manualshive.com logo in svg

3Com Switch 4800G PWR 24-Port, Configuration Manual, Page: 41 / 730

Share
Download
3Com Switch 4800G PWR 24-Port Configuration Manual Download Page 41

 

5-4 

can switch to a higher level temporarily; when the administrators need to leave for a while or ask 

someone else to manage the device temporarily, they can switch to a lower privilege level before they 

leave to restrict the operation by others. 

The high-to-low user level switching is unlimited. However, the low-to-high user level switching requires 

the corresponding authentication. Generally, two authentication modes are available: the super 

password authentication mode and HWTACACS authentication mode. 

Complete the following tasks to configure user level switching: 

Task 

Remarks 

Specifying the authentication mode for user level 
switching 

Optional 

Adopting super password authentication for user level 
switching 

Required 

The administrator 
configures the user level 
switching authentication 
policies 

Adopting HWTACACS authentication for user level 
switching 

Required 

The user switches user 
level after logging in 

Switching to a specific user level 

Required 

 

Specifying the authentication mode for user level switching 

The low-to-high user level switching requires the corresponding authentication. The super password 

authentication mode and HWTACACS authentication mode are available at the same time to provide 

authentication redundancy. 

The configuration of authentication mode for user level switching is performed by Level-3 users 

(administrators). 

Follow these steps to specify the authentication mode for user level switching: 

To do… 

Use the command… 

Remarks 

Enter system view 

system-view 

— 

Enter user interface view 

user-interface 

type

 ] 

first

-

number

 [ 

last-number 

]

 

— 

Super password 
authentication 

super 
authentication-mode

 

super-password

 

HWTACACS authentication 

super 
authentication-mode

 

scheme 

Super password 
authentication preferred (with 
the HWTACACS 
authentication as the backup 
authentication mode) 

super 
authentication-mode

 

super-password

 

scheme 

Specify the 
authentication 
mode for user 
level switching 

HWTACACS authentication 
preferred (with the super 
password authentication as 
the backup authentication 
mode) 

super 
authentication-mode

 

scheme

 

super-password 

Optional  

These 
configurations 
will take effect on 
the current user 
interface only. 

By default, super 
password 
authentication is 
adopted for user 
level switching. 

 

Summary of Contents for Switch 4800G PWR 24-Port

Page 1: ...ration Guide Switch 4200G 12 Port Switch 4200G 24 Port Switch 4200G 48 Port Switch 4200G PWR 24 Port Product Version V3 02 00 Manual Version 6PW100 20081201 www 3com com 3Com Corporation 350 Campus Drive Marlborough MA USA 01752 3064 ...

Page 2: ...mmercial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered...

Page 3: ...ntroduces STP and the related configuration 13 802 1x and System Guard Introduces 802 1x and the related configuration 14 AAA Introduces AAA RADIUS HWTACACS EAD and the related configurations 15 MAC Address Authentication Introduces centralized MAC address authentication and the related configuration 16 IP Address and Performance Optimization Introduces IP address and IP performance optimization r...

Page 4: ...troduces Access Management and the related configuration 38 Appendix Lists the acronyms used in this manual Conventions The manual uses the following conventions Command conventions Convention Description Boldface The keywords of a command line are in Boldface italic Command arguments are in italic Items keywords or arguments in square brackets are optional x y Alternative items are grouped in bra...

Page 5: ... Provide detailed descriptions of command line interface CLI commands that you require to manage your switch 3Com Switch 4200G Family Quick Reference Guide Provide a summary of command line interface CLI commands that are required for you to manage your Stackable Switch 3Com Switch 4200G Family Getting Started Guide This guide provides all the information you need to install and use the 3Com Switc...

Page 6: ...ord 2 7 Configuration Procedure 2 7 Configuration Example 2 8 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Through Telnet 3 1 Introduction 3 1 1 1 1 Common Configuration to Control Telnet Access 3 1 Telnet Configurations for Different Authentication Modes 3 3 Telnet Configuration with Authentication M...

Page 7: ...g Disabling the WEB Server 6 3 7 Logging In Through NMS 7 1 Introduction 7 1 Connection Establishment Using NMS 7 1 8 Configuring Source IP Address for Telnet Service Packets 8 1 Overview 8 1 Configuring Source IP Address for Telnet Service Packets 8 1 Displaying Source IP Address Configuration 8 2 9 User Control 9 1 Introduction 9 1 Controlling Telnet Users 9 1 Introduction 9 1 Controlling Telnet...

Page 8: ...e CLI Configuration Web based Network Management Interface Logging In Through the Web based Network Management Interface Network Management Station Logging In Through NMS Introduction to the User Interface Supported User Interfaces The auxiliary AUX port and the console port of a 3Com low end and mid range Ethernet switch are the same port referred to as console port in the following part You will...

Page 9: ...h the smallest number based on the user login mode The login process of the user is restricted by the configurations under this user interface z The user interface assigned to a user depending on the login mode and login time A user interface can be used by one user at one time however the user interface is not dedicated to a specific user For example user A can use VTY 0 to log in to the device W...

Page 10: ...s configured Set a system name for the switch sysname string Optional Enable copyright information displaying copyright info enable Optional By default copyright displaying is enabled That is the copy right information is displayed on the terminal after a user logs in successfully Enter user interface view user interface type first number last number Display the information about the current user ...

Page 11: ...og in to Switch 4200G through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log in to a switch through the console port make sure the settings of both the console port and the user terminal are the same After logging...

Page 12: ...he following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the console port of the switch are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 13: ...le 2 2 Common configuration of console port login Configuration Remarks Baud rate Optional The default baud rate is 9 600 bps Check mode Optional By default the check mode of the console port is set to none which means no check bit Stop bits Optional The default stop bits of a console port is 1 Console port configuration Data bits Optional The default data bits of a console port is 8 AUX user inte...

Page 14: ...box shown in Figure 2 4 Follow these steps to set common configuration of console port login To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Set the baud rate speed speed value Optional The default baud rate of a console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a console port is no...

Page 15: ...operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Console Port Login Configurations for Different Authentication Modes Table 2 3 Console port login configurations for different authentication modes Authentication mode Authentication related configuration Remarks None Set the authentication mode to none Optional Ref...

Page 16: ... By default users logging in through the console port AUX user interface are not authenticated Configuration Example Network requirements Assume that the switch is configured to allow users to log in through Telnet and the current user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Do not authe...

Page 17: ...console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need...

Page 18: ... in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are available to the users z The baud rate of the console port is 19 200 bps z The screen can contain ...

Page 19: ...d max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully Console Port Login Configuration with Authentication Mode Being Scheme Configuration Proc...

Page 20: ...ists by default Set the authentication password for the local user password simple cipher password Required Specify the service type for AUX users service type terminal level level Required Note that If you configure to authenticate the users in the scheme mode the command level available to users logging in to a switch depends on the command level specified in the AAA scheme z When the AAA scheme...

Page 21: ...figuration procedure Enter system view Sysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication password to 123456 in plain text Sysname luser guest password simple 123456 Set the service type to Terminal Specify commands of level 2 are available to users logging in to the AUX user interface Sysname luser guest service type termi...

Page 22: ...and max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log in to the switch successfully ...

Page 23: ...gured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for more Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the VLAN interface of the switch is availabl...

Page 24: ...marks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure the command level available to users logging in to VTY user interface user privilege level level Optional By default commands of level 0 are available to users logging in to VTY user interfaces Configure the protocols to be supported by the VTY user interface protoco...

Page 25: ...to disable the timeout function Telnet Configurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Authentication related configuration Description None Set the authentication mode to none Refer to Console Port Login Configuration with Authentication Mode Being None Set the authentication mode to local password authentica...

Page 26: ...onfigure Telnet with the authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Note that if you configure not to aut...

Page 27: ...een can contain to 30 Sysname ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Configuration with Authentication Mode Being Password Configuration Procedure Follow these steps to configure Telnet with the authentication mode being...

Page 28: ...Network diagram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sy...

Page 29: ...ify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply RADIUS or HWTACACS scheme you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA part for more z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Crea...

Page 30: ...ommand buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter system view Sysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication password of the local user to 123456 in...

Page 31: ...2000 Windows XP on the PC terminal with the baud rate set to 9 600 bps data bits set to 8 parity check set to none and flow control set to none z Turn on the switch and press Enter as prompted The prompt appears z Perform the following operations in the terminal window to assign IP address 202 38 160 92 24 to VLAN interface 1 of the switch Sysname system view Sysname interface Vlan interface 1 Sys...

Page 32: ...of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A 3Com switch can accommodate up to five Telnet connections at same time 6 After successfully Telnetting to the switch you can configure the switch or display the information about the switch by executing corresponding commands You can also type at any ...

Page 33: ... the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being Scheme for more 2 Telnet to the switch operating as the Telnet client 3 Execute the following command on the switch operating as the Telnet client Sysname telnet xxxx Note that xxxx is the IP addres...

Page 34: ... to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set Switch side The authentication ...

Page 35: ... authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch when the authentication mode is password Refer to Console Port Login Configuration with Authentication Mode Being Password Configuration on switch when the authentication mode is scheme Refer to Console...

Page 36: ...romote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4 Note that you need to set the telephone number to that of the modem directly connected to the switch Figure 4 2 Create a connection ...

Page 37: ...t such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about command level ...

Page 38: ... and locate network problems z Command history function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will use partially matching method to search for commands This allows users to execute a command by entering partially spelled command keywords as long as the keywords entered can be uniquely identified...

Page 39: ... levels By default the Console user a user who logs into the switch through the Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and can only use commands of level 0 You can use the user privilege level command to set the default user privilege level for users logging in through a certain user interface For details refer to Login O...

Page 40: ...e the level of a command Sysname system view Sysname command privilege level 0 view shell tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell tftp 192 168 0 1 get Sysname command privilege level 0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file bo...

Page 41: ...l switching The low to high user level switching requires the corresponding authentication The super password authentication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy The configuration of authentication mode for user level switching is performed by Level 3 users administrators Follow these steps to specify the authentication mode for ...

Page 42: ...e performed by level 3 users administrators Follow these steps to set a password for use level switching To do Use the command Remarks Enter system view system view Set the super password for user level switching super password level level cipher simple password Required The configuration will take effect on all user interfaces By default the super password is not set The super password is for lev...

Page 43: ... level super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the password entered is not displayed when you switch to another user level You will remain at the original user level if you have tried three times but failed to enter the correct authentication informati...

Page 44: ... Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0 quit Specify to adopt the HWTACACS authentication scheme named acs for user level switching in the ISP domain named system Sysname domain system Sysname isp system authentication super hwtacacs scheme acs z A VTY 0 user swi...

Page 45: ...i gabitEthernet1 1 1 Execute the interface tengigabitethern et command in system view Aux1 0 0 port the console port view The 3com switch 4200G does not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Execute the interface aux 1 0 0 command in system view VLAN view Configure VLAN parameters Sysname vlan1 Execute the vlan command in system view VLAN interface view Configure VLAN interface p...

Page 46: ...command to return to system view Edit the RSA public key for SSH users Sysname rsa ke y code Public key editing view Edit the RSA or DSA public key for SSH users Sysname peer k ey code Execute the public key code begin command in public key view Execute the public key cod e end command to return to public key view Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 Sysnam...

Page 47: ...link group parameters Sysname mtlk gr oup1 Execute the monitor link group command in system view The shortcut key Ctrl Z is equivalent to the return command CLI Features Online Help When configuring the switch you can use the online help to get related help information The CLI provides two types of online help complete and partial Complete online help 1 Enter a question mark in any view on your te...

Page 48: ... terminal For example Sysname p ping pwd 2 Enter a command a space a character string and a question mark next to it All the keywords beginning with the character string if available are displayed on your terminal For example Sysname display v version vlan voice 3 Enter the first several characters of a keyword of a command and then press Tab If there is a unique keyword beginning with the charact...

Page 49: ...the down arrow key or Ctrl N This operation recalls the next history command if available z The Windows 9x HyperTerminal explains the up and down arrow keys in a different way and therefore the two keys are invalid when you access history commands in such an environment However you can use Ctrl P and Ctrl N instead to achieve the same purpose z When you enter the same command multiple times consec...

Page 50: ...ter on the left of the cursor and move the cursor one character to the left Left arrow key or Ctrl B Move the cursor one character to the left Right arrow key or Ctrl F Move the cursor one character to the right Up arrow key or Ctrl P Down arrow key or Ctrl N Display history commands Tab Use the partial online help That is when you input an incomplete keyword and press Tab if the input parameter u...

Page 51: ...an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The user name and password for logging in to the Web based network management system are configured IE is available PC operating as the network management terminal The IP addr...

Page 52: ...k management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner information configured with the header command Then by clicking Continue on the banner page the user can enter the ...

Page 53: ...t a route is available between the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 6 4 Figure 6 4 Banner page displayed when a user logs in to the switch through Web Click Continue to enter u...

Page 54: ... server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web server by using the undo ip http shutdown command opens TCP 80 port z Disabling the Web server by using the ip http shutdown command closes TCP 80 port ...

Page 55: ...to perform related configuration on both the NMS and the switch Table 7 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The basic ...

Page 56: ...l attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific users can log into the switch Configuring Source IP Address for Telnet Service Packets This feature can be configured in either user view or system view The configuration performed in user view takes e...

Page 57: ...ed exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable Displaying Source IP Address Configuration Execute the display command in any view to display the operation state after the above configurations You can verify the configuration effect through the displayed information Table 8 3 D...

Page 58: ...od Implementation Related section By source IP address Through basic ACL By source and destination IP address Through advanced ACL Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Users SNMP By source IP addresses Through basic ACL Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Controlling Web Users by Source IP Address WEB D...

Page 59: ... as needed Table 9 2 ACL categories Category ACL number Matching criteria Basic ACL 2000 to 2999 Source IP address Advanced ACL 3000 to 3999 Source IP address and destination IP address Layer 2 ACL 4000 to 4999 Source MAC address Source and destination in this manual refer to a Telnet client and a Telnet server respectively z If the inbound keyword is specified the Telnet client is the user telnet...

Page 60: ...ddress of 10 110 100 52 are permitted to access the switch Network diagram Figure 9 1 Network diagram for controlling Telnet users using ACLs Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Configuration procedure Define a basic ACL Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Apply the ACL Sysname u...

Page 61: ...ring Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name acl acl number mib view view name Apply the ACL while configuring the SNMP group name snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v3 group name authentication privacy re...

Page 62: ...00 Controlling Web Users by Source IP Address You can manage Switch 4200G remotely through Web Web users can access a switch through HTTP connections You need to perform the following two operations to control Web users by source IP addresses z Defining an ACL z Applying the ACL to control Web users To control whether a Web user can manage the switch you can use this function Prerequisites The con...

Page 63: ...istrator can log out a Web user using the related command Follow the step below to log out a Web user To do Use the command Remarks Log out a Web user free web users all user id user id user name user name Required Available in user view Configuration Example Network requirements Only the Web users sourced from the IP address of 10 110 100 52 are permitted to access the switch Network diagram Figu...

Page 64: ...9 7 Sysname acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 65: ...gement 1 1 Introduction to Configuration File 1 1 Configuration Task List 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Next Startup 1 4 Displaying Switch Configuration 1 5 ...

Page 66: ...and view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are listed in this order system configuration section logical interface configuration section physical port configuration section routing protocol configuration section user interface configuration and s...

Page 67: ...ist the switch starts up without loading the configuration file Configuration Task List Complete these tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration File for Next Startup Optional Saving the Current Configuration You can modify the configuration on your switch at the...

Page 68: ...nd has backup attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existing in the system this command will erase its main attribute to allow only one main attribute configuration file in the switch z Backup attribute When you use the save safely backup command to save the current configuration the configura...

Page 69: ...witch Specifying a Configuration File for Next Startup Use the following command to specify a configuration file for next startup To do Use the command Remarks Specify a configuration file for next startup startup saved configuration cfgfile backup main Required Available in user view You can specify a configuration file to be used for the next startup and configure the main backup attribute for t...

Page 70: ... unit unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the switch display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type interfac...

Page 71: ...N ID for a Port 1 5 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3 Configuring a Port Based VLAN 2 3 Port Based VLAN Configuration Task List 2 3 Configuring the Link Type of an Ethernet Port 2 3 Assigning an Ethernet Port to a VLAN 2 4 Configuring the Default VLAN...

Page 72: ... network receives a lot of packets whose destination is not the host itself causing potential serious security problems z Related to the point above someone on a network can monitor broadcast packets and unicast packets and learn of other activities on the network Then they can attempt to access other resources on the network whether or not they are authorized to do this Isolating broadcast domain...

Page 73: ... to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible VLAN Fundamentals VLAN tag To enable a network device to identify frames of different VLANs a VLAN tag field is inserted into the data link layer encapsulation The format of VLAN tagged frames is defined in IEEE 802 1Q issued by IEEE in 1999 In the header of a traditional ...

Page 74: ...he VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the inbound port for the packet and sends the packet to the default VLAN of the inbound port for transmission For the details about setting the default VLAN of a port refer to Configuring the Default VLAN ID for a Port MAC address learning mechanism ...

Page 75: ...VLANs can isolate broadcast domains each VLAN corresponds to an IP network segment And a VLAN interface serves as the gateway of the segment to forward packets in Layer 3 based on IP addresses VLAN Classification Depending on how VLANs are established VLANs fall into the following six categories z Port based VLANs z MAC address based VLANs z Protocol based VLANs z IP subnet based VLANs z Policy ba...

Page 76: ...Ns to be sent untagged but a trunk port only allows the packets of the default VLAN to be sent untagged The three types of ports can coexist on the same device Assigning an Ethernet Port to Specified VLANs You can assign an Ethernet port to a VLAN to forward packets for the VLAN thus allowing the VLAN on the current switch to communicate with the same VLAN on the peer switch An access port can be ...

Page 77: ...packet z If the VLAN ID is not one of the VLAN IDs allowed to pass through the port discard the packet z If the VLAN ID is just the default VLAN ID strip off the tag and send the packet z If the VLAN ID is not the default VLAN ID keep the original tag unchanged and send the packet Table 1 3 Packet processing of a hybrid port Processing of an incoming packet For an untagged packet For a tagged pack...

Page 78: ...Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Assign a name for the current VLAN name text Optional By default the name of a ...

Page 79: ... prompt information Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interface create the corresponding VLAN Configuration procedure Follow these steps to perform basic VLAN interface configuration To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface Vlan interface vlan id Required By def...

Page 80: ...disabling a VLAN s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN Displaying VLAN Configuration To do Use the command Remarks Display the VLAN interface information display interface Vlan interface vlan id Display the VLAN information display vlan vlan id to vlan id all dynamic static Available in any view Configuring a Port Based VLAN Port Based...

Page 81: ...t port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Access port port access vlan vlan id Trunk port port trunk permit vlan vlan id list all Assign the port to one or multiple VLANs Hybrid port port hybrid vlan vlan id list tagged untagged Optional By default all Ethernet ports belong to VLAN ...

Page 82: ...is the default VLAN by default z After configuring the default VLAN for a trunk or hybrid port you need to use the port trunk permit command or the port hybrid vlan command to configure the port to allow traffic of the default VLAN to pass through Otherwise the port cannot forward traffic of the default VLAN nor can it receive VLAN untagged packets z The local and remote trunk or hybrid ports must...

Page 83: ...witchA vlan 201 SwitchA vlan201 port GigabitEthernet 1 0 2 SwitchA vlan201 quit z Configure Switch B Create VLAN 101 specify its descriptive string as DMZ and add GigabitEthernet1 0 11 to VLAN 101 SwitchB system view SwitchB vlan 101 SwitchB vlan101 description DMZ SwitchB vlan101 port GigabitEthernet 1 0 11 SwitchB vlan101 quit Create VLAN 201 and add GigabitEthernet1 0 12 to VLAN 201 SwitchB vla...

Page 84: ...abitEthernet1 0 3 port trunk permit vlan 101 SwitchA GigabitEthernet1 0 3 port trunk permit vlan 201 Configure GigabitEthernet1 0 10 of Switch B SwitchB interface GigabitEthernet 1 0 10 SwitchB GigabitEthernet1 0 10 port link type trunk SwitchB GigabitEthernet1 0 10 port trunk permit vlan 101 SwitchB GigabitEthernet1 0 10 port trunk permit vlan 201 ...

Page 85: ...guration 1 1 Introduction 1 1 Routing Table 1 1 Static Route 1 2 Default Route 1 2 Configuring a Static Route 1 3 Displaying and Maintaining a Routing Table 1 3 Static Route Configuration Example 1 4 Basic Static Route Configuration Example 1 4 ...

Page 86: ... certain number of consecutive 1s It can be expressed in dotted decimal format or by the number of the 1s z Outbound interface Specifies the interface through which the IP packets are to be forwarded z IP address of the next hop Specifies the address of the next router on the path z Priority for the route Routes to the same destination but having different nexthops may have different priorities an...

Page 87: ...es can improve network performance and ensure bandwidth for important network applications The disadvantage of using static routes is that they cannot adapt to network topology changes If a fault or a topological change occurs in the network the routes will be unreachable and the network breaks In this case the network administrator has to modify the static routes manually Default Route If the des...

Page 88: ...scription text Required Displaying and Maintaining a Routing Table To do Use the command Remarks Display summary information about the routing table display ip routing table begin exclude include regular expression Display detailed information about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longe...

Page 89: ...and hosts are shown in the following figure Static routes are required for interconnection between any two hosts Figure 1 2 Network diagram for static route configuration Configuration procedure 1 Configuring IP addresses for interfaces omitted 2 Configuring static routes Configure a default route on Switch A SwitchA system view SwitchA ip route static 0 0 0 0 0 0 0 0 1 1 4 2 Configure two static ...

Page 90: ...7 0 0 1 InLoopBack0 127 0 0 0 8 DIRECT 0 0 127 0 0 1 InLoopBack0 127 0 0 1 32 DIRECT 0 0 127 0 0 1 InLoopBack0 Display the IP routing table of Switch B SwitchB display ip routing table Routing Table public net Destination Mask Protocol Pre Cost Nexthop Interface 1 1 2 0 24 STATIC 60 0 1 1 4 1 Vlan interface500 1 1 3 0 24 STATIC 60 0 1 1 5 6 Vlan interface600 1 1 4 0 30 DIRECT 0 0 1 1 4 2 Vlan inte...

Page 91: ... for Voice VLAN on Various Ports 1 4 Security Mode of Voice VLAN 1 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 7 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1 8 Displaying and Maintaining Voice VLAN 1 10 Voice VLAN Configuration Example 1 11 Voice VLAN Configuration Exa...

Page 92: ...in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication solutions As network devices IP phones need IP addresses to operate properly in a network An IP phone can acquire an IP address automatically or through manual configuration The following part describes how an IP phone acquires an IP address automatically The following part only describes th...

Page 93: ...his case you need to manually configure the default VLAN of the port as a voice VLAN In cases where an IP phone obtains an IP address from a DHCP server that does not support Option 184 the IP phone directly communicates through the gateway after it obtains an IP address It does not go through the steps described below z If DHCP Server 1 supports Option 184 it returns the IP address assigned to th...

Page 94: ...efault OUI addresses An OUI address is a globally unique identifier assigned to a vendor by IEEE You can determine which vendor a device belongs to according to the OUI address which forms the first 24 bits of a MAC address Switch 4200G series Ethernet switches support OUI address mask configuration You can adjust the matching depth of MAC address by setting different OUI address masks The followi...

Page 95: ...ice VLAN manually z Manual voice VLAN assignment mode In this mode you need to add a port to a voice VLAN or remove a port from a voice VLAN manually Processing mode of tagged packets sent by IP voice devices Tagged packets from IP voice devices are forwarded based on their tagged VLAN IDs whether the automatic or manual voice VLAN assignment mode is used If the voice traffic transmitted by an IP ...

Page 96: ...ly Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice traffic Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN the traffic of the default VLAN is permitted to pass through the port and the voice VLAN is in the list...

Page 97: ...port Security Mode of Voice VLAN The automatic mode and manual mode described earlier only apply to the process of assigning a port to the voice VLAN After a port is assigned to the voice VLAN the switch receives and forwards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in the manual mode with the default VLAN as the ...

Page 98: ... transmitted in the voice VLAN Normal Packet carrying any other VLAN tag The packet is forwarded or dropped based on whether the port is assigned to the carried VLAN The processing method is irrelevant to the voice VLAN mode security or normal Voice VLAN Configuration Configuration Prerequisites z Create the corresponding VLAN before configuring a voice VLAN z VLAN 1 the default VLAN cannot be con...

Page 99: ...he voice VLAN manually Therefore if a VLAN is configured as the voice VLAN and a protocol based VLAN at the same time the protocol based VLAN function cannot be bound with the port For information about protocol based VLANs refer to VLAN Configuration in this manual z For a port operating in automatic voice VLAN assignment mode its default VLAN cannot be configured as the voice VLAN otherwise the ...

Page 100: ...N is disabled on a port Enable the voice VLAN legacy function on the port voice vlan legacy Optional By default voice VLAN legacy is disabled Set voice VLAN assignment mode on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list...

Page 101: ...smit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between 3Com device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device The voice vlan legacy command can be executed befo...

Page 102: ...cket in 30 minutes the port is removed from the corresponding voice VLAN automatically Network diagram Device A Device B GE1 0 1 GE1 0 1 IP phone B 010 1002 MAC 0011 2200 0001 Mask ffff ff00 0000 0755 2002 GE1 0 2 IP phone A 010 1001 MAC 0011 1100 0001 Mask ffff ff00 0000 Internet PC A MAC 0022 1100 0002 PC B MAC 0022 2200 0002 VLAN 2 Figure 1 2 Network diagram for voice VLAN configuration automat...

Page 103: ...hernet1 0 1 voice vlan enable DeviceA GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 voice vlan mode auto DeviceA GigabitEthernet1 0 2 port link type hybrid DeviceA GigabitEthernet1 0 2 voice vlan enable Verification Display the OUI addresses OUI address masks and description strings supported currently DeviceA display...

Page 104: ...nable the security mode for the voice VLAN so that the ports in the voice VLAN permit valid voice packets only This operation is optional The security mode is enabled by default DeviceA system view DeviceA voice vlan security enable Add a user defined OUI address 0011 2200 000 and set the description string to test DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test ...

Page 105: ...03 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3Com phone Display the status of the current voice VLAN DeviceA display voice vlan status Voice Vlan status ENABLE Voice Vlan ID 2 Voice Vlan security mode Secu...

Page 106: ...1 GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maintaining GVRP 1 7 GVRP Configuration Example 1 7 GVRP Configuration Example 1 7 ...

Page 107: ...mportant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices A GARP entity also sends Join messages when it receives Join messages from other entities or it wants some of its statically configured attributes to be registered on other GARP entities z When a GAR...

Page 108: ...aveAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set in system view and takes effect globally z A GARP application entity may send LeaveAll messages at the interval set by its LeaveAll timer or the LeaveAll timer on another device on the network whiche...

Page 109: ...es Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attribute Length The length of the attribute 2 to 255 in bytes Attribute Event The event described by the attribute 0 LeaveAll Event 1 JoinEmpty 2 JoinIn 3 LeaveEmpty 4 LeaveIn 5 Empty Attribute Value The ...

Page 110: ...three port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN information z Fixed A port in this mode cannot register deregister VLANs dynamically It only propagates static VLAN information Besides the port permits only static VLANs that is it propagates only static VLA...

Page 111: ... view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note ...

Page 112: ... the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by changing the timeout time of the Leave timer 32 765 centiseconds The following are recommended GVRP timer settings z GARP...

Page 113: ...GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network to communicate with each other Network diagram Figure ...

Page 114: ...ble GVRP on GigabitEthernet1 0 3 SwitchA GigabitEthernet1 0 3 gvrp SwitchA GigabitEthernet1 0 3 quit 2 Configure Switch B The configuration procedure of Switch B is similar to that of Switch A and is thus omitted 3 Configure Switch C Enable GVRP on Switch C which is similar to that of Switch A and is thus omitted Create VLAN 5 SwitchC vlan 5 SwitchC vlan5 quit 4 Configure Switch D Enable GVRP on S...

Page 115: ...xist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE GigabitEthernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure GigabitEthernet1 0 1 on Switch E to operat...

Page 116: ...1 10 5 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic No dynamic vlans exist ...

Page 117: ... Enabling Flow Control on a Port 1 3 Duplicating the Configuration of a Port to Other Ports 1 4 Configuring Loopback Detection for an Ethernet Port 1 4 Enabling Loopback Test 1 5 Enabling the System to Test Connected Cable 1 6 Configuring the Interval to Perform Statistical Analysis on Port Traffic 1 7 Disabling Up Down Log Output on a Port 1 7 Configuring a Port Group 1 8 Displaying and Maintaini...

Page 118: ...r system view system view Enter Ethernet interface view interface interface type interface number Enable a specified double Combo port undo shutdown Optional By default of the two ports in a Combo port the one with a smaller port ID is enabled Initially Configuring a Port Follow these steps to initially configure a port To do Use the command Remarks Enter system view system view Enter Ethernet por...

Page 119: ...pansion interface card Configuring Port Auto Negotiation Speed You can configure an auto negotiation speed for a port by using the speed auto command Take a 10 100 1000 Mbps port as an example z If you expect that 10 Mbps is the only available auto negotiation speed of the port you just need to configure speed auto 10 z If you expect that 10 Mbps and 100 Mbps are the available auto negotiation spe...

Page 120: ... these steps to limit traffic on port To do Use the command Remarks Enter system view system view Limit broadcast traffic received on each port broadcast suppression ratio pps max pps Optional By default the switch does not suppress broadcast traffic Enter Ethernet port view interface interface type interface number Limit broadcast traffic received on the current port broadcast suppression ratio p...

Page 121: ...ion group destination agg id Required z If you specify a source aggregation group ID the system will use the port with the smallest port number in the aggregation group as the source z If you specify a destination aggregation group ID the configuration of the source port will be copied to all ports in the aggregation group and all ports in the group will have the same configuration as that of the ...

Page 122: ...k detection enable Required By default port loopback detection is disabled z To enable loopback detection on a specific port you must use the loopback detection enable command in both system view and the specific port view z After you use the undo loopback detection enable command in system view loopback detection will be disabled on all ports z The commands of loopback detection feature cannot be...

Page 123: ... and shutdown commands on the ports running loopback test z Some ports do not support loopback test and corresponding prompts will be given when you perform loopback test on them Enabling the System to Test Connected Cable You can enable the system to test the cable connected to a specific port The test result will be returned in five seconds The system can test these attributes of the cable Recei...

Page 124: ...n a Port An Ethernet port has three physical link statuses Up Down and Administratively Down For status transition conditions refer to the description of the display brief interface command in Basic Port Configuration Command When the physical link status of an Ethernet port changes between Up and Down or Up and Administratively Down the switch will generate Up Down log and send the log informatio...

Page 125: ...igabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 undo enable log updown Sysname GigabitEthernet1 0 1 shutdown Sysname GigabitEthernet1 0 1 undo shutdown Configuring a Port Group To make the configuration task easier for users certain devices allow users to configure on a single port as well as on multiple ports in a port group In port group view the user only needs to input the configuration comm...

Page 126: ...roup id Display brief information about port configuration display brief interface interface type interface number begin include exclude regular expression Display the Combo ports and the corresponding optical electrical ports display port combo Display port information about a specified unit display unit unit id interface Available in any view Clear port statistics reset counters interface interf...

Page 127: ...regation Group 1 3 Dynamic LACP Aggregation Group 1 3 Aggregation Group Categories 1 4 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregation Group 1 7 Configuring a Dynamic LACP Aggregation Group 1 8 Configuring a Description for an Aggregation Group 1 8 Displaying and Maintaining Link Aggregation Configuration 1 9 Link Aggregation Conf...

Page 128: ...notifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the peer compares the information with the information of other ports on the peer device to determine the ports that can be aggregated In this way the two parties can reach an agreement in adding removing ...

Page 129: ...atically adding removing ports to from it Each manual aggregation group must contain at least one port When a manual aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group LACP is disabled on the member ports of manual aggregation groups and you cannot enable LACP on ports in a manual aggregation group Port status in manual aggregation gro...

Page 130: ...z Both the selected and the unselected ports in the up state can transceive LACP protocol packets z Only the selected ports can transceive service packets the unselected ports cannot In a static aggregation group the system sets the ports to selected or unselected state according to the following rules z Among the ports in an aggregation group that are in up state the system determines the master ...

Page 131: ...with smaller system ID The following is the negotiation procedure 1 Compare device IDs system priority system MAC address between the two parties First compare the two system priorities then the two system MAC addresses if the system priorities are equal The device with smaller device ID will be considered as the preferred one 2 Compare port IDs port priority port number on the preferred device Th...

Page 132: ...oup containing no special port z A manual or static aggregation group has higher priority than a dynamic aggregation group unless the latter contains special ports while the former does not z For aggregation groups the one that might gain higher speed if resources were allocated to it has higher priority than others If the groups can gain the same speed the one with smallest master port number has...

Page 133: ...be added to an aggregation group z The port with Voice VLAN enabled cannot be added to an aggregation group z A port belonging to a port group cannot be added to an aggregation group Conversely a port belonging to an aggregation group cannot be added to a port group Configuring a Manual Aggregation Group You can create a manual aggregation group or remove an existing manual aggregation group after...

Page 134: ...regation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a manual aggregation group the system will automatically disable LACP on the port Similarly when you add an LACP disabled port to a static aggregation group the system will automatically enable LACP on the port Follow these steps to configure a static LACP aggregation ...

Page 135: ...emarks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface interface type interface number Enable LACP on the port lacp enable Required By default LACP is disabled on a port Configure the port priority lacp port priority port priority Optional By default the port priori...

Page 136: ... display link aggregation interface interface type interface number to interface type interface number Display local device ID display lacp system id Available in any view Clear LACP statistics about a specified port or port range reset lacp statistics interface interface type interface number to interface type interface number Available in user view Link Aggregation Configuration Example Ethernet...

Page 137: ...p 1 2 Adopting static LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation group 1 mode static Add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port link aggregation group 1 Sysname GigabitEthernet1 0 1 quit Sysname interface GigabitEthernet 1 0 2 Sysna...

Page 138: ...t1 0 3 Sysname GigabitEthernet1 0 3 lacp enable The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate duplex mode and so on ...

Page 139: ... of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying and Maintaining Port Isolation Configuration 1 2 Port Isolation Configuration Example 1 2 ...

Page 140: ... network security Currently you can create only one isolation group on an 4200G Ethernet switch The number of Ethernet ports in an isolation group is not limited z An isolation group only isolates the member ports in it z Port isolation is independent of VLAN configuration Port Isolation Configuration You can perform the following operations to add an Ethernet port to an isolation group thus isola...

Page 141: ... an isolated port to an aggregation group causes all the ports in the aggregation group on the local unit to be added to the isolation group Displaying and Maintaining Port Isolation Configuration To do Use the command Remarks Display information about the Ethernet ports added to the isolation group display isolate port Available in any view Port Isolation Configuration Example Network requirement...

Page 142: ...isolate Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port isolate Sysname GigabitEthernet1 0 3 quit Sysname interface GigabitEthernet1 0 4 Sysname GigabitEthernet1 0 4 port isolate Sysname GigabitEthernet1 0 4 quit Sysname quit Display information about the ports in the isolation group Sysname display isolate port Isolated port s on UNIT 1 G...

Page 143: ...figuring Port Security Features 1 7 Ignoring the Authorization Information from the RADIUS Server 1 8 Configuring Security MAC Addresses 1 9 Displaying and Maintaining Port Security Configuration 1 10 Port Security Configuration Example 1 10 Port Security Configuration Example 1 10 2 Port Binding Configuration 2 1 Port Binding Overview 2 1 Introduction 2 1 Configuring Port Binding 2 1 Displaying a...

Page 144: ...akes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are provided z NTK need to know feature By checking the destination MAC addresses in outbound data frames on the port NTK ensures that the switch sends data frames through the port only to successfully authe...

Page 145: ...ity MAC addresses on the port reaches the maximum number configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned or dynamic MAC addresses configured can pass through the port secure In this mode the port is disabled from learning MAC addresses Only those packe...

Page 146: ...ngle 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users mac...

Page 147: ...ations In this mode up to one user can access the network macAddressAndUs erLoginSecureExt This mode is similar to the macAddressAndUserLoginSecure mode except that more than one user can access the network z When the port operates in the userlogin withoui mode Intrusion Protection will not be triggered even if the OUI address does not match z On a port operating in either the macAddressElseUserLo...

Page 148: ...to z MAC authentication disabled In addition you cannot perform the above mentioned configurations manually because these configurations change with the port security mode automatically z For details about 802 1x configuration refer to the sections covering 802 1x and System Guard z For details about MAC authentication configuration refer to the sections covering MAC authentication configuration S...

Page 149: ...rks Enter system view system view Set the OUI value for user authentication port security oui OUI value index index value Optional In userLoginWithOUI mode a port supports one 802 1x user plus one user whose source MAC address has a specified OUI value Enter Ethernet port view interface interface type interface number Set the port security mode port security port mode autolearn mac and userlogin s...

Page 150: ...striction with the undo port security port mode command If the port security port mode mode command has been executed on a port none of the following can be configured on the same port z Maximum number of MAC addresses that the port can learn z Reflector port for port mirroring z Link aggregation Configuring Port Security Features Configuring the NTK feature Follow these steps to configure the NTK...

Page 151: ... the NTK feature and execute the port security intrusion mode blockmac command on the same port the switch will be unable to disable the packets whose destination MAC address is illegal from being sent out that port that is the NTK feature configured will not take effect on the packets whose destination MAC address is illegal Configuring the Trap feature Follow these steps to configure port securi...

Page 152: ...arn After this configuration the port changes its way of learning MAC addresses as follows z The port deletes original dynamic MAC addresses z If the amount of security MAC addresses has not yet reach the maximum number the port will learn new MAC addresses and turn them to security MAC addresses z If the amount of security MAC addresses reaches the maximum number the port will not be able to lear...

Page 153: ...w Port Security Configuration Example Port Security Configuration Example Network requirements Implement access user restrictions through the following configuration on GigabitEthernet 1 0 1 of the switch z Allow a maximum of 80 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as security MAC addresses z To ensure that Host can acc...

Page 154: ...earn Switch GigabitEthernet1 0 1 port security port mode autolearn Add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 Switch GigabitEthernet1 0 1 mac address security 0001 0002 0003 vlan 1 Configure the port to be silent for 30 seconds after intrusion protection is triggered Switch GigabitEthernet1 0 1 port security intrusion mode disableport temporarily Swi...

Page 155: ...nding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system view am user bind mac addr mac address ip addr ip address interface interface type interface number interface interface type interface number Bind the MAC address and IP address of a user to a specific port In Ethernet port view am user bind mac addr mac address ip addr ip addre...

Page 156: ...s they steal from Host A to access the network Network diagram Figure 2 1 Network diagram for port binding configuration Configuration procedure Configure Switch A as follows Enter system view SwitchA system view Enter GigabitEthernet 1 0 1 port view SwitchA interface GigabitEthernet 1 0 1 Bind the MAC address and the IP address of Host A to GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 am us...

Page 157: ... Address Table 1 3 Configuring MAC Address Table Management 1 4 Configuration Task List 1 4 Configuring a MAC Address Entry 1 5 Setting the Aging Time of MAC Address Entries 1 6 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 6 Displaying MAC Address Table Information 1 7 Configuration Example 1 7 Adding a Static MAC Address Entry Manually 1 7 ...

Page 158: ...e MAC address table entries z Unicast forwarding If the destination MAC address carried in the packet is included in a MAC address table entry the switch forwards the packet through the forwarding egress port in the entry z Broadcast forwarding If the destination MAC address carried in the packet is not included in the MAC address table the switch broadcasts the packet to all ports except the one ...

Page 159: ...0 1 to ensure that User B can receive the packet Figure 1 3 MAC address learning diagram 2 3 Because the switch broadcasts the packet both User B and User C can receive the packet However User C is not the destination device of the packet and therefore does not process the packet Normally User B will respond to User A as shown in Figure 1 4 When the response packet from User B is sent to GigabitEt...

Page 160: ...stances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets destined for User B z The switch learns only unicast addresses by using the MAC address learning mechanism but directly drops any packet with a broadcast source MAC address Managing MAC Address Table Aging...

Page 161: ... MAC address entries are configured manually A switch discards the packets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 1 1 lists the different types of MAC address entries and their characteristics Table 1 1 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or not at reboot if ...

Page 162: ...ce argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a static MAC address is added it will become a static VLAN Adding a MAC address entry in Ethernet port view Table 1 4 Add a MAC address entry in Ethernet port view Operation Command Description Enter system view...

Page 163: ...ation applies to all ports but only takes effect on dynamic MAC addresses that are learnt or configured to age Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet switch to acquire the MAC addresses of the network devices on the segment connected to the ports of the switch By searching the MAC address table the switch directly forward...

Page 164: ...he server connects to the switch through GigabitEthernet 1 0 2 To prevent the switch from broadcasting packets destined for the server it is required to add the MAC address of the server to the MAC address table of the switch which then forwards packets destined for the server through GigabitEthernet 1 0 2 z The MAC address of the server is 000f e20f dc71 z Port GigabitEthernet 1 0 2 belongs to VL...

Page 165: ...1 8 4 mac address es found on port GigabitEthernet1 0 2 ...

Page 166: ...r 1 24 Configuring the Maximum Transmitting Rate on the Current Port 1 24 Configuring the Current Port as an Edge Port 1 25 Specifying Whether the Link Connected to a Port Is Point to point Link 1 26 Enabling MSTP 1 28 Configuring Leaf Nodes 1 28 Configuration Prerequisites 1 29 Configuring the MST Region 1 29 Configuring How a Port Recognizes and Sends MSTP Packets 1 29 Configuring the Timeout Ti...

Page 167: ...38 Configuring Rapid Transition 1 39 Introduction 1 39 Configuring Rapid Transition 1 41 STP Maintenance Configuration 1 42 Introduction 1 42 Enabling Log Trap Output for Ports of MSTP Instance 1 42 Configuration Example 1 42 Enabling Trap Messages Conforming to 802 1d Standard 1 43 Displaying and Maintaining MSTP 1 43 MSTP Configuration Example 1 43 ...

Page 168: ...topology As a network with tree topology is loop free it prevents packets in it from being duplicated and forwarded endlessly and prevents device performance degradation Currently in addition to the protocol conforming to IEEE 802 1d STP also refers to the protocols based on IEEE 802 1d such as RSTP and MSTP Protocol packets of STP STP uses bridge protocol data units BPDUs also known as configurat...

Page 169: ...assification Designated bridge Designated port For a device A designated bridge is a device that is directly connected to a switch and is responsible for forwarding BPDUs to this switch The port through which the designated bridge forwards BPDUs to this device For a LAN A designated bridge is a device responsible for forwarding BPDUs to this LAN segment The port through which the designated bridge...

Page 170: ...ssage age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the configuration BPDUs to be kept in a switch z Hello time configuration BPDU interval z Forward delay forward delay of the port For the convenience of description the description and examples below involve only four parts of a configuration BPDU z Root bridge ID in the form of device priorit...

Page 171: ...oot path cost the following configuration BPDU priority is compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The switch with a higher priority is elected as the root bridge z Selection of the root bridge At network initialization each STP compliant device on the network assumes itself to be the root bridge wi...

Page 172: ...ology is stable only the root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfully elected the entire tree shaped topology has been constructed The following is an example of how the STP algorithm wo...

Page 173: ...BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local port 1 0 1 BP2 is superior to the received configuration BPDU and discards the received configuration BPDU BP1 0 0 0 AP1 BP2 1 0 1 BP2 Device B z Device B compares the configuration BPDUs of all its ports and determines that the configuration BPDU of BP1 is the optimum configuration BP...

Page 174: ... launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 By comparison z Because the root path cost of CP2 9 root path cost of the BPDU 5 path cost corresponding to CP2 4 is smaller than the root path cost of CP1 10 root path cost of the BPDU 0 path cost corresponding to CP2 10 the BPDU of CP2 is elected as the optimum BPDU and CP2 is elected as the root port the messages of which wi...

Page 175: ... the network connectivity However the newly calculated configuration BPDU will not be propagated throughout the network immediately so the old root ports and designated ports that have not detected the topology change continue forwarding data through the old path If the new root port and designated port begin to forward data as soon as they are elected a temporary loop may occur 3 STP timers The f...

Page 176: ...ith a point to point link it can enter the forwarding state immediately after the device undergoes handshake with the downstream device and gets a response RSTP supports rapid convergence Like STP it is of the following disadvantages all bridges in a LAN are on the same spanning tree redundant links cannot be blocked by VLAN the packets of all VLANs are forwarded along the same spanning tree Featu...

Page 177: ...ping configuration and the same MSTP revision level A switched network can contain multiple MST regions You can group multiple switches into one MST region by using the corresponding MSTP configuration commands As shown in Figure 1 4 all the switches in region A0 are of the same MST region related configuration including z Region name z VLAN to MSTI mapping that is VLAN 1 is mapped to MSTI 1 VLAN ...

Page 178: ... Common root bridge The common root bridge is the root of the CIST The common root bridge of the network shown in Figure 1 4 is a switch in region A0 Port role MSTP calculation involves the following port roles root port designated port master port region boundary port alternate port and backup port z A root port is used to forward packets to the root z A designated port is used to forward packets...

Page 179: ...n the CIST The master port which is a root port in the CIST while a master port in the other MSTIs is an exception z For example in Figure 1 5 port 1 on switch A is a region boundary port It is a root port in the CIST while a master port in all the other MSTIs in the region Figure 1 5 Port roles Port state In MSTP a port can be in one of the following three states z Forwarding state Ports in this ...

Page 180: ...thm In the beginning each switch regards itself as the root and generates a configuration BPDU for each port on it as a root with the root path cost being 0 the ID of the designated bridge being that of the switch and the designated port being itself 1 Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from anothe...

Page 181: ...ated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost with the root ID being replaced with that of the root port configuration BPDU root path cost being replaced with the sum of the root path cost of the root port configuration BPDU and the path cost of the root port the ID of the designated bridge being replaced with that of the swit...

Page 182: ...idge Priority of the Current Switch Optional The priority of a switch cannot be changed after the switch is specified as the root bridge or a secondary root bridge Configuring How a Port Recognizes and Sends MSTP Packets Optional Configuring the MSTP Operation Mode Optional Configuring the Maximum Hop Count of an MST Region Optional Configuring the Network Diameter of the Switched Network Optional...

Page 183: ... for the MST region vlan mapping modulo modulo Required Both commands can be used to configure VLAN to MSTI mapping tables By default all VLANs in an MST region are mapped to MSTI 0 Configure the MSTP revision level for the MST region revision level level Required The default revision level of an MST region is level 0 Activate the configuration of the MST region manually active region configuratio...

Page 184: ...T region named info the MSTP revision level being level 1 VLAN 2 through VLAN 10 being mapped to MSTI 1 and VLAN 20 through VLAN 30 being mapped to MSTI 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to 10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region ...

Page 185: ...STI at the same time But in the same MSTI a switch cannot be the root bridge and the secondary root bridge simultaneously When the root bridge fails or is turned off the secondary root bridge becomes the root bridge if no new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails Yo...

Page 186: ...u specify a switch as the root bridge or a secondary root bridge by using the stp root primary or stp root secondary command the bridge priority of the switch cannot be configured any more z During the selection of the root bridge if multiple switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the cur...

Page 187: ... to configure how a port recognizes and sends MSTP packets in system view To do Use the command Remarks Enter system view system view Configure how a port recognizes and sends MSTP packets stp interface interface type interface number compliance auto dot1s legacy Required By default a port recognizes and sends MSTP packets in the automatic mode That is it determines the format of packets to be sen...

Page 188: ...ed switch operates in the MSTP mode by default Configuration example Specify the MSTP operation mode as STP compatible Sysname system view Sysname stp mode stp Configuring the Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region The value of the maximum hop count limits the size of the MST region A configuration BPDU cont...

Page 189: ...rk diameter of a network is measured by the number of switches it equals the number of the switches on the longest path that is the path containing the maximum number of switches Configuration procedure Follow these steps to configure the network diameter of the switched network To do Use the command Remarks Enter system view system view Configure the network diameter of the switched network stp b...

Page 190: ...ds to a large forward delay A too small forward delay parameter may result in temporary redundant paths And a too large forward delay parameter may cause a network unable to resume the normal state in time after changes occurred to the network The default value is recommended z An adequate hello time parameter enables a switch to detect link failures in time without occupying too many network reso...

Page 191: ...hello time and then initiates the spanning tree recalculation process Spanning trees may be recalculated even in a steady network if an upstream switch continues to be busy You can configure the timeout time factor to a larger number to avoid such cases Normally the timeout time can be four or more times of the hello time For a steady network the timeout time can be five to seven times of the hell...

Page 192: ...ration BPDUs transmitted in each hello time set it to a proper value to prevent MSTP from occupying too many network resources The default value is recommended Configuration example Set the maximum transmitting rate of GigabitEthernet 1 0 1 to 15 1 Configure the maximum transmitting rate in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 transmit limit 15 2 Configure th...

Page 193: ...figure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time This not only enables these ports to turn to the forwarding state rapidly but also secures your network Configuration example Configure GigabitEthernet 1 0 1 as an edge port 1 Configure GigabitEthernet 1 0 1 as an edge port in system view Sysname system view Sysname stp inter...

Page 194: ...t is a point to point link stp point to point force true force false auto Required The auto keyword is adopted by default z If you configure the link connected to a port in an aggregation group as a point to point link the configuration will be synchronized to the rest ports in the same aggregation group z If an auto negotiating port operates in full duplex mode after negotiation you can configure...

Page 195: ...ired MSTP is enabled by default Enter Ethernet port view interface interface type interface number Disable MSTP on the port stp disable Optional By default MSTP is enabled on all ports To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Other MSTP r...

Page 196: ...t Link Optional In a network containing switches with both GVRP and MSTP enabled GVRP messages travel along the CIST If you want to advertise a VLAN through GVRP be sure to map the VLAN to the CIST MSTI 0 when configuring the VLAN to MSTI mapping table Configuration Prerequisites The role root branch or leaf of each switch in each MSTI is determined Configuring the MST Region Refer to Configuring ...

Page 197: ...cify the standard for calculating the default path costs of the links connected to the ports of the switch stp pathcost standard dot1d 1998 dot1t Optional By default the dot1t standard is used to calculate the default path costs of ports Table 1 7 Transmission rates vs path costs Rate Operation mode half full duplex 802 1D 1998 IEEE 802 1t Latency standard 0 65 535 200 000 000 200 000 10 Mbps Half...

Page 198: ...iew system view Enter Ethernet port view interface interface type interface number Configure the path cost for the port stp instance instance id cost cost Required An MSTP enabled switch can calculate path costs for all its ports automatically Changing the path cost of a port may change the role of the port and put it in state transition Executing the stp cost command with the instance id argument...

Page 199: ...onfigure port priority for specified ports stp interface interface list instance instance id port priority priority Required The default port priority is 128 Configure port priority in Ethernet port view Follow these steps to configure port priority in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number C...

Page 200: ... In this case you can force the port to transit to the MSTP mode by performing the mCheck operation on the port Similarly a port on an RSTP enabled switch operating as an upstream switch turns to the STP compatible mode when it has an STP enabled switch connected to it When the STP enabled downstream switch is then replaced by an MSTP enabled switch the port cannot automatically transit to the MST...

Page 201: ...iguration BPDUs deliberately to edge ports to cause network jitter You can prevent this type of attacks by utilizing the BPDU guard function With this function enabled on a switch the switch shuts down the edge ports that receive configuration BPDUs and then reports these cases to the administrator Ports shut down in this way can only be restored by the administrator Root guard A root bridge and i...

Page 202: ...fault at the same time Before the timer expires the switch only performs the removing operation for limited times up to six times by default regardless of the number of the TC BPDUs it receives Such a mechanism prevents a switch from being busy in removing the MAC address table and ARP entries You can use the stp tc protection threshold command to set the maximum times for a switch to remove the M...

Page 203: ... guard function in system view To do Use the command Remarks Enter system view system view Enable the root guard function on specified ports stp interface interface list root protection Required The root guard function is disabled by default Follow these steps to enable the root guard function in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port vie...

Page 204: ...figuration example Enable the loop guard function on GigabitEthernet 1 0 1 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp loop protection Configuring TC BPDU Attack Guard Configuration prerequisites MSTP runs normally on the switch Configuration procedure Follow these steps to configure the TC BPDU attack guard function To do Use the command Remarks En...

Page 205: ...nting the digest snooping feature If a port on a 3com switch 4200G is connected to another manufacturer s switch that has the same MST region related configuration as its own but adopts a proprietary spanning tree protocol you can enable digest snooping on the port Then the 3com switch 4200G regards another manufacturer s switch as in the same region it records the configuration digests carried in...

Page 206: ...he digest snooping feature successfully you must first enable it on all the ports of your switch that are connected to another manufacturer s switches adopting proprietary spanning tree protocols and then enable it globally z To enable the digest snooping feature the interconnected switches and another manufacturer s switch adopting proprietary spanning tree protocols must be configured with exact...

Page 207: ...on edge ports changes to forwarding state and sends Agreement to upstream device Downstream switch Upstream switch Proposal for rapid transition Agreement Designated port changes to forwarding state Root port Designated port Figure 1 7 The MSTP rapid transition mechanism Downstream switch Root port blocks other non edge ports Root port changes to forwarding state and sends Agreement to upstream sw...

Page 208: ...m switch to change their states rapidly Configuring Rapid Transition Configuration prerequisites As shown in Figure 1 8 a 3com switch is connected to another manufacturer s switch The former operates as the downstream switch and the latter operates as the upstream switch The network operates normally The upstream switch is running a proprietary spanning tree protocol that is similar to RSTP in the...

Page 209: ...og trap information is output to the log host when particular ports fail so that they can check the status changes of those ports through alarm information Enabling Log Trap Output for Ports of MSTP Instance Follow these steps to enable log trap output for ports of MSTP instance To do Use the command Remarks Enter system view system view Enable log trap output for the ports of a specified instance...

Page 210: ...m view Sysname stp instance 1 dot1d trap newroot enable Displaying and Maintaining MSTP To do Use the command Remarks Display the state and statistics information about spanning trees of the current device display stp instance instance id interface interface list slot slot number brief Display region configuration display stp region configuration Display information about the ports that are shut d...

Page 211: ...work diagram for MSTP configuration The word permit shown in Figure 1 9 means the corresponding link permits packets of specific VLANs Configuration procedure 1 Configure Switch A Enter MST region view Sysname system view Sysname stp region configuration Configure the region name VLAN to MSTI mapping table and revision level for the MST region Sysname mst region region name example Sysname mst reg...

Page 212: ...nfigure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch C as the root bridge of MSTI 4 Sysname stp instance 4 root primary 4 Configur...

Page 213: ...N 1 18 Configuring 802 1x Re Authentication 1 19 Configuring the 802 1x Re Authentication Timer 1 19 Displaying and Maintaining 802 1x Configuration 1 20 Configuration Example 1 20 802 1x Configuration Example 1 20 2 Quick EAD Deployment Configuration 2 1 Introduction to Quick EAD Deployment 2 1 Quick EAD Deployment Overview 2 1 Operation of Quick EAD Deployment 2 1 Configuring Quick EAD Deploymen...

Page 214: ...ii Displaying and Maintaining System Guard 4 1 ...

Page 215: ...ort based network access control protocol It is used to perform port level authentication and control of devices connected to the 802 1x enabled ports With the 802 1x protocol employed a user side device can access the LAN only when it passes the authentication Those devices that fail to pass the authentication are denied access to the LAN This section covers these topics z Architecture of 802 1x ...

Page 216: ...as user name password the VLAN a user should belong to priority and any Access Control Lists ACLs to be applied There are four additional basic concepts related 802 1x port access entity PAE controlled port and uncontrolled port the valid direction of a controlled port and the access control method on ports I PAE A port access entity PAE is responsible for implementing algorithms and performing pr...

Page 217: ...The Mechanism of an 802 1x Authentication System IEEE 802 1x authentication system uses the Extensible Authentication Protocol EAP to exchange information between the supplicant system and the authentication server Figure 1 2 The mechanism of an 802 1x authentication system z EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAP...

Page 218: ...Length field indicates the size of the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key packets are only transmitted between the supplicant system and the authenticator system EAP packets are encapsulated by RADIUS protocol to allow them successfully reach the auth...

Page 219: ... to a RADIUS protocol packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA Operation for information about the format of a RADIUS protocol packet The EAP message field whose format is shown in Figure 1 6 is used to encapsulate EAP packets The maximum size of the string field is 253 bytes EAP packets with their size larger than 253 bytes are fragmented and a...

Page 220: ...licant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys z EAP TLS allows the supplicant system and the RADIUS server to check each other s security certificate and authenticate each other s identity guaranteeing that data is transferred to the right destination and preventing data...

Page 221: ...uest identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP response identity packet to the switch with the user name contained in it The switch then encapsulates the packet in a RADIUS Access Request packet and forwards it to the RADIUS server z Upon receiving the packet from the switch the RADIUS server retrieves the user name from the packet fi...

Page 222: ...if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authenticating ways used on the supplicant system and the RADIUS server are the same However for the switch you can simply enable the EAP relay mode by using the dot1x authentication method eap command EAP terminating mode In this mode EAP packet transmission is terminated at authenticator sys...

Page 223: ... Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake period This timer sets the handshake period and is triggered after a supplicant system passes the authentication It sets the interval for a switch to send handshake request packets to online users You ca...

Page 224: ...tication actively The switch sends multicast request identity packets periodically through the port enabled with 802 1x function In this case this timer sets the interval to send the multicast request identity packets z Client version request timer ver period This timer sets the version period and is triggered after a switch sends a version request packet The switch sends another version request p...

Page 225: ...am and the CAMS server in addition to enabling the client version detecting function on the switch by using the dot1x version check command Checking the client version With the 802 1x client version checking function enabled a switch checks the version and validity of an 802 1x client to prevent unauthorized users or users with earlier versions of 802 1x client from logging in This function makes ...

Page 226: ...ers periodically If the switch receives no re authentication response from a user in a period of time it tears down the connection to the user To connect to the switch again the user needs to initiate 802 1x authentication with the client software again z When re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to th...

Page 227: ...cal authentication scheme Figure 1 11 802 1x configuration ISP domain configuration AAA scheme Local authentication RADIUS scheme 802 1x configuration ISP domain configuration AAA scheme Local authentication RADIUS scheme 802 1x configuration z 802 1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme a local authentication scheme or a RADIUS...

Page 228: ...ed By default 802 1x is disabled on all ports In system view dot1x port control authorized force unauthorized force auto interface interface list interface interface type interface number dot1x port control authorized force unauthorized force auto Set port authorization mode for specified ports In port view quit Optional By default an 802 1x enabled port operates in the auto mode In system view do...

Page 229: ...prietary client software of H3C to respond to the handshake packets z As clients not running the H3C client software do not support the online user handshaking function switches cannot receive handshake acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case Timer and Maximum Us...

Page 230: ...he interface list argument the command applies to all ports You can also use this command in port view In this case this command applies to the current port only and the interface list argument is not needed z As for the configuration of 802 1x timers the default values are recommended Advanced 802 1x Configuration Advanced 802 1x configurations as listed below are all optional z Configuration con...

Page 231: ...the above table takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking function needs to be enabled on the switch too by using the dot1x version check command Configuring Client Version Checking Follow these steps to configure client version checking To do Use the command Remarks Enter system view system view In system view dot1x version che...

Page 232: ... triggered authentication To do Use the command Remarks Enter system view system view Enable DHCP triggered authentication dot1x dhcp launch Required By default DHCP triggered authentication is disabled Configuring Guest VLAN Follow these steps to configure guest VLAN To do Use the command Remarks Enter system view system view Configure the access control method of ports dot1x port method portbase...

Page 233: ...When re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and password or however use re authentication for only accounting and user connection status checking and therefore does not authenticate the username and password any more z An authentication server runnin...

Page 234: ...on Example Network requirements z Authenticate users on all ports to control their accesses to the Internet The switch operates in MAC based access control mode z All supplicant systems that pass the authentication belong to the default domain named aabbcc net The domain can accommodate up to 30 users As for authentication a supplicant system is authenticated locally if the RADIUS server fails And...

Page 235: ...nfiguration on the client and the RADIUS servers is omitted Enable 802 1x globally Sysname system view System View return to User View with Ctrl Z Sysname dot1x Enable 802 1x on GigabitEthernet 1 0 1 Sysname dot1x interface GigabitEthernet 1 0 1 Set the access control method to MAC based This operation can be omitted as MAC based is the default Sysname dot1x port method macbased interface GigabitE...

Page 236: ...o the RADIUS server with the domain name truncated Sysname radius radius1 user name format without domain Sysname radius radius1 quit Create the domain named aabbcc net and enter its view Sysname domain aabbcc net Specify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme Sysname isp aabbcc net scheme radius scheme ...

Page 237: ... Quick EAD Deployment Quick EAD deployment is achieved with the two functions restricted access and HTTP redirection Restricted access Before passing 802 1x authentication a user is restricted through ACLs to a specific range of IP addresses or a specific server Services like EAD client upgrading download and dynamic address assignment are available on the specific server HTTP redirection In the H...

Page 238: ...iguring a free IP range z With dot1x enabled but quick EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obtain IP addresses dynamically before passing authentication if the IP address of the DHCP server is in the free IP range z The quick EAD deployment function applies to only ports with the authorization mo...

Page 239: ...ps to configure the ACL timer To do Use the command Remarks Enter system view system view Set the ACL timer dot1x timer acl timeout acl timeout value Required By default the ACL timeout period is 30 minutes Displaying and Maintaining Quick EAD Deployment To do Use the command Remarks Display configuration information about quick EAD deployment display dot1x sessions statistics interface interface ...

Page 240: ...eway of the PC is configured as the IP address of the Layer 3 virtual interface of the VLAN to which the port that is directly connected with the PC belongs Configure the URL for HTTP redirection Sysname system view Sysname dot1x url http 192 168 0 111 Configure a free IP range Sysname dot1x free ip 192 168 0 111 24 Set the ACL timer to 10 minutes Sysname dot1x timer acl timeout 10 Enable dot1x gl...

Page 241: ...dotted decimal notation As a result the PC cannot receive any ARP response and therefore cannot be redirected To solve this problem the user needs to enter an IP address that is not in the free IP range in dotted decimal notation z If a user enters an address in the free IP range the user cannot be redirected This is because the switch considers that the user wants to access a host in the free IP ...

Page 242: ...management devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client responds to the requests and forwards the HABP requests to the attached switch es The...

Page 243: ...attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to configure an HABP client To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enab...

Page 244: ...ed Configuring the System Guard Feature Through the following configuration you can enable the system guard feature set the threshold for the number of packets when an attack is detected and the length of the isolation after an attack is detected Configuring the System Guard Feature Table 4 1 Configure the system guard feature Operation Command Description Enter system view system view Enable the ...

Page 245: ...able 4 2 Display and maintain system guard Operation Command Display the record of detected attacks display system guard attack record Display the state of the system guard feature display system guard state ...

Page 246: ...IUS Servers to be Supported 2 14 Configuring the Status of RADIUS Servers 2 15 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 16 Configuring the Local RADIUS Server 2 17 Configuring Timers for RADIUS Servers 2 18 Enabling Sending Trap Message when a RADIUS Server Goes Down 2 19 Enabling the User Re Authentication at Restart Function 2 19 HWTACACS Configuration Task List 2 21 Cre...

Page 247: ...horization of Telnet Users 2 30 Troubleshooting AAA 2 31 Troubleshooting RADIUS Configuration 2 31 Troubleshooting HWTACACS Configuration 2 31 3 EAD Configuration 3 1 Introduction to EAD 3 1 Typical Network Application of EAD 3 1 EAD Configuration 3 1 EAD Configuration Example 3 2 ...

Page 248: ...n this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardware z Remote authentication Users are authenticated remotely through RADIUS or HWTACACS protocol This device for example a 3Com switch acts as the client to communic...

Page 249: ...er structure It can prevent unauthorized access to your network and is commonly used in network environments where both high security and remote user access service are required The RADIUS service involves three components z Protocol Based on the UDP IP layer RFC 2865 and 2866 define the message format and message transfer mechanism of RADIUS and define 1812 as the authentication port and 1813 as ...

Page 250: ...re 1 2 depicts the message exchange procedure between user switch and RADIUS server Figure 1 2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 2 The user enters the username and password 3 The RADIUS client receives the username and password and then sends an authentication request Access Request to the RADIUS server 4 The RADIUS server compa...

Page 251: ...ms timer management retransmission and backup server Figure 1 3 depicts the format of RADIUS messages Figure 1 3 RADIUS message format 1 The Code field one byte decides the type of RADIUS message as shown in Table 1 1 Table 1 1 Description on the major values of the Code field Code Message type Message description 1 Access Request Direction client server The client transmits this message to the se...

Page 252: ... the Length field indicates it is discarded 4 The Authenticator field 16 bytes is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authenticator and Response Authenticator 5 The Attributes field contains specific authentication authorization accounting information to provide the configuration details...

Page 253: ...o implement functions that are not defined in standard RADIUS Figure 1 4 depicts the format of attribute 26 The Vendor ID field used to identify a vendor occupies four bytes where the first byte is 0 and the other three bytes are defined in RFC 1700 Here the vendor can encapsulate multiple customized sub attributes containing vendor specific Type Length and Value to implement a RADIUS extension Fi...

Page 254: ... Is more suitable for security control Is more suitable for accounting Supports configuration command authorization Does not support In a typical HWTACACS application as shown in Figure 1 50 a terminal user needs to log into the switch to perform some operations As a HWTACACS client the switch sends the username and password to the TACACS server for authentication After passing authentication and ...

Page 255: ...S client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client requests the user for the login password 5 After receiving the password the TACACS client sends an authentication continuance message carrying the password to the TACACS server 6 The TACACS server ret...

Page 256: ...sends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS client sends an accounting stop request to the TACACS server 13 The TACACS server returns an accounting response indicating that it has received the accounting stop request ...

Page 257: ...utes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods z You need to configure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a...

Page 258: ...re the form of the delimiter between the username and the ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required If no ISP domain is set as the default ISP domain the ISP domain system is used as the default ...

Page 259: ...unting server when it performs accounting for a user it does not disconnect the user as long as the accounting optional command has been executed though it cannot perform accounting for the user in this case H3C s CAMS Server is a service management system used to manage networks and ensure network and user information security With the cooperation of other networking devices such as switches in a...

Page 260: ...l or none as the primary scheme the local authentication is performed or no authentication is performed In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time z If you configure to use none as the primary scheme FTP users of the domain cannot pass authentication Therefore you cannot specify none as the primary scheme if you want to enable FTP service Configuring sepa...

Page 261: ... executed the authorization information returned from the RADIUS or local scheme still takes effect even if the authorization none command is executed z The Switch 4200G adopts hierarchical protection for command lines so as to inhibit users at lower levels from using higher level commands to configure the switches For details about configuring a HWTACACS authentication scheme for low to high user...

Page 262: ...ID and then adds the port to the newly created VLAN z String If the RADIUS authentication server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS authentication server the switch compares the ID with existing VLAN names on the switch If it finds a match it adds the port to the corresponding VLAN Othe...

Page 263: ...To implement dynamic VLAN assignment on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port Configuring the Attributes of a Local User When local scheme is chosen as the AAA scheme you should create local users on the switch and configure the relevant attributes The local users are users set on the switch with each user uniquely identified by a username To make...

Page 264: ...ccess specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of the user level level Optional By default the privilege level of the user is 0 Configure the authorized VLAN for the local user authorization vlan string Required By default no authorized VLAN is con...

Page 265: ...ed with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentication user or multiple users with the same authorized VLAN to a port z For local RADIUS authentication to take effect the VLAN assignment mode must be set to string after you specify authorized VLANs...

Page 266: ...a local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status...

Page 267: ...on exchange between switch and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view refer to AAA Configuration Creating a RADIUS Scheme The RADIUS protocol configuration is performed on a RADIUS scheme basis You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol con...

Page 268: ...ization information Therefore you need not and cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port number of the primar...

Page 269: ...exchange authentication authorization messages and accounting messages you must set a port number for accounting different from that set for authentication authorization z With stop accounting request buffering enabled the switch first buffers the stop accounting request that gets no response from the RADIUS accounting server and then retransmits the request to the RADIUS accounting server until i...

Page 270: ...able because this protocol uses UDP packets to carry its data Therefore it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the switch gets no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Follow these steps to configure the...

Page 271: ...the block state for a set time set by the timer quiet command the switch will try to communicate with the primary server again when it receives a RADIUS request If it finds that the primary server has recovered the switch immediately restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server t...

Page 272: ...mat with domain without domain Optional By default the usernames sent from the switch to RADIUS server carry ISP domain names Set the units of data flows to RADIUS servers data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet unit for outgoing RADIUS flows are byte and one packe...

Page 273: ...default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling Station Id field recognizable to RADIUS servers is different from the default MAC address format on the switch For details about field formats recognizable to RAD...

Page 274: ... is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit the request to ensure that the user can obtain RADIUS service For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate with the primary server due to some server t...

Page 275: ...s Enter system view system view Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the switch does not send trap message when a RADIUS server is down z This configuration takes effect on all RADIUS schemes z The switch considers a RADIUS server as being down if it has tried the configured maximum times t...

Page 276: ...pdate message 4 Once the switch receives the response from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured maximum number of times to send the Accounting On message it will not send the Accounting On message any more The switch can automatically generate the main attributes NAS ID NAS IP address and sess...

Page 277: ...WTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to create a HWTACACS scheme To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme...

Page 278: ... remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server Configuring TACACS Authorization Servers Follow these steps to configure TACACS authorization servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By defaul...

Page 279: ...nd port number of the secondary TACACS accounting server secondary accounting ip address port Required By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 Enable the stop accounting message retransmission function and set the maximum number of transmission attempts of a buffered stop accounting message retry stop accounting retry times Optional By defau...

Page 280: ...s Follow these steps to configure the attributes for data to be sent to TACACS servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the format of the usernames to be sent to TACACS server user name format with domain without domain Optional By default th...

Page 281: ...ptional By default the response timeout time is five seconds Set the time that the switch must wait before it can restore the status of the primary server to active timer quiet minutes Optional By default the switch must wait five minutes before it can restore the status of the primary server to active Set the real time accounting interval timer realtime accounting minutes Optional By default the ...

Page 282: ... command Remarks Display RADIUS message statistics about local RADIUS server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius scheme radius scheme name Display RADIUS message statistics display radius statistics Display buffered non response stop accounting requests display stop accounting buffer radius scheme radius scheme n...

Page 283: ...hentication Network requirements In the network environment shown in Figure 2 1 you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS server z A RADIUS authentication server with IP address 10 110 91 164 is connected to the switch z On the switch set the shared key it uses to exchange messages with the authentication RADIUS server...

Page 284: ...igure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams key authentication aabbcc Sysname radius cams server type Extended Sysname radius cams user name format with domain Sysname radius cams quit Associate the ISP domain with the RADIUS scheme Sysname domain cams Sysname isp cams sch...

Page 285: ... Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user telnet Sysname luser telnet service type telnet Sysname luser telnet password simple aabbcc Sysname luser telnet quit Configure an authentication scheme for the default system domain Sysname domain system Sysname isp system scheme local A Telnet user logging into the switch with the name telnet system belongs...

Page 286: ...to strip domain names off usernames before sending usernames to the TACACS server Configure the shared key to aabbcc on the TACACS server for exchanging messages with the switch Network diagram Figure 2 3 Remote HWTACACS authentication and authorization of Telnet users Internet Telnet user Authentication server 10 110 91 164 16 Configuration procedure Add a Telnet user Omitted here Configure a HWT...

Page 287: ...from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communication links physical link layer between the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set ...

Page 288: ...z Dynamically adjusts the VLAN rate and packet scheduling priority for user terminals according to session control packets whereby to control the access rights of users dynamically Typical Network Application of EAD EAD checks the security status of users before they can access the network and forcibly implements user access control policies according to the check results In this way it can isolat...

Page 289: ...h RADIUS scheme supports up to eight IP addresses of security policy servers EAD Configuration Example Network requirements In Figure 3 2 z A user is connected to GigabitEthernet 1 0 1 on the switch z The user adopts 802 1x client supporting EAD extended function z You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD co...

Page 290: ... RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams accounting optional Sysname radius cams key authentication expert Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme Sysname radiu...

Page 291: ...s 1 2 Quiet MAC Address 1 2 Configuring Basic MAC Address Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 3 MAC Address Authentication Enhanced Function Configuration Task List 1 3 Configuring a Guest VLAN 1 4 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port 1 6 Displaying and Maintaining MAC Address Authenticatio...

Page 292: ...witch in advance In this case the user name the password and the limits on the total number of user names are the matching criterion for successful authentication For details refer to AAA of this manual for information about local user attributes Performing MAC Address Authentication on a RADIUS Server When authentications are performed on a RADIUS server the switch serves as a RADIUS client and c...

Page 293: ... from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Quiet MAC Address When a user fails MAC address authentication the MAC address becomes a quiet MAC address which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires This prevents an inva...

Page 294: ...ddress authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default timeout values are as follows 300 seconds for offline detect timer 60 seconds for quiet timer and 100 seconds for server timeout timer z If MAC address authentication is enabled on a port you cannot configure the maximum number of dyna...

Page 295: ... to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the network In some cases if the clients failing in the authentication are required to access some restricted resources in the network such as the virus library update server you can use the Guest VLAN You...

Page 296: ... adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in the VLAN that the port allows to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is packets can be forwarded to the VLANs other than the Guest VLAN through t...

Page 297: ...ication cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authentication users for a port in order to control the maximum number of users ac...

Page 298: ...tion interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type interface number Available in user view MAC Address Authentication Configuration Examples Network requirements As illustrated in Figure 1 10 a supplicant is connected to the switch through port GigabitEthernet 1 0 2 z ...

Page 299: ...P domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the ISP domain for MAC address authentication Sysname mac authentication domain aabbcc net Enable MAC address authentication globally This is usually the last step in configuring access control related fea...

Page 300: ...face IP Address Configuration Examples 1 4 2 IP Performance Optimization Configuration 2 1 IP Performance Overview 2 1 Introduction to IP Performance Configuration 2 1 Introduction to FIB 2 1 Protocols and Standards 2 1 Configuring IP Performance Optimization 2 1 IP Performance Optimization Configuration Task List 2 1 Configuring TCP Attributes 2 1 Disabling Sending of ICMP Error Packets 2 2 Displ...

Page 301: ...ddress is used to identify a host An example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as cla...

Page 302: ...ies a network z IP address with an all one host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broadcasted to all the hosts on the network 192 168 1 0 Subnetting and Masking Subnetting was developed to address the risk of IP address exhaustion resulting from fast expansion of the Internet The idea is to break a network down int...

Page 303: ...ck interface is a virtual interface The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down A loopback interface can be configured with an IP address so routing protocols can be enabled on a loopback interface and a loopback interface is capable of sending and receiving routing protocol packets Each VLAN needs an I...

Page 304: ...ormation about a specified or all Layer 3 interfaces display ip interface brief interface type interface number Available in any view VLAN Interface IP Address Configuration Examples Network requirement Assign IP address 129 2 2 1 with mask 255 255 255 0 to VLAN interface 1 of the switch Network diagram Figure 1 3 Network diagram for IP address configuration Configuration procedure Configure an IP...

Page 305: ...orwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch by viewing the FIB table Each FIB entry includes destination address mask length next hop current flag timestamp and outbound interface When the switch runs normally its FIB table and routing table have the same conte...

Page 306: ...ies ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate management Advantages of sending ICMP error packets ICMP redirect packets and destination unreachable packets are two kinds of ICMP error packets Their sending conditions and functions are as follows 1 Sending ICMP redirect packets A host may have only a default route t...

Page 307: ... network traffic z If a device receives a lot of malicious packets that cause it to send ICMP error packets its performance will be reduced z As the ICMP redirection function increases the routing table size of a host the host s performance will be reduced if its routing table becomes very large z If a host sends malicious ICMP destination unreachable packets end users may be affected To prevent t...

Page 308: ...isplay the FIB entries permitted by a specific ACL display fib acl number Display the FIB entries in the buffer which begin with include or exclude the specified character string display fib begin include exclude regular expression Display FIB statistics display fib statistics Clear IP traffic statistics reset ip statistics Clear TCP traffic statistics reset tcp statistics Clear UDP traffic statis...

Page 309: ... Introduction to ARP 1 1 ARP Function 1 1 ARP Message Format 1 1 ARP Table 1 3 ARP Process 1 3 Introduction to Gratuitous ARP 1 4 Configuring ARP 1 4 Configuring Gratuitous ARP 1 5 Displaying and Debugging ARP 1 5 ARP Configuration Examples 1 6 ...

Page 310: ... device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address Unless otherwise stated a data link layer address in this chapter refers to a 48 bit Ethernet MAC address ARP Message Format ARP messages are classified as ARP request messages and ARP reply messages...

Page 311: ...Refer to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packets which can be 1 ARP request packets 2 ARP reply packets 3 RARP request packets 4 RARP repl...

Page 312: ...y Dynamically generated ARP entries of this type age with time The aging period is set by the ARP aging timer ARP Process Figure 1 2 ARP process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B The resolution process is as follows 1 Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B If Host A finds it Host A uses the...

Page 313: ...ddresses carried in a received gratuitous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine whether or not IP address conflicts exist between it and other network devices z Trigger other network devices to update its hardware address stored in their caches Wi...

Page 314: ...ackets is enabled as long as an S4200G switch operates No command is needed for enabling this function That is the device sends gratuitous ARP packets whenever a VLAN interface is enabled such as when a link is enabled or an IP address is configured for the VLAN interface or whenever the IP address of a VLAN interface is changed Displaying and Debugging ARP To do Use the command Remarks Display sp...

Page 315: ...ntry check on the switch z Set the aging time for dynamic ARP entries to 10 minutes z Add a static ARP entry with the IP address being 192 168 1 1 the MAC address being 000f e201 0000 and the outbound port being GigabitEthernet 1 0 10 of VLAN 1 Configuration procedure Sysname system view Sysname undo arp check enable Sysname arp timer aging 10 Sysname arp static 192 168 1 1 000f e201 0000 1 Gigabi...

Page 316: ...ay Agent Configuration Task List 2 3 Correlating a DHCP Server Group with a Relay Agent Interface 2 4 Configuring DHCP Relay Agent Security Functions 2 5 Configuring the DHCP Relay Agent to Support Option 82 2 6 Displaying and Maintaining DHCP Relay Agent Configuration 2 7 DHCP Relay Agent Configuration Example 2 7 Troubleshooting DHCP Relay Agent Configuration 2 8 3 DHCP BOOTP Client Configuratio...

Page 317: ...hange of hosts and frequent change of IP addresses also require new technology Dynamic Host Configuration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration parameters and the DHCP servers return the corresponding configuration information such as IP addresses to implement dynamic allocation of n...

Page 318: ...d in the DHCP DISCOVER packet refer to section DHCP Packet Format for details 3 Select In this phase the DHCP client selects an IP address If more than one DHCP server sends DHCP OFFER packets to the DHCP client the DHCP client only accepts the DHCP OFFER packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknow...

Page 319: ...he DHCP server performs the same operations as those described above DHCP Packet Format DHCP has eight types of packets They have the same format but the values of some fields in the packets are different The DHCP packet format is based on that of the BOOTP packets The following figure describes the packet format the number in the brackets indicates the field length in bytes Figure 1 2 DHCP packet...

Page 320: ... file that the DHCP server specifies for the DHCP client z option Optional variable length fields including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Exten...

Page 321: ... the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment that is you need to deploy at least one DHCP server for each network segment which is far from economical DHCP relay agent is designed to address this problem It enables DHCP clients in a subnet to communicate with the DHC...

Page 322: ...the DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients Option 82 involves at most 255 sub options If Option 82 is ...

Page 323: ...unchanged in the packet and forwards the packet if not discarded to the DHCP server z If the request packet does not contain Option 82 the DHCP relay agent adds Option 82 to the packet and forwards the packet to the DHCP server 2 Upon receiving the packet returned from the DHCP server the DHCP relay agent strips Option 82 from the packet and forwards the packet with the DHCP configuration informat...

Page 324: ... server groupNo ip ip address 1 8 Required By default no DHCP server IP address is configured in a DHCP server group interface interface type interface number Map an interface to a DHCP server group dhcp server groupNo Required By default a VLAN interface is not mapped to any DHCP server group To improve security and avoid malicious attack to the unused SOCKETs S4200G Ethernet switches provide the...

Page 325: ...ally configure IP to MAC bindings on the DHCP relay agent so that users can access external network using fixed IP addresses The purpose of the address checking function on DHCP relay agent is to prevent unauthorized users from statically configuring IP addresses to access external networks With this function enabled a DHCP relay agent inhibits a user from accessing external networks if the IP add...

Page 326: ...nd the receiving interface The administrator can use this information to check out any DHCP unauthorized servers Follow these steps to enable unauthorized DHCP server detection To do Use the command Remarks Enter system view system view Enable unauthorized DHCP server detection dhcp server detect Required Disabled by default With the unauthorized DHCP server detection enabled the relay agent will ...

Page 327: ...aintaining DHCP Relay Agent Configuration To do Use the command Remarks Display the information about a specified DHCP server group display dhcp server groupNo Display the information about the DHCP server group to which a specified VLAN interface is mapped display dhcp server interface Vlan interface vlan id Display the specified client address entries on the DHCP relay agent display dhcp securit...

Page 328: ...able the DHCP clients to obtain IP addresses from the DHCP server The DHCP server configurations vary with different DHCP server devices so the configurations are omitted z The DHCP relay agent and DHCP server must be reachable to each other Troubleshooting DHCP Relay Agent Configuration Symptom A client fails to obtain configuration information through a DHCP relay agent Analysis This problem may...

Page 329: ...ent Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides Check if the IP address of the DHCP server group is correct z If the address check enable command is configured on the interface connected to the DHCP server verify the DHCP server s IP to MAC address binding entry is configured on the DHCP relay agent otherwise th...

Page 330: ...n Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a BOOTP client When a BOOTP client sends a request to the BOOTP server the BOOTP server will search for the BOOTP parameter file and return it to the client A BOOTP client dynamically obtains an IP ad...

Page 331: ...e the following functions z UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled z UDP 67 and UDP 68 ports are disabled when DHCP is disabled The specific implementation is z Using the ip address dhcp alloc command enables the DHCP client and UDP port 68 z Using the undo ip address dhcp alloc command disables the DHCP client and UDP port 68 Displaying DHCP BOOTP Client Config...

Page 332: ... SwitchA Vlan interface1 ip address dhcp alloc BOOTP Client Configuration Example Network requirement Switch A s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP Network diagram See Figure 3 1 Configuration procedure The following describes only the configuration on Switch A serving as a client Configure VLAN interface 1 to ...

Page 333: ...onfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Examples 1 4 Static Domain Name Resolution Configuration Example 1 4 Dynamic Domain Name Resolution Configuration Example 1 5 Troubleshooting DNS 1 6 ...

Page 334: ...mic Each time the DNS server receives a name query it checks its static DNS database before looking up the dynamic DNS database Reduction of the searching time in the dynamic DNS database would increase efficiency Some frequently used addresses can be put in the static DNS database Currently S4200G series Ethernet switches support both static and dynamic DNS clients Static Domain Name Resolution T...

Page 335: ... are removed from the cache after some time and latest entries are required from the DNS server The DNS server decides how long a mapping is valid and the DNS client gets the information from DNS messages DNS suffixes The DNS client normally holds a list of suffixes which can be defined by users It is used when the name to be resolved is not complete The resolver can supply the missing part automa...

Page 336: ...s Enter the system view system view Enable dynamic domain name resolution dns resolve Required Disabled by default Configure an IP address for the DNS server dns server ip address Required No IP address is configured for the DNS server by default Configure DNS suffixes dns domain domain name Optional No DNS suffix is configured by default You may configure up to six DNS servers and ten DNS suffixe...

Page 337: ...ost name host com and IP address 10 1 1 2 Sysname system view Sysname ip host host com 10 1 1 2 Execute the ping host com command to verify that the device can use static domain name resolution to get the IP address 10 1 1 2 corresponding to host com Sysname ping host com PING host com 10 1 1 2 56 data bytes press CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from...

Page 338: ...reachable z Necessary configurations are done on the devices For the IP addresses of the interfaces see the figure above z There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server z The DNS server works normally Enable dynamic domain name resolution Sysname system view Sysname dns resolve Configure the IP address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 ...

Page 339: ...eshooting DNS Symptom After enabling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to check that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name e...

Page 340: ...g an ACL Globally 1 9 Assigning an ACL to a VLAN 1 9 Assigning an ACL to a Port Group 1 10 Assigning an ACL to a Port 1 10 Displaying ACL Configuration 1 11 Example for Upper layer Software Referencing ACLs 1 12 Example for Controlling Telnet Login Users by Source IP 1 12 Example for Controlling Web Login Users by Source IP 1 12 Example for Applying ACLs to Hardware 1 13 Basic ACL Configuration Ex...

Page 341: ...nd destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as source and destination MAC addresses VLAN priorities type of Layer 2 protocol and so on z User defined ACL An ACL of this type matches packets by comparing the strings retrieved from the packets with specified strings It defin...

Page 342: ...the match priority z If the types of parameter are the same for multiple rules then the sum of parameters weighting values of a rule determines its priority The smaller the sum the higher the match priority Ways to Apply an ACL on a Switch Being applied to the hardware directly In the switch an ACL can be directly applied to hardware for packet filtering and traffic classification In this case the...

Page 343: ...s You can specify a time range for each rule in an ACL A time range based ACL takes effect only in specified time ranges Only after a time range is configured and the system time is within the time range can an ACL rule take effect Two types of time ranges are available z Periodic time range which recurs periodically on the day or days of the week z Absolute time range which takes effect only in a...

Page 344: ...00 to 14 00 on every Wednesday in 2004 z If the start time is not specified the time section starts from 1970 1 1 00 00 and ends on the specified end date If the end date is not specified the time section starts from the specified start date to 2100 12 31 23 59 Configuration Example Define a periodic time range that spans from 8 00 to 18 00 on Monday through Friday Sysname system view Sysname time...

Page 345: ...stem will display an error message and you need to specify a number for the rule z The content of a modified or created rule cannot be identical with the content of any existing rule otherwise the rule modification or creation will fail and the system prompts that the rule already exists z With the auto match order specified the newly created rules will be inserted in the existent ones by depth fi...

Page 346: ...escription by default Assign a description string to the ACL description text Optional No description by default Note that z With the config match order specified for the advanced ACL you can modify any existent rule The unmodified part of the rule remains With the auto match order specified for the ACL you cannot modify any existent rule otherwise the system prompts error information z If you do ...

Page 347: ...source and destination MAC addresses VLAN priorities and Layer 2 protocol types are determined Configuration Procedure Table 1 4 Define a Layer 2 ACL rule Operation Command Description Enter system view system view Create a Layer 2 ACL and enter layer 2 ACL view acl number acl number Required Define an ACL rule rule rule id permit deny rule string Required For information about rule string refer t...

Page 348: ...ally for filtering the inbound packets on all the ports z Assigning ACLs to a VLAN for filtering the inbound packets on all the ports and belonging to a VLAN z Assigning ACLs to a port group for filtering the inbound packets on all the ports in a port group For information about port group refer to Port Basic Configuration z Assigning ACLs to a port for filtering the inbound packets on a port You ...

Page 349: ...inbound packets on all the ports Sysname system view Sysname packet filter inbound ip group 2000 Assigning an ACL to a VLAN Configuration prerequisites Before applying ACL rules to a VLAN you need to define the related ACLs For information about defining an ACL refer to section Configuring Basic ACL section Configuring Advanced ACL section Configuring Layer 2 ACL Configuration procedure Table 1 6 ...

Page 350: ... port group view port group group id Apply an ACL to the port group packet filter inbound acl rule Required For description on the acl rule argument refer to ACL Command After an ACL is assigned to a port group it will be automatically assigned to the ports that are subsequently added to the port group Configuration example Apply ACL 2000 to port group 1 to filter the inbound packets on all the po...

Page 351: ...net 1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound ip group 2000 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table 1 9 Display ACL configuration Operation Command Description Display a configured ACL or all the ACLs display acl all acl number Display a time ran...

Page 352: ...ACL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet login users Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound Example for Controlling Web Login Users by Source IP Network requirements Apply an ACL to permit Web users with the source...

Page 353: ...CL on Ethernet 1 0 1 to deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 everyday Network diagram Figure 1 3 Network diagram for basic ACL configuration Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 2000 to filter packets with the source IP address of 1...

Page 354: ... 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 working day Define ACL 3000 to filter packets destined for wage query server Sysname acl number 3000 Sysname acl adv 3000 rule 1 deny ip destination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Apply ACL 3000 on GigabitEthernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname GigabitEthernet1 0 1 packet filte...

Page 355: ...011 0011 0011 ffff ffff ffff dest 0011 0011 0012 ffff ffff ffff time range test Sysname acl ethernetframe 4000 quit Apply ACL 4000 on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound link group 4000 Example for Applying an ACL to a VLAN Network requirements PC1 PC2 and PC3 belong to VLAN 10 and connect to the switch through GigabitEthe...

Page 356: ...ime range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname acl number 3000 Sysname acl adv 3000 rule 1 deny ip destination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Apply ACL 3000 to VLAN 10 Sysname packet filter vlan 10 inbound ip group 3000 ...

Page 357: ... 1 8 Traffic Policing and Traffic Shaping 1 8 Queue Scheduling 1 10 Flow Based Traffic Accounting 1 12 Burst 1 12 QoS Configuration 1 13 QoS Configuration Task List 1 13 Configuring Priority Trust Mode 1 13 Configuring Priority Mapping 1 14 Setting the Priority of Protocol Packets 1 17 Configuring Traffic Policing 1 18 Configuring Traffic Shaping 1 20 Configuring Queue Scheduling 1 20 Configuring ...

Page 358: ...ources of the network and devices How many resources the packets can obtain completely depends on the time they arrive This service is called best effort It delivers packets to their destinations as possibly as it can without any guarantee for delay jitter packet loss ratio reliability and so on This service policy is only suitable for applications insensitive to bandwidth and delay such as WWW e ...

Page 359: ...e inbound direction of a port You can configure restriction or penalty measures against the exceeding traffic to protect carrier benefits and network resources z Traffic shaping adapts output traffic rate usually to the input capability of the receiving device to avoid packet drop and port congestion Traffic shaping is usually applied in the outbound direction of a port z Congestion management han...

Page 360: ... about specifying priority for protocol packets refer to Protocol Priority z For information about the burst function refer to Burst Congestion management The Switch 4200G series support SP WRR and SDWRR for queuing and support the following three queue scheduling modes z SP z SDWRR z SP SDWRR For information about SP WRR and SDWRR refer to Queue Scheduling Introduction to QoS Features Traffic Cla...

Page 361: ...alue binary Description 0 000 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a Diff Serv network traffic is grouped into the following four classes and packets are processed according to their DSCP values z Expedited Forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is ...

Page 362: ...010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 be default 2 802 1p precedence 802 1p precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 packet analysis is not needed and QoS must be assured at Layer 2 Figure 1 3 An Ethern...

Page 363: ... spare 3 011 excellent effort 4 100 controlled load 5 101 video 6 110 voice 7 111 network management The precedence in the 802 1q tag header is called 802 1p precedence because its use is defined in IEEE 802 1p 3 Local precedence Local precedence is a locally significant precedence that the switch assigns to a packet A local precedence value corresponds to one hardware output queue on the egress p...

Page 364: ...e mapping table for the set of precedence values corresponding to the port priority of the receiving port and assigns the matching precedence value set to the packet z Trusting packet priority After configuring the switch to trust packet priority on a port you can specify the trusted priority type which can be 802 1p precedence or DSCP precedence Table 1 5 describes how your switch handles a packe...

Page 365: ...he locally generated traffic of a particular protocol to implement QoS Traffic Policing and Traffic Shaping If user traffic is not limited burst traffic will make your network more congested To better utilize the network resources and provide better services for more users you must take actions to control user traffic For example you can configure a flow to use only the resources committed to it i...

Page 366: ... average rate of the traffic It is usually set to the committed information rate CIR z Burst size The capacity of the token bucket namely the maximum traffic size that is permitted in each burst It is usually set to the committed burst size CBS The set burst size must be greater than the maximum packet size Evaluation is performed each time a packet arrives If the number of tokens in the bucket is...

Page 367: ...h tokens in the token bucket the cached packets are sent out at an even rate Traffic shaping may introduce an additional delay while traffic policing does not Figure 1 7 Diagram for traffic shaping For example Device A sends packets to Device B Device B performs traffic policing on packets from Device A and drops the packets exceeding the limit To avoid unnecessary packet loss you can perform traf...

Page 368: ...eues strictly in the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest priority and so on By assigning mission critical packets to high priority queues and common service packets to low priority queues you can ensure that the mission critical packets are ...

Page 369: ...mber of packets identical to weight 5 are dequeued from queue 0 If there is a wide difference between the weight values of two queues great delay and jitter will result for the lower weight queue z SDWRR schedules the two queues in turn in such a way that packets identical to one weight are dequeued from queue 0 first and then from queue 1 The procedure is repeated until the scheduling for one que...

Page 370: ...l Configuring Traffic Accounting Optional Enabling the Burst Function Optional Configuring Priority Trust Mode Refer to Priority Trust Mode for details about available priority trust modes Configuration prerequisites z The priority trust mode to be used has been determined z The port where priority trust mode is to be configured has been determined z The port priority value has been determined Con...

Page 371: ...re trusting port priority on GigabitEthernet 1 0 1 and set the priority of GigabitEthernet 1 0 1 to 7 Sysname system view Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 priority 7 Configure trusting 802 1p precedence on GigabitEthernet 1 0 2 Sysname system view Sysname interface GigabitEthernet1 0 2 Sysname GigabitEthernet1 0 2 priority trust cos Configure trusting DSCP values...

Page 372: ...nd Remarks Enter system view system view Configure DSCP precedence to local precedence mapping table qos dscp local precedence map dscp list local precedence Required Configure DSCP precedence to drop precedence mapping table qos dscp drop precedence map dscp list drop precedence Required Configuration examples Configure the CoS precedence to local precedence mapping table for a Switch 4200G as fo...

Page 373: ...Sysname qos dscp local precedence map 40 41 42 43 44 45 46 47 0 Sysname qos dscp local precedence map 48 49 50 51 52 53 54 55 5 Sysname qos dscp local precedence map 56 57 58 59 60 61 62 63 6 Sysname display qos dscp local precedence map dscp local precedence map dscp local precedence queue 0 2 1 2 2 2 3 2 4 2 5 2 6 2 7 2 8 3 9 3 10 3 11 3 12 3 13 3 14 3 15 3 16 4 17 4 18 4 19 4 20 4 21 4 22 4 23 ...

Page 374: ...type IP or DSCP and priority value have been determined Configuration procedure Follow these steps to set the priority of the specific protocol packets To do Use the command Remarks Enter system view system view Set the priority of the specific type of protocol packets protocol priority protocol type protocol type ip precedence ip precedence dscp dscp value Required You can modify the IP precedenc...

Page 375: ...es You can configure traffic policing for the incoming packets matching the specific ACL rules globally in a VLAN in a port group or on a port 1 Configuring traffic policing globally Follow these steps to configure traffic policing for the incoming packets matching the specific ACL rules globally To do Use the command Remarks Enter system view system view Configure traffic policing traffic limit i...

Page 376: ... for traffic policing in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets The device will execute traffic policing preferentially which may affect device management implemented through Telnet and so on Configuration example Configure traffic policing for the packets from network segment 10 1 1 0 24 setting the rate limit to 128 kbps 1 Metho...

Page 377: ...an be configured in one of the following two modes z Without queue queue id specified traffic shaping applies to all traffic z With queue queue id specified traffic shaping applies to traffic in the specified queue Configuration example Configure traffic shaping for all the traffic to be transmitted through GigabitEthernet 1 0 1 with the maximum traffic rate being 640 kbps and the burst size being...

Page 378: ...s in group 1 are scheduled using WRR only when all the queues in group 2 are empty z With both SP queuing and SDWRR queuing adopted groups are scheduled using the SP algorithm Assume that queue 0 and queue 1 are scheduled using SP queuing queues 2 through 4 are assigned to group 1 queues 5 through 7 are assigned to group 2 The queues in group 2 are scheduled preferentially using WRR When all the q...

Page 379: ...hing packets globally To do Use the command Remarks Enter system view system view Collect statistics of the packets matching a specific ACL rule traffic statistic inbound acl rule Required Clear statistics of the packets matching a specific ACL rule reset traffic statistic inbound acl rule Optional 2 Configuring traffic accounting for a VLAN Follow these steps to collect clear statistics about the...

Page 380: ...g packets reset traffic statistic inbound acl rule Optional User defined traffic classification rules configured for traffic accounting in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets The device will collect traffic statistics preferentially which may affect device management implemented through Telnet and so on Configuration examples C...

Page 381: ...iguration example Enable the burst function on a Switch 4200G Sysname system view Sysname burst mode enable Displaying and Maintaining QoS To do Use the command Remarks Display protocol packet priority configuration display protocol priority Available in any view Display the CoS precedence to Drop prec edence mapping display qos cos drop precedence map Available in any view Display the CoS precede...

Page 382: ...ic policing or traffic accounting display qos global all traffic limit traffic statistic Available in any view Display VLAN level QoS configuration of traffic policing or traffic accounting display qos vlan vlan id all traffic limit traffic statistic Available in any view Display port group level QoS configuration of traffic policing or traffic accounting display qos port group group id all traffi...

Page 383: ...cl basic 2000 quit Create ACL 2001 and enter basic ACL view to match packets sourced from network segment 192 168 2 0 24 Sysname acl number 2001 Sysname acl basic 2001 rule permit source 192 168 2 0 0 0 0 255 Sysname acl basic 2001 quit 2 Configure traffic policing Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps Sysname traffic limit vlan 2 inbound ip g...

Page 384: ... 1 1 Remote Port Mirroring 1 2 Mirroring Configuration 1 3 1 1 2 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 5 Displaying Port Mirroring 1 8 Mirroring Configuration Examples 1 8 Local Port Mirroring Configuration Example 1 8 Remote Port Mirroring Configuration Example 1 9 ...

Page 385: ...mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port as shown in the following figure Figure 1 1 Mirroring The Switch 4200G series support five two types of port mirroring z Local Port Mirroring z Remote Port Mirroring They are described in the following sections 1 1 1 Local Port Mirroring In local port mirr...

Page 386: ... device where the monitored port is located It copies traffic passing through the monitored port to the reflector port The reflector port then transmits the traffic to an intermediate switch if any or destination switch through the remote probe VLAN z Intermediate switch Intermediate switches are switches between the source switch and destination switch on the network An intermediate switch forwar...

Page 387: ...on switch side Trunk port Receives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the packets to the data detection device z Do not configure a default VLAN a management VLAN or a dynamic VLAN as the remote probe VLAN z Configure all ports connecting the devices in the remote probe VLAN as trunk ports and ensure the Layer 2 ...

Page 388: ...e a port mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface number mirroring group group id mirroring port both inbound outbound Configure the source port for the port mirroring group In port view quit Use either approach You can configure multiple source ports a...

Page 389: ...Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN z The direction of the packets to be monitored is determined 2 Configuration procedure Table 1 3 Follow these steps to perform configurations on the source switch To do Use the command Remarks Enter system view system view Create a VLAN and enter the VLAN view vlan vlan id vlan id is the ID of th...

Page 390: ...th the functions like VLAN VPN port loopback detection port security and so on z You cannot modify the duplex mode port rate and MDI attribute of a reflector port z Only an existing static VLAN can be configured as the remote probe VLAN To remove a remote probe VLAN you need to restore it to a normal VLAN first A remote port mirroring group gets invalid if the corresponding remote port mirroring V...

Page 391: ...the remote probe VLAN 2 Configuration procedure Table 1 5 Follow these steps to configure remote port mirroring on the destination switch To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as a remote probe VLAN remote probe vlan enable Required Return to system view quit E...

Page 392: ...o do Use the command Remarks Display the information of a mirroring group display mirroring group group id all local remote destination remote source Available in any view Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements The departments of a company connect to each other through Switch 4200G series z Research and Development R D department is connect...

Page 393: ...Ethernet 1 0 3 Display configuration information about local mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both monitor port GigabitEthernet1 0 3 After the configurations you can monitor all packets received on and sent from the R D department and the marketing department on the data dete...

Page 394: ...mote source mirroring group configure VLAN 10 as the remote probe VLAN ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as the source ports and port GigabitEthernet 1 0 4 as the reflector port z On Switch B configure VLAN 10 as the remote probe VLAN z Configure GigabitEthernet 1 0 3 of Switch A GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch B and GigabitEthernet 1 0 1 of Switch C a...

Page 395: ... 1 mirroring group 1 type remote source status active mirroring port GigabitEthernet1 0 1 inbound GigabitEthernet1 0 2 inbound reflector port GigabitEthernet1 0 4 remote probe vlan 10 2 Configure the intermediate switch Switch B Configure VLAN 10 as the remote probe VLAN Sysname system view Sysname vlan 10 Sysname vlan10 remote probe vlan enable Sysname vlan10 quit Configure GigabitEthernet 1 0 1 ...

Page 396: ...onfigure GigabitEthernet 1 0 1 as the trunk port allowing packets of VLAN 10 to pass Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 10 Sysname GigabitEthernet1 0 1 quit Display configuration information about remote destination mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type re...

Page 397: ... Example 1 4 2 Cluster 2 1 Cluster Overview 2 1 Introduction to HGMP 2 1 Roles in a Cluster 2 2 How a Cluster Works 2 3 Cluster Configuration Tasks 2 8 Configuring the Management Device 2 9 Configuring Member Devices 2 13 Managing a Cluster through the Management Device 2 15 Configuring the Enhanced Cluster Features 2 16 Configuring the Cluster Synchronization Function 2 18 Displaying and Maintain...

Page 398: ...the main switch of the stack You can perform the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Before creating a stack you need to configure an IP address pool for the stack on the main switch When adding a switch to a stack the main switch picks an IP address from the IP address pool and assigns the IP ad...

Page 399: ...1 1 Configure the IP address pool and create the stack Operation Command Description Enter system view system view Configure an IP address pool for a stack stacking ip pool from ip address ip address number ip mask Required from ip address Start address of the IP address pool ip address number Number of the IP addresses in the IP addresses pool A pool contains 16 addresses by default ip mask Mask ...

Page 400: ...ool as its IP address z Since both stack and cluster use the management VLAN and only one VLAN interface is available on the Switch 4200G switch stack and cluster must share the same management VLAN if you want to configure stack within a cluster Switching to Slave Switch View After creating a stack you can switch to slave switch view from the main switch to configure slave switches Table 1 2 Swit...

Page 401: ...is command displays the member information of the stack including stack number device name MAC addresses and status of the main switch slave switches Display the stack status information on a slave switch display stacking Optional The display command can be executed in any view The displayed information indicates that the local switch is a slave switch The information such as stack number of the l...

Page 402: ..._0 Sysname Display the information about the stack on switch A stack_0 Sysname display stacking Main device for stack Total members 3 Management vlan 1 default vlan Display the information about the stack members on switch A stack_0 Sysname display stacking members Member number 0 Name stack_0 Sysname Device 4200G 12 Port MAC Address 000f e20f c43a Member status Admin IP 129 10 1 15 16 Member numb...

Page 403: ...ack_1 Sysname Display the information about the stack on switch B stack_1 Sysname display stacking Slave device for stack Member number 1 Management vlan 1 default vlan Main device mac address 000f e20f c43a Switch back to Switch A stack_1 Sysname quit stack_0 Sysname Switch to Switch C a slave switch stack_0 Sysname stacking 2 stack_2 Sysname Switch back to Switch A stack_2 Sysname quit stack_0 S...

Page 404: ...ce and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remote devices in batches reducing the workload of the network configuration Normally there is no need to configure external IP addresses for member devices Figure 2 1 illustrates a cluster implementatio...

Page 405: ...iguration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that is it forwards the commands intended for specific member devices z Discovers neighbors collects the information about network topology manages and maintains the cluster Management device also supports...

Page 406: ... do not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect network topology information periodically How a Cluster Works HGMPv2 consists of the following three protocols z Neighbor discovery protocol NDP z Neighbor topology discovery protocol NTDP z Cluster A c...

Page 407: ...s within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the management device advertises NTDP topology collection requests to collect the NDP information of each device in a specific network range as well as the connection information of all its neighbors Th...

Page 408: ...ice Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from outside the network intended for the member devices of the cluster such as accessing configuring managing and monitoring can only be implemented through the management device z The management device of...

Page 409: ...packets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times of the interval to send handshake packets it changes the state of the member device from Active to Connect Likewise if a member device fails to receive a handshake packet from the management device ...

Page 410: ...nnecting to the management device the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function z Packets of the management VLAN can be exchanged between the management device and a member device candidate device without carrying VLAN tags only when the default VLA...

Page 411: ...ed on the MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a response to the switch sending the tracemac command indicating the success of the tracemac command If no switch with the specified destination MAC address or IP address is found the multicast packet will...

Page 412: ...t opened socket and enhance switch security the Switch 4200G series Ethernet switches provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000 used for cluster only when the cluster function is implemented z Closing UDP port 40000 at the same time when the cluster function is closed On the management device the preceding functions are imple...

Page 413: ...the interval to send NDP packets ndp timer hello seconds Optional By default the interval to send NDP packets is 60 seconds Enabling NTDP globally and on a specific port Table 2 6 Enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable Required Enabled by default Enter Ethernet port view interface interface type inter...

Page 414: ...nction Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function is enabled Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establishing a cluster and configuring cluster parameters in ma...

Page 415: ...sh a cluster in automatic mode Table 2 10 Establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the IP address range for the cluster ip pool administrator ip address ip mask ip mask length Required Start automatic cluster establishment auto build recover Required Follow prompts to establish a cluster z After a cluster...

Page 416: ...t VLAN synchronization function on the management device you can enable the management device to send a management VLAN synchronization packet periodically to the connected devices After the devices receive the management VLAN synchronization packet they set their own management VLANs according to the packet In this way all devices set the same management VLAN automatically and thus simplify your ...

Page 417: ...or address command on a device the device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is closed at the same time z When you execute the undo build command on the management device to remove a cluster UDP port 40000 of all the member devices in the cluste...

Page 418: ...he shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server of the cluster tftp cluster get source file destination file Optional Upload a file to the shared TFTP server of the cluster tftp cluster put source file destination file Optional Managing a Cluster through the Management Device You can manage the member devices through the management device for ex...

Page 419: ...he standard topology and back up the standard topology on the Flash memory of the administrative device When errors occur to the cluster topology you can replace the current topology with the standard cluster topology and restore the administrative device using the backup topology on the Flash memory so that the devices in the cluster can resume normal operation With the display cluster current to...

Page 420: ... Command Description Enter system view system view Enter cluster view cluster Check the current topology and save it as the standard topology topology accept all save to ftp server local flash mac address mac address member id member id administrator Required Save the standard topology to the Flash memory of the administrative device topology save to local flash Required Restore the standard topol...

Page 421: ...tion about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Configuring the Cluster Synchronization Function After a cluster is established to simplify the access and management to the cluster you can synchronize the SNMP configurations on the management device and the local user configurations to the member devices of the cluster by...

Page 422: ...me groupname authentication mode md5 sha authpassstring privacy mode des56 privpassstring Required Not configured by default Create or update the public MIB view information for the cluster cluster snmp agent mib view included view name oid tree Required Not configured by default z Perform the above operations on the management device of the cluster z Configuring the public SNMP information is equ...

Page 423: ...Member 1 succeeded in the group configuration Finish to synchronize the command Create a MIB view mib_a which includes all objects of the subtree org test_0 Sysname cluster cluster snmp agent mib view included mib_a org Member 2 succeeded in the mib view configuration Member 1 succeeded in the mib view configuration Finish to synchronize the command Add a user user_a to the SNMPv3 group group_a te...

Page 424: ...th this function you can create a public local user for the cluster on the management device and the username and password will be synchronized to the member devices of the cluster which is equal to creating this local user on all member devices The configured local user is a Telnet user and you can use the public username and password to manage all member devices through Web 1 Configuration prere...

Page 425: ...ration Table 2 21 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime and all neighbors discovered display ndp Display NDP configuration and running information on specified ports including the neighbors discovered by NDP on the ports display ndp interface port list Di...

Page 426: ...bitEthernet 1 0 1 z GigabitEthernet 1 0 1 belongs to VLAN 2 whose interface IP address is 163 172 55 1 z All the devices in the cluster share the same FTP server and TFTP server z The FTP server and TFTP server use the same IP address 63 172 55 1 z The NMS and logging host use the same IP address 69 172 55 4 Network diagram Figure 2 4 Network diagram for HGMP cluster configuration Configuration pr...

Page 427: ...tEthernet 1 0 2 and GigabitEthernet 1 0 3 Sysname ntdp enable Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 ntdp enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet 1 0 3 Sysname GigabitEthernet1 0 3 ntdp enable Sysname GigabitEthernet1 0 3 quit Set the topology collection range to 2 hops Sysname ntdp hop 2 Set the member device forward delay for topol...

Page 428: ...uster perform the following operations on a member device Connect the member device to the remote shared FTP server of the cluster aaa_1 Sysname ftp cluster Download the file named aaa txt from the shared TFTP server of the cluster to the member device aaa_1 Sysname tftp cluster get aaa txt Upload the file named bbb txt from the member device to the shared TFTP server of the cluster aaa_1 Sysname ...

Page 429: ...topology as the base topology and save it in the flash of the local management device in the cluster Network diagram Figure 2 5 Network diagram for the enhanced cluster feature configuration Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Ba...

Page 430: ...ctions 1 5 Configuring Basic Trap Functions 1 5 Configuring Extended Trap Function 1 5 Enabling Logging for Network Management 1 6 Displaying SNMP 1 6 SNMP Configuration Example 1 7 SNMP Configuration Example 1 7 2 RMON Configuration 2 1 Introduction to RMON 2 1 Working Mechanism of RMON 2 1 Commonly Used RMON Groups 2 2 RMON Configuration 2 3 Displaying RMON 2 4 RMON Configuration Example 2 4 ...

Page 431: ...lient program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and so on z Agent is server side software running on network devices such as switches An NMS can send GetRequest GetNextRequest and SetRequest messages to the agents Upon receiving the requests from the NMS an agent performs Read or Write operation on the managed object MIB Managemen...

Page 432: ... B A MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object identifier OID of the managed object Configuring Basic SNMP Functions SNMPv3 configuration is quite different from that of ...

Page 433: ...quired z You can set an SNMPv1 SNMPv2c community name through direct configuration z Indirect configuration is compatible with SNMPv3 The added user is equal to the community name for SNMPv1 and SNMPv2c z You can choose either of them as needed Set the maximum size of an SNMP packet for SNMP agent to receive or send snmp agent packet max size byte count Optional 1 500 bytes by default Set the devi...

Page 434: ...r name group name cipher authentication mode md5 sha auth password privacy mode des56 aes128 priv password acl acl number Required Set the maximum size of an SNMP packet for SNMP agent to receive or send snmp agent packet max size byte count Optional 1 500 bytes by default Set the device engine ID snmp agent local engineid engineid Optional By default the device engine ID is enterprise number devi...

Page 435: ...wn Enable the port to send traps Quit to system view quit Optional By default a port is enabled to send all types of traps Set the destination for traps snmp agent target host trap address udp domain ip address udp port port number params securityname security string v1 v2c v3 authentication privacy Required Set the source address for traps snmp agent trap source interface type interface number Op...

Page 436: ...t the output destinations of SNMP logs will be decided z The severity level of SNMP logs is informational that is the logs are taken as general prompt information of the device To view SNMP logs you need to enable the information center to output system information with informational level z For detailed description on system information and information center refer to the Information Center Confi...

Page 437: ...he switch to sent traps Thus the NMS is able to access Switch A and receive the traps sent by Switch A Network diagram Figure 1 2 Network diagram for SNMP configuration 10 10 10 2 16 NMS 10 10 10 1 16 Switch A Network procedure Enable SNMP agent and set the SNMPv1 and SNMPv2c community names Sysname system view Sysname snmp agent Sysname snmp agent sys info version all Sysname snmp agent community...

Page 438: ... the SNMP agent to send traps to the NMS whose IP address is 10 10 10 1 The SNMP community name to be used is public Sysname snmp agent trap enable standard authentication Sysname snmp agent trap enable standard coldstart Sysname snmp agent trap enable standard linkup Sysname snmp agent trap enable standard linkdown Sysname snmp agent target host trap address udp domain 10 10 10 1 udp port 5000 pa...

Page 439: ...isfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facilitating the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system operates in this way the NMS directly obtain...

Page 440: ...ined alarm variables periodically z Comparing the samples with the threshold and triggering the corresponding events if the former exceed the latter Extended alarm group With extended alarm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm functions With an extended alarm entry defined in...

Page 441: ... event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an alarm entry rmon alarm entry number alarm variable sampling time delta absolute rising_threshold threshold value1 event entry1 falling_threshold threshold value2 event entry2 owner text Optional Before adding an alarm entry you need to use the rmon event command to define the ev...

Page 442: ...play rmon prialarm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry Available in any view RMON Configuration Example Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before performing RMON configuration z Create an en...

Page 443: ...e change ratio between samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 Display the RMON extended alarm entry numbered 2 Sysname display rm...

Page 444: ...sion of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filter 2 7 Configuring the Maximum Number of Multicast Groups on a Port 2 8 Configuring IGMP Querier 2 9 Suppressing Flooding of Unknown Multicast Traffic in a VLAN 2 10 Configuring Static Member Port for a Multicast Group 2 10 Configuring a Static Router Port 2 11 Configuring a Por...

Page 445: ...ii ...

Page 446: ...mation Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 1 10 Figure 1 1 Information transmission in the unicast mode Assume that Hosts B D and E need this information The source server establishes transmission channels for the d...

Page 447: ...ization ratio of the network resources is very low and the bandwidth resources are greatly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occupies large bandwidth Information Transmission in the Multicast Mode As described in the previous sections unicast is suitable for networks with sparsely distributed users whereas broadcast is suitable ...

Page 448: ...not add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no waste of network resources and makes proper use of bandwidth Roles in Multicast The following roles are involved in multicast transmission z An information sender is referred to as a multicast source...

Page 449: ...pplications of Multicast Advantages of multicast Advantages of multicast include z Enhanced efficiency Multicast decreases network traffic and reduces server load and CPU load z Optimal performance Multicast reduces redundant traffic z Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of po...

Page 450: ...the SSM model uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers You shoul...

Page 451: ...ss All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the receivers All the members in this group can receive the data packets This group is a multicast group A multicast group has the following characteristics z The membership of a group is dynamic A host can join and leave a multicast group at any time z A multicast group ...

Page 452: ...ared tree routers 224 0 0 8 Shared tree hosts 224 0 0 9 RIP 2 routers 224 0 0 11 Mobile agents 224 0 0 12 DHCP server relay agent 224 0 0 13 All protocol independent multicast PIM routers 224 0 0 14 Resource reservation protocol RSVP encapsulation 224 0 0 15 All core based tree CBT routers 224 0 0 16 The specified subnetwork bandwidth management SBM 224 0 0 17 All SBMS 224 0 0 18 Virtual router re...

Page 453: ...st address are 1110 representing the multicast ID Only 23 bits of the remaining 28 bits are mapped to a MAC address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address 1 1 1 Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as L...

Page 454: ... routes z An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often r...

Page 455: ...twork multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incom...

Page 456: ...ually arrived is the RPF interface the RPF check is successful and the router forwards the packet to all the outgoing interfaces z If the interface on which the packet actually arrived is not the RPF interface the RPF check fails and the router discards the packet RPF Check The basis for an RPF check is a unicast route A unicast routing table contains the shortest path to each destination subnet A...

Page 457: ... that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives to VLAN interface 2 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C The router performs an RPF check and finds in its unicast routing table that the outgoing interfa...

Page 458: ...Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 2 1 Before and after IGMP Snooping is enabled on Layer 2 device Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiver Multicast packets Layer 2 switch Multica...

Page 459: ...hernet 1 0 2 of Switch B are member ports The switch records all member ports on the local device in the IGMP Snooping forwarding table Port aging timers in IGMP Snooping and related messages and actions Table 2 1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the switch se...

Page 460: ...arding table the switch resets the member port aging timer of the port z If the port is not in the forwarding table the switch installs an entry for this port in the forwarding table and starts the member port aging timer of this port A switch will not forward an IGMP report through a non router port for the following reason Due to the IGMP report suppression mechanism if member hosts of that mult...

Page 461: ...y this means that no members of that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires After an Ethernet switch enables IGMP Snooping when it receives the IGMP leave message sent by a host in a multicast group it judges whether the multicast group exists automatically If the multicast ...

Page 462: ...solve this problem by configuring VLAN tags for queries For details see 0 Configuring a VLAN Tag for Query Messages Configuring the Version of IGMP Snooping With the development of multicast technologies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive or reject the information from a specific multic...

Page 463: ...nfigure the query response timer igmp snooping max response time seconds Optional By default the query response timeout time is 10 seconds Configure the aging timer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast member ports is 260 seconds Configuring Fast Leave Processing With fast leave processing enabled when the switch receive...

Page 464: ... enabled on a port to which more than one host is connected when one host leaves a multicast group the other hosts connected to port and interested in the same multicast group will fail to receive multicast data for that group Configuring a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicas...

Page 465: ...together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function z The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The con...

Page 466: ...g IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multicast switch does not support IGMP and therefore cannot send general queries by default By enabling IGMP Snooping on a Layer 2 switch in a VLAN...

Page 467: ... nonflooding entry and relays the packet to router ports only instead of flooding the packet within the VLAN If the switch has no router ports it drops the multicast packet Table 2 12 Suppress flooding of unknown multicast traffic in the VLAN Operation Command Remarks Enter system view system view Enable unknown multicast flooding suppression igmp snooping nonflooding enable Required By default un...

Page 468: ...tic Router Port In a network where the topology is unlikely to change you can configure a port on the switch as a static router port so that the switch has a static connection to a multicast router and receives IGMP messages from that router In Ethernet port view Table 2 15 Configure a static router port in Ethernet port view Operation Command Remarks Enter system view system view Enter Ethernet p...

Page 469: ...lated host responds with an IGMP report Meanwhile the switch sends the same IGMP report to itself to ensure that the IGMP entry does not age out z When the simulated joining function is disabled on an Ethernet port the simulated host sends an IGMP leave message Therefore to ensure that IGMP entries will not age out the port must receive IGMP general queries periodically Table 2 17 Configure a port...

Page 470: ...t Configuring Multicast VLAN In traditional multicast implementations when users in different VLANs listen to the same multicast group the multicast data is copied on the multicast router for each VLAN that contains receivers This is a big waste of network bandwidth In an IGMP Snooping environment by configuring a multicast VLAN and adding ports to the multicast VLAN you can allow users in differe...

Page 471: ...ble Enter VLAN view vlan vlan id Enable IGMP Snooping igmp snooping enable Required Enable multicast VLAN service type multicast Required Return to system view quit Enter Ethernet port view for the Layer 3 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk hybrid Required port hybrid vlan vlan list tagged untagged Specify the VLANs to be...

Page 472: ...e the reset command in user view to clear the statistics information about IGMP Snooping Table 2 21 Display and maintain IGMP Snooping Operation Command Remarks Display the current IGMP Snooping configuration display igmp snooping configuration Display IGMP Snooping message statistics display igmp snooping statistics Display the information about IP and MAC multicast groups in one or all VLANs dis...

Page 473: ...e and enable IGMP on GigabitEthernet1 0 1 RouterA system view RouterA multicast routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit 3 Configure Switch A Enable IGMP Snooping globally SwitchA system view SwitchA i...

Page 474: ...r ports GigabitEthernet1 0 3 and GigabitEthernet1 0 4 This means that Host A and Host B have joined the multicast group 224 1 1 1 Configuring Multicast VLAN Network requirements As shown in Figure 2 4 Workstation is a multicast source Switch A forwards multicast data from the multicast source A Layer 2 switch Switch B forwards the multicast data to the end users Host A and Host B Table 2 22 descri...

Page 475: ...e you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports The following text describes the configuration details You can also configure these ports as trunk ports The configuration procedure is omitted here For details see Configuring Multicast VLAN Configure a multicast VLAN so that users in VLAN 2 and VLAN 3 can receive multicast streams through the multi...

Page 476: ...p snooping enable SwitchB vlan10 quit Define GigabitEthernet 1 0 10 as a hybrid port add the port to VLAN 2 VLAN 3 and VLAN 10 and configure the port to forward tagged packets for VLAN 2 VLAN 3 and VLAN 10 SwitchB interface GigabitEthernet 1 0 10 SwitchB GigabitEthernet1 0 10 port link type hybrid SwitchB GigabitEthernet1 0 10 port hybrid vlan 2 3 10 tagged SwitchB GigabitEthernet1 0 10 quit Defin...

Page 477: ...n the specific VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corresponding VLAN use the igmp snooping enable command in VLAN view only to enable it on the corresponding VLAN 2 Multicast forwarding table set up by IGMP Snooping is wrong z U...

Page 478: ...port belongs You can configure a static multicast MAC address entry to avoid this Table 3 1 Configure a multicast MAC address entry in system view Operation Command Remarks Enter system view system view Create a multicast MAC address entry mac address multicast mac address interface interface list vlan vlan id Required The mac address argument must be a multicast MAC address Table 3 2 Configure a ...

Page 479: ...itch is not registered on the local switch the packet will be flooded in the VLAN When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address is not registered Thus the bandwidth is saved and the processing efficiency of the system is improved Table 3 3 Configure dropping unknown multicast packet Operation Command Remarks En...

Page 480: ...0 Configuration Procedure 1 10 Configuring NTP Authentication 1 11 1 1 1 Configuration Prerequisites 1 11 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 13 Configuring an Interface on the Local Switch to Send NTP Messages 1 14 Configuring the Number of Dynamic Sessions Allowed on the Local Switch 1 14 Disabling an Interface from Receiving NTP Messages 1 15 Displaying NTP Config...

Page 481: ...chronize or be synchronized by other systems by exchanging NTP messages Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensure accuracy it is unfeasible for an administrator to perform the operation However an administrator can synchronize the clocks of devices in a network with required accuracy by performing NTP configu...

Page 482: ...eference clock source to synchronize the clock of other devices only after it is synchronized Implementation Principle of NTP Figure 1 1 shows the implementation principle of NTP Ethernet switch A Device A is connected to Ethernet switch B Device B through Ethernet ports Both having their own system clocks they need to synchronize the clocks of each other through NTP To help you to understand the ...

Page 483: ...message arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Device A has enough information to calculate the following two parameters z Delay for an NTP message to...

Page 484: ...e Passive peer Clock synchronization request packet Synchronize Network Active peer Works in passive peer mode automatically In peer mode both sides can be synchronized to each other Response packet In the symmetric peer mode the local S4200G Ethernet switch serves as the symmetric active peer and sends clock synchronization request first while the remote server serves as the symmetric passive pee...

Page 485: ...time server while the local switch serves as the client Symmetric peer mode Configure the local S4200G switch to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric passive peer of the S4200G switch and the local switch serves as the symmetric active peer Broadcast mode z Configure the local S4200G Ethernet switch to work in NTP broadcast server mode In this mode...

Page 486: ...ly after the local clock of the 3Com S4200G Ethernet switch has been synchronized z When symmetric peer mode is configured on two Ethernet switches to synchronize the clock of the two switches make sure at least one switch s clock has been synchronized NTP Configuration Task List Complete the following tasks to configure NTP Task Remarks Configuring NTP Implementation Modes Required Configuring Ac...

Page 487: ...y default the switch is not configured to work in the NTP client mode z The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client The clock of the NTP client will be synchronized by but will not synchronize that of the NTP server z remote ip cannot be a broadcast address a multicast address or the IP address of the local clock z ...

Page 488: ... you specify an interface for sending NTP messages through the source interface keyword the source IP address of the NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmet...

Page 489: ...n the multicast mode you need to configure both the server and clients The multicast server periodically sends NTP multicast messages to multicast clients The switches working in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization z A multicast server can synchronize multicast clients only after its clock has been synchronized z An S4200G series ...

Page 490: ...he peer device to synchronize its clock to the local switch but does not permit the peer device to perform control query z server Server right This level of right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch to synchronize its clock to the peer device z peer Peer access This level of right permits the peer device to p...

Page 491: ... mode Client in the server client mode Client in the broadcast mode Client in the multicast mode Client Symmetric active peer in the symmetric peer mode Server in the server client mode Server in the broadcast mode Server in the multicast mode Server Symmetric passive peer in the symmetric peer mode 1 1 1 Configuration Prerequisites NTP authentication configuration involves z Configuring NTP authe...

Page 492: ...uthentication model md5 value Required By default no NTP authentication key is configured Configure the specified key as a trusted key ntp service reliable authentication keyid key id Required By default no trusted key is configured Configure on the client in the server client mode ntp service unicast server remote ip server name authentication keyid key id Associat e the specified key with the co...

Page 493: ...server mode and NTP multicast server mode you need to associate the specified key with the corresponding broadcast multicast client z You can associate an NTP broadcast multicast client with an authentication key while configuring NTP mode You can also use this command to associate them after configuring the NTP mode z The procedure for configuring NTP authentication on the server is the same as t...

Page 494: ...ually created by using an NTP command while a dynamic association is a temporary association created by the system during operation A dynamic association will be removed if the system fails to receive messages from it over a specific long time In the server client mode for example when you carry out a command to synchronize the time to a server the system will create a static association and the s...

Page 495: ...y the brief information about NTP servers along the path from the local device to the reference clock source display ntp service trace Available in any view Configuration Examples Configuring NTP Server Client Mode Network requirements z The local clock of Device A a switch is to be used as a master clock with the stratum level of 2 z Device A is used as the NTP server of Device B an S4200G Ethern...

Page 496: ... 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The above output information indicates that Device B is synchronized to Device A and the stratum level of its clock is 3 one level lower than that of Device A View the information about NTP sessions of Device B You can see that Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset...

Page 497: ...ctive mode while Device C works in symmetric passive mode Because the stratum level of the local clock of Device B is 1 and that of Device C is 3 the clock of Device C is synchronized to that of Device B View the status of Device C after the clock synchronization DeviceC display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 32 Nominal frequency 60 0002 Hz Ac...

Page 498: ...mode and send NTP broadcast messages through VLAN interface 2 z Device A and Device D are two S4200G Ethernet switches Configure Device A and Device D to work in the NTP broadcast client mode and listen to broadcast messages through their own VLAN interface 2 Network diagram Figure 1 8 Network diagram for the NTP broadcast mode configuration Vlan int2 1 0 1 31 24 Vlan int2 3 0 1 31 24 Vlan int2 3 ...

Page 499: ...persion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that Device D is synchronized to Device C with the clock stratum level of 3 one level lower than that of Device C View the information about the NTP sessions of Device D and you can see that a connection is established between Device D and Device C DeviceD display ntp service sessions sour...

Page 500: ...rough VLAN interface 2 DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own VLAN interface 2 and Device C advertises multicast messages through VLAN interface 2 Because Device A and Device C do not share the same network segment Device A cannot receive...

Page 501: ... clock stratum level of 2 z Device B is an S4200G Ethernet switch and uses Device A as the NTP server Device B is set to work in client mode while Device A works in server mode automatically z The NTP authentication function is enabled on Device A and Device B Network diagram Figure 1 10 Network diagram for NTP server client mode with authentication configuration Configuration procedure 1 Configur...

Page 502: ...o that of Device A View the status of Device B after synchronization DeviceB display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequence 60 0002 Hz Actual frequence 60 0002 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA...

Page 503: ...ic Key to a File 1 13 Configuring the SSH Client 1 14 SSH Client Configuration Task List 1 14 Configuring an SSH Client that Runs SSH Client Software 1 14 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 20 Displaying and Maintaining SSH Configuration 1 23 Comparison of SSH Commands with the Same Functions 1 24 SSH Configuration Examples 1 25 When Switch Acts as Server for Local Passw...

Page 504: ...s SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server model The switch can be configured as an SSH client an SSH server or both at the same time As an SSH server the switch provides secure connections to multiple clients As an SSH client the switch allo...

Page 505: ...gnature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encryption and signature whereas DSA is used for adding signature Currently the switch supports RSA and DSA Symmetric key algorithms are used for encryption and decryption of the data transferred on the SS...

Page 506: ... use The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client z If the negotiation is successful the server and the client go on to the key and algorithm negotiation If not the server breaks the TCP connection All the packets above are transferred in plain text Key negotiation z The server and the client send algorithm negotia...

Page 507: ...f the public key is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the authentication Session request After passing authentication the client sends a session request to the server while the server listens to and processes the request from the client If the client passes...

Page 508: ...SH Server Configuring an SSH Client that Runs SSH Client Software An 3Com switch Another 3Com switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2 Capable Switch An SSH server forms a secure connection with each SSH client The following describe steps for configuring an SSH client and an SSH server to form an SSH connection in between If multiple SSH servers need to form ...

Page 509: ...H User z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Data exchange Exporting the Host Public Key to a File Optional If a client does not support first time authentication you need to export the server s public key and configure the key on the client The SSH server needs to cooperate with an SSH client to complete the interactions betw...

Page 510: ...nagement functions to prevent illegal operations such as malicious password guess guaranteeing the security of SSH connections You can specify the IP address or the interface corresponding to the IP address for the SSH server to provide SSH access services for clients In this way the SSH client accesses the SSH server only using the specified IP address This increases the service manageability whe...

Page 511: ...sh server compatible ssh1x enable Optional By default the SSH server is compatible with SSH1 clients Configuring Key Pairs The SSH server s key pairs are for generating session keys and for SSH clients to authenticate the server The SSH client s key pairs are for the SSH server to authenticate the SSH clients in publickey authentication mode Both RSA and DSA key pairs are supported As different cl...

Page 512: ...ey pairs To do Use the command Remarks Enter system view system view Destroy the RSA key pairs public key local destroy rsa Destroy key pair s Destroy the DSA key pair public key local destroy dsa Optional Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an authentication type Specifying an authentication type for a new user is a must to get...

Page 513: ...ltiple SSH clients want to access one SSH server in the network z Password publickey authentication An SSH user must pass both types of authentication before logging in In this mode you do not need to create a key pair on each client You can configure the clients to use the same key pair that is created on one client for publickey authentication With the AAA function in password authentication the...

Page 514: ... will enjoy this level z Under the password or password publickey authentication mode the level of commands available to a logged in SSH user is determined by the AAA scheme Meanwhile for different users the available levels of commands are also different z Under the all authentication mode the level of commands available to a logged in SSH user is determined by the actual authentication method us...

Page 515: ...re the public key of a client manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begin Configure a public key for the client Enter the content of the public key When you input the key spaces are allowed between the characters you input because the system can remove the spaces automat...

Page 516: ... the Public Key of a Client on the Server or Configuring whether first time authentication is supported an SSH client s or an SSH server s host public key can be imported from a public key file This task allows you to export the host public key to a file on the client or server device with key pairs generated Follow these steps to export the RSA host public key To do Use the command Remarks Enter ...

Page 517: ... client configuration task Scenario For a client running SSH client software For a client assumed by an SSH2 capable switch The authentication mode is password Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 Capable Switch The authentication mode is publickey Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assum...

Page 518: ...e connection protocols such as Telnet Rlogin and SSH To establish an SSH connection you must select SSH z Selecting the SSH version Since the device supports SSH2 0 now select 2 0 or lower for the client z Specifying the private key file On the server if public key authentication is enabled for an SSH user and a public key is set for the user the private key file corresponding to the public key mu...

Page 519: ...ating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 4 Generate the client keys 2 ...

Page 520: ...ave the private key click Save private key A warning window pops up to prompt you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then cl...

Page 521: ...1 18 Figure 1 7 Generate the client keys 5 Specifying the IP address of the Server Launch PuTTY exe The following window appears Figure 1 8 SSH client configuration interface 1 ...

Page 522: ... 9 appears Figure 1 9 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Some SSH client software for example Tectia client software supports the DES algorithm only when the ssh1 version is selected The PuTTY client software supports DES algorithm negotiation ssh2 Opening an SSH connection with password authentication From the window shown in F...

Page 523: ...file and click Open If the connection is normal a user will be prompted for a username Once passing the authentication the user can log in to the server Configuring an SSH Client Assumed by an SSH2 Capable Switch Complete the following tasks to configure an SSH client that is assumed by an SSH2 capable switch Task Remarks Configuring the SSH client for publickey authentication Required for publick...

Page 524: ...cation disabled an SSH client that is not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host public key locally and specify the public key name for authentication Follow these steps to enable the device to support first time authentication To do Use the command Remarks Enter system view system view...

Page 525: ...the SSH server This improves the service manageability when the SSH client has multiple IP addresses and interfaces Follow these steps to specify a source IP address interface for the SSH client To do Use the command Remarks Enter system view system view Specify a source IP address for the SSH client ssh2 source ip ip address Optional By default no source IP address is configured Specify a source ...

Page 526: ...his keyword while the 56 bit version does not When logging into the SSH server using public key authentication an SSH client needs to read its local private key for authentication As two algorithms RSA or DSA are available the identity key keyword must be used to specify one algorithm in order to get the correct private key Displaying and Maintaining SSH Configuration To do Use the command Remarks...

Page 527: ...brief name keyname display public key peer brief name pubkey name Generate RSA key pairs rsa local key pair create public key local create rsa Destroy RSA key pairs rsa local key pair destroy public key local destroy rsa Enter public key view rsa peer public key keyname public key peer keyname Import RSA public key from public key file rsa peer public key keyname import sshkey filename public key ...

Page 528: ... the rsa peer public key command directly SSH Configuration Examples When Switch Acts as Server for Local Password Authentication Network requirements As shown in Figure 1 11 establish an SSH connection between the host SSH Client and the switch SSH Server for secure data exchange The host runs SSH2 0 client software Password authentication is required Network diagram Figure 1 11 Switch acts as se...

Page 529: ...al user client001 Switch luser client001 password simple abc Switch luser client001 service type ssh level 3 Switch luser client001 quit Specify the authentication method of user client001 as password Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 0 2 in this case for the SSH client This IP address and that of the VLAN interface on...

Page 530: ...nection is normal you will be prompted to enter the user name client001 and password abc Once authentication succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 14 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password and RADIUS authenticati...

Page 531: ...uration from the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN Access Service as the service type z Specify the por...

Page 532: ...llo and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 16 Add an account for device management 5 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch system view Switch interface vlan interface 2 Swi...

Page 533: ... key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user hello authentication type password 6 Con...

Page 534: ...the category on the left pane of the window select Connection SSH The window as shown in Figure 1 18 appears Figure 1 18 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Then click Open If the connection is normal you will be prompted to enter the user name hello and the password Once ...

Page 535: ...h z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 19 Switch acts as server for password and HWTACACS authentication Configuration procedure z Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP address of the SSH server for SSH connections Switch system view Switch interfac...

Page 536: ... bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configu...

Page 537: ...will log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals When Switch Acts as Server for Publickey Authentication Network requirements As shown in Figure 1 22 establish an SSH connection between the host SSH client and the switch ...

Page 538: ...airs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Set the client s command privilege level to 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Conf...

Page 539: ...y Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 23 Generate a client key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 24 Otherwise the process bar stops moving and the key pair generating p...

Page 540: ...ure 1 24 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 25 Generate a client key pair 3 ...

Page 541: ...r is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 27 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From t...

Page 542: ... 28 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 29 SSH client configuration interface 3 ...

Page 543: ... Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA k...

Page 544: ... SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public key Y N n Enter password Copyright c 2004 2008 3Com Corp and its licensors All rights reserved Without the owner s prior written consent no decompiling or reverse engineering s...

Page 545: ...witchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify...

Page 546: ...te dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity ...

Page 547: ...s the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs SwitchB public key local create rsa SwitchB public key local create dsa Set AAA authentication on user interfa...

Page 548: ... generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the switch and assign an IP address which serves as the SSH client s address in an SSH connection SwitchA system view SwitchA interface vlan interface 1 SwitchA Vlan interface1 ip address 10 165 87 137 ...

Page 549: ...h002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity key dsa Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 Copyright c 2004 2008 3Com Corp and its...

Page 550: ...tem 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4 File Attribute Configuration 1 5 Introduction to File Attributes 1 5 Booting with the Startup File 1 6 Configuring File Attributes 1 6 ...

Page 551: ...name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For example the URL of a file named text txt in the root directory of the switch is unit1 flash text txt or flash text txt z Entering the path name or file name directly This method can be used to specify a path or a f...

Page 552: ...e that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserved Optional A deleted file can be restored by using the undelete command if you delete it by executing the delete command without specifying the unreserved keyword Restore a file in the recycle bin u...

Page 553: ... up next time Flash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following configuration in user view Table 1 4 Operations on the Flash memory To do Use the command Remarks Format the Flash memory format device Required Restore space on the Flash memory fixdisk device Required The format operation leads to the loss of all files incl...

Page 554: ... attribute b with both main and backup attribute Copy the file flash config cfg to flash test with 1 cfg as the name of the new file Sysname copy flash config cfg flash test 1 cfg Copy unit1 flash config cfg to unit1 flash test 1 cfg Y N y Copy file unit1 flash config cfg to unit1 flash test 1 cfg Done Display the file information after the copy operation Sysname dir all Directory of unit1 flash 1...

Page 555: ... In the Flash memory there can be only one app file one configuration file and one Web file with the main attribute backup Identifies backup startup files The backup startup file is used after a switch fails to start up using the main startup file In the Flash memory there can be only one app file one configuration file and one Web file with the backup attribute b none Identifies files that are ne...

Page 556: ...default Web file main Web file and backup Web exists the device considers that no Web file exists For the selection of the configuration file when the device boots refer to the Configuration File Management part in this manual Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the main o...

Page 557: ...tion of the main or backup attribute of a Web file takes effect immediately without restarting the switch z After upgrading a Web file you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extension of cfg and resides in ...

Page 558: ...ample A Switch Operating as an FTP Server 1 8 FTP Banner Display Configuration Example 1 10 FTP Configuration A Switch Operating as an FTP Client 1 11 SFTP Configuration 1 13 SFTP Configuration A Switch Operating as an SFTP Server 1 13 SFTP Configuration A Switch Operating as an SFTP Client 1 14 SFTP Configuration Example 1 16 2 TFTP Configuration 2 1 Introduction to TFTP 2 1 TFTP Configuration 2 ...

Page 559: ... act as an FTP client or the FTP server in FTP employed data transmission Table 1 1 Roles that a 3com switch 4200G acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log in to a switch operating as an FTP server by running an FTP client program on your PC to access files on the FTP server ...

Page 560: ...er Configure the user name and password for the FTP user and set the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have access to the FTP server Follow these steps to create an FTP user To do Use the command Remarks Enter system view system view Add a local user and enter local ...

Page 561: ...ithout performing any operation Follow these steps to configure connection idle time To do Use the command Remarks Enter system view system view Configure the connection idle time for the FTP server ftp timeout minutes Optional 30 minutes by default Specifying the source interface and source IP address for an FTP server You can specify the source interface and source IP address for an FTP server t...

Page 562: ... switch FTP server is the command switch or member switch in a cluster do not use the ftp server source ip command to specify the private IP address of the cluster as the source IP address of the FTP server Otherwise FTP does not take effect Disconnecting a specified user On the FTP server you can disconnect a specified user from the FTP server to secure the network Follow these steps to disconnec...

Page 563: ...t user name and password are provided the FTP server outputs the configured shell banner to the FTP client terminal Figure 1 2 Process of displaying a shell banner Follow these steps to configure the banner display for an FTP server To do Use the command Remarks Enter system view system view Configure a login banner header login text Configure a shell banner header shell text Required Use either c...

Page 564: ...n the switch Follow these steps to perform basic configurations on an FTP client To do Use the command Remarks Enter FTP client view ftp cluster remote server port number Specify to transfer files in ASCII characters ascii Specify to transfer files in binary streams binary Use either command By default files are transferred in ASCII characters Set the data transfer mode to passive passive Optional...

Page 565: ...t disconnect Terminate the current FTP connection without exiting FTP client view close quit Terminate the current FTP connection and return to user view bye Display the online help about a specified command concerning FTP remotehelp protocol command Optional Enable the verbose function verbose Optional Enabled by default Specifying the source interface and source IP address for an FTP client You ...

Page 566: ... interface source IP address used for the connection this time and the specified source interface source IP address is different from the fixed one the former will be used for the connection this time z Only one fixed source interface or source IP address can be set for the FTP client at one time That is only one of the commands ftp source interface and ftp source ip can be valid at one time If yo...

Page 567: ... client Run an FTP client application on the PC to connect to the FTP server Upload the application named switch bin to the root directory of the Flash memory of the FTP server and download the configuration file named config cfg from the FTP server The following takes the command line window tool provided by Windows as an example Enter the command line window and switch to the directory where the...

Page 568: ...need to purchase and install it by yourself 3 Configure Switch A FTP server After uploading the application use the boot boot loader command to specify the uploaded file switch bin to be the startup file used when the switch starts the next time and restart the switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot load...

Page 569: ...passes the authentication C ftp 1 1 1 1 Connected to 1 1 1 1 220 login banner appears 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operating as an FTP Client Network requirements A switch operates as an FTP client and a remote PC as an FTP server The switch application named switc...

Page 570: ... you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP se...

Page 571: ...owing tasks to configure SFTP Task Remarks Enabling an SFTP server Required Configuring connection idle time Optional SFTP Configuration A Switch Operating as an SFTP Server Supported SFTP client software Basic configurations on an SFTP client SFTP Configuration A Switch Operating as an SFTP Client Specifying the source interface or source IP address for an SFTP client Optional SFTP Configuration ...

Page 572: ... name or a directory name browsing directory structure and manually terminating a connection For configurations on client software see the corresponding configuration manual z Currently a 3com switch 4200G operating as an SFTP server supports the connection of only one SFTP user When multiple users attempt to log in to the SFTP server or multiple connections are enabled on a client only the first ...

Page 573: ...n the SFTP server pwd Create a directory on the remote SFTP server mkdir pathname Remove a directory on the remote SFTP server rmdir pathname Optional delete remotefile Delete a specified file remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files in the curre...

Page 574: ... SFTP server Follow these steps to specify the source interface or source IP address for an SFTP client To do Use the command Remarks Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP address of the specified SFTP client sftp source ip ip address Use ei...

Page 575: ...01 password simple abc Sysname luser client001 service type ssh Sysname luser client001 quit Configure the authentication mode as password Authentication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user client001 service type sftp Enable the SFTP server Sysn...

Page 576: ... wait Received status Success File successfully Removed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Success Add a directory new1 and t...

Page 577: ...file public Received status End of file Received status Success Downloading file successfully ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received status Success Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 conf...

Page 578: ...edgement packets from the TFTP server A 3com switch 4200G can act as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated between the switch and the server and the file download operation will be aborted if the free space of the switch s flash memory is...

Page 579: ...et the file transmission mode tftp ascii binary Optional Binary by default Specify an ACL rule used by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default Specifying the source interface or source IP address for an FTP client You can specify the source interface and source IP address for a switch operating as a TFTP client so that it can c...

Page 580: ...rver if you specify the source interface source IP address only used for the connection this time and the specified source interface source IP address is different from the fixed one the former will be used for the connection this time z You may specify only one source interface or source IP address for the TFTP client at one time That is only one of the commands tftp source interface and tftp sou...

Page 581: ...em through the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0 Sysname Vlan in...

Page 582: ...2 5 For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual ...

Page 583: ...ystem Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the Trap Buffer 1 12 Setting to Output System Information to the Log Buffer 1 13 Setting to Output System Information to the SNMP NMS 1 13 Displaying and Maintaining Information Center 1 14 Information C...

Page 584: ...agnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information z Trap information z Debugging information Eight levels of system information The information is classified into eight levels by severity and can be filtered by level More emergent information has a ...

Page 585: ...d output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap and debugging information facilitating remote maintenance 2 loghost Log host Receives log trap and debugging information and information will be stored in files for future retrieval 3 trapbuffer Trap ...

Page 586: ...r module HA High availability module HABP Huawei authentication bypass protocol module HTTPD HTTP server module HWCM Huawei Configuration Management private MIB module IFNET Interface management module IGSP IGMP snooping module IP Internet protocol module LAGG Link aggregation module LINE Terminal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Ne...

Page 587: ...tions z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content z The space the forward slash and the colon are all required in the above format z Before timestamp may have or followed with a space indicating log alarm or debugging information respectively Below is an e...

Page 588: ...s the time when system information is generated to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the following two formats 1 Without the universal time coordinated UTC time zone the time stamp is in the format of Mmm dd hh mm ss ms yyyy 2 With the UTC time zone the time stamp is in the format of Mmm ...

Page 589: ...manual for details Note that there is a space between the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is displayed only when the output destination is log host Module The module field represents the name of the module that generates system information You...

Page 590: ...ion to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in ...

Page 591: ...ps to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is set for the system Enter system view system view Log host direction info center timestamp loghost date Set the time stamp format in the output direction of the information center to date Non log host...

Page 592: ... when configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 4 Default output rules for different output directions LOG TRAP DEBUG Output direction Modules allowed Enable d disab led Severit y Enabled disabled Severity Enabled disabled Severity Console default all modules Enabled warning s Enabled debuggin g Enabled d...

Page 593: ...and Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal which is a user terminal that has login connections through the AUX VTY or TTY user interface Setting to output system information to a monitor terminal Follow these steps to set to output system information to a monitor terminal To do Use the command Remarks Enter system view...

Page 594: ...utput system information to a monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by default Enable ...

Page 595: ...erface as the source interface Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to the log host info center timestamp loghost date no year date none Optional By d...

Page 596: ...formation to the log buffer To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the log buffer info center logbuffer channel channel number channel name size buffersize Optional By default the switch uses information channel 4 to output log information to the log buffer which can holds...

Page 597: ...ed configurations are required on both the switch and the SNMP NMS Displaying and Maintaining Information Center To do Use the command Remarks Display information on an information channel display channel channel number channel name Display the operation status of information center the configuration of information channels the format of time stamp display info center unit unit id Display the stat...

Page 598: ...he host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log host Switch info center loghost 202 38 1 10 facility local4 Switch info center source arp channel loghost log level informational debug state off trap state off Switch info center source ip channel loghost log level informational debug sta...

Page 599: ... the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations the switch can make records in the corresponding log file Through combined configuration of the device name facility information severity level threshold severity module name filter and the file sysl...

Page 600: ...onf z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same with those corresponding parameters configured in commands info center loghost and info center source O...

Page 601: ...ting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with severity level higher than informational to the console Switch info center console channel console Switch info center source arp channel console log level informational debug state off trap state off Sw...

Page 602: ...TC time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center timestamp loghost date Configure to add UTC time to the output information of the information center Switch info center timestamp utc ...

Page 603: ...ng Disabling System Debugging 2 2 Displaying Debugging Status 2 3 Displaying Operating Information about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device Management 4 1 Introduction to Device Management 4 1 Device Management Configuration 4 1 Device Management Configuration Task list 4 1 Rebooting the Ethernet Switch 4 1 Scheduling a...

Page 604: ...for information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading Introduction to Loading Approaches You can load software locally by using z XModem through Console port z TFTP through Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP The Boot ROM software version shou...

Page 605: ... 2007 17 02 48 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 00e0fc005100 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To enter the BOOT menu you should press Ctrl B within five seconds full startup mode or one second fast startup mode after the information Press Ctrl B to enter BOOT Menu displays Otherwise the system starts to extract the p...

Page 606: ...egotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the packet using the agreed method If the check succeeds the receiving program sends acknowledgement characters and the sending program proceeds to send another packet If the check fails the receiving program sends negative acknow...

Page 607: ... as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display the above information Following are configurations on PC Take the HyperTerminal in Windows 2000 as an example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then ...

Page 608: ... baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in HyperTerminal and click Browse in pop up dialog box as shown in Figure 1 4 Sel...

Page 609: ...r to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done z If the HyperTerminal s baudrate is not reset to 9600 bps the system prompts Your baudrate should be set to 9600 bps again Press enter key when ready z You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 96...

Page 610: ...o the Console port of the switch and logs onto the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the HyperTerminal on the PC and configure XModem as the transfer protocol and configure communication parameters on the Hyper Terminal the same as that on the Console port Step 3 Choose the file to be l...

Page 611: ...r your choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name Switch btm Switch IP address 1 1 1 2 Server IP address 1 1 1 1 Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N Step 6 Enter Y to start file downloading or N to return to th...

Page 612: ...d for file transfer between server and client and is widely used in IP networks You can use the switch as an FTP client or a server and download software to the switch through an Ethernet port The following is an example Loading Procedure Using FTP Client z Loading Boot ROM Figure 1 7 Local loading using FTP client Step 1 As shown in Figure 1 7 connect the switch through an Ethernet port to the FT...

Page 613: ...return to the Boot ROM update menu If you enter Y the system begins to download and update the program Upon completion the system displays the following information Loading done Bootrom updating done z Loading host software Follow these steps to load the host software Step 1 Select 1 in BOOT Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP ...

Page 614: ... whose IP address is 10 1 1 1 to the switch Figure 1 8 Remote loading using FTP Client Step 1 Download the program to the switch using FTP commands Sysname ftp 10 1 1 1 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none abc 331 Give me your password please Password 230 Logged in successfully ftp get switch btm ftp bye When using dif...

Page 615: ... you restart the switch with the reboot command z If the space of the Flash memory is not enough you can delete the unused files in the Flash memory before software downloading For information about deleting files refer to File System Management part of this manual z Ensure the power supply during software loading Loading Procedure Using FTP Server As shown in Figure 1 9 the switch is used as the ...

Page 616: ...able FTP service on the switch and configure the FTP user name to test and password to pass Sysname Vlan interface1 quit Sysname ftp server enable Sysname local user test New local user added Sysname luser test password simple pass Sysname luser test service type ftp Step 4 Enable FTP client software on the PC Refer to Figure 1 10 for the command line interface in Windows operating system Figure 1...

Page 617: ... Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 1 13 ...

Page 618: ...that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user guide before operation z Only the configuration steps concerning loading are list...

Page 619: ...ommand in user view By default it is the UTC time zone Set the name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system reaches the specified start time it automatically adds the specified offset to the current time so as to toggle the system time to the summ...

Page 620: ...ing information to help users diagnose errors The following two switches control the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen Figure 2 1 illustrates the relationship between the protocol debugging switch and the screen out...

Page 621: ...ystem debugging Displaying Debugging Status To do Use the command Remarks Display all enabled debugging on the specified device display debugging unit unit id interface interface type interface number module name Available in any view Displaying Operating Information about Modules in System When an Ethernet switch is in trouble you may need to view a lot of operating information to locate the prob...

Page 622: ...acket percentage and the minimum average and maximum values of response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check the network connectivity It can also be used to help locate the network faults The executing procedure of the tracert command is as follows First the source host sends ...

Page 623: ... be used at the next reboot z Update the Boot ROM z Identifying and Diagnosing Pluggable Transceivers Device Management Configuration Device Management Configuration Task list Complete the following tasks to configure device management Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System ...

Page 624: ...dd yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the delay time for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and set the reboot period schedule reboot regularity at hh mm period Optional The switch timer can be set to precision of one minute that is the switch will reboot within one minute after the specified re...

Page 625: ...n conveniently upgrade the Boot ROM by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switch restarts Use the following command to upgrade the Boot ROM To do Use the command Remarks Upgrade the Boot ROM boot bootrom file url device name Required Identifying and Diagnosing Pluggable Transceivers Introduction to pluggable transceivers At p...

Page 626: ...luggable transceiver s customized by H3C only z You can use the Vendor Name field in the prompt information of the display transceiver interface command to identify an anti spoofing pluggable transceiver customized by H3C If the field is H3C it is considered an H3C customized pluggable transceiver z Electrical label information is also called permanent configuration data or archive information whi...

Page 627: ...stem diagnostic information or save system diagnostic information to a file with the extension diag into the Flash memory display diagnostic information Display enabled debugging on a specified switch display debugging unit unit id interface interface type interface number module name Available in any view Remote Switch APP Upgrade Configuration Example Network requirements Telnet to the switch fr...

Page 628: ...l 3 telnet user with the username as user and password as hello Authentication mode is by user name and password Refer to the Login Operation part of this manual for configuration commands and steps about telnet user 3 Execute the telnet command on the PC to log into the switch The following prompt appears Sysname If the Flash memory of the switch is not sufficient delete the original applications...

Page 629: ...t Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot loader switch app The specified file will be booted next time on unit 1 Sysname display boot loader Unit 1 The current boot app is switch app The main boot app is switch app The backup boot app is Reboot the switch to upgrade the Boot ROM and host softw...

Page 630: ...ping Configuration 1 4 remote ping Server Configuration 1 4 remote ping Client Configuration 1 4 Displaying remote ping Configuration 1 15 remote ping Configuration Examples 1 15 ICMP Test 1 15 DHCP Test 1 17 FTP Test 1 18 HTTP Test 1 20 Jitter Test 1 22 SNMP Test 1 24 TCP Test Tcpprivate Test on the Specified Ports 1 26 UDP Test Udpprivate Test on the Specified Ports 1 28 DNS Test 1 30 ...

Page 631: ...sponding remote ping servers as well to perform various remote ping tests All remote ping tests are initiated by a remote ping client and you can view the test results on the remote ping client only When performing a remote ping test you need to configure a remote ping test group on the remote ping client A remote ping test group is a set of remote ping test parameters A test group contains severa...

Page 632: ...r a TCP UDP jitter test you must specify a destination IP address and the destination address must be the IP address of a TCP UDP UDP listening service configured on the remote ping server Destination port destination port For a tcpprivate udpprivate jitter test you must specify a destination port number and the destination port number must be the port number of a TCP or UDP listening service conf...

Page 633: ... packets dns This parameter is used to specify a DNS domain name in a remote ping DNS test group dns server This parameter is used to set the DNS server IP address in a remote ping DNS test group HTTP operation type http operation This parameter is used to set the type of HTTP interaction operation between remote ping client and HTTP server FTP operation type ftp operation This parameter is used t...

Page 634: ...ions To do Use the command Remarks Enter system view system view Enable the remote ping server function remote ping server enable Required Disabled by default Configure a UDP listening service remote ping server udpecho ip address port num Required for UDP and jitter tests By default no UDP listening service is configured Configure a TCP listening service remote ping server tcpconnect ip address p...

Page 635: ...est count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero sec...

Page 636: ...igure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Display test results display remote ping results admin name operation tag Required You can execute the command in any view 3 Configuring FTP test on remote ping client Follow these steps to configure FTP test on remote ping client To do Use the command Remarks Enter ...

Page 637: ...pe of FTP operation is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Configure an FTP login password password password Required By default neither username nor password is configured Configure a file name for the FTP operation filename file name Required By default no file name is configured for the FTP operation Start the test test...

Page 638: ...ximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type...

Page 639: ...ervice on the remote ping server By default no destination port is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the test type test type jitter Required By default the test type is ICMP Configure the number of probes p...

Page 640: ...view system view Enable the remote ping client function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the destination IP address destination ip ip address Required By default no destination address is co...

Page 641: ...efault the remote ping client function is disabled Create a remote ping test group and enter its view remote ping administrator name operation tag Required By default no test group is configured Configure the destination address destination ip ip address Required This IP address and the one configured on the remote ping server for listening services must be the same By default no destination addre...

Page 642: ...r is 50 Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display remote ping results admin name operation tag Required The display command can be executed in any view 8 Configuring UDP test on remote ping client Follow these steps to configure UDP test on remote ping client To do Use the command Remarks En...

Page 643: ...igure the number of probes per test count times Optional By default one probe is made per test Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the data packet size datasize size Optional By default the data packet size is 100 bytes Configure the automatic test interval frequency interval Optional By def...

Page 644: ...he automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the domain name to be resolved dns resolve target domain name Required By default the domain name to be resolved by DNS...

Page 645: ...time a test fails Configure the number of consecutive unsuccessful remote ping probes before Trap output probe failtimes times Optional By default Trap messages are sent each time a probe fails Displaying remote ping Configuration To do Use the command Remarks Display test history display remote ping history administrator name operation tag Display the results of the latest test display remote pin...

Page 646: ...to 5 Sysname remote ping administrator icmp history records 5 Display test results Sysname remote ping administrator icmp display remote ping results administrator icmp remote ping entry admin administrator tag icmp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 3 6 3 Square Sum of Round Trip Time 145 Last succeeded tes...

Page 647: ...ote ping client Sysname system view Sysname remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to DHCP Sysname Remote ping administrator dhcp Configure the test type as dhcp Sysname remote ping administrator dhcp test type dhcp Configure the source interface which must be a VLAN interface Make sure the DHCP server resides on the ne...

Page 648: ...27 1 0 2000 04 03 09 51 06 8 5 1018 1 0 2000 04 03 09 51 00 8 6 1020 1 0 2000 04 03 09 50 52 8 7 1018 1 0 2000 04 03 09 50 48 8 8 1020 1 0 2000 04 03 09 50 36 8 9 1020 1 0 2000 04 03 09 50 30 8 10 1028 1 0 2000 04 03 09 50 22 8 For detailed output description see the corresponding command manual You can perform a remote ping DHCP test only when no DHCP client is enabled on any interface Otherwise ...

Page 649: ...s of the FTP server as 10 2 2 2 Sysname remote ping administrator ftp destination ip 10 2 2 2 Configure the FTP login username Sysname remote ping administrator ftp username admin Configure the FTP login password Sysname remote ping administrator ftp password admin Configure the type of FTP operation Sysname remote ping administrator ftp ftp operation put Configure a file name for the FTP operatio...

Page 650: ... tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52 9 5 15772 1 0 2000 04 03 03 59 37 0 6 15653 1 0 2000 04 03 03 59 21 2 7 9792 1 0 2000 04 03 03 59 05 5 8 9794 1 0 2000 04 03 03 58 55 6 9 9891 1 0 2000 04 03 03 58 45 8 10 3245 1 0 2000 04 03 03 58 35 9 For de...

Page 651: ... the HTTP server as 10 2 2 2 Sysname remote ping administrator http destination ip 10 2 2 2 Configure to make 10 probes per test Sysname remote ping administrator http count 10 Set the probe timeout time to 30 seconds Sysname remote ping administrator http timeout 30 Start the test Sysname remote ping administrator http test enable Display test results Sysname remote ping administrator http displa...

Page 652: ...nse Status LastRC Time 1 13 1 0 2000 04 02 15 15 52 5 2 9 1 0 2000 04 02 15 15 52 5 3 3 1 0 2000 04 02 15 15 52 5 4 3 1 0 2000 04 02 15 15 52 5 5 3 1 0 2000 04 02 15 15 52 5 6 2 1 0 2000 04 02 15 15 52 4 7 3 1 0 2000 04 02 15 15 52 4 8 3 1 0 2000 04 02 15 15 52 4 9 2 1 0 2000 04 02 15 15 52 4 10 2 1 0 2000 04 02 15 15 52 4 For detailed output description see the corresponding command manual For an...

Page 653: ...r Jitter test type Jitter Configure the IP address of the remote ping server as 10 2 2 2 Sysname remote ping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the remote ping server Sysname remote ping administrator Jitter destination port 9000 Configure to make 10 probes per test Sysname remote ping administrator http count 10 Set the probe timeout time to 30 seconds ...

Page 654: ...e SD Square Sum 200 Negative DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname remote ping administrator Jitter display remote ping history administrator Jitter remote ping entry admin administrator tag Jitter history record Index Response Status LastRC Time 1 274 1 0 2000 04 02 08 14 58 2 2 278 1 0 2000 04 02 08 14 57 9 3 280 1 0 2000 0...

Page 655: ...example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure remote ping Client Switch A Enable the remote ping client Sysname system view Sysname remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to snmp Sysname Remote ping administrator snmp Configure t...

Page 656: ...nmp display remote ping history administrator snmp remote ping entry admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5 9 1 0 2000 04 03 08 57 19 9 6 11 1 0 2000 04 03 08 57 19 9 7 10 1 0 2000 04 03 08 57 19 9 8 10 1 0 2000 04 03 08 57 19 9 9 10 1...

Page 657: ...rt on the remote ping server Sysname remote ping administrator tcpprivate destination port 8000 Configure to make 10 probes per test Sysname remote ping administrator tcpprivate count 10 Set the probe timeout time to 5 seconds Sysname remote ping administrator tcpprivate timeout 5 Start the test Sysname remote ping administrator tcpprivate test enable Display test results Sysname remote ping admin...

Page 658: ... remote ping server are 4200G Ethernet switches Perform a remote ping Udpprivate test on the specified ports between the two switches to test the RTT of UDP packets between this end remote ping client and the specified destination end remote ping server Network diagram Figure 1 9 Network diagram for the Udpprivate test Configuration procedure z Configure remote ping Server Switch B Enable the remo...

Page 659: ...operation times 10 Receive response times 10 Min Max Average Round Trip Time 10 12 10 Square Sum of Round Trip Time 1170 Last complete test time 2000 4 2 8 29 45 5 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number...

Page 660: ...up setting the administrator name to administrator and test tag to dns Sysname remote ping administrator dns Configure the test type as dns Sysname remote ping administrator dns test type dns Configure the IP address of the DNS server as 10 2 2 2 Sysname remote ping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname remote ping administrator dns dns res...

Page 661: ...DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Failed Times 0 Sysname remote ping administrator dns display remote ping history administrator dns remote ping entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50 40 9 2 10 1 0 2006 11 28 11 50 40 9 3 10 1 0 2006 11 28 11 50 40 9 4 7 1 0 2006 11 28 11 50 40 ...

Page 662: ...Port 1 4 Configuring the PD Compatibility Detection Function 1 4 Configuring a PD Disconnection Detection Mode 1 5 Configuring PoE Over Temperature Protection on the Switch 1 5 Upgrading the PSE Processing Software Online 1 6 Displaying PoE Configuration 1 7 PoE Configuration Example 1 7 PoE Configuration Example 1 7 2 PoE Profile Configuration 2 1 Introduction to PoE Profile 2 1 PoE Profile Confi...

Page 663: ...tion system PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection PoE power supply monitoring and power off for devices z PD PDs receive power from the PSE PDs include standard PDs and nonstandard PDs Standard PDs conform t...

Page 664: ...lf protection and restores the PoE feature on all its ports when the temperature drops below 60 C 140 F z The switch supports the PoE profile feature that is different PoE policies can be set for different user groups These PoE policies are each saved in the corresponding PoE profile and applied to ports of the user groups z When you use the PoE capable Switch 4200G to supply power the PDs need no...

Page 665: ...et the maximum output power on a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum output power on the port poe max power max power Required 15 400 mW by default Setting PoE Management Mode and PoE Priority of a Port When a switch is close to its full load in supplying power you can adjust the power s...

Page 666: ...priority of a port poe priority critical high low Required low by default Setting the PoE Mode on a Port PoE mode of a port falls into two types signal mode and spare mode z Signal mode DC power is carried over the data pairs 1 2 3 and 6 of category 3 5 twisted pairs z Spare mode DC power is carried over the spare pairs 4 5 7 and 8 of category 3 5 twisted pairs Currently Switch 4200G does not supp...

Page 667: ...c dc Optional The default PD disconnection detection mode is AC If you adjust the PD disconnection detection mode when the switch is running the connected PDs will be powered off Therefore be cautious to do so Configuring PoE Over Temperature Protection on the Switch If this function is enabled the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for se...

Page 668: ...SE processing software online poe update refresh full filename Required The specified PSE processing software is a file with the extension s19 z In the case that the PSE processing software is damaged that is no PoE command can be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in the P...

Page 669: ...PoE Configuration Example PoE Configuration Example Network requirements Switch A is a Switch 4200G supporting PoE Switch B can be PoE powered z The GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively the GigabitEthernet 1 0 8 port is intended to be connected with an important AP z The PSE processing software of Switch A is first upgra...

Page 670: ...W SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 poe enable SwitchA GigabitEthernet1 0 2 poe max power 2500 SwitchA GigabitEthernet1 0 2 quit Enable the PoE feature on GigabitEthernet 1 0 8 and set the PoE priority of GigabitEthernet 1 0 8 to critical SwitchA interface GigabitEthernet 1 0 8 SwitchA GigabitEthernet1 0 8 poe enable SwitchA GigabitEthernet1 0 8 poe priority crit...

Page 671: ...ple PoE features Features of PoE profile z Various PoE profiles can be created PoE policy configurations applicable to different user groups are stored in the corresponding PoE profiles These PoE profiles can be applied to the ports used by the corresponding user groups z When users connect a PD to a PoE profile enabled port the PoE configurations in the PoE profile will be enabled on the port PoE...

Page 672: ...e to a port some PoE features in the PoE profile can be applied successfully while some cannot PoE profiles are applied to Switch 4200G according to the following rules z When the apply poe profile command is used to apply a PoE profile to a port the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly When the display current configuration command is ...

Page 673: ...ority for GigabitEthernet 1 0 6 through GigabitEthernet 1 0 10 is High z The maximum power for GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 ports is 3000 mW whereas the maximum power for GigabitEthernet 1 0 6 through GigabitEthernet 1 0 10 is 15400 mW Based on the above requirements two PoE profiles are made for users of group A z Apply PoE profile 1 for GigabitEthernet 1 0 1 through Gigabi...

Page 674: ... configuration applicable to GigabitEthernet 1 0 6 through GigabitEthernet 1 0 10 ports for users of group A SwitchA poe profile Profile2 poe enable SwitchA poe profile Profile2 poe mode signal SwitchA poe profile Profile2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe ...

Page 675: ...nd Maintaining Smart Link 1 6 Smart Link Configuration Example 1 6 Implementing Link Redundancy Backup 1 6 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 How Monitor Link Works 2 2 Configuring Monitor Link 2 3 Configuration Task List 2 3 Creating a Monitor Link Group 2 3 Configuring the Uplink Port 2 3 Configuring a Downlink Port 2 4 Displaying Monitor Link Configuration 2 5 Mon...

Page 676: ...ackup for dual uplink networking z Simple configuration and operation Basic Concepts in Smart Link Smart link group A smart link group consists of two member ports one master port and one slave port Normally only one port master or slave is active and the other port is blocked that is in the standby state When link failure occurs on the port in active state the smart link group will block the port...

Page 677: ... VLAN for sending flush messages This control VLAN sends flush messages When link switching occurs the device Switch A in Figure 1 1 broadcasts flush messages in this control VLAN Control VLAN for receiving flush messages This control VLAN is used for receiving and processing flush messages When link switching occurs the devices Switch B and Switch C in Figure 1 1 receive and process flush message...

Page 678: ... their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying flush messages from the smart link group and refreshing MAC forwarding entries and ARP entries z On a Smart Link enabled device if a port is blocked due to link failure the port remains blocked after the link recovers from the failure and does not preempt the traffic resource Theref...

Page 679: ...rs of the smart link group To do Use the command Remarks Enter system view system view Create a smart link group and enter smart link group view smart link group group id Required Enable the function of sending flush messages in the specified control VLAN flush enable control vlan vlan id Required By default no control VLAN for sending flush messages is specified smart link group view port interfa...

Page 680: ...Switch E Follow these steps to enable the specified port to process flush messages received from the specified control VLAN To do Use the command Remarks Enter system view system view System view smart link flush enable control vlan vlan id port interface type interface number to interface type interface number interface interface type interface number Enable the specified port s to process flush ...

Page 681: ...s in the aggregation group automatically that is the other member ports in the aggregation group cannot process flush messages The function of processing flush messages must be manually configured for each port in the aggregation group 11 The VLAN configured as a control VLAN to send and receive flush messages must exist You cannot directly remove the control VLAN When a dynamic VLAN is configured...

Page 682: ...tEthernet1 0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter the corresponding smart link group view SwitchA smart link group 1 Configure GigabitEthernet 1 0 1 as the master port and GigabitEthernet 1 0 2 as the slave port for smart link group 1 SwitchA smlk group1 po...

Page 683: ...system view Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 SwitchD smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 4 Enable the function of processing flush messages received from VLAN 1 on Switch E Enter system view SwitchE system view Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 an...

Page 684: ...one or multiple downlink ports When the link for the uplink port of a monitor link group fails all the downlink ports in the monitor link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a monitor link group implementation As shown in Figure 2 1 the monitor link group configured on the device Switch A...

Page 685: ...mally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of GigabitEthernet 1 0 1 z If Switch C is configured with monitor link group and monitor link group detects that the link for the uplink port GigabitEthernet 1 0 1 fails all the downlink ports in the group are shut down therefore GigabitEthernet 1 0 3 on Switch C is blocked Now smart link group configur...

Page 686: ...he Uplink Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Follow these steps to create a monitor link group To do Use the command Remarks Enter system view system view Create a monitor link group monitor link group group id Required Configuring the Uplink Port Follow these steps to configure the uplink port To do Use the command Remarks Enter system view system vie...

Page 687: ...marks Enter system view system view Enter the specified monitor link group view monitor link group group id Required Configure the specified link aggregation group as a downlink port of the monitor link group link aggregation group group id downlink Monitor link group view port interface type interface number downlink quit interface interface type interface number Configure a downlink port for the...

Page 688: ...on group member z Using the copy command on a port does not copy the smart link monitor link group member information configured on the port to any other port Displaying Monitor Link Configuration To do Use the command Remarks Display the information about one or all monitor link groups display monitor link group group id all Available in any view Monitor Link Configuration Example Implementing Co...

Page 689: ...t view Disable STP on GigabitEthernet1 0 1 and GigabitEthernet1 0 2 SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp disable SwitchA GigabitEthernet1 0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter smart link group view SwitchA smart link gro...

Page 690: ...link SwitchC mtlk group1 port GigabitEthernet 1 0 2 downlink SwitchC mtlk group1 port GigabitEthernet 1 0 3 downlink Return to system view Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 SwitchC mtlk group1 quit SwitchC smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 to GigabitEthernet 1 0 3 3 Enable the fun...

Page 691: ...v6 ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 14 Configuring IPv6 DNS 1 14 Displaying and Maintaining IPv6 1 15 IPv6 Configuration Example 1 16 IPv6 Unicast Address Configuration 1 16 2 IPv6 Application Configuration 2 1 Introduction to IPv6 Application 2 1 Configuring IPv6 Application 2 1 IPv6 Ping 2 1 IPv6 Traceroute 2 2 IPv6 TFTP 2 2...

Page 692: ...ned by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits IPv6 Features Header format simplification IPv6 cuts down some IPv4 header fields or moves them to extension headers to reduce the overhead of the basic IPv6 header IPv6 uses a fixed...

Page 693: ...tateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its own link layer address and the prefix information issued by the router In addition a host can automatically generate a link local a...

Page 694: ...resses zeros in IPv6 addresses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0 876A 130B z If an IPv6 address contains two or more consecutive groups of zeros they can be replaced by the double colon option For example the above mentioned address can be represented in the shor...

Page 695: ...ddress 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several forms of unicast address assignment in IPv6 including global unicast address link local address and site local address z The global unicast address equivalent to an IPv4 public address is used for aggregatab...

Page 696: ...detection Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 address Interface identifier in IEEE EUI 64 format Interface identifiers in IPv6 unicast addresses are used to iden...

Page 697: ... the change Router solicitation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration Used to respond to a router solicitation message Router advertisement RA message With the RA message suppression disabled the router regularly sends a router advertisement message con...

Page 698: ...ss of node A and returns an NA message containing the link layer address of node B in the unicast mode 4 Node A acquires the link layer address of node B from the NA message After that node A and node B can communicate with each other Neighbor unreachability detection After node A acquires the link layer address of its neighbor node B node A can verify whether node B is reachable according to NS a...

Page 699: ...ution The function and implementation of these two types of domain name resolution are the same as those of an IPv4 DNS For details refer to DNS Operation in this manual Usually the DNS server connecting IPv4 and IPv6 networks contain not only A records IPv4 addresses but also AAAA records IPv6 addresses The DNS server can convert domain names into IPv4 addresses or IPv6 addresses In this way the ...

Page 700: ...ublic IPv6 network you need to assign an IPv6 global unicast address to it IPv6 site local addresses and global unicast addresses can be configured in either of the following ways z EUI 64 format When the EUI 64 format is adopted to form IPv6 addresses the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link layer address of the interfa...

Page 701: ...v6 site local address or global unicast address is configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as the one generated by using the ipv6 address auto link local command z The manual assignment takes precedence over the automatic generation That is if you first adopt the automatic generation and then the ma...

Page 702: ...gh NS and NA messages and add it to the neighbor table Too large a neighbor table may lead to the forwarding performance degradation of the device Therefore you can restrict the size of the neighbor table by setting the maximum number of neighbors that an interface can dynamically learn When the number of dynamically learned neighbors reaches the threshold the interface will stop learning neighbor...

Page 703: ...ber Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default Configuring the neighbor reachable timeout time on an interface After a neighbor passed the reachability detection the device considers the neighbor to be reachable in a specific period However the device will examine whether the neighbor is reachable again when there is a need to send packets to the ...

Page 704: ... default Set the synwait timer of IPv6 TCP packets tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Configure the size of IPv6 TCP receiving sending buffer tcp ipv6 window size Optional 8 KB by default Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time If too many IPv6 ICMP error packets are sent within a short time in a network network conges...

Page 705: ...ectly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to only one IPv6 address A newly configured IPv6 address will overwrite the previous one Follow these steps to configure a static IPv6 DNS entry To do Use the command Remarks Enter system view system view Configure a static IPv6 DNS entry ipv6 host ho...

Page 706: ...ame suffix information display dns domain dynamic Display IPv6 dynamic domain name cache information display dns ipv6 dynamic host Display DNS server information display dns server dynamic Display the FIB entries display ipv6 fib Display the mapping between host name and IPv6 address display ipv6 host Display the brief IPv6 information of an interface display ipv6 interface interface type interfac...

Page 707: ... ipv6 statistics Clear the statistics of all IPv6 UDP packets reset udp ipv6 statistics Available in user view The display dns domain and display dns server commands are the same as those of IPv4 DNS For details about the commands refer to DNS Operation in this manual IPv6 Configuration Example IPv6 Unicast Address Configuration Network requirements Two switches are directly connected through two ...

Page 708: ...eui 64 Configure a global unicast address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 3001 2 64 Verification Display the brief IPv6 information of an interface on Switch A SwitchA Vlan interface2 display ipv6 interface vlan interface 2 Vlan interface2 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE49 8048 Global uni...

Page 709: ...erface2 ping ipv6 FE80 20F E2FF FE00 1 i Vlan interface 2 PING FE80 20F E2FF FE00 1 56 data bytes press CTRL_C to break Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 1 hop limit 255 time 80 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 2 hop limit 255 time 60 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from FE80 20F E2FF FE00 1 bytes 56 Sequence...

Page 710: ...8 70 ms SwitchA Vlan interface2 ping ipv6 3001 2 PING 3001 2 56 data bytes press CTRL_C to break Reply from 3001 2 bytes 56 Sequence 1 hop limit 255 time 50 ms Reply from 3001 2 bytes 56 Sequence 2 hop limit 255 time 60 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 255 time 70 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 255...

Page 711: ...and is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the ping command refer to System Maintenance and Debugging Operation in this manual After you execute the ping ipv6 command you can press Ctrl C to terminate the ping operation Follow these steps to p...

Page 712: ...es the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination Follow these steps to traceroute IPv6 To do Use the command Remarks Tracero...

Page 713: ...client application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client and Device B is the Telnet server Figure 2 2 Provide Telnet services Configuration prerequisites Enable Telnet on the Telnet server and configure the authentication method For details refer to Login Op...

Page 714: ...ce to the switch respectively It is required that you telnet to the telnet server from SWA and download files from the TFTP server Network diagram Figure 2 3 Network diagram for IPv6 applications SWA SWB SWC 3003 2 64 3003 1 64 3002 2 64 3002 1 64 3001 2 64 3001 4 64 3001 3 64 Telnet_Server TFTP_Server Configuration procedure You need configure IPv6 address at the switch s and server s interfaces ...

Page 715: ... route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms 10 ms 0 ms SWA downloads a file from TFTP server 3001 3 SWA tftp ipv6 3001 3 get filetoget flash filegothere File will be transferred in binary mode Downloading file from remote tftp server please wait TFTP 13 bytes received in 1 243 second s File downloaded succe...

Page 716: ...ether the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port Unable to Run TFTP Symptom Unable to download and upload files by performing TFTP operations Solution z Check that the route between the device and the TFTP server is up z Check that the file system of the device is usab...

Page 717: ... 1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 2 Displaying and Maintaining UDP Helper 1 2 UDP Helper Configuration Example 1 3 Cross Network Computer Search Through UDP Helper 1 3 ...

Page 718: ...cified destination server With UDP Helper enabled the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet z If the destination port number of the packet matches the one pre configured on the device the device modifies the destination IP address in the IP header and then sends the packet to the specified destination server z O...

Page 719: ...ng any UDP port to match UDP broadcasts otherwise the configuration fails When the UDP helper function is disabled all configured UDP ports are disabled including the default ports z The dns netbios ds netbios ns tacacs tftp and time keywords correspond to the six default ports You can configure the default ports by specifying port numbers or the corresponding parameters For example udp helper por...

Page 720: ...can find PC B through computer search Broadcasts with UDP port 137 are used for searching Network diagram Figure 1 1 Network diagram for UDP Helper configuration Configuration procedure Enable UDP Helper on Switch A SwitchA system view SwitchA udp helper enable Configure the switch to forward broadcasts containing the destination UDP port number 137 By default the device enabled with UDP Helper fo...

Page 721: ...nagement Configuration 1 1 Access Management Overview 1 1 Configuring Access Management 1 2 Access Management Configuration Examples 1 2 Access Management Configuration Example 1 2 Combining Access Management with Port Isolation 1 3 ...

Page 722: ...The access management function aims to manage user access rights on access switches It enables you to manage the external network access rights of the hosts connected to ports of an access switch To implement the access management function you need to configure an IP address pool on a port of an access switch that is bind a specified range of IP addresses to the port z A port with an access manage...

Page 723: ...hich the port belongs and the IP addresses in the access management IP address pool of a port must be in the same network segment as the interface IP address of the VLAN which the port belongs to z If an access management address pool configured contains IP addresses that belong to the static ARP entries of other ports the system prompts you to delete the corresponding static ARP entries to ensure...

Page 724: ...llowing configuration on Switch A Enable access management Sysname system view Sysname am enable Set the IP address of VLAN interface 1 to 202 10 20 200 24 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 202 10 20 200 24 Sysname Vlan interface1 quit Configure the access management IP address pool on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname Gigabit...

Page 725: ...witch C GE1 0 2 PC2_1 PC2_2 PC2_37 Organization 2 Organization 1 202 10 20 25 24 202 10 20 50 24 202 10 20 55 24 202 10 20 65 24 Vlan int1 202 10 20 200 24 Configuration procedure Perform the following configuration on Switch A For information about port isolation and the corresponding configuration refer to the Port Isolation Operation Enable access management Sysname system view Sysname am enabl...

Page 726: ...cess management IP address pool on GigabitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 am ip pool 202 10 20 25 26 202 10 20 55 11 Add GigabitEthernet 1 0 2 to the port isolation group Sysname GigabitEthernet1 0 2 port isolate Sysname GigabitEthernet1 0 2 quit ...

Page 727: ...i Table of Contents Appendix A Acronyms A 1 ...

Page 728: ...ice D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Registration Protocol H HGMP Huawei Group Management Protocol I IAB Internet Architecture Board ICMP Internet...

Page 729: ... DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PoE Power over Ethernet Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanning Tree Protocol S SNMP Simple Network Management Protocol SP Strict Priority STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivi...

Page 730: ...A 3 VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Reviews:

No comments