H3C H3C S3100 8C SI Operation Manual Download Page 681

Page: 681 / 944

Operation Manual – SSH
H3C S3100 Series Ethernet Switches

Chapter 1 SSH Configuration

1-7

1.3.1 Configuring the User Interfaces for SSH Clients

An SSH client accesses the device through a VTY user interface. Therefore, you need

to configure the user interfaces for SSH clients to allow SSH login. Note that the

configuration takes effect at the next login.

Table 1-3

Follow these steps to configure the user interface for SSH clients:

To do...

Use the command...

Remarks

Enter system view

system-view

—

Enter user interface
view of one or more
user interfaces

user-interface vty

first-number

[

last-number

]

—

Configure the
authentication mode
as scheme

authentication-mode

scheme

[

command-authorization

]

Required

By default, the user
interface authentication
mode is password.

Specify the supported
protocol(s)

protocol inbound

{

all

ssh

telnet

}

Optional

By default, both Telnet
and SSH are supported.

Caution:

If you have configured a user interface to support SSH protocol, you must configure

AAA authentication for the user interface by using the

authentication-mode

scheme

command to ensure successful login.

On a user interface, if the

authentication-mode password

authentication-mode none

command has been executed, the

protocol inbound

ssh

command is not available. Similarly, if the

protocol inbound ssh

command

has been executed, the

authentication-mode password

and

authentication-mode none

commands are not available.

1.3.2 Configuring the SSH Management Functions

The SSH server provides a number of management functions. Some functions can

prevent illegal operations such as malicious password guess, further guaranteeing the

security of SSH connections.

Summary of Contents for H3C S3100 8C SI

Page 1: ...H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20080710 C 1 05 ...

Page 2: ... V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statement...

Page 3: ...ance fundamental and the related configuration 7 Voice VLAN Introduces voice VLAN fundamental and the related configuration 8 GVRP Introduces GVRP and the related configuration 9 Port Basic Configuration Introduces basic port configuration 10 Link Aggregation Introduces link aggregation and the related configuration 11 Port Isolation Introduces port isolation and the related configuration 12 Port ...

Page 4: ...age network devices through SNMP and RMON 28 NTP Introduces NTP and the related configuration 29 SSH Introduces SSH and the related configuration 30 File System Management Introduces basic configuration for file system management 31 FTP SFTP TFTP Introduces basic configuration for FTP SFTP TFTP and the applications 32 Information Center Introduces the configuration to analyze and diagnose networks...

Page 5: ...um of one or a maximum of all can be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Description Boldface Window names button names field names and menu items are in Boldfa...

Page 6: ...he safety information of H3C S3100 series Ethernet switches Obtaining Documentation You can access the most up to date H3C product documentation on the World Wide Web at this URL http www h3c com The following are the columns from which you can obtain different categories of product documentation Products Solutions Provides information about products and technologies Technical Support Document Tec...

Page 7: ...2 H3C Website 1 1 1 3 Software Release Notes 1 2 Chapter 2 Correspondence Between Documentation and Software 2 1 2 1 Manual List 2 1 2 2 Software Version 2 1 Chapter 3 Product Overview 3 1 3 1 Overview 3 1 3 2 Software Features 3 1 Chapter 4 Network Design 4 1 4 1 MAN Access Solution 4 1 4 2 Education Network Solution 4 1 4 3 Multi Service Carrier VLAN Solution 4 2 ...

Page 8: ...product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website 1 2 H3C Website Perform the following steps to query and download the product...

Page 9: ...es Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 10: ...are Version H3C S3100 Series Ethernet Switches Operation Manual and H3C S3100 Series Ethernet Switches Command Manual are for the software versions list in Table 2 1 of the S3100 SI series and S3100 EI series switches Table 2 1 Corresponding software versions of this manual Switch Software Version S3100 SI series Release2102 Release2107 S3100 EI series Release2104 Release2107 Release2107P01 The su...

Page 11: ...er public key import 29 SSH FTP disconnect 31 FTP SFTP TFTP Identifying and Diagnosing Pluggable Transceivers 33 System Maintenance and Debugging Release2107 IPv6 Management 36 IPv6 Management Table 2 3 Added features compared with the earlier software version of S3100 EI Software Version Added Features Compared With The Earlier Version Manual Configuring loopback detection for a list of ports in ...

Page 12: ...zes the features provided by each module Table 3 1 Software features of the S3100 series Part Features 1 CLI z CLI z Hierarchically grouped commands z CLI online help 2 Login z Logging into a switch through the Console port z Logging into a switch through an Ethernet port by using Telnet or SSH z Logging into a switch through the Console port by using modem z Logging into a switch through Web or N...

Page 13: ...eries switches 13 DLDP Device link detection protocol DLDP Supported by only S3100 EI series switches 14 MAC Address Table Management z Manually configuring dynamic static and black hole MAC addresses z Configuring the aging time for MAC addresses z MAC address learning limit z Disabling ports in a VLAN from learning MAC addresses Supported by only S3100 EI series switches 15 MSTP z STP RSTP MSTP ...

Page 14: ...oup Management Protocol HGMP v2 z Neighbor discovery protocol NDP z Neighbor topology discovery protocol NTDP z Stack 26 PoE PoE Profile z Power over Ethernet PoE z PoE profile 27 SNMP RMON z Simple network management protocol SNMP v3 compatible with SNMP v1 v2 z Remote monitoring RMON 28 NTP z Network time protocol NTP 29 SSH z SSH1 Supported by only S3100 EI series switches z SSH2 z Operating as...

Page 15: ... Configuring BPDU Tunnel Supported by only S3100 EI series switches z Selective QinQ Supported by only S3100 EI series switches 35 HWPing HWPing 36 IPv6 Management z Supporting IPv6 address z IPv6 based Ping Traceroute TFTP and Telnet 37 DNS z Static Domain Name System DNS z Dynamic DNS Supported by only S3100 EI series switches 38 Smart Link Monitor Link z Smart Link Supported by only S3100 EI se...

Page 16: ... interfaces and in the uplink direction they connect to an aggregation layer Layer 3 switches or MA5200 intelligent service gateways which further connect to the core of the MAN through routers This provides you a comprehensive gigabit to backbone 100 Mbps to desktop MAN solution Figure 4 1 Network diagram for a MAN using S3100 series 4 2 Education Network Solution In a campus network the S3100 se...

Page 17: ...ment of various application technologies enterprise users are increasingly relying on network services They hope the networks can offer secure reliable leased lines VOIP and video conference services thus reducing their operating costs Additionally apart from simple Internet surfing individual users expect more abundant services from the networks e g IPTV video chatting real time gaming etc Meanwh...

Page 18: ...rs can implement uniform planning and precise management VLAN layout is simple and is not affected by the customer side End office Switch Campus Switch S3100 EI DSLAM IP MAN Figure 4 3 DSLAM convergence application Another more complicated configuration example is when the LAN is connected to dense Home Gateways HG Generally the ex factory setting of an HG is simple as it uses a fixed VLAN tag to ...

Page 19: ...Operation Manual Product Overview H3C S3100 Series Ethernet Switches Chapter 4 Network Design 4 4 Figure 4 4 New vlan management scheme ...

Page 20: ...roduction to the CLI 1 1 1 2 Command Hierarchy 1 1 1 2 1 Command Level and User Privilege Level 1 1 1 2 2 Modifying the Command Level 1 2 1 2 3 Switching User Level 1 3 1 3 CLI Views 1 7 1 4 CLI Features 1 12 1 4 1 Online Help 1 12 1 4 2 Terminal Display 1 13 1 4 3 Command History 1 13 1 4 4 Error Prompts 1 14 1 4 5 Command Edit 1 15 ...

Page 21: ...p at any time by entering a question mark z Debugging Abundant and detailed debugging information is provided to help users diagnose and locate network problems z Command history function This enables users to check the commands that they have lately executed and re execute the commands z Partial matching of commands The system will use partially matching method to search for commands This allows ...

Page 22: ...spond to the four command levels respectively Users at a specific level can only use the commands at the same level or lower levels By default the Console user a user who logs into the switch through the Console port is a level 3 user and Telnet users are level 0 users You can use the user privilege level command to set the default user privilege level for users logging in through a certain user i...

Page 23: ...l tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell tftp 192 168 0 1 get Sysname command privilege level 0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1 and other TFTP servers 1 2 3 Swit...

Page 24: ... backup authentication mode super authentication mode super password scheme Specify the authentication mode for user level switching HWTACACS authentication preferred with the super password authentication as the backup authentication mode super authentication mode scheme super password Optional By default super password authentication is adopted for user level switching Note When both the super p...

Page 25: ...ing a level 3 user must perform the commands listed in Table 1 5 to configure the HWTACACS authentication scheme used for low to high user level switching With HWTACACS authentication enabled you can pass the HWTACACS authentication successfully only after you provide the right user name and the corresponding password as prompted Note that if you have passed the HWTACACS authentication when loggin...

Page 26: ... by default z For security purpose the password entered is not displayed when you switch to another user level You will remain at the original user level if you have tried three times but failed to enter the correct authentication information V Configuration example After a general user telnets to the switch his her user level is 0 Now the network administrator wants to allow general users to swit...

Page 27: ...r level switching in the ISP domain named system Sysname domain system Sysname isp system authentication super hwtacacs scheme acs Switch to user level 3 assuming that you log into the switch as a VTY 0 user by Telnet Sysname super 3 Username user system Password User privilege level is 3 and only those commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2 ...

Page 28: ...igure Ethernet port parameters 1000 Mbps Ethernet port view Sysname Gig abitEthernet1 1 1 Execute the interface gigabitethernet command in system view Aux1 0 0 port the console port view The S3100 series do not support configuration on port Aux1 0 0 Sysname Au x1 0 0 Execute the interface aux 1 0 0 command in system view VLAN view Configure VLAN parameters Sysname vla n1 Execute the vlan command i...

Page 29: ... the sftp command in system view MST region view Configure MST region parameters Sysname mst region Execute the stp region configuration command in system view Cluster view Configure cluster parameters Sysname clu ster Execute the cluster command in system view Configure the RSA public key for SSH users Sysname rsa public key Execute the rsa peer public key command in system view Public key view C...

Page 30: ...ame acl ethernetframe 4000 Execute the acl number command in system view QoS profile view Define QoS profile Supported by only S3100 EI series switches Sysname qos profile a123 Execute the qos profile command in system view RADIUS scheme view Configure RADIUS scheme parameters Sysname radi us 1 Execute the radius scheme command in system view ISP domain view Configure ISP domain parameters Sysname...

Page 31: ...e sml k group1 Execute the smart link group command in system view Monitor link group view Configure monitor link group parameters Supported by only S3100 EI series switches Sysname mtl k group1 Execute the monitor link group command in system view QinQ view Configure QinQ parameters Supported by only S3100 EI series switches Sysname Eth ernet1 0 1 vid 20 Execute the vlan vpn vid command in Ethern...

Page 32: ...ging Enable system debugging functions delete Delete a file dir List files on a file system display Display current system information Other information is omitted 2 Enter a command a space and a question mark If the question mark is at a keyword position in the command all available keywords at the position and their descriptions will be displayed on your terminal Sysname clock datetime Specify t...

Page 33: ... the unique keyword is displayed in its complete form If there are multiple keywords beginning with the characters you can have them displayed one by one in complete form by pressing Tab repeatedly 1 4 2 Terminal Display The CLI provides the screen splitting feature to have display output suspended when the screen is full When display output pauses you can perform the following operations as neede...

Page 34: ...able Note z The Windows 9x HyperTerminal explains the up and down arrow keys in a different way and therefore the two keys are invalid when you access history commands in such an environment However you can use Ctrl P and Ctrl N instead to achieve the same purpose z When you enter the same command multiple times consecutively only one history command entry is created by the command line interface ...

Page 35: ...n 254 characters Backspace key Delete the character on the left of the cursor and move the cursor one character to the left Left arrow key or Ctrl B Move the cursor one character to the left Right arrow key or Ctrl F Move the cursor one character to the right Up arrow key or Ctrl P Down arrow key or Ctrl N Display history commands Tab Use the partial online help That is when you input an incomplet...

Page 36: ...figuration with Authentication Mode Being Password 2 9 2 5 1 Configuration Procedure 2 9 2 5 2 Configuration Example 2 11 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 13 2 6 1 Configuration Procedure 2 13 2 6 2 Configuration Example 2 15 Chapter 3 Logging in through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 1 3 1 2 Telnet Configurations for Differ...

Page 37: ... 1 6 1 Introduction 6 1 6 2 Connection Establishment Using NMS 6 1 Chapter 7 User Control 7 1 7 1 Introduction 7 1 7 2 Controlling Telnet Users 7 1 7 2 1 Prerequisites 7 1 7 2 2 Controlling Telnet Users by Source IP Addresses 7 2 7 2 3 Controlling Telnet Users by Source and Destination IP Addresses 7 2 7 2 4 Controlling Telnet Users by Source MAC Addresses 7 3 7 2 5 Configuration Example 7 4 7 3 C...

Page 38: ...AUX port and the Console port of an H3C Ethernet switch are the same port refereed to as Console port in the following part You will be in the AUX user interface if you log in through this port S3100 series Ethernet switches support two types of user interfaces AUX and VTY z AUX user interface A view when you log in through the AUX port AUX port is a line device port z Virtual type terminal VTY us...

Page 39: ...e numbered VTY0 VTY1 and so on 1 2 3 Common User Interface Configuration Table 1 2 Common user interface configuration Operation Command Description Lock the current user interface lock Optional Execute this command in user view A user interface is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this comm...

Page 40: ... first number last number Display the information about the current user interface all user interfaces display users all Display the physical attributes and configuration of the current a specified user interface display user interface type number number Display the information about the current web users display web users Optional You can execute the display command in any view ...

Page 41: ...t settings of a Console port Setting Default Baud rate 9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log into a switch through the Console port make sure the settings of both the Console port and the user terminal are the same After logging into a switch you can perform configuration for AUX users Refer to section 2 3 Console Port Login Configuration for more 2 2 Lo...

Page 42: ...yperTerminal in Windows 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the Console port of the switch are configured as those listed in Table 2 1 Figure 2 2 Create a connection Figure 2 3 Specify the port u...

Page 43: ...sfully completes POST power on self test The prompt such as H3C appears after you press the Enter key as shown in Figure 2 5 Figure 2 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corresponding commands You can also acquire help by typing the character Refer to related parts in this manual for information about the commands used ...

Page 44: ...rt configuration Data bits Optional The default data bits of a Console port is 8 AUX user interface configuration Configure the command level available to the users logging into the AUX user interface Optional By default commands of level 3 are available to the users logging into the AUX user interface Make terminal services available Optional By default terminal services are available in all user...

Page 45: ...s of the terminal emulation utility running on your PC accordingly in the dialog box shown in Figure 2 4 2 3 2 Console Port Login Configurations for Different Authentication Modes Table 2 3 lists Console port login configurations for different authentication modes Table 2 3 Console port login configurations for different authentication modes Authentication mode Console port login configuration Rem...

Page 46: ...e configured on the switch z The user name and password of a RADIUS user are configured on the RADIUS server Refer to user manual of RADIUS server for more Manage AUX users Set service type for AUX users Required Scheme Perform common configuration Perform common configuration for Console port login Optional Refer to Table 2 2 Note Changes made to the authentication mode for Console port login tak...

Page 47: ...ional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface and commands of level 0 are available to users logging into the VTY user interface Enable terminal services shell Optional By default terminal s...

Page 48: ... requirements Assume that the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the Console port AUX user interface z Do not authenticate the users z Commands of level 2 are available to the users logging into the AUX user interface z The baud rate of the Consol...

Page 49: ...the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accord...

Page 50: ...s 1 1 5 2 Optional The default stop bits of a Console port is 1 Configure the Console port Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal servi...

Page 51: ...ts Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the Console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are available to the users z The baud rate of ...

Page 52: ...level 2 are available to users logging into the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 2...

Page 53: ...default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA part for more z Configure the user na...

Page 54: ...he default stop bits of a Console port is 1 Configure the Console port Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the user interface user privilege level level Optional By default commands of level 3 are available to users logging into the AUX user interface Make terminal services available to the...

Page 55: ...tch depends on the command level specified in the service type terminal level level command 2 6 2 Configuration Example I Network requirements Assume the switch is configured to allow users to log in through Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Configure the local ...

Page 56: ...he service type to Terminal Specify commands of level 2 are available to users logging into the AUX user interface Sysname luser guest service type terminal level 2 Sysname luser guest quit Enter AUX user interface view Sysname user interface aux 0 Configure to authenticate users logging in through the Console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of ...

Page 57: ...ging in through the Console Port 2 17 Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in the dialog box shown in Figure 2 4 to log into the switch successfully ...

Page 58: ...on Table 3 1 Requirements for Telnetting to a switch Item Requirement The IP address is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for more Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Tel...

Page 59: ...efault terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands VTY terminal configuration Set the timeout time of a user interface Optional The default timeout time is 10 minutes ...

Page 60: ...ver for more Manage VTY users Set service type for VTY users Required Scheme Perform common configuration Perform common Telnet configuration Optional Refer to Table 3 2 Note To improve security and prevent attacks to the unused Sockets TCP 23 and TCP 22 ports for Telnet and SSH services respectively will be enabled or disabled after corresponding configurations z If the authentication mode is non...

Page 61: ...r interfaces Configure the protocols to be supported by the VTY user interface protocol inbound all ssh telnet Optional By default both Telnet protocol and SSH protocol are supported Set the commands to be executed automatically after a user login to the user interface successfully auto execute command text Optional By default no command is executed automatically after a user logs into the VTY use...

Page 62: ... into a switch depends on the user privilege level level command 3 2 2 Configuration Example I Network requirements Assume current user logins through the Console port and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through VTY 0 using Telnet z Do not authenticate the users z Commands of level 2 are available to the users z Tel...

Page 63: ...Configuration with Authentication Mode Being Password 3 3 1 Configuration Procedure Table 3 5 Telnet configuration with the authentication mode being password Operation Command Description Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users logging into VTY user interfaces using the local password auth...

Page 64: ...fer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no...

Page 65: ...ew Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging into VTY 0 using the password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into VTY 0 Sysname ui vty0 user privi...

Page 66: ...s applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA part for more z Configure the user name and password accordingly on...

Page 67: ...Optional Both Telnet protocol and SSH protocol are supported by default Set the commands to be executed automatically after a user login to the user interface successfully auto execute command text Optional By default no command is executed automatically after a user logs into the VTY user interface Make terminal services available shell Optional Terminal services are available in all use interfac...

Page 68: ...t terminal level level command as listed in Table 3 7 Table 3 7 Determine the command level when users logging into switches are authenticated in the scheme mode Scenario Authenticati on mode User type Command Command level The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command ...

Page 69: ...service type command specifies the available command level Determined by the user privilege level level command The user privilege level level command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the service type command specifies the available command level Determined by the service typ...

Page 70: ...to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes II Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme III Configuration procedure Enter system view Sysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication passw...

Page 71: ...tch from a Terminal 1 Assign an IP address to VLAN interface 1 of the switch VLAN 1 is the default VLAN of the switch z Connect the serial port of your PC terminal to the Console port of the switch as shown in Figure 3 4 Figure 3 4 Diagram for establishing connection to a Console port z Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Wi...

Page 72: ...erform Telnet related configuration on the switch Refer to section 3 2 Telnet Configuration with Authentication Mode Being None section 3 3 Telnet Configuration with Authentication Mode Being Password and section 3 4 Telnet Configuration with Authentication Mode Being Scheme for more 3 Connect your PC terminal and the Switch to an Ethernet as shown in Figure 3 6 Make sure the port through which th...

Page 73: ... display the information about the switch by executing corresponding commands You can also type at any time for help Refer to the relevant parts in this manual for the information about the commands Note z A Telnet connection is terminated if you delete or modify the IP address of the VLAN interface in the Telnet session z By default commands of level 0 are available to Telnet users authenticated ...

Page 74: ...uthentication Mode Being Scheme for more 2 Telnet to the switch operating as the Telnet client 3 Execute the following command on the switch operating as the Telnet client Sysname telnet xxxx Note that xxxx is the IP address or the host name of the switch operating as the Telnet server You can use the ip host to assign a host name to a switch 4 After successful login the CLI prompt such as Sysname...

Page 75: ...m Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configured The modem is properly connected to PSTN and a telephone set Switch side The authentication mode and other related se...

Page 76: ...rwise packets may get lost z Other settings of the Console port such as the check mode the stop bits and the data bits remain the default The configuration on the switch depends on the authentication mode the user is in Refer to Table 2 3 for the information about authentication mode configuration I Configuration on switch when the authentication mode is none Refer to section 2 4 Console Port Logi...

Page 77: ... 1 Modem Configuration for related configuration 3 Connect your PC the modems and the switch as shown in Figure 4 1 Make sure the modems are properly connected to telephone lines Console port PSTN Telephone line Modem serial cable Telephone number of the romote end 82882285 Modem Modem Figure 4 1 Establish the connection by using modems 4 Launch a terminal emulation utility on the PC and set the t...

Page 78: ...rompted If the password is correct the prompt such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part...

Page 79: ...ssigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The user name and password for logging into the Web based network management system are configured IE is available PC operating as the network management terminal The ...

Page 80: ...2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 5 2 The login page of the Web based network management system 5 3 Configuring the Login Banner 5 3 1 Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displaye...

Page 81: ...tch through Web z The banner page is desired when a user logs into the switch II Network diagram Figure 5 3 Network diagram for login banner configuration III Configuration Procedure Enter system view Sysname system view Configure the banner Welcome to be displayed when a user logs into the switch through Web Sysname header login Welcome Assume that a route is available between the user terminal t...

Page 82: ...ng the WEB Server Table 5 3 Enable Disable the WEB Server Operation Command Description Enter system view system view Enable the Web server ip http shutdown Required By default the Web server is enabled Disable the Web server undo ip http shutdown Required Note To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the correspon...

Page 83: ...orm related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The basic SNMP fun...

Page 84: ...ntrolling Telnet Users by Source and Destination IP Addresses Telnet By source MAC address Through Layer 2 ACL Section 7 2 4 Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACL Section 7 3 Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Section 7 4 Controlling Web Users by Source IP Address WEB Disconne...

Page 85: ...rs by source IP addresses acl acl number inbound outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 7 2 3 Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination IP addresses is a...

Page 86: ... 2 4 Controlling Telnet Users by Source MAC Addresses Controlling Telnet users by source MAC addresses is achieved by applying Layer 2 ACLs which are numbered from 4000 to 4999 Table 7 4 Control Telnet users by source MAC addresses Operation Command Description Enter system view system view Create or enter Layer 2 ACL view acl number acl number Define rules for the ACL rule rule id deny permit rul...

Page 87: ...e a basic ACL Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Apply the ACL Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound 7 3 Controlling Network Management Users by Source IP Addresses You can manage an S3100 Ethernet switch through network management software Network management users can acces...

Page 88: ...e ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name acl acl number mib view view name Apply the ACL while configuring the SNMP group name snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number snmp agent group v...

Page 89: ...ber 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Apply the ACL to only permit SNMP users sourced from the IP addresses of 10 110 100 52 to access the switch Sysname snmp agent community read aaa acl 2000 Sysname snmp agent group v2c groupa acl 2000 Sysname snmp agent usm user v2c usera groupa acl 2000 7 4 Controlling Web Users by Source IP Address Yo...

Page 90: ...umber acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL to control Web users ip http acl acl number Optional By default no ACL is applied for Web users 7 4 3 Disconnecting a Web User by Force The administrator can disconnect a Web u...

Page 91: ... 7 3 Network diagram for controlling Web users using ACLs III Configuration procedure Define a basic ACL Sysname system view Sysname acl number 2030 Sysname acl basic 2030 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2030 quit Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 92: ... Chapter 1 Configuration File Management 1 1 1 1 Introduction to Configuration File 1 1 1 2 Management of Configuration File 1 2 1 2 1 Saving the Current Configuration 1 2 1 2 2 Erasing the Startup Configuration File 1 4 1 2 3 Specifying a Configuration File for Next Startup 1 4 1 2 4 Displaying Device Configuration 1 5 ...

Page 93: ...ands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are listed in this order system configuration section logical interface configuration section physical port configuration section routing protocol configuration section user interface configuration and so on z End with a...

Page 94: ... with the backup configuration 3 If neither the main nor the backup configuration file exists z For an S3100 SI Ethernet switch the switch starts up without loading the configuration file z For an S3100 EI Ethernet switch if the default configuration file config def exists the switch initializes with the default configuration file if the default configuration file does not exist the switch starts ...

Page 95: ...e current configuration the configuration file you get has main attribute If this configuration file already exists and has backup attribute the file will have both main and backup attributes after execution of this command If the filename you entered is different from that existing in the system this command will erase its main attribute to allow only one main attribute configuration file in the ...

Page 96: ...file is corrupted or not the one you needed The following two situations exist z While the reset saved configuration main command erases the configuration file with main attribute it only erases the main attribute of a configuration file having both main and backup attribute z While the reset saved configuration backup command erases the configuration file with backup attribute it only erases the ...

Page 97: ...te to the startup configuration file z If you save the current configuration to the backup configuration file the system will automatically set the file as the backup startup configuration file z You can also use the startup saved configuration cfgfile backup command to set the file as backup startup configuration file Caution The configuration file must use cfg as its extension name and the start...

Page 98: ...num Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type interface interface type inte...

Page 99: ...2 VLAN Configuration 2 1 2 1 VLAN Configuration 2 1 2 1 1 VLAN Configuration Task List 2 1 2 1 2 Basic VLAN Configuration 2 1 2 1 3 Basic VLAN Interface Configuration 2 2 2 1 4 Displaying VLAN Configuration 2 3 2 2 Configuring a Port Based VLAN 2 3 2 2 1 Configuring an Access Port Based VLAN 2 3 2 2 2 Configuring a Hybrid Port Based VLAN 2 4 2 2 3 Configuring a Trunk Port Based VLAN 2 5 2 2 4 Disp...

Page 100: ...e packet The above scenarios could result in the following network problems z Large quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the above problems The trad...

Page 101: ...u can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required z Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible 1 1 3 VLAN Fundamentals I VLAN tag To enable a Layer 2 switch to identify fram...

Page 102: ...cal format value 1 indicates that the MAC addresses are encapsulated in non canonical format The field is set to 0 by default z The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved by the protocol a VLAN ID actually ranges from 1 to 4094 Note The Ethernet II encapsulation format is used here Besides the Ethernet II encapsulatio...

Page 103: ...t of a VLAN are forwarded according to the VLAN s own MAC address forwarding table Currently the H3C S3100 series Ethernet switches adopt the IVL mode only For more information about the MAC address forwarding table refer to the MAC Address Forwarding Table Management part of the manual 1 1 4 VLAN Interface Hosts in different VLANs cannot communicate with each other directly unless routers or Laye...

Page 104: ...ave the three link types access trunk and hybrid For the three types of ports the process of being added into a VLAN and the way of forwarding packets are different Port based VLANs are easy to implement and manage and applicable to hosts with relatively fixed positions 1 2 1 Link Types of Ethernet Ports The link type of an Ethernet port on the S3100 series can be one of the following z Access An ...

Page 105: ... VLAN Therefore the VLAN an access port belongs to is also the default VLAN of the access port A hybrid trunk port can belong to multiple VLANs so you should configure a default VLAN ID for the port After a port is added to a VLAN and configured with a default VLAN the port receives and sends packets in a way related to its link type For detailed description refer to the following tables Table 1 1...

Page 106: ...ssing of an outgoing packet z If the port has already been added to its default VLAN tag the packet with the default VLAN tag and then forward the packet z If the port has not been added to its default VLAN discard the packet z If the VLAN ID is one of the VLAN IDs allowed to pass through the port receive the packet z If the VLAN ID is not one of the VLAN IDs allowed to pass through the port disca...

Page 107: ... and 802 2 802 3 defined by RFC 1042 The two encapsulation formats are described in the following figures Ethernet II packet Figure 1 4 Ethernet II encapsulation format 802 2 802 3 packet Figure 1 5 802 2 802 3 encapsulation format In the two figures DA and SA refer to the destination MAC address and source MAC address of the packet respectively The number in the bracket indicates the field length...

Page 108: ...he protocol to which a packet belongs Protocol templates include standard templates and user defined templates z The standard template adopts the RFC defined packet encapsulation formats and values of some specific fields as the matching criteria z The user defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring t...

Page 109: ...uration Optional Displaying VLAN Configuration Optional 2 1 2 Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Assign...

Page 110: ...tatic VLAN and the switch will output the prompt information 2 1 3 Basic VLAN Interface Configuration I Configuration prerequisites Before configuring a VLAN interface create the corresponding VLAN II Configuration procedure Follow these steps to perform basic VLAN interface configuration To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface v...

Page 111: ...fluence the physical status of the Ethernet ports belonging to this VLAN z An S3100 series switch can be configured with a single VLAN interface only and the VLAN must be the management VLAN For details about the management VLAN refer to the Management VLAN Configuration part of this manual 2 1 4 Displaying VLAN Configuration To do Use the command Remarks Display the VLAN interface information dis...

Page 112: ...ce interface type interface number Configure the port link type as Access port link type access Optional The link type of a port is Access by default Add the current Access port to a specified VLAN port access vlan vlan id Optional By default all Access ports belong to VLAN 1 Note To add an Access port to a VLAN make sure the VLAN already exists 2 2 2 Configuring a Hybrid Port Based VLAN A Hybrid ...

Page 113: ...uring them to pass through a Hybrid port z The default VLAN IDs of the Hybrid ports on the local and the peer devices must be the same Otherwise packets cannot be transmitted properly 2 2 3 Configuring a Trunk Port Based VLAN A Trunk port may belong to multiple VLANs and you can only perform this configuration in Ethernet port view Follow these steps to configure the Trunk port based VLAN To do Us...

Page 114: ... trunk ports display port hybrid trunk Available in any view 2 2 5 Port Based VLAN Configuration Example I Network requirements z As shown in Figure 2 1 Switch A and Switch B each connect to a server and a workstation Host z For data security concerns the two servers are assigned to VLAN 101 with the descriptive string being DMZ and the PCs are assigned to VLAN 201 z The devices within each VLAN c...

Page 115: ...11 SwitchB vlan101 quit Create VLAN 201 and add Ethernet1 0 12 to VLAN 201 SwitchB vlan 201 SwitchB vlan201 port Ethernet 1 0 12 SwitchB vlan201 quit z Configure the link between Switch A and Switch B Because the link between Switch A and Switch B need to transmit data of both VLAN 101 and VLAN 102 you can configure the ports at the end of the link as trunk ports and permit packets of the two VLAN...

Page 116: ...efer to Port Basic Configuration in this manual 2 3 Configuring a Protocol Based VLAN Note The contents of this section are only applicable to the S3100 EI series among S3100 series switches 2 3 1 Protocol Based VLAN Configuration Task List Complete these tasks to configure protocol based VLAN Task Remarks Configuring a Protocol Template for a Protocol Based VLAN Required Associating a Port with a...

Page 117: ...tended encapsulation formats are not supported on the S3100 series currently z Because the IP protocol is closely associated with the ARP protocol you are recommended to configure the ARP protocol type when configuring the IP protocol type and associate the two protocol types with the same port to avoid that ARP packets and IP packets are not assigned to the same VLAN which will cause IP address r...

Page 118: ...otocol information and protocol indexes configured on the specified VLAN display protocol vlan vlan vlan id to vlan id all Display the protocol information and protocol indexes configured on the specified port display protocol vlan interface interface type interface number to interface type interface number all Available in any view 2 3 5 Protocol Based VLAN Configuration Example I Network require...

Page 119: ...00 Switch vlan200 port Ethernet 1 0 12 Configure protocol templates for VLAN 200 and VLAN 100 matching AppleTalk protocol and IP protocol respectively Switch vlan200 protocol vlan at Switch vlan200 quit Switch vlan 100 Switch vlan100 protocol vlan ip To ensure the normal operation of IP network you need to configure a user defined protocol template for VLAN 100 to match the ARP protocol assume Eth...

Page 120: ...0 of VLAN 200 Switch Ethernet1 0 10 port hybrid protocol vlan vlan 100 0 to 1 Switch Ethernet1 0 10 port hybrid protocol vlan vlan 200 0 Display the associations between Ethernet 1 0 10 and the VLAN protocol templates to verify your configuration Switch Ethernet1 0 10 display protocol vlan interface Ethernet 1 0 10 Interface Ethernet1 0 10 VLAN ID Protocol Index Protocol Type 100 0 ip 100 1 ethern...

Page 121: ... Configuration 1 1 1 1 Introduction to Management VLAN 1 1 1 1 1 Management VLAN 1 1 1 1 2 Static Route 1 1 1 1 3 Default Route 1 2 1 2 Management VLAN Configuration 1 2 1 2 1 Prerequisites 1 2 1 2 2 Configuring the Management VLAN 1 2 1 2 3 Configuration Example 1 3 1 3 Displaying and Maintaining management VLAN configuration 1 5 ...

Page 122: ...address cannot be configured at the same time That is the latest IP address obtained causes the previously IP address to be released For example if you assign an IP address to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former IP address will be released and the final IP address of the VLAN in...

Page 123: ... a route destined to the network 0 0 0 0 with the mask 0 0 0 0 1 2 Management VLAN Configuration 1 2 1 Prerequisites Before configuring the management VLAN make sure the VLAN operating as the management VLAN exists If VLAN 1 the default VLAN is the management VLAN just go ahead 1 2 2 Configuring the Management VLAN Table 1 1 Configure the management VLAN Operation Command Remarks Enter system view...

Page 124: ...he management VLAN ID is consistent with the cluster management VLAN ID configured with the management vlan vlan id command Otherwise the configuration fails Refer to the Cluster Operation Manual for detailed introduction to the cluster z Refer to the VLAN module for detailed introduction to VLAN interfaces 1 2 3 Configuration Example I Network requirements For a user to manage Switch A remotely t...

Page 125: ... the following configurations after the current user logs in to Switch A through the Console port Enter system view SwitchA system view Create VLAN 10 and configure VLAN 10 as the management VLAN SwitchA vlan 10 SwitchA vlan10 quit SwitchA management vlan 10 Create the VLAN 10 interface and enter VLAN interface view SwitchA interface vlan interface 10 Configure the IP address of VLAN 10 interface ...

Page 126: ...ion about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routing information of the specified protocol display ip routing table protocol prot...

Page 127: ...laying IP Addressing Configuration 1 4 1 4 IP Address Configuration Examples 1 5 1 4 1 IP Address Configuration Example I 1 5 Chapter 2 IP Performance Configuration 2 1 2 1 IP Performance Overview 2 1 2 1 1 Introduction to IP Performance Configuration 2 1 2 1 2 Introduction to FIB 2 1 2 2 Configuring IP Performance 2 1 2 2 1 Introduction to IP Performance Configuration Tasks 2 1 2 2 2 Configuring ...

Page 128: ...n in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each IP address breaks down into two parts z Net ID The first several bits of the IP address defining a network also known as class bits z Host ID Identifies a host on a network For administration sake IP addresses are divided into five classes as shown in the following figure in which...

Page 129: ...IP addresses z IP address with an all zeros net ID Identifies a host on the local network For example IP address 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zeros host ID Identifies a network z IP address with an all ones host ID Identifies a directed broadcast address For example a packet with the destination address of 192 168 1 255 will be broa...

Page 130: ...ple a Class B network can accommodate 65 534 216 2 Of the two deducted Class B addresses one with an all ones host ID is the broadcast address and the other with an all zeros host ID is the network address hosts before being subnetted After you break it down into 512 29 subnets by using the first 9 bits of the host ID for the subnet you have only 7 bits for the host ID and thus have only 126 27 2 ...

Page 131: ...fault Note z A newly specified IP address overwrites the previous one if there is any z The IP address of a VLAN interface must not be on the same network segment as that of a loopback interface on a device 1 3 Displaying IP Addressing Configuration After the above configuration you can execute the display command in any view to display the operating status and configuration on the interface to ve...

Page 132: ...ration Example I I Network requirement Assign IP address 129 2 2 1 with mask 255 255 255 0 to VLAN interface 1 of the switch II Network diagram Figure 1 3 Network diagram for IP address configuration III Configuration procedure Configure an IP address for VLAN interface 1 Switch system view Switch interface Vlan interface 1 Switch Vlan interface1 ip address 129 2 2 1 255 255 255 0 ...

Page 133: ...ket forwarding You can know the forwarding information of the switch through the FIB table Each FIB entry includes destination address mask length next hop current flag timestamp and outbound interface When the switch is running normally the contents of the FIB and the routing table are the same 2 2 Configuring IP Performance 2 2 1 Introduction to IP Performance Configuration Tasks Table 2 1 Intro...

Page 134: ... receive send buffer tcp window window size Optional By default the buffer is 8 kilobytes 2 2 3 Disabling ICMP to Send Error Packets Sending error packets is a major function of ICMP protocol In case of network abnormalities ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate control and management By default S3100 Series Et...

Page 135: ...s undo icmp redirect send Required Enabled by default Disable sending ICMP destination unreachable packets undo icmp unreach send Required Enabled by default 2 3 Displaying and Maintaining IP Performance Configuration After the above configurations you can execute the display command in any view to display the running status to verify your IP performance configuration Use the reset command in user...

Page 136: ...et id Display the forwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip address1 mask1 mask length1 ip address2 mask2 mask length2 longer longer Display the FIB entries filtering through a specific ACL display fib acl number Display the FIB entries in the buffer which begin with include or exclude the specified character stri...

Page 137: ... 1 5 Support for Voice VLAN on Various Ports 1 5 1 1 6 Security Mode of Voice VLAN 1 7 1 2 Voice VLAN Configuration 1 7 1 2 1 Configuration Prerequisites 1 7 1 2 2 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 8 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1 9 1 3 Displaying and Maintaining Voice VLAN 1 11 1 4 Voice VLAN Configu...

Page 138: ...d perform QoS related configuration for voice traffic as required thus ensuring the transmission priority of voice traffic and voice quality 1 1 1 How an IP Phone Works IP phones can convert analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice communication ...

Page 139: ... IP phone goes through the following three phases to become capable of transmitting voice data 1 After the IP phone is powered on it sends an untagged DHCP request message containing four special requests in the Option 184 field besides the request for an IP address The message is broadcast in the default VLAN of the receiving port After receiving the DHCP request message DHCP Server 1 which resid...

Page 140: ...onse message to the IP phone After the IP phone receives the tagged response message it sends voice data packets tagged with the voice VLAN tag to communicate with the voice gateway In this case the port connecting to the IP phone must be configured to allow the packets tagged with the voice VLAN tag to pass Note z An untagged packet carries no VLAN tag z A tagged packet carries the tag of a VLAN ...

Page 141: ...ffic Transmission Priority In order to improve transmission quality of voice traffic the switch by default re marks the priority of the traffic in the voice VLAN as follows z Set the CoS 802 1p priority to 6 z Set the DSCP value to 46 1 1 4 Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode You can configure...

Page 142: ...ion and guest VLAN is enabled on the port which the IP voice device is connected to assign different VLAN IDs for the voice VLAN the default VLAN of the port and the 802 1x guest VLAN to ensure the effective operation of these functions 1 1 5 Support for Voice VLAN on Various Ports Voice VLAN packets can be forwarded by access ports trunk ports and hybrid ports You can enable a trunk or hybrid por...

Page 143: ...AN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagge d voice traffic Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose traffic is p...

Page 144: ...d Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN Manual Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose traffic is permitted by the access port 1 1 6 Security Mode of Voice VLAN On S3100 series Eth...

Page 145: ...ess Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode is enabled Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1440 minutes Enable the voice VLAN function globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Required Enable the voice ...

Page 146: ...ts in order to make the established voice connections work normally the system does not need to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices but does so immediately after the restart or the changes 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to operate...

Page 147: ...de on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list Enter port view interface interface type interface num Add the port to the VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Required By defau...

Page 148: ...a and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between H3C device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device The voice vlan legacy command can be executed before voice VLAN is ena...

Page 149: ...nsmitted within the voice VLAN z Create VLAN 2 and configure it as the voice VLAN with the aging timer being 100 minutes z The IP phone sends tagged packets It is connected to Ethernet 1 0 1 a hybrid port with VLAN 6 being its default VLAN Set this port to operate in automatic voice VLAN assignment mode z You need to add a user defined OUI address 0011 2200 000 with the mask being ffff ff00 0000 a...

Page 150: ...gure VLAN 6 as the default VLAN of Ethernet 1 0 1 and configure Ethernet 1 0 1 to permit packets with the tag of VLAN 6 DeviceA Ethernet1 0 1 port hybrid pvid vlan 6 DeviceA Ethernet1 0 1 port hybrid vlan 6 tagged Enable the voice VLAN function on Ethernet 1 0 1 DeviceA Ethernet1 0 1 voice vlan enable 1 4 2 Voice VLAN Configuration Example Manual Voice VLAN Assignment Mode I Network requirements C...

Page 151: ... address 0011 2200 000 and set the description string to test DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test Create VLAN 2 and configure it as a voice VLAN DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure Ethernet 1 0 1 to operate in manual voice VLAN assignment mode DeviceA interface Ethernet 1 0 1 DeviceA Ethernet1 0 1 undo voice vlan mo...

Page 152: ...ss Mask Description 0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3Com phone Display the status of the current voice VLAN DeviceA display voice vlan status Voice Vlan status ENABLE Voice Vlan ID 2 Voice V...

Page 153: ...RP 1 1 1 1 1 GARP 1 1 1 1 2 GVRP 1 4 1 1 3 Protocol Specifications 1 5 1 2 GVRP Configuration 1 5 1 2 1 GVRP Configuration Tasks 1 5 1 2 2 Enabling GVRP 1 5 1 2 3 Configuring GVRP Timers 1 6 1 2 4 Configuring GVRP Port Registration Mode 1 7 1 3 Displaying and Maintaining GVRP 1 8 1 4 GVRP Configuration Example 1 8 1 4 1 GVRP Configuration Example 1 8 ...

Page 154: ...RP application entity is present on a port on your device this port is regarded a GARP application entity I GARP messages and timers 1 GARP messages GARP members communicate with each other through the messages exchanged between them The messages performing important functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be register...

Page 155: ...d for a specific period a second one is sent The period is determined by this timer z Leave When a GARP entity expects to deregister a piece of attribute information it sends out a Leave message Any GARP entity receiving this message starts its Leave timer and deregisters the attribute information if it does not receives a Join message again before the timer times out z LeaveAll Once a GARP entity...

Page 156: ...ities use specific multicast MAC addresses as their destination MAC addresses When receiving these packets the switch distinguishes them by their destination MAC addresses and delivers them to different GARP application for example GVRP for further processing III GARP message format The GARP packets are in the following format Figure 1 1 Format of GARP packets The following table describes the fie...

Page 157: ...on of GARP GARP VLAN registration protocol GVRP maintains dynamic VLAN registration information and propagates the information to the other switches through GARP With GVRP enabled on a device the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information including the information about the VLAN members the ports thr...

Page 158: ... VLAN 1 that is the port propagates only the information about VLAN 1 to the other GARP members 1 1 3 Protocol Specifications GVRP is defined in IEEE 802 1Q standard 1 2 GVRP Configuration 1 2 1 GVRP Configuration Tasks Complete the following tasks to configure GVRP Task Remarks Enabling GVRP Required Configuring GVRP Timers Optional Configuring GVRP Port Registration Mode Optional 1 2 2 Enabling ...

Page 159: ...All timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note that z The setting of each timer must...

Page 160: ...e This lower threshold is greater than twice the timeout time of the Join timer You can change the threshold by changing the timeout time of the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can c...

Page 161: ...timer interface interface list Display GVRP statistics display gvrp statistics interface interface list Display the global GVRP status display gvrp status Clear GARP statistics reset garp statistics interface interface list Available in any view 1 4 GVRP Configuration Example 1 4 1 GVRP Configuration Example I Network requirements z Enable GVRP on all the switches in the network so that the VLAN c...

Page 162: ... 1 port link type trunk SwitchA Ethernet1 0 1 port trunk permit vlan all Enable GVRP on Ethernet1 0 1 SwitchA Ethernet1 0 1 gvrp SwitchA Ethernet1 0 1 quit Configure Ethernet1 0 2 to be a trunk port and to permit the packets of all the VLANs SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type trunk SwitchA Ethernet1 0 2 port trunk permit vlan all Enable GVRP on Ethernet1 0 2 Swit...

Page 163: ...RP on Switch E which is similar to that of Switch A and is thus omitted Create VLAN 5 and VLAN 7 SwitchE vlan 5 SwitchE vlan5 quit SwitchE vlan 7 SwitchE vlan7 quit 6 Display the VLAN information dynamically registered on Switch A Switch B and Switch E Display the VLAN information dynamically registered on Switch A SwitchA display vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLA...

Page 164: ...ing dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE Ethernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure Ethernet1 0 1 on Switch E to operate in forbidden GVRP registration mode and display the VLAN registration information dynamically registered on Switch A Switch B and Switch E Configure Ethernet1 0 1 on Switch E to operate in fo...

Page 165: ...rt to Other Ports 1 3 1 1 5 Configuring Loopback Detection for an Ethernet Port 1 4 1 1 6 Configuring Loopback Detection for Ethernet Port s 1 5 1 1 7 Enabling Loopback Test 1 7 1 1 8 Configuring a Port Group 1 7 1 1 9 Enabling the System to Test Connected Cable 1 8 1 1 10 Configuring the Interval to Perform Statistical Analysis on Port Traffic 1 9 1 1 11 Disabling Up Down Log Output on a Port 1 9...

Page 166: ...Ethernet Port Configuration 1 1 1 Initially Configuring a Port Table 1 1 Initially configure a port Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the Ethernet port undo shutdown Optional By default the port is enabled Use the shutdown command to disable the port Set the description string for the Ethernet port desc...

Page 167: ...wed on an Ethernet port is 2048 bytes 1 1 2 Limiting Traffic on individual Ports By performing the following configurations you can limit the incoming broadcast unknown multicast unknown unicast traffic on individual ports When a type of incoming traffic exceeds the threshold you set the system drops the packets exceeding the traffic limit to reduce the traffic ratio of this type to the reasonable...

Page 168: ... packets to the local switch or reduce the sending rate temporarily when it receives the message and vice versa By this way packet loss is avoided and the network service operates normally Table 1 3 Enable flow control on a port Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable flow control on the Ethernet port flow co...

Page 169: ...n Ethernet ports the switch can monitor if an external loopback occurs on them If there is a loopback port found the switch will deal with the loopback port according to your configuration 1 If a loop is found on an access port the system will set the port to the block state ports in this state cannot forward data packets send log messages to the terminal and remove the corresponding MAC forwardin...

Page 170: ... for Ethernet port s Operation Command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Optional By default the global loopback detection function is enabled if the device boots with the default configuration file config def if the device boots with null configuration this function is disabled Enable loopback detection on the specified ports in bul...

Page 171: ... with null configuration this function is disabled Enable the loopback port auto shutdown function loopback detection shutdown enable Optional By default the loopback port auto shutdown function is enabled on ports if the device boots with the default configuration file config def if the device boots with null configuration this function is disabled Configure the system to run loopback detection o...

Page 172: ...be received by itself The external loop test can locate the hardware failures on the port z internal Performs internal loop test In the internal loop test self loop is established in the switching chip to locate the chip failure which is related to the port Note that z After you use the shutdown command on a port the port cannot run loopback test z You cannot use the speed duplex mdi and shutdown ...

Page 173: ...nnected Cable You can enable the system to test the cable connected to a specific port The test result will be returned in five seconds The system can test these attributes of the cable Receive and transmit directions RX and TX short circuit open circuit or not the length of the faulty cable Table 1 8 Enable the system to test connected cables Operation Command Remarks Enter system view system vie...

Page 174: ...ort traffic Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Set the interval to perform statistical analysis on port traffic flow interval interval Optional By default this interval is 300 seconds 1 1 11 Disabling Up Down Log Output on a Port An Ethernet port has two physical link statuses UP and Down When the physical ...

Page 175: ...n command or the undo shutdown command on Ethernet 1 0 1 and the system outputs Up Down log information of Ethernet 1 0 1 Sysname system view System View return to User View with Ctrl Z Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 shutdown Apr 5 07 25 37 634 2000 Sysname L2INF 5 PORT LINK STATUS CHANGE 1 Ethernet1 0 1 is DOWN Sysname Ethernet1 0 1 undo shutdown Apr 5 07 25 56 244 2000 Sy...

Page 176: ...splay the combo ports on the current device display port combo Display port information about a specified unit display unit unit id interface You can execute the display commands in any view Clear port statistics reset counters interface interface type interface type interface number You can execute the reset command in user view After 802 1x is enabled on a port clearing the statistics on the por...

Page 177: ...ort Sysname Ethernet1 0 1 port link type trunk Allow packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100 Sysname Ethernet1 0 1 port trunk pvid vlan 100 1 3 Troubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet po...

Page 178: ... Group 1 2 1 2 2 Static LACP Aggregation Group 1 3 1 2 3 Dynamic LACP Aggregation Group 1 4 1 3 Aggregation Group Categories 1 5 1 4 Link Aggregation Configuration 1 7 1 4 1 Configuring a Manual Aggregation Group 1 7 1 4 2 Configuring a Static LACP Aggregation Group 1 8 1 4 3 Configuring a Dynamic LACP Aggregation Group 1 9 1 4 4 Configuring a Description for an Aggregation Group 1 10 1 5 Displayi...

Page 179: ...LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the peer compares the information with the information of other ports on the peer device to determine the ports that can be aggregated In this way the two parties can reach an agreement in adding removing the port to from a dynamic aggregation group Operation key is generate...

Page 180: ...n group must contain at least one port When a manual aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group LACP is disabled on the member ports of manual aggregation groups and you cannot enable LACP on ports in a manual aggregation group II Port status in manual aggregation group A port in a manual aggregation group can be in one of the ...

Page 181: ... you remove a static aggregation group all the member ports in up state form one or multiple dynamic aggregations with LACP enabled LACP cannot be disabled on static aggregation ports II Port status of static aggregation group A port in a static aggregation group can be in one of the two states selected or unselected z Both the selected and the unselected ports in the up state can transceive LACP ...

Page 182: ...status of dynamic aggregation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP protocol packets z The selected ports can receive transmit user service packets but the unselected ports cannot z In a dynamic aggregation group the selected port with the smallest port number serves...

Page 183: ...ng for IP packets based on the source IP address and destination IP address and for non IP packets based on the source MAC address z The S3100 SI series Ethernet switches perform load sharing based on the source MAC address and destination MAC address for both IP and non IP packets In general the system only provides limited load sharing aggregation resources so the system needs to reasonably allo...

Page 184: ...allest master port number has higher priority than other groups When an aggregation group of higher priority appears the aggregation groups of lower priorities release their hardware resources For single port aggregation groups they can transceive packets normally without occupying aggregation resources Caution A load sharing aggregation group contains at least two selected ports but a non load sh...

Page 185: ...resses multicast MAC addresses or the static ARP protocol cannot be added to an aggregation group z Ports where the IP MAC address binding is configured cannot be added to an aggregation group z Port security enabled ports cannot be added to an aggregation group z The port with Voice VLAN enabled cannot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation...

Page 186: ...ds of type change can occur z When you change a dynamic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enabled 2 When a manual or static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group 1 4 2 C...

Page 187: ...up For example suppose port 1 of the local device is connected to port 2 of the peer device To avoid cross connecting cables do not connect port 2 of the local device to port 1 of the peer device Otherwise packets may be lost 1 4 3 Configuring a Dynamic LACP Aggregation Group A dynamic LACP aggregation group is automatically created by the system based on LACP enabled ports The adding and removing...

Page 188: ...priority lacp port priority port priority Optional By default the port priority is 32 768 Note Changing the system priority may affect the priority relationship between the aggregation peers and thus affect the selected unselected status of member ports in the dynamic aggregation group 1 4 4 Configuring a Description for an Aggregation Group Perform the following tasks to configure a description f...

Page 189: ...r configuration Execute the reset command in user view to clear LACP statistics on ports Table 1 5 Display and maintain link aggregation configuration Operation Command Remarks Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group or all aggregation groups display link aggregation verbose agg id Display l...

Page 190: ...on on the three ports between switch A and B II Network diagram Figure 1 1 Network diagram for link aggregation configuration III Configuration procedure Note The following only lists the configuration on Switch A you must perform the similar configuration on Switch B to implement link aggregation 1 Adopting manual aggregation mode Create manual aggregation group 1 Sysname system view Sysname link...

Page 191: ...nterface Ethernet1 0 2 Sysname Ethernet1 0 2 port link aggregation group 1 Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 port link aggregation group 1 3 Adopting dynamic LACP aggregation mode Enable LACP on Ethernet1 0 1 through Ethernet1 0 3 Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 lacp enable Sysname Ethernet1 0 1 quit Sysname i...

Page 192: ...net Switches Table of Contents i Table of Contents Chapter 1 Port Isolation Configuration 1 1 1 1 Port Isolation Overview 1 1 1 2 Port Isolation Configuration 1 1 1 3 Displaying Port Isolation Configuration 1 2 1 4 Port Isolation Configuration Example 1 2 ...

Page 193: ...oup on an S3100 Series Ethernet switch The number of Ethernet ports in an isolation group is not limited Note z An isolation group only isolates the member ports in it z Port isolation is independent of VLAN configuration 1 2 Port Isolation Configuration You can perform the following operations to add an Ethernet ports to an isolation group thus isolating Layer 2 and Layer 3 data among the ports i...

Page 194: ...ding a port of an isolation group to an aggregation group causes all the ports in the aggregation group being added to the isolation group 1 3 Displaying Port Isolation Configuration After the above configuration you can execute the display command in any view to display the result of your port isolation configuration thus verifying your configuration Table 1 2 Display port isolation configuration...

Page 195: ...tem view System View return to User View with Ctrl Z Sysname interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface ethernet1 0 4 Sysname Ethernet1 0 4 port isolate Sysname Ethernet1 0 4 quit Sysname quit Display information about the ports in the isolation...

Page 196: ... Setting the Port Security Mode 1 7 1 2 4 Configuring Port Security Features 1 8 1 2 5 Ignoring the Authorization Information from the RADIUS Server 1 10 1 2 6 Configuring Security MAC Addresses 1 10 1 3 Displaying and Maintaining Port Security Configuration 1 11 1 4 Port Security Configuration Example 1 12 1 4 1 Port Security Configuration Example 1 12 Chapter 2 Port Binding Configuration 2 1 2 1...

Page 197: ... The events that cannot pass 802 1x authentication or MAC authentication are considered illegal With port security enabled upon detecting an illegal packet or illegal event the system triggers the corresponding port security features and takes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability 1 1 2 Port Security Features...

Page 198: ... mode the port automatically learns MAC addresses and changes them to security MAC addresses This security mode will automatically change to the secure mode after the amount of security MAC addresses on the port reaches the maximum number configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses ...

Page 199: ...o the userLoginSecure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC address entries on the port macAddressWit hRadius In this mod...

Page 200: ...rLoginSecur e In this mode a port firstly performs MAC authentication for a user and then performs 802 1x authentication for the user if the user passes MAC authentication The user can access the network after passing the two authentications In this mode up to one user can access the network macAddressAnd UserLoginSecur eExt This mode is similar to the macAddressAndUserLoginSecure mode except that...

Page 201: ...nfiguring intrusion protection Configuring Port Security Features Configuring the Trap feature Optional Choose one or more features as required Ignoring the Authorization Information from the RADIUS Server Optional Configuring Security MAC Addresses Optional 1 2 1 Enabling Port Security I Configuration Prerequisites Before enabling port security you need to disable 802 1x and MAC authentication gl...

Page 202: ...ting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the configured upper limit By setting the maximum number of MAC addresses allowed on a port you can z Control the maximum number of users who are allowed to access the network through the port z Control the ...

Page 203: ...2 1x user plus one user whose source MAC address has a specified OUI value Enter Ethernet port view interface interface type interface number Set the port security mode port security port mode autolearn mac and userlogin sec ure mac and userlogin sec ure ext mac authentication mac else userlogin sec ure mac else userlogin sec ure ext secure userlogin userlogin secure userlogin secure ext userlogin...

Page 204: ...u can change the port security mode you need to restore the port security mode to noRestriction with the undo port security port mode command If the port security port mode mode command has been executed on a port none of the following can be configured on the same port z Maximum number of MAC addresses that the port can learn z Reflector port for port mirroring z Link aggregation 1 2 4 Configurin...

Page 205: ...ntrusion protection is disabled Return to system view quit Set the timer during which the port remains disabled port security timer disableport timer Optional 20 seconds by default Note The port security timer disableport command is used in conjunction with the port security intrusion mode disableport temporarily command to set the length of time during which the port remains disabled Caution If y...

Page 206: ...RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the authorization information from the RADIUS server port security authorization ignore Required By default a port uses the authorization information ...

Page 207: ...is enabled z The maximum number of security MAC addresses allowed on the port is set z The security mode of the port is set to autolearn II Configuring a security MAC address Follow these steps to configure a security MAC address To do Use the command Remarks Enter system view system view In system view mac address security mac address interface interface type interface number vlan vlan id interfa...

Page 208: ...the port stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds II Network diagram Figure 1 1 Network diagram for port security configuration III Configuration procedure Enter system view Switch system view Enable port security Switch port security enable Enter Ethernet1 0 1 port v...

Page 209: ...Port Binding H3C S3100 Series Ethernet Switches Chapter 1 Port Security Configuration 1 13 Switch Ethernet1 0 1 port security intrusion mode disableport temporarily Switch Ethernet1 0 1 quit Switch port security timer disableport 30 ...

Page 210: ...ser to a specific port After the binding the switch forwards only the packets received on the port whose MAC address and IP address are identical with the bound MAC address and IP address This improves network security and enhances security monitoring 2 1 2 Configuring Port Binding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system vi...

Page 211: ...nterface number ip addr ip address mac addr mac address Available in any view 2 3 Port Binding Configuration Example 2 3 1 Port Binding Configuration Example I Network requirements It is required to bind the MAC and IP addresses of Host A to Ethernet 1 0 1 on Switch A so as to prevent malicious users from using the IP address they steal from Host A to access the network II Network diagram 10 12 1 ...

Page 212: ...tches Chapter 2 Port Binding Configuration 2 3 SwitchA system view Enter Ethernet 1 0 1 port view SwitchA interface Ethernet 1 0 1 Bind the MAC address and the IP address of Host A to Ethernet 1 0 1 SwitchA Ethernet1 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 ...

Page 213: ...P Fundamentals 1 2 1 2 1 DLDP Implementation 1 2 1 2 2 DLDP Status 1 6 1 2 3 DLDP Timers 1 7 1 2 4 DLDP Operating Mode 1 8 1 2 5 DLDP Neighbor State 1 8 1 2 6 Link Auto recovery Mechanism 1 9 1 3 DLDP Configuration 1 10 1 3 1 Performing Basic DLDP Configuration 1 10 1 3 2 Resetting DLDP State 1 11 1 3 3 Displaying and Maintaining DLDP 1 12 1 4 DLDP Configuration Example 1 12 ...

Page 214: ...l STP loops Unidirectional links can be caused by z Fiber cross connection as shown in Figure 1 1 z Fibers that are not connected or disconnected as shown in Figure 1 2 the hollow lines in which refer to fibers that are not connected or disconnected Device link detection protocol DLDP can detect the link status of an optical fiber cable or copper twisted pair such as super category 5 twisted pair ...

Page 215: ...ds of links can work normally at the physical layer DLDP can detect whether these links are connected correctly and whether packets can be exchanged normally at both ends However the auto negotiation mechanism cannot implement this detection Note z In order for DLDP to detect fiber disconnection in one direction you need to configure the port to work in mandatory full duplex mode at a mandatory ra...

Page 216: ...al device Probe Probe packets are used to probe the existence of a neighbor Echo packets are required from the corresponding neighbor Probe packets carry the local port information Neighbor information is optional for probe packets A probe packet carrying neighbor information probes the specified neighbors A probe packet carrying no neighbor information probes all the neighbors Echo Response to pr...

Page 217: ...ing a linkdown packet if the peer end operates in the enhanced mode it enters the disable state and sets the receiving port to the DLDP down state auto shutdown mode or gives an alarm to the user manual shutdown mode Recover Probe Recover probe packets are used to detect whether a link recovers to implement the port auto recovery mechanism Recover probe packets carry only the local port informatio...

Page 218: ...e DLDP resets the aging timer of the entry Flush packet Removes the neighbor entry from the local device Creates the neighbor entry if it does not exist on the local device Probe packet Sends echo packets containing both neighbor and its own information to the peer Resets the aging timer of the entry if the neighbor entry already exists on the local device No Drops the echo packet No Drops the ech...

Page 219: ...bled but the corresponding link is down Active DLDP is enabled and the link is up or an neighbor entry is cleared Advertisement All neighbors communicate normally in both directions or DLDP remains in active state for more than five seconds and enters this status It is a stable state where no unidirectional link is found Probe DHCP sends packets to check whether the link is a unidirectional It ena...

Page 220: ...imer is enabled When an advertisement packet is received from a neighbor the neighbor entry is updated and the corresponding entry aging timer is updated In the normal mode if no packet is received from the neighbor when the entry aging timer expires DLDP sends an advertisement packet with an RSY tag and deletes the neighbor entry In the enhanced mode if no packet is received from the neighbor whe...

Page 221: ...down timer expires Otherwise it removes the DLDP neighbor information and changes to the inactive state 1 2 4 DLDP Operating Mode DLDP can operate in two modes normal and enhanced Table 1 7 DLDP operating mode and neighbor entry aging DLDP operating mode DLDP detects whether neighbors exist or not when neighbor tables are aging The entry aging timer is enabled or not during neighbor entry aging Th...

Page 222: ... recover echo packet which means that the unidirectional link is restored to a bidirectional link it is brought up by DLDP The detailed process is as follows 1 A port in the DLDP down state sends a recover probe packet every 2 seconds Recover probe packets carry only the local port information 2 Upon receiving a recover probe packet the peer end responds with a recover echo packet 3 Upon receiving...

Page 223: ... none Set the interval of sending DLDP packets dldp interval timer value Optional By default the interval is 5 seconds Set the delaydown timer dldp delaydown timer delaydown time Optional By default the delaydown timer expires after 1 second it is triggered Set the DLDP handling mode when an unidirectional link is detected dldp unidirectional shutdown auto manual Optional By default the handling m...

Page 224: ...m view to enable disable DLDP on all optical ports of the switch the configuration takes effect on the existing optical ports instead of those added subsequently z Make sure the authentication mode and password configured on both sides are the same for DLDP to operate properly z When DLDP works in enhanced mode the system can identify two types of unidirectional links one is caused by fiber cross ...

Page 225: ...ion Command Description Display the DLDP configuration of a unit or a port display dldp unit id interface type interface number Available in any view 1 4 DLDP Configuration Example I Network requirements As shown in Figure 1 3 z Switch A and Switch B are connected through two pairs of fibers Both of them support DLDP All the ports involved operate in mandatory full duplex mode with their rates all...

Page 226: ...ce gigabitethernet 1 1 1 SwitchA GigabitEthernet1 1 1 duplex full SwitchA GigabitEthernet1 1 1 speed 1000 SwitchA GigabitEthernet1 1 1 quit SwitchA interface gigabitethernet 1 1 2 SwitchA GigabitEthernet1 1 2 duplex full SwitchA GigabitEthernet1 1 2 speed 1000 SwitchA GigabitEthernet1 1 2 quit Enable DLDP globally SwitchA dldp enable Set the interval for sending DLDP packets to 15 seconds SwitchA ...

Page 227: ...th the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode the end that receives optical signals is in the disable state the other end is in the inactive state Restore the ports shut down by DLDP SwitchA dldp rese...

Page 228: ... 2 Configuring MAC Address Table Management 1 5 1 2 1 MAC Address Table Management Configuration Task List 1 5 1 2 2 Configuring a MAC Address Entry 1 6 1 2 3 Setting the MAC Address Aging Timer 1 7 1 2 4 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 7 1 2 5 Disabling MAC Address learning for a VLAN 1 8 1 2 6 Assigning MAC Addresses for Ethernet Ports 1 9 1 3 Displaying MAC Addres...

Page 229: ...e packets to the corresponding ports according to the destination MAC address of the packets To forward packets quickly a switch maintains a MAC address table which is a Layer 2 address table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to z Forwarding egress ...

Page 230: ...r A and User B are both in VLAN 1 When User A communicates with User B the packet from User A needs to be transmitted to Ethernet 1 0 1 At this time the switch records the source MAC address of the packet that is the address MAC A of User A to the MAC address table of the switch forming an entry shown in Figure 1 2 Figure 1 1 MAC address learning diagram 1 Figure 1 2 MAC address table entry of the...

Page 231: ... the packet Normally User B will respond to User A as shown in Figure 1 4 When the response packet from User B is sent to Ethernet 1 0 4 the switch records the association between the MAC address of User B and the corresponding port to the MAC address table of the switch Figure 1 4 MAC address learning diagram 3 4 At this time the MAC address table of the switch includes two forwarding entries sho...

Page 232: ...rectly drops any packet with a broadcast source MAC address 1 1 3 Managing MAC Address Table I Aging of MAC address table To fully utilize a MAC address table which has a limited capacity the switch uses an aging mechanism for updating the table That is the switch starts an aging timer for an entry when dynamically creating the entry The switch removes the MAC address entry if no more packets with...

Page 233: ... of MAC address entries and their characteristics Table 1 1 Characteristics of different types of MAC address entries MAC address entry Configuration method Aging time Reserved or not at reboot if the configuration is saved Static MAC address entry Manually configured Unavailable Yes Dynamic MAC address entry Manually configured or generated by MAC address learning mechanism Available No Blackhole...

Page 234: ... a MAC address entry mac address static dynamic blackhole mac address interface interface type interface number vlan vlan id Required Caution z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a...

Page 235: ...z If the aging timer is set too short the switch may remove valid MAC address entries This decreases the forwarding performance of the switch Follow these steps to set aging time of MAC address entries To do Use the command Remarks Enter system view system view Set the MAC address aging timer mac address timer aging age no aging Required The default is 300 seconds Normally you are recommended to u...

Page 236: ...learnt from a port reaches the set value the port stops learning MAC addresses Follow these steps to set the maximum number of MAC addresses a port can learn To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the maximum number of MAC addresses the port can learn mac address max mac count count Required By default the ...

Page 237: ...s no effect on enabling the MAC address authentication on the ports that belong to the VLAN 1 2 6 Assigning MAC Addresses for Ethernet Ports By default no Ethernet port of an S3100 switch is configured with a MAC address Therefore when the switch sends Layer 2 protocol packets for example BPDUs of STP it uses the MAC address predefined in the protocol as the source address to send the BPDUs As swi...

Page 238: ... With the port MAC address configuration the switch uses the MAC address of a port as the source MAC address when sending the following Layer 2 PDUs out of the port z LACP z STP z NDP NTDP z GVRP z DLDP Port MAC address configuration does not affect service packet forwarding 1 3 Displaying MAC Address Table Information To do Use the command Remarks Display information about the MAC address table d...

Page 239: ...gh Ethernet 1 0 2 z The MAC address of the server is 000f e20f dc71 z Port Ethernet 1 0 2 belongs to VLAN 1 II Configuration procedure Enter system view Sysname system view Sysname Add a MAC address with the VLAN ports and states specified Sysname mac address static 000f e20f dc71 interface Ethernet 1 0 2 vlan 1 Display information about the current MAC address table Sysname display mac address in...

Page 240: ...rk 1 27 1 3 9 Configuring the MSTP Time related Parameters 1 28 1 3 10 Configuring the Timeout Time Factor 1 29 1 3 11 Configuring the Maximum Transmitting Speed on the Current Port 1 30 1 3 12 Configuring the Current Port as an Edge Port 1 31 1 3 13 Specifying Whether the Link Connected to a Port Is Point to point Link 1 33 1 3 14 Enabling MSTP 1 34 1 4 Configuring Leaf Nodes 1 35 1 4 1 Configura...

Page 241: ...roduction 1 48 1 7 2 Configuring Digest Snooping 1 49 1 8 Configuring Rapid Transition 1 50 1 8 1 Introduction 1 50 1 8 2 Configuring Rapid Transition 1 52 1 9 Configuring VLAN VPN Tunnel 1 53 1 9 1 Introduction 1 53 1 9 2 Configuring VLAN VPN tunnel 1 54 1 10 STP Maintenance Configuration 1 55 1 10 1 Introduction 1 55 1 10 2 Enabling Log Trap Output for Ports of MSTP Instance 1 55 1 10 3 Configur...

Page 242: ... uses bridge protocol data units BPDUs also known as configuration messages as its protocol packets STP identifies the network topology by transmitting BPDUs between STP compliant network devices BPDUs contain sufficient information for the network devices to complete the spanning tree calculation In STP BPDUs come in two types z Configuration BPDUs used to calculate spanning trees and maintain th...

Page 243: ...le for forwarding BPDUs to this switch The port through which the designated bridge forwards BPDUs to this device For a LAN A designated bridge is a device responsible for forwarding BPDUs to this LAN segment The port through which the designated bridge forwards BPDUs to this LAN segment Figure 1 1 shows designated bridges and designated ports In the figure AP1 and AP2 BP1 and BP2 and CP1 and CP2 ...

Page 244: ...o the root bridge z Designated bridge ID designated bridge priority plus MAC address z Designated port ID designated port priority plus port name z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the configuration BPDUs to be kept in a switch z Hello time configuration BPDU interval z Forward delay forward delay of the port Note For the c...

Page 245: ...d chooses the optimum configuration BPDU Note Principle for configuration BPDU comparison z The configuration BPDU that has the lowest root bridge ID has the highest priority z If all the configuration BPDUs have the same root bridge ID they will be compared for their root path costs If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S the configuration ...

Page 246: ... based on the comparison result z If the calculated configuration BPDU is superior this port will serve as the designated port and the configuration BPDU on the port will be replaced with the calculated configuration BPDU which will be sent out periodically z If the configuration BPDU on the port is superior the device stops updating the configuration BPDUs of the port and blocks the port so that ...

Page 247: ...ice The following table shows the initial state of each device Table 1 4 Initial state of each device Device Port name BPDU of port AP1 0 0 0 AP1 Device A AP2 0 0 0 AP2 BP1 1 0 1 BP1 Device B BP2 1 0 1 BP2 CP1 2 0 2 CP1 Device C CP2 2 0 2 CP2 z Comparison process and result on each device The following table shows the comparison process and result on each device ...

Page 248: ... the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port 1 0 1 BP1 and updates the configuration BPDU of BP1 z Port BP2 receives the configuration BPDU of Device C 2 0 2 CP2 Device B finds that the configuration BPDU of the local port 1 0 1 BP2 is superior to the received configuration BPDU and discard...

Page 249: ... AP2 Designate d port CP2 0 10 2 CP2 z Next port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device...

Page 250: ...er to time the configuration BPDU while it sends out this configuration BPDU through the designated port z If the configuration BPDU received on the designated port has a lower priority than the configuration BPDU of the local port the port will immediately sends out its better configuration BPDU in response z If a path becomes faulty the root port on this path will no longer receive new configura...

Page 251: ...be propagated throughout the entire network z Hello time the interval for sending hello packets Hello packets are used to check link state A switch sends hello packets to its neighboring devices at a regular interval the hello time to check whether the links are faulty z Max time lifetime of the configuration BPDUs stored in a switch A configuration BPDU that has expired is discarded by the switch...

Page 252: ...ing tree II Features of MSTP The multiple spanning tree protocol MSTP overcomes the shortcomings of STP and RSTP In addition to support for rapid network convergence it also allows data flows of different VLANs to be forwarded along their own paths thus providing a better load sharing mechanism for redundant links MSTP features the following z MSTP supports mapping VLANs to MST instances by means ...

Page 253: ...hes into one MST region by using the corresponding MSTP configuration commands As shown in Figure 1 4 all the switches in region A0 are of the same MST region related configuration including z Region name z VLAN to MSTI mapping that is VLAN 1 is mapped to MSTI 1 VLAN 2 is mapped to instance 2 and the other VLANs are mapped to CIST z MSTP revision level not shown in Figure 1 4 II MSTI A multiple sp...

Page 254: ...cts all MST regions in the network If you regard each MST region in the network as a switch then the CST is the spanning tree generated by STP or RSTP running on the switches VI CIST A CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 1 4 the ISTs in the MST regions and the CST connecting the MST regions form the C...

Page 255: ...rt or master port z A backup port is the secondary port of a designated port and is used for rapid transition With the designated port being blocked the backup port becomes the new designated port fast and begins to forward data seamlessly When two ports of an MSTP enabled switch are interconnected the switch blocks one of the two ports to eliminate the loop that occurs The blocked port is the bac...

Page 256: ...ee states z Forwarding state Ports in this state can forward user packets and receive send BPDU packets z Learning state Ports in this state can receive send BPDU packets z Discarding state Ports in this state can only receive BPDU packets Port roles and port states are not mutually dependent Table 1 6 lists possible combinations of port states and port roles Table 1 6 Combinations of port states ...

Page 257: ...tself as the root and generates a configuration BPDU for each port on it as a root with the root path cost being 0 the ID of the designated bridge being that of the switch and the designated port being itself 1 Each switch sends out its configuration BPDUs and operates in the following way when receiving a configuration BPDU on one of its ports from another switch z If the priority of the configur...

Page 258: ...the root port of the switch z Determining the designated port First the switch calculates a designated port configuration BPDU for each of its ports using the root port configuration BPDU and the root port path cost with the root ID being replaced with that of the root port configuration BPDU root path cost being replaced with the sum of the root path cost of the root port configuration BPDU and t...

Page 259: ... Operation Description Related section Enable MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are performed Section 1 3 14 Enabling MSTP Configure an MST region Required Section 1 3 2 Configuring an MST Region Specify the current switch as a root bridge secondary root bridge Required Secti...

Page 260: ...s are recommended Section 1 3 9 Configuring the MSTP Time related Parameters Configure the timeout time factor Optional Section 1 3 10 Configuring the Timeout Time Factor Configure the maximum transmitting speed of the port Optional The default value is recommended Section 1 3 11 Configuring the Maximum Transmitting Speed on the Current Port Configure the current port as an edge port Optional Sect...

Page 261: ... can be used to configure VLAN mapping tables By default all VLANs in an MST region are mapped to spanning tree instance 0 Configure the MSTP revision level for the MST region revision level level Required The default revision level of an MST region is level 0 Activate the configuration of the MST region manually active region configuration Required Display the configuration of the current MST reg...

Page 262: ...level z The H3C series support only the MST region name VLAN to MSTI mapping table and revision level Switches with the settings of these parameters being the same are assigned to the same MST region II Configuration example Configure an MST region with the name being info the MSTP revision level being level 1 VLAN 2 through VLAN 10 being mapped to spanning tree instance 1 and VLAN 20 through VLAN...

Page 263: ...dary bridge diameter bridgenumber hello time centi seconds Required Using the stp root primary stp root secondary command you can specify the current switch as the root bridge or the secondary root bridge of the spanning tree instance identified by the instance id argument If the value of the instance id argument is set to 0 the stp root primary stp root secondary command specify the current switc...

Page 264: ...ge by setting the priority of the switch to 0 Note that once a switch is configured as the root bridge or a secondary root bridge its priority cannot be modified III Configuration example Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2 Sysname system view Sysname stp instance 1 root primary Sysname stp instance 2 r...

Page 265: ...e send packets in legacy format z 802 1s mode Ports in this mode recognize send packets in dot1s format A port acts as follows according to the format of MSTP packets forwarded by a peer switch or router When a port operates in the automatic mode z The port automatically determines the format legacy or dot1s of received MSTP packets and then determines the format of the packets to be sent accordin...

Page 266: ...ng to the format of the packets received Table 1 13 Configure the mode a port recognizes and sends MSTP packets in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure the mode a port recognizes and sends MSTP packets stp compliance auto dot1s legacy Required By default a port recognizes and send...

Page 267: ...es to neighboring devices In this case the switch is MSTP capable I Configuration procedure Table 1 14 Configure the MSTP operation mode Operation Command Description Enter system view system view Configure the MSTP operation mode stp mode stp rstp mstp Required An MSTP enabled switch operates in the MSTP mode by default II Configuration example Specify the MSTP operation mode as STP compatible Sy...

Page 268: ...ired By default the maximum hop count of an MST region is 20 The bigger the maximum hop count the larger the MST region is Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region II Configuration example Configure the maximum hop count of the MST region to be 30 Sysname system view Sysname stp max hops 30 1 3 8 Configuring the Network D...

Page 269: ...e MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to control the process of spanning tree calculation I Configuration procedure Table 1 17 Configure MSTP time related parameters Operation Command Description Enter system view system view Configure the forward delay parameter stp timer forward delay centiseconds Required The forward del...

Page 270: ...e unable to be detected in time which prevents spanning trees being recalculated in time and makes the network less adaptive The default value is recommended As for the configuration of the three time related parameters that is the hello time forward delay and max age parameters the following formulas must be met to prevent frequent network jitter 2 x forward delay 1 second max age Max age 2 x hel...

Page 271: ... Operation Command Description Enter system view system view Configure the timeout time factor for the switch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time II Configuration example Configure the timeout time factor to be 6 Sysname system view Sysname stp timer factor 6 1 3 11 Configuring the...

Page 272: ...parameter determines the number of the configuration BPDUs transmitted in each hello time set it to a proper value to prevent MSTP from occupying too many network resources The default value is recommended III Configuration example Set the maximum transmitting speed of Ethernet 1 0 1 to 15 1 Configure the maximum transmitting speed in system view Sysname system view Sysname stp interface Ethernet1...

Page 273: ...ion Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure the port as an edge port stp edged port enable Required By default all the Ethernet ports of a switch are non edge ports On a switch with BPDU guard disabled an edge port becomes a non edge port again once it receives a BPDU from another port Note You are recommended t...

Page 274: ...ways I Specify whether the link connected to a port is point to point link in system view Table 1 23 Specify whether the link connected to a port is point to point link in system view Operation Command Description Enter system view system view Specify whether the link connected to a port is point to point link stp interface interface list point to point force true force false auto Required The aut...

Page 275: ...guration example Configure the link connected to Ethernet 1 0 1 as a point to point link 1 Perform this configuration in system view Sysname system view Sysname stp interface Ethernet1 0 1 point to point force true 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 stp point to point force true 1 3 14 Enabling MSTP I Configu...

Page 276: ...you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree calculation this operation saves CPU resources of the switch Other MSTP related settings can take effect only after MSTP is enabled on the switch II Configuration example Enable MSTP on the switch and disable MSTP on Ethernet 1 0 1 1 Perform this configuration in system view Sysname system view Sysnam...

Page 277: ...ed on the current port Optional The default value is recommended Section 1 3 11 Configuring the Maximum Transmitting Speed on the Current Port Configure the current port as an edge port Optional Section 1 3 12 Configuring the Current Port as an Edge Port Configure the path cost for a port Optional Section 1 4 7 Configuring the Path Cost for a Port Configure the port priority Optional Section 1 4 8...

Page 278: ...section 1 3 12 Configuring the Current Port as an Edge Port 1 4 7 Configuring the Path Cost for a Port The path cost parameter reflects the rate of the link connected to the port For a port on an MSTP enabled switch the path cost may be different in different spanning tree instances You can enable flows of different VLANs to travel along different physical links by configuring appropriate path cos...

Page 279: ...rts 100 95 95 95 2 000 000 1 000 000 666 666 500 000 2 000 1 800 1 600 1 400 100 Mbps Half duplex Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link 4 ports 19 15 15 15 200 000 100 000 66 666 50 000 200 180 160 140 1 000 Mbps Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link 4 ports 4 3 3 3 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Full duplex...

Page 280: ... Operation Command Description Enter system view System view Enter Ethernet port view interface interface type interface number Configure the path cost for the port stp instance instance id cost cost Required A MSTP enabled switch can calculate path costs for all its ports automatically Changing the path cost of a port may change the role of the port and put it in state transition Executing the st...

Page 281: ... 0 1 instance 1 cost Sysname stp pathcost standard dot1d 1998 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 undo stp instance 1 cost Sysname Ethernet1 0 1 quit Sysname stp pathcost standard dot1d 1998 1 4 8 Configuring Port Priority Port priority is an important criterion on determining the root port In the same conditi...

Page 282: ...sition A smaller port priority value indicates a higher possibility for the port to become the root port If all the ports of a switch have the same port priority value the port priorities are determined by the port indexes Changing the priority of a port will cause spanning tree recalculation You can configure port priorities according to actual networking requirements III Configuration example Co...

Page 283: ...ating as an upstream switch turns to the STP compatible mode when it has an STP enabled switch connected to it When the STP enabled downstream switch is then replaced by an MSTP enabled switch the port cannot automatically transit to the RSTP mode It remains in the STP compatible mode In this case you can force the port to transit to the RSTP mode by performing the mCheck operation on the port 1 5...

Page 284: ...PCs or file servers These ports are usually configured as edge ports to achieve rapid transition But they resume non edge ports automatically upon receiving configuration BPDUs which causes spanning tree recalculation and network topology jitter Normally no configuration BPDU will reach edge ports But malicious users can attack a network by sending configuration BPDUs deliberately to edge ports to...

Page 285: ... designated port and the blocked ports turns to the forwarding state This may cause loops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become designated ports and turn to the discarding state In this case they stop forwarding packets and thereby loops can be prev...

Page 286: ... period V BPDU dropping In a STP enabled network some users may send BPDU packets to the switch continuously in order to destroy the network When a switch receives the BPDU packets it will forward them to other switches As a result STP calculation is performed repeatedly which may occupy too much CPU of the switches or cause errors in the protocol state of the BPDU packets In order to avoid this p...

Page 287: ...tion on specified ports stp interface interface list root protection Required The root guard function is disabled by default Table 1 38 Enable the root guard function in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view Interface interface type interface number Enable the root guard function on the current port stp root protection Required The ...

Page 288: ... Configuration example Enable the loop guard function on Ethernet 1 0 1 Sysname system view Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 stp loop protection 1 6 6 Configuring TC BPDU Attack Guard I Configuration prerequisites MSTP runs normally on the switch II Configuration procedure Table 1 40 Configure the TC BPDU attack guard function Operation Command Description Enter system view sy...

Page 289: ...hernet1 0 1 bpdu drop any 1 7 Configuring Digest Snooping 1 7 1 Introduction According to IEEE802 1s two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region related configuration Interconnected MSTP enabled switches determine whether or not they are in the same MST region by checking the configuration IDs of the...

Page 290: ...ring Digest Snooping Configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs I Configuration prerequisites The switch to be configured is connected to another manufacturer s switch adopting a proprietary spanning tree protocol MSTP and the network operate...

Page 291: ...ietary spanning tree protocols must be configured with exactly the same MST region related configurations including region name revision level and VLAN to MSTI mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protocols in the same MST region z When the digest snooping feature is enabled ...

Page 292: ...designated ports in RSTP and MSTP Figure 1 6 The RSTP rapid transition mechanism Figure 1 7 The MSTP rapid transition mechanism The cooperation between MSTP and RSTP is limited in the process of rapid transition For example when the upstream switch adopts RSTP the downstream switch adopts MSTP and the downstream switch does not support RSTP compatible mode the root port on the downstream switch re...

Page 293: ...ckets to their upstream ports after they receive proposal packets from the upstream designated ports instead of waiting for agreement packets from the upstream switch This enables designated ports of the upstream switch to change their states rapidly 1 8 2 Configuring Rapid Transition I Configuration prerequisites As shown in Figure 1 8 a H3C series switch is connected to another manufacturer s sw...

Page 294: ...pid transition feature stp no agreement check Required By default the rapid transition feature is disabled on a port Note z The rapid transition feature can be enabled on only root ports or alternate ports z If you configure the rapid transition feature on a designated port the feature does not take effect on the port 1 9 Configuring VLAN VPN Tunnel 1 9 1 Introduction Note Only the S3100 SI series...

Page 295: ...work Network A Network B Customer networks Service provider network Packet input output device Packet input output device Figure 1 9 VLAN VPN tunnel network hierarchy 1 9 2 Configuring VLAN VPN tunnel Table 1 45 Configure VLAN VPN tunnel Operation Command Description Enter system view system view Enable MSTP globally stp enable Enable the VLAN VPN tunnel function globally vlan vpn tunnel Required ...

Page 296: ...n check the status changes of those ports through alarm information 1 10 2 Enabling Log Trap Output for Ports of MSTP Instance Table 1 46 Enable log trap output for ports of MSTP instance Operation Command Description Enter system view system view Enable log trap output for the ports of a specified instance stp instance instance id portlog Required By default log trap output is disabled for the po...

Page 297: ...sages conforming to 802 1d standard Operation Command Description Enter system view system view Enable trap messages conforming to 802 1d standard in an instance stp instance instance id dot1d trap newroot topologychange enable Required II Configuration example Enable a switch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root brid...

Page 298: ... VLANs to be forwarded along different spanning tree instances The detailed configurations are as follows z All switches in the network belong to the same MST region z Packets of VLAN 10 VLAN 30 VLAN 40 and VLAN 20 are forwarded along spanning tree instance 1 instance 3 instance 4 and instance 0 respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch...

Page 299: ...evel 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch A as the root bridge of spanning tree instance 1 Sysname stp instance 1 root primary 2 Configure Switch B Enter MST region view Sysname system view Sysname stp region configuration Configure the region name VLAN to MSTI mapping table and revision level for the MST region Sysname ms...

Page 300: ...uration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration 1 14 VLAN VPN tunnel Configuration Example I Network requirements z Switch C and S...

Page 301: ...MSTP Sysname system view Sysname stp enable Add Ethernet 1 0 1 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port Ethernet1 0 1 2 Configure Switch B Enable MSTP Sysname system view Sysname stp enable Add Ethernet 1 0 1 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port Ethernet1 0 1 3 Configure Switch C Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn...

Page 302: ...t1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add GigabitEthernet 1 0 2 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port GigabitEthernet1 0 2 Enable the VLAN VPN function on it Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port access vlan 10 Sysname GigabitE...

Page 303: ...f IGMP Snooping 2 1 2 1 2 Basic Concepts in IGMP Snooping 2 2 2 1 3 Work Mechanism of IGMP Snooping 2 3 2 2 IGMP Snooping Configuration 2 5 2 2 1 Enabling IGMP Snooping 2 5 2 2 2 Configuring the Version of IGMP Snooping 2 6 2 2 3 Configuring Timers 2 7 2 2 4 Configuring Fast Leave Processing 2 7 2 2 5 Configuring a Multicast Group Filter 2 9 2 2 6 Configuring the Maximum Number of Multicast Groups...

Page 304: ...Common Multicast Configuration 3 1 3 1 Common Multicast Configuration 3 1 3 1 1 Configuring Suppression on the Multicast Source Port 3 1 3 1 2 Configuring a Multicast MAC Address Entry 3 2 3 1 3 Configuring Dropping Unknown Multicast Packets 3 3 3 2 Displaying Common Multicast Configuration 3 3 ...

Page 305: ...he network packets are sent in three modes unicast broadcast and multicast The following sections describe and compare data interaction processes in unicast broadcast and multicast 1 1 1 Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user...

Page 306: ...formation no matter the information is needed or not Figure 1 2 shows information transmission in broadcast mode Source Server Receiver Receiver Receiver Host A Host B Host C Host D Host E Packets for all the network Figure 1 2 Information transmission in the broadcast mode Assume that Hosts B D and E need the information The source server broadcasts this information through routers and Hosts A an...

Page 307: ...rest nodes as shown in Figure 1 3 Source Server Receiver Receiver Receiver Host A Host B Host C Host D Host E Packets for the multicast group Figure 1 3 Information transmission in the multicast mode Assume that Hosts B D and E need the information To transmit the information to the right users it is necessary to group Hosts B D and E into a receiver set The routers on the network duplicate and di...

Page 308: ...transmission of TV programs as shown in Table 1 1 Table 1 1 An analogy between TV transmission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmits a TV program through a television channel A multicast source sends multicast data to a multicast group 2 A user tunes the TV set to the channel A receiver joins the multicast group 3 The user starts to watch t...

Page 309: ... 2 Multicast Models Based on the multicast source processing modes there are three multicast models z Any Source Multicast ASM z Source Filtered Multicast SFM z Source Specific Multicast SSM I ASM model In the ASM model any sender can become a multicast source and send information to a multicast group numbers of receivers can join a multicast group identified by a group address and obtain multicas...

Page 310: ... should the receivers receive information from z Multicast addressing mechanism Where should the multicast source transports information z Multicast routing How is information transported IP multicast is a kind of peer to peer service Based on the protocol layer sequence from bottom to top the multicast mechanism contains addressing mechanism host registration multicast routing and multicast appli...

Page 311: ...ata packet is transported hop by hop from the source address to the destination address In an IP multicast environment there are a group of destination addresses called group address rather than one address All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the receivers All the members in this group can receive the data pac...

Page 312: ... local use only As specified by IANA the IP addresses ranging from 224 0 0 0 to 224 0 0 255 are reserved for network protocols on local networks The following table lists commonly used reserved IP multicast addresses Table 1 3 Reserved IP multicast addresses Class D address range Description 224 0 0 1 Address of all hosts 224 0 0 2 Address of all multicast routers 224 0 0 3 Unassigned 224 0 0 4 Di...

Page 313: ...n MAC address is the MAC address of the receiver When a multicast packet is transported in an Ethernet network a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members As stipulated by IANA the high order 24 bits of a multicast MAC address are 0x01005e while the low order 23 bits of a MAC address are the low order 23 bits of ...

Page 314: ...ions of the Layer 2 and Layer 3 multicast protocols in a network For details about these protocols refer to the related chapters of this manual I Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 5 describes where these multicast protocols are in a network AS 1 AS 2 Source Receiver Receiver Receiver PIM PIM...

Page 315: ...arding mechanism PIM comes in two modes dense mode often referred to as PIM DM and sparse mode often referred to as PIM SM z An inter domain multicast routing protocol is used for delivery of multicast information between two ASs So far mature solutions include multicast source discovery protocol MSDP For the SSM model multicast routes are not divided into inter domain routes and intra domain rout...

Page 316: ...echanism is the basis for most multicast routing protocols to implement multicast forwarding The RPF mechanism enables multicast devices to forward multicast packets correctly based on the multicast route configuration In addition the RPF mechanism also helps avoid data loops caused by various reasons 1 4 1 Implementation of the RPF Mechanism Upon receiving a multicast packet that a multicast sour...

Page 317: ... independently maintain any type of unicast route instead it relies on the existing unicast routing information in creating multicast routing entries When performing an RPF check a router searches its unicast routing table The specific process is as follows The router automatically chooses an optimal unicast route by searching its unicast routing table using the IP address of the packet source as ...

Page 318: ... 192 168 0 0 24 is VLAN interface 2 This means that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives to VLAN interface 2 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C The router performs an RPF check and finds in its u...

Page 319: ...ese mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 However multicast packets for unknown multicast groups are still broadcast at Layer 2 Multic...

Page 320: ... IGMP querier side of the Ethernet switch In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports A switch registers all its local router ports in its router port list z Member port A member port is a port on the multicast group member side of the Ethernet switch In the figure Ethernet 1 0 2 and Ethernet 1 0 3 of Switch A and Ethernet 1 0 2 of Switch B are member p...

Page 321: ...t is a router port existing in its router port list the switch resets the aging timer of this router port z If the receiving port is not a router port existing in its router port list the switch adds it into its router port list and sets an aging timer for this router port II When receiving a membership report A host sends an IGMP report to the multicast router in the following circumstances z Upo...

Page 322: ...N Because the switch does not know whether any other member hosts of that multicast group still exists under the port to which the IGMP leave message arrived the switch does not immediately delete the forwarding entry corresponding to that port from the forwarding table instead it resets the aging timer of the member port Upon receiving the IGMP leave message from a host the IGMP querier resolves ...

Page 323: ... Required Configuring the Version of IGMP Snooping Optional Configuring Timers Optional Configuring Fast Leave Processing Optional Configuring a Multicast Group Filter Optional Configuring the Maximum Number of Multicast Groups on a Port Optional Configuring IGMP Snooping Querier Optional Configuring Static Member Port for a Multicast Group Optional Configuring a Static Router Port Optional Config...

Page 324: ...r queries For details see Configuring a VLAN Tag for Query Messages 2 2 2 Configuring the Version of IGMP Snooping With the development of multicast technologies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive or reject the information from a specific multicast source Working with PIM SSM IGMPv3 ena...

Page 325: ...ast member ports Table 2 5 Configure timers Operation Command Remarks Enter system view system view Configure the aging timer of the router port igmp snooping router aging time seconds Optional By default the aging time of the router port is 105 seconds Configure the aging timer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast membe...

Page 326: ...ult the fast leave processing feature is disabled Note z The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3 z The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The configuration...

Page 327: ... be sent to this port In this way the service provider can control the VOD programs provided for multicast users Make sure that an ACL rule has been configured before configuring this feature I Configuring a multicast group filter in system view Table 2 8 Configure a multicast group filter in system view Operation Command Remarks Enter system view system view Configure a multicast group filter igm...

Page 328: ...s z The configuration performed in Ethernet port view takes effect on the port no matter which VLAN it belongs to if no VLAN is specified if one or more VLANs are specified the configuration takes effect on the port only if the port belongs to the specified VLAN s 2 2 6 Configuring the Maximum Number of Multicast Groups on a Port By configuring the maximum number of multicast groups that can be jo...

Page 329: ...ng IGMP a multicast router or Layer 3 multicast switch is responsible for sending IGMP general queries so that all Layer 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multicast switch does not support IGMP and therefore cannot send ge...

Page 330: ...Port for a Multicast Group If the host connected to a port is interested in the multicast data for a specific group you can configure that port as a static member port for that multicast group I In Ethernet port view Table 2 12 Configure a static multicast group member port in Ethernet port view Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface ty...

Page 331: ...gure a static router port in Ethernet port view Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the current port as a static router port multicast static router port vlan vlan id Required By default no static router port is configured II In VLAN view Table 2 15 Configure a static router port in VLAN view Operation...

Page 332: ...sends the same IGMP report to itself to ensure that the IGMP entry does not age out z When the simulated joining function is disabled on an Ethernet port the simulated host sends an IGMP leave message Therefore to ensure that IGMP entries will not age out the port must receive IGMP general queries periodically Table 2 16 Configure a port as a simulated group member Operation Command Remarks Enter ...

Page 333: ... is in effect 2 2 12 Configuring Multicast VLAN In traditional multicast implementations when users in different VLANs listen to the same multicast group the multicast data is copied on the multicast router for each VLAN that contains receivers This is a big waste of network bandwidth In an IGMP Snooping environment by configuring a multicast VLAN and adding ports to the multicast VLAN you can all...

Page 334: ...ify the VLANs to be allowed to pass the Ethernet port port trunk permit vlan vlan list Required The multicast VLAN defined on the Layer 2 switch must be included and the port must be configured to forward tagged packets for the multicast VLAN if the port type is hybrid Table 2 19 Configure multicast VLAN on the Layer 2 switch Operation Command Remarks Enter system view system view Enable IGMP Snoo...

Page 335: ... packets for the multicast VLAN Note z One port can belong to only one multicast VLAN z The port connected to a user terminal must be a hybrid port z The multicast member ports must be in the same VLAN with the router port Otherwise the multicast member port cannot receive multicast packets z If a router port is in a multicast VLAN the router port must be configured as a trunk port or a hybrid por...

Page 336: ...s in any view Clear IGMP Snooping statistics reset igmp snooping statistics You can execute the reset command in user view 2 4 IGMP Snooping Configuration Examples 2 4 1 Configuring IGMP Snooping I Network requirements To prevent multicast traffic from being flooded at Layer 2 enable IGMP snooping on Layer 2 switches z As shown in Figure 2 3 Router A connects to a multicast source Source through E...

Page 337: ...ask for each interface as per Figure 2 3 The detailed configuration steps are omitted 2 Configure Router A Enable IP multicast routing enable PIM DM on each interface and enable IGMP on Ethernet1 0 1 RouterA system view RouterA multicast routing enable RouterA interface Ethernet 1 0 1 RouterA Ethernet1 0 1 igmp enable RouterA Ethernet1 0 1 quit RouterA interface Ethernet 1 0 2 RouterA Ethernet1 0 ...

Page 338: ...24 1 1 1 Static host port s Dynamic host port s Ethernet1 0 3 Ethernet1 0 4 MAC group s MAC group address 0100 5e01 0101 Host port s Ethernet1 0 3 Ethernet1 0 4 As shown above the multicast group 224 1 1 1 is established on Switch A with the dynamic router port Ethernet1 0 1 and dynamic member ports Ethernet1 0 3 and Ethernet1 0 4 This means that Host A and Host B have joined the multicast group 2...

Page 339: ... User 1 Host A is connected to Ethernet 1 0 1 on Switch B Host B User 2 Host B is connected to Ethernet 1 0 2 on Switch B In this configuration example you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports The following text describes the configuration details You can also configure these ports as trunk ports The configuration procedure is omitted here Fo...

Page 340: ...VLAN 10 SwitchA interface Ethernet 1 0 10 SwitchA Ethernet1 0 10 port link type hybrid SwitchA Ethernet1 0 10 port hybrid vlan 10 tagged SwitchA Ethernet1 0 10 quit Configure the interface IP address of VLAN 10 as 168 10 2 1 and enable PIM DM and IGMP SwitchA interface Vlan interface 10 SwitchA Vlan interface10 ip address 168 10 2 1 255 255 255 0 SwitchA Vlan interface10 igmp enable 2 Configure Sw...

Page 341: ...rnet1 0 2 port link type hybrid SwitchB Ethernet1 0 2 port hybrid vlan 3 10 untagged SwitchB Ethernet1 0 2 port hybrid pvid vlan 3 SwitchB Ethernet1 0 2 quit 2 5 Troubleshooting IGMP Snooping Symptom Multicast function does not work on the switch Solution Possible reasons are 1 IGMP Snooping is not enabled z Use the display current configuration command to check the status of IGMP Snooping z If IG...

Page 342: ...ce port suppression Some users may deploy unauthorized multicast servers on the network This affects the use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppression on certain ports to prevent unauthorized multicast servers attached to these ports from sending multicast traffic to the network I Conf...

Page 343: ...ss entry by configuring a multicast MAC address entry manually Generally when receiving a multicast packet for a multicast group not yet registered on the switch the switch will flood the packet within the VLAN to which the port belongs You can configure a static multicast MAC address entry to avoid this Table 3 4 Configure a multicast MAC address entry in system view Operation Command Remarks Ent...

Page 344: ...n do that if IGMP Snooping is not enabled in the VLAN 3 1 3 Configuring Dropping Unknown Multicast Packets Generally if the multicast address of the multicast packet received on the switch is not registered on the local switch the packet will be flooded in the VLAN When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address ...

Page 345: ...ion Operation Command Remarks Display the statistics information about multicast source port suppression display multicast source deny interface interface type interface number Display the created multicast MAC table entries display mac address multicast static mac address vlan vlan id vlan vlan id count count These commands can be executed in any view ...

Page 346: ...iguring Proxy Checking 1 18 1 4 2 Configuring Client Version Checking 1 19 1 4 3 Enabling DHCP triggered Authentication 1 20 1 4 4 Configuring Guest VLAN 1 20 1 4 5 Configuring 802 1x Re Authentication 1 21 1 4 6 Configuring the 802 1x Re Authentication Timer 1 21 1 5 Displaying and Debugging 802 1x 1 22 1 6 Configuration Example 1 23 1 6 1 802 1x Configuration Example 1 23 Chapter 2 Quick EAD Dep...

Page 347: ...uard Feature 4 1 4 2 1 Configuring the System Guard Feature 4 1 4 3 Displaying and Maintaining System Guard 4 2 Chapter 5 System Guard Configuration For S3100 SI 5 1 5 1 System Guard Overview 5 1 5 2 System Guard Configuration 5 1 5 2 1 Enabling the System Guard function 5 1 5 2 2 Configuring System Guard Related Parameters 5 2 5 2 3 Enabling System Guard on Ports 5 2 5 3 Displaying and Maintainin...

Page 348: ...d when accessing the LAN 1 1 1 Architecture of 802 1x Authentication As shown in Figure 1 1 802 1x adopts a client server architecture with three entities a supplicant system an authenticator system and an authentication server system Supplicant PAE Supplicant System Services offered by Authenticator s System Authenticator PAE Authenticator System Authentication Server System Authentication Server...

Page 349: ...supplicant systems when they log into the LAN and controls the status authorized unauthorized of the controlled ports according to the authentication result z The supplicant system PAE responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system It also sends authentication requests and disconnection requests...

Page 350: ...x authentication system z EAP protocol packets transmitted between the supplicant system PAE and the authenticator system PAE are encapsulated as EAPoL packets z EAP protocol packets transmitted between the authenticator system PAE and the RADIUS server can either be encapsulated as EAP over RADIUS EAPoR packets or be terminated at system PAEs The system PAEs then communicate with RADIUS servers t...

Page 351: ...s key information 04 Indicates that the packet is an EAPoL encapsulated ASF Alert packet which is used to support the alerting messages of ASF alerting standards forum z The Length field indicates the size of the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key pac...

Page 352: ...the Data field of a Request packet or a Response packet z The Type field indicates the EAP authentication type A value of 1 indicates Identity and that the packet is used to query the identity of the peer A value of 4 represents MD5 Challenge similar to PPP CHAP and indicates that the packet includes query information z The Type Date field differs with types of Request and Response packets III New...

Page 353: ...h the authentication server Normally this mode requires that the RADIUS server support the two newly added fields the EAP message field with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security EAP TTLS tunneled transport layer security and PEAP protected extensible authentication protocol are available in the...

Page 354: ... timer Handshake request EAP Request Identity Handshake response EAP Response Identity EAPOL Logoff Port unauthorized Authenticator System PAE Figure 1 8 802 1x authentication procedure in EAP relay mode The detailed procedure is as follows z A supplicant system launches an 802 1x client to initiate an access request by sending an EAPoL start packet to the switch with its user name and password pr...

Page 355: ...acket and an EAP success packet to the switch to indicate that the supplicant system is authenticated z The switch changes the state of the corresponding port to accepted state to allow the supplicant system to access the network z The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to r...

Page 356: ...y the switch and that it is the switch that sends the user name the randomly generated key and the supplicant system encrypted password to the RADIUS server for further authentication 1 1 5 Timers Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake period ...

Page 357: ...eriod This timer sets the tx period and is triggered by the switch in two cases The first case is when the client requests for authentication The switch sends a unicast request identity packet to a supplicant system and then triggers the transmission timer The switch sends another request identity packet to the supplicant system if it does not receive the reply packet from the supplicant system wh...

Page 358: ...stem but sends no Trap packets z Sends Trap packets without disconnecting the supplicant system This function needs the cooperation of 802 1x client and a CAMS server z The 802 1x client needs to capable of detecting multiple network adapters proxies and IE proxies z The CAMS server is configured to disable the use of multiple network adapters proxies or IE proxies By default an 802 1x client prog...

Page 359: ... enables supplicant systems that are not authenticated to upgrade their 802 1x client programs With this function enabled z The switch sends authentication request EAP Request Identity packets to all the 802 1x enabled ports z After the maximum number retries have been made and there are still ports that have not sent any response back the switch will then add these ports to the Guest VLAN z Users...

Page 360: ...username and password any more z An authentication server running CAMS authenticates the username and password during re authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode PC Internet PC PC RADIUS Server Switch Figure 1 10 802 1x re authentication 802 1x re authentication can be enabled in one of the following two ways z The RADIUS server trigge...

Page 361: ... scheme Local authentication RADIUS scheme 802 1x configuration Figure 1 11 802 1x configuration z 802 1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and passwords m...

Page 362: ...ot1x interface interface list interface interface type interface number dot1x Enable 802 1x for specifie d ports In port view quit Required By default 802 1x is disabled on all ports In system view dot1x port control authorized force unauthorized force auto interface interface list interface interface type interface number dot1x port control authorized force unauthorized force auto Set port access...

Page 363: ...t z If you enable 802 1x for a port it is not available to add the port to an aggregation group Meanwhile if a port has been added to an aggregation group it is prohibited to enable 802 1x for the port z Changing the access control method on a port by the dot1x port method command will forcibly log out the online 802 1x users on the port z When a device operates as an authentication server its aut...

Page 364: ...send request packets dot1x retry max retry value Optional By default the maximum retry times to send a request packet is 2 That is the authenticator system sends a request packet to a supplicant system for up to two times by default Set 802 1x timers dot1x timer handshake period handshake period value quiet period quiet period value server timeout server timeout value supp timeout supp timeout val...

Page 365: ...xy detecting and so on z Client version checking configuration z DHCP triggered authentication z Guest VLAN configuration z 802 1x re authentication configuration z Configuration of the 802 1x re authentication timer You need to configure basic 802 1x functions before configuring the above 802 1x features 1 4 1 Configuring Proxy Checking Table 1 3 Configure proxy checking Operation Command Remarks...

Page 366: ...r system view system view In system view dot1x version check interface interface list interface interface type interface number dot1x version check Enable 802 1x client version checking In port view quit Required By default 802 1x client version checking is disabled on a port Set the maximum number of retires to send version checking request packets dot1x retry version max max retry version value ...

Page 367: ...le DHCP triggered authentication dot1x dhcp launch Required By default DHCP triggered authentication is disabled 1 4 4 Configuring Guest VLAN Table 1 6 Configure Guest VLAN Operation Command Remarks Enter system view system view Configure port access method dot1x port method portbased Required The default port access method is MAC address based That is the macbased keyword is used by default In sy...

Page 368: ...able 802 1x re authent ication on port s In port view dot1x re authenticate Required By default 802 1x re authentication is disabled on a port Note z To enable 802 1x re authentication on a port you must first enable 802 1x globally and on the port z When re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the ser...

Page 369: ...t attribute field as the re authentication interval The following introduces how to configure the 802 1x re authentication timer on the switch Table 1 8 Configure the re authentication interval Operation Command Remarks Enter system view system view Configure a re authentication interval dot1x timer reauth period reauth period value Optional By default the re authentication interval is 3 600 secon...

Page 370: ...are 10 11 1 1 and 10 11 1 2 The RADIUS server with an IP address of 10 11 1 1 operates as the primary authentication server and the secondary accounting server The other operates as the secondary authentication server and primary accounting server The password for the switch and the authentication RADIUS servers to exchange message is name And the password for the switch and the accounting RADIUS ...

Page 371: ...Create a RADIUS scheme named radius1 and enter RADIUS scheme view Sysname radius scheme radius1 Assign IP addresses to the primary authentication and accounting RADIUS servers Sysname radius radius1 primary authentication 10 11 1 1 Sysname radius radius1 primary accounting 10 11 1 2 Assign IP addresses to the secondary authentication and accounting RADIUS server Sysname radius radius1 secondary au...

Page 372: ...ify to adopt radius1 as the RADIUS scheme of the user domain If RADIUS server is invalid specify to adopt the local authentication scheme Sysname isp aabbcc net scheme radius scheme radius1 local Specify the maximum number of users the user domain can accommodate to 30 Sysname isp aabbcc net access limit enable 30 Enable the idle disconnecting function and set the related parameters Sysname isp aa...

Page 373: ...D client deployment 2 1 2 Operation of Quick EAD Deployment Quick EAD deployment is achieved with the two functions restricted access and HTTP redirection I Restricted access Before passing 802 1x authentication a user is restricted through ACLs to a specific range of IP addresses or a specific server Services like EAD client upgrading download and dynamic address assignment are available on the s...

Page 374: ...nable 802 1x on the switch z Set the access mode to auto for 802 1x enabled ports 2 2 2 Configuration Procedure I Configuring a free IP range A free IP range is an IP range that users can access before passing 802 1x authentication Table 2 1 Configure a free IP range To do Use the command Remarks Enter system view system view Configure the URL for HTTP redirection dot1x url url string Required Con...

Page 375: ...es not support port security The configured free IP range cannot take effect if you enable port security II Setting the ACL timeout period The quick EAD deployment function depends on ACLs in restricting access of users failing authentication Each online user that has not passed authentication occupies a certain amount of ACL resources After a user passes authentication the occupied ACL resources ...

Page 376: ...guration information about quick EAD deployment display dot1x sessions statistics interface interface list This command can be executed in any view 2 3 Quick EAD Deployment Configuration Examples I Network requirements A user connects to the switch directly The switch connects to the Web server and the Internet The user will be redirected to the Web server to download the authentication client and...

Page 377: ... URL server no matter what URL the user enters in the IE address bar Solution z If a user enters an IP address in a format other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the resolution fails the PC will access a specific website...

Page 378: ...0 Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration 2 6 z Check that you have configured an IP address in the free IP range for the Web server and a correct URL for redirection and that the server provides Web services properly ...

Page 379: ...switches and thus the management of the attached switches is feasible HABP is implemented by HABP server and HABP client Normally an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses of the attached switches HABP clients respond to the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on managem...

Page 380: ...s attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Table 3 2 Configure an HABP client Operation Command Remarks Enter system view system view Enable HABP habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP for it...

Page 381: ...e CPU is under attack the rate of packets to be processed in the CPU in a certain queue will exceed the threshold value In this case you can determine that the CPU is under attack Through analyzing these packets you get to know the characteristics of the attack source and then you can adopt different filtering rules according the characteristics of the attack source Thus system guard is implemente...

Page 382: ... threshold value is 200 packets Set the length of the isolation after an attack is detected system guard timer interval isolate timer Optional By default the length of the isolation after an attack is detected is 10 minutes 4 3 Displaying and Maintaining System Guard After the above configuration execute the display command in any view to display the running status of the system guard feature and ...

Page 383: ...led port exceeds the set threshold the port is regarded to be under attack The switch then limits the rate of the port and resumes port checking operation after a specific period elapses 5 2 System Guard Configuration The system guard configuration includes z Enabling the system guard function z Configuring system guard related parameters z Specifying system guard enabled ports 5 2 1 Enabling the ...

Page 384: ... guard related parameters are as follows interval time 5 seconds threshold 64 timeout 60 seconds 5 2 3 Enabling System Guard on Ports Table 5 3 lists the operations to enable system guard on ports Table 5 3 Enable system guard on ports Operation Command Description Enter system view system view Enable system guard on specified ports system guard permit interface list Required Note After system gua...

Page 385: ...aintaining the System Guard Function After the above configuration you can display and verify your configuration by performing the operation listed in Table 5 4 Table 5 4 Display and debug the system guard function Operation Command Description Display system guard configuration display system guard config This command can be executed in any view ...

Page 386: ... 2 13 2 2 2 Configuring RADIUS Authentication Authorization Servers 2 13 2 2 3 Configuring RADIUS Accounting Servers 2 14 2 2 4 Configuring Shared Keys for RADIUS Messages 2 16 2 2 5 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 17 2 2 6 Configuring the Type of RADIUS Servers to be Supported 2 18 2 2 7 Configuring the Status of RADIUS Servers 2 18 2 2 8 Configuring the A...

Page 387: ...les 2 32 2 5 1 Remote RADIUS Authentication of Telnet SSH Users 2 32 2 5 2 Local Authentication of FTP Telnet Users 2 34 2 5 3 HWTACACS Authentication and Authorization of Telnet Users 2 35 2 6 Troubleshooting AAA 2 36 2 6 1 Troubleshooting RADIUS Configuration 2 36 2 6 2 Troubleshooting HWTACACS Configuration 2 37 Chapter 3 EAD Configuration 3 1 3 1 Introduction to EAD 3 1 3 2 Typical Network App...

Page 388: ...ty Generally this method is not recommended z Local authentication User information including user name password and some other attributes is configured on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardware z Remot...

Page 389: ...nnected to the same access device may belong to different domains Since the users of different ISPs may have different attributes such as different forms of user name and password different service types access rights it is necessary to distinguish the users by setting ISP domains You can configure a set of ISP domain attributes including AAA policy RADIUS scheme and so on for each ISP domain inde...

Page 390: ...databases see Figure 1 1 z Users This database stores information about users such as user name password protocol adopted and IP address z Clients This database stores information about RADIUS clients such as shared key z Dictionary The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol Figure 1 1 Databases in a RADIUS server In addi...

Page 391: ... RADIUS server sends back to the RADIUS client an authentication response Access Accept which contains the user s authorization information If the authentication fails the server returns an Access Reject response 4 The RADIUS client accepts or denies the user depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request...

Page 392: ...nd may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this message to the client if all the attribute values carried in the Access Request message are acceptable that is the user passes the authentication 3 Access Reject Direction server client The server transmits this message to the client if any attribute v...

Page 393: ...nse from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authenticator and Response Authenticator 5 The Attributes field contains specific authentication authorization accounting information to provide the configuration details of a request or response message This field contains a list of field triplet Type Length and Value z The Type f...

Page 394: ...e 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Figure 1 4 depicts the format of attribute 26 The Vendor ID field used to identify a vendor occupies four ...

Page 395: ...le network transmission Adopts UDP Encrypts the entire message except the HWTACACS header Encrypts only the password field in authentication message Separates authentication from authorization For example you can use one TACACS server for authentication and another TACACS server for authorization Combines authentication and authorization Is more suitable for security control Is more suitable for a...

Page 396: ...er Figure 1 6 illustrates the basic message exchange procedure Figure 1 6 AAA implementation procedure for a telnet user The basic message exchange procedure is as follows 1 A user sends a login request to the switch acting as a TACACS client which then sends an authentication start request to the TACACS server 2 The TACACS server returns an authentication response asking for the username Upon rec...

Page 397: ...icating that the user has passed the authentication 7 The TACACS client sends a user authorization request to the TACACS server 8 The TACACS server returns an authorization response indicating that the user has passed the authorization 9 After receiving the response indicating an authorization success the TACACS client pushes the configuration interface of the switch to the user 10 The TACACS clie...

Page 398: ...ring a combined AAA scheme for an ISP domain Task Remarks Creating an ISP Domain and Configuring Its Attributes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configurin g an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods z You need to configure RADIUS or HWATACACS before performing RA...

Page 399: ...iguring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional AAA configuration Cutting Down User Connections Forcibly Optional 2 1 2 Creating an ISP Domain and Configuring Its Attributes Table 2 3 Create an ISP domain and configure its attributes Operation Command Remarks Enter system view system view Configure the form of the delimiter between the user name and the...

Page 400: ...ional By default the messenger function is disabled Set the self service server location function self service url disable enable url string Optional By default the self service server location function is disabled Note that z On an S3100 series switch each access user belongs to an ISP domain You can configure up to 16 ISP domains on the switch When a user logs in if no ISP domain name is carried...

Page 401: ...g an AAA Scheme for an ISP Domain You can configure either of the following AAA schemes I Configuring a combined AAA scheme You can use the scheme command to specify an AAA scheme for an ISP domain If you specify a RADIUS or HWTACACS scheme the authentication authorization and accounting will be uniformly implemented by the RADIUS or TACACS server s specified in the RADIUS or HWTACACS scheme In th...

Page 402: ...nas ip related problem no local authentication is performed otherwise local authentication is performed z If you execute the scheme local or scheme none command to adopt local or none as the primary scheme the local authentication is performed or no authentication is performed In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time z If you execute the scheme none com...

Page 403: ...ocal none Optional By default no separate authentication scheme is configured Configure a HWTACACS authentication scheme for user level switching authentication super hwtacacs scheme hwtacacs scheme name Optional By default no HWTACACS authentication scheme is configured Configure an authorization scheme for the ISP domain authorization none hwtacacs scheme hwtacacs scheme name Optional By default...

Page 404: ...ccessfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server so as to control the network resources that different users can access Currently the switch supports the following two types of assigned VLAN IDs integer and string z Integer If the RADIUS authentication server assigns integer type of VLAN IDs you can set the VLAN assignment mode to integer ...

Page 405: ... it as an integer VLAN ID the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range if it is the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID VLAN 1024 for example z To implement dynamic VLAN assignment on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port z This function ...

Page 406: ...is allowed to request network services Authorize the user to access specified type s of service service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the privilege level of the user level level Optional By default the privilege level of the user is 0 Configure the authorization VLAN for the local user author...

Page 407: ...level that a user can access after login is determined by the level of the user interface z If the clients connected to a port have different authorization VLANs only the first client passing the MAC address authentication can be assigned with an authorization VLAN The switch will not assign authorization VLANs for subsequent users passing MAC address authentication In this case you are recommende...

Page 408: ...guring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to be Sent ...

Page 409: ...nt Refer to the configuration of the RADIUS client The RADIUS service configuration is performed on a RADIUS scheme basis In an actual network environment you can either use a single RADIUS server or two RADIUS servers primary and secondary servers with the same configuration but different IP addresses in a RADIUS scheme After creating a new RADIUS scheme you should configure the IP address and UD...

Page 410: ...urations Table 2 11 Create a RADIUS scheme Operation Command Remarks Enter system view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Note A RADIUS scheme can ...

Page 411: ...ote z The authentication response sent from the RADIUS server to the RADIUS client carries authorization information Therefore you need not and cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary...

Page 412: ...t number of the secondary accounting server are 0 0 0 0 and 1813 for a newly created RADIUS scheme Enable stop accounting request buffering stop accounting buffer enable Optional By default stop accounting request buffering is enabled Set the maximum number of transmission attempts of a buffered stop accounting request retry stop accounting retry times Optional By default the system tries at most ...

Page 413: ...he number of continuously failed real time accounting requests to the RADIUS server reaches the set maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 respectively z Currently RADIUS does not support the accounting of FTP users 2 2 4 Configuring Shared Keys for RADIUS M...

Page 414: ...is protocol uses UDP packets to carry its data Therefore it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the switch gets no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Table 2 15 Configure the maximum transmission atte...

Page 415: ...ect extended as the server type in a RADIUS scheme 2 2 7 Configuring the Status of RADIUS Servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate with the primary server due to some server trouble the switch will turn to the secondary server and exchange messages with the secondary server After...

Page 416: ...tive Optional By default the RADIUS servers specified with IP addresses in the RADIUS scheme are all in the active state 2 2 8 Configuring the Attributes of Data to be Sent to RADIUS Servers Table 2 18 Configure the attributes of data to be sent to RADIUS servers Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Requi...

Page 417: ...ormat command is designed for you to specify whether or not ISP domain names are carried in the user names to be sent to RADIUS server z For a RADIUS scheme if you have specified to remove ISP domain names from user names you should not use this RADIUS scheme in more than one ISP domain Otherwise such errors may occur the RADIUS server regards two different users having the same name but belonging...

Page 418: ...ddresses of the servers must be set to the addresses of this switch z The message encryption key set by the local server nas ip ip address key password command must be identical with the authentication authorization message encryption key set by the key authentication command in the RADIUS scheme view of the RADIUS scheme on the specified NAS that uses this switch as its authentication server z Th...

Page 419: ...e time restores the status of the primary server to active while keeping the status of the secondary server unchanged To control the interval at which users are charged in real time you can set the real time accounting interval After the setting the switch periodically sends online users accounting information to RADIUS server at the set interval Table 2 20 Set timers for RADIUS servers Operation ...

Page 420: ...n applies only to the environment where the RADIUS authentication authorization and accounting server is CAMS In an environment that a CAMS server is used to implement AAA functions if the switch reboots after an exclusive user a user whose concurrent online number is set to 1 on the CAMS gets authenticated and authorized and begins being charged the switch will give a prompt that the user has alr...

Page 421: ... send the Accounting On message any more Note The switch can automatically generate the main attributes NAS ID NAS IP address and session ID contained in Accounting On messages However you can also manually configure the NAS IP address with the nas ip command If you choose to manually configure the attribute be sure to configure an appropriate valid IP address If this attribute is not configured t...

Page 422: ...g the TACACS client Configuring the Timers Regarding TACACS Servers Optional Configuring the TACACS server Refer to the configuration of TACACS servers 2 3 1 Creating a HWTACACS Scheme The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Table 2 24 Create a HWTACACS scheme ...

Page 423: ... port number of the secondary TACACS authentication server secondary authentication ip address port Optional By default the IP address of the secondary authentication server is 0 0 0 0 and the port number is 0 Caution z You are not allowed to configure the same IP address for both primary and secondary authentication servers If you do this the system will prompt that the configuration fails z You ...

Page 424: ... you do this the system will prompt that the configuration fails z You can remove a server only when it is not used by any active TCP connection for sending authorization messages 2 3 4 Configuring TACACS Accounting Servers Table 2 27 Configure TACACS accounting servers Operation Command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme hwtacacs sche...

Page 425: ... 5 Configuring Shared Keys for HWTACACS Messages When using a TACACS server as an AAA server you can set a key to improve the communication security between the switch and the TACACS server The TACACS client and server adopt MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties The two parties verify the validity of the HWTACACS messages received from each ot...

Page 426: ...mega byte Set the units of data flows to TACACS servers data flow format packet giga packet kilo packet mega packet one packet Optional By default in a TACACS scheme the data unit and packet unit for outgoing HWTACACS flows are byte and one packet respectively HWTACACS scheme view nas ip ip address Set the source IP address of outgoing HWTACACS messages System view hwtacacs nas ip ip address Optio...

Page 427: ...ary server to active Set the real time accounting interval timer realtime accounting minutes Optional By default the real time accounting interval is 12 minutes Caution z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting the switch periodically sends online users accounting information to the TACACS server at the set inte...

Page 428: ...me You can execute the display command in any view Table 2 32 Display and maintain RADIUS protocol information Operation Command Remarks Display RADIUS message statistics about local RADIUS authentication server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius scheme radius scheme name Display RADIUS message statistics displa...

Page 429: ...ples 2 5 1 Remote RADIUS Authentication of Telnet SSH Users Note The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users The following text only takes Telnet users as example to describe the configuration procedure for remote authentication I Network requirements In the network environment shown in Figure 2 1 you are required to confi...

Page 430: ...uthentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Configure an ISP domain Sysname domain cams Sysname isp cams access limit enable 10 Sysname isp cams quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname r...

Page 431: ...twork requirements In the network environment shown in Figure 2 2 you are required to configure the switch so that the Telnet users logging into the switch are authenticated locally II Network diagram Figure 2 2 Local authentication of Telnet users III Configuration procedure Method 1 Using local authentication scheme Enter system view Sysname system view Adopt AAA authentication for Telnet users ...

Page 432: ... shared key for the network access server to 127 0 0 1 and aabbcc respectively z Configure local users 2 5 3 HWTACACS Authentication and Authorization of Telnet Users I Network requirements You are required to configure the switch so that the Telnet users logging into the switch are authenticated and authorized by the TACACS server A TACACS server with IP address 10 110 91 164 is connected to the ...

Page 433: ...itch and the RADIUS server of the ISP exchange user information with each other Symptom 1 User authentication authorization always fails Possible reasons and solutions z The user name is not in the userid isp name or userid isp name format or the default ISP domain is not correctly specified on the switch Use the correct user name format or set a default ISP domain on the switch z The user is not ...

Page 434: ...DIUS server Symptom 3 The user passes the authentication and gets authorized but the accounting information cannot be transmitted to the RADIUS server Possible reasons and solutions z The accounting port number is not properly set Be sure to set a correct port number for RADIUS accounting z The switch requests that both the authentication authorization server and the accounting server use the same...

Page 435: ...ol their access rights With EAD a switch z Verifies the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as valid z Dynamically adjusts the VLAN rate packet scheduling priority and access control list ACL for user terminals according to session control packets ...

Page 436: ...pliant with the required security standard the security policy server reissues an ACL to the switch which then assigns access right to the client so that the client can access more network resources 3 3 EAD Configuration The EAD configuration includes z Configuring the attributes of access users such as user name user type and password For local authentication you need to configure these attribute...

Page 437: ...requirements In Figure 3 2 z A user is connected to Ethernet 1 0 1 on the switch z The user adopts 802 1x client supporting EAD extended function z You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD control on users The following are the configuration tasks z Connect the RADIUS authentication server 10 110 91 164 and ...

Page 438: ... Configuration Configure a domain Sysname system view Sysname domain system Sysname isp system quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams accounting optional Sysname radius cams key authentication expert Sysname radius cams server type extended Configure the IP address of the security policy server Sys...

Page 439: ...Authentication Timers 1 2 1 2 2 Quiet MAC Address 1 2 1 3 Configuring Basic MAC Authentication Functions 1 3 1 4 MAC Address Authentication Enhanced Function Configuration 1 4 1 4 1 MAC Address Authentication Enhanced Function Configuration Tasks 1 4 1 4 2 Configuring a Guest VLAN 1 5 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port 1 7 1 4 4 Config...

Page 440: ...ts on the total number of user names are the matching criterion for successful authentication For details refer to AAA of this manual for information about local user attributes 1 1 1 Performing MAC Authentication on a RADIUS Server When authentications are performed on a RADIUS server the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server z In MA...

Page 441: ...AC authentication the switch does not initiate any MAC authentication of the user during a period defined by this timer z Server timeout timer During authentication of a user if the switch receives no response from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network 1 2 2 Quiet MAC Address When a user fa...

Page 442: ...er method Disabled by default Set the user name in MAC address mode for MAC authentication mac authentication authmode usernameasmacaddress usernameformat with hyphen without hyphen lowercase uppercase fixedpassword password Optional By default the MAC address of a user is used as the user name Set the user name in fixed mode for MAC authenticati on mac authentication authmode usernamefixed Config...

Page 443: ...t you cannot configure port security through the port security enable command on that port and vice versa z You can configure MAC authentication on a port before enabling it globally However the configuration will not take effect unless MAC authentication is enabled globally 1 4 MAC Address Authentication Enhanced Function Configuration 1 4 1 MAC Address Authentication Enhanced Function Configurat...

Page 444: ...egal users from accessing the network In some cases if the clients failing in the authentication are required to access some restricted resources in the network such as the virus library update server you can use the Guest VLAN You can configure a Guest VLAN for each port of the switch When a client connected to a port fails in MAC address authentication this port will be added into the Guest VLAN...

Page 445: ...sers on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in the VLAN that the port allows to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is packets can be forwarded to the VLANs other than the Guest VLAN through the trunk port and the hybrid port even users fail to pass authentication Table 1 3 Confi...

Page 446: ... VLAN and then configure a new Guest VLAN for this port z 802 1x authentication cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC authentication does not take effect when port security is enabled 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authenticati...

Page 447: ...nnected to this port will be set as a quiet MAC address if its authentication fails When this function is disabled the MAC address will not become quiet no matter whether the authentication is failed Table 1 5 Configure the quiet MAC function on a port Operation Command Description Enter system view system view Eneter Ethernet port view interface interface type interface number Configure quiet MAC...

Page 448: ...ication performed is locally and the MAC address of the PC 00 0d 88 f6 44 c1 is used as both the user name and password II Network Diagram Figure 1 1 Network diagram for MAC authentication configuration III Configuration Procedure Enable MAC authentication on port Ethernet 1 0 2 Sysname system view Sysname mac authentication interface Ethernet 1 0 2 Set the user name in MAC address mode for MAC au...

Page 449: ... quit Specify aabbcc net as the ISP domain for MAC authentication Sysname mac authentication domain aabbcc net Enable MAC authentication globally This is usually the last step in configuring access control related features Otherwise a user may be denied of access to the networks because of incomplete configuaration Sysname mac authentication After doing so your MAC authentication configuration wil...

Page 450: ... 5 1 1 7 Introduction to ARP Packet Rate Limit 1 6 1 1 8 Introduction to Gratuitous ARP 1 7 1 2 ARP Configuration 1 7 1 2 1 Configuring ARP Basic Functions 1 7 1 2 2 Configuring ARP Source MAC Address Consistency Check 1 8 1 2 3 Configuring ARP Attack Detection 1 8 1 2 4 Configuring the ARP Packet Rate Limit Function 1 10 1 3 Gratuitous ARP Packet Configuration 1 11 1 4 Displaying and Debugging AR...

Page 451: ...or example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address Note Unless otherwise stated a data link layer address in this chapter refers to a 48 bit Ethernet MAC address 1 1 2 ARP Message Format ARP messages are classified as ARP request messages and ARP reply messages Figure 1 1 illustrates the format of these two ...

Page 452: ... 1 1 Description on the fields of an ARP packet Field Description Hardware Type Type of the hardware interface Refer to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length of protocol address Protocol address length in bytes Operator Indicates the t...

Page 453: ...ch host in an Ethernet maintains an ARP table where the latest used IP address to MAC address mapping entries are stored S3100 series Ethernet switches provide the display arp command to display the information about ARP mapping entries ARP entries in an S3100 series Ethernet switch can either be static entries or dynamic entries as described in Table 1 3 Table 1 3 ARP entries ARP entry Generation...

Page 454: ...st is sent in broadcast mode all hosts on this subnet can receive the request but only the requested host namely Host B will process the request 3 Host B compares its own IP address with the destination IP address in the ARP request If they are the same Host B saves the source IP address and source MAC address into its ARP mapping table encapsulates its MAC address into an ARP reply and unicasts t...

Page 455: ...tack According to the ARP design after receiving an ARP response a host adds the IP to MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one This can reduce the ARP traffic in the network but it also makes ARP spoofing possible In Figure 1 3 Host A communicates with Host C through a switch To intercept the traffic between Host A and Host C the hacker Host...

Page 456: ...the ARP restricted forwarding function enabled ARP request packets are forwarded through trusted ports only ARP response packets are forwarded according to the MAC addresses in the packets or through trusted ports if the MAC address table contains no such destination MAC addresses 1 1 7 Introduction to ARP Packet Rate Limit To prevent the man in the middle attack a switch enabled with the ARP atta...

Page 457: ...es z Trigger other network devices to update its hardware address stored in their caches The gratuitous ARP packet learning function When the gratuitous ARP packet learning function is enabled on a switch and the switch receives a gratuitous ARP packet the switch can add the information carried in the packet to its own dynamic ARP mapping table if it finds no corresponding ARP entry for the ARP pa...

Page 458: ...t must be the ID of an existing VLAN and the port identified by the interface type and interface number arguments must belong to the VLAN z Currently static ARP entries cannot be configured on the ports of an aggregation group 1 2 2 Configuring ARP Source MAC Address Consistency Check Table 1 5 Configure ARP Source MAC Address Consistency Check To do Use the command Remarks Enter system view syste...

Page 459: ...tion function arp detection enable Required By default ARP attack detection is disabled on all ports Quit to system view quit Enter Ethernet port view interface interface type interface number Configure the port as an ARP trusted port arp detection trust Optional By default a port is an untrusted port Quit to system view quit Enter VLAN view vlan vlan id Enable ARP restricted forwarding arp restri...

Page 460: ... IP to MAC bindings z When you use the ARP attack detection in cooperation with VLAN mapping you need to enable ARP attack detection in both the original VLAN and the mapped VLAN For more information about VLAN mapping refer to VLAN VPN Operation in this manual z You are not recommended to configure ARP attack detection on the ports of an aggregation group 1 2 4 Configuring the ARP Packet Rate Lim...

Page 461: ...ket Operation Command Remarks Enter system view system view Enable the gratuitous ARP packet learning function gratuitous arp learning enable Required By default the gratuitous ARP packet learning function is disabled Note The sending of gratuitous ARP packets is enabled as long as an S3100 switch operates No command is needed for enabling this function That is the device sends gratuitous ARP pack...

Page 462: ...ied port display arp detection statistics interface interface type interface number Display the setting of the ARP aging timer display arp timer aging Available in any view Clear specific ARP entries reset arp dynamic static interface interface type interface number Available in user view 1 5 ARP Configuration Example 1 5 1 ARP Basic Configuration Example I Network requirement z Disable ARP entry ...

Page 463: ...le attacks and specify Ethernet1 0 1 as the ARP trusted port z Enable the ARP packet rate limit function on Ethernet1 0 2 and Ethernet1 0 3 of Switch A so as to prevent Client A and Client B from attacking Switch A through ARP traffic z Enable the port state auto recovery function on the ports of Switch A and set the recovery interval to 200 seconds II Network diagram Figure 1 4 ARP attack detecti...

Page 464: ...2 SwitchA Ethernet1 0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 SwitchA Ethernet1 0 2 quit Enable the ARP packet rate limit function on Ethernet1 0 3 and set the maximum ARP packet rate allowed on the port to 50 pps SwitchA interface Ethernet1 0 3 SwitchA Ethernet1 0 3 arp rate limit enable SwitchA Ethernet1 0 3 arp rate limit 50 SwitchA Ethernet1 0 3 quit Configure the port ...

Page 465: ... 2 Configuring DHCP Snooping Trusted Untrusted Ports 2 7 2 3 Configuring Unauthorized DHCP Server Detection 2 8 2 3 1 Configuring DHCP Snooping to Support Option 82 2 9 2 3 2 Configuring IP Filtering 2 13 2 4 Displaying DHCP Snooping Configuration 2 14 2 5 DHCP Snooping Configuration Example 2 15 2 5 1 DHCP Snooping Option 82 Support Configuration Example 2 15 2 5 2 Unauthorized DHCP Server Detect...

Page 466: ...Operation Manual DHCP H3C S3100 Series Ethernet Switches Table of Contents ii 4 5 Displaying DHCP BOOTP Client Configuration 4 3 ...

Page 467: ...nd requests to DHCP servers for configuration parameters and the DHCP servers return the corresponding configuration information such as IP addresses to implement dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 1 1 Figure 1 1 Typical DHCP application 1 2 DHCP IP Address Assignment 1 2 1 IP A...

Page 468: ...s an IP address If more than one DHCP server sends DHCP OFFER packets to the DHCP client the DHCP client only accepts the DHCP OFFER packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge In this phase the DHCP servers acknowledge the IP address Upon receiving the DHCP REQUEST packet only the selected DH...

Page 469: ... with a DHCP NAK packet to notify the DHCP client that the IP address will be reclaimed when the lease time expires If the DHCP client fails to update its IP address lease when half of the lease time elapses it will update its IP address lease by broadcasting a DHCP REQUEST packet to the DHCP servers again when seven eighths of the lease time elapses The DHCP server performs the same operations as...

Page 470: ...of a DHCP client z yiaddr IP address that the DHCP server assigns to a client z siaddr IP address of the DHCP server z giaddr IP address of the first DHCP relay agent that the DHCP client passes after it sent the request packet z chaddr Hardware address of the DHCP client z sname Name of the DHCP server z file Path and name of the boot configuration file that the DHCP server specifies for the DHCP...

Page 471: ...CP snooping function which listens DHCP broadcast packets Figure 2 1 illustrates a typical network diagram for DHCP snooping application where Switch A is an S3100 series Ethernet switch DHCP Client Switch A DHCP Snooping DHCP Client DHCP Client DHCP Client Switch B DHCP Relay Internet Eth1 0 2 Eth1 0 1 DHCP Server Figure 2 1 Typical network diagram for DHCP snooping application On S3100 SI series...

Page 472: ... do not support the DHCP snooping trusted port function due to limited ACL resources however they provide the unauthorized DHCP server detection feature to guard against network troubles caused by unauthorized DHCP servers or prevent an attacker from assigning IP addresses to clients as a valid DHCP server After you enable this feature on a downstream port which is connected to DHCP clients direct...

Page 473: ... Padding content and frame format of Option 82 There is no specification for what should be padded in Option 82 Manufacturers can pad it as required By default the sub options of Option 82 for S3100 EI Series Ethernet Switches enabled with DHCP snooping are padded as follows z sub option 1 circuit ID sub option Padded with the port index smaller than the physical port number by 1 and VLAN ID of th...

Page 474: ...D or Remote ID sub option does not contain the two byte type and length fields of the circuit ID or remote ID Figure 2 4 Standard format of the circuit ID sub option Figure 2 5 Standard format of the remote ID sub option III Mechanism of DHCP snooping Option 82 With DHCP snooping and DHCP snooping Option 82 support enabled when the DHCP snooping device receives a DHCP client s request containing O...

Page 475: ...ng device will add the option field with the configured sub option and then forward the packet For details see Table 2 2 Table 2 2 Ways of handling a DHCP packet without Option 82 Sub option configuration The DHCP Snooping device will Neither of the two sub options is configured Forward the packet after adding Option 82 with the default contents The format of Option 82 is the one specified with th...

Page 476: ... to which the port belongs to These records are saved as entries in the DHCP snooping table II IP static binding table The DHCP snooping table only records information about clients that obtains IP address dynamically through DHCP If a fixed IP address is configured for a client the IP address and MAC address of the client cannot be recorded in the DHCP snooping table Consequently this client cann...

Page 477: ...g is enabled on an S3100 Ethernet switch clients connected with this switch cannot obtain IP addresses dynamically through BOOTP z You are not recommended to configure both the DHCP snooping and selective Q in Q function on an S3100 EI switch which may result in the DHCP snooping to function abnormally 2 2 2 Configuring DHCP Snooping Trusted Untrusted Ports Table 2 4 Configure DHCP Snooping Truste...

Page 478: ...the DHCP clients must be in the same VLAN 2 3 Configuring Unauthorized DHCP Server Detection Note Only the S3100 SI series among S3100 series switches support the unauthorized DHCP server detection Table 2 5 Configure unauthorized DHCP server detection Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable unauthorized ...

Page 479: ...AC address for DHCP DISCOVER messages the IGMP snooping function cannot learn router interfaces through PIM messages For information about router interfaces refer to Multicast Operation 2 3 1 Configuring DHCP Snooping to Support Option 82 Note z Only the S3100 EI series among S3100 series switches support the DHCP snooping Option 82 support feature z Enable DHCP snooping and specify trusted ports ...

Page 480: ...ng policy for requests that contain Option 82 dhcp snooping information strategy drop keep replace Optional The default handling policy is replace Enter Ethernet port view interface interface type interface number Configure a handling policy for requests that contain Option 82 received on the specified interface dhcp snooping information strategy drop keep replace Optional The default policy is re...

Page 481: ...d If you have configured the circuit ID or remote ID sub option the format of the sub option is ASCII instead of the one specified with the dhcp snooping information format command IV Configure the circuit ID sub option Table 2 10 Configure the circuit ID sub option Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Config...

Page 482: ...nterfaces You can configure Option 82 as the system name sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customized character string in the ASCII format for different VLANs That is to say you can add different configuration rules for packets from differen...

Page 483: ...ation group you can use this command to configure the primary and member ports respectively When Option 82 is added however the remote ID is subject to the one configured on the primary port z The remote ID configured on a port will not be synchronized in the case of port aggregation VI Configure the padding format for Option 82 Table 2 12 Configure the padding format for Option 82 Operation Comma...

Page 484: ...er IP filtering is enabled with the mac address keyword specified on a port the mac address argument must be specified otherwise the packets sent from this IP address cannot pass the IP filtering z A static entry has a higher priority than the dynamic DHCP snooping entry that has the same IP address as the static one That is if the static entry is configured after the dynamic entry is recorded the...

Page 485: ...series ethernet switches only S3100 EI series switches support the display dhcp snooping trust and display ip source static binding commands 2 5 DHCP Snooping Configuration Example 2 5 1 DHCP Snooping Option 82 Support Configuration Example I Network requirements As shown in Figure 2 6 Ethernet1 0 5 of the switch S3100 EI is connected to the DHCP server and Ethernet1 0 1 Ethernet1 0 2 and Ethernet...

Page 486: ...itch dhcp snooping Specify Ethernet1 0 5 as the trusted port Switch interface Ethernet1 0 5 Switch Ethernet1 0 5 dhcp snooping trust Switch Ethernet1 0 5 quit Enable DHCP snooping Option 82 support Switch dhcp snooping information enable Set the remote ID sub option in Option 82 to the system name sysname of the DHCP snooping device Switch dhcp snooping information remote id sysname Set the circui...

Page 487: ...r is detected on Ethernet 1 0 3 the interface is shut down administratively z To prevent attackers from filtering the detecting DHCP DISCOVER packets specify the source MAC address for such packets as 000f e200 1111 different from the bridge MAC address of the switch on the switch II Network diagram Eth1 0 1 DHCP server Switch Eth1 0 2 Eth1 0 3 ClientA ClientB Figure 2 7 Network diagram for unauth...

Page 488: ... Ethernet1 0 3 dhcp snooping server guard method shutdown 2 5 3 IP Filtering Configuration Example I Network requirements As shown in Figure 2 8 Ethernet1 0 1 of the S3100 EI switch is connected to DHCP server and Ethernet1 0 2 is connected to Host A The IP address and MAC address of Host A are 1 1 1 1 and 0001 0001 0001 respectively Ethernet1 0 3 and Ethernet1 0 4 is connected to DHCP Client B an...

Page 489: ...ace Ethernet1 0 1 Switch Ethernet1 0 1 dhcp snooping trust Switch Ethernet1 0 1 quit Enable IP filtering on Ethernet1 0 2 Ethernet1 0 3 and Ethernet1 0 4 to filter packets based on the source IP addresses MAC addresses Switch interface Ethernet1 0 2 Switch Ethernet1 0 2 ip check source ip address mac address Switch Ethernet1 0 2 quit Switch interface Ethernet1 0 3 Switch Ethernet1 0 3 ip check sou...

Page 490: ...Operation Manual DHCP H3C S3100 Series Ethernet Switches Chapter 2 DHCP Snooping Configuration 2 20 Switch Ethernet1 0 2 ip source static binding ip address 1 1 1 1 mac address 0001 0001 0001 ...

Page 491: ... impact on the device CPU For details about ARP packet rate limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit is enabled on an Ethernet port the switch counts the number of DHCP packets received on this port per second If the number of DHCP packets received per second exceeds the specified value packets are pas...

Page 492: ...maximum rate is 15 pps Enable the port state auto recovery function dhcp protective down recover enable Optional By default the port state auto recovery function is disabled Set the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds Note z Enable the port state auto recovery function before setting the auto...

Page 493: ... and Ethernet1 0 11 is connected to client A z Enable DHCP snooping on the switch and specify Ethernet1 0 1 as the DHCP snooping trusted port z Configure DHCP packet rate limit on Ethernet1 0 11 and set the maximum DHCP packet rate allowed on the port to 100 pps z Set the port state auto recovery interval to 30 seconds on the switch II Networking diagram Ethernet1 0 2 Client A Client B Ethernet1 0...

Page 494: ...witch dhcp protective down recover enable Set the port state auto recovery interval to 30 seconds Switch dhcp protective down recover interval 30 Enter port view Switch interface Ethernet 1 0 11 Enable DHCP packet rate limit on Ethernet1 0 11 Switch Ethernet1 0 11 dhcp rate limit enable Set the maximum DHCP packet rate allowed on Ethernet1 0 11 to 100 pps Switch Ethernet1 0 11 dhcp rate limit 100 ...

Page 495: ...P an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a BOOTP client When a BOOTP client sends a request to the BOOTP server the BOOTP server will search for the BOOTP parameter file and return it to the client A BOOTP client dynamically obtains an IP address from a BOOTP ...

Page 496: ... at most That is the DHCP client can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period Note To improve security and avoid malicious attack to the unused SOCKETs S3100 Ethernet switches provide the following functions z UDP 67 and UDP 68 ports used by DHCP are enabled only when DHCP is enabled z UDP 67 and UDP 68 ports are disabled when DHCP i...

Page 497: ...erface 1 to dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc 4 5 Displaying DHCP BOOTP Client Configuration Table 4 2 Displaying DHCP BOOTP Client Operation Command Description Display related information on a DHCP client display dhcp client verbose Display related information on a BOOTP client displ...

Page 498: ...8 1 3 ACL Assignment 1 10 1 3 1 Assigning an ACL Globally 1 10 1 3 2 Assigning an ACL to a VLAN 1 11 1 3 3 Assigning an ACL to a Port Group 1 12 1 3 4 Assigning an ACL to a Port 1 12 1 4 Displaying ACL Configuration 1 13 1 5 Example for Upper layer Software Referencing ACLs 1 14 1 5 1 Example for Controlling Telnet Login Users by Source IP 1 14 1 5 2 Example for Controlling Web Login Users by Sour...

Page 499: ...application purposes ACLs fall into the following four types z Basic ACL Rules are created based on source IP addresses only z Advanced ACL Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as sou...

Page 500: ...y If rule A and rule B are still the same after comparison in the above order the weighting principles will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the parameter itself will jointly decide the final matching order Involved parameters with weighting values from high to low are icmp type established dscp tos prece...

Page 501: ...renced by routing policies z Used to control Telnet SNMP and Web login users Note z When an ACL is directly applied to hardware for packet filtering the switch will permit packets if the packets do not match the ACL z When an ACL is referenced by upper layer software to control Telnet SNMP and Web login users the switch will deny packets if the packets do not match the ACL 1 1 3 Types of ACLs Supp...

Page 502: ...range time range time name start time to end time days of the week from start time start date to end time end date from start time start date to end time end date to end time end date Required Note that z If only a periodic time section is defined in a time range the time range is active only when the system time is within the defined periodic time section If multiple periodic time sections are de...

Page 503: ...range test 8 00 to 18 00 working day Sysname display time range test Current time is 13 27 32 Apr 16 2005 Saturday Time range test Inactive 08 00 to 18 00 working day Define an absolute time range spans from 15 00 1 28 2006 to 15 00 1 28 2008 Sysname system view Sysname time range test from 15 00 1 28 2006 to 15 00 1 28 2008 Sysname display time range test Current time is 13 30 32 Apr 16 2005 Satu...

Page 504: ...rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message and you need to specify a number for the rule z The content of a modified or created rule cannot be i...

Page 505: ...ble than those defined for basic ACLs I Configuration Prerequisites z To configure a time range based advanced ACL rule you need to create the corresponding time ranges first For information about of time range configuration refer to section 1 2 1 Configuring Time Range z The settings to be specified in the rule such as source and destination IP addresses the protocols carried by IP and protocol s...

Page 506: ...he newly created rules will be inserted in the existent ones by depth first principle but the numbers of the existent rules are unaltered III Configuration Example Configure ACL 3000 to permit the TCP packets sourced from the network 129 9 0 0 16 and destined for the network 202 38 160 0 24 and with the destination port number being 80 Sysname system view Sysname acl number 3000 Sysname acl adv 30...

Page 507: ...the unmodified part of the ACL remains z If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message and you need to specify a number f...

Page 508: ...ation about port group refer to Port Basic Configuration z Assigning ACLs to a port for filtering the inbound packets on a port You can assign ACLs in the above mentioned ways as required Caution In terms of priority the ACLs assigned globally ACLs assigned to a VLAN and ACLs assigned to a port group or a port rank in descending order If a packet matches multiple rules in these ACLs and is permitt...

Page 509: ...rmation about defining an ACL refer to section 1 2 2 Configuring Basic ACL section 1 2 3 Configuring Advanced ACL section 1 2 4 Configuring Layer 2 ACL II Configuration procedure Table 1 6 Assign an ACL to a VLAN Operation Command Description Enter system view system view Apply an ACL to a VLAN packet filter vlan vlan id inbound acl rule Required For description on the acl rule argument refer to A...

Page 510: ...to the port group packet filter inbound acl rule Required For description on the acl rule argument refer to ACL Command Note After an ACL is assigned to a port group it will be automatically assigned to the ports that are subsequently added to the port group III Configuration example Apply ACL 2000 to port group 1 to filter the inbound packets on all the ports in the port group Sysname system view...

Page 511: ...ysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 packet filter inbound ip group 2000 1 4 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table 1 9 Display ACL configuration Operation Command Description Display a configured ACL or all the ACLs displa...

Page 512: ...gure 1 1 Network diagram for controlling Telnet login users by source IP III Configuration procedure Define ACL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet login users Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound 1 5 2 Example ...

Page 513: ... 1 permit source 10 110 100 46 0 Sysname acl basic 2001 quit Reference ACL 2001 to control users logging in to the Web server Sysname ip http acl 2001 1 6 Example for Applying ACLs to Hardware 1 6 1 Basic ACL Configuration Example I Network requirements PC 1 and PC 2 connect to the switch through Ethernet 1 0 1 PC1 s IP address is 10 1 1 1 Apply an ACL on Ethernet 1 0 1 to deny packets with the so...

Page 514: ...ter inbound ip group 2000 1 6 2 Advanced ACL Configuration Example I Network requirements Different departments of an enterprise are interconnected through a switch The IP address of the wage query server is 192 168 1 2 The R D department is connected to Ethernet 1 0 1 of the switch Apply an ACL to deny requests from the R D department and destined for the wage server during the working hours 8 00...

Page 515: ...1 and the destination MAC address of 0011 0011 0012 from 8 00 to 18 00 everyday II Network diagram Figure 1 5 Network diagram for Layer 2 ACL III Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 4000 to filter packets with the source MAC address of 0011 0011 0011 and the destin...

Page 516: ...k diagram Eth1 0 1 PC 1 PC 3 Database server PC 2 Port group 1 Eth1 0 2 Eth1 0 3 192 168 1 2 Figure 1 6 Network diagram for applying an ACL to a port group III Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysn...

Page 517: ...Operation Manual ACL H3C S3100 Series Ethernet Switches Chapter 1 ACL Configuration 1 19 Sysname port group 1 packet filter inbound ip group 3000 ...

Page 518: ...ueue Scheduling 1 14 1 3 8 Flow Based Traffic Accounting 1 15 1 3 9 Burst 1 15 1 3 10 Traffic Mirroring 1 16 1 4 QoS Configuration 1 16 1 4 1 Configuring Priority Trust Mode 1 16 1 4 2 Configuring Priority Mapping 1 19 1 4 3 Marking Packet Priority 1 21 1 4 4 Configuring Traffic Policing 1 23 1 4 5 Configuring Traffic Shaping 1 26 1 4 6 Configuring Port Rate Limiting 1 26 1 4 7 Configuring Traffic...

Page 519: ...net Switches Table of Contents ii 2 2 QoS Profile Configuration 2 2 2 2 1 Configuring a QoS Profile 2 2 2 2 2 Applying a QoS Profile 2 3 2 2 3 Displaying QoS Profile Configuration 2 4 2 3 Configuration Example 2 5 2 3 1 QoS Profile Configuration Example 2 5 ...

Page 520: ...ources available to the packets completely depend on the time they arrive This service policy is known as Best effort which delivers the packets to their destination with the best effort with no assurance and guarantee for delivery delay jitter packet loss ratio reliability and so on The traditional Best Effort service policy is only suitable for applications insensitive to bandwidth and delay suc...

Page 521: ...undations for a network to provide differentiated services Mainly they implement the following functions z Traffic classification identifies traffic based on certain matching rules It is a prerequisite for differentiated services and is usually applied in the inbound direction of a port z Traffic policing confines traffic to a specific specification and is usually applied in the inbound direction ...

Page 522: ...le 1 1 QoS features supported by the S3100 series Ethernet switches Category Features Refer to Traffic classification Incoming traffic classification based on ACLs of the following types z Basic ACLs z Advanced ACLs z Layer 2 ACLs z For detailed information about ACLs refer to the ACL module in this manual z For information about traffic classification refer to Traffic Classification QoS action Qo...

Page 523: ...e traffic that is all the packets passing the switch Traffic classification means identifying packets that conform to certain characteristics according to certain rules It is the foundation for providing differentiated services In traffic classification the priority bit in the type of service ToS field in IP packet header can be used to identify packets of different priorities The network administ...

Page 524: ... DS field indicate differentiated service codepoint DSCP in the range of 0 to 63 and the last two bits bit 6 and bit 7 are reserved Table 1 2 Description on IP Precedence IP Precedence decimal IP Precedence binary Description 0 000 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a network providing differentiated services traff...

Page 525: ...sses z Best Effort BE class This class is a special class without any assurance in the CS class The AF class can be degraded to the BE class if it exceeds the limit Current IP network traffic belongs to this class by default Table 1 3 Description on DSCP precedence values DSCP value decimal DSCP value binary Description 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 01...

Page 526: ...header when sending packets The 4 byte 802 1Q tag header consists of the tag protocol identifier TPID two bytes in length whose value is 0x8100 and the tag control information TCI two bytes in length Figure 1 4 describes the detailed contents of an 802 1Q tag header Figure 1 4 802 1Q tag headers In the figure above the priority field three bits in length in TCI is 802 1p priority also known as CoS...

Page 527: ...recedence mapping table and assigns the local precedence to the packet 2 For an 802 1q tagged packet For incoming 802 1q tagged packets you can configure the switch to trust packet priority with the priority trust command or to trust port priority with the undo priority trust command By default the S3100 series switches trust port priority z Trusting port priority In this mode the switch replaces ...

Page 528: ...precedence mapping table and assigns the local precedence to the packet The S3100 series switches provide 802 1p to local precedence DSCP to local precedence and IP to local precedence mapping tables for priority mapping Table 1 6 through Table 1 8 list the default settings of these tables You can configure these default priority mapping tables at the CLI For detailed configuration refer to Config...

Page 529: ...sponding to the local precedence z If local precedence marking is configured the traffic will be assigned to the output queue corresponding to the re marked local precedence z If IP precedence or DSCP marking is configured the traffic will be marked with new IP precedence or DSCP precedence 1 3 4 Traffic Policing and Traffic Shaping The network will be made more congested by plenty of continuous b...

Page 530: ...he number of the tokens in the token bucket determines the amount of the packets that can be forwarded If the number of tokens in the bucket is enough to forward the packets the traffic is conforming to the specification otherwise the traffic is nonconforming or excess Parameters concerning token bucket include z Average rate The rate at which tokens are put into the bucket namely the permitted av...

Page 531: ...evaluation results These actions include z Discarding the nonconforming packets z Forwarding the conforming packets or nonconforming packets z Marking the conforming packets with 802 1p precedence and then forwarding the packets z Marking the conforming packets or nonconforming packets with DSCP precedence and forwarding the packets IV Traffic shaping Traffic shaping is a measure to regulate the o...

Page 532: ...ion of the device B 1 3 5 Port Rate Limiting Port rate limiting refers to limiting the total rate of inbound or outbound packets on a port Port rate limiting can be implemented through token buckets That is if you perform port rate limiting configuration for a port the token bucket determines the way to process the packets to be sent by this port or packets reaching the port Packets can be sent or...

Page 533: ...rential queue classifies the four output queues on the port into four classes which are queue 3 queue 2 queue 1 and queue 0 Their priorities decrease in order In queue scheduling SP sends packets in the queue with higher priority strictly following the priority order from high to low When the queue with higher priority is empty packets in the queue with lower priority are sent You can put critical...

Page 534: ...g time is avoided Another advantage of WRR queue is that though the queues are scheduled in order the service time for each queue is not fixed that is to say if a queue is empty the next queue will be scheduled In this way the bandwidth resources are made full use 3 HQ WRR queuing HQ WRR is an improvement over WRR Assume there are four priority queues on a port and queue 3 allocated with the highe...

Page 535: ...d duplicates the matched packets to the destination port For information about port mirroring refer to the Mirroring module of this manual 1 4 QoS Configuration Table 1 9 QoS configuration tasks Task Remarks Configuring Priority Trust Mode Optional Configuring Priority Mapping Optional Marking Packet Priority Optional Configuring Traffic Policing Optional Configuring Traffic Shaping Optional Confi...

Page 536: ...de to be configured is determined II Configuration procedure You can configure to trust port priority or packet priority Table 1 10 shows the detailed configuration procedure Table 1 10 Configure priority trust mode Operation Command Description Enter system view system view Configure to trust port priority undo priority trust Optional By default the S3100 series switches trust port priority Enter...

Page 537: ...ly without having to configure the priority trust command z On the S3100 EI series switches to configure to trust DSCP precedence of packets you should configure the priority trust command first and then use the priority trust command to specify the DSCP precedence Configure to trust packet priority Specify the trusted priority type priority trust cos dscp ip precedence Required z If you configure...

Page 538: ...rity trust cos 1 4 2 Configuring Priority Mapping You can modify the CoS precedence to local precedence DSCP precedence to local precedence and IP precedence to local precedence mapping tables as required to mark packets with different priorities I Configuration prerequisites The target CoS precedence to local precedence DSCP precedence to local precedence and IP precedence to local precedence map...

Page 539: ...ble qos ip precedence local precedence map ip0 map local prec ip1 map local prec ip2 map local prec ip3 map local prec ip4 map local prec ip5 map local prec ip6 map local prec ip7 map local prec Required Note The IP precedence to local precedence mapping table is not available on S3100 EI series Ethernet switches III Configuration example z Configure the CoS precedence to local precedence mapping ...

Page 540: ... priority local precedence and DSCP precedence of the packets I Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification are specified Refer to the ACL module of this manual for related information z The type and value of the precedence to be marked for the packets matching the ACL rules are determined II Con...

Page 541: ...orities for packets matching specific ACL rules traffic priority inbound acl rule dscp dscp value cos cos value local precedence pre value Required Table 1 17 Mark the priority for packets passing a port and matching specific ACL rules Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Mark the priorities for packets match...

Page 542: ...icing Note Only H3C S3100 EI series switches support this configuration Refer to section Traffic Policing and Traffic Shaping for information about traffic policing Note that the target rate argument is committed information rate CIR and the burst bucket size argument is committed burst size CBS I Configuration prerequisites z The ACL rules used for traffic classification are defined Refer to the ...

Page 543: ... Description Enter system view system view Configure traffic policing traffic limit vlan vlan id inbound acl rule target rate burst bucket burst bucket size conform con action exceed exceed action meter statistic Required By default traffic policing is disabled Clear the traffic policing statistics reset traffic limit vlan vlan id inbound acl rule Optional Table 1 20 Configure traffic policing for...

Page 544: ...onal Note Traffic policing configured on a VLAN is only applicable to packets tagged with 802 1Q header III Configuration example z Ethernet 1 0 1 belongs to VLAN 2 and is connected to the 10 1 1 0 24 network segment z Perform traffic policing on the packets from the 10 1 1 0 24 network segment setting the rate to 128 kbps z Mark the DSCP precedence as 56 for the inbound packets exceeding the rate...

Page 545: ... Table 1 22 Configure traffic shaping Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure traffic shaping traffic shape queue queue id max rate burst size Required Traffic shaping is not enabled by default III Configuration examples Perform traffic shaping for all the traffic to be transmitted through Ethernet 1 0...

Page 546: ...ate inbound outbound target rate Required By default port rate limiting is disabled III Configuration example z Configure port rate limiting for inbound packets on Ethernet 1 0 1 z The rate limit is 1 024 Kbps Configuration procedure Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 line rate inbound 1024 1 4 7 Configuring Traffic Redirecting Note Only H3C S3100 EI series ...

Page 547: ...n Command Description Enter system view system view Configure traffic redirecting traffic redirect vlan vlan id inbound acl rule cpu interface interface type interface number Required Table 1 26 Redirect packets that are of a port group and match specific ACL rules Operation Command Description Enter system view system view Enter port group view port group group id Configure traffic redirecting tr...

Page 548: ...1 1 0 24 network segment z Redirect all the packets from the 10 1 1 0 24 network segment to Ethernet 1 0 7 1 Method I Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traffic redirect inbound ip group 2000 interface Ethernet1 0 7 2 Method II Sysname system view ...

Page 549: ...Note The SP queue scheduling algorithm is not available on H3C S3100 SI series Ethernet switches III Configuration example Adopt the WRR queue scheduling algorithm with the weight for queue 0 queue 1 queue 2 and queue 3 as 12 8 4 and 1 Display the configuration information after configuration Configuration procedure Sysname system view Sysname queue scheduler wrr 12 8 4 1 Sysname display queue sch...

Page 550: ...Clear the statistics on the packets matching specific ACL rules reset traffic statistic inbound acl rule Optional Table 1 30 Generate traffic statistics on packets that are of a VLAN and match specific ACL rules Operation Command Description Enter system view system view Generate the statistics on the packets matching specific ACL rules traffic statistic vlan vlan id inbound acl rule Required Clea...

Page 551: ...r III Configuration example z Ethernet 1 0 1 is connected to the 10 1 1 0 24 network segment z Generate statistics on the packets sourced from the 10 1 1 0 24 network segment z Clear the statistics 1 Method I Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 traf...

Page 552: ...procedure Sysname system view Sysname burst mode enable 1 4 11 Configuring Traffic Mirroring Note Only H3C S3100 EI series switches support this configuration Refer to section Traffic Mirroring for information about traffic mirroring I Configuration prerequisites z The ACL rules for traffic classification are defined Refer to the ACL module of this manual for information about defining ACL rules z...

Page 553: ...iew Enter Ethernet port view of the destination port interface interface type interface number Define the current port as the destination port monitor port Required Exit current view quit Reference ACLs for identifying traffic flows and perform traffic mirroring for packets that match mirrored to vlan vlan id inbound acl rule cpu monitor interface Required Table 1 36 Configure traffic mirroring fo...

Page 554: ... cpu monitor interface Required Note The traffic mirroring function configured on a VLAN is only applicable to packets tagged with 802 1Q header III Configuration example Network requirements z Ethernet 1 0 1 is connected to the 10 1 1 0 24 network segment z Duplicate the packets from network segment 10 1 1 0 24 to the destination mirroring port Ethernet 1 0 4 1 Method I Sysname system view Sysnam...

Page 555: ... Display the IP precedence to local precedenc e mapping relationship display qos ip precedence local precede nce map Display queue scheduling algorithm and related parameters display queue scheduler Display the QoS related configuration of a port or all the ports display qos interface interface type interface number unit id all Display rate limiting configuration of a port or all the ports display...

Page 556: ...ackets of a VLAN display qos vlan vlan id all mirrored to traffic limit traffic priority traffic redirect traffic statistic Display the configuration of traffic mirroring traffic policing priority marking traffic redirecting or traffic accounting performed for packets of a port group display qos port group group id all mirrored to traffic limit traffic priority traffic redirect traffic statistic 1...

Page 557: ...cl basic 2000 rule permit source 192 168 1 0 0 0 0 255 Sysname acl basic 2000 quit Create ACL 2001 and enter basic ACL view to classify packets sourced from the 192 168 2 0 24 network segment Sysname acl number 2001 Sysname acl basic 2001 rule permit source 192 168 2 0 0 0 0 255 Sysname acl basic 2001 quit 2 Configure traffic policing Set the maximum rate of outbound IP packets sourced from the R ...

Page 558: ...configurations concerning packet filtering traffic policing and priority marking 2 1 2 QoS Profile Application Mode I Dynamic application mode A QoS profile can be applied dynamically to a user or a group of users passing 802 1x authentication To apply QoS profiles dynamically a user name to QoS profile mapping table is required on the AAA server For a switch operating in this mode after a user pa...

Page 559: ...on Description Related section Configure a QoS Profile Required Section Configuring a QoS Profile Configure to apply a QoS Profile dynamically Optional Section Applying a QoS Profile Apply a QoS Profile manually Optional Section Applying a QoS Profile 2 2 1 Configuring a QoS Profile I Configuration prerequisites z The ACL rules used for traffic classification are defined Refer to the ACL module of...

Page 560: ...lue Optional 2 2 2 Applying a QoS Profile You can configure to apply a QoS profile dynamically or simply apply a QoS profile manually I Configuration prerequisites z To configure to apply a QoS profile dynamically make sure 802 1x is enabled both globally and on the port and the authentication mode is determined For information about 802 1x refer to the 802 1x and System Guard module of this manua...

Page 561: ... QoS profile manually Operation Command Description Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port view interface interface type interface number Apply a QoS profile to specific ports In Etherne t port view Apply a QoS profile to the current port apply qos profile profile name Select either of the operations By default a por...

Page 562: ...the outbound IP packets of the user to 128 kbps and configuring to drop the packets exceeding the target packet rate II Network diagram User Switch Network AAA Server Eth1 0 1 Figure 2 1 Network diagram for QoS profile configuration III Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the matching relationship between the user name and the...

Page 563: ...ain test net and specify radius1 as your RADIUS server group Sysname domain test net Sysname isp test net radius scheme radius1 Sysname isp test net quit Create ACL 3000 to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile named example to limit the rate of matched packets to 12...

Page 564: ... 1 1 1 Local Port Mirroring 1 1 1 1 2 Remote Port Mirroring 1 2 1 2 Mirroring Configuration 1 4 1 2 1 Configuring Local Port Mirroring 1 4 1 2 2 Configuring Remote Port Mirroring 1 5 1 2 3 Displaying Port Mirroring 1 8 1 3 Mirroring Configuration Example 1 9 1 3 1 Local Port Mirroring Configuration Example 1 9 1 3 2 Remote Port Mirroring Configuration Example 1 10 ...

Page 565: ...device copies packets passing through one or more source ports of the device to the destination port z Remote port mirroring implements port mirroring through the remote source mirroring group and remote destination mirroring group The device copies the packets of the source port to the reflector port which then broadcasts the packets in the remote probe VLAN After the remote device receives the p...

Page 566: ... remote port mirroring Figure 1 2 Remote port mirroring application The switches involved in the remote port mirroring implementation play the following three roles z Source switch The monitored port resident switch It copies traffic to the reflector port which then transmits the traffic to an intermediate switch or destination switch through the remote probe VLAN z Intermediate switch Switches be...

Page 567: ...rmediate switch to connect the devices at the source switch side and the destination switch side Trunk port Receives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the packets to the data detection device Caution z Do not configure a default VLAN a management VLAN or a dynamic VLAN as the remote probe VLAN z Configure all po...

Page 568: ...up group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface number mirroring group group id mirroring port both inbound outbound Configure the source port for the port mirroring group In port view quit Use either approach You can configure multiple source ports at a time in system view or you can con...

Page 569: ...z Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN z The direction of the packets to be monitored is determined 2 Configuration procedure Table 1 4 Configuration on the source switch Operation Command Description Enter system view system view Create a VLAN and enter the VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure...

Page 570: ...The reflector port cannot be a member port of an aggregation group or a port enabled with LACP or STP It must be an access port and cannot be configured with the functions like VLAN VPN port loopback detection packet filtering QoS port security and so on z It is recommended not to configure the VLAN mapping and the selective QinQ function on the reflector port otherwise port mirroring may not func...

Page 571: ...ss Configure the trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required III Configuration on a switch acting as a destination switch 1 Configuration prerequisites z The destination port and the remote probe VLAN are determined z Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN 2 Configuratio...

Page 572: ...ng group group id remote probe vlan remote probe vlan id Required When configuring a destination switch note that z The destination port of remote port mirroring cannot be a member port of an aggregation group or a port enabled with LACP or STP z Only an existing static VLAN can be configured as the remote probe VLAN To remove a remote probe VLAN you need to restore it to a normal VLAN first A rem...

Page 573: ...he R D department and the marketing department through the data detection device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Configure Ethernet 1 0 1 and Ethernet 1 0 2 as mirroring source ports z Configure Ethernet 1 0 3 as the mirroring destination port II Network diagram Switch C The R D department Switch A Switch B Eth1 0 2 E...

Page 574: ...thernet 1 0 1 of Switch B z Ethernet 1 0 2 of Switch B connects to Ethernet 1 0 1 of Switch C z The data detection device is connected to Ethernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Department 1 and 2 through the data detection device Use the remote port mirroring function to meet the requirement Perform the following configurations z Use Switch A as the sou...

Page 575: ...he source ports reflector port and remote probe VLAN for the remote source mirroring group Sysname mirroring group 1 mirroring port Ethernet 1 0 1 Ethernet 1 0 2 inbound Sysname mirroring group 1 reflector port Ethernet 1 0 4 Sysname mirroring group 1 remote probe vlan 10 Configure Ethernet 1 0 3 as trunk port allowing packets of VLAN 10 to pass Sysname interface Ethernet 1 0 3 Sysname Ethernet1 0...

Page 576: ...rnet 1 0 2 Sysname Ethernet1 0 2 port link type trunk Sysname Ethernet1 0 2 port trunk permit vlan 10 3 Configure the destination switch Switch C Create remote destination mirroring group 1 Sysname system view Sysname mirroring group 1 remote destination Configure VLAN 10 as the remote probe VLAN Sysname vlan 10 Sysname vlan10 remote probe vlan enable Sysname vlan10 quit Configure the destination ...

Page 577: ...ches Chapter 1 Mirroring Configuration 1 13 mirroring group 1 type remote destination status active monitor port Ethernet1 0 2 remote probe vlan 10 After the configurations you can monitor all packets sent from Department 1 and 2 on the data detection device ...

Page 578: ...iguration 1 4 1 4 Displaying and Debugging a Stack 1 4 1 5 Stack Configuration Example 1 5 Chapter 2 Cluster 2 1 2 1 Cluster Overview 2 1 2 1 1 Introduction to HGMP 2 1 2 1 2 Roles in a Cluster 2 2 2 1 3 How a Cluster Works 2 4 2 2 Cluster Configuration Tasks 2 10 2 2 1 Configuring the Management Device 2 10 2 2 2 Configuring Member Devices 2 15 2 2 3 Managing a Cluster through the Management Devi...

Page 579: ...e an IP address pool for the stack on the main switch When adding a switch to a stack the main switch picks an IP address from the IP address pool and assigns the IP address to it automatically After a stack is created the main switch automatically adds the switches that connected to its stack ports to the stack If a stack port connection is disconnected the corresponding slave switch quits the st...

Page 580: ...p mask Required from ip address Start address of the IP address pool ip address number Number of the IP addresses in the IP addresses pool A pool contains 16 addresses by default ip mask Mask of the IP address pool By default the IP addresses pool is not configured Create a stack stacking enable Required Note Remove the IP address configured for the existing Layer 3 interface first if you want to ...

Page 581: ...y one VLAN interface is available on the S3100 switch stack and cluster must share the same management VLAN if you want to configure stack within a cluster 1 2 2 Maintaining Slave Switches After creating a stack you can switch to slave switch view from the main switch to configure slave switches Operation Command Description Switch to slave switch view stacking number Required Number Serial number...

Page 582: ... After a switch joins in a stack or becomes the master switch of a stack the switch will send forward stack join in requests through this stack port 1 3 Slave Switch Configuration Just make sure the slave switch is connected to the main switch through the stack ports No configuration is needed 1 4 Displaying and Debugging a Stack Operation Command Description Display the stack status information o...

Page 583: ...tch and the MAC address of the main switch in the stack is also displayed 1 5 Stack Configuration Example I Network requirements Connect Switch A Switch B and Switch C with each other through their stack ports to form a stack in which Switch A acts as the main switch while Switches B and C act as slave switches Configure Switches B and Switch C through Switch A II Network diagram Figure 1 1 Networ...

Page 584: ... members Member number 0 Name stack_0 Sysname Device S3100 EI MAC Address 000f e20f c43a Member status Admin IP 129 10 1 15 16 Member number 1 Name stack_1 Sysname Device S3100 MAC Address 000f e200 3130 Member status Up IP 129 10 1 16 16 Member number 2 Name stack_2 Sysname Device S3100 EI MAC Address 000f e200 3135 Member status Up IP 129 10 1 17 16 Switch to Switch B a slave switch stack_0 Sysn...

Page 585: ...Series Ethernet Switches Chapter 1 Stack 1 7 Switch back to Switch A stack_1 Sysname quit stack_0 Sysname Switch to Switch C a slave switch stack_0 Sysname stacking 2 stack_2 Sysname Switch back to Switch A stack_2 Sysname quit stack_0 Sysname ...

Page 586: ...in a cluster plays one of the following three roles z Management device z Member device z Candidate device A cluster comprises of a management device and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remote devices in batches reducing the workload of the n...

Page 587: ...n specify the role a switch plays A switch in a cluster can also switch to other roles under specific conditions As mentioned above the three cluster roles are management device member device and candidate device Table 2 1 Description on cluster roles Role Configuration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a clust...

Page 588: ...the device collects network topology information and tries to discover and determine candidate devices which can then be added to the cluster through configurations z A candidate device becomes a member device after being added to a cluster z A member device becomes a candidate device after it is removed from the cluster z A management device becomes a candidate device only after the cluster is re...

Page 589: ...idate device information collected through NTDP I Introduction to NDP NDP is a protocol used to discover adjacent devices and provide information about them NDP operates on the data link layer and therefore it supports different network layer protocols NDP is able to discover directly connected neighbors and provide the following neighbor information device type software hardware version and conne...

Page 590: ...formation collection is as follows z The management device sends NTDP topology collection requests periodically through its NTDP enabled ports z Upon receiving an NTDP topology collection request the device returns a NTDP topology collection response to the management device and forwards the request to its neighbor devices through its NTDP enable ports The topology collection response packet conta...

Page 591: ...gement device z The management device of the cluster recognizes and controls all the member devices in the cluster no matter where they are located in the network and how they are connected z The management device collects topology information about all member candidate devices to provide useful information for you to establish the cluster z By collecting NDP NTDP information the management device...

Page 592: ...nd mark the member device as Active z The management device and the member devices exchange handshake packets periodically Note that the handshake packets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times of the interval to send handshake packets it change...

Page 593: ...can be implemented z Enabling the management packets including NDP packets NTDP packets and handshake packets to be transmitted in the management VLAN only through which the management packets are isolated from other packets and network security is improved z Enabling the management device and the member devices to communicate with each other in the management VLAN Cluster management requires the ...

Page 594: ... its MAC address table according to the MAC address and VLAN ID in the command to find out the port connected with the downstream switch z If you use the tracemac command to trace the device by its IP address the switch will query the corresponding ARP entry of the IP address to find out the corresponding MAC address and VLAN ID and thus find out the port connected with the downstream switch 2 Aft...

Page 595: ...tion Tasks Before configuring a cluster you need to determine the roles and functions the switches play You also need to configure the related functions preparing for the communication between devices within the cluster Complete the following tasks to configure cluster Configuration task Remarks Configuring the Management Device Required Configuring Member Devices Required Managing a Cluster throu...

Page 596: ...mplemented as follows z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at the same time II Enabling NDP globally and on specific ports Follow these steps to enable NDP globally and on specific ports Operation Command Description E...

Page 597: ... NTDP globally ntdp enable Required Enabled by default Enter Ethernet port view interface interface type interface number Enable NTDP on the Ethernet port ntdp enable Required Enabled by default V Configuring NTDP related parameters Follow these steps to configure NTDP related parameters Operation Command Description Enter system view system view Configure the range to collect topology information...

Page 598: ...cluster enable Required By default the cluster function is enabled VII Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establishing a cluster and configuring cluster parameters in manual mode Follow these steps to establish a cluster and configure cluster parameters in manual mode ...

Page 599: ... By default the interval to send handshake packets is 10 seconds 2 Establish a cluster in automatic mode Follow these steps to establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the IP address range for the cluster ip pool administrator ip address ip mask ip mask length Required Start automatic cluster establishmen...

Page 600: ...TP server is configured Configure a shared logging host for the cluster logging host ip address Optional By default no shared logging host is configured Configure a shared SNMP host for the cluster snmp host ip address Optional By default no shared SNMP host is configured 2 2 2 Configuring Member Devices I Member device configuration tasks Complete the following tasks to configure the member devic...

Page 601: ...s change to member devices and their UDP port 40000 is opened at the same time z When you execute the administrator address command on a device the device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is closed at the same time z When you execute the undo ...

Page 602: ...nable Optional By default the cluster function is enabled V Accessing the shared FTP TFTP server from a member device Follow these steps to access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server of the cluster tftp cluster get source file destination file Optio...

Page 603: ... and switch back Locate device through MAC address and IP address tracemac by mac mac address vlan vlan id by ip ip address nondp Optional These commands can be executed in any view 2 2 4 Configuring the Enhanced Cluster Features I Enhanced cluster feature overview 1 Cluster topology management function After the cluster topology becomes stable you can use the topology management commands on the c...

Page 604: ...bled on this device and the device is normally connected to the current cluster this device cannot join the cluster and participate in the unified management and configuration of the cluster II Configure the enhanced cluster features Complete the following tasks to configure the enhanced cluster feature Task Remarks Configure cluster topology management function Required Configure cluster device b...

Page 605: ... device display ntdp single device mac address mac address Display the topology of the current cluster display cluster current topology mac address mac address1 to mac address mac address2 member id member id1 to member id member id2 Display the information about the base topology of the cluster display cluster base topology mac address mac address member member id Display the information about al...

Page 606: ...ecuted in any view 2 3 Displaying and Maintaining Cluster Configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime and all neighbors discovered display ndp Display NDP configuration and running information on specified ports including the neighbors discovered by NDP on the ports display ndp interface p...

Page 607: ...s compose a cluster where z An S3100 series switch serves as the management device z The rest are member devices Serving as the management device the S3100 switch manages the two member devices The configuration for the cluster is as follows z The two member devices connect to the management device through Ethernet 1 0 2 and Ethernet 1 0 3 z The management device connects to the Internet through E...

Page 608: ...ration procedure 1 Configure the member devices taking one member as an example Enable NDP globally and on Ethernet1 0 1 Sysname system view Sysname ndp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet1 0 1 Sysname ntdp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ntdp enable Sysname Ethernet1 ...

Page 609: ... Ethernet1 0 3 ntdp enable Sysname Ethernet1 0 3 quit Set the topology collection range to 2 hops Sysname ntdp hop 2 Set the member device forward delay for topology collection requests to 150 ms Sysname ntdp timer hop delay 150 Set the member port forward delay for topology collection requests to 15 ms Sysname ntdp timer port delay 15 Set the interval to collect topology information to 3 minutes ...

Page 610: ... 172 55 1 aaa_0 Sysname cluster tftp server 63 172 55 1 aaa_0 Sysname cluster logging host 69 172 55 4 aaa_0 Sysname cluster snmp host 69 172 55 4 3 Perform the following operations on the member devices taking one member as an example After adding the devices under the management device to the cluster perform the following operations on a member device Connect the member device to the remote shar...

Page 611: ...c address H H H eraseflash command on the management device to reboot a member device For detailed information about these operations refer to the preceding description in this chapter z After the above configuration you can receive logs and SNMP trap messages of all cluster members on the NMS 2 4 2 Enhanced Cluster Feature Configuration Example I Network requirements z The cluster operates proper...

Page 612: ...he enhanced cluster feature configuration III Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all save to local flash ...

Page 613: ... Priority of a Port 1 4 1 2 5 Setting the PoE Mode on a Port 1 5 1 2 6 Configuring the PD Compatibility Detection Function 1 6 1 2 7 Configuring PoE Over Temperature Protection on the Switch 1 6 1 2 8 Upgrading the PSE Processing Software Online 1 7 1 2 9 Displaying PoE Configuration 1 7 1 3 PoE Configuration Example 1 8 1 3 1 PoE Configuration Example 1 8 Chapter 2 PoE Profile Configuration 2 1 2...

Page 614: ...wer interfaces z Bright application prospect PoE can be applied to IP phones wireless access points APs chargers for portable devices card readers network cameras and data collection system II PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power...

Page 615: ...data wires 1 2 3 6 of category 3 5 twisted pairs z The PSE processing software on the switch can be upgraded online z The switch provides statistics about power supplying on each port and the whole equipment which you can query through the display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides ove...

Page 616: ...nfiguration tasks Task Remarks Enabling the PoE Feature on a Port Required Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection Function Optional Configuring PoE Over Temperature Protection on the Switch Optional Upgrading the PSE Processing Software Onl...

Page 617: ...umber Set the maximum output power on the port poe max power max power Required 15 400 mW by default 1 2 4 Setting PoE Management Mode and PoE Priority of a Port When a switch is close to its full load in supplying power you can adjust the power supply of the switch through the cooperation of the PoE management mode and the port PoE priority settings S3100 series switches support two PoE managemen...

Page 618: ... the PoE management mode for the switch poe power management auto manual Required auto by default Enter Ethernet port view interface interface type interface number Se the PoE priority of a port poe priority critical high low Required low by default 1 2 5 Setting the PoE Mode on a Port PoE mode of a port falls into two types signal mode and spare mode z Signal mode DC power is carried over the dat...

Page 619: ...ature Protection on the Switch If this function is enabled the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE feature settings on all its ports when the temperature drops below 60 C 140 F Table 1 8 Configure PoE over temperature protection on the switch Operation Command Description Enter system view system vie...

Page 620: ... be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software while the full update mode is to delete the original processing software in PSE completely and then reload the software z Generally the refresh update mode is used to upgrade the PSE processin...

Page 621: ...h display poe temperature protection Available in any view 1 3 PoE Configuration Example 1 3 1 PoE Configuration Example I Networking requirements Switch A is an S3100 series Ethernet switch supporting PoE Switch B can be PoE powered z The Ethernet 1 0 1 and Ethernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively the Ethernet 1 0 8 port is intended to be connected with an...

Page 622: ...hernet1 0 1 poe enable SwitchA Ethernet1 0 1 poe max power 12000 SwitchA Ethernet1 0 1 quit Enable the PoE feature on Ethernet 1 0 2 and set the PoE maximum output power of Ethernet 1 0 2 to 2500 mW SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 poe enable SwitchA Ethernet1 0 2 poe max power 2500 SwitchA Ethernet1 0 2 quit Enable the PoE feature on Ethernet 1 0 8 and set the PoE priority o...

Page 623: ... S3100 Series Ethernet Switches Chapter 1 PoE Configuration 1 10 Enable the PD compatibility detect of the switch to allow the switch to supply power to part of the devices noncompliant with the 802 3af standard SwitchA poe legacy enable ...

Page 624: ...user groups z When users connect a PD to a PoE profile enabled port the PoE configurations in the PoE profile will be enabled on the port 2 2 PoE Profile Configuration 2 2 1 Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename Required If the PoE file is created yo...

Page 625: ...ng to the following rules z When the apply poe profile command is used to apply a PoE profile to a port the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly When the display current configuration command is used for query it is displayed that the PoE profile is applied properly to the port z If one or more features in the PoE profile are not applie...

Page 626: ...g PoE Ethernet 1 0 1 through Ethernet 1 0 10 of Switch A are used by users of group A who have the following requirements z The PoE function can be enabled on all ports in use z Signal mode is used to supply power z The PoE priority for Ethernet 1 0 1 through Ethernet 1 0 5 is Critical whereas the PoE priority for Ethernet 1 0 6 through Ethernet 1 0 10 is High z The maximum power for Ethernet 1 0 ...

Page 627: ...e Profile1 In Profile1 add the PoE policy configuration applicable to Ethernet 1 0 1 through Ethernet 1 0 5 ports for users of group A SwitchA poe profile Profile1 poe enable SwitchA poe profile Profile1 poe mode signal SwitchA poe profile Profile1 poe priority critical SwitchA poe profile Profile1 poe max power 3000 SwitchA poe profile Profile1 quit Display detailed configuration information for ...

Page 628: ...file2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile1 to Ethernet 1 0 1 through Ethernet 1 0 5 ports SwitchA apply poe profile Profile1 interface Ethernet1 0 1 ...

Page 629: ... 1 3 1 3 Configuring Trap Parameters 1 6 1 3 1 Configuring Basic Trap 1 6 1 3 2 Configuring Extended Trap 1 7 1 4 Enabling Logging for Network Management 1 8 1 5 Displaying SNMP 1 8 1 6 SNMP Configuration Examples 1 9 1 6 1 SNMP Configuration Examples 1 9 Chapter 2 RMON Configuration 2 1 2 1 Introduction to RMON 2 1 2 1 1 Working Mechanism of RMON 2 1 2 1 2 Commonly Used RMON Groups 2 2 2 2 RMON C...

Page 630: ...ement platforms include QuidView Sun NetManager IBM NetView and so on z Agent is server side software running on network devices such as switches An NMS can send GetRequest GetNextRequest and SetRequest messages to the agents Upon receiving the requests from the NMS an agent performs Read or Write operation on the managed object MIB Management Information Base according to the message types genera...

Page 631: ...a switch To uniquely identify the management objects of the switch SNMP adopts a hierarchical naming scheme to organize the managed objects It is like a tree with each tree node representing a managed object as shown in Figure 1 1 Each node in this tree can be uniquely identified by a path starting from the root A 2 6 1 5 2 1 1 2 1 B Figure 1 1 Architecture of the MIB tree The management informati...

Page 632: ...UP MIB QINQ MIB 802 x MIB HGMP MIB NTP MIB Device management Interface management 1 2 Configuring Basic SNMP Functions SNMPv3 configuration is quite different from that of SNMPv1 and SNMPv2c Therefore the configuration of basic SNMP functions is described by SNMP versions as listed in Table 1 2 and Table 1 3 Table 1 2 Configure basic SNMP functions SNMPv1 and SNMPv2c Operation Command Description ...

Page 633: ...d access permissi on Indirect configu ration Add a user to an SNMP group snmp agent usm user v1 v2c user name group name acl acl number Required z You can set an SNMPv1 SNMPv2 c community name through direct configuration z Indirect configuration is compatible with SNMPv3 The added user is equal to the community name for SNMPv1 and SNMPv2c z You can choose either of them as needed Set the maximum ...

Page 634: ... v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Required Encrypt a plain text password to generate a cipher text one snmp agent calculate password plain password mode md5 sha local engineid specified engineid engineid Optional This command is used if password in cipher text is needed for adding a new user Add a user to an SNMP ...

Page 635: ...d closes UDP ports used by SNMP agent and SNMP trap as well 1 3 Configuring Trap Parameters 1 3 1 Configuring Basic Trap Trap messages refer to those sent by managed devices to the NMS without request They are used to report some urgent and important events for example the rebooting of managed devices Note that basic SNMP configuration is performed before you configure basic trap Table 1 4 Configu...

Page 636: ...p life seconds Optional 120 seconds by default 1 3 2 Configuring Extended Trap The extended Trap includes the following z Interface description and interface type are added into the linkUp linkDown Trap message When receiving this extended Trap message NMS can immediately determine which interface on the device fails according to the interface description and type z In all Trap messages sent from ...

Page 637: ...n Enter system view system view Enable logging for network management snmp agent log set operation get operation all Optional Disabled by default Note Use the display logbuffer command to view the log of the get and set operations requested by the NMS 1 5 Displaying SNMP After the above configuration you can execute the display command in any view to view the running status of SNMP and to verify t...

Page 638: ...isplay Trap list information display snmp agent trap list Display the currently configured community name display snmp agent community read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view 1 6 SNMP Configuration Examples 1 6 1 SNMP Configuration Examples I Network requirements z An NMS and Switch A SNMP agent are c...

Page 639: ...uthentication protocol to HMAC MD5 z authentication password to passmd5 z encryption protocol to DES z encryption password to cfb128cfb128 Sysname snmp agent group v3 managev3group privacy write view internet Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode des56 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port Ethern...

Page 640: ...3C s QuidView NMS SNMPv3 adopts user name and password authentication When you use H3C s QuidView NMS you need to set user names and choose the security level in Quidview Authentication Parameter For each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can que...

Page 641: ...vely and actively thus providing a satisfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facilitating the management of large scale internetworks 2 1 1 Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system ...

Page 642: ...m variables such as the statistics of a port When the value of a monitored variable exceeds the threshold an alarm event is generated which then triggers the network device to act in the way defined in the events Events are defined in event groups With an alarm entry defined in an alarm group a network device performs the following operations accordingly z Sampling the defined alarm variables peri...

Page 643: ...ns packets with cyclic redundancy check CRC errors undersize or oversize packets broadcast packets multicast packets and received bytes and packets With the RMON statistics management function you can monitor the use of a port and make statistics on the errors occurred when the ports are being used 2 2 RMON Configuration Before performing RMON configuration make sure the SNMP agents are correctly ...

Page 644: ...d alarm entry Enter Ethernet port view interface interface type interface number Add a history entry rmon history entry number buckets number interval sampling interval owner text Optional Add a statistics entry rmon statistics entry number owner text Optional Note z The rmon alarm and rmon prialarm commands take effect on existing nodes only z For each port only one RMON statistics entry can be c...

Page 645: ...ew 2 4 RMON Configuration Examples I Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before performing RMON configuration z Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm even...

Page 646: ...eaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 Display the RMON extended alarm entry numbered 2 Sysname display rmon prialarm 2 Prialarm table 2 o...

Page 647: ... 1 Configuration Prerequisites 1 12 1 4 2 Configuration Procedure 1 12 1 5 Configuring NTP Authentication 1 12 1 5 1 Configuration Prerequisites 1 13 1 5 2 Configuration Procedure 1 14 1 6 Configuring Optional NTP Parameters 1 15 1 6 1 Configuring an Interface on the Local Switch to Send NTP messages 1 16 1 6 2 Configuring the Number of Dynamic Sessions Allowed on the Local Switch 1 16 1 6 3 Disab...

Page 648: ...erform the operation However an administrator can synchronize the clocks of devices in a network with required accuracy by performing NTP configuration NTP is mainly applied to synchronizing the clocks of all devices in a network For example z In network management the analysis of the log information and debugging information collected from different devices is meaningful and valid only when netwo...

Page 649: ...t is synchronized 1 1 2 Implementation Principle of NTP Figure 1 1 shows the implementation principle of NTP Ethernet switch A Device A is connected to Ethernet switch B Device B through Ethernet ports Both having their own system clocks they need to synchronize the clocks of each other through NTP To help you to understand the implementation principle we suppose that z Before the system clocks of...

Page 650: ...am T1 identifying when it is sent z When the message arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When receiving a response packet the local time of Device A is 10 00 03 am T4 At this time Device A has enough information to calculate the following two ...

Page 651: ...ultiple NTP modes to synchronize the clock I Server client mode Figure 1 2 Server client mode II Symmetric peer mode Figure 1 3 Symmetric peer mode In the symmetric peer mode the local S3100 Ethernet switch serves as the symmetric active peer and sends clock synchronization request first while the remote server serves as the symmetric passive peer automatically If both of the peers have reference ...

Page 652: ...C S3100 series Ethernet switches NTP implementation mode Configuration on S3100 series switches Server client mode Configure the local S3100 Ethernet switch to work in the NTP client mode In this mode the remote server serves as the local time server while the local switch serves as the client Symmetric peer mode Configure the local S3100 switch to work in NTP symmetric peer mode In this mode the ...

Page 653: ...t switch to work in NTP multicast client mode In this mode the local switch receives multicast NTP messages through the VLAN interface configured on the switch Caution z When an H3C S3100 Ethernet switch works in server mode or symmetric passive mode you need not to perform related configurations on this switch but do that on the client or the symmetric active peer z The NTP server mode NTP broadc...

Page 654: ...e unicast server ntp service unicast peer ntp service broadcast client ntp service broadcast server ntp service multicast client and ntp service multicast server commands enables the NTP feature and opens UDP port 123 at the same time z Execution of the undo form of one of the above six commands disables all implementation modes of the NTP feature and closes UDP port 123 at the same time 1 3 1 Con...

Page 655: ...f other switches only after its clock has been synchronized If the clock of a server has a stratum level lower than or equal to that of a client s clock the client will not synchronize its clock to the server s z You can configure multiple servers by repeating the ntp service unicast server command The client will choose the optimal reference source 1 3 2 Configuring the NTP Symmetric Peer Mode Fo...

Page 656: ...ically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be chosen to synchronize with the local clock of the swi...

Page 657: ...peration Command Description Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default 1 3 4 Configuring NTP Multicast Mode For switches working in the multicast mode you need to configure both the server and clients The multicast server perio...

Page 658: ... a switch to work in the multicast client mode Table 1 8 Configure a switch to work in the NTP multicast client mode Operation Command Description Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP multicast client mode ntp service multicast client ip address Required Not configured by default 1 4 Configuring Access Cont...

Page 659: ... the first matched right 1 4 1 Configuration Prerequisites Prior to configuring the NTP service access control right to the local switch for peer devices you need to create and configure an ACL associated with the access control right For the configuration of ACL refer to ACL Configuration in Security Volume 1 4 2 Configuration Procedure Table 1 9 Configure the NTP service access control right to ...

Page 660: ...TP authentication function is not enabled on the client the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server assuming that other related configurations are properly performed z For the NTP authentication function to take effect a trusted key needs to be configured on both the client and server after the NTP authenticatio...

Page 661: ...t mode ntp service unicast server remote ip server name authentication keyid key id Associ ate the specifi ed key with the corres pondin g NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP broadcast multicast mode you just need to associate the specified key with t...

Page 662: ...rver ntp service multicast server authentication keyid key id z In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding broadcast multicast client z You can associate an NTP broadcast multicast client with an authentication key while configuring NTP mode You can also use this command to associate them after configuring the NTP mode ...

Page 663: ...on is a temporary association created by the system during operation A dynamic association will be removed if the system fails to receive messages from it over a specific long time In the server client mode for example when you carry out a command to synchronize the time to a server the system will create a static association and the server will just respond passively upon the receipt of a message...

Page 664: ... switch and verify the effect of the configurations Table 1 17 Display NTP configuration Operation Command Description Display the status of NTP services display ntp service status Display the information about the sessions maintained by NTP display ntp service sessions verbose Display the brief information about NTP servers along the path from the local device to the reference clock source displa...

Page 665: ...8 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer dispersion 0 00 ms Reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Set Device A as the NTP server of Device B DeviceB system view DeviceB ntp service unicast server 1 0 1 11 After the above configurations Device B is synchronized to Device A View the NTP status of Device B DeviceB display ntp service status Clock...

Page 666: ... Total associations 1 1 8 2 Configuring NTP Symmetric Peer Mode I Network requirements z The local clock of Device A is set as the NTP master clock with the clock stratum level of 2 z Device C an S3100 Ethernet switch uses Device A as the NTP server and Device A works in server mode automatically z The local clock of Device B is set as the NTP master clock with the clock stratum level of 1 Set Dev...

Page 667: ...s Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2 one level lower than Device B View the information about the NTP sessions of Device C you can see that a connection is establ...

Page 668: ...adcast server which sends broadcast messages through Vlan interface2 DeviceC interface Vlan interface 2 DeviceC Vlan interface2 ntp service broadcast server 2 Configure Device A perform the same configuration on Device D Enter system view DeviceA system view Set Device A as a broadcast client DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service broadcast client After the above co...

Page 669: ...View the information about the NTP sessions of Device D and you can see that a connection is established between Device D and Device C DeviceD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 4 Configuring NTP Mult...

Page 670: ... the same configuration on Device D Enter system view DeviceA system view Set Device A as a multicast client to listen to multicast messages through Vlan interface2 DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service multicast client After the above configurations Device A and Device D respectively listen to multicast messages through their own Vlan interface2 and Device C adver...

Page 671: ...ablished between Device D and Device C DeviceD display ntp service sessions source reference stra reach poll now offset delay disper 1234 3 0 1 31 127 127 1 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 5 Configuring NTP Server Client Mode with Authentication I Network requirements z The local clock of Device A is set a...

Page 672: ... A Because the NTP authentication function is not enabled on Device A the clock of Device B will fail to be synchronized to that of Device A 2 To synchronize Device B you need to perform the following configurations on Device A Enable the NTP authentication function DeviceA system view DeviceA ntp service authentication enable Configure an MD5 authentication key with the key ID being 42 and the ke...

Page 673: ...k of Device B is synchronized to that of Device A with a clock stratum level of 3 one stratum level lower than that Device A View the information about NTP sessions of Device B You can see that a connection is established between Device B and Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 255 64 8 2 8 17 7 1 2 not...

Page 674: ... 8 Assigning a Public Key to an SSH User 1 13 1 3 9 Exporting the RSA or DSA Public Key 1 13 1 4 Configuring the SSH Client 1 14 1 4 1 SSH Client Configuration Task List 1 14 1 4 2 Configuring an SSH Client that Runs SSH Client Software 1 15 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 22 1 5 Displaying and Maintaining SSH Configuration 1 25 1 6 Comparison of SSH Commands wi...

Page 675: ...at prevent attacks such as DNS and IP spoofing SSH adopts the client server model The device can be configured as an SSH client or an SSH server In the former case the device establishes a remote SSH connection to an SSH server In the latter case the device provides connections to multiple clients Furthermore SSH can also provide data compression to increase transmission speed take the place of Te...

Page 676: ...y you cannot use the private key through the public key Asymmetric key algorithm encrypts data using the public key and decrypts the data using the private key thus ensuring data security You can also use the asymmetric key algorithm for data signature For example user 1 adds his signature to the data using the private key and then sends the data to user 2 User 2 verifies the signature using the p...

Page 677: ...ntification string in the format of SSH primary protocol version number secondary protocol version number software version number The primary and secondary protocol version numbers constitute the protocol version number while the software version number is used for debugging z The client receives and resolves the packet If the protocol version of the server is lower but supportable the client uses...

Page 678: ... process repeats until the authentication succeeds or the connection is torn down when the authentication times reach the upper limit SSH provides two authentication methods password authentication and publickey authentication z In password authentication the client encrypts the username and password encapsulates them into a password authentication request and sends the request to the server Upon ...

Page 679: ... Client Configuration Task List Many devices can act as the SSH server and client This document describes two cases z The H3C switch acts as the SSH server to cooperate with software that supports the SSH client functions z The H3C switch acts as the SSH server to cooperate with another H3C switch that acts as an SSH client Complete the following tasks to configure the SSH server and clients Serve...

Page 680: ...uired Authentication Specifying a Service Type for an SSH User Optional By default an SSH user can use the service type of stelnet Configuring the Public Key of a Client on the Server z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authentication mode is password z Required ...

Page 681: ...rface authentication mode is password Specify the supported protocol s protocol inbound all ssh telnet Optional By default both Telnet and SSH are supported Caution z If you have configured a user interface to support SSH protocol you must configure AAA authentication for the user interface by using the authentication mode scheme command to ensure successful login z On a user interface if the auth...

Page 682: ... update the RSA server keys Configure a login header header shell text Optional By default no login header is configured Caution z You can configure a login header only when the service type is stelnet For configuration of service types refer to Specifying a Service Type for an SSH User z For details of the header command refer to the corresponding section in Login Command z Currently only the S31...

Page 683: ...2 and 2048 The default length is 1024 In case a key pair already exists the system will ask whether to replace the existing key pair Table 1 5 Follow these steps to create or destroy key pairs To do Use the command Remarks Enter system view system view Generate an RSA key pair public key local create rsa Required By default no RSA key pair is created Destroy the RSA key pair public key local destr...

Page 684: ...ommended 1 3 5 Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an authentication type for it Specifying an authentication type for a new user is a must to get the user login Table 1 6 Follow these steps to configure an SSH user and specify an authentication type for the user To do Use the command Remarks Enter system view system view ssh au...

Page 685: ...server And the user can use its username and password configured on the remote server to access the network z Under the publickey authentication mode the level of commands available to a logged in SSH user can be configured using the user privilege level command on the server and all the users with this authentication mode will enjoy this level z Under the password or password publickey authentica...

Page 686: ...r case you can manually copy the client s public key to the server In the latter case the system automatically converts the format of the public key generated by the client to complete the configuration on the server but the client s public key should be transferred from the client to the server beforehand through FTP TFTP Table 1 8 Follow these steps to configure the public key of a client manual...

Page 687: ...ser Caution This configuration task is unnecessary if the SSH user s authentication mode is password For the publickey authentication mode you must specify the client s public key on the server for authentication Table 1 10 Follow these steps to assign a public key for an SSH user To do Use the command Remarks Enter system view system view Assign a public key to an SSH user ssh user username assig...

Page 688: ...key format can be SSH1 SSH2 and OpenSSH 1 4 Configuring the SSH Client The configurations required on the SSH client are related to the authentication mode that the SSH server uses In addition if an SSH client does not support first time authentication you need to configure the public key of the server on the client so that the client can authenticate the server 1 4 1 SSH Client Configuration Task...

Page 689: ...or remote connection Required Selecting an SSH version Required Opening an SSH connection with password authentication Required for password authentication unnecessary for publickey authentication Opening an SSH connection with publickey authentication Required for publickey authentication unnecessary for password authentication Note z Selecting the protocol for remote connection as SSH Usually a ...

Page 690: ...enerate a client key run PuTTYGen exe and select from the Parameters area the type of key you want to generate either SSH 2 RSA or SSH 2 DSA then click Generate Figure 1 2 Generate a client key 1 Note that while generating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 1 3 Otherwise the process bar stops moving and ...

Page 691: ...thernet Switches Chapter 1 SSH Configuration 1 17 Figure 1 3 Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key ...

Page 692: ...ate key A warning window pops up to prompt you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 5 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then click Convert ...

Page 693: ...on Manual SSH H3C S3100 Series Ethernet Switches Chapter 1 SSH Configuration 1 19 Figure 1 6 Generate the client keys 5 II Specifying the IP address of the Server Launch PuTTY exe The following window appears ...

Page 694: ...box enter the IP address of the server Note that there must be a route available between the IP address of the server and the client III Selecting a protocol for remote connection As shown in Figure 1 7 select SSH under Protocol IV Selecting an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 8 appears ...

Page 695: ...re supports DES algorithm negotiation ssh2 V Opening an SSH connection with password authentication From the window shown in Figure 1 8 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection To log out enter the quit command VI Opening an SSH connection with publickey authentication If a user nee...

Page 696: ...rompted for a username Once passing the authentication the user can log in to the server 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch Table 1 14 Complete the following tasks to configure an SSH client that is assumed by an SSH2 capable switch Task Remarks Configuring the SSH client for publickey authentication z Not necessary when the authentication mode is password z Required...

Page 697: ...ublic key can continue accessing the server when it accesses the server for the first time and it will save the host public key on the client for use in subsequent authentications z With first time authentication disabled an SSH client that is not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host ...

Page 698: ...stem view system view Start the client to establish a connection with an SSH server ssh2 host ip host name port num identity key dsa rsa prefer_kex dh_group1 dh_exchange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In this command you can also specify the preferred key exchange algorithm...

Page 699: ...sake of SSH configuration compatibility the original commands are still supported Table 1 18 lists both the original commands and current commands Table 1 18 List of SSH configuration commands with the same functions Operation Original commands Current commands Display local RSA public key s display rsa local key pair public display public key local rsa public Display information about the peer RS...

Page 700: ...r public key when the S3100 EI switch is working in SSH1 compatible mode but only one public key the host public key when the switch is working in SSH2 mode z The result of the display rsa local key pair public command or the public key converted with the SSHKEY tool contains no information such as the authentication type so they cannot be directly used as parameters in the public key peer command...

Page 701: ...ation mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch ui vty0 4 quit Create local client client001 and set the authentication password to abc protocol type to SSH and command privilege level to 3 for the client Switch local user client001 Switch luser client001 password simple abc Switch luser client001 service type ssh level 3 Switch luser client...

Page 702: ...SH Configuration 1 28 Figure 1 11 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH server 2 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 12 appears ...

Page 703: ...name client001 and password abc Once authentication succeeds you will log in to the server 1 7 2 When Switch Acts as Server for Password and RADIUS Authentication I Network requirements As shown in Figure 1 13 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password authentication is required z The host runs SSH2 0 client software to est...

Page 704: ...rm and select System Management System Configuration from the navigation tree In the System Configuration window click Modify of the Access Device item and then click Add to enter the Add Access Device window and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN Acc...

Page 705: ...k Add to enter the Add Account window and perform the following configurations z Add a user named hello and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 15 Add an account for device management 2 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the IP ad...

Page 706: ...eme Switch radius scheme rad Switch radius rad accounting optional Switch radius rad primary authentication 10 1 1 1 1812 Switch radius rad key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Configure...

Page 707: ...TTY exe to enter the following configuration interface Figure 1 16 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the SSH server z From the category on the left pane of the window select Connection SSH The window as shown in Figure 1 17 appears ...

Page 708: ...you can access after login is authorized by the CAMS server You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1 15 1 7 3 When Switch Acts as Server for Password and HWTACACS Authentication I Network requirements As shown in Figure 1 18 an SSH connection is required between the host SSH client and the switch SSH server for secure data e...

Page 709: ...system view Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 70 255 255 255 0 Switch Vlan interface2 quit Caution Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user inter...

Page 710: ...ication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty Version 0 58 as an exam...

Page 711: ...ver The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals 1 7 4 When Switch Acts as Server for Publickey Authentication I Network requirements As shown in Figure 1 21 establish an SSH connection between the host SSH client and the switch SSH Server for...

Page 712: ... interface1 ip address 192 168 0 1 255 255 255 0 Switch Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enab...

Page 713: ...SSH server through FTP or TFTP For details refer to Configuring the SSH Client Import the client s public key named Switch001 from file public Switch public key peer Switch001 import sshkey public Assign the public key Switch001 to client client001 Switch ssh user client001 assign publickey Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run ...

Page 714: ... mouse continuously and keep the mouse off the green process bar shown in Figure 1 23 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 23 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case ...

Page 715: ...s up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the private key private ppk in this case Figure 1 25 Generate a client key pair 4 Note After a public key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the...

Page 716: ...th the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 26 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 27 appears ...

Page 717: ...Series Ethernet Switches Chapter 1 SSH Configuration 1 43 Figure 1 27 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears ...

Page 718: ...If the connection is normal you will be prompted to enter the username 1 7 5 When Switch Acts as Client for Password Authentication I Network requirements As shown in Figure 1 29 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name for login is client001 and the SSH server s IP address is 10 165 87 136 Password authentication is req...

Page 719: ... user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 and set the authentication password to abc the login protocol to SSH and user command privilege level to 3 SwitchB local user client001 SwitchB luser client001 password simple abc SwitchB luser clien...

Page 720: ...thout the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB 1 7 6 When Switch Acts as Client for Publickey Authentication I Network requirements As shown in Figure 1 30 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name is client001 and the SSH server s IP address is 10 165 87 136 Publick...

Page 721: ...terface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify the authentication type of user client001 as publickey SwitchB ssh user client001 authentication type publickey Note Before doing the following ...

Page 722: ...blic key local export dsa ssh2 Switch001 Note After the key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity key dsa Username client001 Trying 10 165 87 136 Press CTRL K to abort Co...

Page 723: ... supported III Configuration procedure z Configure Switch B Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH lo...

Page 724: ...ey Switch001 to user client001 SwitchB ssh user client001 assign publickey Switch001 Export the generated DSA host public key pair to a file named Switch002 SwitchB public key local export dsa ssh2 Switch002 Note When first time authentication is not supported you must first generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH cl...

Page 725: ...002 and then upload the file to the SSH client through FTP or TFTP For details refer to the above part Configure Switch B Import the public key pair named Switch002 from the file Switch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server 10...

Page 726: ...1 Introduction to File System 1 1 1 1 2 File System Configuration Tasks 1 1 1 1 3 Directory Operations 1 1 1 1 4 File Operations 1 2 1 1 5 Flash Memory Operations 1 3 1 1 6 Prompt Mode Configuration 1 4 1 1 7 File System Configuration Example 1 4 1 2 File Attribute Configuration 1 5 1 2 1 Introduction to File Attributes 1 5 1 2 2 Booting with the Startup File 1 6 1 2 3 Configuring File Attributes ...

Page 727: ...ry Operations Optional Prompt Mode Configuration Optional Note S3100 series Ethernet switches allow you to input a file path and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For example the URL of a file named text txt in the root directory of the switch is ...

Page 728: ... In the output information of the dir all command deleted files that is those stored in the recycle bin are embraced in brackets 1 1 4 File Operations The file system also provides file related functions listed in Table 1 3 Perform the following configuration in user view Note that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete ...

Page 729: ... names are the same only the latest deleted file is kept in the recycle bin and can be restored z The files which are deleted by the delete command without the unreserved keyword are actually moved to the recycle bin and thus still take storage space You can clear the recycle bin by using the reset recycle bin command z The dir all command displays the files in the recycle bin in square brackets z...

Page 730: ... system To do Use the command Remarks Enter system view system view Configure the prompt mode of the file system file prompt alert quiet Required By default the prompt mode of the file system is alert 1 1 7 File System Configuration Example Display all the files in the root directory of the file system Sysname dir all Directory of unit1 flash 1 rw 3579326 Mar 28 2007 10 51 22 s3100 bin 2 rw 1235 A...

Page 731: ... 2000 17 30 06 dsakey 7 drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Sysname dir unit1 flash test Directory of unit1 flash test 1 rw 1235 Apr 05 2000 01 51 34 test cfg 2 rw 1235 Apr 05 2000 01 56 44 1 cfg 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup at...

Page 732: ... file can have both the main and backup attributes Files of this kind are labeled b Note that there can be only one app file one configuration file and one Web file with the main attribute in the Flash memory If a newly created file is configured to be with the main attribute the existing file with the main attribute in the Flash memory will lose its main attribute This circumstance also applies t...

Page 733: ...iguration file when the device boots refer to the Configuration File Management part in this manual 1 2 3 Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the main or backup attribute of the file Perform the configuration listed in Table 1 7 in user view The display commands can be exe...

Page 734: ...e configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch z After upgrading a Web file you need to specify the new Web file in the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extension of cfg and ...

Page 735: ... Client 1 6 1 2 3 Configuration Example A Switch Operating as an FTP Server 1 7 1 2 4 FTP Banner Display Configuration Example 1 10 1 2 5 FTP Configuration A Switch Operating as an FTP Client 1 11 1 3 SFTP Configuration 1 13 1 3 1 SFTP Configuration A Switch Operating as an SFTP Server 1 13 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client 1 15 1 3 3 SFTP Configuration Example 1 17 Cha...

Page 736: ...er An H3C S3100 series Ethernet switch can act as an FTP client or the FTP server in FTP employed data transmission Table 1 1 Roles that an H3C S3100 series Ethernet switch acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP clients You can log in to a switch operating as an FTP server by running an FTP cl...

Page 737: ... A Switch Operating as an FTP Client Basic configurations on an FTP client 1 2 1 FTP Configuration A Switch Operating as an FTP Server I Creating an FTP user Configure the user name and password for the FTP user and set the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have acce...

Page 738: ...erver z You cannot access an H3C S3100 series switch operating as an FTP server through Microsoft Internet Explorer To do so use other client software Note To protect unused sockets against attacks the S3100 Ethernet switch provides the following functions z TCP 21 is enabled only when you start the FTP server z TCP 21 is disabled when you shut down the FTP server III Configuring connection idle t...

Page 739: ...ata to from the FTP server the S3100 Ethernet switch will disconnect the user after the data transmission is completed V Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection b...

Page 740: ...ther command or both By default no banner is configured Note For details about the header command refer to the Login part of the manual VI Displaying FTP server information After the above configurations you can execute the display commands in any view to display the running status of the FTP server and verify your configurations Table 1 8 Display FTP server information Operation Command Descripti...

Page 741: ...nt Operation Command Description Enter FTP client view ftp cluster remote server port number Specify to transfer files in ASCII characters ascii Specify to transfer files in binary streams binary Use either command By default files are transferred in ASCII characters Set the data transfer mode to passive passive Optional passive by default Change the working directory on the remote FTP server cd p...

Page 742: ... source remote dest Log in with the specified user name and password user username password Connect to a remote FTP server open ip address server name port disconnect Terminate the current FTP connection without exiting FTP client view close quit Terminate the current FTP connection and return to user view bye Display the online help about a specified command concerning FTP remotehelp protocol com...

Page 743: ...FTP You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information Configure the FTP user name as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname ftp server enable Sysname local user switch Sysname luser switch password simple hello Sysname luser switch service type ftp 2 Configure the PC FT...

Page 744: ...Windows When you log in to the FTP server through another FTP client refer to the corresponding instructions for operation description Caution z If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you...

Page 745: ... been configured on the FTP server z The IP addresses 1 1 1 1 for a VLAN interface on the switch and 2 2 2 2 for the PC have been configured Ensure that a route exists between the switch and the PC z Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears II Network diagram IP network FTP Server FTP Client SwitchA PC VLAN Int1 1 1 1 1 8 2 2 2 2...

Page 746: ... A switch operates as an FTP client and a remote PC as an FTP server The switch application named switch bin is stored on the PC Download it to the switch through FTP and use the boot boot loader command to specify switch bin as the application for next startup Reboot the switch to upgrade the switch application and then upload the switch configuration file named config cfg to the switch directory...

Page 747: ...ed you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in user view You need to provide the IP address of the FTP ...

Page 748: ... the startup file for a switch refer to the System Maintenance and Debugging module of this manual 1 3 SFTP Configuration Table 1 10 SFTP configuration tasks Item Configuration task Description Enabling an SFTP server Required Configuring connection idle time Optional SFTP Configuration A Switch Operating as an SFTP Server Supported SFTP client software SFTP Configuration A Switch Operating as an ...

Page 749: ...erforming any operation Table 1 12 Configure connection idle time Operation Command Description Enter system view system view Configure the connection idle time for the SFTP server ftp timeout time out value Optional 10 minutes by default III Supported SFTP client software An H3C S3100 series Ethernet switch operating as an SFTP server can interoperate with SFTP client software including SSH Tecti...

Page 750: ...en you delete a large file from the server you are recommended to set the client packet timeout time to over 600 seconds 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client I Basic configurations on an SFTP client By default a switch can operate as an SFTP client In this case you can connect the switch to the SFTP server to perform SFTP related operations such as creating removing a dire...

Page 751: ...e path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files in the current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only the file name and directory Download a remote file from the SFTP server get...

Page 752: ...B Log in to switch B through switch A to manage and transmit files An SFTP user with the user name client001 and password abc exists on the SFTP server II Network diagram Figure 1 6 Network diagram for SFTP configuration III Configuration procedure 1 Configure the SFTP server switch B Create key pairs Sysname system view Sysname public key local create rsa Sysname public key local create dsa Creat...

Page 753: ...nfigure the IP address of the VLAN interface on switch A It must be in the same segment with the IP address of the VLAN interface on switch B In this example configure it as 192 168 0 2 Sysname system view Sysname interface vlan interface 1 Sysname Vlan interface1 ip address 192 168 0 2 255 255 255 0 Sysname Vlan interface1 quit Connect to the remote SFTP server Enter the user name client001 and t...

Page 754: ...roup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Success Add a directory new1 and then check whether the new directory is successfully created sftp client mkdir new1 Received status Success New directory created sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg...

Page 755: ...ceived status End of file Received status Success Downloading file successfully ended Upload the file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received status Success Uploading file successfully ended sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 config cfg rwx...

Page 756: ...TP server An H3C S3100 series Ethernet switch can act as a TFTP client only When an S3100 series Ethernet switch serving as a TFTP client downloads files from When you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated between the switch and the server and the file download oper...

Page 757: ...Table 2 2 Basic configurations on a TFTP client Operation Command Description Download a file from a TFTP server tftp tftp server get source file dest file Optional Upload a file to a TFTP server tftp tftp server put source file dest file Optional Enter system view system view Set the file transmission mode tftp ascii binary Optional Binary by default Specify an ACL rule used by the specified TFTP...

Page 758: ...r by telnetting the switch See the Login module for detailed information Caution If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be...

Page 759: ...r Sysname tftp 1 1 1 2 put config cfg config cfg After downloading the file use the boot boot loader command to specify the downloaded file switch bin to be the startup file used when the switch starts the next time and restart the switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot Note For information about the boot boot loader command and how to spe...

Page 760: ...the UTC Time Zone 1 9 1 2 4 Setting to Output System Information to the Console 1 10 1 2 5 Setting to Output System Information to a Monitor Terminal 1 12 1 2 6 Setting to Output System Information to a Log Host 1 14 1 2 7 Setting to Output System Information to the Trap Buffer 1 15 1 2 8 Setting to Output System Information to the Log Buffer 1 15 1 2 9 Setting to Output System Information to the ...

Page 761: ...ble with three types of information z Log information z Trap information z Debugging information II Eight levels of system information The information is classified into eight levels by severity and can be filtered by level More emergent information has a smaller severity level Table 1 1 Severity description Severity Severity value Description emergencies 1 The system is unavailable alerts 2 Infor...

Page 762: ...ands Table 1 2 Information channels and output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap and debugging information facilitating remote maintenance 2 loghost Log host Receives log trap and debugging information and information will be stored in files f...

Page 763: ...802 1x module ACL Access control list module ADBM Address base module AM Access management module ARP Address resolution protocol module CMD Command line module DEV Device management module DNS Domain name system module ETH Ethernet module FIB Forwarding module FTM Fabric topology management module FTPS FTP server module HA High availability module HABP Huawei authentication bypass protocol module...

Page 764: ... module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module VTY Virtual type terminal module XM Xmodem module default Default settings for all the modules To sum up the major task of the information center is to output the three types of information of the modules onto the ten channels in terms of the eight severity levels and according to the user s settings and t...

Page 765: ...switch sends the logs to the log host in the above format For detailed information refer to Setting to Output System Information to a Log Host z There is the syslog process on the Unix or Linux platform you can start the process to receive the logs sent from the switch in the Windows platform you need to install the specific software and it will operate as the syslog host z Some log host software ...

Page 766: ... sent from the system center to the Console monitor terminal logbuffer trapbuffer and the SNMP is with a precision of milliseconds z yyyy is the year z GMT hh mm ss is the UTC time zone which represents the time difference with the Greenwich standard time Because switches in a network may distribute in different time zones when the time displayed in the time stamps of output information is the loc...

Page 767: ...module name and description Between module and level is a VII Level Severity System information can be divided into eight levels based on its severity from 1 to 8 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forward slash between the level severity and digest fields VIII Digest The digest field is a string of up to 32 characters outlining the syst...

Page 768: ... the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional 1 2 2 Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in command editing mode a prompt or a Y N string in interaction mode...

Page 769: ...mp with the UTC Time Zone To add UTC time zone to the time stamp in the information center output information you must z Set the local time zone z Set the time stamp format in the output direction of the information center to date z Configure to add the UTC time zone to the output information Table 1 6 Configure to display time stamp with the UTC time zone Operation Command Description Set the tim...

Page 770: ...nel channel number channel name Optional By default the switch uses information channel 0 to output log debugging trap information to the console Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 8 for the default output rules of system information Set the for...

Page 771: ...fer default all modules Enabl ed warnin gs Disable d debuggi ng Disable d debuggi ng SNMP NMS default all modules Disabl ed debug ging Enable d warning s Disable d debuggi ng II Enabling system information display on the console After setting to output system information to the console you need to enable the associated display function to display the output information on the console Table 1 9 Ena...

Page 772: ...to a monitor terminal Operation Command Description Enter system view system view Enable the information center info center enable Optional Enabled by default Enable system information output to Telnet terminal or dumb terminal info center monitor channel channel number channel name Optional By default a switch outputs log debugging trap information to a user terminal through information channel 1...

Page 773: ...to a monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Table 1 11 Enable the display of system information on a monitor terminal Operation Command Description Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by default Enable debugging information terminal displ...

Page 774: ...nfigure the source interface through which log information is sent to the log host info center loghost source interface type interface number Optional By default no source interface is configured and the system automatically selects an interface as the source interface Configure the output rules of system information info center source modu name default channel channel number channel name log trap...

Page 775: ...ter source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 8 for the default output rules of system information Set the format of time stamp in the output information info center timestamp log trap debugging boot date none Optional By default the time stamp format of the output trap information is date 1 2 8 Setting to Outpu...

Page 776: ...S Operation Command Description Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the SNMP NMS info center snmp channel channel number channel name Optional By default the switch outputs trap information to SNMP through channel 5 Configure the output rules of system information info center source modu name defaul...

Page 777: ...splay info center unit unit id Display the status of log buffer and the information recorded in the log buffer display logbuffer unit unit id level severity size buffersize begin exclude include regular expression Display the summary information recorded in the log buffer display logbuffer summary level severity Display the status of trap buffer and the information recorded in the trap buffer disp...

Page 778: ...tion with severity level higher than informational to the log host Switch info center loghost 202 38 1 10 facility local4 Switch info center source arp channel loghost log level informational debug state off trap state off Switch info center source ip channel loghost log level informational debug state off trap state off 2 Configure the log host The operations here are performed on SunOS 4 0 The o...

Page 779: ...he log file information is created and the file etc syslog conf is modified execute the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations the switch can make records in the corresponding log file Note Through combined configuration of the device name fac...

Page 780: ...t user to add the following selector action pairs Switch configuration messages local7 info var log Switch information Note Note the following items when you edit file etc syslog conf z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is permitted at the end of the file name z The device name facility and received...

Page 781: ...he two modules ARP and IP with severity higher than informational II Network diagram Figure 1 3 Network diagram for log output to the console III Configuration procedure Enable the information center Switch system view Switch info center enable Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output...

Page 782: ...on of the information center II Network diagram Network Switch PC Figure 1 4 Network diagram III Configuration procedure Name the local time zone z8 and configure it to be eight hours ahead of UTC time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info...

Page 783: ... 2 2 3 Debugging the System 2 2 2 3 1 Enabling Disabling System Debugging 2 2 2 3 2 Displaying Debugging Status 2 4 2 3 3 Displaying Operating Information about Modules in System 2 4 Chapter 3 Network Connectivity Test 3 1 3 1 Network Connectivity Test 3 1 3 1 1 ping 3 1 3 1 2 tracert 3 1 Chapter 4 Device Management 4 1 4 1 Introduction to Device Management 4 1 4 2 Device Management Configuration ...

Page 784: ...This chapter introduces how to load the Boot ROM and host software to a switch locally and remotely 1 1 Introduction to Loading Approaches You can load software locally by using z XModem through Console port z TFTP through Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP Note The Boot ROM software version should be compatible with the host software ver...

Page 785: ... 2 1 BOOT Menu Starting H3C S3100 26TP EI W BOOTROM Version 506 Copyright c 2004 2007 Hangzhou H3C Technologies Co Ltd Creation date Apr 17 2007 10 12 36 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 000fe2123456 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password Note To enter the BOOT menu you should press Ctrl B within five seconds full startup ...

Page 786: ...ck methods checksum and CRC and multiple attempts of error packet retransmission generally the maximum number of retransmission attempts is ten The XModem transmission procedure is completed by a receiving program and a sending program The receiving program sends negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets W...

Page 787: ... bps is chosen and the system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready Note If you have chosen 9600 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case ...

Page 788: ...on Manual System Maintenance and Debugging H3C S3100 Series Ethernet Switches Chapter 1 Boot ROM and Host Software Loading 1 5 Figure 1 1 Properties dialog box Figure 1 2 Console port configuration dialog box ...

Page 789: ...e takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in HyperTerminal and click Browse in pop up dialog box as shown in Figure 1 4 Select the ...

Page 790: ...when it completes the loading Bootrom updating done Note z If the HyperTerminal s baudrate is not reset to 9600 bps the system prompts Your baudrate should be set to 9600 bps again Press enter key when ready z You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 9600 bps In this case the system upgrades the Boot ROM automatically and prompts Bootrom updatin...

Page 791: ...the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the HyperTerminal on the PC and configure XModem as the transfer protocol and configure communication parameters on the Hyper Terminal the same as that on the Console port Step 3 Choose the file to be loaded to the switch and then start to transmit ...

Page 792: ...pdate menu shown below Bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name switch btm Switch IP address 1 1 1 2 Server IP address 1 1 1 1 Step 5 Press Ent...

Page 793: ...n When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC directly connected to the device as TFTP server to promote upgrading reliability 1 2 4 Loading by FTP through Ethernet Port I Introduction to FTP FTP is an application layer protocol in the TCP IP protocol suite It is used for file transfer between server and client and is widely used in IP net...

Page 794: ...to boot menu Enter your choice 0 3 Step 4 Enter 2 in the above menu to download the Boot ROM using FTP Then set the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No Y N S...

Page 795: ...d Software Loading If your terminal is not directly connected to the switch you can telnet to the switch and use FTP or TFTP to load the Boot ROM and host software remotely 1 3 1 Remote Loading Using FTP I Loading Procedure Using FTP Client 1 Loading the Boot ROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server You can telnet to the switch and then execute th...

Page 796: ...u want so as to avoid losing configuration information 2 Loading host software Loading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for next startup of the switch After the above operations the Boot ROM and host software loading is ...

Page 797: ...et mask to 255 255 255 0 Note You can configure the IP address for any VLAN on the switch for FTP transmission However before configuring the IP address for a VLAN interface you have to make sure whether the IP addresses of this VLAN and PC are routable Sysname system view System View return to User View with Ctrl Z Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 192 168 0 28...

Page 798: ...and line interface Step 5 Use the cd command on the interface to enter the path that the Boot ROM upgrade file is to be stored Assume the name of the path is D Bootrom as shown in Figure 1 11 Figure 1 11 Enter Boot ROM directory Step 6 Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server ...

Page 799: ...M and Host Software Loading 1 16 Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 1 13 Figure 1 13 Upload file switch btm to the switch Step 8 Configure switch btm to be the Boot ROM at next startup and then restart the switch ...

Page 800: ...e to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch Note z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user guide before operation z Only the configuration steps concerning loading are listed here...

Page 801: ...it is the UTC time zone Set the name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system reaches the specified start time it automatically adds the specified offset to the current time so as to toggle the system time to the summer time z When the system reach...

Page 802: ...isplay version Display the information about users logging onto the switch display users all You can execute the display commands in any view 2 3 Debugging the System 2 3 1 Enabling Disabling System Debugging The device provides various debugging functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The ...

Page 803: ...o other directions For details refer to Information Center Operation You can use the following commands to enable the two switches Table 2 3 Enable debugging and terminal display for a specific module Operation Command Description Enable system debugging for specific module debugging module name debugging option Required Disabled for all modules by default Enable terminal display for debugging ter...

Page 804: ...n Ethernet switch is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its corresponding operating information display command s You can use the command here to display the current operating information about the modules in the system for troubleshooting your system Table 2 5 Display the current operation information about the modules i...

Page 805: ...the response packet are displayed z Final statistics including the numbers of sent packets and received response packets the irresponsive packet percentage and the minimum average and maximum values of response time 3 1 2 tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check the network connectivit...

Page 806: ... Network Connectivity Test 3 2 Table 3 2 The tracert command Operation Command Description View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout string You can execute the tracert command in any view ...

Page 807: ...ice management configuration tasks Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional Configuring Real time Monitoring of the Running Status of the System Optional Specifying the APP to be Used at Reboot Optional Upgrading the Boot ROM Optional Identifying and Diagnosing Pluggable Transceivers Optional 4 2 2 Rebooting the Ethernet Switch You can perform ...

Page 808: ...ime for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and set the reboot period schedule reboot regularity at hh mm period Optional Note The switch timer can be set to precision of one minute that is the switch will reboot within one minute after the specified reboot date and time 4 2 4 Configuring Real time Monitoring of the Running S...

Page 809: ...e used at reboot boot boot loader backup attribute file url device name Required 4 2 6 Upgrading the Boot ROM You can use the Boot ROM program saved in the Flash memory of the switch to upgrade the running Boot ROM With this command a remote user can conveniently upgrade the BootRom by uploading the Boot ROM to the switch through FTP and running this command The Boot ROM can be used when the switc...

Page 810: ... S3100 series Ethernet switches refer to H3C S3100 Series Ethernet Switches Installation Manual II Identifying pluggable transceivers As pluggable transceivers are of various types and from different vendors you can perform the following configurations to identify main parameters of the pluggable transceivers including transceiver type connector type central wavelength of the laser sent transfer d...

Page 811: ...o support the digital diagnosis function which enables a transceiver to monitor the main parameters such as temperature voltage laser bias current TX power and RX power When these parameters are abnormal you can take corresponding measures to prevent transceiver faults Table 4 9 Display pluggable transceiver information Operation Command Description Display the current alarm information of the plu...

Page 812: ...file with the extension diag into the Flash memory display diagnostic information Display enabled debugging on the switch display debugging unit unit id interface interface type interface number module name You can execute the display command in any view 4 4 Remote Switch APP Upgrade Configuration Example I Network requirements Telnet to the switch from a PC remotely and download applications from...

Page 813: ...who is authorized with the read write right on the directory Switch on the PC The detailed configuration is omitted here 2 On the switch configure a level 3 telnet user with the username as user and password as hello Authentication mode is by user name and password Note Refer to the Login Operation part of this manual for configuration commands and steps about telnet user 3 Execute the telnet comm...

Page 814: ...e 8 Upgrade the Boot ROM Sysname boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot loader switch bin The specified file will be booted next time on unit 1 Sysname display boot loader Unit 1 The curr...

Page 815: ...Configuration 2 2 2 2 1 Selective QinQ Configuration Task List 2 2 2 2 2 Configuring Global Tag Mapping Rules for Selective QinQ 2 3 2 2 3 Enabling the Selective QinQ Feature for a Port 2 3 2 3 Selective QinQ Configuration Example 2 4 2 3 1 Processing Private Network Packets by Their Types 2 4 Chapter 3 VLAN Mapping Configuration 3 1 3 1 VLAN Mapping Overview 3 1 3 1 1 Introduction to VLAN Mapping...

Page 816: ...itches Table of Contents ii 4 2 1 Configuration Prerequisites 4 4 4 2 2 Configuring a BPDU Tunnel 4 4 4 3 Displaying and Maintaining BPDU Tunnel Configuration 4 5 4 4 BPDU Tunnel Configuration Example 4 5 4 4 1 Transmitting STP Packets Through a Tunnel 4 5 ...

Page 817: ...ve data security VLAN VPN feature is a simple yet flexible Layer 2 tunneling technology It tags private network packets with outer VLAN tags thus enabling the packets to be transmitted through the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public networks and the i...

Page 818: ...ing the default VLAN tag of the port 1 1 3 Configuring the TPID for VLAN VPN Packets Note The contents of this section are only applicable to the S3100 EI series among S3100 series switches A VLAN tag uses the tag protocol identifier TPID field to identify the protocol type of the tag The value of this field is 0x8100 for IEEE 802 1Q Figure 1 3 illustrates the structure of the IEEE 802 1Q VLAN tag...

Page 819: ...nd handling you cannot set the TPID value to any of the values in the table below Table 1 1 Commonly used protocol type values in Ethernet frames Protocol type Value ARP 0x0806 IP 0x0800 MPLS 0x8847 0x8848 IPX 0x8137 IS IS 0x8000 LACP 0x8809 802 1x 0x888E 1 2 VLAN VPN Configuration 1 2 1 VLAN VPN Configuration Task List Complete the following tasks to configure VLAN VPN Task Remarks Enabling the V...

Page 820: ...e same port 1 2 3 Configuring the TPID Value for VLAN VPN Packets Note This section is only applicable to S3100 EI series switches For your device to correctly identify the VLAN tagged frames from the public network make sure that the TPID you will use is the same as that used on the peer device in the public network Follow these steps to configure the TPID for VLAN VPN packets To do Use the comma...

Page 821: ...100 series switches They connect the users to the servers through the public network z PC users and PC servers are in VLAN 100 created in the private network while terminal users and terminal servers are in VLAN 200 which is also created in the private network The VLAN VPN connection is established in VLAN 1040 of the public network z Switches of other vendors are used in the public network They u...

Page 822: ... and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag SwitchA system view SwitchA vlan 1040 SwitchA vlan1040 port Ethernet 1 0 11 SwitchA vlan1040 quit SwitchA interface Ethernet 1 0 11 SwitchA Ethernet1 0 11 vlan vpn enable SwitchA Ethernet1 0 11 quit Set the global TPID value to 0x9200 for intercommunication with the devices in the public network and configur...

Page 823: ...d Ethernet 1 0 22 of Switch B Otherwise the outer VLAN tag of a packet will be removed during transmission z In this example both Ethernet1 0 11 of Switch A and Ethernet1 0 21 of Switch B are access ports In cases where the ports are trunk ports or hybrid ports you need to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040 Refer to VLAN in this manual fo...

Page 824: ...ravels in the public network till it reaches Ethernet1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded through Ethernet1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN 1040 of the packet is removed before the packet is forwarded which restores the packet to a packet tagged with only the private VLAN tag and enables it...

Page 825: ...enhanced application of the VLAN VPN feature With the selective QinQ feature you can configure inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the port connecting to the access layer devic...

Page 826: ...eir inner VLAN tags For example you can configure to add the tag of VLAN 1002 to the packets of IP telephone users in VLAN 201 to VLAN 300 and forward the packets to the VoIP device which is responsible for processing IP telephone services To guarantee the quality of voice packet transmission you can configure QoS policies in the public network to reserve bandwidth for packets of VLAN 1002 and for...

Page 827: ...r VLAN tags to the packets with the specific inner VLAN tags raw vlan id inbound vlan id list Required By default the feature of adding an outer VLAN tag to the packets with the specific inner VLAN tags is disabled Note Do not enable both the selective QinQ function and the DHCP snooping function on a switch Otherwise the DHCP snooping function may operate improperly 2 2 3 Enabling the Selective Q...

Page 828: ...k Ethernet 1 0 12 and Ethernet1 0 13 of Switch B provide network access for PC servers belonging to VLAN 100 through VLAN 108 and voice gateways for IP phone users belonging to VLAN 200 through VLAN 230 respectively z The public network permits packets of VLAN 1000 and VLAN 1200 Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200 That is packets of VLAN 1200 have hig...

Page 829: ...efault VLAN of Ethernet 1 0 3 on SwitchA SwitchA system view SwitchA vlan 1000 SwitchA vlan1000 quit SwitchA vlan 1200 SwitchA vlan1200 quit SwitchA vlan 5 SwitchA vlan5 quit Configure Ethernet 1 0 5 as a hybrid port and configure it not to remove VLAN tags when forwarding packets of VLAN 5 VLAN 1000 and VLAN 1200 SwitchA interface Ethernet 1 0 5 SwitchA Ethernet1 0 5 port link type hybrid SwitchA...

Page 830: ...n vpn vid 1200 SwitchA vid 1200 raw vlan id inbound 200 to 230 Enable the selective QinQ feature on Ethernet 1 0 3 SwitchA vid 1200 quit SwitchA interface Ethernet 1 0 3 SwitchA Ethernet1 0 3 vlan vpn selective enable After the above configuration packets of VLAN 100 through VLAN 108 that is packets of PC users are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwarded to t...

Page 831: ...kets of VLAN 13 and VLAN 1200 SwitchB interface Ethernet 1 0 13 SwitchB Etherent1 0 13 port link type hybrid SwitchB Etherent1 0 13 port hybrid pvid vlan 13 SwitchB Etherent1 0 13 port hybrid vlan 13 1200 untagged After the above configuration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the pa...

Page 832: ... mapping function enabled when the switch receives a packet tagged with a network VLAN tag it looks up the mapping rules configured for the matched VLAN tag and then replaces the existing VLAN tag with the corresponding one if the matched mapping rule exists Figure 3 1 shows the structure of a packet tagged with a private network VLAN tag Figure 3 1 The structure of a packet tagged with a private ...

Page 833: ...tion Task List Table 3 1 VLAN mapping configuration task list Task Description Enabling the VLAN Mapping Function Based on a Global VLAN Mapping Rule Enabling the VLAN Mapping Function Based on a Port level VLAN Mapping Rule Use either of the tasks Caution The VLAN mapping function and the VLAN VPN function are mutually exclusive on the same port 3 2 2 Enabling the VLAN Mapping Function Based on a...

Page 834: ...e VLAN mapping function based on a global VLAN mapping rule for a port also enables the selective QinQ function on the port 3 2 3 Enabling the VLAN Mapping Function Based on a Port level VLAN Mapping Rule Table 3 3 Enable the VLAN mapping function based on a port level VLAN mapping rule Operation Command Description Enter system view system view Enter Ethernet port view interface interface type in...

Page 835: ...the ARP part of the manual z You are not allowed to configure both the VLAN mapping function and the IP filtering function on the device For description of the IP filter function refer to the DHCP part of the manual 3 3 VLAN Mapping Configuration Example 3 3 1 Replacing the Private Network VLAN Tag through VLAN Mapping I Network requirements Two customer networks are connected to the public networ...

Page 836: ...nfiguration procedure Note In this example the VLAN mapping function is enabled based on port level VLAN mapping rules Create customer VLANs VLAN 100 and VLAN 200 and service VLANs VLAN 500 and VLAN 600 on Switch A SwitchA system view SwitchA vlan 100 SwitchA vlan100 quit SwitchA vlan 200 SwitchA vlan200 quit SwitchA vlan 500 SwitchA vlan500 quit SwitchA vlan 600 SwitchA vlan600 quit ...

Page 837: ...0 tagged SwitchA Ethernet1 0 12 quit Note z If you configure Ethernet 1 0 11 and Ethernet 1 0 12 as trunk ports you also need to add the two ports to the corresponding customer VLANs and service VLANs z In the above example VLAN 1 is the default VLAN and permitted to pass through all the ports by default If you have changed default VLAN of a port you need to configure the port to permit the defaul...

Page 838: ...rnet 1 0 11 and Ethernet 1 0 12 to the corresponding public network VLAN tags as defined in the VLAN mapping rules and then forwards the packet to public network for transmission In order that the customer packets can be exchanged properly between the two customer networks you need to define the same VLAN mapping rules on Switch B on the other end of the public network The detailed configuration p...

Page 839: ...an organization are connected together through a public network you can combine the corresponding network nodes into one so as to maintain the branch networks as a whole This requires the packets of some of the user s Layer 2 protocol packets be transmitted across the provider s network without getting involved in the computation of the public network The BPDU Tunnel feature is designed to address...

Page 840: ...PDU packet coming from a customer network reaches an edge device in the service provider network the edge device changes the destination MAC address carried in the packet from a protocol specific MAC address to a private multicast MAC address which can be defined using a command A packet with this multicast address as its destination address is called a tunnel packet In the service provider networ...

Page 841: ...work from processing the tunnel packets as other protocol packets the MAC address of a tunnel packet must be a multicast address uniquely assigned to the BPDU tunnel in the service provider network 4 2 BPDU Tunnel Configuration You can establish BPDU tunnels between S3100 series Ethernet switches for the packets of the following protocols z LACP link aggregation control protocol z STP spanning tre...

Page 842: ...properly 4 2 2 Configuring a BPDU Tunnel Follow these steps to configure a BPDU tunnel To do Use the command Remarks Enter system view system view Configure a private multicast MAC address for packets transmitted along the tunnel bpdu tunnel tunnel dmac mac address Optional By default the destination MAC address for packets transmitted along a BPDU tunnel is 010f e200 0003 Enter Ethernet port view...

Page 843: ...before enabling the service provider network to use aggregation group to transmit HGMP packets through BPDU tunnels z The bpdu tunnel cdp command is mutually exclusive with the voice vlan legacy command Refer to Voice VLAN part of this manual for details z If a BPDU tunnel enabled port receives a tunnel packet from the customer s network errors occur in the network and the tunnel packet will be dr...

Page 844: ...le STP on Ethernet1 0 1 Sysname system view Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 stp disable Enable the BPDU tunnel feature for STP BPDUs on Ethernet1 0 1 Sysname Ethernet1 0 1 bpdu tunnel stp Enable the VLAN VPN feature on Ethernet1 0 1 and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname Ethernet1 0 1 port access vlan 100 Sysname Ethernet1 0 1 vlan vpn en...

Page 845: ...able VLAN VPN and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname Ethernet1 0 4 port access vlan 100 Sysname Ethernet1 0 4 vlan vpn enable Configure the destination MAC address for the packets transmitted in the tunnel Sysname Ethernet1 0 4 quit Sysname bpdu tunnel tunnel dmac 010f e233 8b22 Configure Ethernet1 0 3 as a trunk port that permits packets of all VLANs Sysname i...

Page 846: ... 1 2 1 2 HWPing Configuration 1 5 1 2 1 Configuration on a HWPing Server 1 5 1 2 2 HWPing Client Configuration 1 6 1 2 3 Displaying HWPing Configuration 1 20 1 3 HWPing Configuration Example 1 20 1 3 1 ICMP Test 1 20 1 3 2 DHCP Test 1 22 1 3 3 FTP Test 1 24 1 3 4 HTTP Test 1 26 1 3 5 Jitter Test 1 28 1 3 6 SNMP Test 1 30 1 3 7 TCP Test Tcpprivate Test on the Specified Ports 1 33 1 3 8 UDP Test Udp...

Page 847: ...s the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by HWPing client and you can view the test results on HWPing client only When performing a HWPing test you need to configure a HWPing test group on the HWPing client A HWPing test group is a set of HWPing test parameters A test group contains several test parameters and is uniquely identified ...

Page 848: ...ervice corresponding to the well known port may become unavailable Caution H3C S3100 SI series Ethernet switches do not support HWPing DNS tests 1 1 3 HWPing Test Parameters You need to configure corresponding test parameters for each type of HWPing test HWPing test parameters can be configured on HWPing client only For the configurations on HWPing client refer to section 1 2 2 HWPing Client Confi...

Page 849: ...rm a type of test you must first create a test group of this type One test group can be of only one HWPing test type z If you modify the test type of a test group using the test type command the parameter settings test results and history records of the original test type will be all cleared Number of probes per test count z For tests except jitter test only one test packet is sent in a probe In a...

Page 850: ... username and password The two parameters are used to set the username and password to be used for FTP operation File name for FTP operation filename Name of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe jitter packetnum z Jitter test is used to collect statistics about delay jitter in UDP packet transmission z In a jitter probe th...

Page 851: ...t servers 1 2 1 Configuration on a HWPing Server You can enable both the HWPing client and HWPing server functions on an H3C S3100 Ethernet switch that is the switch can serve as a HWPing client and server simultaneously I HWPing server configuration tasks Table 1 3 HWPing server configuration tasks Item Description Related section Enable the HWPing server function The HWPing server function is ne...

Page 852: ...reate multiple test groups for different tests without the need to enable HWPing client repeatedly for each test group Different types of HWPing tests are somewhat different in parameters and parameter ranges The following text describes the configuration on HWPing client for different test types 1 Configuring ICMP test on HWPing client Table 1 5 Configure ICMP test on HWPing client Operation Comm...

Page 853: ...val frequency interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type of service ToS tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results a...

Page 854: ...igure a VLAN interface as the source interface By default no source interface is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the probe timeout time timeout time Optional By default a probe ti...

Page 855: ... number Optional By default no source port is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional By default the automatic test interval is zer...

Page 856: ...ent Table 1 8 Configure HTTP test on HWPing client Operation Command Description Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type http Req...

Page 857: ... number Optional By default no source port is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval frequency interval Optional By default the automatic test interval is zer...

Page 858: ...ction hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type jitter Required By default the test type is ICMP Configure the destination IP address destination ip ip address Required The destination address mu...

Page 859: ...interval Optional By default the automatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the number of test packets that will be sent in each jitter probe jitter packetnum number...

Page 860: ...ss is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history reco...

Page 861: ...fault no test group is configured Configure the test type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the destination address destination ip ip address Required This IP address and the one configured on the HWPing server for listening services must be the same By default no destination address is configured Configure the destination port destination port port...

Page 862: ...ut time Optional By default a probe times out in three seconds Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results admin name operation tag Required The ...

Page 863: ...address 7 command on the server to configure the listening service port otherwise the test will fail No port number needs to be configured on the client any destination port number configured on the client will not take effect z By default no destination port number is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure t...

Page 864: ...n any view 9 Configuring DNS test on HWPing client Table 1 13 Configure DNS test on HWPing client Operation Command Description Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is config...

Page 865: ...ess of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display hwping results admin name operation tag Required The display command can be executed in any view II Configuring HWPing client to send Trap messages Trap messages are generated regardless of whether the HWPing test succeeds or fails You...

Page 866: ...ach time a probe fails 1 2 3 Displaying HWPing Configuration After the above mentioned configuration you can use the display commands to view the results of the latest test and history information Table 1 15 Display HWPing test results Operation Command Description Display test history display hwping history administrator name operation tag Display the results of the latest test display hwping res...

Page 867: ...me hwping administrator icmp destination ip 10 2 2 2 Configure to make 10 probes per test Sysname hwping administrator icmp count 10 Set the probe timeout time to 5 seconds Sysname hwping administrator icmp timeout 5 Start the test Sysname hwping administrator icmp test enable Set the maximum number of history records that can be saved to 5 Sysname hwping administrator icmp history records 5 Displ...

Page 868: ... 04 02 20 55 12 2 5 3 1 0 2000 04 02 20 55 12 2 For detailed output description see the corresponding command manual 1 3 2 DHCP Test I Network requirements The HWPing client is an H3C S3100 series Ethernet switch while the DHCP server can be an H3C S5600 series Ethernet switch Perform a HWPing DHCP test between the two switches to test the time required for the HWPing client to obtain an IP addres...

Page 869: ...est results Sysname hwping administrator dhcp display hwping results administrator dhcp HWPing entry admin administrator tag dhcp test result Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 1018 1037 1023 Square Sum of Round Trip Time 10465630 Last complete test time 2000 4 3 9 51 30 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disco...

Page 870: ...username and password used to log in to the FTP server are admin The file to be uploaded to the server is cmdtree txt II Network diagram Figure 1 4 Network diagram for the FTP test III Configuration procedure z Configure FTP Server Switch B Configure FTP server on Switch B For specific configuration of FTP server refer to the FTP SFTP TFTP part of the manual z Configure HWPing Client Switch A Enab...

Page 871: ... Sysname hwping administrator ftp display hwping results administrator ftp HWPing entry admin administrator tag ftp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 3245 15891 12157 Square Sum of Round Trip Time 1644458573 Last complete test time 2000 4 3 4 0 34 6 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet...

Page 872: ...switch serves as the HWPing client and a PC serves as the HTTP server Perform a HWPing HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established II Network diagram Figure 1 5 Network diagram for the HTTP test III Configuration procedure z Configure HTTP Server Use Windows...

Page 873: ... Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 47 87 74 Square Sum of Round Trip Time 57044 Last succeeded test time 2000 4 2 20 41 50 4 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operatio...

Page 874: ... For detailed output description see the corresponding command manual Note When you use H3C S3100 EI Series Switches as HWPing Client for http test if configuring the destination address as the host name you must configure the IP address of the DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test 1 3 5 Jitter Test I Network requirements Both ...

Page 875: ...ddress of the HWPing server as 10 2 2 2 Sysname hwping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator Jitter destination port 9000 Configure to make 10 probes per test Sysname hwping administrator http count 10 Set the probe timeout time to 30 seconds Sysname hwping administrator Jitter timeout 30 Start the test Sysname...

Page 876: ...verage 2 Negative DS average 1 Negative SD Square Sum 200 Negative DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname hwping administrator Jitter display hwping history administrator Jitter HWPing entry admin administrator tag Jitter history record Index Response Status LastRC Time 1 274 1 0 2000 04 02 08 14 58 2 2 278 1 0 2000 04 02 08 1...

Page 877: ...version v2c Sysname snmp agent community read public Sysname snmp agent community write private Note z The SNMP network management function must be enabled on SNMP agent before it can receive response packets z The SNMPv2c version is used as reference in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure HW...

Page 878: ... 9 11 10 Square Sum of Round Trip Time 983 Last complete test time 2000 4 3 8 57 20 0 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping administrator snmp display hwping h...

Page 879: ...s and port to listen on Sysname system view Sysname hwping server enable Sysname hwping server tcpconnect 10 2 2 2 8000 z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to tcpprivate Sysname Hwping administrator tcpprivate Configure the test type as tcp...

Page 880: ...m busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping administrator tcpprivate display hwping history administrator tcpprivate HWPing entry admin administrator tag tcpprivate history record Index Response Status LastRC Time 1 4 1 0 2000 04 02 08 26 02 9 2 5 1 0 2000 04 02 08 26 02 8 3 4 1 0 2000 04 02 08 26 02...

Page 881: ...ing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to udpprivate Sysname Hwping administrator udpprivate Configure the test type as udpprivate Sysname hwping administrator udpprivate test type udpprivate Configure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator udpprivate de...

Page 882: ...tion errors 0 Sysname hwping administrator udpprivate display hwping history administrator udpprivate HWPing entry admin administrator tag udpprivate history record Index Response Status LastRC Time 1 11 1 0 2000 04 02 08 29 45 5 2 12 1 0 2000 04 02 08 29 45 4 3 11 1 0 2000 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 0...

Page 883: ...administrator dns Configure the test type as dns Sysname hwping administrator dns test type dns Configure the IP address of the DNS server as 10 2 2 2 Sysname hwping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname hwping administrator dns dns resolve target www test com Configure to make 10 probes per test Sysname hwping administrator dns count 10 Se...

Page 884: ...t DNS Resolve Current Time 10 DNS Resolve Min Time 6 DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Failed Times 0 Sysname hwping administrator dns display hwping history administrator dns HWPing entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50 40 9 2 10 1 0 2006 11 28 11 50 40 9 3 10 1 0 2006 11 28 1...

Page 885: ...ing the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 1 16 1 2 6 Configuring the Hop Limit of ICMPv6 Reply Packets 1 16 1 2 7 Configuring IPv6 DNS 1 17 1 2 8 Displaying and Maintaining IPv6 1 18 1 3 IPv6 Configuration Example 1 19 1 3 1 IPv6 Unicast Address Configuration 1 19 Chapter 2 IPv6 Application Configuration 2 1 2 1 Introduction to IPv6 Application 2 1 2 2 IPv6 App...

Page 886: ...ternet Engineering Task Force IETF as the successor to Internet protocol version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits 1 1 1 IPv6 Features I Header format simplification IPv6 cuts down some IPv4 header fields or move them to extension headers to reduce the load of basic IPv6 headers IPv6 uses a fixed length heade...

Page 887: ...uration To simplify the host configuration IPv6 supports stateful address configuration and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its own ...

Page 888: ... IPv6 enhances the flexibility greatly to provide scalability for IP while improving the processing efficiency The Options field in IPv4 packets contains only 40 bytes while the size of IPv6 extension headers is restricted by that of IPv6 packets 1 1 2 Introduction to IPv6 Address I IPv6 addresses An IPv6 address is represented as a series of 16 bit hexadecimals separated by colons An IPv6 address...

Page 889: ...v6 addresses mainly fall into three types unicast address multicast address and anycast address z Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An identifier for a set of interfaces typically belonging to different nodes similar to an IPv4 multic...

Page 890: ...g aggregation to restrict the number of global routing entries z The link local address is used in the neighbor discovery protocol and the stateless autoconfiguration process Routers must not forward any packets with link local source or destination addresses to other links z IPv6 unicast site local addresses are similar to private IPv4 addresses Routers must not forward any packets with site loca...

Page 891: ...ddress is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 address V Interface identifier in IEEE EUI 64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be unique on that link Interface identifiers in IPv6 unicast addresses are curren...

Page 892: ...ge Used to perform a duplicate address detection Used to respond to a neighbor solicitation message Neighbor advertisement NA message When the link layer address changes the local node initiates a neighbor advertisement message to notify neighbor nodes of the change Router solicitation RS message After started a host sends a router solicitation message to request the router for an address prefix a...

Page 893: ...ode B Figure 1 3 Address resolution The address resolution procedure is as follows 1 Node A multicasts an NS message The source address of the NS message is the IPv6 address of the interface of node A and the destination address is the solicited node multicast address of node B The NS message contains the link layer address of node A 2 After receiving the NS message node B judges whether the desti...

Page 894: ... corresponding solicited node multicast address of the IPv6 address to be detected The NS message also contains the IPv6 address 2 If node B uses this IPv6 address node B returns an NA message The NA message contains the IPv6 address of node B 3 Node A learns that the IPv6 address is being used by node B after receiving the NA message from node B Otherwise node B is not using the IPv6 address and ...

Page 895: ...cation z RFC 2464 Transmission of IPv6 Packets over Ethernet Networks z RFC 2526 Reserved IPv6 Subnet Anycast Addresses z RFC 3307 Allocation Guidelines for IPv6 Multicast Addresses z RFC 3513 Internet Protocol Version 6 IPv6 Addressing Architecture z RFC 3596 DNS Extensions to Support IP Version 6 1 2 IPv6 Configuration Task List Table 1 4 Complete these tasks to configure IPv6 Task Remarks Confi...

Page 896: ...nterface z Manual assignment IPv6 link local addresses can be assigned manually Table 1 5 Configure an IPv6 unicast address To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Manually assign an IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix length Configure an IPv6 global unicast address or site ...

Page 897: ...ly assigned one If the manually assigned link local address is deleted the automatically generated link local address takes effect z You must have carried out the ipv6 address auto link local command before you carry out the undo ipv6 address auto link local command However if an IPv6 site local address or global unicast address is already configured for an interface the interface still has a link...

Page 898: ...op learning neighbor information Table 1 7 Configure the maximum number of neighbors dynamically learned To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors max learning num number Optional The default value is 2 048 III Configure ...

Page 899: ...ystem view Enter VLAN interface view interface interface type interface number Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default V Configure the neighbor reachable timeout time on an interface After a neighbor passed the reachability detection the device considers the neighbor to be reachable in a specific period However the device will examine whether t...

Page 900: ...r expires the IPv6 TCP connection establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer is reset from the last packe...

Page 901: ...or packets that are continuously sent out reaches the capacity of the token bucket the subsequent IPv6 ICMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Table 1 13 Configure the maximum number of IPv6 ICMP error packets sent within a specified time To do Use the command Remarks Enter system view system view Configure the ma...

Page 902: ...tion function In addition you should configure a DNS server so that a query request message can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically adds the preset suffix for address resolution The system can support at most 10 doma...

Page 903: ...ipv6 interface interface type interface number brief Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include regular expression Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface interface type interface number vl...

Page 904: ...cs Available in user view Note The display dns domain and display dns server commands are the same as those of IPv4 DNS For details about the commands refer to DNS 1 3 IPv6 Configuration Example 1 3 1 IPv6 Unicast Address Configuration I Network requirements Two switches are directly connected through two Ethernet ports The Ethernet ports belong to VLAN 1 IPv6 addresses are configured for the inte...

Page 905: ...lan interface1 ipv6 address 3001 2 64 IV Verification Display the brief IPv6 information of an interface on Switch A SwitchA Vlan interface1 display ipv6 interface vlan interface 1 Vlan interface1 current state UP Line protocol current state UP IPv6 is enabled link local address is FE80 20F E2FF FE47 4CA3 Global unicast address es 3001 1 subnet is 3001 64 Joined group address es FF02 1 FF00 1 FF02...

Page 906: ...ss is a link local address For the operation of IPv6 ping refer to section 2 2 1 IPv6 Ping SwitchA Vlan interface1 ping ipv6 FE80 2E0 FCFF FE00 2006 i Vlan interface 1 PING FE80 2E0 FCFF FE00 2006 56 data bytes press CTRL_C to break Reply from FE80 2E0 FCFF FE00 2006 bytes 56 Sequence 1 hop limit 64 time 77 ms Reply from FE80 2E0 FCFF FE00 2006 bytes 56 Sequence 2 hop limit 64 time 6 ms Reply from...

Page 907: ...from 3001 2 bytes 56 Sequence 2 hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6 ms 3001 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 5 20 79 ms ...

Page 908: ...ing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the ping command refer to System Maintenance and Debugging After you execute the ping ipv6 command you can press Ctrl C to terminate the ping operation Table 2 1 Ping IPv6 To do Use the command Remarks Ping IPv6 ping ipv6 a sourc...

Page 909: ...the first device s address in the route z The source sends a datagram with the Hop Limit of 2 and the second hop device returns an ICMP timeout error message The source gets the second device s address in the route z This process continues until the datagram reaches the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z Th...

Page 910: ...terface number get put source filename destination filename Required Available in user view Caution When you use the tftp ipv6 command to connect to the TFTP server you must specify the i keyword if the destination address is a link local address 2 2 4 IPv6 Telnet Telnet protocol belongs to application layer protocols of the TCP IP protocol suite and is used to provide remote login and virtual ter...

Page 911: ...server you must specify the i keyword if the destination address is a link local address II Display and maintain IPv6 Telnet Table 2 5 Display and maintain IPv6 Telnet To do Use the command Remarks Display the use information of the users who have logged in display users all Available in any view 2 3 IPv6 Application Configuration Example 2 3 1 IPv6 Applications I Network requirements In Figure 2 ...

Page 912: ...ensure that the route between the switch and the server is accessible before the following configuration Ping SWB s IPv6 address from SWA SWA ping ipv6 3003 1 PING 3003 1 64 data bytes press CTRL_C to break Reply from 3003 1 bytes 56 Sequence 1 hop limit 64 time 110 ms Reply from 3003 1 bytes 56 Sequence 2 hop limit 64 time 31 ms Reply from 3003 1 bytes 56 Sequence 3 hop limit 64 time 31 ms Reply ...

Page 913: ...lash filegothere File will be transferred in binary mode Downloading file from remote tftp server please wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Server 2 4 Troubleshooting IPv6 Application 2 4 1 Unable to Ping a Remote Destination I Symptom Un...

Page 914: ...ed by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port 2 4 3 Unable to Run TFTP I Symptom Unable to download and upload files by performing TFTP operations II Solution z Check that the route between the device and the TFTP server is up z Check that the file system of the device is usable You can check it by running the dir command in user view...

Page 915: ... Domain Name Resolution 1 1 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintaining DNS 1 4 1 4 DNS Configuration Example 1 4 1 4 1 Static Domain Name Resolution Configuration Example 1 4 1 4 2 Dynamic Domain Name Resolution Configuration Example 1 5 1 5 Troubleshooting DNS 1 ...

Page 916: ...ooking up the dynamic DNS database Reduction of the searching time in the dynamic DNS database would increase efficiency Some frequently used addresses can be put in the static DNS database Note Currently when acting as a DNS client an S3100 EI series Ethernet switch supports both static and dynamic domain name resolution while an S3100 SI Ethernet switch supports only static domain name resolutio...

Page 917: ...ame resolution allows the DNS client to store latest mappings between name and IP address in the dynamic domain name cache of the DNS client There is no need to send a request to the DNS server for a repeated query request next time The aged mappings are removed from the cache after some time and latest entries are required from the DNS server The DNS server decides how long a mapping is valid and...

Page 918: ...host name and an IP address ip host hostname ip address Required No IP address is assigned to a host name by default Note z The IP address you assign to a host name last time will overwrite the previous one if there is any z You may create up to 50 static mappings between domain names and IP addresses 1 2 2 Configuring Dynamic Domain Name Resolution Table 1 2 Configure dynamic domain name resoluti...

Page 919: ...Table 1 3 Display and maintain DNS Operation Command Remarks Display static DNS database display ip host Display the DNS server information display dns server dynamic Display the DNS suffixes display dns domain dynamic Display the information in the dynamic domain name cache display dns dynamic host Available in any view Display the DNS resolution result nslookup type ptr ip address a domain name ...

Page 920: ...ress CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 3 ttl 127 time 2 ms Reply from 10 1 1 2 bytes 56 Sequence 4 ttl 127 time 5 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 127 time 3 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss roun...

Page 921: ...1 1 16 on the DNS server z The DNS server works normally Enable dynamic domain name resolution Sysname system view Sysname dns resolve Configure the IP address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suffix Sysname dns domain com Execute the ping host command on Switch to verify that the communication between Switch and Host is normal and that the correspondi...

Page 922: ...ynamic domain name resolution the user cannot get the correct IP address II Solution z Use the display dns dynamic host command to check that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name exists in the cache but the IP address i...

Page 923: ... 5 1 2 4 Precautions 1 6 1 3 Displaying and Debugging Smart Link 1 7 1 4 Smart Link Configuration Example 1 7 1 4 1 Implementing Link Redundancy Backup 1 7 Chapter 2 Monitor Link Configuration 2 1 2 1 Introduction to Monitor Link 2 1 2 1 1 How Monitor Link Works 2 2 2 2 Configuring Monitor Link 2 3 2 2 1 Configuration Tasks 2 3 2 2 2 Creating a Monitor Link Group 2 3 2 2 3 Configuring the Uplink P...

Page 924: ...standby link redundancy backup and fast convergence to meet the user demand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation 1 1 1 Basic Concepts in Smart Link I Smart Link group A Smart Link group consists of two member ports one master port and one slave port Normally only one port master or slave is active and the othe...

Page 925: ...forwarding entries and ARP entries must be updated throughout the network In this case the Smart Link group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries V Control VLAN for sending flush messages This control VLAN sends flush messages When link switching occurs the device Switch A in Figure 1 1 broadcasts flush messages in this control VLAN ...

Page 926: ... switching occurs in the Smart Link group MAC forwarding entries and ARP entries of each device in the network may be out of date In order to guarantee correct packet transmission you must enable the Smart Link device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of i...

Page 927: ...g flush messages in the specified control VLAN Required Configuring Associated Devices Enable the function of processing flush messages received from the specified control VLAN Required 1 2 2 Configuring a Smart Link Device A Smart Link device refers to a device on which Smart Link is enabled and a Smart Link group is configured and that sends flush messages from the specified control VLAN A membe...

Page 928: ... a link aggregation group as a member of the Smart Link group link aggregation group group id master slave Optional Enable the function of sending flush messages in the specified control VLAN flush enable control vlan vlan id Optional By default no control VLAN for sending flush messages is specified 1 2 3 Configuring Associated Devices An associated device mentioned in this document refers to a d...

Page 929: ...ot serve as a member port for two Smart Link groups On the other hand a port or a link aggregation group cannot serve as a member for a Smart Link group and a Monitor Link group at the same time 2 STP cannot be enabled on the member ports of a Smart Link group An STP enabled port or a link aggregation group with an STP enabled port cannot serve as a member port for a Smart Link group 3 A Smart Lin...

Page 930: ...art Link group this VLAN will become a static VLAN and the prompt information is displayed 1 3 Displaying and Debugging Smart Link After the above mentioned configuration you can use the following display commands in any view to view the Smart Link group information and the statistics information of flush messages received and processed by current device so as to verify the configuration Use the r...

Page 931: ...ush messages in Control VLAN 1 Enter system view switchA system view Enter Ethernet port view Disable STP on Ethernet1 0 1 and Ethernet1 0 2 SwitchA interface Ethernet 1 0 1 SwitchA Ethernet1 0 1 stp disable SwitchA Ethernet1 0 1 quit SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 stp disable Return to system view SwitchA Ethernet1 0 2 quit Create Smart Link group 1 and enter the correspon...

Page 932: ... flush enable control vlan 1 port Ethernet 1 0 2 3 Enable the function of processing flush messages received from VLAN 1 on Switch D Enter system view SwitchD system view Enable the function of processing flush messages received from VLAN 1 on Ethernet 1 0 2 SwitchD smart link flush enable control vlan 1 port Ethernet 1 0 2 4 Enable the function of processing flush messages received from VLAN 1 on...

Page 933: ...link ports When the link for the uplink port of a Monitor Link group fails all the downlink ports in the Monitor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Switch A Eth1 0 1 Eth1 0 2 Eth1 0 3 Uplink Downlink Figure 2 1 Network diagram for a Monitor Link group implementation As shown in Figure 2 1 the Monitor Link group c...

Page 934: ...nd Ethernet1 0 2 is the slave port z If Switch C is not configured with Monitor Link group when the link for the uplink port Ethernet1 0 1 on Switch C fails the links in the Smart Link group are not switched because the link for the master port Ethernet1 0 1 of Switch A configured with Smart Link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E throu...

Page 935: ...you must create a Monitor Link group and configure member ports for it A Monitor Link group consists of an uplink port and one or multiple downlink ports The uplink port can be a manually configured or static LACP link aggregation group an Ethernet port or a Smart Link group The downlink ports can be manually configured link aggregation groups or static LACP link aggregation groups or Ethernet por...

Page 936: ...specified Smart Link group as the uplink port of the Monitor Link group smart link group group id uplink Monitor Link group view port interface type interface number uplink quit interface interface type interface number Configure the uplink port for the Monitor Link group Configure the specified Ethernet port as the uplink port of the Monitor Link group Ethernet port view port monitor link group g...

Page 937: ...not be deleted z The Smart Link Monitor Link function and the remote port mirroring function are incompatible with each other z If a single port is specified as a Smart Link Monitor Link group member do not use the lacp enable command on the port or add the port to another dynamic link aggregation group because doing so will cause the port to become an aggregation group member z Using the copy com...

Page 938: ...re II Network diagram BLOCK Switch A Switch B Eth1 0 1 Eth1 0 2 Switch C Switch D Switch E Eth1 0 1 Eth1 0 2 Eth1 0 3 Server Eth1 0 2 Eth1 0 2 Eth1 0 1 Eth1 0 1 Eth1 0 3 Eth1 0 11 Eth1 0 10 PC 1 PC 4 PC 3 PC 2 Internet Figure 2 3 Network diagram for Monitor Link configuration III Configuration procedure 1 Enable Smart Link on Switch A and Switch B to implement link redundancy backup Perform the fo...

Page 939: ...Switch C The operation procedure on Switch D is the same as that performed on Switch C Enter system view SwitchC system view Create Monitor Link group 1 and enter Monitor Link group view SwitchC monitor link group 1 Configure Ethernet1 0 1 as the uplink port of the Monitor Link group and Ethernet1 0 2 and Ethernet1 0 3 as the downlink ports SwitchC mtlk group1 port Ethernet 1 0 1 uplink SwitchC mt...

Page 940: ...peration Manual Smart Link Monitor Link H3C S3100 Series Ethernet Switches Chapter 2 Monitor Link Configuration 2 8 SwitchE smart link flush enable control vlan 1 port Ethernet 1 0 10 to Ethernet 1 0 11 ...

Page 941: ...Operation Manual Appendix H3C S3100 Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 942: ...r B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Regi...

Page 943: ... Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Monitoring RSTP Rapid Spanning Tree Protocol S...

Page 944: ...es Appendix A Acronyms A 3 TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Search results

Summary of Contents for H3C S3100 8C SI

Reviews:

Related manuals for H3C S3100 8C SI

Brands by name

Popular brands

H3C H3C S3100 8C SI, Operation Manual

Search results

Summary of Contents for H3C S3100 8C SI

Reviews:

Related manuals for H3C S3100 8C SI

Brands by name

Popular brands