Home
/
3Com
/
Switch 7757
/
Configuration Manual

3Com Switch 7757, Configuration Manual

Share

Page: 524 / 940

3Com Switch 7757 Configuration Manual Download Page 524

524

C

HAPTER

49: AAA & RADIUS & HWTACACS C

ONFIGURATION

c

CAUTION:

■

The character string of user-name cannot contain “/”, “:”, “*”, “?”, “<“ and
“>”. Moreover, “@” can be used no more than once.

■

After the

local-user password-display-mode cipher-force

command is

executed, all passwords will be displayed in cipher mode even through you
specify to display user passwords in plain text by using the

password

command.

■

If the configured authentication method (local or RADIUS) requires a user name
and a password, the command level that a user can access after login is
determined by the priority level of the user. For SSH users, when they use RSA
shared keys for authentication, the commands they can access are determined
by the levels set on their user interfaces.

■

If the configured authentication method is none or requires a password, the
command level that a user can access after login is determined by the level of
the user interface.

Cutting Down User

Connections Forcibly

n

Telnet and FTP users can use the

display connection

command to view the

connection, but they cannot use the

cut connection

command to cut down the

connection.

Authorize the user to access
the specified type(s) of
service(s)

service-type

{

ftp

|

lan-access

| {

telnet

|

ssh

|

terminal

}* [

level

level

] }

Required

By default, the system does not
authorize the user to access any
service.

Set the priority level of the user

level

level

Optional

By default, the priority level of
the user is 0.

Set the attributes of the user
whose service type is
lan-access

attribute

{

ip

ip-address

|

mac

mac-address

|

idle-cut

second

|

access-limit

max-user-number

|

vlan

vlan-id

|

location

{

nas-ip

ip-address

port

port-number

|

port

port-number

} }*

Optional

If the user is bound to a remote
port, you must specify the

nas-ip

parameter (the following

ip-address

is 127.0.0.1 by

default, representing this
device). If the user is bound to a
local port, you do not need to
specify the

nas-ip

parameter.

Table 405

Configure the attributes of a local user

Operation Command

Description

Table 406

Cut down user connection forcibly

Operation Command

Description

Enter system view

system-view

-

Cut down user connections
forcibly

cut connection

{

all

|

access-type

{

dot1x |

mac-authentication

} |

domain

isp-name

|

interface

interface-type

interface-number

|

ip

ip-address

|

mac

mac-address

|

radius-scheme

radius-scheme-name

|

vlan

vlan-id

|

ucibindex

ucib-index

|

user-name

user-name

}

Required

«
...
522
523
524
525
526
...
»

Summary of Contents for Switch 7757

Page 1: ...3Com Switch 7750 Family Configuration Guide Switch 7750 Switch 7754 Switch 7757 Switch 7758 www 3Com com Part Number 10015462 Rev AD Published December 2007...

Page 2: ...252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or d...

Page 3: ...Authentication Mode Being None 39 Console Port Login Configuration with Authentication Mode Being Password 42 Console Port Login Configuration with Authentication Mode Being Scheme 46 4 LOGGING IN TH...

Page 4: ...FILE MANAGEMENT Introduction to Configuration File 83 Configuration File Related Operations 83 10 VLAN OVERVIEW VLAN Overview 87 Port Based VLAN 89 Protocol Based VLAN 91 11 VLAN CONFIGURATION VLAN C...

Page 5: ...ecial IP Packets to CPU 132 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 132 Disabling ICMP Error Message Sending 133 Displaying and Debugging IP Performance 133 Troubles...

Page 6: ...89 Displaying and Maintaining Link Aggregation Configuration 192 Link Aggregation Configuration Example 193 24 PORT ISOLATION CONFIGURATION Port Isolation Overview 195 Configuring Port Isolation 195 D...

Page 7: ...figuration 264 Digest Snooping Configuration 268 Rapid Transition Configuration 269 BPDU Tunnel Configuration 272 STP Maintenance Configuration 274 MSTP Displaying and Debugging 274 MSTP Implementatio...

Page 8: ...IS IS Configuration Example 345 36 BGP CONFIGURATION BGP Overview 349 BGP Configuration Tasks 354 Basic BGP Configuration 355 Configuring the Way to Advertise Receive Routing Information 356 Configuri...

Page 9: ...Architecture 416 Forwarding Mechanism of Multicast Packets 420 42 GMRP CONFIGURATION GMRP Overview 423 Configuring GMRP 423 Displaying and Maintaining GMRP 424 GMRP Configuration Example 424 43 IGMP...

Page 10: ...93 MSDP Configuration Example 494 Troubleshooting MSDP Configuration 504 49 AAA RADIUS HWTACACS CONFIGURATION Overview 507 Configuration Tasks 516 AAA Configuration 518 RADIUS Configuration 525 HWTACA...

Page 11: ...xample 584 56 DHCP OVERVIEW Introduction to DHCP 589 DHCP IP Address Assignment 589 DHCP Packet Format 590 DHCP Packet Processing Modes 592 Protocols and Standards 592 57 DHCP SERVER CONFIGURATION Int...

Page 12: ...playing ACL Configuration 652 ACL Configuration Example 653 61 QOS CONFIGURATION Overview 657 QoS Supported by the Switch 7750 666 Setting Port Priority 666 Configuring Priority to Be Used When a Pack...

Page 13: ...oE Supervision Information 729 PoE PSU Supervision Configuration Example 729 66 POE PROFILE CONFIGURATION Introduction to PoE Profile 731 PoE Profile Configuration Tasks 731 Displaying PoE Profile Con...

Page 14: ...n Tasks 798 Basic Configuration of BIMS Device 798 Configuring BIMS Access Mode 799 BIMS Configuration Example 800 74 FTP AND TFTP CONFIGURATION FTP Configuration 803 TFTP Configuration 810 75 INFORMA...

Page 15: ...kets Monitoring 868 Displaying the Device Management Configuration 869 Remote Switch Update Configuration Example 870 81 REMOTE PING CONFIGURATION Remote ping Overview 873 Remote ping Configuration 87...

Page 16: ...r Link Configuration 934 Monitor Link Configuration Example 934 86 CONFIGURING HARDWARE DEPENDENT SOFTWARE Configuring Boot ROM Upgrade with App File 937 Configuring Inter Card Link State Adjustment 9...

Page 17: ...hat are used throughout this guide Related Documentation The following manuals offer additional information necessary for managing your Switch 7750 Switch 7750 Command Reference Guide Provides detaile...

Page 18: ...If information in this guide differs from information in the release notes use the information in the Release Notes These documents are available in Adobe Acrobat Reader Portable Document Format PDF...

Page 19: ...level Commands at this level are mainly used to diagnose network and change the language mode of user interface and cannot be saved in configuration files For example the ping tracert and language mo...

Page 20: ...into four command levels visit monitor system and manage which are identified as 0 1 2 and 3 respectively The administrator can change the command level a command belongs to Table 3 lists the operatio...

Page 21: ...iew Ethernet port view Null interface view Tunnel interface view AUX interface view VLAN view VLAN interface view Loopback interface view Local user view User interface view FTP client view SFTP clien...

Page 22: ...estination prefix aggregation view Netstream source and destination aggregation view Smart link group view Table 4 lists information about CLI views including the operations you can performed in these...

Page 23: ...rn to system view Execute the return command to return to user view Tunnel interface view Configure tunnel interface parameters SW7750 Tunne l0 Execute the interface tunnel 0 command in system view Ex...

Page 24: ...meters sftp client Execute the sftp 10 1 1 1 command in system view Execute the quit command to return to user view Cluster view Configure cluster parameters SW7750 cluster Execute the cluster command...

Page 25: ...and in system view Execute the peer public key end command to return to system view Public key code view Edit RSA public keys of SSH users SW7750 rsa ke y code Execute the public key code begin comman...

Page 26: ...user view ES IS view Configure parameters for the ES IS protocol SW7750 esis Execute the esis command in system view Execute the quit command to return to system view Execute the return command to ret...

Page 27: ...view Execute the quit command to return to system view Execute the return command to return to user view QinQ view Create QinQ instances and configure parameters for QinQ SW7750 Gigabi tEthernet4 0 1...

Page 28: ...tion view Configure netstream protocol port aggregation parameters SW7750 aggregation pr otport Execute the ip netstream aggregation protocol port command in system view Execute the quit command to re...

Page 29: ...in this position of the command on your terminal to display all the available keywords and their brief descriptions The following takes the clock command as an example SW7750 clock datetime Specify t...

Page 30: ...ranslate the help into Chinese Terminal Display CLI provides the following display feature Display suspending That is the displaying of output information can be split when the screen is full and you...

Page 31: ...ed too many parameters Ambiguous command The parameters entered are ambiguous Wrong parameter The input parameter is wrong Table 8 Edit operations Press To A common key Insert the character the key re...

Page 32: ...32 CHAPTER 1 CLI OVERVIEW...

Page 33: ...er Two kinds of user interface index exist absolute user interface index and relative user interface index 1 The absolute user interface indexes are as follows AUX user interface 0 VTY user interfaces...

Page 34: ...connect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Enable copyright information displaying copyright info enabl...

Page 35: ...ough the Console Port Following are the procedures to connect to a switch through the Console port 1 Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 1...

Page 36: ...36 CHAPTER 3 LOGGING IN THROUGH THE CONSOLE PORT Figure 2 Create a connection Figure 3 Specify the port used to establish the connection...

Page 37: ...e character The commands available on a switch are described in the related module of the command manual Console Port Login Configuration Common Configuration Table 12 lists the common configuration o...

Page 38: ...ble Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set hist...

Page 39: ...RADIUS users Required The user name and password of a local user are configured on the switch The user name and password of a RADIUS user are configured on the RADIUS server Refer to user manual of RA...

Page 40: ...and level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal...

Page 41: ...can contain up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a us...

Page 42: ...user privilege level 2 Set the baud rate of the Console port to 19 200 bps SW7750 ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 SW7750 ui aux0 screen length 30 Set t...

Page 43: ...trol Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command...

Page 44: ...can store up to 20 commands The timeout time of the AUX user interface is 6 minutes Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a use...

Page 45: ...he local password to 123456 in plain text SW7750 ui aux0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into the AUX user interface SW7750 ui aux0...

Page 46: ...nt you need to perform the following configuration as well Perform AAA RADIUS configuration on the switch Refer to AAA Configuration on page 518 and RADIUS Configuration on page 525 for more Configure...

Page 47: ...does not perform flow control Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Set the data bits databits 7 8 Optional The default data bits of a Console port i...

Page 48: ...and buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the...

Page 49: ...er view SW7750 local user guest Set the authentication password to 1234567890 in plain text SW7750 luser guest password simple 1234567890 Set the service type of the local user to Terminal with the av...

Page 50: ...50 CHAPTER 3 LOGGING IN THROUGH THE CONSOLE PORT SW7750 ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes SW7750 ui aux0 idle timeout 6...

Page 51: ...Configuration Description VTY user interface configuration Configure the command level available to users logging into the VTY user interface Optional By default commands of level 0 are available to...

Page 52: ...r RADIUS authentication Optional Local authentication is performed by default Refer to Configuring RADIUS Authentication Authorization Servers on page 525 for more Configure user name and password Con...

Page 53: ...s are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the scre...

Page 54: ...for Telnet configuration with the authentication mode being none Configuration procedure Enter system view SW7750 system view Enter VTY 0 user interface view SW7750 user interface vty 0 Configure not...

Page 55: ...tion mode being password Operation Command Description Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate us...

Page 56: ...ormation in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands...

Page 57: ...ure to authenticate users logging into VTY 0 using the local password SW7750 ui vty0 authentication mode password Set the local password to 123456 in plain text SW7750 ui vty0 set authentication passw...

Page 58: ...accordingly on the AAA server Refer to the user manual of AAA server Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtacacs scheme hwta...

Page 59: ...screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages...

Page 60: ...authenticated in the RSA mode of SSH The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level...

Page 61: ...and buffer can store up to 20 commands The timeout time of VTY 0 is 6 minutes Network diagram Figure 10 Network diagram for Telnet configuration with the authentication mode being scheme Configuration...

Page 62: ...u log in through the Console port Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 11 Figure 11 Diagram for establishing connection to a Console port La...

Page 63: ...parameter as shown in Figure 13 Figure 13 Launch Telnet 5 Enter the password when the Telnet window displays Login authentication and prompts for login password The CLI prompt such as SW7750 appears i...

Page 64: ...m Telnet related configuration on the switch operating as the Telnet server Refer to Telnet Configuration with Authentication Mode Being None on page 52 Telnet Configuration with Authentication Mode B...

Page 65: ...switch side is available Configuration on the Switch Side Modem Configuration Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1...

Page 66: ...tion mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None on page 39 Configuration on switch wh...

Page 67: ...X port also the Console port be set to a value lower than the transmission speed of the modem Otherwise packets may get lost 3 Connect your PC the modems and the switch as shown in the following figur...

Page 68: ...ted modules in the command manual for detailed configuration commands n If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to Com...

Page 69: ...n procedures of the Modem attribute Operation Command Description Enter system view system view Enter AUX user interface view user interface aux 0 Enable Modem call in call in and call out modem call...

Page 70: ...70 CHAPTER 5 LOGGING IN USING MODEM...

Page 71: ...in Create a Web user account setting both the user name and the password to admin and the user level to 3 SW7750 system view SW7750 local user admin SW7750 luser admin service type telnet level 3 SW77...

Page 72: ...is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The contents of the banner page are the login banner infor...

Page 73: ...of the switch in the address bar of the browser running on the user terminal and press Enter the browser will display the banner page as shown in Figure 21 Figure 21 Banner page displayed when a user...

Page 74: ...HTTP service is enabled disabled after the corresponding configuration Enabling the Web server by using the undo ip http shutdown command opens TCP 80 port Disabling the Web server by using the ip htt...

Page 75: ...uration on both the NMS and the switch Connection Establishment Using NMS Figure 22 Network diagram for logging in through an NMS Table 34 Requirements for logging into a switch through an NMS Item Re...

Page 76: ...76 CHAPTER 7 LOGGING IN THROUGH NMS...

Page 77: ...olling Telnet Users by Source IP Addresses on page 77 By source and destination IP address Through advanced ACL Controlling Telnet Users by Source and Destination IP Addresses on page 78 SNMP By sourc...

Page 78: ...tion Enter system view system view Create an advanced ACL or enter advanced ACL view acl number acl number name acl name advanced match order config auto As for the acl number command the config keywo...

Page 79: ...stem view Create a basic ACL or enter basic ACL view acl number acl number name acl name basic match order config auto As for the acl number command the config keyword is specified by default Define r...

Page 80: ...ample Network requirements Only SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 are permitted to access the switch Network diagram Figure 23 Network diagram for controlling...

Page 81: ...commands Configuration Example Network requirements Only the Web users sourced from the IP address of 10 110 100 52 are permitted to access the switch Table 39 Control Web users by source IP addresse...

Page 82: ...a basic ACL SW7750 system view SW7750 acl number 2030 SW7750 acl basic 2030 rule 1 permit source 10 110 100 52 0 SW7750 acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from th...

Page 83: ...into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by empty lines or comment lines A line is a comment line if it starts...

Page 84: ...the system saves the configuration files in the safely saving mode In this mode the configuration files are saved slowly However the original configuration files will be saved in the Flash if the dev...

Page 85: ...the configuration before restarting a device so that the current configuration remains after the device is restarted If you use the save command to save the current configuration file without specifyi...

Page 86: ...86 CHAPTER 9 CONFIGURATION FILE MANAGEMENT...

Page 87: ...t the inbound port of the packet In this case a host in the network receives a lot of packets whose destination is not the host itself Thus plenty of bandwidth resources are wasted causing potential s...

Page 88: ...hosts When the physical position of a host changes within the range of the VLAN you need not change its network configuration VLAN Principles VLAN tags in the packets are necessary for the switch to i...

Page 89: ...hen the switch receives an un VLAN tagged packet it will encapsulate a VLAN tag with the default VLAN ID of the inbound port for the packet and the packet will be assigned to the default VLAN of the i...

Page 90: ...with a default VLAN the port receives and sends packets in a way related to its link type For detailed description refer to Table 42 Table 43 and Table 44 Table 42 Packet processing of an Access port...

Page 91: ...ernet data for you to understand well the procedure for the switch to identify the packet protocols Ethernet II and 802 2 802 3 encapsulation In the link layer there are two main packet encapsulation...

Page 92: ...col supports 802 3 raw encapsulation format currently This format is identified by the two bytes whose value is 0xFFFF after the length field 802 2 logical link control LLC encapsulation the length fi...

Page 93: ...tion Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap value 802 2 LLC encapsulation Match the type value 802 3 raw encapsulation 0x05DD...

Page 94: ...eria The user defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to...

Page 95: ...he system can suppress broadcast storm avoid network congestion and ensure normal network operation Table 46 Basic VLAN configuration Operation Command Description Enter system view system view Create...

Page 96: ...e VLAN interface are down the VLAN interface is down disabled if one or more ports of the VLAN interface are up the VLAN interface is up enabled Enter VLAN view vlan vlan id Set VLAN broadcast storm s...

Page 97: ...1 Display VLAN configuration Operation Command Description Display the VLAN interface information display interface Vlan interface vlan id You can execute the display command in any view Display the V...

Page 98: ...you need to use the Access port as a medium For example the Trunk port has to be configured as an Access port first and then a Hybrid port To do Use the command Remarks Enter system view system view...

Page 99: ...0 2 to VLAN 2 and add Ethernet2 0 3 and Ethernet2 0 4 to VLAN 3 Network diagram Figure 34 Network diagram for VLAN configuration Configuration procedure Create VLAN 2 and enter its view SW7750 system...

Page 100: ...gure both ipx raw standard template and LLC user defined template whose dsap and ssap are both ff in the same VLAN It is not allowed to configure both ipx ethernetii standard template and EthernetII u...

Page 101: ...ot be removed If a protocol of a VLAN has been distributed to a port the VLAN cannot be removed from the port If a protocol of a VLAN has been distributed to a port the protocol cannot be removed from...

Page 102: ...ation Table 55 Protocol based VLAN creation on different cards Description Type A card Non Type A card Create protocol based VLAN on specific module in system view Not supported Supported only for all...

Page 103: ...t to be a hybrid port SW7750 Ethernet2 0 5 port link type hybrid Add the port to VLAN 5 and add VLAN 5 to the untagged VLAN list of the port SW7750 Ethernet2 0 5 port hybrid vlan 5 untagged Associate...

Page 104: ...50 vlan7 protocol vlan 2 mode snap etype abcd Enter port view of the Ethernet2 0 7 SW7750 vlan7 interface Ethernet 2 0 7 Configure Ethernet2 0 7 as a hybrid port SW7750 Ethernet2 0 7 port link type hy...

Page 105: ...bits of a MAC address The following table shows the five default OUI addresses of a switch You can create multiple voice VLANs and bind each voice VLAN to a port In this way the voice traffic received...

Page 106: ...it As multiple types of IP voice devices exist you need to match port mode with types of voice stream sent by IP voice devices as listed in Table 58 Table 58 Matching relationship between port modes...

Page 107: ...ice VLAN And the access port permits the packets of the default VLAN Hybrid Supported Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose packets are permitted b...

Page 108: ...N to the port as a voice VLAN voice vlan vlan id Required By default no voice VLAN is bound to a port Enable the voice VLAN legacy function on the port voice vlan legacy Optional By default voice VLAN...

Page 109: ...Add the port to the VLAN port interface list Trunk or Hybrid port Enter port view interface interface type interface number Add the port to the voice VLAN port trunk permit vlan vlan id port hybrid vl...

Page 110: ...eature realizes the communication between 3Com s devices and other vendor s voice devices by automatically adding the voice VLAN tag to the voice data coming from other vendors voice devices The voice...

Page 111: ...ind VLAN 2 to Ethernet 2 0 3 as a voice VLAN Configure the OUI address to be 0011 2200 0000 with the description string being test Configuration procedure Create VLAN 3 SW7750 system view SW7750 vlan...

Page 112: ...aging time 1440 minutes Current voice vlan enabled port mode PORT MODE STATUS Voice Vlan ID Ethernet2 0 3 MANUAL ENABLE 3 Remove Ethernet2 0 3 port from the voice VLAN SW7750 interface Ethernet2 0 3...

Page 113: ...without VLAN tags Therefore the switch can reset the local VLAN structure to save VLAN resource without considering the VLAN configuration in the lower layer Isolate User VLAN Packets Forwarding Proce...

Page 114: ...thernet2 0 1 of Switch B the packets are automatically added with default VLAN ID that is the tag of VLAN 5 2 According to the MAC address forwarding table copied in the outbound process the system wi...

Page 115: ...VLAN and the secondary VLAN must be hybrid ports and all ports must perform untag operation on all VLAN packets Configure the mapping between the isolate user VLAN and the secondary VLAN Required Conf...

Page 116: ...he VLAN configurations of the lower layer switches VLAN 5 on Switch B is an isolate user VLAN which includes the uplink port Ethernet2 0 1 and two secondary VLANs VLAN 2 and VLAN 3 VLAN 3 includes por...

Page 117: ...id broadcast SwitchB vlan2 quit SwitchB interface Ethernet 2 0 2 SwitchB Ethernet2 0 2 port link type hybrid SwitchB Ethernet2 0 2 port hybrid vlan 3 untagged SwitchB Ethernet2 0 2 port hybrid vlan 5...

Page 118: ...secondary VLAN SwitchC vlan6 quit SwitchC vlan 3 SwitchC vlan3 vlan 4 Add port Ethernet2 0 3 to the isolate user VLAN and the secondary VLAN and configure the port to untag the VLAN packets Remove th...

Page 119: ...olate user VLAN to secondary VLAN mapping SwitchC Ethernet2 0 1 quit SwitchC isolate user vlan 6 secondary 3 to 4 After the above configurations Switch A can receive packets from Switch B and Switch C...

Page 120: ...120 CHAPTER 13 ISOLATE USER VLAN CONFIGURATION...

Page 121: ...oxy function is used ARP proxy enables Layer 3 connectivity between Layer 2 isolated ports by performing ARP request and forwarding and handling response packets Super VLAN Configuration Super VLAN Co...

Page 122: ...Sub VLAN You can use the following commands to establish the mapping between a super VLAN and a sub VLAN c CAUTION The sub VLAN must exist before you create mapping between the sub VLAN and the super...

Page 123: ...the outside network Configuration Procedure n A super VLAN interface can only correspond to one DHCP server group The last configuration will take effect if you execute the dhcp server groupNo command...

Page 124: ...it SW7750 system view SW7750 vlan 10 SW7750 vlan10 supervlan Create VLAN2 VLAN3 and VLAN5 and add corresponding ports to them SW7750 vlan10 quit SW7750 vlan 2 SW7750 vlan2 port Ethernet 2 0 1 Ethernet...

Page 125: ...igure it as a super VLAN SW7750 system view SW7750 vlan 6 SW7750 vlan6 supervlan Create VLAN 2 and VLAN 3 and establish the mapping between them and VLAN 6 SW7750 vlan6 quit SW7750 vlan 2 SW7750 vlan2...

Page 126: ...126 CHAPTER 14 SUPER VLAN...

Page 127: ...ed decimal notation Each IP address contains four decimal integers with each integer corresponding to one byte for example 10 110 50 101 Some IP addresses are reserved for special use The IP address r...

Page 128: ...by hosts when they are booted but is not used afterward An IP address with all 0s network ID represents a specific host on the local network and can be used as a source address but cannot be used as a...

Page 129: ...ss 138 38 128 0 101 Subnet address 138 38 160 0 110 Subnet address 138 38 192 0 111 Subnet address 138 38 224 0 Subnet number Host number Subnet address 10001010 00100110 000 00000 00000000 ClassB 138...

Page 130: ...You can perform troubleshooting as follows Check the configuration of the switch and then use the display arp command to check whether the host has an corresponding ARP entry in the ARP table maintain...

Page 131: ...Introduction to FIB Every switch stores a forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding...

Page 132: ...e subnet If a directed broadcast packet reaches the destination network after being forwarded by the switch the switch will receive the broadcast packet for the switch also belongs to the subnet Since...

Page 133: ...ng table becomes very large If a host sends malicious ICMP destination unreachable packets end users may be affected To solve such problems you can disable a device from sending ICMP error packets Cur...

Page 134: ...port 4296 Use the debugging tcp packet command to enable the TCP debugging to trace TCP packets Switch terminal debugging Switch debugging tcp packet Table 81 Display IP performance Operation Command...

Page 135: ...will be displayed in the following format in real time TCP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 Sequence number 4185...

Page 136: ...136 CHAPTER 16 IP PERFORMANCE CONFIGURATION...

Page 137: ...0 0cb 47 0000 00cb 0047 is the node address You can also write an IPX address in the form of N H H H where N is the network number and H H H is the node address Routing Information Protocol IPX uses...

Page 138: ...outing Configuring IPX static routes Table 83 Configure IPX Configuration task Description Detailed configuration Basic IPX configuration Required Basic IPX Configuration on page 138 IPX routing confi...

Page 139: ...s needed Enable IPX ipx enable Required IPX is disabled by default Enter VLAN interface view interface Vlan interface vlan id Configure an IPX network number for the VLAN interface ipx network network...

Page 140: ...ks 1 tick 1 18 seconds indicate the delay that a VLAN interface experiences Table 87 Configure IPX RIP Operation Command Description Enter system view system view Enable IPX ipx enable Required IPX is...

Page 141: ...where the switches mistake an operating server for a failed one The aging period of IPX SAP is a multiple of the IPX RIP update interval You can set multiple update intervals as an aging period Table...

Page 142: ...VLAN interface Configure the aging period of IPX SAP ipx sap multiplier multiplier Optional By default an IPX SAP service entry is deleted if it is not updated after three update intervals Enter VLAN...

Page 143: ...the information of the server picked out by round robin polling ipx sap gns load balance Optional By default the switch responds to SAP GNS requests with the information of a server that is picked out...

Page 144: ...ence preference Optional By default no static service entry is found in the service information table Configure the maximum length of the service information reserve queue for one service type ipx sap...

Page 145: ...the IPX network The node address of the server is 0000 0c91 f61f Enable the forwarding of type 20 broadcast packets ipx netbios propagation Optional By default type 20 broadcast packets are not forwa...

Page 146: ...e 2 Switch Vlan interface2 ipx encapsulation ethernet 2 Switch Vlan interface2 quit Assign the network number 1000 to VLAN interface 1 to enable IPX on the VLAN interface Switch interface Vlan interfa...

Page 147: ...451 hop 2 Configure a service information entry indicating that the server can provide the printing service Switch ipx service 7 printserver 2 0000 0c91 f61f 5 hop 2 Troubleshooting IPX Troubleshooti...

Page 148: ...empt the packet is dropped Troubleshooting IPX RIP Symptom 1 The switch cannot learn routes from the peer device Solutions Use the debugging ipx rip packet verbose command to enable debugging for IPX...

Page 149: ...rface command Check whether the hop count of the route to the server is smaller than 16 with the display ipx routing table command Check whether adequate memory is available for adding the service ent...

Page 150: ...se the display current configuration command to check whether the triggered updates feature is configured on the VLAN interface Periodical update is disabled when the triggered updates feature applies...

Page 151: ...ent switch with the display ipx routing table verbose command Solutions Use the display current configuration command to view the maximum number of dynamic routes for each destination network number T...

Page 152: ...152 CHAPTER 17 IPX CONFIGURATION...

Page 153: ...the received declarations withdrawal declarations GARP members exchange information through sending messages There mainly are 3 types of GARP messages including Join Leave and LeaveAll When a GARP pa...

Page 154: ...eaveALL message after the timer times out so that other GARP participants can re register all the attribute information on this participant After that the participant restarts the LeaveAll timer to be...

Page 155: ...bute List It contains multiple attributes Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts At...

Page 156: ...ue Table 95 GVRP Configuration procedure Operation Command Description Enter system view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer...

Page 157: ...hanging the timeout time of the Hold timer This upper threshold is less than one half of the timeout time of the Leave timer You can change the threshold by changing the timeout time of the Leave time...

Page 158: ...ll the VLANs SW7750 interface Ethernet2 0 1 SW7750 Ethernet2 0 1 port link type trunk SW7750 Ethernet2 0 1 port trunk permit vlan all Enable GVRP on the trunk port SW7750 Ethernet2 0 1 gvrp GVRP is en...

Page 159: ...llustrates the structure of a packet with single VLAN tag Figure 43 Structure of the packets with single VLAN tag Figure 44 illustrates the structure of a packet with nested VLAN tags Figure 44 Struct...

Page 160: ...tructure of tagged packets of Ethernet frames The user priority field is the 802 1p priority of the tag This 3 bit field is in the range of 0 to 7 Through configuring inner to outer tag priority mappi...

Page 161: ...quirements Switch A Switch B and Switch C are Switch 7750s Two networks are connected to the Ethernet2 0 1 ports of Switch A and Switch C Switch B only permits the packets of VLAN 10 It is required th...

Page 162: ...ernet2 0 1 port access vlan 10 SwitchA Ethernet2 0 1 stp disable SwitchA Ethernet2 0 1 undo ntdp enable SwitchA Ethernet2 0 1 vlan vpn enable SwitchA Ethernet2 0 1 quit 2 Configure Switch B Configure...

Page 163: ...2 port of Switch B it is forwarded in VLAN 10 and is passed to Ethernet2 0 1 port The packet is forwarded from Ethernet2 0 1 port of Switch B to the network on the other side and reaches Ethernet2 0...

Page 164: ...164 CHAPTER 19 QINQ CONFIGURATION...

Page 165: ...VLAN tags according to the VLAN ID they carry This is achieved by using the corresponding commands n For Switch 7750 Ethernet switches the selective QinQ feature can also be achieved through using ACL...

Page 166: ...ew Enter Ethernet port view interface interface type interface number Enable QinQ for the port vlan vpn enable Required By default QinQ is disabled Configure the outer VLAN tag to be added to a packet...

Page 167: ...Enter system view SwitchA system view Enter GigabitEthernet2 0 1 port view SwitchA interface GigabitEthernet 2 0 1 Configure this port to be a hybrid port And configure to keep the outer tags of packe...

Page 168: ...f VLAN 100 to be inserted to packets and specify the upstream port of the tag to be GigabitEthernet2 0 1 which does not remove the outer VLAN tags of packets when transmitting these packets SwitchA Gi...

Page 169: ...of VLAN 4 When a packet is received its source MAC address MAC A is learned into the MAC address table of the default VLAN VLAN 2 of the port When a response packet is returned to the device from VLAN...

Page 170: ...shared VLAN enabled the packets of the current I O Module or Fabric are forwarded according to the MAC address table of the shared VLAN So you need to add the ports of all the packets to be forwarded...

Page 171: ...ure 49 Network diagram for Shared VLAN configuration Configuration Procedure Enable selective QinQ on Ethernet2 0 6 Refer to Selective QinQ Configuration Example on page 167 for the details Specify VL...

Page 172: ...172 CHAPTER 21 SHARED VLAN CONFIGURATION...

Page 173: ...he Ethernet port description text Optional By default no description is defined for the port Set the duplex mode of the Ethernet port duplex auto full half Optional By default the duplex mode of the p...

Page 174: ...to full or auto 100 Mbps optical Ethernet port It works in full duplex mode and its duplex mode can be set to full or auto Gigabit optical Ethernet port It works in full duplex mode and its duplex mo...

Page 175: ...multicast unknown unicast suppression on ports Configure the available auto negotiation speed s for the port speed auto 10 100 1000 Optional By default the port speed is determined through auto negot...

Page 176: ...sical state of its ports n The delays set with the above commands are weight values rather than exact time values The greater the delay weight the longer the delay You can set the delay of reporting d...

Page 177: ...e port is an edge port Port configuration includes link type of the port port rate and duplex mode n To copy the configuration of a source port to a member port of a link aggregation group you should...

Page 178: ...ring the specified interval and displays the average rates in the interval For example if you set this interval to 100 seconds the displayed information is as follows Table 113 Set loopback detection...

Page 179: ...g the function you can choose to monitor certain Ethernet ports instead of monitoring all ports so as to reduce the quantity of log information output to the log server n After you allow a port to out...

Page 180: ...rface interface type interface number Allow the port to output the UP Down log information enable log updown Required By default a port is allowed to output the UP Down log information Table 118 Displ...

Page 181: ...t2 0 1 Set Ethernet2 0 1 as a trunk port SW7750 Ethernet2 0 1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet2 0 1 SW7750 Ethernet2 0 1 port trunk per...

Page 182: ...182 CHAPTER 22 PORT BASIC CONFIGURATION...

Page 183: ...QoS configuration including traffic limiting priority marking default 802 1p priority bandwidth assurance congestion avoidance traffic redirection traffic statistics and so on VLAN configuration inclu...

Page 184: ...member ports that can be set as selected ports in an aggregation group exceeds the maximum number supported by the device the system will choose the ports with lower port numbers as the selected port...

Page 185: ...alf duplex low speed The system sets the following ports to standby state ports that are not connected to the same peer device as the master port selected port with the minimum port number and ports t...

Page 186: ...Ds system priority system MAC address between the two parties First compare the two system priorities then the two system MAC addresses if the system priorities are equal The device with smaller devic...

Page 187: ...descriptions Aggregation type Basic description Specific description Manual aggregation Support up to 384 aggregation groups including 64 load sharing aggregation groups For Type A modules an aggrega...

Page 188: ...ources are as follows Table 120 Restriction of type A I O Modules on link aggregation I O Module type Cross chip aggregation Aggregation type I O Module specificatio n Maximum number of ports in an ag...

Page 189: ...esources c CAUTION A load sharing aggregation group contains up to two selected ports however a non load sharing aggregation group can only have one selected port at most and others are standby ports...

Page 190: ...m one or more dynamic aggregation groups You can manually add remove a port to from a static aggregation group and a port can only be manually added removed to from a static aggregation group Add a gr...

Page 191: ...to participate in dynamic aggregation of the system because only when LACP is enabled on those ports at both ends can the two parties reach agreement in adding removing ports to from dynamic aggregat...

Page 192: ...ven parameters are available on type A I O Modules including 3C16860 3C16860 3C16861 3C16861 LS81FS24A LS81FS24 3C16858 3C16858 3C16859 and 3C16859 None of the above seven parameters are available on...

Page 193: ...o User View with Ctrl Z SW7750 link aggregation group 1 mode manual Add Ethernet 2 0 1 through Ethernet 2 0 3 to aggregation group 1 SW7750 interface ethernet2 0 1 SW7750 Ethernet2 0 1 port link aggre...

Page 194: ...2 0 2 interface ethernet2 0 3 SW7750 Ethernet2 0 3 port link aggregation group 1 3 Adopt the dynamic LACP aggregation mode Enable LACP on Ethernet 2 0 1 through Ethernet 2 0 3 SW7750 interface etherne...

Page 195: ...the isolation group automatically When a port in an aggregation group leaves an isolation group the other ports in the aggregation group leave the isolation group automatically Configuring Port Isolat...

Page 196: ...onfiguration Example Network requirements PC2 PC3 and PC4 connect to the switch ports Ethernet2 0 2 Ethernet2 0 3 and Ethernet2 0 4 respectively It is desired that PC2 PC3 and PC4 are isolated from ea...

Page 197: ...ort isolate group1 port Ethernet2 0 2 to Ethernet2 0 4 Display information about the ports in the isolation group SW7750 port isolate group1 display isolate port Isolate group ID 1 Isolated port s in...

Page 198: ...198 CHAPTER 24 PORT ISOLATION CONFIGURATION...

Page 199: ...load and greatly enhances system security and manageability Port Security Features The following port security features are provided 1 NTK need to know feature By checking the destination MAC addresse...

Page 200: ...nt command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned configured can pass through the port In the secur...

Page 201: ...lar to the userlogin secure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through t...

Page 202: ...allowed however cannot exceed the configured upper limit By setting the maximum number of MAC addresses allowed on a port you can Control the maximum number of users who are allowed to access the net...

Page 203: ...for port mirroring Link aggregation Table 132 Set the maximum number of MAC addresses allowed on a port Operation Command Remarks Enter system view system view Enter Ethernet port view interface inter...

Page 204: ...pe interface number Configure the NTK feature port security ntk mode ntkonly ntk withbroadcasts ntk withmulticasts Required Be default NTK is disabled on a port namely all frames are allowed to be sen...

Page 205: ...n to secure n The security MAC addresses manually configured are written to the configuration file they will not get lost when the port is up or down As long as the configuration file is saved the sec...

Page 206: ...1 After the number of security MAC addresses reaches 80 the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be di...

Page 207: ...tolearn SW7750 GigabitEthernet2 0 1 quit Add the MAC address 0001 0002 0003 of Host as a security MAC address to the port in VLAN 1 SW7750 mac address security 0001 0002 0003 interface GigabitEthern e...

Page 208: ...208 CHAPTER 25 PORT SECURITY CONFIGURATION...

Page 209: ...e configuration you can use the display command in any view to display port binding information and verify your configuration Table 140 Configure port binding Operation Command Description Enter syste...

Page 210: ...Host A Network diagram Figure 54 Network diagram for port binding configuration Configuration procedure Configure switch A as follows Enter system view SW7750 system view Enter Ethernet 2 0 1 port vie...

Page 211: ...shown in Figure 55 Fibers that are not connected or disconnected as shown in Figure 56 the hollow lines in which refer to fibers that are not connected or disconnected Device link detection protocol D...

Page 212: ...correctly and whether packets can be exchanged normally at both ends However the auto negotiation mechanism cannot implement this detection n In order for DLDP to detect fiber disconnection in one dir...

Page 213: ...ble state Disable packets carry only the local port information instead of the neighbor information When a port detects a unidirectional link and enters the disable state the port sends disable packet...

Page 214: ...ts with the RSY flag set or not set Advertisement Advertisement packets Probe Probe packets Table 144 The procedure to process a received DLDP packet Packet type Processing procedure Advertisement pac...

Page 215: ...remains in active state for more than five seconds and enters this status It is a stable state where no unidirectional link is found Probe DHCP sends packets to check whether the link is a unidirectio...

Page 216: ...when the entry aging timer expires DLDP sends an advertisement packet with an RSY tag and deletes the neighbor entry In the enhanced mode if no packet is received from the neighbor when the entry agin...

Page 217: ...s original DLDP state if it receives a port up message before the delaydown timer expires Otherwise it removes the DLDP neighbor information and changes to the inactive state Table 147 DLDP timers Tim...

Page 218: ...see if the neighbor information carried in the recover echo packet is consistent with that of the local port If yes the link between the local port and the neighbor is considered to be recovered to b...

Page 219: ...is 5 seconds Set the delaydown timer dldp delaydown timer delaydown time Optional By default the delaydown timer expires after 1 second it is triggered Set the DLDP handling mode when an unidirectiona...

Page 220: ...lization is high DLDP may issue mistaken reports You are recommended to configure the operating mode of DLDP as manual after unidirectional links are discovered For the dldp interval integer command m...

Page 221: ...etwork traffic increases and port bandwidth is reduced DLDP is also applicable to STP Discarding ports Ports discarded by STP can set up normal DLDP neighbors and detect unidirectional links DLDP does...

Page 222: ...nd Switch B are cross connected DLDP disconnects the unidirectional links after detecting them When the network administrator connects the fiber correctly the ports taken down by DLDP are restored Net...

Page 223: ...the fibers are not correctly connected When the fibers are cross connected both ends are unidirectional links and the two ends are displayed as in Disable status When one end is correctly connected a...

Page 224: ...224 CHAPTER 27 DLDP CONFIGURATION...

Page 225: ...itch queries its MAC address table for the forwarding port number according to the destination MAC address carried in the packet and then forwards the packet through the port The dynamic address entri...

Page 226: ...the destination device does not respond to the packet this indicates that the destination device is unreachable or that the destination device receives the packet but gives no response In this case t...

Page 227: ...152 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or not at reboot if the configuration is saved Static MAC address entry Manual...

Page 228: ...no aging keyword specifies that MAC address entries do not age out Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet switch to acquir...

Page 229: ...s The Switch 7750 learn MAC address entries in one of the following ways Through MAC address learning on the port By synchronizing MAC address entries between chips Table 156 Set the maximum number of...

Page 230: ...PT4GB0 LS8M1PT8GB0 LS81PT4GA and LS81PT8GA Setting the processing method for the specific packets You can use the following commands to configure whether or not the packets with destination MAC addres...

Page 231: ...amic MAC addresses to 500 seconds SW7750 mac address timer aging 500 Display the information about the MAC address entries in system view SW7750 display mac address interface Ethernet 2 0 2 MAC ADDR V...

Page 232: ...232 CHAPTER 28 MAC ADDRESS TABLE MANAGEMENT...

Page 233: ...hes authentication can be performed locally or through a RADIUS server 1 When a RADIUS server is used for authentication the switch serves as a RADIUS client Authentication is carried out through the...

Page 234: ...esses that the port can learn you are not allowed to enable the centralized MAC address authentication function on the port If a port is already enabled with the 802 1x function and the access control...

Page 235: ...zed MAC address authentication for a port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable ce...

Page 236: ...ation The period is determined by the Reauth period server Table 167 lists the operations to configure the timers used in centralized MAC address authentication Configuring Centralized MAC Address Re...

Page 237: ...s Authentication Configuration Example n Centralized MAC address authentication configuration is similar to that of 802 1x In this example the differences between the two lie in Centralized MAC addres...

Page 238: ...cation mode The user name and password are both 000fe2010101 Network diagram Figure 59 Enable to perform the MAC address authentication locally for access users Configuration Procedure Add a local acc...

Page 239: ...s Authentication Configuration Example 239 SW7750 mac authentication timer offline detect 180 SW7750 mac authentication timer quiet 30 For domain related configuration refer to the 802 1x Configuratio...

Page 240: ...240 CHAPTER 29 CENTRALIZED MAC ADDRESS AUTHENTICATION CONFIGURATION...

Page 241: ...he forwarding loads of different VLANs MSTP is compatible with both STP and RSTP It overcomes the drawback of STP and RSTP It not only enables spanning trees to converge rapidly but also enables packe...

Page 242: ...spanning tree in a MST region Multiple spanning trees can be established in one MST region These spanning trees are independent of each other For example each region in Figure 60 contains multiple spa...

Page 243: ...n in Figure 60 the region root of MSTI 1 is switch B and the region root of MSTI 2 is switch C Common root bridge The common root bridge is the root of the CIST The common root bridge of the network s...

Page 244: ...rts can be in the following three states Forwarding state Ports in this state can forward user packets and receive send BPDU packets Learning state Ports in this state can receive send BPDU packets Di...

Page 245: ...ing itself 1 Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from another switch If the priority of the configur...

Page 246: ...receive configuration messages and cannot forward packets Otherwise the switch sets the local port to the designated port replaces the original configuration BPDU of the port with the resulting one an...

Page 247: ...iguration Optional The default is recommended Network Diameter Configuration on page 252 MSTP time related configuration Optional The defaults are recommended MSTP Time related Configuration on page 2...

Page 248: ...tance 1 and VLAN 20 through VLAN 30 being mapped to spanning tree 2 SW7750 system view SW7750 stp region configuration SW7750 mst region region name info SW7750 mst region instance 1 vlan 2 to 10 SW77...

Page 249: ...s replaces the root bridge when the latter fails You can specify the network diameter and the Hello time parameters while configuring a root bridge secondary root bridge Refer to Network Diameter Conf...

Page 250: ...ge or a secondary root bridge by using the stp root primary or stp root secondary command the bridge priority of the switch is not configurable During the selection of the root bridge if multiple swit...

Page 251: ...ecreased by 1 every time the configuration BPDU passes a switch Such a mechanism disables the switches that are beyond the maximum hops from participating in spanning tree generation and thus limits t...

Page 252: ...dge diameter 6 MSTP Time related Configuration You can configure three MSTP time related parameters for a switch Forward delay Hello time and Max age The Forward delay parameter sets the delay of stat...

Page 253: ...t in normal links being regarded as invalid when packets get lost on them which in turn results in spanning trees being regenerated And a too small Hello time parameter may result in duplicated config...

Page 254: ...devices at the interval specified by the Hello time parameter to test the links Normally a switch regards its upstream switch faulty if the former does not receive any protocol packets from the latte...

Page 255: ...rts that neither directly connects to other switches nor indirectly connects to other switches through network segments After a port is configured as an edge port rapid transition is applicable to the...

Page 256: ...ted Configuration A point to point link directly connects two switches If the roles of the two ports at the two ends of a point to point link meet certain criteria the two ports can transit to the for...

Page 257: ...force false auto Required The auto keyword is adopted by default The force true keyword specifies that the links connected to the specified ports are point to point links The force false keyword speci...

Page 258: ...on specified ports stp interface interface list disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disabl...

Page 259: ...tus root branch or leaf of each switch in each spanning tree instance is determined Table 189 Leaf node configuration Operation Remarks Related section MSTP configuration Required To prevent network t...

Page 260: ...determined by switch or through manual configuration Standards for calculating path costs of ports Currently a switch can calculate the path costs of ports based on one of the following standards dot...

Page 261: ...2 ports Aggregated link 3 ports Aggregated link 4 ports 19 15 15 15 200 000 100 000 66 666 50 000 200 180 160 140 1 000 Mbps Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link...

Page 262: ...etermining the root port In the same condition ports with smaller port priority values are more potential to become the root port than those with bigger priority values A port on a MSTP enabled switch...

Page 263: ...256 MSTP Configuration Refer to MSTP Configuration on page 258 The mCheck Configuration As mentioned previously ports on an MSTP enabled switch can operate in three modes STP compatible RSTP compatibl...

Page 264: ...tion Configuration Introduction The following protection functions are available on an MSTP enabled switch BPDU protection root protection loop guard and topology change BPDU TC BPDU attack guard BPDU...

Page 265: ...d period Loop guard A switch maintains the states of the root port and other blocked ports by receiving and processing BPDUs from the upstream switch These BPDUs may get lost because of network conges...

Page 266: ...tion function and edge port setting only one can be valid on a port at one time BPDU Protection Configuration Configuration prerequisites MSTP is enabled on the current switch Configuration procedure...

Page 267: ...200 Enable the root guard function in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view Interface interface type interface number Enable the root...

Page 268: ...on such as region ID and configuration digest As some partners switches adopt proprietary spanning tree protocols they cannot interwork with other switches in an MST region even if they are configured...

Page 269: ...configured with exactly the same MST region related configurations including region name revision level and VLAN to MSTI mapping The digest snooping feature must be enabled on all the ports of your S...

Page 270: ...witch Figure 62 and Figure 63 illustrate the RSTP and MSTP rapid transition mechanisms Figure 62 The RSTP rapid transition mechanism Figure 63 The MSTP rapid transition mechanism Limitation on the com...

Page 271: ...tree protocol you can enable the rapid transition feature on the ports of the 3Com series switch operating as the downstream switch Among these ports those operating as the root ports will then send...

Page 272: ...operator s network comprises packet ingress egress devices and the user s network has networks A and B On the operator s network configure the arriving BPDU packets at the ingress to have MAC addresse...

Page 273: ...802 1x GVRP GMRP STP or NTDP enabled the BPDU Tunnel function is not applicable to these ports Network Network A Network B Customer networks Service provider network Packet input output device Packet...

Page 274: ...cs Table 208 Enable log trap output for ports of MSTP instance Operation Command Description Enter system view system view Enable log trap output for the ports of a specified instance stp instance ins...

Page 275: ...re configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively Switch C is configured as the root bridge of spanning tree instance 4 Network diagram Figure 66...

Page 276: ...guration Specify Switch B as the root bridge of spanning tree instance 3 SW7750 stp instance 3 root primary 3 Configure Switch C Enter MST region view SW7750 system view SW7750 stp region configuratio...

Page 277: ...operate as the access devices of the user s network that is Switch A and Switch B in the network diagram Switch C and Switch D connect to each other through the configured trunk port of the switch and...

Page 278: ...nd then enable the VLAN VPN function on it SW7750 interface Ethernet 1 0 1 SW7750 Ethernet1 0 1 port access vlan 10 SW7750 Ethernet1 0 1 stp disable SW7750 Ethernet1 0 1 vlan vpn enable SW7750 Etherne...

Page 279: ...1 0 2 SW7750 Ethernet1 0 2 port access vlan 10 SW7750 Ethernet1 0 2 stp disable SW7750 Ethernet1 0 2 vlan vpn enable SW7750 Ethernet1 0 2 quit Configure port Ethernet1 0 1 as a trunk port SW7750 inter...

Page 280: ...280 CHAPTER 30 MSTP CONFIGURATION...

Page 281: ...directly to the destination host if the host is on a network directly connected to the router Each entry in a routing table contains Destination address It identifies the address of the destination ho...

Page 282: ...the network where the destination resides In order to avoid an oversized routing table you can set a default route All the packets for which the router fails to find a matching entry in the routing ta...

Page 283: ...ng protocols may discover different routes to the same destination but only one route among these routes and the static routes is optimal In fact at any given moment only one routing protocol can dete...

Page 284: ...of the routes has the highest preference and is called primary route The other routes have descending preferences and are called backup routes Normally the router sends data through the main route Wh...

Page 285: ...will be discarded and the source hosts will be informed of the unreachability of the destination Blackhole route route with blackhole attribute If a static route destined for a destination has the bl...

Page 286: ...table will be forwarded through the default route Do not configure the next hop address of a static route to the address of an interface on the local switch The preference can be configured different...

Page 287: ...c route display ip routing table ip address mask longer match verbose Display the routes in a specified address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the r...

Page 288: ...atic 1 1 1 0 255 255 255 0 1 1 2 1 SwitchC ip route static 1 1 4 0 255 255 255 0 1 1 3 2 Configure the default gateway of Host A to 1 1 5 1 Detailed configuration procedure is omitted Configure the de...

Page 289: ...RIP manages a routing database which contains routing entries to all the reachable destinations in the internetwork Each routing entry contains the following information Destination address IP address...

Page 290: ...bors every 30 seconds Upon receiving the packets the neighbors maintain their own routing tables and select optimal routes and then advertise update information to their respective neighbors so as to...

Page 291: ...Setting RIP preference Optional Setting RIP preference on page 295 Enabling RIP traffic sharing across interfaces Optional Enabling RIP traffic sharing across interfaces on page 295 Configuring RIP to...

Page 292: ...e Specifying the RIP version on an interface Table 214 Enable RIP globally and on the interface of a specified network segment Operation Command Description Enter system view system view Enable RIP gl...

Page 293: ...rm the following tasks Configuring network layer addresses of interfaces so that adjacent nodes are reachable to each other at the network layer Configuring basic RIP functions Configuring RIP Route C...

Page 294: ...elp in route addressing but consume a lot of network resources After host route receiving is disabled a router can refuse any incoming host routes Set the additional routing metric to be added for inc...

Page 295: ...sharing across interfaces Table 220 Configure RIP to filter incoming outgoing routes Operation Command Description Enter system view system view Enter RIP view rip Configure RIP to filter incoming rou...

Page 296: ...an interface or link with special requirements Configuration Prerequisites Before adjusting RIP perform the following tasks Configuring the network layer addresses of interfaces so that adjacent node...

Page 297: ...for RIP 2 Setting RIP 2 packet authentication mode RIP 2 supports two authentication modes simple authentication and MD5 authentication Table 224 Configure RIP timers Operation Command Description En...

Page 298: ...ssword md5 rfc2453 key string rfc2082 key string key id Required If you specify to use MD5 authentication you must specify one of the following MD5 authentication types rfc2453 this type supports the...

Page 299: ...ion related to RIP is listed below Before the following configuration make sure the Ethernet link layer works normally and the IP addresses of VLAN interfaces are configured correctly 1 Configure Swit...

Page 300: ...configuration rip command to verify RIP is enabled on the interface with the network command Use the display this command in VLAN interface view to verify the undo rip work command was not executed o...

Page 301: ...OSPF supports multiple equivalent routes to the same destination Routing hierarchy OSPF has a four level routing hierarchy It prioritizes the routes as intra area inter area external type 1 and exter...

Page 302: ...gured the system will automatically select an IP address from the IP addresses of the interfaces as the router ID A router ID is selected in the following way if loopback interface addresses are confi...

Page 303: ...y After an AS is divided into different areas that are interconnected through OSPF ABRs The routing information between areas can be reduced through route summary This reduces the size of routing tabl...

Page 304: ...e network are not directly reachable to each other you must configure the corresponding interface type to P2MP If a router in the network has only one peer you can change the corresponding interface t...

Page 305: ...ead of being manually configured DR and BDR are elected by all the routers on the current network segment The priority of a router interface determines the qualification of the interface in DR BDR ele...

Page 306: ...R packets contain the digest of the needed LSAs LSU packet Link state update LSU packets are used to transmit the needed LSAs to the peer router An LSU packet is a collection of multiple LSAs complete...

Page 307: ...ogy in a stub area OSPF multi process Multiple OSPF processes can be run on a router Sharing discovered routing information with other dynamic routing protocols At present OSPF supports importing the...

Page 308: ...iguring OSPF Route Summary Optional Configuring OSPF Route Summary on page 314 Configuring OSPF to Filter Received Routes Optional Configuring OSPF to Filter Received Routes on page 314 Configuring th...

Page 309: ...OSPF Timers Optional Configuring OSPF Timers on page 317 Configuring the LSA transmission delay Optional Configuring the LSA transmission delay on page 318 Configuring the SPF Calculation Interval Opt...

Page 310: ...The undo protocol multicast mac enable command must be configured if Layer 2 Layer 3 multicast function is enabled in the system In router ID selection the priorities of the router IDs configured with...

Page 311: ...ith the backbone area and the backbone area must keep connectivity in itself If the physical connectivity cannot be ensured due to various restrictions you can configure OSPF virtual links to satisfy...

Page 312: ...ection in the network Thus the router with higher performance and reliability can be selected as a DR or BDR Configuration Prerequisites Before configuring the network type of an OSPF interface perfor...

Page 313: ...a neighbor has the right to vote If you specify the priority to 0 when configuring a neighbor the local router will believe that the neighbor has no right to vote and sends no Hello packet to it This...

Page 314: ...w system view Enter OSPF view ospf process id router id router id Enter area view area area id Enable ABR route summary abr summary ip address mask advertise not advertise Required This command takes...

Page 315: ...t for sending packets on an OSPF interface ospf cost value Optional By default OSPF calculates the cost for sending packets on an interface according to the current baud rate on the interface For a VL...

Page 316: ...ed when the interfaces transmit LSAs By Adjusting SPF calculation interval you can mitigate resource consumption caused by frequent network changes In a network with high security requirements you can...

Page 317: ...smission interval that is too short Otherwise unnecessary retransmission will occur LSA retransmission interval must be greater than the round trip time of a packet between two routers Table 242 Confi...

Page 318: ...you can disable multiple OSPF processes from transmitting OSPF packets The silent interface command however only applies to the OSPF interface where the specified process has been enabled without aff...

Page 319: ...MTU value of the interface is filled in the Interface MTU field of the DD packets Table 246 Configure OSPF authentication Operation Command Description Enter system view system view Enter OSPF view o...

Page 320: ...status changes Table 249 Configure OSPF MIB binding Operation Command Description Enter system view system view Configure OSPF MIB binding ospf mib binding process id Optional By default MIB is bound...

Page 321: ...Display OSPF statistics display ospf process id cumulative Display OSPF LSDB information display ospf process id area id lsdb brief asbr ase network nssa router summary ip address verbose originate ro...

Page 322: ...an interface1 ospf dr priority 0 SwitchB router id 2 2 2 2 SwitchB ospf SwitchB ospf 1 area 0 SwitchB ospf 1 area 0 0 0 0 network 196 1 1 0 0 0 0 255 Configure SwitchC SwitchC system view SwitchC inte...

Page 323: ...chB interface Vlan interface 1 SwitchB Vlan interface1 ospf dr priority 200 On SwitchA run the display ospf peer command to display its OSPF peers Note that the priority of SwitchB has been changed to...

Page 324: ...witchB Vlan interface1 ip address 196 1 1 2 255 255 255 0 SwitchB Vlan interface1 quit SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 197 1 1 2 255 255 255 0 SwitchB router id 2...

Page 325: ...routers reaches the FULL state Note On a broadcast or NBMA network if the interfaces between two routers are in DROther state the peer state machine between the two routers are in 2 way state instead...

Page 326: ...should be configured to be connected to the backbone area As shown in Figure 75 Router A and Router D are configured to belong to only one area whereas Router B Area 0 and Area 1 and Router C Area 1...

Page 327: ...ommunication between an ES and an IS therefore an ES does not participate in the IS IS process and can be ignored in the IS IS protocol Routing domain RD A group of ISs exchange routing information wi...

Page 328: ...ghbor relationship with the Level 2 and Level 1 2 routers in the same or in different areas It maintains a Level 2 LSDB which contains routing information for routing between areas All Level 2 routers...

Page 329: ...in this topology The backbone is composed of all contiguous Level 2 and Level 1 2 routers which can reside in different areas Figure 77 IS IS topology II n The IS IS backbone does not need to be a spe...

Page 330: ...tify the area and the routing domain In normal condition a router only needs one area address and all nodes must share the same area addresses in the same domain But a router can have three area addre...

Page 331: ...ed 47 0001 aaaa bbbb cccc 00 where Area 47 0001 System ID aaaa bbbb cccc SEL 00 Here is another example A NET exists that is named 01 1111 2222 4444 00 where Area 01 System ID 1111 2222 4444 SEL 00 IS...

Page 332: ...redistribution Optional Configuring IS IS Route Redistribution on page 335 Configure route filtering Optional Configuring Route Filtering on page 336 Configure route leaking Optional Configuring Route...

Page 333: ...342 Configure to discard LSPs with incorrect checksum Optional Configuring to Discard LSPs with Incorrect Checksum on page 342 Configure to log peer changes Optional Configuring to Log Peer Changes o...

Page 334: ...ea address and router system ID Enabling IS IS on the Specified Interface Configuring DIS Priority In a broadcast network IS IS needs to select a router as DIS When a DIS needs to be selected from the...

Page 335: ...figuring IS IS Route Redistribution IS IS processes the routes discovered by other routing protocols as routes outside a routing domain You can specify the default cost for IS IS to redistribute route...

Page 336: ...e of routes are to be filtered with the filter policy export command all the routes imported with the import route command will be filtered Table 258 Configure route redistribution Operation Command D...

Page 337: ...ystem assigns a priority for each routing protocol When multiple routing protocols discover a route to the same destination the protocol with the highest priority will dominate Table 261 Configure rou...

Page 338: ...ty of IS IS routes is 15 Table 264 Configure protocol priority Operation Command Description Table 265 Configure IS IS route cost style Operation Command Description Enter system view system view Ente...

Page 339: ...mand Description Enter system view system view Enter interface view interface interface type interface number Required Configure the CSNP packets sending interval in seconds isis timer csnp seconds le...

Page 340: ...thentication password is encapsulated in the LSP CSNP and PSNP packets at Level 1 as predefined If area authentication is also enabled on other routers in the same area area authentication works norma...

Page 341: ...to a mesh group The interfaces in the group will flood the new LSPs to only the interfaces outside the mesh group Table 273 Configure authentication Operation Command Description Enter system view sys...

Page 342: ...Refresh Time All LSPs are sent periodically to synchronize the LSPs in an area Add an interface to a mesh group isis mesh group mesh group numbe r mesh blocked Optional By default LSPs are flooded on...

Page 343: ...ions SPF calculation in IS IS may occupy system resources for a long time if the routing table contains a great number of entries over 30 000 To avoid this you can configure SPF calculation durations...

Page 344: ...n spf slice size seconds Optional By default SPF calculation is not sliced Table 283 Configure SPF to release CPU resources automatically Operation Command Description Enter system view system view En...

Page 345: ...B Switch C and Switch D belong to the same area Table 286 Reset configuration data of the IS IS peer Operation Command Description Enter system view system view Reset configuration data of an IS IS p...

Page 346: ...001 0000 0000 0006 00 SwitchB interface vlan interface 101 SwitchB Vlan interface101 ip address 200 10 0 1 255 255 255 0 SwitchB Vlan interface101 isis enable SwitchB interface vlan interface 102 Swit...

Page 347: ...lan interface100 isis enable Configure Switch D SwitchD isis SwitchD isis network entity 86 0001 0000 0000 0008 00 SwitchD interface vlan interface 102 SwitchD Vlan interface102 ip address 100 20 0 2...

Page 348: ...348 CHAPTER 35 IS IS CONFIGURATION...

Page 349: ...nsport layer protocol with the port number being 179 to ensure reliability BGP supports classless inter domain routing CIDR With BGP employed only the changed routes are propagated This saves network...

Page 350: ...tion is performed all the bits of this field are 1 Length 2 bytes in length This filed indicates the size in bytes of a BGP packet with the packet header counted in Type 1 byte in length This field in...

Page 351: ...sage format An Update message can advertise a group of reachable routes with the same path attribute These routes are set in the NLRI field The Path Attributes field carries the attributes of these ro...

Page 352: ...router it sends the whole BGP routing table to its peers to exchange routing information Afterwards BGP sends only Update messages instead of the whole table During the running BGP also sends receive...

Page 353: ...Peer and Peer Group Definition As described in BGP Routing Mechanism on page 352 two BGP speakers capable of exchanging BGP messages with each other are peers of each other A BGP peer group is a set...

Page 354: ...g information Optional Configuring BGP Route Receiving Policy on page 359 Configuring BGP IGP Route Synchronization Optional Configuring BGP IGP Route Synchronization on page 360 Configuring BGP route...

Page 355: ...m view system view Start BGP and enter BGP view bgp as number Required By default the system does not run BGP Enter multicast address family view ipv4 family multicast Required Table 290 Configure bas...

Page 356: ...the peers to establish multiple hop TCP connections between them Configuring the Way to Advertise Receive Routing Information Configuration Prerequisites Make sure the following operation is performe...

Page 357: ...GP peer routing tables BGP supports two route aggregation modes automatic aggregation mode and manual aggregation mode Automatic aggregation mode where IGP sub network routes imported by BGP are aggre...

Page 358: ...licy route policy name suppress policy route policy name Table 293 Enable default rout advertising Operation Command Description Enter system view system view Enable BGP and enter BGP view bgp as numb...

Page 359: ...ring policy configured Specify an AS path ACL based BGP filtering policy for a peer group peer group name as path acl acl number export IP prefix based BGP route filtering policy for a peer group peer...

Page 360: ...ng information Suppressed routes are neither added to the routing table nor advertised to other BGP peers Filter the routing information receivedfrom a peer peer group Specify an ACL based BGP route f...

Page 361: ...able 15 in minutes half life unreachable 15 in minutes reuse 750 suppress 2000 ceiling 16 000 Table 298 Configure BGP load balance Operation Command Description Enter system view system view Enable BG...

Page 362: ...oming from the neighbor routers in different ASs is disabled Configure the local address as the next hop address when a BGP router advertises a route peer group name next hop local Required In some ne...

Page 363: ...To make a new BGP routing policy taking effect you need to reset the BGP connection This temporarily disconnects the BGP connection In the Switch 7750 BGP supports the route refresh function With rou...

Page 364: ...address timer keepalive keepalive interval hold holdtime interval Configure the interval at which a peer group sends the same route update packet peer group name route update interval seconds Optiona...

Page 365: ...iple BGP routers In an AS to ensure the connectivity among IBGP peers you need to set up full connection among them When there are too many IBGP peers it will cost a lot in establishing a full connect...

Page 366: ...as the local AS number Add a peer to a peer group peer ip address group group name as number as number Create an EBGP peer group Create an EBGP peer group group group name external Optional You can ad...

Page 367: ...bgp as number Required By default the system does not operate BGP Configure the local router as the RR and configure the peer group as the client of the RR peer group name reflect client Required By d...

Page 368: ...table as path acl acl number Display routing information about CIDR display bgp multicast routing table cidr Display routing information about a specified BGP community display bgp multicast routing t...

Page 369: ...nd IBGP Network diagram Figure 84 Diagram for AS confederation Table 306 Reset BGP connection Operation Command Reset all BGP connections reset bgp all Reset the BGP connection with a specified peer r...

Page 370: ...nfed1001 external SwitchC bgp peer 172 68 10 1 group confed1001 as number 1001 SwitchC bgp group confed1002 external SwitchC bgp peer 172 68 10 2 group confed1002 as number 1002 SwitchC bgp group ebgp...

Page 371: ...igure SwitchB Configure VLAN2 SwitchB interface Vlan interface 2 SwitchB Vlan interface2 ip address 192 1 1 2 255 255 255 0 Configure VLAN3 SwitchB interface Vlan interface 3 SwitchB Vlan interface3 i...

Page 372: ...tchD Vlan interface4 ip address 194 1 1 2 255 255 255 0 Configure a BGP peer SwitchD bgp 200 SwitchD bgp group in internal SwitchD bgp peer 194 1 1 1 group in Use the display bgp routing table command...

Page 373: ...hA bgp group ex192 external SwitchA bgp peer 192 1 1 2 group ex192 as number 200 SwitchA bgp group ex193 external SwitchA bgp peer 193 1 1 2 group ex193 as number 200 SwitchA bgp quit Configure the ME...

Page 374: ...ate of neighbor Switch B 192 1 1 2 SwitchA bgp 100 SwitchA bgp peer ex193 route policy apply_med_50 export SwitchA bgp peer ex192 route policy apply_med_100 export 2 Configure Switch B SwitchB interfa...

Page 375: ...Switch B Switch D will choose the route 1 0 0 0 coming from Switch C If you do not configure MED attribute of Switch A when you configure Switch A but configure the local preference on Switch C as fol...

Page 376: ...kets If you cannot ping through the neighbor device check whether there is a route to the neighbor in the routing table If you can ping through the neighbor device check whether an ACL is configured t...

Page 377: ...cols The following sections describe these filters Route policy A route policy is used to match some attributes with given routing information and the attributes of the information will be set if the...

Page 378: ...used in BGP to define the matching conditions about AS path An as path contains a series of AS paths which are the records of routing information passed paths during BGP routing information exchange c...

Page 379: ...ake the test of the next node If not the system goes on the test of the next node The deny argument specifies that the matching mode for the defined node in the route policy is deny In this mode no ap...

Page 380: ...Enter system view system view Enter route policy view route policy route policy name permit deny node node number Define a rule to match the AS path field of BGP routing information if match as path...

Page 381: ...te of BGP routing information apply community none aa nn 1 13 no export subconfed no export no advertise additive Optional Define a action to set the next hop address of routing information apply ip n...

Page 382: ...tributes A router can decide whether to change community attributes before forwarding a route to other peer entity Community list is used to identify community information It falls in to two types bas...

Page 383: ...routing policy configuration IP Routing Policy Configuration Example Configuring IP Routing Policy Network requirements As shown in Figure 87 Switch A communicates with Switch B using OSPF protocol S...

Page 384: ...tic 40 0 0 1 255 0 0 0 12 0 0 2 Enable the OSPF protocol and specify the ID of the area to which the interface 10 0 0 1 belongs SwitchA system view SwitchA router id 1 1 1 1 SwitchA ospf SwitchA ospf...

Page 385: ...on Cost Type NextHop AdvRouter Area 10 0 0 0 8 10 Net 10 0 0 1 1 1 1 1 0 0 0 0 Routing for ASEs Destination Cost Type Tag NextHop AdvRouter 20 0 0 0 8 1 2 1 10 0 0 1 1 1 1 1 40 0 0 0 8 1 2 1 10 0 0 1...

Page 386: ...items are in the deny mode no route will pass the ip prefix filtering You can define the item permit 0 0 0 0 0 less equal 32 after multiple items in the deny mode for all other routes to pass the fil...

Page 387: ...efore the route capacity limitation implemented by a Switch 7750 applies to OSPF and BGP routes only but not to static and RIP routes When the free memory of the switch is equal to or lower than the l...

Page 388: ...cription Enter system view system view Set the lower limit and the safety value of switch memory memory safety safety value limit limit value Optional safety value defaults to 40 and limit value defau...

Page 389: ...88 Architecture of 802 1x authentication The supplicant system is an entity residing at one end of the LAN segment and is authenticated by the authenticator system connected to the other end of the L...

Page 390: ...d port and an uncontrolled port The uncontrolled port can always send and receive packets It mainly serves to forward EAPoL packets to ensure that a supplicant system can send and receive authenticati...

Page 391: ...m in turn determines the state authorized or unauthorized of the controlled port according to the instructions accept or reject received from the RADIUS server Encapsulation of EAPoL Messages The form...

Page 392: ...e authentication servers Network management related information such as alarming information is encapsulated in EAPoL Encapsulated ASF Alert packets which are terminated by authenticator systems The f...

Page 393: ...age fields The type code of the EAP message field is 79 Figure 93 The format of an EAP message field The Message authenticator field as shown in Figure 94 can be used to prevent interception of access...

Page 394: ...5 authentication procedure Figure 95 802 1x authentication procedure in EAP relay mode The detailed procedure is as follows A supplicant system launches an 802 1x client to initiate an access request...

Page 395: ...US access request packet with the locally encrypted password If the two match it will then send feedbacks through a RADIUS access accept packet and an EAP success packet to the switch to indicate that...

Page 396: ...equests for authentication The switch sends a unicast request identity packet to a supplicant system and then enables the transmission timer The switch sends another request identity packet to the sup...

Page 397: ...ch quiets for the set period set by the quiet period timer before it processing another 802 1x relatedauthentication request initiated by the supplicant system ver period This timer sets the client ve...

Page 398: ...logging in This function makes the switch to send version requesting packets again if the 802 1x client fails to send version reply packet to the switch before the version checking timer times out n...

Page 399: ...ass the authentication through 802 1x client if they provide the user names and passwords that match with those stored in the switches You can also specify to adopt RADIUS authentication scheme with a...

Page 400: ...latest time value obtained as the authentication interval After re authentication is enabled on a port you cannot change the dynamic VLAN delivery attribute value for the port if you do so the re aut...

Page 401: ...ers for specified ports In system view dot1x max user user number interface interface list Optional By default up to 1 024 concurrent on line users are allowed on each port In port view dot1x max user...

Page 402: ...ted in Table 320 takes effect only when it is performed on CAMS as well as on the switch and the client version checking function is enabled on the switch by the dot1x version check command Configurin...

Page 403: ...rify the 802 1x related configuration by executing the display command in any view You can clear 802 1x related statistics information by executing the reset command in user view Configure the client...

Page 404: ...accounting server The other operates as the secondary authentication server and primary accounting server The password for the switch and the authentication RADIUS servers to exchange message is name...

Page 405: ...Configuration on page 525 for information about these commands Configuration on the client and the RADIUS servers is omitted Enable 802 1x globally SW7750 system view System View return to User View w...

Page 406: ...the timer for the switch to send real time accounting packets to the RADIUS servers SW7750 radius radius1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with the do...

Page 407: ...Configuration Example 407 Create a local access user account SW7750 local user localuser SW7750 luser localuser service type lan access SW7750 luser localuser password simple localpass...

Page 408: ...408 CHAPTER 39 802 1X CONFIGURATION...

Page 409: ...tion and to be forwarded between HABP enabled switches Therefore the management devices can get the MAC addresses of their attached switches to manage them effectively HABP is implemented by HABP serv...

Page 410: ...ets of all the VLANs Configure the current switch to be an HABP server habp server vlan vlan id Required By default a switch operates as an HABP client after you enable HABP on the switch and if you w...

Page 411: ...abled globally Enable the 802 1x on GigabitEthernet2 0 2 SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 dot1x 802 1x is enabled on port GigabitEthernet2 0 2 2 Configure Switch A En...

Page 412: ...412 CHAPTER 40 HABP CONFIGURATION...

Page 413: ...n security legal use of paid services and network bandwidth In the network packets are sent in three modes unicast broadcast and multicast The following sections describe and compare data interaction...

Page 414: ...erver broadcasts this information through routers and users A and C on the network also receive this information The security and payment of the information cannot be guaranteed As we can see from the...

Page 415: ...he information is correctly delivered to users B D and E The advantages of multicast over unicast are as follows No matter how many receivers exist there is only one copy of the same multicast data fl...

Page 416: ...iciency Multicast decreases network traffic and reduces server load and CPU load Optimal performance Multicast reduces redundant traffic Distributive application Multicast makes multiple point applica...

Page 417: ...mmunication between the information source and members of a multicast group a group of information receivers network layer multicast addresses namely IP multicast addresses must be provided In additio...

Page 418: ...lticast groups The IP address 224 0 0 0 is reserved Other IP addresses can be used by routing protocols 224 0 1 0 to 231 255 255 255 233 0 0 0 to 238 255 255 255 Available any source multicast ASM mul...

Page 419: ...der 23 bits of a MAC address are the low order 23 bits of the multicast IP address Figure 103 describes the mapping relationship Figure 103 Mapping relationship between multicast IP address and multic...

Page 420: ...omain routes Intra domain multicast routes have been quite mature Protocol independent multicast PIM is the most commonly used protocol currently PIM transmits information to receivers by means of mul...

Page 421: ...routing protocols Based on source addresses multicast routers judge whether multicast packets come from specified interfaces that is RPF check determines whether inbound interfaces are correct by comp...

Page 422: ...422 CHAPTER 41 MULTICAST OVERVIEW...

Page 423: ...e VLAN where the receiving port resides In this way the multicast source in the VLAN gets aware of the existence of the multicast group member When the multicast source sends multicast packets to a gr...

Page 424: ...configuration Configuration procedure Configure SwitchA Enable GMRP globally SW7750 system view SW7750 gmrp GMRP is enabled globally Enable GMRP on the port SW7750 interface Ethernet 2 0 1 SW7750 Ethe...

Page 425: ...GMRP Configuration Example 425 SW7750 interface Ethernet 2 0 1 SW7750 Ethernet2 0 1 gmrp GMRP is enabled on port Ethernet 2 0 1...

Page 426: ...426 CHAPTER 42 GMRP CONFIGURATION...

Page 427: ...d from the router As shown in Figure 106 multicast packets are broadcasted at Layer 2 when IGMP Snooping is disabled and multicast at Layer 2 when IGMP Snooping is enabled Figure 106 Multicast packet...

Page 428: ...ulticast MAC address Figure 107 IGMP Snooping implementation To implement Layer 2 multicast the switch processes four different types of IGMP messages it received as shown in Table 335 Table 334 IGMP...

Page 429: ...queried IGMP host report message Host Multicast router and multicast switch Apply for joining a multicast group or respond to an IGMP query message Chec k if the IP multi cast group has a corres pond...

Page 430: ...bers and enable the corresponding query timer If the multicast groupresponds the switch checks whether the port is the last host port corresponding to the MAC multicast group If yes remove the corresp...

Page 431: ...zing the network topology Configure timers Optional Configuring Timers on page 432 Enable IGMP fast leave Optional Enabling IGMP Fast Leave for a Port or All Ports on page 432 Configure IGMP Snooping...

Page 432: ...ry to the port and enables the query response timer of the IP multicast group Enabling IGMP Fast Leave for a Port or All Ports Normally when receiving an IGMP Leave message the switch does not immedia...

Page 433: ...If yes it adds the port to the forward port list of the multicast group If not it drops the IGMP report message and does not forward the corresponding data stream to the port In this way you can cont...

Page 434: ...layer This router or Layer 3 switch is called IGMP querier Enable IGMP Snooping filter in system view igmp snooping group policy acl number vlan vlan list Required You can configure the ACL to filter...

Page 435: ...s enabled in a query interval the Layer 2 switch will forward only the first IGMP host report message from a multicast group to the Layer 3 switch and drop the other IGMP host report messages from the...

Page 436: ...nsure that the IGMP entry does not age out When the simulated joining function is disabled on an Ethernet port the simulated host sends an IGMP leave message Therefore to ensure that IGMP entries will...

Page 437: ...y if multicast VLAN is configured Perform the following configuration to configure multicast VLAN c CAUTION You can configure up to 5 multicast VLANs for the device A multicast VLAN cannot be configur...

Page 438: ...nooping enable Table 350 Display information about IGMP Snooping Operation Command Description Display the current IGMP Snooping configuration display igmp snooping configuration You can execute the d...

Page 439: ...abled Switch B Layer 3 switch GigabitEthernet 2 0 1 GigabitEthernet 2 0 2 GigabitEthernet 2 0 3 Router A Switch C Switch D GigabitEthernet 2 0 1 belongs to VLAN 1024 GigabitEthernet 2 0 2 is a trunk p...

Page 440: ...the corresponding VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If i...

Page 441: ...rmation in the network You can configure the suppression on the multicast source port feature to filter multicast packets on the unauthorized multicast source port so as to prevent the users connected...

Page 442: ...le 353 Enable multicast routing and configure limit on the number of multicast route entries Operation Command Description Enter system view system view Enable multicast routing multicast routing enab...

Page 443: ...sers usually configure both primary and secondary links over a connection in order to avoid communication interruption due to link failure When the primary link fails the secondary link can replace it...

Page 444: ...rface interface type interface number Configure static router ports multicast static router port vlan vlan id Required Operation Command Description Enter system view system view Enter VLAN view vlan...

Page 445: ...he statistics information about the suppression on the multicast source port display multicast source deny interface interface type interface number You can execute the display commanding any view If...

Page 446: ...mask mask length source address mask group mask mask length incoming interface interfa ce type interface number register You can execute the display commanding any view Display the information about t...

Page 447: ...icast MAC address entries created by the mac address multicast command manually however it cannot be used to delete the multicast MAC address entries learned by the switch If you want to add a port to...

Page 448: ...MAC ADDRESS TABLE CONFIGURATION Table 361 Display the multicast MAC addresses Operation Command Description Display the static multicast MAC addresses display mac address multicast count You can use...

Page 449: ...IGMP is asymmetric between the host and the router The host needs to respond to the IGMP query messages of the multicast routers that is report message responses as an IGMP host The multicast router...

Page 450: ...Version 2 It is used to dynamically adjust the maximum time for a host to respond to the membership query message Working Procedure of IGMP The working procedure of IGMP is as follows The receiver ho...

Page 451: ...osts in the network want to join in another multicast group G2 they will send IGMP host report messages about G2 to respond to the query messages After the query response process the IGMP routers get...

Page 452: ...n to the multicast router The multicast router relies on IGMP query response timeout to know whether a group no longer has members This adds to the leave latency In IGMPv2 on the other hand when a hos...

Page 453: ...l on VLAN interface 1 Configure the pim neighbor policy command to filter PIM neighbors in the network segment 33 33 33 0 24 That is Switch A does not consider Switch B as its PIM neighbor In this cas...

Page 454: ...g IGMP Query Packets on page 454 Configure IGMP multicast groups on the interface Optional Configuring IGMP Multicast Groups on the Interface on page 456 Configure IGMP simulated joining Optional Conf...

Page 455: ...value x seconds time it will maintain the membership of the group If the IGMP querier does not receive IGMP join messages from other hosts after the robust value x seconds time it considers the group...

Page 456: ...nabled globally IGMP is enabled on all the layer 3 interfaces automatically Configure the query interval igmp timer query seconds Optional The query interval is 60 seconds by default Configuring the i...

Page 457: ...t routing enable Required Enter VLAN interface view interface Vlan interface interface number Enable IGMP on the current interface igmp enable By default if the IP multicast routing protocol is enable...

Page 458: ...face view first Limit the range of multicast groups that the interface serves igmp group policy acl number vlan vlan id Optional By default the filter is not configured that is any multicast group is...

Page 459: ...ed for one interface Configuring Suppression on IGMP Host Report Messages When a Layer 2 switch receives an IGMP host report message from a host in a multicast group the switch will forward the messag...

Page 460: ...Configure suppression on IGMP host report messages Operation Command Description Enter system view system view Configure suppression on IGMP host report messages igmp report aggregation Required By de...

Page 461: ...d the related resources bandwidth and the CPU of the router are consumed at the same time In order to reduce the network resource consumption PIM DM prunes the branches which do not forward multicast...

Page 462: ...d forward the packet to all the downstream PIM DM nodes That is the process of flooding If not that is the router considers that the multicast packets travel into the router through incorrect interfac...

Page 463: ...forwarding tree from the data source S based on the existing unicast routing table static multicast routing table and MBGP routing table The procedure is as follows When a multicast packet arrives th...

Page 464: ...the upstream neighbor of the S G entry which is responsible for forwarding the S G multicast packets The unselected routers will prune the corresponding interfaces to disable the information forwardi...

Page 465: ...receiver PIM SM is independent of the special unicast routing protocol Instead it performs RPF check based on the existing unicast routing table Work Mechanism of PIM SM The working procedure of PIM...

Page 466: ...ple network there is only little multicast information One RP is enough for information forwarding In this case you can statically specify the position of RP in each router in the SM domain However PI...

Page 467: ...itself as BSR any more Otherwise the candidate BSR will keep its own BSR address and continue to consider itself as BSR The positions of RPs and BSRs in the network are as shown in Figure 115 Figure 1...

Page 468: ...to the receiver will send Prune messages to RP hop by hop in the direction reverse to RPT When the first upstream router receives the Prune message it will delete the links with the downstream router...

Page 469: ...reaches the router nearest to the multicast source namely the first hop router hop by hop and all the passed routers have the S G entry As a result a branch of SPT is built Then the last hop router se...

Page 470: ...PIM neighbors Optional Configuring PIM Neighbors on page 471 Clear the related PIM entries Optional Clearing the Related PIM Entries on page 471 Table 373 Enable PIM DM PIM SM on the interface Operati...

Page 471: ...l multicast routing enable Required Enter VLAN interface view interface Vlan interface interface number Enable PIM DM PIM SM on the current interface pim dm pim sm Required Configure the PIM protocol...

Page 472: ...guring BSR RP Table 377 Configure filtering policies for multicast source group Operation Command Description Enter system view system view Enable the multicast routing protocol multicast routing enab...

Page 473: ...interface number hash mask len priority Optional By default candidate BSRs are not set for the switch and the value of priority is 0 Configure candidate RPs c rp interface type interface number group...

Page 474: ...network can be effectively divided into domains using different BSRs Filtering the Registration Packets from RP to DR Through the registration packet filtering mechanism in PIM SM network you can dete...

Page 475: ...t hop switch performs RPT to SPT switchover upon receiving the first multicast packet The infinity keyword specifies that RPT to SPT switchover never takes place Displaying and Debugging PIM After com...

Page 476: ...les display pim routing table g group address mask mask length mask rp rp address mask mask length mask group address mask mask length mask source address mask mask length mask incoming interface inte...

Page 477: ...interface 20 Lanswitch2 system view Lanswitch2 multicast routing enable Lanswitch2 interface Vlan interface 11 Lanswitch2 Vlan interface11 pim dm Lanswitch2 Vlan interface11 quit Lanswitch2 interface...

Page 478: ...SM on each interface and enable IGMP on Vlan interface 11 SW7750 system view SW7750 multicast routing enable SW7750 interface Vlan interface 10 SW7750 Vlan interface10 pim sm SW7750 Vlan interface10...

Page 479: ...LS_D cannot receive BSR information from LS_B any mote that is LS_D is excluded from the PIM domain Configure LS_C The configuration on LS_C is similar to the configuration on LS_A Troubleshooting PIM...

Page 480: ...480 CHAPTER 47 PIM CONFIGURATION...

Page 481: ...to local receivers If there is a mechanism that allows RPs of different PIM SM domains to share their multicast source information the local RP will be able to join multicast sources in other domains...

Page 482: ...ied in the message and joins the SPT rooted at the source across the PIM SM domain When multicast data from the multicast source arrives the receiver side MSDP peer forwards the data to the receivers...

Page 483: ...gets aware of the information related to the multicast source 2 As the source side RP RP 1 creates SA messages and periodically sends the SA messages to its MSDP peer An SA message contains the source...

Page 484: ...o longer relies on RPs in other PIM SM domains The receivers can override the RPs in other domains and directly join the multicast source based SPT RPF check rules for SA messages As shown in Figure 1...

Page 485: ...P 6 receives the SA messages from RP 4 and RP 5 suppose RP 5 has a higher IP address Although RP 4 and RP 5 are in the same SA AS 3 and both are MSDP peers of RP 6 because RP 5 has a higher IP address...

Page 486: ...as this RP In this example Receiver joins the RPT rooted at RP 2 3 RPs share the registered multicast information by means of SA messages In this example RP 1 creates an SA message and sends it to RP...

Page 487: ...only one MSDP peer known as a stub area the BGP or MBGP route is not compulsory SA messages are transferred in a stub area through the static RPF peers In addition the use of static RPF peers can avo...

Page 488: ...om outside the mesh group it sends them to other members of the group On the other hand a mesh group member does not perform RPF check on SA messages from within the mesh group and does not forward th...

Page 489: ...peers to each other To prevent failure of RPF check on SA messages between MSDP peers you must configure the RP address to be carried in the SA messages n In Anycast RP application C BSR and C RP must...

Page 490: ...icast data must be encapsulated in the SA message otherwise the receiver will never receive the multicast source information By default when a new receiver joins a router does not send any SA request...

Page 491: ...SA request message the router will get immediately a response from all active multicast sources By default the router does not send any SA request message to its MSDP peers upon receipt of a Join mess...

Page 492: ...default an MSDP peer receives and forwards all SA messages MSDP inbound outbound filter implements the following functions Filtering out all S G entries Receiving forwarding only the SA messages permi...

Page 493: ...onfiguration In user view you can execute the reset command to reset the MSDP counter Configure to filter SA messages to be received or forwarded peer peer address sa policy import export acl acl numb...

Page 494: ...p is established between the RPs based on BGP routes within each PIM SM network Loopback 0 on Switch C Switch D and Switch E functions as the C BSR and C RP of its own PIM SM domain respectively An MS...

Page 495: ...each interface according to Figure 124 The details are omitted here 2 Enable multicast and enable PIM SM on each interface Enable multicast on SwitchC and enable PIM SM on all interfaces Switch C is...

Page 496: ...tion of C BSRs and C RPs Configure the interface Loopback0 on Switch C Switch D and Switch F and configure the locations of C BSRs and C RPs Switch C is taken for example The configuration procedures...

Page 497: ...168 1 1 100 4 0 1 4 00 01 05 Established 192 168 3 1 200 4 0 0 0 00 00 05 Active Carry out the display bgp routing table command to view the BGP routing table information on the switches The BGP rout...

Page 498: ...192 168 3 2 Up 00 15 32 200 8 0 SwitchD display msdp brief MSDP Peer Brief Information Peer s Address State Up Down time AS SA Count Reset Count 192 168 3 1 UP 01 07 08 200 8 0 192 168 1 1 UP 00 06 39...

Page 499: ...In the PIM SM domain configure the interface IP addresses on the switches and interconnect the switches through OSPF Configure the IP address and mask of each interface according to Figure 125 The det...

Page 500: ...pim c bsr loopback 10 32 SwitchC pim c rp loopback 10 SwitchC pim quit When the multicast source S1 in the PIM SM domain sends multicast information receivers on Switch D can receive multicast informa...

Page 501: ...Count 1 1 1 1 Up 00 10 18 0 0 Configuration Example of a PIM Stub Domain Network requirements Two ISPs maintains their ASs AS 100 and AS 200 respectively OSPF is running within each AS and BGP is run...

Page 502: ...n Figure 126 The detailed configuration steps are omitted 2 Enable multicast and enable PIM SM on each interface Enable multicast on all the switches and enable PIM SM on each interface The configurat...

Page 503: ...tch D and Switch F are similar to the configuration procedure on Switch C so the configuration procedures are omitted SwitchC pim SwitchC pim c bsr loopback 0 32 SwitchC pim c rp loopback 0 SwitchC pi...

Page 504: ...is configured but it is always in the down state Analysis An MSDP peer relationship between the locally configured connect interface interface address and the configured peer address is based on a TC...

Page 505: ...entries of the local multicast domain through SA messages verify that the import source command is configured correctly Solution 1 Check the connectivity of the route between the routers Use the displ...

Page 506: ...506 CHAPTER 48 MSDP CONFIGURATION...

Page 507: ...s configured on this device Local authentication is fast and requires lower operational cost But the information storage capacity is limited by device hardware Remote authentication Users are authenti...

Page 508: ...ISP domain view Introduction to RADIUS AAA is a management framework It can be implemented by not only one protocol But in practice the most commonly used protocol for AAA is RADIUS What is RADIUS RA...

Page 509: ...RADIUS client a switch for example and the RADIUS server are verified by using a shared key This enhances the security The RADIUS protocol combines the authentication and authorization processes toget...

Page 510: ...pts or denies the user depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type filed set to st...

Page 511: ...k This packet carries user information It must contain the User Name attribute and may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server clien...

Page 512: ...otocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Figure 130 depicts the structure of attribute 26 The Vendor ID field representing the code...

Page 513: ...cal HWTACACS application a dial up or terminal user needs to log in to the device for operations As the client of HWTACACS in this case the switch sends the username and password to the TACACS server...

Page 514: ...HWTACACS server HWTACACS server TACACS server User TACACS client Requests to log in Authentication start request Authentication response requesting username Requests username Enters username Authenti...

Page 515: ...ntication continuance packet carrying the login password to the TACACS server 6 The TACACS server sends back an authentication response indicating that the user has passed the authentication 7 The TAC...

Page 516: ...for the ISP domain Required If local authentication is adopted refer to Configuring the Attributes of a Local User on page 523 If RADIUS authentication is adopted refer to RADIUS Configuration on page...

Page 517: ...age 528 Configure the supported RADIUS server type Optional Configuring the Supported RADIUS Server Type on page 528 Configure the status of RADIUS servers Optional Configuring the Status of RADIUS Se...

Page 518: ...heme Required Creating a HWTACACS Scheme on page 532 Configure HWTACACS authentication servers Required Configuring HWTACACS Authentication Servers on page 532 Configure HWTACACS authorization servers...

Page 519: ...iption Enter system view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name Required Activate deactivate the ISP domain state active block Optional By default...

Page 520: ...scheme name local command the local scheme becomes the secondary scheme in case the RADIUS server does not response normally That is if the communication between the switch and the RADIUS server is no...

Page 521: ...orization and accounting schemes the separate ones will be adopted in precedence RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attentio...

Page 522: ...with the assigned ID and then adds the port to the newly created VLAN String If the RADIUS server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon...

Page 523: ...Create an ISP domain and enter its view domain isp name Set the VLAN assignment mode vlan assignment mode inte ger string Optional By default the VLAN assignment mode is integer Create a VLAN and ente...

Page 524: ...cut down the connection Authorize the user to access the specified type s of service s service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize th...

Page 525: ...ion exchange between the switch and the RADIUS servers To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view For specific con...

Page 526: ...Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created...

Page 527: ...fails to perform accounting it cuts down the connection of the user The IP address and the port number of the default primary accounting server system are 127 0 0 1 and 1646 Currently RADIUS does not...

Page 528: ...restores the communication with the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to the active state while keeping...

Page 529: ...ting block active Set the status of the secondary RADIUS authentication authori zation server state secondary authentication block active Set the status of the secondary RADIUS accounting server state...

Page 530: ...uthentication servers including the default local RADIUS authentication server Configuring the Timers of RADIUS Servers If the switch gets no response from the RADIUS server after sending out a RADIUS...

Page 531: ...art function is designed to resolve the above problem After this function is enabled every time the switch restarts 1 The switch generates an Accounting On packet which mainly contains the following i...

Page 532: ...rotocol is configured scheme by scheme Therefore you must create a HWTACACS scheme and enter HWTACACS view before you perform other configuration tasks c CAUTION The system supports up to 16 HWTACACS...

Page 533: ...rt number of the secondary TACACS authentication server secondary authentication ip address port Required By default the IP address of the secondary authentication server is 0 0 0 0 and the port numbe...

Page 534: ...y TACACS accounting server primary accounting ip address port Required By default the IP address of the primary accounting server is 0 0 0 0 and the port number is 0 Set the IP address and port number...

Page 535: ...names Set the units of measure for data flows sent to TACACS servers data flow format data byte giga byte kilo byte mega byte Optional By default in a TACACS scheme the unit of measure for data is by...

Page 536: ...ay command in any view Display the information about user connections display connection access type dot1x domain domain name interface interface type interface number ip ip address mac mac address ra...

Page 537: ...the RADIUS protocol reset radius statistics Table 427 Display and maintain HWTACACS protocol information Operation Command Description Display the configuration or statistic information about one spec...

Page 538: ...user names and login passwords The Telnet user name added to the RADIUS server must be in the format of userid isp name if you have configure the switch to include domain names in the user names to b...

Page 539: ...of Telnet users The following description only takes the local authentication of Telnet users as example Network requirements In the network environment shown in Figure 134 you are required to configu...

Page 540: ...ith the configuration in RADIUS scheme TACACS Authentication Authorization and Accounting of Telnet Users Network requirements You are required to configure the switch so that the Telnet users logging...

Page 541: ...n is specified on the switch Use the correct user name format or set a default ISP domain on the switch The user is not configured in the database of the RADIUS server Check the database of the RADIUS...

Page 542: ...properly set Be sure to set a correct port number for RADIUS accounting The switch requests that both the authentication authorization server and the accounting server use the same device with the sa...

Page 543: ...led the switch determines the validity of session control packets it receives according to the source IP address of the packets Only those session control packets sent from the authentication server a...

Page 544: ...ard the security policy server reissues an ACL to the switch to assign the access right to the client EAD Configuration Configuration prerequisites EAD is implemented typically in RADIUS scheme Before...

Page 545: ...erver Configure the authentication server type to extended Configure the encryption password for exchanging messages between the switch and RADIUS server to expert Configure the IP address of the secu...

Page 546: ...radius cams primary authentication 10 110 91 164 1812 SW7750 radius cams key authentication expert SW7750 radius cams accouting optional SW7750 radius cams server type extended Configure the IP addre...

Page 547: ...ss configured for a traffic group You can configure some network addresses for a traffic group and then traffic generated by accessing these addresses will be accounted Traffic collection module an in...

Page 548: ...ffic accounting module periodically sends update traffic accounting statistics to the accounting server 7 When the user goes offline the authenticator device sends the total traffic amount to the acco...

Page 549: ...raffic collection card Traffic slot slot num Required Enable the traffic accounting function accounting enable Required By default this function is disabled on the traffic accounting module Table 430...

Page 550: ...traffic group somegroup Configure the following two destination network IP addresses for the traffic accounting group SW7750 traffic group somegroup network 11 127 1 0 24 SW7750 traffic group somegrou...

Page 551: ...roup rate 1 SW7750 isp aaa quit Configure the traffic accounting module specify the traffic collection module and enable the traffic accounting function SW7750 traffic accounting accounting slot 2 SW7...

Page 552: ...552 CHAPTER 51 TRAFFIC ACCOUNTING CONFIGURATION...

Page 553: ...o the Layer 3 Switch implementing communication between these hosts and the external network If Switch fails all the hosts on this segment taking Switch as the next hop through the default routes are...

Page 554: ...etween the hosts and the external networks This ensures the communications between the hosts and the external networks Virtual Router Overview After you enable VRRP on the switches of a backup group a...

Page 555: ...ready enabled the system does not support this configuration By default virtual router IP addresses are mapped to the virtual MAC address of a backup group n When you map a virtual IP address to the v...

Page 556: ...thentication key should not exceed eight characters In a vulnerable network the authentication type can be set to md5 The switch then uses the authentication type provided by the Authentication Header...

Page 557: ...s a result other switch in the backup group may have a higher priority than this switch and therefore take over the role as a master switch n The Ethernet port tracked can be in or out of the VLAN in...

Page 558: ...ted parameters Operation Command Description Enter system view system view Create a VLAN vlan vlan id Quit to system view quit Enter VLAN interface view interface Vlan interface valn id Configure the...

Page 559: ...mode enabled Table 436 Display and Maintain VRRP Operation Command Description Display the VRRP statistics information display vrrp statistics interface interface type interface number vrid virtual r...

Page 560: ...1 255 255 255 0 LSW A Vlan interface2 quit Enable a backup group to respond to ping operations destined for its virtual router IP address LSW A vrrp ping enable Create a backup group LSW A interface V...

Page 561: ...ackup group LSW B Vlan interface2 vrrp vrid 1 preempt mode The IP address of the default gateway of Host A can be configured to be 202 38 160 111 Normally Switch A functions as the gateway but when Sw...

Page 562: ...address 202 38 160 1 255 255 255 0 LSW A Vlan interface2 quit Configure that the virtual router can be pinged LSW A vrrp ping enable Create a backup group LSW A interface Vlan interface 2 LSW A Vlan...

Page 563: ...erface 2 LSW B Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set the authentication key for the backup group LSW B Vlan interface2 vrrp vrid 1 authentication mode md5 abc123 Set the master to...

Page 564: ...rnet 1 0 6 LSW A vlan2 quit LSW A interface Vlan interface 2 LSW A Vlan interface2 ip address 202 38 160 1 255 255 255 0 Create backup group 1 LSW A Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 1...

Page 565: ...group or the attempt of other devices sending out illegal VRRP packets The first possible fault can be solved through modifying the configuration And as the second possibility is caused by the malici...

Page 566: ...GURATION Symptom 3 VRRP state of a switch changes repeatedly Such problems occur when the backup group timer duration is too short They can be solved through prolonging the duration or configuring the...

Page 567: ...nually switchover master slave You can change the current module state manually by executing command c CAUTION The HA feature of the Switch 7758 can detect the software upgrade of the two Fabric with...

Page 568: ...lave module works normally you can set the slave system restart manually Perform the following configuration in user view Performing the Master Slave Switchover Manually When the slave module is avail...

Page 569: ...nfiguration file to the slave module only if the slave system operates normally The configuration file will be fully copied at each time the operation is executed Displaying HA After the above configu...

Page 570: ...570 CHAPTER 53 HA CONFIGURATION...

Page 571: ...re All fields except for the target hardware address field are used in an ARP request The target hardware address is just what the sender wants to obtain All fields are used in an ARP reply Figure 146...

Page 572: ...tes Protocol address length Length of the protocol address in bytes Operation code Type of the packet which can be 1 ARP request 2 ARP reply 3 RARP request 4 RARP reply Sender hardware address Hardwar...

Page 573: ...ddress and MAC address carried in the request IP_A and MAC_A of Host A in an entry to its ARP table and then returns an ARP reply packet to the sender Host A with its MAC address carried in the packet...

Page 574: ...This prevents traffic interruption as mentioned above How gratuitous ARP update interval works A switch periodically sends gratuitous ARP packets that carry the master IP address and secondary IP add...

Page 575: ...on a trusted port Introduction to ARP Source Suppression With the ARP source suppression function the switch classifies incoming ARP packets and limits the maximum number of ARP packets with the same...

Page 576: ...iguring the Aging Time for Dynamic ARP Entries on page 577 Configure ARP entry checking Optional Configuring ARP Entry Checking on page 577 Enabling ARP forwarding in the protocol based VLAN Optional...

Page 577: ...to MAC resolutions Enter port view interface interface type interface number Configure the maximum number of dynamic ARP entries that can be learnt by the port arp max dynamic entry number Optional I...

Page 578: ...Enter system view system view Enable gratuitous ARP learning gratuitous arp learning enable Required Disabled by default Table 455 Configure the gratuitous ARP update interval Operation Command Descr...

Page 579: ...port is 15pps Configure the port state auto recovery interval arp protective down recover interval time Optional 300 seconds by default Configure the port as a trusted port for ARP packet rate limit a...

Page 580: ...splay command in any view Display ARP entries display arp static dynamic ip address Display the ARP entries matching a specified rule display arp begin include exclude text Display the number limits o...

Page 581: ...on the ports of Switch A and set the recovery interval to 200 seconds Network diagram Figure 147 ARP packet rate limit configuration Configuration procedure Enable DHCP snooping on Switch A SwitchA s...

Page 582: ...582 CHAPTER 54 ARP CONFIGURATION SwitchA arp protective down recover interval 200...

Page 583: ...wo hosts cannot communicate With proxy ARP enabled on the switch when VLAN interface 3 receives the ARP request if the switch finds a route to the destination IP address encapsulated in the ARP reques...

Page 584: ...en isolate user vlan function is enabled on the Layer 2 switches connected with the Switch 7750 ports in the same VLAN are isolated with each other at Layer 2 To provide Layer 3 connectivity between L...

Page 585: ...e3 quit Configure the IP address of VLAN interface 4 as 192 168 1 27 24 Switch interface Vlan interface 4 Switch Vlan interface4 ip address 192 168 1 27 24 Switch Vlan interface4 quit Enable proxy ARP...

Page 586: ...Switch vlan10 supervlan Switch vlan10 subvlan 2 3 Switch vlan10 interface vlan interface 10 Switch Vlan interface10 ip address 192 168 10 100 255 255 0 0 Switch Vlan interface10 quit Enable proxy ARP...

Page 587: ...lan 2 SwitchB vlan2 port ethernet 2 0 2 SwitchB vlan2 quit SwitchB vlan 3 SwitchB vlan3 port ethernet 2 0 3 SwitchB vlan3 quit SwitchB vlan 5 SwitchB vlan5 port ethernet 2 0 1 SwitchB vlan5 isolate us...

Page 588: ...588 CHAPTER 55 PROXY ARP CONFIGURATION SwitchA Vlan interface5 arp proxy enable SwitchA Vlan interface5 arp proxy source vlan enable SwitchA Vlan interface5 quit...

Page 589: ...P servers return the corresponding configuration information such as IP addresses to configure IP addresses dynamically A typical DHCP application includes one DHCP server and multiple clients such as...

Page 590: ...ment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned IP address...

Page 591: ...HCP client initiates a DHCP request flags The first bit is the broadcast response flag bit It is used to identify that the DHCP response packet is sent in the unicast or broadcast mode Other bits are...

Page 592: ...ls the DHCP server picks IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients Trunk DHCP packets received from DHCP clients a...

Page 593: ...lease time of the IP address to the DHCP client Types of address pools The address pools of a DHCP server fall into two types global address pool and interface address pool A global address pool is c...

Page 594: ...IP addresses from its global address pool that contains the interface address pool segment and assigns them to the DHCP clients A DHCP server assigns IP addresses in interface address pools or global...

Page 595: ...e NetBIOS services for the DHCP server Optional Configuring NetBIOS Services for the DHCP Server on page 598 Customize DHCP service Optional Customizing DHCP Service on page 599 Configure gateway addr...

Page 596: ...be coupled In the same global DHCP address pool if the static bind ip address command or the static bind mac address command is executed repeatedly the new configuration overwrites the previous one Th...

Page 597: ...ddresses while assigning IP addresses to DHCP clients Currently you can configure up to eight DNS server addresses for a DHCP address pool You can configure domain names to be used by DHCP clients for...

Page 598: ...NS server returns the IP address corresponding to the destination node name to the source node M node Nodes of this type are p nodes mixed with broadcasting features The character m stands for the wor...

Page 599: ...ents to be of a specific NetBIOS node type netbios type b node h node m node p node Optional By default no NetBIOS node type of the DHCP client is specified and a DHCP client uses an h node Table 467...

Page 600: ...s contained in it belong to the network segment where the interface resides and are available to the interface only You can perform certain configurations for DHCP address pools of an interface or mul...

Page 601: ...ents When such a DHCP client applies for an IP address the DHCP server finds the IP address corresponding to the MAC address of the DHCP client and then assigns the IP address to the DHCP client Custo...

Page 602: ...gned to DHCP clients are those not occupied by specific network devices such as gateways and FTP servers The lease time can differ with address pools But that of the IP addresses of the same address p...

Page 603: ...erver you can configure domain names to be used by DHCP clients for address pools After you do this the DHCP server provides the domain names to the DHCP clients while the DHCP server assigns IP addre...

Page 604: ...packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding to the destination node name to the source node M node Nodes of this type are p nodes...

Page 605: ...equired By default no NetBIOS node type is specified and a DHCP client uses an h node dhcp server netbios type b node h node m node p node quit Configure multiple interfaces in system view dhcp server...

Page 606: ...assigns the address to a DHCP client IP address detecting is achieved by performing ping operations To detect whether an IP address is currently in use the DHCP server sends an ICMP packet with the I...

Page 607: ...the same network segment The network segment 10 1 1 0 24 to which the IP addresses of the address pool belong is divided into two sub network segments 10 1 1 0 25 and 10 1 1 128 25 The switch operati...

Page 608: ...example in the network to which VLAN interface 1 is connected if multiple clients apply for IP addresses the child address pool 10 1 1 0 25 assigns IP addresses first When the IP addresses in the chil...

Page 609: ...main name aabbcc com SW7750 dhcp pool 0 dns list 10 1 1 2 SW7750 dhcp pool 0 quit Configure DHCP address pool 1 including address range gateway and lease time SW7750 dhcp server ip pool 1 SW7750 dhcp...

Page 610: ...onfigured on a host if you receive a response packet of the ping operation You can then disable the IP address from being dynamically assigned by using the dhcp server forbidden ip command on the DHCP...

Page 611: ...P addresses In this case the DHCP clients in multiple networks can use the same DHCP server which can decrease your cost and provide a centralized administration DHCP Relay Agent Fundamentals Figure 1...

Page 612: ...nts through which and other proper software you can achieve the DHCP assignment limitation and accounting functions Primary terminologies Option A length variable field in DHCP packets carrying inform...

Page 613: ...o which the DHCP client belongs and the MAC address of the DHCP relay agent 5 Upon receiving the DHCP request packet forwarded by the DHCP relay agent the DHCP server stores the information contained...

Page 614: ...ing a DHCP Relay Agent to Broadcast Responses to Clients on page 615 Specify gateways for DHCP clients Optional Specifying Gateways for DHCP Clients on page 615 Specify source IP address of uplink pac...

Page 615: ...ents After this function is enabled even if the flag field in the DHCP DISCOVER packet is set to 0 the DHCP relay agent still broadcasts responses to the clients Specifying Gateways for DHCP Clients T...

Page 616: ...econdary Removing all the gateways in system view Specifying the Source IP Address of Uplink Packets When a Switch 7750 Ethernet switch working as a DHCP relay agent forwards a client s packet to the...

Page 617: ...d a DHCP relay agent inhibits a user from accessing external networks if the binding of the IP address MAC address VLAN ID and port number do not match any entries including the entries dynamically tr...

Page 618: ...ask you can validate or invalidate the dynamic IP to MAC mapping entries generated by the DHCP relay agent DHCP client addresses are matched based on the dynamic entries generated by DHCP relay agent...

Page 619: ...d lease time The routes between the DHCP relay agent and the DHCP server are reachable Enabling option 82 supporting on a DHCP relay agent The following operations need to be performed on a DHCP relay...

Page 620: ...diagram Figure 156 Network diagram for DHCP relay agent Configuration procedure Enter system view SW7750 system view Table 494 Display DHCP relay agent configuration Operation Command Description Dis...

Page 621: ...Relay Agent Symptom A client fails to obtain configuration information through a DHCP relay agent Analysis This problem may be caused by improper DHCP relay agent configuration When a DHCP relay agent...

Page 622: ...622 CHAPTER 58 DHCP RELAY AGENT CONFIGURATION...

Page 623: ...n unauthorized DHCP server exists in the network a DHCP client may obtain an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP servers you can specify a port to be...

Page 624: ...K packet DHCP REQUEST packet Introduction to DHCP Snooping Option 82 Introduction to Option 82 For details about Option 82 refer to Option 82 Support on page 612 Padding content and frame format of Op...

Page 625: ...to 1 in the case of ASCII format Figure 159 Extended format of the circuit ID sub option Figure 160 Extended format of the remote ID sub option In practice some network devices do not support the type...

Page 626: ...e will Drop Drop the packet Keep Forward the packet without changing Option 82 Replace Neither of the two sub options is configured Forward the packet after replacing the original Option 82 with the d...

Page 627: ...which the port belongs to These records are saved as entries in the DHCP snooping table IP static binding table The DHCP snooping table only records information about clients that obtains IP address d...

Page 628: ...ble the DHCP snooping function dhcp snooping Required By default the DHCP snooping function is disabled Enter Ethernet port view interface interface type interface number Set the port connected to a D...

Page 629: ...CP Snooping to Support Option 82 on page 628 Configuring the padding format for Option 82 on page 631 Table 499 Enable DHCP snooping Option 82 support Operation Command Description Enter system view s...

Page 630: ...ort aggregation Configuring the remote ID sub option You can configure the remote ID sub option in system view or Ethernet port view In system view the remote ID takes effect on all interfaces You can...

Page 631: ...ote ID sub option in Option 82 Operation Command Description Enter system view system view Configure the remote ID sub option in system view dhcp snoopinginformation remote id sysname string string Op...

Page 632: ...ption 82 and option 82 is enabled on the switch The Ethernet 2 0 1 port of Switch A is a trusted port Create a static binding ip source static binding ip address ip address mac address mac address Opt...

Page 633: ...82 Support Configuration Example Network requirements As shown in Figure 164 Ethernet 2 0 5 of the switch is connected to the DHCP server and Ethernet 2 0 1 Ethernet 2 0 2 and Ethernet 2 0 3 are respe...

Page 634: ...f the DHCP snooping device Switch dhcp snooping information remote id sysname Set the circuit ID sub option in DHCP packets from VLAN 1 to abcd on Ethernet 2 0 3 Switch interface Ethernet2 0 3 Switch...

Page 635: ...as the trusted port Switch interface Ethernet2 0 1 Switch Ethernet2 0 1 dhcp snooping trust Switch Ethernet2 0 1 quit Enable IP filtering on Ethernet 2 0 2 Ethernet 2 0 3 and Ethernet 2 0 4 to filter...

Page 636: ...636 CHAPTER 59 DHCP SNOOPING CONFIGURATION Switch interface Ethernet2 0 2 Switch Ethernet2 0 2 ip source static binding ip address 1 1 1 1 m ac address 0001 0001 0001...

Page 637: ...ly Advanced ACL rules are made based on the L3 and L4 information such as the source and destination IP addresses of the data packets the type of protocol over IP protocol specific features and so on...

Page 638: ...L are matched in the following order 1 Protocol number of ACL rules Protocol number ranges from 1 to 255 The smaller the protocol range the higher the priority 2 Range of source IP address The smaller...

Page 639: ...range is configured and the system time is within the time range If you remove the time range of an ACL rule the ACL rule becomes invalid the next time the ACL rule timer refreshes Types of ACLs Supp...

Page 640: ...e time range configuration tasks include configuring periodic time sections and configuring absolute time sections A periodic time section appears as a period of time in a day of the week while an abs...

Page 641: ...configuration till the largest date available in the system Configuration Example Define a periodic time section test that will be active from 8 00 to 18 00 Monday through Friday SW7750 system view SW...

Page 642: ...atched Defining Advanced ACLs Advanced ACLs define classification rules according to the source and destination IP addresses of packets the type of protocol over IP and protocol specific features such...

Page 643: ...match order is config Define an rule rule rule id permit deny rule string Required Display ACL information display acl config all acl number acl name Optional This command can be executed in any view...

Page 644: ...cedence ToS priority Value range 0 to 15 dscp dscp Packet precedence DSCP priority Value range 0 to 63 fragment Fragment information Specifies that the ACL rule is effective for non initial fragment p...

Page 645: ...8 1000 Table 516 TCP UDP specific rule information Parameter Type Function Description source port operator port1 port2 Source port s Defines the source port information of UDP TCP packets The value o...

Page 646: ...Parameter Type Function Description icmp type icmp type icmp code Type and message code information of ICMP packets Specifies the type and message code information of ICMP packets in the ACL rule icmp...

Page 647: ...2 information such as the source and destination MAC address information VLAN priority and Layer 2 protocol to process packets The value range for Layer 2 ACL numbers is 4 000 to 4 999 Configuration P...

Page 648: ...ask in the format of H H H defaults to ffff ffff ffff source vlan id source VLAN ID in the range of 1 to 4 094 any represents all packets received from all ports egress dest mac ad dr dest mac mask an...

Page 649: ...0 acl number 4000 SW7750 acl link 4000 rule deny cos 3 source 000d 88f5 97ed ffff ff ff ffff dest 0011 4301 991e ffff ffff ffff SW7750 acl link 4000 display acl config 4000 Link ACL 4000 1 rule rule 0...

Page 650: ...g 5001 User ACL 5001 1 rule rule 25 deny 06 ff 27 time range t1 0 times matched Inactive Applying ACLs on Ports By applying ACLs on ports you can filter certain packets Configuration Preparation You n...

Page 651: ...nation mode Form of acl rule Apply all rules in an IP type ACL separately ip group acl number acl name Apply one rule in an IP type ACL separately ip group acl number acl name rule rule id Apply all r...

Page 652: ...h letter a to z or A to Z without space and quotation mark case insensitive user group acl num ber acl name User defined ACL acl number ACL number ranging from 5 000 to 5 999 acl name ACL name up to 3...

Page 653: ...L configuration are listed below 1 Define the time range Define the time range from 8 00 to 18 00 SW7750 system view SW7750 time range test 8 00 to 18 00 daily 2 Define an ACL for packets with the sou...

Page 654: ...e range that contain a periodic time section from 8 00 to 18 00 SW7750 system view SW7750 time range test 8 00 to 18 00 working day 2 Define an ACL for filtering requests destined for the wage server...

Page 655: ...000 Define an ACL rule to deny packets with the source MAC address of 0011 0011 0011 and destination MAC address of 0011 0011 0012 specifying the time range named test for the ACL rule SW7750 acl link...

Page 656: ...to 18 00 SW7750 system view SW7750 time range aaa 8 00 to 18 00 daily 2 Create an ACL rule to filter TCP packets Create ACL 5000 SW7750 acl number 5000 Define a rule for TCP packets SW7750 acl user 5...

Page 657: ...is the evaluation on the service ability to support the core requirements such as delay delay variation and packet loss ratio in the packet delivery Traffic Traffic means service traffic that is all t...

Page 658: ...different service classes The Diff Serv network defines four traffic classes Expedited Forwarding EF class In this class packets can be forwarded regardless of link share of other traffic The class is...

Page 659: ...le to occasions where the Layer 3 packet header does not need analysis but QoS must be assured in Layer 2 Figure 171 An Ethernet frame with a 802 1Q tag header Table 529 Description on DSCP values DSC...

Page 660: ...specification 3 Local precedence Local precedence is the precedence of an outbound queue on a port of the switch It is in the range of 0 to 7 Each outbound queue has its own local precedence Priority...

Page 661: ...uous burst packets if the traffic of each user is not limited The traffic of each user must be limited in order to make better use of the limited network resources and provide better service for more...

Page 662: ...pacity of the token bucket namely the maximum traffic size that is permitted in every burst It is generally set to committed burst size CBS The set burst size must be bigger than the maximum packet le...

Page 663: ...ors are protected For example you can limit HTTP packets within 50 of the network bandwidth If the traffic of a certain connection is excess TP can choose to drop the packets or to reset the priority...

Page 664: ...ueue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical ser...

Page 665: ...full use of Traffic based Traffic Statistics The function of traffic based traffic statistics is to use ACL rules in traffic identifying and perform traffic statistics on the packets matching with the...

Page 666: ...is VLAN tagged the switch does not perform the operation above Configuration prerequisites The port whose priority is to be configured is specified The priority value of the specified port is specifi...

Page 667: ...ty are sent preferentially The switch puts a packet into the corresponding queue according to the DSCP precedence IP precedence 802 1p priority or local precedence of the packet The mapping relationsh...

Page 668: ...type A I O Module Queue 0 to 7 be 0 be 0 0 8 to 15 cs1 8 af1 10 cs1 8 af11 10 af12 12 af13 14 1 16 to 23 cs2 16 af2 18 cs2 16 af21 18 af22 20 af23 22 2 24 to 31 cs3 24 af3 26 cs3 24 af31 26 af32 28 a...

Page 669: ...cal precedence map 2 3 4 1 7 0 5 6 SW7750 display qos cos local precedence map cos local precedence map cos 0 1 2 3 4 5 6 7 local precedence 2 3 4 1 7 0 5 6 Configuring Priority Remark Refer to Priori...

Page 670: ...CL rules traffic priority inbound outbound acl rule system index system index dscp dscp value ip precedence pre value local precedence pre value Required Type A I O Modules support this command traffi...

Page 671: ...es in an IP ACL separately ip group acl number acl name Apply a rule in an IP ACL separately ip group acl number acl name rule rule id Apply all the rules in a Link ACL separately link group acl numbe...

Page 672: ...rule Applied ACL rules which can be the combination of various ACL rules Type A I O Modules ways of combinations are described in Table 540 and non type A I O Modules ways of combination is described...

Page 673: ...edirect on page 663 for the introduction to redirect Configuration Prerequisites ACL rules used for traffic identifying are defined Refer to Choosing ACL Mode for Traffic Flows on page 639 for definin...

Page 674: ...ue scheduling Refer to Queue Scheduling on page 663 for the introduction to queue scheduling Configuration Prerequisites The queue scheduling algorithm is specified The ports that need this configurat...

Page 675: ...8 10 COS configuration Config max queues 8 Schedule mode weighted round robin Weighting in packets COSQ 0 10 packets COSQ 1 5 packets COSQ 2 10 packets COSQ 3 10 packets COSQ 4 5 packets COSQ 5 10 pa...

Page 676: ...qos SW7750 qoss Ethernet2 0 1 traffic red outbound ip group 2000 64 128 20 Configuring Traffic Statistics Refer to Traffic based Traffic Statistics on page 665 for the introduction to traffic statist...

Page 677: ...r system view system view Enter Ethernet port view interface interface type interface number Enter QoS view qos Use the ACL rules in traffic identifying and perform traffic statistics on the packets m...

Page 678: ...ion can be properly applied to the hardware Configuration Example Ethernet 2 0 1 of the switch is accessed into the network segment 10 1 1 1 24 Enable the function of assured bandwidth for traffic fro...

Page 679: ...th for all the traffic matching the CAR rule on these ports to share Suppose you want to allocate 2 Mbps of CAR bandwidth for the incoming traffic matching ACL rule 0 and enable CAR on two ports with...

Page 680: ...with Voice VLAN That is you cannot configure both features on the same port The port on which the traffic based selective QinQ function is configured and the specified uplink port cannot be in the sa...

Page 681: ...net2 0 1 port hybrid vlan 25 untagged SW7750 GigabitEthernet2 0 1 vlan vpn enable SW7750 GigabitEthernet2 0 1 qos SW7750 qosb GigabitEthernet2 0 1 traffic remark inbound ip group 2 000 remark vlan 25...

Page 682: ...traffic within 640 kbps and set the precedence of packets exceeding the specification to 4 SW7750 interface Ethernet 2 0 1 SW7750 Ethernet2 0 1 qos SW7750 qosb Ethernet2 0 1 traffic limit inbound ip...

Page 683: ...dentification based basic ACL view identified SW7750 acl number 2000 SW7750 acl basic 2000 rule 0 permit source 1 0 0 1 0 time range test SW7750 acl basic 2000 quit 3 Remark ef precedence on the packe...

Page 684: ...684 CHAPTER 61 QOS CONFIGURATION...

Page 685: ...irroring Local Port Mirroring Port mirroring refers to the process of copying the packets received or sent by the specified port to the specified local port Remote Port Mirroring Remote port mirroring...

Page 686: ...itoring device through the destination port Table 552 describes how the ports on various switches are involved in the mirroring operation Table 552 Ports involved in the mirroring operation Switch Por...

Page 687: ...LAN such as voice VLAN or protocol VLAN Configuring other VLAN related functions Local Traffic Mirroring Traffic mirroring maps traffic flows that match specific ACLs to the specified local port for p...

Page 688: ...ng group mirroring group mirroring port mirroring group monitor port mirroring group reflector port mirroring group remote probe vlan remote probe vlan enable Configuring Remote Port Mirroring on page...

Page 689: ...ber Configure the source port and specify the direction of the packets to be mirrored mirroring group group id mirroring port both inbound outbound Required Display parameter settings of the local por...

Page 690: ...on the source switch Table 556 Configure remote port mirroring on the source switch Operation Command Description Enter system view system view Create a VLAN and enter its VLAN view vlan vlan id vlan...

Page 691: ...rt The reflector port cannot forward traffics as a normal port Therefore it is recommended that you use an idle and in down state port as the reflector port and be careful to not add other settings on...

Page 692: ...irroring on the intermediate switch Operation Command Description Enter system view system view Create a remote probe VLAN and enter VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN D...

Page 693: ...pe interface number Configure the current port as a trunk port port link type trunk Required By default the type of the port is access Configure the relay port to permit packets from the remote probe...

Page 694: ...analyze the packets sent and received by PC1 via the data detect device To meet the requirement above by using the remote port mirroring function perform the following configuration Define VLAN10 as...

Page 695: ...k permit vlan 10 SW7750 GigabitEthernet2 0 1 quit SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 port link type trunk SW7750 GigabitEthernet2 0 2 port trunk permit vlan 10 SW7750 G...

Page 696: ...d Define the destination port mirroring group group id monitor port monitor port Required LACP must be disabled on the mirroring destination port and you are recommended to disable STP on the mirrorin...

Page 697: ...GigabitEthernet 2 0 4 Configuring Remote Traffic Mirroring Configuration prerequisites ACLs for identifying traffics have been defined For defining ACLs refer to ACL Configuration on page 637 The sour...

Page 698: ...with the intermediate switch and the destination switch must be configured so Quit from the current view quit Configure the remote source mirroring group mirroring group group id remote source Requir...

Page 699: ...itch is the same as configuring remote port mirroring on the intermediate switch Refer to Configuring remote port mirroring on the intermediate switch on page 692 for details Configuring the destinati...

Page 700: ...e the traffic mirroring function on GigabitEthernet 2 0 2 2 Network diagram Figure 181 Network diagram for remote traffic mirroring 3 Configuration procedure Configure Switch A SW7750 system view SW77...

Page 701: ...Ethernet 2 0 3 SW7750 mirroring group 1 remote probe vlan 10 SW7750 interface GigabitEthernet 2 0 2 SW7750 GigabitEthernet2 0 2 qos SW7750 qosb GigabitEthernet2 0 2 mirrored to inbound ip group 2000 i...

Page 702: ...oring port mirroring port list both inbound outbound You must perform one of the two operations The mirroring source I O Module can be a distributed or centralized I O Module however the mirroring sou...

Page 703: ...devices forms a cluster Normally a cluster member device is not assigned a public IP address Management and maintenance operations intended for the member devices in a cluster are redirected by the m...

Page 704: ...ing each member and then distributes the configuration and management commands to members Member management means to manage the following events through the management device including adding a member...

Page 705: ...candidate device enable NTDP both globally and for specific ports As member devices and candidate devices adopt the NTDP settings configured for the management device NTDP setting configurations are...

Page 706: ...the data to the external server When the management program running on the external server manages the member device the external server transmits the protocol packets to the management device first...

Page 707: ...directing commands that is forward the commands to the intended member devices for processing Provide the following functions including neighbor discovery topology information collection cluster manag...

Page 708: ...gure cluster parameters Required Configuring Cluster Parameters on page 709 Configure interaction for the cluster Required Configuring Interaction for the Cluster on page 711 Table 565 Enable NDP glob...

Page 709: ...w Configure the range topology information within which is to be collected ntdp hop hop value Optional By default the hop range for topology collection is 3 hops Configure the hop delay to forward top...

Page 710: ...rface vlan id Required The Switch 7750 requires you to configure the IP address of the Layer 3 virtual interface of VLAN1 before you set up a cluster Otherwise the cluster cannot be set up Configure t...

Page 711: ...ip address mask mask length Required Enter cluster view cluster Configure the rang e of the IP addresses of the cluster ip pool administrator ip address ip mas k ip mask length Required Build a cluste...

Page 712: ...lt the NDP is enabled for the port You can choose to enable NDP in system view or in Ethernet port view In Ethernet port view Enter Ethernet port view interface interface type interface number Enable...

Page 713: ...dress H H H eraseflash Optional Return to system view quit Return to user view quit Switch between the management device view and a member device view cluster switch to member number mac address H H H...

Page 714: ...of the management device belongs to VLAN1 whose interface IP address is 163 172 55 1 All the devices in the cluster use the same FTP server and TFTP server The FTP server and TFTP server share one IP...

Page 715: ...AN SW7750 system view SW7750 interface Vlan interface 1 SW7750 Vlan interface1 ip address 163 172 55 1 SW7750 Vlan interface1 quit Enable NDP globally and on Ethernet1 0 2 and Ethernet1 0 3 SW7750 ndp...

Page 716: ...tarts from 172 16 0 1 The mask is 255 255 255 248 SW7750 cluster ip pool 172 16 0 1 255 255 255 248 Specify a name for the cluster and create the cluster SW7750 cluster build aaa aaa_0 3Com cluster Ad...

Page 717: ...luster put bbb txt n Upon the completion of the above configurations you can execute the cluster switch to member num mac address H H H command on the management device to switch to member device view...

Page 718: ...718 CHAPTER 63 CLUSTER...

Page 719: ...D detection PD power information collection PoE power supply monitoring and power off for devices PD PDs receive power from the PSE PDs include standard PDs and nonstandard PDs Standard PDs conform to...

Page 720: ...they work together to supply 2 400 W of power 2 Input voltage 200 VAC to 240 VAC One PSU of the PSE2500 A1 power system can supply 2 500 W of power If the PSUs of PSE2500 A1 power system need to work...

Page 721: ...e of a PoE enabled board Required Configuring the PoE Feature of a PoE enabled Board on page 721 Configure the PoE feature of a PoE port Required Setting the PoE Feature of a PoE Port on page 722 Upgr...

Page 722: ...t enable PoE on this module with the poe enable slot slot num command When PoE compatibility detection is performed on non standard devices the system performance will be affected When standard 802 3a...

Page 723: ...is to upgrade the valid software in the PSE through refreshing the software while the full update mode is to delete the invalid software in PSE completely and then reload the software Generally the r...

Page 724: ...high priority Set the PoE management mode of slot 3 to auto Slot 3 is supplied with 400 W of power and slot 5 is supplied with full power namely 806 W Enable PoE compatibility detection on the PoE mod...

Page 725: ...n the modules in slot 3 and slot 5 SW7750 poe enable slot 3 SW7750 poe enable slot 5 Set the PoE management mode on slot 3 to auto SW7750 poe power management auto slot 3 Set the maximum power supplie...

Page 726: ...critical so that the devices connected to Ethernet3 0 48 can be provided with power preferentially without interrupting power supply to the current ports SW7750 interface Ethernet 3 0 48 SW7750 Ethern...

Page 727: ...ou are recommended to set the upper threshold to 132 0 V and the lower threshold to 90 0 V AC Input Alarm Threshold Configuration Example Network requirements Set the overvoltage alarm threshold of AC...

Page 728: ...old of DC output for the PoE PSUs to 55 0 V Set the undervoltage alarm threshold of DC output for the PoE PSUs to 47 0 V Configuration procedure Enter the system view SW7750 system view Set the overvo...

Page 729: ...onnect IP phones to Ethernet3 0 1 through Ethernet3 0 48 Set the AC input and DC output alarm thresholds to appropriate values Table 588 Display PoE supervision information Operation Command Descripti...

Page 730: ...t for the PoE PSUs to 264 0 V SW7750 poe power input thresh upper 264 0 Set the undervoltage alarm threshold of AC input for the PoE PSUs to 181 0 V SW7750 poe power input thresh lower 181 0 Set the o...

Page 731: ...be enabled on the port PoE Profile Configuration Tasks Table 589 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile poe profile profile name Require...

Page 732: ...play command in any view to see the running status of the PoE profile You can verify the configurations by viewing the information PoE Profile Configuration Example Network requirements Ethernet2 0 1...

Page 733: ...thernet 1 0 10 Figure 187 PoE profile application Configuration procedure Create Profile1 and enter PoE profile view SW7750 system view SW7750 poe profile Profile1 In Profile1 add the PoE policy confi...

Page 734: ...e profile Profile2 poe priority high SW7750 poe profile Profile2 poe max power 15400 SW7750 poe profile Profile2 quit Display detailed configuration information for Profile2 SW7750 display poe profile...

Page 735: ...addresses of the packets and then sends the packet to the specified destination server n The DHCP Relay module uses UDP port 67 and 68 to relay BOOTP DHCP broadcast packets so do not use port 67 and 6...

Page 736: ...rming the above configurations you can use the display command in any view to display the information about the destination servers and the number of the packets forwarded to each destination server V...

Page 737: ...network segment 202 38 1 0 24 is reachable Enable UDP Helper SW7750 system view SW7750 udp helper enable Configure port 55 as a UDP Helper destination port SW7750 udp helper port 55 Configure the serv...

Page 738: ...738 CHAPTER 67 UDP HELPER CONFIGURATION...

Page 739: ...or running the client program At present the commonly used NM platforms include 3Com s Network Management Products Sun NetManager and IBM NetView Agent is the server software operated on network devic...

Page 740: ...epresents a managed object as shown in Figure 189 Thus the object can be identified with the unique path starting from the root Figure 189 Architecture of the MIB tree The management information base...

Page 741: ...MIB Device management Interface management Table 594 Common MIBs MIB attribute MIB content References Table 595 Configure SNMP basic functions for SNMP V1 and SNMP V2C Operation Command Description E...

Page 742: ...d switch fabricid Optional By default the device switch fabric ID is Enterprise Number device information Create or update the view information snmp agent mib view included excluded view name oid tree...

Page 743: ...he device switch fabric ID is Enterprise Number device information Create or update the view information snmp agent mib view included excluded view name oid tree Optional By default the view name is V...

Page 744: ...yname security string v1 v2c v3 authentication privacy Required Set the source address to send Trap packets snmp agent trap source interface type interface number Optional Set the information queue le...

Page 745: ...Description Display system information of the current SNMP device display snmp agent sys info contact location version The display command can be executed in any view Display SNMP packet statistics in...

Page 746: ...P community is public SW7750 snmp agent trap enable standard authentication SW7750 snmp agent trap enable standard coldstart SW7750 snmp agent trap enable standard linkup SW7750 snmp agent trap enable...

Page 747: ...is reduced thus facilitating the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It collects data in one of the following two ways Using the dedicated...

Page 748: ...riod sampling time Comparing the sampled value with the set threshold and triggering the corresponding events if the sampled value exceeds the threshold Extended alarm group With extended alarm entry...

Page 749: ...ing SNMP Basic Functions on page 741 Configuring RMON Table 599 Configure RMON Operation Command Description Enter system view system view Add an event entry rmon event event entry description string...

Page 750: ...connected to a remote NMS through Internet Create an entry in the Ethernet statistics table to make statistics on the Ethernet port performance for network management Network diagram Figure 191 Networ...

Page 751: ...try 1 owned by user1 rmon is VALID Interface Ethernet2 0 1 ifIndex 4227626 etherStatsOctets 0 etherStatsPkts 0 etherStatsBroadcastPkts 0 etherStatsMulticastPkts 0 etherStatsUndersizePkts 0 etherStatsO...

Page 752: ...752 CHAPTER 69 RMON CONFIGURATION...

Page 753: ...e same time The accounting system requires that the clocks of all the network devices be consistent Some functions such as restarting all the network devices in a network simultaneously require that t...

Page 754: ...serves as the NTP server that is the clock of Device A will be synchronized to that of Device B It takes one second to transfer an NTP message from Device A to Device B or from Device B to Device A Fi...

Page 755: ...ation Mode To accommodate networks of different structures and switches in different network positions NTP can operate in multiple modes as described in the following Client Server mode Figure 193 NTP...

Page 756: ...ote server operates as the peer of the Switch 7750 and the Switch 7750 operates as the active peer Client Broadcast clock synchronizati on packets periodically Network Server Initiates a client server...

Page 757: ...VLAN interface configured on the switch Multicast mode Configure the Switch 7750 to operate in NTP multicast server mode In this case the Switch 7750 sends multicast NTP packets through the VLAN inte...

Page 758: ...clock synchronization packet periodically The devices which are configured to be in the NTP broadcast client mode will respond this packet and start the clock synchronization procedure NTP multicast...

Page 759: ...on For the networks with higher security requirements you can specify to perform authentications when enabling NTP With the authentications performed on both the client side and the server side the cl...

Page 760: ...ntication model md5 value Required By default the NTP authentication key is not configured Configure the specified key to be a trusted key ntp service reliable authentication keyid key id Required By...

Page 761: ...erver authentication keyid key id In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding NTP server on the server You can associate a...

Page 762: ...ments Configure the local clock of S7750 1 to be the NTP master clock with the stratum being 2 S7750 2 operates in client mode with S7750 1 as the time server S7750 1 operates in server mode automatic...

Page 763: ...nce 99 8562 Hz Clock precision 2 7 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Configure S775...

Page 764: ...master clock with the clock stratum being 2 Configure a Switch 7750 to operate as a client with 3Com2 as the time server 3Com2 will then operate in the server mode automatically Meanwhile 3Com3 sets...

Page 765: ...ersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that the Switch 7750 is synchronized to 3Com3 and the stratum...

Page 766: ...server and send broadcast packets through VLAN interface 2 SW77503 Vlan Interface2 ntp service broadcast server 2 Configure Switch 7750 1 Enter system view SW7750 1 system view SW7750 1 Enter VLAN int...

Page 767: ...al frequency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05A...

Page 768: ...a multicast server SW77503 Vlan Interface2 ntp service multicast server 2 Configure Switch 7750 1 Enter system view SW7750 1 system view SW7750 1 Enter VLAN interface 2 view SW7750 1 interface vlan in...

Page 769: ...uency 249 9992 Hz Clock precision 2 19 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C T...

Page 770: ...SW7750 2 ntp service unicast server 1 0 1 11 authentication keyid 42 The above configuration synchronizes Switch 7750 2 to Switch 7750 1 As NTP authentication is not enabled on Switch 7750 1 Switch 77...

Page 771: ...UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that Switch 7750 2 is synchronized to Switch 7750 1 with the clock stratum being 3 one stratum higher than Switch 7750 1 View the...

Page 772: ...772 CHAPTER 70 NTP CONFIGURATION...

Page 773: ...herwise the server clears the TCP connection 2 Key algorithm negotiation stage These operations are completed at this stage The server and the client send key algorithm negotiation packets to each oth...

Page 774: ...s SSH server configuration tasks Configuring supported protocols Table 608 Configure SSH2 0 server Configuration Keyword Description Configure supported protocols protocol inbound Refer to Configuring...

Page 775: ...mpts you the host RSA key pair 3Com_Host is generated and does not inform you the information about the server RSA key pair even if the server RSA key pair is generated in the background for the purpo...

Page 776: ...ntication type for a user When the two commands are configured simultaneously and the authentication types configured for the user specified by username are different with each other comply with the c...

Page 777: ...tion type On the other hand you can import the RSA public key of an SSH user from the public key file When the rsa peer public key keyname import sshkey filename command is executed the system will tr...

Page 778: ...lient you need to configure the host public key of the server to be accessed on the local device and specify the name of the host public key file of the server to be accessed Thus the SSH client can a...

Page 779: ...is the same as that of configuring a client public key on the server Specify the name of the host public key of the SSH server to be accessed on the SSH client ssh client server ip assign rsa key keyn...

Page 780: ...SSH SW7750 ui vty0 4 protocol inbound ssh Configure the login protocol for user clinet001 as SSH and authentication type as password SW7750 local user client001 SW7750 luser client001 password simple...

Page 781: ...25 SW7750 rsa key code public key code end SW7750 rsa public key peer public key end SW7750 ssh user client002 assign rsa key 3Com002 Start the SSH client software on the host which stores the RSA pri...

Page 782: ...uration on page 778 Configure the client public key on the server and name the public key Switch001 SW7750 rsa peer public key Switch001 RSA public key view return to System View with peer public key...

Page 783: ...a VLAN interface on the switch and assign it an IP address which the SSH server will use as the destination for SSH connection SW7750 system view SW7750 interface vlan interface 1 SW7750 Vlan interfac...

Page 784: ...A A94A207E 1E25F3F9 SW7750 rsa key code E0EA01A2 4E0F2FF7 B1D31505 39F02333 E443EE74 SW7750 rsa key code 5C3615C3 E5B3DC91 D41900F0 2AE8B301 E55B1420 SW7750 rsa key code 024ECF2C 28A6A454 C27449E0 46E...

Page 785: ...ion Enter system view system view Configure service type for an SSH user ssh user username service type stelnet sftp all Required By default the available service type is stelnet Table 619 Enable the...

Page 786: ...lp information about SFTP client commands help SFTP client view Optional Table 621 Enable the SFTP client Operation Command Description Enter system view system view Enable the SFTP client sftp host i...

Page 787: ...directory dir a l remote path Optional The dir and ls commands have the same function ls a l remote path Create a directory on the SFTP server mkdir remote path Optional Delete a directory from the SF...

Page 788: ...he remote SFTP server and enter SFTP client view SW7750 sftp 10 111 27 91 Display the current directory on the SFTP server delete file z and verify the operation sftp client dir rwxrwxrwx 1 noone nogr...

Page 789: ...noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 30 new1 Received status End of file Received status Success Rename directory new1...

Page 790: ...ogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noo...

Page 791: ...efore executing the commands which have potential risks for example deleting and overwriting files n Switch 7750s support Fabric switchover Both the primary and the secondary Fabric have file system b...

Page 792: ...le Configuration Operation Command Description Enter the root directory of a CF card cd cf Required Disable a CF card umount cf Required Table 627 File system configuration tasks Task Remark Related s...

Page 793: ...vable For memory spaces that are unavailable due to unexpected errors you can use the fixdisk command to restore them Table 629 File related operations Operation Command Description Delete a file dele...

Page 794: ...3 rw 3980 Apr 21 2006 15 08 29 config cfg 4 drw Apr 16 2006 11 18 17 hj 5 drw Apr 10 2005 19 07 59 dd 6 rw 11779 Apr 05 2006 10 23 03 test bak 7 rw 19307 Apr 16 2006 11 15 55 1 txt 8 rw 66 Apr 05 2006...

Page 795: ...B free SW7750 dir flash test Directory of flash test 0 rw 3980 Apr 25 2006 16 33 21 1 cfg 31877 KB total 15869 KB free Enter directory test SW7750 cd test Rename 1 cfg as c cfg SW7750 rename 1 cfg c c...

Page 796: ...796 CHAPTER 72 FILE SYSTEM MANAGEMENT...

Page 797: ...ated in the software system of the router By accessing the BIMS center the router updates its configuration file and application automatically BIMS allows the device to access the BIMS center immediat...

Page 798: ...st software or configuration file is deleted and the new file is not saved yet In this case the upgrade will fail the configuration on the device will be lost and eventually the BIMS cannot manage the...

Page 799: ...he BIMS Center at a Specified Time You can configure the BIMS device to access the BIMS center at a specified time and if desired at regular intervals from then on during a specified period Table 633...

Page 800: ...Automatically add the device function and set the shared key between the BIMS center and BIMS device After that when the device accesses the BIMS center it can be automatically added to the BIMS cente...

Page 801: ...21 97 and 80 respectively Configuration procedure 1 Configure the BIMS center Refer to Configuring the BIMS Device to Access the BIMS Center Periodically at Startup on page 800 2 Configure the BIMS d...

Page 802: ...802 CHAPTER 73 BIMS CONFIGURATION...

Page 803: ...FTP client or an FTP server in an FTP implementation FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log into a switch operati...

Page 804: ...TP Server Prerequisites A switch operates as an FTP server A remote PC operates as an FTP client The network operates properly as shown in Figure 205 Figure 205 Network diagram for FTP configuration P...

Page 805: ...ating the FTP client a work directory An FTP server provides services to the FTP clients that are both authenticated and authorized The configurations such as configuring user name password the way to...

Page 806: ...igurations Configuration procedure 1 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See Logging into an Ethernet Switch on pa...

Page 807: ...hold the file to be uploaded you need to move the files that are not in use from the flash to other place to make room for the file 3Com series switch is not shipped with FTP client applications You...

Page 808: ...d Optional Create a directory on the remote FTP server mkdir pathname Optional Remove a directory on the remote FTP server rmdir pathname Optional Delete a specified file delete remotefile Optional Qu...

Page 809: ...ocedure 1 Perform FTP server related configurations on the PC that is create a user account on the FTP server with user name switch and password hello For detailed configuration refer to the configura...

Page 810: ...and then restart the switch Thus the switch application is upgraded SW7750 boot boot loader switch app SW7750 reboot n For information about the boot boot loader command and how to specify the startup...

Page 811: ...switch operates as a TFTP client Device Configuration Default Description Switch Configure an IP address for the VLAN interface of the switch so that it is reachable for TFTP server TFTP applies to n...

Page 812: ...a switch through the Console port or by Telneting to the switch See Logging into an Ethernet Switch on page 33 for detailed information SW7750 c CAUTION If the available space of the flash of the swit...

Page 813: ...813 SW7750 boot boot loader switch app SW7750 reboot n For information about the boot boot loader command and how to specify the startup file for a switch refer to Specifying the APP to be Adopted at...

Page 814: ...814 CHAPTER 74 FTP AND TFTP CONFIGURATION...

Page 815: ...log host 188 Apr 9 17 28 50 524 2004 3Com IFNET 5 UPDOWN Line protocol on t he interface M Ethernet0 0 0 is UP SIP 10 5 1 5 SP 1080 The following describes the fields of an information item 1 Priority...

Page 816: ...formation Table 644 Modules generating information Module name Description ACCOUNT L3 real time accounting module ACL Access control list module ADBM Address base module AM_USERB Access management mod...

Page 817: ...DEM module MPM Multicast port management module MSDP Multicast source discovery protocol module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor discover...

Page 818: ...st 6 Digest It is a phrase within 32 characters abstracting the information contents A colon separates the digest and information contents SYSM System management module SYSMIB System MIB module TAC Te...

Page 819: ...n center of the Ethernet switch features Supporting six information output directions namely console console monitor terminal monitor log host loghost trap buffer trapbuffer log buffer logbuffer and S...

Page 820: ...face through which log information is sent to the log host info center loghost source interface type interface number Optional Define an information source info center source modu name default channel...

Page 821: ...t this function is enabled for console user Enable debugging information terminal display function terminal debugging Optional By default the debugging information terminal display is disabled for ter...

Page 822: ...function with the terminal logging command Perform the following configuration in user view Define an information source info center source modu name default channel channel number channel name log tr...

Page 823: ...view Enable the information center info center enable Optional By default the information center is enabled Enable information output to the log buffer info center logbuffer channel channel number ch...

Page 824: ...debugging boot date none Optional This is to set the time stamp format for log debugging trap information output This determines how the time stamp is presented to users Table 653 Enable information...

Page 825: ...lowing log information in English to the Unix log host whose IP address is 202 38 1 10 the log information of the two modules ARP and IP with severity higher than informational Table 655 Display and d...

Page 826: ...ap state off SW7750 info center source ip channel loghost log level informational debug stat e off trap state off 2 Configure the log host The operations here are performed on SunOS 4 0 The operations...

Page 827: ...x Log Host Network requirements The switch sends the following log information in English to the Linux log host whose IP address is 202 38 1 10 All modules log information with severity higher than er...

Page 828: ...conf is modified run the following commands to view the process ID of the system daemon syslogd stop the process and then restart the daemon syslogd in the background with the r option ps ae grep sysl...

Page 829: ...information output to the console Permit ARP and IP modules to output information with severity level higher than informational to the console SW7750 info center console channel console SW7750 info c...

Page 830: ...830 CHAPTER 75 INFORMATION CENTER...

Page 831: ...S Resolution With static DNS resolution you can manually configure some name to address mappings in the static DNS list and the system will search the static list for corresponding IP addresses when u...

Page 832: ...n use the list to supply the missing part For example you can configure a suffix com in the list and users only need to input aabbcc to get the IP address of aabbcc com for the resolver will automatic...

Page 833: ...o visit Host with IP address 3 1 1 1 16 The DNS server IP address is 2 1 1 2 16 The DNS suffixes com and net are configured Table 656 Configure static DNS resolution Operation Command Description Ente...

Page 834: ...rver IP address 2 1 1 2 SW7750 dns server 2 1 1 2 Configure net as a DNS suffix SW7750 dns domain net Configure com as a DNS suffix SW7750 dns domain com Ping Host on Switch to verify the configuratio...

Page 835: ...s the correct IP address of the DNS Server If the specified domain name is not in the cache ensure that dynamic DNS resolution is enabled the DNS Client can normally communicate with the DNS Server an...

Page 836: ...836 CHAPTER 76 DNS CONFIGURATION...

Page 837: ...through Ethernet port You can load software remotely by using FTP TFTP n The BootROM software version should be compatible with the host software version when you load the BootROM and host software L...

Page 838: ...ot Menu appears Otherwise the system starts to decompress the program and if you want to enter the Boot Menu at this time you will have to restart the switch Input the correct BootROM password no pass...

Page 839: ...enu shown below SRPG bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Then you can choose diff...

Page 840: ...are configurations on PC Take the Hyperterminal using Windows operating system as example Step 4 Choose File Properties in HyperTerminal click Configure in the pop up dialog box and then select the b...

Page 841: ...ns n The new baud rate takes effect only after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information...

Page 842: ...rate to 9600 bps refer to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done n If the HyperTerminal s bau...

Page 843: ...lient and server It uses UDP to provide unreliable data stream transfer service Loading BootROM software Figure 220 Local loading using TFTP Step 1 As shown in Figure 220 connect the switch through an...

Page 844: ...st software Step 1 Select 1 in Boot Menu and press Enter The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Retu...

Page 845: ...otROM update menu shown below SRPG bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 4 Ent...

Page 846: ...emote Software Loading If your terminal is not directly connected to the switch you can telnet to the switch and use FTP or TFTP to load BootROM and host software remotely Remote Loading Using FTP Loa...

Page 847: ...e and that you need to use the boot boot loader command to select the host software at reboot of the switch After the above operations the BootROM and host software loading is completed Pay attention...

Page 848: ...terface1 ip address 192 168 0 65 255 255 255 0 Step 3 Enable FTP service on the switch configure the FTP user name to test password to pass and directory to FLASH root directory SW7750 Vlan interface1...

Page 849: ...tROM Step 6 Enter ftp 192 168 0 65 and enter the user name test password pass as shown in Figure 226 to log on the FTP server Figure 226 Log on the FTP server Step 7 Use the put command to upload the...

Page 850: ...or that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software at reboot of the switch n The steps listed above are perfo...

Page 851: ...e Fabrics and active standby switchover function If a switch possesses two Fabrics with the active standby switchover function enabled you can in turn upgrade and restart the two Fabrics with one Fabr...

Page 852: ...852 CHAPTER 77 BOOTROM AND HOST SOFTWARE LOADING...

Page 853: ...54 Set the local time zone Optional Setting the Local Time Zone on page 854 Set the summer time Optional Setting the Summer Time on page 854 Set the CLI language mode Optional Setting the CLI Language...

Page 854: ...m time Perform the following configuration in user view Setting the CLI Language Mode Table 662 Set the date and time of the system Operation Command Description Set the current date and time of the s...

Page 855: ...s whether the debugging information of a protocol is output Terminal display which controls whether the debugging information is output to a user screen The relation between the two switches is as fol...

Page 856: ...mation will affect the efficiency of the system disable your debugging after you finish it Enable terminal display for debugging terminal debugging By default terminal display for debugging is disable...

Page 857: ...nt operating information about the modules settled when this command is designed in the system for troubleshooting your system Perform the following operation in any view Table 671 Display the current...

Page 858: ...858 CHAPTER 78 BASIC SYSTEM CONFIGURATION DEBUGGING...

Page 859: ...check the network connectivity It can help you locate the trouble spot of the network The executing procedure of the tracert command is as follows First the source host sends a data packet with the TT...

Page 860: ...Y TEST Table 673 The tracert command Operation Command Support IP protocol tracert a source ip f first TTL m max TTL p port q num packet w timeout host Support CLNS protocol tracert clns m max TTL n n...

Page 861: ...e secondary module is inserted configurations on the last two SFP interfaces of the primary module will not be sent to the first two SFP interfaces of the secondary module automatically and you need t...

Page 862: ...time Update the BootROM Optional Updating the BootROM on page 863 Upgrade BootROM along with the upgrade of ARP Optional Upgrading BootROM along with the Upgrade of ARP on page 863 Set module temperat...

Page 863: ...to update the running BootROM application With this command a remote user can conveniently update the BootRom by uploading the BootROM to the switch through FTP and running this command The BootROM c...

Page 864: ...ss card forwarded load sharing is performed between the active Fabric and the standby Fabric n Only unicast traffic supports load sharing The 96Gbps Switch Fabric and GEbus I O Modules do not support...

Page 865: ...sceiver Electrical label information is also called permanent configuration data or archive information which is written to the storage device of a module during device debugging or test The informati...

Page 866: ...commands A type modules include 3C16860 3C16861 LS81FS24A 3C16858 and 3C16859 Pause Frame Protection Mechanism Configuration Task The following describes the configuration tasks of Pause Frame protec...

Page 867: ...ect IP addresses Layer 3 Connectivity Detection Configuration Example Network requirements The physical link between the local peer and the remote peer is correct The local peer port that is used to c...

Page 868: ...nable queue traffic monitoring SW7750 qe monitor enable Set the overall traffic threshold used in queue traffic monitoring to 90 Mbps SW7750 qe monitor overflow threshold 90000000 Configuring Error Pa...

Page 869: ...Device Management Configuration After the above configurations you can execute the display command in any view to display the operating status of the device management to verify the configuration eff...

Page 870: ...are stored into the directory of the switch Use FTP to download the switch app and boot btm files from the FTP server to the switch Network diagram Figure 229 Network diagram of FTP configuration Con...

Page 871: ...mand in user view Input the correct user name and password to log into the FTP server SW7750 ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 FTP service ready User none switch 331 Password requ...

Page 872: ...ified file will be booted next time on unit 1 SW7750 display boot loader The primary app to boot of board 0 at the next time is flash switch app The backup app to boot of board 0 at the next time is f...

Page 873: ...ing client and you can view the test results on remote ping client only When performing a remote ping test you need to configure a remote ping test group on the remote ping client A remote ping test g...

Page 874: ...number greater than 50000 Otherwise your remote ping test may fail or the service corresponding to the well known port may become unavailable TCP test Tcppublic test Tcpprivate test UDP test Udppubli...

Page 875: ...ize For ICMP UDP jitter test you can configure the size of test packets For ICMP test the ICMP packet size refers to the length of ECHO REQUEST packets excluding IP and ICMP headers Maximum number of...

Page 876: ...e sent per probe jitter packetnum Jitter test is used to collect statistics about delay jitter in UDP packet transmission In a jitter probe the remote ping client sends a series of packets to the remo...

Page 877: ...ic is enabled all other test types cannot be performed when IRF fabric is enabled With IRF fabric enabled you are allowed to configure remote ping tests and use the display commands to check your conf...

Page 878: ...configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the test type test type icmp Optional By default the test type is ICMP...

Page 879: ...ch test makes one probe Configure the maximum number of history records that can be saved history records number Figure 231 Optional By default the maximum number is 50 Configure the probe timeout tim...

Page 880: ...By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of FTP operation ftp operation get put Optional B...

Page 881: ...o IP address of the DNS server is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port numb...

Page 882: ...w Enable the remote ping client function remote ping agent enable Required By default the remote ping client function is disabled Create a remote ping test group and enter its view remote ping adminis...

Page 883: ...packets that will be sent in each jitter probe jitter packetnum number Optional By default each jitter probe will send 10 packets Configure the interval to send test packets in the jitter test jitter...

Page 884: ...ptional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three se...

Page 885: ...s Optional By default the source IP address is not specified Configure the test type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the source port source port port...

Page 886: ...lic Required By default the test type is ICMP Configure the destination address destination ip ip address Required This IP address and the one configured on the remote ping server for listening servic...

Page 887: ...he service type is zero Start the test test enable Required Display test results display remote ping results admin name operation tag Required The display command can be executed in any view Table 701...

Page 888: ...t specified Configure the IP address of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display re...

Page 889: ...e remote ping client 7750 system view 7750 remote ping agent enable Create a remote ping test group setting the administrator name to administrator and test tag to ICMP 7750 remote ping administrator...

Page 890: ...ed test time 2000 4 2 20 55 12 3 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Conne...

Page 891: ...ping administrator dhcp test enable Display test results 7750 remote ping administrator dhcp display remote ping results administra tor dhcp Remote ping entry admin administrator tag dhcp test result...

Page 892: ...ork diagram for the FTP test Configuration procedure Configure FTP Server Switch B Configure FTP server on Switch B For specific configuration of FTP server refer to FTP and TFTP Configuration on page...

Page 893: ...ail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 7750 remote ping administrator ftp display remote ping history administrat or ftp Remote ping entry admin admi...

Page 894: ...7750 remote ping administrator http timeout 30 Start the test 7750 remote ping administrator http test enable Display test results 7750 remote ping administrator http display remote ping results admi...

Page 895: ...name you must configure the IP address of the DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test Jitter Test Network requirements Both the re...

Page 896: ...t operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Jitter result RTT N...

Page 897: ...t community write private n The SNMP network management function must be enabled on SNMP agent before it can receive response packets The SNMPv2c version is used as reference in this example This conf...

Page 898: ...n administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 03 08 57 20 0 4 10 1 0 2000 04 03 08 57 19 9 5...

Page 899: ...rator tcpprivate test enable Display test results 7750 remote ping administrator tcpprivate display remote ping results administr ator tcpprivate Remote ping entry admin administrator tag tcpprivate t...

Page 900: ...000 Configure remote ping Client Switch A Enable the remote ping client 7750 system view 7750 remote ping agent enable Create a remote ping test group setting the administrator name to administrator a...

Page 901: ...11 1 0 2000 04 02 08 29 45 5 2 12 1 0 2000 04 02 08 29 45 4 3 11 1 0 2000 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 04...

Page 902: ...eive response times 10 Min Max Average Round Trip Time 6 10 8 Square Sum of Round Trip Time 756 Last complete test time 2006 11 28 11 50 40 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet...

Page 903: ...ncepts of RRPP Figure 250 RRPP networking Domain A domain consists of switches with the same domain ID and control VLAN A domain can consist of multiple Ethernet rings only one of which is the primary...

Page 904: ...sed to transfer data packets A data VLAN contains the ports connecting the switch with the Ethernet ring network and other ports Node Every switch on an Ethernet ring network is a node Node roles are...

Page 905: ...fter the ports are unblocked these packets or messages can pass through the ports Common port and edge port Of the two ports connecting an edge node or assistant edge node to a subring one is the comm...

Page 906: ...he secondary port and sends the Common Flush packet to tell all transit nodes to refresh their respective MAC address FDB and ARP table Ring recovery The master node may detect that the ring has recov...

Page 907: ...atus and the master node sends the Complete Flush message through the primary port to request the transit node to update the FDB and unblock the temporarily blocked port After the transit node receive...

Page 908: ...exist between each pair of rings In this case only one RRPP domain is to be defined in which one ring must be defined as the primary ring and the rest as subrings RRPP on 3Com Switch 7750 Family To em...

Page 909: ...s have been configured as trunk ports All ports allow data VLAN packets to pass And STP has been disenabled on all the ports connecting the Ethernet rings Master Node Configuration Tasks The following...

Page 910: ...ter Node Configuration Example Network requirements Define the switch as a node in RRPP domain 1 Define VLAN 4092 as the control VLAN Define the switch as the master node on primary ring 1 in RRPP dom...

Page 911: ...te an RRPP domain and enter RRPP domain view rrpp domain domain id Required The command prompt of RRPP domain view depends on the domain id you input Specify a control VLAN for the RRPP domain control...

Page 912: ...unique in the same RRPP domain Transit Node Configuration Example Network requirements Define the switch as a node in RRPP domain 1 Define VLAN 4092 as the control VLAN Define the switch as a transit...

Page 913: ...depends on the domain id you input Specify a control VLAN for the RRPP domain control vlan vlan id Required Specify the current switch as a transit node of the primary ring and specify the primary por...

Page 914: ...CAUTION Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports All ports allow data VLAN packets to pass And STP has been disenabled on all the ports connec...

Page 915: ...ntrol VLAN for the RRPP domain control vlan vlan id Required Specify the current switch as a transit node of the primary ring and specify the primary port and the secondary port ring ring id node mode...

Page 916: ...CAUTION Make sure that the switch ports connecting the Ethernet rings have been configured as trunk ports All ports allow data VLAN packets to pass And STP has been disenabled on all the ports connect...

Page 917: ...control vlan 4092 SW7750 rrpp domain 1 ring 1 node mode master primary port GigabitE thernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 1 enable SW7750 rrpp domain 1 q...

Page 918: ...Switch B Switch C and Switch D constitute primary ring 1 Switch B Switch C and Switch E form the subring 2 Switch A serves as the master node of the primary ring GigabitEthernet2 0 1 as the primary po...

Page 919: ...SW7750 rrpp domain 1 control vlan 4092 SW7750 rrpp domain 1 ring 1 node mode transit primary port Gigabit Ethernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 2 node mod...

Page 920: ...Gigabit Ethernet2 0 1 secondary port GigabitEthernet2 0 2 level 0 SW7750 rrpp domain 1 ring 1 enable SW7750 rrpp domain 1 quit SW7750 rrpp enable Configure Switch E SW7750 system view SW7750 rrpp doma...

Page 921: ...gment where the next hop of the default route resides through enabling default route Telnet protection By default default route Telnet protection is disabled Before configuring Telnet protection you n...

Page 922: ...ction or special ARP Telnet protection attack protection ip address Required If you use this command with the ip address parameter you can protect the specified Layer 3 interfaces Table 712 Configure...

Page 923: ...sists of two member ports one master port and one slave port Normally only one port master or slave is active and the other port is blocked that is in the standby state When link failure occurs on the...

Page 924: ...he device Switch A in Figure 256 broadcasts flush messages in this control VLAN Control VLAN for receiving flush messages This control VLAN is used for receiving and processing flush messages When lin...

Page 925: ...port does not come into the forwarding state until the next link switching Configuring Smart Link n Before configuring a member port of a Smart Link group you must Disable the port to avoid loops thu...

Page 926: ...Configure Smart Link with ports as the members of the Smart Link group Operation Command Remarks Enter system view system view Create a Smart Link group and enter Smart Link group view smart link gro...

Page 927: ...an associated device is different than the one for sending flush messages configured on the corresponding Smart Link device the device will forward received flush messages without processing them 9 I...

Page 928: ...itch Switch C Switch D and Switch E support Smart Link Configure Smart Link feature to provide remote PCs with reliable access to the server Network diagram Figure 258 Network diagram for Smart Link c...

Page 929: ...Ethernet2 0 1 as the master port and Ethernet2 0 2 as the slave port for Smart Link group 1 SwitchA smlk group1 port Ethernet 2 0 1 master SwitchA smlk group1 port Ethernet 2 0 2 slave Configure to s...

Page 930: ...lush messages received from VLAN 1 on Switch E Enter system view SwitchE system view Enable the function of processing flush messages received from VLAN 1 on Ethernet 2 0 2 and Ethernet 2 0 3 SwitchE...

Page 931: ...tor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 259 Network diagram for a Monitor Link group implementation As shown...

Page 932: ...or Link group and Monitor Link group detects that the link for the uplink port Ethernet2 0 1 fails all the downlink ports in the group are shut down therefore Ethernet2 0 3 on Switch C is blocked Now...

Page 933: ...oup group id Required Table 721 Configure the uplink port Operation Command Remarks Enter system view system view Enter the specified Monitor Link group view monitor link group group id Configure the...

Page 934: ...onitor Link Configuration Example Implementing Collaboration Between Smart Link and Monitor Link Network requirements As shown in Figure 261 the PCs access the server and Internet through the switch C...

Page 935: ...nter Ethernet port view Disable STP on Ethernet2 0 1 and Ethernet2 0 2 SwitchA interface Ethernet 2 0 1 SwitchA Ethernet2 0 1 stp disable SwitchA Ethernet2 0 1 quit SwitchA interface Ethernet 2 0 2 Sw...

Page 936: ...nitor link group 1 Configure Ethernet2 0 1 as the uplink port of the Monitor Link group and Ethernet2 0 2 and Ethernet2 0 3 as the downlink ports SwitchC mtlk group1 port Ethernet 2 0 1 uplink SwitchC...

Page 937: ...t ROM You need also to confirm the upgrade operation in the upgrade process Boot ROM Upgrade Configuration Example Network requirements Use the current startup file to upgrade the Boot ROMs of all nor...

Page 938: ...hrough negotiation to improve the adaptability and stability This mode is based on the corresponding Ethernet standards By default the Fabric and the service modules in a Switch 7750 Ethernet switch n...

Page 939: ...number of times the Fabric fails to receive handshake packets exceeds the upper limit Monitoring Internal Channel Configuration Configuring Switch Chip Auto reset Introduction In actual application a...

Page 940: ...ied module When the CPU usage of the module in the specified slot exceeds the configured threshold the switch sends trap messages and log messages to the network administrator If you set CPU threshold...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands