
1 QoS Configuration

- The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device may vary.

Overview

Introduction to QoS

Quality of service (QoS) is a concept that generally applies wherever a service is supplied and demanded. It evaluates the ability of the service to meet the needs of its customers. Generally, the evaluation does not aim at a precise grade; its purpose is to analyze the conditions under which the service is at its best and the conditions under which the service still needs improvement, and then to improve the specified aspects.

In an internet, QoS evaluates the ability of the network to deliver packets. QoS can be evaluated from different aspects because the network provides various services. Generally speaking, QoS is the evaluation of the service's ability to support core requirements such as delay, jitter, and packet loss ratio in packet delivery.

Traditional Packet Forwarding Service

In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. The network resources allocated to packet forwarding are determined by the order in which packets arrive. All packets share the resources of the network, and the resources available to a packet depend completely on the time it arrives. This service policy is known as best-effort: it delivers packets to their destination with the best effort, with no assurance or guarantee for delivery delay, jitter, packet loss ratio, reliability, and so on.

The traditional best-effort service policy is only suitable for applications insensitive to bandwidth and delay, such as WWW, file transfer, and E-mail.
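The best-effort FIFO behaviour described above, together with the delay, jitter and loss metrics the introduction names, modelled in an added Python example that is not part of the 3Com manual: one output port with a six-packet buffer serves a constructed voice-like flow and a bulk burst in arrival order, and then, going one step beyond this fragment of the chapter, under a strict-priority scheduler to show what a QoS mechanism changes. The traffic pattern, packet sizes and buffer depth are constructed assumptions.

```python
"""Added illustration (not from the 3Com manual): a tick-based model of one
output port shared by a delay-sensitive flow and a bulk flow.  It reports the
three QoS metrics the chapter names (delay, jitter, packet loss ratio) for
best-effort FIFO service and, as a contrast, for a strict-priority scheduler.
All traffic and the link rate are constructed for the example."""
from dataclasses import dataclass


@dataclass
class Packet:
    flow: str       # "voice" (delay-sensitive) or "bulk"
    arrival: int    # tick at which the packet reaches the port
    size: int       # transmission time in ticks (the link serves 1 unit/tick)


def fifo(queue):
    """Best-effort: serve strictly in arrival order."""
    return queue.pop(0)


def strict_priority(queue, high="voice"):
    """Serve a waiting packet of the high-priority flow first, else FIFO."""
    for idx, p in enumerate(queue):
        if p.flow == high:
            return queue.pop(idx)
    return queue.pop(0)


def simulate(packets, queue_limit, scheduler):
    """Run a single-server queue with a shared buffer of queue_limit packets.
    Returns (delays, drops): delays maps flow -> list of per-packet delays
    (departure tick minus arrival tick); drops maps flow -> tail-drop count."""
    pending = sorted(packets, key=lambda p: p.arrival)
    queue, delays, drops = [], {}, {}
    in_service, service_end, t, i = None, 0, 0, 0
    while i < len(pending) or queue or in_service is not None:
        # 1. a packet whose transmission ends at this tick leaves the port
        if in_service is not None and t >= service_end:
            delays.setdefault(in_service.flow, []).append(service_end - in_service.arrival)
            in_service = None
        # 2. packets arriving at this tick join the buffer or are tail-dropped
        while i < len(pending) and pending[i].arrival == t:
            p = pending[i]
            i += 1
            if len(queue) >= queue_limit:
                drops[p.flow] = drops.get(p.flow, 0) + 1
            else:
                queue.append(p)
        # 3. an idle link picks the next packet according to the scheduler
        if in_service is None and queue:
            in_service = scheduler(queue)
            service_end = t + in_service.size
        t += 1
    return delays, drops


def qos_metrics(delays, drops, flow, offered):
    """Average delay, peak-to-peak jitter, and loss ratio for one flow."""
    d = delays.get(flow, [])
    avg = sum(d) / len(d) if d else 0.0
    jitter = (max(d) - min(d)) if d else 0
    loss = drops.get(flow, 0) / offered
    return avg, jitter, loss


# Constructed traffic: a voice-like flow sends one 1-tick packet every 4
# ticks; a bulk transfer dumps a burst of eight 5-tick packets at tick 2.
VOICE = [Packet("voice", t, 1) for t in range(0, 40, 4)]
BULK = [Packet("bulk", 2, 5) for _ in range(8)]
TRAFFIC = VOICE + BULK
BUFFER = 6   # packets the output queue can hold (constructed value)


def run(scheduler):
    """Voice-flow (avg delay, jitter, loss ratio) under the given scheduler."""
    delays, drops = simulate(TRAFFIC, BUFFER, scheduler)
    return qos_metrics(delays, drops, "voice", len(VOICE))


if __name__ == "__main__":
    for name, sched in (("FIFO (best-effort)", fifo), ("strict priority", strict_priority)):
        avg, jitter, loss = run(sched)
        print(f"{name:20s} voice avg delay {avg:5.2f}  jitter {jitter:2d}  loss {loss:.0%}")
```

Under FIFO the bulk burst sits in front of every voice packet that arrives during it, so voice delay and jitter balloon and two voice packets are tail-dropped; the priority scheduler leaves the bulk flow slower but keeps the voice flow within a few ticks.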

New Applications and New Requirements

With the expansion of computer networks, more and more networks become part of the Internet. The Internet has developed rapidly in terms of scale, coverage, and user numbers. More and more users use the Internet as a platform for their services and for data transmission.

Besides the traditional applications such as WWW, E-mail, and FTP, new services have been developed on the Internet, such as tele-education, telemedicine, video telephone, videoconference and

3Com WX3000 Series Unified Switches Switching Engine Operation Manual, Manual Version 6W100, 3Com Corporation, 350 Campus Drive, Marlborough, MA, USA 01752-3064, www.3com.com

Page 2: ...rcial license for the Software Technical data is provided with limited rights only as provided in DFAR 252 227 7015 Nov 1995 or FAR 52 227 14 June 1987 whichever is applicable You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in or delivered to you in conjunction with this User Guide Unless otherwise indicated 3Com registered tr...

Page 3: ...oduces link aggregation and the related configuration 10 Port Isolation Introduces port isolation and the related configuration 11 Port Security Port Binding Introduces port security port binding and the related configuration 12 DLDP Introduces DLDP and the related configuration 13 MAC Address Table Management Introduces MAC address forwarding table management 14 MSTP Introduces STP and the relate...

Page 4: ...itor Link and the related configuration 36 PoE PoE Profile Introduces PoE PoE profile and the related configuration 37 Routing Protocol Introduces the static route RIP and IP route policy configurations 38 UDP Helper Introduces UDP Helper and the related configuration 39 Appendix Lists the acronyms used in this manual Conventions The manual uses the following conventions Command conventions Conven...

Page 5: ...e documentation set includes the following Manual Description 3Com WX3000 Series Unified Switches Installation Manual It introduces the installation process startup hardware and software maintenance of WX3000 Series unified switches 3Com WX3000 Series Unified Switches Switching Engine Command Manual Elaborates on the operation commands for WX3000 series unified switches switching engines It covers...

Page 6: ...ation Manual Introduces the Web based functions of the access control engine of WX3000 series unified switches access controller engines Obtaining Documentation You can access the most up to date 3Com product documentation on the World Wide Web at this URL http www 3com com ...

Page 7: ...roduction to the CLI 1 1 Command Hierarchy 1 1 Switching User Levels 1 2 Setting the Level of a Command in a Specific View 1 3 CLI Views 1 4 CLI Features 1 7 Online Help 1 7 Terminal Display 1 8 Command History 1 8 Error Prompts 1 9 Command Edit 1 9 ...

Page 8: ...istory function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will use partially matching method to search for commands This allows users to execute a command by entering partially spelled command keywords as long as the keywords entered can be uniquely identified by the system Command Hierarchy The dev...

Page 9: ...ll remain at their original levels z If no switching password is set for a specific user level the Console user can directly switch to the level while the Telnet users at lower levels will fail to switch to the level they will remain at their original levels and the information like the following will be displayed Password is not set Setting a user level switching password Follow these steps to se...

Page 10: ... a Specific View Setting the level of a command in a specific view Commands fall into four levels visit level 0 monitor level 1 system level 2 and manage level 3 By using the following command the administrator can change the level of a command in a specific view as required Follow these steps to set the level of a command output description in a specific view To do Use the command Remarks Enter s...

Page 11: ...once a user logs into a device successfully the user enters user view where the user can perform some simple operations such as checking the operation status and statistics information of the device After executing the system view command the user enters system view where the user can go to other views by entering corresponding commands Table 1 1 lists the CLI views provided by the device operatio...

Page 12: ...ew Configure local user parameters device luser user 1 Execute the local user command in system view User interface view Configure user interface parameters device ui aux0 Execute the user interface aux command in system view FTP client view Configure FTP client parameters ftp Execute the ftp command in user view SFTP client view Configure SFTP client parameters sftp client Execute the sftp comman...

Page 13: ...ofile command in system view RADIUS scheme view Configure RADIUS scheme parameters device radius 1 Execute the radius scheme command in system view ISP domain view Configure ISP domain parameters device isp aaa123 net Execute the domain command in system view HWPing view Configure HWPing parameters device hwping a1 23 a123 Execute the hwping command in system view HWTACA CS view Configure HWTACACS...

Page 14: ...e online help 1 Enter a question mark in any view on your terminal to display all the commands available in the view and their brief descriptions The following takes user view as an example device User view commands boot Set boot option cd Change current directory clock Specify the system clock cluster Run cluster command copy Copy from one file to another debugging Enable system debugging functio...

Page 15: ...irst several characters of a keyword of a command and then press Tab If there is a unique keyword beginning with the characters just typed the unique keyword is displayed in its complete form If there are multiple keywords beginning with the characters you can have them displayed one by one in complete form by pressing Tab repeatedly Terminal Display The CLI provides the screen splitting feature t...

Page 16: ...ou can use Ctrl P and Ctrl N instead to achieve the same purpose z When you enter the same command multiple times consecutively only one history command entry is created by the command line interface Error Prompts If a command passes the syntax check it will be successfully executed otherwise an error message will be displayed Table 1 4 lists the common error messages Table 1 4 Common error messag...

Page 17: ...ey or Ctrl F Move the cursor one character to the right Up arrow key or Ctrl P Down arrow key or Ctrl N Display history commands Tab Use the partial online help That is when you input an incomplete keyword and press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input paramete...

Page 18: ...tication Modes 3 2 Telnet Configuration with Authentication Mode Being None 3 3 Configuration Procedure 3 3 Configuration Example 3 4 Telnet Configuration with Authentication Mode Being Password 3 5 Configuration Procedure 3 5 Configuration Example 3 6 Telnet Configuration with Authentication Mode Being Scheme 3 7 Configuration Procedure 3 7 Configuration Example 3 10 Telnetting to the Switching E...

Page 19: ... by Source and Destination IP Addresses 7 2 Controlling Telnet Users by Source MAC Addresses 7 3 Configuration Example 7 3 Controlling Network Management Users by Source IP Addresses 7 4 Prerequisites 7 4 Controlling Network Management Users by Source IP Addresses 7 4 Configuration Example 7 5 Controlling Web Users by Source IP Address 7 5 Prerequisites 7 6 Controlling Web Users by Source IP Addre...

Page 20: ...AUX port and the console port of the device are the same port referred to as console port in the following part You will be in the AUX user interface if you log in through this port The device supports two types of user interfaces AUX and VTY z AUX user interface A view when you log in through the console port z Virtual type terminal VTY user interface A view when you log in through VTY VTY port i...

Page 21: ...re common user interface To do Use the command Remarks Lock the current user interface lock Optional Execute this command in user view A user interface is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Free a user interface free user interface type number Optional Execute this c...

Page 22: ... user interfaces display users all Display the physical attributes and configuration of the current a specified user interface display user interface type number number Display the information about the current web users display web users Optional You can execute the display command in any view ...

Page 23: ...he access control engine Then you can log in to the switching engine 1 Execute the oap connect slot 0 command in user view of the access control engine to log in to the switching engine device oap connect slot 0 Connected to OAP 2 Press Enter to enter user view of the switching engine device_LSW z To distinguish between the access control engine and the switching engine the name of the switching e...

Page 24: ...ed by default Configuring the Management IP Address of the OAP Software System on the Switching Engine 1 Configure the management IP address of the OAP software system on the switching engine side device_LSW system view device_LSW interface vlan interface 1 device_LSW Vlan interface1 ip address 192 168 0 2 24 Press Ctrl K to return to the command line operating interface of the access control engi...

Page 25: ...s to reset the OAP software system To do Use the command Remarks Reset the OAP software system oap reboot slot 0 Required Available in user view The reset operation may cause data loss and service interruption Therefore before resetting the OAP software system you need to save the data on the operating system to avoid service interruption and hardware data loss ...

Page 26: ...mance Operation and Routing Protocol parts for more Switching engine The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the VLAN of the switching engine is available Common Configuration Table 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Description Configure...

Page 27: ...rform common Telnet configuration Optional Refer to Table 3 2 Configure the password Configure the password for local authentication Required Password Perform common configuration Perform common Telnet configuration Optional Refer to Table 3 2 Specify to perform local authentication or remote RADIUS authentication AAA configuration specifies whether to perform local authentication or RADIUS authen...

Page 28: ...user interface views user interface vty first number last number Configure not to authenticate users logging in to VTY user interfaces authentication mode none Required By default VTY users are authenticated after logging in Configure the command level available to users logging in to VTY user interface user privilege level level Optional By default commands of level 0 are available to users loggi...

Page 29: ...e switching engine depends on the user privilege level level command Configuration Example Network requirements As shown in Figure 3 1 assume current user logs in using the oap connect slot 0 command and the user level is set to the manage level level 3 Perform the following configurations for users logging in through VTY 0 using Telnet z Do not authenticate the users z Commands of level 2 are ava...

Page 30: ...cal password authentication mode password Required Set the local password set authentication password cipher simple password Required Configure the command level available to users logging in to the user interface user privilege level level Optional By default commands of level 0 are available to users logging in to VTY user interface Configure the protocol to be supported by the user interface pr...

Page 31: ...vel level command Configuration Example Network requirements As shown in Figure 3 2 assume current user logs in using the oap connect slot 0 command and the user level is set to the manage level level 3 Perform the following configurations for users logging in to VTY 0 using Telnet z Authenticate users using the local password z Set the local password to 123456 in plain text z Commands of level 2 ...

Page 32: ...fault ISP domain view domain domain name Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtacacs scheme hwtacacs scheme name local Configure the authenticati on scheme Quit to system view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concernin...

Page 33: ...ell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history command max size value Optional The default h...

Page 34: ... user privilege level level command is not executed and the service type command specifies the available command level Level 0 The user privilege level level command is executed and the service type command does not specify the available command level VTY users that are authenticated in the RSA mode of SSH The user privilege level level command is executed and the service type command specifies th...

Page 35: ...nes z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme RS 232 serial interface Console port PC Console cable Switching engine Configuration procedure Enter system view device system view Create a local user named guest and enter local user view device local u...

Page 36: ...rol engine of the device VLAN 1 is the default VLAN of the access control engine z Connect the serial port of your PC terminal to the console port of the device as shown in Figure 3 4 Figure 3 4 Diagram for establishing connection to a console port z Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on t...

Page 37: ...engine and the switching engine the name of the switching engine is changed to device_LSW here In fact the default name of the switching engine is device 2 Perform Telnet related configuration on the switching engine For details refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication...

Page 38: ... or modify the IP address of the VLAN interface in the Telnet session z By default commands of level 0 are available to Telnet users authenticated by password For the command hierarchy and command views refer to CLI Operation in this manual Telnetting to the Switching Engine from the Access Control Engine You can Telnet to the switching engine from the access control engine In this case the access...

Page 39: ...ess or the host name of the access control engine operating as the Telnet server You can use the ip host to assign a host name to the access control engine 4 After successful login the CLI prompt such as device appears If all the VTY user interfaces of the switching engine are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try...

Page 40: ...e you need to perform the related configuration on both the switching engine and the PC operating as the network management terminal Table 4 1 Requirements for logging in to the switching engine from the Web based network management system Item Requirement The VLAN interface of the switching engine is assigned an IP address and the route between the switching engine and the Web network management ...

Page 41: ...is the default VLAN of the switching engine and create a user account for the login user Assign an IP address to the switching engine device system view device interface Vlan interface 1 device Vlan interface1 ip address 192 168 0 101 24 device Vlan interface1 quit Create a Web user account setting both the user name and the password to admin and the user level to 3 manage level device local user ...

Page 42: ...me and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 4 3 The login page of the Web based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displayed before the user login authenticatio...

Page 43: ...engine through Web z The banner page is desired when a user logs in to the switching engine Figure 4 4 Network diagram for login banner configuration Configuration Procedure Enter system view device system view Configure the banner Welcome to be displayed when a user logs in to the switching engine through Web device header login Welcome Assume that a route is available between the user terminal t...

Page 44: ...erver To do Use the command Remarks Enter system view system view Enable the Web server ip http shutdown Required By default the Web server is enabled Disable the Web server undo ip http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web server by using the...

Page 45: ...S and the switching engine Table 5 1 Requirements for logging in to the switching engine from an NMS Item Requirement The IP address of the VLAN interface of the switching engine is configured The route between the NMS and the switching engine is reachable Refer to IP Address and Performance Operation and Routing Protocol parts for related information Switching engine The basic SNMP functions are ...

Page 46: ...users can log in to the switching engine Configuring Source IP Address for Telnet Service Packets This feature can be configured in either user view or system view The configuration performed in user view takes effect for only the current session while the configuration performed in system view takes effect for all the following sessions Configuration in user view Follow these steps to configure a...

Page 47: ... source interface must already exist z A reachable route is available between the source IP address or the source interface specified for the Telnet server or client and the Telnet client or server Displaying Source IP Address Configuration To do Use the command Remarks Display the source IP address configured for the Telnet client display telnet source ip Display the source IP address configured ...

Page 48: ... MAC Addresses SNMP By source IP addresses Through basic ACLs Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACLs Controlling Web Users by Source IP Address WEB Disconnect Web users by force By executing commands at CLI Disconnecting a Web User by Force Controlling Telnet Users Prerequisites The controlling policy against Telnet users is determined...

Page 49: ...stination IP addresses is achieved by applying advanced ACLs which are numbered from 3000 to 3999 Follow these steps to control Telnet users by source and destination IP addresses To do Use the command Remarks Enter system view system view Create an advanced ACL or enter advanced ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by...

Page 50: ...ew quit Enter user interface view user interface type first number last number Apply the ACL to control Telnet users by specified source MAC addresses acl acl number inbound Required By default no ACL is applied for Telnet users Configuration Example Network requirements As shown in Figure 7 1 only the Telnet users sourced from the IP address of 10 110 100 52 are permitted to access the switching ...

Page 51: ... ACL or enter basic ACL view acl number acl number match order config auto Required As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name mib view view name acl acl number Optional B...

Page 52: ... name Configuration Example Network requirements As shown in Figure 7 2 only SNMP users sourced from the IP addresses of 10 110 100 52 are permitted to log in to the switching engine Figure 7 2 Network diagram for controlling SNMP users using ACLs Configuration procedure Define a basic ACL device system view device acl number 2000 device acl basic 2000 rule 1 permit source 10 110 100 52 0 device a...

Page 53: ...nd the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL to control Web users ip http acl acl number Optional By default no ACL is applied for Web users Disconnecting a Web User by Force The administrator can disconnect a Web user by force using the related commands Follow these steps to disconnect a...

Page 54: ...em view device acl number 2030 device acl basic 2030 rule 1 permit source 10 110 100 52 0 device acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switching engine device ip http acl 2030 ...

Page 55: ...ntroduction to Configuration File 1 1 Management of Configuration File 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Next Startup 1 4 Displaying and Maintaining Device Configuration 1 5 ...

Page 56: ...on default configuration settings z The commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are listed in this order system configuration section logical interface configuration section physical port configuration...

Page 57: ...up configuration file exists the device initializes with the backup configuration 3 If neither the main nor the backup configuration file exists the device starts up without loading the configuration file Management of Configuration File Complete the following tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration F...

Page 58: ...n attribute configuration file in the device z Backup attribute When you use the save safely backup command to save the current configuration the configuration file you get has backup attribute If this configuration file already exists and has main attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existin...

Page 59: ...the device Specifying a Configuration File for Next Startup Follow the step below to specify a configuration file for next startup To do Use the command Remarks Specify a configuration file for next startup startup saved configuration cfgfile backup main Required Available in user view You can specify a configuration file to be used for the next startup and configure the main backup attribute for ...

Page 60: ...uration unit unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type i...

Page 61: ... Protocol Based VLAN 1 7 2 VLAN Configuration 2 1 VLAN Configuration 2 1 Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying and Maintaining VLAN 2 2 Configuring a Port Based VLAN 2 3 Configuring a Port Based VLAN 2 3 Protocol Based VLAN Configuration Example 2 3 Configuring a Protocol Based VLAN 2 5 Configuration Task List 2 5 Configuring a P...

Page 62: ... inbound port of the packet The above scenarios could result in the following network problems z Large quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the abov...

Page 63: ...kgroup spanning physical network segments When the physical position of a host changes within the range of the virtual workgroup the host can access the network without changing its network configuration How VLAN Works VLAN tag VLAN tags in the packets are necessary for a switch to identify packets of different VLANs A switch works at the data link layer of the OSI model Layer 3 switches are not d...

Page 64: ...t The value is 0 by default z VLAN ID is a 12 bit field indicating the ID of the VLAN to which this packet belongs It is in the range of 0 to 4 095 Generally 0 and 4 095 is not used so the field is in the range of 1 to 4 094 The frame format here takes the Ethernet II encapsulation as an example Ethernet also supports 802 2 802 3 encapsulation where VLAN tag is also encapsulated after the DA and S...

Page 65: ...AN interfaces configuration to forward packets in Layer 3 VLAN interface is a virtual interface in Layer 3 mode used to realize the layer 3 communication between different VLANs and does not exist on a switch as a physical entity Each VLAN has a VLAN interface which can forward packets of the local VLAN to the destination IP addresses at the network layer Normally since VLANs can isolate broadcast...

Page 66: ...facilitate management and maintenance Encapsulation Format of Ethernet Data This section introduces the common encapsulation formats of Ethernet data for you to understand well the procedure for the switch to identify the packet protocols Ethernet II and 802 2 802 3 encapsulation Mainly there are two encapsulation types of Ethernet packets Ethernet II and 802 2 802 3 defined by RFC 894 and RFC 104...

Page 67: ...P 1 Control 1 The DSAP field and the SSAP field in the 802 2 LLC encapsulation are used to identify the upper layer protocol For example if the two fields are both 0xE0 the upper layer protocol is IPX protocol z 802 2 sub network access protocol SNAP encapsulation encapsulates packets according to the 802 3 standard packet format including the length DSAP SSAP control organizationally unique ident...

Page 68: ... 3 encapsulation Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap value 802 2 LLC encapsulation Match the type value 802 3 raw encapsulation 0x05DD to 0x05FF 0x0600 to 0xFFFF 0 to 0x05DC Value is not 3 Value is 3 Both are AA Both are FF Other values Encapsulation Formats Table 1 1 lists the encapsulation formats supported by some pro...

Page 69: ...rotocol template you must add a port to the protocol based VLAN and associate this port with the protocol template This port will add VLAN tags to the packets based on protocol types The port in the protocol based VLAN must be connected to a client However a common client cannot process VLAN tagged packets In order that the client can process the packets out of this port you must configure the por...

Page 70: ...t VLAN VLAN 1 Assign a name for the current VLAN name text Optional By default the name of a VLAN is its VLAN ID VLAN 0001 for example Specify the description string of the current VLAN description text Optional By default the description string of a VLAN is its VLAN ID VLAN 0001 for example z VLAN 1 is the system default VLAN which needs not to be created and cannot be removed either z The VLAN y...

Page 71: ...erface shutdown Enable the VLAN Interface undo shutdown Optional By default the VLAN interface is enabled In this case the VLAN interface s status is determined by the status of the ports in the VLAN that is if all ports of the VLAN are down the VLAN interface is down disabled if one or more ports of the VLAN are up the VLAN interface is up enabled If you disable the VLAN interface the VLAN interf...

Page 72: ...nd or the port hybrid vlan command in Ethernet port view For the configuration procedure refer to the section of configuring Ethernet ports in the Port Basic Configuration part of the manual Protocol Based VLAN Configuration Example Network requirements z As shown in Figure 2 1 Switch A and Switch B each connect to a server and a workstation PC z For data security concerns the two servers are assi...

Page 73: ...nd add GigabitEthernet 1 0 12 to VLAN 201 SwitchB vlan 201 SwitchB vlan201 port GigabitEthernet 1 0 12 SwitchB vlan201 quit z Configure the link between Switch A and Switch B Because the link between Switch A and Switch B need to transmit data of both VLAN 101 and VLAN 102 you can configure the ports at the end of the link as trunk ports and permit packets of the two VLANs to pass through Configur...

Page 74: ...Template for a Protocol-Based VLAN. Configuration prerequisites: Create a VLAN before configuring the VLAN as a protocol-based VLAN. Configuration procedure: Follow these steps to configure the protocol template for a VLAN. To do / Use the command / Remarks: Enter system view: system-view. Enter VLAN view: vlan vlan-id. Configure the protocol template for the VLAN: protocol-vlan protocol-index { at | ip | ipx | ethernet...

Page 75: ...set both the dsap-id and ssap-id arguments to 0xFF, 0xE0, or 0xAA.
• When you use the mode keyword to configure a user-defined protocol template, if you set the etype-id argument for ethernetii or snap packets to 0x0800, 0x809B, or 0x8137, the matching packets will take the same format as that of the IP, IPX, and AppleTalk packets respectively. To prevent two commands from processing packets of the same pro...

Page 76: ...l-vlan interface { interface-type interface-number [ to interface-type interface-number ] | all }. Available in any view. Protocol-Based VLAN Configuration Example. Network requirements:
• As shown in Figure 2-2, Workroom connects to the LAN through port GigabitEthernet 1/0/10 on the switch.
• IP network and AppleTalk network workstations (hosts) coexist in the Workroom.
• The switch connects to VLAN 100 using IP ne...

Page 77: ...ates.
[device-vlan100] display protocol-vlan vlan all
VLAN ID: 100
VLAN Type: Protocol-based VLAN
Protocol Index    Protocol Type
0                 ip
1                 ethernetii etype 0x0806
VLAN ID: 200
VLAN Type: Protocol-based VLAN
Protocol Index    Protocol Type
0                 at
Configure GigabitEthernet 1/0/10 as a hybrid port, which removes the VLAN tag of the packets of VLAN 100 and VLAN 200 before forwarding the packets.
[device-vlan100] quit
[devi...

Page 78: ... already been associated with the corresponding protocol templates of VLAN 100 and VLAN 200. Thus, packets from the IP and AppleTalk workstations can be automatically assigned to VLAN 100 and VLAN 200 respectively for transmission by matching the corresponding protocol templates, so as to realize normal communication between the workstations and the servers. ...

Page 79: ... Detect Basic Configuration 1-2; Auto Detect Implementation in Static Routing 1-3; Auto Detect Implementation in VLAN Interface Backup 1-3; Auto Detect Configuration Examples 1-4; Configuration Example for Auto Detect Implementation in Static Routing 1-4; Configuration Example for Auto Detect Implementation in VLAN Interface Backup 1-5 ...

Page 80: ...ly packets to test network connectivity regularly. The detected object of the Auto Detect function is a detected group, which is a set of IP addresses. To check the reachability to a detected group, a device enabled with Auto Detect sends ICMP requests to the group and waits for the ICMP replies from the group based on the user-defined policy, which includes the number of ICMP requests and the timeout ...

Page 81: ...IP addresses in the group: option { and | or }. Optional. By default, the and keyword is specified. Set an interval between detecting operations: timer loop interval. Optional. By default, the detecting interval is 15 seconds. Set the number of ICMP requests during a detecting operation: retry retry-times. Optional. By default, the number is 2. Set a timeout waiting for an ICMP reply: timer wait seconds. Optional. By def...

Page 82: ...up. When data can be transmitted through two VLAN interfaces on the device to the same destination, configure one of the VLAN interfaces as the active interface and the other as the standby interface. The standby interface is enabled automatically when the active one fails, so as to ensure the data transmission. In this case, the Auto Detect function is implemented as follows:
• In normal situations, that is, w...

Page 83: ... group 8 is reachable.
• To ensure normal operation of the auto detect function, configure a static route to Switch A on Switch C.
Figure 1-1 Network diagram for implementing the auto detect function in static route
Configuration procedure: Configure the IP addresses of all the interfaces as shown in Figure 1-1. The configuration procedure is omitted.
• Configure Switch A. Enter system view.
<SwitchA> syste...

Page 84: ...ce backup.
[Figure 1-2 Network diagram for auto detect in VLAN interface backup: Switch A, Switch B, Switch C and Switch D, each with Vlan-int1 and Vlan-int2; interface addresses shown are 192.168.1.1/24, 192.168.1.2/24, 192.168.2.1/24, 192.168.2.2/24, 10.1.1.3/24, 10.1.1.4/24, 20.1.1.3/24 and 20.1.1.4/24]
Configuration procedure: Configure the IP addresses of all the interfaces as shown in Figure 1-2. The configuration procedure is omitted. Enter system view.
<SwitchA> syste...

Page 85: ...LAN on Various Ports 1-4; Security Mode of Voice VLAN 1-5; Voice VLAN Configuration 1-6; Configuration Prerequisites 1-6; Configuring a Voice VLAN to Operate in Automatic Mode 1-6; Configuring a Voice VLAN to Operate in Manual Mode 1-7; Displaying and Maintaining Voice VLAN 1-9; Voice VLAN Configuration Example 1-9; Voice VLAN Configuration Example (Automatic Mode) 1-9; Voice VLAN Configuration Example (Manua...

Page 86: ...unction with other voice devices, IP phones can offer large-capacity and low-cost voice communication solutions. As network devices, IP phones need IP addresses to operate properly in a network. Normally, an IP telephone automatically acquires an IP address from a DHCP server in its network. When an IP phone applies for an IP address from a DHCP server, the IP phone can also apply for the following exten...

Page 87: ...ckets in the default VLAN of the port the IP phone is connected to. In this case, you need to manually configure the default VLAN of the port as a voice VLAN. In cases where an IP phone obtains an IP address from a DHCP server that does not support Option 184, the IP phone directly communicates through the gateway after it obtains an IP address. It does not go through step 2 and step 3 described below. ...

Page 88: ...ure OUI addresses for voice packets or specify to use the default OUI addresses. An OUI address is a globally unique identifier assigned to a vendor by IEEE. You can determine which vendor a device belongs to according to the OUI address, which forms the first 24 bits of a MAC address. The WX3000 supports OUI address mask configuration. You can adjust the matching depth of MAC address by setting differ...

Page 89: ...LAN IDs, whether the automatic or manual mode is used.
• If the voice traffic transmitted by an IP voice device carries VLAN tags, and 802.1x authentication and guest VLAN are enabled on the port which the IP voice device is connected to, assign different VLAN IDs for the voice VLAN, the default VLAN of the port, and the 802.1x guest VLAN to ensure the effective operation of these functions.
• If the voic...

Page 90: ...d. Make sure the default VLAN of the port exists and is not a voice VLAN, and the access port permits the traffic of the default VLAN. Tagged voice traffic: Hybrid: Supported. Make sure the default VLAN of the port exists and is in the list of the tagged VLANs whose traffic is permitted by the access port. Access: Supported. Make sure the default VLAN of the port is a voice VLAN. Trunk: Supported. Make sure t...

Page 91: ...t port view: interface interface-type interface-number. Required. Enable the voice VLAN function on a port: voice vlan enable. Required. By default, voice VLAN is disabled. Enable the voice VLAN legacy function on the port: voice vlan legacy. Optional. By default, voice VLAN legacy is disabled. Set the voice VLAN operation mode on a port to automatic: voice vlan mode auto. Optional. The default voice VLAN operati...

Page 92: ...l. Without this address, the default OUI address is used. Enable the voice VLAN security mode: voice vlan security enable. Optional. By default, the voice VLAN security mode is enabled. Set the aging time for a voice VLAN: voice vlan aging minutes. Optional. The default aging time is 1,440 minutes. Enable the voice VLAN function globally: voice vlan vlan-id enable. Required. Enter port view: interface interface-t...

Page 93: ...be enabled on this port. You can use the display voice vlan error-info command to locate such ports.
• When a voice VLAN operates in security mode, the device in it permits only the packets whose source addresses are the identified voice OUI addresses. Packets whose source addresses cannot be identified, including certain authentication packets such as 802.1x authentication packets, will be dropped. Ther...

Page 94: ... to join or exit the voice VLAN automatically, and voice traffic to be transmitted within the voice VLAN, as shown in Figure 1-2.
• Create VLAN 2 and configure it as a voice VLAN, with the aging time being 100 minutes.
• The IP phone sends tagged packets. It is connected to GigabitEthernet 1/0/1, a hybrid port with VLAN 6 being its default VLAN. Set this port to operate in automatic mode.
• You need to add...

Page 95: ...AN function on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice vlan enable
Voice VLAN Configuration Example (Manual Mode). Network requirements: Create a voice VLAN and configure it to operate in manual mode. Add the port to which an IP phone is connected to the voice VLAN to enable voice traffic to be transmitted within the voice VLAN, as shown in Figure 1-3.
• Create VLAN 2 and configure it as...

Page 96: ...y the port.
[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 2
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 2 untagged
Enable the voice VLAN function on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice vlan enable
Verification: Display the OUI addresses, the corresponding OUI address masks, and the corresponding description strings that the system supports.
[DeviceA] display voice vlan oui
Oui...

Page 97: ... 1; GVRP 1-4; Protocol Specifications 1-4; GVRP Configuration 1-4; Configuration Task List 1-4; Enabling GVRP 1-4; Configuring GVRP Timers 1-5; Configuring GVRP Port Registration Mode 1-6; Displaying and Maintaining GVRP 1-6; GVRP Configuration Example 1-7; GVRP Configuration Example 1-7 ...

Page 98: ...ed a GARP application entity. GARP messages and timers. 1) GARP messages: GARP members communicate with each other through the messages exchanged between them. The messages performing important functions for GARP fall into three types: Join, Leave, and LeaveAll.
• When a GARP entity wants its attribute information to be registered on other devices, it sends Join messages to these devices. A GARP entity also ...

Page 99: ...es out, so that other GARP entities can re-register all the attribute information on this entity. After that, the entity restarts the LeaveAll timer to begin a new cycle.
• The settings of GARP timers apply to all GARP applications, such as GVRP, on a LAN.
• Unlike the other three timers, which are set on a port basis, the LeaveAll timer is set in system view and takes effect globally.
• A GARP application enti...

Page 100: ...nd Attribute List. Attribute Type: Defined by the specific GARP application. The attribute type of GVRP is 0x01. Attribute List: It contains multiple attributes. Attribute: Each general attribute consists of three parts: Attribute Length, Attribute Event, and Attribute Value. Each LeaveAll attribute consists of two parts: Attribute Length and LeaveAll Event. Attribute Length: The length of the attribute, 2 to 25...

Page 101: ...vices. GVRP has the following three port registration modes, Normal, Fixed, and Forbidden, as described in the following:
• Normal: A port in this mode can dynamically register/deregister VLANs and propagate dynamic/static VLAN information.
• Fixed: A port in this mode cannot register/deregister VLANs dynamically. It only propagates static VLAN information. Besides, the port permits only static VLANs, that is, ...

Page 102: ...eAll timer: garp timer leaveall timer-value. Optional. By default, the LeaveAll timer is set to 1,000 centiseconds. Enter Ethernet port view: interface interface-type interface-number. Configure the Hold, Join, and Leave timers: garp timer { hold | join | leave } timer-value. Optional. By default, the Hold, Join, and Leave timers are set to 10, 20, and 60 centiseconds respectively. Note that:
• The setting of each timer mus...

Page 103: ...timeout time of the LeaveAll timer. LeaveAll: This lower threshold is greater than the timeout time of the Leave timer. You can change the threshold by changing the timeout time of the Leave timer. 32,765 centiseconds. Configuring GVRP Port Registration Mode: Follow these steps to configure GVRP port registration mode. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: inter...

Page 104: ... A. Enable GVRP globally.
<SwitchA> system-view
[SwitchA] gvrp
Configure GigabitEthernet 1/0/1 to be a trunk port and to permit the packets of all the VLANs.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan all
Enable GVRP on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] gvrp
[SwitchA-GigabitEthernet1/0/1] qui...

Page 105: ...chE-vlan5] quit
[SwitchE] vlan 7
[SwitchE-vlan7] quit
6) Display the VLAN information dynamically registered on Switch A, Switch B, and Switch E.
Display the VLAN information dynamically registered on Switch A.
[SwitchA] display vlan dynamic
Total 3 dynamic VLAN exist(s).
The following dynamic VLANs exist:
5, 7, 8
Display the VLAN information dynamically registered on Switch B.
[SwitchB] display vlan dynamic
Total 3 ...

Page 106: ...0/1 on Switch E to operate in forbidden GVRP registration mode, and display the VLAN registration information dynamically registered on Switch A, Switch B, and Switch E.
Configure GigabitEthernet 1/0/1 on Switch E to operate in forbidden GVRP registration mode.
[SwitchE-GigabitEthernet1/0/1] gvrp registration forbidden
Display the VLAN information dynamically registered on Switch A.
[SwitchA] display vlan d...

Page 107: ... Ratio 1-5; Enabling Flow Control on a Port 1-5; Configuring Access Port Attribute 1-6; Configuring Hybrid Port Attribute 1-6; Configuring Trunk Port Attribute 1-6; Disabling Up/Down Log Output on a Port 1-7; Copying Port Configuration to Other Ports 1-8; Configuring a Port Group 1-8; Setting Loopback Detection for an Ethernet Port 1-9; Configuring the Ethernet Port to Run Loopback Test 1-10; Enabling the S...

Page 108: ...00/1000Base-T autosensing Ethernet ports / 1000Base-X SFP ports / Extension slots:
WX3024: 24 / 4 / 2
WX3010: 8 / 2 / None
WX3008: 8 / None / None
Combo Ports Mapping Relations: An SFP port and its corresponding 10/100/1000Base-T autosensing Ethernet port form a Combo port. That is, only one of the two ports forming the Combo port can be used at a time. Table 1-2 shows the mapping relations between the ports forming the ...

Page 109: ...t only allows the packets of the default VLAN to be sent without tags. You can configure all the three types of ports on the same Ethernet switch. However, note that you cannot directly switch a port between trunk and hybrid, and you must set the port as access before the switching. For example, to change a trunk port to hybrid, you must first set it as access and then hybrid. Configuring the Default VLAN...

Page 110: ...r one of the VLAN IDs allowed to pass through the port, discard the packet.
• If the VLAN ID is just the default VLAN ID, deprive the tag and send the packet.
• If the VLAN ID is not the default VLAN ID, deprive the tag or keep the tag unchanged (whichever is done is determined by the port hybrid vlan vlan-id-list { tagged | untagged } command) and send the packet.
To guarantee the proper packet forwarding, the ...

Page 111: ...ss through the port.
• For a combo port, only after the optical interface has been configured with the shutdown command can the electrical interface be used, and vice versa.
• The speed and mdi commands are not available on the combo port.
• The mdi command is not available on the Ethernet ports of the expansion interface card.
Configuring Port Auto-Negotiation Speed: You can configure an auto-negotiatio...

Page 112: ...ic, so as to suppress broadcast storms, avoid network congestion, and ensure normal network services. You can execute the broadcast-suppression command in system view or Ethernet port view.
• If you execute the command in system view, the command takes effect on all ports.
• If you execute the command in Ethernet port view, the command takes effect only on the current port.
Follow these steps to set the Etherne...

Page 113: ...e specified VLAN: port access vlan vlan-id. Optional. Configuring Hybrid Port Attribute: Follow these steps to configure hybrid port attribute. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Set the link type for the port as hybrid: port link-type hybrid. Required. Set the default VLAN ID for the hybrid port: port hybrid pvid v...

Page 114: ...ork resources. To solve this problem, you can disable the Up/Down log output function on some ports, so as to reduce the quantity of log information output to the log server. After you allow a port to output the Up/Down log information, if the physical link status of the port does not change, the device does not send log information to the log server but monitors the port in real time. Configuration task...

Page 115: ...f port configuration can be copied from one port to other ports: VLAN configuration, protocol-based VLAN configuration, LACP configuration, QoS configuration, GARP configuration, STP configuration, and initial port configuration. For the detailed copy content, please refer to the Command Manual. Follow these steps to copy port configuration to other ports. To do / Use the command / Remarks: Enter system view: syst...

Page 116: ... put it under control.
• If loopback is found on an access port, the system disables the port, sends a Trap message to the client, and removes the corresponding MAC forwarding entry.
• If loopback is found on a trunk or hybrid port, the system sends a Trap message to the client. When the loopback port control function is enabled on these ports, the system disables the port, sends a Trap message to the clie...

Page 117: ...ckets normally. The loopback test terminates automatically after a specific period. Follow these steps to configure an Ethernet port to run loopback test. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure the Ethernet port to run loopback test: loopback { external | internal }. Required.
• external: Performs external loop te...

Page 118: ...ports this function. Configuring the Interval to Perform Statistical Analysis on Port Traffic: By performing the following configuration, you can set the interval to perform statistical analysis on the traffic of a port. When you use the display interface interface-type interface-number command to display the information of a port, the system performs statistical analysis on the traffic flow passing th...

Page 119: ...nterface-type [ interface-type interface-number ]. After 802.1X is enabled, the port information cannot be reset. Ethernet Port Configuration Example. Network requirements: As shown in Figure 1-1:
• Switch A is connected to Switch B through trunk port GigabitEthernet 1/0/1.
• Configure the default VLAN ID for the trunk port as 100.
• Allow the packets of VLAN 2, VLAN 6 through VLAN 50, and VLAN 100 to pass the ...

Page 120: ...id vlan 100
Troubleshooting Ethernet Port Configuration. Symptom: Default VLAN ID configuration failed. Solution: Take the following steps:
• Use the display interface or display port command to check if the port is a trunk port or a hybrid port. If not, configure it as a trunk port or a hybrid port.
• Configure the default VLAN ID. ...

Page 121: ...up 1-2; Static LACP Aggregation Group 1-3; Dynamic LACP Aggregation Group 1-4; Aggregation Group Categories 1-5; Link Aggregation Configuration 1-6; Configuring a Manual Aggregation Group 1-6; Configuring a Static LACP Aggregation Group 1-7; Configuring a Dynamic LACP Aggregation Group 1-8; Displaying and Maintaining Link Aggregation 1-9; Link Aggregation Configuration Example 1-9 ...

Page 122: ...isabled, link attribute (point-to-point or not), STP priority, path cost, standard packet format, maximum packet transmission speed, loop prevention status, root protection status, edge port or not.
• QoS configuration, including traffic limit, priority remarking, default 802.1p priority, bandwidth assurance, congestion avoidance, traffic redirection, traffic statistics, and so on.
• VLAN configuration, including perm...

Page 123: ...erves as the master port of the group, and other selected ports serve as member ports of the group. There is a limit on the number of selected ports in an aggregation group. Therefore, if the number of the member ports serving as selected ports in an aggregation group exceeds the maximum number supported by the device, the system will choose the ports with lower port numbers as the selected ports and s...

Page 124: ... or unselected.
• Both the selected and the unselected ports can transceive LACP protocol packets.
• Only the selected ports can transceive service packets; the unselected ports cannot.
In a static aggregation group, the system sets the ports to selected or unselected state according to the following rules:
• The system determines the master port with one of the following settings being the highest in d...

Page 125: ...er ports that can be set as selected ports in an aggregation group exceeds the maximum number supported by the device, the system will negotiate with its peer end to determine the states of the member ports according to the port IDs of the preferred device, that is, the device with the smaller system ID. The following is the negotiation procedure: 1) Compare device IDs (system priority + system MAC address) bet...

Page 126: ...tination IP address.
• For non-IP packets, the system will implement load sharing based on source MAC address and destination MAC address.
In general, the system only provides limited load-sharing aggregation resources, so the system needs to reasonably allocate the resources among different aggregation groups. The system always allocates hardware aggregation resources to the aggregation groups with hig...

Page 127: ... address binding is configured cannot be added to an aggregation group.
• Port-security-enabled ports cannot be added to an aggregation group.
• The port with Voice VLAN enabled cannot be added to an aggregation group.
• Do not add ports with IP filtering enabled to an aggregation group.
• Do not add ports with ARP intrusion detection enabled to an aggregation group.
• Do not add ports with source IP a...

Page 128: ...s. When you change a dynamic group to a static group, the system will keep the member ports LACP-enabled. 2) When a manual or static aggregation group contains only one port, you cannot remove the port unless you remove the whole aggregation group. Configuring a Static LACP Aggregation Group: You can create a static LACP aggregation group or remove an existing static aggregation group; after that, the sy...

Page 129: ...gregation group is automatically created by the system based on LACP-enabled ports. The adding and removing of ports to/from a dynamic aggregation group are automatically accomplished by LACP. You need to enable LACP on the ports which you want to participate in dynamic aggregation of the system, because only when LACP is enabled on those ports at both ends can the two parties reach agreement in addi...

Page 130: ...lay link-aggregation interface interface-type interface-number [ to interface-type interface-number ]. Display local device ID: display lacp system-id. You can execute the display command in any view. Clear LACP statistics about a specified port or port range: reset lacp statistics [ interface interface-type interface-number [ to interface-type interface-number ] ]. Execute the reset command in user view. Link Aggre...

Page 131: ...Create static aggregation group 1.
<device> system-view
[device] link-aggregation group 1 mode static
Add GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 1.
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] port link-aggregation group 1
[device-GigabitEthernet1/0/1] interface GigabitEthernet 1/0/2
[device-GigabitEthernet1/0/2] port link-aggregation group 1
[device-Giga...

Page 132: ...1. Note that the three LACP-enabled ports can be aggregated into a dynamic aggregation group to implement load sharing only when they have the same basic configuration, such as rate and duplex mode, and so on. ...

Page 133: ...s 1; Port Isolation Configuration 1-1; Port Isolation Overview 1-1; Introduction to Port Isolation 1-1; Port Isolation Configuration 1-1; Displaying and Maintaining Port Isolation 1-2; Port Isolation Configuration Example 1-2 ...

Page 134: ...te the Layer 2 data between each port in the isolation group. Thus, you can improve network security and make networking more flexible. Currently, you can configure only one isolation group on a switch. The number of Ethernet ports an isolation group can accommodate is not limited. The port isolation function is independent of VLAN configuration. Port Isolation Configuration: Follow these steps to ad...

Page 135: ...isolate port. Available in any view. Port Isolation Configuration Example. Network requirements: As shown in Figure 1-1:
• PC 2, PC 3, and PC 4 are connected to GigabitEthernet 1/0/2, GigabitEthernet 1/0/3, and GigabitEthernet 1/0/4.
• The switch connects to the Internet through GigabitEthernet 1/0/1.
• It is desired that PC 2, PC 3, and PC 4 cannot communicate with each other.
Figure 1-1 Network diagram for po...

Page 136: ...e GigabitEthernet 1/0/3
[device-GigabitEthernet1/0/3] port isolate
[device-GigabitEthernet1/0/3] quit
[device] interface GigabitEthernet 1/0/4
[device-GigabitEthernet1/0/4] port isolate
[device-GigabitEthernet1/0/4] quit
[device]
Display the information about the ports in the isolation group.
[device] display isolate port
Isolated port(s) on UNIT 1:
GigabitEthernet1/0/2    GigabitEthernet1/0/3    GigabitEthernet1/0/4 ...

Page 137: ...tting the Port Security Mode 1-5; Configuring Port Security Features 1-6; Ignoring the Authorization Information from the RADIUS Server 1-8; Configuring Security MAC Addresses 1-8; Displaying and Maintaining Port Security Configuration 1-9; Port Security Configuration Example 1-9; 2 Port Binding Configuration 2-1; Port Binding Overview 2-1; Introduction 2-1; Configuring Port Binding 2-1; Displaying and Main...

Page 138: ...s the corresponding port security features and takes pre-defined actions automatically. This reduces your maintenance workload and greatly enhances system security and manageability. Port Security Features: The following port security features are provided:
• NTK (need to know) feature: By checking the destination MAC addresses in outbound data frames on the port, NTK ensures that the device sends data fr...

Page 139: ...resses reaches the upper limit, the port changes to work in secure mode and permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. secure: In this mode, the port is disabled from learning MAC addresses. Only those packets whose source MAC addresses are security MAC addresses (learned) and static or dynamic MAC ad...

Page 140: ...thentication. For a wireless user, 802.1x authentication is performed first. If 802.1x authentication fails, MAC authentication is performed. macAddressOrUserLoginSecureExt: This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. macAddressElseUserLoginSecure: This mode is the combination of the macAddressWithRadius and u...

Page 141: ...these steps to enable port security. To do / Use the command / Remarks: Enter system view: system-view. Enable port security: port-security enable. Required. Disabled by default. Enabling port security resets the following configurations on the ports to the defaults shown in parentheses below:
• 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
• MAC authentication (disabled) ...

Page 142: ...ured to allow up to n authenticated users to access the network. When all of these n authenticated users are connected to the network and one or more of them are MAC-authenticated, to perform 802.1x authentication on the MAC-authenticated user(s), the number of maximum MAC addresses allowed on the port must be set to n+1. Similarly, in the case of the macAddressOrUserLoginSecure security mode, the maximu...

Page 143: ...urity mode to autolearn, you cannot configure any static or blackhole MAC addresses on the port.
• If the port is in a security mode other than noRestriction, before you can change the port security mode, you need to restore the port security mode to noRestriction with the undo port-security port-mode command. If the port-security port-mode mode command has been executed on a port, none of the following...

Page 144: ...iew: quit. Set the timer during which the port remains disabled: port-security timer disableport timer. Optional. 20 seconds by default. The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled. If you configure the NTK feature and execute the port-security intr...

Page 145: ...rmation from the RADIUS server: port-security authorization ignore. Required. By default, a port uses the authorization information from the RADIUS server. Configuring Security MAC Addresses: Security MAC addresses are special MAC addresses that never age out. One security MAC address can be added to only one port in the same VLAN, so that you can bind a MAC address to one port in the same VLAN. Security M...

Page 146: ...pe interface-number. Add a security MAC address (in Ethernet port view): mac-address security mac-address vlan vlan-id. Either is required. By default, no security MAC address is configured. Displaying and Maintaining Port Security Configuration. To do / Use the command / Remarks: Display information about port security configuration: display port-security [ interface interface-list ]. Display information about secur...

Page 147: ...
<device> system-view
Enable port security.
[device] port-security enable
Enter GigabitEthernet 1/0/1 port view.
[device] interface GigabitEthernet 1/0/1
Set the maximum number of MAC addresses allowed on the port to 80.
[device-GigabitEthernet1/0/1] port-security max-mac-count 80
Set the port security mode to autolearn.
[device-GigabitEthernet1/0/1] port-security port-mode autolearn
Add the MAC address 0001-00...

Page 148: ...stem view. In system view: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number. Bind the MAC address and IP address of a user to a specific port. In Ethernet port view: am user-bind mac-addr mac-address ip-addr ip-address. Use either approach. By default, no user MAC address or IP address is bound to a port.
• An IP addre...

Page 149: ...he network.
[Figure 2-1 Network diagram for port binding configuration: Switch A (GE1/0/1), Switch B, Host 1 (IP address 10.12.1.1, MAC 0001-0002-0003), Host 2]
Configuration procedure: Configure Switch A as follows. Enter system view.
<device> system-view
Enter GigabitEthernet 1/0/1 port view.
[device] interface GigabitEthernet 1/0/1
Bind the MAC address and the IP address of Host 1 to GigabitEthernet 1/0/1.
[device-Gig...

Page 150: ...tents: 1 DLDP Configuration 1-1; DLDP Overview 1-1; DLDP Fundamentals 1-2; Precautions During DLDP Configuration 1-6; DLDP Configuration 1-6; DLDP Configuration Tasks 1-6; Resetting DLDP Status 1-7; DLDP Network Example 1-8 ...

Page 151: ...rs, the local device can receive packets from the peer device through the link layer, but the peer device cannot receive packets from the local device. Unidirectional links can cause many problems, such as spanning tree topology loops. Device Link Detection Protocol (DLDP) can detect the link status of the optical fiber cable or copper twisted pair (such as super category 5 twisted pair). If DLDP finds a uni...

Page 152: ...chanism.
• When the port works in mandatory full duplex mode and at the mandatory rate, DLDP can detect fiber disconnection in one direction, as shown in Figure 1-2.
• When the port works in auto-negotiation duplex mode and at the auto-negotiation rate, even if DLDP is enabled, it does not take effect when the fiber in one direction is disconnected, as shown in Figure 1-2; in that case, it considers that the port is dow...

Page 153: ...ds two probe packets every second. Echo waiting timer: started when DLDP enters the probe state; the timeout is 10 seconds. If no echo packet is received from the neighbor when the echo waiting timer expires, the local end is set to unidirectional communication status and the state machine enters the disable state; DLDP outputs log and tracking information and sends flush packets. Depending on the u...

Page 154: ...laydown state, the related DLDP neighbor information remains and the delaydown timer is started. The delaydown timer is configurable and ranges from 1 to 5 seconds. A device in the delaydown state only responds to port-up messages. A device in the delaydown state resumes its original DLDP state if it receives a port-up message before the delaydown timer expires; otherwise it removes the DLDP neighbor...

Page 155: ... information to the peer. If the neighbor entry already exists on the local device, refresh the entry aging timer. Echo packet processing: check whether the local device is in the probe state (if not, discard the echo packet); check whether the neighbor information in the packet is the same as that on the local device (if not, discard the echo packet); if both checks pass, set the neighbor flag bit to bidirectional; if all neighbors are in bidire...

Page 156: ...The interval must be shorter than one third of the STP convergence time, which is generally 30 seconds. If too long an interval is set, an STP loop may occur before DLDP shuts down the unidirectional link. Conversely, if too short an interval is set, network traffic increases and port bandwidth is reduced. DLDP does not process any LACP event and treats each link in an aggregation group as independen...

Page 157: ... DLDP-enabled ports: display dldp { unit-id | interface interface-type interface-number }. You can execute this command in any view. When you use the dldp enable or dldp disable command in system view to enable or disable DLDP globally on all optical ports of the device, the command applies only to the optical ports that exist at that time, not to those added subsequently. DLDP can operate normally onl...

Page 158: ...ers between Switch A and Switch B are connected inversely, DLDP disconnects the unidirectional links after discovering them. When the network administrator connects the fibers correctly, the ports taken down by DLDP are restored. Figure 1-3 Fiber cross connection: Switch A (GE1/0/10, GE1/0/11), Switch B (GE1/0/10, GE1/0/11), PC. Configuration procedure. 1. Configure Switch A. Configure the ports to work in mandator...

Page 159: ...isplay dldp 1. When two switches are connected through fibers in a crossed way, two or three ports may be in the disable state and the rest in the inactive state. When a fiber is connected correctly to a device on one end and to no device on the other end: if the device operates in normal DLDP mode, the end that receives optical signals is in the advertisement state and the other end is in th...

Page 160: ...uring MAC Address Table Management 1-4; Configuration Task List 1-4; Configuring a MAC Address Entry 1-5; Setting the Aging Time of MAC Address Entries 1-6; Setting the Maximum Number of MAC Addresses a Port Can Learn 1-6; Disabling MAC Address Learning for a VLAN 1-7; Displaying and Maintaining MAC Address Table 1-8; Configuration Example 1-8; Adding a Static MAC Address Entry Manually 1-8 ...

Page 161: ...ess-to-forwarding-port association. Each entry in a MAC address table contains the following fields: destination MAC address; ID of the VLAN to which the port belongs; forwarding egress port number on the local switch. When forwarding a packet, a switch adopts one of two forwarding methods based on the MAC address table entries. Unicast forwarding: if the destination MAC address carried in the ...

Page 162: ...r A, the device starts to forward the packet. Because there is no MAC address and port information for User B in the existing MAC address table, the device forwards the packet to all ports except GigabitEthernet 1/0/1 to ensure that User B can receive it. Figure 1-3 MAC address learning diagram (2). 3. Because the device broadcasts the packet, both User B and User C receive it. However, Us...

Page 163: ... the corresponding MAC address table entries. Under some special circumstances, for example when User B is unreachable or User B receives the packet but does not respond to it, the device cannot learn the MAC address of User B; hence the device still broadcasts the packets destined for User B. The device learns only unicast addresses through the MAC address learning mechanism, but directly drops any pac...

Page 164: ...ly. The device discards packets destined for or originating from the MAC addresses contained in blackhole MAC address entries. Table 1-1 lists the different types of MAC address entries and their characteristics. Table 1-1 Characteristics of different types of MAC address entries (columns: MAC address entry; Configuration method; Aging time; Reserved or not at reboot if the configuration is saved). Static MAC ad...

Page 165: ...ce argument must belong to the VLAN specified by the vlan argument in the command; otherwise the entry will not be added. If the VLAN specified by the vlan argument is a dynamic VLAN, it becomes a static VLAN after a static MAC address is added. Adding a MAC address entry in Ethernet port view. Follow these steps to add a MAC address entry in Ethernet port view (To do / Use the command / Remarks). Enter...

Page 166: ...nfiguration applies to all ports but only takes effect on dynamic MAC addresses, that is, addresses that are learnt or configured to age. Setting the Maximum Number of MAC Addresses a Port Can Learn. The MAC address learning mechanism enables the device to acquire the MAC addresses of the network devices on the segments connected to its ports. By searching the MAC address table, the device directly forwards ...

Page 167: ...in specific VLANs to improve stability and security for the users belonging to these VLANs and to prevent unauthorized access. Follow these steps to disable MAC address learning for a VLAN. Enter system view: system-view. Enter VLAN view: vlan vlan-id. Disable the switch from learning MAC addresses in the VLAN: mac-address max-mac-count 0 (required). By default, the device learns MA...

Page 168: ...e of the device, which then forwards packets destined for the server through GigabitEthernet 1/0/2. The MAC address of the server is 000f-e20f-dc71. Port GigabitEthernet 1/0/2 belongs to VLAN 1. Configuration procedure. Enter system view: <device> system-view. Add a MAC address entry with the VLAN, port and state specified: [device] mac-address static 000f-e20f-dc71 interface GigabitEthernet 1/0/2 vlan 1. Displ...
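The MAC address table behaviour described on pages 161 through 168 (learning from source addresses, flooding unknown unicast, static entries that never age, blackhole entries that drop traffic in both directions, a per-port max-mac-count and aging of dynamic entries) is small enough to model end to end. The following is an added example written for this page, not the switch's own implementation; the MacTable class, the port names and the sample frames are assumptions made for the illustration.

```python
"""Added example: a minimal model of a Layer-2 MAC address table as described on
the pages above. Illustration code only, not the WX3000 implementation; the
class, port names and sample frames below are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (MAC address, VLAN ID)


@dataclass
class Entry:
    port: Optional[str]   # None for blackhole entries
    kind: str             # "dynamic", "static" or "blackhole"
    learned_at: float     # timestamp used to age dynamic entries


class MacTable:
    def __init__(self, ports: List[str], aging_time: float = 300.0,
                 max_mac_count: Optional[Dict[str, int]] = None):
        self.ports = ports
        self.aging_time = aging_time
        self.max_mac_count = max_mac_count or {}   # port -> learning limit (0 = none)
        self.table: Dict[Key, Entry] = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        # Static entries never age and survive a reboot if the configuration is saved.
        self.table[(mac, vlan)] = Entry(port, "static", 0.0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        # Frames to or from a blackholed MAC are discarded.
        self.table[(mac, vlan)] = Entry(None, "blackhole", 0.0)

    def _learn(self, mac: str, vlan: int, port: str, now: float) -> None:
        key = (mac, vlan)
        if key in self.table and self.table[key].kind != "dynamic":
            return  # a learned address never overwrites a static/blackhole entry
        limit = self.max_mac_count.get(port)
        if limit is not None:
            on_port = sum(1 for k, e in self.table.items()
                          if e.kind == "dynamic" and e.port == port and k != key)
            if on_port >= limit:
                return  # port reached its max-mac-count: do not learn
        self.table[key] = Entry(port, "dynamic", now)   # (re)learn and refresh timestamp

    def age(self, now: float) -> int:
        """Remove dynamic entries older than aging_time; return how many were removed."""
        stale = [k for k, e in self.table.items()
                 if e.kind == "dynamic" and now - e.learned_at >= self.aging_time]
        for k in stale:
            del self.table[k]
        return len(stale)

    def forward(self, src: str, dst: str, vlan: int, in_port: str,
                now: float = 0.0) -> List[str]:
        """Return the egress ports for a frame (empty list = frame dropped)."""
        src_entry = self.table.get((src, vlan))
        if src_entry is not None and src_entry.kind == "blackhole":
            return []
        self._learn(src, vlan, in_port, now)
        if int(dst[:2], 16) & 1:
            # multicast/broadcast destination: flooded, never learned
            return [p for p in self.ports if p != in_port]
        entry = self.table.get((dst, vlan))
        if entry is None:
            return [p for p in self.ports if p != in_port]   # unknown unicast: flood
        if entry.kind == "blackhole":
            return []
        return [entry.port] if entry.port != in_port else []  # filtered on same port
```

The max-mac-count check counts only dynamic entries already on the port, so the limit caps what an attacker can add by spraying source addresses, while static entries configured by the administrator are unaffected.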

Page 169: ...the Timeout Time Factor 1-24; Configuring the Maximum Transmitting Speed on the Current Port 1-25; Configuring the Current Port as an Edge Port 1-26; Specifying Whether the Link Connected to a Port Is a Point-to-point Link 1-27; Enabling MSTP 1-28; Configuring Leaf Nodes 1-29; Configuration Prerequisites 1-30; Configuring the MST Region 1-30; Configuring the Mode a Port Recognizes and Sends MSTP Packets 1-3...

Page 170: ...41; Introduction 1-41; Configuring Rapid Transition 1-43; Configuring VLAN-VPN Tunnel 1-44; Introduction 1-44; Configuring VLAN-VPN tunnel 1-44; STP Maintenance Configuration 1-45; Introduction 1-45; Enabling Log/Trap Output for Ports of MSTP Instance 1-45; Configuration Example 1-45; Enabling Trap Messages Conforming to 802.1d Standard 1-46; Displaying and Maintaining MSTP 1-46; MSTP Configuration Example 1-...

Page 171: ... device performance degradation. Currently, in addition to the protocol conforming to IEEE 802.1d, STP also refers to the protocols based on IEEE 802.1d, such as RSTP and MSTP. Protocol packets of STP: STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. STP identifies the network topology by transmitting BPDUs between STP-compliant network devices. BPDUs...

Page 172: ...d is responsible for forwarding BPDUs to the device; the designated port is the port through which the designated bridge forwards BPDUs to this device. For a LAN: a designated bridge is a device responsible for forwarding BPDUs to this LAN segment; the designated port is the port through which the designated bridge forwards BPDUs to this LAN segment. Table 1-1 shows designated bridges and designated ports. In the figure, AP1 and AP2, BP1 and BP2, and ...

Page 173: ...root bridge ID (in the form of device priority); root path cost; designated bridge ID (in the form of device priority); designated port ID (in the form of port name). 1. Detailed calculation process of the STP algorithm. Initial state: upon initialization, each device generates a BPDU with itself as the root bridge, in which the root path cost is 0, the designated bridge ID is the device ID, and ...

Page 174: ...ignated ports. The process of selecting the root port and designated ports is as follows. Table 1-3 Selection of the root port and designated ports. Step 1: a non-root bridge device takes the port on which the optimum configuration BPDU was received as the root port. Step 2: based on that configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BP...

Page 175: ...ity of Device A is 0, the priority of Device B is 1, the priority of Device C is 2, and the path costs of these links are 5, 10 and 4 respectively. Figure 1-2 Network diagram for STP algorithm: Device A (priority 0, ports AP1 and AP2), Device B (priority 1, ports BP1 and BP2), Device C (priority 2, ports CP1 and CP2); link costs 5, 10 and 4. Initial state of each device: the following table shows the initial state of each device. Table 1-4 I...

Page 176: ...P1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port, {1, 0, 1, BP1}, and updates the configuration BPDU of BP1. Port BP2 receives the configuration BPDU of Device C, {2, 0, 2, CP2}; Device B finds that the configuration BPDU of the local port, {1, 0, 1, BP2}, is superior to the received one and discards the received configuration BPDU. BP1: {0, 0, 0, ...

Page 177: ...port CP2 receives the updated configuration BPDU of Device B, {0, 5, 1, BP2}. Because the received configuration BPDU is superior to its old one, Device C launches a BPDU update process. At the same time, port CP1 receives configuration BPDUs periodically from Device A; Device C does not launch an update process after comparison. CP1: {0, 0, 0, AP2}; CP2: {0, 5, 1, BP2}. Device C, by comparison: because the root path cos...
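The comparison walked through on pages 173 through 177 (each device keeps the optimum configuration BPDU per port, picks the root port by root ID then root path cost plus port cost, and keeps a port designated only while its own BPDU beats what it hears) can be run as a small synchronous simulation on the Figure 1-2 topology. This is an added example written for this page, not the switch's code; the bridge IDs are simply the device priorities and the port IDs are arbitrary but stable, both assumptions made to keep the tuples short.

```python
"""Added example: STP root-port/designated-port selection by BPDU comparison on
the Figure 1-2 topology (A priority 0, B priority 1, C priority 2; link costs
A-B 5, A-C 10, B-C 4). Illustration code only; IDs are simplified assumptions."""
from typing import Dict, Iterator, Tuple

# A configuration BPDU as the manual writes it:
# (root ID, root path cost, designated bridge ID, designated port ID). Smaller tuple wins.
Bpdu = Tuple[int, int, int, int]

PRIORITY = {"A": 0, "B": 1, "C": 2}          # bridge ID = priority (assumption)
# (device X, port on X, device Y, port on Y, path cost) from the figure
LINKS = [("A", "AP1", "B", "BP1", 5), ("A", "AP2", "C", "CP1", 10), ("B", "BP2", "C", "CP2", 4)]
PORT_ID = {p: 0x8000 + i for i, p in enumerate(["AP1", "AP2", "BP1", "BP2", "CP1", "CP2"])}


def links_of(dev: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (my port, neighbour, neighbour's port, path cost) for every link of dev."""
    for x, xp, y, yp, cost in LINKS:
        if x == dev:
            yield xp, y, yp, cost
        elif y == dev:
            yield yp, x, xp, cost


def run_stp(rounds: int = 8) -> Dict[str, Dict[str, str]]:
    """Synchronous rounds of BPDU exchange; returns {device: {port: role}}."""
    received: Dict[str, Dict[str, Bpdu]] = {d: {} for d in PRIORITY}
    roles: Dict[str, Dict[str, str]] = {}
    for _ in range(rounds):
        to_send: Dict[Tuple[str, str], Bpdu] = {}   # (receiver, receiver port) -> BPDU
        for dev, prio in PRIORITY.items():
            # Step 1: root port = port with the optimum received BPDU. Compare
            # (root, received cost + port cost, designated bridge, designated port, my port)
            # against the device's own claim to be root.
            best_port, best = None, (prio, 0, prio, 0, 0)
            for my_port, _, _, cost in links_of(dev):
                rx = received[dev].get(my_port)
                if rx is None:
                    continue
                cand = (rx[0], rx[1] + cost, rx[2], rx[3], PORT_ID[my_port])
                if cand < best:
                    best_port, best = my_port, cand
            root, root_cost = best[0], best[1]
            # Step 2: designated BPDU per port; a port stays designated only while
            # its own BPDU is superior to the one it receives.
            roles[dev] = {}
            for my_port, nb, nb_port, _ in links_of(dev):
                mine: Bpdu = (root, root_cost, prio, PORT_ID[my_port])
                to_send[(nb, nb_port)] = mine   # simplification: every port transmits
                rx = received[dev].get(my_port)
                if my_port == best_port:
                    roles[dev][my_port] = "root"
                elif rx is None or mine < rx:
                    roles[dev][my_port] = "designated"
                else:
                    roles[dev][my_port] = "blocked"   # inferior: stop forwarding
        # Step 3: deliver this round's BPDUs (latest one replaces the older one).
        for (dev, port), bpdu in to_send.items():
            received[dev][port] = bpdu
    return roles


def root_bridge(roles: Dict[str, Dict[str, str]]) -> list:
    """The root bridge is the device that has no root port."""
    return [d for d, ports in roles.items() if "root" not in ports.values()]
```

The outcome matches the manual's walk-through: A is root, B reaches it through BP1 at cost 5, and C prefers CP2 (5 + 4 = 9) over the direct link on CP1 (cost 10), which is blocked.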

Page 178: ...figuration BPDU in response. If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs, and the old configuration BPDUs are discarded due to timeout. In this case the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs. This triggers a new spanning tree calculation so that a new path is establish...

Page 179: ...root port or designated port to enter the forwarding state much more quickly under certain conditions than in STP. As a result, the network reaches a stable topology in less time. In RSTP, the state of a root port can transit fast under the following conditions: the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding da...

Page 180: ... MSTP Terminologies. Figure 1-4 illustrates basic MSTP terms, assuming that MSTP is enabled on every device in the figure. Figure 1-4 Basic MSTP terminologies. MST region: a multiple spanning tree region (MST region) comprises multiple physically interconnected MSTP-enabled devices and the corresponding network segments connected to these devices. These devices have the same region name, the same VLAN-to-...

Page 181: ...ects all MST regions in the network. If you regard each MST region in the network as a device, then the CST is the spanning tree generated by STP or RSTP running on those devices. CIST: a CIST is the spanning tree in a switched network that connects all devices in the network; it comprises the ISTs and the CST. In Figure 1-4, the ISTs in the MST regions and the CST connecting the MST regions form the CIST ...

Page 182: ...s to eliminate the loop that occurs; the blocked port is the backup port. In Figure 1-5, device A, device B, device C and device D form an MST region. Port 1 and port 2 on device A connect upstream to the common root; port 5 and port 6 on device C form a loop; port 3 and port 4 on device D connect downstream to other MST regions. The figure shows the roles these ports play. A port can play different role...

Page 183: ...lated by MSTP. At the same time, MSTP regards each MST region as a device to calculate the CST of the network; the CST together with the ISTs forms the CIST of the network. Calculate an MSTI: in an MST region, different MSTIs are generated for different VLANs based on the VLAN-to-MSTI mappings. Each spanning tree is calculated independently, in the same way as STP/RSTP is calculated. Implement STP alg...

Page 184: ...he root bridge. Determining the root port: for each device in a network, the port on which the configuration BPDU with the highest priority is received is chosen as the root port of the device. Determining the designated port: first, the device calculates a designated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost, with the root ID bei...

Page 185: ...ge (required). Configuring the Bridge Priority of the Current Device (optional; the priority of a device cannot be changed after the device is specified as the root bridge or a secondary root bridge). Configuring the Mode a Port Recognizes and Sends MSTP Packets (optional). Configuring the MSTP Operation Mode (optional). Configuring the Maximum Hop Count of an MST Region (optional). Configuring the Network Diamet...

Page 186: ...fault MST region name of a device is its MAC address. Configure the VLAN mapping table for the MST region: instance instance-id vlan vlan-list, or vlan-mapping modulo modulo (required; either command can be used to configure the VLAN mapping table; by default all VLANs in an MST region are mapped to spanning tree instance 0). Configure the MSTP revision level for the MST region: revision-level level (required). The ...

Page 187: ... VLAN 2 through VLAN 10 being mapped to spanning tree instance 1 and VLAN 20 through VLAN 30 being mapped to spanning tree instance 2. <device> system-view; [device] stp region-configuration; [device-mst-region] region-name info; [device-mst-region] instance 1 vlan 2 to 10; [device-mst-region] instance 2 vlan 20 to 30; [device-mst-region] revision-level 1; [device-mst-region] active region-configuration. Verify the above config...

Page 188: ...ent is set to 0, the stp root primary or stp root secondary command specifies the current device as the root bridge or the secondary root bridge of the CIST. A device can play different roles in different spanning tree instances; that is, it can be the root bridge in one spanning tree instance and a secondary root bridge in another at the same time. But in the same spanning tree ins...

Page 189: ...e instance 2: <device> system-view; [device] stp instance 1 root primary; [device] stp instance 2 root secondary. Configuring the Bridge Priority of the Current Device. Root bridges are selected according to the bridge priorities of the devices; you can make a specific device be selected as root bridge by setting a lower bridge priority for it. An MSTP-enabled device can have different bridge priorities in d...

Page 190: ... down in this way can only be brought up by the network administrator. When a port operates in legacy mode: the port only recognizes and sends MSTP packets in legacy format, so it can only communicate with the peer through packets in legacy format; if packets in dot1s format are received, the port turns to the discarding state to prevent a network storm. When a port operates in the 802...

Page 191: ...mpatible with STP/RSTP, MSTP provides the following three operation modes. STP-compatible mode, where the ports of a device send STP BPDUs to neighboring devices: if STP-enabled devices exist in a switched network, you can use the stp mode stp command to configure an MSTP-enabled device to operate in STP-compatible mode. RSTP-compatible mode, where the ports of a device send RSTP BPDUs to neighboring...

Page 192: ... of the spanning tree, which limits the size of the spanning tree in the current MST region. The devices that are not root bridges in the MST region adopt the maximum hop settings of their root bridges. Configuration procedure. Follow these steps to configure the maximum hop count for an MST region. Enter system view: system-view. Configure the maximum hop count of the MST r...

Page 193: ... Configuring the MSTP Time-related Parameters. Three MSTP time-related parameters exist: forward delay, hello time and max age. You can configure the three parameters to control the process of spanning tree calculation. Configuration procedure. Follow these steps to configure MSTP time-related parameters. Enter system view: system-view. Configure the forward delay parameter: st...

Page 194: ...ork jitter: 2 x (forward delay - 1 second) >= max age, and max age >= 2 x (hello time + 1 second). You are recommended to specify the network diameter of the switched network and the hello time by using the stp root primary or stp root secondary command; the three time-related parameters are then determined automatically. Configuration example: configure the forward delay parameter to be 1,600 centiseconds, t...

Page 195: ...ied ports in system view. Follow these steps to configure the maximum transmitting speed for specified ports in system view. Enter system view: system-view. Configure the maximum transmitting speed for specified ports: stp interface interface-list transmit-limit packetnum (required; the maximum transmitting speed of all Ethernet ports on a device defaults to 10). Configure the...

Page 196: ... does not have to wait for a delay. You can configure a port as an edge port in one of the following two ways. Configure a port as an edge port in system view. Follow these steps to configure a port as an edge port in system view. Enter system view: system-view. Configure the specified ports as edge ports: stp interface interface-list edged-port enable (required). By default, al...

Page 197: ...nt link meet certain criteria, the two ports can turn to the forwarding state rapidly by exchanging synchronization packets, thus reducing the forward delay. You can determine whether or not the link connected to a port is a point-to-point link in one of the following two ways. Specify whether the link connected to a port is a point-to-point link in system view. Follow these steps to specify whether the ...

Page 198: ...nk connected to GigabitEthernet 1/0/1 as a point-to-point link. 1. Perform this configuration in system view: <device> system-view; [device] stp interface GigabitEthernet 1/0/1 point-to-point force-true. 2. Perform this configuration in Ethernet port view: <device> system-view; [device] interface GigabitEthernet 1/0/1; [device-GigabitEthernet1/0/1] stp point-to-point force-true. Enabling MSTP. Configuration procedure. Fo...

Page 199: ...ching engine of the WX3010, or GigabitEthernet 1/0/9 on the switching engine of the WX3008. Other MSTP-related settings can take effect only after MSTP is enabled on the device. Configuration example: enable MSTP on the device and disable MSTP on GigabitEthernet 1/0/1. 1. Perform this configuration in system view: <device> system-view; [device] stp enable; [device] stp interface GigabitEthernet 1/0/1 disable. 2. Pe...

Page 200: ...dcast packets of a specific VLAN through GVRP, be sure to map the VLAN to the CIST when configuring the MSTP VLAN mapping table; the CIST of a network is spanning tree instance 0. Configuration Prerequisites: the role (root, branch or leaf) of each device in each spanning tree instance is determined. Configuring the MST Region: refer to Configuring an MST Region. Configuring the Mode a Port Recognizes and S...

Page 201: ...r system view: system-view. Specify the standard for calculating the default path costs of the links connected to the ports of the device: stp pathcost-standard { dot1d-1998 | dot1t | legacy } (optional; by default the legacy standard is used to calculate the default path costs of ports). Table 1-7 Transmission speeds and the corresponding path costs (columns: Transmission speed; Operation mode (half/full duplex); 802.1D-199...

Page 202: ...w. Enter Ethernet port view: interface interface-type interface-number. Configure the path cost for the port: stp instance instance-id cost cost (required). An MSTP-enabled device can calculate path costs for all its ports automatically. Changing the path cost of a port may change the role of the port and put it in state transition. Executing the stp cost command with the instance-id argument being 0 sets ...

Page 203: ...igure port priority for specified ports: stp interface interface-list instance instance-id port priority priority (required; the default port priority is 128). Configure port priority in Ethernet port view. Follow these steps to configure port priority in Ethernet port view. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Conf...

Page 204: ...ble mode. In this case you can force the port to transit to MSTP mode by performing the mCheck operation on the port. Similarly, a port on an RSTP-enabled device operating as an upstream device turns to STP-compatible mode when it has an STP-enabled device connected to it. When the STP-enabled downstream device is then replaced by an MSTP-enabled device, the port cannot automatically transit to...

Page 205: ...DUs deliberately to edge ports to cause network jitter. You can prevent this type of attack with the BPDU guard function. With this function enabled on a device, the device shuts down any edge port that receives a configuration BPDU and reports the event to the administrator. Ports shut down in this way can only be restored by the administrator. Root guard: a root bridge and its secondary...

Page 206: ...efault at the same time. Before the timer expires, the device performs the removal operation only a limited number of times (up to six times by default), regardless of the number of TC-BPDUs it receives. This mechanism prevents a device from being kept busy flushing the MAC address table and ARP entries. You can use the stp tc-protection threshold command to set the maximum number of times a device removes the ...
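The TC-BPDU attack guard described above is a rate limiter on table flushes: the first TC-BPDU starts a timer, and until it expires only a bounded number of MAC/ARP removals are performed no matter how many TC-BPDUs arrive. The following added example, written for this page and not the switch's implementation, replays a constructed TC-BPDU flood through such a limiter so the difference between a guarded and an unguarded device is visible; the 10-second timer length is an assumption for the example, and the threshold of six is the page's default.

```python
"""Added example: TC-BPDU attack guard modelled as a per-window flush limiter.
Illustration code only, not the WX3000 implementation. Assumed defaults:
a 10-second window started by the first TC-BPDU (assumption) and at most
six MAC/ARP table removals per window (the page's default)."""
from typing import List, Optional, Tuple


class TcGuard:
    def __init__(self, threshold: int = 6, window: float = 10.0):
        self.threshold = threshold            # stp tc-protection threshold
        self.window = window                  # seconds
        self.window_start: Optional[float] = None
        self.flushes_in_window = 0
        self.total_flushes = 0
        self.suppressed = 0

    def on_tc_bpdu(self, now: float) -> bool:
        """Handle one received TC-BPDU. Return True if the MAC/ARP flush is
        performed, False if it is suppressed because the window is exhausted."""
        if self.window_start is None or now - self.window_start >= self.window:
            self.window_start, self.flushes_in_window = now, 0   # new window
        if self.flushes_in_window < self.threshold:
            self.flushes_in_window += 1
            self.total_flushes += 1
            return True
        self.suppressed += 1
        return False


def replay(arrivals: List[float], threshold: int = 6, window: float = 10.0) -> Tuple[int, int]:
    """Replay TC-BPDU arrival times; return (flushes performed, flushes suppressed)."""
    guard = TcGuard(threshold, window)
    for t in arrivals:
        guard.on_tc_bpdu(t)
    return guard.total_flushes, guard.suppressed


# Constructed flood: 100 TC-BPDUs at 100 ms intervals, the shape of a TC attack.
FLOOD = [i * 0.1 for i in range(100)]
```

With the guard, the flood above causes six flushes instead of one hundred, which is what keeps the switch from repeatedly dropping into unknown-unicast flooding (and therefore exposing traffic to a sniffer on any port) while the attack lasts.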

Page 207: ...w. Enter system view: system-view. Enable the root guard function on specified ports: stp interface interface-list root-protection (required; the root guard function is disabled by default). Follow these steps to enable the root guard function in Ethernet port view. Enter system view: system-view. Enter Ethernet port view: interface interface-type in...

Page 208: ...n on GigabitEthernet 1/0/1: <device> system-view; [device] interface GigabitEthernet 1/0/1; [device-GigabitEthernet1/0/1] stp loop-protection. Configuring TC-BPDU Attack Guard. Configuration prerequisites: MSTP runs normally on the device. Configuration procedure. Follow these steps to configure the TC-BPDU attack guard function. Enter system view: system-view. Enable the TC-BPDU attac...

Page 209: ...T region by checking the configuration IDs carried in the BPDUs they exchange. A configuration ID contains information such as the region ID and the configuration digest. Because some other vendors' devices adopt proprietary spanning tree protocols, they cannot communicate with the other devices in an MST region even if they are configured with the same MST region-related settings as those devices. Thi...

Page 210: ...ormally. Configuration procedure. Follow these steps to configure digest snooping. Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Enable the digest snooping feature: stp config-digest-snooping (required; the digest snooping feature is disabled on a port by default). Return to system view: quit. Enable the digest snooping feature...
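The configuration digest that page 209 mentions, and that the region configuration example on page 187 ultimately produces, is a deterministic function of the VLAN-to-instance mapping table, which is why two switches agree on a region only when name, revision level and mapping all match, and why a vendor that computes the digest differently needs digest snooping. The following added example (written for this page, not the switch's or any vendor's code) computes it as IEEE 802.1Q specifies: HMAC-MD5 over the 4096-entry table of two-byte instance IDs with the fixed key 0x13AC06A62E47FD51F95D2BA243CD0346. The function names and the region settings used below are assumptions for the illustration.

```python
"""Added example: compute the MST configuration digest (IEEE 802.1Q) and compare
configuration IDs the way neighbouring MSTP bridges do. Illustration code only,
not the WX3000 implementation; helper names are assumptions for this example."""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple

# Fixed signature key from IEEE 802.1Q for the MST configuration digest.
DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mapping_table(instance_vlans: Dict[int, Iterable[int]]) -> bytes:
    """Build the 4096 x 2-byte VLAN-to-MSTI table (network byte order).
    Entries 0 and 4095 stay 0; any VLAN not listed maps to instance 0 (the IST)."""
    table = [0] * 4096
    for inst, vlans in instance_vlans.items():
        for v in vlans:
            if not 1 <= v <= 4094:
                raise ValueError(f"VLAN {v} out of range")
            table[v] = inst
    return b"".join(i.to_bytes(2, "big") for i in table)


def config_digest(instance_vlans: Dict[int, Iterable[int]]) -> str:
    """HMAC-MD5 of the mapping table under the fixed key, as upper-case hex."""
    return hmac.new(DIGEST_KEY, mapping_table(instance_vlans), hashlib.md5).hexdigest().upper()


def configuration_id(region_name: str, revision: int,
                     instance_vlans: Dict[int, Iterable[int]]) -> Tuple[str, int, str]:
    """The three fields compared between neighbours: region name, revision level, digest."""
    return (region_name, revision, config_digest(instance_vlans))


def same_region(a: Tuple[str, int, str], b: Tuple[str, int, str]) -> bool:
    """Two bridges belong to one MST region only if all three fields are equal."""
    return a == b


# Constructed region settings modelled on the page 187 example:
# region name "info", revision level 1, VLANs 2-10 in instance 1, 20-30 in instance 2.
EXAMPLE_REGION = {1: range(2, 11), 2: range(20, 31)}
```

The digest of the default table (every VLAN in instance 0) is the well-known AC36177F50283CD4B83821D8AB26DE62; moving a single VLAN changes it, so a silently mismatched mapping on one switch splits the region at that link and the ports become boundary ports even though the region name and revision agree.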

Page 211: ...protocols in the same MST region. When the digest snooping feature is enabled globally, the VLAN-to-MSTI mapping table cannot be modified. The digest snooping feature is not applicable to boundary ports in an MST region. The digest snooping feature is not applicable to edge ports in an MST region. Configuring Rapid Transition. Introduction. Designated ports of RSTP-enabled or MSTP-enabled devices u...

Page 212: ...similar to RSTP in the way they implement rapid transition on designated ports. When a device of this kind, operating as the upstream device, connects with a WX3000 series device running MSTP, the upstream designated port fails to change its state rapidly. The rapid transition feature is developed to resolve this problem. When a WX3000 series device running MSTP is connected in the upstream direction to a...

Page 213: ...iguration procedure. 1. Configure the rapid transition feature in system view. Follow these steps to configure the rapid transition feature in system view. Enter system view: system-view. Enable the rapid transition feature: stp interface interface-type interface-number no-agreement-check (required; by default the rapid transition feature is disabled on a port). 2. Configure the ...

Page 214: ...pper part is the operator's network and the lower part is the user's network. The operator's network comprises packet ingress/egress devices, and the user's network has networks A and B. On the operator's network, configure the arriving STP packets at the ingress to have MAC addresses in a special format, and reconvert them back to their original formats at the egress. This is how transparent transmissi...

Page 215: ... this case, maintenance personnel may expect log/trap information to be output to the log host when particular ports fail, so that they can check the status changes of those ports through alarm information. Enabling Log/Trap Output for Ports of MSTP Instance. Follow these steps to enable log/trap output for ports of an MSTP instance. Enter system view: system-view. Enable log...

Page 216: ...ment device when the device becomes the root bridge of instance 1: <device> system-view; [device] stp instance 1 dot1d-trap newroot enable. Displaying and Maintaining MSTP. Display the state and statistics information about spanning trees of the current device: display stp [ instance instance-id ] [ interface interface-list | slot slot-number ] [ brief ] (available in any view). Display region...

Page 217: ...B are configured as the root bridges of spanning tree instance 1 and spanning tree instance 3 respectively; Switch C is configured as the root bridge of spanning tree instance 4. Figure 1-10 Network diagram for MSTP configuration. The word "permit" shown in Figure 1-10 means the corresponding link permits packets of the specified VLANs. Configuration procedure. 1. Configure Switch A. Enter MST region view: <Switc...

Page 218: ...hC> system-view; [SwitchC] stp region-configuration. Configure the MST region: [SwitchC-mst-region] region-name example; [SwitchC-mst-region] instance 1 vlan 10; [SwitchC-mst-region] instance 3 vlan 30; [SwitchC-mst-region] instance 4 vlan 40; [SwitchC-mst-region] revision-level 0. Activate the settings of the MST region manually: [SwitchC-mst-region] active region-configuration. Specify Switch C as the root bridge of spa...

Page 219: ...ystem view, thus implementing transparent transmission between the user's network and the operator's network. Figure 1-11 Network diagram for VLAN-VPN tunnel configuration: Switch A, Switch B, Switch C, Switch D; ports Ethernet 1/0/1, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. Configuration procedure. 1. Configure Switch A. Enable MSTP: <SwitchA> system-view...

Page 220: ... Add the trunk port to all VLANs: [SwitchC-GigabitEthernet1/0/2] port trunk permit vlan all. 4. Configure Switch D. Enable MSTP: <SwitchD> system-view; [SwitchD] stp enable. Enable the VLAN-VPN tunnel function: [SwitchD] vlan-vpn tunnel. Add GigabitEthernet 1/0/2 to VLAN 10: [SwitchD] vlan 10; [SwitchD-vlan10] port GigabitEthernet 1/0/2. Disable STP on GigabitEthernet 1/0/2 and then enable the VLAN-VPN function on it: [Swit...

Page 221: ...abling DHCP-triggered Authentication 1-17; Configuring Guest VLAN 1-17; Configuring 802.1x Re-Authentication 1-18; Configuring the 802.1x Re-Authentication Timer 1-18; Displaying and Maintaining 802.1x 1-19; Configuration Example 1-19; 802.1x Configuration Example 1-19. 2 Quick EAD Deployment Configuration 2-1; Introduction to Quick EAD Deployment 2-1; Quick EAD Deployment Overview 2-1; Operation of Quick E...

Page 222: ...ice can access the LAN only when it passes the authentication; devices that fail the authentication are denied access to the LAN. Architecture of 802.1x Authentication. As shown in Figure 1-1, 802.1x adopts a client/server architecture with three entities: a supplicant system, an authenticator system and an authentication server system. Figure 1-1 Architecture of 802.1x authentication. The supplic...

Page 223: ...onnection requests to the authenticator system PAE. Controlled port and uncontrolled port: the authenticator system provides ports for supplicant systems to access a LAN. Logically, a port of this kind is divided into a controlled port and an uncontrolled port. The uncontrolled port can always send and receive packets; it mainly serves to forward EAPoL packets, to ensure that a supplicant system can se...

Page 224: ... information about the supplicant system to the authenticator system. The authenticator system in turn sets the state of the controlled port (authorized or unauthorized) according to the instruction (accept or reject) received from the RADIUS server. Encapsulation of EAPoL Messages. The format of an EAPoL packet: EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol packet...

Page 225: ...acket, its Packet body field is an EAP packet, whose format is illustrated in Figure 1-4. Figure 1-4 The format of an EAP packet. In an EAP packet: the Code field indicates the EAP packet type, which can be Request, Response, Success or Failure; the Identifier field is used to match a Response packet with the corresponding Request packet; the Length field indicates the size of the EAP packet, which incl...

Page 226: ...t of a Message-Authenticator field. 802.1x Authentication Procedure. The device can authenticate supplicant systems in EAP terminating mode or EAP relay mode. EAP relay mode: this mode is defined in 802.1x. In this mode, EAP packets are encapsulated in a higher-level protocol, such as EAPoR (EAP over RADIUS), to enable them to reach the authentication server. Normally this mode requires that the RADIUS s...
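Pages 224 through 226 describe the two nested formats the authenticator has to handle: an EAPoL header (version, type, length) whose body, for type EAP-Packet, is an EAP packet (code, identifier, length, and for Request/Response a type byte plus data). The following added example, written for this page and not taken from the switch or any client, builds and parses both and rejects frames whose length fields disagree with what was actually received; the EAPOL_TYPES and EAP_CODES tables are the values from 802.1x and RFC 3748 as this example assumes them, and the byte strings in the test are constructed.

```python
"""Added example: build and parse EAPoL frames and the EAP packets they carry,
with the length checks a receiver needs so a truncated or oversized frame is
rejected rather than misread. Illustration code only; not the WX3000 or iNode
implementation. Constants are assumptions taken from 802.1x / RFC 3748."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EAPOL_VERSION = 1
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_MD5_CHALLENGE = 4


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no type byte
    data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    # EAP header: code (1), identifier (1), length (2) covering header + body
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def build_eapol(eapol_type: int, body: bytes = b"") -> bytes:
    # EAPoL header: version (1), type (1), length of the body only (2)
    return struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def parse_eap(buf: bytes) -> EapPacket:
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(buf):
        raise ValueError("EAP length field inconsistent with received bytes")
    payload = buf[4:length]            # anything beyond Length is padding: ignored
    if code in (3, 4):                 # Success / Failure
        return EapPacket(code, ident, None, b"")
    if not payload:
        raise ValueError("Request/Response without a type field")
    return EapPacket(code, ident, payload[0], payload[1:])


def parse_eapol(frame: bytes) -> Tuple[str, Optional[EapPacket]]:
    """Return (EAPoL type name, parsed EAP packet or None for non-EAP types)."""
    if len(frame) < 4:
        raise ValueError("EAPoL header truncated")
    _version, etype, length = struct.unpack("!BBH", frame[:4])
    if etype not in EAPOL_TYPES:
        raise ValueError(f"unknown EAPoL type {etype}")
    if length > len(frame) - 4:
        raise ValueError("EAPoL length exceeds received frame")
    body = frame[4:4 + length]
    if etype == 0:
        return EAPOL_TYPES[0], parse_eap(body)
    return EAPOL_TYPES[etype], None


def identity_exchange(identifier: int, username: bytes) -> Tuple[bytes, bytes]:
    """The first step of the procedure on the page: the authenticator's
    EAP-Request/Identity and the supplicant's EAP-Response/Identity, as frames."""
    request = build_eapol(0, build_eap(1, identifier, EAP_TYPE_IDENTITY))
    response = build_eapol(0, build_eap(2, identifier, EAP_TYPE_IDENTITY, username))
    return request, response
```

The Identifier check is the only thing tying a Response to its Request, so an authenticator should match it rather than accept any Response that arrives; and since the uncontrolled port accepts EAPoL from any station, the parser rejects inconsistent lengths before trusting a single field.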

Page 227: ...shake timer; handshake request (EAP-Request/Identity); handshake response (EAP-Response/Identity); EAPOL-Logoff; port unauthorized; Authenticator System PAE. The detailed procedure is as follows. A supplicant launches an iNode client and provides a valid user name and password on the iNode client to initiate a connection request. In this case the iNode client program sends the connection request, the ...

Page 228: ...f the corresponding port to the accepted state to allow the supplicant to access the network. The supplicant can also terminate the authenticated state by sending EAPoL-Logoff packets to the device; the device then changes the port state from accepted to rejected. When you configure your device to work in EAP relay mode, you do not need to configure the authentication method to be used. The device and th...

Page 229: ...g timers are used to ensure that the supplicant system, the device and the RADIUS server interact in an orderly way. Handshake timer (handshake-period): this timer sets the handshake period and is started after a supplicant system passes authentication; it sets the interval at which the device sends handshake request packets to online users. You can set the number of retries by using the dot1x retry...

Page 230: ...ase this timer sets the interval to send the multicast request identity packets z Client version request timer ver period This timer sets the version period and is triggered after the device sends a version request packet The device sends another version request packet if it does receive version response packets from the supplicant system when the timer expires Additional 802 1x Features Implement...

Page 231: ...lient to prevent unauthorized users or users with earlier versions of iNode client from logging in This function makes the device to send version requesting packets again if the iNode client fails to send version reply packet to the device when the version checking timer times out The iNode client version checking function needs the support of an iNode client program The Guest VLAN function The Gu...

Page 232: ...thentication of users The RADIUS server sends the device an Access Accept packet with the Termination Action attribute field of 1 Upon receiving the packet the device re authenticates users periodically z You enable 802 1x re authentication on the device With 802 1x re authentication enabled the device re authenticates users periodically 802 1x re authentication will fail if a iMC server is used a...

Page 233: ...iguration on the device z If you specify to adopt the HWTACACS scheme users are authenticated by a remote TACACS server In this case you need to configure user names and passwords on the TACACS server and perform HWTACACS client related configuration on the device z You can also specify to adopt the RADIUS or HWTACACS authentication scheme with a local authentication scheme as a backup In this cas...

Page 234: ... specified ports dot1x port method macbased portbased interface interface list Optional The default access control method on a port is MAC based that is the macbased keyword is used by default Set authentication method for 802 1x users dot1x authentication method chap pap eap Optional By default the device performs CHAP authentication in EAP terminating mode Enable online user handshaking dot1x ha...

Page 235: ...ser handshaking function the device cannot receive handshaking acknowledgement packets from the client in handshaking periods To prevent the user being falsely considered offline you need to disable the online user handshaking function in this case z For the handshaking packet secure function to take effect the clients that enable the function need to cooperate with the authentication server If ei...

Page 236: ...e this command in port view In this case this command applies to the current port only and the interface list argument is not needed z As for the configuration of 802 1x timers the default values are recommended Advanced 802 1x Configuration Advanced 802 1x configurations as listed below are all optional z Configuration concerning iMC including multiple network adapters detecting proxy detecting a...

Page 237: ... device In addition the client version checking function needs to be enabled on the device too by using the dot1x version check command Configuring Client Version Checking Follow these steps to configure client version checking To do Use the command Remarks Enter system view system view In system view dot1x version check interface interface list interface interface type interface number dot1x vers...

Page 238: ...y default DHCP triggered authentication is disabled Configuring Guest VLAN Follow these steps to configure Guest VLAN To do Use the command Remarks Enter system view system view Configure the access control method on ports dot1x port method portbased Required The default access control method on ports is MAC based That is the macbased keyword is used by default Enable the Guest VLAN function dot1x...

Page 239: ...ed on the device the device determines the re authentication interval in one of the following two ways 1 The device uses the value of the Session timeout attribute field of the Access Accept packet sent by the RADIUS server as the re authentication interval 2 The device uses the value configured with the dot1x timer reauth period command as the re authentication interval for access users Note the ...

Page 240: ...t system is disconnected by force if the RADIUS server fails. The name of an authenticated supplicant system is not suffixed with the domain name. A connection is terminated if the total size of the data that passes through it during a period of 20 minutes is less than 2,000 bytes. The device is connected to a server comprising two RADIUS servers whose IP addresses are 10.11.1.1 and 10.11.1.2. The RAD...

Page 241: ...MAC address based is the default: [device] dot1x port-method macbased interface GigabitEthernet 1/0/1. Create a RADIUS scheme named radius1 and enter RADIUS scheme view: [device] radius scheme radius1. Assign IP addresses to the primary authentication and accounting RADIUS servers: [device-radius-radius1] primary authentication 10.11.1.1; [device-radius-radius1] primary accounting 10.11.1.2. Assign IP addresses ...

Page 242: ... enter its view: [device] domain enable aabbcc.net. Specify to adopt radius1 as the RADIUS scheme of the user domain; if the RADIUS server is invalid, specify to adopt the local authentication scheme: [device-isp-aabbcc.net] scheme radius-scheme radius1 local. Specify the maximum number of users the user domain can accommodate to 30: [device-isp-aabbcc.net] access-limit enable 30. Enable the idle disconnecting func...

Page 243: ... a user is restricted through ACLs to a specific range of IP addresses or a specific server Services like EAD client upgrading download and dynamic address assignment are available on the specific server HTTP redirection Whenever a user accesses the Internet through the Internet Explorer IE before passing 802 1x authentication the device redirects the user to a predefined URL such as the EAD clien...

Page 244: ... quick EAD deployment function applies to only ports with the authorization mode set to auto through the dot1x port control command z Currently the quick EAD deployment function is implemented based on only 802 1x authentication z Currently the quick EAD deployment function does not support port security The configured free IP range cannot take effect if you enable port security Setting the ACL ti...

Page 245: ...e interface list Available in any view Quick EAD Deployment Configuration Example Network requirements As shown in Figure 2 1 a user PC connects to the device Switch directly The device connects to the Web server and the Internet The user will be redirected to the Web server to download the authentication client and upgrade software when accessing the Internet through IE before passing authenticat...

Page 246: ...t other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the resolution fails the PC will access a specific website Generally this address is not in dotted decimal notation As a result the PC cannot receive any ARP response and therefor...

Page 247: ...tering rules according the characteristics of the attack source Thus system guard is implemented Configuring the System Guard Feature Through the following configuration you can enable the system guard feature set the threshold for the number of packets when an attack is detected and the length of the isolation after an attack is detected Configuring the System Guard Feature Follow these steps to ...

Page 248: ...System Guard To do Use the command Remarks Display the record of detected attacks display system guard attack record Available in any view Display the state of the system guard feature display system guard state Available in any view ...

Page 249: ...on Attempts 2 13 Configuring the Type of RADIUS Servers to be Supported 2 13 Configuring the Status of RADIUS Servers 2 14 Configuring the Attributes of Data to be Sent to RADIUS Servers 2 15 Configuring the Local RADIUS Authentication Server Function 2 16 Configuring Timers for RADIUS Servers 2 17 Enabling Sending Trap Message when a RADIUS Server Goes Down 2 18 Enabling the User Re Authenticatio...

Page 250: ...30 Troubleshooting RADIUS Configuration 2 30 Troubleshooting HWTACACS Configuration 2 30 3 EAD Configuration 3 1 Introduction to EAD 3 1 Typical Network Application of EAD 3 1 EAD Configuration 3 2 EAD Configuration Example 3 2 ...

Page 251: ...entication methods z None authentication Users are trusted and are not checked for their validity Generally this method is not recommended z Local authentication User information including user name password and some other attributes is configured on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost...

Page 252: ...ssary to distinguish the users by setting ISP domains You can configure a set of ISP domain attributes including AAA policy RADIUS scheme and so on for each ISP domain independently in ISP domain view Introduction to AAA Services Introduction to RADIUS AAA is a management framework It can be implemented by not only one protocol But in practice the most commonly used service for AAA is RADIUS What ...

Page 253: ...cation or accounting proxy service. Basic message exchange procedure in RADIUS: The messages exchanged between a RADIUS client and a RADIUS server are verified through a shared key. This enhances the security. The RADIUS protocol combines the authentication and authorization processes together by sending authorization information along with the authentication response message. Figure 1-2 depicts the me...

Page 254: ...ver. 8) The RADIUS server returns a stop-accounting response (Accounting-Response). 9) The access to network resources is ended. RADIUS message format: RADIUS messages are transported over UDP, which does not guarantee reliable delivery of messages between RADIUS server and client. As a remedy, RADIUS adopts the following mechanisms: timer management, retransmission and backup server. Figure 1-3 depicts the for...

Page 255: ...nd Attributes fields. The bytes beyond the length are regarded as padding and are ignored upon reception. If a received message is shorter than what the Length field indicates, it is discarded. 4) The Authenticator field (16 bytes) is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm. There are two kinds of authenticators: Request Authenticator and Respon...

Page 256: ... allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS. Figure 1-4 depicts the format of attribute 26. The Vendor-ID field, used to identify a vendor, occupies four bytes, where the first byte is 0 and the other three bytes are defined in RFC 1700. Here the vendor can encapsulate multiple customized sub-attributes containing vendor-specific Type, Length an...
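The message rules described on the preceding pages (Length handling, the Response Authenticator, the password hiding algorithm and attribute 26), as an added example that is not part of the manual: a small RFC 2865 parser and verifier in Python. The shared key, Request Authenticator, vendor ID 12345 and every packet below are constructed for the demo, not taken from the manual.

```python
# Added example, not from the manual: a minimal RADIUS (RFC 2865) message
# parser/builder that applies the Length rules described above, verifies a
# Response Authenticator against the shared key, implements the User-Password
# hiding algorithm and walks a Vendor-Specific (26) attribute's sub-attributes.
# Every packet, shared key and attribute value here is constructed for the demo.
import hashlib
import hmac
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response"}
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26


def _xor_chunks(data, secret, request_auth, chain_on_output):
    # Shared core of hide/unhide: each 16-byte chunk is XOR-ed with
    # MD5(secret + previous cipher block). Hiding chains on the cipher block it
    # just produced (its output); unhiding chains on the one it just consumed.
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(chunk, keystream))
        out += block
        prev = block if chain_on_output else chunk
    return out


def hide_password(password, secret, request_auth):
    """User-Password hiding: zero-pad to a multiple of 16 bytes, then XOR each
    chunk with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chunks(padded, secret, request_auth, chain_on_output=True)


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; needs the same shared key and Request Authenticator."""
    return _xor_chunks(hidden, secret, request_auth, chain_on_output=False).rstrip(b"\x00")


def build_message(code, ident, authenticator, attrs, secret=None):
    """Serialize a message. For a response, pass the Request Authenticator plus the
    shared key: the Response Authenticator is then
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        authenticator = hashlib.md5(header + authenticator + body + secret).digest()
    return header + authenticator + body


def _parse_vsa(value):
    # Attribute 26: 4-byte Vendor-ID (first byte 0) followed by vendor-defined
    # sub-attributes in Type/Length/Value form.
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    if vendor_id >> 24 != 0:
        raise ValueError("Vendor-ID high byte must be 0")
    subs, pos = [], 4
    while pos < len(value):
        stype, slen = value[pos], value[pos + 1]
        if slen < 2 or pos + slen > len(value):
            raise ValueError("malformed vendor sub-attribute")
        subs.append((stype, value[pos + 2:pos + slen]))
        pos += slen
    return vendor_id, subs


def parse_message(data):
    """Parse header and attributes. Bytes beyond Length are padding and are
    ignored; a datagram shorter than its Length field is discarded (ValueError)."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or len(data) < length:
        raise ValueError("datagram shorter than its Length field: discard")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + alen]
        attrs.append((atype, _parse_vsa(value) if atype == VENDOR_SPECIFIC else value))
        pos += alen
    return {"code": code, "name": CODE_NAMES.get(code, "Unknown"),
            "id": ident, "authenticator": data[4:20], "attrs": attrs}


def verify_response(response, request_auth, secret):
    """Recompute the Response Authenticator; a mismatch means the reply was
    forged, altered in transit, or built with a different shared key."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length < 20 or len(response) < length:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Walk one constructed Access-Request / Access-Accept exchange."""
    secret = b"aabbcc"                  # constructed shared key
    request_auth = bytes(range(16))     # constructed; random per request in real use
    hidden = hide_password(b"s3cret-pw-longer-than-16", secret, request_auth)
    request = build_message(1, 7, request_auth,
                            [(USER_NAME, b"user@aabbcc.net"), (USER_PASSWORD, hidden)])
    vsa = struct.pack("!I", 12345) + bytes([1, 5]) + b"abc"   # constructed vendor 12345
    accept = build_message(2, 7, request_auth, [(VENDOR_SPECIFIC, vsa)], secret)
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])         # one flipped body byte
    results = {
        "request": parse_message(request)["name"],
        "password": unhide_password(parse_message(request)["attrs"][1][1], secret, request_auth),
        "vsa": parse_message(accept)["attrs"][0][1],
        "genuine": verify_response(accept, request_auth, secret),
        "tampered": verify_response(tampered, request_auth, secret),
        "padded": verify_response(accept + b"\x00" * 4, request_auth, secret),
        "wrong_key": verify_response(accept, request_auth, b"wrong"),
    }
    try:
        parse_message(accept[:-2])      # shorter than Length: must be discarded
        results["truncated"] = "accepted"
    except ValueError:
        results["truncated"] = "discarded"
    return results
```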

Page 257: ...more suitable for security control Is more suitable for accounting Supports configuration command authorization Does not support In a typical HWTACACS application as shown in Figure 1 5 a terminal user needs to log into the device to perform some operations As a HWTACACS client the device sends the username and password to the TACACS server for authentication After passing authentication and being...

Page 258: ...nt which then sends an authentication start request to the TACACS server 2 The TACACS server returns an authentication response asking for the username Upon receiving the response the TACACS client requests the user for the username 3 After receiving the username from the user the TACACS client sends an authentication continuance message carrying the username 4 The TACACS server returns an authent...

Page 259: ...sends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS client sends an accounting stop request to the TACACS server 13 The TACACS server returns an accounting response indicating that it has received the accounting stop request ...

Page 260: ...ng Its Attributes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods z You need to configure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Assignment Optional Configuring the At...

Page 261: ...ure the form of the delimiter between the user name and the ISP domain name domain delimiter at dot Optional By default the delimiter between the user name and the ISP domain name is Create an ISP domain or set an ISP domain as the default ISP domain domain isp name default disable enable isp name Required If no ISP domain is set as the default ISP domain the ISP domain system is used as the defau...

Page 262: ...mmunicate with any accounting server when it performs accounting for a user it does not disconnect the user as long as the accounting optional command has been executed though it cannot perform accounting for the user in this case z The self service server location function needs the cooperation of a RADIUS server that supports self service such as comprehensive access management server iMC Throug...

Page 263: ...authentication is performed otherwise local authentication is performed z If you execute the scheme hwtacacs scheme hwtacacs scheme name local command the local scheme is used as the secondary scheme in case no TACACS server is available That is if the communication between the device and a TACACS server is normal no local authentication is performed otherwise local authentication is performed z I...

Page 264: ...eme is configured z If a combined AAA scheme is configured as well as the separate authentication authorization and accounting schemes the separate ones will be adopted in precedence z RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain When the scheme radi...

Page 265: ...and enter its view domain isp name Set the VLAN assignment mode vlan assignment mode integer string Optional By default the VLAN assignment mode is integer Create a VLAN and enter its view vlan vlan id Set a VLAN name for VLAN assignment name string This operation is required if the VLAN assignment mode is set to string z In string mode if the VLAN ID assigned by the RADIUS server is a character s...

Page 266: ...ices Authorize the user to access specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of the user level level Optional By default the privilege level of the user is 0 Configure the authorization VLAN for the local user authorization vlan string Required By de...

Page 267: ...address authentication can be assigned with an authorization VLAN The device will not assign authorization VLANs for subsequent users passing MAC address authentication In this case you are recommended to connect only one MAC address authentication user or multiple users with the same authorization VLAN to a port z For local RADIUS authentication or local authentication to take effect the VLAN ass...

Page 268: ...following tasks to configure RADIUS for the device functioning as a local RADIUS server Task Remarks Creating a RADIUS Scheme Required Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type...

Page 269: ...ally the RADIUS service configuration only defines the parameters for information exchange between device and RADIUS server To make these parameters take effect you must reference the RADIUS scheme configured with these parameters in an ISP domain view refer to AAA Configuration Creating a RADIUS Scheme The RADIUS protocol configuration is performed on a RADIUS scheme basis You should first create...

Page 270: ... carries authorization information Therefore you need not and cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port numbe...

Page 271: ... the primary and secondary accounting servers respectively In addition because RADIUS adopts different UDP ports to exchange authentication authorization messages and accounting messages you must set a port number for accounting different from that set for authentication authorization z With stop accounting request buffering enabled the device first buffers the stop accounting request that gets no...

Page 272: ...e shared key on the accounting server Configuring the Maximum Number of RADIUS Request Transmission Attempts The communication in RADIUS is unreliable because this protocol uses UDP packets to carry its data Therefore it is necessary for the device to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the device gets no answer afte...

Page 273: ...ll turn to the secondary server and exchange messages with the secondary server After the primary server remains in the block state for a set time set by the timer quiet command the device will try to communicate with the primary server again when it receives a RADIUS request If it finds that the primary server has recovered the device immediately restores the communication with the primary server...

Page 274: ...US scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the format of the user names to be sent to RADIUS server user name format with domain without domain Optional By default the user names sent from the device to RADIUS server carry ISP domain names Set the units of data flows to RADIUS servers dat...

Page 275: ...dress format of the Calling Station Id Type 31 field in RADIUS packets is to improve the device s compatibility with different RADIUS servers This setting is necessary when the format of Calling Station Id field recognizable to RADIUS servers is different from the default MAC address format on the device For details about field formats recognizable to RADIUS servers refer to the corresponding RADI...

Page 276: ...r in the device system is called the response timeout timer of RADIUS servers If the device gets no answer within the response timeout time it needs to retransmit the request to ensure that the user can obtain RADIUS service For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the device fails to communicate with the primary serve...

Page 277: ...ks Enter system view system view Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the device does not send trap message when a RADIUS server is down z This configuration takes effect on all RADIUS schemes z The device considers a RADIUS server as being down if it has tried the configured maximum times ...

Page 278: ...es the response from the IMC it stops sending Accounting On messages 5 If the device does not receive any response from the IMC after it has tried the configured maximum number of times to send the Accounting On message it will not send the Accounting On message any more The device can automatically generate the main attributes NAS ID NAS IP address and session ID contained in Accounting On messag...

Page 279: ...d on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to create a HWTACACS scheme To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists The system supports up to 16 HWTAC...

Page 280: ... remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server Configuring TACACS Authorization Servers Follow these steps to configure TACACS authorization servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By defaul...

Page 281: ...nd port number of the secondary TACACS accounting server secondary accounting ip address port Required By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 Enable the stop accounting message retransmission function and set the maximum number of transmission attempts of a buffered stop accounting message retry stop accounting retry times Optional By defau...

Page 282: ... Follow these steps to configure the attributes for data to be sent to TACACS servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs scheme name Required By default no HWTACACS scheme exists Set the format of the user names to be sent to TACACS server user name format with domain without domain Optional By default th...

Page 283: ...Optional By default the response timeout time is five seconds Set the time that the device must wait before it can restore the status of the primary server to active timer quiet minutes Optional By default the device must wait five minutes before it can restore the status of the primary server to active Set the real time accounting interval timer realtime accounting minutes Optional By default the...

Page 284: ... user name user name Available in any view Displaying and maintaining RADIUS protocol information To do Use the command Remarks Display RADIUS message statistics about local RADIUS authentication server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius scheme radius scheme name Display RADIUS message statistics display radius ...

Page 285: ... following text only takes Telnet users as an example to describe the configuration procedure for remote authentication. Network requirements: In the network environment shown in Figure 2-1, you are required to configure the device so that the Telnet users logging into the switching engine are authenticated by the RADIUS server. A RADIUS authentication server with IP address 10.110.91.164 is connected ...

Page 286: ...ice-isp-imc] quit. Configure a RADIUS scheme: [device] radius scheme imc; [device-radius-imc] accounting optional; [device-radius-imc] primary authentication 10.110.91.164 1812; [device-radius-imc] key authentication aabbcc; [device-radius-imc] server-type Extended; [device-radius-imc] user-name-format with-domain; [device-radius-imc] quit. Associate the ISP domain with the RADIUS scheme: [device] domain imc; [device-isp-imc] ...

Page 287: ...ystem view device system view Adopt AAA authentication for Telnet users device user interface vty 0 4 device ui vty0 4 authentication mode scheme device ui vty0 4 quit Create and configure a local user named telnet device local user telnet device luser telnet service type telnet device luser telnet password simple aabbcc device luser telnet quit Configure an authentication scheme for the default s...

Page 288: ...entication and authorization shared keys that are used to exchange messages with the TACACS server to expert Configure the device to strip domain names off user names before sending user names to the TACACS server Configure the shared key to expert on the TACACS server for exchanging messages with the device Figure 2 3 Remote HWTACACS authentication and authorization of Telnet users Internet Telne...

Page 289: ... from the device Take measures to make the device communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communication links physical link layer between the device and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set...

Page 290: ... ACL for user terminals according to session control packets whereby to control the access rights of users dynamically Typical Network Application of EAD EAD checks the security status of users before they can access the network and forcibly implements user access control policies according to the check results In this way it can isolate the users that are not compliant with security standard and ...

Page 291: ...e command Remarks Enter system view system view Enter RADIUS scheme view radius scheme radius scheme name Configure the RADIUS server type to extended server type extended Required Configure the IP address of a security policy server security policy server ip address Required Each RADIUS scheme supports up to eight IP addresses of security policy servers EAD Configuration Example Network requireme...

Page 292: ...m view: [device] domain system; [device-isp-system] quit. Configure a RADIUS scheme: [device] radius scheme imc; [device-radius-imc] primary authentication 10.110.91.164 1812; [device-radius-imc] accounting optional; [device-radius-imc] key authentication expert; [device-radius-imc] server-type extended. Configure the IP address of the security policy server: [device-radius-imc] security-policy-server 10.110.91.166. Associa...

Page 293: ...rs 1 2 Quiet MAC Address 1 2 Configuring Basic MAC Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 4 MAC Address Authentication Enhanced Function Configuration Tasks 1 4 Configuring a Guest VLAN 1 4 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port 1 6 Displaying and Maintaining MAC Authentication 1 7 MAC Authentic...

Page 294: ...erion for successful authentication For details refer to AAA of this manual for information about local user attributes Performing MAC Authentication on a RADIUS Server In RADIUS based MAC authentication the device serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server z If the type of username is MAC address the device sends a detected MAC address to the RA...

Page 295: ...te any MAC authentication of the user during a period defined by this timer z Server timeout timer During authentication of a user if the device receives no response from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Quiet MAC Address When a user fails MAC authentication the MAC address becomes a q...

Page 296: ...ional By default the username is mac and no password is configured Specify an ISP domain for MAC authentication mac authentication domain isp name Required The default ISP domain default domain is used by default Configure the MAC authentication timers mac authentication timer offline detect offline detect value quiet quiet value server timeout server timeout value Optional The default timeout val...

Page 297: ...rn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the network In some cases if the clients failing in the authentication are required to access some restricted resources in the network such as the virus library update server you can use the Guest VLAN You can configure a Guest VLAN for each port of the device Wh...

Page 298: ...f a packet itself has a VLAN tag and be in the VLAN that the port allows to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is packets can be forwarded to the VLANs other than the Guest VLAN through the trunk port and the hybrid port even users fail to pass authentication Follow these steps to configure a Guest VLAN To do Use the command Remarks Enter syste...

Page 299: ...entication cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC authentication does not take effect when port security is enabled Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authentication users for a port in order to control the maximum number of users accessi...

Page 300: ...n statistics interface interface-type interface-number. Available in user view. MAC Authentication Configuration Example. Network requirements: As illustrated in Figure 1-1, a supplicant is connected to Switch through port GigabitEthernet 1/0/2. MAC authentication is required on port GigabitEthernet 1/0/2 to control user access to the Internet. All users belong to domain aabbcc.net. The authentication...

Page 301: ... [device-isp-aabbcc.net] scheme local; [device-isp-aabbcc.net] quit. Specify aabbcc.net as the ISP domain for MAC authentication: [device] mac-authentication domain aabbcc.net. Enable MAC authentication globally. This is usually the last step in configuring access control related features; otherwise, a user may be denied access to the networks because of incomplete configuration. [device] mac-authentication A...

Page 302: ...dress Configuration Examples 1 4 IP Address Configuration Example I 1 4 IP Address Configuration Example II 1 5 2 IP Performance Configuration 2 1 IP Performance Overview 2 1 Introduction to IP Performance Configuration 2 1 Introduction to FIB 2 1 Configuring IP Performance 2 1 Configuration Task List 2 1 Configuring TCP Attributes 2 1 Disabling Sending of ICMP Error Packets 2 2 Displaying and Mai...

Page 303: ...ecimal notation, each being four octets in length, for example 10.1.1.1 for the address just mentioned. Each IP address breaks down into two parts: Net ID: the first several bits of the IP address defining a network, also known as class bits. Host ID: identifies a host on a network. For administration sake, IP addresses are divided into five classes, as shown in the following figure, in which the blue par...

Page 304: ...dress. For example, a packet with the destination address of 192.168.1.255 will be broadcast to all the hosts on the network 192.168.1.0. Subnetting and Masking: Subnetting was developed to address the risk of IP address exhaustion resulting from fast expansion of the Internet. The idea is to break a network down into smaller networks called subnets by using some bits of the host ID to create a subne...

Page 305: ...imum number of hosts is thus 64,512 (512 × 126), 1,022 less after the network is subnetted. Class A, B and C networks, before being subnetted, use these default masks (also called natural masks): 255.0.0.0, 255.255.0.0 and 255.255.255.0 respectively. Configuring IP Addresses: The device supports assigning IP addresses to VLAN interfaces and loopback interfaces. Besides directly assigning an IP address to a VLAN in...

Page 306: ...ing and Maintaining IP Addressing To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface number Display brief configuration information about a specified or all Layer 3 interfaces display ip interface brief interface type interface number Available in any view IP Address Configuration Examples IP Address Configura...

Page 307: ...sign a primary IP address and a secondary IP address to VLAN-interface 1: <Switch> system-view; [Switch] interface vlan-interface 1; [Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0; [Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub. Set the gateway address to 172.16.1.1 on the PCs attached to the subnet 172.16.1.0/24, and to 172.16.2.1 on the PCs attached to the subnet 172.16.2.0/24. ...

Page 308: ...RL_C to break / Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms / Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms / Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms / Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms / Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms / --- 172.16.2.2 ping statistics --- / 5 packet(s) transmitted / 5 packet(s) received / 0.00% packet...

Page 309: ... the same. Configuring IP Performance. Configuration Task List: Complete the following tasks to configure IP performance. Task / Remarks: Configuring TCP Attributes (Optional); Disabling Sending of ICMP Error Packets (Optional). Configuring TCP Attributes: TCP optional parameters that can be configured include: - synwait timer: When sending a SYN packet, TCP starts the synwait timer. If no response packets are rece...

Page 310: ...ion unreachable packets. Although sending ICMP error packets facilitates control and management, it still has the following disadvantages: - Sending a lot of ICMP packets will increase network traffic. - If receiving a lot of malicious packets that cause it to send ICMP error packets, the device's performance will be reduced. - As the ICMP redirection function increases the routing table size of a host, t...

Page 311: ...ding information base (FIB) entries: display fib. Display the FIB entries matching the destination IP address: display fib ip_address1 [ mask1 | mask-length1 ] [ ip_address2 [ mask2 | mask-length2 ] | longer ] | longer. Display the FIB entries permitted by a specific ACL: display fib acl number. Display the FIB entries in the buffer which begin with, include or exclude the specified character string: display fib | { begin | include ...

Page 312: ...laying and Maintaining DHCP Relay Agent Configuration 2-8; DHCP Relay Agent Configuration Example 2-8; Troubleshooting DHCP Relay Agent Configuration 2-9; 3 DHCP Snooping Configuration 3-1; DHCP Snooping Overview 3-1; Function of DHCP Snooping 3-1; Overview of DHCP Snooping Option 82 3-2; Overview of IP Filtering 3-4; DHCP Snooping Configuration 3-5; Configuring DHCP Snooping 3-5; Configuring DHCP Snooping ...

Page 313: ... position change of hosts and frequent change of IP addresses also require new technology. Dynamic host configuration protocol (DHCP) is developed to solve these issues. DHCP adopts a client/server model, where the DHCP clients send requests to DHCP servers for configuration parameters, and the DHCP servers return the corresponding configuration information, such as IP addresses, to implement dynamic allo...

Page 314: ...field in the DHCP-DISCOVER packet; refer to DHCP Packet Format for details. 3) Select: In this phase, the DHCP client selects an IP address. If more than one DHCP server sends DHCP-OFFER packets to the DHCP client, the DHCP client only accepts the DHCP-OFFER packet that first arrives, and then broadcasts a DHCP-REQUEST packet containing the assigned IP address carried in the DHCP-OFFER packet. 4) Acknowledg...

Page 315: ...CP Packet Format: DHCP has eight types of packets. They have the same format, but the values of some fields in the packets are different. The DHCP packet format is based on that of the BOOTP packets. The following figure describes the packet format (the number in the brackets indicates the field length in bytes). Figure 1-2 DHCP packet format: op (1), htype (1), hlen (1), hops (1), xid (4), secs (2), flags (2), ci...

Page 316: ...the boot configuration file that the DHCP server specifies for the DHCP client. - option: Optional variable-length fields, including packet type, valid lease time, IP address of a DNS server, and IP address of the WINS server. Protocols and Standards: - RFC 2131: Dynamic Host Configuration Protocol. - RFC 2132: DHCP Options and BOOTP Vendor Extensions. - RFC 1542: Clarifications and Extensions for the Bootstra...

Page 317: ...e the packets are broadcasted in the process of obtaining IP addresses, DHCP is only applicable to the situation that DHCP clients and DHCP servers are in the same network segment; that is, you need to deploy at least one DHCP server for each network segment, which is far from economical. DHCP relay agent is designed to address this problem. It enables DHCP clients in a subnet to communicate with the DH...

Page 318: ... the DHCP message. It records the location information of the DHCP client. With this option, the administrator can locate the DHCP client to further implement security control and accounting. The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clients. Option 82 involves at most 255 sub-options. If Option 82 is...

Page 319: ...tion 82 in the packet with its own, or leaves the original Option 82 unchanged in the packet, and forwards the packet (if not discarded) to the DHCP server. - If the request packet does not contain Option 82, the DHCP relay agent adds Option 82 to the packet and forwards the packet to the DHCP server. 2) Upon receiving the packet returned from the DHCP server, the DHCP relay agent strips Option 82 from the...

Page 320: ...multiple DHCP servers on the same network. These DHCP servers form a DHCP server group. When an interface of the relay agent establishes a correlation with the DHCP server group, the interface will forward received DHCP packets to all servers in the server group. Follow these steps to correlate a DHCP server group with a relay agent interface. To do / Use the command / Remarks: Enter system view: system-view...

Page 321: ...vious one. - You need to configure the group number specified in the dhcp-server groupNo command in VLAN interface view by using dhcp-server groupNo ip ip-address&<1-8> in advance. Configuring DHCP Relay Agent Security Functions. Configuring address checking: After relaying an IP address from the DHCP server to a DHCP client, the DHCP relay agent can automatically record the client's IP-to-MAC binding an...

Page 322: ...s entry. But as a DHCP relay agent does not process DHCP-RELEASE packets, which are sent to DHCP servers by DHCP clients through unicast when the DHCP clients release IP addresses, the user address entries maintained by the DHCP relay agent cannot be updated in time. You can solve this problem by enabling the DHCP relay agent handshake function and configuring the dynamic client address entry updating interval. Af...

Page 323: ...enable unauthorized DHCP server detection. To do / Use the command / Remarks: Enter system view: system-view. Enable unauthorized DHCP server detection: dhcp-server detect. Required; disabled by default. With the unauthorized DHCP server detection enabled, the relay agent will log all DHCP servers, including authorized ones, and each server is recorded only once until such information is removed and is recorded ...

Page 324: ... Relay Agent Configuration. To do / Use the command / Remarks: Display the information about a specified DHCP server group: display dhcp-server groupNo. Display the information about the DHCP server group to which a specified VLAN interface is mapped: display dhcp-server interface vlan-interface vlan-id. Display the specified client address entries on the DHCP relay agent: display dhcp-security [ ip-address | dy...

Page 325: ...igurations vary with different DHCP server devices, so the configurations are omitted. - The DHCP relay agent and DHCP server must be reachable to each other. Troubleshooting DHCP Relay Agent Configuration. Symptom: A client fails to obtain configuration information through a DHCP relay agent. Analysis: This problem may be caused by improper DHCP relay agent configuration. When a DHCP relay agent operates...

Page 326: ...ent. Check if the correct DHCP server group is configured on the interface connecting the network segment where the DHCP client resides. Check if the IP address of the DHCP server group is correct. - If the address-check enable command is configured on the interface connected to the DHCP server, verify the DHCP server's IP-to-MAC address binding entry is configured on the DHCP relay agent; otherwise th...

Page 327: ...sses through the DHCP snooping function at the data link layer. When an unauthorized DHCP server exists in the network, a DHCP client may obtain an illegal IP address. To ensure that the DHCP clients obtain IP addresses from valid DHCP servers, you can specify a port to be a trusted port or an untrusted port by the DHCP snooping function. - Trusted: A trusted port is connected to an authorized DHCP ser...

Page 328: ...e such information to define individual assignment policies of IP address and other parameters for the clients. Option 82 involves at most 255 sub-options. If Option 82 is defined, at least one sub-option must be defined. Currently the DHCP relay agent supports two sub-options: sub-option 1 (circuit ID sub-option) and sub-option 2 (remote ID sub-option). Padding content and frame format of Option 82: There i...

Page 329: ...ptions. To interwork with these devices, the device supports Option 82 in the standard format. Refer to Figure 3-4 and Figure 3-5 for the standard format of the sub-options with the default padding contents. In the standard format, the Circuit ID or Remote ID sub-option does not contain the two-byte type and length fields of the circuit ID or remote ID. Figure 3-4 Standard format of the circuit ID sub-o...

Page 330: ...ut Option 82. Sub-option configuration / The DHCP snooping device will: Neither of the two sub-options is configured: Forward the packet after adding Option 82 with the default contents. The format of Option 82 is the one specified with the dhcp-snooping information format command, or the default HEX format if this command is not executed. Circuit ID sub-option is configured: Forward the packet after addin...

Page 331: ... access external networks. To solve this problem, the device supports the configuration of static binding table entries, that is, the binding relationship between IP address, MAC address and the port connecting to the client, so that packets of the client can be correctly forwarded. IP filtering: The device can filter IP packets in the following two modes: - Filtering the source IP address in a packet: If t...

Page 332: ...snooping to function abnormally. Configuring DHCP Snooping to Support Option 82: Enable DHCP snooping and specify trusted ports on the device before configuring DHCP snooping to support Option 82. DHCP Snooping Option 82 Support Configuration Task List: Complete the following tasks to configure DHCP snooping Option 82 support. Task / Remarks: Enable DHCP snooping Option 82 support (Required). Configure a han...

Page 333: ... number. Configure a handling policy for requests that contain Option 82 received on the specified interface: dhcp-snooping information strategy { drop | keep | replace }. Optional; the default policy is replace. If a handling policy is configured on a port, this configuration overrides the globally configured handling policy for requests received on this port, while the globally configured handling policy appli...

Page 334: ...ts. - In a port aggregation group, you can use this command to configure the primary and member ports respectively. When Option 82 is added, however, the circuit ID sub-option is subject to the one configured on the primary port. - The circuit ID sub-option configured on a port will not be synchronized in the case of port aggregation. Configure the remote ID sub-option: You can configure the remote ID sub...

Page 335: ...es when the port receives a packet, and the global remote ID applies to other interfaces that have no remote ID sub-option configured. - In a port aggregation group, you can use this command to configure the primary and member ports respectively. When Option 82 is added, however, the remote ID is subject to the one configured on the primary port. - The remote ID configured on a port will not be synchroni...

Page 336: ...onfiguration Example. Network requirements: As shown in Figure 3-6, GigabitEthernet 1/0/5 of Switch is connected to the DHCP server, and GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 are respectively connected to Client A, Client B and Client C. - Enable DHCP snooping on Switch. - Specify GigabitEthernet 1/0/5 on Switch as a trusted port for DHCP snooping. - Enable DHCP snooping Op...

Page 337: ...dhcp-snooping information vlan 1 circuit-id string abcd. IP Filtering Configuration Example. Network requirements: As shown in Figure 3-7, GigabitEthernet 1/0/1 of Switch is connected to DHCP server, and GigabitEthernet 1/0/2 is connected to Host A. The IP address and MAC address of Host A are 1.1.1.1 and 0001-0001-0001 respectively. GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are connected to DHCP Cl...

Page 338: ... 3 and GigabitEthernet 1/0/4 to filter packets based on the source IP addresses and MAC addresses. [Switch] interface gigabitethernet 1/0/2 / [Switch-GigabitEthernet1/0/2] ip check source ip-address mac-address / [Switch-GigabitEthernet1/0/2] quit / [Switch] interface gigabitethernet 1/0/3 / [Switch-GigabitEthernet1/0/3] ip check source ip-address mac-address / [Switch-GigabitEthernet1/0/3] quit / [Switch] interface gigabitethe...

Page 339: ...es recorded by the DHCP snooping function: display dhcp-snooping [ unit unit-id ]. Display the enabled/disabled state of the DHCP snooping function and the trusted ports: display dhcp-snooping trust. Display the IP static binding table: display ip source static binding [ vlan vlan-id ] [ interface interface-type interface-number ]. Available in any view. ...

Page 340: ...ss and IP address of a BOOTP client. When a BOOTP client sends a request to the BOOTP server, the BOOTP server will search for the BOOTP parameter file and return it to the client. A BOOTP client dynamically obtains an IP address from a BOOTP server in the following way: 1) The BOOTP client broadcasts a BOOTP request, which contains its own MAC address. 2) The BOOTP server receives the request and searche...

Page 341: ...ys. DHCP Client Configuration Example. Network requirements: As shown in Figure 4-1, using DHCP, VLAN-interface 1 of Switch A is connected to the LAN to obtain an IP address from the DHCP server. Figure 4-1 A DHCP network (Switch A serving as a DHCP client; figure labels: WINS server, DHCP Client, DNS server, Vlan-interface1, Switch A, DHCP Server). Configuration procedure: The following describes only the configura...

Page 342: ...lient Configuration. To do / Use the command / Remarks: Display related information on a DHCP client: display dhcp client [ verbose ]. Display related information on a BOOTP client: display bootp client [ interface vlan-interface vlan-id ]. Available in any view. ...

Page 343: ... Globally 1-9; Assigning an ACL to a VLAN 1-9; Assigning an ACL to a Port Group 1-10; Assigning an ACL to a Port 1-11; Displaying and Maintaining ACL 1-11; Examples for Upper-layer Software Referencing ACLs 1-12; Example for Controlling Telnet Login Users by Source IP 1-12; Example for Controlling Web Login Users by Source IP 1-12; Examples for Applying ACLs to Hardware 1-13; Basic ACL Configuration Exampl...

Page 344: ...conditions known as rules. The conditions can be based on source addresses, destination addresses and port numbers carried in the packets. According to their application purposes, ACLs fall into the following four types: - Basic ACL: Rules are created based on source IP addresses only. - Advanced ACL: Rules are created based on the Layer 3 and Layer 4 information, such as the source and destination IP addr...

Page 345: ...ach parameter is given a fixed weighting value. This weighting value and the value of the parameter itself will jointly decide the final matching order. Involved parameters with weighting values from high to low are: icmp-type, established, dscp, tos, precedence, fragment. Comparison rules are listed below: - The smaller the weighting value left (which is a fixed weighting value minus the weighting value of ...

Page 346: ...Types of ACLs Supported by Devices: The devices support the following types of ACLs: - Basic ACLs - Advanced ACLs - Layer 2 ACLs. ACLs defined on the devices can be applied to hardware directly or referenced by upper-layer software for packet filtering. ACL Configuration. Configuring Time Range: Time ranges can be used to filter packets. You can specify a time range for each rule in an ACL. A time range b...

Page 347: ...a time range, the time range is active only when the periodic time range and the absolute time range are both matched. Assume that a time range contains an absolute time section ranging from 00:00 January 1, 2004 to 23:59 December 31, 2004, and a periodic time section ranging from 12:00 to 14:00 on every Wednesday. This time range is active only when the system time is within the range from 12:00 to 14...

Page 348: ...the basic ACL, you can modify any existent rule. The unmodified part of the rule remains. With the auto match order specified for the basic ACL, you cannot modify any existent rule; otherwise the system prompts error information. - If you do not specify the rule-id argument when creating an ACL rule, the rule will be numbered automatically. If the ACL has no rules, the rule is numbered 0; otherwise it is th...

Page 349: ...tures are determined. Configuration Procedure: Follow these steps to define an advanced ACL rule. To do / Use the command / Remarks: Enter system view: system-view. Create an advanced ACL and enter advanced ACL view: acl number acl-number match-order { auto | config }. Required; config by default. Define an ACL rule: rule rule-id { permit | deny } protocol rule-string. Required; for information about protocol and rule-string ...

Page 350: ...ng to their Layer 2 information, such as the source and destination MAC addresses, VLAN priority and Layer 2 protocol types. A Layer 2 ACL can be numbered from 4000 to 4999. Configuration Prerequisites: - To configure a time range-based Layer 2 ACL rule, you need to create the corresponding time ranges first. For information about time range configuration, refer to Configuring Time Range. - The settings to...

Page 351: ...ernetframe-4000] rule deny cos 3 source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff. Display the configuration information of ACL 4000: [device-acl-ethernetframe-4000] display acl 4000 / Ethernet frame ACL 4000, 1 rule / Acl's step is 1 / rule 0 deny cos excellent-effort source 000d-88f5-97ed ffff-ffff-ffff dest 0011-4301-991e ffff-ffff-ffff. ACL Assignment: On a device, you can assign ACLs ...

Page 352: ...L Globally. Configuration prerequisites: Before applying ACL rules to a VLAN, you need to define the related ACLs. For information about defining an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL. Configuration procedure: Follow these steps to assign an ACL globally. To do / Use the command / Remarks: Enter system view: system-view. Assign an ACL globally: packet-filter inbound a...

Page 353: ...an ACL, refer to Configuring Basic ACL, Configuring Advanced ACL, Configuring Layer 2 ACL. Configuration procedure: Follow these steps to assign an ACL to a port group. To do / Use the command / Remarks: Enter system view: system-view. Enter port group view: port-group group-id. Apply an ACL to the port group: packet-filter inbound acl-rule. Required; for description on the acl-rule argument, refer to ACL Command. Af...

Page 354: ... to ACL Command. You cannot assign an ACL to a member port of a port group. Configuration example: Apply ACL 2000 to GigabitEthernet 1/0/1 to filter the inbound packets. <device> system-view / [device] interface GigabitEthernet 1/0/1 / [device-GigabitEthernet1/0/1] packet-filter inbound ip-group 2000. Displaying and Maintaining ACL. To do / Use the command / Remarks: Display a configured ACL or all the ACLs: display ac...

Page 355: ... Define ACL 2000. <device> system-view / [device] acl number 2000 / [device-acl-basic-2000] rule 1 permit source 10.110.100.52 0 / [device-acl-basic-2000] quit. Reference ACL 2000 on VTY user interface to control Telnet login users. [device] user-interface vty 0 4 / [device-ui-vty0-4] acl 2000 inbound. Example for Controlling Web Login Users by Source IP. Network requirements: As shown in Figure 1-2, apply an ACL to permit ...

Page 356: ...ram for basic ACL configuration (figure labels: Switch, To the router, GEth1/0/1, PC1 10.1.1.1, PC2). Configuration procedure: Define a periodic time range that is active from 8:00 to 18:00 every day. <device> system-view / [device] time-range test 8:00 to 18:00 daily. Define ACL 2000 to filter packets with the source IP address of 10.1.1.1. [device] acl number 2000 / [device-acl-basic-2000] rule 1 deny source 10.1.1.1 0 time-range tes...

Page 357: ...device-acl-adv-3000] rule 1 deny ip destination 192.168.1.2 0 time-range test / [device-acl-adv-3000] quit. Apply ACL 3000 on GigabitEthernet 1/0/1. [device] interface GigabitEthernet1/0/1 / [device-GigabitEthernet1/0/1] packet-filter inbound ip-group 3000. Layer 2 ACL Configuration Example. Network requirements: As shown in Figure 1-5, PC1 and PC2 connect to Switch through GigabitEthernet 1/0/1. PC1's MAC address ...

Page 358: ... 1-6, PC1, PC2 and PC3 belong to VLAN 10 and connect to the device through GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 respectively. The IP address of the database server is 192.168.1.2. Apply an ACL to deny packets from PCs in VLAN 10 to the database server from 8:00 to 18:00 in working days. Figure 1-6 Network diagram for applying an ACL to a VLAN (figure labels: GEth1/0/1, PC1, PC3, Database ...

Page 359: ...1-16. Apply ACL 3000 to VLAN 10. [device] packet-filter vlan 10 inbound ip-group 3000 ...

Page 360: ...k List 1-13; Configuring Priority Trust Mode 1-14; Configuring Priority Mapping 1-15; Setting the Priority of Protocol Packets 1-18; Marking Packet Priority 1-19; Configuring Traffic Policing 1-20; Configuring Traffic Shaping 1-22; Configuring Traffic Redirecting 1-23; Configuring VLAN Mapping 1-25; Configuring Queue Scheduling 1-25; Collecting/Clearing Traffic Statistics 1-27; Enabling the Burst Function 1-...

Page 361: ...ii Applying a QoS Profile 2-2; Displaying and Maintaining QoS Profile 2-3; Configuration Example 2-4; QoS Profile Configuration Example 2-4 ...

Page 362: ...very. Traditional Packet Forwarding Service: In traditional IP networks, packets are treated equally. That is, the FIFO (first in first out) policy is adopted for packet processing. Network resources required for packet forwarding are determined by the order in which packets arrive. All the packets share the resources of the network. Network resources available to the packets completely depend on the time th...

Page 363: ... the specification, to protect the benefits of carriers and to prevent network resources from being abused. - Traffic shaping actively adjusts the output rate of traffic. It can enable the traffic to match the capacity of the downstream network devices, so as to prevent packets from being dropped and network congestion. - Congestion management handles resource competition during network congestion. Ge...

Page 364: ... - In RFC 2474, the ToS field in IP packet header is also known as DS field. The first six bits (bit 0 through bit 5) of the DS field indicate differentiated service codepoint (DSCP), in the range of 0 to 63, and the last two bits (bit 6 and bit 7) are reserved. Table 1-1 Description on IP precedence: IP Precedence (decimal) / IP Precedence (binary) / Description: 0 / 000 / Routine; 1 / 001 / priority; 2 / 010 / immediate; 3 / 011 / flas...

Page 365: ...00 / af12; 14 / 001110 / af13; 18 / 010010 / af21; 20 / 010100 / af22; 22 / 010110 / af23; 26 / 011010 / af31; 28 / 011100 / af32; 30 / 011110 / af33; 34 / 100010 / af41; 36 / 100100 / af42; 38 / 100110 / af43; 8 / 001000 / cs1; 16 / 010000 / cs2; 24 / 011000 / cs3; 32 / 100000 / cs4; 40 / 101000 / cs5; 48 / 110000 / cs6; 56 / 111000 / cs7; 0 / 000000 / be (default). 802.1p priority: 802.1p priority lies in Layer 2 packet headers and is applicable to occasions where the Layer 3 packet header...

Page 366: ... 1-3 Description on 802.1p priority: 802.1p priority (decimal) / 802.1p priority (binary) / Description: 0 / 000 / best effort; 1 / 001 / background; 2 / 010 / spare; 3 / 011 / excellent effort; 4 / 100 / controlled load; 5 / 101 / video; 6 / 110 / voice; 7 / 111 / network management. The precedence is called 802.1p priority because the related applications of this precedence are defined in detail in the 802.1p specifications. Priority Trust Mode ...

Page 367: ...he following packet priority: - 802.1p precedence - DSCP precedence. Trusting the 802.1p precedence: In this mode, you can specify to process the received packets in one of the following two ways: - Keeping the original packet precedence unchanged (the default mode). - Replacing the original packet precedence with the corresponding one (the automap mode). If a packet does not carry 802.1p precedence, the devi...

Page 368: ...e / Target drop precedence / Target DSCP precedence: 0 / 2 / 0 / 16; 1 / 0 / 0 / 0; 2 / 1 / 0 / 8; 3 / 3 / 0 / 24; 4 / 4 / 0 / 32; 5 / 5 / 0 / 40; 6 / 6 / 0 / 48; 7 / 7 / 0 / 56. Table 1-5 The default DSCP precedence to other precedence mapping table of the devices: DSCP precedence / Target local precedence / Target drop precedence / Target 802.1p precedence: 0 to 7 / 0 / 1 / 1; 8 to 15 / 1 / 1 / 2; 16 to 23 / 2 / 1 / 0; 24 to 31 / 3 / 1 / 3; 32 to 39 / 4 / 0 / 4; 40 to 47 / 5 / 0 / 5; 48 to 55 / 6 / 0 / 6; 56 to...

Page 369: ...congestion caused by excessive bursts. Traffic policing and traffic shaping are each a kind of traffic control policy used to limit the traffic and the resources occupied by supervising the traffic. The regulation policy is implemented according to the evaluation result, on the premise of knowing whether the traffic exceeds the specification when traffic policing or traffic shaping is performed. Normall...

Page 370: ...extra traffic. In this way, the network resources and the interests of the operators are protected. For example, you can limit HTTP packets to be within 50% of the network bandwidth. If the traffic of a certain connection is excess, traffic policing can choose to drop the packets or to reset the priority of the packets. Traffic policing is widely used in policing the traffic into the network of internet s...

Page 371: ... the traffic specification of the device B. Traffic Redirecting: Traffic redirecting identifies traffic using ACLs and redirects the matched packets to specific ports. By traffic redirecting, you can change the way in which a packet is forwarded to achieve specific purposes. VLAN Mapping: VLAN mapping identifies traffic using ACLs and maps the VLAN tags carried in matched packets to specific VLAN tags ...

Page 372: ...are queue7, queue6, queue5, queue4, queue3, queue2, queue1 and queue0. Their priorities decrease in order. In queue scheduling, SP sends packets in the queue with higher priority strictly following the priority order from high to low. When the queue with higher priority is empty, packets in the queue with lower priority are sent. You can put critical service packets into the queues with higher priority and pu...

Page 373: ...antage of WRR queue is that though the queues are scheduled in order, the service time for each queue is not fixed; that is to say, if a queue is empty, the next queue will be scheduled. In this way, the bandwidth resources are made full use of. 3) SDWRR: Compared with WRR queue, SDWRR queue further optimizes the delay and variation for different queues. For example, configure the weight value of queue0 and que...

Page 374: ...ks with equal rates are forwarded to a single link that is of the same rate as that of the incoming links. Although the burst function helps reduce the packet loss ratio and improve packet processing capability in the networks mentioned above, it may affect QoS performance, so use this function with caution. Traffic mirroring: Traffic mirroring identifies traffic using ACLs and duplicates the match...

Page 375: ...ter Ethernet port view: interface interface-type interface-number. Configure the port priority: priority priority-level. Optional; 0 by default. Follow these steps to configure to trust 802.1p precedence. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure to trust 802.1p precedence: priority trust cos automap. Required; by...

Page 376: ... and DSCP precedence to DSCP precedence mapping tables as required to mark packets with different priorities. Configuration prerequisites: The target COS precedence to other precedence, DSCP precedence to other precedence, and DSCP precedence to DSCP precedence mapping tables are determined. Configuration procedure: Follow these steps to configure the COS precedence to other precedence mapping table. To ...

Page 377: ... DSCP precedence mapping table. To do / Use the command / Remarks: Enter system view: system-view. Configure DSCP precedence to DSCP precedence mapping table: qos dscp-dscp-map dscp-list dscp-value. Required. Configuration example: - Configure the COS precedence to local precedence mapping relationship for a device as follows: 0 to 2, 1 to 3, 2 to 4, 3 to 1, 4 to 7, 5 to 0, 6 to 5, and 7 to 6. - Display the configurat...

Page 378: ...ice] qos dscp-local-precedence-map 40 41 42 43 44 45 46 47 0 / [device] qos dscp-local-precedence-map 48 49 50 51 52 53 54 55 5 / [device] qos dscp-local-precedence-map 56 57 58 59 60 61 62 63 6 / [device] display qos dscp-local-precedence-map / dscp-local-precedence-map: / dscp local-precedence queue / 0 2 / 1 2 / 2 2 / 3 2 / 4 2 / 5 2 / 6 2 / 7 2 / 8 3 / 9 3 / 10 3 / 11 3 / 12 3 / 13 3 / 14 3 / 15 3 / 16 4 / 17 4 / 18 4 / 19 4 / 20 4 / 21 4 / 22 4 / 23 4 / 24 1 ...

Page 379: ...termined. - The priority value is determined. Configuration procedure: Follow these steps to set the priority for specific protocol packets. To do / Use the command / Remarks: Enter system view: system-view. Set the priority for specific protocol packets: protocol-priority protocol-type protocol-type { ip-precedence ip-precedence | dscp dscp-value }. Required. You can modify the IP precedence or DSCP precedence of th...

Page 380: ... are defined or determined before the configuration. - The ACL rules used for traffic classification are specified. Refer to the ACL module of this manual for related information. - The type and value of the precedence to be marked for the packets matching the ACL rules are determined. Configuration procedure: You can mark priority for all the packets matching specific ACL rules, or for packets that mat...

Page 381: ...n that of the default rules used for processing protocol packets, marking priority for all the packets or packets of a VLAN may affect device management that is implemented through Telnet and so on. Configuration example: - GigabitEthernet 1/0/1 belongs to VLAN 2 and is connected to the 10.1.1.0/24 network segment. - Mark the DSCP precedence as 56 for the packets from the 10.1.1.0/24 network segment. 1...

Page 382: ...c-limit inbound acl-rule. Optional. Follow these steps to configure traffic policing for packets that are of a VLAN and match specific ACL rules. To do / Use the command / Remarks: Enter system view: system-view. Configure traffic policing: traffic-limit vlan vlan-id inbound acl-rule target-rate conform con-action exceed exceed-action meter-statistic. Required; by default, traffic policing is disabled. Clear the...

Page 383: ... policing on the packets from the 10.1.1.0/24 network segment, setting the rate to 128 kbps. - Mark the DSCP precedence as 56 for the inbound packets exceeding the rate limit. 1) Method I: <device> system-view / [device] acl number 2000 / [device-acl-basic-2000] rule permit source 10.1.1.1 0.0.0.255 / [device-acl-basic-2000] quit / [device] interface GigabitEthernet1/0/1 / [device-GigabitEthernet1/0/1] traffic-limit inbound...

Page 384: ...ith the maximum traffic rate being 640 kbps and the burst size being 16 kbytes. <device> system-view / [device] interface GigabitEthernet1/0/1 / [device-GigabitEthernet1/0/1] traffic-shape 640 16. Configuring Traffic Redirecting: Refer to Traffic Redirecting for information about traffic redirecting. Configuration prerequisites: - The ACL rules used for traffic classification are defined. Refer to the ACL module ...

Page 385: ...e interface-type interface-number. Configure traffic redirecting: traffic-redirect inbound acl-rule interface interface-type interface-number. Required. If the traffic is redirected to a Combo port in down state, the system automatically redirects the traffic to the port corresponding to the Combo port in up state. Refer to the Port Basic Configuration module of this manual for information about Combo p...

Page 386: ...uration procedure: Follow these steps to configure VLAN mapping. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Configure VLAN mapping: traffic-remark-vlanid inbound acl-rule remark-vlan vlan-id untagged-packet. Required; by default, VLAN mapping is not configured. Configuration example: - GigabitEthernet 1/0/1 belongs to VLAN...

Page 387: ... z With SDWRR queue scheduling algorithm adopted the output queues of a port can be assigned to group 1 and group 2 The two groups are scheduled using SP algorithm For example you can assign queue 0 queue 1 queue 2 and queue 3 to group 1 and assign queue 4 queue 5 queue 6 and queue 7 to group 2 The queues in group 2 are scheduled preferentially using WRR queue scheduling algorithm Queues in group ...

Page 388: ...on about traffic accounting Configuration prerequisites The ACL rules for traffic classification are defined Refer to the ACL module of this manual for information about defining ACL rules Configuration procedure You can collect traffic statistics or clear traffic statistics on all the packets matching specific ACL rules or on packets that match specific ACL rules and are of a VLAN of a port group...

Page 389: ...teps to collect traffic statistics on packets passing a port and matching specific ACL rules To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Collect the statistics on the packets matching specific ACL rules traffic statistic inbound acl rule Required Clear the statistics on the packets matching specific ACL rules reset ...

Page 390: ...ut the burst function Configuration prerequisites The burst function is required Configuration procedure Follow these steps to enable the burst function To do Use the command Remarks Enter system view system view Enable the burst function burst mode enable Required By default the burst function is disabled Configuration example Enable the burst function on the devices Configuration procedure devi...

Page 391: ...LAN To do Use the command Remarks Enter system view system view Enter Ethernet port view of the destination port interface interface type interface number Define the current port as the destination port monitor port Required Exit current view quit Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match mirrored to vlan vlan id inbound acl rule monitor inte...

Page 392: ...s of a VLAN may affect device management that is implemented through Telnet and so on Configuration example Network requirements z GigabitEthernet 1 0 1 is connected to the 10 1 1 0 24 network segment z Duplicate the packets from network segment 10 1 1 0 24 to the destination mirroring port GigabitEthernet 1 0 4 1 Method I device system view device acl number 2000 device acl basic 2000 rule permit...

Page 393: ...ce map Display queue scheduling algorithm and related parameters display queue scheduler Display the QoS related configuration of a port or all the ports display qos interface interface type interface number unit id all Display the priority trust mode of a port or all the ports display qos interface interface type interface number unit id priority trust Display traffic shaping configuration of a p...

Page 394: ... accounting performed for packets of a port group display qos port group group id all mirrored to traffic limit traffic priority traffic redirect traffic statistic QoS Configuration Example Configuration Example of Traffic Policing Network requirement As shown in Figure 1 9 an enterprise network connects all the departments through a device PC1 with the IP address 192 168 0 1 belongs to the R D de...

Page 395: ...ets sourced from the 192 168 2 0 24 network segment device acl number 2001 device acl basic 2001 rule permit source 192 168 2 0 0 0 0 255 device acl basic 2001 quit 2 Configure traffic policing Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps device traffic limit vlan 2 inbound ip group 2001 64 exceed drop Set the maximum rate of outbound IP packets sour...

Page 396: ...ile mapping table is required on the AAA server For a device operating in this mode after a user passes the 802 1x authentication the device looks up the user name to QoS profile mapping table for the QoS profile using the user name and then applies the QoS profile found to the port the user is connected to Corresponding to the 802 1x authentication modes dynamic QoS profile application can be use...

Page 397: ...e traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action meter statistic Optional Configure packet filtering packet filter inbound acl rule Optional Refer to the ACL module of this manual for information about packet filtering Configure priority marking traffic priority inbound acl rule dscp dscp value cos cos value Optional Applying a QoS Profile You c...

Page 398: ...ased z If the 802 1x authentication mode is port based the mode to apply a QoS profile must be configured as port based Follow these steps to apply a QoS profile manually To do Use the command Remarks Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port view interface interface type interface number Apply a QoS profile to specific...

Page 399: ...p between the user name and the QoS profile Refer to the user manual of the AAA server for detailed configuration 2 Configuration on the switch Configure IP addresses for the RADIUS server device system view device radius scheme radius1 device radius radius1 primary authentication 10 11 1 1 device radius radius1 primary accounting 10 11 1 2 device radius radius1 secondary authentication 10 11 1 2 ...

Page 400: ... device acl adv 3000 quit Define a QoS profile named example to limit the rate of matched packets to 128 kbps and configuring to drop the packets exceeding the target packet rate device qos profile example device qos profile example traffic limit inbound ip group 3000 128 exceed drop Enable 802 1x device dot1x device dot1x interface GigabitEthernet1 0 1 After the configuration the QoS profile name...

Page 401: ...roring 1 3 Mirroring Configuration 1 4 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 5 Configuring MAC Based Mirroring 1 7 Configuring VLAN Based Mirroring 1 8 Displaying and Maintaining Port Mirroring 1 9 Mirroring Configuration Example 1 9 Local Port Mirroring Configuration Example 1 9 Remote Port Mirroring Configuration Example 1 10 ...

Page 402: ...ection device Network Source port Destination port The device supports four kinds of port mirroring z Local port mirroring a device copies packets passing through one or more source ports of the device to the destination port z Remote port mirroring implements port mirroring through the remote source mirroring group and remote destination mirroring group The device copies the packets of the source...

Page 403: ...tch on the destination switch Figure 1 2 illustrates the implementation of remote port mirroring Figure 1 2 Remote port mirroring application Reflector port Source Port Trunk port Destination port Remote probe VLAN Intermediate Switch Source Switch Destination Switch The switches involved in the remote port mirroring implementation play the following three roles z Source switch The monitored port ...

Page 404: ...vices in the remote probe VLAN as trunk ports and ensure the Layer 2 connectivity from the source switch to the destination switch over the remote probe VLAN z Do not configure a Layer 3 interface for the remote probe VLAN run other protocol packets or carry other service packets on the remote probe VLAN and do not use the remote probe VLAN as the voice VLAN and protocol VLAN otherwise remote port...

Page 405: ...e number mirroring group group id mirroring port both inbound outbound Configure the source port for the port mirroring group In port view quit Use either approach You can configure multiple source ports at a time in system view or you can configure the source port in specific port view The configurations in the two views have the same effect In system view mirroring group group id monitor port mo...

Page 406: ...be VLAN remote probe vlan enable Required Return to system view quit Enter the view of the Ethernet port that connects to the intermediate switch or destination switch interface interface type interface number Configure the current port as trunk port port link type trunk Required By default the port type is Access Configure the trunk port to permit packets from the remote probe VLAN port trunk per...

Page 407: ...intermediate switch 1 Configuration prerequisites z The trunk ports and the remote probe VLAN are determined z Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN 2 Configuration procedure Follow these steps to configure the intermediate switch To do Use the command Remarks Enter system view system view Create a VLAN and enter VLAN view vlan vlan ...

Page 408: ...onfigure the destination port for the remote destination mirroring group mirroring group group id monitor port monitor port Required Configure the remote probe VLAN for the remote destination mirroring group mirroring group group id remote probe vlan remote probe vlan id Required When configuring a destination switch note that z The destination port of remote port mirroring cannot be a member port...

Page 409: ... destination port on the source switch when configuring MAC based remote mirroring Configuration example Configure MAC based mirroring to mirror packets whose source destination MAC addresses match 000f e20f 0101 to port GigabitEthernet 1 0 2 on the local device Configuration procedure device system view device mac address static 000f e20f 0101 interface Gigabitethernet 1 0 1 vlan 2 device mirrori...

Page 410: ... system view device mirroring group 1 local device mirroring group 1 mirroring vlan 2 inbound device mirroring group 1 monitor port GigabitEthernet 1 0 2 Displaying and Maintaining Port Mirroring To do Use the command Remarks Display the information of a mirroring group display mirroring group group id all local remote destination remote source Available in any view Mirroring Configuration Example...

Page 411: ...the local mirroring group device mirroring group 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 both device mirroring group 1 monitor port GigabitEthernet 1 0 3 Display configuration information about local mirroring group 1 device display mirroring group 1 mirroring group 1 type local status active mirroring port GigabitEthernet1 0 1 both GigabitEthernet1 0 2 both mirroring mac mirr...

Page 412: ...ort GigabitEthernet 1 0 4 as the reflector port z On Switch B configure VLAN 10 as the remote probe VLAN z Configure GigabitEthernet 1 0 3 of Switch A GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of Switch B and GigabitEthernet 1 0 1 of Switch C as trunk ports allowing packets of VLAN 10 to pass z On Switch C create a remote destination mirroring group configure VLAN 10 as the remote probe VLAN...

Page 413: ... remote probe vlan 10 2 Configure the intermediate switch Switch B Configure VLAN 10 as the remote probe VLAN device system view device vlan 10 device vlan10 remote probe vlan enable device vlan10 quit Configure GigabitEthernet 1 0 1 as the trunk port allowing packets of VLAN 10 to pass device interface GigabitEthernet 1 0 1 device GigabitEthernet1 0 1 port link type trunk device GigabitEthernet1 ...

Page 414: ... interface GigabitEthernet 1 0 1 device GigabitEthernet1 0 1 port link type trunk device GigabitEthernet1 0 1 port trunk permit vlan 10 device GigabitEthernet1 0 1 quit Display configuration information about remote destination mirroring group 1 device display mirroring group 1 mirroring group 1 type remote destination status active monitor port GigabitEthernet1 0 2 remote probe vlan 10 After the ...

Page 415: ...oduction to ARP Attack Detection 1 4 Introduction to Gratuitous ARP 1 5 Configuring ARP 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring Gratuitous ARP 1 7 Displaying and Maintaining ARP 1 8 ARP Configuration Example 1 8 ARP Basic Configuration Example 1 8 ARP Attack Detection Configuration Example 1 8 ...

Page 416: ...to a destination host the device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address Unless otherwise stated a data link layer address in this chapter refers to a 48 bit Ethernet MAC address ARP Message Format ARP messages are classified as ARP request messag...

Page 417: ...to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the type of a data packet which can be z 1 ARP request packets z 2 ARP reply packets z 3 RARP request packets z 4 RARP re...

Page 418: ...t IP address 192 168 1 1 Target IP address 192 168 1 2 Host A 192 168 1 1 0002 6779 0f4c Host B 192 168 1 2 00a0 2470 febd Target MAC address 0000 0000 0000 Sender IP address 192 168 1 1 Sender IP address 192 168 1 2 Sender MAC address Target MAC address 0002 6779 0f4c 0002 6779 0f4c Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B The resolution proc...

Page 419: ...ssible In Figure 1 3 Host A communicates with Host C through Switch To intercept the traffic between Host A and Host C the hacker Host B forwards invalid ARP reply messages to Host A and Host C respectively causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B Then the traffic between Host A and C will pass through H...

Page 420: ...e MAC address carried in it is the local MAC address z If a device finds that the IP addresses carried in a received gratuitous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine whether or not IP address conflicts exist between it and other network devices ...

Page 421: ... configured on the ports of an aggregation group Configuring ARP Attack Detection Follow these steps to configure the ARP attack detection function To do Use the command Remarks Enter system view system view Enable DHCP snooping dhcp snooping Required By default the DHCP snooping function is disabled Enter Ethernet port view interface interface type interface number Specify the current port as a t...

Page 422: ... restricted forwarding make sure you enable ARP attack detection and configure ARP trusted ports z It is not recommended to configure ARP attack detection on the ports of an aggregation group Configuring Gratuitous ARP Follow these steps to configure the gratuitous ARP To do Use the command Remarks Enter system view system view Enable the gratuitous ARP packet learning function gratuitous arp le...

Page 423: ...ation Example Network requirement z Disable ARP entry check on the device z Set the aging time for dynamic ARP entries to 10 minutes z Add a static ARP entry with the IP address being 192 168 1 1 the MAC address being 000f e201 0000 and the outbound port being GigabitEthernet 1 0 10 of VLAN 1 Configuration procedure device system view device undo arp check enable device arp timer aging 10 device a...

Page 424: ...ystem view SwitchA dhcp snooping Specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port and the ARP trusted port SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA GigabitEthernet1 0 1 arp detection trust SwitchA GigabitEthernet1 0 1 quit Enable ARP attack detection on all ports in VLAN 1 SwitchA vlan 1 SwitchA vlan1 arp detection enable ...

Page 425: ...onfiguring Basic Trap 1 5 Configuring Extended Trap 1 6 Enabling Logging for Network Management 1 7 Displaying and Maintaining SNMP 1 7 SNMP Configuration Examples 1 7 SNMP Configuration Examples 1 7 2 RMON Configuration 2 1 Introduction to RMON 2 1 Working Mechanism of RMON 2 1 Commonly Used RMON Groups 2 2 RMON Configuration 2 3 Displaying and Maintaining RMON 2 4 RMON Configuration Examples 2 4...

Page 426: ...is implemented by two components namely network management station NMS and agent z An NMS can be a workstation running client program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and so on z Agent is server side software running on network devices An NMS can send GetRequest GetNextRequest and SetRequest messages to the agents Upon receiving ...

Page 427: ...ts a hierarchical naming scheme to organize the managed objects It is like a tree with each tree node representing a managed object as shown in Figure 1 1 Each node in this tree can be uniquely identified by a path starting from the root Figure 1 1 Architecture of the MIB tree A 2 6 1 5 2 1 1 2 1 B The management information base MIB describes the hierarchical architecture of the tree and it is th...

Page 428: ... SNMPv2c Follow these steps to configure basic SNMP functions for SNMPv1 or SNMPv2c To do Use the command Remarks Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent Set system information and specify to enable SNMPv1 or SNMPv2c on the device snmp agent sys in...

Page 429: ...cal engineid engineid Optional By default the device engine ID is enterprise number device information Create Update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Configuring basic SNMP functions for SNMPv3 The device now supports the Advanced Encryption Standard AES for SNMPv3 to provide ...

Page 430: ...d Optional By default the device engine ID is enterprise number device information Create or update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 The device provides the following functions to prevent attacks through unused UDP ports z Executing the snmp agent command or any of the command...

Page 431: ...ue used to hold the Traps to be sent to the destination host snmp agent trap queue size size Optional The default is 100 Set the aging time for Trap messages snmp agent trap life seconds Optional 120 seconds by default Configuring Extended Trap The extended Trap includes the following z Interface description and interface type are added into the linkUp linkDown Trap message When receiving this ext...

Page 432: ...y the engine ID of the current device display snmp agent local engineid remote engineid Display group information about the device display snmp agent group group name Display SNMP user information display snmp agent usm user engineid engineid username user name group group name Display Trap list information display snmp agent trap list Display the currently configured community name display snmp a...

Page 433: ...ntication and encryption z authentication protocol to HMAC MD5 z authentication password to passmd5 z encryption protocol to AES z encryption password to cfb128cfb128 device snmp agent group v3 managev3group privacy write view internet device snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode aes128 cfb128cfb128 Set the VLAN interface 2 as the interface ...

Page 434: ... and choose the security level in For each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can query and configure the device through the NMS For more information refer to the corresponding manuals of network management products Authentication related configur...

Page 435: ...ing the management of large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system operates in this way the NMS directly obtains management information from the RMON probes and controls the network resources In this case all information in the RMON MIB can be obtained z Embeddin...

Page 436: ...ed alarm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm functions With an extended alarm entry defined in an extended alarm group the network devices perform the following operations accordingly z Sampling the alarm variables referenced in the defined extended alarm expressions periodi...

Page 437: ...shold threshold value2 event entry2 owner text Optional Before adding an alarm entry you need to use the rmon event command to define the event to be referenced by the alarm entry Add an extended alarm entry rmon prialarm entry number prialarm formula prialarm des sampling timer delta absolute changeratio rising_threshold threshold value1 event entry1 falling_threshold threshold value2 event entry...

Page 438: ...change rate of which exceeds the set threshold the alarm events will be triggered Figure 2 1 Network diagram for RMON configuration Console port Switch Internet Network port NMS Configuration procedures Add the statistics entry numbered 1 to take statistics on GigabitEthernet 1 0 1 device system view device interface GigabitEthernet 1 0 1 device GigabitEthernet1 0 1 rmon statistics 1 device Gigabi...

Page 439: ... alarm entry numbered 2 device display rmon prialarm 2 Prialarm table 2 owned by user1 is VALID Samples type changeratio Variable formula 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 Description test Sampling interval 10 sec Rising threshold 100 linked with event 1 Falling threshold 10 linked with event 2 When startup enables risingOrFallingAlarm This entry will exist forever Latest value 0 ...

Page 440: ...the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filter 2 7 Configuring the Maximum Number of Multicast Groups on a Port 2 8 Configuring IGMP Querier 2 9 Suppressing Flooding of Unknown Multicast Traffic in a VLAN 2 10 Configuring Static Member Port for a Multicast Group 2 10 Configuring a Static Router Port 2 11 Configurin...

Page 441: ...andwidth and time critical services such as e commerce Web conference online auction video on demand VoD and tele education have come into being These services have higher requirements for information security legal use of paid services and network bandwidth In the network packets are sent in three modes unicast broadcast and multicast The following sections describe and compare data interaction p...

Page 442: ...users that receive this information when a large number of users need this information the server must send many pieces of information with the same content to the users Therefore the limited bandwidth becomes the bottleneck in information transmission This shows that unicast is not good for the transmission of a great deal of information Information Transmission in the Broadcast Mode When you ado...

Page 443: ...tly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occupies large bandwidth Information Transmission in the Multicast Mode As described in the previous sections unicast is suitable for networks with sparsely distributed users whereas broadcast is suitable for networks with densely distributed users When the number of users requiring informat...

Page 444: ...not add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no waste of network resources and makes proper use of bandwidth Roles in Multicast The following roles are involved in multicast transmission z An information sender is referred to as a multicast source...

Page 445: ...pplications of Multicast Advantages of multicast Advantages of multicast include z Enhanced efficiency Multicast decreases network traffic and reduces server load and CPU load z Optimal performance Multicast reduces redundant traffic z Distributive application Multicast makes multiple point application possible Application of multicast The multicast technology effectively addresses the issue of po...

Page 446: ...the SSM model uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast sources Multicast Architecture The purpose of IP multicast is to transmit information from a multicast source to receivers in the multicast mode and to satisfy information requirements of receivers You shoul...

Page 447: ...ss All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the receivers All the members in this group can receive the data packets This group is a multicast group A multicast group has the following characteristics z The membership of a group is dynamic A host can join and leave a multicast group at any time z A multicast group ...

Page 448: ...server relay agent 224 0 0 13 All protocol independent multicast PIM routers 224 0 0 14 Resource reservation protocol RSVP encapsulation 224 0 0 15 All core based tree CBT routers 224 0 0 16 The specified subnetwork bandwidth management SBM 224 0 0 17 All SBMS 224 0 0 18 Virtual router redundancy protocol VRRP 224 0 0 19 to 224 0 0 255 Other protocols Like having reserved the private network segme...

Page 449: ...address Thus five bits of the multicast IP address are lost As a result 32 IP multicast addresses are mapped to the same MAC address Multicast Protocols z Generally we refer to IP multicast working at the network layer as Layer 3 multicast and the corresponding multicast protocols as Layer 3 multicast protocols which include IGMP PIM and MSDP we refer to IP multicast working at the data link layer...

Page 450: ...n routes z An intra domain multicast routing protocol is used to discover multicast sources and build multicast distribution trees within an autonomous system AS so as to deliver multicast data to receivers Among a variety of mature intra domain multicast routing protocols protocol independent multicast PIM is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often ...

Page 451: ...twork multicast packet transmission is based on the guidance of the multicast forwarding table derived from the unicast routing table or the multicast routing table specially provided for multicast z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incom...

Page 452: ...l the outgoing interfaces z If the interface on which the packet actually arrived is not the RPF interface the RPF check fails and the router discards the packet RPF Check The basis for an RPF check is a unicast route A unicast routing table contains the shortest path to each destination subnet A multicast routing protocol does not independently maintain any type of unicast route instead it relies...

Page 453: ... that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives at VLAN interface 2 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C The router performs an RPF check and finds in its unicast routing table that the outgoing interfa...

Page 454: ...Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Figure 2 1 Before and after IGMP Snooping is enabled on Layer 2 device Multicast packet transmission without IGMP Snooping Source Multicast router Host A Receiver Host B Host C Receiver Multicast packets Layer2 switch Multicas...

Page 455: ... 0 2 of Switch B are member ports A device records all member ports on the local device in the IGMP Snooping forwarding table Port aging timers in IGMP Snooping and related messages and actions Table 2 1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router port the device sets a timer...

Page 456: ...arding table the device resets the member port aging timer of the port z If the port is not in the forwarding table the device installs an entry for this port in the forwarding table and starts the member port aging timer of this port A device will not forward an IGMP report through a non router port for the following reason Due to the IGMP report suppression mechanism if member hosts of that mult...

Page 457: ...imer expires as a response to the IGMP group specific query this means that no members of that multicast group still exist under the port the device deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires After a device enables IGMP Snooping when it receives the IGMP leave message sent by a host in a multicast group it judges whether the multic...

Page 458: ...ueries are likely to fail to pass the VLAN You can solve this problem by configuring VLAN tags for queries For details see Configuring a VLAN Tag for Query Messages Configuring the Version of IGMP Snooping With the development of multicast technologies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive...

Page 459: ...nfigure the query response timer igmp snooping max response time seconds Optional By default the query response timeout time is 10 seconds Configure the aging timer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast member ports is 260 seconds Configuring Fast Leave Processing With fast leave processing enabled when the device receive...

Page 460: ...to the specified VLAN s z If fast leave processing and unknown multicast packet dropping are enabled on a port to which more than one host is connected when one host leaves a multicast group the other hosts connected to port and interested in the same multicast group will fail to receive multicast data for that group Configuring a Multicast Group Filter On an IGMP Snooping enabled device the confi...

Page 461: ...LAN on a port z If no ACL rule is configured all the multicast groups will be filtered z Since most devices broadcast unknown multicast packets by default this function is often used together with the function of dropping unknown multicast packets to prevent multicast streams from being broadcast as unknown multicast packets to a port blocked by this function z The configuration performed in syste...

Page 462: ...uring IGMP Querier In an IP multicast network running IGMP a multicast router or Layer 3 multicast device is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 device is called IGMP querier However a Layer 2 multicast device...

Page 463: ...h the unknown multicast flooding suppression function enabled when receiving a multicast packet for an unknown multicast group an IGMP Snooping device creates a nonflooding entry and relays the packet to router ports only instead of flooding the packet within the VLAN If the device has no router ports it drops the multicast packet Follow these steps to suppress flooding of unknown multicast traffi...

Page 464: ...rface interface-number. Configure specified port(s) as static member port(s) of a multicast group in the VLAN: multicast static-group group-address interface interface-list. Required. By default, no port is configured as a static multicast group member port. Configuring a Static Router Port: In a network where the topology is unlikely to change, you can configure a port on the device as a static router port...

Page 465: ...affic. Through this configuration, the following functions can be implemented: • When an Ethernet port is configured as a simulated member host, the device sends an IGMP report through this port. Meanwhile, the device sends the same IGMP report to itself and establishes a corresponding IGMP entry based on this report. • When receiving an IGMP general query, the simulated host responds with an IGMP report...

Page 466: ...igure a VLAN tag for query messages: igmp-snooping vlan-mapping vlan vlan-id. Required. By default, no VLAN tag is configured for general and group-specific query messages sent or forwarded by IGMP Snooping. Configuring Multicast VLAN: In traditional multicast implementations, when users in different VLANs listen to the same multicast group, the multicast data is copied on the multicast router for each VL...

Page 467: ...Enable IGMP Snooping: igmp-snooping enable. Enter VLAN view: vlan vlan-id. Enable IGMP Snooping: igmp-snooping enable. Required. Enable multicast VLAN: service-type multicast. Required. Return to system view: quit. Enter Ethernet port view (for the Layer 3 device): interface interface-type interface-number. Define the port as a trunk or hybrid port: port link-type { trunk | hybrid }. Required. port hybrid vlan vlan-list...

Page 468: ...ooping. To do / Use the command / Remarks: Display the current IGMP Snooping configuration: display igmp-snooping configuration. Display IGMP Snooping message statistics: display igmp-snooping statistics. Display the information about IP and MAC multicast groups in one or all VLANs: display igmp-snooping group vlan vlanid. Available in any view. Clear IGMP Snooping statistics: reset igmp-snooping statistics. Ava...

Page 469: ...A] multicast routing-enable; [RouterA] interface GigabitEthernet 1/0/1; [RouterA-GigabitEthernet1/0/1] igmp enable; [RouterA-GigabitEthernet1/0/1] quit; [RouterA] interface GigabitEthernet 1/0/2; [RouterA-GigabitEthernet1/0/2] pim dm; [RouterA-GigabitEthernet1/0/2] quit. 3) Configure Switch A. Enable IGMP Snooping globally: <SwitchA> system-view; [SwitchA] igmp-snooping enable; Enable IGMP-Snooping ok. Create VLAN 100, assign G...

Page 470: ...Layer 2 device Switch B forwards the multicast data to the end users Host A and Host B. Table 2-2 describes the network devices involved in this example and the configurations you should make on them. Table 2-2 Network devices and their configurations: Device / Device description / Networking description. Switch A: Layer 3 device. The interface IP address of VLAN 20 is 168.10.1.1; GigabitEthernet 1/0/1 is c...

Page 471: ...rt GigabitEthernet 1/0/1; [SwitchA-vlan20] quit; [SwitchA] interface Vlan-interface 20; [SwitchA-Vlan-interface20] ip address 168.10.1.1 255.255.255.0; [SwitchA-Vlan-interface20] pim dm; [SwitchA-Vlan-interface20] quit. Configure VLAN 10: [SwitchA] vlan 10; [SwitchA-vlan10] quit. Define GigabitEthernet 1/0/10 as a hybrid port, add the port to VLAN 10, and configure the port to forward tagged packets for VLAN 10: [SwitchA] in...

Page 472: ...0, configure the port to forward untagged packets for VLAN 3 and VLAN 10, and set VLAN 3 as the default VLAN of the port: [SwitchB] interface GigabitEthernet 1/0/2; [SwitchB-GigabitEthernet1/0/2] port link-type hybrid; [SwitchB-GigabitEthernet1/0/2] port hybrid vlan 3 10 untagged; [SwitchB-GigabitEthernet1/0/2] port hybrid pvid vlan 3; [SwitchB-GigabitEthernet1/0/2] quit. Troubleshooting IGMP Snooping. Symptom: Multi...

Page 473: ...ss argument must be a multicast MAC address. Follow these steps to configure a multicast MAC address entry in Ethernet port view. To do / Use the command / Remarks: Enter system view: system-view. Enter Ethernet port view: interface interface-type interface-number. Create a multicast MAC address entry: mac-address multicast mac-address vlan vlan-id. Required. The mac-address argument must be a multicast MAC add...

Page 474: ...ocessing efficiency of the system is improved. Follow these steps to configure dropping unknown multicast packets. To do / Use the command / Remarks: Enter system view: system-view. Configure dropping unknown multicast packets: unknown-multicast drop enable. Required. By default, the function of dropping unknown multicast packets is disabled. Displaying and Maintaining Common Multicast Configuration. To do / Use th...

Page 475: ...guration Procedure 1-10; Configuring NTP Authentication 1-10; Configuration Prerequisites 1-11; Configuration Procedure 1-11; Configuring Optional NTP Parameters 1-13; Configuring an Interface on the Local Device to Send NTP Messages 1-13; Configuring the Number of Dynamic Sessions Allowed on the Local Device 1-14; Disabling an Interface from Receiving NTP Messages 1-14; Displaying and Maintaining NTP Con...

Page 476: ...distributed time servers and clients. Carried over UDP, NTP transmits packets through UDP port 123. NTP is intended for time synchronization between all devices that have clocks in a network, so that the clocks of all devices can keep consistent. Thus the devices can provide multiple unified time-based applications. See Applications of NTP. A local system running NTP can not only be synchronized by othe...

Page 477: ...packets in unicast, multicast or broadcast mode. • The clock stratum determines the accuracy, which ranges from 1 to 16. The stratum of a reference clock ranges from 1 to 15. The clock accuracy decreases as the stratum number increases. A stratum 16 clock is in the unsynchronized state and cannot serve as a reference clock. • The local clock of the device cannot be set as a reference clock. It can serve...

Page 478: ...the NTP message leaves Device B, Device B inserts its own timestamp, 11:00:02 am (T3), into the packet. • When receiving the response packet, Device A inserts a new timestamp, 10:00:03 am (T4), into it. At this time, Device A has enough information to calculate the following two parameters: • Delay for an NTP message to make a round trip between Device A and Device B: Delay = (T4 - T1) - (T3 - T2). • Time offset of Device A r...

Page 479: ...ice serves as the symmetric active peer and sends the clock synchronization request first, while the remote server serves as the symmetric passive peer automatically. If both of the peers have reference clocks, the one with a smaller stratum number is adopted. Broadcast mode. Figure 1-4 Broadcast mode: Client; Broadcast clock synchronization packets periodically; Network; Server; Initiates a client/server mode...

Page 480: ...e serves as the symmetric active peer. Broadcast mode: • Configure the local device to work in NTP broadcast server mode. In this mode, the local device broadcasts NTP messages through the VLAN interface configured on the device. • Configure the device to work in NTP broadcast client mode. In this mode, the local device receives broadcast NTP messages through the VLAN interface configured on the device. M...

Page 481: ...the device provides the following functions: • UDP port 123 is opened only when the NTP feature is enabled. • UDP port 123 is closed as the NTP feature is disabled. These functions are implemented as follows: • Execution of one of the ntp-service unicast-server, ntp-service unicast-peer, ntp-service broadcast-client, ntp-service broadcast-server, ntp-service multicast-client and ntp-service multicast-ser...

Page 482: ...primary IP address of the specified interface. • The device can act as a server to synchronize the clock of other devices only after its clock has been synchronized. If the clock of a server has a stratum level lower than or equal to that of a client's clock, the client will not synchronize its clock to the server's. • You can configure multiple servers by repeating the ntp-service unicast-server com...

Page 483: ...first; otherwise, the clock synchronization will not proceed. • You can configure multiple symmetric passive peers for the local device by repeating the ntp-service unicast-peer command. The clock of the peer with the smallest stratum will be chosen to synchronize with the local clock of the device. Configuring NTP Broadcast Mode: For devices working in the broadcast mode, you need to configure both the...

Page 484: ...a multicast client. • A multicast server can synchronize multicast clients only after its clock has been synchronized. • The device working in the multicast server mode supports up to 1,024 multicast clients. Configuring the device to work in the multicast server mode. To do / Use the command / Remarks: Enter system view: system-view. Enter VLAN interface view: interface Vlan-interface vlan-id. Configure the d...

Page 485: ...s the local device to synchronize its clock to the peer device. From the highest NTP service access control right to the lowest one are peer, server, synchronization and query. When a device receives an NTP request, it performs an access control right match in this order and uses the first matched right. Configuration Prerequisites: Prior to configuring the NTP service access control right to the loca...

Page 486: ...nabled on the server, assuming that other related configurations are properly performed. • For the NTP authentication function to take effect, a trusted key needs to be configured on both the client and server after NTP authentication is enabled on them. • The local clock of the client is only synchronized to the server that provides a trusted key. • In addition, for the server/client mode and the s...

Page 487: ...hentication keys must be trusted keys. Otherwise, the clock of the client cannot be synchronized with that of the server. • In NTP server mode and NTP peer mode, you need to associate the specified key with the corresponding NTP server (symmetric active peer) on the client (symmetric passive peer). In these two modes, multiple NTP servers (symmetric active peers) may be configured for a client (passive peer), an...

Page 488: ...t on the client. Besides, the client and the server must be configured with the same authentication key. Configuring Optional NTP Parameters: Complete the following tasks to configure optional NTP parameters. Task / Remarks: Configuring an Interface on the Local Device to Send NTP Messages: Optional. Configuring the Number of Dynamic Sessions Allowed on the Local Device: Optional. Disabling an Interface from...

Page 489: ...e from receiving NTP messages: ntp-service in-interface disable. Required. By default, a VLAN interface receives NTP messages. Displaying and Maintaining NTP Configuration. To do / Use the command / Remarks: Display the status of NTP services: display ntp-service status. Display the information about the sessions maintained by NTP: display ntp-service sessions verbose. Display the brief information about NTP ser...

Page 490: ...ceB] ntp-service unicast-server 1.0.1.11. After the above configurations, Device B is synchronized to Device A. View the NTP status of Device B: [DeviceB] display ntp-service status; Clock status: synchronized; Clock stratum: 3; Reference clock ID: 1.0.1.11; Nominal frequency: 60.0002 Hz; Actual frequency: 60.0002 Hz; Clock precision: 2^18; Clock offset: 0.66 ms; Root delay: 27.47 ms; Root dispersion: 208.39 ms; Peer dispe...

Page 491: ...Device A, Device B, Device C: 3.0.1.31/24, 3.0.1.32/24, 3.0.1.33/24. Configuration procedure: 1) Configure Device C. Set Device A as the NTP server: <DeviceC> system-view; [DeviceC] ntp-service unicast-server 3.0.1.31. 2) Configure Device B (after Device C is synchronized to Device A). Enter system view: <DeviceB> system-view. Set Device C as the peer of Device B: [DeviceB] ntp-service unicast-peer 3.0.1.33. Device C and...

Page 492: ...offset delay disper; [1234] 3.0.1.32 LOCL 1 95 64 42 14.3 12.9 2.7; [25] 3.0.1.31 127.127.1.0 2 1 64 1 4408.6 38.7 0.0; note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured; Total associations: 2. Configuring NTP Broadcast Mode. Network requirements: • As shown in Figure 1-8, the local clock of Device C is set as the NTP master clock with a stratum level of 2. Configure Device C to work in the...

Page 493: ...Device D is synchronized to Device C after receiving broadcast messages from Device C. View the NTP status of Device D after the clock synchronization: [DeviceD] display ntp-service status; Clock status: synchronized; Clock stratum: 3; Reference clock ID: 3.0.1.31; Nominal frequency: 60.0002 Hz; Actual frequency: 60.0002 Hz; Clock precision: 2^18; Clock offset: 198.7425 ms; Root delay: 27.47 ms; Root dispersion: 208.39...

Page 494: ...s a multicast server to send multicast messages through Vlan-interface2: [DeviceC] interface Vlan-interface 2; [DeviceC-Vlan-interface2] ntp-service multicast-server. 2) Configure Device A (perform the same configuration on Device D). Enter system view: <DeviceA> system-view. Set Device A as a multicast client to listen to multicast messages through Vlan-interface2: [DeviceA] interface Vlan-interface 2; [DeviceA-Vlan...

Page 495: ...2 1 64 377 26.1 199.53 9.7; note: 1 source(master), 2 source(peer), 3 selected, 4 candidate, 5 configured; Total associations: 1. Configuring NTP Server/Client Mode with Authentication. Network requirements: • As shown in Figure 1-10, the local clock of Device A is set as the NTP master clock with a clock stratum level of 2. • Device B is a WX3000 series device and uses Device A as the NTP server. Device B is se...

Page 496: ...ify the key 42 as a trusted key: [DeviceA] ntp-service reliable authentication-keyid 42. After the above configurations, the clock of Device B can be synchronized to that of Device A. View the status of Device B after synchronization: [DeviceB] display ntp-service status; Clock status: synchronized; Clock stratum: 3; Reference clock ID: 1.0.1.11; Nominal frequency: 60.0002 Hz; Actual frequency: 60.0002 Hz; Clock prec...

Page 497: ...ing a Source IP Address/Interface for the SSH Server 1-11; Configuring the SSH Client 1-12; SSH Client Configuration Tasks 1-12; Configuring the SSH Client Using an SSH Client Software 1-12; Configuring the SSH Client on an SSH2-Capable Device 1-19; Specifying a Source IP Address/Interface for the SSH Client 1-21; Displaying and Maintaining SSH Configuration 1-21; SSH Configuration Examples 1-22; When the...

Page 498: ...an SSH client or an SSH server. In the former case, the device establishes a remote SSH connection to an SSH server. In the latter case, the device provides connections to multiple clients. Furthermore, SSH can also provide data compression to increase transmission speed, take the place of Telnet, or provide a secure channel for FTP. • Currently, the device that serves as an SSH server supports two SSH ver...

Page 499: ...e data to user 2. User 2 verifies the signature using the public key of user 1. If the signature is correct, this means that the data originates from user 1. Both the Rivest-Shamir-Adleman Algorithm (RSA) and the Digital Signature Algorithm (DSA) are asymmetric key algorithms. RSA is used for data encryption and signature, whereas DSA is used for adding signatures only. Currently, SSH supports both RSA and DSA. SSH Operatin...

Page 500: ...algorithm negotiation packets to each other, which contain the public key algorithm list supported by the server and the client, the encryption algorithm list, the message authentication code (MAC) algorithm list, and the compression algorithm list. • The server and the client calculate the final algorithm according to the algorithm lists supported. • The server and the client generate the session key and session ID based...

Page 501: ...rm the success or failure of the authentication. Session request: After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends b...

Page 502: ...cation; Configuring the SSH server; Specifying a Source IP Address/Interface for the SSH Server: Optional. Configuring the Protocol Support for the User Interface: You must configure the supported protocol(s) for SSH remote login. Note that the configuration does not take effect immediately, but will be effective for subsequent login requests. Follow these steps to configure the protocol(s) that a user inte...

Page 503: ...do / Use the command / Remarks: Enter system view: system-view. Generate an RSA key pair: rsa local-key-pair create, or public-key local create rsa. Required. Use either command. By default, no RSA key pair is created. Destroy the RSA key pair: rsa local-key-pair destroy, or public-key local destroy rsa. Optional. Use either command to destroy the configured RSA key pair. Generate a DSA key pair: public-key local create d...

Page 504: ...A public key format can be SSH1, SSH2 or OpenSSH. Creating an SSH User and Specifying an Authentication Type: This task is to create an SSH user and specify an authentication type for it. Specifying an authentication type for a new user is a must for the user to log in. Follow these steps to configure an SSH user and specify an authentication type for it. To do / Use the command / Remarks: Enter system view: sys...

Page 505: ...method. • Under the publickey authentication mode, the level of commands available to a logged-in SSH user can be configured using the user privilege level command on the server, and all the users with this authentication mode will enjoy this level. • Under the password authentication mode, the level of commands available to a logged-in SSH user is determined by AAA, and different users with this authe...

Page 506: ...rvice Type for an SSH User. • For details of the header command, see the corresponding section in Login Command. Configuring the Client Public Key on the Server: This configuration is not necessary if the password authentication mode is configured for SSH users. With the publickey authentication mode configured for an SSH client, you must configure the client's RSA or DSA host public key(s) on the server...

Page 507: ...ew. Import the public key from a public key file: public-key peer keyname import sshkey filename. Required. You can also use the following commands to configure the client's RSA public key on the server. Follow these steps to configure the client RSA public key manually. To do / Use the command / Remarks: Enter system view: system-view. Enter public key view: rsa peer-public-key keyname. Required. Enter public ke...

Page 508: ...ssigning a Public Key to an SSH User: This configuration task is unnecessary if the SSH user's authentication mode is password. For the publickey authentication mode, you must specify the client's public key on the server for authentication. Follow these steps to assign a public key to an SSH user. To do / Use the command / Remarks: Enter system view: system-view. Assign a public key to an SSH user: ssh user...

Page 509: ...emarks: Configuring the SSH client, either using an SSH client software or on an SSH2-capable device: Use either approach. Configuring the SSH Client Using an SSH Client Software: A variety of SSH client software are available, such as PuTTY and OpenSSH. For an SSH client to establish a connection with an SSH server, use the following commands. Complete the following tasks to configure the SSH client using a client soft...

Page 510: ...y must be specified on the client. RSA key pairs and DSA key pairs are generated by a tool of the client software. The following takes the client software PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client. Generate a client key: To generate a client key, run PuTTYGen.exe and select, from the Parameters area, the type of key you want to generate, either SSH-2 RSA or SSH...

Page 511: ...Generate the client keys (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key. Figure 1-4 Generate the client keys (3)...

Page 512: ...the name of the file for saving the private key (private in this case) to save the private key. Figure 1-5 Generate the client keys (4). To generate an RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert. Figure 1-6 Generate the client keys (5). Specify the IP address of the server: Launch PuTTY.exe. The following window appears...

Page 513: ...er. Note that there must be a route available between the IP address of the server and the client. Select a protocol for remote connection: As shown in Figure 1-7, select SSH under Protocol. Select an SSH version: From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-8 appears...

Page 514: ...he ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation (ssh2). Open an SSH connection with publickey authentication: If a user needs to be authenticated with a public key, the corresponding private key file must be specified. A private key file is not required for password-only authentication. From the category on the left of the window, select Connection > SSH > Auth. The fol...

Page 515: ...e file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, the user will be prompted for a username. Once passing the authentication, the user can log onto the server. Figure 1-10 SSH client interface (1)...

Page 516: ...connection between the SSH client and server: Required. Configure whether first-time authentication is supported: When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication. • First-time authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the...

Page 517: ...e of the server: ssh client { server-ip | server-name } assign { publickey | rsa-key } keyname. Required. Establish the connection between the SSH client and server: The client's method of establishing an SSH connection to the SSH server varies with the authentication type. See the table below for details. Follow these steps to establish an SSH connection. To do / Use the command / Remarks: Enter system view: system-view. Sta...

Page 518: ...for the SSH client: ssh2 source-interface interface-type interface-number. Required. By default, the system determines a source IP address. Displaying and Maintaining SSH Configuration. To do / Use the command / Remarks: Display host and server public keys: display rsa local-key-pair public. Display client RSA public key(s): display rsa peer-public-key [ brief | name keyname ]. Display local public key(s): display public...

Page 519: ...enerate RSA and DSA key pairs: [device] public-key local create rsa; [device] public-key local create dsa. Set the authentication mode for the user interfaces to AAA: [device] user-interface vty 0 4; [device-ui-vty0-4] authentication-mode scheme. Enable the user interfaces to support SSH: [device-ui-vty0-4] protocol inbound ssh; [device-ui-vty0-4] quit. Create local client client001 and set the authentication password...

Page 520: ...SSH client configuration interface. In the Host Name (or IP address) text box, enter the IP address of the SSH server. 2) As shown in Figure 1-13, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user name client001 and password abc. Once authentication succeeds, you will log onto the server...

Page 521: ...ickey authentication is required. Figure 1-15 Network diagram of SSH server configuration: Switch; SSH Client 192.168.0.2/24; VLAN-Interface 1 192.168.0.1/24. Configuration procedure: Under the publickey authentication mode, either an RSA or a DSA public key can be generated for the server to authenticate the client. Here the RSA public key is taken as an example. • Configure the SSH server: Create a VLAN inter...

Page 522: ...it. Configure the authentication type of the SSH client named client001 as publickey: [device] ssh user client001 authentication-type publickey. Before performing the following steps, you must generate an RSA public key pair using the client software on the client, save the key pair in a file named public, and then upload the file to the SSH server through FTP or TFTP. For details, refer to Configuring the...

Page 523: ...ent key pair (1). While generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1-17. Otherwise, the process bar stops moving and the key pair generating process is stopped...

Page 524: ...ure 1-17 Generate a client key pair (2). After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case). Figure 1-18 Generate a client key pair (3)...

Page 525: ...rated, you need to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client. Establish a connection with the SSH server: The following takes the SSH client software PuTTY version 0.58 as an example. 1) Launch PuTTY.exe to enter the following interface. Figure 1-20 SSH client configuration interface (1). In the Host Nam...

Page 526: ...ection window, navigate to the private key file and click OK. 3) From the window shown in Figure 1-21, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-22. Figure 1-22 SSH client interface...

Page 527: ...e1] ip address 10.165.87.136 255.255.255.0; [device-Vlan-interface1] quit. Generate RSA and DSA key pairs: [device] public-key local create rsa; [device] public-key local create dsa. Set the authentication mode for the user interfaces to AAA: [device] user-interface vty 0 4; [device-ui-vty0-4] authentication-mode scheme. Enable the user interfaces to support SSH: [device-ui-vty0-4] protocol inbound ssh; [device-ui-vty0-4...

Page 528: ...Client and the Authentication Type is Publickey. Network requirements: As shown in Figure 1-24, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server's IP address is 10.165.87.136. Publickey authentication is required. Figure 1-24 Network diagram of SSH client configuration when using publickey authenticati...

Page 529: ...ing steps, you must first generate a DSA public key pair on the client, save the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the corresponding section. Configure Switch A: Import the client public key pair named Switch001 from the file Switch001: [device] public-key peer Switch001 import sshkey Switch001. Assign the public key Switch001 to user client00...

Page 530: ...gineering shall be allowed. [device] ... When the Device Acts as an SSH Client and First-time Authentication is not Supported. Network requirements: As shown in Figure 1-25, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server's IP address is 10.165.87.136. The publickey authentication mode is used to enhance se...

Page 531: ...01, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following. Configure Switch A: Import the client's public key file Switch001 and name the public key Switch001: [device] public-key peer Switch001 import sshkey Switch001. Assign public key Switch001 to user client001: [device] ssh user client001 assign rsa-key Switch001. Export the generated DSA host public key pa...

Page 532: ...generate a DSA key pair on the server, save the key pair in a file named Switch002, and then upload the file to the SSH client through FTP or TFTP. For details, refer to the above part. Configure Switch B: Import the public key pair named Switch002 from the file Switch002: [device] public-key peer Switch002 import sshkey Switch002. Specify the host public key pair name of the server: [device] ssh client 1...

Page 533: ...ction to File System 1-1; File System Configuration Tasks 1-1; Directory Operations 1-1; File Operations 1-2; Flash Memory Operations 1-3; Prompt Mode Configuration 1-3; File System Configuration Example 1-4; File Attribute Configuration 1-5; Introduction to File Attributes 1-5; Configuring File Attributes 1-6...

Page 534: ...onfiguration Tasks: Complete the following tasks to configure the file system. Task / Remarks: Directory Operations: Optional. File Operations: Optional. Flash Memory Operations: Optional. Prompt Mode Configuration: Optional. The device allows you to input a file path and file name in one of the following ways: • In universal resource locator (URL) format, starting with unit1>flash:/ or flash:/. This method is used...

Page 535: ...he following table. Follow these steps to perform file operations in user view (except the execute command, which should be executed in system view). To do / Use the command / Remarks: Delete a file: delete [ /unreserved ] file-url; delete { running-files | standby-files } [ /unreserved ]. Optional. A deleted file can be restored by using the undelete command if you delete it by executing the delete command without specifying t...

Page 536: ...brackets. • If the configuration files are deleted, the device adopts the null configuration when it starts up next time. Flash Memory Operations: Follow these steps to perform operations on the flash memory in user view. To do / Use the command / Remarks: Format the flash memory: format device. Required. Restore space on the flash memory: fixdisk device. Required. The format operation leads to the loss of all f...

Page 537: ...rkey; 6858 KB total (6848 KB free); (*) with main attribute, (b) with backup attribute, (*b) with both main and backup attribute. Copy the file flash:/startup.cfg to flash:/test/ with 1.cfg as the name of the new file: <device> copy flash:/startup.cfg flash:/test/1.cfg; Copy unit1>flash:/startup.cfg to unit1>flash:/test/1.cfg? [Y/N]: y; Copy file unit1>flash:/startup.cfg to unit1>flash:/test/1.cfg... Done. Display the file information...

Page 538: ...emory, there can be only one configuration file and one Web file with the main attribute. backup (b): Identifies backup startup files. The backup startup file is used after the device fails to start up using the main startup file. In the flash memory, there can be only one configuration file and one Web file with the backup attribute. none: Identifies files that are neither of main attribute nor backup attr...

Page 539: ...ation about the app file used as the startup file: display boot-loader unit unit-id. Display information about the Web file used by the device: display web package. Optional. Available in any view. • Before configuring the main or backup attribute for a file, make sure the file already exists on the device. • The configuration of the main or backup attribute of a Web file takes effect immediately without...

Page 540: ...le: The Device Operating as an FTP Server 1-8; FTP Banner Display Configuration Example 1-10; FTP Configuration: The Device Operating as an FTP Client 1-11; SFTP Configuration 1-13; SFTP Configuration: The Device Operating as an SFTP Server 1-13; SFTP Configuration: The Device Operating as an SFTP Client 1-14; SFTP Configuration Example 1-16; 2 TFTP Configuration 2-1; Introduction to TFTP 2-1; TFTP Configurati...

Page 541: ...ansfer and control command transfer respectively. Basic FTP operations are described in RFC 959. FTP-based file transmission is performed in the following two modes: • Binary mode, for program file transfer. • ASCII mode, for text file transfer. The device can act as an FTP client or the FTP server in FTP-employed data transmission. Table 1-1 Roles that the device acts as in FTP: Item / Description / Remarks. F...

Page 542: ...information: Optional. Basic configurations on an FTP client: FTP Configuration: The Device Operating as an FTP Client. Specifying the source interface and source IP address for an FTP client: Optional. FTP Configuration: The Device Operating as an FTP Server. Creating an FTP user: Configure the user name and password for the FTP user and set the service type to FTP. To use FTP services, a user must provide...

Page 543: ...is disabled when you shut down the FTP server Configuring connection idle time After the idle time is configured if the server does not receive service requests from a client within a specified time period it terminates the connection with the client thus preventing a user from occupying the connection for a long time without performing any operation Follow these steps to configure connection idle...

Page 544: ...e configuration fails z The value of the ip address argument must be an IP address on the device where the configuration is performed Otherwise a prompt appears to show that the configuration fails z You can specify only one source interface or source IP address for the FTP at one time That is only one of the commands ftp server source interface and ftp server source ip can be valid at one time If...

Page 545: ...wo types z Login banner After the connection between an FTP client and an FTP server is established the FTP server outputs the configured login banner to the FTP client terminal Figure 1 1 Process of displaying a login banner z Shell banner After the connection between an FTP client and an FTP server is established and correct user name and password are provided the FTP server outputs the configur...

Page 546: ...any view FTP Configuration The Device Operating as an FTP Client Basic configurations on an FTP client By default the device can operate as an FTP client In this case you can connect the device to the FTP server to perform FTP related operations such as creating removing a directory by executing commands on the device Follow these steps to perform basic configurations on an FTP client To do Use th...

Page 547: ... these two commands is that the dir command can display the file name directory as well as file attributes while the ls command can display only the file name and directory Download a remote file from the FTP server get remotefile localfile Upload a local file to the remote FTP server put localfile remotefile Rename a file on the remote server rename remote source remote dest Log in with the speci...

Page 548: ...ce must be an existing one Otherwise a prompt appears to show that the configuration fails z The value of the ip address argument must be the IP address of the device where the configuration is performed Otherwise a prompt appears to show that the configuration fails z The source interface source IP address set for one connection is prior to the fixed source interface source IP address set for eac...

Page 549: ... by telnetting the switching engine See the Login module for detailed information Configure the FTP user name as switch the password as hello and the service type as FTP device device system view device ftp server enable device local user switch device luser switch password simple hello device luser switch service type ftp 2 Configure the PC FTP client Run an FTP client application on the PC to co...

Page 550: ...e as the main configuration file for next startup and restart the device device startup saved configuration config cfg main Please wait Done For information about the startup saved configuration command and how to specify the main configuration file for the switching engine refer to the System Maintenance and Debugging part of this manual FTP Banner Display Configuration Example Network requiremen...

Page 551: ...e user passes the authentication C ftp 1 1 1 1 Connected to 1 1 1 1 220 login banner appears 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration The Device Operating as an FTP Client Network requirements As shown in Figure 1 5 the device operates as an FTP client and a remote PC as an FTP server ...

Page 552: ...the device is not enough to hold the file to be uploaded you need to delete files not in use from the flash memory to make room for the file and then upload the file again The files in use cannot be deleted Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP server the user name and the password as well to enter FTP view device ftp 2 2 2 2 Try...

Page 553: ...he Device Operating as an SFTP Client Specifying the source interface or source IP address for an SFTP client Optional SFTP Configuration The Device Operating as an SFTP Server Enabling an SFTP server Before enabling an SFTP server you need to enable the SSH server function and specify the service type of the SSH user as SFTP or all For details see the SSH server configuration part of SSH Operatio...

Page 554: ...pt to log in to the SFTP server or multiple connections are enabled on a client only the first user can log in to the SFTP server The subsequent connections will fail z When you upload a large file through WINSCP if a file with the same name exists on the server it is recommended that you set the packet timeout time to over 600 seconds so as to prevent the client from failing to respond to device packets ...

Page 555: ...remove remote file Optional Both commands have the same effect dir remotefile localfile Query a specified file on the SFTP server ls remotefile localfile Optional If no file name is provided all the files in the current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the ls command can di...

Page 556: ...source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP address of the specified SFTP client sftp source ip ip address Use either command Not specified by default Display the source IP address used by the current SFTP client display sftp source ip Optional Available in any view SFTP Configuration Example Network req...

Page 557: ...e retry number and update time of the server key adopt the default values device ssh user client001 authentication type password Specify the service type as SFTP device ssh user client001 service type sftp Enable the SFTP server device sftp server enable 2 Configure the SFTP client Switch A Configure the IP address of the VLAN interface on Switch A It must be in the same segment with the IP addres...

Page 558: ...01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Success Add a directory new1 and then check whether the new directory is successfully created sftp client mkdir new1 Received status Success New directory created sftp client dir rwxrwxrwx 1 noone nogr...

Page 559: ...lly ended Upload the file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received status Success Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 28...

Page 560: ... s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated between the device and the server and the file download operation will be aborted if the free space of the device s flash memory is found to be insufficient z If the TFTP server does not support file size negotiation the device will receive data from the server until the flash memory is full...

Page 561: ...ACL rule used by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default Specifying the source interface or source IP address for a TFTP client You can specify the source interface and source IP address for the device operating as a TFTP client so that it can connect with a remote TFTP server through the IP address of the specified interface o...

Page 562: ...fy the source interface source IP address only used for the connection this time and the specified source interface source IP address is different from the fixed one the former will be used for the connection this time z You may specify only one source interface or source IP address for the TFTP client at one time That is only one of the commands tftp source interface and tftp source ip can be eff...

Page 563: ...re that the port through which the device connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 device interface Vlan interface 1 device Vlan interface1 ip address 1 1 1 1 255 255 255 0 device Vlan interface1 quit Download the device configuration file named config cfg from the TFTP server to the device device tftp 1 1 1 2 get config cfg config cfg After do...

Page 564: ...Output System Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the Trap Buffer 1 12 Setting to Output System Information to the Log Buffer 1 12 Setting to Output System Information to the SNMP NMS 1 13 Displaying and Maintaining Information Center 1 14 Infor...

Page 565: ...s and developers in monitoring network performance and diagnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information z Trap information z Debugging information Eight levels of system information The information is classified into eight levels by severity and ...

Page 566: ...l names and the associations between the channels and output directions can be changed through commands Table 1 2 Information channels and output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap and debugging information facilitating remote maintenance 2 log...

Page 567: ...ion protocol module CMD Command line module DEV Device management module DNS Domain name system module ETH Ethernet module FIB Forwarding module FTM Fabric topology management module FTPS FTP server module HA High availability module HABP Huawei authentication bypass protocol module HTTPD HTTP server module HWCM Huawei Configuration Management private MIB module HWP HWPing module IFNET Interface m...

Page 568: ...tion of the modules onto the ten channels in terms of the eight severity levels and according to the user's settings and then redirect the system information from the ten channels to the six output directions System Information Format System information has the following format priority timestamp sysname module level digest content z The closing set of angle brackets the space the forward slash an...

Page 569: ...mm ss ms is the local time where hh is in the 24 hour format ranging from 00 to 23 both mm and ss range from 00 to 59 ms ranges from 000 to 999 z yyyy is the year z GMT hh mm ss is the UTC time zone which represents the time difference with the Greenwich standard time Because devices in a network may distribute in different time zones when the time displayed in the time stamps of output informatio...

Page 570: ...hat there is a colon between the digest and content fields Content This field provides the content of the system information The above section describes the log information format sent to a log host by the device Some log host software parses the received information and changes its format so the log format displayed on the log host may be different from the one described in this...

Page 571: ... Required Disabled by default z If the system information is output before you input any information following the current command line prompt the system does not echo any command line prompt after the system information output z In the interaction mode you are prompted for some information input If the input is interrupted by system output no system prompt except the Y N string will be echoed aft...

Page 572: ...nable system information output to the console info center console channel channel number channel name Optional By default the device uses information channel 0 to output log debugging trap information to the console Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to T...

Page 573: ...rmation display on the console After setting to output system information to the console you need to enable the associated display function to display the output information on the console Follow these steps to enable the system information display on the console To do Use the command Remarks Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by d...

Page 574: ...ty state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of time stamp in the output information info center timestamp log trap debugging boot date none Optional By default the time stamp format of the log and trap output information is date and that of the debugging output information is boot z When there are multiple Telnet users or dumb termin...

Page 575: ... these steps to set to output system information to a log host To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable system information output to a log host info center loghost host ip addr channel channel number channel name facility local number Required By default the device does not output information to ...

Page 576: ...ffer info center trapbuffer channel channel number channel name size buffersize Optional By default the device uses information channel 3 to output trap information to the trap buffer which can hold up to 256 items by default Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional ...

Page 577: ... to the SNMP NMS Follow these steps to set to output system information to the SNMP NMS To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the SNMP NMS info center snmp channel channel number channel name Optional By default the device outputs trap information to SNMP through channel ...

Page 578: ...trap buffer display trapbuffer unit unit id size buffersize Available in any view Clear information recorded in the log buffer reset logbuffer unit unit id Clear information recorded in the trap buffer reset trapbuffer unit unit id Available in user view Information Center Configuration Examples Log Output to a UNIX Log Host Network requirements As shown in Figure 1 1 Switch sends the following lo...

Page 579: ...e following selector action pairs Switch configuration messages local4 info var log Switch information When you edit the file etc syslog conf note that z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is allowed at the end of a file name z The device name facility and received log information severity level spec...

Page 580: ...dure 1 Configure Switch Enable the information center Switch system view Switch info center enable Configure the host whose IP address is 202 38 1 10 as the log host Permit all modules to output log information with severity level higher than error to the log host Switch info center loghost 202 38 1 10 facility local7 Switch info center source default channel loghost log level errors debug state o...

Page 581: ...tem daemon syslogd stop the process and then restart the daemon syslogd in the background with the r option ps ae grep syslogd 147 kill 9 147 syslogd r In the case of a Linux log host the daemon syslogd must be started with the r option After all the above operations the device can record information in the corresponding log file Through combined configuration of the device name facility information sev...

Page 582: ...ch terminal monitor Switch terminal logging Configuration Example Network requirements z As shown in Figure 1 4 the device is in the time zone of GMT 08 00 00 z The time stamp format of output log information is date z UTC time zone will be added to the output information of the information center Figure 1 4 Network diagram Internet PC Switch Configuration procedure Name the local time zone z8 and...

Page 583: ...nformation about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device Management 4 1 Introduction to Device Management 4 1 Device Management Configuration 4 1 Device Management Configuration Tasks 4 1 Rebooting the Device 4 1 Scheduling a Reboot on the Device 4 2 Configuring Real time Monitoring of the Running Status of the System 4 2 Sp...

Page 584: ...es how to load the host configuration file to the device remotely Introduction to Loading Approaches You can load software remotely by using z FTP z TFTP If your terminal is not directly connected to the device you can telnet to the device and use FTP or TFTP to load the host configuration file remotely Remote Loading Using FTP Loading procedure using FTP client 1 Loading the host configuration fi...

Page 585: ...byte s sec ftp bye When using different FTP server software on PC different information will be output to the device Step 2 Update the host configuration file on Switch device_LSW startup saved configuration config cfg main Please wait Done Step 3 Restart Switch device_LSW reboot Before restarting Switch make sure you have saved all other configurations that you want so as to avoid losing configur...

Page 586: ...vice_LSW system view deviceView return to User View with Ctrl Z device_LSW interface Vlan interface 1 device_LSW Vlan interface1 ip add 192 168 0 51 255 255 255 0 Step 3 Enable FTP service on Switch and configure the FTP user name to test and password to pass device_LSW Vlan interface1 quit device_LSW ftp server enable device_LSW local user test New local user added device_LSW luser test password ...

Page 587: ...or d D cd update D Update ftp 192 168 0 51 Connected to 192 168 0 51 220 FTP service ready User 192 168 0 51 none test 331 Password required for test Password 230 User logged in ftp put startup cfg 200 Port command okay 150 Opening ASCII mode data connection for startup cfg 226 Transfer complete Step 8 Configure config cfg as the main configuration file at next startup and then restart Switch devi...

Page 588: ...nly the configuration steps concerning loading are listed here For detailed description on the corresponding configuration commands refer to the FTP SFTP TFTP part of this manual Remote Loading Using TFTP The remote loading using TFTP is similar to that using FTP The only difference is that TFTP is used to load software to Switch and Switch can only act as a TFTP client ...

Page 589: ... start date end time end date offset time Optional Execute this command in user view z When the system reaches the specified start time it automatically adds the specified offset to the current time so as to toggle the system time to the summer time z When the system reaches the specified end time it automatically subtracts the specified offset from the current time so as to toggle the summer time...

Page 590: ...eshoot the system faults The output of debugging information is determined by the following two settings z Protocol debugging setting which controls whether the debugging information of a protocol is output z Terminal display setting which controls whether the debugging information is output to the screen of a specific user The relationship between the two settings is as follows Figure 2 1 Debuggi...

Page 591: ...ay debugging unit unit id interface interface type interface number module name You can execute the display command in any view Displaying Operating Information about Modules in System When the device is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its corresponding operating information display command s You can use the command he...

Page 592: ...f response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check network connectivity It can also be used to help locate network faults The tracert command works as follows First the source host sends a data packet with the TTL of 1 and the first hop device retu...

Page 593: ... Monitoring of the Running Status of the System Optional Specifying the Main Configuration File to be Used at Next Reboot Optional Identifying and Diagnosing Pluggable Transceivers Optional Rebooting the Device You can perform the following operation in user view when the device is faulty or needs to be rebooted Before rebooting the system checks whether there is any configuration change If yes it...

Page 594: ...boot date and time Configuring Real time Monitoring of the Running Status of the System This function enables you to dynamically record the system running status such as CPU thus facilitating analysis and solution of the problems of the device Follow these steps to configure real time monitoring of the running status of the system To do Use the command Remarks Enter system view system view Enable ...

Page 595: ...nsceiver SFP Small Form factor Pluggable Generally used for 100M 1000M Ethernet interfaces or POS 155M 622M 2 5G interfaces Yes Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit EtherNet Transceiver Package Generally used for 10G Ethernet interfaces...

Page 596: ...alarm interface interface type interface number Available for all pluggable transceivers Displaying and Maintaining the Device Management Configuration To do Use the command Remarks Display the module type and operating status of each board display device manuinfo unit unit id Display CPU usage of the device display cpu unit unit id Display the operating status of the fan display fan unit unit id ...

Page 597: ...ng VLAN VPN 1 4 VLAN VPN Configuration Example 1 5 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN 1 5 2 Selective QinQ Configuration 2 1 Selective QinQ Overview 2 1 Selective QinQ Overview 2 1 Inner to Outer Tag Priority Mapping 2 2 Selective QinQ Configuration 2 2 Configuration Task List 2 2 Enabling the Selective QinQ Feature for a Port 2 2 Configuring the Inn...

Page 598: ...ecific ways establish dedicated tunnels for user traffic on public network devices and thus improve data security VLAN VPN feature is a simple yet flexible Layer 2 tunneling technology It tags private network packets with outer VLAN tags thus enabling the packets to be transmitted through the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this...

Page 599: ...MAC address table of the default VLAN When a packet reaches a VLAN VPN enabled port z If the packet already carries a VLAN tag the packet becomes a dual tagged packet z Otherwise the packet becomes a packet carrying the default VLAN tag of the port Adjusting the TPID Values of VLAN VPN Packets Tag protocol identifier TPID is a field of the VLAN tag IEEE 802 1Q specifies the value of TPID to be 0x8...

Page 600: ...nfiguration Configuration Task List Complete the following tasks to configure VLAN VPN Task Remarks Enabling the VLAN VPN Feature for a Port Required TPID Adjusting Configuration Optional Enabling the VLAN VPN Feature for a Port Configuration Prerequisites z The port is not a VLAN VPN uplink port z The port is not a remote mirror reflection port Configuration procedure Follow these steps to enable...

Page 601: ... Enter Ethernet port view interface interface type interface number Set the port to be a VLAN VPN uplink port vlan vpn uplink enable Optional By default the VLAN VPN uplink function is disabled z A port cannot be configured as both a VLAN VPN port and a VLAN VPN uplink port at the same time z With the TPID being 0x8100 every port can be configured as a VLAN VPN uplink port However if the TPID valu...

Page 602: ... B to enable the PC users and PC servers to communicate with each other through a VPN and employ VLAN VPN on Switch A and Switch B to enable the Terminal users and Terminal servers to communicate with each other through a VPN Figure 1 4 Network diagram for VLAN VPN configuration TPID 0x9200 VLAN 1040 GEth1 0 11 GEth1 0 12 GEth1 0 21 GEth1 0 22 VLAN 100 VLAN 200 PC User Terminal User SwitchA SwitchB VLAN...

Page 603: ...00 SwitchB interface GigabitEthernet1 0 22 SwitchB GigabitEthernet1 0 22 port link type trunk SwitchB GigabitEthernet1 0 22 port trunk permit vlan 1040 SwitchB GigabitEthernet1 0 22 vlan vpn uplink enable z Do not configure VLAN 1040 as the default VLAN of GigabitEthernet 1 0 12 of Switch A and GigabitEthernet 1 0 22 of Switch B Otherwise the outer VLAN tag of a packet will be removed during trans...

Page 604: ... 3 The outer VLAN tag of the packet remains unchanged while the packet travels in the public network till it reaches GigabitEthernet 1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded to GigabitEthernet 1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN 1040 of the packet is removed before the packet is forwarded which r...

Page 605: ...re 2 1 Diagram for a selective QinQ implementation In this implementation Switch A is an access device of the service provider The users connecting to it include common customers in VLAN 8 to VLAN 100 VIPs in VLAN 101 to VLAN 200 and IP telephone users in VLAN 201 to VLAN 300 Packets of all these users are forwarded by Switch A to the public network After the selective QinQ feature and the inner t...

Page 606: ...e following tasks to configure selective QinQ Task Remarks Enabling the Selective QinQ Feature for a Port Required Configuring the Inner to Outer Tag Priority Mapping Feature Optional Enabling the Selective QinQ Feature for a Port The following configurations are required for the selective QinQ feature z Enabling the VLAN VPN feature on the current port z Configuring the current port to permit pac...

Page 607: ...ides public network access for PC users and IP phone users PC users belong to VLAN 100 through VLAN 108 and IP phone users belong to VLAN 200 through VLAN 230 GigabitEthernet 1 0 5 of Switch A is connected to the public network The peer end of Switch A is Switch B z GigabitEthernet 1 0 11 of Switch B is connected to the public network GigabitEthernet 1 0 12 and GigabitEthernet 1 0 13 of Switch B p...

Page 608: ...and configure VLAN 5 as its default VLAN Configure GigabitEthernet 1 0 5 not to remove VLAN tags when forwarding packets of VLAN 5 VLAN 1000 and VLAN 1200 SwitchA interface GigabitEthernet 1 0 5 SwitchA GigabitEthernet1 0 5 port link type hybrid SwitchA GigabitEthernet1 0 5 port hybrid pvid vlan 5 SwitchA GigabitEthernet1 0 5 port hybrid vlan 5 1000 1200 tagged SwitchA GigabitEthernet1 0 5 quit Co...

Page 609: ... quit SwitchB vlan 12 to 13 Configure GigabitEthernet 1 0 11 as a hybrid port and configure GigabitEthernet 1 0 11 not to remove VLAN tags when forwarding packets of VLAN 12 VLAN 13 VLAN 1000 and VLAN 1200 SwitchB system view SwitchB interface GigabitEthernet 1 0 11 SwitchB GigabitEthernet1 0 11 port link type hybrid SwitchB GigabitEthernet1 0 11 port hybrid vlan 12 13 1000 1200 tagged Configure G...

Page 610: ...quirement The key to this example is to enable the ports to receive and forward packets of specific VLANs So you can also configure the ports as access or trunk ports Refer to Port Basic Configuration for details z A selective QinQ enabled device tags a user packet with an outer VLAN tag regardless of the VLAN tag of the user packet so there is no need to configure user VLANs on the device z Make ...

Page 611: ...figuration 1 4 Configuration on a HWPing Server 1 4 HWPing Client Configuration 1 5 Displaying and Maintaining HWPing 1 17 HWPing Configuration Example 1 17 ICMP Test 1 17 DHCP Test 1 18 FTP Test 1 20 HTTP Test 1 22 Jitter Test 1 23 SNMP Test 1 25 TCP Test Tcpprivate Test on the Specified Ports 1 27 UDP Test Udpprivate Test on the Specified Ports 1 29 DNS Test 1 30 ...

Page 612: ... the response time of various services You need to configure HWPing client and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by HWPing client and you can view the test results on HWPing client only When performing a HWPing test you need to configure a HWPing test group on the HWPing client A HWPing test group is a set of HWPing te...

Page 613: ...cause the service corresponding to the well known port 1 to 1023 being unavailable HWPing Test Parameters You need to configure corresponding test parameters for each type of HWPing test HWPing test parameters can be configured on HWPing client only For the configurations on HWPing client refer to section Table 1 2 HWPing test parameters Test parameter Description Destination address destination i...

Page 614: ...to be sent in a probe Packet size datasize z For ICMP UDP jitter test you can configure the size of test packets z For ICMP test the ICMP packet size refers to the length of ECHO REQUEST packets excluding IP and ICMP headers Maximum number of history records that can be saved history records This parameter is used to specify the maximum number of history records that can be saved in a test group W...

Page 615: ...he test is But too small an interval may affect your network Trap z A HWPing test will generate a Trap message regardless of whether the test succeeds or not You can use the Trap device to enable or disable the output of trap messages z You can set the number of consecutive failed HWPing tests before Trap output You can also set the number of consecutive failed HWPing probes before Trap outpu...

Page 616: ...t groups for different tests without the need to enable HWPing client repeatedly for each test group Different types of HWPing tests are somewhat different in parameters and parameter ranges The following text describes the configuration on HWPing client for different test types 1 Configuring ICMP test on HWPing client Follow these steps to configure ICMP test on HWPing client To do Use the comman...

Page 617: ...e ToS tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results admin name operation tag Required Available in any view For ICMP tests if no IP address is configured for the specified source interface the ICMP test will fail if a source IP address has been configured with the source ip command the source interface command...

Page 618: ...splay hwping results admin name operation tag Required You can execute the command in any view 3 Configuring FTP test on HWPing client Follow these steps to configure FTP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and ent...

Page 619: ...is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Configure an FTP login password password password Required By default neither username nor password is configured Configure a file name for the FTP operation filename file name Required By default no file name is configured for the FTP operation Start the test test enable Required Dis...

Page 620: ... the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the ...

Page 621: ...he destination port must be the port of a UDP listening service on the HWPing server By default no destination port is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the test type test type jitter Required By default th...

Page 622: ...st on HWPing client Follow these steps to configure SNMP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the ...

Page 623: ...equired Display test results display hwping results admin name operation tag Required You can execute the command in any view 7 Configuring TCP test on HWPing client Follow these steps to configure TCP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Cre...

Page 624: ...t type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the number of probes per test count times Optional By default one probe is made per time Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By ...

Page 625: ...ress 7 command on the server to configure the listening service port otherwise the test will fail No port number needs to be configured on the client any destination port number configured on the client will not take effect z By default no destination port number is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the ...

Page 626: ...emarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the source IP address source ip ip address Optional By default no source IP address is specified Configure...

Page 627: ...est succeeds or fails You can specify whether to output Trap messages by enabling disabling Trap sending Follow these steps to configure the HWPing client to send Trap messages To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwpi...

Page 628: ...HWPing Client / IP network / 10.1.1.1/8 / 10.2.2.2/8 (network diagram labels)
Configuration procedure
• Configure HWPing Client (Switch A)
Enable HWPing client:
<device> system-view
[device] hwping-agent enable
Create a HWPing test group, setting the administrator name to administrator and test tag to ICMP:
[device] hwping administrator icmp
Configure the test type as icmp:
[device-hwping-administrator-icmp] test-type icmp
Configure the dest...

Page 629: ...ecord
Index Response Status LastRC Time
1 3 1 0 2000-04-02 20:55:12.3
2 4 1 0 2000-04-02 20:55:12.3
3 4 1 0 2000-04-02 20:55:12.2
4 3 1 0 2000-04-02 20:55:12.2
5 3 1 0 2000-04-02 20:55:12.2
For detailed output description, see the corresponding command manual.
DHCP Test
Network requirements
As shown in Figure 1-3, Switch A serves as a HWPing client, and the DHCP server Switch B is an H3C S5600 series...

Page 630: ...eration times: 10
Receive response times: 10
Min/Max/Average Round Trip Time: 1018/1037/1023
Square Sum of Round Trip Time: 10465630
Last complete test time: 2000-4-3 9:51:30.9
Extend result:
SD Maximal delay: 0  DS Maximal delay: 0
Packet lost in test: 0
Disconnect operation number: 0  Operation timeout number: 0
System busy operation number: 0  Connection fail number: 0
Operation sequence errors: 0  Drop operatio...

Page 631: ...anual.
• Configure HWPing Client (Switch A)
Configure the IP address for the Ethernet interface:
<device> system-view
[device] interface Vlan-interface 1
[device-Vlan-interface1] ip address 10.1.1.1 8
Enable the HWPing client:
[device] hwping-agent enable
Create a HWPing test group, setting the administrator name to administrator and test tag to FTP:
[device] hwping administrator ftp
Configure the test type as ftp...

Page 632: ... Disconnect operation number: 0  Operation timeout number: 0
System busy operation number: 0  Connection fail number: 0
Operation sequence errors: 0  Drop operation number: 0
Other operation errors: 0
[device-hwping-administrator-ftp] display hwping history administrator ftp
HWPing entry (admin administrator, tag ftp) history record:
Index Response Status LastRC Time
1 15822 1 0 2000-04-03 04:00:34.6
2 15772 1 0 ...

Page 633: ...ent enable
Create a HWPing test group, setting the administrator name to administrator and test tag to HTTP:
[device] hwping administrator http
Configure the test type as http:
[device-hwping-administrator-http] test-type http
Configure the IP address of the HTTP server as 10.2.2.2:
[device-hwping-administrator-http] destination-ip 10.2.2.2
Configure to make 10 probes per test:
[device-hwping-administrator-ht...

Page 634: ...dministrator, tag http) history record:
Index Response Status LastRC Time
1 13 1 0 2000-04-02 15:15:52.5
2 9 1 0 2000-04-02 15:15:52.5
3 3 1 0 2000-04-02 15:15:52.5
4 3 1 0 2000-04-02 15:15:52.5
5 3 1 0 2000-04-02 15:15:52.5
6 2 1 0 2000-04-02 15:15:52.4
7 3 1 0 2000-04-02 15:15:52.4
8 3 1 0 2000-04-02 15:15:52.4
9 2 1 0 2000-04-02 15:15:52.4
10 2 1 0 2000-04-02 15:15:52.4
For detailed output descrip...

Page 635: ...est type Jitter
Configure the IP address of the HWPing server as 10.2.2.2:
[device-hwping-administrator-Jitter] destination-ip 10.2.2.2
Configure the destination port on the HWPing server:
[device-hwping-administrator-Jitter] destination-port 9000
Configure to make 10 probes per test:
[device-hwping-administrator-Jitter] count 10
Set the probe timeout time to 30 seconds:
[device-hwping-administrator-Jitter] tim...

Page 636: ...uare Sum: 161
SD lost packets number: 0
DS lost packet number: 0
Unknown result lost packet number: 0
[device-hwping-administrator-Jitter] display hwping history administrator Jitter
HWPing entry (admin administrator, tag Jitter) history record:
Index Response Status LastRC Time
1 274 1 0 2000-04-02 08:14:58.2
2 278 1 0 2000-04-02 08:14:57.9
3 280 1 0 2000-04-02 08:14:57.6
4 279 1 0 2000-04-02 08:14:57.3
5 ...

Page 637: ...kets.
• The SNMPv2c version is used as reference in this example. This configuration may differ if the system uses any other version of SNMP. For details, see SNMP-RMON Operation Manual.
• Configure HWPing Client (Switch A)
Enable the HWPing client:
<device> system-view
[device] hwping-agent enable
Create a HWPing test group, setting the administrator name to administrator and test tag to snmp:
[device] hwping ad...

Page 638: ...WPing entry (admin administrator, tag snmp) history record:
Index Response Status LastRC Time
1 10 1 0 2000-04-03 08:57:20.0
2 10 1 0 2000-04-03 08:57:20.0
3 10 1 0 2000-04-03 08:57:20.0
4 10 1 0 2000-04-03 08:57:19.9
5 9 1 0 2000-04-03 08:57:19.9
6 11 1 0 2000-04-03 08:57:19.9
7 10 1 0 2000-04-03 08:57:19.9
8 10 1 0 2000-04-03 08:57:19.9
9 10 1 0 2000-04-03 08:57:19.8
10 10 1 0 2000-04-03 08:57:19.8
...

Page 639: ...nfigure to make 10 probes per test:
[device-hwping-administrator-tcpprivate] count 10
Set the probe timeout time to 5 seconds:
[device-hwping-administrator-tcpprivate] timeout 5
Start the test:
[device-hwping-administrator-tcpprivate] test-enable
Display test results:
[device-hwping-administrator-tcpprivate] display hwping results administrator tcpprivate
HWPing entry (admin administrator, tag tcpprivate) test r...

Page 640: ... end (HWPing client) and the specified destination end (HWPing server), with the port number set to 8000.
Network diagram
Figure 1-9 Network diagram for the Udpprivate test (Switch A, HWPing Client, 10.1.1.1/8; IP network; Switch B, HWPing Server, 10.2.2.2/8)
Configuration procedure
• Configure HWPing Server (Switch B)
Enable the HWPing server and configure the IP address and port to listen on:
<device> system-view
...

Page 641: ...et lost in test: 0
Disconnect operation number: 0  Operation timeout number: 0
System busy operation number: 0  Connection fail number: 0
Operation sequence errors: 0  Drop operation number: 0
Other operation errors: 0
[device-hwping-administrator-udpprivate] display hwping history administrator udpprivate
HWPing entry (admin administrator, tag udpprivate) history record:
Index Response Status LastRC Time
1 11 1 0...

Page 642: ... 10.2.2.2:
[device-hwping-administrator-dns] dns-server 10.2.2.2
Configure to resolve the domain name www.test.com:
[device-hwping-administrator-dns] dns-resolve-target www.test.com
Configure to make 10 probes per test:
[device-hwping-administrator-dns] count 10
Set the probe timeout time to 5 seconds:
[device-hwping-administrator-dns] timeout 5
Start the test:
[device-hwping-administrator-dns] test-enable
Displ...

Page 643: ...inistrator-dns] display hwping history administrator dns
HWPing entry (admin administrator, tag dns) history record:
Index Response Status LastRC Time
1 10 1 0 2006-11-28 11:50:40.9
2 10 1 0 2006-11-28 11:50:40.9
3 10 1 0 2006-11-28 11:50:40.9
4 7 1 0 2006-11-28 11:50:40.9
5 8 1 0 2006-11-28 11:50:40.9
6 6 1 0 2006-11-28 11:50:40.9
7 8 1 0 2006-11-28 11:50:40.9
8 9 1 0 2006-11-28 11:50:40.9
9 9 1 0 200...

Page 644: ...ing Domain Name Resolution 1-2; Configuring Static Domain Name Resolution 1-2; Configuring Dynamic Domain Name Resolution 1-3; DNS Configuration Example 1-3; Static Domain Name Resolution Configuration Example 1-3; Dynamic Domain Name Resolution Configuration Example 1-4; Displaying and Maintaining DNS 1-6; Troubleshooting DNS Configuration 1-6 ...

Page 645: ...ng time in the dynamic DNS database would increase efficiency. Some frequently used addresses can be put in the static DNS database.
Static Domain Name Resolution
The static domain name resolution means manually setting up mappings between domain names and IP addresses. IP addresses of the corresponding domain names can be found in the static domain name resolution table for applications such as Teln...

Page 646: ...s used when the name to be resolved is not complete. The resolver can supply the missing part (automatic domain name addition). For example, a user can configure com as the suffix for aabbcc.com. The user only needs to type aabbcc to get the IP address of aabbcc.com. The resolver can add the suffix and delimiter before passing the name to the DNS server.
• If there is no dot in the domain name, such as aab...

Page 647: ...c domain name resolution:
Enter the system view: system-view.
Enable dynamic domain name resolution: dns resolve (required; disabled by default).
Configure an IP address for the DNS server: dns server ip-address (required; no IP address is configured for the DNS server by default).
Configure DNS suffixes: dns domain domain-name (optional; no DNS suffix is configured by default). You ma...

Page 648: ... 56 Sequence=2 ttl=127 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=127 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=127 time=5 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=127 time=3 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms
Dynamic Domain Name Resolution Configuration Example
Network requirements
As...

Page 649: ...x:
[device] dns domain com
Execute the ping host command on Switch to verify that the communication between Switch and Host is normal and that the corresponding IP address is 3.1.1.1:
[device] ping host
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=255 time=1 ms
Reply...

Page 650: ... reset dns dynamic-host (available in user view).
Troubleshooting DNS Configuration
Symptom: After enabling the dynamic domain name resolution, the user cannot get the correct IP address.
Solution:
• Use the display dns dynamic-host command to check that the specified domain name is in the cache.
• If there is no defined domain name, check that dynamic domain name resolution is enabled and the DNS client c...

Page 651: ...d Maintaining Smart Link 1-6; Smart Link Configuration Example 1-6; Implementing Link Redundancy Backup 1-6; 2 Monitor Link Configuration 2-1; Introduction to Monitor Link 2-1; How Monitor Link Works 2-2; Configuring Monitor Link 2-3; Configuration Task List 2-3; Creating a Monitor Link Group 2-3; Configuring the Uplink Port 2-3; Configuring a Downlink Port 2-4; Displaying and Maintaining Monitor Link 2-5; Mo...

Page 652: ...ndancy backup and fast convergence to meet the user demand. Smart Link has the following features:
• Active/standby backup for dual uplink networking.
• Simple configuration and operation.
Basic Concepts in Smart Link
Smart Link group: A Smart Link group consists of two member ports, one master port and one slave port. Normally only one port (master or slave) is active and the other port is blocked, that is...

Page 653: ...ink group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries.
Control VLAN for sending flush messages: This control VLAN sends flush messages. When link switching occurs, the device (Switch A in Figure 1-1) broadcasts flush messages in this control VLAN.
Control VLAN for receiving flush messages: This control VLAN is used for receiving and processing flu...

Page 654: ...ush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries. In this case, all the uplink devices must be capable of identifying flush messages from the Smart Link group and refreshing MAC forwarding entries and ARP entries.
• On a Smart Link enabled device, if a port is blocked due to link failure, the port remains blocked after the link recovers...

Page 655: ...rs of the Smart Link group:
Enter system view: system-view.
Create a Smart Link group and enter Smart Link group view: smart-link group group-id (required).
Enable the function of sending flush messages in the specified control VLAN: flush enable control-vlan vlan-id (required; by default no control VLAN for sending flush messages is specified).
Smart Link group view: port interfa...

Page 656: ...Switch E.
Follow these steps to enable the specified port to process flush messages received from the specified control VLAN:
Enter system view: system-view.
System view: smart-link flush enable control-vlan vlan-id port interface-type interface-number [ to interface-type interface-number ]
Interface view: interface interface-type interface-number, then the command that enables the specified port(s) to process flush...

Page 657: ...her ports in the aggregation group automatically; that is, the other member ports in the aggregation group cannot process flush messages. The function of processing flush messages must be manually configured for each port in the aggregation group.
• The VLAN configured as a control VLAN to send and receive flush messages must exist. You cannot directly remove the control VLAN. When a dynamic VLAN is con...

Page 658: ...1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp disable
Return to system view:
[SwitchA-GigabitEthernet1/0/2] quit
Create Smart Link group 1 and enter the corresponding Smart Link group view:
[SwitchA] smart-link group 1
Configure GigabitEthernet 1/0/1 as the master port and GigabitEthernet 1/0/2 as the slave port for Smart Link gr...

Page 659: ...the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2:
[SwitchD] smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2
4. Enable the function of processing flush messages received from VLAN 1 on Switch E
Enter system view:
<SwitchE> system-view
Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2 and GigabitEthernet 1...

Page 660: ... group are forced down. When the link for the uplink port recovers, all the downlink ports in the group are re-enabled.
Figure 2-1 Network diagram for a Monitor Link group implementation (Switch A: GE1/0/1 uplink; GE1/0/2 and GE1/0/3 downlink)
As shown in Figure 2-1, the Monitor Link group configured on the device Switch A consists of an uplink port GigabitEthernet 1/0/1 and two downlink ports GigabitEthernet...

Page 661: ...net 1/0/1 of Switch A configured with Smart Link group operates normally. Actually, however, the traffic on Switch A cannot be uplinked to Switch E through the link of GigabitEthernet 1/0/1.
• If Switch C is configured with Monitor Link group and Monitor Link group detects that the link for the uplink port GigabitEthernet 1/0/1 fails, all the downlink ports in the group are shut down; therefore GigabitEthernet...

Page 662: ...on groups or Ethernet ports.
Configuration Task List
Complete the following tasks to configure Monitor Link: Creating a Monitor Link Group (required); Configuring the Uplink Port (required); Configuring a Downlink Port (required).
Creating a Monitor Link Group
Follow these steps to create a Monitor Link group:
Enter system view: system-view.
Create a Monitor Link group...

Page 663: ...tor-link group group-id uplink (required; use any of the three approaches).
Configuring a Downlink Port
Follow these steps to configure a downlink port:
Enter system view: system-view.
Enter the specified Monitor Link group view: monitor-link group group-id (required).
Configure the specified link aggregation group as a downlink port of the Monitor Link group: link-aggregation gr...

Page 664: ...n group member.
• Using the copy command on a port does not copy the Smart Link/Monitor Link group member information configured on the port to any other port.
Displaying and Maintaining Monitor Link
Display the information about one or all Monitor Link groups: display monitor-link group { group-id | all } (available in any view).
Monitor Link Configuration Example
Implementing C...

Page 665: ...sable STP on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2:
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp disable
Return to system view:
[SwitchA-GigabitEthernet1/0/2] quit
Create Smart Link group 1 and enter Smart Link group view:
[SwitchA] smart-link group 1
Co...

Page 666: ...link
[SwitchC-mtlk-group1] port GigabitEthernet 1/0/2 downlink
[SwitchC-mtlk-group1] port GigabitEthernet 1/0/3 downlink
Return to system view, then enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3:
[SwitchC-mtlk-group1] quit
[SwitchC] smart-link flush enable control-vlan 1 port GigabitEthernet 1/0/2 to GigabitEthernet 1/0/3
3. Enable the fun...

Page 667: ...f a Port 1-4; Setting the PoE Mode on a Port 1-4; Configuring the PD Compatibility Detection Function 1-5; Upgrading the PSE Processing Software Online 1-5; Displaying and Maintaining PoE Configuration 1-6; PoE Configuration Example 1-6; PoE Configuration Example 1-6; 2 PoE Profile Configuration 2-1; Introduction to PoE Profile 2-1; PoE Profile Configuration 2-1; Configuring PoE Profile 2-1; Displaying and M...

Page 668: ... and safety.
• Easy connection: Network terminals only require an Ethernet cable but no external power supply.
• Standard: PoE conforms to the 802.3af standard and uses a globally uniform power interface.
• Bright application prospect: PoE can be applied to IP phones, wireless access points (APs), chargers for portable devices, card readers, network cameras and data collection systems.
PoE components
PoE consi...

Page 669: ...and the whole equipment, which you can query through the display command.
• The device provides two modes, auto and manual, to manage the power feeding to ports in the case of PSE power overload.
• The device provides an over-temperature protection mechanism. When the internal temperature of the device exceeds the PoE protection temperature, the device disables the PoE feature on all ports for self-protecti...

Page 670: ...default, the PoE function on a port is enabled by the default configuration file when the device is delivered.
• If you delete the default configuration file without specifying another one, the PoE function on a port will be disabled after you restart the device.
Setting the Maximum Output Power on a Port
The maximum power that can be supplied by each Ethernet electrical port of a PoE-enabled device t...

Page 671: ...e Port A has the priority critical. When the device PoE is close to its full load and a new PD is now added to port A, the device just gives a prompt that a new PD is added and will not supply power to this new PD.
After the PoE feature is enabled on the port, perform the following configuration to set the PoE management mode and PoE priority of a port.
Follow these steps to set the PoE management mode...

Page 672: ...ion:
Enter system view: system-view.
Enable the PD compatibility detection function: poe legacy enable (required; disabled by default).
Upgrading the PSE Processing Software Online
The online upgrading of PSE processing software can update the processing software or repair the software if it is damaged. Before performing the following configuration, download the PSE processing...

Page 673: ...
Display the PoE status of a specific port or all ports of the device: display poe interface [ interface-type interface-number ].
Display the PoE power information of a specific port or all ports of the device: display poe interface power [ interface-type interface-number ].
Display the PSE parameters: display poe powersupply.
All three are available in any view.
PoE Configuration Example
PoE Conf...

Page 674: ... power of GigabitEthernet 1/0/2 to 2500 mW:
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] poe enable
[SwitchA-GigabitEthernet1/0/2] poe max-power 2500
[SwitchA-GigabitEthernet1/0/2] quit
Enable the PoE feature on GigabitEthernet 1/0/8 and set the PoE priority of GigabitEthernet 1/0/8 to critical:
[SwitchA] interface GigabitEthernet 1/0/8
[SwitchA-GigabitEthernet1/0/8] poe enable
[Switc...

Page 675: ...the PoE configurations in the PoE profile will be enabled on the port.
PoE Profile Configuration
Configuring PoE Profile
Follow these steps to configure PoE profile:
Enter system view: system-view.
Create a PoE profile and enter PoE profile view: poe-profile profilename (required; if the PoE profile already exists, this command takes you directly into PoE profile view).
Enable...

Page 676: ...ort.
• If one or more features in the PoE profile are not applied properly on a port, the device will prompt explicitly which PoE features in the PoE profile are not applied properly on which ports.
• The display current-configuration command can be used to query which PoE profile is applied to a port. However, the command cannot be used to query which PoE features in a PoE profile are applied success...

Page 677: ...net 1/0/1 through GigabitEthernet 1/0/5 ports is 3,000 mW, whereas the maximum power for GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10 is 15,400 mW. Based on the above requirements, two PoE profiles are made for users of group A:
• Apply PoE profile 1 for GigabitEthernet 1/0/1 through GigabitEthernet 1/0/5.
• Apply PoE profile 2 for GigabitEthernet 1/0/6 through GigabitEthernet 1/0/10.
Figure 2-1...

Page 678: ...ernet 1/0/10 ports for users of group A:
[SwitchA-poe-profile-Profile2] poe enable
[SwitchA-poe-profile-Profile2] poe mode signal
[SwitchA-poe-profile-Profile2] poe priority high
[SwitchA-poe-profile-Profile2] poe max-power 15400
[SwitchA-poe-profile-Profile2] quit
Display detailed configuration information for Profile2:
[SwitchA] display poe-profile name Profile2
Poe-profile: Profile2, 2 action
poe enable
poe pr...

Page 679: ... Route 2-2; Displaying and Maintaining Static Routes 2-3; Static Route Configuration Example 2-3; Troubleshooting a Static Route 2-4; 3 RIP Configuration 3-1; RIP Overview 3-1; Basic Concepts 3-1; RIP Startup and Operation 3-2; RIP Configuration Task List 3-3; Basic RIP Configuration 3-3; Configuration Prerequisites 3-3; Configuring Basic RIP Functions 3-3; RIP Route Control 3-4; Configuration Prerequisites 3-...

Page 680: ...figuration Prerequisites 4-2; Defining a Route Policy 4-3; Defining if-match Clauses and apply Clauses 4-3; Displaying and Maintaining IP Route Policy 4-4; IP Route Policy Configuration Example 4-4; Controlling RIP Packet Cost to Implement Dynamic Route Backup 4-4; Troubleshooting IP Route Policy 4-8 ...

Page 681: ...ns an IP address that represents a host or subnet and specifies which physical port on the router should be used to forward the packets destined for the host or subnet. The router forwards those packets through this port to the next router, or directly to the destination host if the host is on a network directly connected to the router. Routes in a routing table can be divided into three categories by...

Page 682: ...categories:
• Subnet route: The destination is a subnet.
• Host route: The destination is a host.
In addition, according to whether the network where the destination resides is directly connected to the router, routes fall into the following categories:
• Direct route: The router is directly connected to the network where the destination resides.
• Indirect route: The router is not directly connected to the...

Page 683: ...pically including RIP, OSPF and IS-IS.
• Exterior Gateway Protocols (EGPs): Work between autonomous systems. The most popular one is BGP. An autonomous system refers to a group of routers that share the same route policy and work under the same administration.
Routing algorithm
• Distance-vector protocols: RIP and BGP (BGP is also considered a path-vector protocol).
• Link-state protocols: OSPF and IS-IS.
The m...

Page 684: ...tocol has the highest priority among all the active protocols, these routes will be considered valid and are used to forward packets, thus achieving load sharing.
Route backup: You can configure multiple routes to the same destination, expecting the one with the highest priority to be the primary route and all the rest backup routes. Route backup can help improve network reliability.
Automatic switching...

Page 685: ...t routes permitted by a prefix list: display ip routing-table ip-prefix ip-prefix-name [ verbose ].
Display routes to a specified destination: display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ].
Display routes to specified destinations: display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ].
Display routes discovered by a routing protocol: displa...

Page 686: ...ally, thus resulting in network interruption. In this case, the network administrator needs to modify the configuration of static routes manually.
Static routes are divided into three types:
• Reachable route (normal route): If a static route to a destination is of this type, the IP packets destined for this destination will be forwarded to the next hop. It is the most common type of static route.
• Unreach...

Page 687: ...f related interfaces.
• Configuring IP addresses for related interfaces.
Configuring a Static Route
Follow these steps to configure a static route:
Enter system view: system-view.
Configure a static route: ip route-static ip-address { mask | mask-length } { interface-type interface-number | next-hop } [ preference preference-value ] [ reject | blackhole ] [ detect-group group-number ] [ description te...

Page 688: ...w.
Static Route Configuration Example
Network requirements
A small company requires that any two nodes in its office network communicate with each other and that the network structure be simple and stable. The company hopes that the existing devices that do not support any dynamic routing protocol can be fully utilized. In this case, static routes can implement communication between any two nodes. Acco...

Page 689: ...ip route-static 0.0.0.0 0.0.0.0 1.1.3.1
Configure static routes on Switch C:
<SwitchC> system-view
[SwitchC] ip route-static 1.1.1.0 255.255.255.0 1.1.2.1
[SwitchC] ip route-static 1.1.4.0 255.255.255.0 1.1.3.2
2. Perform the following configurations on the host.
Set the default gateway address of Host A to 1.1.5.1 (detailed configuration procedure is omitted).
Set the default gateway address of Host B to 1.1...
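As an added example that is not part of the manual, the static-route concepts from the pages above (longest-prefix matching, a preference-ranked primary route with the rest as backups, load sharing among equal routes, and the reachable, reject and blackhole route types) modelled in Python on a constructed table. The prefixes, next hops and preference values are assumptions for the example, not the switch's defaults, and the reject and blackhole actions follow the conventional meaning of those route types (ICMP unreachable returned versus silent discard) rather than text on this page.

```python
"""Added example, not from the H3C manual: a small routing-table model of
static-route selection. Longest prefix wins first; among equal-length
matches the lowest preference value is the active (primary) route, higher
values stand by as backups, and equal values share the load. Route kinds:
"reachable" forwards to the next hop, "reject" discards and answers with an
ICMP unreachable (conventional meaning), "blackhole" discards silently.

Prefixes, next hops and preference values are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                    # e.g. "1.1.1.0/24" or "0.0.0.0/0"
    next_hop: Optional[str]        # None for reject / blackhole routes
    preference: int = 60           # lower is preferred (constructed default)
    kind: str = "reachable"        # "reachable" | "reject" | "blackhole"


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        self.routes.append(route)

    def withdraw(self, prefix, next_hop):
        """Drop a route, e.g. because the link to its next hop went down;
        a backup route to the same prefix then becomes active."""
        self.routes = [r for r in self.routes
                       if not (r.prefix == prefix and r.next_hop == next_hop)]

    def best(self, dst):
        """Longest prefix match first; among equal-length matches only the
        routes with the lowest preference are active."""
        dst_ip = ip_address(dst)
        matches = [r for r in self.routes if dst_ip in ip_network(r.prefix)]
        if not matches:
            return []
        longest = max(ip_network(r.prefix).prefixlen for r in matches)
        matches = [r for r in matches
                   if ip_network(r.prefix).prefixlen == longest]
        best_pref = min(r.preference for r in matches)
        return [r for r in matches if r.preference == best_pref]

    def forward(self, dst):
        """Return (action, next_hops). More than one next hop means the
        active routes share the load."""
        active = self.best(dst)
        if not active:
            return ("no-route", [])
        kinds = {r.kind for r in active}
        if "reject" in kinds:
            return ("icmp-unreachable", [])
        if "blackhole" in kinds:
            return ("discard", [])
        return ("forward", sorted(r.next_hop for r in active))


def build_table():
    """Constructed table: a primary/backup pair, an equal-preference pair,
    a reject /8 with a more specific blackhole /16, and a default route."""
    t = RoutingTable()
    t.add(StaticRoute("1.1.1.0/24", "1.1.2.1", preference=60))   # primary
    t.add(StaticRoute("1.1.1.0/24", "1.1.3.2", preference=100))  # backup
    t.add(StaticRoute("1.1.4.0/24", "1.1.2.1"))                  # load
    t.add(StaticRoute("1.1.4.0/24", "1.1.3.2"))                  # sharing
    t.add(StaticRoute("10.0.0.0/8", None, kind="reject"))
    t.add(StaticRoute("10.10.0.0/16", None, kind="blackhole"))
    t.add(StaticRoute("0.0.0.0/0", "1.1.3.1"))                   # default
    return t


if __name__ == "__main__":
    table = build_table()
    for dst in ("1.1.1.5", "1.1.4.9", "10.10.5.5", "10.20.5.5", "8.8.8.8"):
        print(dst, table.forward(dst))
    table.withdraw("1.1.1.0/24", "1.1.2.1")      # primary next hop lost
    print("after failover:", table.forward("1.1.1.5"))
```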

Page 690: ...nce to a destination address. In RIP, the hop count from a router to its directly connected network is 0, and that to a network which can be reached through another router is 1, and so on. To restrict the time to converge, RIP prescribes that the cost is an integer ranging from 0 to 15. A hop count equal to or exceeding 16 is defined as infinite, that is, the destination network or host is unreachable. T...

Page 691: ...outing loops may occur. RIP uses the following mechanisms to prevent routing loops:
• Counting to infinity: The metric value of 16 is defined as unreachable. When a routing loop occurs, the metric value of the route will increment to 16.
• Split horizon: A router does not send the routing information learned from a neighbor back to the neighbor, to prevent routing loops and save the bandwidth.
RIP Startup...
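The counting-to-infinity and split-horizon behaviour described above, as an added example that is not part of the manual: a small Python distance-vector simulation on a constructed three-router chain (A, B, C, with network N directly connected to C) that counts the synchronous update rounds needed before every router marks N unreachable after C loses its link to N. The topology, the synchronous rounds and the rule that an update from the current next hop is always accepted are assumptions of this model, not the switch's implementation.

```python
"""Added example, not taken from the H3C manual: a distance-vector
simulation of the two RIP loop-prevention mechanisms described above,
the metric ceiling of 16 ("counting to infinity") and split horizon.

Constructed topology: A -- B -- C, network N directly connected to C.
After the C--N link fails, stale routes bounce between neighbours until
the metric reaches 16; split horizon stops that bouncing at its source.
"""

INFINITY = 16   # RIP: a hop count of 16 means unreachable

# Constructed topology: router -> list of neighbouring routers
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}


def initial_tables():
    """N is directly connected to C, so C lists it at hop count 0 (as the
    text states for directly connected networks); the others know nothing.
    Table entry format: dest -> (metric, next_hop)."""
    return {"A": {}, "B": {}, "C": {"N": (0, None)}}


def build_adverts(tables, split_horizon):
    """Collect (sender, receiver, dest, metric) for one update round.
    With split horizon a route is never advertised back to the neighbour
    it was learned from."""
    adverts = []
    for router, neighbours in LINKS.items():
        for nbr in neighbours:
            for dest, (metric, next_hop) in tables[router].items():
                if split_horizon and next_hop == nbr:
                    continue
                adverts.append((router, nbr, dest, metric))
    return adverts


def apply_adverts(table, received):
    """Update one router's table from the adverts it received this round;
    received is a list of (sender, dest, advertised_metric)."""
    new = dict(table)
    # 1. An update from the current next hop is always accepted, even when
    #    it makes the route worse: this is what lets a looped metric climb.
    for sender, dest, metric in received:
        cur = new.get(dest)
        if cur is not None and cur[1] == sender:
            new[dest] = (min(metric + 1, INFINITY), sender)
    # 2. Any strictly better route replaces the current one.
    for sender, dest, metric in received:
        m = min(metric + 1, INFINITY)
        if m < new.get(dest, (INFINITY, None))[0]:
            new[dest] = (m, sender)
    return new


def one_round(tables, split_horizon):
    """One synchronous round: adverts are built from the old tables, then
    every router applies what it received."""
    adverts = build_adverts(tables, split_horizon)
    return {
        r: apply_adverts(tables[r],
                         [(s, d, m) for s, rcv, d, m in adverts if rcv == r])
        for r in tables
    }


def converge(tables, split_horizon, max_rounds=50):
    """Run rounds until nothing changes; returns (tables, rounds_used)."""
    for rounds in range(1, max_rounds + 1):
        nxt = one_round(tables, split_horizon)
        if nxt == tables:
            return tables, rounds - 1
        tables = nxt
    return tables, max_rounds


def rounds_until_unreachable(split_horizon, max_rounds=50):
    """Converge, fail the C--N link, then count the rounds until every
    router has N at metric 16."""
    tables, _ = converge(initial_tables(), split_horizon)
    tables["C"]["N"] = (INFINITY, None)          # link to N lost
    for rounds in range(1, max_rounds + 1):
        tables = one_round(tables, split_horizon)
        if all(tables[r]["N"][0] == INFINITY for r in tables):
            return rounds
    return max_rounds


if __name__ == "__main__":
    print("without split horizon:", rounds_until_unreachable(False), "rounds")
    print("with split horizon:   ", rounds_until_unreachable(True), "rounds")
```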

Page 692: ...nal Configuring split horizon Optional Configuring RIP 1 packet zero field check Optional Setting RIP 2 packet authentication mode Optional RIP Network Adjustment and Optimization Configuring RIP to unicast RIP packets Optional Basic RIP Configuration Configuration Prerequisites Before configuring basic RIP functions perform the following tasks z Configuring the link layer protocol z Configuring t...

Page 693: ...end RIP update packets rip output Enable the interface to receive and send RIP update packets rip work Optional Enabled by default Specifying the RIP version on an interface Follow these steps to specify the RIP version on an interface To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Specify the version of the RIP running on...

Page 694: ...tional routing metric To do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Set the additional routing metric to be added for incoming RIP routes on this interface rip metricin value Optional 0 by default Set the additional routing metric to be added for outgoing RIP routes on this interface rip metricout value Optional 1 by defa...

Page 695: ...quired By default the router receives host routes Configuring RIP to filter incoming outgoing routes The route filtering function provided by a router enables you to configure inbound outbound filter policy by specifying an ACL address prefix list or route policy to make RIP filter incoming outgoing routes Besides you can configure RIP to receive only the RIP packets from a specific neighbor Follo...

Page 696: ...configure RIP to import routes from another protocol To do Use the command Remarks Enter system view system view Enter RIP view rip Configure a default cost for an incoming route default cost value Optional 1 by default Configure RIP to redistribute routes from another protocol import route protocol process id cost value route policy route policy name Required By default RIP does not redistribute ...

Page 697: ...e timer is 30 seconds and the Timeout timer 180 seconds. When configuring the values of RIP timers, you should take network performance into consideration and perform consistent configuration on all routers running RIP to avoid unnecessary network traffic and network route oscillation. Configuring split horizon. Follow these steps to configure split horizon (To do / Use the command / Remarks): Enter system v...

Page 698: ...th packets that are not encrypted. Therefore, simple authentication cannot be applied where high security is required. Follow these steps to set RIP-2 packet authentication mode (To do / Use the command / Remarks):
- Enter system view: system-view
- Enter interface view: interface interface-type interface-number
- Set RIP-2 packet authentication mode: rip authentication-mode simple password | md5 rfc2082 key-string ke...

Page 699: ...eset. Available in RIP view. RIP Configuration Example. Network requirements: A small-sized company requires that any two nodes in its small office network communicate with each other and that the network devices automatically adapt themselves to any topology change so as to reduce the work of manual maintenance. In this case, RIP can implement communication between any two nodes. According to the networ...

Page 700: ...196.38.165.0
[SwitchB-rip] network 110.11.2.0
3) Configure Switch C. Configure RIP:
<SwitchC> system-view
[SwitchC] rip
[SwitchC-rip] network 117.102.0.0
[SwitchC-rip] network 110.11.2.0
Troubleshooting RIP Configuration. Failed to Receive RIP Updates. Symptom: The device cannot receive any RIP update when the physical connection between the device and the peer routing device is normal. Solution: Check that:
- RIP i...

Page 701: ...or example, may need to import the routing information discovered by other protocols to enrich its routing knowledge. While importing routing information from another protocol, it possibly only needs to import the routes meeting given conditions and control some attributes of the imported routes to make the routes meet the requirements of this protocol. For the implementation of a route policy, you nee...

Page 702: ... will pass the matching test of the route policy without entering the test of the next node. IP Route Policy Configuration Task List. Complete the following tasks to configure an IP route policy (Task / Remarks):
- Defining a Route Policy: Required (Route Policy Configuration)
- Defining if-match Clauses and apply Clauses: Required (Route Policy Configuration)
A route policy is used to match given routing informat...

Page 703: ... next node.
- If multiple nodes are defined in a route policy, at least one of them should be in permit mode. When a route policy is applied to filtering routing information, if a piece of routing information does not match any node, the routing information will be denied by the route policy. If all the nodes in the route policy are in deny mode, all routing information will be denied by the route policy...

Page 704: ... all the routes will filter through the node.
- A node can comprise no if-match clause or multiple if-match clauses.
- Each node comprises a set of if-match and apply clauses: if-match clauses define matching rules; apply clauses specify the actions performed after a matching test against the node is successful, and the actions can be the attribute settings of routing information.
Displaying and Maintai...

Page 705: ... RIP.
- For the OA server, the main link is between Switch A and Switch C, while the backup link is between Switch B and Switch C.
- For the service server, the main link is between Switch B and Switch C, while the backup link is between Switch A and Switch C.
- Apply a route policy to control the cost of routes received by Switch C to provide main and backup links for the services of the OA server and s...

Page 706: ...e being permit. Define if-match clauses. Apply the cost 5 to routes matching the outgoing interface VLAN-interface 2 and ACL 2000:
[SwitchC] route-policy in permit node 10
[SwitchC-route-policy] if-match interface Vlan-interface2
[SwitchC-route-policy] if-match acl 2000
[SwitchC-route-policy] apply cost 5
[SwitchC-route-policy] quit
Create node 20 with the matching mode being permit in the route policy. Define ...

Page 707: ...table
Routing Table: public net
Destination/Mask   Protocol  Pre  Cost  Nexthop    Interface
1.0.0.0/8          RIP       100  5     2.2.2.1    Vlan-interface2
2.0.0.0/8          DIRECT    0    0     2.2.2.2    Vlan-interface2
2.2.2.2/32         DIRECT    0    0     127.0.0.1  InLoopBack0
3.0.0.0/8          RIP       100  5     6.6.6.5    Vlan-interface6
6.0.0.0/8          DIRECT    0    0     6.6.6.6    Vlan-interface6
6.6.6.6/32         DIRECT    0    0     127.0.0.1  InLoopBack0
127.0.0.0/8        DIRECT    0    0     127.0.0.1  InLoopBack0
127.0...

Page 708: ...ceding nodes in a route policy. 4) If the cost of a received RIP route is equal to 16, the cost specified by the apply cost command in a route policy will not be applied to the route; that is, the cost of the route is equal to 16. 5) Using the filter-policy command does not filter redistributed routes. Troubleshooting IP Route Policy. Symptom: The route policy cannot filter routing information correctly whe...

Page 709: ... 1 UDP Helper Configuration 1-1; Introduction to UDP Helper 1-1; Configuring UDP Helper 1-2; Displaying and Maintaining UDP Helper 1-3; UDP Helper Configuration Example 1-3; Cross-Network Computer Search Through UDP Helper 1-3 ...

Page 710: ... With UDP Helper enabled, the device decides whether to forward a received UDP broadcast packet according to the UDP destination port number of the packet:
- If the destination port number of the packet matches the one pre-configured on the device, the device modifies the destination IP address in the IP header and then sends the packet to the specified destination server.
- Otherwise, the device sends...

Page 711: ...s (Required; no destination server is specified by default).
- You need to enable UDP Helper before specifying any UDP port to match UDP broadcasts; otherwise, the configuration fails. When the UDP Helper function is disabled, all configured UDP ports are disabled, including the default ports.
- The dns, netbios-ds, netbios-ns, tacacs, tftp, and time keywords correspond to the six default ports. You can configure...

Page 712: ...ey are connected through Switch A and are routable to each other. It is required to configure UDP Helper on Switch A so that PC A can find PC B through computer search. Broadcasts with UDP port 137 are used for searching. Figure 1-1 Network diagram for UDP Helper configuration. Configuration procedure: Enable UDP Helper on Switch A:
<SwitchA> system-view
[SwitchA] udp-helper enable
Configure Switch A to for...

Page 713: ...i Table of Contents: Appendix A Acronyms A-1 ...

Page 714: ...Class of Service. D: DDM Distributed Device Management; DLA Distributed Link Aggregation; DRR Distributed Resilient Routing; DHCP Dynamic Host Configuration Protocol; DR Designated Router; D-V Distance-Vector Routing Algorithm. E: EGP Exterior Gateway Protocol. F: FTP File Transfer Protocol. G: GE Gigabit Ethernet. I: IAB Internet Architecture Board; ICMP Internet Control Message Protocol; IGMP Internet Group Mana...

Page 715: ...l Independent Multicast-Dense Mode; PIM-SM Protocol Independent Multicast-Sparse Mode. Q: QoS Quality of Service. R: RMON Remote Network Monitoring; RSTP Rapid Spanning Tree Protocol. S: SNMP Simple Network Management Protocol; SP Strict Priority; STP Spanning Tree Protocol. T: TCP/IP Transmission Control Protocol/Internet Protocol; TFTP Trivial File Transfer Protocol; ToS Type of Service; TTL Time To Live. U: UDP...
