooded in the VLAN z IGMP snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages Follow these steps to configure the version of IGMP Snooping To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the version of IGMP Snooping igmp snooping versi...

Page 330: ...essing helps improve bandwidth and resource usage If fast leave processing and unknown multicast packet dropping or non flooding are enabled on a port to which more than one host is connected when one host leaves a multicast group the other hosts connected to port and interested in the same multicast group will fail to receive multicast data for that group Enabling fast leave processing in system ...

Page 331: ...port If the receiving port can join this multicast group the switch adds this port to the IGMP Snooping multicast group list otherwise the switch drops this report message Any multicast data that has failed the ACL check will not be sent to this port In this way the service provider can control the VOD programs provided for multicast users Make sure that an ACL rule has been configured before conf...

Page 332: ...t programs on demand available to users thus to regulate traffic on the port Follow these steps to configure the maximum number of multicast groups on a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Limit the number of multicast groups on a port igmp snooping group limit limit vlan vlan list overflow replace Requ...

Page 333: ...ng failure in the end When a Layer 2 device acts as an IGMP Snooping querier to avoid the aforesaid problem configure a non all zero IP address as the source IP address of IGMP queries IGMP Snooping querier related configurations include z Enabling IGMP Snooping querier z Configuring the IGMP query interval and z Configuring the source address to be carried in IGMP general and group specific queri...

Page 334: ... and relays the packet to router ports only instead of flooding the packet within the VLAN If the switch has no router ports it drops the multicast packet Follow these steps to suppress flooding of unknown multicast traffic in the VLAN To do Use the command Remarks Enter system view system view Enable unknown multicast flooding suppression igmp snooping nonflooding enable Required By default unkno...

Page 335: ...ace interface list Required By default no port is configured as a static multicast group member port z You can configure up to 200 static member ports on a Switch 4500 z If a port has been configured as an XRN fabric port or a reflect port it cannot be configured as a static member port Configuring a Static Router Port In a network where the topology is unlikely to change you can configure a port ...

Page 336: ...raffic Through this configuration the following functions can be implemented When an Ethernet port is configured as a simulated member host the switch sends an IGMP report through this port Meanwhile the switch sends the same IGMP report to itself and establishes a corresponding IGMP entry based on this report z When receiving an IGMP general query the simulated host responds with an IGMP report M...

Page 337: ...By default the VLAN tag in IGMP general and group specific query messages is not changed It is not recommended to configure this function while the multicast VLAN function is in effect Configuring Multicast VLAN In traditional multicast implementations when users in different VLANs listen to the same multicast group the multicast data is copied on the multicast router for each VLAN that contains r...

Page 338: ... the port type is hybrid Follow these steps to configure multicast VLAN on the Layer 2 switch To do Use the command Remarks Enter system view system view Enable IGMP Snooping igmp snooping enable Enter VLAN view vlan vlan id Enable IGMP Snooping igmp snooping enable Required Enable multicast VLAN service type multicast Required Return to system view quit Enter Ethernet port view for the Layer 3 sw...

Page 339: ...same time Displaying and Maintaining IGMP Snooping To do Use the command Remarks Display the current IGMP Snooping configuration display igmp snooping configuration Available in any view Display IGMP Snooping message statistics display igmp snooping statistics Available in any view Display the information about IP and MAC multicast groups in one or all VLANs display igmp snooping group vlan vlan i...

Page 340: ... Ethernet 1 0 1 RouterA Ethernet1 0 1 igmp enable RouterA Ethernet1 0 1 pim dm RouterA Ethernet1 0 1 quit RouterA interface Ethernet 1 0 2 RouterA Ethernet1 0 2 pim dm RouterA Ethernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA igmp snooping enable Enable IGMP Snooping ok Create VLAN 100 assign Ethernet 1 0 1 through Ethernet 1 0 4 to this VLAN and ena...

Page 341: ... multicast source A Layer 2 switch Switch B forwards the multicast data to the end users Host A and Host B Table 27 2 describes the network devices involved in this example and the configurations you should make on them Table 27 2 Network devices and their configurations Device Device description Networking description Switch A Layer 3 switch The interface IP address of VLAN 20 is 168 10 1 1 Ether...

Page 342: ... 10 1 1 Eth1 0 1 Eth1 0 10 Vlan2 Vlan3 Eth1 0 10 Vlan10 Eth1 0 1 Eth1 0 2 HostA HostB Vlan int10 168 10 2 1 Configuration procedure The following configuration is based on the prerequisite that the devices are properly connected and all the required IP addresses are already configured 1 Configure Switch A Set the interface IP address of VLAN 20 to 168 10 1 1 and enable PIM DM on the VLAN interface...

Page 343: ... 10 SwitchB interface Ethernet 1 0 10 SwitchB Ethernet1 0 10 port link type hybrid SwitchB Ethernet1 0 10 port hybrid vlan 2 3 10 tagged SwitchB Ethernet1 0 10 quit Define Ethernet 1 0 1 as a hybrid port add the port to VLAN 2 and VLAN 10 configure the port to forward untagged packets for VLAN 2 and VLAN 10 and set VLAN 2 as the default VLAN of the port SwitchB interface Ethernet 1 0 1 SwitchB Eth...

Page 344: ...ew and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corresponding VLAN use the igmp snooping enable command in VLAN view only to enable it on the corresponding VLAN 2 Multicast forwarding table set up by IGMP Snooping is wrong z Use the display igmp snooping group command to check if the multicast groups are expected ones z If th...

Page 345: ...mon access control mechanism for LAN ports to address mainly authentication and security problems 802 1x is a port based network access control protocol It authenticates and controls devices requesting for access in terms of the ports of LAN acc a user side device can access the authentication are denied when accessing the LAN This section covers these topics z Architecture of 802 1x Authenticatio...

Page 346: ...cation se authenticator system Normally in the form of a RADIUS server the authentication server system serves to perform Authentication Authorization and Accounting AAA services to users It also stores user information such as user name password the VLAN a user belongs to priority and the Access Control Lists ACLs appli The four basic concepts related to the above three entities are PAE controlle...

Page 347: ...hen a supplicant system goes offline the others are not affected echanism of an 802 1x Authentication System authentication system uses the Extensible Authentication Protocol EAP to exchange n between the supplicant system and the authentication server apsulated as EAP over RADIUS EAPoR packets or be terminated at system mmunicate with RADIUS servers through Password Handshake Authentication Proto...

Page 348: ...E z The Protocol version field holds the version of the protocol supported by the sender of the EAPoL packet 00 Indicates that the pack 01 Indicates that the packet is an EAPoL start packet which initiates the authentication 02 Indicates that the packet is an EAPoL log 03 Indicates that the packet is an EAPoL ke 04 Indicates that the packet is an EAPoL e support the alerting messages of Alertin z ...

Page 349: ...wly added fields for EAP authentication T authentication Refer to the Introduction to RADIUS protocol section in the AAA Operation for information about the format of a RADIUS protocol packet The EAP message field whose format is shown in Figure 28 6 is used to encapsulate EAP packets The maximum size of the string field is 253 bytes EAP packets with their size larger than 253 bytes are ge fields ...

Page 350: ...eys z EAP TLS allows the supplicant system and the RADIUS server to check each other certificate and authenticate each other s identity guaranteeing that data is t destination and preventing data from being intercepted z EAP TTLS is a kind of extended EAP TLS EAP TLS between the client and authentication server EAP TTLS transm established using TLS z PEAP creates and uses TLS security channels to ...

Page 351: ...ver Upon receiving the packet from the switch the RAD packet finds the corresponding password by matching the user name in its database encrypts the password using a randomly gen access challenge packet The switch then sends the key to the 802 1x client Upon receiving the key encapsulated in an EAP request MD5 challenge packet from the access request packet with the locally encrypted password If t...

Page 352: ... sets the handshake period and is triggered after a supplicant system passes the authentication It sets the interval for a switch to send handshake request packets to online users You can set the maximum number of transmission attempts by using the dot1x retry command An online user will be considered offline when the switch has not received any response packets after the maximum number of handsha...

Page 353: ...o cannot request for authentication actively The switch sends multicast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multicast request identity packets z Client version request timer ver period This timer sets the version period and is triggered after a switch sends a version request packet The switch send...

Page 354: ...ent the proxy detecting function you need to enable the function on both the 802 1x client program and the CAMS server in addition to enabling the client version detecting function on the switch by using the dot1x version check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 802 1x client to prevent unautho...

Page 355: ... the switch can monitor the connection status of users periodically If the switch receives no re authentication response from a user in a period of time it tears down the connection to the user To connect to the switch again the user needs to initiate 802 1x authentication with the client software again z When re authenticating a user a switch goes through the complete authentication process It tr...

Page 356: ...o configure AAA schemes on switches and specify the authentication scheme RADIUS or local authentication scheme Figure 28 11 802 1x configuration z 802 1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you...

Page 357: ... By default 802 1x is disabled on all ports In system view dot1x port control authorized force unauthorized force auto interface interface list interface interface type interface number dot1x port control authorized force unauthorized force auto Set port access control mode for specified ports In port view quit Optional By default an 802 1x enabled port operates in the auto mode In system view dot...

Page 358: ...annot be configured as EAP z With the support of the H3C proprietary client handshake packets are used to test whether or not a user is online z As clients that are not of H3C do not support the online user handshaking function switches cannot receive handshake acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online ...

Page 359: ...Enable the quiet period timer dot1x quiet period Optional By default the quiet period timer is disabled z As for the dot1x max user command if you execute it in system view without specifying the interface list argument the command applies to all ports You can also use this command in port view In this case this command applies to the current port only and the interface list argument is not needed...

Page 360: ...xy detecting function you need to enable the online user handshaking function first z The configuration listed in the above table takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking function needs to be enabled on the switch too by using the dot1x version check command Configuring Client Version Checking Follow these steps to configure cl...

Page 361: ... when they apply for dynamic IP addresses through DHCP Follow these steps to enable DHCP triggered authentication To do Use the command Remarks Enter system view system view Enable DHCP triggered authentication dot1x dhcp launch Required By default DHCP triggered authentication is disabled Configuring Guest VLAN Follow these steps to configure guest VLAN To do Use the command Remarks Enter system ...

Page 362: ...e authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and password or however use re authentication for only accounting and user connection status checking and therefore does not authenticate the username and password any more z An authentication server running CAMS...

Page 363: ...ample Network requirements z Authenticate users on all ports to control their accesses to the Internet The switch operates in MAC based access control mode z All supplicant systems that pass the authentication belong to the default domain named aabbcc net The domain can accommodate up to 30 users As for authentication a supplicant system is authenticated locally if the RADIUS server fails And as f...

Page 364: ...ds Configuration on the client and the RADIUS servers is omitted Enable 802 1x globally Sysname system view System View return to User View with Ctrl Z Sysname dot1x Enable 802 1x on Ethernet 1 0 1 Sysname dot1x interface Ethernet 1 0 1 Set the access control method to MAC based This operation can be omitted as MAC based is the default Sysname dot1x port method macbased interface Ethernet 1 0 1 Cr...

Page 365: ... RADIUS server with the domain name truncated Sysname radius radius1 user name format without domain Sysname radius radius1 quit Create the domain named aabbcc net and enter its view Sysname domain aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme Sysname isp aabbcc net scheme radius scheme radiu...

Page 366: ...P redirection redirection approach when the terminal users that have not passed 802 1x authentication nt have downloaded and installed one om the specified server themselves before they can access the Internet thus decreasing the complexity and effort that EAD client deployment may involve EAD Deployment Overview As an integrated solution an defense power of a network In real applications however ...

Page 367: ...z With dot1x enabled but quick EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obtain IP addresses dynamically before passing authentication if the IP address of the DHCP server is in the free IP range z The quick EAD deployment function applies to only ports with the access control mode set to auto through ...

Page 368: ...eps to configure the ACL timer To do Use the command Remarks Enter system view system view Set the ACL timer dot1x timer acl timeout acl timeout value Required By default the ACL timeout period is 30 minutes Displaying and Maintaining Quick EAD Deployment To do Use the command Remarks Display configuration information about quick EAD deployment display dot1x sessions statistics interface interface...

Page 369: ...ser s PC is configured as the IP address of the connected VLAN interface on the switch Configure the URL for HTTP redirection Sysname system view Sysname dot1x url http 192 168 0 111 Configure a free IP range Sysname dot1x free ip 192 168 0 111 24 Set the ACL timer to 10 minutes Sysname dot1x timer acl timeout 10 Enable dot1x globally Sysname dot1x Enable dot1x for Ethernet 1 0 1 Sysname dot1x int...

Page 370: ... dotted decimal notation As a result the PC cannot receive any ARP response and therefore cannot be redirected To solve this problem the user needs to enter an IP address that is not in the free IP range in dotted decimal notation z If a user enters an address in the free IP range the user cannot be redirected This is because the switch considers that the user wants to access a host in the free IP...

Page 371: ...led ports and allow only the authorized ports to forward packets In case a port fails 802 1x authentication and authorization serv impossible to manage the switch attached to the port The Huawei Authentication Bypass Protocol HABP aims at solving this problem An HABP packet carries the MAC addresses of the attached switches with it It can bypass the 802 1x authentications when can obtain the MAC a...

Page 372: ...tached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to en a Follow these steps to configure an HABP client able HABP on a switch to make it n HABP client To do Use the command Remarks Enter system view system view Enable HAB habp ional HABP is enabled by default And a swit n HABP client after you enable P enable Opt ch operate...

Page 373: ...all Layer 3 packets that the switch error packets to the CPU CPU PU protection function allows you to control the amount of packets sent to the CPU within a given time period by setting the CPU protection parameter thus preventing exceptionally high CPU usage System Guard Overvi d Against IP Attacks System guard operates to inspect the IP packets over 10 second intervals for the CPU for suspicious...

Page 374: ...time Optional By default ip record threshold is 30 record times threshold is 1 and isolate time is 3 The correlations among the arguments of the system guard ip detect threshold command can be clearly described with this example If you set ip record threshold record times threshold and isolate time to 30 1 and 3 respectively when the system detects successively three times that over 50 IP packets ...

Page 375: ...or control To do Use the command Remarks Enter system view system view Enable Layer 3 error control system guard l3err enable Required Enabled by default Configuring CPU Protection The CPU protection function is achieved through limiting the amount of packets sent to the CPU within a given time period With CPU protection enabled some normal packets may fail to be sent to the CPU for processing tim...

Page 376: ...ameter settings of System Guard against IP attacks display system guard ip state Display the information about IP packets received by the CPU display system guard ip record Display the status of Layer 3 error control display system guard l3err state Display the status of TCN display system guard tcn state Available in any view ...

Page 377: ...available to the users who can acc and z Accounting Defines how to charge the users who are using network resources Typically AAA operates in the client management of use entication supports the following authent z None authentication Users are trusted and are not checked for their validity Generally this method is not recommended Local authentication User information including username password a...

Page 378: ...depe duction to AAA Services AAA is a management framework It can be implemented by not only one protocol But in practice the most commonly used service for AAA is RADIUS DIUS ote Authentication Dial in User Service RADIUS is a distributed service based on client server stru can prevent unauthorized access to your network and is commonly used in network nments where both high security and remote u...

Page 379: ...een a RADIUS client a switch for example and a RADIUS server are verified through a shared key T authentication and authorization processes together by se the authentication response message Figure 32 2 depicts the message exchan user switch and RADIUS server Figure 32 2 Basic message exchange procedure of RADIUS ge procedure between The as follows 3 4 authenticate the user If the authentication s...

Page 380: ...twork at RADIUS messages are transported over UDP which does not guarantee reliable delivery of messages between RA management retransmission and depicts the format of RADIUS messages Figure 32 3 RADIUS message format s shown in Table 32 1 1 The Code field one byte decides the type of RADIUS message a Table 32 1 De alues of the Code field scription on the major v Code Message type Message descript...

Page 381: ...ates it is discarded 4 The Authenticator field 16 bytes is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authenticator and Response Authenticator 5 The Attributes field contains specific authentication authorization accounting information to provide the configuration details of a request or respon...

Page 382: ... depicts the format of attribute 26 The Vendor ID field used to identify a vendor occupies four bytes where the first byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Length and Value to implement a RADIUS extension Figure 32 4 Vendor specific attribute format Introduction to HWTACACS What...

Page 383: ... configuration command authorization Does not support In a typical HWTACACS application as shown in Figure 32 5 a terminal user needs to log into the switch to perform some operations As a HWTACACS client the switch sends the username and password to the TACACS server for authentication After passing authentication and being authorized the user successfully logs into the switch to perform operatio...

Page 384: ...ient sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client requests the user for the login password 5 After receiving the password the TACACS client sends an authentication continuance message carrying the password to the TACACS server 6 The TACACS server returns...

Page 385: ...s an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS client sends an accounting stop request to the TACACS server 13 The TACACS server returns an accounting response indicating that it has received the accounting stop request 32 9 ...

Page 386: ...butes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods You need to configure RADIUS or HWATACACS before z ing RADIUS or CACS authentication perform HWTA Configuring Dynamic VLAN Assignment Optional Configuring the Attributes o...

Page 387: ...e ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required If no ISP domain is set as the default ISP domain the ISP domain system is used as the default ISP domain Set the status of the ISP domain state active...

Page 388: ...with any accounting server when it performs accounting for a user it does not disconnect the user as long as the accounting optional command has been executed though it cannot perform accounting for the user in this case z The self service server location function needs the cooperation of a RADIUS server that supports self service such as Comprehensive Access Management Server CAMS Through self se...

Page 389: ...e That is if the communication between the switch and a TACACS server is normal the local scheme is not used if the TACACS server is not reachable or there is a key error or NAS IP error the local scheme is used z If you execute the scheme local or scheme none command to adopt local or none as the primary scheme the local authentication is performed or no authentication is performed In this case y...

Page 390: ...nfigured z RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain When the scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or local scheme still take...

Page 391: ...cation server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS authentication server the switch compares the ID with existing VLAN names on the switch If it finds a match it adds the port to the corresponding VLAN Otherwise the VLAN assignment fails and the user fails the authentication z VLAN list F...

Page 392: ...N list issued by the RADIUS server can contain up to 64 VLAN IDs Otherwise the authentication fails In addition a RADIUS attribute string can contain up to 253 characters For a VLAN list of more than 253 characters even though the VLAN list contains no more than 64 VLAN IDs the authentication switch will not accept this VLAN list which will also cause the authentication to fail z If a VLAN ID appe...

Page 393: ...re both MSTP and 802 1x are enabled you must set the MSTP port to an edge port z Only 802 1X authentication and RADIUS server authentication based MAC address authentication support the Auto VLAN feature z After a VLAN list is issued to a port if you use commands to assign remove the port to from a VLAN in the VLAN list some users will be disconnected z After a VLAN list is issued to a port you ca...

Page 394: ... type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of the user level level Optional By default the privilege level of the user is 0 Configure the authorized VLAN for the local user authorization vlan string Required By default no authorized VLAN is configured for the...

Page 395: ...ned with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentication user or multiple users with the same authorized VLAN to a port z For local RADIUS authentication to take effect the VLAN assignment mode must be set to string after you specify authorized VLAN...

Page 396: ...Restart Function Optional Configuring the RADIUS server Refer to the configuration of the RADIUS Server Complete the following tasks to configure RADIUS the switch functions as a local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Message...

Page 397: ... RADIUS server port settings on the switch consistent with those on the RADIUS servers Actually the RADIUS service configuration only defines the parameters for information exchange between switch and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view refer to AAA Configuration Creating a RADIUS Scheme The ...

Page 398: ...authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port number of the primary authentication server used by the default RADIUS scheme system are 127 0 0 1 and 1645 Configuring Ignorance of Assigned RADIUS Authorization Attributes A RADIUS server can be configured to assign...

Page 399: ...endor vendor id type type value Configure the RADIUS authorization attribute ignoring function Required Disabled by default In a RADIUS scheme you can configure z One standard attribute ignoring command z One proprietary attribute ignoring command per vendor z Up to three attribute ignoring commands in total Configuring RADIUS Accounting Servers Follow these steps to configure RADIUS accounting se...

Page 400: ...ronment you can specify one server as both the primary and secondary accounting servers as well as specifying two RADIUS servers as the primary and secondary accounting servers respectively In addition because RADIUS adopts different UDP ports to exchange authentication authorization messages and accounting messages you must set a port number for accounting different from that set for authenticati...

Page 401: ...he shared key on the accounting server Configuring the Maximum Number of RADIUS Request Transmission Attempts The communication in RADIUS is unreliable because this protocol uses UDP packets to carry its data Therefore it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the switch gets no answer aft...

Page 402: ...ver remains in the block state for a set time set by the timer quiet command the switch will try to communicate with the primary server again when it receives a RADIUS request If it finds that the primary server has recovered the switch immediately restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the p...

Page 403: ...mat with domain without domain Optional By default the usernames sent from the switch to RADIUS server carry ISP domain names Set the units of data flows to RADIUS servers data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet unit for outgoing RADIUS flows are byte and one packe...

Page 404: ...default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling Station Id field recognizable to RADIUS servers is different from the default MAC address format on the switch For details about field formats recognizable to RAD...

Page 405: ...S servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit the request to ensure that the user can obtain RADIUS service For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails t...

Page 406: ...s Enter system view system view Optional Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down By default the switch does not send trap message when a RADIUS server is down z This configuration takes effect on all RADIUS schemes z The switch considers a RADIUS server as being down if it has tried the configured maximum times t...

Page 407: ...update message 4 Once the switch receives the response from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting On message it will not send the Accounting On message any more The switch can automatically generate the main attributes NAS ID NAS IP address and ses...

Page 408: ...WTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to create a HWTACACS scheme To do Use the command Remarks Enter system view system view Required Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name By default no HWTACACS scheme...

Page 409: ...n remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server Configuring TACACS Authorization Servers Follow these steps to configure TACACS authorization servers To do Use the command Remarks Enter system view system view Required Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name By defau...

Page 410: ...address and port number of the secondary TACACS accounting server By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 secondary accounting ip address port Optional Enable the stop accounting message retransmission function and set the maximum number of transmission attempts of a buffered stop accounting message By default the stop accounting messages re...

Page 411: ...rs Follow these steps to configure the attributes for data to be sent to TACACS servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the format of the usernames to be sent to TACACS server user name format with domain without domain Optional By default t...

Page 412: ...seconds By default the response timeout time is five seconds Optional Set the time that the switch must wait before it can restore the status of the primary server to active By default the switch must wait five minutes before it can restore the status of the primary server to active timer quiet minutes Optional Set the real time accounting interval timer realtime accounting minutes By default the ...

Page 413: ...te active block user name user name Available in any view Displaying and Maintaining RADIUS Protocol Configuration To do Use the command Remarks Display RADIUS message statistics about local RADIUS server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius scheme radius scheme name Display RADIUS message statistics display radiu...

Page 414: ...ers The following text only takes Telnet users as example to describe the configuration procedure for remote authentication Network requirements In the network environment shown in Figure 33 2 you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server z A RADIUS authentication server with IP address 10 110 91 164 is connected to...

Page 415: ...e a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams key authentication aabbcc Sysname radius cams server type Extended Sysname radius cams user name format with domain Sysname radius cams quit Associate the ISP domain with the RADIUS scheme Sysname domain cams Sysname isp cams scheme ...

Page 416: ...edure Method 1 Using local authentication scheme Enter system view Sysname system view Adopt AAA authentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user telnet Sysname luser telnet service type telnet Sysname luser telnet password simple aabbcc Sysname luser ...

Page 417: ...address 10 110 91 164 is connected to the switch This server will be used as the authentication and authorization server On the switch set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off usernames before sending usernames to the TACACS server Configure the shared key to aabbcc on th...

Page 418: ...ddress of the RADIUS server is 1 1 1 1 z The shared key used when Switch and the RADIUS server exchange packets is hello Network diagram Figure 33 5 Network diagram for Auto VLAN configuration Configuration procedure z Configuration on the RADIUS server The configuration may vary on different RADIUS servers Configure VLAN lists on the RADIUS server by referring to Configuring dynamic VLAN list ass...

Page 419: ... interface Ethernet1 0 2 Switch Ethernet1 0 2 dot1x Switch Ethernet1 0 2 dot1x port method portbased Troubleshooting AAA Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP IP protocol suite This protocol prescribes how the switch and the RADIUS server of the ISP exchange user information with each other Symptom 1 User authentication authorization ...

Page 420: ...ne or all AAA UDP port settings are incorrect Be sure to set the same UDP port numbers as those on the RADIUS server Symptom 3 The user passes the authentication and gets authorized but the accounting information cannot be transmitted to the RADIUS server Possible reasons and solutions z The accounting port number is not properly set Be sure to set a correct port number for RADIUS accounting z The...

Page 421: ...heir access rights EAD a switch Verifies th of the packets It regards only those packets sourced from authentication or security policy server as valid z Dynamically adjusts the VLAN rate and packet sch session control packets whereby to control the cal Network Application of EAD EAD checks the security status of users before they can access the network and forcibly implements user access control ...

Page 422: ...dress pports up to eight IP addresses of security policy servers Required Each RADIUS scheme su EAD Configuration Example Network requirements In Figure 34 2 z A user is connected to Ethernet 1 0 1 on the switch The user adopts 802 1x client supporting EAD extend z ed function h to use RADIUS server for remote user authentication and The 64 and the switch and configure the switch z entication serv...

Page 423: ...a RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams accounting optional Sysname radius cams key authentication expert Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme Sysname radi...

Page 424: ...t initiates the authentication process During authentication the user does not need to ent username or password manually For Switch 45 Aft r determining the authentication method users can select one of the following types of user name as required MAC address mode where the MAC address of a user serves as the user name for authentication Fixed mode where user names and passwords are configured on ...

Page 425: ...t not be included depending on the format configured with usernameformat command otherwise the authentication will fail z passwords and use z The service type of a local user needs t s Ad ress Authentication Timers following timers functi z Offline detect timer At this interval the switch checks to see whether an online user has gone offline Once detecting that a user becomes offline the switch se...

Page 426: ... Specify an ISP domain for MAC address mac authentication domain isp name lt is used by authentication Required The default ISP domain defau domain default Configure the MAC address authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value s offline detect timer 60 seconds for quiet timer and 100 seconds for server time...

Page 427: ...ns for a switch this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the network entication this port will be added into the Guest VLAN automatically The MAC ddress of thi...

Page 428: ... to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is packets can be forwarded to the VLANs other than the Guest VLAN through the trunk port and the hybrid port even users fail to pass authentication multiple users are co uthe accessing this port and the client is connected to a p After users that are con ther users cannot be authen ou cannot configure a G...

Page 429: ...ication cannot be enabled for a port configured with a Guest VLAN The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuri Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authentication users for a port in order to ess users has nfigured maximum number the switch will not trigger MA...

Page 430: ...ilable in any view information about MAC address authentica Clear the statistics of global or reset ma on port MAC address interface authentication interface number c authentication statistics interface type Available in user view MAC Address Authentication Configuration Examples Net e 35 1 work requirements As illustrated in Figur a supplicant is connected to the switch through port Ethernet 1 0 ...

Page 431: ...n ISP domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the ISP domain for MAC address authentication Sysname mac authentication domain aabbcc net Enable MAC address authentication globally This is usually the last step in configuring access control related...

Page 432: ...tocol ARP is used to resolve an IP address into a data link layer address An IP address is the address of a host at the network layer To send a network layer packet to a destination host the dev d Unless otherwise stated a data link layer address in this chapter refers to a 48 bit Ethernet MAC ddress a ARP P Message Format AR messages are classified as ARP request messages and ARP reply messages F...

Page 433: ...r to Table 36 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packets which can be 1 ARP request packets 2 ARP reply packets 3 RARP request packets 4 RARP reply p...

Page 434: ...a0 2470 febd Target IP address 192 168 1 1 Target IP address 192 168 1 2 Host A 192 168 1 1 0002 6779 0f4c Host B 192 168 1 2 00a0 2470 febd Target MAC address 0000 0000 0000 Sender IP address 192 168 1 1 Sender IP address 192 168 1 2 Sender MAC address Target MAC address 0002 6779 0f4c 0002 6779 0f4c Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B T...

Page 435: ...ware address stored in their caches With the gratuitous ARP packet learning function enabled A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet exists in the cache Periodical sending of gratuitous ARP packets In an actual network when the network load or the CPU occupancy of th...

Page 436: ...es cannot be configured on the ports of an aggregation group Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable the gratuitous ARP packet learning function gratuitous arp learning enable Optional Disabled by default Enter VLAN interface view interface Vlan interface vlan id Enable the VLAN interface to send g...

Page 437: ...rp timer aging Available in any view Clear specific ARP entries reset arp dynamic static interface interface type interface number Available in user view ARP Configuration Examples Network requirements z Disable ARP entry check on the switch z Disable VLAN interface 1 of the switch from sending gratuitous ARP packets periodically z Set the aging time for dynamic ARP entries to 10 minutes z Add a s...

Page 438: ...mber of dynamic ARP entries that a to avoid ARP flood attacks uction to ARP Source MAC Address Consistency Check An attacker may use the IP or MAC address of anot packets These ARP packets can cause other network devices to update the corresponding ARP entries incorrectly thus interrupting network traffic To prevent such attacks you can configure ARP source MAC address consistency check on S4500 s...

Page 439: ...ng entries IP static binding entries or IP to MAC mappings of authenticated 802 1x users according to different network environments z If all the clients connected to the switch use IP addresses obtained through DHCP you are recommended to enable DHCP snooping on the switch The switch then checks validity of packets based on DHCP snooping entries z If the clients connected to the switch use IP add...

Page 440: ... the switch will count the ARP packets received on the port within each second If the number of ARP packets received on the port per second exceeds the preconfigured value the switch considers that the port is attacked by ARP packets In this case the switch will shut down the port As the port does not receive any packet the switch is protected from the ARP packet attack At the same time the switch...

Page 441: ...ss z To filter ARP attack packets arriving on the upstream port you can bind the IP and MAC addresses of the gateway to the cascaded port or upstream port of the access switch After that the port will discard ARP packets with the sender IP address as the gateway s IP address but with the sender MAC address different from the gateway s MAC address and permit other ARP packets to pass An ARP trusted...

Page 442: ...LAN Interface Can Learn Follow these steps to configure the maximum number of dynamic ARP entries that a VLAN interface can learn To do Use the command Remarks Enter system view system view Enter VLAN interface view interface vlan interface vlan id Configure the maximum number of dynamic ARP entries that the VLAN interface can learn arp max learning num number Optional The value is 2000 by default...

Page 443: ...eway s IP and MAC addresses on an Ethernet port Generally ARP packet filtering based on gateway s IP address is configured on the switch s port directly connected to a host and ARP packet filtering based on gateway s IP and MAC addresses is configured on the cascaded port or upstream port Configuring ARP Attack Detection Follow these steps to configure the ARP attack detection function To do Use t...

Page 444: ...switch These functions can cooperate with ARP attack detection to check the validity of packets z You need to use ARP attack detection based on authenticated 802 1x clients together with functions of both MAC based 802 1x authentication and ARP attack detection z Currently the VLAN ID of an IP to MAC binding configured on a port of an S4500 series Ethernet switch is the same as the default VLAN ID...

Page 445: ...auto recovery interval z You are not recommended to configure the ARP packet rate limit function on the ports of a fabric or an aggregation group ARP Attack Defense Configuration Example ARP Attack Defense Configuration Example I Network requirements As shown in Figure 37 3 Ethernet 1 0 1 of Switch A connects to DHCP Server Ethernet 1 0 2 connects to Client A Ethernet 1 0 3 connects to Client B Et...

Page 446: ...ble the ARP packet rate limit function on Ethernet 1 0 2 and set the maximum ARP packet rate allowed on the port to 20 pps SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 SwitchA Ethernet1 0 2 quit Enable the ARP packet rate limit function on Ethernet 1 0 3 and set the maximum ARP packet rate allowed on the port to 50 pps SwitchA...

Page 447: ... Configuration Procedures Enter system view Switch system view Configure ARP packet filtering based on the gateway s IP and MAC addresses on Ethernet 1 0 1 Switch interface Ethernet 1 0 1 Switch Ethernet1 0 1 arp filter binding 192 168 100 1 000d 88f8 528c Switch Ethernet1 0 1 quit Configure ARP packet filtering based on the gateway s IP address on Ethernet 1 0 2 Switch interface Ethernet 1 0 2 Sw...

Page 448: ...defense Configuration Procedures Enter system view SwitchA system view Enable ARP source MAC address consistency check SwitchA arp anti attack valid check enable Enter VLAN interface 1 view SwitchA interface vlan interface 1 Configure an IP address for VLAN interface 1 SwitchA Vlan interface1 ip address 192 168 1 1 24 Configure the maximum number of ARP entries that can be learned by VLAN interfac...

Page 449: ...VLAN 1 Switch vlan 1 Switch vlan1 arp detection enable Switch vlan1 quit Configure Ethernet 1 0 2 and Ethernet 1 0 3 as ARP trusted ports Switch interface Ethernet 1 0 2 Switch Ethernet1 0 2 arp detection trust Switch Ethernet1 0 2 quit Switch interface Ethernet 1 0 3 Switch Ethernet1 0 3 arp detection trust Switch Ethernet1 0 3 quit Enable ARP attack detection based on IP to MAC mappings of authe...

Page 450: ... wireless networks a using of laptops the position change of hosts and frequent change of IP addresses also require new technology Dynamic Host Configuration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send request configuration parameters and the DHCP servers return the corresponding configuration information such as IP addresses to im...

Page 451: ...ARP packet with the assigned IP address as the destination address to detect the assigned IP address and uses the IP address only if it does not receive any se within a specified period packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet Acknowledge In this phase the DHCP servers acknowledge the IP address Upon rec...

Page 452: ...ght types of packe figure describes the packet format the number in the brackets indicates the field Figure 38 2 DHCP packet format The fields are described as follows op Operation types of DHCP packets 1 for request packets and 2 for r z esponse packets z CP packet passes For each DHCP relay agent nt initiates a DHCP request o identify that the DHCP response s are reserved z s that the DHCP serve...

Page 453: ... sp RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC3046 DHCP Relay Agent Information option z option Optional variable length fields including server and IP address of the WINS server ocol Specification ecifications related to DHCP include z 38 4 ...

Page 454: ...ddresses through DHCP z Networks where only a few hosts need fixed IP addresses and most hosts do not need fixed IP DHCP address from the pool and sends the IP address and other related address of the DNS server and the lease time of the IP address to the e of DHCP Server erally DHCP servers are used in the following n z Large sized networks where manual configuration method bears heavy load and i...

Page 455: ...their configuration precedence order Such a structure enables configurations to be inherited That is the configurations of the natural network segment can be inherited by its subnets whose configura parameters that are common to the whole network segment or some subnets such as domain you just need to configure them on the network segment or the corresponding subnets The following is the details o...

Page 456: ...contains the IP address of the receiving z If the client and the server do not reside in the same network segment that is a DHCP relay agent is in between the smallest address pool that contains the IP address specified in the giaddr field of the client s requ assign any IP address to the c pool to the client IP Address Preferences A DHCP server assigns IP addresses in interface addre clients in t...

Page 457: ...em it adopts the configurations on the new XRN system And you need to perform DHCP server configurations if the new XRN system does not have DHCP server related configurations z In an XRN system the UDP HELPER function must be enabled on the DHCP servers that are in fabric state DHCP Server Configuration Task List Complete the following tasks to configure the DHCP server Task Remarks Enabling DHCP...

Page 458: ...rface s Required Creating a DHCP Global Address Pool Required Configuring the static IP address allocation mode Configuring an Address Allocation Mode for the Global Address Pool Configuring the dynamic IP address allocation mode One of the two options is required Only one mode can be selected for the same global address pool Configuring a Domain Name Suffix for the DHCP Client Optional Configurin...

Page 459: ...pool and only one mode can be configured for one DHCP global address pool For dynamic IP address allocation you need to specify the range of the IP addresses to be dynamically assigned But for static IP address binding you can regard that the IP address statically bound to a DHCP client comes from a special DHCP address pool that contains only one IP address Configuring the static IP address alloc...

Page 460: ...required By default no MAC address or client ID to which an IP address is to be statically bound is configured z The static bind ip address command and the static bind mac address command or the static bind client identifier command must be coupled z In the same global DHCP address pool if you configure the static bind client identifier command after configuring the static bind mac address command...

Page 461: ...icts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ with address pools But that of the IP addresses of the same address pool are the same Lease time is not inherited that is to say the lease time of a child address pool is not affected by the config...

Page 462: ... about DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure a domain name suffix for the client domain name domain name Required Not configured by default Configuring DNS Servers for the DHCP Client If a clien...

Page 463: ...o WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding to the destination node name to the source node z M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the word mixed that is to say this type of nodes ...

Page 464: ...rver needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Configure the BIMS server information to be assigned to the DHCP client bims server ip ip addre...

Page 465: ... ID of the voice VLAN and the flag indicating whether the voice VLAN identification function is enabled The sub option 3 of Option 184 comprises two parts z One part carries the flag indicating whether the voice VLAN identification function is enabled z The other part carries the ID of the voice VLAN z A flag value of 0 indicates that the voice VLAN identification function is not enabled in which ...

Page 466: ... 184 does the DHCP server add Option 184 in the response packet sent to the client Configuring Option 184 Parameters for the DHCP Client with Voice Service Follow these steps to configure Option 184 parameters for the DHCP client with voice service To do Use the command Remarks Enter system view system view Enter DHCP address pool view dhcp server ip pool pool name Specify the IP address of the pr...

Page 467: ...ters of Option 66 Option 67 or Option 150 the DHCP server will return the IP address and name of the specified TFTP server bootfile name and an IP address to the client which uses such information to complete auto configuration Follow these steps to configure the TFTP server and bootfile name for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address pool vi...

Page 468: ...work segment so the clients cannot communicate with each other Therefore in the interface address pool mode if the DHCP clients in a VLAN need to obtain IP addresses from the same network segment the number of DHCP clients cannot exceed the number of the IP addresses assignable in the VLAN interface address pool Configuration Task List An interface address pool is created when the interface is ass...

Page 469: ...ssign to a client is the primary IP address of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses from the interface address pools and assigns them to the DHCP clients If there is no available IP address in the interface address pools the DHCP server picks IP addresses from its global address pool ...

Page 470: ...lly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC addresses of these DHCP clients When such a DHCP client applies for an IP address the DHCP server finds the IP address corresponding to the MAC address of the DHCP client and then assigns the IP address to ...

Page 471: ...P addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation To avoid IP address conflicts the IP addresses to be dynamically assigned to DHCP clients are those not occupied by specific network devices such as gateways and FTP servers The lease time can differ with address pools But that of the IP addresses of the same address ...

Page 472: ... these steps to configure a domain name suffix for the client To do Use the command Remarks Enter system view system view interface interface type interface number dhcp server domain name domain name In the current interface address pool quit Configure a domain name suffix for the clients In multiple interface address pools in system view dhcp server domain name domain name all interface interface...

Page 473: ...dcast The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node After receiving the broadcast packet the destination node returns its IP address to the source node z P node Nodes of this type establish their mappings by communicating with WINS servers The character p stands for peer to peer The source node sends ...

Page 474: ...er address Configuring BIMS Server Information for the DHCP Client A DHCP client performs regular software update and backup using configuration files obtained from a BIMS server Therefore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP client To do Use the ...

Page 475: ...nfig ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network calling processor dhcp server voice config as ip ip address all interface interface type interface number to interface type interface number Optional Not specified by default Configure the voice VLAN dhcp server voice config voice vlan...

Page 476: ... bootfile name bootfile name all interface interface type interface number Optional Not specified by default Configuring a Self Defined DHCP Option By configuring self defined DHCP options you can z Define new DHCP options New configuration options will come out with DHCP development To support new options you can add them into the attribute list of the DHCP server z Extend existing DHCP options W...

Page 477: ...uch information to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable the unauthorized DHCP server detecting function dhcp server detect Required Disabled by default With the unauthorized DHCP server detection enabled the relay agent will log all DHCP servers including authorized...

Page 478: ...client For the authentication process of the DHCP server acting as a RADIUS client refer to AAA Operation in this manual The following describes only the accounting interaction between DHCP server and RADIUS server z After sending a DHCP ACK packet with the IP configuration parameters to the DHCP client the DHCP server sends an Accounting START packet to a specified RADIUS server The RADIUS server...

Page 479: ...P server receives packets containing Option 82 the DHCP server adds Option 82 into the responses when assigning IP addresses and other configuration information to the clients If a DHCP server is configured to ignore Option 82 after the DHCP server receives packets containing Option 82 the DHCP server will not add Option 82 into the responses when assigning IP addresses and other configuration inf...

Page 480: ...nd will not save the lease information on a DHCP server to the flash memory Therefore the configuration file contains no lease information after the DHCP server restarts or you clear the lease information by executing the reset dhcp server ip in use command In this case any lease update requests will be denied and the clients must apply for IP addresses again DHCP Server Configuration Examples Cur...

Page 481: ... pool For example in the network to which VLAN interface 1 is connected if multiple clients apply for IP addresses the child address pool 10 1 1 0 25 assigns IP addresses first When the IP addresses in the child address pool have been assigned if other clients need IP addresses the IP addresses will be assigned from the parent address pool 10 1 1 0 24 and the attributes will be based on the config...

Page 482: ...SwitchA dhcp pool 1 network 10 1 1 0 mask 255 255 255 128 SwitchA dhcp pool 1 gateway list 10 1 1 126 SwitchA dhcp pool 1 expired day 10 hour 12 SwitchA dhcp pool 1 nbns list 10 1 1 4 SwitchA dhcp pool 1 quit Configure DHCP address pool 2 including address range gateway and lease time SwitchA dhcp server ip pool 2 SwitchA dhcp pool 2 network 10 1 1 128 mask 255 255 255 128 SwitchA dhcp pool 2 expi...

Page 483: ...rface2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure VLAN interface 2 to operate in the DHCP server mode Sysname dhcp select global interface vlan interface 2 Enter DHCP address pool view Sysname dhcp server ip pool 123 Configure sub options of Option 184 in global DHCP address pool view Sysname dhcp pool 123 network 10 1 1 1 mask 255 255 255 0 Sysname dhcp pool 123 voic...

Page 484: ...it Enter Ethernet 1 0 1 port view and add the port to VLAN 2 Sysname interface ethernet 1 0 1 Sysname Ethernet1 0 1 port access vlan 2 Sysname Ethernet1 0 1 quit Enter Ethernet 1 0 2 port view and add the port to VLAN 3 Sysname interface ethernet 1 0 2 Sysname Ethernet1 0 2 port access vlan 3 Sysname Ethernet1 0 2 quit Enter VLAN 2 interface view and assign the IP address 10 1 1 1 24 to the VLAN i...

Page 485: ... Disconnect the DHCP client from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destination and an enough timeout time z The IP address is manually configured on a host if you receive a response packet of the ping operation You can then disable the IP address from...

Page 486: ...nts can obtain IP addresses In this case the DHCP clients in multiple networks can use the same DHCP server which centralized administration DHCP Figure 40 1 e of DHCP Relay Agent Since the packets are broadcasted in the process of obtaining IP addresses DHCP is only appli the situation that DHCP clients and DHCP servers are in the same network segment that is you need to deploy at least one DHCP ...

Page 487: ...er info idual assignment policies of IP address and other parameters for the clients is defined at least one sub option must be cuit ID sub option ption 82 has no unified definition in RFC 3046 Its padding information varies with vendors Currently ay agents support the extended padding ns of Option 82 are padded as follows as Option 82 is the relay agent information option in the DHCP message It r...

Page 488: ...ds the packet replaces the original Option 82 in the packet with its own or leaves the original Option 82 unchanged in the packet and forwards the packet if not discarded to the DHCP server from the packet and forwards the packet with the DHCP configuration information to the Request packets sent by a DHCP client fall into two categories DHCP DISCOVER packets and DHCP REQUEST packets As DHCP serve...

Page 489: ...wards th A HCP client can only handle a DHCP ACK message which has the same XID as that in the DHCP rm message sent by the client Therefore to ensure clien W disabled the switch does not replace the XID figuring the DHCP Relay Agent z Helper fun z clie cted to it cannot dynamically obtain IP addresses through BOOTP If a switch belongs to an XRN fabric you need to enable the UDP configuring it as a...

Page 490: ... 8 By default no DHCP server IP address is configured in a o d DH Required DHCP server group interface interface type interface number Ma ser dhcp server groupNo not mapped to any DHCP server group p an interface to a DHCP ver group Required By default a VLAN interface is To improve security and avoid malicious attack to the unused SOCKETs S4500 Ethernet switches z are enabled only when DHCP is en...

Page 491: ... IP to MAC bindings on the DHCP The from ction enabled a use dyn red static entries in the user address table on the DHCP relay agent ollow these steps to configure address checking automatically a relay agent so that users can access external network using fixed IP addresses purpose of the address checking function on DHCP relay agent is to prevent unauthorized users statically configuring IP add...

Page 492: ...tion After relaying an IP address from th D DHCP clients through unicast when the DHCP client maintained by the DHCP cannot be updated in time relay agent handshake function and configuring the dynamic client address entry updating interval After the handshake function is enabled the DHCP relay agent sends the handsh DHCP REQUEST packet periodically to the DHCP server using a client s IP address a...

Page 493: ...DHCP servers ding authorized ones and each server is recorded only once until such information is removed and ed again The administrator needs to find unauthorized DHCP servers from the system log Configuring the DHCP Relay Agent to Support Option 82 z Configure network parameters and relay function of the DHCP relay device P server ease tim z The routes between the DHCP relay agent and the DHCP s...

Page 494: ... udp helper enable Required Disabled by default Enable the DHCP relay agent to replace the XID in DHCP Inform messages dhcp relay inform replace enable Optional Enabled by default Before enabling the DHCP relay agent to replace t UDP Helper is enabled on the switch he XID in DHCP Inform messages make sure that Displaying and Maintaining DHCP Relay Agent Configuration To do Use the command Remarks ...

Page 495: ...elay agent C fi Swi Swi Swi on guration procedure Create DHCP server group 1 and configure an IP address of 10 1 1 1 for it SwitchA system view tchA dhcp server 1 ip 10 1 1 1 ap VLAN interface 1 to DHCP server g M roup 1 tchA interface Vlan interface 1 tchA Vlan interface1 dhcp server 1 z You need to perform corresponding configurations on the DHCP server to enable the DHCP clients to obtain IP ad...

Page 496: ...re the DHCP client resides Check if the IP address of the DHCP server group is correct This problem may be caused by improper DHCP relay agent operates improperly you can locate the problem by enabling display command olu ion z Check if DHCP is enabled on the DHCP server and the DHC z Check if an address pool that is on the sam z Check if a reachable route is con interface connecting the netwo z I...

Page 497: ...security the IP addresses used by online DHCP clients need to be tracked for the inistrator to verify the corresponding rela z Switches can track DHCP clients IP addresses through the security function of the DHCP relay agent operating at the network layer z Switches can track DHCP clien When an unauthorized DHCP server exists in the network a DHCP client m address To ensure that the DHCP clients ...

Page 498: ...that re y default when S4500 Series Ethernet Switches serve as DHCP snooping devices Option 82 adopts and frame format cation for w Option 82 be padded in Option 82 Manufacturers can pad it as required 2 for S4500 Series Ethernet Switches enabled with DH nooping a ed as follows circuit ID sub o Padded with the port index smaller than the physic that received the client s re remote ID sub o ceived ...

Page 499: ...equest containing Option 82 it will handle the packet according to the handling policy and the configured contents in sub options For details see Table 41 1 Table 41 1 Ways of handling a DHCP packet with Option 82 Handling policy Sub option configuration The DHCP Snooping device will Drop Drop the packet Keep Forward the packet without changing Option 82 Neither of the two sub options is configure...

Page 500: ... field Introduction to IP Filtering A ans an attempt of an attacker s f forged a sts with different so e server normally The specific effects are as follows The resources on the server are exhausted so the server does not respond to other requests z After receiving such type of packets a switch needs to send them to the CPU for processing Too many request packets cause high CPU usage rate As a res...

Page 501: ...ve this problem the switch supports the configuration of static binding table entries that is the ing relationship between IP address MAC address ets of the client can be correctly forwarded MAC mappings of authenticated 802 1x clients ost clients are assigned with static IP addresses you need to configure an IP static binding for each t The configuration is a heavy workload and causes errors easi...

Page 502: ...esses You are not recommended to the sw onfigure both the DHCP s and selective Q in Q function o normally Configuring DHCP Snooping to Support Option 82 Enable DHCP snooping and specify trusted ports on the switch before configuring DHCP snooping to support Option 82 Complete the following tasks to configure the DHCP snooping to support Option 82 Task Remarks Enabling DHCP snooping Option 82 suppo...

Page 503: ...licy for requests received on this port while the globally configured handling policy applies on those s where a handling policy is not n Configuring the storage format of Option 82 2 field S4500 Series Ethernet Switches support the HEX or ASCII format for the Option 8 Follow these steps to configure a storage format for the Option 82 field To do Use the command Remarks Enter system view system vi...

Page 504: ...nfigure the remote ID sub option in system view or Ethernet port view e ID takes effect on all interfaces You can configure Option 82 as the me of the device or any customized character string in the ASCII format es effect only on the current interface You can configure Option 82 as any customized character string in the ASCII format for different VLANs That is to say you ca erent configuration ru...

Page 505: ...ed in the case of port aggregation nor support XRN Configuring Foll the padding format for Option 82 ow these steps to configure the padding format for Option 82 To do Use the command Remarks Enter system view system view Config for in extended format ure the padding mat dhcp snooping information packet format extended standard Optional By default the padding format is Configuring IP Filtering Fol...

Page 506: ... each of such bind corresponding authenticated 802 1x client is forced to go offline z IP filtering based on IP to MAC bindings of authenticated 802 1x clients requires to be associated with 802 1x based on MAC address authentication and requires 802 1x clients to provide IP addresses otherwise addresses of DHCP clien disable 802 1x authentication triggered by DHCP ensuring normal receivin multica...

Page 507: ...rt configuration z Enable DHCP snooping Option 82 support on the switch and set the remote ID field in Option 82 to the sy 1 on Ethernet 1 0 3 etwork diagram re 41 6 Network dia Configuration procedure Enable DHCP snooping on the switch Switch system view rt ernet 1 0 5 hcp snooping trust Enable DHCP snooping Option 82 support n Option 82 to the system name sysname of the DHCP snooping remote id s...

Page 508: ... access external networks Network diagram Figure 41 7 Network diagram for IP filtering configuration Ethernet 1 0 2 is connected to H 0001 0001 0001 respectively Ethernet 1 0 3 and Ethernet 1 0 4 Client C z Enable DHCP snooping on the switch and specify Ethernet 1 0 1 as the DHCP snooping trusted port z Configuration procedure Enable DHCP snooping on the switch Switch system view Switch dhcp snoop...

Page 509: ... address Switch interface ethernet 1 0 3 Switch Ethernet1 0 3 ip check source ip address mac address Switch interface ethernet 1 0 4 Switch Ethernet1 0 4 ip check source ip address mac address Switch Ethernet1 0 4 quit Create static binding entries on Ethernet 1 0 2 of the switch Switch interface ethernet 1 0 2 0001 0001 0001 ...

Page 510: ... passing the port at an over high rate s an attack to the port In this case the swit ts down this p ceive a thus protect the switch f In addition the switch supports port state auto recovery After a port i ver high acket rate it resumes automatically after a configurable period of time d ction to DHCP Packet Rate Limit p result the switch cannot work normally and S4500 series Ethernet switches sup...

Page 511: ...command Remarks Enter system view system view Enable port state auto recovery recover enable dhcp protective down Required By default this function is disabled Configure the port state auto recovery interval dhcp protective down recover interval interval Optional By default the auto discovery interval is 300 seconds Rate N Limit Configuration Example etwork requirements As shown in Figure 42 1 Eth...

Page 512: ...figuration procedure Enable DHCP snooping on th Switch system view Switch dhcp snooping Switch interface ethernet 1 0 1 Switch Ethernet1 0 1 quit Enable auto recovery Sysname dhcp protective down recover enable Set the port state auto recovery interval to 30 seconds Sysname dhcp protective down recover interval 30 Enter port view Sysname interface ethernet 1 0 11 Enable DHCP packet rate limit on E...

Page 513: ...le contains information such as MAC address and IP BO ay s own MAC address the request and searches for the corresponding IP address according e 3 The BOOTP client obtains the IP address from the received response F S4500 series Ethernet switches operating as DHCP clients the vendor and device information ained in Option 60 of DHCP requests is not configurable instead it is populated by the applic...

Page 514: ...e DHCP server To view detailed information about the default route run the display ip Currently an S4500 Ethernet switch functioning a days at most That is the though the DHCP An S4500 Ethernet swit the DHCP client creates a DHCP server To view detailed information about the default route run routing table command on the switch z If a switch belongs to an XRN fabric you need to enable the UDP Help...

Page 515: ...ement Switch B s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Network diagram See XUFigure 39 1UX Configuration procedure The following describes only the configuration on Switch B serving as a client Configure VLAN interface 1 to dynamically obtain an IP address from the DHCP server SwitchB system view SwitchB interface...

Page 516: ...itch compares the packet with the rules of the ACL applied on the current port to permit or discard the packet The rules of an ACL can be referenced by other functions that need traffic classification such as ACLs classify packets using a series of conditions known as rules The conditi ce addresses destination addresses and port numbers carried in the p According to their application purposes ACLs...

Page 517: ...2 Range of source IP address The smaller the source IP address range that is the more the number of zeros in 3 Range of destination IP address The smaller the destination IP address range the number of zeros in the wildcard mask the higher the match priority 4 Range of Layer 4 port number that is TCP UDP port number The smaller the range the higher the match priority 5 Number of parameters the mor...

Page 518: ...ckets do not match the ACL z z When an ACL is referenced by upper layer software Types of ACLs Supp y Switch 4500 Series s are supported by Switch 4500 series z can be applied to hardware directly or referenced by upper layer software for p ACL Configuration Task List Complete the following tasks to configure ACL orted b The following types of ACL Basic ACL z Advanced ACL z Layer 2 ACL z User defi...

Page 519: ...me is within one of the z he periodic time range and the absolute time range are both matched ange contains an absolute time section ranging from 00 00 January 1 2004 to 23 59 December 31 2004 and a periodic time section ranging from 12 00 to 14 00 on every rom 12 00 to esday in 2004 s from 1970 1 1 00 00 and ends on the is not specified the time section starts from the specified start that If onl...

Page 520: ...t Current time is 13 30 32 Apr 16 2005 Saturday Time range test Inactive m 15 00 Jan 28 2006 to 15 00 Jan 28 2008 A basic ACL filters packets based on their source IP To configure a time range ba first For information about tim ed basic ACL rule you ne e range configuration re ate the cor uring Time Range z The source IP addresses base the ACL filters packets are d Configuration procedure Follow t...

Page 521: ...exible e defined for basi Configuration prerequisites z as ou need to create the corresponding time ion ab uration re ime Range cannot modify any existent z If you do not specify automatically If the ACL has no rules the rule is numbered 0 otherwise the numb be the greatest rule n system will tell you that the z The content of a modified or created rule cannot be identical otherwise the rule modif...

Page 522: ...cified the newly created rules will be inserted in the Configuration example ermit the TCP packets sourced from the network 129 9 0 0 16 and destined Sysname acl adv 3000 rule permit tcp source 129 9 0 0 0 0 255 255 destination 202 38 160 0 eq 80 Sys Acl urce 129 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq www Note that z With the config match order specified for the a...

Page 523: ...t sign a de the ACL rule Assign a description string to the ACL description text No description by default Optional Note that z You can modify any existent rule of the Layer2 ACL and the unmodified part of the ACL remains z If you do not specify the rule id argument when creating an ACL rule the rule will be numbered umbered 0 otherwise the number of the rule will atest rule number is 65534 howeve...

Page 524: ...ter user def acl number acl number Required D fine an ACL rule rule rule id permit deny rule string rule mask offset 1 8 For information about Required e time range time name rule string refer to ACL Commands Define a comment for the ACL rule rule rule id comment text Optional No description by default Define a description for the ACL description text Optional No description by default Whe o z z V...

Page 525: ...eld in IPv6 packets field in IPv6 packets z z z z automatically If the ACL has no rules the ru be the greatest rule number plu system will tell z The content of a modi exists onfiguration example Configure ACL 5000 to deny all TCP packets prov the ACL rule 06 is the TCP protocol number ff is the mask of an internally processed IP packet Sysname system view Sysname acl number 5000 Sysname acl user ...

Page 526: ...6 ACL rule ollow these steps to Command Description Operation Enter system view system view Create an IPv6 ACL and enter IPv6 ACL view ed acl number acl number Requir Define an ACL rule ng address double tag dscp rule string tocol ipv6 type src ip ipv6 address prefix length src mac rule string rule mask vlan rule string keyword in the cify rule mask combination as TCP or UDP that is 0x06 or 0x11 T...

Page 527: ...lready exists IPv6 ACLs do not match IPv6 packets with extension headers Configuration example 5000 denying packets from 3001 1 64 to 3002 1 64 e deny src ip 3001 1 64 dest ip 3002 1 64 1 64 dest ip 3002 1 64 Applying ACL Rules on Ports By applying ACL rules on port on the corresponding ports Configuration prerequisites Y L b For informat to Configuring Basic ACL Configure an rule for IPv6 ACL Sys...

Page 528: ...or packet filteri z A port joining the VLAN later will not use the ACL rules ep using the ACL rules ng Co Before applying ACL rules to ports in a VLAN you need to define the related rmation bout defining an ACL refer to Configuring Basic ACL nfiguration prerequisites ACLs For info a Configuring Advanced ACL Configuring Layer 2 ACL Configuring User defined ACL and Configuring IPv6 ACL C y ACL rules...

Page 529: ... layer Software Referencing ACLs Example for Controlling Telnet Login Users by Source IP rs with the source IP address of 10 110 100 52 to telnet to the switch N for controlling Telnet login users by source IP PC Network requirements Apply an ACL to permit use etwork diagram Figure 44 1 Network diagram Internet Switch 10 110 100 52 C 00 view user interface to control Telnet login users onfiguratio...

Page 530: ...mple dress is 10 1 1 1 Apply an deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 N for basic ACL configuration Define ACL 2001 Sysname system view Sysname acl number 2001 Sysname acl basic 2001 rule 1 permit source 10 110 100 46 0 Sysname acl basic 2001 quit Reference ACL 2001 to control users logging in to the W Sysname ip http acl 2001 Examples for Applying ACLs to Hardware...

Page 531: ...ed ACL Configuration Example Network requirements Different departments of an enterprise are interconnected through query server is 192 168 1 2 The R D department is connected to E ACL to deny requests from the R D department and destined for t h Network diagram Figure 44 4 Network diagram for advanced ACL configuration range that is active from 8 00 to 18 00 everyday er Sysname acl number 3000 Sy...

Page 532: ...sname time range test 8 00 to 18 00 Define ACL 4000 to filter packets with MAC address of 0011 0011 0012 Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 1 d 0011 0011 0012 ffff ffff ffff time range t Sysname acl ethernetf Apply ACL 4000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packet filter inbound link group 4000 defined ACL Configuration Example Network...

Page 533: ...cedure Define a periodic time range that is a Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 5000 to deny any ARP p protocol number ffff is the Ethernet frame c0a80001 is the hexadecimal form of 192 168 0 1 and 32 is the source IP address field offset of the internally processed ARP packet Sysname acl number 5000 Sysname acl use Apply ACL 5000 on Ethernet 1 0 1 Sysname ...

Page 534: ...nd user group 5000 Example for Applying an ACL to a VLAN Network requirements PC 1 PC 2 and PC 3 belong to VLAN 10 and conne 1 0 2 and Ethernet 1 0 3 respectively The IP address ACL to deny packets from PCs in VLAN 10 to the dat Network diagram Figure 44 8 Network diagram for applying an ACL to a VLAN C Define a periodic time range that is active from 8 00 to 18 00 in working days Sysname system v...

Page 535: ...nt aspects because the n jitter and packet loss ratio in the packet forw tional Packet Forwarding Service In traditional IP networks packets are treated equally That is the FIFO first in first out policy is adopted for packet processing Network resources required for packet forwarding is determined by the order in which packets arrive All the packets share the resources of the network Network reso...

Page 536: ...ds for implementing network traffic control and network resource management They are occurrences of differentiated services ser ices They are described as follow Traffic classification identifies traffic based on certain matching rules It is a prerequisite for differentiated services and is usually applied in the z Traffic policing confines traffic to a specific specification and is usually applie...

Page 537: ...ut priority trust mode refer to For inform You can configure the following Priority Trust Mode QoS actions a Switch 4500 s For information ab z out specifying priority for protocol packets refer to Protocol z Prior Priority z For information about line rate refer toLine Rate z Line rate Congestion avoidance For information about congestion avoidance and WRED refer to Congestion Avoidance WRED Cong...

Page 538: ...r is also known as DS field The first six bits bit 0 ed service codepoint DSCP in the range of 0 to 63 nd bit Table 45 2 Description on IP Prec The ToS field in an IP header contains eight bits numbered 0 through 7 among which The first three bits indicate IP precedence in the range 0 to 7 Bit 3 to bit 6 indicate ToS precedence in the range z In RFC2474 the ToS field in IP packet head through bit ...

Page 539: ...mented The QoS rank of the AF class is lower than that of the EF class Class selector CS cl z Best Effort BE class This class is a special class class can be degraded to the BE class if it exceed his class by default recedence valu DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 2...

Page 540: ... figure above the priority field three bits in length in TCI is 802 1p priority also known as CoS precedence which ranges from 0 to 7 Table 45 4 Description on 802 1p y priorit 802 1p priority decimal 802 1p priority binary Description 0 000 best effort 1 001 background 2 010 spare 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management The precedence is calle...

Page 541: ...orresponding to the port priority of the receiving port in the 802 1p to local precedence mapping table and assigns the local precedence to the packet For an 802 1q tagged p When an 802 1q tagged packet reaches the port of a switch you can use the priority trust on the receiving port to configure the port to trust packet priority or use the priority command on the receiving port to config is 0 z T...

Page 542: ...raffic will be marked with new IP precedence or DSCP precedence fic Policing The network will be made more congested by plenty of continuous burst packets if the traffic of each user is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more use only its committed resources during a time period t bursts T...

Page 543: ...ze The capacity of the token bucket namely the maximum traffic size that is permitted in each burst It is generally set to committed burst size CBS The set burst size must be greater than the maximum packet length One evaluation is performed on each arriving packet In each evaluation if the number of tokens in the bucket is enough the traffic is conforming to the specification and you must take aw...

Page 544: ...d because they are not response delay Assume that there are eight output queues on the port and the preferential queue classifies the eight output queues on the port into eight classes which are queue7 queue6 queue5 queue4 queue3 queue2 queue1 and queue0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order f...

Page 545: ...be sent among different queues the short packets must be sched that the delay jitte Compared with FQ WFQ takes the pr packets Statistically speaking WFQ assigns more scheduling chances to high those to low priority packets WFQ can classify the traffic automatically accordi information of traffic including the protocol types source and destination TCP or source and destination IP addresses and prio...

Page 546: ...ing to w7 w6 w5 w4 w3 w2 w1 and w0 in order In this way the queue with the lowest priority can get 5 Mbps 100 of SP queue scheduling that the packets in queues with lower priority may not get service fo is avoided Another advantage of WRR queue is that though the queues are scheduled in order the ser ice time for each queue is not fixed that is to say if a queue is empty the next queue will be dul...

Page 547: ...dropped at random The long and the upper limit more likely the newly re dropped However exists n WRED random numbers rmine the olicy is determined by IP preced lower pre RED prevents glob It enable ession slowed down because dropped I mirroring port or CPU depending on your configuration For information abou Mirroring module of this manua C nfiguration Complete the following tasks to configure QoS...

Page 548: ...0 1 to 7 Sysname system view Sysname interface Ethernet1 0 1 0 1 pri z Configure to trust packet pr C Sysname system view Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 priority trust Configuring the Mapping between 802 1p Priority and Local Precedence Whe 1p priority and local precedence cannot satisfy your u he mapping at the CLI thus modifying the mapping between 802 1p priority and the ...

Page 549: ...riority Configure the fol 3 to 1 4 to 7 5 to 0 6 to 5 g mapping bet and 7 to 6 Display the configu onfiguration proced Sysname qos cos local precedence map 2 3 4 1 7 0 5 6 local precedence queue 2 3 4 1 7 0 5 6 Refer to section Protocol for information about priority of protocol packets Configuration prerequisites been determined CP and priority value have been determined C ecific protocol packets...

Page 550: ...e following items are defined or z ffic Refe this tio z type and value of the pre packets m les have been determined The port or VLAN on which the configuration is to be performed has been determined You can use the traffic priority command to mark the determined before the configuration classification have been specified n cedence to be marked for the The ACL rules used for tra manual for related...

Page 551: ... acl basic 2000 quit Sysname traffic priority vlan 2 inbound ip group 200 Configuring Traffic Policing tion Traffic Policing z Ethernet 1 0 1 belongs to VLAN 2 and is connected to the 10 1 z Mark the DSCP preceden Sysname system view Sysname interface hernet1 0 1 Sysname acl nu Sysname 000 0 rule permit source 10 1 1 0 0 0 255 0 dscp 56 Refer to sec for information about traffic policing C z d Ref...

Page 552: ...ew 000 s 0 255 s Conf Refer to section Line Rate is connected to the 10 1 1 0 24 n the packets from the 10 1 1 etwork segment network segment setting Perform traffic p ceeding the rate limit Config Sysname acl number 2 Sy name acl basic 2000 rule permit source 10 1 1 0 0 0 Sy name acl basic 2000 quit Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traffic limit inbound ip group 2000 128 exce...

Page 553: ...CL rules used en defined this manual for informatio z The ports on which the configuration is to be performed have be ed The VLAN ID to be set for the packets has been determined Configuration procedure Follow these step nfigure VLAN m Refer to the ACL module of en determin nfiguration prer z s to co apping To do Use the command Remarks Enter system view system view Enter Ethernet port view interf...

Page 554: ...WRR The default weights of the eight output queues of a port are 1 2 3 4 5 9 13 and 15 in the order queue 0 through queue 7 nfigure queue queue2 width queue3 width queue4 wi queue6 scheduling algorithm adopted queue scheduler wfq queue0 width queue1 width Required rt of a Switch 4500 supports eight output queues A po These queue scheduling algorithms are available R or WFQ adopted if you set the w...

Page 555: ... port If the weight or lue specified SP WFQ queuing in t mand cannot meet the re r this port in the co nt o ct only on the port r command The display qu eue weight or bandwidth Configuration example 3 3 4 4 5 eue 0 through queue 7 Verify the configuration Sysname queue scheduler wrr 2 2 3 3 4 4 5 5 duler weight of queue 2 3 wei i i Conf Refer to section C voidance z Adopts WRR for queue scheduling...

Page 556: ...g ACL rules rmined Configuration procedure igure traffic mirroring Configuration prerequis z The ACL rules for tr for information about defini z The source mirroring ports and mirroring direction have been dete z The destination mirroring port has been determined Follow these steps to conf To do Use the command Remarks Enter system view system view interface interface type interface number Enter E...

Page 557: ... command Remarks Display the mapping between 802 1p priority and local precedence display qos cos local precedence map Display the priority marking configuration display qos interface interface type interface number unit id traffic priority Display the protocol packet priority configuration display protocol priority Display line rate configuration display qos interface interface type interface num...

Page 558: ...ed Configure traffic policing and line rate to satisfy the followin z z Set the maximum rate etwork diagram Figure 45 9 Network diag Configuration procedure 000 2 line rate inbound 64 Sysname Ethernet1 0 2 quit Set the maximum rate of outbound IP packets sent by PC 1 in the R D department to 640 kbps Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traffic limit inbound ip group 2000 640 exce...

Page 559: ...through atabase server Server 2 the mail 0 2 of the switch mark traffic flows accessing Server 1 gn the three traffic flows to different duling configuration C ACL view permit ip destination 192 168 0 1 0 Sysname acl adv 3000 rule 1 permit ip destination 192 168 0 2 0 ip destination 192 168 0 3 0 2 Configure priority marking Mark priority for packets received through Ethernet 1 0 2 and matching AC...

Page 560: ...ration Sysname Ethernet1 0 2 3 Configure queue scheduling Apply SP queue scheduling algorithm Sysname queue scheduler strict priority pping Configuration Example ork requirements Two customer networks are connected to the public network through Switch A and Switch B Configure VLAN mapping function on the switches to enable th communicate through public network VLANs z Switch A provides network acc...

Page 561: ...rnet1 0 11 port link type trunk SwitchA Ethernet1 0 11 port trunk pvid vlan 100 SwitchA Ethernet1 0 11 port trunk permit vlan 100 500 SwitchA Ethernet1 0 11 quit SwitchA interface Ethernet 1 0 12 SwitchA Ethernet1 0 12 port link type trunk SwitchA Ethernet1 0 12 port t SwitchA Ethernet1 0 12 port trunk permit vlan 200 600 SwitchA Ethernet1 0 12 quit Configure Ethernet 1 0 10 of Sw 500 and VLAN 600...

Page 562: ...link group 4002 remark vlan 100 SwitchA Ethernet1 0 10 traffic remark vlanid inbound link group 4003 remark vlan 200 SwitchA Ethernet1 0 10 quit Define the same VLAN mapping rules on Switch B The detailed configuration procedure is similar to that of Switch A and thus is omitted here SwitchA Ethernet1 0 11 traffic rema SwitchA Ethernet1 0 11 quit Configure VLAN mapping on Ethernet 1 0 12 to replac...

Page 563: ...er port connected with a data monitoring device for network monitoring and diagnosis The port where packets are du to which duplicated Figure 46 1 Mirroring PC Data detection device Network Source mirroring port Destination mirroring port port three types of port mirroring ng The Switch 4500 series sup z Local Port Mirrori z Remote Port Mirroring z Traffic Mirroring in the following sections Loca ...

Page 564: ...he traffic to an intermediate switch if any or destination switch through the remote probe VLAN z Intermediate switch Intermediate switches are switches between the source switch and destination switch on the network An intermediate switch forwards mirrored traffic flows to the next intermediate switch or the destination switch through the remote probe VLAN No intermediate switch is present if the...

Page 565: ...ike port mirroring where all inbound outbound traffic passing through a port is monitored traffic mirroring provides a finer monitoring granularity For detailed configuration about traffic mirroring refer to QoS QoS Profile Operation Port Mirroring STP Collaboration In a LAN STP or MSTP is usually used to eliminate loops Configurations or network topology changes may cause some ports to transit to...

Page 566: ...reate a port mirroring group mirroring group group id local Required Enable port mirroring STP collaboration mirroring stp collaboration Optional This configuration applies to all ports of the current device By default port mirroring STP collaboration is not enabled In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface n...

Page 567: ...ransits to Forwarding state z Suppose port mirroring STP collaboration is enabled on a device in an MSTP network To make the port mirroring configuration take effect on a port make sure that the port is in Forwarding state in all instances z To enable port mirroring on an XRN fabric you are recommended to enable port mirroring STP collaboration Configuring Remote Port Mirroring A Switch 4500 can s...

Page 568: ...irroring group group id mirroring port mirroring port list both inbound outbound Required Configure the reflector port for the remote source mirroring group mirroring group group id reflector port reflector port Required Configure the remote probe VLAN for the remote source mirroring group mirroring group group id remote probe vlan remote probe vlan id Required When configuring the source switch n...

Page 569: ...red between the source and destination switches over the remote probe VLAN 2 Configuration procedure Follow these steps to perform configurations on the intermediate switch To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as the remote probe VLAN remote probe vlan enable ...

Page 570: ... probe vlan id Required Return to system view quit Create a remote destination mirroring group mirroring group group id remote destination Required Configure the destination port for the remote destination mirroring group mirroring group group id monitor port monitor port Required Configure the remote probe VLAN for the remote destination mirroring group mirroring group group id remote probe vlan ...

Page 571: ... 1 0 2 z Data detection device is connected to Switch C through Ethernet 1 0 3 The administrator wants to monitor the packets received on and sent from the R D department and the marketing department through the data detection device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Configure Ethernet 1 0 1 and Ethernet 1 0 2 as mirror...

Page 572: ... B z Ethernet 1 0 2 of Switch B connects to Ethernet 1 0 1 of Switch C z The data detection device is connected to Ethernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the source switch Switch B as ...

Page 573: ... port Ethernet 1 0 1 Ethernet 1 0 2 inbound Sysname mirroring group 1 reflector port Ethernet 1 0 4 Sysname mirroring group 1 remote probe vlan 10 Configure Ethernet 1 0 3 as trunk port allowing packets of VLAN 10 to pass Sysname interface Ethernet 1 0 3 Sysname Ethernet1 0 3 port link type trunk Sysname Ethernet1 0 3 port trunk permit vlan 10 Sysname Ethernet1 0 3 quit Display configuration infor...

Page 574: ...oup 1 remote destination Configure VLAN 10 as the remote probe VLAN Sysname vlan 10 Sysname vlan10 remote probe vlan enable Sysname vlan10 quit Configure the destination port and remote probe VLAN for the remote destination mirroring group Sysname mirroring group 1 monitor port Ethernet 1 0 2 Sysname mirroring group 1 remote probe vlan 10 Configure Ethernet 1 0 1 as the trunk port allowing packets...

Page 575: ...r layer as shown in Figure 47 1 duction to XRN Expandable Resilient Networking XRN a feature particular to 3Com Switch 4500 series switches is a new technology for building the core o improve t ntages features the following advantages z Streamlined management After an XRN is established you can log in to the XRN system by connecting to any port of any member to manage all XRN members High reliabil...

Page 576: ...eft port and a right port respectively the other ports which are available for connections with users or devices outside the fabric are called user ports Figure 47 2 A schematic diagram of an XRN fabric A correctly built XRN fabric features the following z Multiple Switch 4500 series switches are interconnected through their fabric ports z Given a switch its left port is connected to the right por...

Page 577: ...roup of ports can be configured as fabric ports at a time Given a group either GigabitEthernet 1 0 25 49 or GigabitEthernet 1 0 27 51 can be configured as the left fabric port and either GigabitEthernet 1 0 26 50 or GigabitEthernet 1 0 28 52 can be configured as the right fabric port Once you configure a port as a fabric port the group that comprises this fabric port becomes the fabric port group ...

Page 578: ... fabric operates improperly No measure is needed for any of them Two fabric ports of the same device that is the right port and the left port are connected Pull out one end of the cable and connect it to a fabric port of another switch The left and right fabric ports of the devices are not connected in a crossed way Connect the left and right ports of two devices in a crossed way connection error ...

Page 579: ...o distinguish between the devices in a fabric when you manage them On initialization of the XRN function each device considers its Unit ID as 1 and after a fabric connection is established the FTM program automatically re numbers the devices or you can manually configure the Unit ID of them The master in a fabric collects the newest configurations of the user and the slaves periodically synchroniz...

Page 580: ...n system view Follow these steps to specify a fabric port To do Use the command Remarks Enter system view system view Specify the fabric port of a switch fabric port interface type interface number enable Required Not specified by default Configurations in Ethernet interface view Follow these steps to specify a fabric port To do Use the command Remarks Enter system view system view Enter Ethernet ...

Page 581: ...he fabric feature on the port z If you need to configure an XRN fabric as a DHCP relay or DHCP client configure the UDP Helper function in the fabric at the same time to ensure that the client can successfully obtain an IP address For the configuration of the UDP Helper function refer to the UDP Helper part in this manual z After you use the port link type xrn fabric command to specify a port as t...

Page 582: ...al switch After an XRN fabric is established you can use the following command to change the unit IDs of the switches in the XRN fabric Follow these steps to set a unit ID to a new value To do Use the command Remarks Enter system view system view Set a unit ID to a new value change unit id unit id1 to unit id2 auto numbering Optional z Unit IDs in an XRN fabric are not always arranged in order of ...

Page 583: ...low these steps to save the unit ID of each unit in the XRN fabric To do Use the command Remarks Save the unit ID of each unit in the XRN fabric fabric save unit id Optional Assigning a Unit Name to a Switch Follow these steps to assign a unit name to a switch To do Use the command Remarks Enter system view system view Assign a unit name to a switch set unit unit id name unit name Required Assigni...

Page 584: ...stem does not perform your configuration properly In this case you need to verify your previous configuration or perform your configuration again Displaying and Maintaining XRN Fabric To do Use the command Remarks Display the information about an XRN fabric display xrn fabric port Display the topology information of an XRN fabric display ftm information topology database Available in any view Clea...

Page 585: ... hello xrn fabric authentication mode simple welcome 2 Configure Switch B Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 25 enable Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 2 Sysname change unit id 1 to 2 Configure the unit name as Unit 2 Sysname set unit 1 name unit2 Configure the fabric name as hello Sysname sysname hello Configure the...

Page 586: ...e simple welcome 4 Configure Switch D Configure fabric ports Sysname system view Sysname fabric port GigabitEthernet1 0 26 enable Set the unit ID to 4 Sysname change unit id 1 to 4 Configure the unit name as Unit 4 Sysname set unit 1 name Unit4 Configure the fabric name as hello Sysname sysname hello Configure the fabric authentication mode as simple and the password as welcome hello xrn fabric au...

Page 587: ...emote devices in batches reducing the workload need to configure external IP addresses for member devices Figure 48 1 uction to HGMP A cluster contains a group of switches Through cluster management you can manage multiple geographically dispersed in a centralized Cluster management is implemented through Huawei Gro version 2 HGMPv2 is used at pre A switch in a cluster pla z Management device z Me...

Page 588: ...y and display function which assists in monitoring and maintaining the network z It allows you to configure and upgrade multiple switches at the same time z It enables you to manage your remotely devices conveniently regardless of network topology and physical distance z It saves IP address resource Roles in a Cluster The switches in a cluster play different roles according to their functions and ...

Page 589: ...a cluster z Discovers the information about its neighbors processes the commands forwarded by the management device and reports log The member devices of a luster are under the management of the management device Candidate device Normally a candidate device is not assigned an external IP address Candidate device refers to the devices that do not belong to any clusters but are cluster capable Figur...

Page 590: ...ster is established z All devices use NDP to collect the information about their neighbors including software version host name MAC address and port name z The management device uses NTDP to collect the information about the devices within specific hops and the topology information about the devices It also determines the candidate devices according to the information collected z The management de...

Page 591: ...ly You can also launch an operation of topology information collection by executing related commands The process of topology information collection is as follows z The management device sends NTDP topology collection requests periodically through its NTDP enabled ports z Upon receiving an NTDP topology collection request the device returns a NTDP topology collection response to the management devi...

Page 592: ...ation for you to establish the cluster z By collecting NDP NTDP information the management device learns network topology so as to manage and monitor network devices z Before performing any cluster related configuration task you need to enable the cluster function first On the management device you need to enable the cluster function and configure cluster parameters On the member candidate devices...

Page 593: ...in the information holdtime it changes the state of the member device to Active otherwise it changes the state of the member device in Connect state to Disconnect in which case the management device considers the member device disconnected Likewise if this member device which is in Connect state receives a handshake packet or management packet from the management device within the information hold...

Page 594: ...is only one network management interface on a management device any newly configured network management interface will overwrite the old one Tracing a device in a cluster In practice you need to implement the following in a cluster sometimes z Know whether there is a loop in the cluster z Locate which port on which switch initiates a network attack z Determine the port and switch that a MAC addres...

Page 595: ... entry but the MAC address entry corresponding to the IP address does not exist the trace of the device fails z To trace a specific device using the tracemac command make sure that all the devices passed support the tracemac function z To trace a specific device in a management VLAN using the tracemac command make sure that all the devices passed are within the same management VLAN as the device t...

Page 596: ...nction is implemented z Closing UDP port 40000 at the same time when the cluster function is closed On the management device the preceding functions are implemented as follows z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at th...

Page 597: ...ce type interface number Enable NTDP on the Ethernet port ntdp enable Required Enabled by default Configuring NTDP related parameters Follow these steps to configure NTDP related parameters To do Use the command Remarks Enter system view system view Configure the range to collect topology information ntdp hop hop value Optional By default the system collects topology information from the devices w...

Page 598: ...Remarks Enter system view system view Specify the management VLAN management vlan vlan id Required By default VLAN 1 is used as the management VLAN Enter cluster view cluster Configure a IP address pool for the cluster ip pool administrator ip address ip mask ip mask length Required Build a cluster build name Required name Cluster name Configure a multicast MAC address for the cluster cluster mac ...

Page 599: ...g inside outside interaction for a cluster Follow these steps to configure inside outside interaction for a cluster To do Use the command Remarks Enter system view system view Enter cluster view cluster Required Configure a shared FTP server for the cluster ftp server ip address Optional By default the management device acts as the shared FTP server Configure a shared TFTP server for the cluster t...

Page 600: ...e the network management NM interface for the cluster nm interface Vlan interface vlan id Required By default the management VLAN interface is used as the NM interface Configuring Member Devices Member device configuration task list Complete the following tasks to configure the member device Task Remarks Enabling NDP globally and on specific ports Required Enabling NTDP globally and on a specific ...

Page 601: ...ice s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is closed at the same time z When you execute the undo build command on the management device to remove a cluster UDP port 40000 of all the member devices in the cluster is closed at the same time z When yo...

Page 602: ...the cluster tftp cluster get source file destination file Optional Available in user view Upload a file to the shared TFTP server of the cluster tftp cluster put source file destination file Optional Available in user view Managing a Cluster through the Management Device You can manage the member devices through the management device for example adding removing a cluster member rebooting a member ...

Page 603: ...strative device When errors occur to the cluster topology you can replace the current topology with the standard cluster topology and restore the administrative device using the backup topology on the Flash memory so that the devices in the cluster can resume normal operation With the display cluster current topology command the switch can display the topology of the current cluster in a tree stru...

Page 604: ... topology topology accept all save to local flash mac address mac address member id member id administrator Required Save the standard topology to the Flash memory of the administrative device topology save to local flash Required Restore the standard topology from the Flash memory of the administrative device topology restore from local flash Optional Display the detailed information about a sing...

Page 605: ...ormation about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Configuring the Cluster Synchronization Function After a cluster is established to simplify the access and management to the cluster you can synchronize the SNMP configurations on the management device and the local user configurations to the member devices of the cluste...

Page 606: ...upname authentication mode md5 sha authpassstring privacy mode des56 privpassstring Required Not configured by default Create or update the public MIB view information for the cluster cluster snmp agent mib view included view name oid tree Required Not configured by default z Perform the above operations on the management device of the cluster z Configuring the public SNMP information is equal to ...

Page 607: ...ronize the command Create a MIB view mib_a which includes all objects of the subtree org test_0 Sysname cluster cluster snmp agent mib view included mib_a org Member 2 succeeded in the mib view configuration Member 1 succeeded in the mib view configuration Finish to synchronize the command Add a user user_a to the SNMPv3 group group_a test_0 Sysname cluster cluster snmp agent usm user v3 user_a gr...

Page 608: ...lic local user for the cluster on the management device and the username and password will be synchronized to the member devices of the cluster which is equal to creating this local user on all member devices The configured local user is a Telnet user and you can use the public username and password to manage all member devices through Web 1 Configuration prerequisites z NDP and NTDP have been ena...

Page 609: ...rval to send NDP packets the holdtime and all neighbors discovered display ndp Display NDP configuration and running information on specified ports including the neighbors discovered by NDP on the ports display ndp interface port list Display global NTDP information display ntdp Display device information collected by NTDP display ntdp device list verbose Display status and statistics information ...

Page 610: ...ugh Ethernet 1 0 1 z Ethernet 1 0 1 belongs to VLAN 2 whose interface IP address is 163 172 55 1 z All the devices in the cluster share the same FTP server and TFTP server z The FTP server and TFTP server use the same IP address 63 172 55 1 z The NMS and logging host use the same IP address 69 172 55 4 Network diagram Figure 48 4 Network diagram for HGMP cluster configuration Configuration procedu...

Page 611: ...o ntdp enable Sysname Ethernet1 0 1 quit Enable NDP on Ethernet 1 0 2 and Ethernet 1 0 3 Sysname interface Ethernet 1 0 2 Sysname Ethernet1 0 2 ndp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet 1 0 3 Sysname Ethernet1 0 3 ndp enable Sysname Ethernet1 0 3 quit Set the hold time of NDP information to 200 seconds Sysname ndp timer aging 200 Set the interval between sending NDP packets ...

Page 612: ...et the interval between sending handshake packets to 10 seconds aaa_0 Sysname cluster timer 10 Configure VLAN interface 2 as the network management interface aaa_0 Sysname cluster nm interface Vlan interface 2 Configure the shared FTP server TFTP server logging host and SNMP host for the cluster aaa_0 Sysname cluster ftp server 63 172 55 1 aaa_0 Sysname cluster tftp server 63 172 55 1 aaa_0 Sysnam...

Page 613: ...n you can receive logs and SNMP trap messages of all cluster members on the NMS Network Management Interface Configuration Example Network requirements z Configure VLAN interface 2 as the network management interface of the switch z Configure VLAN 3 as the management VLAN z The IP address of the FTP server is 192 168 4 3 z Switch A operates as the management switch z Switch B and Switch C are memb...

Page 614: ...able Enter cluster view Sysname cluster Sysname cluster Configure a private IP address pool for the cluster The IP address pool contains 30 IP addresses starting from 192 168 5 1 Sysname cluster ip pool 192 168 5 1 255 255 255 224 Name and build the cluster Sysname cluster build aaa aaa_0 Sysname cluster Configure VLAN interface 2 as the network management interface aaa_0 Sysname cluster aaa_0 Sys...

Page 615: ...nt device Member device Member device Member device 1 Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all save to local flash 48 29 ...

Page 616: ...rd PoE Overview uction to PoE Power over Ethe to the remote powered d simultaneously z Reliability The centralized power supply provides backup convenience unified management and safety z Easy connection Network terminals only require an Ethernet cable but no external power supply Standard PoE conforms to the 802 3af standard and uses a globally uniform power interfac z Bright application p charge...

Page 617: ...E processing software on the switch can be u z The switch provides statistics about power supplying on each port and the whole equipment which you can query through the dis z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload The switch provides over temperature protection mechanism Using this mechanism the switch disables the P sel...

Page 618: ...n the granularity of 100 mW Follow these et the maximum g the Maximum Output Power on a Port The maximum power that can be supplied by each Ethernet electrical port of a PoE capable Switch 4500 to its PD is 15 400 mW In practice you can set the maximum power on a port depending actual power of the PD in the range of 1 000 to 15 400 mW and steps to s output power on a port To do Use the command Rem...

Page 619: ...PoE feature is enabled on the port perform the following configuration to set the PoE management mode and PoE priority of a port Follow these steps to set the PoE management mode and PoE priority of a port To do Use the command Remarks Enter system view system view Set the PoE management mode for the switch poe power management auto manual Required auto by default Enter Ethernet port view interfac...

Page 620: ...ion mode Follow these steps to configure a PD disconnection detection mode To do Use the command Remarks Enter system view system view Configure a PD disconnection detection mode poe disconnect ac dc Optional The default PD disconnection detection mode is AC If you adjust the PD disconnection detection mode when the switch is running the connected PDs will be powered off Therefore be cautious to d...

Page 621: ...d that is no PoE command can be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software while the full update mode is to delete the original processing software in PSE completely and then reload the software z Generally the refresh update mode is used ...

Page 622: ...oe powersupply Display the status enabled disabled of the PoE over temperature protection feature on the switch display poe temperature protection Available in any view PoE Configuration Example PoE Configuration Example Network requirements Switch A is a Switch 4500 supporting PoE Switch B can be PoE powered z The Ethernet 1 0 1 and Ethernet 1 0 2 ports of Switch A are connected to Switch B and a...

Page 623: ... of Ethernet 1 0 2 to 2500 mW SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 poe enable SwitchA Ethernet1 0 2 poe max power 2500 SwitchA Ethernet1 0 2 quit Enable the PoE feature on Ethernet 1 0 8 and set the PoE priority of Ethernet 1 0 8 to critical SwitchA interface Ethernet 1 0 8 SwitchA Ethernet1 0 8 poe enable SwitchA Ethernet1 0 8 poe priority critical SwitchA Ethernet1 0 8 quit Set...

Page 624: ...the PoE configurations in the PoE profile ration Conf Follow these step file duction to PoE Profile On a large sized network or a network with mobi PoE features of the switc configurations including multiple PoE features tures of PoE profile Various PoE profiles can be created are stored in the corresponding PoE profiles These PoE profiles can be applied to the ports used by the corresponding user...

Page 625: ...mbination of Unit creates a new Fabric In the newly created Fabric the PoE profile configuration of the Unit with the smallest Unit ID number will become the PoE profile configuration for the Fabric currently in use 4 Split of Fabric results in many new Fabrics In each newly created Fabric the PoE profile configuration of each Unit remains the same as it was before the split 1 When the apply poe p...

Page 626: ...ereas the PoE priority for 6 through Ethernet 1 0 10 is High ernet 1 0 1 through Ethernet 1 0 5 ports is 3000 mW whereas the rough Ethernet 1 0 10 is 15400 mW PoE profiles are made for users of group A t 1 0 1 through Ethernet 1 0 5 1 0 6 through Ethernet 1 0 10 ro ile Application Example ork requirements Switch A is a Switch 4500 supporting PoE requirements z z Signal mode is used to supply power...

Page 627: ...al Create Profile 2 and enter PoE profile view SwitchA poe profile Profile2 In Profile 2 add the PoE policy configuration applicable to Ethernet 1 0 6 through Ethernet 1 0 10 ports for users of group A SwitchA poe profile Profile2 poe enable onfiguration procedure Create Profile 1 and enter PoE profile view SwitchA system view SwitchA poe profile Profile1 In Profile 1 for users of group A SwitchA ...

Page 628: ... for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile 1 to Ethernet 1 0 1 through Ethernet 1 0 5 ports SwitchA apply poe profile Profile1 interface Ethernet1 0 1 to Ethernet1 0 5 Apply the configured Profile 2 to Ethernet 1 0 6 through Ethernet 1 0 10 ports SwitchA apply poe profile Profile2 interface Etherne...

Page 629: ...ions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet rding to the UDP destination port number of the packet If the destination port numbe device modifies the destination IP address in the IP header and then sends the specified destination server z Otherwise...

Page 630: ...erface Vlan interface vlan id Specify the which the UDP destination server to packets are to be forwarded udp helper server ip address n server is specified by default Required No destinatio z P helper function is disabled all configured UDP z cify the same port z belonging to the VLAN and having a matching UDP port will be unicast to the destination server You need to enable UDP Helper before spe...

Page 631: ... required to configure UDP Helper on the switch so that PC A can find PC B through computer search Broadcasts with UDP port 137 are used for searching Network diagram Figure 51 1 Network diagram for UDP Helper configuration Configuration procedure Enable UDP Helper on Switch A SwitchA system view SwitchA udp helper enable Configure the switch to forward broadcasts containing the destination UDP po...

Page 632: ...etrieve and modify the information about any node on the network In the meantime they can locate faults promptly and implement the fault diagnosis capacity planning and report generating As SNMP adopts the polling mechan widely supported by many prod Operation Mechanism P is implemented by two components namely network management station NMS an z An NMS can be a workstation running client program ...

Page 633: ...ined by the standard variables of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object identifier OID of the managed object Configuring Basic SNMP Functions SNMPv3 configuration is quite different from that of SNMPv1 and SNMPv2c Therefore the configuration of basic SNMP functions is describe...

Page 634: ...ne ID snmp agent local engineid engineid Optional By default the device engine ID is enterprise number device information Create Update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Follow these steps to configure basic SNMP functions SNMPv3 To do Use the command Remarks Enter system view ...

Page 635: ...view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 A Switch 4500 provides the following functions to prevent attacks through unused UDP ports z Executing the snmp agent command or any of the commands used to configure SNMP agent enables the SNMP agent and at the same opens UDP port 161 used by SNMP agents and the UDP port used by...

Page 636: ... the traps to be sent to the destination host snmp agent trap queue size size Optional The default is 100 Set the aging time for traps snmp agent trap life seconds Optional 120 seconds by default Configuring Extended Trap Function The extended trap function refers to adding interface description and interface type into the linkUp linkDown trap When receiving this extended trap NMS can immediately ...

Page 637: ...arks Display the SNMP information about the current device display snmp agent sys info contact location version Display SNMP packet statistics display snmp agent statistics Display the engine ID of the current device display snmp agent local engineid remote engineid Display group information about the device display snmp agent group group name Display SNMP user information display snmp agent usm u...

Page 638: ...n z authentication protocol to HMAC MD5 z authentication password to passmd5 z encryption protocol to DES z encryption password to cfb128cfb128 Sysname snmp agent group v3 managev3group privacy write view internet Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode des56 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port E...

Page 639: ...params securityname public Configuring the NMS Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully For more information refer to the corresponding manuals of 3Com s NMS products You can query and configure an Ethernet switch through the NMS 52 8 ...

Page 640: ...ets on a network segment in a specific period of time and the total ber of packets suc z RMON is fully based on SNMP architecture It is compatible with the current SNMP implementations z RMON enables SNMP to monitor remote network devices more effectively and actively thus providing a satisfactory means of monitoring remote subnets reduced thus facilitating the ing Mechanism of RMON N allows multi...

Page 641: ...oup are mainly used by entries in the alarm group and extended al gro p to trigger alarms You can specify a network device to act in one of the followi z Logging the event z Logging z No processing larm group RMON alarm m port When the value of a monitored variable exceeds the threshold an alarm event is generated which then triggers the network device to act in the way defined in the events Event...

Page 642: ...mon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable te lue1 er text Before adding an alarm entry to use the rmon e sampling time delta absolu rising_threshold threshold va event entry1 falling_threshold threshold value2 event entry2 own Optional you need event command to defin...

Page 643: ...ation display rmon prialarm prialarm entry number Display RMON events display rmon event event entry Dis Available in any view play RMON event logs display rmon eventlog event entry RMO ternet Ensure that the SNMP Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm events will be t...

Page 644: ...ever Latest value 0 Sysname Ethernet1 0 1 quit Add the event entries numbered 1 and 2 to the event table which will be triggered by the following extended alarm Sysname rmon event 1 log Sysname rmon event 2 trap 10 21 30 55 Add an entry numbered 2 to the exte variables with the 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 the oversize and undersize packets received sample it in every 10 seconds When the change ...

Page 645: ...ze or be synchronized by other ing NTP messages Appli racy it is unfeasible for an administrator to perform the operation However an erforming NTP NTP z sis of the log information and debugging information collected hat generate the z that the clocks of all network devices be consistent ecution order operations between a backup server and a host you must make NTP following advantages systems by ex...

Page 646: ...cy decreases as the stratum number increases A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock Implementation Principle of NTP Figure 54 1 shows the implementation principle of NTP Ethernet switch A Device A is connected to Ethernet switch B Device B through Ethernet ports Both you am and the clock of Device B is set to 11 00 00 am z It takes one second to tra...

Page 647: ...NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Device A has enough information to calculate the following two parameters z Delay for an NTP message to make a round trip between Device A and Device B Delay T4 T1 T3 T2 z Time offset of Device A relative to ...

Page 648: ...e the local S4500 Ethernet switch serves as the symmetric active peer and sends clock synchronization request first while the remote server serves as the symmetric passive peer automatically If both of the peers have reference clocks the one with a smaller stratum number is adopted Broadcast mode Figure 54 4 Broadcast mode 54 4 ...

Page 649: ... switch and the local switch serves as the symmetric active peer Broadcast mode z Configure the local S4500 Ethernet switch to work in NTP broadcast server mode In this mode the local switch broadcasts NTP messages through the VLAN interface configured on the switch z Configure the S4500 switch to work in NTP broadcast client mode In this mode the local S4500 switch receives broadcast NTP messages...

Page 650: ...ure NTP Task Remarks Configuring NTP Implementation Modes Required Configuring Access Control Right Optional Configuring NTP Authentication Optional Configuring Optional NTP Parameters Optional Displaying NTP Configuration Optional Configuring NTP Implementation Modes An S4500 Ethernet switch can work in one of the following NTP modes z Configuring NTP Server Client Mode z Configuring the NTP Symm...

Page 651: ... server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server z remote ip cannot be a broadcast address a multicast address or the IP address of the local clock z After you specify an interface for sending NTP messages through the source interface keyword the source IP address ...

Page 652: ... through the source interface keyword the source IP address of the NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers for the local switch by repeatin...

Page 653: ...er periodically sends NTP multicast messages to multicast clients The switches working in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization z A multicast server can synchronize multicast clients only after its clock has been synchronized z An S4500 series switch working in the multicast server mode supports up to 1 024 multicast clients Configu...

Page 654: ...t permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device z peer Peer access This level of right permits the peer device to perform synchronization and control query to the local switch and also permits the local switch to synchronize its clock to the peer device NTP service access con...

Page 655: ...nfiguring NTP authentication on the client z Configuring NTP authentication on the server Observe the following principles when configuring NTP authentication z If the NTP authentication function is not enabled on the client the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server assuming that other related configurations a...

Page 656: ...o nding NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP broadcast multicast mode you just need to associate the specified key with the client on the corresponding server NTP authentication requires that the authentication keys configured for the server and the cl...

Page 657: ... configuring NTP mode You can also use this command to associate them after configuring the NTP mode The procedure for configuring NTP authentication on the server is the same as that on the client Besides the client and the server must be configured with the same authentication key Configuring Optional NTP Parameters Complete the following tasks to configure optional NTP parameters Task Remarks C...

Page 658: ...ciations will be created at the symmetric active peer side and dynamic associations will be created at the symmetric passive peer side In the broadcast or multicast mode static associations will be created at the server side and dynamic associations will be created at the client side Follow these steps to configure the number of dynamic sessions allowed on the local switch To do Use the command Re...

Page 659: ...matically work in the server mode Network diagram Figure 54 6 Network diagram for the NTP server client mode configuration Configuration procedure Perform the following configurations on Device B View the NTP status of Device B before synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 100 0000 Hz Actual frequenc...

Page 660: ... Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 350 1 15 1 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Symmetric Peer Mode Network requirements z The local clock of Device A is set as the NTP master cl...

Page 661: ...ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 32 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device C is synchronized to ...

Page 662: ...ew Set Device C as the broadcast server which sends broadcast messages through VLAN interface 2 DeviceC interface Vlan interface 2 DeviceC Vlan interface2 ntp service broadcast server z Configure Device A Perform the same configuration on Device D Enter system view DeviceA system view Set Device A as a broadcast client DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service broadcas...

Page 663: ...f Device D and you can see that a connection is established between Device D and Device C DeviceD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Multicast Mode Network requirements z The local clock o...

Page 664: ... DeviceA Vlan interface2 ntp service multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own VLAN interface 2 and Device C advertises multicast messages through VLAN interface 2 Because Device A and Device C do not share the same network segment Device A cannot receive multicast messages from Device C while Device D is synch...

Page 665: ...vice A as the NTP server Device B is set to work in client mode while Device A works in server mode automatically z The NTP authentication function is enabled on Device A and Device B Network diagram Figure 54 10 Network diagram for NTP server client mode with authentication configuration Configuration procedure z Configure Device B Enter system view DeviceB system view Enable the NTP authenticati...

Page 666: ...us synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequence 100 0000 Hz Actual frequence 100 1000 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device B is synchronized to that of Device A with a clock...

Page 667: ...nterface CLI of a switch for configuration and management In an SSH connection data are encrypted before being sent out and decrypted after they reach the destination This prevents attacks such as plain text password interception SSH also provides powerful user authentication functions that prevent attacks such as DNS and IP spoofing Besides SSH can also provide data compression to increase transm...

Page 668: ...e private key thus ensuring data security You can also signature to the data using the private key and then sends the data to user 2 User 2 verifies the signature using the public key of user 1 If the signature is correct this means that the data originates from user 1 B key algorith signature Cu Symmetric key algorithms are used for encryption and decryption of the data transferred on the SSH c k...

Page 669: ... versi z The clie to use Th er it ca z If the negotiation is successful the server and t All the packets above are transferred in plain text Key n er and the client encrypted algorithm list message algorithm list and compressed algorithm list culate the final algorithm according to the algorithm lists supported the session key and session ID based on the Diffie Hellman DH z A e The n steps are as ...

Page 670: ...informs the client of the authentication result The publickey authentication method authenticates clients using digital signatures Currently the device supports only RSA to implement digi publickey aut verifies the public key If the public key is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform th...

Page 671: ...are that supports Configuring the SSH Client that Runs SSH Client Software Server Configuring an SSH swit Configuring the SSH ch Another switch Client Assumed by an Server SSH2 Capable Switch An SSH server form connection with each SSH client The following describe steps for c ng an SSH c r to form an SSH n in between If multiple SSH servers need to form client and each server a s a secure onfigur...

Page 672: ...Publi Optional If a client does not support first time authentication you need to export the y and configure the key on the client server s public ke Note T cooperat ient to complete the interactions between them For SSH client configuration refer to Configuring the SSH Client he SSH server needs to e with an SSH cl Configuring the User Interfaces for SSH Clients An SSH client will access the devi...

Page 673: ... SSH s le interfaces and IP add steps to configu nt functions he SSH server provides er of management prevent illegal operations suc nnections Y ress or the interface correspon ervices for clients In this way t ding to the IP address for the e SSH client accesses the SS SH serve server only using the specified IP erver has multip resses Follow these re SSH manageme To do Use the command Remarks En...

Page 674: ...hether to rwrite it To do Use the command Remarks Enter system view system view Generate an RSA key pairs public key local create rsa Required By default no key pairs ar e generated z The command for generating a key pair can survive a reboot You only need to configure it once It takes more time to encrypt and decrypt data with a longer key which however ensures higher security Therefore specify t...

Page 675: ... on one client for publickey authentication With the AAA function in password authentication the level of commands available to a logged in SSH user is determined by the AAA scheme Follow these steps to configure an SSH user and specify an authentication type for the user An SSH user is represented as a set of use with the SSH username When a user logs in to the SSH server from the SSH client a us...

Page 676: ...et the service type of the user to SSH If the default authentication type for SSH users is password and remote authentication RADIUS authentication for example is adopted you need not use the ssh user command to create an SSH user because it is created on the remote server And the user can use its username and password configured on the remote server to access the network Under the publickey authe...

Page 677: ...key au e configured for an SSH t configure SA host public key for authenticati ou can manually config blic key or import it from a pu anually copy the client s pu y to the server In the latte uration on the server beforehand through FTP TFTP To do Use the command Remarks Enter system view m view syste Required Enter public key view public key peer keyname Enter public key edit view public key code...

Page 678: ...equired If you issue this command SSH user ssh user username assign multiple times the last command overrides the previous ones publickey keyname Exporting the Host Public Key to I ring the Public Key of a Client on the Server a File n tasks of Configu or Configuring whether first time uthentication is supported a an SSH client s or an SSH server s host public key can be imported from a c key file...

Page 679: ...rd Configuring an SSH Client that e is Runs SSH Client Software Configuring an SSH Client Assum SH2 Capable ed by an S Switch The authentication mode is Configuring an SSH publickey Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 Capable Switch Whether first authentication is Configuring an SSH Client supported Assumed by an SSH2 Capable Switch Configuring an SSH ...

Page 680: ...ended to use OpenSSH_3 1p1 OpenSSH_4 2p1 is also supported Any other version or other client please be careful to use Selecting the protocol for remote connection as SSH Usually a client can use a variety of remote connection protocols such as Telnet Rlogin and SSH To establish an SSH connecti z z Specifying the private key file On the server if public key authentication is enabled for an SSH user...

Page 681: ...f shown in Figure 55 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 55 4 Generate the client keys 2 After the key pair is generated click Save public key and enter the key public in this case to save the public key Figure 55 5 Generate the client keys 3 name of the file for saving the public ...

Page 682: ... key whether to save the private key without saving the private key private in this case Figure 55 6 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click file and then click Convert Figure 55 7 Generate the client keys 5 Browse and select the public key Specifying the IP address of the Server Launch PuTTY exe The following window appears ...

Page 683: ...e that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 55 8 select SSH under Protocol Selecting an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 55 9 appears ...

Page 684: ...on From the window shown in Figure 55 9 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection To log out enter the quit command Opening an SSH connection with publickey authentication If a user needs to be authenticated with a public key the corresponding private key file must be specified A pri...

Page 685: ... publickey authentication unnecessary for password authentication Configuring whether first time authentication is supported Optional Specifying a source IP address interface for the SSH client Optional Establishing the connection between the SSH client and server Required Configuring the SSH client for publickey authentication When the authentication mode is publickey you need to configure the RS...

Page 686: ...first time authentication support To do Use the command Remarks Enter system view system view Disable first time authentication support undo ssh client first time Required By default the client is enabled to run first time authentication Configure server public key Refer to Configuring the Public Key of a Client on the Server Required The method of configuring server public key on the client is si...

Page 687: ...er_kex dh_group1 dh_exchange_group prefer_ctos_cipher 3des des aes128 prefer_stoc_cipher 3des des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In this command you can also specify the preferred key exchange algorithm encryption algorithms and HMAC algorithms between the server and client HMAC Hash based message authentication code Support for th...

Page 688: ...splay information about the peer RSA public keys display rsa peer public key brief name keyname display public key peer brief name pubkey name Generate RSA key pairs rsa local key pair create public key local create rsa Destroy RSA key pairs rsa local key pair destroy public key local destroy rsa Enter public key view rsa peer public key keyname public key peer keyname Import RSA public key from p...

Page 689: ...he switch SSH Server for secure data exchange The host runs SSH2 0 client software Password authentication is required Network diagram Figure 55 11 Switch acts as server for local password authentication Configuration procedure z Configure the SSH server Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection Switch system ...

Page 690: ...nt001 authentication type password z Configure the SSH client Configure an IP address 192 168 0 2 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty version 0 58 as an example 1 Run PuTTY exe to enter the followin...

Page 691: ...ation succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 55 14 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password and RADIUS authentication is required z The host runs SSH2 0 client software to establish a local connection with the switch ...

Page 692: ...ation from the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN Access Service as the service type z Specify the ports...

Page 693: ... and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 55 16 Add an account for device management 2 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch system view Switch interface vlan interface 2 Switc...

Page 694: ...witch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user hello authentication type password 3 Configure the SSH client Config...

Page 695: ... category on the left pane of the window select Connection SSH The window as shown in Figure 55 18 appears Figure 55 18 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Then click Open If the connection is normal you will be prompted to enter the user name hello and the password Once ...

Page 696: ...connection with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 55 19 Switch acts as server for password and HWTACACS authentication Configuration procedure z Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch s...

Page 697: ...bb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure...

Page 698: ...l log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals When Switch Acts as Server for Publickey Authentication Network requirements As shown in Figure 55 22 establish an SSH connection between the host SSH client and the switch SS...

Page 699: ...t s command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Configure the authentication type of the SSH client named client 001 as publickey Switch ssh user client001 authentication type publickey Before performing the following steps you must generate an RSA public key pair using the client software on the client save the key pair in a file named public and the...

Page 700: ... key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 55 24 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 701: ...or saving the public key public in this case Figure 55 25 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the private key private ppk in this case ...

Page 702: ...ion before you continue to configure the client Establish a connection with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 55 27 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 55 28 appears ...

Page 703: ...ocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 55 29 SSH client configuration interface 3 Click Browse to bring up the file selection window navigate to the private key file and click OK ...

Page 704: ...nd assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA key pair on the server is prerequisite to SSH login Generate RSA key pair SwitchB public key local create rsa Set the authentication mode for ...

Page 705: ...thenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Enter password After you enter the correct password you can log into Router B successfully When Switch Acts as Client for Publickey Authentication Network requirements As shown in Figure 55 31 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The u...

Page 706: ...key pair on the client and save the key pair in a file named Switch001 and then upload the file to the SSH server through FTP or TFTP For details refer to Configure Switch A Import the client public key pair named Switch001 from the file Switch001 SwitchB public key peer Switch001 import sshkey Switch001 Assign the public key Switch001 to user client001 SwitchB ssh user client001 assign publickey ...

Page 707: ...tch Acts as Client and First Time Authentication is not Supported Network requirements As shown in Figure 55 32 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name is client001 and the SSH server s IP address is 10 165 87 136 The publickey authentication mode is used to enhance security Network diagram Figure 55 32 Switch acts as c...

Page 708: ...rst generate a RSA key pair on the client and save the key pair in a file named Switch001 and then upload the file to the SSH server through FTP or TFTP For details refer to the following Configure Switch A Import the client s public key file Switch001 and name the public key as Switch001 SwitchB public key peer Switch001 import sshkey Switch001 Assign public key Switch001 to user client001 Switch...

Page 709: ...ient Disable first time authentication on the device SwitchA undo ssh client first time When first time authentication is not supported you must first generate a RSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP For details refer to the above part Configure Switch B Import the public key pair named Switch002 fr...

Page 710: ...tions Optional Prompt Mode Configuration Optional The 3com 4500 series Ethernet switches support Expandable Resilient Networking XRN and allow to access a file on a switch in one of the following ways To access a file on the specified unit you need to specify the file in universal resource locator URL format and starting with unit No you z flash where No represents the unit ID of the switch For z ...

Page 711: ... Only empty directories can be deleted by using the rmdir command In the output information of the dir all command deleted files that is those stored in the recycle bin are embraced in brackets z File Operations Follow these steps to perform file related operations Use the command Remarks To do Delete a file ed file url delete running files standby files fabric stored it by mand ecifying the Avail...

Page 712: ...ed files whose names are the same only the latest deleted file is kept in the recycle bin and can be restored The files which are deleted by the z delete command without the unreserved keyword are actually clear the recycle bin by using z r all command displays the files in the recycle bin in square brackets z If the configuration files are deleted the switch adopts the null configuration when it ...

Page 713: ...0 47 38 serverkey r 02 2000 00 06 57 song cfg 1r1 bin ate data txt with main attribute b with backup attribute cfg as the name of the new file config cfg flash test 1 cfg to unit1 flash test 1 cfg Y N y g Done ystem Configuration Examples Display all the files in the root directory of the file system on the loca Sysname dir all Directory of unit1 flash 1 rw 5822215 Jan 01 1970 00 07 03 test bin 2 ...

Page 714: ...ration files and Web files supp ain backup and none as described in Table 56 1 6 rw 26103 Jan 8 rw 1376 Apr 02 2000 01 56 28 confi 9 drw Apr 04 2000 04 5 7239 KB total 2631 KB free b with both main and backup attribute Sysname dir unit1 flash tes Di 1 rw 1376 Apr 04 2000 04 5 7239 KB total 2025 KB free with main attribute b with both main and backup attribute At ribute Configuration The following ...

Page 715: ...ry the file al default app file has the main attribute Boot fails to boot with the For nfiguration file 3com may provide corresponding default file when releasing tw sele 2 b file does not exist but the main Web file exists the device will boot with the main nor the main Web file exists but the backup Web exists the device will boot with the backup Web file eb file main Web file and backup Web exi...

Page 716: ...le Optional t the user is enabled customized BOOT menu Available in user view enter the BOOT menu startup boo By defaul to use the password to enter the Display the information about ed as the startup display boot loader unit unit id the app file us file Display information about the e Optional Available in any view W b file used by the device display web package z the switch y using the boot web ...

Page 717: ...ds the file to the TFTP server In th downloads the startup configuration file from The configurations of different un on the TFTP server These configuration files form the startup c onfiguration prerequisites ns you must first ensu The relevant units The TFTP server is started P client TP server and ollow these ste restore configuration file To do Use the command Remarks Back up the current config...

Page 718: ...n FTP client or the FTP serve 1 Role cts as in FTP Item Description Remarks FTP server n FTP server by ess An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log in to a switch operating as a running an FTP client program on your PC to acc files on the FTP server FTP client can operate as an FTP client through which you can access files on...

Page 719: ...P address for an FTP server Optional Switch Operating as an FTP Server Disconnecting a specified user Optional Configuring the banner for an FTP server Optional Displaying FTP server information Optional Basic configurations on an FTP client FTP Configuration A Switch Operating as an FTP Client Specifying the source interface and source IP address for an FTP client Optional FTP Configuration A Swi...

Page 720: ... be disconnected with the FTP server due to lack of storage space on the FTP server z When you log in to a Fabric consisting of multiple switches through an FTP client after the FTP client passes authentication you can log in to the master device of the Fabric z You cannot access a 3com switch 4500 operating as an FTP server through Microsoft Internet Explorer To do so use other client software To...

Page 721: ...rface and source IP address for an FTP server To do Use the command Remarks Enter system view system view Specify the source interface for an FTP server ftp server source interface interface type interface number Use either command Not specified by default Specifying the source IP address for an FTP server ftp server source ip ip address z The specified interface must be an existing one Otherwise ...

Page 722: ...ect the user after the data transmission is completed Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection between an FTP client and an FTP server is established the FTP serve...

Page 723: ...e the command Remarks Display the information about FTP server configurations on a switch display ftp server Available in any view Display the source IP address set for an FTP server display ftp server source ip Display the login FTP client on an FTP server display ftp user FTP Configuration A Switch Operating as an FTP Client Basic configurations on an FTP client By default a switch can operate a...

Page 724: ...ory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Optional Create a directory on the remote FTP server mkdir pathname Remove a directory on the remote FTP server rmdir pathname Delete a specified file delete remotefile dir remotefile localfile Optional If no file name is specified all the files in the current directory are displayed The d...

Page 725: ...rface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP server Follow these steps to specify the source interface and source IP address for an FTP client To do Use the command Remarks ftp cluster remote server source interface interface type interface number Specify the source interface used for the current connection Optional ftp cluster remote serv...

Page 726: ...tch operates as an FTP server and a remote PC as an FTP client The application switch bin of the switch is stored on the PC Upload the application to the remote switch through FTP and use the boot boot loader command to specify switch bin as the application for next startup Reboot the switch to upgrade the switch application and download the configuration file config cfg from the switch thus to ba...

Page 727: ...itch through FTP Input the username switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 User logged in ftp Upload file switch bin ftp put switch bin 200 Port command okay 150 Opening ASCII mode data connection for switch bin 226 Transfer complete ftp 75980 bytes receiv...

Page 728: ...pgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging part of this manual FTP Banner Display Configuration Example Network requirements Configure the Ethernet switch as an FTP server and the remote PC as an FTP client After a connection between the ...

Page 729: ...d for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operating as an FTP Client Network requirements A switch operates as an FTP client and a remote PC as an FTP server The switch application named switch bin is stored on the PC Download it to the switch through FTP and use the boot boot loader command to specify switch bin as the application for next st...

Page 730: ...e uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP server the user name and the password as well to enter FTP view Sysname ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 FTP service ready User none admin 331 Password required for admin Password 230 User logged in f...

Page 731: ...TP Configuration A Switch Operating as an SFTP Server Enabling an SFTP server Before enabling an SFTP server you need to enable the SSH server function and specify the service type of the SSH user as SFTP or all For details see the SSH server configuration part of SSH Operation Manual of this manual Follow these steps to enable an SFTP server To do Use the command Remarks Enter system view system ...

Page 732: ...ttempt to log in to the SFTP server or multiple connections are enabled on a client only the first user can log in to the SFTP user The subsequent connection will fail z When you upload a large file through WINSCP if a file with the same name exists on the server you are recommended to set the packet timeout time to over 600 seconds thus to prevent the client from failing to respond to device pack...

Page 733: ...ectory on the remote SFTP server rmdir pathname delete remotefile Optional Delete a specified file Both commands have the same effect remove remote file dir a l remote path Optional If no file name is provided all the files in the current directory are displayed Query a specified file on the SFTP server ls a l remote path The difference between these two commands is that the dir command can displa...

Page 734: ...er system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Use either command Specify an IP address as the source IP address of the specified SFTP client sftp source ip ip address Not specified by default Optional Display the source IP address used by the current SFTP client display sftp source ip Avail...

Page 735: ...ion timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user client001 service type sftp Enable the SFTP server Sysname sftp server enable 2 Configure the SFTP client switch A Configure the IP address of the VLAN interface on switch A It must be in the same segment ...

Page 736: ...key2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Success Add a directory new1 and then check whether the new directory is successfully created sftp client mkdir new1 Received status Success New directory created sftp client dir rwxrwxrwx 1 noone nogroup 17...

Page 737: ...ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received status Success Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24...

Page 738: ... TFTP server A 3com switch 4500 can act as a TFTP client only When a 3com switch 4500 serving as a TFTP client d seven segment digital LED on the front panel of the switch rotates clockwise and it stops ro Figure 57 1 oading is finished as shown in n you download a file that is larger than the free space of the switch s flash memory If the TFTP server supports file size negotiation f Whe z ile siz...

Page 739: ...tp tftp serv dest file Optional Upload a file to a TFTP server tftp tftp server put source file dest file Optional Enter system view system view Set the file transmission mode tftp ascii binary Binary by default Optional Specify an ACL rule used by Optional fied by default the specified TFTP client to access a TFTP server tftp server acl acl number Not speci pecifying the source S interface or sou...

Page 740: ...ne configured later will overwrite the original one The specified interface must be an existing one otherwise a prompt appears to show that the configuration fails The value of the ip address argument must be an IP address on the device where the configuration is performed and otherwise a prompt appears to show that the z The source interface source IP address set for one connection is prior to th...

Page 741: ...them through the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0 Sysname Vlan ...

Page 742: ...58 5 For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual ...

Page 743: ...system information hub information center classifies and manages system information Together with the de support for network administrators and developers in monitoring The information center of the system has the followi on of system information The system is available z Log information z Trap information z Debugging information of system information The information is classified into eight level...

Page 744: ...els and output tions Information channel Default channel Default output destination number name 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap and debugging information facilitating remote maintenance 2 loghost Log host Receives log trap and debugging information and information will be stored in files for future retrieval 3 trapbuffer Tr...

Page 745: ...e FTM ent module Fabric topology managem FTMCMD Fabric topology management command module FTPS FTP server module HA High availability module HTTPD HTTP server module IFNET Interface management module IGSP IGMP snooping module IP Internet protocol module LAGG Link aggregation module LINE Terminal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neig...

Page 746: ...content To sum up the major task of and then redirect the system information from the ten channels to the nformation Format The format of system information varies with the output destination The space the forward slash and the colon are all required in the above format or debugging information respectively z z Before timestamp may have or followed with a space indicating log alarm Below is an exa...

Page 747: ...f the onds information sent from the system center to the Console monitor terminal wich standard time s of output information is the local time on each switch it is not so convenient for you to associated with each severity No that the priority field appears only when the information has been sent to the log host tamp Timestamp records the time when system information is generated to allow users t...

Page 748: ...he output information After t D login Sysname Sysname is the system name of the local switch and defaults to 3Com You can use the sysname command to modify the system name Refer to the System Maintenance and Debugging part of this manual f Note that there is a space between the This field is a preamble used to identify a vendor It is displayed only when the output destination is log host The modul...

Page 749: ...he Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Config ous Inform t S on output re system log trap or debugging information is output when the user is inputting commands the command line prompt in ommand editing mode a prompt or a Y N string in interaction mode and the input information are r the ...

Page 750: ...these steps to configure to display time stamp with the To do Use the command Remarks Set the time zone for the system clock timezone zone name R add minus time equired By default UTC time zone is set for the system Enter system view system view Log ho dir mestamp ate st ection info center ti loghost d Set the time format in the output stamp destination of the information center Non log ho dir inf...

Page 751: ...man ebugging for the corresponding modules ion to debu d to enable d when co figuring t e system formation tput rules nd use th T f er utput d s able 59 4 De ault output rules for diff ent o estination LOG TRAP DEBUG Output destination Modules allowed Enable d disab led Severit y Enabled disabled Severity Enabled disabled Severity Console modules Enabled s Enabled g debuggin Enabled debuggin g def...

Page 752: ...er interface Setting to output s m Follo s to set monitor g to Output Syste Information to a Monitor al ch is a user terminal tha yste w these step information to a monitor terminal to output system information to a terminal To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable system n output to nal or l inf...

Page 753: ...isplay utput information on itor termin To do Use the command Remarks Enable the debugging log trap informatio terminal display function terminal monitor Optional Enabled by default n Enable debugging information terminal display function terminal debugging Optional Disabled by default Enable log information terminal display function terminal logging Enabled by default Optional Enable trap informa...

Page 754: ...l number channel name log trap debug level severity state state Optional Refer to Table 59 4 for the default output rules of system information Set the forma sta o the g loghost date By default the time stamp format of the t of the time mp to be sent t info center timestamp Optional lo host no year date none information output to the log host is date z info center switch on command to enable the a...

Page 755: ...command Remarks Enter system view system view Enable the informatio center n info center enable Optional Enabled by default Enable information output to the log buffer ze Optional t the switch uses info center logbuffer channel channel number channel name size buffersi By defaul information channel 4 to output log information to the log buffer which can holds up to 512 items by default Configure t...

Page 756: ...ling a Port from Generating Link Up Down Logging Information By default a s of the device g gging informatio e port state changes Therefore you may need to use this function in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable m generatin rmation z The state of a port is not stable and therefore redundant logging be generate...

Page 757: ...d in the log buffer unit unit id regular expression display logbuffer level severity size buffersize begin exclude include Display the summary information recorded in the log buffer vel severity display logbuffer summary le Display the status of trap buffer and the display trapbuffer unit unit id Available in any view information recorded in the trap buffer size buffersize Clear information record...

Page 758: ...nter source ip chann state off 2 Configure the log host The operations here are performed on SunOS 4 0 The operations on other manufacturers Unix operation Step 1 Execute the following commands as the sup touch var log Switch information St Switch configuration messages local4 info var log Switch information Whe z tarting with a sign z In each pair a tab should be used as a separator instead of a ...

Page 759: ...inux log host Configuration procedure r than error to the log host ug state off trap on ser root user to add the following selector action airs Switch configuration messages local7 info var log Switch information 1 Configure the switch Enable the information center Switch system view Switch info center enable Configure the host whose IP address is 202 38 1 10 as the log host Permit all modules to ...

Page 760: ... ID of the system daemon syslogd stop the process and then restart the daemon syslogd in the background with the r option ps ae grep syslogd 147 kill 9 147 syslogd r In case of Linux log host the daemon syslogd must be started with the r option After all the above operations the switch can record information in the corresponding log file Through combined configuration of the device name facility i...

Page 761: ...inal display Switch terminal monitor Switch terminal logging Configuration Example Network requirements z The switch is in the time zone of GMT 08 00 00 z The time stamp format of output log information is date z UTC time zone will be added to the output information of the information center Network diagram Figure 59 4 Network diagram Configuration procedure Name the local time zone z8 and configu...

Page 762: ...Boot ROM and host interested in z Introduction to Loading Approaches Local Boot ROM and Software Loading z z Remote Boot ROM and Software Loading Introduction to Loading Approaches sing h Ethernet port tware remotely by using FTP TFTP You can load software locally by u z XModem through Console port z TFTP through Ethernet port z FTP throug You can load sof z z The Boot ROM software version should ...

Page 763: ...on date Sep 8 2008 14 35 39 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 00e0fc003962 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To enter the BOOT menu you should press Ctrl B within five seconds full startup mode or one second fast startup mode after the information Press Ctrl B to enter BOOT Menu displays Otherwise the system starts to ...

Page 764: ...ion characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the packet using the agreed method If the check succeeds the receiving program sends acknowledgement characters and the sending program proceeds to send another packet If the check fails the receiving program se...

Page 765: ...s as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display the above information Following are configurations on PC Take the HyperTerminal in Windows 2000 as an example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then...

Page 766: ...udrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in HyperTerminal and click Browse in pop up dialog box as shown in Figure 60 4 Selec...

Page 767: ... Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done z If the HyperTerminal s baudrate is not reset to 19200 bps the system prompts Your baudrate should be set to 19200 bps again Press enter key when ready z You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 1920...

Page 768: ...Console port of the switch and logs onto the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the HyperTerminal on the PC and configure XModem as the transfer protocol and configure communication parameters on the Hyper Terminal the same as that on the Console port Step 3 Choose the file to be loaded ...

Page 769: ...ur choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name Switch btm Switch IP address 1 1 1 2 Server IP address 1 1 1 1 Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N Step 6 Enter Y to start file downloading or N to return to the Bo...

Page 770: ...s an FTP client or a server and download software to the switch through an Ethernet port The following is an example Loading Procedure Using FTP Client z Loading Boot ROM Figure 60 7 Local loading using FTP client Switch PC FTP Server FTP Client Ethernet port Console port Step 1 As shown in Figure 60 7 connect the switch through an Ethernet port to the FTP server and connect the switch through the...

Page 771: ...nload and update the program Upon completion the system displays the following information Loading done Bootrom updating done z Loading host software Follow these steps to load the host software Step 1 Select 1 in BOOT Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu E...

Page 772: ...ress is 10 1 1 1 to the switch Figure 60 8 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands Sysname ftp 10 1 1 1 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none abc 331 Give me your password please Password 230 Logged in successfully ftp get switch btm ftp bye When using different FTP s...

Page 773: ...Flash memory before software downloading For information about deleting files refer to File System Management part of this manual z Ensure the power supply during software loading Loading Procedure Using FTP Server As shown in Figure 60 9 the switch is used as the FTP server You can telnet to the switch and then execute the FTP commands to upload the Boot ROM switch btm to the switch 1 Loading the...

Page 774: ... ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP client software on the PC Refer to Figure 60 10 for the command line interface in Windows operating system Figure 60 10 Command line interface Step 5 Use the cd command on the interface to enter the path that the Boot ROM upgrade file is to b...

Page 775: ...ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 60 12 to log on to the FTP server Figure 60 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 60 13 60 14 ...

Page 776: ...the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user guide before operation z Only the configuration steps concerning loading are listed he...

Page 777: ...t the name and time range of the summer time start date end time end date offset time Ex z z nt time so as to toggle the summer time to normal system time clock summer time zone_name one off repeating start time Optional ecute this command in user view When the system reaches the specified start time it automatically adds the specified offset to the current time so as to toggle the system time to ...

Page 778: ...iagnose errors following z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen Figure 61 1 illustrates the relationship between the protocol debugging switch and the screen output 2 and 3 Only when both switch Assume that the device can output debugging information to...

Page 779: ... unit id module name interface interface type interface number Display all enabled debugging in the Fabric by module display debugging fabric by module Available in any view Displ rresponding operating information display command s You can use mand here t rating information modules in the system for troubleshooting your system aying Operating Information about Modules in System When an Ethernet sw...

Page 780: ...estination command can output the following results Response status for each ping packet If no response packet is received within the the message Request time out is displayed Otherwise the number of data bytes packet serial number time to live TTL and response time of the response packet are displayed Final rt You can use the tracert co destination This command is mainly used to check the network...

Page 781: ...h z Configure real time mon z Specify the APP to be used at the next reboot z Update the Boot ROM z z Identifying and Diagnosing Pluggable Transce Device Management Configuration e Management Configuration Task list Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System Optional Specifying ...

Page 782: ... dd yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the delay time for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and set the reboot period schedule reboot regularity at hh mm period Optional The switch timer can be set to precision of one minute that is the switch will reboot within one minute after the specified r...

Page 783: ...g Boot ROM With this command a remote user can conveniently upgrade the Boot ROM by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switch restarts Use the following command to upgrade the Boot ROM To do Use the command Remarks Upgrade the Boot ROM boot bootrom file url device name Required Enabling Auto Power Down on an Ethernet Port Whe...

Page 784: ...e 63 1 Table 63 1 Commonly used pluggable transceivers Transceiver type Applied environment Whether can be an optical transceiver Whether can be an electrical transceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small...

Page 785: ...digital diagnosis function which enables a transceiver to monitor the main parameters such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take corresponding measures to prevent transceiver faults Follow these steps to display pluggable transceiver information To do Use the command Remarks Display the current alarm information of the plugg...

Page 786: ... following configuration on the FTP server z Configure an FTP user whose name is switch and password is hello Authorize the user with the read write right on the directory Switch on the PC z Make configuration so that the IP address of a VLAN interface on the switch is 1 1 1 1 the IP address of the PC is 2 2 2 2 and the switch and the PC is reachable to each other The host software switch bin and ...

Page 787: ...ser none switch 331 Give me your password please Password 230 Logged in successfully ftp 5 Enter the authorized path on the FTP server ftp cd switch 6 Execute the get command to download the switch bin and boot btm files on the FTP server to the Flash memory of the switch ftp get switch bin ftp get boot btm 7 Execute the quit command to terminate the FTP connection and return to user view ftp quit...

Page 788: ...e switch to upgrade the Boot ROM and host software of the switch Sysname reboot Start to check configuration with next startup configuration file please wait This command will reboot the device Current configuration may be lost in next startup if you continue Continue Y N y This will reboot device Continue Y N y ...

Page 789: ...te the following when configuring a scheduled task The commands in a scheduled task must b you can specify multiple scheduled tasks iguring a scheduled task to be executed at a specified time steps to c d task that will be execu ed time To do Use the command Description Enter system view system view Create a scheduled task and enter scheduled task view job job name Required Configure the view wher...

Page 790: ... view for each scheduled task Required You can specify only Config be executed ure a scheduled task to after a delay time time time id one off repeating delay time command command Required Display configuration of a specified scheduled task display job job name Available in any view A scheduled task with a delay time configured will still be executed after the specified delay time even if the syst...

Page 791: ...sdays Fridays Switch system view Create scheduled Switch job pc1 Configure the view where the specified command to be executed as Ethernet interface view Switch job pc1 Configure the scheduled task so that the Ethernet port can be enabled on Switch at eight AM from Monday to Friday Switch job pc1 time 1 repeating at 8 00 week day Mon Tue Wed Thu Fri command undo shutdown Configure the scheduled ta...

Page 792: ...N feature is a simple yet flexible Layer 2 tunneling technology It tags private network packets with outer VLAN tags thus enabling the packets to be transmitted through the service providers backbone networks with both inner and outer VLAN t transmitted by their outer VLAN tags that is the VLAN tags of public networks and t tags are treated as part of the payload shows the structure of single tagg...

Page 793: ...t frame A Switch 4500 switch determines whether a received frame is VLAN tagged by comparing its own TPID ange the TPID that a port uses when tagging a received VLAN VPN as the same position with the protocol type field in a frame without a VLAN tag To avoid problems in packet forwarding and handling you cannot set the TPID value to any Table 65 1 Comm col type values in Ethernet frames with the T...

Page 794: ... Replicating and Mapping Feature Optional As XRN fabric is mutually exclusive with VLAN VPN make sure that XRN fabric is disabled on the switch before performing any of the configurations listed in the above table For information about XRN fabric refer to XRN Fabric Configuration in this manual Enabling the VLAN VPN Feature for a Port Follow these steps to enable the VLAN VPN feature for a port To...

Page 795: ...ting and mapping feature Follow these steps to configure the inner to outer tag priority replicating and mapping feature To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the inner to outer tag priority replicating feature vlan vpn inner cos trust enable Enable the inner to outer tag priority mapping feature and cr...

Page 796: ... in VLAN 100 created in the private network while terminal users and terminal servers are in VLAN 200 which is also created in the private network The VLAN VPN connection is established in VLAN 1040 of the public network z Switches of other vendors are used in the public network They use the TPID value 0x9200 z Employ VLAN VPN on Switch A and Switch B to enable the PC users and PC servers to commu...

Page 797: ... view SwitchB vlan 1040 SwitchB vlan1040 port Ethernet 1 0 21 SwitchB vlan1040 quit SwitchB interface Ethernet 1 0 21 SwitchB Ethernet1 0 21 vlan vpn enable Set the TPID value of Ethernet1 0 22 to 0x9200 for intercommunication with the devices in the public network and set the port as a trunk port permitting packets of VLAN 1040 SwitchB Ethernet1 0 22 vlan vpn tpid 9200 SwitchB Ethernet1 0 22 quit...

Page 798: ...N tag of the port VLAN 1040 2 The TPID value of the outer VLAN tag is set to 0x9200 before the packet is forwarded to the public network through Ethernet1 0 12 of Switch A 3 The outer VLAN tag of the packet remains unchanged while the packet travels in the public network till it reaches Ethernet1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded through Ethernet1 0 21 of Switch ...

Page 799: ...you can configure inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the port connecting to the access layer device according to their VLAN tags and add different outer VLAN tags to these bas...

Page 800: ... source MAC addresses of user packets to the MAC address table of the default VLAN on the port However the port with selective QinQ enabled can insert an outer VLAN tag other than that of the default VLAN to the packe when packets are forwarded from the service provider to destination MAC addresses cannot be found in the M Figure 66 2 Learn MAC addresses of selective QinQ As shown in Figure 66 2 t...

Page 801: ...he Inter VLAN MAC Address Replicating Feature Optional If XRN Fabric has been enabled on a device you cannot enable the VLAN VPN feature and the selective QinQ feature on any port of the device Enabling the Selective QinQ Feature for a Port QinQ feature z ts of specific VLANs the VLANs whose tags are to be Follow these nable the selecti The following configurations are required for the selective z...

Page 802: ...nction are removed z MAC address entries obtained through the inter VLAN MAC address replicating feature cannot be removed manually To remove a MAC address entry of this kind you need to disable the inter VLAN MAC address replicating feature first z VLAN 4093 is a special VLAN reserved for the XRN fabric feature It can not serve as the destination VLAN of the inter VLAN MAC address replicating fea...

Page 803: ...ce broadcast packets in the network enable the inter VLAN MAC address replicating feature for selective QinQ Network diagram Figure 66 3 Network diagram for selective QinQ configuratio Configuration procedure z Configure Switch A Create VLAN 1000 VLAN 1200 and VLAN 5 the default VLAN of Ethernet 1 0 3 on SwitchA SwitchA system view SwitchA vlan 1000 SwitchA vlan1000 quit SwitchA vlan 1200 SwitchA ...

Page 804: ... the MAC address table of the default VLAN and replicate the MAC address entries of the MAC address table of the default VLAN to the MAC address tables of the outer VLANs SwitchA Ethernet1 0 3 vid 1200 quit SwitchA Ethernet1 0 3 mac address mapping 0 source vlan 5 destination vlan 1000 SwitchA Ethernet1 0 3 mac address mapping 1 source vlan 5 destination vlan 1200 SwitchA Ethernet1 0 3 quit Switch...

Page 805: ...agged After the above configuration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the packets from the servers be transmitted to the clients in the same way you need to configure the selective QinQ feature and the inter VLAN MAC address replicating feature on Ethernet 1 0 12 and Ethernet 1 0 13 ...

Page 806: ... administrator name plus a test tag You can perform a remote ping test after creating a test group and configuring the test parameters Different from the ping command remote ping does not display the round trip time RTT and timeout status of each packet on the console terminal in real time You need to execute the display remote ping command to view the sta allows setting the parameters of rem Figu...

Page 807: ...ation this test is considered a failure This parame remote ping command is iguring remote ping Configure re Operation Command Description Enter system view system view Enable remote ping Client t enable remote ping Client remote ping agen Required By default is disabled Create a remote ping test group ote ping administrator name operation t no remote ping test rem tag Required By defaul group is c...

Page 808: ...10 Receive response times 10 ote ping Configuration Example Network requirement Perform a remote ping ICMP t RTTs of data packets betw onfiguration procedure Enable remote ping Client Sysname system view System View return to User V Sysname remote ping agent enable Create a remote ping test group administrator icmp Sysname remote ping administrator icmp Specify the test type as ICMP Sysname remote...

Page 809: ...st in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number Operation sequence errors 0 Drop operati Other operation errors 0 Sysname remote ping administrator icmp display remote ping history ad remote ping entry admin administrator tag icmp history record Index Response Status LasrRC Time 1 1 1 0 2004 11 25 16 28 55 0 2 1 1 0 2004 1...

Page 810: ...Internet difference be Features mat simplification IPv6 cuts down some IPv4 header fields or moves them to extension headers to reduce the overhead of the basic IPv6 header IPv6 uses a fixed length header thus making IPv6 packet handling simple and improving the forwarding efficiency Although th the size of the IPv6 header is only twice that of the IPv4 header excluding t specific IPv6 header form...

Page 811: ...e packets Enhanced neighbor discovery mechanism The IPv6 neighbor discovery protocol is implemented by a group of Internet Control Message Protocol Version 6 ICMPv6 messages The IPv6 neighbor discovery protocol manages message exchange between neighbor nodes nodes on the same link The group of ICMPv6 messages takes the place of Address Resolution Protocol ARP Internet Control Message Protocol Vers...

Page 812: ...and anycast address z Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An identifier for a set of interfaces typically belonging to different nodes similar to an IPv4 multicast address A packet sent to a multicast address is delivered to all interfa...

Page 813: ...0 1 represented in shorter format as 1 is called the loopback address and may never be assigned to any physical interface Like the loopback address in IPv4 it may be used by a node to send an IPv6 packet to itself z Unassigned address The unicast address is called the unassigned address and may not be assigned to any node Before acquiring a valid IPv6 address a node may fill this address in the so...

Page 814: ...s unique it is necessary to set the universal local U L bit the seventh high order bit to 1 Thus an interface identifier in EUI 64 format is obtained Figure 68 2 Convert a MAC address into an EUI 64 address Introduction to IPv6 Neighbor Discovery Protocol The IPv6 Neighbor Discovery Protocol NDP uses five types of ICMPv6 messages to implement the following functions z Address resolution z Neighbor...

Page 815: ...the default gateway sends a redirect message to the source host so that the host can reselect a correct next hop router to forward packets z The 3com switch 4500 does not support the RS RA or Redirect message z Of the above mentioned IPv6 NDP functions 3com switches 4500 support the following three functions address resolution neighbor unreachability detection and duplicate address detection The s...

Page 816: ...ders that node B is reachable Otherwise node B is unreachable Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate address detection to determine whether the address is being used by other nodes similar to the gratuitous ARP function The duplication address detection is accomplished through NS and NA messages Figure 68 4 shows the duplicate address dete...

Page 817: ...y Packets Optional Displaying and Maintaining IPv6 Optional Configuring an IPv6 Unicast Address z An IPv6 address is required for a host to access an IPv6 network A host can be assigned a global unicast address a site local address or a link local address z To enable a host to access a public IPv6 network you need to assign an IPv6 global unicast address to it IPv6 site local addresses and global ...

Page 818: ...e either command By default no site local address or global unicast address is configured for an interface Note that the prefix specified by the prefix length argument in an EUI 64 address cannot exceed 64 bits in length Automatically generate a link local address ipv6 address auto link local Configure an IPv6 link local address Manually assign a link local address for an interface ipv6 address ip...

Page 819: ... must have carried out the ipv6 address auto link local command before you carry out the undo ipv6 address auto link local command However if an IPv6 site local address or global unicast address is already configured for an interface the interface still has a link local address because the system automatically generates one for the interface If no IPv6 site local address or global unicast address ...

Page 820: ...a neighbor solicitation NS message for duplicate address detection If the device does not receive a response within a specified time set by the ipv6 nd ns retrans timer command the device continues to send an NS message If the device still does not receive a response after the number of attempts to send an NS message reaches the maximum the device judges the acquired address is available Follow th...

Page 821: ...etwork Follow these steps to configure a static IPv6 route To do Use the command Remarks Enter system view system view Configure a static IPv6 route ipv6 route static ipv6 address prefix length interface type interface number nexthop address Required By default no static IPv6 route is configured Configuring IPv6 TCP Properties The IPv6 TCP properties you can configure include z synwait timer When ...

Page 822: ...MP error packet is sent the number of tokens in a token bucket decreases by 1 If the number of the IPv6 ICMP error packets that are continuously sent out reaches the capacity of the token bucket the subsequent IPv6 ICMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Follow these steps to configure the maximum number of IPv6 I...

Page 823: ...lay the statistics of IPv6 TCP packets display tcp ipv6 statistics Display the IPv6 TCP connection status display tcp ipv6 status Display the statistics of IPv6 UDP packets display udp ipv6 statistics Available in any view Clear IPv6 neighbor information reset ipv6 neighbors all dynamic interface interface type interface number static Clear the statistics of IPv6 packets reset ipv6 statistics Clea...

Page 824: ...witchA system view SwitchB interface Vlan interface 2 SwitchB Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 3001 2 64 Verification Display the brief IPv6 information of an interfa...

Page 825: ... address of Switch B If the configurations are correct the above three types of IPv6 addresses can be pinged When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local address For the operation of IPv6 ping refer to section IPv6 Ping SwitchA Vlan interface2 ping ipv6 FE80 20F E2FF FE00 1 i Vlan interfac...

Page 826: ... 56 Sequence 5 hop limit 255 time 60 ms 2001 20F E2FF FE00 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 40 58 70 ms SwitchA Vlan interface2 ping ipv6 3001 2 PING 3001 2 56 data bytes press CTRL_C to break Reply from 3001 2 bytes 56 Sequence 1 hop limit 255 time 50 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 255 time 60 ms Reply from 30...

Page 827: ...mand you can press Ctrl C to terminate the ping operation Follow these steps to ping IPv6 duction to IPv6 Application IPv6 are sup IPv4 The applicati z Ping z Tracerout z z Telnet Configur Ping The ping ipv6 command is commonly used for testing the reachability of a host This command sends an ICMPv6 mes received For details about the ping command refer to System Maintenance and Debugging Opera in ...

Page 828: ...return an ICMP timeout error message Thus the source can get the first device s address in the route z The source sends a datagram with the Hop Limit of 2 and the second hop device returns an ICMP timeout error message The source gets the second device s address in the route This process using the UDP port the destination reached and thus determines route IPv6 To do Use the command Remarks oute IP...

Page 829: ...server As the following figure shows the Host is running Telnet clie Telnet connection with Device A which serves as the Te Device B through Telnet the Device A is the Telnet client and Devi Figure 69 2 Provide Telnet services Device A Device B Host Telnet Client Telnet Server Telnet Client Telnet Server Configuration prerequisites E r ethod in O manual ollow these steps to set up IPv6 Telnet conn...

Page 830: ...equired that wnload files from the TFTP server ations SWB and SWC are two switches supporting IPv6 TFTP server for providing Telnet service and you telnet to the telnet server from SWA and do Network diagram Figure 69 3 Network diagram for IPv6 applic Configuration procedure You need configure IPv6 address at the switch s and server s interfaces and ensure that the route ng configuration between t...

Page 831: ...nd tr On SWA configure static routes to SWC the SWA system view SWA ipv6 route static 3002 64 3003 1 64 3003 1 SWA ipv6 route static 3001 SWA quit Trace the IPv6 route from SWA to SWC SWA tracert ipv6 3002 1 eroute to 3002 1 30 hops max 60 bytes packet trac 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms 10 ms 0 ms SWA downloads a file from TFTP server 3001 3 SWA tftp ipv6 3001 3 get filet File will be tr...

Page 832: ... Unable to Run Telnet Symp Solution z Check that the Telnet server application is running on the server Check the configuration allows the server reachable z Check that the route between the device and the TFTP server is up olution Check that the IPv6 addresses are configured correctly Use the display ipv6 interface destination and the link z Use interface number command to increase the timeout ti...

Page 833: ...n change it when logging into the device Password aging the forthcoming expiration and prompts the user to change the password as soon as possible Telnet SSH and Super passwords Alert before password expiration Users can set their respective alert time If a user logs into the system when the password is about to age out that is the remaining usable time of the password is no more than the set aler...

Page 834: ... failure processing modes By default the switch adopts the first mode but you can actually specify the processing mode as needed Allow the user to log in again without any inhibition Telnet and SSH passwords User blacklist If the maximum number of attempts is exceeded the user cannot log into the switch and is added to the blacklist by the switch All users in the blacklist are not allowed to log i...

Page 835: ...ding the maximum number of history password records the alert time before password expiration the timeout time for password authentication the maximum number of attempts and the processing mode for login attempt failures If the password attempts of a user fail for several times the system adds the user to the blacklist You can execute the display password control blacklist command in any view to c...

Page 836: ...her the user password ages out when a user logging into the system is undergoing the password authentication This has three cases 1 The password has not expired The user logs in before the configured alert time In this case the user logs in successfully 2 The password has not expired The user logs in after the configured alert time In this case the system alerts the user to the remaining time in d...

Page 837: ...word does not meet the limitation it informs the user of this case and requires the user to input a new password Table 70 3 Configure the limitation of the minimum password length Operation Command Description Enter system view system view Enable the limitation of minimum password length password control length enable Optional By default the limitation of minimum password length is enabled Configu...

Page 838: ...for each user The purpose is to inhibit the users from using one single password or using an old password for a long time to enhance the security Table 70 4 Configure history password recording Operation Command Description Enter system view system view Enable history password recording password control history enable Optional By default history password recording is enabled Configure the maximum ...

Page 839: ...nd _ The password must conform to the related configuration of password control when you set the local user password in interactive mode Table 70 6 Configure a user login password in interactive mode Operation Command Description Enter system view system view Enter the specified user view local user user name Configure a user login password in interactive mode password Optional Input a password ac...

Page 840: ...ss the blacklist will not affect the user anymore when the user logs into the switch The system administrator can perform the following operations to manually remove one or all user entries in the blacklist Table 70 8 Manually remove one or all user entries in the blacklist Operation Command Description Delete one specific or all user entries in the blacklist reset password control blacklist user ...

Page 841: ...e categories and level 4 four categories When you set or modify a password the system will check if the password satisfies the component requirement If not an error message will occur Table 70 10 Configure password composition policy Operation Command Description Enter system view system view Enable the password composition check function password control composition enable Optional By default the...

Page 842: ...the former are not provided z For super passwords the separate settings for super password override those in system view unless the former are not provided Displaying Password Control After completing the above configuration you can execute the display command in any view to display the operation of the password control and verify your configuration Table 70 11 Displaying password control Operatio...

Page 843: ...3 Sysname password control super composition type number 3 type length 3 Configure a super password Sysname super password level 3 simple 11111AAAAAaaaaa Create a local user named test Sysname local user test Set the minimum password length for the local user to 6 Sysname luser test password control length 6 Set the minimum number of composition types for the local user password to 2 and the minim...

Page 844: ...gement IP address pool configured allows the hosts to access Note that the IP addresses in the access management IP address pool configured on a port must be in the same network segment as the IP address of the VLAN where the port belongs to interface The access management function aims to manage user access rights on access switches It enables you to manage the external network access rights of t...

Page 845: ...t be in the same network segment as the interface IP address of the VLAN which the port belongs to z If an access management address pool configured contains IP addresses that belong to the static ARP entries of other ports the system prompts you to delete the corresponding static ARP entries to ensure the access management IP address pool can take effect z To allow only the hosts with their IP ad...

Page 846: ...re the access management IP address pool on Ethernet 1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 am ip pool 202 10 20 1 20 Combining Access Management with Port Isolation Network requirements Client PCs are connected to the external network through Switch A an Ethernet switch The IP addresses of the PCs of Organization 1 are in the range 202 10 20 1 24 to 202 10 20 20 24 and those...

Page 847: ...r to the Port Isolation Operation Enable access management Sysname system view Sysname am enable Set the IP address of VLAN interface 1 to 202 10 20 200 24 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 202 10 20 200 24 Sysname Vlan interface1 quit Configure the access management IP address pool on Ethernet 1 0 1 Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 am ip p...

Page 848: ... Sysname Ethernet1 0 2 am ip pool 202 10 20 25 26 202 10 20 55 11 Add Ethernet 1 0 2 to the port isolation group Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit 71 5 ...

Page 849: ...LLDP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions management IP address device ID and port ID as TLV type length and value triplets in LLDPDUs to the directly connected devices and at the same time stores the device information received i...

Page 850: ...ding bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame 2 SNAP encapsulated LLDP frame format Figure 72 2 SNAP encapsulated LLDP frame format Data LLDPU n bytes 0 Destination MAC address Source MAC address Type 15 31 FCS The fiel...

Page 851: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and LLDP MED media endpoint discovery TLVs Basic management TLVs are essential to device management Organizationally specific TLVs and LLDP MED TLVs are used for enhanced device management they are defi...

Page 852: ...name on the port Protocol Identity Protocols supported on the port Currently 3Com switches 4500 support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 72 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Configuration Status Contains the rate and duplex capabilities of the sending port support for auto negotiation enabling stat...

Page 853: ...ED endpoint to advertise its vendor name Model Name Allows a MED endpoint to advertise its model name Asset ID Allows a MED endpoint to advertise its asset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advertise the appropriate location identifier information for ...

Page 854: ...smit interval resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information is saved and an aging timer is set for it based on the time to live TTL TLV carried in the LLDPDU If the TTL TLV is zero the information is aged out immediately Protocols and Standards The protocol...

Page 855: ...e only receives LLDP frames z Disable mode A port in this mode does not send or receive LLDP frames Follow these steps to set LLDP operating mode To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Required Set the LLDP operating mode lldp admin status disable rx tx txrx Optional TxRx by default Setting the LLDP Re Ini...

Page 856: ...port description system capability system description system name dot1 tlv all port vlan id protocol vlan id vlan id vlan name vlan id dot3 tlv all link aggregation mac physic max frame size power med tlv all capability inventory location id civic address device type country code ca type ca value 1 10 elin address tel number network policy power over ethernet Optional By default all types of LLDP ...

Page 857: ...an be saved on a neighbor device by setting the TTL multiplier The TTL is expressed as follows TTL Min 65535 TTL multiplier LLDPDU transmit interval As the expression shows the TTL can be up to 65535 seconds TTLs greater than it will be rounded down to 65535 seconds Follow these steps to change the TTL multiplier To do Use the command Remarks Enter system view system view Set the TTL multiplier ll...

Page 858: ...w Enter Ethernet interface view interface interface type interface number Required Set the encapsulation format for LLDPDUs to SNAP lldp encapsulation snap Required Ethernet II encapsulation format applies by default To restore the default use the undo lldp encapsulation command LLDP CDP CDP is short for the Cisco Discovery Protocol packets use only SNAP encapsulation Configuring CDP Compatibility...

Page 859: ...ompatible LLDP to operate in TxRx mode Follow these steps to enable LLDP to be compatible with CDP To do Use the command Remarks Enter system view system view Enable CDP compatibility globally lldp compliance cdp Required Disabled by default Enter Ethernet interface view interface interface type interface number Required Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin s...

Page 860: ... the LLDP TLVs sent from neighboring devices display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics global interface interface type interface number Available in any view Display LLDP status of a port display lldp status interface interface type interface number Available in any view Display types of a...

Page 861: ...0 2 lldp enable SwitchA Ethernet1 0 2 lldp admin status rx SwitchA Ethernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on Ethernet1 0 1 you can skip this step because LLDP is enabled on ports by default and set the LLDP operating mode to Tx SwitchB interface ethernet 1 0 1 SwitchB Ethernet1 0 1 lldp enable SwitchB Ethernet1 0 1 lldp admi...

Page 862: ...tional TLV 0 Number of received unknown TLV 3 As the sample output shows Ethernet 1 0 1 of Switch A connects a MED device and Ethernet 1 0 2 of Switch A connects a non MED device Both ports operate in Rx mode that is they only receive LLDP frames Tear down the link between Switch A and Switch B and then display the global LLDP status and port LLDP status on Switch A SwitchA display lldp status Glo...

Page 863: ...CDP Compatible LLDP Configuration Example Network requirements As shown in Figure 72 5 z Ethernet 1 0 1 and Ethernet 1 0 2 of Switch A are each connected to a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP compatibility of LLDP on Switch A to allow the Cisco IP phones to automatically configure the voice VLAN thus confining their voice traffic within the voice VLAN to be isolated f...

Page 864: ...in status txrx SwitchA Ethernet1 0 1 lldp compliance admin status cdp txrx SwitchA Ethernet1 0 1 quit SwitchA interface ethernet 1 0 2 SwitchA Ethernet1 0 2 lldp enable SwitchA Ethernet1 0 2 lldp admin status txrx SwitchA Ethernet1 0 2 lldp compliance admin status cdp txrx SwitchA Ethernet1 0 2 quit 3 Verify the configuration Display the neighbor information on Switch A SwitchA display lldp neighb...

Page 865: ...curity through public key technologies PKI also called asymmetric key infrastructure uses a key pair to encrypt and decrypt the data The k pair consists of a private key and a public key The private key must be kept secret while the public key needs to be distributed Data encrypted by one of the two keys can only be decrypted by the other A key problem of PKI is how to manage the public keys mecha...

Page 866: ...ion In PKI the revocation is made through certificate revocation lists CRLs Whenever a certificate is revoked the CA publishes one or more CRLs to show all certificates that have been revoked The CRLs contain the serial n effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL ma...

Page 867: ...I The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private network VPN is a private data communication network built on the public communication infrastructure A VPN can leverage network layer security protocols for instance IPSec in conjunction with PKI based e...

Page 868: ... a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting a Certificate Optional Configuring an Access Control Policy Optional Configuring an Entity DN A certificate is the binding of a public key and the identity information of an entity where the identity inf...

Page 869: ...n name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locality locality name Optional No locality is specified by default Configure the organization name for the entity organization org name Optional No organization is specified by default Configure the unit name ...

Page 870: ...ted protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate request manually During this period the applicant needs to query the status of the request periodically to get the certificate as soon as possible after the certificate is signed You can configure the po...

Page 871: ...ptional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is configured by default z Currently up to two PKI domains can be created on a device z The CA name is required only when you retrieve a CA certificate It is not used when in local certificate request z Currentl...

Page 872: ...A key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information Follow these steps to submit a certificate request in manual mode To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Set t...

Page 873: ...d the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request certificate domain configuration will not be saved in the configuration file Retrieving a Certificate Manually You can download an existing CA certificate local certificate or peer entity certificate from th...

Page 874: ...hecking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verification To do Use the command Remarks Enter system view system view Enter PKI domain view pki domain domain name Specify the URL of the CRL distribution point crl url url string Optional No CRL distributio...

Page 875: ... distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate is about to expire you can destroy the old RSA key pair and then create a pair to request a new certificate Follow these steps to destroy a local RSA key pair To do Use the command Remarks Enter system vi...

Page 876: ...y default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control policy exists by default Configure a certificate attribute based access control rule rule id deny permit group name Required No access control rule exists by default A certificate attribute group must exist t...

Page 877: ...from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device submits a local certificate request to the CA server z The device acquires the CRLs for certificate verification Figure 73 2 Request a certificate from a CA running RSA Keon Configuration procedure 1 Configure the CA server Create a CA server named myca In this example you need to...

Page 878: ...witch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa ca identifier myca Configure the URL of the registration server in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is a hexadecimal string generated on the CA server Swi...

Page 879: ...RL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate request Successfully Saving the local certificate to device Done 3 Verify your configuration Use the following command to view information about the local certificate acquired Switch display pki certifica...

Page 880: ...3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You can also use some other display commands to view detailed information about the CA certificate and CRLs Refer to the parts related to display pki certificate ca domain and display pki crl domain commands ...

Page 881: ...the start menu select Control Panel Administrative Tools Internet Information Services IIS Manager and then select Web Sites from the navigation tree Right click on Default Web Site and select Properties Home Directory Specify the path for certificate service in the Local path text box In addition you are recommended to specify an available port number as the TCP port number of the default Web sit...

Page 882: ... 439C 1C1F 83AB SHA1 fingerprint 97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate request Successfully Saving the local certifi...

Page 883: ...E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points URI http l00192b CertEnroll CA 20server crl URI file l00192b CertEnroll CA server crl Authority Information Access CA Issuers URI http l00192b CertEnroll l00192b_CA 20server crt CA Issuers URI file l00192b CertEnroll l00192b_CA server crt 1 3 6 1 4 1 311 20 2 0 I P S E C I n t e r m e d i a t e O f f l i n e Signature Algorithm sha1WithRSAEncryp...

Page 884: ...per For example the network cable may be damaged or loose z No CA certificate has been retrieved z The current key pair has been bound to a certificate z No trusted CA is specified z The URL of the registration server for certificate request is not correct or not configured z No authority is specified for certificate request z Some required parameters of the entity DN are not configured Solution z...

Page 885: ... The LDAP server version is wrong Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LDAP server z Specify the CRL distribution URL z Re configure the LDAP version 73 21 ...

Page 886: ...erver and the client by us the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key Infrastructure PKI Reliability SSL uses the key based message authentication code MAC to verify message integrity A MAC algorithm transforms a message of any length to a fixed length message Figur...

Page 887: ... master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated cipher suite and key z SSL alert protocol Allowing a client and the server to send alert messages to each other An alert message contains the alert severity level and a description z SSL record protocol ...

Page 888: ...r policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Optional By default an SSL server policy supports all cipher suites Set the handshake timeout time for the SSL server handshake timeout time Optional 3 600 seconds by default Configure the SSL connection cl...

Page 889: ...server SSL Server Policy Configuration Example Network requirements z The switch offers Web authentication to preform access authentication for clients z The client opens the authentication page in SSL based HTTPS mode thus guaranteeing information transmission security z A CA issues a certificate to Switch In this instance Windows Server works as the CA and the Simple Certificate Enrollment Proto...

Page 890: ...fy enable Switch ssl server policy myssl quit 3 Configure Web authentication Set the IP address and port number of the Web authentication server Sysname system view Sysname web authentication web server ip 10 10 10 10 port 8080 Configure to perform Web authentication in HTTPS mode using SSL server policy myssl Switch web authentication protocol https server policy myssl Enable Web authentication o...

Page 891: ...ing steps to access the Internet Step 1 Enter http 10 10 10 10 8080 in the address column of IE Step 2 Enter the correct user name and password and then click login The following page will be displayed Authentication passed Now the user can access external networks Configuring an SSL Client Policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server An ...

Page 892: ... all Available in any view Troubleshooting SSL SSL Handshake Failure Symptom As the SSL server the device fails to handshake with the SSL client Analysis SSL handshake failure may result from the following causes z No SSL server certificate exists or the certificate is not trusted z The server is expected to authenticate the client but the SSL client has no certificate or the certificate is not tr...

Page 893: ...be trusted request and install a certificate for the client 2 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by the SSL server does not match that used by the client use the ciphersuite command to modify the cipher suite of the SSL server 74 8 ...

Page 894: ... illegal clients PS Overview The Secure HTTP HTTPS refers to the HTTP protocol that supports the Security Sock col SSL protocol o z Uses the SSL protocol to ensure the legal clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security management of t...

Page 895: ...hrough the Web function only when the HTTPS service is enabled Follow these steps to enable the HTTPS service To do Use the command Remarks Enter system view system view Enable the HTTPS service ip https enable Required Disabled by default z After the HTTPS service is enabled you can use the display ip https command to view the state of the HTTPS service and verify the configuration z Enabling of ...

Page 896: ...ess control policy z If the HTTPS service is associated with a certificate attribute access control policy the client verify enable command must be configured in the SSL server policy Otherwise the client cannot log onto the device z If the HTTPS service is associated with a certificate attribute access control policy the latter must contain at least one permit rule Otherwise no HTTPS client can l...

Page 897: ...dure Perform the following configurations on Device 1 Apply for a certificate for Device Configure a PKI entity Device system view Device pki entity en Device pki entity en common name http server1 Device pki entity en fqdn ssl security com Device pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url http ...

Page 898: ...y myacp and create a control rule Device pki certificate access control policy myacp Device pki cert acp myacp rule 1 permit mygroup1 Device pki cert acp myacp quit 4 Reference an SSL server policy Associate the HTTPS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HTTPS ...

Reviews:

No comments