manualshive.com logo in svg

H3C H3C S5100-EI, Operation Manual

The H3C S5100-EI offers unrivaled performance and reliability in a compact form. Get started with ease by accessing the comprehensive Installation Manual, available for free download on manualshive.com. This thorough manual guides you through the setup process, ensuring seamless integration and optimum performance of your H3C S5100-EI.

Share
Download
background image

Operation Manual – 802.1x and System Guard 
H3C S5100-SI/EI Series Ethernet Switches 

Chapter 1  802.1x Configuration

 

1-1 

Chapter 1  802.1x Configuration 

When configuring 802.1x, go to these sections for information you are interested in: 

z

 

Introduction to 802.1x 

z

 

Introduction to 802.1x Configuration 

z

 

Basic 802.1x Configuration 

z

 

Advanced 802.1x Configuration 

z

 

Displaying and Maintaining 802.1x Configuration 

z

 

Configuration Example 

1.1  Introduction to 802.1x 

The 802.1x protocol (802.1x for short) was developed by IEEE802 LAN/WAN 

committee to address security issues of wireless LANs. It was then used in Ethernet as 

a common access control mechanism for LAN ports to address mainly authentication 

and security problems. 

802.1x is a port-based network access control protocol. It authenticates and controls 

devices requesting for access in terms of the ports of LAN access devices. With the 

802.1x protocol employed, a user-side device can access the LAN only when it passes 

the authentication. Those fail to pass the authentication are denied when accessing the 

LAN.  

This section covers these topics: 

z

 

Architecture of 802.1x Authentication 

z

 

The Mechanism of an 802.1x Authentication System 

z

 

Encapsulation of EAPoL Messages 

z

 

802.1x Authentication Procedure 

z

 

Timers Used in 802.1x 

z

 

802.1x Implementation on an S5100-SI/EI Series Switch 

1.1.1  Architecture of 802.1x Authentication 

As shown in 

Figure 1-1

, 802.1x adopts a client/server architecture with three entities: a 

supplicant system, an authenticator system, and an authentication server system. 

Summary of Contents for H3C S5100-EI

Page 1: ...H3C S5100 SI EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20081128 C 1 04 Product Version Release 2201 ...

Page 2: ... V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective owners Notice The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensure accuracy of the contents but all statement...

Page 3: ...nfiguration 7 Port Basic Configuration Introduces basic port configuration 8 Link Aggregation Introduces link aggregation and the related configuration 09 Port Isolation Introduces port isolation and the related configuration 10 Port Security Port Binding Introduces port security port binding and the related configuration 11 DLDP Introduces DLDP and the related configuration 12 MAC Address Table M...

Page 4: ...Introduces SSH2 0 and the related configuration 28 File System Management Introduces basic configuration for file system management 29 FTP SFTP TFTP Introduces basic configuration for FTP SFTP and TFTP and the applications 30 Information Center Introduces information center configuration 31 System Maintenance and Debugging Introduces daily system maintenance and debugging 32 VLAN VPN Introduces VL...

Page 5: ... y Alternative items are grouped in braces and separated by vertical bars A minimum of one or a maximum of all can be selected x y Optional alternative items are grouped in square brackets and separated by vertical bars Many or none can be selected 1 n The argument s before the ampersand sign can be entered 1 to n times A line starting with the sign is comments II GUI conventions Convention Descri...

Page 6: ...anual It is used for assisting the users in using various commands Obtaining Documentation You can access the most up to date H3C product documentation on the World Wide Web at this URL http www h3c com The following are the columns from which you can obtain different categories of product documentation Products Solutions Provides information about products and technologies Technical Support Docum...

Page 7: ...hapter 2 Correspondence Between Documentation and Software 2 1 2 1 Software Version 2 1 2 2 Manual List 2 1 Chapter 3 Product Overview 3 1 3 1 Preface 3 1 3 2 System Features of the S5100 Series 3 3 3 2 1 System Features of the S5100 SI Series 3 3 3 2 2 System Features of the S5100 EI Series 3 4 Chapter 4 Networking Applications 4 1 4 1 Convergence Layer Devices 4 1 4 2 Access Layer Devices 4 2 4 ...

Page 8: ...asis due to product version upgrade or some other reasons Therefore the contents in the CD ROM may not be the latest version This manual serves the purpose of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website 1 2 H3C Website Perform the following steps to query and download...

Page 9: ...eries Ethernet Switches Chapter 1 Obtaining the Documentation 1 2 1 3 Software Release Notes With software upgrade new software features may be added You can acquire the information about the newly added software features through software release notes ...

Page 10: ...ftware version of Release2201 of the S5100 SI EI series products Compared with Release 2200 a new feature is added in Release 2201 For details refer to Table 2 1 Table 2 1 Added features in Release 2201 Added feature in Release 2201 Manual Identifying and Diagnosing Pluggable Transceivers 32 System Maintenance and Debugging 2 2 Manual List Manual name Version H3C S5100 SI EI Series Ethernet Switch...

Page 11: ...s hereinafter referred to as S5100 SI EI series are Gigabit Ethernet switching products developed by H3C Technologies Co Ltd H3C S5100 SI EI series provide a variety of service features and powerful QACL functions S5100 SI EI series are designed as convergence and access devices for intranets and metropolitan area networks MANs and can also be used for connecting data center server clusters The H3...

Page 12: ...I 8 2 S5100 16P PWR EI 16 S5100 26C PWR EI 24 S5100 EI S5100 50C PWR EI 48 4 1 An SFP port and its corresponding 10 100 1000Base T autosensing Ethernet port form a Combo port That is only one of the two ports forming the Combo port can be used at a time Table 3 2 shows the mapping relations between the ports forming the Combo port Table 3 2 Mapping relations between the ports forming the Combo por...

Page 13: ...260 mm 1 7 17 3 10 2 in Weight 1 6 kg 3 5 lb 2 3 kg 5 1 lb 4 kg 8 8 lb 4 kg 8 8 lb Service ports 8 10 100 1000Ba se T autosensing Ethernet ports 2 1000Base X SFP ports 16 10 100 1000B ase T autosensing Ethernet ports 4 Gigabit SFP Combo ports 24 10 100 1000 Base T autosensing Ethernet ports 4 Gigabit SFP Combo ports 48 10 100 1000 Base T autosensing Ethernet ports 4 Gigabit SFP Combo ports Managem...

Page 14: ... 24 10 100 1000B ase T autosensing Ethernet ports 4 Gigabit SFP Combo ports 48 10 100 1000B ase T autosensing Ethernet ports 4 Gigabit SFP Combo ports Management port One console port Power supply system The S5100 EI series support AC input and DC input AC input Rated voltage range 100 VAC to 240 VAC 50 Hz or 60Hz Max voltage range 90 VAC to 264 VAC 47 Hz to 63 Hz DC input for the S5100 24P EI and...

Page 15: ...put Rated voltage range 100 VAC to 240 VAC 50 Hz or 60Hz Max voltage range 90 VAC to 264 VAC 47 Hz to 63 Hz DC input Rated voltage range 48 VDC to 60 VDC Max voltage range 36 VDC to 72 VDC Max power consumption 68 W 116 W Fan 2 3 Operating temperature 0 C to 45 C 32 F to 113 F Relative humidity noncondensi ng 10 to 90 Table 3 6 System features of the S5100 EI series 3 Item S5100 8P PWR EI S5100 16...

Page 16: ...The S5100 EI series support AC input and DC input AC input Rated voltage range 100 VAC to 240 VAC 50 Hz or 60Hz Max voltage range 90 VAC to 264 VAC 47 Hz to 63 Hz DC input for S5100 26C PWR EI and S5100 50C PWR EI Voltage range 52 VDC to 55 VDC Max power consum ption 100 W 170 W AC input 500 W DC input 435 W AC input 540 W DC input 840 W When all the ports provid e PoE extern ally Max power suppli...

Page 17: ...tack cards for Gigabit Ethernet to the desktop GTTD access of enterprise networks user access and convergence of carrier networks and connection of data center server clusters Several typical networking applications are described as follows The following applications are for S5100 EI series 4 1 Convergence Layer Devices In medium and small sized enterprises or branches of large enterprises S5100 E...

Page 18: ...ies also provide powerful QACL features to allow users to better design and plan their networks Figure 4 2 Application of S5100 EI series in the access layer 4 3 Data Center Access In the networking of a data center S5100 EI series are deployed on the core network to provide 10GE GE access core network functions The server cluster can be connected to the core network at the Gigabit Ethernet rate t...

Page 19: ...edure 2 7 2 5 2 Configuration Example 2 7 2 6 Console Port Login Configuration with Authentication Mode Being Password 2 9 2 6 1 Configuration Procedure 2 9 2 6 2 Configuration Example 2 9 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 11 2 7 1 Configuration Procedure 2 11 2 7 2 Configuration Example 2 13 Chapter 3 Logging In Through Telnet 3 1 3 1 Introduction 3 1 3 ...

Page 20: ... 4 Error Prompts 5 12 5 4 5 Command Edit 5 12 Chapter 6 Logging In Through the Web based Network Management Interface 6 1 6 1 Introduction 6 1 6 2 Establishing an HTTP Connection 6 1 6 3 Configuring the Login Banner 6 2 6 3 1 Configuration Procedure 6 2 6 3 2 Configuration Example 6 3 6 4 Enabling Disabling the WEB Server 6 4 Chapter 7 Logging In Through NMS 7 1 7 1 Introduction 7 1 7 2 Connection...

Page 21: ...tes 9 4 9 3 2 Controlling Network Management Users by Source IP Addresses 9 4 9 3 3 Configuration Example 9 5 9 4 Controlling Web Users by Source IP Address 9 6 9 4 1 Prerequisites 9 6 9 4 2 Controlling Web Users by Source IP Addresses 9 6 9 4 3 Logging Out a Web User 9 7 9 4 4 Configuration Example 9 7 ...

Page 22: ... table shows the configurations corresponding to each method Method Tasks Logging In Through the Console Port Logging In Through Telnet Logging In Using a Modem Command Line Interface CLI Configuration Web based Network Management Interface Logging In Through the Web based Network Management Interface Network Management Station Logging In Through NMS 1 2 Introduction to the User Interface 1 2 1 Su...

Page 23: ...en a User and a User Interface You can monitor and manage users logging in through different modes by setting different types of user interfaces An S5100 SI EI switch provides one AUX user interface and five VTY user interfaces z A user interface does not necessarily correspond to a specific user z When a user logs in the system automatically assigns the user a free user interface with the smalles...

Page 24: ...ailable in user view A user interface is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Available in user view Free a user interface free user interface type number Optional Available in user view Enter system view system view Set the banner header incoming legal login shell text Optional By default no banner is...

Page 25: ...emarks Display the information about the current user interface all user interfaces display users all Display the physical attributes and configuration of the current a specified user interface display user interface type number number Display the information about the current web users display web users Optional Available in any view ...

Page 26: ...also the prerequisite to configure other login methods By default you can locally log in to an S5100 SI EI Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Setting Default Baud rate 9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log in to a switch through the console ...

Page 27: ...such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally both sides that is the serial port of the PC and the console port of the switch are configured as those listed in Table 2 1 Figure 2 2 Create a conn...

Page 28: ...cessfully completes POST power on self test The prompt such as H3C appears after you press the Enter key as shown in Figure 2 5 Figure 2 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corresponding commands You can also acquire help by typing the character Refer to related parts in this manual for information about the commands us...

Page 29: ...tional The default data bits of a console port is 8 AUX user interface configuration Configure the command level available to the users logging in to the AUX user interface Optional By default commands of level 3 are available to the users logging in to the AUX user interface Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum...

Page 30: ...ommand Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Set the baud rate speed speed value Optional The default baud rate of a console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a console port is none that is no check is performed Set the stop bits stopbits 1 1 5 2 Optional The stop bits of a console port...

Page 31: ...utes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function 2 4 Console Port Login Configurations for Different Authentication Modes Table 2 3 Console ...

Page 32: ...t Login Configuration with Authentication Mode Being None 2 5 1 Configuration Procedure Follow these steps to configure console port login with the authentication mode being none To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Configure not to authenticate users authentication mode none Required By default users logging in through the ...

Page 33: ...erface configuration with the authentication mode being none III Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user interface aux 0 Specify not to authenticate users logging in through the console port Sysname ui aux0 authentication mode none Specify commands of level 2 are available to users logging in to the AUX user interface Sysname ui aux0...

Page 34: ...icate users using the local password authentication mod e password Required By default users logging in to a switch through the console port are not authenticated while those logging in through Modems or Telnet are authenticated Set the local password set authentication password cipher simple password Required 2 6 2 Configuration Example I Network requirements Assume the switch is configured to al...

Page 35: ...ing the local password Sysname ui aux0 authentication mode password Set the local password to 123456 in plain text Sysname ui aux0 set authentication password simple 123456 Specify commands of level 2 are available to users logging in to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum numb...

Page 36: ...n Mode Being Scheme 2 7 1 Configuration Procedure Follow these steps to configure console port login with the authentication mode being scheme To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Configure to authenticate users in the scheme mode authentication mode scheme command authorization Required The specified AAA scheme determines w...

Page 37: ...S configuration on the switch Refer to the AAA part for more z Configure the user name and password accordingly on the AAA server Refer to the user manual of AAA server Create a local user Enter local user view local user user name Required No local user exists by default Set the authentication password for the local user password simple cipher password Required Specify the service type for AUX us...

Page 38: ...as guest z Set the authentication password of the local user to 123456 in plain text z Set the service type of the local user to Terminal and the command level to 2 z Configure to authenticate the users in the scheme mode z The baud rate of the console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of the AUX u...

Page 39: ...authenticate users logging in through the console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the console port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command...

Page 40: ...erminal You can also log in to a switch through SSH SSH is a secure shell added to Telnet Refer to the SSH Operation for related information Table 3 1 Requirements for Telnetting to a switch Item Requirement The IP address is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration...

Page 41: ...lly after a user logs into the VTY user interface Make terminal services available Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the history command buffer can contain up to 10 commands VTY terminal configu...

Page 42: ...er interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 that is the history command...

Page 43: ...ver Refer to Console Port Login Configuration with Authentication Mode Being Scheme Note To improve security and prevent attacks to the unused Sockets TCP 23 and TCP 22 ports for Telnet and SSH services respectively will be enabled or disabled after corresponding configurations z If the authentication mode is none TCP 23 will be enabled and TCP 22 will be disabled z If the authentication mode is p...

Page 44: ...tion Example I Network requirements Assume current user logins through the console port and the current user level is set to the administrator level level 3 Perform the following configurations for users logging in through VTY 0 using Telnet z Do not authenticate the users z Commands of level 2 are available to the users z Telnet protocol is supported z The screen can contain up to 30 lines z The ...

Page 45: ...he timeout time to 6 minutes Sysname ui vty0 idle timeout 6 3 3 Telnet Configuration with Authentication Mode Being Password 3 3 1 Configuration Procedure Follow these steps to configure Telnet with the authentication mode being password To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to au...

Page 46: ...me of VTY 0 is 6 minutes II Network diagram Figure 3 2 Network diagram for Telnet configuration with the authentication mode being password III Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 using the password Sysname ui vty0 authentication mode password Set the local pas...

Page 47: ...ocal RADIUS or HWTACACS Users are authenticated locally by default Quit to system view quit Enter the default ISP domain view domain domain name Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius scheme name local hwtacacs scheme hwtacacs scheme nam e local Configure the authentic ation scheme Quit to system view quit Optional By default the local AAA schem...

Page 48: ...CS you need to specify the user level of a user on the corresponding RADIUS or HWTACACS server Note Refer to the AAA part of this manual for information about AAA RADIUS and HWTACACS 3 4 2 Configuration Example I Network requirements Assume current user logins through the console port and the user level is set to the administrator level level 3 Perform the following configurations for users loggin...

Page 49: ...TY 0 Sysname luser guest service type telnet level 2 Sysname luser guest quit Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to VTY 0 in the scheme mode Sysname ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Sysname...

Page 50: ... as H3C appears as shown in the following figure Figure 3 5 The terminal window z Perform the following operations in the terminal window to assign IP address 202 38 160 92 24 to VLAN interface 1 of the switch Sysname system view Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 2 Perform Telnet related configuration on the switch Refer to Telnet Con...

Page 51: ...n and prompts for login password The CLI prompt such as Sysname appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A H3C series Ethernet switch can accommodate up to five Telnet connections at same time 6 After successfully Telnetting to the ...

Page 52: ... the telnet command and then configure it Figure 3 8 Network diagram for Telnetting to another switch from the current switch 1 Perform Telnet related configuration on the switch operating as the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being Scheme ...

Page 53: ... you need to configure the administrator side and the switch properly as listed in the following table Table 4 1 Requirements for logging in to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the console port of the ...

Page 54: ...lly through its console port except that z When you log in through the console port using a modem the baud rate of the console port is usually set to a value lower than the transmission speed of the modem Otherwise packets may get lost z Other settings of the console port such as the check mode the stop bits and the data bits remain the default The configuration on the switch depends on the authen...

Page 55: ... 2 Perform the following configuration to the modem directly connected to the switch Refer to Modem Configuration for related configuration 3 Connect your PC the modems and the switch as shown in Figure 4 1 Make sure the modems are properly connected to telephone lines Console port PSTN Telephone line Modem serial cable Telephone number of the romote end 82882285 Modem Modem Figure 4 1 Establish t...

Page 56: ...Operation Manual Login H3C S5100 SI EI Series Ethernet Switches Chapter 4 Logging In Using a Modem 4 4 Figure 4 2 Create a connection Figure 4 3 Set the telephone number Figure 4 4 Call the modem ...

Page 57: ...orrect the prompt such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about comma...

Page 58: ...tection After users of different levels log in they can only use commands at their own or lower levels This prevents users from using unauthorized commands to configure switches z Online help Users can gain online help at any time by entering a question mark z Debugging Abundant and detailed debugging information is provided to help users diagnose and locate network problems z Command history func...

Page 59: ...mands provide support for services Commands concerning file system FTP TFTP XModem downloading user management and level setting are at this level II User privilege level Users logged into the switch fall into four user privilege levels which correspond to the four command levels respectively Users at a specific level can only use the commands at the same level or lower levels By default the Conso...

Page 60: ...t users level 0 users are able to download files through TFTP Change the tftp get command in user view shell from level 3 to level 0 Originally only level 3 users can change the level of a command Sysname system view Sysname command privilege level 0 view shell tftp Sysname command privilege level 0 view shell tftp 192 168 0 1 Sysname command privilege level 0 view shell tftp 192 168 0 1 get Sysna...

Page 61: ...r level Table 5 2 Switch to a specific user level Operation Command Remarks Switch to a specified user level super level Required Execute this command in user view Note z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the password entered is not displayed when you switch to another user level You will remain at the...

Page 62: ... user enters user view where the user can perform some simple operations such as checking the operation status and statistics information of the switch After executing the system view command the user enters system view where the user can go to other views by entering corresponding commands Table 5 3 lists the CLI views provided by S5100 SI EI series Ethernet switches operations that can be perfor...

Page 63: ...s including the management VLAN parameters Sysname Vla n interface1 Execute the interface Vlan interface command in system view Loopback interface view Configure loopback interface parameters Sysname Loo pBack0 Execute the interface loopback command in system view NULL interface view Configure NULL interface parameters Sysname NU LL0 Execute the interface null command in system view Local user vie...

Page 64: ...cute the public key peer command in system view Execute the peer public key end command to return to system view Edit the RSA public key for SSH users Sysname rsa key code Public key editing view Edit the RSA or DSA public key for SSH users Sysname pee r key code Execute the public key cod e begin command in public key view Execute the public key c ode end command to return to public key view Basi...

Page 65: ...p parameters Sysname hw ping a123 a1 23 Execute the hwping command in system view HWTACA CS view Configure HWTACACS parameters Sysname hwt acacs a123 Execute the hwtacacs scheme command in system view PoE profile view Configure PoE profile parameters Only S5100 PWR EI series switches provide this view Sysname po e profile a123 Execute the poe profile command in system view Smart link group view Co...

Page 66: ...eturn command 5 4 CLI Features 5 4 1 Online Help When configuring the switch you can use the online help to get related help information The CLI provides two types of online help complete and partial I Complete online help 1 Enter a question mark in any view on your terminal to display all the commands available in the view and their brief descriptions The following takes user view as an example S...

Page 67: ...Partial online help 1 Enter a character string and then a question mark next to it All the commands beginning with the character string will be displayed on your terminal For example Sysname p ping pwd 2 Enter a command a space a character string and a question mark next to it All the keywords beginning with the character string if available are displayed on your terminal For example Sysname displ...

Page 68: ...by performing the operations listed in the following table Follow these steps to view history commands Purpose Operation Remarks Display the latest executed history commands Execute the display history command command This command displays the command history Recall the previous history command Press the up arrow key or Ctrl P This operation recalls the previous history command if available Recall...

Page 69: ... ambiguous Wrong parameter A parameter entered is wrong found at position An error is found at the position 5 4 5 Command Edit The CLI provides basic command edit functions and supports multi line editing The maximum number of characters a command can contain is 254 Table 5 6 lists the CLI edit operations Table 5 6 Edit operations Press To A common key Insert the corresponding character at the cur...

Page 70: ...nd press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter if more than one keywords match the input parameter you can display them one by one in complete form by pressing Tab repeatedly if no keyword matches the input parameter the system displays your original input on a new line without any change ...

Page 71: ...h and the PC operating as the network management terminal Table 6 1 Requirements for logging in to a switch through the Web based network management system Item Requirement The VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Pro...

Page 72: ...ake sure the route between the Web based network management terminal and the switch is available 5 When the login authentication interface as shown in Figure 6 2 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 6 2 The login page of the Web based network management system 6 3 Configuring th...

Page 73: ...guration Example I Network requirements z A user logs in to the switch through Web z The banner page is desired when a user logs into the switch II Network diagram Figure 6 3 Network diagram for login banner configuration III Configuration Procedure Enter system view Sysname system view Configure the banner Welcome to be displayed when a user logs into the switch through Web Sysname header login W...

Page 74: ...g the WEB Server Follow these steps to enable Disable the WEB Server To do Use the command Remarks Enter system view system view Enable the Web server ip http shutdown Required By default the Web server is enabled Disable the Web server undo ip http shutdown Required Note To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after th...

Page 75: ...mation To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 7 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Pro...

Page 76: ...ch interface of the switch is used to transmit packets between the Telnet client and the Telnet server This conceals the IP address of the actual interface used As a result external attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific users can log into th...

Page 77: ...al Note To perform the configurations listed in Table 8 1 and Table 8 2 make sure that z The IP address specified is that of the local device z The interface specified exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable 8 3 Displaying Source IP Address Configuration Execute the displa...

Page 78: ...lnet SNMP and WEB by defining Access Control List ACL as listed in Table 9 1 Table 9 1 Ways to control different types of login users Login mode Control method Implementation Related section By source IP address Through basic ACL By source and destination IP address Through advanced ACL Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Users SNMP By source IP addresses Through ba...

Page 79: ...sers by ACL is achieved by the following two ways z inbound Applies the ACL to the users Telnetting to the local switch through the VTY user interface z outbound Applies the ACL to the users Telnetting to other devices through the current user interface This keyword is unavailable to Layer 2 ACLs You can configure the following three types of ACLs as needed Table 9 2 ACL categories Category ACL nu...

Page 80: ...anced ACL to control Telnet users acl acl number inbound outbound Apply an ACL to control Telnet users by ACL Apply a Layer 2 ACL to control Telnet users acl acl number inbound Required Use either command z The inbound keyword specifies to filter the users trying to Telnet to the current switch z The outbound keyword specifies to filter users trying to Telnet to other switches from the current swi...

Page 81: ...ontrol users accessing the switch through SNMP To control whether an NMS can manage the switch you can use this function 9 3 1 Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 9 3 2 Controlling Network Management Users by Source IP Addresses Controlling network ma...

Page 82: ...the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl number snmp agent usm user v3 user name group name cipher authentication mode md5 sha auth password privacy mode des56 aes128 priv password acl acl number Required According to the SNMP version and configuration customs of NMS users you can reference an ACL when configuring community name group nam...

Page 83: ...wing two operations to control Web users by source IP addresses z Defining an ACL z Applying the ACL to control Web users To control whether a Web user can manage the switch you can use this function 9 4 1 Prerequisites The controlling policy against Web users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 9 4 2 Controlling Web Us...

Page 84: ...mand Remarks Log out a Web user free web users all user id user id user name user name Required Available in user view 9 4 4 Configuration Example I Network requirements Only the Web users sourced from the IP address of 10 110 100 52 are permitted to access the switch II Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 9 3 Network diagram for controlling Web users...

Page 85: ...nual Login H3C S5100 SI EI Series Ethernet Switches Chapter 9 User Control 9 8 Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030 ...

Page 86: ...ontents Chapter 1 Configuration File Management 1 1 1 1 Introduction to Configuration File 1 1 1 2 Configuration Task List 1 2 1 2 1 Saving the Current Configuration 1 2 1 2 2 Erasing the Startup Configuration File 1 4 1 2 3 Specifying a Configuration File for Next Startup 1 5 1 2 4 Displaying Switch Configuration 1 6 ...

Page 87: ... rebooting II Format of configuration file Configuration files are saved as text files for ease of reading They z Save configuration in the form of commands z Save only non default configuration settings z The commands are grouped into sections by command view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment lin...

Page 88: ... startup you can specify to use the main or backup configuration file IV Startup with the configuration file When booting the system chooses the configuration files following the rules below 1 If the main configuration file exists the switch initializes with this configuration 2 If the main configuration file does not exist but the backup configuration file exists the switch initializes with the b...

Page 89: ...ation file containing the original configuration information or and a configuration file with the extension cfgtmp temporary configuration file containing the current configuration information in the Flash you can change the extension cfgbak or cfgtmp to cfg using the rename command The switch will use the renamed configuration file to initialize itself when it starts up next time For details of t...

Page 90: ...command to erase the configuration file To do Use the command Remarks Erase the startup configuration file from the storage switch reset saved configuration backup main Required Available in user view You may need to erase the configuration file for one of these reasons z After you upgrade software the old configuration file does not match the new software z The startup configuration file is corru...

Page 91: ...p configuration file z If you save the current configuration to the main configuration file the system will automatically set the file as the main startup configuration file z You can also use the startup saved configuration cfgfile main command to set the file as main startup configuration file II Assigning backup attribute to the startup configuration file z If you save the current configuration...

Page 92: ...t unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the switch display current configuration vlan vlan id by linenum Display the validated configuration in current view display this by linenum Display current configuration display current configuration configuration configuration type interface in...

Page 93: ...tocol Based VLAN 1 11 Chapter 2 VLAN Configuration 2 1 2 1 VLAN Configuration 2 1 2 1 1 VLAN Configuration Task List 2 1 2 1 2 Basic VLAN Configuration 2 1 2 1 3 Basic VLAN Interface Configuration 2 2 2 1 4 Displaying VLAN Configuration 2 3 2 2 Configuring a Port Based VLAN 2 3 2 2 1 Port Based VLAN Configuration Task List 2 3 2 2 2 Configuring the Link Type of an Ethernet Port 2 4 2 2 3 Assigning...

Page 94: ... the packet The above scenarios could result in the following network problems z Large quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolating broadcast domains is the solution for the above problems The t...

Page 95: ... you can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required z Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible 1 1 3 VLAN Fundamentals I VLAN tag To enable a network device to identify f...

Page 96: ...in canonical format value 1 indicates that the MAC addresses are encapsulated in non canonical format The field is set to 0 by default z The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved by the protocol a VLAN ID actually ranges from 1 to 4094 Note The Ethernet II encapsulation format is used here Besides the Ethernet II enc...

Page 97: ...orwarded according to this table z Independent VLAN learning IVL where the switch maintains an independent MAC address forwarding table for each VLAN The source MAC address of a packet received in a VLAN on a port is recorded to the MAC address forwarding table of this VLAN only and packets received in a VLAN are forwarded according to the MAC address forwarding table for the VLAN Currently the H3...

Page 98: ...ANs Thus packets received on a port will be transmitted through the corresponding VLAN only so as to isolate hosts to different broadcast domains and divide them into different virtual workgroups Ports on Ethernet switches have the three link types access trunk and hybrid For the three types of ports the process of being added into a VLAN and the way of forwarding packets are different Port based ...

Page 99: ...N create the VLAN first 1 2 3 Configuring the Default VLAN ID for a Port An access port can belong to only one VLAN Therefore the VLAN an access port belongs to is also the default VLAN of the access port A hybrid trunk port can belong to multiple VLANs so you should configure a default VLAN ID for the port After a port is added to a VLAN and configured with a default VLAN the port receives and se...

Page 100: ... default VLAN tag and then forward the packet z If the port has not been added to its default VLAN discard the packet z If the VLAN ID is one of the VLAN IDs allowed to pass through the port receive the packet z If the VLAN ID is not one of the VLAN IDs allowed to pass through the port discard the packet Send the packet if the VLAN ID is allowed to pass through the port Use the port hybrid vlan co...

Page 101: ...respectively The number in the bracket indicates the field length in bytes The maximum length of an Ethernet packet is 1500 bytes that is 0x05DC in hexadecimal so the length field in 802 2 802 3 encapsulation is in the range of 0x0000 to 0x05DC Whereas the type field in Ethernet II encapsulation is in the range of 0x0600 to 0xFFFF Packets with the value of the type or length field being in the ran...

Page 102: ... z 802 2 Sub Network Access Protocol SNAP encapsulation encapsulates packets according to the 802 3 standard packet format including the length DSAP SSAP control organizationally unique identifier OUI and protocol ID PID fields Figure 1 8 802 2 SNAP encapsulation format In 802 2 SNAP encapsulation format the values of the DSAP field and the SSAP field are always 0xAA and the value of the control f...

Page 103: ...FFFF 0 to 0x05DC Value is not 3 Value is 3 Both are AA Both are FF Other values Receive packets Type Length field Ethernet II encapsulation Match the type value Invalid packets that cannot be matched 802 2 802 3 encapsulation Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap value 802 2 LLC encapsulation Match the type value 802 3 raw...

Page 104: ...standard templates and user defined templates z The standard template adopts the RFC defined packet encapsulation formats and values of some specific fields as the matching criteria z The user defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to the protocol based VL...

Page 105: ...figuration Optional Displaying VLAN Configuration Optional 2 1 2 Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan id2 all Optional Create a VLAN and enter VLAN view vlan vlan id Required By default there is only one VLAN that is the default VLAN VLAN 1 Ass...

Page 106: ...a static VLAN and the switch will output the prompt information 2 1 3 Basic VLAN Interface Configuration I Configuration prerequisites Before configuring a VLAN interface create the corresponding VLAN II Configuration procedure Follow these steps to perform basic VLAN interface configuration To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interfac...

Page 107: ...always be down regardless of the status of the ports in the VLAN Note The operation of enabling disabling a VLAN s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN 2 1 4 Displaying VLAN Configuration To do Use the command Remarks Display the VLAN interface information display interface Vlan interface vlan id Display the VLAN information display vla...

Page 108: ...cess first 2 2 3 Assigning an Ethernet Port to a VLAN You can assign an Ethernet port to a VLAN in Ethernet port view or VLAN view 1 In Ethernet port view Follow these steps to assign an Ethernet port to one or multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Access port port access vlan vlan id Trunk port...

Page 109: ...k or hybrid port Follow these steps to configure the default VLAN for a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Trunk port port trunk pvid vlan vlan id Configure the default VLAN for the port Hybrid port port hybrid pvid vlan vlan id Optional VLAN 1 is the default VLAN by default Caution z After configuring...

Page 110: ... two servers are assigned to VLAN 101 with the descriptive string being DMZ and the PCs are assigned to VLAN 201 z The devices within each VLAN can communicate with each other but that in different VLANs cannot communicate with each other directly II Network diagram Figure 2 1 Network diagram for VLAN configuration III Configuration procedure z Configure Switch A Create VLAN 101 specify its descri...

Page 111: ...uit z Configure the link between Switch A and Switch B Because the link between Switch A and Switch B need to transmit data of both VLAN 101 and VLAN 102 you can configure the ports at the end of the link as trunk ports and permit packets of the two VLANs to pass through Configure GigabitEthernet1 0 3 of Switch A SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link type t...

Page 112: ...LAN before configuring the VLAN as a protocol based VLAN II Configuration procedure Follow these steps to configure the protocol template for a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the protocol template for the VLAN protocol vlan protocol index at ip ipx ethernetii llc raw snap mode ethernetii etype etype id llc dsap dsap id ssap s...

Page 113: ... as that of snap packets To prevent two commands from processing packets of the same protocol type in different ways the system does not allow you to set both the dsap id and ssap id arguments to 0xFF 0xE0 or 0xAA z When you use the mode keyword to configure a user defined protocol template if you set the etype id argument for ethernetii or snap packets to 0x0800 0x8137 or 0x809B the matching pack...

Page 114: ... id to vlan id all Display the protocol information and protocol indexes configured on the specified port display protocol vlan interface interface type interface number to interface type interface number all Available in any view 2 3 5 Protocol Based VLAN Configuration Example I Network requirements z As shown in Figure 2 2 Workroom connects to the LAN through port GigabitEthernet1 0 10 on the S5...

Page 115: ...0 quit Sysname vlan 200 Sysname vlan200 port GigabitEthernet 1 0 12 Configure protocol templates for VLAN 200 and VLAN 100 matching AppleTalk protocol and IP protocol respectively Sysname vlan200 protocol vlan at Sysname vlan200 quit Sysname vlan 100 Sysname vlan100 protocol vlan ip To ensure the normal operation of IP network you need to configure a user defined protocol template for VLAN 100 to ...

Page 116: ...rnet1 0 10 port hybrid protocol vlan vlan 100 0 to 1 Sysname GigabitEthernet1 0 10 port hybrid protocol vlan vlan 200 0 Display the associations between GigabitEthernet1 0 10 and the VLAN protocol templates to verify your configuration Sysname GigabitEthernet1 0 10 display protocol vlan interface GigabitEthernet 1 0 10 Interface GigabitEthernet1 0 10 VLAN ID Protocol Index Protocol Type 100 0 ip 1...

Page 117: ...LAN Configuration 1 1 1 1 Introduction to Management VLAN 1 1 1 1 1 Management VLAN 1 1 1 1 2 Static Route 1 1 1 1 3 Default Route 1 2 1 2 Management VLAN Configuration 1 2 1 2 1 Prerequisites 1 2 1 2 2 Configuring the Management VLAN 1 2 1 2 3 Configuration Example 1 3 1 3 Displaying and Maintaining management VLAN configuration 1 5 ...

Page 118: ...IP address cannot be configured at the same time That is the latest IP address obtained causes the previously IP address to be released For example if you assign an IP address to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former 0IP address will be released and the final IP address of the VLA...

Page 119: ...s a route destined to the network 0 0 0 0 with the mask 0 0 0 0 1 2 Management VLAN Configuration 1 2 1 Prerequisites Before configuring the management VLAN make sure the VLAN operating as the management VLAN exists If VLAN 1 the default VLAN is the management VLAN just go ahead 1 2 2 Configuring the Management VLAN Table 1 1 Configure the management VLAN Operation Command Remarks Enter system vie...

Page 120: ...t the management VLAN ID is consistent with the cluster management VLAN ID configured with the management vlan vlan id command Otherwise the configuration fails Refer to the Cluster Operation Manual for detailed introduction to the cluster z Refer to the VLAN module for detailed introduction to VLAN interfaces 1 2 3 Configuration Example I Network requirements For a user to manage Switch A remotel...

Page 121: ...h A through the Console port Enter system view Sysname system view Create VLAN 10 and configure VLAN 10 as the management VLAN Sysname vlan 10 Sysname vlan10 quit Sysname management vlan 10 Create the VLAN 10 interface and enter VLAN interface view Sysname interface vlan interface 10 Configure the IP address of VLAN 10 interface as 1 1 1 1 24 Sysname Vlan interface10 ip address 1 1 1 1 255 255 255...

Page 122: ...ss display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routing information of the specified protocol display ip routing table protocol protocol inactive verbose Display the routes that match a specified basic access control list ACL display ip routin...

Page 123: ...gnment Mode of a Port 1 4 1 1 5 Support for Voice VLAN on Various Ports 1 5 1 1 6 Security Mode of Voice VLAN 1 7 1 2 Voice VLAN Configuration 1 7 1 2 1 Configuration Prerequisites 1 7 1 2 2 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment Mode 1 8 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode 1 9 1 3 Displaying and Maintaining Voice VLAN ...

Page 124: ...ANs and perform QoS related configuration for voice traffic as required thus ensuring the transmission priority of voice traffic and voice quality 1 1 1 How an IP Phone Works IP phones can convert analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice communic...

Page 125: ... An IP phone goes through the following three phases to become capable of transmitting voice data 1 After the IP phone is powered on it sends an untagged DHCP request message containing four special requests in the Option 184 field besides the request for an IP address The message is broadcast in the default VLAN of the receiving port After receiving the DHCP request message DHCP Server 1 which re...

Page 126: ...onse message to the IP phone After the IP phone receives the tagged response message it sends voice data packets tagged with the voice VLAN tag to communicate with the voice gateway In this case the port connecting to the IP phone must be configured to allow the packets tagged with the voice VLAN tag to pass Note z An untagged packet carries no VLAN tag z A tagged packet carries the tag of a VLAN ...

Page 127: ...the Voice Traffic Transmission Priority In order to improve transmission quality of voice traffic the switch by default re marks the priority of the traffic in the voice VLAN as follows z Set the CoS 802 1p priority to 6 z Set the DSCP value to 46 1 1 4 Configuring Voice VLAN Assignment Mode of a Port A port can work in automatic voice VLAN assignment mode or manual voice VLAN assignment mode You ...

Page 128: ...c transmitted by an IP voice device carries VLAN tags and 802 1x authentication and guest VLAN is enabled on the port which the IP voice device is connected to assign different VLAN IDs for the voice VLAN the default VLAN of the port and the 802 1x guest VLAN to ensure the effective operation of these functions 1 1 5 Support for Voice VLAN on Various Ports Voice VLAN packets can be forwarded by ac...

Page 129: ...lt VLAN of the port must be a voice VLAN and the access port is in the voice VLAN This can be done by adding the port to the voice VLAN manually Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagge d voice traffic Hybrid Supported Make sure the default VLAN of ...

Page 130: ...ged VLANs whose traffic is permitted by the access port Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN Manual Hybrid Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose tr...

Page 131: ...ddress Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode is enabled Set the voice VLAN aging timer voice vlan aging minutes Optional The default aging timer is 1440 minutes Enable the voice VLAN function globally voice vlan vlan id enable Required Enter Ethernet port view interface interface type interface number Required Enable the voi...

Page 132: ...arts in order to make the established voice connections work normally the system does not need to be triggered by the voice traffic to add the port in automatic voice VLAN assignment mode to the local devices of the voice VLAN but does so immediately after the restart 1 2 3 Configuring the Voice VLAN to Operate in Manual Voice VLAN Assignment Mode Follow these steps to configure a voice VLAN to op...

Page 133: ... mode on a port to manual undo voice vlan mode auto Required The default voice VLAN assignment mode on a port is automatic Quit to system view quit Enter VLAN view vlan vlan id Access port Add the port to the VLAN port interface list Enter port view interface interface type interface num Add the port to the VLAN port trunk permit vlan vlan id port hybrid vlan vlan id tagged untagged Required By de...

Page 134: ...l be dropped Therefore you are suggested not to transmit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication between H3C device and other vendor s voice device by automatically adding the voice VLAN tag to the voice data coming from other vendors voice device...

Page 135: ...gged packets It is connected to GigabitEthernet 1 0 1 a hybrid port with VLAN 6 being its default VLAN Set this port to operates in automatic mode z You need to add a user defined OUI address 0011 2200 000 with the mask being ffff ff00 0000 and the description string being test II Network diagram Internet 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 GE1 0 1 VLAN 2 VLAN 2 Device A Device B Figur...

Page 136: ...abitEthernet 1 0 1 to permit packets with the tag of VLAN 6 DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 6 DeviceA GigabitEthernet1 0 1 port hybrid vlan 6 tagged Enable the voice VLAN function on GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 voice vlan enable 1 4 2 Voice VLAN Configuration Example Manual Mode I Network requirements Create a voice VLAN and configure it to operate in manu...

Page 137: ...ng to test DeviceA voice vlan mac address 0011 2200 0000 mask ffff ff00 0000 description test Create VLAN 2 and configure it as a voice VLAN DeviceA vlan 2 DeviceA vlan2 quit DeviceA voice vlan 2 enable Configure GigabitEthernet 1 0 1 to operate in manual mode DeviceA interface GigabitEthernet 1 0 1 DeviceA GigabitEthernet1 0 1 undo voice vlan mode auto Configure GigabitEthernet 1 0 1 as a hybrid ...

Page 138: ...0003 6b00 0000 ffff ff00 0000 Cisco phone 000f e200 0000 ffff ff00 0000 H3C Aolynk phone 0011 2200 0000 ffff ff00 0000 test 00d0 1e00 0000 ffff ff00 0000 Pingtel phone 00e0 7500 0000 ffff ff00 0000 Polycom phone 00e0 bb00 0000 ffff ff00 0000 3Com phone Display the status of the current voice VLAN DeviceA display voice vlan status Voice Vlan status ENABLE Voice Vlan ID 2 Voice Vlan security mode Se...

Page 139: ... GVRP 1 1 1 1 1 GARP 1 1 1 1 2 GVRP 1 4 1 1 3 Protocol Specifications 1 5 1 2 GVRP Configuration 1 5 1 2 1 GVRP Configuration Tasks 1 5 1 2 2 Enabling GVRP 1 5 1 2 3 Configuring GVRP Timers 1 6 1 2 4 Configuring GVRP Port Registration Mode 1 7 1 3 Displaying and Maintaining GVRP 1 8 1 4 GVRP Configuration Example 1 8 1 4 1 GVRP Configuration Example 1 8 ...

Page 140: ...ant application entities are called GARP applications One example is GVRP When a GARP application entity is present on a port on your device this port is regarded a GARP application entity I GARP messages and timers 1 GARP messages GARP members communicate with each other through the messages exchanged between them The messages performing important functions for GARP fall into three types Join Lea...

Page 141: ...the message after the timer times out z Join To make sure the devices can receive Join messages each Join message is sent twice If the first Join message sent is not responded for a specific period a second one is sent The period is determined by this timer z Leave When a GARP entity expects to deregister a piece of attribute information it sends out a Leave message Any GARP entity receiving this ...

Page 142: ...te When a port receives an attribute recant the port will deregister this attribute The protocol packets of GARP entities use specific multicast MAC addresses as their destination MAC addresses When receiving these packets the switch distinguishes them by their destination MAC addresses and delivers them to different GARP application for example GVRP for further processing III GARP message format ...

Page 143: ... 2 GVRP As an implementation of GARP GARP VLAN registration protocol GVRP maintains dynamic VLAN registration information and propagates the information to the other switches through GARP With GVRP enabled on a device the VLAN registration information received by the device from other devices is used to dynamically update the local VLAN registration information including the information about the ...

Page 144: ...ely VLAN 1 that is the port propagates only the information about VLAN 1 to the other GARP members 1 1 3 Protocol Specifications GVRP is defined in IEEE 802 1Q standard 1 2 GVRP Configuration 1 2 1 GVRP Configuration Tasks Complete the following tasks to configure GVRP Task Remarks Enabling GVRP Required Configuring GVRP Timers Optional Configuring GVRP Port Registration Mode Optional 1 2 2 Enabli...

Page 145: ...aveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type interface number Configure the Hold Join and Leave timers garp timer hold join leave timer value Optional By default the Hold Join and Leave timers are set to 10 20 and 60 centiseconds respectively Note that z The setting of each timer m...

Page 146: ...threshold by changing the timeout time of the Join timer This upper threshold is less than the timeout time of the LeaveAll timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by changing the timeout time of the Leave timer 32 765 centiseconds Note The follow...

Page 147: ...arp statistics interface interface list Available in any view 1 4 GVRP Configuration Example 1 4 1 GVRP Configuration Example I Network requirements z Enable GVRP on all the switches in the network so that the VLAN configurations on Switch C and Switch E can be applied to all switches in the network thus implementing dynamic VLAN information registration and refresh z By configuring the GVRP regis...

Page 148: ...bitEthernet1 0 2 port trunk permit vlan all Enable GVRP on GigabitEthernet1 0 2 SwitchA GigabitEthernet1 0 2 gvrp SwitchA GigabitEthernet1 0 2 quit Configure GigabitEthernet1 0 3 to be a trunk port and to permit the packets of all the VLANs SwitchA interface GigabitEthernet 1 0 3 SwitchA GigabitEthernet1 0 3 port link type trunk SwitchA GigabitEthernet1 0 3 port trunk permit vlan all Enable GVRP o...

Page 149: ...B SwitchB display vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE display vlan dynamic Total 1 dynamic VLAN exist s The following dynamic VLANs exist 8 7 Configure GigabitEthernet1 0 1 on Switch E to operate in fixed GVRP registration mode and display the VLAN information dynamically registere...

Page 150: ...ion information dynamically registered on Switch A Switch B and Switch E Configure GigabitEthernet1 0 1 on Switch E to operate in forbidden GVRP registration mode SwitchE GigabitEthernet1 0 1 gvrp registration forbidden Display the VLAN information dynamically registered on Switch A SwitchA display vlan dynamic Total 2 dynamic VLAN exist s The following dynamic VLANs exist 5 8 Display the VLAN inf...

Page 151: ...miting Traffic on individual Ports 1 4 1 1 5 Enabling Flow Control on a Port 1 4 1 1 6 Duplicating the Configuration of a Port to Other Ports 1 5 1 1 7 Configuring Loopback Detection for an Ethernet Port 1 6 1 1 8 Enabling Loopback Test 1 7 1 1 9 Enabling the System to Test Connected Cable 1 8 1 1 10 Configuring the Interval to Perform Statistical Analysis on Port Traffic 1 8 1 1 11 Disabling Up D...

Page 152: ... Model 1000Base X SFP port 10 100 1000Base T autosensing Ethernet port GigabitEthernet1 0 17 GigabitEthernet1 0 14 GigabitEthernet1 0 18 GigabitEthernet1 0 16 GigabitEthernet1 0 19 GigabitEthernet1 0 13 S5100 16P SI S5100 16P EI S5100 16P PWR EI GigabitEthernet1 0 20 GigabitEthernet1 0 15 GigabitEthernet1 0 25 GigabitEthernet1 0 22 GigabitEthernet1 0 26 GigabitEthernet1 0 24 GigabitEthernet1 0 27 ...

Page 153: ... Enable the Ethernet port undo shutdown Optional By default the port is enabled Use the shutdown command to disable the port Set the description string for the Ethernet port description text Optional By default the description string of an Ethernet port is null Set the duplex mode of the Ethernet port duplex auto full half Optional By default the duplex mode of the port is auto auto negotiation Se...

Page 154: ...otiation speed for a port by using the speed auto command Take a 10 100 1000 Mbps port as an example z If you expect that 10 Mbps is the only available auto negotiation speed of the port you just need to configure speed auto 10 z If you expect that 10 Mbps and 100 Mbps are the available auto negotiation speeds of the port you just need to configure speed auto 10 100 z If you expect that 10 Mbps an...

Page 155: ...oadcast traffic on individual ports When a type of incoming traffic exceeds the threshold you set the system drops the packets exceeding the traffic limit to reduce the traffic ratio of this type to the reasonable range so as to keep normal network service Follow these steps to limit traffic on port To do Use the command Remarks Enter system view system view Limit broadcast traffic received on eac...

Page 156: ...ort configuration can be duplicated from one port to other ports VLAN configuration protocol based VLAN configuration LACP configuration QoS configuration GARP configuration STP configuration and initial port configuration Refer to the command manual for the configurations that can be duplicated Follow these steps to duplicate the configuration of a port to specific ports To do Use the command Rem...

Page 157: ...nd removes the corresponding MAC forwarding entry Follow these steps to configure loopback detection for an Ethernet port To do Use the command Remarks Enter system view system view Enable loopback detection globally loopback detection enable Required By default loopback detection is disabled globally Set the interval for performing port loopback detection loopback detection interval time time Opt...

Page 158: ...ally after a specific period Follow these steps to enable loopback test To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable loopback test loopback external internal Required Note z external Performs external loop test In the external loop test self loop headers must be used on the port of the switch for 1000M port th...

Page 159: ...quired Note z Optical port including Combo optical port does not support VCT virtual cable test function z Combo electrical port supports VCT function only when it is in UP condition using undo shutdown command normal Ethernet electrical port always supports this function 1 1 10 Configuring the Interval to Perform Statistical Analysis on Port Traffic By performing the following configuration you c...

Page 160: ...he status of Ethernet ports in a network changes frequently large amount of log information may be sent to the terminal which consumes more network resources Additionally too frequent log information is not convenient for you to view You can limit the amount of the log information sent to the terminal by disabling the Up Down log output function on some Ethernet ports selectively For information a...

Page 161: ...name GigabitEthernet1 0 1 undo shutdown 1 1 12 Configuring a Port Group To make the configuration task easier for users certain devices allow users to configure on a single port as well as on multiple ports in a port group In port group view the user only needs to input the configuration command once on one port and that configuration will apply to all ports in the port group This effectively redu...

Page 162: ...lay information for a specified port group display port group group id Display brief information about port configuration display brief interface interface type interface number begin include exclude regular expression Display the Combo ports and the corresponding optical electrical ports display port combo Display port information about a specified unit display unit unit id interface Available in...

Page 163: ...ggregation Group 1 3 1 2 2 Static LACP Aggregation Group 1 3 1 2 3 Dynamic LACP Aggregation Group 1 4 1 3 Aggregation Group Categories 1 6 1 4 Link Aggregation Configuration 1 7 1 4 1 Configuring a Manual Aggregation Group 1 7 1 4 2 Configuring a Static LACP Aggregation Group 1 8 1 4 3 Configuring a Dynamic LACP Aggregation Group 1 9 1 4 4 Configuring a Description for an Aggregation Group 1 10 1 ...

Page 164: ... Link Aggregation Control Protocol LACP is defined in IEEE 802 3ad It uses link aggregation control protocol data units LACPDUs for information exchange between LACP enabled devices With LACP enabled on a port LACP notifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the in...

Page 165: ...enabled or disabled Attribute of the link point to point or otherwise connected to the port Port path cost STP priority STP packet format Loop protection Root protection Port type whether the port is an edge port QoS Rate limiting Priority marking 802 1p priority Congestion avoidance Traffic redirecting Traffic accounting Link type Link type of the ports trunk hybrid or access GVRP GVRP state on p...

Page 166: ...e system determines the mater port with one of the following settings being the highest in descending order as the master port full duplex high speed full duplex low speed half duplex high speed half duplex low speed The ports with their rate duplex mode and link type being the same as that of the master port are selected ports and the rest are unselected ports z There is a limit on the number of ...

Page 167: ...er port full duplex high speed full duplex low speed half duplex high speed half duplex low speed The ports with their rate duplex mode and link type being the same as that of the master port are selected port and the rest are unselected ports z The ports connected to a peer device different from the one the master port is connected to or those connected to the same peer device as the master port ...

Page 168: ...ximum number supported by the device the system will negotiate with its peer end to determine the states of the member ports according to the port IDs of the preferred device that is the device with smaller system ID The following is the negotiation procedure 1 Compare device IDs system priority system MAC address between the two parties First compare the two system priorities then the two system ...

Page 169: ...groups will be non load sharing ones Load sharing aggregation resources are allocated to aggregation groups in the following order z An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggregation group containing no special port z A manual or static aggregation group has higher priority than a dynamic aggregation group unless the...

Page 170: ...e static ARP protocol cannot be added to an aggregation group z Ports where the IP MAC address binding is configured cannot be added to an aggregation group z Port security enabled ports cannot be added to an aggregation group z The port with Voice VLAN enabled cannot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP i...

Page 171: ... occur z When you change a dynamic static group to a manual group the system will automatically disable LACP on the member ports When you change a dynamic group to a static group the system will remain the member ports LACP enabled 2 When a manual or static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group 1 4 2 Configuring a Static L...

Page 172: ...rt 2 of the local device to port 1 of the peer device Otherwise packets may be lost 1 4 3 Configuring a Dynamic LACP Aggregation Group A dynamic LACP aggregation group is automatically created by the system based on LACP enabled ports The adding and removing of ports to from a dynamic aggregation group are automatically accomplished by LACP You need to enable LACP on the ports which you want to pa...

Page 173: ...etween the aggregation peers and thus affect the selected unselected status of member ports in the dynamic aggregation group 1 4 4 Configuring a Description for an Aggregation Group To do Use the command Remarks Enter system view system view Configure a description for an aggregation group link aggregation group agg id description agg name Optional By default no description is configured for an ag...

Page 174: ...ace type interface number Display local device ID display lacp system id Available in any view Clear LACP statistics about a specified port or port range reset lacp statistics interface interface type interface number to interface type interface number Available in user view 1 6 Link Aggregation Configuration Example 1 6 1 Ethernet Port Aggregation Configuration Example I Network requirements z Sw...

Page 175: ... group 1 Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port link aggregation group 1 2 Adopting static LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation group 1 mode static Add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1 Sysname interface GigabitEthernet 1 0 1 S...

Page 176: ...igabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 lacp enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 lacp enable Caution The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate duplex mode and so on ...

Page 177: ...witches Table of Contents i Table of Contents Chapter 1 Port Isolation Configuration 1 1 1 1 Port Isolation Overview 1 1 1 2 Port Isolation Configuration 1 1 1 3 Displaying and Maintaining Port Isolation Configuration 1 2 1 4 Port Isolation Configuration Example 1 2 ...

Page 178: ...your network in a more flexible way and improve your network security Currently you can create only one isolation group on an S5100SI EI Series Ethernet switch The number of Ethernet ports in an isolation group is not limited Note z An isolation group only isolates the member ports in it z Port isolation is independent of VLAN configuration 1 2 Port Isolation Configuration You can perform the foll...

Page 179: ...ously are still isolated even when you remove the aggregation group in system view z Adding an isolated port to an aggregation group causes all the ports in the aggregation group on the local unit to be added to the isolation group 1 3 Displaying and Maintaining Port Isolation Configuration To do Use the command Remarks Display information about the Ethernet ports added to the isolation group disp...

Page 180: ...o User View with Ctrl Z Sysname interface GigabitEthernet1 0 2 Sysname GigabitEthernet1 0 2 port isolate Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port isolate Sysname GigabitEthernet1 0 3 quit Sysname interface GigabitEthernet1 0 4 Sysname GigabitEthernet1 0 4 port isolate Sysname GigabitEthernet1 0 4 quit Sysname quit Display informatio...

Page 181: ...2 3 Setting the Port Security Mode 1 7 1 2 4 Configuring Port Security Features 1 8 1 2 5 Ignoring the Authorization Information from the RADIUS Server 1 10 1 2 6 Configuring Security MAC Addresses 1 10 1 3 Displaying and Maintaining Port Security Configuration 1 11 1 4 Port Security Configuration Example 1 12 1 4 1 Port Security Configuration Example 1 12 Chapter 2 Port Binding Configuration 2 1 ...

Page 182: ...ets The events that cannot pass 802 1x authentication or MAC authentication are considered illegal With port security enabled upon detecting an illegal packet or illegal event the system triggers the corresponding port security features and takes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability 1 1 2 Port Security Featu...

Page 183: ...atically learns MAC addresses and changes them to security MAC addresses This security mode will automatically change to the secure mode after the amount of security MAC addresses on the port reaches the maximum number configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC add...

Page 184: ...r to the userLoginSecure mode except that besides the packets of the single 802 1x authenticated user the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port When the port changes from the normal mode to this security mode the system automatically removes the existing dynamic authenticated MAC address entries on the port macAddressWit hRadius In this ...

Page 185: ...ressElseUserLoginSecure mode except that there can be more than one 802 1x authenticated user on the port macAddressAnd UserLoginSecur e In this mode a port firstly performs MAC authentication for a user and then performs 802 1x authentication for the user if the user passes MAC authentication The user can access the network after passing the two authentications In this mode up to one user can acc...

Page 186: ... Configuring intrusion protection Configuring Port Security Features Configuring the Trap feature Optional Choose one or more features as required Ignoring the Authorization Information from the RADIUS Server Optional Configuring Security MAC Addresses Optional 1 2 1 Enabling Port Security I Configuration Prerequisites Before enabling port security you need to disable 802 1x and MAC authentication...

Page 187: ...Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed however cannot exceed the configured upper limit By setting the maximum number of MAC addresses allowed on a port you can z Control the maximum number of users who are allowed to access the network through the port z Control t...

Page 188: ... 802 1x user plus one user whose source MAC address has a specified OUI value Enter Ethernet port view interface interface type interface number Set the port security mode port security port mode autolearn mac and userlogin sec ure mac and userlogin sec ure ext mac authentication mac else userlogin sec ure mac else userlogin sec ure ext secure userlogin userlogin secure userlogin secure ext userlo...

Page 189: ... you need to restore the port security mode to noRestriction with the undo port security port mode command If the port security port mode mode command has been executed on a port none of the following can be configured on the same port z Maximum number of MAC addresses that the port can learn z Reflector port for port mirroring z Link aggregation 1 2 4 Configuring Port Security Features I Configur...

Page 190: ...t intrusion protection is disabled Return to system view quit Set the timer during which the port remains disabled port security timer disableport timer Optional 20 seconds by default Note The port security timer disableport command is used in conjunction with the port security intrusion mode disableport temporarily command to set the length of time during which the port remains disabled Caution I...

Page 191: ...he RADIUS server Follow these steps to configure a port to ignore the authorization information from the RADIUS server To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Ignore the authorization information from the RADIUS server port security authorization ignore Required By default a port uses the authorization informati...

Page 192: ...ty is enabled z The maximum number of security MAC addresses allowed on the port is set z The security mode of the port is set to autolearn II Configuring a security MAC address Follow these steps to configure a security MAC address To do Use the command Remarks Enter system view system view In system view mac address security mac address interface interface type interface number vlan vlan id inte...

Page 193: ...ops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds II Network diagram Figure 1 1 Network diagram for port security configuration III Configuration procedure Enter system view Switch system view Enable port security Switch port security enable Enter GigabitEthernet1 0 1 port view ...

Page 194: ...ng H3C S5100 SI EI Series Ethernet Switches Chapter 1 Port Security Configuration 1 13 Switch GigabitEthernet1 0 1 port security intrusion mode disableport temporarily Switch GigabitEthernet1 0 1 quit Switch port security timer disableport 30 ...

Page 195: ...d on the port whose MAC address and IP address are identical with the bound MAC address and IP address This improves network security and enhances security monitoring 2 1 2 Configuring Port Binding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system view am user bind mac addr mac address ip addr ip address interface interface type inte...

Page 196: ...tion Example 2 3 1 Port Binding Configuration Example I Network requirements It is required to bind the MAC and IP addresses of Host A to GigabitEthernet 1 0 1 on Switch A so as to prevent malicious users from using the IP address they steal from Host A to access the network II Network diagram Figure 2 1 Network diagram for port binding configuration III Configuration procedure Configure Switch A ...

Page 197: ...ation Manual Port Security Port Binding H3C S5100 SI EI Series Ethernet Switches Chapter 1 Port Security Configuration 2 3 SwitchA GigabitEthernet1 0 1 am user bind mac addr 0001 0002 0003 ip addr 10 12 1 1 ...

Page 198: ...f Contents Chapter 1 DLDP Configuration 1 1 1 1 Overview 1 1 1 1 1 Introduction 1 1 1 1 2 DLDP Fundamentals 1 2 1 2 DLDP Configuration 1 7 1 2 1 Performing Basic DLDP Configuration 1 7 1 2 2 Resetting DLDP State 1 8 1 2 3 Displaying and Maintaining DLDP 1 9 1 3 DLDP Configuration Example 1 9 ...

Page 199: ...ckets from the local device Unidirectional link can cause problems such as loops in a Spanning Tree Protocol STP enabled network Unidirectional links can be caused by z Fiber cross connection as shown in Figure 1 1 z Fibers that are not connected or disconnected as shown in Figure 1 2 the hollow lines in which refer to fibers that are not connected or disconnected The Device Link Detection Protoco...

Page 200: ...s can work normally at the physical layer DLDP can detect whether these links are connected correctly and whether packets can be exchanged normally at both ends However the auto negotiation mechanism cannot implement this detection Note z In order for DLDP to detect fiber disconnection in one direction you need to configure the port to work in mandatory full duplex mode at a mandatory rate z When ...

Page 201: ...e it does not removes the corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor information remains and the Delaydown timer is triggered II DLDP timers Table 1 2 DLDP timers Timer Description Advertisement sending timer Interval between sending advertise...

Page 202: ...bor If no echo packet is received from the neighbor when the enhanced timer expires the state of the local end is set to unidirectional communication state and the state machine turns into the disable state DLDP outputs log and tracking information and sends flush packets Depending on the user defined DLDP down mode DLDP disables the local port automatically or prompts you to disable the port manu...

Page 203: ...he enhanced timer expires the state of the local end is set to unidirectional link and the neighbor entry is aged out IV DLDP implementation 1 If the DLDP enabled link is up DLDP sends DLDP packets to the peer device and analyzes and processes the DLDP packets received from the peer device DLDP in different states sends different types of packets Table 1 4 Types of packets sent by DLDP DLDP state ...

Page 204: ...packet Sets the neighbor flag bit to bidirectional link Echo packet Checks whether the local device is in the probe state Yes Checks whether neighbor information in the packet is the same as that on the local device Yes If all neighbors are in the bidirectional link state DLDP switches from the probe state to the advertisement state and sets the echo waiting timer to 0 3 If no echo packet is recei...

Page 205: ...the command Remarks Enter system view system view Enable DLDP globally dldp enable Enter Ethernet port view interface interface type interface number Enable DLDP Enable DLDP on a port Enable DLDP dldp enable Required By default DLDP is disabled Set the authentication mode and password dldp authentication mode none simple simple password md5 md5 password Optional By default the authentication mode ...

Page 206: ...ts each link in the aggregation group as independent z When connecting two DLDP enabled devices make sure the software running on them is of the same version Otherwise DLDP may operate improperly z When you use the dldp enable dldp disable command in system view to enable disable DLDP on all optical ports of the switch the configuration takes effect on the existing optical ports instead of those a...

Page 207: ...and Maintaining DLDP To do Use the command Remarks Display the DLDP configuration of a unit or a port display dldp unit id interface type interface number Available in any view 1 3 DLDP Configuration Example I Network requirements As shown in Figure 1 3 z Switch A and Switch B are connected through two pairs of fibers Both of them support DLDP All the ports involved operate in mandatory full duple...

Page 208: ... duplex full SwitchA GigabitEthernet1 0 50 speed 1000 SwitchA GigabitEthernet1 0 50 quit SwitchA interface gigabitethernet 1 0 51 SwitchA GigabitEthernet1 0 51 duplex full SwitchA GigabitEthernet1 0 51 speed 1000 SwitchA GigabitEthernet1 0 51 quit Enable DLDP globally SwitchA dldp enable Set the interval for sending DLDP packets to 15 seconds SwitchA dldp interval 15 Configure DLDP to work in enha...

Page 209: ... with the other end connected to no device z If the device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode the end that receives optical signals is in the disable state the other end is in the inactive state Restore the ports shut down by DLDP SysnameA dldp ...

Page 210: ... 1 1 1 3 Managing MAC Address Table 1 4 1 2 Configuring MAC Address Table Management 1 5 1 2 1 Configuration Task List 1 5 1 2 2 Configuring a MAC Address Entry 1 5 1 2 3 Setting the Aging Time of MAC Address Entries 1 7 1 2 4 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 7 1 2 5 Disabling MAC Address learning for a VLAN 1 8 1 3 Displaying MAC Address Table Information 1 9 1 4 Con...

Page 211: ...ing the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to z Forwarding egress port numbers on the local switch When forwarding a packet an Ethernet switch adopts one of the two forwarding methods based upon the MAC address table entries z Unicast forwarding If the destination...

Page 212: ...tted to GigabitEthernet 1 0 1 At this time the switch records the source MAC address of the packet that is the address MAC A of User A to the MAC address table of the switch forming an entry shown in Figure 1 2 Figure 1 1 MAC address learning diagram 1 Figure 1 2 MAC address table entry of the switch 1 2 After learning the MAC address of User A the switch starts to forward the packet Because there...

Page 213: ...records the association between the MAC address of User B and the corresponding port to the MAC address table of the switch Figure 1 4 MAC address learning diagram 3 4 At this time the MAC address table of the switch includes two forwarding entries shown in Figure 1 5 When forwarding the response packet the switch unicasts the packet instead of broadcasting it to User A through GigabitEthernet 1 0...

Page 214: ...e MAC address recorded in the entry are received within the aging time Note Aging timer only takes effect on dynamic MAC address entries II Entries in a MAC address table Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods z Static MAC address entry Also known as permanent MAC address entry This type of MAC address entries ...

Page 215: ...ry Manually configured Unavailable Yes 1 2 Configuring MAC Address Table Management 1 2 1 Configuration Task List Table 1 2 Configure MAC address table management Task Remarks Configuring a MAC Address Entry Required Setting the Aging Time of MAC Address Entries Optional Setting the Maximum Number of MAC Addresses a Port Can Learn Optional Disabling MAC Address learning for a VLAN Optional 1 2 2 C...

Page 216: ...ise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a static MAC address is added it will become a static VLAN II Adding a MAC address entry in Ethernet port view Table 1 4 Add a MAC address entry in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Add a...

Page 217: ...recommended to use the default aging time namely 300 seconds The no aging keyword specifies that MAC address entries do not age out Note MAC address aging configuration applies to all ports but only takes effect on dynamic MAC addresses that are learnt or configured to age 1 2 4 Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mechanism enables an Ethernet swit...

Page 218: ...pecific VLANs to improve stability and security for the users belong to these VLANs and prevent unauthorized accesses Table 1 7 Disable MAC address learning for a VLAN Operation Command Description Enter system view system view Enter VLAN view vlan vlan id Disable the switch from learning MAC addresses in the VLAN mac address max mac count 0 Required By default a switch learns MAC addresses in any...

Page 219: ...0 2 To prevent the switch from broadcasting packets destined for the server it is required to add the MAC address of the server to the MAC address table of the switch which then forwards packets destined for the server through GigabitEthernet 1 0 2 z The MAC address of the server is 000f e20f dc71 z Port GigabitEthernet 1 0 2 belongs to VLAN 1 II Configuration procedure Enter system view Sysname s...

Page 220: ...etwork 1 27 1 3 9 Configuring the MSTP Time related Parameters 1 28 1 3 10 Configuring the Timeout Time Factor 1 29 1 3 11 Configuring the Maximum Transmitting Rate on the Current Port 1 30 1 3 12 Configuring the Current Port as an Edge Port 1 31 1 3 13 Specifying Whether the Link Connected to a Port Is Point to point Link 1 33 1 3 14 Enabling MSTP 1 34 1 4 Configuring Leaf Nodes 1 35 1 4 1 Config...

Page 221: ...Introduction 1 47 1 7 2 Configuring Digest Snooping 1 48 1 8 Configuring Rapid Transition 1 49 1 8 1 Introduction 1 49 1 8 2 Configuring Rapid Transition 1 51 1 9 Configuring VLAN VPN Tunnel 1 52 1 9 1 Introduction 1 52 1 9 2 Configuring VLAN VPN tunnel 1 53 1 10 STP Maintenance Configuration 1 54 1 10 1 Introduction 1 54 1 10 2 Enabling Log Trap Output for Ports of MSTP Instance 1 54 1 10 3 Confi...

Page 222: ... Devices running this protocol detect loops in the network by exchanging packets with one another and eliminate the loops detected by blocking specific ports until the network is pruned into one with tree topology As a network with tree topology is loop free it prevents packets in it from being duplicated and forwarded endlessly and prevents device performance degradation Currently in addition to ...

Page 223: ...bridge has no root port 3 Designated bridge and designated port Refer to the following table for the description of designated bridge and designated port Table 1 1 Designated bridge and designated port Classification Designated bridge Designated port For a device A designated bridge is a device that is directly connected to a switch and is responsible for forwarding BPDUs to this switch The port t...

Page 224: ...logy by transmitting configuration BPDUs between network devices Configuration BPDUs contain sufficient information for network devices to complete the spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of root bridge priority and MAC address z Root path cost the cost of the shortest path to the root bridge z Designated bridge ID designated bridg...

Page 225: ...ion BPDU Each device sends out its configuration BPDU and receives configuration BPDUs from other devices The process of selecting the optimum configuration BPDU is as follows Table 1 2 Selection of the optimum configuration BPDU Step Description 1 Upon receiving a configuration BPDU on a port the device performs the following processing z If the received configuration BPDU has a lower priority th...

Page 226: ...liant device on the network assumes itself to be the root bridge with the root bridge ID being its own bridge ID By exchanging configuration BPDUs the devices compare one another s root bridge ID The device with the smallest root bridge ID is elected as the root bridge z Selection of the root port and designated ports The process of selecting the root port and designated ports is as follows Table ...

Page 227: ...e port only receives configuration BPDUs but does not forward data or send configuration BPDUs Note When the network topology is stable only the root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each non root bridge and designated ports have been successfu...

Page 228: ...uration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the configuration received message and discards the received configuration BPDU z Port AP2 receives the configuration BPDU of Device C 2 0 2 CP1 Device A finds that the BPDU of the local port 0 0 0 AP2 is superior to the received configuration BPDU and discards the received conf...

Page 229: ...e configuration BPDU of BP2 If the calculated BPDU is superior BP2 will act as the designated port and the configuration BPDU on this port will be replaced with the calculated configuration BPDU which will be sent out periodically Root port BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPD...

Page 230: ...han the root path cost of CP1 10 root path cost of the BPDU 0 path cost corresponding to CP2 10 the BPDU of CP2 is elected as the optimum BPDU and CP2 is elected as the root port the messages of which will not be changed z After comparison between the configuration BPDU of CP1 and the calculated designated port configuration BPDU port CP1 is blocked with the configuration BPDU of the port remainin...

Page 231: ... timeout In this case the device generates configuration BPDUs with itself as the root bridge and sends configuration BPDUs and TCN BPDUs This triggers a new spanning tree calculation so that a new path is established to restore the network connectivity However the newly calculated configuration BPDU will not be propagated throughout the network immediately so the old root ports and designated por...

Page 232: ... optimized version of STP RSTP allows a newly elected root port or designated port to enter the forwarding state much quicker under certain conditions than in STP As a result it takes a shorter time for the network to reach the final topology stability Note z In RSTP the state of a root port can transit fast under the following conditions the old root port on the device has stopped forwarding data...

Page 233: ...ning multiple spanning trees that are independent of one another z MSTP prunes a ring network into a network with tree topology preventing packets from being duplicated and forwarded in a network endlessly Furthermore it offers multiple redundant paths for forwarding data and thus achieves load balancing for forwarding VLAN data z MSTP is compatible with STP and RSTP 1 2 2 Basic MSTP Terminologies...

Page 234: ...hed in one MST region These spanning trees are independent of each other For example each region in Figure 1 4 contains multiple spanning trees known as MSTIs Each of these spanning trees corresponds to a VLAN III VLAN to MSTI mapping table A VLAN to MSTI mapping table is maintained for each MST region The table is a collection of mappings between VLANs and MSTIs For example in Figure 1 4 the VLAN...

Page 235: ...connects an MST region to the common root The path from the master port to the common root is the shortest path between the MST region and the common root In the CST the master port is the root port of the region which is considered as a node The master port is a special boundary port It is a root port in the IST CIST while a master port in the other MSTIs z A region boundary port is located on th...

Page 236: ... boundary port It is a root port in the CIST while a master port in all the other MSTIs in the region Connecting to the common root bridge Region boundary ports Port 1 Port 2 Master port Alternate port Designated port Port 3 Port 4 Port 5 A B C D Port 6 Backup port MST region Figure 1 5 Port roles X Port state In MSTP a port can be in one of the following three states z Forwarding state Ports in t...

Page 237: ...CSTs together with the ISTs form the CIST of the network II Calculate an MSTI In an MST region different MSTIs are generated for different VLANs based on the VLAN to MSTI mappings Each spanning tree is calculated independently in the same way as how STP RSTP is calculated III Implement STP algorithm In the beginning each switch regards itself as the root and generates a configuration BPDU for each...

Page 238: ...figuration BPDUs with both the same Instance bridge ID and the same Internal path costs Designated bridge ID ID of sending port ID of receiving port are compared in turn 3 A spanning tree is calculated as follows z Determining the root bridge Root bridges are selected by configuration BPDU comparing The switch with the smallest root ID is chosen as the root bridge z Determining the root port For e...

Page 239: ...guard z Loop guard z TC BPDU attack guard z BPDU packet drop 1 2 5 STP related Standards STP related standards include the following z IEEE 802 1D spanning tree protocol z IEEE 802 1w rapid spanning tree protocol z IEEE 802 1s multiple spanning tree protocol 1 3 Configuring Root Bridge Complete the following tasks to configure the root bridge Task Remarks Enabling MSTP Required To prevent network ...

Page 240: ...e default value is recommended Configuring the Current Port as an Edge Port Optional Specifying Whether the Link Connected to a Port Is Point to point Link Optional Note In a network containing switches with both GVRP and MSTP enabled GVRP messages travel along the CIST If you want to advertise a VLAN through GVRP be sure to map the VLAN to the CIST MSTI 0 when configuring the VLAN to MSTI mapping...

Page 241: ... configuration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configuration Available in any view Note NTDP packets sent by devices in a cluster can only be transmitted within the MSTI where the management VLAN of the cluster resides Configuring MST region related parame...

Page 242: ... being mapped to MSTI 2 Sysname system view Sysname stp region configuration Sysname mst region region name info Sysname mst region instance 1 vlan 2 to 10 Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configuration Admin configuration Format selector 0 Re...

Page 243: ...TI identified by the instance id argument If the value of the instance id argument is set to 0 the stp root primary stp root secondary command specify the current switch as the root bridge or the secondary root bridge of the CIST A switch can play different roles in different MSTIs That is it can be the root bridges in an MSTI and be a secondary root bridge in another MSTI at the same time But in ...

Page 244: ...a secondary root bridge its priority cannot be modified III Configuration example Configure the current switch as the root bridge of MSTI 1 and a secondary root bridge of MSTI 2 Sysname system view Sysname stp instance 1 root primary Sysname stp instance 2 root secondary 1 3 4 Configuring the Bridge Priority of the Current Switch Root bridges are selected according to the bridge priorities of swit...

Page 245: ...end packets in legacy format z 802 1s mode Ports in this mode recognize send packets in dot1s format A port acts as follows according to the format of MSTP packets forwarded by a peer switch or router When a port operates in the automatic mode z The port automatically determines the format legacy or dot1s of received MSTP packets and then determines the format of the packets to be sent accordingly...

Page 246: ...t of the packets received Follow these steps to configure how a port recognizes and sends MSTP packets in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure how a port recognizes and sends MSTP packets stp compliance auto dot1s legacy Required By default a port recognizes and sends MSTP packets...

Page 247: ...he switch is MSTP capable I Configuration procedure Follow these steps to configure the MSTP operation mode To do Use the command Remarks Enter system view system view Configure the MSTP operation mode stp mode stp rstp mstp Required An MSTP enabled switch operates in the MSTP mode by default II Configuration example Specify the MSTP operation mode as STP compatible Sysname system view Sysname stp...

Page 248: ...ount of an MST region is 20 The bigger the maximum hop count the larger the MST region is Note that only the maximum hop settings on the switch operating as a region root can limit the size of the MST region II Configuration example Configure the maximum hop count of the MST region to be 30 Sysname system view Sysname stp max hops 30 1 3 8 Configuring the Network Diameter of the Switched Network I...

Page 249: ...MSTP time related parameters exist forward delay hello time and max age You can configure the three parameters to control the process of spanning tree calculation I Configuration procedure Follow these steps to configure MSTP time related parameters To do Use the command Remarks Enter system view system view Configure the forward delay parameter stp timer forward delay centiseconds Required The fo...

Page 250: ...y be unable to be detected in time which prevents spanning trees being recalculated in time and makes the network less adaptive The default value is recommended As for the configuration of the three time related parameters that is the hello time forward delay and max age parameters the following formulas must be met to prevent frequent network jitter 2 x forward delay 1 second max age Max age 2 x ...

Page 251: ... to configure the timeout time factor To do Use the command Remarks Enter system view system view Configure the timeout time factor for the switch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time II Configuration example Configure the timeout time factor to be 6 Sysname system view Sysname stp ...

Page 252: ...switch defaults to 10 As the maximum transmitting rate parameter determines the number of the configuration BPDUs transmitted in each hello time set it to a proper value to prevent MSTP from occupying too many network resources The default value is recommended III Configuration example Set the maximum transmitting rate of GigabitEthernet 1 0 1 to 15 1 Configure the maximum transmitting rate in sys...

Page 253: ...port view Follow these steps to configure a port as an edge port in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the port as an edge port stp edged port enable Required By default all the Ethernet ports of a switch are non edge ports On a switch with BPDU guard disabled an edge port becom...

Page 254: ...t to point link in one of the following two ways I Specify whether the link connected to a port is point to point link in system view Follow these steps to specify whether the link connected to a port is point to point link in system view To do Use the command Remarks Enter system view system view Specify whether the link connected to a port is point to point link stp interface interface list poin...

Page 255: ... the link connected to GigabitEthernet 1 0 1 as a point to point link 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 point to point force true 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp point to point force true 1 3 14 Enabling MSTP I Con...

Page 256: ...calculation this operation saves CPU resources of the switch Other MSTP related settings can take effect only after MSTP is enabled on the switch II Configuration example Enable MSTP on the switch and disable MSTP on GigabitEthernet 1 0 1 1 Perform this configuration in system view Sysname system view Sysname stp enable Sysname stp interface GigabitEthernet 1 0 1 disable 2 Perform this configurati...

Page 257: ...nal Note In a network containing switches with both GVRP and MSTP enabled GVRP messages travel along the CIST If you want to advertise a VLAN through GVRP be sure to map the VLAN to the CIST MSTI 0 when configuring the VLAN to MSTI mapping table 1 4 1 Configuration Prerequisites The role root branch or leaf of each switch in each MSTI is determined 1 4 2 Configuring the MST Region Refer to Configu...

Page 258: ...ollowing standards z dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the IEEE 802 1t standard to calculate the default path costs of ports z legacy Adopts the proprietary standard to calculate the default path costs of ports Follow these steps to specify the standard for calculating path costs To do Use the command Remarks Enter system vi...

Page 259: ...ightly less than that of the port operating in half duplex mode When calculating the path cost of an aggregated link the 802 1D 1998 standard does not take the number of the ports on the aggregated link into account whereas the 802 1T standard does The following formula is used to calculate the path cost of an aggregated link Path cost 200 000 000 link transmission rate Where link transmission rat...

Page 260: ...t of GigabitEthernet 1 0 1 in MSTI 1 to be 2 000 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 instance 1 cost 2000 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp instance 1 cost 2000 IV Configuration example B Configure the path cost of Gig...

Page 261: ...tance id port priority priority Required The default port priority is 128 II Configure port priority in Ethernet port view Follow these steps to configure port priority in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure port priority for the port stp instance instance id port priority priori...

Page 262: ...ected to it When the STP enabled downstream switch is then replaced by an MSTP enabled switch the port cannot automatically transit to the MSTP mode It remains in the STP compatible mode In this case you can force the port to transit to the MSTP mode by performing the mCheck operation on the port Similarly a port on an RSTP enabled switch operating as an upstream switch turns to the STP compatible...

Page 263: ...form this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 mcheck 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp mcheck 1 6 Configuring Guard Functions 1 6 1 Introduction The following guard functions are available on an MSTP enabled switch BPDU guard root gu...

Page 264: ... root guard function Ports with this function enabled can only be kept as designated ports in all MSTIs When a port of this type receives configuration BPDUs with higher priorities it turns to the discarding state rather than become a non designated port and stops forwarding packets as if it is disconnected from the link It resumes the normal state if it does not receive any configuration BPDUs wi...

Page 265: ... received within a period is less than the maximum times the switch performs a removing operation upon receiving a TC BPDU After the number of the TC BPDUs received reaches the maximum times the switch stops performing the removing operation For example if you set the maximum times for a switch to remove the MAC address table and ARP entries to 100 and the switch receives 200 TC BPDUs in the perio...

Page 266: ...Enable the root guard function on specified ports stp interface interface list root protection Required The root guard function is disabled by default Follow these steps to enable the root guard function in Ethernet port view To do Use the command Remarks Enter system view system view Enter Ethernet port view Interface interface type interface number Enable the root guard function on the current p...

Page 267: ...fault II Configuration example Enable the loop guard function on GigabitEthernet 1 0 1 Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp loop protection 1 6 6 Configuring TC BPDU Attack Guard I Configuration prerequisites MSTP runs normally on the switch II Configuration procedure Follow these steps to configure the TC BPDU attack guard function To do Use...

Page 268: ...net 1 0 1 Sysname GigabitEthernet1 0 1 bpdu drop any 1 7 Configuring Digest Snooping 1 7 1 Introduction According to IEEE 802 1s two interconnected switches can communicate with each other through MSTIs in an MST region only when the two switches have the same MST region related configuration Interconnected MSTP enabled switches determine whether or not they are in the same MST region by checking ...

Page 269: ...ng Digest Snooping Configure the digest snooping feature on a switch to enable it to communicate with other switches adopting proprietary protocols to calculate configuration digests in the same MST region through MSTIs I Configuration prerequisites The switch to be configured is connected to another manufacturer s switch adopting a proprietary spanning tree protocol MSTP and the network operate n...

Page 270: ...region name revision level and VLAN to MSTI mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to MSTI mapping table cannot be modified z The digest snooping feature is not applicable to bounda...

Page 271: ...tion mechanism Figure 1 7 The MSTP rapid transition mechanism The cooperation between MSTP and RSTP is limited in the process of rapid transition For example when the upstream switch adopts RSTP the downstream switch adopts MSTP and the downstream switch does not support RSTP compatible mode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends...

Page 272: ...ackets from the upstream designated ports instead of waiting for agreement packets from the upstream switch This enables designated ports of the upstream switch to change their states rapidly 1 8 2 Configuring Rapid Transition I Configuration prerequisites As shown in Figure 1 8 a H3C series switch is connected to another manufacturer s switch The former operates as the downstream switch and the l...

Page 273: ...ports z If you configure the rapid transition feature on a designated port the feature does not take effect on the port 1 9 Configuring VLAN VPN Tunnel 1 9 1 Introduction The VLAN VPN Tunnel function enables STP packets to be transparently transmitted between geographically dispersed customer networks through specified VLAN VPNs in service provider networks through which spanning trees can be gene...

Page 274: ...nable Enable the VLAN VPN tunnel function globally vlan vpn tunnel Required The VLAN VPN tunnel function is disabled by default Enter Ethernet port view interface interface type interface number Make sure that you enter the Ethernet port view of the port for which you want to enable the VLAN VPN tunnel function Enable the VLAN VPN function for the Ethernet port vlan vpn enable Required By default ...

Page 275: ...stp instance instance id portlog Required By default log trap output is disabled for the ports of all instances Enable log trap output for the ports of all instances stp portlog all Required By default log trap output is disabled for the ports of all instances 1 10 3 Configuration Example Enable log trap output for the ports of instance 1 Sysname system view Sysname stp instance 1 portlog Enable l...

Page 276: ...ndard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp instance 1 dot1d trap newroot enable 1 12 Displaying and Maintaining MSTP To do Use the command Remarks Display the state and statistics information about spanning trees of the current device display stp instance instance id interface interface list slot slot number brief Di...

Page 277: ... Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the convergence layer and VLAN 40 is limited in the access layer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 II Network diagram Figure 1 10 Network diagram for MSTP configur...

Page 278: ...r the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instance 3 vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch B as the root bridge of MSTI 3 Sysname stp instance 3 root primary 3 Configure Swit...

Page 279: ...N VPN tunnel Configuration Example I Network requirements z S5100 switches operate as the access devices of the service provider network that is Switch C and Switch D in the network diagram z Switch A and Switch B are the access devices for the customer networks z Switch C and Switch D are connected to each other through the configured trunk ports of the switches The VLAN VPN tunnel function is en...

Page 280: ...on Sysname vlan vpn tunnel Add GigabitEthernet 1 0 1 to VLAN 10 Sysname vlan 10 Sysname Vlan10 port GigabitEthernet 1 0 1 Sysname Vlan10 quit Disable STP on GigabitEthernet 1 0 1 and then enable the VLAN VPN function on it Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port access vlan 10 Sysname GigabitEthernet1 0 1 vlan vpn enable Sysname GigabitEthernet1 0 1 quit Configure...

Page 281: ...STP on GigabitEthernet 1 0 2 and then enable the VLAN VPN function on it Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port access vlan 10 Sysname GigabitEthernet1 0 2 stp disable Sysname GigabitEthernet1 0 2 quit Configure GigabitEthernet 1 0 1 as a trunk port Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 port link type trunk Add the trunk port to all...

Page 282: ...figuring Proxy Checking 1 20 1 4 2 Configuring Client Version Checking 1 21 1 4 3 Enabling DHCP triggered Authentication 1 21 1 4 4 Configuring Guest VLAN 1 22 1 4 5 Configuring 802 1x Re Authentication 1 23 1 4 6 Configuring the 802 1x Re Authentication Timer 1 23 1 5 Displaying and Maintaining 802 1x Configuration 1 24 1 6 Configuration Example 1 24 1 6 1 802 1x Configuration Example 1 24 Chapte...

Page 283: ...able of Contents ii 3 4 Displaying and Maintaining HABP Configuration 3 2 Chapter 4 System Guard Configuration 4 1 4 1 System Guard Overview 4 1 4 2 Configuring the System Guard Feature 4 1 4 2 1 Configuring the System Guard Feature 4 1 4 3 Displaying and Maintaining System Guard 4 2 ...

Page 284: ...ss mainly authentication and security problems 802 1x is a port based network access control protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device can access the LAN only when it passes the authentication Those fail to pass the authentication are denied when accessing the LAN This sectio...

Page 285: ...authentication service to the authenticator system Normally in the form of a RADIUS server the authentication server system serves to perform Authentication Authorization and Accounting AAA services to users It also stores user information such as user name password the VLAN a user belongs to priority and the Access Control Lists ACLs applied The four basic concepts related to the above three enti...

Page 286: ...a unidirectional port which sends packets to supplicant systems only By default a controlled port is a unidirectional port IV The way a port is controlled A port of a H3C series switch can be controlled in the following two ways z Port based authentication When a port is controlled in this way all the supplicant systems connected to the port can access the network without being authenticated after...

Page 287: ...Encapsulation of EAPoL Messages I The format of an EAPoL packet EAPoL is a packet encapsulation format defined in 802 1x To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs EAP protocol packets are encapsulated in EAPoL format The following figure illustrates the structure of an EAPoL packet Figure 1 3 The format of an EAPoL packet In ...

Page 288: ...lated ASF Alert packets which are terminated by authenticator systems II The format of an EAP packet For an EAPoL packet with the value of the Type field being EAP packet its Packet body field is an EAP packet whose format is illustrated in Figure 1 4 0 15 Code Data Length 7 Identifier 2 4 N Figure 1 4 The format of an EAP packet In an EAP packet z The Code field indicates the EAP packet type whic...

Page 289: ...ze of the string field is 253 bytes EAP packets with their size larger than 253 bytes are fragmented and are encapsulated in multiple EAP message fields The type code of the EAP message field is 79 Figure 1 6 The format of an EAP message field The Message authenticator field whose format is shown in Figure 1 7 is used to prevent unauthorized interception to access requesting packets during authent...

Page 290: ...5 challenge packets to the supplicant system which in turn encrypts the passwords using the MD5 keys z EAP TLS allows the supplicant system and the RADIUS server to check each other s security certificate and authenticate each other s identity guaranteeing that data is transferred to the right destination and preventing data from being intercepted z EAP TTLS is a kind of extended EAP TLS EAP TLS i...

Page 291: ... 802 1x client to initiate an access request by sending an EAPoL start packet to the switch with its user name and password provided The 802 1x client program then forwards the packet to the switch to start the authentication process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client resp...

Page 292: ...ate to allow the supplicant system to access the network z The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected Note In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authentica...

Page 293: ... that the randomly generated key in the EAP terminating mode is generated by the switch and that it is the switch that sends the user name the randomly generated key and the supplicant system encrypted password to the RADIUS server for further authentication 1 1 5 Timers Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the R...

Page 294: ...ponse from the supplicant system when this timer times out z Transmission timer tx period This timer sets the tx period and is triggered by the switch in two cases The first case is when the client requests for authentication The switch sends a unicast request identity packet to a supplicant system and then triggers the transmission timer The switch sends another request identity packet to the sup...

Page 295: ...ant system but sends no Trap packets z Sends Trap packets without disconnecting the supplicant system This function needs the cooperation of 802 1x client and a CAMS server z The 802 1x client needs to be capable of detecting multiple network adapters proxies and IE proxies z The CAMS server is configured to disable the use of multiple network adapters proxies or IE proxies By default an 802 1x cl...

Page 296: ...lso enables supplicant systems that are not authenticated to upgrade their 802 1x client programs With this function enabled z The switch sends authentication triggering request EAP Request Identity packets to all the 802 1x enabled ports z After the maximum number retries have been made and there are still ports that have not sent any response back the switch will then add these ports to the gues...

Page 297: ...te the username and password any more z An authentication server running CAMS authenticates the username and password during re authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode PC Internet PC PC RADIUS Server Switch Figure 1 10 802 1x re authentication 802 1x re authentication can be enabled in one of the following two ways z The RADIUS server...

Page 298: ...tion AAA scheme Local authentication RADIUS scheme 802 1x configuration Figure 1 11 802 1x configuration z 802 1x users use domain names to associate with the ISP domains configured on switches z Configure the AAA scheme a local authentication scheme or a RADIUS scheme to be adopted in the ISP domain z If you specify to use a local authentication scheme you need to configure the user names and pas...

Page 299: ...e basic 802 1x functions To do Use the command Remarks Enter system view system view Enable 802 1x globally dot1x Required By default 802 1x is disabled globally In system view dot1x interface interface list interface interface type interface number dot1x Enable 802 1x for specified ports In port view quit Required By default 802 1x is disabled on all ports In system view dot1x port control author...

Page 300: ...efault port access method is MAC address based that is the macbased keyword is used by default Set authentication method for 802 1x users dot1x authentication method chap pap eap Optional By default a switch performs CHAP authentication in EAP terminating mode Enable online user handshaking dot1x handshake enable Optional By default online user handshaking is enabled Enter Ethernet port view inter...

Page 301: ...hether or not a user is online z As clients that are not of H3C do not support the online user handshaking function switches cannot receive handshake acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packet protection function requires the cooperation of th...

Page 302: ...conds z quiet period value 60 seconds z server timeout value 100 seconds z supp timeout value 30 seconds z tx period value 30 seconds z ver period value 30 seconds Enable the quiet period timer dot1x quiet period Optional By default the quiet period timer is disabled Note z As for the dot1x max user command if you execute it in system view without specifying the interface list argument the command...

Page 303: ...disabled In system view dot1x supp proxy check logoff trap interface interface list interface interface type interface number dot1x supp proxy check logoff trap Enable proxy checking for a port specified ports In port view quit Required By default the 802 1x proxy checking is disabled on a port Note z The proxy checking function needs the cooperation of H3C s 802 1x client iNode program z The prox...

Page 304: ... dot1x retry version max max retry version value Optional By default the maximum number of retires to send version checking request packets is 3 Set the client version checking period timer dot1x timer ver period ver period value Optional By default the timer is set to 30 seconds Note As for the dot1x version user command if you execute it in system view without specifying the interface list argum...

Page 305: ... Required The default port access method is MAC address based That is the macbased keyword is used by default In system view dot1x guest vlan vlan id interface interface list interface interface type interface number dot1x guest vlan vlan id Enable the guest VLAN function In port view quit Required By default the guest VLAN function is disabled Caution z The guest VLAN function is available only w...

Page 306: ...thentication server running CAMS authenticates the username and password during re authentication of a user in the EAP authentication mode but does not in PAP or CHAP authentication mode 1 4 6 Configuring the 802 1x Re Authentication Timer After 802 1x re authentication is enabled on the switch the switch determines the re authentication interval in one of the following two ways 1 The switch uses ...

Page 307: ...uthenticate users on all ports to control their accesses to the Internet The switch operates in MAC based access control mode z All supplicant systems that pass the authentication belong to the default domain named aabbcc net The domain can accommodate up to 30 users As for authentication a supplicant system is authenticated locally if the RADIUS server fails And as for accounting a supplicant sys...

Page 308: ...entication are localuser and localpass in plain text respectively The idle disconnecting function is enabled II Network diagram Figure 1 12 Network diagram for AAA configuration with 802 1x and RADIUS enabled III Configuration procedure Note Following configuration covers the major AAA RADIUS configuration commands Refer to AAA Operation for the information about these commands Configuration on th...

Page 309: ...oney Set the interval and the number of the retries for the switch to send packets to the RADIUS servers Sysname radius radius1 timer 5 Sysname radius radius1 retry 5 Set the timer for the switch to send real time accounting packets to the RADIUS servers Sysname radius radius1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with the domain name truncated Sysname r...

Page 310: ...ries Ethernet Switches Chapter 1 802 1x Configuration 1 27 Sysname domain default enable aabbcc net Create a local access user account Sysname local user localuser Sysname luser localuser service type lan access Sysname luser localuser password simple localpass ...

Page 311: ... EAD Deployment Overview As an integrated solution an Endpoint Admission Defense EAD solution can improve the overall defense power of a network In real applications however deploying EAD clients proves to be time consuming and inconvenient To address the issue the H3C S5100 SI EI series provides the forcible deployment of EAD clients with 802 1x authentication easing the work of EAD client deploy...

Page 312: ...t that EAD client deployment may involve Note The quick EAD deployment feature takes effect only when the access control mode of an 802 1x enabled port is set to auto 2 2 Configuring Quick EAD Deployment 2 2 1 Configuration Prerequisites z Enable 802 1x on the switch z Set the access mode to auto for 802 1x enabled ports 2 2 2 Configuration Procedure I Configuring a free IP range A free IP range i...

Page 313: ...s not support port security The configured free IP range cannot take effect if you enable port security II Setting the ACL timeout period The quick EAD deployment function depends on ACLs in restricting access of users failing authentication Each online user that has not passed authentication occupies a certain amount of ACL resources After a user passes authentication the occupied ACL resources w...

Page 314: ...erface interface list Available in any view 2 3 Quick EAD Deployment Configuration Example I Network requirements A user connects to the switch directly The switch connects to the Web server and the Internet The user will be redirected to the Web server to download the authentication client and upgrade software when accessing the Internet through IE before passing authentication After passing auth...

Page 315: ...he specified URL server no matter what URL the user enters in the IE address bar Solution z If a user enters an IP address in a format other than the dotted decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the resolution fails the PC will access a spec...

Page 316: ... SI EI Series Ethernet Switches Chapter 2 Quick EAD Deployment Configuration 2 6 z Check that you have configured an IP address in the free IP range for the Web server and a correct URL for redirection and that the server provides Web services properly ...

Page 317: ...when traveling between HABP enabled switches through which management devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server sends HABP requests to the client periodically to collect the MAC address es of the attached switch es The client responds to the requests a...

Page 318: ...BP Client Configuration HABP clients reside on switches attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to configure an HABP client To do Use the command Remarks Enter system view system view Enable HABP habp enable Optional HABP is enabled by defaul...

Page 319: ...teristics of the attack source and then you can adopt different filtering rules according the characteristics of the attack source Thus system guard is implemented 4 2 Configuring the System Guard Feature Through the following configuration you can enable the system guard feature set the threshold for the number of packets when an attack is detected and the length of the isolation after an attack ...

Page 320: ...After the above configuration execute the display command in any view to display the running status of the system guard feature and to verify the configuration Table 4 2 Display and maintain system guard Operation Command Display the record of detected attacks display system guard attack record Display the state of the system guard feature display system guard state ...

Page 321: ...tion Authorization Servers 2 13 2 2 3 Configuring RADIUS Accounting Servers 2 14 2 2 4 Configuring Shared Keys for RADIUS Messages 2 16 2 2 5 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 17 2 2 6 Configuring the Type of RADIUS Servers to be Supported 2 17 2 2 7 Configuring the Status of RADIUS Servers 2 18 2 2 8 Configuring the Attributes of Data to be Sent to RADIUS Se...

Page 322: ...ining HWTACACS Protocol Configuration 2 33 2 5 AAA Configuration Examples 2 33 2 5 1 Remote RADIUS Authentication of Telnet SSH Users 2 33 2 5 2 Local Authentication of FTP Telnet Users 2 35 2 5 3 HWTACACS Authentication and Authorization of Telnet Users 2 36 2 6 Troubleshooting AAA 2 37 2 6 1 Troubleshooting RADIUS Configuration 2 37 2 6 2 Troubleshooting HWTACACS Configuration 2 38 Chapter 3 EAD...

Page 323: ...lidity Generally this method is not recommended z Local authentication User information including username password and some other attributes is configured on this device and users are authenticated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardware z Re...

Page 324: ...connected to the same access device may belong to different domains Since the users of different ISPs may have different attributes such as different forms of username and password different service types access rights it is necessary to distinguish the users by setting ISP domains You can configure a set of ISP domain attributes including AAA policy RADIUS scheme and so on for each ISP domain ind...

Page 325: ...ree databases see Figure 1 1 z Users This database stores information about users such as username password protocol adopted and IP address z Clients This database stores information about RADIUS clients such as shared key z Dictionary The information stored in this database is used to interpret the attributes and attribute values in the RADIUS protocol Figure 1 1 Databases in a RADIUS server In a...

Page 326: ...If the authentication fails the server returns an Access Reject response 4 The RADIUS client accepts or denies the user depending on the received authentication result If it accepts the user the RADIUS client sends a start accounting request Accounting Request with the Status Type attribute value start to the RADIUS server 5 The RADIUS server returns a start accounting response Accounting Response...

Page 327: ... The client transmits this message to the server to determine if the user can access the network This message carries user information It must contain the User Name attribute and may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this message to the client if all the attribute values carried in the Access Requ...

Page 328: ...gth Authenticator and Attributes fields The bytes beyond the length are regarded as padding and are ignored upon reception If a received message is shorter than what the Length field indicates it is discarded 4 The Authenticator field 16 bytes is used to authenticate the response from the RADIUS server and is used in the password hiding algorithm There are two kinds of authenticators Request Authe...

Page 329: ...Talk Link 16 Login TCP Port 38 Framed AppleTalk Network 17 unassigned 39 Framed AppleTalk Zone 18 Reply Message 40 59 reserved for accounting 19 Callback Number 60 CHAP Challenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this protocol allows a device vendor to extend...

Page 330: ...rences between HWTACACS and RADIUS Table 1 3 Differences between HWTACACS and RADIUS HWTACACS RADIUS Adopts TCP providing more reliable network transmission Adopts UDP Encrypts the entire message except the HWTACACS header Encrypts only the password field in authentication message Separates authentication from authorization For example you can use one TACACS server for authentication and another T...

Page 331: ...HWTACACS server Figure 1 5 Network diagram for a typical HWTACACS application II Basic message exchange procedure in HWTACACS The following text takes telnet user as an example to describe how HWTACACS implements authentication authorization and accounting for a user Figure 1 6 illustrates the basic message exchange procedure ...

Page 332: ...tication start request to the TACACS server 2 The TACACS server returns an authentication response asking for the username Upon receiving the response the TACACS client requests the user for the username 3 After receiving the username from the user the TACACS client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for t...

Page 333: ...er returns an authorization response indicating that the user has passed the authorization 9 After receiving the response indicating an authorization success the TACACS client pushes the configuration interface of the switch to the user 10 The TACACS client sends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the...

Page 334: ...s Creating an ISP Domain and Configuring Its Attributes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of the authentication methods z You need to configure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN ...

Page 335: ...ring the Attributes of a Local User Optional AAA configuration Cutting Down User Connections Forcibly Optional 2 1 1 Creating an ISP Domain and Configuring Its Attributes Follow these steps to create an ISP domain and configure its attributes To do Use the command Remarks Enter system view system view Configure the form of the delimiter between the username and the ISP domain name domain delimiter...

Page 336: ...senger function is disabled Set the self service server location function self service url disable enable url string Optional By default the self service server location function is disabled Note that z On an S5100 SI EI series switch each access user belongs to an ISP domain You can configure up to 16 ISP domains on the switch When a user logs in if no ISP domain name is carried in the username t...

Page 337: ...f other networking devices such as switches in a network a CAMS server can implement the AAA functions and right management 2 1 2 Configuring an AAA Scheme for an ISP Domain You can configure either a combined AAA scheme or separate AAA schemes I Configuring a combined AAA scheme You can use the scheme command to specify an AAA scheme for an ISP domain Follow these steps to configure a combined AA...

Page 338: ...there is a key error or NAS IP error the local scheme is used z If you execute the scheme local or scheme none command to adopt local or none as the primary scheme the local authentication is performed or no authentication is performed In this case you cannot specify any RADIUS scheme or HWTACACS scheme at the same time z If you configure to use none as the primary scheme FTP users of the domain c...

Page 339: ...scheme is configured Note RADIUS scheme and local scheme do not support the separation of authentication and authorization Therefore pay attention when you make authentication and authorization configuration for a domain When the scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or local sc...

Page 340: ...witch Then upon receiving an integer ID assigned by the RADIUS authentication server the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID If no such a VLAN exists the switch first creates a VLAN with the assigned ID and then adds the port to the newly created VLAN z String If the RADIUS authentication server assigns string type of VLAN IDs you can set the VLAN ass...

Page 341: ...ring the Attributes of a Local User When local scheme is chosen as the AAA scheme you should create local users on the switch and configure the relevant attributes The local users are users set on the switch with each user uniquely identified by a username To make a user who is requesting network service pass local authentication you should add an entry in the local user database on the switch for...

Page 342: ...he user level level Optional By default the privilege level of the user is 0 Configure the authorized VLAN for the local user authorization vlan string Required By default no authorized VLAN is configured for the local user Set the attributes of the user whose service type is lan access attribute ip ip address mac mac address idle cut second access limit max user number vlan vlan id location nas i...

Page 343: ...d level that a user can access after login is determined by the level of the user interface z If the clients connected to a port have different authorized VLANs only the first client passing the MAC address authentication can be assigned with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommended to co...

Page 344: ...red Configuring RADIUS Authentication Authorization Servers Required Configuring RADIUS Accounting Servers Required Configuring Shared Keys for RADIUS Messages Optional Configuring the Maximum Number of RADIUS Request Transmission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to...

Page 345: ...Refer to the configuration of the RADIUS client The RADIUS service configuration is performed on a RADIUS scheme basis In an actual network environment you can either use a single RADIUS server or two RADIUS servers primary and secondary servers with the same configuration but different IP addresses in a RADIUS scheme After creating a new RADIUS scheme you should configure the IP address and UDP p...

Page 346: ...hese steps to create a RADIUS scheme To do Use the command Remarks Enter system view system view Enable RADIUS authentication port radius client enable Optional By default RADIUS authentication port is enabled Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Note A RADIUS scheme can be...

Page 347: ...ed not and cannot specify a separate RADIUS authorization server z In an actual network environment you can specify one server as both the primary and secondary authentication authorization servers as well as specifying two RADIUS servers as the primary and secondary authentication authorization servers respectively z The IP address and port number of the primary authentication server used by the ...

Page 348: ...uest buffering stop accounting buffe r enable Optional By default stop accounting request buffering is enabled Set the maximum number of transmission attempts of a buffered stop accounting request retry stop accounting retry times Optional By default the system tries at most 500 times to transmit a buffered stop accounting request Set the maximum allowed number of continuous real time accounting f...

Page 349: ...umber of continuously failed real time accounting requests to the RADIUS server reaches the set maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 respectively z Currently RADIUS does not support the accounting of FTP users 2 2 4 Configuring Shared Keys for RADIUS Messa...

Page 350: ...y for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the switch gets no answer after it has tried the maximum number of times to transmit the request the switch considers that the request fails Follow these steps to configure the maximum transmission attempts of a RADIUS request To do Use the command Remarks Enter...

Page 351: ...ing the Status of RADIUS Servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate with the primary server due to some server trouble the switch will turn to the secondary server and exchange messages with the secondary server After the primary server remains in the block state for a set time set...

Page 352: ...ati on server state secondary authentication block active Set the status of the secondary RADIUS accounting server state secondary accounting block active Optional By default the RADIUS servers specified with IP addresses in the RADIUS scheme are all in the active state 2 2 8 Configuring the Attributes of Data to be Sent to RADIUS Servers Follow these steps to configure the attributes of data to b...

Page 353: ...nit for outgoing RADIUS flows are byte and one packet respectively Set the MAC address format of the Calling Station Id Type 31 field in RADIUS packets calling station id mode mode1 mode2 lowercase uppercase Optional By default the MAC address format is XXXX XXXX XXXX in lowercase RADIUS scheme view nas ip ip address Set the source IP address of outgoing RADIUS messages System view radius nas ip i...

Page 354: ...e user because the usernames sent to it are the same z In the default RADIUS scheme system ISP domain names are removed from usernames by default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling Station Id field recogni...

Page 355: ...r up to 16 network access servers NAS That is when acting as the local RADIUS server the switch can provide authentication service to up to 16 network access servers including the switch itself at the same time z When acting as the local RADIUS server the switch does not support EAP authentication 2 2 10 Configuring Timers for RADIUS Servers After sending out a RADIUS request authentication author...

Page 356: ...periodically sends online users accounting information to RADIUS server at the set interval Follow these steps to set timers for RADIUS servers To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the response timeout time of ...

Page 357: ...rt function applies only to the environment where the RADIUS authentication authorization and accounting server is CAMS In an environment that a CAMS server is used to implement AAA functions if the switch reboots after an exclusive user a user whose concurrent online number is set to 1 on the CAMS gets authenticated and authorized and begins being charged the switch will give a prompt that the us...

Page 358: ...d the Accounting On message any more Note The switch can automatically generate the main attributes NAS ID NAS IP address and session ID contained in Accounting On messages However you can also manually configure the NAS IP address with the nas ip command If you choose to manually configure the attribute be sure to configure an appropriate valid IP address If this attribute is not configured the s...

Page 359: ...ng the TACACS client Configuring the Timers Regarding TACACS Servers Optional Configuring the TACACS server Refer to the configuration of TACACS servers 2 3 1 Creating a HWTACACS Scheme The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to create a HWTA...

Page 360: ...and port number of the secondary TACACS authentication server secondary authentication ip address port Optional By default the IP address of the secondary authentication server is 0 0 0 0 and the port number is 0 Caution z You are not allowed to configure the same IP address for both primary and secondary authentication servers If you do this the system will prompt that the configuration fails z Y...

Page 361: ...u do this the system will prompt that the configuration fails z You can remove a server only when it is not used by any active TCP connection for sending authorization messages 2 3 4 Configuring TACACS Accounting Servers Follow these steps to configure TACACS accounting servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs scheme h...

Page 362: ...Configuring Shared Keys for HWTACACS Messages When using a TACACS server as an AAA server you can set a key to improve the communication security between the switch and the TACACS server The TACACS client and server adopt MD5 algorithm to encrypt HWTACACS messages before they are exchanged between the two parties The two parties verify the validity of the HWTACACS messages received from each other...

Page 363: ...vers data flow format packet giga packet kilo packet mega packet one packet Optional By default in a TACACS scheme the data unit and packet unit for outgoing HWTACACS flows are byte and one packet respectively HWTACACS scheme view nas ip ip address Set the source IP address of outgoing HWTACACS messages System view hwtacacs nas ip ip address Optional By default no source IP address is set the IP a...

Page 364: ...utes Optional By default the switch must wait five minutes before it can restore the status of the primary server to active Set the real time accounting interval timer realtime accounting minutes Optional By default the real time accounting interval is 12 minutes Caution z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting...

Page 365: ...user name user name Display information about local users display local user domain isp name idle cut disable enable vlan vlan id service type ftp lan access ssh telnet terminal state active block user name user name Available in any view 2 4 2 Displaying and Maintaining RADIUS Protocol Configuration To do Use the command Remarks Display RADIUS message statistics about local RADIUS server display ...

Page 366: ...chemes display hwtacacs hwtacacs scheme name statistics Display buffered non response stop accounting requests display stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS message statistics reset hwtacacs statistics accounting authentication authorization all Delete buffered non response stop accounting requests reset stop accounting buffer hwtacacs sch...

Page 367: ...n the RADIUS server set the shared key it uses to exchange messages with the switch to aabbcc set the authentication port number and add Telnet usernames and login passwords The Telnet usernames added to the RADIUS server must be in the format of userid isp name if you have configured the switch to include domain names in the usernames to be sent to the RADIUS server in the RADIUS scheme II Networ...

Page 368: ...to the switch by a name in the format of userid cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain 2 5 2 Local Authentication of FTP Telnet Users Note The configuration procedure for local authentication of FTP users is similar to that for Telnet users The following text only takes Telnet users as example to describe the configuration proced...

Page 369: ...d to z Change the server IP address and the UDP port number of the authentication server to 127 0 0 1 and 1645 respectively in the configuration step Configure a RADIUS scheme in Remote RADIUS Authentication of Telnet SSH Users z Enable the local RADIUS server function set the IP address and shared key for the network access server to 127 0 0 1 and aabbcc respectively z Configure local users 2 5 3...

Page 370: ...rization aabbcc Sysname hwtacacs hwtac user name format without domain Sysname hwtacacs hwtac quit Configure the domain name of the HWTACACS scheme to hwtac Sysname domain hwtacacs Sysname isp hwtacacs scheme hwtacacs scheme hwtac 2 6 Troubleshooting AAA 2 6 1 Troubleshooting RADIUS Configuration The RADIUS protocol operates at the application layer in the TCP IP protocol suite This protocol presc...

Page 371: ...een the switch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set on the switch Be sure to set a correct RADIUS server IP address z One or all AAA UDP port settings are incorrect Be sure to set the same UDP port numbers as those on the RADIUS server Symptom 3 The user passes the authentication and ge...

Page 372: ...ntrol their access rights With EAD a switch z Verifies the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as valid z Dynamically adjusts the VLAN rate packet scheduling priority and Access Control List ACL for user terminals according to session control packe...

Page 373: ...rity standard the security policy server reissues an ACL to the switch which then assigns access right to the client so that the client can access more network resources 3 3 EAD Configuration The EAD configuration includes z Configuring the attributes of access users such as username user type and password For local authentication you need to configure these attributes on the switch for remote aut...

Page 374: ...work requirements In Figure 3 2 z A user is connected to GigabitEthernet 1 0 1 on the switch z The user adopts 802 1x client supporting EAD extended function z You are required to configure the switch to use RADIUS server for remote user authentication and use security policy server for EAD control on users The following are the configuration tasks z Connect the RADIUS authentication server 10 110...

Page 375: ...omain system Sysname isp system quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams accounting optional Sysname radius cams key authentication expert Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate...

Page 376: ...cepts 1 2 1 2 1 MAC Address Authentication Timers 1 2 1 2 2 Quiet MAC Address 1 2 1 3 Configuring Basic MAC Address Authentication Functions 1 3 1 4 MAC Address Authentication Enhanced Function Configuration 1 5 1 4 1 MAC Address Authentication Enhanced Function Configuration Task List 1 5 1 4 2 Configuring a Guest VLAN 1 5 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users A...

Page 377: ...assword manually For S5100 SI EI Series Ethernet switches MAC address authentication can be implemented locally or on a RADIUS server After determining the authentication method users can select one of the following types of user name as required z MAC address mode where the MAC address of a user serves as the user name for authentication z Fixed mode where user names and passwords are configured ...

Page 378: ...to the configured local passwords and usernames z The service type of a local user needs to be configured as lan access 1 2 Related Concepts 1 2 1 MAC Address Authentication Timers The following timers function in the process of MAC address authentication z Offline detect timer At this interval the switch checks to see whether an online user has gone offline Once detecting that a user becomes offl...

Page 379: ... interface type interface number mac authentication Enable MAC address authentication for the specified port s or the current port In interface view quit Use either method Disabled by default Set the user name in MAC address mode for MAC address authentication mac authentication authmode usernameasmacaddress usernameformat with hyphen without hyphen lowercase uppercase fixedpassword password Optio...

Page 380: ... The default timeout values are as follows 300 seconds for offline detect timer 60 seconds for quiet timer and 100 seconds for server timeout timer Caution z If MAC address authentication is enabled on a port you cannot configure the maximum number of dynamic MAC address entries for that port through the mac address max mac count command and vice versa z If MAC address authentication is enabled on...

Page 381: ...pleting configuration tasks in Configuring Basic MAC Address Authentication Functions for a switch this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table thus prevent illegal users from accessing the network In some...

Page 382: ...e connected to an existing port failed to pass authentication the switch adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in the VLAN that the port allows to pass the packet will be forwarded perfectly without the influence of the Guest VLAN That is p...

Page 383: ...AN and then configure a new Guest VLAN for this port z 802 1x authentication cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled 1 4 3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port You can configure the maximum number of MAC address authent...

Page 384: ... Authentication Configuration To do Use the command Remarks Display global or on port information about MAC address authentication display mac authentication interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type interface number Available in user view 1 6 MAC Address Authentic...

Page 385: ...d 88 f6 44 c1 z Set the service type to lan access Sysname luser 00 0d 88 f6 44 c1 service type lan access Sysname luser 00 0d 88 f6 44 c1 quit Add an ISP domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the ISP domain for MAC address authentication Sysnam...

Page 386: ...LAN Interface IP Address Configuration Examples 1 5 1 4 1 IP Address Configuration Example I 1 5 1 4 2 IP Address Configuration Example II 1 6 Chapter 2 IP Performance Optimization Configuration 2 1 2 1 IP Performance Overview 2 1 2 1 1 Introduction to IP Performance Configuration 2 1 2 1 2 Introduction to FIB 2 1 2 1 3 Protocols and Standards 2 1 2 2 Configuring IP Performance Optimization 2 1 2 ...

Page 387: ...N Interface IP Address Configuration Examples 1 1 IP Addressing Overview 1 1 1 IP Address Classes On an IP network a 32 bit address is used to identify a host An example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1 1 for the address just mentioned Each...

Page 388: ...reserved for loopback test Packets destined to these addresses are processed locally as input packets rather than sent to the link B 128 0 0 0 to 191 255 255 255 C 192 0 0 0 to 223 255 255 255 D 224 0 0 0 to 239 255 255 255 Multicast addresses E 240 0 0 0 to 255 255 255 255 Reserved for future use except for the broadcast address 255 255 255 255 1 1 2 Special IP Addresses The following IP addresse...

Page 389: ...ss B network is subnetted Figure 1 2 Subnet a Class B network In the absence of subnetting some special addresses such as the addresses with the net ID of all zeros and the addresses with the host ID of all ones are not assignable to hosts The same is true for subnetting When designing your network you should note that subnetting is somewhat a tradeoff between subnets and accommodated hosts For ex...

Page 390: ...refer to VLAN Operation in this manual Besides directly assigning an IP address to a VLAN interface you may configure a VLAN interface to obtain an IP address through BOOTP or DHCP as alternatives If you change the way an interface obtains an IP address from manual assignment to BOOTP for example the IP address obtained from BOOTP will overwrite the old one manually assigned Note This chapter only...

Page 391: ... network segment as that of a loopback interface on a device z A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP 1 3 Displaying IP Addressing Configuration To do Use the command Remarks Display information about a specified or all Layer 3 interfaces display ip interface interface type interface numbe...

Page 392: ...172 16 1 0 24 and 172 16 2 0 24 To enable the hosts on the two network segments to communicate with the external network through the switch and the hosts on the LAN can communicate with each other do the following z Assign two IP addresses to VLAN interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks II Network diagram Figure 1 4 Network diagram for IP address co...

Page 393: ...ence 5 ttl 255 time 26 ms 172 16 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 26 27 ms The output information shows the switch can communicate with the hosts on the subnet 172 16 1 0 24 Ping a host on the subnet 172 16 2 0 24 from the switch to check the connectivity Switch ping 172 16 2 2 PING 172 16 2 2 56 data bytes press CTRL_C to br...

Page 394: ...orted by S5100 SI EI Series Ethernet Switches includes z Configuring TCP attributes z Disabling ICMP to send error packets 2 1 2 Introduction to FIB Every switch stores a forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch by viewing the FIB table Each FIB entry inclu...

Page 395: ...on receiving the last non FIN packet The connection is broken after the timer expires z Size of TCP receive send buffer Follow these steps to configure TCP attributes To do Use the command Remarks Enter system view system view Configure the TCP synwait timer tcp timer syn timeout time value Optional 75 seconds by default Configure the TCP finwait timer tcp timer fin timeout time value Optional 675...

Page 396: ...he transport layer protocol of the packet is not supported by the local device the device sends a protocol unreachable ICMP error packet to the source z When receiving a packet with the destination being local and transport layer protocol being UDP if the packet s port number does not match the running process the device will send the source a port unreachable ICMP error packet z If the source use...

Page 397: ...TCP connection status display tcp status Display TCP connection statistics display tcp statistics Display UDP traffic statistics display udp statistics Display IP traffic statistics display ip statistics Display ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket socktype sock type task id socket id Display the forwarding informati...

Page 398: ...ies Ethernet Switches Chapter 2 IP Performance Optimization Configuration 2 5 To do Use the command Remarks Clear IP traffic statistics reset ip statistics Clear TCP traffic statistics reset tcp statistics Clear UDP traffic statistics reset udp statistics Available in user view ...

Page 399: ...roduction to IP Filtering 2 5 2 2 Configuring DHCP Snooping 2 6 2 2 1 Configuring DHCP Snooping 2 6 2 2 2 Configuring DHCP Snooping to Support Option 82 2 7 2 2 3 Configuring IP Filtering 2 11 2 3 Displaying DHCP Snooping Configuration 2 12 2 4 DHCP Snooping Configuration Examples 2 12 2 4 1 DHCP Snooping Option 82 Support Configuration Example 2 12 2 4 2 IP Filtering Configuration Example 2 14 Ch...

Page 400: ...uration becomes a tough task for the network administrators With the emerging of wireless networks and the using of laptops the position change of hosts and frequent change of IP addresses also require new technology Dynamic Host Configuration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration pa...

Page 401: ...rs an IP address After the DHCP server receives the DHCP DISCOVER packet from the DHCP client it chooses an unassigned IP address from the address pool according to the priority order of IP address assignment and then sends the IP address and other configuration information together in a DHCP OFFER packet to the DHCP client The sending mode is decided by the flag filed in the DHCP DISCOVER packet ...

Page 402: ...By default a DHCP client updates its IP address lease automatically by unicasting a DHCP REQUEST packet to the DHCP server when half of the lease time elapses The DHCP server responds with a DHCP ACK packet to notify the DHCP client of a new IP lease if the server can assign the same IP address to the client Otherwise the DHCP server responds with a DHCP NAK packet to notify the DHCP client that t...

Page 403: ...s Elapsed time after the DHCP client initiates a DHCP request z flags The first bit is the broadcast response flag bit used to identify that the DHCP response packet is a unicast set to 0 or broadcast set to 1 Other bits are reserved z ciaddr IP address of a DHCP client z yiaddr IP address that the DHCP server assigns to a client z siaddr IP address of the DHCP server z giaddr IP address of the fi...

Page 404: ...1 5 1 4 Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z RFC3046 DHCP Relay Agent Information option ...

Page 405: ... function of the DHCP relay agent operating at the network layer z Layer 2 switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains an illegal IP address To ensure that the DHCP clients obtain IP addresses from valid DHCP servers you can specify a port to be a trusted port...

Page 406: ...relay agent or a device enabled with DHCP snooping receives a client s request it adds the Option 82 to the request message and sends it to the server The administrator can locate the DHCP client to further implement security control and accounting The Option 82 supporting server can also use such information to define individual assignment policies of IP address and other parameters for the clien...

Page 407: ...es the type and length of a circuit ID or remote ID The remote ID type field and circuit ID type field are determined by the option storage format They are both set to 0 in the case of HEX format and to 1 in the case of ASCII format Figure 2 2 Extended format of the circuit ID sub option Figure 2 3 Extended format of the remote ID sub option In practice some network devices do not support the type...

Page 408: ...Option 82 Neither of the two sub options is configured Forward the packet after replacing the original Option 82 with the default content The storage format of Option 82 content is the one specified with the dhcp snooping information format command or the default HEX format if this command is not executed Circuit ID sub option is configured Forward the packet after replacing the circuit ID sub opt...

Page 409: ...tion sequence When the DHCP snooping device receives a DHCP response packet from the DHCP server the DHCP snooping device will delete the Option 82 field if contained before forwarding the packet or will directly forward the packet if the packet does not contain the Option 82 field 2 1 3 Introduction to IP Filtering A denial of service DoS attack means an attempt of an attacker sending a large num...

Page 410: ...ts of the client can be correctly forwarded III IP filtering The switch can filter IP packets in the following two modes z Filtering the source IP address in a packet If the source IP address and the number of the port that receives the packet are consistent with entries in the DHCP snooping table or static binding table the switch regards the packet as a valid packet and forwards it otherwise the...

Page 411: ...t connected to the DHCP client must be in the same VLAN z You are not recommended to configure both the DHCP snooping and selective Q in Q function on the switch which may result in the DHCP snooping to function abnormally 2 2 2 Configuring DHCP Snooping to Support Option 82 Note Enable DHCP snooping and specify trusted ports on the switch before configuring DHCP snooping to support Option 82 Comp...

Page 412: ... dhcp snooping information strategy drop keep replace Optional The default handling policy is replace Enter Ethernet port view interface interface type interface number Configure a handling policy for requests that contain Option 82 received on the specified interface dhcp snooping information strategy drop keep replace Optional The default policy is replace Note If a handling policy is configured...

Page 413: ...it ID or remote ID sub option the format of the sub option is ASCII instead of the one specified with the dhcp snooping information format command IV Configuring the circuit ID sub option Follow these steps to configure the circuit ID sub option To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the circuit ID su...

Page 414: ...terfaces You can configure Option 82 as the system name sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customized character string in the ASCII format for different VLANs That is to say you can add different configuration rules for packets from different...

Page 415: ...Option 82 is added however the remote ID is subject to the one configured on the primary port z The remote ID configured on a port will not be synchronized in the case of port aggregation VI Configuring the padding format for Option 82 Follow these steps to configure the padding format for Option 82 To do Use the command Remarks Enter system view system view Configure the padding format dhcp snoop...

Page 416: ...P client can obtain the IP address of the static entry that is the dynamic DHCP snooping entry cannot be generated z The VLAN ID of the IP static binding configured on a port is the VLAN ID of the port 2 3 Displaying DHCP Snooping Configuration To do Use the command Remarks Display the user IP MAC address mapping entries recorded by the DHCP snooping function display dhcp snooping unit unit id Dis...

Page 417: ...P snooping Option 82 support configuration III Configuration procedure Enable DHCP snooping on the switch Switch system view Switch dhcp snooping Specify GigabitEthernet 1 0 5 as the trusted port Switch interface GigabitEthernet1 0 5 Switch GigabitEthernet1 0 5 dhcp snooping trust Switch GigabitEthernet1 0 5 quit Enable DHCP snooping Option 82 support Switch dhcp snooping information enable Set th...

Page 418: ...t 1 0 1 as the DHCP snooping trusted port z Enable IP filtering on GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 to prevent attacks to the server from clients using fake source IP addresses z Create static binding entries on the switch so that Host A using a fixed IP address can access external networks II Network diagram Switch DHCP Snooping Host A IP 1 1 1 1 MAC 0001 0001...

Page 419: ...1 0 2 ip check source ip address mac address Switch GigabitEthernet1 0 2 quit Switch interface GigabitEthernet1 0 3 Switch GigabitEthernet1 0 3 ip check source ip address mac address Switch GigabitEthernet1 0 3 quit Switch interface GigabitEthernet1 0 4 Switch GigabitEthernet1 0 4 ip check source ip address mac address Switch GigabitEthernet1 0 4 quit Create static binding entries on GigabitEthern...

Page 420: ...fter you specify an interface as a Bootstrap Protocol BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a BOOTP cli...

Page 421: ...ace to obtain IP address through DHCP or BOOTP ip address bootp alloc dhcp alloc Required By default no IP address is configured for the VLAN interface Note z Currently an S5100 SI EI Ethernet switch functioning as the DHCP client can use an IP address for 24 days at most That is the DHCP client can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease ...

Page 422: ...cp alloc command enables the DHCP client and UDP port 68 z Using the undo ip address dhcp alloc command disables the DHCP client and UDP port 68 3 4 Displaying DHCP BOOTP Client Configuration To do Use the command Remarks Display related information on a DHCP client display dhcp client verbose Display related information on a BOOTP client display bootp client interface Vlan interface vlan id Optio...

Page 423: ...A system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc 3 5 2 BOOTP Client Configuration Example I Network requirement Switch A s port belonging to VLAN1 is connected to the LAN VLAN interface 1 obtains an IP address from the DHCP server by using BOOTP II Network diagram See Figure 3 1 III Configuration procedure The following describes only the configuration...

Page 424: ...ACL 1 8 1 3 ACL Assignment 1 10 1 3 1 Assigning an ACL Globally 1 10 1 3 2 Assigning an ACL to a VLAN 1 11 1 3 3 Assigning an ACL to a Port Group 1 12 1 3 4 Assigning an ACL to a Port 1 12 1 4 Displaying ACL Configuration 1 13 1 5 Example for Upper layer Software Referencing ACLs 1 14 1 5 1 Example for Controlling Telnet Login Users by Source IP 1 14 1 5 2 Example for Controlling Web Login Users b...

Page 425: ...ir application purposes ACLs fall into the following four types z Basic ACL Rules are created based on source IP addresses only z Advanced ACL Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as ...

Page 426: ...rity If rule A and rule B are still the same after comparison in the above order the weighting principles will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the parameter itself will jointly decide the final matching order Involved parameters with weighting values from high to low are icmp type established dscp tos pr...

Page 427: ...eferenced by routing policies z Used to control Telnet SNMP and Web login users Note z When an ACL is directly applied to hardware for packet filtering the switch will permit packets if the packets do not match the ACL z When an ACL is referenced by upper layer software to control Telnet SNMP and Web login users the switch will deny packets if the packets do not match the ACL 1 1 3 Types of ACLs S...

Page 428: ...me range time range time name start time to end time days of the week from start time start date to end time end date from start time start date to end time end date to end time end date Required Note that z If only a periodic time section is defined in a time range the time range is active only when the system time is within the defined periodic time section If multiple periodic time sections are...

Page 429: ...me range test 8 00 to 18 00 working day Sysname display time range test Current time is 13 27 32 Apr 16 2005 Saturday Time range test Inactive 08 00 to 18 00 working day Define an absolute time range spans from 15 00 1 28 2006 to 15 00 1 28 2008 Sysname system view Sysname time range test from 15 00 1 28 2006 to 15 00 1 28 2008 Sysname display time range test Current time is 13 30 32 Apr 16 2005 S...

Page 430: ...he rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message and you need to specify a number for the rule z The content of a modified or created rule cannot b...

Page 431: ...exible than those defined for basic ACLs I Configuration Prerequisites z To configure a time range based advanced ACL rule you need to create the corresponding time ranges first For information about of time range configuration refer to section 1 2 1 Configuring Time Range z The settings to be specified in the rule such as source and destination IP addresses the protocols carried by IP and protoco...

Page 432: ...d the newly created rules will be inserted in the existent ones by depth first principle but the numbers of the existent rules are unaltered III Configuration Example Configure ACL 3000 to permit the TCP packets sourced from the network 129 9 0 0 16 and destined for the network 202 38 160 0 24 and with the destination port number being 80 Sysname system view Sysname acl number 3000 Sysname acl adv...

Page 433: ...nd the unmodified part of the ACL remains z If you do not specify the rule id argument when creating an ACL rule the rule will be numbered automatically If the ACL has no rules the rule is numbered 0 otherwise the number of the rule will be the greatest rule number plus one If the current greatest rule number is 65534 however the system will display an error message and you need to specify a numbe...

Page 434: ...can assign ACLs in the above mentioned ways as required Caution z ACLs assigned globally take precedence over those that are assigned to VLANs That is when a packet matches a rule of a globally assigned ACL and a rule of an ACL assigned to a VLAN the device will perform the action defined in the rule of the globally assigned ACL if the actions defined in the two rules conflict z When a packet matc...

Page 435: ...s Before applying ACL rules to a VLAN you need to define the related ACLs For information about defining an ACL refer to section 1 2 2 Configuring Basic ACL section 1 2 3 Configuring Advanced ACL section 1 2 4 Configuring Layer 2 ACL II Configuration procedure Table 1 6 Assign an ACL to a VLAN Operation Command Description Enter system view system view Apply an ACL to a VLAN packet filter vlan vla...

Page 436: ... view port group group id Apply an ACL to the port group packet filter inbound acl rule Required For description on the acl rule argument refer to ACL Command Note After an ACL is assigned to a port group it will be automatically assigned to the ports that are subsequently added to the port group III Configuration example Apply ACL 2000 to port group 1 to filter the inbound packets on all the port...

Page 437: ...ysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 packet filter inbound ip group 2000 1 4 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table 1 9 Display ACL configuration Operation Command Description Display a configured ACL or all t...

Page 438: ... Figure 1 1 Network diagram for controlling Telnet login users by source IP III Configuration procedure Define ACL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet login users Sysname user interface vty 0 4 Sysname ui vty0 4 acl 2000 inbound 1 5 2 Examp...

Page 439: ... 1 permit source 10 110 100 46 0 Sysname acl basic 2001 quit Reference ACL 2001 to control users logging in to the Web server Sysname ip http acl 2001 1 6 Example for Applying ACLs to Hardware 1 6 1 Basic ACL Configuration Example I Network requirements PC 1 and PC 2 connect to the switch through GigabitEthernet 1 0 1 PC1 s IP address is 10 1 1 1 Apply an ACL on Ethernet 1 0 1 to deny packets with...

Page 440: ...ket filter inbound ip group 2000 1 6 2 Advanced ACL Configuration Example I Network requirements Different departments of an enterprise are interconnected through a switch The IP address of the wage query server is 192 168 1 2 The R D department is connected to GigabitEthernet 1 0 1 of the switch Apply an ACL to deny requests from the R D department and destined for the wage server during the work...

Page 441: ...0011 and the destination MAC address of 0011 0011 0012 from 8 00 to 18 00 everyday II Network diagram Figure 1 5 Network diagram for Layer 2 ACL III Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 daily Define ACL 4000 to filter packets with the source MAC address of 0011 0011 0011 and the des...

Page 442: ...ver from 8 00 to 18 00 in working days II Network diagram GE1 0 1 PC 1 PC 3 Database server PC 2 VLAN 10 GE1 0 2 GE1 0 3 192 168 1 2 Figure 1 6 Network diagram for applying an ACL to a VLAN III Configuration procedure Define a periodic time range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets des...

Page 443: ...1 16 1 3 10 Flow Based Traffic Accounting 1 19 1 3 11 Burst 1 19 1 3 12 Traffic Mirroring 1 19 1 4 QoS Configuration 1 20 1 4 1 QoS Configuration Task List 1 20 1 4 2 Configuring Priority Trust Mode 1 20 1 4 3 Configuring Priority Mapping 1 22 1 4 4 Setting the Priority of Protocol Packets 1 25 1 4 5 Configuring Priority Marking 1 26 1 4 6 Configuring Traffic Policing 1 29 1 4 7 Configuring Traffi...

Page 444: ...xample 1 52 Chapter 2 QoS Profile Configuration 2 1 2 1 Overview 2 1 2 1 1 Introduction to QoS Profile 2 1 2 1 2 QoS Profile Application Mode 2 1 2 2 QoS Profile Configuration 2 2 2 2 1 Configuring a QoS Profile 2 2 2 2 2 Applying a QoS Profile 2 3 2 2 3 Displaying and Maintaining QoS Profile Configuration 2 4 2 3 Configuration Example 2 5 2 3 1 QoS Profile Configuration Example 2 5 ...

Page 445: ...warding process 1 1 2 Traditional Packet Forwarding Services On traditional IP networks devices treat all packets equally and handle them using the first in first out FIFO policy All packets share the resources of the network and devices How many resources the packets can obtain completely depends on the time they arrive This service is called best effort It delivers packets to their destinations ...

Page 446: ...recedence of packets To meet these requirements networks must provide more improved services 1 1 4 Major Traffic Control Technologies Figure 1 1 End to end QoS model As shown in Figure 1 1 traffic classification traffic policing traffic shaping congestion management and congestion avoidance form the foundation for differentiated service provisioning They deal with different issues of QoS z Traffic...

Page 447: ...vices by classifying packets with certain match criteria Traffic policing traffic shaping congestion management and congestion avoidance manage network traffic and resources in different ways to realize differentiated services 1 2 QoS Features Supported by the S5100 Series Ethernet Switches The S5100 series Ethernet switches support the QoS features listed in Table 1 1 Table 1 1 QoS features suppo...

Page 448: ...apping refer to VLAN Mapping z For information about traffic accounting refer to Flow Based Traffic Accounting z For information about traffic mirroring refer to Traffic Mirroring QoS actions You can configure the following QoS actions for traffic separately as required on the S5100 series z Priority trust mode z Protocol packet priority z Line rate available only on the S5100 SI z Burst z For inf...

Page 449: ...r protocol number destination address and destination port number for example or for all packets to a certain network segment 1 3 2 Priority Trust Mode I Introduction to precedence types 1 IP precedence ToS precedence and DSCP Figure 1 2 DS field and ToS byte As shown in Figure 1 2 the ToS field of the IP header contains eight bits the first three bits 0 to 2 represent IP precedence from 0 to 7 an...

Page 450: ... four subclasses AF1 to AF4 each containing three drop priorities for more granular classification The QoS level of the AF class is lower than that of the EF class z Class Selector CS class This class is derived from the IP ToS field and includes eight subclasses z Best Effort BE class This class is a special CS class that does not provide any assurance AF traffic exceeding the limit is degraded t...

Page 451: ...an 802 1q tag header As shown in Figure 1 3 each host supporting the 802 1q protocol adds a 4 byte 802 1q tag header after the source address field of the former Ethernet frame header when sending packets The 4 byte 802 1q tag header consists of a two byte tag protocol identifier TPID field whose value is 0x8100 and a two byte tag control information TCI field Figure 1 4 presents the format of the...

Page 452: ...ocessed preferentially As local precedence is used only for internal queuing a packet does not carry it after leaving the queue 4 Drop precedence Drop precedence is used for making packet drop decisions Packets with the highest drop precedence are dropped preferentially II Priority trust mode A switch can assign different types of precedence to received packets as configured such as 802 1p precede...

Page 453: ...erent trust modes z Trusting port priority In this mode the switch replaces the 802 1p precedence value of the received packet with the port priority looks up the 802 1p precedence to other precedence mapping table for the set of precedence values corresponding to the port priority of the receiving port and assigns the matching precedence value set to the packet z Trusting packet priority After co...

Page 454: ...one of the following modes z In the default mode deliver the packet with its original 802 1p precedence value unchanged z In the automap mode deliver the packet with the target 802 1p precedence value after mapping in place of its original one z In the remap mode look up the DSCP precedence to DSCP precedence mapping table for a new DSCP valu e corresponding to the current DSCP value then searc h ...

Page 455: ...of S5100 SI series switches 802 1p precedence value Target local precedence value Target DSCP value 0 1 16 1 0 0 2 0 8 3 1 24 4 2 32 5 2 40 6 3 48 7 3 56 Table 1 8 The default DSCP to other precedence mapping table of S5100 EI series switches DSCP values Target local precedence value Target drop precedence value Target 802 1p precedence value 0 to 7 0 1 1 8 to 15 1 1 2 16 to 23 2 1 0 24 to 31 3 1 ...

Page 456: ...cedence mapping table of S5100 SI series switches DSCP values Target local precedence value Target 802 1p precedence value 0 to 7 0 1 8 to 15 0 2 16 to 23 1 0 24 to 31 1 3 32 to 39 2 4 40 to 47 2 5 48 to 55 3 6 56 to 63 3 7 Table 1 10 The default DSCP precedence to DSCP precedence mapping table of S5100 SI EI series switches DSCP value Target DSCP value 0 0 1 1 2 2 3 3 61 61 62 62 63 63 ...

Page 457: ... If user traffic is not limited burst traffic will make your network more congested To better utilize the network resources and provide better services for more users you must take actions to control user traffic For example you can configure a flow to use only the resources committed to it in a time range thus avoiding network congestion caused by burst traffic Traffic policing and traffic shapin...

Page 458: ... permitted average rate of the traffic It is usually set to the committed information rate CIR z Burst size The capacity of the token bucket namely the maximum traffic size that is permitted in each burst It is usually set to the committed burst size CBS The set burst size must be greater than the maximum packet size Evaluation is performed each time a packet arrives If the number of tokens in the...

Page 459: ...arking the conforming packets or nonconforming packets with DSCP values and forwarding the packets IV Traffic shaping Traffic shaping provides measures to adjust the rate of outbound traffic actively A typical traffic shaping application is to limit the local traffic output rate according to the downstream traffic policing parameters The major difference between traffic shaping and traffic policin...

Page 460: ...e packets passing a port It is a simpler solution if you want to limit the rate of all the packets passing a port 1 3 7 Traffic Redirecting Traffic redirecting classifies traffic using ACLs and redirects the matched packets to specific ports With traffic redirecting you can change the way in which a packet is forwarded to achieve specific purposes 1 3 8 VLAN Mapping VLAN mapping classifies traffic...

Page 461: ...g schedules the eight queues strictly in the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packets in the queue with the second highest priority and so on By assigning mission critical packets to high priority queues and common service packets to low priority queues you can ensure that the missi...

Page 462: ...uing that the packets in low priority queues may failed to be served for a long time Another advantage of WRR queuing is that though the queues are scheduled in order the service time for each queue is not fixed With WRR if a queue is empty the next queue will be scheduled immediately In this way the bandwidth resources are fully utilized 3 SDWRR Compared with WRR SDWRR reduces scheduling delay an...

Page 463: ...tching packets With this function you can collect statistics about the packets you are interested in 1 3 11 Burst The burst function improves packet buffering and forwarding performance in the following scenarios z Dense broadcast or multicast traffic and massive burst traffic are present z High speed traffic is forwarded over a low speed link or traffic received from multiple interfaces at the sa...

Page 464: ...al Configuring Traffic Accounting Optional Enabling the Burst Function Optional Configuring Traffic Mirroring Optional 1 4 2 Configuring Priority Trust Mode Refer to Priority Trust Mode for details about available priority trust modes I Configuration prerequisites z The priority trust mode to be used has been determined z The port where priority trust mode is to be configured has been determined z...

Page 465: ...trust DSCP value of traffic Follow these steps to configure a port to trust DSCP value of traffic To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure to trust DSCP values priority trust dscp automap remap Required By default port priority is trusted III Configuration examples Configure trusting port priority on Gi...

Page 466: ...able To do Use the command Remarks Enter system view system view Configure the CoS precedence to lo cal precedence mapping table qos cos local precedence map cos0 map local prec cos1 map local prec cos2 map local prec cos3 map local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required Configure the CoS precedence to dr op precedence mapping table qos cos dr...

Page 467: ... configure the DSCP precedence to DSCP precedence mapping table To do Use the command Remarks Enter system view system view Configure DSCP precedence to DSCP pr ecedence mapping table qos dscp dscp map dscp list dscp value Required III Configuration examples Configure the CoS precedence to local precedence mapping table for an S5100 EI series switch as follows 0 to 2 1 to 3 2 to 4 3 to 1 4 to 7 5 ...

Page 468: ...9 20 21 22 23 4 Sysname qos dscp local precedence map 24 25 26 27 28 29 30 31 1 Sysname qos dscp local precedence map 32 33 34 35 36 37 38 39 7 Sysname qos dscp local precedence map 40 41 42 43 44 45 46 47 0 Sysname qos dscp local precedence map 48 49 50 51 52 53 54 55 5 Sysname qos dscp local precedence map 56 57 58 59 60 61 62 63 6 Sysname display qos dscp local precedence map dscp local precede...

Page 469: ... 37 7 38 7 39 7 40 0 41 0 42 0 43 0 44 0 45 0 46 0 47 0 48 5 49 5 50 5 51 5 52 5 53 5 54 5 55 5 56 6 57 6 58 6 59 6 60 6 61 6 62 6 63 6 1 4 4 Setting the Priority of Protocol Packets Refer to Protocol Priority for information about priority of protocol packets ...

Page 470: ...et SNMP and ICMP III Configuration examples Set the IP precedence value of ICMP packets to 3 Sysname system view Sysname protocol priority protocol type icmp ip precedence 3 After completing the above configuration display the list of protocol priorities manually specified Sysname display protocol priority Protocol icmp IP Precedence flash 3 1 4 5 Configuring Priority Marking Refer to Priority Mar...

Page 471: ...atching the specific ACL rules globally To do Use the command Remarks Enter system view system view Mark a priority for the incoming packets matching the specific ACL rules traffic priority inbound acl rule dscp dscp value cos cos value Required 2 Configuring priority marking for a VLAN Follow these steps to configure marking a priority for the incoming packets matching the specific ACL rules in a...

Page 472: ...r defined traffic classification rules configured for priority marking in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets The device will execute priority marking preferentially which may affect device management implemented through Telnet and so on III Configuration examples Mark the incoming packets from network segment 10 1 1 0 24 with ...

Page 473: ...e rate limit have been determined II Configuration procedures You can configure traffic policing for the incoming packets matching the specific ACL rules globally in a VLAN in a port group or on a port 1 Configuring traffic policing globally Follow these steps to configure traffic policing for the incoming packets matching the specific ACL rules globally To do Use the command Remarks Enter system ...

Page 474: ...ew port group group id Configure traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action meter statistic Required Disabled by default Clear traffic policing statistics reset traffic limit inbound acl rule Optional 4 Configuring traffic policing for a port Follow these steps to configure traffic policing for the incoming packets matching the specific ACL ...

Page 475: ...k segment 10 1 1 0 24 1 Method I Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 traffic limit inbound ip group 2000 128 exceed remark dscp 56 2 Method II Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1...

Page 476: ...z Without queue queue id specified traffic shaping applies to all traffic z With queue queue id specified traffic shaping applies to traffic in the specified queue III Configuration example Configure traffic shaping for all the traffic to be transmitted through GigabitEthernet 1 0 1 with the maximum traffic rate being 640 kbps and the burst size being 16 kbytes Sysname system view Sysname interfac...

Page 477: ...ystem view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 line rate inbound 1024 1 4 9 Configuring Traffic Redirecting Refer to Traffic Redirecting for information about traffic redirecting Note This feature is available only on the H3C S5100 EI series switches I Configuration prerequisites z The ACL rules used for traffic classification have been defined Refer to the ACL mod...

Page 478: ...erface number Required 3 Configuring traffic redirecting for a port group Follow these steps to configure traffic redirecting for the incoming packets in a port group To do Use the command Remarks Enter system view system view Enter port group view port group group id Configure traffic redirecting traffic redirect inbound acl rule interface interface type interface number Required 4 Configuring tr...

Page 479: ...n examples Redirect all the incoming packets from network segment 10 1 1 0 24 to GigabitEthernet 1 0 7 assume that GigabitEthernet 1 0 1 belongs to VLAN 2 and is connected to network segment 10 1 1 0 24 1 Method I Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet1 0 1 Sysname Gigabi...

Page 480: ... remark vlan vlan id all packet tagged packet untagged packet Required By default VLAN mapping is not configured The S5100 EI series switches do not support the all packet keyword or the tagged packet keyword III Configuration example Configure VLAN mapping to change VLAN IDs of all the incoming packets from network segment 10 1 1 0 24 into 1001 on GigabitEthernet 1 0 1 assume that GigabitEthernet...

Page 481: ...r wrr group1 queue id queue weight 1 8 group2 queue id queue weight 1 8 Configure SDWRR queuing For S5100 SI series switches queue scheduler wrr group1 queue id queue weight 1 4 group2 queue id queue weight 1 4 Required By default SP queuing is used on all the output queues of a port The port of an S5100 SI series switch provides up to four output queues while the port of an S5100 EI series switch...

Page 482: ...cessive queue numbers to the same scheduling group III Configuration example Configure an S5100 EI series switch to use SP SDWRR for queue scheduling assigning queue 3 queue 4 and queue 5 to WRR scheduling group 1 with the weigh of 20 20 and 30 assigning queue 0 queue 1 and queue 2 to WRR group 2 with the weight of 20 20 and 40 using SP for scheduling queue 6 and queue 7 Display queue scheduling c...

Page 483: ...ect statistics of the packets matching a specific ACL rule traffic statistic inbound acl rule Required Clear statistics of the packets matching a specific ACL rule reset traffic statistic inbound acl rule Optional 2 Configuring traffic accounting for a VLAN Follow these steps to collect clear statistics about the incoming ACL matching packets in a VLAN To do Use the command Remarks Enter system vi...

Page 484: ...t statistics about incoming ACL matching packets traffic statistic inbound acl rule Required Clear statistics about incoming ACL matching packets reset traffic statistic inbound acl rule Optional Caution User defined traffic classification rules configured for traffic accounting in the global scope or for a VLAN take precedence over the default rules used for processing protocol packets The device...

Page 485: ...statistic vlan 2 inbound ip group 2000 1 4 13 Enabling the Burst Function Refer to Burst for information about the burst function I Configuration prerequisites The burst function is required II Configuration procedure Follow these steps to enable the burst function To do Use the command Remarks Enter system view system view Enable the burst function burst mode enable Required Disabled by default I...

Page 486: ...erface interface type interface number Configure the port as the monitor port monitor port Required Return to system view quit Mirror incoming ACL matching packets to the monitor port mirrored to inbound acl rule monitor interface Required 2 Configuring traffic mirroring for a VLAN Follow these steps to configure traffic mirroring for a VLAN To do Use the command Remarks Enter system view system v...

Page 487: ...command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure the port as the monitor port monitor port Required Return to system view quit Enter Ethernet port view interface interface type interface number Mirror incoming ACL matching packets on the port to the monitor port mirrored to inbound acl rule monitor interface Required Caution...

Page 488: ...0 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet 1 0 4 Sysname GigabitEthernet1 0 4 monitor port Sysname GigabitEthernet1 0 4 quit Sysname mirrored to vlan 2 inbound ip group 2000 monitor interface 1 4 15 Displaying and Maintaining QoS To do Use the command Remarks Display protocol packet priority configuration display pro...

Page 489: ...rity trust mode of a port or all the ports display qos interface interface type interface number unit id priority trust Available in any view Display traffic shaping configuration of a port or all the ports display qos interface interface type interface number unit id traffic shape Available in any view Display traffic policing configuration of a port or all the ports display qos interface interfa...

Page 490: ... statistic Available in any view Display port group level QoS configuration of traffic mirroring traffic policing priority marking traffic redirecting or traffic accounting display qos port group group id all mirrored to traffic limit traffic priority traffic redirect traffic statistic Available in any view 1 5 QoS Configuration Examples 1 5 1 Traffic Policing Configuration Example I Network requi...

Page 491: ...192 168 2 0 0 0 0 255 Sysname acl basic 2001 quit 2 Configure traffic policing Set the maximum rate of outbound IP packets sourced from the marketing department to 64 kbps Sysname traffic limit vlan 2 inbound ip group 2001 64 exceed drop Set the maximum rate of outbound IP packets sourced from the R D department to 128 kbps Sysname traffic limit vlan 1 inbound ip group 2000 128 exceed drop 1 5 2 P...

Page 492: ...ification Create ACL 3000 and enter advanced ACL view Sysname system view Sysname acl number 3000 Define ACL rules for classifying packets based on destination IP addresses Sysname acl adv 3000 rule 0 permit ip destination 192 168 0 1 0 Sysname acl adv 3000 rule 1 permit ip destination 192 168 0 2 0 Sysname acl adv 3000 rule 2 permit ip destination 192 168 0 3 0 Sysname acl adv 3000 quit 2 Configu...

Page 493: ...works to communicate through public network VLANs z Switch A provides network access for terminal devices in VLAN 100 and VLAN 200 through GigabitEthernet 1 0 11 and GigabitEthernet 1 0 12 On the other side of the public network Switch B provides network access for servers in VLAN 100 and VLAN 200 through GigabitEthernet 1 0 15 and GigabitEthernet 1 0 16 z Switch A provides access to the public ne...

Page 494: ...witchA vlan 500 SwitchA vlan500 quit SwitchA vlan 600 SwitchA vlan600 quit Configure GigabitEthernet 1 0 11 of Switch A as a trunk port and configure its default VLAN as VLAN 100 Assign GigabitEthernet 1 0 11 to VLAN 100 and VLAN 500 Configure GigabitEthernet 1 0 12 of Switch A as a trunk port and configure its default VLAN as VLAN 200 Assign GigabitEthernet 1 0 12 to VLAN 200 and VLAN 600 SwitchA...

Page 495: ...ckets from VLAN 500 and ACL 4003 to permit packets from VLAN 600 SwitchA acl number 4000 SwitchA acl ethernetframe 4000 rule permit source 100 SwitchA quit SwitchA acl number 4001 SwitchA acl ethernetframe 4001 rule permit source 200 SwitchA quit SwitchA acl number 4002 SwitchA acl ethernetframe 4002 rule permit source 500 SwitchA quit SwitchA acl number 4003 SwitchA acl ethernetframe 4003 rule pe...

Page 496: ...eting department is connected to GigabitEthernet 1 0 1 of the switch The hosts of the marketing department are on network segment 192 168 1 0 25 and access the Internet through the switch z The R D department is connected to GigabitEthernet 1 0 2 of the switch The hosts of the R D department are on network segment 192 168 2 0 25 and access the Internet through the switch z The data monitoring devi...

Page 497: ...ent during the specified time range Switch acl number 2000 Switch acl basic 2000 rule permit source 192 168 1 0 0 0 0 127 time range trname Switch acl basic 2000 quit Configure to mirror traffic matching ACL 2000 to GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 mirrored to inbound ip group 2000 monitor interface Switch GigabitEthernet1 0 1 quit Switch int...

Page 498: ...c 2001 quit Configure to redirect traffic matching ACL 2001 to GigabitEthernet 1 0 3 Switch interface GigabitEthernet 1 0 2 Switch GigabitEthernet1 0 2 traffic redirect inbound ip group 2001 interface GigabitEthernet 1 0 3 ...

Page 499: ...sponding QoS profile to the port to maintain the same QoS configuration performed for the host Currently a QoS profile can contain configurations concerning packet filtering traffic policing and priority marking 2 1 2 QoS Profile Application Mode I Dynamic application mode A QoS profile can be applied dynamically to a user or a group of users passing the 802 1x authentication To apply QoS profiles...

Page 500: ...rofile contains source address information source MAC address information source IP address information or both II Manual application mode You can use the apply command to manually apply a QoS profile to a port 2 2 QoS Profile Configuration Complete the following tasks to configure a QoS profile Task Remarks Configuring a QoS Profile Required Applying a QoS Profile Required 2 2 1 Configuring a QoS...

Page 501: ...traffic priority inbound acl rule dscp dscp value cos cos value Optional 2 2 2 Applying a QoS Profile You can enable a QoS profile to be dynamically applied or apply it manually I Configuration prerequisites z To enable a QoS profile to be applied dynamically make sure 802 1x has been enabled both globally and on the port and the authentication mode has been determined For information about 802 1x...

Page 502: ...these steps to apply a QoS profile manually To do Use the command Remarks Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port view interface interface type interface number Apply a QoS profile to the specific ports In Ethernet port view Apply a QoS profile to the port apply qos profile profile name Use either approach By default ...

Page 503: ...tch Network AAA Server GE1 0 1 Figure 2 1 Network diagram for QoS profile configuration II Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the user name to QoS profile mapping Refer to the user manual of the AAA server for detailed configuration 2 Configuration on the switch Configure IP addresses for the RADIUS server Sysname system view...

Page 504: ...t net quit Create advanced ACL 3000 to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile example to limit the rate of matched packets to 128 kbps and drop the packets exceeding the rate limit Sysname qos profile example Sysname qos profile example traffic limit inbound ip group ...

Page 505: ...ing 1 4 1 1 4 VLAN Based Mirroring 1 4 1 1 5 Traffic Mirroring 1 4 1 2 Mirroring Configuration 1 4 1 2 1 Configuring Local Port Mirroring 1 5 1 2 2 Configuring Remote Port Mirroring 1 6 1 2 3 Configuring MAC Based Mirroring 1 9 1 2 4 Configuring VLAN Based Mirroring 1 10 1 3 Displaying Port Mirroring 1 11 1 4 Mirroring Configuration Examples 1 12 1 4 1 Local Port Mirroring Configuration Example 1 ...

Page 506: ...ith a data monitoring device for network monitoring and diagnosis The port where packets are duplicated is called the source mirroring port or monitored port and the port to which duplicated packets are sent is called the destination mirroring port or the monitor port as shown in the following figure PC Data detection device Network Source mirroring port Destination mirroring port Figure 1 1 Mirro...

Page 507: ...ts are sent from the reflector port of the source switch to the monitor port on the destination switch through the remote probe VLAN Figure 1 2 illustrates the implementation of remote port mirroring Figure 1 2 Remote port mirroring application The switches involved in remote port mirroring function as follows z Source switch The source switch is the device where the monitored port is located It c...

Page 508: ... switch or the destination switch Intermediate switch Trunk port Sends mirrored packets to the destination switch Two trunk ports are necessary for the intermediate switch to connect the devices at the source switch side and the destination switch side Trunk port Receives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the pa...

Page 509: ...VLAN based mirroring is more extensive and it can be used to monitor packets of a specific VLAN or VLANs in the network 1 1 5 Traffic Mirroring Traffic mirroring uses ACL to monitor traffic that matches certain criteria on a specific port Unlike port mirroring where all inbound outbound traffic passing through a port is monitored traffic mirroring provides a finer monitoring granularity For detail...

Page 510: ... Configure the source port for the port mirroring group In port view quit Use either approach You can configure multiple source ports at a time in system view or you can configure the source port in specific port view The configurations in the two views have the same effect In system view mirroring group group id monitor port monitor port id interface interface type interface number Configure the ...

Page 511: ...nfiguration procedure Table 1 3 Follow these steps to perform configurations on the source switch To do Use the command Remarks Enter system view system view Create a VLAN and enter the VLAN view vlan vlan id vlan id is the ID of the remote probe VLAN Configure the current VLAN as the remote probe VLAN remote probe vlan enable Required Return to system view quit Enter the view of the Ethernet port...

Page 512: ...ess port and cannot be configured with the functions like VLAN VPN port loopback detection port security and so on z You cannot modify the duplex mode port rate and MDI attribute of a reflector port z Only an existing static VLAN can be configured as the remote probe VLAN To remove a remote probe VLAN you need to restore it to a normal VLAN first A remote port mirroring group gets invalid if the c...

Page 513: ... a switch acting as a destination switch 1 Configuration prerequisites z The destination port and the remote probe VLAN are determined z Layer 2 connectivity is ensured between the source and destination switches over the remote probe VLAN 2 Configuration procedure Table 1 5 Follow these steps to configure remote port mirroring on the destination switch To do Use the command Remarks Enter system v...

Page 514: ...onfiguring a destination switch note that z The destination port of remote port mirroring cannot be a member port of an existing mirroring group a member port of an aggregation group or a port enabled with LACP or STP z Only an existing static VLAN can be configured as the remote probe VLAN To remove a remote probe VLAN you need to restore it to a normal VLAN first A remote port mirroring group ge...

Page 515: ...figure the destination port on the source switch when configuring MAC based remote mirroring III Configuration example Configure MAC based mirroring to mirror packets whose source destination MAC addresses match 000f e20f 0101 to port GigabitEthernet 1 0 2 on the local device Configuration procedure Sysname system view Sysname mac address static 000f e20f 0101 interface Gigabitethernet 1 0 1 vlan ...

Page 516: ...ing group mirroring group group id monitor port monitor port id Required Note that you need not configure the destination port on the source switch when configuring VLAN based remote mirroring III Configuration example Configure VLAN based mirroring to mirror packets received on all ports in VLAN 2 to port GigabitEthernet 1 0 2 on the local device Configuration procedure Sysname system view Sysnam...

Page 517: ...itor the packets received on and sent from the R D department and the marketing department through the data detection device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Configure GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as mirroring source ports z Configure GigabitEthernet 1 0 3 as the mirroring destination port II Network...

Page 518: ...GigabitEthernet 1 0 1 of Switch A z Department 2 is connected to GigabitEthernet 1 0 2 of Switch A z GigabitEthernet 1 0 3 of Switch A connects to GigabitEthernet 1 0 1 of Switch B z GigabitEthernet 1 0 2 of Switch B connects to GigabitEthernet 1 0 1 of Switch C z The data detection device is connected to GigabitEthernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from De...

Page 519: ...the remote probe VLAN Sysname vlan 10 Sysname vlan10 remote probe vlan enable Sysname vlan10 quit Configure the source ports reflector port and remote probe VLAN for the remote source mirroring group Sysname mirroring group 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 inbound Sysname mirroring group 1 reflector port GigabitEthernet 1 0 4 Sysname mirroring group 1 remote probe vlan ...

Page 520: ...GigabitEthernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 10 Sysname GigabitEthernet1 0 1 quit Configure GigabitEthernet 1 0 2 as the trunk port allowing packets of VLAN 10 to pass Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port link type trunk Sysname GigabitEthernet1 0 2 port trunk permit vlan 10 3 Configure the destination switch Swi...

Page 521: ...ernet1 0 1 port link type trunk Sysname GigabitEthernet1 0 1 port trunk permit vlan 10 Sysname GigabitEthernet1 0 1 quit Display configuration information about remote destination mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type remote destination status active monitor port GigabitEthernet1 0 2 remote probe vlan 10 After the configurations you can monitor all packets sent...

Page 522: ... 1 3 1 1 4 ARP Process 1 4 1 1 5 Introduction to ARP Attack Detection 1 4 1 1 6 Introduction to Gratuitous ARP 1 6 1 2 Configuring ARP 1 6 1 2 1 Configuring ARP Basic Functions 1 6 1 2 2 Configuring ARP Attack Detection 1 7 1 3 Configuring Gratuitous ARP 1 8 1 4 Displaying and Debugging ARP 1 9 1 5 ARP Configuration Examples 1 10 1 5 1 ARP Basic Configuration Example 1 10 1 5 2 ARP Attack Detectio...

Page 523: ...a network layer packet to a destination host the device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address Note Unless otherwise stated a data link layer address in this chapter refers to a 48 bit Ethernet MAC address 1 1 2 ARP Message Format ARP messages ar...

Page 524: ...ble 1 1 Description on the fields of an ARP packet Field Description Hardware Type Type of the hardware interface Refer to Table 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length of protocol address Protocol address length in bytes Operator Indicates th...

Page 525: ...host in an Ethernet maintains an ARP table where the latest used IP address to MAC address mapping entries are stored S5100 SI EI series Ethernet switches provide the display arp command to display the information about ARP mapping entries ARP entries in an S5100 SI EI series Ethernet switch can either be static entries or dynamic entries as described in Table 1 3 Table 1 3 ARP entries ARP entry G...

Page 526: ...l zero MAC address Because the ARP request is sent in broadcast mode all hosts on this subnet can receive the request but only the requested host namely Host B will process the request 3 Host B compares its own IP address with the destination IP address in the ARP request If they are the same Host B saves the source IP address and source MAC address into its ARP mapping table encapsulates its MAC ...

Page 527: ...dle attack II ARP attack detection To guard against the man in the middle attacks launched by hackers or attackers S5100 SI EI series Ethernet switches support the ARP attack detection function All ARP both request and response packets passing through the switch are redirected to the CPU which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP...

Page 528: ...IP addresses carried in a received gratuitous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine whether or not IP address conflicts exist between it and other network devices z Trigger other network devices to update its hardware address stored in their cache...

Page 529: ...entified by the interface type and interface number arguments must belong to the VLAN z Currently static ARP entries cannot be configured on the ports of an aggregation group 1 2 2 Configuring ARP Attack Detection Follow these steps to configure the ARP attack detection function To do Use the command Remarks Enter system view system view Create a static binding ip source static binding ip address ...

Page 530: ...ed to enable DHCP snooping and configure static IP binding entries on the switch These functions can cooperate with ARP attack detection to check the validity of packets For more information about DHCP snooping refer to DHCP Operation in this manual z Generally the uplink port of a switch is configured as a trusted port z Before enabling ARP restricted forwarding make sure you have enabled ARP att...

Page 531: ...erface is changed 1 4 Displaying and Debugging ARP To do Use the command Remarks Display specific ARP mapping table entries display arp static dynamic ip address Display the ARP mapping entries related to a specified string in a specified way display arp dynamic static begin include exclude regular expression Display the number of the ARP entries of a specified type display arp count dynamic stati...

Page 532: ... Sysname undo arp check enable Sysname arp timer aging 10 Sysname arp static 192 168 1 1 000f e201 0000 1 GigabitEthernet1 0 10 1 5 2 ARP Attack Detection Configuration Example I Network requirements As shown in Figure 1 4 GigabitEthernet 1 0 1 of Switch A connects to DHCP Server GigabitEthernet 1 0 2 connects to Client A GigabitEthernet 1 0 3 connects to Client B GigabitEthernet 1 0 1 GigabitEthe...

Page 533: ...snooping on Switch A SwitchA system view SwitchA dhcp snooping Specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port and the ARP trusted port SwitchA interface GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA GigabitEthernet1 0 1 arp detection trust SwitchA GigabitEthernet1 0 1 quit Enable ARP attack detection on all ports in VLAN 1 SwitchA vlan 1 SwitchA vla...

Page 534: ... Displaying and Debugging a Stack 1 4 1 5 Stack Configuration Example 1 5 Chapter 2 Cluster 2 1 2 1 Cluster Overview 2 1 2 1 1 Introduction to HGMP 2 1 2 1 2 Roles in a Cluster 2 2 2 1 3 How a Cluster Works 2 3 2 2 Cluster Configuration Tasks 2 10 2 2 1 Configuring the Management Device 2 10 2 2 2 Configuring Member Devices 2 15 2 2 3 Managing a Cluster through the Management Device 2 17 2 2 4 Con...

Page 535: ...ck by performing configurations on one of the switches In this case the switch becomes the main switch of the stack You can perform the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Before creating a stack you need to configure an IP address pool for the stack on the main switch When adding a switch to a s...

Page 536: ...ack through their stack ports to the stack 1 2 Main Switch Configuration The main switch configuration includes z Configuring the IP Address Pool and Creating the Stack z Switching to Slave Switch View 1 2 1 Configuring the IP Address Pool and Creating the Stack Table 1 1 Configure the IP address pool and create the stack Operation Command Description Enter system view system view Configure an IP ...

Page 537: ...work segment For example the 1 1 255 254 is not a qualified start address for a stack IP address pool z If the IP address of the management VLAN interface of the main switch or a slave switch is not of the same network segment as that of the stack address pool the main switch or the slave switch automatically removes the existing IP address and picks a new one from the stack address pool as its IP...

Page 538: ... Command Description Display the stack status information on the main switch display stacking members Optional The display command can be executed in any view When being executed with the members keyword not specified this command displays the main switch and the number of switches in the stack When being executed with the members keyword specified this command displays the member information of t...

Page 539: ...s B and Switch C through Switch A II Network diagram Figure 1 1 Network diagram for stack configuration III Configuration procedure Configure the IP address pool for the stack on Switch A Sysname system view Sysname stacking ip pool 129 10 1 15 3 Create the stack on switch A Sysname stacking enable stack_0 Sysname quit stack_0 Sysname Display the information about the stack on switch A stack_0 Sys...

Page 540: ...mber 2 Name stack_2 Sysname Device S5100EI MAC Address 000f e200 3135 Member status Up IP 129 10 1 17 16 Switch to Switch B a slave switch stack_0 Sysname stacking 1 stack_1 Sysname Display the information about the stack on switch B stack_1 Sysname display stacking Slave device for stack Member number 1 Management vlan 1 default vlan Main device mac address 000f e20f c43a Switch back to Switch A ...

Page 541: ...ch in a cluster plays one of the following three roles z Management device z Member device z Candidate device A cluster comprises of a management device and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remote devices in batches reducing the workload of th...

Page 542: ...nder specific conditions As mentioned above the three cluster roles are management device member device and candidate device Table 2 1 Description on cluster roles Role Configuration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that is it forwards the commands...

Page 543: ... from the cluster z A management device becomes a candidate device only after the cluster is removed Note After you create a cluster on an S5100 switch the switch collects the network topology information periodically and adds the candidate switches it finds to the cluster The interval for a management device to collect network topology information is determined by the NTDP timer If you do not wan...

Page 544: ... following neighbor information device ID port full half duplex mode product version the Boot ROM version and so on z An NDP enabled device maintains an NDP neighbor table Each entry in the NDP table can automatically ages out You can also clear the current NDP information manually to have neighbor information collected again z An NDP enabled device regularly broadcasts NDP packet through all its ...

Page 545: ... all the neighbor devices z The neighbor devices perform the same operation until the NTDP topology collection request is propagated to all the devices within the specified hops When an NTDP topology collection request is propagated in the network it is received and forwarded by large numbers of network devices which may cause network congestion and the management device busy processing of the NTD...

Page 546: ... network topology so as to manage and monitor network devices z Before performing any cluster related configuration task you need to enable the cluster function first Note On the management device you need to enable the cluster function and configure cluster parameters On the member candidate devices however you only need to enable the cluster function so that they can be managed by the management...

Page 547: ...iod three times of the interval to send handshake packets the state of the member device will also be changed from Active to Connect z If the management device receives a handshake packet or management packet from a member device that is in Connect state within the information holdtime it changes the state of the member device to Active otherwise it changes the state of the member device in Connec...

Page 548: ...management device and the member candidate devices Therefore z If the packets of management VLAN are not permitted on a candidate device port connecting to the management device the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function z Packets of the manageme...

Page 549: ...esponding ARP entry of the IP address to find out the corresponding MAC address and VLAN ID and thus find out the port connected with the downstream switch 2 After finding out the port connected with the downstream switch the switch will send a multicast packet with the VLAN ID and specified hops to the port Upon receiving the packet the downstream switch compares its own MAC address with the dest...

Page 550: ...ons the switches play You also need to configure the related functions preparing for the communication between devices within the cluster Table 2 2 Cluster configuration tasks Configuration task Remarks Configuring the Management Device Required Configuring Member Devices Required Managing a Cluster through the Management Device Optional Configuring the Enhanced Cluster Features Optional 2 2 1 Con...

Page 551: ...uster function is closed On the management device the preceding functions are implemented as follows z When you create a cluster by using the build or auto build command UDP port 40000 is opened at the same time z When you remove a cluster by using the undo build or undo cluster enable command UDP port 40000 is closed at the same time II Enabling NDP globally and on specific ports Table 2 4 Enable...

Page 552: ...e 2 6 Enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable Required Enabled by default Enter Ethernet port view interface interface type interface number Enable NTDP on the Ethernet port ntdp enable Required Enabled by default V Configuring NTDP related parameters Table 2 7 Configure NTDP related parameters Operati...

Page 553: ...tion Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function is enabled VII Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establishing a cluster and configuring cluster parameters in ...

Page 554: ...default the holdtime is 60 seconds Set the interval to send handshake packets timer interval Optional By default the interval to send handshake packets is 10 seconds 2 Establish a cluster in automatic mode Table 2 10 Establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the IP address range for the cluster ip pool adm...

Page 555: ...ptional By default no shared TFTP server is configured Configure a shared logging host for the cluster logging host ip address Optional By default no shared logging host is configured Configure a shared SNMP host for the cluster snmp host ip address Optional By default no shared SNMP host is configured 2 2 2 Configuring Member Devices I Member device configuration tasks Table 2 12 Member device co...

Page 556: ...te devices change to member devices and their UDP port 40000 is opened at the same time z When you execute the administrator address command on a device the device s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is closed at the same time z When you execute ...

Page 557: ...le Optional By default the cluster function is enabled V Accessing the shared FTP TFTP server from a member device Perform the following operations in user view on a member device Table 2 16 Access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server of the cluster ...

Page 558: ...mber mac address H H H administrator Optional You can use this command switch to the view of a member device and switch back Locate device through MAC address and IP address tracemac by mac mac address vlan vlan id by ip ip address nondp Optional These commands can be executed in any view 2 2 4 Configuring the Enhanced Cluster Features I Enhanced cluster feature overview 1 Cluster topology managem...

Page 559: ...AC address of the device that you need to restrict into the cluster blacklist even if the cluster function is enabled on this device and the device is normally connected to the current cluster this device cannot join the cluster and participate in the unified management and configuration of the cluster II Configure the enhanced cluster features Table 2 18 The enhanced cluster feature configuration...

Page 560: ... device display ntdp single device mac address mac address Display the topology of the current cluster display cluster current topology mac address mac address1 to mac address mac address2 member id member id1 to member id member id2 Display the information about the base topology of the cluster display cluster base topology mac address mac address member member id Display the information about al...

Page 561: ...s to verify your configuration Table 2 21 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime and all neighbors discovered display ndp Display NDP configuration and running information on specified ports including the neighbors discovered by NDP on the ports display nd...

Page 562: ...as the management device the S5100 switch manages the two member devices The configuration for the cluster is as follows z The two member devices connect to the management device through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 z The management device connects to the Internet through GigabitEthernet 1 0 1 z GigabitEthernet 1 0 1 belongs to VLAN 2 whose interface IP address is 163 172 55 1 z...

Page 563: ...Ethernet 1 0 2 and GigabitEthernet 1 0 3 Sysname system view Sysname ndp enable Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 ndp enable Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet 1 0 3 Sysname GigabitEthernet1 0 3 ndp enable Sysname GigabitEthernet1 0 3 quit Set the holdtime of NDP information to 200 seconds Sysname ndp timer aging 200 Set the inter...

Page 564: ... build aaa aaa_0 Sysname cluster Add the attached two switches to the cluster aaa_0 Sysname cluster add member 1 mac address 000f e20f 0011 aaa_0 Sysname cluster add member 17 mac address 000f e20f 0012 Set the holdtime of member device information to 100 seconds aaa_0 Sysname cluster holdtime 100 Set the interval to send handshake packets to 10 seconds aaa_0 Sysname cluster timer 10 Configure the...

Page 565: ...ecute the cluster switch to administrator command to return to management device view z In addition you can execute the reboot member member number mac address H H H eraseflash command on the management device to reboot a member device For detailed information about these operations refer to the preceding description in this chapter z After the above configuration you can receive logs and SNMP tra...

Page 566: ...r the enhanced cluster feature configuration III Configuration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all save to local flash ...

Page 567: ... Configuring Trap Related Functions 1 6 1 3 1 Configuring Basic Trap Functions 1 6 1 3 2 Configuring Extended Trap Function 1 7 1 4 Enabling Logging for Network Management 1 7 1 5 Displaying SNMP 1 8 1 6 SNMP Configuration Example 1 8 1 6 1 SNMP Configuration Example 1 8 Chapter 2 RMON Configuration 2 1 2 1 Introduction to RMON 2 1 2 1 1 Working Mechanism of RMON 2 1 2 1 2 Commonly Used RMON Group...

Page 568: ... provides basic function set it is suitable for small sized networks with fast speed and low cost SNMP is based on User Datagram Protocol UDP and is thus widely supported by many products 1 1 1 SNMP Operation Mechanism SNMP is implemented by two components namely network management station NMS and agent z An NMS can be a workstation running client program At present the commonly used network manag...

Page 569: ... permissions can only query the switch information while those with read write permission can configure the switch as well z Set the basic ACL specified by the community name 1 1 3 Supported MIBs An SNMP packet carries management variables with it Management variable is used to describe the management objects of a switch To uniquely identify the management objects of the switch SNMP adopts a hiera...

Page 570: ...t system information and specify to enable SNMPv1 or SNMPv2c on the switch snmp agent sys info contact sys contact location sys location version v1 v2c v3 all Required By default the contact information for system maintenance is Hangzhou H3C Technologies Co Ltd the system location is Hangzhou China and the SNMP version is SNMPv3 Direct configu ration Set a commun ity name snmp agent community read...

Page 571: ...s 1 Follow these steps to configure basic SNMP functions SNMPv3 To do Use the command Remarks Enter system view system view Enable SNMP agent snmp agent Optional Disabled by default You can enable SNMP agent by executing this command or any of the commands used to configure SNMP agent Set system information and specify to enable SNMPv3 on the switch snmp agent sys info contact sys contact location...

Page 572: ...nd snmp agent packet max size byte count Optional 1 500 bytes by default Set the device engine ID snmp agent local engineid engineid Optional By default the device engine ID is enterprise number device information Create or update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Note An S5100...

Page 573: ...ard authentication coldstart linkdown linkup warmstart system Enter port view or interface view interface interface type interface number Enable the port or interface to send traps enable snmp trap updown Enable the port to send traps Quit to system view quit Optional By default a port is enabled to send all types of traps Set the destination for traps snmp agent target host trap address udp domai...

Page 574: ...ls refer to RFC 1213 1 4 Enabling Logging for Network Management Follow these steps to enable logging for network management To do Use the command Remarks Enter system view system view Enable logging for network management snmp agent log set operation get operation all Optional Disabled by default Note z When SNMP logging is enabled on a device SNMP logs are output to the information center of the...

Page 575: ...roup name Display trap list information display snmp agent trap list Display the currently configured community name display snmp agent community read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view 1 6 SNMP Configuration Example 1 6 1 SNMP Configuration Example I Network requirements z An NMS and Switch A SNMP ag...

Page 576: ...assword to passmd5 z encryption protocol to AES z encryption password to cfb128cfb128 Sysname snmp agent group v3 managev3group privacy write view internet Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode aes128 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port GigabitEthernet 1 0 2 which is to be used for network mana...

Page 577: ...password authentication When you use H3C s QuidView NMS you need to set user names and choose the security level in Quidview Authentication Parameter For each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can query and configure an Ethernet switch through th...

Page 578: ... period of time and the total number of packets successfully sent to a specific host z RMON is fully based on SNMP architecture It is compatible with the current SNMP implementations z RMON enables SNMP to monitor remote network devices more effectively and actively thus providing a satisfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SN...

Page 579: ...arm group and extended alarm group to trigger alarms You can specify a network device to act in one of the following ways in response to an event z Logging the event z Sending traps to the NMS z Logging the event and sending traps to the NMS z No processing II Alarm group RMON alarm management enables monitoring on specific alarm variables such as the statistics of a port When the value of a monit...

Page 580: ...tore data of a specific port periodically V Statistics group Statistics group contains the statistics of each monitored port on a switch An entry in a statistics group is an accumulated value counting from the time when the statistics group is created The statistics include the number of the following items collisions packets with Cyclic Redundancy Check CRC errors undersize or oversize packets br...

Page 581: ...e1 event entry1 falling_threshold threshold value2 event entry2 entrytype forever cycle cycle period owner text Optional Before adding an extended alarm entry you need to use the rmon event command to define the event to be referenced by the extended alarm entry Enter Ethernet port view interface interface type interface number Add a history entry rmon history entry number buckets number interval ...

Page 582: ...Configuration Example I Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before performing RMON configuration z Create an entry in the extended alarm table to monitor the information of statistics on the Ethernet port if the change rate of which exceeds the set threshold the alarm events will be tr...

Page 583: ...ples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entrytype forever owner user1 Display the RMON extended alarm entry numbered 2 Sysname display rmon prialarm 2 Prialarm tab...

Page 584: ...n IGMP Snooping 2 2 2 1 3 Work Mechanism of IGMP Snooping 2 3 2 2 IGMP Snooping Configuration 2 5 2 2 1 Enabling IGMP Snooping 2 6 2 2 2 Configuring the Version of IGMP Snooping 2 6 2 2 3 Configuring Timers 2 7 2 2 4 Configuring Fast Leave Processing 2 7 2 2 5 Configuring a Multicast Group Filter 2 9 2 2 6 Configuring the Maximum Number of Multicast Groups on a Port 2 10 2 2 7 Configuring IGMP Que...

Page 585: ...es Table of Contents ii Chapter 3 Common Multicast Configuration 3 1 3 1 Common Multicast Configuration 3 1 3 1 1 Configuring a Multicast MAC Address Entry 3 1 3 1 2 Configuring Dropping Unknown Multicast Packets 3 2 3 2 Displaying Common Multicast Configuration 3 2 ...

Page 586: ... unicast broadcast and multicast The following sections describe and compare data interaction processes in unicast broadcast and multicast 1 1 1 Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 1 1 Source Server Rece...

Page 587: ...dcast mode Figure 1 2 Information transmission in the broadcast mode Assume that Hosts B D and E need the information The source server broadcasts this information through routers and Hosts A and C on the network also receive this information As we can see from the information transmission process the security and legal use of paid service cannot be guaranteed In addition when only a small number ...

Page 588: ...3 Information transmission in the multicast mode Assume that Hosts B D and E need the information To transmit the information to the right users it is necessary to group Hosts B D and E into a receiver set The routers on the network duplicate and distribute the information based on the distribution of the receivers in this set Finally the information is correctly delivered to Hosts B D and E The a...

Page 589: ...smission and multicast transmission Step TV transmission Multicast transmission 1 A TV station transmits a TV program through a television channel A multicast source sends multicast data to a multicast group 2 A user tunes the TV set to the channel A receiver joins the multicast group 3 The user starts to watch the TV program transmitted by the TV station via the channel The receiver starts to rec...

Page 590: ...fic Multicast SSM I ASM model In the ASM model any sender can become a multicast source and send information to a multicast group numbers of receivers can join a multicast group identified by a group address and obtain multicast information addressed to that multicast group In this model receivers are not aware of the position of a multicast source in advance However they can join or leave the mul...

Page 591: ...nism host registration multicast routing and multicast application z Addressing mechanism Information is sent from a multicast source to a group of receivers through multicast addresses z Host registration A receiving host joins and leaves a multicast group dynamically using the membership registration mechanism z Multicast routing A router or switch transports packets from a multicast source to r...

Page 592: ...st group has the following characteristics z The membership of a group is dynamic A host can join and leave a multicast group at any time z A multicast group can be either permanent or temporary z A multicast group whose addresses are assigned by IANA is a permanent multicast group It is also called reserved multicast group Note that z The IP addresses of a permanent multicast group keep unchanged...

Page 593: ...s Class D address range Description 224 0 0 1 Address of all hosts 224 0 0 2 Address of all multicast routers 224 0 0 3 Unassigned 224 0 0 4 Distance vector multicast routing protocol DVMRP routers 224 0 0 5 Open shortest path first OSPF routers 224 0 0 6 Open shortest path first designated routers OSPF DR 224 0 0 7 Shared tree routers 224 0 0 8 Shared tree hosts 224 0 0 9 RIP 2 routers 224 0 0 11...

Page 594: ...icast packet is transported in an Ethernet network a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members As stipulated by IANA the high order 24 bits of a multicast MAC address are 0x01005e while the low order 23 bits of a MAC address are the low order 23 bits of the multicast IP address Figure 1 4 describes the mapping re...

Page 595: ...nctions of the Layer 2 and Layer 3 multicast protocols in a network For details about these protocols refer to the related chapters of this manual I Layer 3 multicast protocols Layer 3 multicast protocols include multicast group management protocols and multicast routing protocols Figure 1 5 describes where these multicast protocols are in a network AS 1 AS 2 Source Receiver Receiver Receiver PIM ...

Page 596: ... is a popular one Based on the forwarding mechanism PIM comes in two modes dense mode often referred to as PIM DM and sparse mode often referred to as PIM SM z An inter domain multicast routing protocol is used for delivery of multicast information between two ASs So far mature solutions include multicast source discovery protocol MSDP For the SSM model multicast routes are not divided into inter ...

Page 597: ...l be forwarded or discarded The RPF check mechanism is the basis for most multicast routing protocols to implement multicast forwarding The RPF mechanism enables multicast devices to forward multicast packets correctly based on the multicast route configuration In addition the RPF mechanism also helps avoid data loops caused by various reasons 1 4 1 Implementation of the RPF Mechanism Upon receivi...

Page 598: ...not independently maintain any type of unicast route instead it relies on the existing unicast routing information in creating multicast routing entries When performing an RPF check a router searches its unicast routing table The specific process is as follows The router automatically chooses an optimal unicast route by searching its unicast routing table using the IP address of the packet source ...

Page 599: ... to 192 168 0 0 24 is VLAN interface 2 This means that the interface on which the packet actually arrived is not the RPF interface The RPF check fails and the packet is discarded z A multicast packet from Source arrives to VLAN interface 2 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C The router performs an RPF check and finds in it...

Page 600: ...resses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are multicast to the receivers rather than broadcast to all hosts at Layer 2 Multicast packet transmission without IGMP Sno...

Page 601: ... or IGMP querier side of the Ethernet switch In the figure Ethernet 1 0 1 of Switch A and Ethernet 1 0 1 of Switch B are router ports A switch registers all its local router ports in its router port list z Member port A member port is a port on the multicast group member side of the Ethernet switch In the figure Ethernet 1 0 2 and Ethernet 1 0 3 of Switch A and Ethernet 1 0 2 of Switch B are membe...

Page 602: ...port is a router port existing in its router port list the switch resets the aging timer of this router port z If the receiving port is not a router port existing in its router port list the switch adds it into its router port list and sets an aging timer for this router port II When receiving a membership report A host sends an IGMP report to the multicast router in the following circumstances z ...

Page 603: ...VLAN Because the switch does not know whether any other member hosts of that multicast group still exists under the port to which the IGMP leave message arrived the switch does not immediately delete the forwarding entry corresponding to that port from the forwarding table instead it resets the aging timer of the member port Upon receiving the IGMP leave message from a host the IGMP querier resolv...

Page 604: ...Table 2 2 IGMP Snooping configuration tasks Operation Remarks Enabling IGMP Snooping Required Configuring the Version of IGMP Snooping Optional Configuring Timers Optional Configuring Fast Leave Processing Optional Configuring a Multicast Group Filter Optional Configuring the Maximum Number of Multicast Groups on a Port Optional Configuring IGMP Querier Optional Suppressing Flooding of Unknown Mul...

Page 605: ...Snooping and VLAN VPN are enabled on a VLAN at the same time IGMP queries are likely to fail to pass the VLAN You can solve this problem by configuring VLAN tags for queries For details see 2 2 12 Configuring a VLAN Tag for Query Messages 2 2 2 Configuring the Version of IGMP Snooping With the development of multicast technologies IGMPv3 has found increasingly wide application In IGMPv3 a host can...

Page 606: ... timer of the router port the aging timer of the multicast member ports and the query response timer Table 2 5 Configure timers Operation Command Remarks Enter system view system view Configure the aging timer of the router port igmp snooping router aging time seconds Optional By default the aging time of the router port is 105 seconds Configure the query response timer igmp snooping max response ...

Page 607: ...LANs igmp snooping fast leave vlan vlan list Required By default the fast leave processing feature is disabled Note z The fast leave processing function works for a port only if the host attached to the port runs IGMPv2 or IGMPv3 z The configuration performed in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes ef...

Page 608: ...not be sent to this port In this way the service provider can control the VOD programs provided for multicast users Make sure that an ACL rule has been configured before configuring this feature I Configuring a multicast group filter in system view Table 2 8 Configure a multicast group filter in system view Operation Command Remarks Enter system view system view Configure a multicast group filter ...

Page 609: ... in the specified VLAN s z The configuration performed in Ethernet port view takes effect on the port no matter which VLAN it belongs to if no VLAN is specified if one or more VLANs are specified the configuration takes effect on the port only if the port belongs to the specified VLAN s 2 2 6 Configuring the Maximum Number of Multicast Groups on a Port By configuring the maximum number of multicas...

Page 610: ...r 3 multicast devices can establish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called IGMP querier However a Layer 2 multicast switch does not support IGMP and therefore cannot send general queries by default By enabling IGMP Snooping on a Layer 2 switch in a VLAN where multicast traffic needs to be La...

Page 611: ...With the unknown multicast flooding suppression function enabled when receiving a multicast packet for an unknown multicast group an IGMP Snooping switch creates a nonflooding entry and relays the packet to router ports only instead of flooding the packet within the VLAN If the switch has no router ports it drops the multicast packet Table 2 12 Suppress flooding of unknown multicast traffic in the...

Page 612: ...N interface view Operation Command Remarks Enter system view system view Enter VLAN interface view interface vlan interface interface number Configure specified port s as static member port s of a multicast group in the VLAN multicast static group group address interface interface list Required By default no port is configured as a static multicast group member port 2 2 10 Configuring a Static Rou...

Page 613: ...e multicast group on the local subnet and remove the corresponding path To avoid this from happening you can configure a port of the VLAN of the switch as a multicast group member When the port receives IGMP query messages the multicast switch will respond As a result the port of the VLAN can continue to receive multicast traffic Through this configuration the following functions can be implemente...

Page 614: ...ess command to specify a multicast source address that the port will join as a simulated host This configuration takes effect when IMGPv3 Snooping is enabled in the VLAN 2 2 12 Configuring a VLAN Tag for Query Messages By configuring the VLAN tag carried in IGMP general and group specific queries forwarded and sent by IGMP Snooping switches you can enable multicast packet forwarding between differ...

Page 615: ...s bandwidth because multicast streams are transmitted only within the multicast VLAN In addition because the multicast VLAN is isolated from user VLANs this method also enhances the information security Multicast VLAN is mainly used in Layer 2 switching but you must make the corresponding configurations on the Layer 3 switch Table 2 19 Configure multicast VLAN on the Layer 3 switch Operation Comma...

Page 616: ... multicast VLAN service type multicast Required Return to system view quit Enter Ethernet port view for the Layer 3 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk hybrid Required port hybrid vlan vlan list tagged untagged Specify the VLANs to be allowed to pass the Ethernet port port trunk permit vlan vlan list Required The multicast...

Page 617: ...he multicast VLAN If no router ports exist in the multicast VLAN all IGMP report messages are flooded within the multicast VLAN 2 3 Displaying and Maintaining IGMP Snooping After the configuration above you can execute the following display commands in any view to verify the configuration by checking the displayed information You can execute the reset command in user view to clear the statistics i...

Page 618: ...ulticast data to the multicast group 224 1 1 1 Host A and Host B are receivers of the multicast group 224 1 1 1 II Network diagram Multicast packets Source Router A Switch A Receiver Receiver Host B Host A Host C 1 1 1 1 24 GE1 0 4 GE1 0 2 GE1 0 3 IGMP querier GE1 0 1 GE1 0 1 10 1 1 1 24 GE1 0 2 1 1 1 2 24 VLAN100 Figure 2 3 Network diagram for IGMP Snooping configuration III Configuration procedu...

Page 619: ...able SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100 on Switch A SwitchA display igmp snooping group vlan100 Total 1 IP Group s Total 1 MAC Group s Vlan id 100 Total 1 IP Group s Total 1 MAC Group s Static Router port s Dynamic Router port s GigabitEthernet1 0 1 IP group s the following ip group s match to one mac group IP group addr...

Page 620: ...ayer 2 switch z VLAN 2 contains GigabitEthernet 1 0 1 and VLAN 3 contains GigabitEthernet 1 0 2 z The default VLANs of GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 are VLAN 2 and VLAN 3 respectively z VLAN 10 contains GigabitEthernet 1 0 10 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 GigabitEthernet 1 0 10 is connected to Switch A z VLAN 10 is a multicast VLAN z GigabitEthernet 1 0 1 sends ...

Page 621: ...Ethernet 1 0 1 SwitchA vlan20 quit SwitchA interface Vlan interface 20 SwitchA Vlan interface20 ip address 168 10 1 1 255 255 255 0 SwitchA Vlan interface20 pim dm SwitchA Vlan interface20 quit Configure VLAN 10 SwitchA vlan 10 SwitchA vlan10 quit Define GigabitEthernet 1 0 10 as a hybrid port add the port to VLAN 10 and configure the port to forward tagged packets for VLAN 10 SwitchA interface Gi...

Page 622: ... as a hybrid port add the port to VLAN 2 and VLAN 10 configure the port to forward untagged packets for VLAN 2 and VLAN 10 and set VLAN 2 as the default VLAN of the port SwitchB interface GigabitEthernet 1 0 1 SwitchB GigabitEthernet1 0 1 port link type hybrid SwitchB GigabitEthernet1 0 1 port hybrid vlan 2 10 untagged SwitchB GigabitEthernet1 0 1 port hybrid pvid vlan 2 SwitchB GigabitEthernet1 0...

Page 623: ...ping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corresponding VLAN use the igmp snooping enable command in VLAN view only to enable it on the corresponding VLAN 2 Multicast forwarding table set up by IGMP Snooping is wrong z Use the display igmp snooping group command to check if the multi...

Page 624: ...h the switch will flood the packet within the VLAN to which the port belongs You can configure a static multicast MAC address entry to avoid this Table 3 1 Configure a multicast MAC address entry in system view Operation Command Remarks Enter system view system view Create a multicast MAC address entry mac address multicast mac address interface interface list vlan vlan id Required The mac address...

Page 625: ...u can do that if IGMP Snooping is not enabled in the VLAN 3 1 2 Configuring Dropping Unknown Multicast Packets Generally if the multicast address of the multicast packet received on the switch is not registered on the local switch the packet will be flooded in the VLAN When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast addr...

Page 626: ...Multicast Configuration 3 3 Table 3 4 Display common multicast configuration Operation Command Remarks Display the created multicast MAC table entries display mac address multicast static mac address vlan vlan id vlan vlan id count count You can execute the display commands in any view ...

Page 627: ...1 1 4 1 Configuration Prerequisites 1 12 1 4 2 Configuration Procedure 1 12 1 5 Configuring NTP Authentication 1 12 1 5 1 Configuration Prerequisites 1 13 1 5 2 Configuration Procedure 1 14 1 6 Configuring Optional NTP Parameters 1 16 1 6 1 Configuring an Interface on the Local Switch to Send NTP Messages 1 16 1 6 2 Configuring the Number of Dynamic Sessions Allowed on the Local Switch 1 16 1 6 3 ...

Page 628: ...t only be synchronized by other clock sources but also serve as a clock source to synchronize other clocks Besides it can synchronize or be synchronized by other systems by exchanging NTP messages 1 1 1 Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensure accuracy it is unfeasible for an administrator to perform the ope...

Page 629: ...the unsynchronized state and cannot serve as a reference clock z The local clock of an S5100 SI EI Ethernet switch cannot be set as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized 1 1 2 Implementation Principle of NTP Figure 1 1 shows the implementation principle of NTP Ethernet switch A Device A is connected to Eth...

Page 630: ...am T1 identifying when it is sent z When the message arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z When Device A receives the NTP message the local time of Device A is 10 00 03am T4 At this time Device A has enough information to calculate the following...

Page 631: ...ymmetric peer mode Passive peer Clock synchronization request packet Synchronize Network Active peer Works in passive peer mode automatically In peer mode both sides can be synchronized to each other Response packet Figure 1 3 Symmetric peer mode In the symmetric peer mode the local S5100 SI EI Ethernet switch serves as the symmetric active peer and sends clock synchronization request first while ...

Page 632: ...I EI series Ethernet switches NTP implementation mode Configuration on S5100 SI EI series switches Server client mode Configure the local S5100 SI EI Ethernet switch to work in the NTP client mode In this mode the remote server serves as the local time server while the local switch serves as the client Symmetric peer mode Configure the local S5100 SI EI switch to work in NTP symmetric peer mode In...

Page 633: ... local S5100 SI EI Ethernet switch to work in NTP multicast client mode In this mode the local switch receives multicast NTP messages through the VLAN interface configured on the switch Caution z When an H3C S5100 SI EI Ethernet switch works in server mode or symmetric passive mode you need not to perform related configurations on this switch but do that on the client or the symmetric active peer ...

Page 634: ...ctions z UDP port 123 is opened only when the NTP feature is enabled z UDP port 123 is closed as the NTP feature is disabled These functions are implemented as follows z Execution of one of the ntp service unicast server ntp service unicast peer ntp service broadcast client ntp service broadcast server ntp service multicast client and ntp service multicast server commands enables the NTP feature a...

Page 635: ...d the source IP address of the NTP message will be configured as the primary IP address of the specified interface z A switch can act as a server to synchronize the clock of other switches only after its clock has been synchronized If the clock of a server has a stratum level lower than or equal to that of a client s clock the client will not synchronize its clock to the server s z You can configu...

Page 636: ...pecified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first otherwise the clock synchronization will not proceed z You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be chosen to synchronize with th...

Page 637: ...adcast client mode To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default 1 3 4 Configuring NTP Multicast Mode For switches working in the multicast mode you need to configure both the server and clients The mu...

Page 638: ...guring a switch to work in the multicast client mode Follow these steps to configure a switch to work in the NTP multicast client mode To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Configure the switch to work in the NTP multicast client mode ntp service multicast client ip address Required Not configured by default 1 4 Confi...

Page 639: ...e first matched right 1 4 1 Configuration Prerequisites Prior to configuring the NTP service access control right to the local switch for peer devices you need to create and configure an ACL associated with the access control right For the configuration of ACL refer to ACL Configuration in Security Volume 1 4 2 Configuration Procedure Follow these steps to configure the NTP service access control ...

Page 640: ... NTP authentication function is not enabled on the client the clock of the client can be synchronized to a server no matter whether the NTP authentication function is enabled on the server assuming that other related configurations are properly performed z For the NTP authentication function to take effect a trusted key needs to be configured on both the client and server after the NTP authenticat...

Page 641: ...ient mode ntp service unicast server remote ip server name authentication keyid key id Associ ate the specifi ed key with the corres pondin g NTP server Configure on the symmetric activ e peer in the symmetric peer mode ntp service unicast peer remote ip peer name authentication keyid key id Required For the client in the NTP broadcast multicast mode you just need to associate the specified key wi...

Page 642: ... authentication keyid key id z In NTP broadcast server mode and NTP multicast server mode you need to associate the specified key with the corresponding broadcast multicast client z You can associate an NTP broadcast multicast client with an authentication key while configuring NTP mode You can also use this command to associate them after configuring the NTP mode Note z The procedure for configur...

Page 643: ...ce unicast server or ntp service unicast peer command this interface will be used for sending NTP messages 1 6 2 Configuring the Number of Dynamic Sessions Allowed on the Local Switch A single device can have a maximum of 128 associations at the same time including static associations and dynamic associations A static association refers to an association that a user has manually created by using a...

Page 644: ...ns can be established locally 1 6 3 Disabling an Interface from Receiving NTP Messages Follow these steps to disable an interface from receiving NTP messages To do Use the command Remarks Enter system view system view Enter VLAN interface view interface Vlan interface vlan id Disable an interface from receiving NTP messages ntp service in interface disable Required By default a VLAN interface rece...

Page 645: ...guration III Configuration procedure Perform the following configurations on Device B View the NTP status of Device B before synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 18 Clock offset 0 0000 ms Root delay 0 00 ms Root dispersion 0 00 ms Peer disper...

Page 646: ...NTP sessions of Device B You can see that Device B establishes a connection with Device A DeviceB display ntp service sessions source reference stra reach poll now offset delay disper 12345 1 0 1 11 127 127 1 0 2 1 64 1 350 1 15 1 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 1 8 2 Configuring NTP Symmetric Peer Mode I Network requirements z The lo...

Page 647: ... Device C as the peer of Device B DeviceB ntp service unicast peer 3 0 1 33 Device C and Device B are symmetric peers after the above configuration Device B works in symmetric active mode while Device C works in symmetric passive mode Because the stratum level of the local clock of Device B is 1 and that of Device C is 3 the clock of Device C is synchronized to that of Device B View the status of ...

Page 648: ...4 3 12 9 2 7 25 3 0 1 31 127 127 1 0 2 1 64 1 4408 6 38 7 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 1 8 3 Configuring NTP Broadcast Mode I Network requirements z The local clock of Device C is set as the NTP master clock with a stratum level of 2 Configure Device C to work in the NTP broadcast server mode and send NTP broadcast messages through...

Page 649: ...gh VLAN interface 2 Because Device A and Device C do not share the same network segment Device A cannot receive broadcast messages from Device C while Device D is synchronized to Device C after receiving broadcast messages from Device C View the NTP status of Device D after the clock synchronization DeviceD display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0...

Page 650: ...and advertise multicast NTP messages through VLAN interface 2 z Device A and Device D are two S5100 SI EI Ethernet switches Configure Device A and Device D to work in the NTP multicast client mode and listen to multicast messages through their own VLAN interface 2 II Network diagram Vlan int2 1 0 1 31 24 Vlan int2 3 0 1 31 24 Vlan int2 3 0 1 32 24 Device A Device B Device C Device D Figure 1 9 Net...

Page 651: ...ng multicast messages from Device C View the NTP status of Device D after the clock synchronization DeviceD display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 3...

Page 652: ... Configure Device B Enter system view DeviceB system view Set Device A as the NTP server DeviceB ntp service unicast server 1 0 1 11 Enable the NTP authentication function DeviceB ntp service authentication enable Configure an MD5 authentication key with the key ID being 42 and the key being aNiceKey DeviceB ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key 42 as...

Page 653: ...ock status synchronized Clock stratum 3 Reference clock ID 1 0 1 11 Nominal frequence 60 0002 Hz Actual frequence 60 0002 Hz Clock precision 2 18 Clock offset 0 66 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that the clock of Device B is synchronized to that of Device A with a...

Page 654: ... to an SSH User 1 15 1 3 9 Exporting the Host Public Key to a File 1 16 1 4 Configuring the SSH Client 1 17 1 4 1 SSH Client Configuration Task List 1 17 1 4 2 Configuring an SSH Client that Runs SSH Client Software 1 17 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch 1 25 1 5 Displaying and Maintaining SSH Configuration 1 29 1 6 Comparison of SSH Commands with the Same Functions...

Page 655: ...er authentication functions that prevent attacks such as DNS and IP spoofing Besides SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server model The switch can be configured as an SSH client an SSH server or both at the same time As an SSH server the swit...

Page 656: ...m encrypts data using the public key and decrypts the data using the private key thus ensuring data security You can also use the asymmetric key algorithm for data signature For example user 1 adds his signature to the data using the private key and then sends the data to user 2 User 2 verifies the signature using the public key of user 1 If the signature is correct this means that the data origin...

Page 657: ...erver opens port 22 to listen to connection requests from clients z The client sends a TCP connection request to the server After the TCP connection is established the server sends the first packet to the client which includes a version identification string in the format of SSH primary protocol version number secondary protocol version number software version number The primary and secondary prot...

Page 658: ...if the authentication type is password the content is the password z The server starts to authenticate the user If authentication fails the server sends an authentication failure message to the client which contains the list of methods used for a new authentication process z The client selects an authentication type from the method list to perform authentication again z The above process repeats u...

Page 659: ...se the server sends back to the client an SSH_SMSG_FAILURE packet indicating that the processing fails or it cannot resolve the request The client sends a session request to the server which processes the request and establishes a session V Data exchange In this stage the server and the client exchanges data in this way z The client encrypts and sends the command to be executed to the server z The...

Page 660: ...the SSH server and clients Server Client Server side configuration Client side configuration An H3C switch Software that supports the SSH client functions Configuring the SSH Server Configuring an SSH Client that Runs SSH Client Software An H3C switch Another H3C switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2 Capable Switch Note An SSH server forms a secure connecti...

Page 661: ...ould support By default the SSH server is compatible with SSH1 clients Key Configuring Key Pairs Required Authentication Creating an SSH User and Specifying an Authentication Type Required Authorization Specifying a Service Type for an SSH User on the Server Optional By default an SSH user can use the service type of stelnet Configuring the Public Key of a Client on the Server z Not necessary when...

Page 662: ... user interface view of one or more user interfaces user interface vty first number last number Configure the authentication mode as scheme authentication mode scheme command authorizatio n Required By default the user interface authentication mode is password Specify the supported protocol s protocol inbound all ssh Optional By default both Telnet and SSH are supported Caution z If you have confi...

Page 663: ...functions To do Use the command Remarks Enter system view system view Set the SSH authentication timeout time ssh server timeout seconds Optional By default the SSH authentication timeout time is 60 seconds Set the number of SSH authentication retry attempts ssh server authentication retries times Optional By default the number of SSH authentication retry attempts is 3 Set the RSA server key updat...

Page 664: ...rver is compatible with SSH1 clients 1 3 4 Configuring Key Pairs The SSH server s key pairs are for generating session keys and for SSH clients to authenticate the server The SSH client s key pairs are for the SSH server to authenticate the SSH clients in publickey authentication mode Both RSA and DSA key pairs are supported As different clients may support different public key algorithms the key ...

Page 665: ... must be greater than or equal to 768 Therefore a local key pair of more than 768 bits is recommended II Destroying key pairs The RSA or DSA keys may be exposed and you may want to destroy the keys and generate new ones Follow these steps to destroy key pairs To do Use the command Remarks Enter system view system view Destroy the RSA key pairs public key local destroy rsa Destroy key pair s Destro...

Page 666: ...e SSH connections than password authentication does At present the device supports RSA and DSA for publickey authentication After configuration authentication is implemented automatically without asking you to enter the password In this mode you need to create a key pair on each client and configure each client s public key on the server This may be complicated when multiple SSH clients want to ac...

Page 667: ...hentication type for SSH users is password and remote authentication RADIUS authentication for example is adopted you need not use the ssh user command to create an SSH user because it is created on the remote server And the user can use its username and password configured on the remote server to access the network z Under the publickey authentication mode the level of commands available to a log...

Page 668: ...t 1 3 7 Configuring the Public Key of a Client on the Server Note This configuration is not necessary if the password authentication mode is configured for SSH users With the publickey authentication mode configured for an SSH client you must configure the client s RSA or DSA host public key s on the server for authentication You can manually configure the public key or import it from a public key...

Page 669: ...adecimal digit string coded in the public key format Return to public key view from public key edit view public key code end Exit public key view and return to system view peer public key end Table 1 8 Follow these steps to import the public key from a public key file To do Use the command Remarks Enter system view system view Import the public key from a public key file public key peer keyname im...

Page 670: ...hether first time authentication is supported an SSH client s or an SSH server s host public key can be imported from a public key file This task allows you to export the host public key to a file on the client or server device with key pairs generated Table 1 10 Follow these steps to export the RSA host public key To do Use the command Remarks Enter system view system view Export the RSA host pub...

Page 671: ...server on the client so that the client can authenticate the server 1 4 1 SSH Client Configuration Task List Table 1 12 Complete the following tasks to configure the SSH client SSH client configuration task Scenario For a client running SSH client software For a client assumed by an SSH2 capable switch The authentication mode is password Configuring an SSH Client that Runs SSH Client Software Conf...

Page 672: ...upported Any other version or other client please be careful to use z Selecting the protocol for remote connection as SSH Usually a client can use a variety of remote connection protocols such as Telnet Rlogin and SSH To establish an SSH connection you must select SSH z Selecting the SSH version Since the device supports SSH2 0 now select 2 0 or lower for the client z Specifying the private key fi...

Page 673: ...on 1 19 Figure 1 3 Generate a client key 1 Note that while generating the key pair you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped ...

Page 674: ...s Ethernet Switches Chapter 1 SSH Configuration 1 20 Figure 1 4 Generate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key ...

Page 675: ...rivate key A warning window pops up to prompt you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse and select the public key file and then click Convert ...

Page 676: ...Manual SSH H3C S5100 SI EI Series Ethernet Switches Chapter 1 SSH Configuration 1 22 Figure 1 7 Generate the client keys 5 II Specifying the IP address of the Server Launch PuTTY exe The following window appears ...

Page 677: ...xt box enter the IP address of the server Note that there must be a route available between the IP address of the server and the client III Selecting a protocol for remote connection As shown in Figure 1 8 select SSH under Protocol IV Selecting an SSH version From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 9 appears ...

Page 678: ...tware supports DES algorithm negotiation ssh2 V Opening an SSH connection with password authentication From the window shown in Figure 1 9 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection To log out enter the quit command VI Opening an SSH connection with publickey authentication If a user ...

Page 679: ...sername Once passing the authentication the user can log in to the server 1 4 3 Configuring an SSH Client Assumed by an SSH2 Capable Switch Table 1 13 Complete the following tasks to configure an SSH client that is assumed by an SSH2 capable switch Task Remarks Configuring the SSH client for publickey authentication Required for publickey authentication unnecessary for password authentication Conf...

Page 680: ...ublic key can continue accessing the server when it accesses the server for the first time and it will save the host public key on the client for use in subsequent authentications z With first time authentication disabled an SSH client that is not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host ...

Page 681: ...first time authentication unless you are sure that the SSH server is reliable III Specifying a source IP address interface for the SSH client You can configure a souce IP address or the souce IP address by specifying the corresponding interface for the client to use to access the SSH server This improves the service manageability when the SSH client has multiple IP addresses and interfaces Table 1...

Page 682: ..._96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required In this command you can also specify the preferred key exchange algorithm encryption algorithms and HMAC algorithms between the server and client HMAC Hash based message authentication code Note that The identity key keyword is unnecessary in password authentication and optional in public key authentication Note When logging into the...

Page 683: ...ip Display the mappings between host public keys and SSH servers saved on a client display ssh server info Display the current source IP address or the IP address of the source interface specified for the SSH Client display ssh2 source ip Available in any view 1 6 Comparison of SSH Commands with the Same Functions After the SSH protocol supports the DSA asymmetric key algorithm some SSH configurat...

Page 684: ...erver ip server name assign publickey keyname Assign a public key to an SSH user ssh user username assign rsa key keyname ssh user username assign publickey keyname Create an SSH user and specify publickey authentication as its authentication type ssh user username authentication type rsa ssh user username authentication type publickey Note z After RSA key pairs are generated the display rsa local...

Page 685: ...uration procedure z Configure the SSH server Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection Switch system view Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 0 1 255 255 255 0 Switch Vlan interface1 quit Caution Generating the RSA and DSA key pairs on the server is prerequisite to SSH l...

Page 686: ...ser client001 authentication type password z Configure the SSH client Configure an IP address 192 168 0 2 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty version 0 58 as an example 1 Run PuTTY exe to enter the ...

Page 687: ...e client001 and password abc Once authentication succeeds you will log in to the server 1 7 2 When Switch Acts as Server for Password and RADIUS Authentication I Network requirements As shown in Figure 1 14 an SSH connection is required between the host SSH client and the switch SSH server for secure data exchange Password and RADIUS authentication is required z The host runs SSH2 0 client softwar...

Page 688: ...platform and select System Management System Configuration from the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations z Specify the IP address of the switch as 192 168 1 70 z Set both the shared keys for authentication and accounting packets to expert z Select LAN A...

Page 689: ...ane click Add to enter the Add Account page and perform the following configurations z Add a user named hello and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 16 Add an account for device management 2 Configure the SSH server Create a VLAN interface on the switch and assign it an IP address This address will be used as the...

Page 690: ...scheme Switch radius scheme rad Switch radius rad accounting optional Switch radius rad primary authentication 10 1 1 1 1812 Switch radius rad key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch isp bbb scheme radius scheme rad Switch isp bbb quit Config...

Page 691: ... PuTTY exe to enter the following configuration interface Figure 1 17 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the SSH server z From the category on the left pane of the window select Connection SSH The window as shown in Figure 1 18 appears ...

Page 692: ... can access after login is authorized by the CAMS server You can specify the level by setting the EXEC Privilege Level argument in the Add Account window shown in Figure 1 16 1 7 3 When Switch Acts as Server for Password and HWTACACS Authentication I Network requirements As shown in Figure 1 19 an SSH connection is required between the host SSH client and the switch SSH server for secure data exch...

Page 693: ...ch system view Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 70 255 255 255 0 Switch Vlan interface2 quit Caution Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user in...

Page 694: ...entication for the user Switch ssh user client001 authentication type password z Configure the SSH client Configure an IP address 192 168 1 1 in this case for the SSH client This IP address and that of the VLAN interface on the switch must be in the same network segment Configure the SSH client software to establish a connection to the SSH server Take SSH client software Putty Version 0 58 as an e...

Page 695: ...server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS server configuration manuals 1 7 4 When Switch Acts as Server for Publickey Authentication I Network requirements As shown in Figure 1 22 establish an SSH connection between the host SSH client and the switch SSH Server ...

Page 696: ...lan interface1 ip address 192 168 0 1 255 255 255 0 Switch Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH login Generate RSA and DSA key pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme E...

Page 697: ...SH server through FTP or TFTP For details refer to the SSH client configuration part Import the client s public key named Switch001 from file public Switch public key peer Switch001 import sshkey public Assign the public key Switch001 to client client001 Switch ssh user client001 assign publickey Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair ...

Page 698: ...the mouse continuously and keep the mouse off the green process bar shown in Figure 1 24 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 24 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case ...

Page 699: ...pops up to prompt you whether to save the private key without any protection Click Yes and enter the name of the file for saving the private key private ppk in this case Figure 1 26 Generate a client key pair 4 Note After a public key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure ...

Page 700: ... with the SSH server 2 Launch PuTTY exe to enter the following interface Figure 1 27 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the server 3 From the category on the left pane of the window select SSH under Connection The window as shown in Figure 1 28 appears ...

Page 701: ...EI Series Ethernet Switches Chapter 1 SSH Configuration 1 47 Figure 1 28 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears ...

Page 702: ...en If the connection is normal you will be prompted to enter the username 1 7 5 When Switch Acts as Client for Password Authentication I Network requirements As shown in Figure 1 30 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name for login is client001 and the SSH server s IP address is 10 165 87 136 Password authentication is ...

Page 703: ...chB user interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Create local user client001 and set the authentication password to abc the login protocol to SSH and user command privilege level to 3 SwitchB local user client001 SwitchB luser client001 password simple abc SwitchB luser cl...

Page 704: ... Without the owner s prior written consent no decompiling or reverse engineering shall be allowed SwitchB 1 7 6 When Switch Acts as Client for Publickey Authentication I Network requirements As shown in Figure 1 31 establish an SSH connection between Switch A SSH Client and Switch B SSH Server for secure data exchange The user name is client001 and the SSH server s IP address is 10 165 87 136 Publ...

Page 705: ... interface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH SwitchB ui vty0 4 protocol inbound ssh Set the user command privilege level to 3 SwitchB ui vty0 4 user privilege level 3 SwitchB ui vty0 4 quit Specify the authentication type of user client001 as publickey SwitchB ssh user client001 authentication type publickey Note Before doing the followi...

Page 706: ... public key local export dsa ssh2 Switch001 Note After the key pair is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish an SSH connection to the server 10 165 87 136 SwitchA ssh2 10 165 87 136 identity key dsa Username client001 Trying 10 165 87 136 Press CTRL K to abort...

Page 707: ...not supported III Configuration procedure z Configure Switch B Create a VLAN interface on the switch and assign an IP address for it to serve as the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Note Generating the RSA and DSA key pairs on the server is prerequisite to SSH...

Page 708: ...c key Switch001 to user client001 SwitchB ssh user client001 assign publickey Switch001 Export the generated DSA host public key pair to a file named Switch002 SwitchB public key local export dsa ssh2 Switch002 Note When first time authentication is not supported you must first generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH...

Page 709: ...tch002 and then upload the file to the SSH client through FTP or TFTP For details refer to the above part Configure Switch B Import the public key pair named Switch002 from the file Switch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connection to server...

Page 710: ... Configuration 1 1 1 1 1 Introduction to File System 1 1 1 1 2 File System Configuration Tasks 1 1 1 1 3 Directory Operations 1 1 1 1 4 File Operations 1 2 1 1 5 Flash Memory Operations 1 3 1 1 6 Prompt Mode Configuration 1 4 1 1 7 File System Configuration Example 1 4 1 2 File Attribute Configuration 1 5 1 2 1 Introduction to File Attributes 1 5 1 2 2 Configuring File Attributes 1 6 ...

Page 711: ...emory Operations Optional Prompt Mode Configuration Optional Note S5100 SI EI series Ethernet switches allow you to input a file path and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For example the URL of a file named text txt in the root directory of the s...

Page 712: ...d z In the output information of the dir all command deleted files that is those stored in the recycle bin are embraced in brackets 1 1 4 File Operations The file system also provides file related functions listed in Table 1 3 Perform the following configuration in user view Note that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Dele...

Page 713: ...ose names are the same only the latest deleted file is kept in the recycle bin and can be restored z The files which are deleted by the delete command without the unreserved keyword are actually moved to the recycle bin and thus still take storage space You can clear the recycle bin by using the reset recycle bin command z The dir all command displays the files in the recycle bin in square bracket...

Page 714: ...ile system To do Use the command Remarks Enter system view system view Configure the prompt mode of the file system file prompt alert quiet Required By default the prompt mode of the file system is alert 1 1 7 File System Configuration Example Display all the files in the root directory of the file system Sysname dir all Directory of unit1 flash 1 rw 3579326 Mar 28 2007 10 51 22 s5100 bin 2 rw 123...

Page 715: ... 04 2000 17 30 06 dsakey 7 drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Sysname dir unit1 flash test Directory of unit1 flash test 1 rw 1235 Apr 05 2000 01 51 34 test cfg 2 rw 1235 Apr 05 2000 01 56 44 1 cfg 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup...

Page 716: ...ile can have both the main and backup attributes Files of this kind are labeled b Note that there can be only one app file one configuration file and one Web file with the main attribute in the Flash memory If a newly created file is configured to be with the main attribute the existing file with the main attribute in the Flash memory will lose its main attribute This circumstance also applies to ...

Page 717: ...omized password to enter the BOOT menu startup bootrom access enable Optional By default the user is enabled to use the customized password to enter the BOOT menu Display the information about the app file used as the startup file display boot loader unit unit id Display information about the Web file used by the device display web package Optional Available in any view Caution z The configuration...

Page 718: ...TP Client 1 7 1 2 3 Configuration Example A Switch Operating as an FTP Server 1 10 1 2 4 FTP Banner Display Configuration Example 1 13 1 2 5 FTP Configuration A Switch Operating as an FTP Client 1 14 1 3 SFTP Configuration 1 16 1 3 1 SFTP Configuration A Switch Operating as an SFTP Server 1 17 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client 1 18 1 3 3 SFTP Configuration Example 1 20 ...

Page 719: ...mit files Before World Wide Web comes into being files are transferred through command lines and the most popular application is FTP At present although E mail and Web are the usual methods for file transmission FTP still has its strongholds As an application layer protocol FTP is used for file transfer between remote server and local client FTP uses TCP ports 20 and 21 for data transfer and contr...

Page 720: ... server The prerequisite is that a route exists between the switch and the PC 1 1 2 Introduction to SFTP Secure FTP SFTP is established based on an SSH2 connection It allows a remote user to log in to a switch to manage and transmit files providing a securer guarantee for data transmission In addition since the switch can be used as a client you can log in to remote devices to transfer files secur...

Page 721: ... local user is configured Configure a password for the specified user password simple cipher password Optional By default no password is configured Configure the service type as FTP service type ftp Required By default no service is configured II Enabling an FTP server Follow these steps to enable an FTP server To do Use the command Remarks Enter system view system view Enable the FTP server funct...

Page 722: ...ction idle time To do Use the command Remarks Enter system view system view Configure the connection idle time for the FTP server ftp timeout minutes Optional 30 minutes by default IV Specifying the source interface and source IP address for an FTP server You can specify the source interface and source IP address for an FTP server to enhance server security After this configuration FTP clients can...

Page 723: ... Otherwise a prompt appears to show that the configuration fails z You can specify only one source interface or source IP address for the FTP at one time That is only one of the commands ftp server source interface and ftp server source ip can be valid at one time If you execute both of them the new setting will overwrite the original one z If the switch FTP server is the command switch or member ...

Page 724: ... FTP server when you access the FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection between an FTP client and an FTP server is established the FTP server outputs the configured login banner to the FTP client terminal Figure 1 1 Process of displaying a login banner z Shell banner After the connecti...

Page 725: ...ftp server source ip Display the login FTP client on an FTP server display ftp user Available in any view 1 2 2 FTP Configuration A Switch Operating as an FTP Client I Basic configurations on an FTP client By default a switch can operate as an FTP client In this case you can connect the switch to the FTP server to perform FTP related operations such as creating removing a directory by executing co...

Page 726: ...TP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the remote FTP server rmdir pathname Delete a specified file delete remotefile Optional dir remotefile localfile Query a specified file on the FTP server ls remotefile localfile Optional If no file name is specified all the files in the current directory are displayed The difference between these two com...

Page 727: ...eturn to user view bye Display the online help about a specified command concerning FTP remotehelp protocol command Optional Enable the verbose function verbose Optional Enabled by default II Specifying the source interface and source IP address for an FTP client You can specify the source interface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP s...

Page 728: ...urce interface source IP address set for one connection is prior to the fixed source interface source IP address set for each connection That is for a connection between an FTP client and an FTP server if you specify the source interface source IP address used for the connection this time and the specified source interface source IP address is different from the fixed one the former will be used f...

Page 729: ... as FTP You can log in to a switch through the Console port or by telnetting the switch See the Login module for detailed information Configure the FTP username as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname ftp server enable Sysname local user switch Sysname luser switch password simple hello Sysname luser switch service type ftp 2 Configure the PC...

Page 730: ...indows When you log in to the FTP server through another FTP client refer to the corresponding instructions for operation description Caution z If available space on the Flash memory of the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you ...

Page 731: ...ith username switch and the password hello has been configured on the FTP server z The IP addresses 1 1 1 1 for a VLAN interface on the switch and 2 2 2 2 for the PC have been configured Ensure that a route exists between the switch and the PC z Configure the login banner of the switch as login banner appears and the shell banner as shell banner appears II Network diagram Figure 1 4 Network diagra...

Page 732: ...irements A switch operates as an FTP client and a remote PC as an FTP server The switch application named switch bin is stored on the PC Download it to the switch through FTP and use the boot boot loader command to specify switch bin as the application for next startup Reboot the switch to upgrade the switch application and then upload the switch configuration file named config cfg to directory sw...

Page 733: ... the switch is not enough to hold the file to be uploaded you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu Connect to the FTP server using the ftp command in u...

Page 734: ...switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot Note For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual 1 3 SFTP Configuration Complete the following tasks to configure SFTP Task Remarks Enabling an SFTP server Required Configuring c...

Page 735: ...t within a specified time period it terminates the connection with the client thus preventing a user from occupying the connection for a long time without performing any operation Follow these steps to configure connection idle time To do Use the command Remarks Enter system view system view Configure the connection idle time for the SFTP server ftp timeout time out value Optional 10 minutes by de...

Page 736: ...kets due to timeout Similarly when you delete a large file from the server you are recommended to set the client packet timeout time to over 600 seconds 1 3 2 SFTP Configuration A Switch Operating as an SFTP Client I Basic configurations on an SFTP client By default a switch can operate as an SFTP client In this case you can connect the switch to the SFTP server to perform SFTP related operations ...

Page 737: ...mote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files in the current directory are displayed The difference between these two commands is that the dir command can display the file name directory as well as file attributes while the Is command can display only the file name and directory Download a remote file from the SFTP server ...

Page 738: ...r Follow these steps to specify the source interface or source IP address for an SFTP client To do Use the command Remarks Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source IP address of the specified SFTP client sftp source ip ip address Use either comman...

Page 739: ...the switch as SSH Sysname ui vty0 4 protocol inbound ssh Sysname ui vty0 4 quit Create a local user client001 Sysname local user client001 Sysname luser client001 password simple abc Sysname luser client001 service type ssh Sysname luser client001 quit Configure the authentication mode as password Authentication timeout time retry number and update time of the server key adopt the default values S...

Page 740: ...nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub rwxrwxrwx 1 noone nogroup 0 Sep 01 08 00 z Received status End of file Received status Success sftp client delete z The following files will be deleted z Are you sure to delete it Y N y This operation may take a long time P...

Page 741: ...ig cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 Received status End of file Received status Success Download the file pubkey2 from the server and rename it as public sftp client get pubkey2 public Th...

Page 742: ...noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new drwxrwxrwx 1 noone nogroup 0 Sep 02 06 33 new2 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit SFTP sftp client quit Bye Sysname ...

Page 743: ...ent packets to the TFTP server z To upload a file a client sends Write Request packets to the TFTP server then sends data to the TFTP server and receives acknowledgement packets from the TFTP server An H3C S5100 SI EI series Ethernet switch can act as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size ...

Page 744: ...iguration A Switch Operating as a TFTP Client I Basic configurations on a TFTP client By default a switch can operate as a TFTP client In this case you can connect the switch to the TFTP server to perform TFTP related operations such as creating removing a directory by executing commands on the switch Follow these steps to perform basic configurations on a TFTP client To do Use the command Remarks...

Page 745: ... interface type interface number get source file dest file put source file url dest file Optional Not specified by default Specify the source IP address used for the current connection tftp tftp server source ip ip address get source file dest file put source file url dest file Optional Not specified by default Enter system view system view Specify an interface as the source interface a TFTP clien...

Page 746: ... may specify only one source interface or source IP address for the TFTP client at one time That is only one of the commands tftp source interface and tftp source ip can be effective at one time If both commands are configured the one configured later will overwrite the original one 2 2 2 TFTP Configuration Example I Network requirements A switch operates as a TFTP client and a PC as the TFTP serv...

Page 747: ...only delete download them through the Boot ROM menu Enter system view Sysname system view Sysname Configure the IP address of a VLAN interface on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 25...

Page 748: ...00 SI EI Series Ethernet Switches Chapter 2 TFTP Configuration 2 6 Note For information about the boot boot loader command and how to specify the startup file for a switch refer to the System Maintenance and Debugging module of this manual ...

Page 749: ...UTC Time Zone 1 9 1 2 4 Setting to Output System Information to the Console 1 9 1 2 5 Setting to Output System Information to a Monitor Terminal 1 12 1 2 6 Setting to Output System Information to a Log Host 1 13 1 2 7 Setting to Output System Information to the Trap Buffer 1 14 1 2 8 Setting to Output System Information to the Log Buffer 1 15 1 2 9 Setting to Output System Information to the SNMP ...

Page 750: ...nter offers a powerful support for network administrators and developers in monitoring network performance and diagnosing network problems The information center of the system has the following features I Classification of system information The system is available with three types of information z Log information z Trap information z Debugging information II Eight levels of system information The...

Page 751: ...annels 0 through 5 have their default channel names and are associated with six output directions by default Both the channel names and the associations between the channels and output directions can be changed through commands Table 1 2 Information channels and output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugg...

Page 752: ...le The system information can be classified by source module and then filtered Some module names and description are shown in Table 1 3 Table 1 3 Source module name list Module name Description 8021X 802 1X module ACL Access control list module ADBM Address base module AM Access management module ARP Address resolution protocol module CMD Command line module DEV Device management module DNS Domain...

Page 753: ...Socket module SSH Secure shell module SYSMIB System MIB module TAC HWTACACS module TELNET Telnet module TFTPC TFTP client module VLAN Virtual local area network module VTY Virtual type terminal module XM XModem module default Default settings for all the modules To sum up the major task of the information center is to output the three types of information of the modules onto the ten channels in te...

Page 754: ...ecified in the information center of the switch when logs are generated the switch sends the logs to the log host in the above format For detailed information refer to Setting to Output System Information to a Log Host z There is the syslog process on the Unix or Linux platform you can start the process to receive the logs sent from the switch in the Windows platform you need to install the specif...

Page 755: ...on center to the log host is with a precision of seconds while that of the system information sent from the system center to the Console monitor terminal logbuffer trapbuffer and the SNMP is with a precision of milliseconds z yyyy is the year z GMT hh mm ss is the UTC time zone which represents the time difference with the Greenwich standard time Because switches in a network may distribute in dif...

Page 756: ...ter source command in system view to view the module list Refer to Table 1 3 for module name and description Between module and level is a VII Level Severity System information can be divided into eight levels based on its severity from 1 to 8 Refer to Table 1 1 for definition and description of these severity levels Note that there is a forward slash between the level severity and digest fields V...

Page 757: ... Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional 1 2 2 Configuring Synchronous Information Output Synchronous information output refers to the feature that if the system information such as log trap or debugging information is output when the user is inputting commands the command line prompt in command editing mode a prompt or a Y...

Page 758: ...direction of the information center to date z Configure to add the UTC time zone to the output information Follow these steps to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is set for the system Enter system view system view Log host direction info cen...

Page 759: ...rmation Set the format of time stamp in the output information info center timestamp log trap debugging boot date none Optional By default the time stamp format of the log and trap output information is date and that of the debugging output information is boot Note To view the debugging information of some modules on the switch you need to set the type of the output information to debug when confi...

Page 760: ...m information to the console you need to enable the associated display function to display the output information on the console Follow these steps to enable the system information display on the console To do Use the command Remarks Enable the debugging log trap information terminal display function terminal monitor Optional Enabled by default Enable debugging information terminal display functio...

Page 761: ...gh information channel 1 Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of time stamp in the output information info center timestamp log trap debugging boot date none Optional By default t...

Page 762: ...nformation terminal display function terminal debugging Optional Disabled by default Enable log information terminal display function terminal logging Optional Enabled by default Enable trap information terminal display function terminal trapping Optional Enabled by default Note Make sure that the debugging log trap information terminal display function is enabled use the terminal monitor command ...

Page 763: ... as the source interface Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to the log host info center timestamp loghost date no year date none Optional By default...

Page 764: ...at of the output trap information is date 1 2 8 Setting to Output System Information to the Log Buffer Follow these steps to set to output system information to the log buffer To do Use the command Remarks Enter system view system view Enable the information center info center enable Optional Enabled by default Enable information output to the log buffer info center logbuffer channel channel numbe...

Page 765: ...nnel name Optional By default the switch outputs trap information to SNMP through channel 5 Configure the output rules of system information info center source modu name default channel channel number channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of time stamp in the output information info cente...

Page 766: ...pression Display the summary information recorded in the log buffer display logbuffer summary level severity Display the status of trap buffer and the information recorded in the trap buffer display trapbuffer unit unit id size buffersize Available in any view Clear information recorded in the log buffer reset logbuffer unit unit id Clear information recorded in the trap buffer reset trapbuffer un...

Page 767: ...rap state off 2 Configure the log host The operations here are performed on SunOS 4 0 The operations on other manufacturers Unix operation systems are similar Step 1 Execute the following commands as the super user root user mkdir var log Switch touch var log Switch information Step 2 Edit the file etc syslog conf as the super user root user to add the following selector action pairs Switch config...

Page 768: ... syslog conf you can sort information precisely for filtering 1 4 2 Log Output to a Linux Log Host I Network requirements The switch sends the following log information to the Linux log host whose IP address is 202 38 1 10 All modules log information with severity higher than errors II Network diagram Figure 1 2 Network diagram for log output to a Linux log host III Configuration procedure 1 Confi...

Page 769: ...e z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must be the same with those corresponding parameters configured in commands info center loghost and info center source Otherwise log information may not be output to the log host normally Step 3 After the log file information is created and the fi...

Page 770: ...Network diagram for log output to the console III Configuration procedure Enable the information center Switch system view Switch info center enable Disable the function of outputting information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with severity level higher t...

Page 771: ...information center II Network diagram Network Switch Host Figure 1 4 Network diagram III Configuration procedure Name the local time zone z8 and configure it to be eight hours ahead of UTC time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center ...

Page 772: ...2 2 2 3 Debugging the System 2 2 2 3 1 Enabling Disabling System Debugging 2 2 2 3 2 Displaying Debugging Status 2 4 2 3 3 Displaying Operating Information about Modules in System 2 4 Chapter 3 Network Connectivity Test 3 1 3 1 Network Connectivity Test 3 1 3 1 1 ping 3 1 3 1 2 tracert 3 1 Chapter 4 Device Management 4 1 4 1 Introduction to Device Management 4 1 4 2 Device Management Configuration...

Page 773: ...ring the Boot ROM and host software loading go to these sections for information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading 1 1 Introduction to Loading Approaches You can load software locally by using z XModem through Console port z TFTP through Ethernet port z FTP through Ethernet port You can load softw...

Page 774: ... 1 2 1 BOOT Menu Starting H3C S5100 16P PWR EI BOOTROM Version 616 Copyright c 2004 2007 Hangzhou H3C Technologies Co Ltd Creation date Apr 16 2007 11 29 53 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 000fe2123456 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password Note To enter the BOOT menu you should press Ctrl B within five seconds full start...

Page 775: ...check methods checksum and CRC and multiple attempts of error packet retransmission generally the maximum number of retransmission attempts is ten The XModem transmission procedure is completed by a receiving program and a sending program The receiving program sends negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packet...

Page 776: ...200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready Note If you have chosen 9600 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this ca...

Page 777: ...Manual System Maintenance and Debugging H3C S5100 SI EI Series Ethernet Switches Chapter 1 Boot ROM and Host Software Loading 1 5 Figure 1 1 Properties dialog box Figure 1 2 Console port configuration dialog box ...

Page 778: ...rate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in HyperTerminal and click Browse in pop up dialog box as shown in Figure 1 4 Select t...

Page 779: ...on when it completes the loading Bootrom updating done Note z If the HyperTerminal s baudrate is not reset to 9600 bps the system prompts Your baudrate should be set to 9600 bps again Press enter key when ready z You need not reset the HyperTerminal s baudrate and can skip the last step if you have chosen 9600 bps In this case the system upgrades the Boot ROM automatically and prompts Bootrom upda...

Page 780: ...to the switch through the Console port Step 1 Execute the xmodem get command in user view In this case the switch is ready to receive files Step 2 Enable the HyperTerminal on the PC and configure XModem as the transfer protocol and configure communication parameters on the Hyper Terminal the same as that on the Console port Step 3 Choose the file to be loaded to the switch and then start to transm...

Page 781: ...M update menu shown below Bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu Enter your choice 0 3 Step 4 Enter 1 in the above menu to download the Boot ROM using TFTP Then set the following TFTP related parameters as required Load File name Switch btm Switch IP address 1 1 1 2 Server IP address 1 1 1 1 Step 5 Press ...

Page 782: ...on When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC directly connected to the device as TFTP server to promote upgrading reliability 1 2 4 Loading by FTP through Ethernet Port I Introduction to FTP FTP is an application layer protocol in the TCP IP protocol suite It is used for file transfer between server and client and is widely used in IP ne...

Page 783: ...eter 0 Return to boot menu Enter your choice 0 3 Step 4 Enter 2 in the above menu to download the Boot ROM using FTP Then set the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Y...

Page 784: ...ng reliability 1 3 Remote Boot ROM and Software Loading If your terminal is not directly connected to the switch you can telnet to the switch and use FTP or TFTP to load the Boot ROM and host software remotely 1 3 1 Remote Loading Using FTP I Loading Procedure Using FTP Client 1 Loading the Boot ROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server You can tel...

Page 785: ...other configurations that you want so as to avoid losing configuration information 2 Loading host software Loading the host software is the same as loading the Boot ROM program except that the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for next startup of the switch After the above operations the Boot ROM a...

Page 786: ...ubnet mask to 255 255 255 0 Note You can configure the IP address for any VLAN on the switch for FTP transmission However before configuring the IP address for a VLAN interface you have to make sure whether the IP addresses of this VLAN and PC are routable Sysname system view System View return to User View with Ctrl Z Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 192 168 0...

Page 787: ...ommand line interface Step 5 Use the cd command on the interface to enter the path that the Boot ROM upgrade file is to be stored Assume the name of the path is D Bootrom as shown in Figure 1 11 Figure 1 11 Enter Boot ROM directory Step 6 Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server ...

Page 788: ... ROM and Host Software Loading 1 16 Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file switch btm to the switch as shown in Figure 1 13 Figure 1 13 Upload file switch btm to the switch Step 8 Configure switch btm to be the Boot ROM at next startup and then restart the switch ...

Page 789: ...e file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch Note z The steps listed above are performed in the Windows operating system if you use other FTP client software refer to the corresponding user guide before operation z Only the configuration steps concerning loading are listed...

Page 790: ...te this command in user view The default value is 23 55 00 04 01 2000 when the system starts up Set the local time zone clock timezone zone name add minus HH MM SS Optional Execute this command in user view By default it is the UTC time zone Set the name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Exec...

Page 791: ...ay version Display the information about users logging onto the switch display users all Available in any view 2 3 Debugging the System 2 3 1 Enabling Disabling System Debugging The device provides various debugging functions For the majority of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control ...

Page 792: ...monly used way to output debugging information You can also output debugging information to other directions For details refer to Information Center Operation You can use the following commands to enable the two switches Follow these steps to enable debugging and terminal display for a specific module To do Use the command Remarks Enable system debugging for specific module debugging module name d...

Page 793: ... When an Ethernet switch is in trouble you may need to view a lot of operating information to locate the problem Each functional module has its corresponding operating information display command s You can use the command here to display the current operating information about the modules in the system for troubleshooting your system To do Use the command Remarks Display the current operation info...

Page 794: ...splayed Otherwise the number of data bytes packet serial number time to live TTL and response time of the response packet are displayed z Final statistics including the numbers of sent packets and received response packets the irresponsive packet percentage and the minimum average and maximum values of response time 3 1 2 tracert You can use the tracert command to trace the gateways that a packet ...

Page 795: ...ICMP TTL timeout message in order to offer the path that the packet passed through to the destination To do Use the command Remarks View the gateways that a packet passes from the source host to the destination tracert a source ip f first ttl m max ttl p port q num packet w timeout string You can execute the tracert command in any view ...

Page 796: ...g of the running status of the system z Specify the APP to be used at the next reboot z Update the Boot ROM z Identifying and Diagnosing Pluggable Transceivers 4 2 Device Management Configuration 4 2 1 Device Management Configuration Task list Complete the following tasks to configure device management Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Optional C...

Page 797: ...pecified time Follow these steps to schedule a reboot on the switch To do Use the command Remarks Schedule a reboot on the switch and set the reboot date and time schedule reboot at hh mm mm dd yyyy yyyy mm dd Optional Schedule a reboot on the switch and set the delay time for reboot schedule reboot delay hh mm mm Optional Enter system view system view Schedule a reboot on the switch and set the r...

Page 798: ...e host software of the switch If multiple APPs exist in the Flash memory you can use the command here to specify the one that will be used when the switch reboots Use the following command to specify the APP to be used at reboot To do Use the command Remarks Specify the APP to be used at reboot boot boot loader backup attribute file url device name Required 4 2 6 Upgrading the Boot ROM You can use...

Page 799: ...55M 622M 2 5G interfaces Yes Yes GBIC GigaBit Interface Converter Generally used for 1000M Ethernet interfaces Yes Yes XFP 10 Gigabit small Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit EtherNet Transceiver Package Generally used for 10G Ethernet interfaces Yes Yes Note For pluggable transceivers supported by S5100 SI EI series Ethernet switches refer to...

Page 800: ...ard during device debugging or test The information includes name of the card device serial number and vendor name or vendor name specified III Diagnosing pluggable transceivers The system outputs alarm information for you to diagnose and troubleshoot faults of pluggable transceivers Optical transceivers customized by H3C also support the digital diagnosis function which enables a transceiver to m...

Page 801: ...nto the Flash memory display diagnostic information Display enabled debugging on a specified switch display debugging unit unit id interface interface type interface number module name Available in any view 4 4 Remote Switch APP Upgrade Configuration Example I Network requirements Telnet to the switch from a PC remotely and download applications from the FTP server to the Flash memory of the switc...

Page 802: ...lo who is authorized with the read write right on the directory Switch on the PC The detailed configuration is omitted here 2 On the switch configure a level 3 telnet user with the username as user and password as hello Authentication mode is by user name and password Note Refer to the Login Operation part of this manual for configuration commands and steps about telnet user 3 Execute the telnet c...

Page 803: ...name 8 Upgrade the Boot ROM Sysname boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot loader switch bin The specified file will be booted next time on unit 1 Sysname display boot loader Unit 1 The c...

Page 804: ...ration 1 4 1 3 Displaying VLAN VPN Configuration 1 5 1 4 VLAN VPN Configuration Example 1 5 1 4 1 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN 1 5 Chapter 2 Selective QinQ Configuration 2 1 2 1 Selective QinQ Overview 2 1 2 1 1 Selective QinQ Overview 2 1 2 1 2 Inner to Outer Tag Priority Mapping 2 2 2 2 Selective QinQ Configuration 2 2 2 2 1 Configuration Tas...

Page 805: ...gs private network packets with outer VLAN tags thus enabling the packets to be transmitted through the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public networks and the inner VLAN tags are treated as part of the payload Figure 1 1 describes the structure of the p...

Page 806: ...Otherwise the packet becomes a packet carrying the default VLAN tag of the port 1 1 3 Adjusting the TPID Values of VLAN VPN Packets Tag protocol identifier TPID is a field of the VLAN tag IEEE 802 1Q specifies the value of TPID to be 0x8100 Figure 1 3 illustrates the structure of the Tag packet of an Ethernet frame defined by IEEE 802 1Q 0 31 15 TPID Priority VLAN ID CFI Figure 1 3 The structure o...

Page 807: ... 802 1x 0x888E 1 2 VLAN VPN Configuration 1 2 1 Configuration Task List Table 1 2 VLAN VPN configuration tasks Task Remarks Enabling the VLAN VPN Feature for a Port Required TPID Adjusting Configuration Optional 1 2 2 Enabling the VLAN VPN Feature for a Port I Configuration Prerequisites z The port is not a VLAN VPN uplink port z The port is not a remote mirror reflection port II Configuration pro...

Page 808: ...isabled on the port z For proper packet transmission confirm the TPID value of the peer device in the public network before adjusting the TPID value II Configuration Procedure Table 1 4 Adjust the TPID value for VLAN VPN packets on a port Operation Command Description Enter system view system view Set the TPID value globally vlan vpn tpid value Required Do not set the TPID value to any of the prot...

Page 809: ... you can execute the display command in any view to view the running status of VLAN VPN and verify the configuration Table 1 5 Display VLAN VPN configuration Operation Command Description Display the VLAN VPN configurations of all the ports display port vlan vpn You can execute the display command in any view 1 4 VLAN VPN Configuration Example 1 4 1 Transmitting User Packets through a Tunnel in th...

Page 810: ... on GigabitEthernet 1 0 11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer VLAN tag SwitchA system view SwitchA vlan 1040 SwitchA vlan1040 port GigabitEthernet 1 0 11 SwitchA vlan1040 quit SwitchA interface GigabitEthernet 1 0 11 SwitchA GigabitEthernet1 0 11 vlan vpn enable SwitchA GigabitEthernet1 0 11 quit Set the global TPID value of Switch A to 0x9...

Page 811: ... permit vlan 1040 SwitchB GigabitEthernet1 0 22 vlan vpn uplink enable Note z Do not configure VLAN 1040 as the default VLAN of GigabitEthernet 1 0 12 of Switch A and GigabitEthernet 1 0 22 of Switch B Otherwise the outer VLAN tag of a packet will be removed during transmission z In this example both GigabitEthernet1 0 11 of Switch A and GigabitEthernet1 0 21 of Switch B are access ports In cases ...

Page 812: ...gh the VLAN VPN uplink port GigabitEthernet 1 0 12 3 The outer VLAN tag of the packet remains unchanged while the packet travels in the public network till it reaches GigabitEthernet1 0 22 of Switch B 4 After the packet reaches Switch B it is forwarded to GigabitEthernet1 0 21 of Switch B As the port belongs to VLAN 1040 and is an access port the outer VLAN tag the tag of VLAN 1040 of the packet i...

Page 813: ...inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the port connecting to the access layer device according to their VLAN tags and add different outer VLAN tags to these users In the public n...

Page 814: ...In this way you can configure different forwarding policies for data of different type of users thus improving the flexibility of network management On the other hand network resources are well utilized and users of the same type are also isolated by their inner VLAN tags This helps to improve network security 2 1 2 Inner to Outer Tag Priority Mapping As shown in Figure 1 3 the user priority field...

Page 815: ...LAN tags is disabled Note You are not recommended to configure both the DHCP snooping and selective Q in Q function on the switch which may result in the DHCP snooping to function abnormally 2 2 3 Configuring the Inner to Outer Tag Priority Mapping Feature I Configuration Prerequisites Enabling the VLAN VPN feature on the current port II Configuration Procedure Table 2 2 Configure the inner to out...

Page 816: ...network GigabitEthernet 1 0 12 and GigabitEthernet1 0 13 of Switch B provide network access for PC servers belonging to VLAN 100 through VLAN 108 and voice gateways for IP phone users belonging to VLAN 200 through VLAN 230 respectively z The public network permits packets of VLAN 1000 and VLAN 1200 Apply QoS policies for these packets to reserve bandwidth for packets of VLAN 1200 That is packets o...

Page 817: ...uration procedure z Configure Switch A Create VLAN 1000 VLAN 1200 and VLAN 5 the default VLAN of GigabitEthernet 1 0 3 on SwitchA SwitchA system view SwitchA vlan 1000 SwitchA vlan1000 quit SwitchA vlan 1200 SwitchA vlan1200 quit SwitchA vlan 5 SwitchA vlan5 quit Configure GigabitEthernet 1 0 5 as a hybrid port and not to remove VLAN tags when forwarding packets of VLAN 5 VLAN 1000 and VLAN 1200 S...

Page 818: ...igabitEthernet1 0 3 vid 1000 quit SwitchA GigabitEthernet1 0 3 vlan vpn vid 1200 SwitchA GigabitEthernet1 0 3 vid 1200 raw vlan id inbound 200 to 230 After the above configuration packets of VLAN 100 through VLAN 108 that is packets of PC users are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A and packets of VLAN 200 through VLAN 2...

Page 819: ...port hybrid vlan 13 1200 untagged After the above configuration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through GigabitEthernet 1 0 12 and GigabitEthernet 1 0 13 respectively To make the packets from the servers be transmitted to the clients in the same way you need to configure the selective QinQ feature on GigabitEthernet 1 0 12 and GigabitEthernet 1 ...

Page 820: ...eters 1 2 1 2 HWPing Configuration 1 5 1 2 1 HWPing Server Configuration 1 5 1 2 2 HWPing Client Configuration 1 5 1 2 3 Displaying HWPing Configuration 1 18 1 3 HWPing Configuration Examples 1 18 1 3 1 ICMP Test 1 18 1 3 2 DHCP Test 1 20 1 3 3 FTP Test 1 22 1 3 4 HTTP Test 1 24 1 3 5 Jitter Test 1 26 1 3 6 SNMP Test 1 28 1 3 7 TCP Test Tcpprivate Test on the Specified Ports 1 31 1 3 8 UDP Test Ud...

Page 821: ...er and the response time of various services You need to configure HWPing client and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by a HWPing client and you can view the test results on the HWPing client only When performing a HWPing test you need to configure a HWPing test group on the HWPing client A HWPing test group is a set ...

Page 822: ...ublic test UDP test Udpprivate test z These types of tests need the cooperation of the HWPing client and HWPing server z Do not perform a TCP UDP or jitter test on a well known port ports with a number ranging from 1 to 1023 or on a port with a port number greater than 50000 Otherwise your HWPing test may fail or the service corresponding to the well known port may become unavailable 1 1 3 HWPing ...

Page 823: ...st packets which will be used by the server as the destination address of response packets Source port source port For HWPing tests other than ICMP DHCP and DNS you can specify a source port number for test packets which will be used by the server as the destination port number of response packets Test type test type z You can use HWPing to test a variety of protocols see Table 1 1 for details z T...

Page 824: ...e of a file to be transferred between HWPing client and FTP server Number of jitter test packets to be sent per probe jitter packetnum z Jitter test is used to collect statistics about delay jitter in UDP packet transmission z In a jitter probe the HWPing client sends a series of packets to the HWPing server at regular intervals you can set the interval Once receiving such a packet the HWPing serv...

Page 825: ...erver enable Required Disabled by default Configure a UDP listening service hwping server udpecho ip address port num Required for UDP and jitter tests By default no UDP listening service is configured Configure a TCP listening service hwping server tcpconnect ip address port num Required for TCP tests By default no TCP listening service is configured Note that z The HWPing server function is need...

Page 826: ...urce ip ip address Optional By default no source IP address is configured Configure the test type test type icmp Optional By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure the maximum number of history records that can be...

Page 827: ...e source interface source interface interface type interface number Required You can only configure a VLAN interface as the source interface By default no source interface is configured Configure the test type test type dhcp Required By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of his...

Page 828: ...r Optional By default no source port is configured Configure the test type test type ftp Required By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test interval...

Page 829: ...do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the destination IP address destination ip ip address Required You can configure an IP ...

Page 830: ...efault a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Configure the type of HTTP operation http operation get post Optional By default the type of HTTP operation is get that is the HTTP operation will get data from the HTTP server Start the test test enable Required Display test results display hwping results admin name opera...

Page 831: ...y default no source IP address is configured Configure the source port source port port number Optional By default no source port is configured Configure the test type test type jitter Required By default the test type is ICMP Configure the number of probes per test count times Optional By default each test makes one probe Configure the maximum number of history records that can be saved history r...

Page 832: ...e the command in any view 6 Configuring SNMP test on HWPing client Follow these steps to configure SNMP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By def...

Page 833: ...pe of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results admin name operation tag Required You can execute the command in any view 7 Configuring TCP test on HWPing client Follow these steps to configure TCP test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing c...

Page 834: ...ce port source port port number Optional By default no source port is specified Configure the test type test type tcpprivate tcppublic Required By default the test type is ICMP Configure the number of probes per test count times Optional By default one probe is made per time Configure the automatic test interval frequency interval Optional By default the automatic test interval is zero seconds ind...

Page 835: ...nation port port number z Required in a Udpprivate test z A Udppublic test is a UDP connection test on port 7 Use the hwping server udpecho ip address 7 command on the server to configure the listening service port otherwise the test will fail No port number needs to be configured on the client any destination port number configured on the client will not take effect z By default no destination po...

Page 836: ... Required The display command can be executed in any view 9 Configuring DNS test on HWPing client Follow these steps to configure DNS test on HWPing client To do Use the command Remarks Enter system view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name...

Page 837: ...of the DNS server dns server ip address Required By default no DNS server address is configured Start the test test enable Required Display test results display hwping results admin name operation tag Required The display command can be executed in any view II Configuring HWPing client to send Trap messages Trap messages are generated regardless of whether the HWPing test succeeds or fails You can...

Page 838: ...imes times Optional By default Trap messages are sent each time a probe fails 1 2 3 Displaying HWPing Configuration To do Use the command Remarks Display test history display hwping history administrator name operation tag Display the results of the latest test display hwping results administrator name operation tag Available in any view 1 3 HWPing Configuration Examples 1 3 1 ICMP Test I Network ...

Page 839: ...ut time to 5 seconds Sysname hwping administrator icmp timeout 5 Start the test Sysname hwping administrator icmp test enable Set the maximum number of history records that can be saved to 5 Sysname hwping administrator icmp history records 5 Display test results Sysname hwping administrator icmp display hwping results administrator icmp HWPing entry admin administrator tag icmp test result Destin...

Page 840: ...DHCP server are H3C S5100 SI EI series Ethernet switches Perform a HWPing DHCP test between the two switches to test the time required for the HWPing client to obtain an IP address from the DHCP server II Network diagram Figure 1 3 Network diagram for the DHCP test III Configuration procedure z Configure DHCP Server Switch B Configure DHCP server on Switch B For specific configuration of DHCP serv...

Page 841: ...age Round Trip Time 1018 1037 1023 Square Sum of Round Trip Time 10465630 Last complete test time 2000 4 3 9 51 30 9 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping admi...

Page 842: ...ired to upload a file to the server after the connection is established Both the username and password used to log in to the FTP server are admin The file to be uploaded to the server is cmdtree txt II Network diagram Figure 1 4 Network diagram for the FTP test III Configuration procedure z Configure FTP Server Switch B Configure FTP server on Switch B For specific configuration of FTP server refe...

Page 843: ...1 Start the test Sysname hwping administrator ftp test enable Display test results Sysname hwping administrator ftp display hwping results administrator ftp HWPing entry admin administrator tag ftp test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 3245 15891 12157 Square Sum of Round Trip Time 1644458573 Last complete test...

Page 844: ...g FTP test on HWPing client 1 3 4 HTTP Test I Network requirements An H3C S5100 SI EI series Ethernet switch serves as the HWPing client and a PC serves as the HTTP server Perform a HWPing HTTP test between the switch and the HTTP server to test the connectivity and the time required to download a file from the HTTP server after the connection to the server is established II Network diagram Figure...

Page 845: ...ults administrator http HWPing entry admin administrator tag http test result Destination ip address 10 2 2 2 Send operation times 10 Receive response times 10 Min Max Average Round Trip Time 47 87 74 Square Sum of Round Trip Time 57044 Last succeeded test time 2000 4 2 20 41 50 4 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation time...

Page 846: ...15 15 52 4 9 2 1 0 2000 04 02 15 15 52 4 10 2 1 0 2000 04 02 15 15 52 4 For detailed output description see the corresponding command manual Note For an HTTP test if configuring the destination address as the host name you must configure the IP address of the DNS server to resolve the host name into an IP address which is the destination IP address of this HTTP test 1 3 5 Jitter Test I Network req...

Page 847: ...P address of the HWPing server as 10 2 2 2 Sysname hwping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator Jitter destination port 9000 Configure to make 10 probes per test Sysname hwping administrator http count 10 Set the probe timeout time to 30 seconds Sysname hwping administrator Jitter timeout 30 Start the test Sysn...

Page 848: ...ve SD average 2 Negative DS average 1 Negative SD Square Sum 200 Negative DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname hwping administrator Jitter display hwping history administrator Jitter HWPing entry admin administrator tag Jitter history record Index Response Status LastRC Time 1 274 1 0 2000 04 02 08 14 58 2 2 278 1 0 2000 04 ...

Page 849: ...name snmp agent community read public Sysname snmp agent community write private Note z The SNMP network management function must be enabled on SNMP agent before it can receive response packets z The SNMPv2c version is used as reference in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure HWPing Client Swi...

Page 850: ... Round Trip Time 983 Last complete test time 2000 4 3 8 57 20 0 Extend result SD Maximal delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping administrator snmp display hwping history administrator s...

Page 851: ...address and port to listen on Sysname system view Sysname hwping server enable Sysname hwping server tcpconnect 10 2 2 2 8000 z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to tcpprivate Sysname Hwping administrator tcpprivate Configure the test type ...

Page 852: ...m busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hwping administrator tcpprivate display hwping history administrator tcpprivate HWPing entry admin administrator tag tcpprivate history record Index Response Status LastRC Time 1 4 1 0 2000 04 02 08 26 02 9 2 5 1 0 2000 04 02 08 26 02 8 3 4 1 0 2000 04 02 08 26 02...

Page 853: ...sname system view Sysname hwping agent enable Create a HWPing test group setting the administrator name to administrator and test tag to udpprivate Sysname Hwping administrator udpprivate Configure the test type as udpprivate Sysname hwping administrator udpprivate test type udpprivate Configure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator udpprivate destination ip ...

Page 854: ...tion errors 0 Sysname hwping administrator udpprivate display hwping history administrator udpprivate HWPing entry admin administrator tag udpprivate history record Index Response Status LastRC Time 1 11 1 0 2000 04 02 08 29 45 5 2 12 1 0 2000 04 02 08 29 45 4 3 11 1 0 2000 04 02 08 29 45 4 4 11 1 0 2000 04 02 08 29 45 4 5 11 1 0 2000 04 02 08 29 45 4 6 11 1 0 2000 04 02 08 29 45 4 7 10 1 0 2000 0...

Page 855: ...ng administrator dns Configure the test type as dns Sysname hwping administrator dns test type dns Configure the IP address of the DNS server as 10 2 2 2 Sysname hwping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname hwping administrator dns dns resolve target www test com Configure to make 10 probes per test Sysname hwping administrator dns count 10...

Page 856: ...sult DNS Resolve Current Time 10 DNS Resolve Min Time 6 DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Failed Times 0 Sysname hwping administrator dns display hwping history administrator dns HWPing entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50 40 9 2 10 1 0 2006 11 28 11 50 40 9 3 10 1 0 2006 11 2...

Page 857: ...mic Domain Name Resolution 1 1 1 2 Configuring Domain Name Resolution 1 3 1 2 1 Configuring Static Domain Name Resolution 1 3 1 2 2 Configuring Dynamic Domain Name Resolution 1 3 1 3 Displaying and Maintaining DNS 1 4 1 4 DNS Configuration Examples 1 4 1 4 1 Static Domain Name Resolution Configuration Example 1 4 1 4 2 Dynamic Domain Name Resolution Configuration Example 1 5 1 5 Troubleshooting DN...

Page 858: ... server resolve it into correct IP addresses There are two types of DNS services static and dynamic Each time the DNS server receives a name query it checks its static DNS database before looking up the dynamic DNS database Reduction of the searching time in the dynamic DNS database would increase efficiency Some frequently used addresses can be put in the static DNS database Currently S5100 SI EI...

Page 859: ... DNS client run on the same device while the DNS server and the DNS client usually run on different devices Dynamic domain name resolution allows the DNS client to store latest mappings between name and IP address in the dynamic domain name cache of the DNS client There is no need to send a request to the DNS server for a repeated query request next time The aged mappings are removed from the cach...

Page 860: ...o Use the command Remarks Enter system view system view Configure a mapping between a host name and an IP address ip host hostname ip address Required No IP address is assigned to a host name by default Note The IP address you assign to a host name last time will overwrite the previous one if there is any You may create up to 50 static mappings between domain names and IP addresses 1 2 2 Configuri...

Page 861: ... dynamic host Display the DNS resolution result nslookup type ptr ip address a domain name Available in any view Clear the information in the dynamic domain name cache reset dns dynamic host Available in user view 1 4 DNS Configuration Examples 1 4 1 Static Domain Name Resolution Configuration Example I Network requirements The switch uses static domain name resolution to access host 10 1 1 2 thro...

Page 862: ...ly from 10 1 1 2 bytes 56 Sequence 4 ttl 127 time 5 ms Reply from 10 1 1 2 bytes 56 Sequence 5 ttl 127 time 3 ms host com ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 2 3 5 ms 1 4 2 Dynamic Domain Name Resolution Configuration Example I Network requirements As shown in Figure 1 3 the switch serving as a DNS client uses dynamic domain name resol...

Page 863: ... address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suffix Sysname dns domain com Execute the ping host command on Switch to verify that the communication between Switch and Host is normal and that the corresponding IP address is 3 1 1 1 Sysname ping host Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press CTRL_C to break Reply from 3 1 1 1 bytes...

Page 864: ...c host command to check that the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specified domain name exists in the cache but the IP address is incorrect check that the DNS client has the correct IP address of the DNS server z Check that the mapping betwe...

Page 865: ... 1 5 1 2 4 Precautions 1 6 1 3 Displaying and Maintaining Smart Link 1 7 1 4 Smart Link Configuration Example 1 7 1 4 1 Implementing Link Redundancy Backup 1 7 Chapter 2 Monitor Link Configuration 2 1 2 1 Introduction to Monitor Link 2 1 2 1 1 How Monitor Link Works 2 2 2 2 Configuring Monitor Link 2 3 2 2 1 Configuration Task List 2 3 2 2 2 Creating a Monitor Link Group 2 3 2 2 3 Configuring the ...

Page 866: ... convergence time Smart Link can achieve active standby link redundancy backup and fast convergence to meet the user demand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation 1 1 1 Basic Concepts in Smart Link I Smart link group A smart link group consists of two member ports one master port and one slave port Normally only...

Page 867: ...be updated throughout the network In this case the smart link group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries V Control VLAN for sending flush messages This control VLAN sends flush messages When link switching occurs the device Switch A in Figure 1 1 broadcasts flush messages in this control VLAN VI Control VLAN for receiving flush mess...

Page 868: ...C forwarding entries and ARP entries of each device in the network may be out of date In order to guarantee correct packet transmission you must enable the Smart Link device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying flush messages from the smart lin...

Page 869: ...ding flush messages in the specified control VLAN Required Configuring Associated Devices Enable the function of processing flush messages received from the specified control VLAN Required 1 2 2 Configuring a Smart Link Device A Smart Link device refers to a device on which Smart Link is enabled and a smart link group is configured and that sends flush messages from the specified control VLAN A me...

Page 870: ...marks Enter system view system view Create a smart link group and enter smart link group view smart link group group id Required Configure a link aggregation group as a member of the smart link group link aggregation group group id master slave Optional Enable the function of sending flush messages in the specified control VLAN flush enable control vlan vlan id Optional By default no control VLAN ...

Page 871: ...id Required use either approach By default no control VLAN for receiving flush messages is specified 1 2 4 Precautions When configuring Smart Link pay attention to the following points 1 A port or a link aggregation group cannot serve as a member port for two smart link groups On the other hand a port or a link aggregation group cannot serve as a member for a smart link group and a monitor link gr...

Page 872: ...sh messages must be manually configured for each port in the aggregation group 11 The VLAN configured as a control VLAN to send and receive flush messages must exist You cannot directly remove the control VLAN When a dynamic VLAN is configured as the control VLAN for the smart link group this VLAN will become a static VLAN and the prompt information is displayed 1 3 Displaying and Maintaining Smar...

Page 873: ...e STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 stp disable SwitchA GigabitEthernet1 0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter the corresponding smart link group view SwitchA smart l...

Page 874: ...rol vlan 1 port GigabitEthernet 1 0 2 3 Enable the function of processing flush messages received from VLAN 1 on Switch D Enter system view SwitchD system view Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 SwitchD smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 4 Enable the function of processing flush messages received from VLAN 1...

Page 875: ...tion of Smart Link A monitor Link consists of an uplink port and one or multiple downlink ports When the link for the uplink port of a monitor link group fails all the downlink ports in the monitor link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a monitor link group implementation As shown in Fi...

Page 876: ...monitor link group when the link for the uplink port GigabitEthernet 1 0 1 on Switch C fails the links in the smart link group are not switched because the link for the master port GigabitEthernet 1 0 1 of Switch A configured with smart link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of GigabitEthernet 1 0 1 z If Switch C is co...

Page 877: ...te a monitor link group and configure member ports for it A monitor link group consists of an uplink port and one or multiple downlink ports The uplink port can be a manually configured or static LACP link aggregation group an Ethernet port or a smart link group The downlink ports can be manually configured link aggregation groups or static LACP link aggregation groups or Ethernet ports 2 2 1 Conf...

Page 878: ...he specified smart link group as the uplink port of the monitor link group smart link group group id uplink Monitor link group view port interface type interface number uplink quit interface interface type interface number Configure the uplink port for the monitor link group Configure the specified Ethernet port as the uplink port of the monitor link group Ethernet port view port monitor link grou...

Page 879: ...n z A smart link monitor link group with members cannot be deleted A smart link group as a monitor link group member cannot be deleted z The smart link monitor link function and the remote port mirroring function are incompatible with each other z If a single port is specified as a smart link monitor link group member do not use the lacp enable command on the port or add the port to another dynami...

Page 880: ...e II Network diagram BLOCK Switch A Switch B GE1 0 1 GE1 0 2 Switch C Switch D Switch E GE1 0 1 GE1 0 2 GE1 0 3 Server GE1 0 2 GE1 0 2 GE1 0 1 GE1 0 1 GE1 0 3 GE1 0 11 GE1 0 10 PC 1 PC 4 PC 3 PC 2 Figure 2 3 Network diagram for Monitor Link configuration III Configuration procedure 1 Enable Smart Link on Switch A and Switch B to implement link redundancy backup Perform the following configuration ...

Page 881: ...on procedure on Switch D is the same as that performed on Switch C Enter system view SwitchC system view Create monitor link group 1 and enter monitor link group view SwitchC monitor link group 1 Configure GigabitEthernet 1 0 1 as the uplink port of the monitor link group and GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as the downlink ports SwitchC mtlk group1 port GigabitEthernet 1 0 1 uplink...

Page 882: ...anual Smart Link Monitor Link H3C S5100 SI EI Series Ethernet Switches Chapter 2 Monitor Link Configuration 2 8 SwitchE smart link flush enable control vlan 1 port GigabitEthernet 1 0 10 to GigabitEthernet 1 0 11 ...

Page 883: ...figuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time 1 17 1 2 6 Configuring the Hop Limit of ICMPv6 Reply Packets 1 17 1 2 7 Configuring IPv6 DNS 1 18 1 2 8 Displaying and Maintaining IPv6 1 19 1 3 IPv6 Configuration Example 1 20 1 3 1 IPv6 Unicast Address Configuration 1 20 Chapter 2 IPv6 Application Configuration 2 1 2 1 Introduction to IPv6 Application 2 1 2 2 Con...

Page 884: ...otocol Version 6 IPv6 also called IP next generation IPng was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits 1 1 1 IPv6 Features I Header format simplification IPv6 cuts down some IPv4 header fields or moves them to extensio...

Page 885: ...figuration To simplify the host configuration IPv6 supports stateful address configuration and stateless address configuration z Stateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatically configures an IPv6 address and related information based on its o...

Page 886: ...way IPv6 enhances the flexibility greatly to provide scalability for IP while improving the processing efficiency The Options field in IPv4 packets contains only 40 bytes while the size of IPv6 extension headers is restricted by that of IPv6 packets 1 1 2 Introduction to IPv6 Address I IPv6 addresses An IPv6 address is represented as a series of 16 bit hexadecimals separated by colons An IPv6 addr...

Page 887: ... IPv6 addresses mainly fall into three types unicast address multicast address and anycast address z Unicast address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An identifier for a set of interfaces typically belonging to different nodes similar to an IPv4 mul...

Page 888: ...iders This type of address allows efficient routing aggregation to restrict the number of global routing entries z The link local address is used in the neighbor discovery protocol and the stateless autoconfiguration process Routers must not forward any packets with link local source or destination addresses to other links z IPv6 unicast site local addresses are similar to private IPv4 addresses R...

Page 889: ...orresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1 FF is permanent and consists of 104 bits and XX XXXX is the last 24 bits of an IPv6 address V Interface identifier in IEEE EUI 64 format Interface identifiers in IPv6 unicast addresses are used to identify interfaces on a link and they are required to be ...

Page 890: ...nctions of ICMPv6 messages used by the NDP Table 1 3 Types and functions of ICMPv6 messages ICMPv6 message Function Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message Used to perform a duplicate address detection Used to respond to a neighbor solicitation message Neighbor advertisement NA message When the link laye...

Page 891: ...NDP functions H3C S5100 SI EI Series Ethernet Switches support the following three functions address resolution neighbor unreachability detection and duplicate address detection The subsequent sections present a detailed description of these three functions and relevant configuration The NDP mainly provides the following functions I Address resolution Similar to the ARP function in IPv4 a node acq...

Page 892: ...estination address is the IPv6 address of node B 2 If node A receives an NA message from node B node A considers that node B is reachable Otherwise node B is unreachable III Duplicate address detection After a node acquires an IPv6 address it should perform the duplicate address detection to determine whether the address is being used by other nodes similar to the gratuitous ARP function The dupli...

Page 893: ...erver can convert domain names into IPv4 addresses or IPv6 addresses In this way the DNS server has the functions of both IPv6 DNS and IPv4 DNS 1 1 5 Protocols and Standards Protocol specifications related to IPv6 include z RFC 1881 IPv6 Address Allocation Management z RFC 1887 An Architecture for IPv6 Unicast Address Allocation z RFC 1981 Path MTU Discovery for IP version 6 z RFC 2375 IPv6 Multic...

Page 894: ... site local addresses and global unicast addresses can be configured in either of the following ways z EUI 64 format When the EUI 64 format is adopted to form IPv6 addresses the IPv6 address prefix of an interface is the configured prefix and the interface identifier is derived from the link layer address of the interface z Manual configuration IPv6 site local addresses or global unicast addresses...

Page 895: ...i 64 Use either command By default no site local address or global unicast address is configured for an interface Note that the prefix specified by the prefix length argument in an EUI 64 address cannot exceed 64 bits in length Automatically generate a link local address ipv6 address auto link local Configure an IPv6 link local address Manually assign a link local address for an interface ipv6 add...

Page 896: ...he manually assigned one If the manually assigned link local address is deleted the automatically generated link local address takes effect z You must have carried out the ipv6 address auto link local command before you carry out the undo ipv6 address auto link local command However if an IPv6 site local address or global unicast address is already configured for an interface the interface still h...

Page 897: ...learned neighbors reaches the threshold the interface will stop learning neighbor information Follow these steps to configure the maximum number of neighbors dynamically learned To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the maximum number of neighbors dynamically learned by an interface ipv6 neighbors m...

Page 898: ... do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default V Configuring the neighbor reachable timeout time on an interface After a neighbor passed the reachability detection the device considers the neighbor to be reachable in a specific...

Page 899: ...imer expires the IPv6 TCP connection establishment fails z finwait timer When the IPv6 TCP connection status is FIN_WAIT_2 the finwait timer is triggered If no packet is received before the finwait timer expires the IPv6 TCP connection is terminated If FIN packets are received the IPv6 TCP connection status becomes TIME_WAIT If other packets are received the finwait timer is reset from the last pa...

Page 900: ...ts that are continuously sent out reaches the capacity of the token bucket the subsequent IPv6 ICMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Follow these steps to configure the maximum number of IPv6 ICMP error packets sent within a specified time To do Use the command Remarks Enter system view system view Configure the...

Page 901: ...on you should configure a DNS server so that a query request message can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a domain name and the system automatically adds the preset suffix for address resolution The system can support at most 10 domain name suffixes Follow...

Page 902: ...rmation of an interface display ipv6 interface interface type interface number brief Display neighbor information display ipv6 neighbors ipv6 address all dynamic interface interface type interface number static vlan vlan id begin exclude include regular expression Display the total number of neighbor entries satisfying the specified conditions display ipv6 neighbors all dynamic static interface in...

Page 903: ...udp ipv6 statistics Available in user view Note The display dns domain and display dns server commands are the same as those of IPv4 DNS For details about the commands refer to DNS Operation in this manual 1 3 IPv6 Configuration Example 1 3 1 IPv6 Unicast Address Configuration I Network requirements Two switches are directly connected through two Ethernet ports The Ethernet ports belong to VLAN 2 ...

Page 904: ...tchA system view SwitchB interface Vlan interface 2 SwitchB Vlan interface2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface VLAN interface 2 SwitchB Vlan interface2 ipv6 address 3001 2 64 IV Verification Display the brief IPv6 information of an interf...

Page 905: ...Hosts use stateless autoconfig for addresses On Switch A ping the link local address EUI 64 address and global unicast address of Switch B If the configurations are correct the above three types of IPv6 addresses can be pinged Caution When you use the ping ipv6 command to verify the reachability of the destination you must specify the i keyword if the destination address is a link local address Fo...

Page 906: ...2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 5 hop limit 255 time 60 ms 2001 20F E2FF FE00 1 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 40 58 70 ms SwitchA Vlan interface2 ping ipv6 3001 2 PING 3001 2 56 da...

Page 907: ...Operation Manual IPv6 Management H3C S5100 SI EI Series Ethernet Switches Chapter 1 IPv6 Configuration 1 24 0 00 packet loss round trip min avg max 50 60 70 ms ...

Page 908: ...upported on H3C S5100 SI EI Series Ethernet Switches are z Ping z Traceroute z TFTP z Telnet 2 2 Configuring IPv6 Application 2 2 1 IPv6 Ping The ping ipv6 command is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For details about the ping command refer to System Mainten...

Page 909: ...ds an IP datagram with the Hop Limit of 1 z If the first hop device receiving the datagram reads the Hop Limit of 1 it will discard the packet and return an ICMP timeout error message Thus the source can get the first device s address in the route z The source sends a datagram with the Hop Limit of 2 and the second hop device returns an ICMP timeout error message The source gets the second device ...

Page 910: ...ese steps to download or upload files to TFTP servers To do Use the command Remarks Download Upload files from TFTP server tftp ipv6 remote system i interface type interface number get put source filename destination filename Required Available in user view Caution When you use the tftp ipv6 command to connect to the TFTP server you must specify the i keyword if the destination address is a link l...

Page 911: ...interface number port number Required Available in user view Caution When you use the telnet ipv6 command to connect to the Telnet server you must specify the i keyword if the destination address is a link local address II Displaying and maintaining IPv6 Telnet To do Use the command Remarks Display the use information of the users who have logged in display users all Available in any view 2 3 IPv6...

Page 912: ...III Configuration procedure Note You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is accessible before the following configuration Ping SWB s IPv6 address from SWA SWA ping ipv6 3003 1 PING 3003 1 64 data bytes press CTRL_C to break Reply from 3003 1 bytes 56 Sequence 1 hop limit 64 time 110 ms Reply from 3003 1 byt...

Page 913: ...ownloads a file from TFTP server 3001 3 SWA tftp ipv6 3001 3 get filetoget flash filegothere File will be transferred in binary mode Downloading file from remote tftp server please wait TFTP 13 bytes received in 1 243 second s File downloaded successfully SWA Connect to Telnet server 3001 2 SWA telnet ipv6 3001 2 Trying 3001 2 Press CTRL K to abort Connected to 3001 2 Telnet Server 2 4 Troubleshoo...

Page 914: ... was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachable UDP port 2 4 3 Unable to Run TFTP I Symptom Unable to download and upload files by performing TFTP operations II Solution z Check that the route between the device and the TFTP server is up z Check that the file system of the device is usable You can c...

Page 915: ...nd PoE Priority of a Port 1 4 1 2 5 Setting the PoE Mode on a Port 1 5 1 2 6 Configuring the PD Compatibility Detection Function 1 6 1 2 7 Configuring PoE Over Temperature Protection on the Switch 1 6 1 2 8 Upgrading the PSE Processing Software Online 1 7 1 2 9 Displaying PoE Configuration 1 7 1 3 PoE Configuration Example 1 8 1 3 1 PoE Configuration Example 1 8 Chapter 2 PoE Profile Configuration...

Page 916: ... application prospect PoE can be applied to IP phones wireless access points APs chargers for portable devices card readers network cameras and data collection system II PoE components PoE consists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection...

Page 917: ...a wires 1 2 3 6 of category 3 5 twisted pairs z The PSE processing software on the switch can be upgraded online z The switch provides statistics about power supplying on each port and the whole equipment which you can query through the display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides over t...

Page 918: ...emote PD has an external power supply the PoE enabled S5100 SI EI switch and the external power supply will backup each other for the PD z Only the Ethernet electrical ports of the PoE enabled S5100 SI EI switch support the PoE feature 1 2 PoE Configuration 1 2 1 PoE Configuration Tasks Table 1 3 PoE configuration tasks Task Remarks Enabling the PoE Feature on a Port Required Setting the Maximum O...

Page 919: ...er that can be supplied by each Ethernet electrical port of a PoE enabled S5100 SI EI switch to its PD is 15 400 mW In practice you can set the maximum power on a port depending on the actual power of the PD in the range of 1 000 to 15 400 mW and in the granularity of 1 mW Table 1 5 Set the maximum output power on a port Operation Command Description Enter system view system view Enter Ethernet po...

Page 920: ...e switch PoE is close to its full load and a new PD is now added to port A the switch just gives a prompt that a new PD is added and will not supply power to this new PD After the PoE feature is enabled on the port perform the following configuration to set the PoE management mode and PoE priority of a port Table 1 6 Set the PoE management mode and PoE priority of a port Operation Command Descript...

Page 921: ...n Table 1 8 Configure the PD compatibility detection function Operation Command Description Enter system view system view Enable the PD compatibility detection function poe legacy enable Required Disabled by default 1 2 7 Configuring PoE Over Temperature Protection on the Switch When the internal temperature of the switch exceeds the PoE protection temperature the switch disables the PoE feature o...

Page 922: ... can be executed successfully use the full update mode to upgrade and thus restore the software z The refresh update mode is to upgrade the original processing software in the PSE through refreshing the software while the full update mode is to delete the original processing software in PSE completely and then reload the software z Generally the refresh update mode is used to upgrade the PSE proce...

Page 923: ...temperature protection Available in any view 1 3 PoE Configuration Example 1 3 1 PoE Configuration Example I Networking requirements Switch A is an S5100 SI EI series Ethernet switch supporting PoE Switch B can be PoE powered z The GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively the GigabitEthernet 1 0 8 port is intended to be conn...

Page 924: ...ower 12000 SwitchA GigabitEthernet1 0 1 quit Enable the PoE feature on GigabitEthernet 1 0 2 and set the PoE maximum output power of GigabitEthernet 1 0 2 to 2500 mW SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 poe enable SwitchA GigabitEthernet1 0 2 poe max power 2500 SwitchA GigabitEthernet1 0 2 quit Enable the PoE feature on GigabitEthernet 1 0 8 and set the PoE priority...

Page 925: ...100 SI EI Series Ethernet Switches Chapter 1 PoE Configuration 1 10 Enable the PD compatibility detect of the switch to allow the switch to supply power to part of the devices noncompliant with the 802 3af standard SwitchA poe legacy enable ...

Page 926: ...nding user groups z When users connect a PD to a PoE profile enabled port the PoE configurations in the PoE profile will be enabled on the port 2 2 PoE Profile Configuration 2 2 1 Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename Required If the PoE file is crea...

Page 927: ...ccording to the following rules z When the apply poe profile command is used to apply a PoE profile to a port the PoE profile is applied successfully only if one PoE feature in the PoE profile is applied properly When the display current configuration command is used for query it is displayed that the PoE profile is applied properly to the port z If one or more features in the PoE profile are not ...

Page 928: ...Ethernet 1 0 10 of Switch A are used by users of group A who have the following requirements z The PoE function can be enabled on all ports in use z Signal mode is used to supply power z The PoE priority for GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 is Critical whereas the PoE priority for GigabitEthernet 1 0 6 through GigabitEthernet 1 0 10 is High z The maximum power for GigabitEtherne...

Page 929: ... applicable to GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 ports for users of group A SwitchA poe profile Profile1 poe enable SwitchA poe profile Profile1 poe mode signal SwitchA poe profile Profile1 poe priority critical SwitchA poe profile Profile1 poe max power 3000 SwitchA poe profile Profile1 quit Display detailed configuration information for Profile1 SwitchA display poe profile name...

Page 930: ... high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe enable poe priority high Apply the configured Profile1 to GigabitEthernet 1 0 1 through GigabitEthernet 1 0 5 ports SwitchA apply poe profile Profile1 interface GigabitEthernet1 0...

Page 931: ...Operation Manual Appendix H3C S5100 SI EI Series Ethernet Switches Table of Contents i Table of Contents Appendix A Acronyms A 1 ...

Page 932: ...uter B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast R...

Page 933: ...on Base N NBMA Non Broadcast MultiAccess NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PoE Power over Ethernet Q QoS Quality of Service R RIP Routing Information Protocol RMON Remote Network Moni...

Page 934: ...3 TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol ToS Type of Service TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking ...

Reviews:

No comments

Related manuals for H3C S5100-EI

8e6 Technologies Enterprise Filter Authentication R3000 Quick Start Manual preview
Enterprise Filter Authentication R3000
Brand: 8e6 Technologies Pages: 66
Profile LS901-E1 Instruction Manual preview
LS901-E1
Brand: Profile Pages: 6
TRENDnet TW-200 Specifications preview
TW-200
Brand: TRENDnet Pages: 2
Aztech DSL1000EW(L) Speci?Cations preview
DSL1000EW(L)
Brand: Aztech Pages: 2
Keithley 7011-C Instruction Manual preview
7011-C
Brand: Keithley Pages: 98
NETGEAR WAG302 Installation Manual preview
WAG302
Brand: NETGEAR Pages: 2
Perle P841 Specifications preview
P841
Brand: Perle Pages: 2
ZKTeco HVR0402 User Manual preview
HVR0402
Brand: ZKTeco Pages: 68
Pakedge Device & Software RK-1 Quick Start Manual preview
RK-1
Brand: Pakedge Device & Software Pages: 14
rtd IDAN-ID5915 User Manual preview
IDAN-ID5915
Brand: rtd Pages: 28
Supermicro SSG-927R-E2CJB User Manual preview
SSG-927R-E2CJB
Brand: Supermicro Pages: 62
AIC FB128-LX User Manual preview
FB128-LX
Brand: AIC Pages: 79
Multitech RouteFinder RF560VPN User Manual preview
RouteFinder RF560VPN
Brand: Multitech Pages: 82
Variscite VAR-SOM-MX6 HEAT PLATE KIT Quick Start Manual preview
VAR-SOM-MX6 HEAT PLATE KIT
Brand: Variscite Pages: 3
Korenix 5-port 10/100 Specifications preview
5-port 10/100
Brand: Korenix Pages: 3
Tripp Lite N306-04M Specification Sheet preview
N306-04M
Brand: Tripp Lite Pages: 2
Navico Network Expansion Port 2 Manual preview
Network Expansion Port 2
Brand: Navico Pages: 17
Aim RPM Bridge User Manual preview
RPM Bridge
Brand: Aim Pages: 12

Brands by name

Popular brands

Load more brands