manualshive.com logo in svg

H3C H3C S5100-SI, Operation Manual, Page: 163 / 830

Share
Download
H3C H3C S5100-SI Operation Manual Download Page 163

 

1-7 

Configuring Port Security Features 

Configuring the NTK feature  

Follow these steps to configure the NTK feature: 

To do... 

Use the command... 

Remarks 

Enter system view 

system-view 

— 

Enter Ethernet port view 

interface

 

interface-type 

interface-number

 

— 

Configure the NTK feature 

port-security ntk-mode 

{

 ntkonly 

|

 

ntk-withbroadcasts 

|

 

ntk-withmulticasts 

Required 

By default, NTK is disabled on 
a port, namely all frames are 
allowed to be sent. 

 

 

Currently, the S5100-SI/EI series do not support the 

ntkonly 

NTK feature. 

 

Configuring intrusion protection 

Follow these steps to configure the intrusion protection feature: 

To do... 

Use the command... 

Remarks 

Enter system view 

system-view 

— 

Enter Ethernet port view 

interface

 

interface-type 

interface-number

 

— 

Set the corresponding action to 
be taken by the switch when 
intrusion protection is triggered 

port-security intrusion-mode 

{

 blockmac 

|

 disableport 

|

 

disableport-temporarily 

Required 

By default, intrusion 
protection is disabled. 

Return to system view 

quit 

— 

Set the timer during which the 
port remains disabled

 

port-security timer disableport 
timer

 

Optional 

20 seconds by default 

 

 

The 

port-security timer disableport

 command is used in conjunction with the 

port-security 

intrusion-mode

 

disableport-temporarily

 command to set the length of time during which the port 

remains disabled. 

 

Summary of Contents for H3C S5100-SI

Page 1: ...H3C S5100 SI EI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 20100115 C 1 05 Product Version Release 220X series...

Page 2: ...V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective...

Page 3: ...rt Binding Introduces port security port binding and the related configuration 11 DLDP Introduces DLDP and the related configuration 12 MAC Address Table Management Introduces MAC address forwarding t...

Page 4: ...ces PoE PoE profile and the related configuration 38 UDP Helper Introduces UDP Helper and the related configuration 39 Access Management Introduces Access Management and the related configuration 40 A...

Page 5: ...EI Series Ethernet Switches Installation Manual It provides information for the system installation H3C S5100 SI EI Series Ethernet Switches Command Manual Release 220X Series It is used for assistin...

Page 6: ...Documentation Feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 7: ...3C Website 1 1 Software Release Notes 1 1 2 Correspondence Between Documentation and Software 2 1 Manual List 2 1 Software Version 2 1 3 Product Overview 3 1 4 Networking Applications 4 1 Convergence...

Page 8: ...se of user guide only Unless otherwise noted all the information in the document set does not claim or imply any warranty For the latest software documentation go to the H3C website H3C Website Perfor...

Page 9: ...rsion of Release2200 Release2201 and Release2203P08 of the S5100 SI EI series products The supported features are different between these software versions For details refer to Table 2 1 Added and Mod...

Page 10: ...120 instead of 10 to 120 in seconds 14 802 1x and System Guard Deleted features The S5100 EI series Ethernet switches do not support to specify a secondary IP address of an interface 17 IP Address an...

Page 11: ...lusters The H3C S5100 series come in two series S5100 SI and S5100 EI which are available in the following models Table 3 1 H3C S5100 SI EI series Series Model 10 100 1000Base T autosensing Ethernet p...

Page 12: ...se X SFP port 10 100 1000Base T autosensing Ethernet port 17 14 18 16 19 13 S5100 16P SI S5100 16P EI S5100 16P PWR EI 20 15 25 22 26 24 27 21 S5100 24P SI S5100 24P EI S5100 26C EI S5100 26C PWR EI 2...

Page 13: ...orking applications are described as follows The following applications are for S5100 EI series Convergence Layer Devices In medium and small sized enterprises or branches of large enterprises S5100 E...

Page 14: ...of a data center S5100 EI series are deployed on the core network to provide 10GE GE access core network functions The server cluster can be connected to the core network at the Gigabit Ethernet rate...

Page 15: ...d 2 8 Configuration Procedure 2 8 Configuration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 11 3 Loggin...

Page 16: ...isabling the WEB Server 6 3 7 Logging In Through NMS 7 1 Introduction 7 1 Connection Establishment Using NMS 7 1 8 Configuring Source IP Address for Telnet Service Packets 8 1 Overview 8 1 Configuring...

Page 17: ...Configuration Web based Network Management Interface Logging In Through the Web based Network Management Interface Network Management Station Logging In Through NMS Introduction to the User Interface...

Page 18: ...with the smallest number based on the user login mode The login process of the user is restricted by the configurations under this user interface z The user interface assigned to a user depending on...

Page 19: ...system name for the switch sysname string Optional By default the system name is H3C Enable copyright information displaying copyright info enable Optional By default copyright displaying is enabled...

Page 20: ...fault you can locally log in to an S5100 SI EI Ethernet switch through its console port only Table 2 1 lists the default settings of a console port Table 2 1 The default settings of a console port Set...

Page 21: ...rminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP The following assumes that you are running Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4...

Page 22: ...to establish the connection Figure 2 4 Set port parameters 3 Turn on the switch You will be prompted to press the Enter key if the switch successfully completes POST power on self test The prompt such...

Page 23: ...By default the check mode of the console port is set to none which means no check bit Stop bits Optional The default stop bits of a console port is 1 Console port configuration Data bits Optional The...

Page 24: ...onfiguration of console port login To do Use the command Remarks Enter system view system view Enter AUX user interface view user interface aux 0 Set the baud rate speed speed value Optional The defau...

Page 25: ...peration is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Console Port Login Configurations for Different Authentication Mode...

Page 26: ...By default users logging in through the console port AUX user interface are not authenticated Configuration Example Network requirements Assume that the switch is configured to allow users to log in t...

Page 27: ...onsole port to 19 200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number of commands the history comma...

Page 28: ...Telnet and the user level is set to the administrator level level 3 Perform the following configurations for users logging in through the console port AUX user interface z Authenticate the users usin...

Page 29: ...20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility runn...

Page 30: ...sts by default Set the authentication password for the local user password simple cipher password Required Specify the service type for AUX users service type terminal level level Required Note that I...

Page 31: ...ysname system view Create a local user named guest and enter local user view Sysname local user guest Set the authentication password to 123456 in plain text Sysname luser guest password simple 123456...

Page 32: ...the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration you need to modify the configuration of the terminal emulation utility running on the PC accordingly in...

Page 33: ...ss is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance Configuration and Routing Protoco...

Page 34: ...arks Enter system view system view Enter one or more VTY user interface views user interface vty first number last number Configure the command level available to users logging in to VTY user interfac...

Page 35: ...imeout 0 command to disable the timeout function Telnet Configurations for Different Authentication Modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Authent...

Page 36: ...nfigure Telnet with the authentication mode being none To do Use the command Remarks Enter system view system view Enter one or more VTY user interface views user interface vty first number last numbe...

Page 37: ...commands the history command buffer can store to 20 Sysname ui vty0 history command max size 20 Set the timeout time to 6 minutes Sysname ui vty0 idle timeout 6 Telnet Configuration with Authenticatio...

Page 38: ...entication mode being password Configuration procedure Enter system view Sysname system view Enter VTY 0 user interface view Sysname user interface vty 0 Configure to authenticate users logging in to...

Page 39: ...fy to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply RADIUS or HWTACACS scheme you need to perform the following configuration a...

Page 40: ...mmand buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configur...

Page 41: ...l in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on the PC terminal with the baud rate set to 9 600 bps data bits set to 8 parity check set to none and flo...

Page 42: ...login password The CLI prompt such as Sysname appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message...

Page 43: ...the Telnet server Refer to Telnet Configuration with Authentication Mode Being None Telnet Configuration with Authentication Mode Being Password and Telnet Configuration with Authentication Mode Being...

Page 44: ...to a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is a...

Page 45: ...authentication mode configuration Configuration on switch when the authentication mode is none Refer to Console Port Login Configuration with Authentication Mode Being None Configuration on switch whe...

Page 46: ...e 4 1 Establish the connection by using modems 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 th...

Page 47: ...authentication mode is specified enter the password when prompted If the password is correct the prompt such as Sysname appears You can then configure or manage the switch You can also enter the chara...

Page 48: ...4 5 If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI part for information about command level...

Page 49: ...detailed debugging information is provided to help users diagnose and locate network problems z Command history function This enables users to check the commands that they have lately executed and re...

Page 50: ...nsole user a user who logs into the switch through the Console port is a level 3 user and Telnet users are level 0 users You can use the user privilege level command to set the default user privilege...

Page 51: ...rom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1 and other TFTP servers Switching User...

Page 52: ...set password to switch to user level 3 Sysname super 3 Password User privilege level is 3 and only those commands can be used whose level is equal or less than this Privilege note 0 VISIT 1 MONITOR 2...

Page 53: ...re VLAN parameters Sysname vlan1 Execute the vlan command in system view VLAN interface view Configure VLAN interface parameters including the management VLAN parameters Sysname Vlan i nterface1 Execu...

Page 54: ...lic key view Execute the public key cod e end command to return to public key view Basic ACL view Define rules for a basic ACL with ID ranging from 2000 to 2999 Sysname acl basic 2000 Execute the acl...

Page 55: ...ies switches provide this view Sysname port gr oup 1 Execute the port group command in system view QinQ view Configure QinQ parameters Only S5100 EI series Ethernet switches provide this view Sysname...

Page 56: ...Sysname interface vlan interface 1 4094 VLAN interface number If only cr is displayed after you enter it means no parameter is available at the position and you can enter and execute the command dire...

Page 57: ...listed in the following table Follow these steps to view history commands Purpose Operation Remarks Display the latest executed history commands Execute the display history command command This comma...

Page 58: ...esponding character at the cursor position and move the cursor one character to the right if the command is shorter than 254 characters Backspace key Delete the character on the left of the cursor and...

Page 59: ...t The VLAN interface of the switch is assigned an IP address and the route between the switch and the Web network management terminal is reachable Refer to the IP Address Configuration IP Performance...

Page 60: ...the Web based network management system Configuring the Login Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is...

Page 61: ...the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press Enter...

Page 62: ...http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web s...

Page 63: ...o perform related configuration on both the NMS and the switch Table 7 1 Requirements for logging in to a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is c...

Page 64: ...attacks are guarded and the security is improved On the other hand you can configure the Telnet server to accept only Telnet service packets with specific source IP addresses to make sure specific us...

Page 65: ...d exists z If a source IP address or source interface is specified you need to make sure that the route between the IP addresses or interface of both sides is reachable Displaying Source IP Address Co...

Page 66: ...d Implementation Related section By source IP address Through basic ACL By source and destination IP address Through advanced ACL Telnet By source MAC address Through Layer 2 ACL Controlling Telnet Us...

Page 67: ...as needed Table 9 2 ACL categories Category ACL number Matching criteria Basic ACL 2000 to 2999 Source IP address Advanced ACL 3000 to 3999 Source IP address and destination IP address Layer 2 ACL 400...

Page 68: ...10 110 100 52 are permitted to access the switch Network diagram Switch 10 110 100 46 Host A IP network Host B 10 110 100 52 Figure 9 1 Network diagram for controlling Telnet users using ACLs Configur...

Page 69: ...ing Required Quit to system view quit Apply the ACL while configuring the SNMP community name snmp agent community read write community name acl acl number mib view view name Apply the ACL while confi...

Page 70: ...dress You can manage an S5100 SI EI Ethernet switch remotely through Web Web users can access a switch through HTTP connections You need to perform the following two operations to control Web users by...

Page 71: ...r using the related command Follow the step below to log out a Web user To do Use the command Remarks Log out a Web user free web users all user id user id user name user name Required Available in us...

Page 72: ...9 7 Apply ACL 2030 to only permit the Web users sourced from the IP address of 10 110 100 52 to access the switch Sysname ip http acl 2030...

Page 73: ...ement 1 1 Introduction to Configuration File 1 1 Configuration Task List 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Next St...

Page 74: ...nd view The commands that are of the same command view are grouped into one section Sections are separated by comment lines A line is a comment line if it starts with the character z The sections are...

Page 75: ...k List Complete these tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration...

Page 76: ...xecution of this command If the filename you entered is different from that existing in the system this command will erase its main attribute to allow only one main attribute configuration file in the...

Page 77: ...to specify a configuration file for next startup To do Use the command Remarks Specify a configuration file for next startup startup saved configuration cfgfile backup main Required Available in user...

Page 78: ...mand Remarks Display the initial configuration file saved in the Flash of a switch display saved configuration unit unit id by linenum Display the configuration file used for this and next startup dis...

Page 79: ...uration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Configuration 2 3 Configuring a Port Based VLAN...

Page 80: ...packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself causing potential serious security problems Isolati...

Page 81: ...to the same VLAN regardless of their physical locations network construction and maintenance is much easier and more flexible VLAN Fundamentals VLAN tag To enable a network device to identify frames o...

Page 82: ...02 3 encapsulation format VLAN ID identifies the VLAN to which a packet belongs When a switch receives a packet carrying no VLAN tag the switch encapsulates a VLAN tag with the default VLAN ID of the...

Page 83: ...has a VLAN interface which can forward packets of the local VLAN to the destination IP addresses at the network layer Normally since VLANs can isolate broadcast domains each VLAN corresponds to an IP...

Page 84: ...ple VLANs to be sent untagged but a trunk port only allows the packets of the default VLAN to be sent untagged The three types of ports can coexist on the same device Assigning an Ethernet Port to Spe...

Page 85: ...t For an untagged packet For a tagged packet Processing of an outgoing packet z If the port has already been added to its default VLAN tag the packet with the default VLAN tag and then forward the pac...

Page 86: ...he type field in Ethernet II encapsulation is in the range of 0x0600 to 0xFFFF Packets with the value of the type or length field being in the range 0x05DD to 0x05FF are regarded as illegal packets an...

Page 87: ...encapsulation format In 802 2 SNAP encapsulation format the values of the DSAP field and the SSAP field are always 0xAA and the value of the control field is always 3 The switch differentiates betwee...

Page 88: ...atch the type value Invalid packets that cannot be matched 802 2 802 3 encapsulation Control field Invalid packets that cannot be matched dsap ssap value 802 2 SNAP encapsulation Match the dsap ssap v...

Page 89: ...ser defined template adopts the user defined encapsulation formats and values of some specific fields as the matching criteria After configuring the protocol template you must add a port to the protoc...

Page 90: ...ional Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 to vlan i...

Page 91: ...prompt information Basic VLAN Interface Configuration Configuration prerequisites Before configuring a VLAN interface create the corresponding VLAN Configuration procedure Follow these steps to perfor...

Page 92: ...ce does not influence the physical status of the Ethernet ports belonging to this VLAN Displaying VLAN Configuration To do Use the command Remarks Display the VLAN interface information display interf...

Page 93: ...multiple VLANs To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Access port port access vlan vlan id Trunk port port trun...

Page 94: ...s the default VLAN by default z After configuring the default VLAN for a trunk or hybrid port you need to use the port trunk permit command or the port hybrid vlan command to configure the port to all...

Page 95: ...itchA vlan 201 SwitchA vlan201 port GigabitEthernet 1 0 2 SwitchA vlan201 quit z Configure Switch B Create VLAN 101 specify its descriptive string as DMZ and add GigabitEthernet1 0 11 to VLAN 101 Swit...

Page 96: ...a Port with a Protocol Based VLAN Required Displaying Protocol Based VLAN Configuration Optional Configuring a Protocol Template for a Protocol Based VLAN Configuration prerequisites Create a VLAN bef...

Page 97: ...et both the dsap id and ssap id arguments to 0xFF 0xE0 or 0xAA z When you use the mode keyword to configure a user defined protocol template if you set the etype id argument for ethernetii or snap pac...

Page 98: ...t1 0 10 on the S5100 SI EI switch z IP network and AppleTalk network workstations hosts coexist in the Workroom z The S5100 SI EI switch connects to VLAN 100 using IP network through GigabitEthernet1...

Page 99: ...the packets of VLAN 100 and VLAN 200 before forwarding the packets Sysname vlan100 quit Sysname interface GigabitEthernet 1 0 10 Sysname GigabitEthernet1 0 10 port link type hybrid Sysname GigabitEth...

Page 100: ...2 11 transmission by matching the corresponding protocol templates so as to realize the normal communication between workstations and servers...

Page 101: ...duction to Management VLAN 1 1 Management VLAN 1 1 Static Route 1 1 Default Route 1 1 Management VLAN Configuration 1 2 Prerequisites 1 2 Configuring the Management VLAN 1 2 Configuration Example 1 3...

Page 102: ...to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former 0IP address will be released and the fin...

Page 103: ...uired By default VLAN 1 operates as the management VLAN Create the management VLAN interface and enter the corresponding VLAN interface view interface vlan interface vlan id Required Assign an IP addr...

Page 104: ...efault route Network diagram Figure 1 1 Network diagram for management VLAN configuration Configuration procedure Perform the following configurations after the current user logs in to Switch A throug...

Page 105: ...o a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to a specified IP address range display ip routing table ip address1 mask1 ip address2...

Page 106: ...or Voice VLAN on Various Ports 1 4 Security Mode of Voice VLAN 1 6 Voice VLAN Configuration 1 6 Configuration Prerequisites 1 6 Configuring the Voice VLAN to Operate in Automatic Voice VLAN Assignment...

Page 107: ...t analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voice com...

Page 108: ...port Option 184 it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field Without information about voice VLAN the IP phone can only send u...

Page 109: ...a voice packet by checking its source MAC address against an organizationally unique identifier OUI list If a match is found the packet is considered as a voice packet Ports receiving packets of this...

Page 110: ...VLAN assignment automatic mode ports can not be added to or removed from a voice VLAN manually z Manual voice VLAN assignment mode In this mode you need to add a port to a voice VLAN or remove a port...

Page 111: ...y Access Not supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice...

Page 112: ...sure the default VLAN of the port exists and is not a voice VLAN and the default VLAN and the voice VLAN is in the list of the tagged VLANs whose traffic is permitted by the access port Security Mode...

Page 113: ...legacy is disabled Set the voice VLAN assignment mode of the port to automatic voice vlan mode auto Optional The default voice VLAN assignment mode on a port is automatic z A port working in automati...

Page 114: ...equired Enable voice VLAN on a port voice vlan enable Required By default voice VLAN is disabled on a port Enable the voice VLAN legacy function on the port voice vlan legacy Optional By default voice...

Page 115: ...mit both voice data and service data in a voice VLAN If you have to do so make sure that the voice VLAN does not operate in security mode z The voice VLAN legacy feature realizes the communication bet...

Page 116: ...string being test Network diagram Figure 1 2 Network diagram for voice VLAN configuration automatic mode Internet 010 1001 OUI 0011 2200 0000 Mask ffff ff00 0000 GE1 0 1 VLAN 2 VLAN 2 Device A Device...

Page 117: ...security mode z The IP phone sends untagged packets It is connected to GigabitEthernet 1 0 1 a hybrid port Set this port to operates in manual mode z You need to add a user defined OUI address 0011 22...

Page 118: ...net 1 0 1 DeviceA GigabitEthernet1 0 1 voice vlan enable Verification Display the OUI addresses the corresponding OUI address masks and the corresponding description strings that the system supports D...

Page 119: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Page 120: ...portant functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to be registered on other devices it sends Join messages to these devices...

Page 121: ...veAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other three timers which are set on a port basis the LeaveAll timer is set...

Page 122: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Page 123: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Page 124: ...iew system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inter...

Page 125: ...All timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by...

Page 126: ...us implementing dynamic VLAN information registration and refresh z By configuring the GVRP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network...

Page 127: ...dure of Switch B is similar to that of Switch A and is thus omitted 3 Configure Switch C Enable GVRP on Switch C which is similar to that of Switch A and is thus omitted Create VLAN 5 SwitchC vlan 5 S...

Page 128: ...y vlan dynamic Total 3 dynamic VLAN exist s The following dynamic VLANs exist 5 7 8 Display the VLAN information dynamically registered on Switch E SwitchE GigabitEthernet1 0 1 display vlan dynamic No...

Page 129: ...1 10...

Page 130: ...Enabling Flow Control on a Port 1 4 Duplicating the Configuration of a Port to Other Ports 1 4 Configuring Loopback Detection for an Ethernet Port 1 5 Enabling Loopback Test 1 6 Enabling the System to...

Page 131: ...itEthernet1 0 16 GigabitEthernet1 0 19 GigabitEthernet1 0 13 S5100 16P SI S5100 16P EI S5100 16P PWR EI GigabitEthernet1 0 20 GigabitEthernet1 0 15 GigabitEthernet1 0 25 GigabitEthernet1 0 22 GigabitE...

Page 132: ...nterface MDI mode of the Ethernet port mdi across auto normal Optional Be default the MDI mode of an Ethernet port is auto Set the maximum frame size allowed on the Ethernet port to 9 216 bytes jumbof...

Page 133: ...to the default setting z The effect of executing speed auto 10 100 1000 equals to that of executing speed auto that is the port is configured to support all the auto negotiation speeds 10 Mbps 100 Mbp...

Page 134: ...figuration of a port to specific ports Specifically the following types of port configuration can be duplicated from one port to other ports VLAN configuration protocol based VLAN configuration LACP c...

Page 135: ...t loopback detection is disabled globally Set the interval for performing port loopback detection loopback detection interval time time Optional The default is 30 seconds Enter Ethernet port view inte...

Page 136: ...nternal loop test In the internal loop test self loop is established in the switching chip to locate the chip failure which is related to the port Note that z After you use the shutdown command on a p...

Page 137: ...view system view Enter Ethernet port view interface interface type interface number Set the interval to perform statistical analysis on port traffic flow interval interval Optional By default this int...

Page 138: ...ing Up Down log information and execute the shutdown command or the undo shutdown command on GigabitEthernet 1 0 1 No Up Down log information is generated or output for GigabitEthernet 1 0 1 Sysname G...

Page 139: ...opback detection Display information for a specified port group display port group group id Display brief information about port configuration display brief interface interface type interface number b...

Page 140: ...egation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggregatio...

Page 141: ...otifies the following information of the port to its peer by sending LACPDUs priority and MAC address of this system priority number and operation key of the port Upon receiving the information the pe...

Page 142: ...es the following three types of link aggregation exist z Manual aggregation z Static LACP aggregation z Dynamic LACP aggregation Manual Aggregation Group Introduction to manual aggregation group A man...

Page 143: ...tion group must contain at least one port When a static aggregation group contains only one port you cannot remove the port unless you remove the whole aggregation group LACP is enabled on the member...

Page 144: ...t number serves as the master port of the group and other selected ports serve as member ports of the group There is a limit on the number of selected ports in an aggregation group Therefore if the nu...

Page 145: ...tion resources are allocated to aggregation groups in the following order z An aggregation group containing special ports which require hardware aggregation resources has higher priority than any aggr...

Page 146: ...ot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP intrusion detection enabled to an aggregation group z Do not add po...

Page 147: ...one or multiple dynamic aggregation groups For a static aggregation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a manual a...

Page 148: ...marks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface interface ty...

Page 149: ...display link aggregation interface interface type interface number to interface type interface number Display local device ID display lacp system id Available in any view Clear LACP statistics about a...

Page 150: ...LACP aggregation mode Create static aggregation group 1 Sysname system view Sysname link aggregation group 1 mode static Add GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1...

Page 151: ...tEthernet1 0 3 lacp enable The three LACP enabled ports can be aggregated into one dynamic aggregation group to implement load sharing only when they have the same basic configuration such as rate dup...

Page 152: ...of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying and Maintaining Port Isolation Configuration 1 2 Port Isolation Configuration Exa...

Page 153: ...way and improve your network security Currently you can create only one isolation group on an S5100SI EI Series Ethernet switch The number of Ethernet ports in an isolation group is not limited An is...

Page 154: ...an isolated port to an aggregation group causes all the ports in the aggregation group on the local unit to be added to the isolation group Displaying and Maintaining Port Isolation Configuration To d...

Page 155: ...solate Sysname GigabitEthernet1 0 2 quit Sysname interface GigabitEthernet1 0 3 Sysname GigabitEthernet1 0 3 port isolate Sysname GigabitEthernet1 0 3 quit Sysname interface GigabitEthernet1 0 4 Sysna...

Page 156: ...figuring Port Security Features 1 7 Ignoring the Authorization Information from the RADIUS Server 1 8 Configuring Security MAC Addresses 1 8 Displaying and Maintaining Port Security Configuration 1 9...

Page 157: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Page 158: ...ort security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned or dynamic MAC addresses...

Page 159: ...MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users macAddressOrUser LoginSecure In this mode both MAC authentication and...

Page 160: ...OUI address does not match z On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode Intrusion Protection is triggered only after both MAC bas...

Page 161: ...hentication configuration Setting the Maximum Number of MAC Addresses Allowed on a Port Port security allows more than one user to be authenticated on a port The number of authenticated users allowed...

Page 162: ...in noRestriction mode In this mode access to the port is not restricted You can set a port security mode as needed z Before setting the port security mode to autolearn you need to set the maximum numb...

Page 163: ...s to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the corresponding act...

Page 164: ...orization information to the device You can configure a port to ignore the authorization information from the RADIUS server Follow these steps to configure a port to ignore the authorization informati...

Page 165: ...lowed on the port is set z The security mode of the port is set to autolearn Configuring a security MAC address Follow these steps to configure a security MAC address To do Use the command Remarks Ent...

Page 166: ...stay silent for 30 seconds Network diagram Figure 1 1 Network diagram for port security configuration Configuration procedure Enter system view Switch system view Enable port security Switch port sec...

Page 167: ...ding Follow these steps to configure port binding To do Use the command Remarks Enter system view system view In system view am user bind mac addr mac address ip addr ip address interface interface ty...

Page 168: ...they steal from Host A to access the network Network diagram Figure 2 1 Network diagram for port binding configuration Configuration procedure Configure Switch A as follows Enter system view SwitchA...

Page 169: ...2 DLDP Status 1 4 DLDP Timers 1 4 DLDP Operating Mode 1 5 DLDP Implementation 1 6 DLDP Neighbor State 1 7 Link Auto recovery Mechanism 1 7 DLDP Configuration 1 8 Performing Basic DLDP Configuration 1...

Page 170: ...A it is a bidirectional link two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional link appears the local device can receive packets from th...

Page 171: ...s z As a link layer protocol it works together with the physical layer protocols to monitor the link status of a device z The auto negotiation mechanism at the physical layer detects physical signals...

Page 172: ...packets are used to notify unidirectional link emergencies a unidirectional link emergency occurs when the local port is down and the peer port is up Linkdown packets carry only the local port inform...

Page 173: ...corresponding neighbor immediately neither does it changes to the inactive state Instead it changes to the delaydown state first When a device changes to the delaydown state the related DLDP neighbor...

Page 174: ...port automatically or prompts you to disable the port manually Meanwhile DLDP deletes the neighbor entry DelayDown timer When a device in the active advertisement or probe DLDP state receives a port...

Page 175: ...e DLDP packets sent Active Advertisement packets with the RSY flag set or not set Advertisement Advertisement packets Probe Probe packets 2 A DLDP packet received is processed as follows z In authenti...

Page 176: ...ced mode no echo packet is received when the enhanced timer expires DLDP switches to the disable state outputs log and tracking information and sends flush packets Depending on the user defined DLDP d...

Page 177: ...The auto recovery mechanism does apply to ports that are shut down manually DLDP Configuration Performing Basic DLDP Configuration Follow these steps to perform basic DLDP configuration To do Use the...

Page 178: ...n the aggregation group as independent z When connecting two DLDP enabled devices make sure the software running on them is of the same version Otherwise DLDP may operate improperly z When you use the...

Page 179: ...igure 1 3 z Switch A and Switch B are connected through two pairs of fibers Both of them support DLDP All the ports involved operate in mandatory full duplex mode with their rates all being 1 000 Mbps...

Page 180: ...dp unidirectional shutdown auto Display the DLDP state SwitchA display dldp 1 When two switches are connected through fibers in a crossed way two or three ports may be in the disable state and the res...

Page 181: ...guring MAC Address Table Management 1 4 Configuration Task List 1 4 Configuring a MAC Address Entry 1 5 Setting the Aging Time of MAC Address Entries 1 6 Setting the Maximum Number of MAC Addresses a...

Page 182: ...MAC address table entries z Unicast forwarding If the destination MAC address carried in the packet is included in a MAC address table entry the switch forwards the packet through the forwarding egre...

Page 183: ...1 to ensure that User B can receive the packet Figure 1 3 MAC address learning diagram 2 3 Because the switch broadcasts the packet both User B and User C can receive the packet However User C is not...

Page 184: ...tances for example User B is unreachable or User B receives the packet but does not respond to it the switch cannot learn the MAC address of User B Hence the switch still broadcasts the packets destin...

Page 185: ...nfigured manually A switch discards the packets destined for or originated from the MAC addresses contained in blackhole MAC address entries Table 1 1 lists the different types of MAC address entries...

Page 186: ...e argument must belong to the VLAN specified by the vlan argument in the command Otherwise the entry will not be added z If the VLAN specified by the vlan argument is a dynamic VLAN after a static MAC...

Page 187: ...tion applies to all ports but only takes effect on dynamic MAC addresses that are learnt or configured to age Setting the Maximum Number of MAC Addresses a Port Can Learn The MAC address learning mech...

Page 188: ...in any VLAN z If the VLAN is configured as a remote probe VLAN used by port mirroring you can not disable MAC address learning of this VLAN Similarly after you disable MAC address learning this VLAN c...

Page 189: ...net 1 0 2 belongs to VLAN 1 Configuration procedure Enter system view Sysname system view Sysname Add a MAC address with the VLAN ports and states specified Sysname mac address static 000f e20f dc71 i...

Page 190: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Page 191: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 44 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 45 Enab...

Page 192: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Page 193: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Page 194: ...ls see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port...

Page 195: ...iority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the...

Page 196: ...ared for their root path costs If the root path cost in a configuration BPDU plus the path cost corresponding to this port is S the configuration BPDU with the smallest S value has the highest priorit...

Page 197: ...figuration BPDU which will be sent out periodically z If the configuration BPDU on the port is superior the device stops updating the configuration BPDUs of the port and blocks the port so that the po...

Page 198: ...e configuration BPDU of each port and starts sending out configuration BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds th...

Page 199: ...ort CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its old one Device C launches a BPDU update process z At the same time port...

Page 200: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Page 201: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Page 202: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Page 203: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 6 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Page 204: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Page 205: ...ame time MSTP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP genera...

Page 206: ...nfigure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are per...

Page 207: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Page 208: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Page 209: ...Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configurat...

Page 210: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Page 211: ...le switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configuration example Set the bridge priority of the current switch to 4 096 in MSTI 1 Sysname s...

Page 212: ...me system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Restore the default mode for GigabitEthernet 1 0 1 to recognize send MSTP packets Sysname Gigab...

Page 213: ...chanism disables the switches that are beyond the maximum hop count from participating in spanning tree calculation and thus limits the size of an MST region With such a mechanism the maximum hop coun...

Page 214: ...re the network diameter of a switched network an MSTP enabled switch adjusts its hello time forward delay and max age settings accordingly to better values The network diameter setting only applies to...

Page 215: ...As for the max age parameter if it is too small network congestion may be falsely regarded as link failures which results in frequent spanning tree recalculation If it is too large link problems may...

Page 216: ...tch stp timer factor number Required The timeout time factor defaults to 3 For a steady network the timeout time can be five to seven times of the hello time Configuration example Configure the timeou...

Page 217: ...rnet 1 0 1 Sysname GigabitEthernet1 0 1 stp transmit limit 15 Configuring the Current Port as an Edge Port Edge ports are ports that neither directly connects to other switches nor indirectly connects...

Page 218: ...le 2 Configure GigabitEthernet 1 0 1 as an edge port in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 stp edged port enable Setting the Li...

Page 219: ...ure the link of the port as a point to point link After you configure the link of a port as a point to point link the configuration applies to all the MSTIs the port belongs to If the actual physical...

Page 220: ...disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports...

Page 221: ...for calculating path costs of ports Currently a switch can calculate the path costs of ports based on one of the following standards z dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the...

Page 222: ...02 1T standard does The following formula is used to calculate the path cost of an aggregated link Path cost 200 000 000 link transmission rate Where link transmission rate is the sum of the rates of...

Page 223: ...Sysname stp pathcost standard dot1d 1998 2 Perform this configuration in Ethernet port view Sysname system view Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 undo stp instance 1...

Page 224: ...hernet 1 0 1 in MSTI 1 to be 16 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 instance 1 port priority 16 2 Perform this configuration in...

Page 225: ...ed Configuration Example Perform the mCheck operation on GigabitEthernet 1 0 1 1 Perform this configuration in system view Sysname system view Sysname stp interface GigabitEthernet 1 0 1 mcheck 2 Perf...

Page 226: ...PDU guard function Sysname system view Sysname stp bpdu protection Configuring Root Guard A root bridge and its secondary root bridges must reside in the same region The root bridge of the CIST and it...

Page 227: ...view To do Use the command Remarks Enter system view system view Enter Ethernet port view Interface interface type interface number Enable the root guard function on the current port stp root protect...

Page 228: ...the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the loop guard function on the current port stp loop protection Required Th...

Page 229: ...ew system view Enable the TC BPDU attack guard function stp tc protection enable Required The TC BPDU attack guard function is disabled by default Set the maximum times that a switch can remove the MA...

Page 230: ...onfiguration ID contains information such as region ID and configuration digest As some other manufacturers switches adopt proprietary spanning tree protocols they cannot communicate with the other sw...

Page 231: ...operate normally Configuration procedure Follow these steps to configure digest snooping To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type...

Page 232: ...tree protocols in the same MST region z When the digest snooping feature is enabled globally the VLAN to instance mapping table cannot be modified z The digest snooping feature is not applicable to b...

Page 233: ...pstream switch As a result the designated port of the upstream switch fails to transit rapidly and can only turn to the forwarding state after a period twice the forward delay Some other manufacturers...

Page 234: ...figuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the rapid transition feature in system view To do Use the command Remarks Enter system view...

Page 235: ...e service provider network and the lower part comprises the customer networks The service provider network comprises packet input output devices and the customer network has networks A and B On the se...

Page 236: ...MSTP enabled there may be many MSTP instances and so the status of a port may change frequently In this case maintenance personnel may expect that log trap information is output to the log host when...

Page 237: ...tch to send trap messages conforming to 802 1d standard to the network management device when the switch becomes the root bridge of instance 1 Sysname system view Sysname stp instance 1 dot1d trap new...

Page 238: ...yer Switch A and Switch B are configured as the root bridges of MSTI 1 and MSTI 3 respectively Switch C is configured as the root bridge of MSTI 4 Network diagram Figure 1 10 Network diagram for MSTP...

Page 239: ...er MST region view Sysname system view Sysname stp region configuration Configure the MST region Sysname mst region region name example Sysname mst region instance 1 vlan 10 Sysname mst region instanc...

Page 240: ...between the customer networks and the service provider network Network diagram Figure 1 11 Network diagram for VLAN VPN tunnel configuration Eth 1 0 1 Switch A Switch D Switch C Switch B Eth 1 0 1 GE...

Page 241: ...Ns Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch D Enable MSTP Sysname system view Sysname stp enable Enable the VLAN VPN tunnel function Sysname vlan vpn tunnel Add Gigab...

Page 242: ...ered Authentication 1 19 Configuring Guest VLAN 1 19 Configuring 802 1x Re Authentication 1 20 Configuring the 802 1x Re Authentication Timer 1 20 Displaying and Maintaining 802 1x Configuration 1 21...

Page 243: ...ii Configuring the System Guard Feature 4 1 Configuring the System Guard Feature 4 1 Displaying and Maintaining System Guard 4 2...

Page 244: ...ort based network access control protocol It authenticates and controls devices requesting for access in terms of the ports of LAN access devices With the 802 1x protocol employed a user side device c...

Page 245: ...thorization and Accounting AAA services to users It also stores user information such as user name password the VLAN a user belongs to priority and the Access Control Lists ACLs applied The four basic...

Page 246: ...goes offline the others are denied as well z MAC based authentication All supplicant systems connected to a port have to be authenticated individually in order to access the network And when a supplic...

Page 247: ...ket is an EAPoL start packet which initiates the authentication 02 Indicates that the packet is an EAPoL logoff packet which sends logging off requests 03 Indicates that the packet is an EAPoL key pac...

Page 248: ...ure 1 5 The format of the Data field of a Request packet or a Response packet z The Type field indicates the EAP authentication type A value of 1 indicates Identity and that the packet is used to quer...

Page 249: ...with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security EAP TTLS tunneled transport layer security and Prote...

Page 250: ...process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP re...

Page 251: ...d to rejected In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authent...

Page 252: ...Used in 802 1x In 802 1 x authentication the following timers are used to ensure that the supplicant system the switch and the RADIUS server interact in an orderly way z Handshake timer handshake peri...

Page 253: ...rom the supplicant system when this timer times out The second case is when the switch authenticates the 802 1x client who cannot request for authentication actively The switch sends multicast request...

Page 254: ...is configured to disable use of multiple network adapters proxies or IE proxies it prompts the 802 1x client to disable use of multiple network adapters proxies or IE proxies through messages after t...

Page 255: ...on Refer to AAA Operation for detailed information about the dynamic VLAN delivery function Enabling 802 1x re authentication 802 1x re authentication is timer triggered or packet triggered It re auth...

Page 256: ...switch re authenticates users periodically 802 1x re authentication will fail if a CAMS server is used and configured to perform authentication but not accounting This is because a CAMS server establ...

Page 257: ...S server and perform RADIUS client related configuration on the switches z You can also specify to adopt the RADIUS authentication scheme with a local authentication scheme as a backup In this case th...

Page 258: ...r dot1x port method macbased portbased Set port access method for specified ports In port view quit Optional The default port access method is MAC address based that is the macbased keyword is used by...

Page 259: ...shaking periods To prevent users being falsely considered offline you need to disable the online user handshaking function in this case z The handshake packet protection function requires the cooperat...

Page 260: ...e interface list argument the command applies to all ports You can also use this command in port view In this case this command applies to the current port only and the interface list argument is not...

Page 261: ...line user handshaking function first z The configuration listed in the above table takes effect only when it is performed on CAMS as well as on the switch In addition the client version checking funct...

Page 262: ...ated when they apply for dynamic IP addresses through DHCP Follow these steps to enable DHCP triggered authentication To do Use the command Remarks Enter system view system view Enable DHCP triggered...

Page 263: ...hen re authenticating a user a switch goes through the complete authentication process It transmits the username and password of the user to the server The server may authenticate the username and pas...

Page 264: ...stics interface interface list Available in user view Configuration Example 802 1x Configuration Example Network requirements z Authenticate users on all ports to control their accesses to the Interne...

Page 265: ...guration procedure Following configuration covers the major AAA RADIUS configuration commands Refer to AAA Operation for the information about these commands Configuration on the client and the RADIUS...

Page 266: ...s1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with the domain name truncated Sysname radius radius1 user name format without domain Sysname radius radius1 quit C...

Page 267: ...Defense EAD solution can improve the overall defense power of a network In real applications however deploying EAD clients proves to be time consuming and inconvenient To address the issue the H3C S5...

Page 268: ...deployment feature takes effect only when the access control mode of an 802 1x enabled port is set to auto Configuring Quick EAD Deployment Configuration Prerequisites z Enable 802 1x on the switch z...

Page 269: ...e effect if you enable port security Setting the ACL timeout period The quick EAD deployment function depends on ACLs in restricting access of users failing authentication Each online user that has no...

Page 270: ...t Configuration Example Network requirements A user connects to the switch directly The switch connects to the Web server and the Internet The user will be redirected to the Web server to download the...

Page 271: ...decimal notation the user may not be redirected This is related with the operating system used on the PC In this case the PC considers the IP address string a name and tries to resolve the name If the...

Page 272: ...anagement devices can obtain the MAC addresses of the attached switches and thus the management of the attached switches is feasible HABP is built on the client server model Typically the HABP server...

Page 273: ...ttached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Follow these steps to...

Page 274: ...t filtering rules according the characteristics of the attack source Thus system guard is implemented Configuring the System Guard Feature Through the following configuration you can enable the system...

Page 275: ...ny view to display the running status of the system guard feature and to verify the configuration Table 4 2 Display and maintain system guard Operation Command Display the record of detected attacks d...

Page 276: ...umber of RADIUS Request Transmission Attempts 2 14 Configuring the Type of RADIUS Servers to be Supported 2 15 Configuring the Status of RADIUS Servers 2 15 Configuring the Attributes of Data to be Se...

Page 277: ...Users 2 28 HWTACACS Authentication and Authorization of Telnet Users 2 30 Troubleshooting AAA 2 31 Troubleshooting RADIUS Configuration 2 31 Troubleshooting HWTACACS Configuration 2 31 3 EAD Configura...

Page 278: ...ated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardwar...

Page 279: ...ervice for AAA is RADIUS What is RADIUS Remote Authentication Dial in User Service RADIUS is a distributed service based on client server structure It can prevent unauthorized access to your network a...

Page 280: ...RADIUS client a switch for example and a RADIUS server are verified through a shared key This enhances the security The RADIUS protocol combines the authentication and authorization processes together...

Page 281: ...accounting response Accounting Response 9 The access to network resources is ended RADIUS message format RADIUS messages are transported over UDP which does not guarantee reliable delivery of message...

Page 282: ...Identifier Length Authenticator and Attributes fields The bytes beyond the length are regarded as padding and are ignored upon reception If a received message is shorter than what the Length field in...

Page 283: ...0 CHAP Challenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol has good scalability Attribute 26 Vender Specific defined in this pro...

Page 284: ...ation from authorization For example you can use one TACACS server for authentication and another TACACS server for authorization Combines authentication and authorization Is more suitable for securit...

Page 285: ...client sends an authentication continuance message carrying the username 4 The TACACS server returns an authentication response asking for the password Upon receiving the response the TACACS client r...

Page 286: ...ends an accounting start request to the TACACS server 11 The TACACS server returns an accounting response indicating that it has received the accounting start request 12 The user logs out the TACACS c...

Page 287: ...tes Required Configuring a combined AAA scheme Required None authentication Local authentication RADIUS authentication Configuring an AAA Scheme for an ISP Domain HWTACACS authentication z Use one of...

Page 288: ...e the form of the delimiter between the username and the ISP domain name domain delimiter at dot Optional By default the delimiter between the username and the ISP domain name is Create an ISP domain...

Page 289: ...n any z If the system does not find any available accounting server or fails to communicate with any accounting server when it performs accounting for a user it does not disconnect the user as long as...

Page 290: ...case no TACACS server is available That is if the communication between the switch and a TACACS server is normal the local scheme is not used if the TACACS server is not reachable or there is a key e...

Page 291: ...configuration for a domain When the scheme radius scheme or scheme local command is executed and the authentication command is not executed the authorization information returned from the RADIUS or lo...

Page 292: ...the switch If it finds a match it adds the port to the corresponding VLAN Otherwise the VLAN assignment fails and the user fails the authentication In actual applications to use this feature together...

Page 293: ...for the local user password simple cipher password Required Set the status of the local user state active block Optional By default the user is in active state that is the user is allowed to request n...

Page 294: ...the MAC address authentication can be assigned with an authorized VLAN The switch will not assign authorized VLANs for subsequent users passing MAC address authentication In this case you are recommen...

Page 295: ...ient Enabling the User Re Authentication at Restart Function Optional Configuring the RADIUS server Refer to the configuration of the RADIUS Server Complete the following tasks to configure RADIUS the...

Page 296: ...d configure at least one authentication authorization server and one accounting server and you should keep the RADIUS server port settings on the switch consistent with those on the RADIUS servers Act...

Page 297: ...tion response sent from the RADIUS server to the RADIUS client carries authorization information Therefore you need not and cannot specify a separate RADIUS authorization server z In an actual network...

Page 298: ...to configure the RADIUS authorization attribute ignoring function To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme nam...

Page 299: ...al By default the maximum allowed number of continuous real time accounting failures is five If five continuous failures occur the switch cuts down the user connection z In an actual network environme...

Page 300: ...authorization shared key and the accounting shared key you set on the switch must be respectively consistent with the shared key on the authentication authorization server and the shared key on the a...

Page 301: ...cheme Configuring the Status of RADIUS Servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails to communicate...

Page 302: ...onfigure the attributes of data to be sent to RADIUS servers To do Use the command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Requ...

Page 303: ...z In the default RADIUS scheme system ISP domain names are removed from usernames by default z The purpose of setting the MAC address format of the Calling Station Id Type 31 field in RADIUS packets...

Page 304: ...servers and the corresponding timer in the switch system is called the response timeout timer of RADIUS servers If the switch gets no answer within the response timeout time it needs to retransmit th...

Page 305: ...Enter system view system view Enable the sending of trap message when a RADIUS server is down radius trap authentication server down accounting server down Optional By default the switch does not sen...

Page 306: ...date message 4 Once the switch receives the response from the CAMS it stops sending Accounting On messages 5 If the switch does not receive any response from the CAMS after it has tried the configured...

Page 307: ...TACACS protocol configuration is performed on a scheme basis Therefore you must create a HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Follow these steps to creat...

Page 308: ...remove an authentication server setting only when there is no active TCP connection that is sending authentication messages to the server Configuring TACACS Authorization Servers Follow these steps to...

Page 309: ...d port number of the secondary TACACS accounting server secondary accounting ip address port Required By default the IP address of the secondary accounting server is 0 0 0 0 and the port number is 0 E...

Page 310: ...Follow these steps to configure the attributes for data to be sent to TACACS servers To do Use the command Remarks Enter system view system view Create a HWTACACS scheme and enter its view hwtacacs s...

Page 311: ...tional By default the response timeout time is five seconds Set the time that the switch must wait before it can restore the status of the primary server to active timer quiet minutes Optional By defa...

Page 312: ...command Remarks Display RADIUS message statistics about local RADIUS server display local server statistics Display configuration information about one specific or all RADIUS schemes display radius sc...

Page 313: ...entication Network requirements In the network environment shown in Figure 2 2 you are required to configure the switch so that the Telnet users logging into the switch are authenticated by the RADIUS...

Page 314: ...gure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary authentication 10 110 91 164 1812 Sysname radius cams key authentication aabbcc Sysn...

Page 315: ...AA authentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user...

Page 316: ...authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off usernames before sending usernames to t...

Page 317: ...nging the RADIUS server from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and s...

Page 318: ...es the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as va...

Page 319: ...s of access users such as username user type and password For local authentication you need to configure these attributes on the switch for remote authentication you need to configure these attributes...

Page 320: ...the switch to use port number 1812 to communicate with the server z Configure the authentication server type to extended z Configure the encryption password for exchanging messages between the switch...

Page 321: ...ert Sysname radius cams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme...

Page 322: ...1 2 Quiet MAC Address 1 2 Configuring Basic MAC Address Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 4 MAC Address Authentication Enhanced Function Config...

Page 323: ...ode where user names and passwords are configured on a switch in advance In this case the user name the password and the limits on the total number of user names are the matching criterion for success...

Page 324: ...of a user if the switch receives no response from the RADIUS server in this period it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network Qui...

Page 325: ...name Required The default ISP domain default domain is used by default Configure the MAC address authentication timers mac authentication timer offline detect offline detect value quiet quiet value s...

Page 326: ...tions for a switch this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords The switch will not learn MAC addresses of the clients fail...

Page 327: ...adds the port to the Guest VLAN Therefore the Guest VLAN can separate unauthenticated users on an access port When it comes to a trunk port or a hybrid port if a packet itself has a VLAN tag and be in...

Page 328: ...cation cannot be enabled for a port configured with a Guest VLAN z The Guest VLAN function for MAC address authentication does not take effect when port security is enabled Configuring the Maximum Num...

Page 329: ...ion interface interface list Available in any view Clear the statistics of global or on port MAC address authentication reset mac authentication statistics interface interface type interface number Av...

Page 330: ...domain named aabbcc net Sysname domain aabbcc net New Domain added Specify to perform local authentication Sysname isp aabbcc net scheme local Sysname isp aabbcc net quit Specify aabbcc net as the IS...

Page 331: ...4 IP Address Configuration Example I 1 4 IP Address Configuration Example II 1 5 2 IP Performance Optimization Configuration 2 1 IP Performance Overview 2 1 Introduction to IP Performance Configurati...

Page 332: ...dress is used to identify a host An example is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four...

Page 333: ...s 0 0 0 16 indicates the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast...

Page 334: ...nd Standards z RFC 1366 Guidelines for Management of IP Address Space z RFC 1367 Schedule for IP Address Space Management Guidelines Configuring IP Addresses S5100 Series Ethernet Switches support ass...

Page 335: ...eside on the same network segment A VLAN interface cannot be configured with a secondary IP address if the interface has been configured to obtain an IP address through BOOTP or DHCP z The S5100 EI se...

Page 336: ...nected to a LAN comprising two segments 172 16 1 0 24 and 172 16 2 0 24 To enable the hosts on the two network segments to communicate with the external network through the switch and the hosts on the...

Page 337: ...es 56 Sequence 5 ttl 255 time 26 ms 172 16 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 25 26 27 ms The output information shows the S5100 SI...

Page 338: ...forwarding information base FIB FIB is used to store the forwarding information of the switch and guide Layer 3 packet forwarding You can know the forwarding information of the switch by viewing the...

Page 339: ...es ICMP packets are usually sent by the network or transport layer protocols to notify corresponding devices so as to facilitate management Advantages of sending ICMP error packets ICMP redirect packe...

Page 340: ...antages z Sending a lot of ICMP packets will increase network traffic z If a device receives a lot of malicious packets that cause it to send ICMP error packets its performance will be reduced z As th...

Page 341: ...ength1 ip_address2 mask2 mask length2 longer longer Display the FIB entries permitted by a specific ACL display fib acl number Display the FIB entries in the buffer which begin with include or exclude...

Page 342: ...Agent Configuration 1 7 DHCP Relay Agent Configuration Example 1 7 Troubleshooting DHCP Relay Agent Configuration 1 8 3 DHCP Snooping Configuration 3 1 DHCP Snooping Overview 3 1 Introduction to DHCP...

Page 343: ...iguration Protocol DHCP is developed to solve these issues DHCP adopts a client server model where the DHCP clients send requests to DHCP servers for configuration parameters and the DHCP servers retu...

Page 344: ...R packet that first arrives and then broadcasts a DHCP REQUEST packet containing the assigned IP address carried in the DHCP OFFER packet 4 Acknowledge In this phase the DHCP servers acknowledge the I...

Page 345: ...P packets The following figure describes the packet format the number in the brackets indicates the field length in bytes Figure 1 2 DHCP packet format The fields are described as follows z op Operati...

Page 346: ...including packet type valid lease time IP address of a DNS server and IP address of the WINS server Protocol Specification Protocol specifications related to DHCP include z RFC2131 Dynamic Host Config...

Page 347: ...to DHCP Relay Agent Usage of DHCP Relay Agent Since the packets are broadcasted in the process of obtaining IP addresses DHCP is only applicable to the situation that DHCP clients and DHCP servers ar...

Page 348: ...option in the DHCP message It records the location information of the DHCP client With this option the administrator can locate the DHCP client to further implement security control and accounting Th...

Page 349: ...the packet with its own or leaves the original Option 82 unchanged in the packet and forwards the packet if not discarded to the DHCP server z If the request packet does not contain Option 82 the DHCP...

Page 350: ...DHCP server group z You can configure up to eight DHCP server IP addresses in a DHCP server group z You can map multiple VLAN interfaces to one DHCP server group But one VLAN interface can be mapped...

Page 351: ...re used z Before executing the address check enable command on the interface connected to the DHCP server you need to configure the static binding of the IP address to the MAC address of the DHCP serv...

Page 352: ...ling Option 82 support on a DHCP relay agent Follow these steps to enable Option 82 support on a DHCP relay agent To do Use the command Remarks Enter system view system view Enable Option 82 support o...

Page 353: ...ay Agent Configuration Example Network requirements VLAN interface 1 on the DHCP relay agent Switch A connects to the network where DHCP clients reside The IP address of VLAN interface 1 is 10 10 1 1...

Page 354: ...d checking the information about debugging and interface state You can display the information by executing the corresponding display command Solution z Check if an address pool that is on the same ne...

Page 355: ...yer z Layer 2 switches can track DHCP clients IP addresses through the DHCP snooping function at the data link layer When an unauthorized DHCP server exists in the network a DHCP client may obtains an...

Page 356: ...ess and other parameters for the clients Option 82 involves at most 255 sub options If Option 82 is defined at least one sub option must be defined Currently the DHCP relay agent supports two sub opti...

Page 357: ...82 in the standard format Refer to Figure 3 4 and Figure 3 5 for the standard format of the sub options with the default padding contents In the standard format the Circuit ID or Remote ID sub option...

Page 358: ...forward the packet For details see Table 3 2 Table 3 2 Ways of handling a DHCP packet without Option 82 Sub option configuration The DHCP Snooping device will Neither of the two sub options is config...

Page 359: ...d MAC address of the client cannot be recorded in the DHCP snooping table Consequently this client cannot pass the IP filtering of the DHCP snooping table thus it cannot access external networks To so...

Page 360: ...not recommended to configure both the DHCP snooping and selective Q in Q function on the switch which may result in the DHCP snooping to function abnormally Configuring DHCP Snooping to Support Option...

Page 361: ...e Enter Ethernet port view interface interface type interface number Configure a handling policy for requests that contain Option 82 received on the specified interface dhcp snooping information strat...

Page 362: ...circuit ID sub option contains the VLAN ID and port index related to the port that receives DHCP request packets from DHCP clients z If you have configured a circuit ID with the vlan vlan id argument...

Page 363: ...t z If you configure a remote ID sub option in both system view and on a port the remote ID sub option configured on the port applies when the port receives a packet and the global remote ID applies t...

Page 364: ...om this IP address cannot pass the IP filtering z A static entry has a higher priority than the dynamic DHCP snooping entry that has the same IP address as the static one That is if the static entry i...

Page 365: ...ID field in Option 82 to the system name of the switch Set the circuit ID sub option to abcd in DHCP packets from VLAN 1 on GigabitEthernet 1 0 3 Network diagram Figure 3 6 Network diagram for DHCP s...

Page 366: ...the switch and specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port z Enable IP filtering on GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 to prevent attacks to the...

Page 367: ...0 2 quit Switch interface GigabitEthernet1 0 3 Switch GigabitEthernet1 0 3 ip check source ip address mac address Switch GigabitEthernet1 0 3 quit Switch interface GigabitEthernet1 0 4 Switch Gigabit...

Page 368: ...Before using BOOTP an administrator needs to configure a BOOTP parameter file for each BOOTP client on the BOOTP server The parameter file contains information such as MAC address and IP address of a...

Page 369: ...hop being the gateway assigned by the DHCP server To view detailed information about the default route run the display ip routing table command on the switch To improve security and avoid malicious a...

Page 370: ...dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc BOOTP Client Configuration Example Network requireme...

Page 371: ...igning an ACL Globally 1 9 Assigning an ACL to a VLAN 1 9 Assigning an ACL to a Port Group 1 10 Assigning an ACL to a Port 1 11 Displaying ACL Configuration 1 12 Example for Upper layer Software Refer...

Page 372: ...d destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2 ACL Rules are created based on the Layer 2 information such as source and destination MAC...

Page 373: ...h priority z If the types of parameter are the same for multiple rules then the sum of parameters weighting values of a rule determines its priority The smaller the sum the higher the match priority W...

Page 374: ...lease 2201 or earlier do not support Layer 2 ACL configuration z ACLs defined on S5100 SI series switches running Release 2201 or earlier can only be referenced by upper layer software they cannot be...

Page 375: ...ge the time range is active only when the periodic time range and the absolute time range are both matched Assume that a time range contains an absolute time section ranging from 00 00 January 1 2004...

Page 376: ...emains With the auto match order specified for the basic ACL you cannot modify any existent rule otherwise the system prompts error information z If you do not specify the rule id argument when creati...

Page 377: ...arried by IP and protocol specific features are determined Configuration Procedure Table 1 3 Define an advanced ACL rule Operation Command Description Enter system view system view Create an advanced...

Page 378: ...tcp source 129 9 0 0 0 0 255 255 destination 202 38 160 0 0 0 0 255 destination port eq www Configuring Layer 2 ACL Layer 2 ACLs filter packets according to their Layer 2 information such as the sour...

Page 379: ...ss 0011 4301 991e and with their 802 1p priority being 3 Sysname system view Sysname acl number 4000 Sysname acl ethernetframe 4000 rule deny cos 3 source 000d 88f5 97ed ffff ffff ffff dest 0011 4301...

Page 380: ...Assigning an ACL Globally Configuration prerequisites Before applying ACL rules to a VLAN you need to define the related ACLs For information about defining an ACL refer to section Configuring Basic A...

Page 381: ...packets of VLAN 10 on all the ports Sysname system view Sysname packet filter vlan 10 inbound ip group 2000 Assigning an ACL to a Port Group Configuration prerequisites Before applying ACL rules to a...

Page 382: ...define the related ACLs For information about defining an ACL refer to section Configuring Basic ACL section Configuring Advanced ACL section Configuring Layer 2 ACL Configuration procedure Table 1 8...

Page 383: ...ormation about remaining ACL resources supported on S5100 EI series only display acl remaining entry In any view Example for Upper layer Software Referencing ACLs Example for Controlling Telnet Login...

Page 384: ...Sysname acl number 2001 Sysname acl basic 2001 rule 1 permit source 10 110 100 46 0 Sysname acl basic 2001 quit Reference ACL 2001 to control users logging in to the Web server Sysname ip http acl 20...

Page 385: ...ch The IP address of the wage query server is 192 168 1 2 The R D department is connected to GigabitEthernet 1 0 1 of the switch Apply an ACL to deny requests from the R D department and destined for...

Page 386: ...MAC address of 0011 0011 0011 and the destination MAC address of 0011 0011 0012 Sysname acl number 4000 Sysname acl ethernetframe 4000 rule 1 deny source 0011 0011 0011 ffff ffff ffff dest 0011 0011 0...

Page 387: ...me range that is active from 8 00 to 18 00 in working days Sysname system view Sysname time range test 8 00 to 18 00 working day Define an ACL to deny packets destined for the database server Sysname...

Page 388: ...8 QoS Configuration 1 18 QoS Configuration Task List 1 18 Configuring Priority Trust Mode 1 19 Configuring Priority Mapping 1 20 Setting the Priority of Protocol Packets 1 24 Configuring Priority Mark...

Page 389: ...to QoS Profile 2 1 QoS Profile Application Mode 2 1 QoS Profile Configuration 2 2 Configuring a QoS Profile 2 2 Applying a QoS Profile 2 3 Displaying and Maintaining QoS Profile Configuration 2 4 Con...

Page 390: ...process Traditional Packet Forwarding Services On traditional IP networks devices treat all packets equally and handle them using the first in first out FIFO policy All packets share the resources of...

Page 391: ...ecedence of packets To meet these requirements networks must provide more improved services Major Traffic Control Technologies Figure 1 1 End to end QoS model As shown in Figure 1 1 traffic classifica...

Page 392: ...ng traffic based on ACLs The S5100 series support the following types of ACLs z Basic ACLs z Advanced ACLs z Layer 2 ACLs not available on Release2201 or any earlier releases of the SS5100 SI z For in...

Page 393: ...ffic here refers to service traffic that is all the packets passing by the switch Traffic classification identifies packets conforming to certain characteristics according to certain criteria It is th...

Page 394: ...ority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a Diff Serv network traffic is grouped into the following four classes and packets are processed a...

Page 395: ...cription 46 101110 ef 10 001010 af11 12 001100 af12 14 001110 af13 18 010010 af21 20 010100 af22 22 010110 af23 26 011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af4...

Page 396: ...1 0 0 0 0 0 0 0 Priority VLAN ID TPID Tag protocol identifier TCI Tag control information Byte 1 Byte 2 0 Byte 3 Byte 4 CFI 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 7 5 4 3 2 1 0 7 5 4 3 2 1 0 6 6 In Figure 1...

Page 397: ...red such as 802 1p precedence DSCP values local precedence and drop precedence The S5100 SI series switches do not support marking drop precedence for packets 1 For an 802 1q untagged packet When a pa...

Page 398: ...can be 802 1p precedence or DSCP precedence Table 1 5 describes how your switch handles a packet received on the port Table 1 5 Actions performed when packet priority is trusted Trusted priority type...

Page 399: ...nce values corresponding to the new DSCP val ue in the DSCP precedence to other precedence mapping table and then deliver the packet with the target 802 1p pr ecedence value after mapping in place of...

Page 400: ...e Target drop precedence value Target 802 1p precedence value 0 to 7 0 1 1 8 to 15 1 1 2 16 to 23 2 1 0 24 to 31 3 1 3 32 to 39 4 0 4 40 to 47 5 0 5 48 to 55 6 0 6 56 to 63 7 0 7 Table 1 9 The default...

Page 401: ...he output queue corresponding to the local precedence value z If DSCP marking is configured the traffic will be marked with the new DSCP value Traffic Policing and Traffic Shaping If user traffic is n...

Page 402: ...and is called conforming traffic otherwise the traffic does not conform to the specification and is called exceeding traffic A token bucket uses the following parameters z Average rate The rate at wh...

Page 403: ...z Dropping the nonconforming packets z Forwarding the conforming packets or nonconforming packets z Marking the conforming packets or nonconforming packets with 802 1p precedence and then forwarding...

Page 404: ...e they will be dropped Compared to traffic policing line rate applies to all the packets passing a port It is a simpler solution if you want to limit the rate of all the packets passing a port Traffic...

Page 405: ...schedules the eight queues strictly in the descending order of priority It sends packets in the queue with the highest priority first When the queue with the highest priority is empty it sends packet...

Page 406: ...ing that the packets in low priority queues may failed to be served for a long time Another advantage of WRR queuing is that though the queues are scheduled in order the service time for each queue is...

Page 407: ...he packets you are interested in Burst The burst function improves packet buffering and forwarding performance in the following scenarios z Dense broadcast or multicast traffic and massive burst traff...

Page 408: ...t available priority trust modes Configuration prerequisites z The priority trust mode to be used has been determined z The port where priority trust mode is to be configured has been determined z The...

Page 409: ...ted Configuration examples Configure trusting port priority on GigabitEthernet 1 0 1 and set the priority of GigabitEthernet 1 0 1 to 7 Sysname system view Sysname interface GigabitEthernet1 0 1 Sysna...

Page 410: ...cos3 map local prec cos4 map local prec cos5 map local prec cos6 map local prec cos7 map local prec Required Configure the CoS precedence to dro p precedence mapping table qos cos drop precedence map...

Page 411: ...ec edence mapping table qos dscp dscp map dscp list dscp value Required Configuration examples Configure the CoS precedence to local precedence mapping table for an S5100 EI series switch as follows 0...

Page 412: ...9 7 Sysname qos dscp local precedence map 40 41 42 43 44 45 46 47 0 Sysname qos dscp local precedence map 48 49 50 51 52 53 54 55 5 Sysname qos dscp local precedence map 56 57 58 59 60 61 62 63 6 Sysn...

Page 413: ...col Packets Refer to Protocol Priority for information about priority of protocol packets Configuration prerequisites z The protocol type has been determined z The priority type IP or DSCP and priorit...

Page 414: ...y protocol priority Protocol icmp IP Precedence flash 3 Configuring Priority Marking Refer to Priority Marking for information about marking packet priorities This feature is available only on the H3C...

Page 415: ...r the incoming packets matching the specific ACL rules in a VLAN To do Use the command Remarks Enter system view system view Mark a priority for the incoming packets matching the specific ACL rules in...

Page 416: ...ork segment 10 1 1 0 24 with DSCP value 56 assuming that GigabitEthernet 1 0 1 carries VLAN 2 and is connected to network segment 10 1 1 0 24 1 Method I configure priority marking for port GigabitEthe...

Page 417: ...he specific ACL rules globally To do Use the command Remarks Enter system view system view Configure traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action...

Page 418: ...erface number Configure traffic policing traffic limit inbound acl rule target rate conform con action exceed exceed action meter statistic Required Disabled by default Clear traffic policing statisti...

Page 419: ...an 2 inbound ip group 2000 128 exceed remark dscp 56 Configuring Traffic Shaping Refer to Traffic Policing and Traffic Shaping for information about traffic shaping This feature is available only on t...

Page 420: ...aximum traffic rate being 640 kbps and the burst size being 16 kbytes Sysname system view Sysname interface GigabitEthernet1 0 1 Sysname GigabitEthernet1 0 1 traffic shape 640 16 Configuring Line Rate...

Page 421: ...used for traffic classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The port that the ACL matching packets are to be redirected to has...

Page 422: ...ing for the incoming packets on a port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Configure traffic redirecting traf...

Page 423: ...ng for VLAN 2 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic redirect vlan 2 inbound ip group 2000...

Page 424: ...stem view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 traffic...

Page 425: ...lgorithm For example you can assign queues 0 through 3 to group 1 and queues 4 through 7 to group 2 The queues in group 2 are scheduled preferentially using WRR The queues in group 1 are scheduled usi...

Page 426: ...ounting This feature is available only on the H3C S5100 EI series switches Configuration prerequisites The ACL rules for traffic classification have been defined Refer to the ACL module of this manual...

Page 427: ...nting for a port group Follow these steps to collect clear statistics about incoming ACL matching packets in a port group To do Use the command Remarks Enter system view system view Enter port group v...

Page 428: ...configure traffic accounting for port GigabitEthernet 1 0 1 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 0 0 0 0 255 Sysname acl basic 2000 quit Sysname...

Page 429: ...c classification have been defined Refer to the ACL module of this manual for information about defining ACL rules z The mirroring ports and mirroring direction have been determined z The monitor port...

Page 430: ...d acl rule monitor interface Required 3 Configuring traffic mirroring for a port group Follow these steps to configure traffic mirroring for a port group To do Use the command Remarks Enter system vie...

Page 431: ...rt GigabitEthernet 1 0 4 assume that GigabitEthernet 1 0 1 is connected to network segment 10 1 1 0 24 and carries VLAN 2 1 Method I configure traffic mirroring for port GigabitEthernet 1 0 1 Sysname...

Page 432: ...in any view Display the DSCP precedence to local precedence mapping display qos dscp local precedence m ap Available in any view Display queue scheduling configuration display queue scheduler Availabl...

Page 433: ...fic policing priority marking traffic redirecting or traffic accounting display qos global all mirrored to traffic limit traffic priority traffic redirect traffic statistic Available in any view Displ...

Page 434: ...from network segment 192 168 1 0 24 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule permit source 192 168 1 0 0 0 0 255 Sysname acl basic 2000 quit Create ACL 2001 and enter b...

Page 435: ...y and assign the three traffic flows to different queues for scheduling Figure 1 11 Network diagram for priority marking and queue scheduling configuration PC 3 PC 2 PC 1 Switch GE1 0 1 Server 1 192 1...

Page 436: ...and Switch B Configure VLAN mappings on the switches to enable the hosts on the two customer networks to communicate through public network VLANs z Switch A provides network access for terminal device...

Page 437: ...chA vlan500 quit SwitchA vlan 600 SwitchA vlan600 quit Configure GigabitEthernet 1 0 11 of Switch A as a trunk port and configure its default VLAN as VLAN 100 Assign GigabitEthernet 1 0 11 to VLAN 100...

Page 438: ...netframe 4000 rule permit source 100 SwitchA quit SwitchA acl number 4001 SwitchA acl ethernetframe 4001 rule permit source 200 SwitchA quit SwitchA acl number 4002 SwitchA acl ethernetframe 4002 rule...

Page 439: ...8 1 0 25 and access the Internet through the switch z The R D department is connected to GigabitEthernet 1 0 2 of the switch The hosts of the R D department are on network segment 192 168 2 0 25 and a...

Page 440: ...ch interface GigabitEthernet 1 0 1 Switch GigabitEthernet1 0 1 mirrored to inbound ip group 2000 monitor interface Switch GigabitEthernet1 0 1 quit Switch interface GigabitEthernet 1 0 3 Switch Gigabi...

Page 441: ...QoS profile to the port to maintain the same QoS configuration performed for the host Currently a QoS profile can contain configurations concerning packet filtering traffic policing and priority marki...

Page 442: ...oS profile contains source address information source MAC address information source IP address information or both Manual application mode You can use the apply command to manually apply a QoS profil...

Page 443: ...on traffic priority inbound acl rule dscp dscp value cos cos value Optional Applying a QoS Profile You can enable a QoS profile to be dynamically applied or apply it manually Configuration prerequisit...

Page 444: ...w these steps to apply a QoS profile manually To do Use the command Remarks Enter system view system view In system view apply qos profile profile name interface interface list Enter Ethernet port vie...

Page 445: ...er Switch Network AAA Server GE1 0 1 Configuration procedure 1 Configuration on the AAA server Configure the user authentication information and the user name to QoS profile mapping Refer to the user...

Page 446: ...to permit IP packets destined for any IP address Sysname acl number 3000 Sysname acl adv 3000 rule 1 permit ip destination any Sysname acl adv 3000 quit Define a QoS profile example to limit the rate...

Page 447: ...1 4 Traffic Mirroring 1 4 Mirroring Configuration 1 4 Configuring Local Port Mirroring 1 4 Configuring Remote Port Mirroring 1 5 Configuring MAC Based Mirroring 1 8 Configuring VLAN Based Mirroring 1...

Page 448: ...ring device for network monitoring and diagnosis The port where packets are duplicated is called the source mirroring port or monitored port and the port to which duplicated packets are sent is called...

Page 449: ...ementation of remote port mirroring Figure 1 2 Remote port mirroring application The switches involved in remote port mirroring function as follows z Source switch The source switch is the device wher...

Page 450: ...eceives remote mirrored packets Destination switch Destination port Receives packets forwarded from the trunk port and transmits the packets to the data detection device z Do not configure a default V...

Page 451: ...l inbound outbound traffic passing through a port is monitored traffic mirroring provides a finer monitoring granularity For detailed configuration about traffic mirroring refer to QoS QoS Profile Ope...

Page 452: ...group group id monitor port monitor port id interface interface type interface number Configure the destination port for the port mirroring group In port view mirroring group group id monitor port Us...

Page 453: ...t type is Access Configure the trunk port to permit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Return to system view quit Create a remote source mirroring...

Page 454: ...te probe VLAN 2 Configuration procedure Table 1 4 Follow these steps to perform configurations on the intermediate switch To do Use the command Remarks Enter system view system view Create a VLAN and...

Page 455: ...Return to system view quit Create a remote destination mirroring group mirroring group group id remote destination Required Configure the destination port for the remote destination mirroring group m...

Page 456: ...g MAC Based Mirroring mirroring group group id mirroring mac mac vlan vlan id Required Configure the destination port for the mirroring group mirroring group group id monitor port monitor port id Requ...

Page 457: ...ired Configure the destination port for the mirroring group mirroring group group id monitor port monitor port id Required Note that you need not configure the destination port on the source switch wh...

Page 458: ...m the R D department and the marketing department through the data detection device Use the local port mirroring function to meet the requirement Perform the following configurations on Switch C z Con...

Page 459: ...2 of Switch B connects to GigabitEthernet 1 0 1 of Switch C z The data detection device is connected to GigabitEthernet 1 0 2 of Switch C The administrator wants to monitor the packets sent from Depa...

Page 460: ...ame mirroring group 1 mirroring port GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 inbound Sysname mirroring group 1 reflector port GigabitEthernet 1 0 4 Sysname mirroring group 1 remote probe vlan 10 C...

Page 461: ...ype trunk Sysname GigabitEthernet1 0 2 port trunk permit vlan 10 3 Configure the destination switch Switch C Create remote destination mirroring group 1 Sysname system view Sysname mirroring group 1 r...

Page 462: ...type remote destination status active monitor port GigabitEthernet1 0 2 remote probe vlan 10 After the configurations you can monitor all packets sent from Department 1 and 2 on the data detection de...

Page 463: ...oduction to ARP Attack Detection 1 4 Introduction to Gratuitous ARP 1 5 Configuring ARP 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring Gratuitous ARP 1 7 Disp...

Page 464: ...device must know the data link layer address MAC address for example of the destination host or the next hop To this end the IP address must be resolved into the corresponding data link layer address...

Page 465: ...ble 1 2 for the information about the field values Protocol type Type of protocol address to be mapped 0x0800 indicates an IP address Length of hardware address Hardware address length in bytes Length...

Page 466: ...me The aging period is set by the ARP aging timer ARP Process Figure 1 2 ARP process Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B The resolution proc...

Page 467: ...ost A and Host C respectively causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B Then the traffic between Host A an...

Page 468: ...itous packet conflict with those of its own it returns an ARP response to the sending device to notify of the IP address conflict By sending gratuitous ARP packets a network device can z Determine whe...

Page 469: ...ac address mac address Enable DHCP snooping dhcp snooping Required Use at least one of the commands By default no IP static binding is created and the DHCP snooping function is disabled Enter Ethernet...

Page 470: ...s the ARP attack detection based on the IP to MAC bindings Configuring Gratuitous ARP Follow these steps to configure gratuitous ARP To do Use the command Remarks Enter system view system view Enable...

Page 471: ...MAC address being 000f e201 0000 and the outbound port being GigabitEthernet 1 0 10 of VLAN 1 Configuration procedure Sysname system view Sysname undo arp check enable Sysname arp timer aging 10 Sysna...

Page 472: ...hcp snooping Specify GigabitEthernet 1 0 1 as the DHCP snooping trusted port and the ARP trusted port SwitchA interface GigabitEthernet1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA Gi...

Page 473: ...Example 1 4 2 Cluster 2 1 Cluster Overview 2 1 Introduction to HGMP 2 1 Roles in a Cluster 2 2 How a Cluster Works 2 3 Cluster Configuration Tasks 2 8 Configuring the Management Device 2 9 Configuring...

Page 474: ...becomes the main switch of the stack You can perform the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Befo...

Page 475: ...tion Command Description Enter system view system view Configure an IP address pool for a stack stacking ip pool from ip address ip address number ip mask Required from ip address Start address of the...

Page 476: ...EI switch stack and cluster must share the same management VLAN if you want to configure stack within a cluster Switching to Slave Switch View After creating a stack you can switch to slave switch vi...

Page 477: ...d status of the main switch slave switches Display the stack status information on a slave switch display stacking Optional The display command can be executed in any view The displayed information in...

Page 478: ..._0 Sysname display stacking members Member number 0 Name stack_0 Sysname Device S5100EI MAC Address 000f e20f c43a Member status Admin IP 129 10 1 15 16 Member number 1 Name stack_1 Sysname Device S51...

Page 479: ...6 Switch back to Switch A stack_1 Sysname quit stack_0 Sysname Switch to Switch C a slave switch stack_0 Sysname stacking 2 stack_2 Sysname Switch back to Switch A stack_2 Sysname quit stack_0 Sysnam...

Page 480: ...e and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remo...

Page 481: ...guration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that i...

Page 482: ...not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect networ...

Page 483: ...within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the...

Page 484: ...ce Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from ou...

Page 485: ...ackets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times...

Page 486: ...necting to the management device the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management V...

Page 487: ...d on the MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a resp...

Page 488: ...against opened socket and enhance switch security the S5100 series Ethernet switches provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000...

Page 489: ...he interval to send NDP packets ndp timer hello seconds Optional By default the interval to send NDP packets is 60 seconds Enabling NTDP globally and on a specific port Table 2 6 Enable NTDP globally...

Page 490: ...ction Operation Command Description Enter system view system view Enable the cluster function globally cluster enable Required By default the cluster function is enabled Configuring cluster parameters...

Page 491: ...h a cluster in automatic mode Table 2 10 Establish a cluster in automatic mode Operation Command Description Enter system view system view Enter cluster view cluster Configure the IP address range for...

Page 492: ...ster This feature is only applicable to S5100 EI series switches 1 Configuration prerequisites z The cluster switches are properly connected z The shared servers are properly connected to the manageme...

Page 493: ...uster the candidate devices change to member devices and their UDP port 40000 is opened at the same time z When you execute the administrator address command on a device the device s UDP port 40000 is...

Page 494: ...ember device Table 2 17 Access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the s...

Page 495: ...logy management function After the cluster topology becomes stable you can use the topology management commands on the cluster administrative device to save the topology of the current cluster as the...

Page 496: ...e Perform the following configuration on the management device Table 2 20 Configure cluster topology management function Operation Command Description Enter system view system view Enter cluster view...

Page 497: ...ion about the devices in the cluster blacklist display cluster black list Optional This command can be executed in any view Configuring the Cluster Synchronization Function After a cluster is establis...

Page 498: ...e groupname authentication mode md5 sha authpassstring privacy mode des56 privpassstring Required Not configured by default Create or update the public MIB view information for the cluster cluster snm...

Page 499: ...ynchronize the command Create a MIB view mib_a which includes all objects of the subtree org test_0 Sysname cluster cluster snmp agent mib view included mib_a org Member 2 succeeded in the mib view co...

Page 500: ...a public local user for the cluster on the management device and the username and password will be synchronized to the member devices of the cluster which is equal to creating this local user on all m...

Page 501: ...ation Table 2 22 Display and maintain cluster configuration Operation Command Description Display all NDP configuration and running information including the interval to send NDP packets the holdtime...

Page 502: ...net 1 0 1 z GigabitEthernet 1 0 1 belongs to VLAN 2 whose interface IP address is 163 172 55 1 z All the devices in the cluster share the same FTP server and TFTP server z The FTP server and TFTP serv...

Page 503: ...net 1 0 1 Sysname GigabitEthernet1 0 1 undo ntdp enable Sysname GigabitEthernet1 0 1 quit Enable NDP globally and on GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 Sysname system view Sysname ndp ena...

Page 504: ...r 17 mac address 000f e20f 0012 Set the holdtime of member device information to 100 seconds aaa_0 Sysname cluster holdtime 100 Set the interval to send handshake packets to 10 seconds aaa_0 Sysname c...

Page 505: ...e operations refer to the preceding description in this chapter z After the above configuration you can receive logs and SNMP trap messages of all cluster members on the NMS Enhanced Cluster Feature C...

Page 506: ...me cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034 a0e5 Backup the current topology aaa_0 Sysname cluster topology accept all sav...

Page 507: ...1 Configuring Basic Trap Functions 1 4 1 3 2 Configuring Extended Trap Function 1 5 1 4 Enabling Logging for Network Management 1 5 1 5 Displaying SNMP 1 6 1 6 SNMP Configuration Example 1 6 1 6 1 SNM...

Page 508: ...network management station NMS and agent z An NMS can be a workstation running client program At present the commonly used network management platforms include QuidView Sun NetManager IBM NetView and...

Page 509: ...arting from the root 1 1 Architecture of the MIB tree 1 1 2 1 2 1 2 5 6 B A MIB describes the hierarchical architecture of the tree and it is the set defined by the standard variables of the monitored...

Page 510: ...name for SNMPv1 and SNMPv2c z You can choose either of them as needed Set the maximum size of an SNMP packet for SNMP agent to receive or send snmp agent packet max size byte count Optional 1 500 byt...

Page 511: ...formation Create or update the view information snmp agent mib view included excluded view name oid tree mask mask value Optional By default the view name is ViewDefault and OID is 1 Note An S5100 SI...

Page 512: ...ize Optional The default is 100 Set the aging time for traps snmp agent trap life seconds Optional 120 seconds by default 1 3 2 Configuring Extended Trap Function The extended trap function refers to...

Page 513: ...e current device display snmp agent local engineid remote engineid Display group information about the device display snmp agent group group name Display SNMP user information display snmp agent usm u...

Page 514: ...Sysname snmp agent usm user v3 managev3user managev3group authentication mode md5 passmd5 privacy mode aes128 cfb128cfb128 Set the VLAN interface 2 as the interface used by NMS Add port GigabitEtherne...

Page 515: ...r each security level you need to set authorization mode authorization password encryption mode encryption password and so on In addition you need to set timeout time and maximum retry times You can q...

Page 516: ...more effectively and actively thus providing a satisfactory means of monitoring remote subnets z With RMON implemented the communication traffic between NMS and SNMP agents can be reduced thus facili...

Page 517: ...efined in event groups With an alarm entry defined in an alarm group a network device performs the following operations accordingly z Sampling the defined alarm variables periodically z Comparing the...

Page 518: ...o Use the command Remarks Enter system view system view Add an event entry rmon event event entry description string log trap trap community log trap log trapcommunity none owner text Optional Add an...

Page 519: ...arm prialarm entry number Display RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry Available in any view 2 4 RMON Configuration Example 1 Network re...

Page 520: ...ween samples reaches the rising threshold of 50 event 1 is triggered when the change ratio drops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6...

Page 521: ...ng the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filter 2 7 Configuring the Maximum Number of Multicast Groups on a Port 2...

Page 522: ...ii...

Page 523: ...Information Transmission in the Unicast Mode In unicast the system establishes a separate data transmission channel for each user requiring this information and sends a separate copy of the informati...

Page 524: ...ion transmitted to users is significantly different in other cases this is an inefficient use of the network and when there is limited bandwidth bottlenecks can develop in information transmission In...

Page 525: ...ot add to the network burden remarkably The advantages of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no...

Page 526: ...RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast group z S G Indicates a shortest path tree S...

Page 527: ...all valid they are filtered SSM model In the practical life users may be interested in the multicast data from only certain multicast sources The SSM model provides a transmission service that allows...

Page 528: ...ty IANA categorizes IP addresses into five classes A B C D and E Unicast packets use IP addresses of Class A B and C based on network scales Class D IP addresses are used as destination addresses of m...

Page 529: ...re reserved for network protocols on local networks The following table lists commonly used reserved IP multicast addresses Table 1 3 Reserved IP multicast addresses Class D address range Description...

Page 530: ...k a multicast MAC address is used as the destination address because the destination is a group with an uncertain number of members As stipulated by IANA the high order 24 bits of a multicast MAC addr...

Page 531: ...st routing protocols 0 describes where these multicast protocols are in a network Figure 1 5 Positions of Layer 3 multicast protocols AS 1 AS 2 Source Receiver Receiver Receiver PIM PIM MSDP IGMP IGMP...

Page 532: ...Layer 2 multicast protocols 1 IGMP Snooping Running on Layer 2 devices Internet Group Management Protocol Snooping IGMP Snooping are multicast constraining mechanisms that manage and control multicas...

Page 533: ...s subject to an RPF check z If the result of the RPF check shows that the RPF interface is the incoming interface of the existing S G entry this means that the S G entry is correct but the packet arri...

Page 534: ...multicast packet from Source arrives to VLAN interface 1 of Switch C and the corresponding forwarding entry does not exist in the multicast forwarding table of Switch C Switch C performs an RPF check...

Page 535: ...on these mappings As shown in Figure 2 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast...

Page 536: ...ernet 1 0 2 of Switch B are member ports The switch records all member ports on the local device in the IGMP Snooping forwarding table Port aging timers in IGMP Snooping and related messages and actio...

Page 537: ...rding table the switch resets the member port aging timer of the port z If the port is not in the forwarding table the switch installs an entry for this port in the forwarding table and starts the mem...

Page 538: ...this means that no members of that multicast group still exist under the port the switch deletes the forwarding entry corresponding to the port from the forwarding table when the aging timer expires...

Page 539: ...MP queries are likely to fail to pass the VLAN You can solve this problem by configuring VLAN tags for queries For details see 0 Configuring a VLAN Tag for Query Messages Configuring the Version of IG...

Page 540: ...mer of the multicast member port igmp snooping host aging time seconds Optional By default the aging time of multicast member ports is 260 seconds Configuring Fast Leave Processing With fast leave pro...

Page 541: ...a Multicast Group Filter On an IGMP Snooping enabled switch the configuration of a multicast group allows the service provider to define restrictions on multicast programs available to different user...

Page 542: ...med in system view takes effect on all ports of the switch if no VLAN is specified if one or more VLANs are specified the configuration takes effect on all ports in the specified VLAN s z The configur...

Page 543: ...not support IGMP and therefore cannot send general queries by default By enabling IGMP Snooping on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast...

Page 544: ...Required By default unknown multicast flooding suppression If the function of dropping unknown multicast packets is enabled you cannot enable unknown multicast flooding suppression Configuring Static...

Page 545: ...st static router port vlan vlan id Required By default no static router port is configured In VLAN view Table 2 16 Configure a static router port in VLAN view Operation Command Remarks Enter system vi...

Page 546: ...imulated multicast group member igmp host join group address source ip source address vlan vlan id Optional Simulated joining is disabled by default z Before configuring a simulated host enable IGMP S...

Page 547: ...ifferent VLANs to share the same multicast VLAN This saves bandwidth because multicast streams are transmitted only within the multicast VLAN In addition because the multicast VLAN is isolated from us...

Page 548: ...to system view quit Enter Ethernet port view for the Layer 3 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk hybrid Required port hybri...

Page 549: ...the reset command in user view to clear the statistics information about IGMP Snooping Table 2 21 Display and maintain IGMP Snooping Operation Command Remarks Display the current IGMP Snooping config...

Page 550: ...1 RouterA system view RouterA multicast routing enable RouterA interface GigabitEthernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 quit RouterA interface GigabitEthe...

Page 551: ...Ethernet1 0 4 This means that Host A and Host B have joined the multicast group 224 1 1 1 Configuring Multicast VLAN Network requirements As shown in Figure 2 4 Workstation is a multicast source Switc...

Page 552: ...you need to configure the ports that connect Switch A and Switch B to each other as hybrid ports The following text describes the configuration details You can also configure these ports as trunk por...

Page 553: ...lan10 quit Define GigabitEthernet 1 0 10 as a hybrid port add the port to VLAN 2 VLAN 3 and VLAN 10 and configure the port to forward tagged packets for VLAN 2 VLAN 3 and VLAN 10 SwitchB interface Gig...

Page 554: ...disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN at the same time If it is only disabled on the corres...

Page 555: ...ort belongs You can configure a static multicast MAC address entry to avoid this Table 3 1 Configure a multicast MAC address entry in system view Operation Command Remarks Enter system view system vie...

Page 556: ...ed on the local switch the packet will be flooded in the VLAN which the multicast packet belongs to When the function of dropping unknown multicast packets is enabled the switch will drop any multicas...

Page 557: ...11 Configuration Procedure 1 11 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 12 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 14 Configuring an Interface on...

Page 558: ...hronize or be synchronized by other systems by exchanging NTP messages Applications of NTP As setting the system time manually in a network with many devices leads to a lot of workload and cannot ensu...

Page 559: ...e set as a reference clock It can serve as a reference clock source to synchronize the clock of other devices only after it is synchronized Implementation Principle of NTP Figure 1 1 shows the impleme...

Page 560: ...essage arrives at Device B Device B inserts its own timestamp 11 00 01 am T2 into the packet z When the NTP message leaves Device B Device B inserts its own timestamp 11 00 02 am T3 into the packet z...

Page 561: ...ssive peer Clock synchronization request packet Synchronize Network Active peer Works in passive peer mode automatically In peer mode both sides can be synchronized to each other Response packet In th...

Page 562: ...server while the local switch serves as the client Symmetric peer mode Configure the local S5100 SI EI switch to work in NTP symmetric peer mode In this mode the remote server serves as the symmetric...

Page 563: ...only after the local clock of the H3C S5100 SI EI Ethernet switch has been synchronized z When symmetric peer mode is configured on two Ethernet switches to synchronize the clock of the two switches...

Page 564: ...default the switch is not configured to work in the NTP client mode z The remote server specified by remote ip or server name serves as the NTP server and the local switch serves as the NTP client Th...

Page 565: ...he NTP message will be configured as the IP address of the specified interface z Typically the clock of at least one of the symmetric active and symmetric passive peers should be synchronized first ot...

Page 566: ...ew interface Vlan interface vlan id Configure the switch to work in the NTP broadcast client mode ntp service broadcast client Required Not configured by default Configuring NTP Multicast Mode For swi...

Page 567: ...ss Required Not configured by default Configuring Access Control Right With the following command you can configure the NTP service access control right to the local switch for a peer device There are...

Page 568: ...server synchronization query acl number Optional peer by default The access control right mechanism provides only a minimum degree of security protection for the local switch A more secure method is...

Page 569: ...y on the broadcast multicast server with the corresponding NTP broadcast multicast client Otherwise NTP authentication cannot be enabled normally z Configurations on the server and the client must be...

Page 570: ...cation key is configured Configure the specified key as a trusted key ntp service reliable authentication keyid key id Required By default no trusted authentication key is configured Enter VLAN interf...

Page 571: ...bling an Interface from Receiving NTP Messages Optional Configuring an Interface on the Local Switch to Send NTP Messages Follow these steps to configure an interface on the local switch to send NTP m...

Page 572: ...he maximum number of dynamic sessions that can be established on the local switch ntp service max dynamic sessions number Required By default up to 100 dynamic sessions can be established locally Disa...

Page 573: ...efore synchronization DeviceB display ntp service status Clock status unsynchronized Clock stratum 16 Reference clock ID none Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2...

Page 574: ...ed 4 candidate 5 configured Total associations 1 Configuring NTP Symmetric Peer Mode Network requirements z The local clock of Device A is set as the NTP master clock with the clock stratum level of 2...

Page 575: ...t information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2 one level lower than Device B View the information about the NTP se...

Page 576: ...nt DeviceA interface Vlan interface 2 DeviceA Vlan interface2 ntp service broadcast client After the above configurations Device A and Device D will listen to broadcast messages through their own VLAN...

Page 577: ...tions 1 Configuring NTP Multicast Mode Network requirements z The local clock of Device C is set as the NTP master clock with a clock stratum level of 2 Configure Device C to work in the NTP multicast...

Page 578: ...minal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 18 Clock offset 198 7425 ms Root delay 27 47 ms Root dispersion 208 39 ms Peer dispersion 9 63 ms Reference time 17 03 32 022 U...

Page 579: ...s Device B is ready to synchronize with Device A Because the NTP authentication function is not enabled on Device A the clock of Device B will fail to be synchronized to that of Device A 2 To synchron...

Page 580: ...vice A with a clock stratum level of 3 one stratum level lower than that Device A View the information about NTP sessions of Device B you can see that a connection is established between Device B and...

Page 581: ...blic Key to a File 1 13 Configuring the SSH Client 1 14 SSH Client Configuration Task List 1 14 Configuring an SSH Client that Runs SSH Client Software 1 14 Configuring an SSH Client Assumed by an SSH...

Page 582: ...SSH can also provide data compression to increase transmission speed take the place of Telnet and provide a secure channel for transfers using File Transfer Protocol FTP SSH adopts the client server...

Page 583: ...nature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA is used for data encryp...

Page 584: ...use The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client z If the negotiation is successful the server and the client go on...

Page 585: ...the public key is invalid the authentication fails otherwise the server generates a digital signature to authenticate the client and then sends back a message to inform the success or failure of the...

Page 586: ...functions Configuring the SSH Server Configuring an SSH Client that Runs SSH Client Software An H3C switch Another H3C switch Configuring the SSH Server Configuring an SSH Client Assumed by an SSH2 Ca...

Page 587: ...d when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Data exc...

Page 588: ...server provides a number of management functions to prevent illegal operations such as malicious password guess guaranteeing the security of SSH connections You can specify the IP address or the inter...

Page 589: ...be compatible with SSH1 clients ssh server compatible ssh1x enable Optional By default the SSH server is compatible with SSH1 clients Configuring Key Pairs The SSH server s key pairs are for generati...

Page 590: ...estroy rsa Destroy key pair s Destroy the DSA key pair public key local destroy dsa Optional Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify a...

Page 591: ...fore logging in In this mode you do not need to create a key pair on each client You can configure the clients to use the same key pair that is created on one client for publickey authentication With...

Page 592: ...enjoy this level z Under the password or password publickey authentication mode the level of commands available to a logged in SSH user is determined by the AAA scheme Meanwhile for different users th...

Page 593: ...e the public key of a client manually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begi...

Page 594: ...blic Key of a Client on the Server or Configuring whether first time authentication is supported an SSH client s or an SSH server s host public key can be imported from a public key file This task all...

Page 595: ...lient software For a client assumed by an SSH2 capable switch The authentication mode is password Configuring an SSH Client that Runs SSH Client Software Configuring an SSH Client Assumed by an SSH2 C...

Page 596: ...select SSH z Selecting the SSH version Since the device supports SSH2 0 now select 2 0 or lower for the client z Specifying the private key file On the server if public key authentication is enabled...

Page 597: ...bar in the blue box of shown in Figure 1 4 Otherwise the process bar stops moving and the key pair generating process is stopped Figure 1 4 Generate the client keys 2 After the key pair is generated...

Page 598: ...you whether to save the private key without any precaution Click Yes and enter the name of the file for saving the private key private in this case to save the private key Figure 1 6 Generate the clie...

Page 599: ...1 18 Figure 1 7 Generate the client keys 5 Specifying the IP address of the Server Launch PuTTY exe The following window appears Figure 1 8 SSH client configuration interface 1...

Page 600: ...9 appears Figure 1 9 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version Some SSH client software for example Tectia client software supports the D...

Page 601: ...nd click Open If the connection is normal a user will be prompted for a username Once passing the authentication the user can log in to the server Configuring an SSH Client Assumed by an SSH2 Capable...

Page 602: ...disabled an SSH client that is not configured with the server host public key will be denied of access to the server To access the server a user must configure in advance the server host public key l...

Page 603: ...ource ip ip address Optional By default no source IP address is configured Specify a source interface for the SSH client ssh2 source interface interface type interface number Optional By default no so...

Page 604: ...the IP address of the source interface specified for the SSH server display ssh server source ip Display the mappings between host public keys and SSH servers saved on a client display ssh server info...

Page 605: ...its authentication type ssh user username authentication type rsa ssh user username authentication type publickey z After RSA key pairs are generated the display rsa local key pair public command dis...

Page 606: ...n mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch u...

Page 607: ...as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 12 SSH client configuration interface 1 In the Host Name or IP address text box enter the IP address of the SSH se...

Page 608: ...cation succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 14 an SSH connection is required between the h...

Page 609: ...the navigation tree In the System Configuration page click Modify of the Access Device item and then click Add to enter the Add Access Device page and perform the following configurations z Specify th...

Page 610: ...fy the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed z Add an account for device management 1 Configure the SSH server Create a VLAN interface on...

Page 611: ...key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch is...

Page 612: ...he category on the left pane of the window select Connection SSH The window as shown in Figure 1 16 appears Figure 1 16 SSH client configuration interface 2 Under Protocol options select 2 from Prefer...

Page 613: ...with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 17 Switch acts as server for password and HWTACACS authentication Configuration proc...

Page 614: ...domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authent...

Page 615: ...ill log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS se...

Page 616: ...irs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode...

Page 617: ...Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 21 Generate a client key pair 1 Wh...

Page 618: ...re 1 22 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 23 Generate a client ke...

Page 619: ...is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with...

Page 620: ...26 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 27 SSH client configurati...

Page 621: ...Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interfa...

Page 622: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to s...

Page 623: ...itchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode sc...

Page 624: ...ate dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the serv...

Page 625: ...the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and...

Page 626: ...generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the...

Page 627: ...ch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connec...

Page 628: ...tion to File System 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4...

Page 629: ...e path and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory Fo...

Page 630: ...that the execute command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserv...

Page 631: ...the switch adopts the null configuration when it starts up next time Flash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following con...

Page 632: ...drw Apr 04 2000 23 04 21 test 7239 KB total 3585 KB free with main attribute b with backup attribute b with both main and backup attribute Copy the file flash config cfg to flash test with 1 cfg as th...

Page 633: ...main backup and none as described in Table 1 6 Table 1 6 Descriptions on file attributes Attribute name Description Feature Identifier main Identifies main startup files The main startup file is prefe...

Page 634: ...e Perform the configuration listed in Table 1 7 in user view The display commands can be executed in any view Table 1 7 Configure file attributes To do Use the command Remarks Configure the app file w...

Page 635: ...the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extensi...

Page 636: ...mple A Switch Operating as an FTP Server 1 9 FTP Banner Display Configuration Example 1 11 FTP Configuration A Switch Operating as an FTP Client 1 12 SFTP Configuration 1 14 SFTP Configuration A Switc...

Page 637: ...red through command lines and the most popular application is FTP At present although E mail and Web are the usual methods for file transmission FTP still has its strongholds As an application layer p...

Page 638: ...ng a securer guarantee for data transmission In addition since the switch can be used as a client you can log in to remote devices to transfer files securely FTP Configuration Complete the following t...

Page 639: ...et switch at a given time when the latter operates as an FTP server z Operating as an FTP server an H3C S5100 SI EI series Ethernet switch cannot receive a file whose size exceeds its storage space Th...

Page 640: ...interface and source IP address for an FTP server To do Use the command Remarks Enter system view system view Specify the source interface for an FTP server ftp server source interface interface type...

Page 641: ...t switch will disconnect the user after the data transmission is completed Configuring the banner for an FTP server Displaying a banner With a banner configured on the FTP server when you access the F...

Page 642: ...Use the command Remarks Display the information about FTP server configurations on a switch display ftp server Display the source IP address set for an FTP server display ftp server source ip Display...

Page 643: ...ectory cdup Get the local working path on the FTP client lcd Display the working directory on the FTP server pwd Create a directory on the remote FTP server mkdir pathname Remove a directory on the re...

Page 644: ...nterface and source IP address for a switch acting as an FTP client so that it can connect to a remote FTP server Follow these steps to specify the source interface and source IP address for an FTP cl...

Page 645: ...equirements A switch operates as an FTP server and a remote PC as an FTP client The application switch bin of the switch is stored on the PC Upload the application to the remote switch through FTP and...

Page 646: ...s the Ethernet switch through FTP Input the username switch and password hello to log in and enter FTP view C ftp 1 1 1 1 Connected to 1 1 1 1 220 FTP service ready User 1 1 1 1 none switch 331 Passwo...

Page 647: ...tart the switch Thus the switch application is upgraded Sysname boot boot loader switch bin Sysname reboot For information about the boot boot loader command and how to specify the startup file for a...

Page 648: ...1 1 220 login banner appears 220 FTP service ready User 1 1 1 1 none switch 331 Password required for switch Password 230 shell banner appears 230 User logged in ftp FTP Configuration A Switch Operati...

Page 649: ...you need to delete files not in use from the Flash memory to make room for the file and then upload the file again The files in use cannot be deleted If you have to delete the files in use to make roo...

Page 650: ...emarks Enabling an SFTP server Required Configuring connection idle time Optional SFTP Configuration A Switch Operating as an SFTP Server Supported SFTP client software Basic configurations on an SFTP...

Page 651: ...client software see the corresponding configuration manual z Currently an H3C S5100 SI EI series Ethernet switch operating as an SFTP server supports the connection of only one SFTP user When multiple...

Page 652: ...ile remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files i...

Page 653: ...emarks Enter system view system view Specify an interface as the source interface of the specified SFTP client sftp source interface interface type interface number Specify an IP address as the source...

Page 654: ...ication timeout time retry number and update time of the server key adopt the default values Sysname ssh user client001 authentication type password Specify the service type as SFTP Sysname ssh user c...

Page 655: ...1 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub Received status End of file Received status Su...

Page 656: ...lly ended Upload file pu to the server and rename it as puk and then verify the result sftp client put pu puk This operation may take a long time please wait Local file pu Remote file puk Received sta...

Page 657: ...kets from the TFTP server An H3C S5100 SI EI series Ethernet switch can act as a TFTP client only When you download a file that is larger than the free space of the switch s flash memory z If the TFTP...

Page 658: ...d by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default Specifying the source interface or source IP address for an FTP client You can speci...

Page 659: ...e source IP address is different from the fixed one the former will be used for the connection this time z You may specify only one source interface or source IP address for the TFTP client at one tim...

Page 660: ...e on the switch to be 1 1 1 1 and ensure that the port through which the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan in...

Page 661: ...stem Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 10 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information to the...

Page 662: ...gnosing network problems The information center of the system has the following features Classification of system information The system is available with three types of information z Log information...

Page 663: ...output directions Information channel number Default channel name Default output direction 0 console Console Receives log trap and debugging information 1 monitor Monitor terminal Receives log trap a...

Page 664: ...module HA High availability module HABP Huawei authentication bypass protocol module HTTPD HTTP server module HWCM Huawei Configuration Management private MIB module IFNET Interface management module...

Page 665: ...ns z If the output destination is console monitor terminal logbuffer trapbuffer or SNMP the system information is in the following format timestamp sysname module level digest unitid content Note z Th...

Page 666: ...to allow users to check and identify system events Note that there is a space between the timestamp and sysname host name fields The time stamp has the following two formats 1 Without the universal ti...

Page 667: ...en the sysname and module fields This field is a preamble used to identify a vendor It is displayed only when the output destination is log host nn This field is a version identifier of syslog It is d...

Page 668: ...on to the Trap Buffer Optional Setting to Output System Information to the Log Buffer Optional Setting to Output System Information to the SNMP NMS Optional Configuring Synchronous Information Output...

Page 669: ...s to configure to display time stamp with the UTC time zone To do Use the command Remarks Set the time zone for the system clock timezone zone name add minus time Required By default UTC time zone is...

Page 670: ...when configuring the system information output rules and use the debugging command to enable debugging for the corresponding modules Table 1 4 Default output rules for different output directions LOG...

Page 671: ...nd Setting to Output System Information to a Monitor Terminal System information can also be output to a monitor terminal which is a user terminal that has login connections through the AUX VTY or TTY...

Page 672: ...tput system information to a monitor terminal you need to enable the associated display function in order to display the output information on the monitor terminal Follow these steps to enable the dis...

Page 673: ...r channel name log trap debug level severity state state Optional Refer to Table 1 4 for the default output rules of system information Set the format of the time stamp to be sent to the log host info...

Page 674: ...e size buffersize Optional By default the switch uses information channel 4 to output log information to the log buffer which can holds up to 512 items by default Configure the output rules of system...

Page 675: ...ommand Remarks Display information on an information channel display channel channel number channel name Display the operation status of information center the configuration of information channels th...

Page 676: ...e host whose IP address is 202 38 1 10 as the log host Permit ARP and IP modules to output information with severity level higher than informational to the log host Switch info center loghost 202 38 1...

Page 677: ...the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After all the above operations...

Page 678: ...nf z A note must start in a new line starting with a sign z In each pair a tab should be used as a separator instead of a space z No space is permitted at the end of the file name z The device name fa...

Page 679: ...ing information to the console channels Switch undo info center source default channel console Enable log information output to the console Permit ARP and IP modules to output log information with sev...

Page 680: ...C time Switch clock timezone z8 add 08 00 00 Set the time stamp format of the log information to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch...

Page 681: ...g Disabling System Debugging 2 2 Displaying Debugging Status 2 3 Displaying Operating Information about Modules in System 2 3 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tra...

Page 682: ...or information you are interested in z Introduction to Loading Approaches z Local Boot ROM and Software Loading z Remote Boot ROM and Software Loading Introduction to Loading Approaches You can load s...

Page 683: ...tion date Apr 16 2007 11 29 53 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 000fe2123456 Press Ctrl B to enter Boot Menu Press Ctrl B The system displays Password To enter...

Page 684: ...negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data packets When receiving a complete packet the receiving program checks the...

Page 685: ...9600 bps as the download baudrate you need not modify the HyperTerminal s baudrate and therefore you can skip Step 4 and 5 below and proceed to Step 6 directly In this case the system will not display...

Page 686: ...HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press En...

Page 687: ...dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information L...

Page 688: ...for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading You can also use the xmodem get command to load host software through the Consol...

Page 689: ...rTerminal program on the configuration PC Start the switch Then enter the BOOT Menu At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM up...

Page 690: ...xcept that the system gives the prompt for host software loading instead of Boot ROM loading When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC dire...

Page 691: ...the following FTP related parameters as required Load File name switch btm Switch IP address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The syste...

Page 692: ...M and host software remotely Remote Loading Using FTP Loading Procedure Using FTP Client 1 Loading the Boot ROM As shown in Figure 1 8 a PC is used as both the configuration device and the FTP server...

Page 693: ...the boot boot loader command to select the host software used for next startup of the switch After the above operations the Boot ROM and host software loading is completed Pay attention to the follow...

Page 694: ...with Ctrl Z Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 192 168 0 28 255 255 255 0 Step 3 Enable FTP service on the switch and configure the FTP user name to test and passwo...

Page 695: ...ep 6 Enter ftp 192 168 0 28 and enter the user name test password pass as shown in 0 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file swit...

Page 696: ...hat the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed abo...

Page 697: ...name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional Execute this command in user view z When the system r...

Page 698: ...ol the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging inform...

Page 699: ...stem debugging Displaying Debugging Status To do Use the command Remarks Display all enabled debugging on the specified device display debugging unit unit id interface interface type interface number...

Page 700: ...cket percentage and the minimum average and maximum values of response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This c...

Page 701: ...3 2...

Page 702: ...iguration Device Management Configuration Task list Complete the following tasks to configure device management Task Remarks Rebooting the Ethernet Switch Optional Scheduling a Reboot on the Switch Op...

Page 703: ...eriod schedule reboot regularity at hh mm period Optional The switch timer can be set to precision of one minute that is the switch will reboot within one minute after the specified reboot date and ti...

Page 704: ...to upgrade the Boot ROM To do Use the command Remarks Upgrade the Boot ROM boot bootrom file url device name Required Identifying and Diagnosing Pluggable Transceivers Introduction to pluggable transc...

Page 705: ...the field is H3C it is considered an H3C customized pluggable transceiver z Electrical label information is also called permanent configuration data or archive information which is written to the stor...

Page 706: ...ce number module name Available in any view Remote Switch APP Upgrade Configuration Example Network requirements Telnet to the switch from a PC remotely and download applications from the FTP server t...

Page 707: ...ation part of this manual for configuration commands and steps about telnet user 3 Execute the telnet command on the PC to log into the switch The following prompt appears Sysname If the Flash memory...

Page 708: ...cify the downloaded program as the host software to be adopted when the switch starts next time Sysname boot boot loader switch bin The specified file will be booted next time on unit 1 Sysname displa...

Page 709: ...iguration 1 4 VLAN VPN Configuration Example 1 4 Transmitting User Packets through a Tunnel in the Public Network by Using VLAN VPN 1 4 2 Selective QinQ Configuration 2 1 Selective QinQ Overview 2 1 S...

Page 710: ...oviders backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public networks and the inner VL...

Page 711: ...he Tag packet of an Ethernet frame defined by IEEE 802 1Q Figure 1 3 The structure of the Tag packet of an Ethernet frame 0 31 15 TPID Priority VLAN ID CFI By default S5100 SI EI series switches adopt...

Page 712: ...tem view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN feature is disabled on a port TPID...

Page 713: ...PN uplink port z A VLAN VPN uplink port does not remove the outer VLAN tags of packets to be sent through it so a VLAN VPN uplink port must be configured as a trunk port or hybrid port and configured...

Page 714: ...ration Configuration procedure z Configure Switch A Enable the VLAN VPN feature on GigabitEthernet 1 0 11 of Switch A and tag the packets received on this port with the tag of VLAN 1040 as the outer V...

Page 715: ...d to configure the two ports to remove the outer VLAN tags before transmitting packets of VLAN 1040 Refer to Port Basic Configuration in this manual for detailed configuration z Configure the devices...

Page 716: ...the packet is forwarded which restores the packet to a packet tagged with only the private VLAN tag and enables it to be forwarded to its destination networks 5 It is the same case when a packet trave...

Page 717: ...fferent outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes the service provider network structure more flexible You can classify the terminal users on the p...

Page 718: ...etwork resources are well utilized and users of the same type are also isolated by their inner VLAN tags This helps to improve network security Inner to Outer Tag Priority Mapping As shown in Figure 1...

Page 719: ...n vpn priority old priority remark new priority Required By default the inner to outer tag priority mapping feature is not enabled Selective QinQ Configuration Example Processing Private Network Packe...

Page 720: ...GE1 0 5 For PC User VLAN100 108 For IP Phone VLAN200 230 SwitchA SwitchB GE1 0 11 GE1 0 12 GE1 0 13 Configuration procedure z Configure Switch A Create VLAN 1000 VLAN 1200 and VLAN 5 the default VLAN...

Page 721: ...AN 1000 as the outer VLAN tag when they are forwarded to the public network by Switch A and packets of VLAN 200 through VLAN 230 that is packets of IP phone users are tagged with the tag of VLAN 1200...

Page 722: ...to the clients in the same way you need to configure the selective QinQ feature on GigabitEthernet 1 0 12 and GigabitEthernet 1 0 13 The configuration on Switch B is similar to that on Switch A and is...

Page 723: ...onfiguration 1 4 HWPing Server Configuration 1 4 HWPing Client Configuration 1 4 Displaying HWPing Configuration 1 15 HWPing Configuration Examples 1 15 ICMP Test 1 15 DHCP Test 1 17 FTP Test 1 18 HTT...

Page 724: ...client and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by a HWPing client and you can view the test results on the HWPing client...

Page 725: ...test you must specify a destination IP address and the destination address must be the IP address of a TCP UDP UDP listening service configured on the HWPing server Destination port destination port F...

Page 726: ...er in the test packets dns This parameter is used to specify a DNS domain name in a HWPing DNS test group dns server This parameter is used to set the DNS server IP address in a HWPing DNS test group...

Page 727: ...WPing server configurations To do Use the command Remarks Enter system view system view Enable the HWPing server function hwping server enable Required Disabled by default Configure a UDP listening se...

Page 728: ...probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure the maximum number of histor...

Page 729: ...50 Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Start the test test enable Required Display test results display hwping results admin name opera...

Page 730: ...l By default the type of FTP operation is get that is the FTP operation will get a file from the FTP server Configure an FTP login username username name Configure an FTP login password password passw...

Page 731: ...y default each test makes one probe Configure the maximum number of history records that can be saved history records number Optional By default the maximum number is 50 Configure the automatic test i...

Page 732: ...nation port is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Optional By defa...

Page 733: ...tem view system view Enable the HWPing client function hwping agent enable Required By default the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator...

Page 734: ...fault the HWPing client function is disabled Create a HWPing test group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the destina...

Page 735: ...ault the maximum number is 50 Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results admin...

Page 736: ...Configure the number of probes per test count times Optional By default one probe is made per test Configure the maximum number of history records that can be saved history records number Optional By...

Page 737: ...utomatic test interval is zero seconds indicating no automatic test will be made Configure the probe timeout time timeout time Optional By default a probe times out in three seconds Configure the type...

Page 738: ...fails Configure the number of consecutive unsuccessful HWPing probes before Trap output probe failtimes times Optional By default Trap messages are sent each time a probe fails Displaying HWPing Conf...

Page 739: ...nistrator icmp history records 5 Display test results Sysname hwping administrator icmp display hwping results administrator icmp HWPing entry admin administrator tag icmp test result Destination ip a...

Page 740: ...ing agent enable Create a HWPing test group setting the administrator name to administrator and test tag to DHCP Sysname Hwping administrator dhcp Configure the test type as dhcp Sysname hwping admini...

Page 741: ...6 1020 1 0 2000 04 03 09 50 52 8 7 1018 1 0 2000 04 03 09 50 48 8 8 1020 1 0 2000 04 03 09 50 36 8 9 1020 1 0 2000 04 03 09 50 30 8 10 1028 1 0 2000 04 03 09 50 22 8 For detailed output description s...

Page 742: ...address of the FTP server as 10 2 2 2 Sysname hwping administrator ftp destination ip 10 2 2 2 Configure the FTP login username Sysname hwping administrator ftp username admin Configure the FTP login...

Page 743: ...rd Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04 03 03 59 52 9 5 15772 1 0 2000 04 03 03 59...

Page 744: ...2 Sysname hwping administrator http destination ip 10 2 2 2 Configure to make 10 probes per test Sysname hwping administrator http count 10 Set the probe timeout time to 30 seconds Sysname hwping adm...

Page 745: ...000 04 02 15 15 52 5 2 9 1 0 2000 04 02 15 15 52 5 3 3 1 0 2000 04 02 15 15 52 5 4 3 1 0 2000 04 02 15 15 52 5 5 3 1 0 2000 04 02 15 15 52 5 6 2 1 0 2000 04 02 15 15 52 4 7 3 1 0 2000 04 02 15 15 52 4...

Page 746: ...igure the IP address of the HWPing server as 10 2 2 2 Sysname hwping administrator Jitter destination ip 10 2 2 2 Configure the destination port on the HWPing server Sysname hwping administrator Jitte...

Page 747: ...ve DS Square Sum 161 SD lost packets number 0 DS lost packet number 0 Unknown result lost packet number 0 Sysname hwping administrator Jitter display hwping history administrator Jitter HWPing entry a...

Page 748: ...rence in this example This configuration may differ if the system uses any other version of SNMP For details see SNMP RMON Operation Manual z Configure HWPing Client Switch A Enable the HWPing client...

Page 749: ...g history administrator snmp HWPing entry admin administrator tag snmp history record Index Response Status LastRC Time 1 10 1 0 2000 04 03 08 57 20 0 2 10 1 0 2000 04 03 08 57 20 0 3 10 1 0 2000 04 0...

Page 750: ...onfigure to make 10 probes per test Sysname hwping administrator tcpprivate count 10 Set the probe timeout time to 5 seconds Sysname hwping administrator tcpprivate timeout 5 Start the test Sysname hw...

Page 751: ...n the two switches to test the RTT of UDP packets between this end HWPing client and the specified destination end HWPing server Network diagram Figure 1 9 Network diagram for the Udpprivate test Conf...

Page 752: ...Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop operation number 0 Other operation errors 0 Sysname hw...

Page 753: ...2 2 Sysname hwping administrator dns dns server 10 2 2 2 Configure to resolve the domain name www test com Sysname hwping administrator dns dns resolve target www test com Configure to make 10 probes...

Page 754: ...d Times 0 Sysname hwping administrator dns display hwping history administrator dns HWPing entry admin administrator tag dns history record Index Response Status LastRC Time 1 10 1 0 2006 11 28 11 50...

Page 755: ...nfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Examples 1 4 Stat...

Page 756: ...ase would increase efficiency Some frequently used addresses can be put in the static DNS database Currently S5100 SI EI series Ethernet switches support both static and dynamic DNS clients Static Dom...

Page 757: ...by users It is used when the name to be resolved is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc...

Page 758: ...address is configured for the DNS server by default Configure DNS suffixes dns domain domain name Optional No DNS suffix is configured by default Note You may configure up to six DNS servers and ten...

Page 759: ...name ping host com PING host com 10 1 1 2 56 data bytes press CTRL_C to break Reply from 10 1 1 2 bytes 56 Sequence 1 ttl 127 time 3 ms Reply from 10 1 1 2 bytes 56 Sequence 2 ttl 127 time 3 ms Reply...

Page 760: ...ution Sysname system view Sysname dns resolve Configure the IP address 2 1 1 2 for the DNS server Sysname dns server 2 1 1 2 Configure com as the DNS suffix Sysname dns domain com Execute the ping hos...

Page 761: ...at the specified domain name is in the cache z If there is no defined domain name check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the s...

Page 762: ...aining Smart Link 1 6 Smart Link Configuration Example 1 6 Implementing Link Redundancy Backup 1 6 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 Overview 2 1 How Monitor Link Works...

Page 763: ...edundancy backup and fast convergence to meet the user demand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation Basic Concep...

Page 764: ...nk group sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries Control VLAN for sending flush messages This control VLAN sends flush messages When link...

Page 765: ...their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying flush messages from the smart link group and refreshing MAC forwarding entries and A...

Page 766: ...s of the smart link group To do Use the command Remarks Enter system view system view Create a smart link group and enter smart link group view smart link group group id Required Enable the function o...

Page 767: ...witch E Follow these steps to enable the specified port to process flush messages received from the specified control VLAN To do Use the command Remarks Enter system view system view System view smart...

Page 768: ...n the aggregation group automatically that is the other member ports in the aggregation group cannot process flush messages The function of processing flush messages must be manually configured for ea...

Page 769: ...0 1 quit SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 stp disable Return to system view SwitchA GigabitEthernet1 0 2 quit Create smart link group 1 and enter the corresponding...

Page 770: ...w Enable the function of processing flush messages received from VLAN 1 on GigabitEthernet 1 0 2 SwitchD smart link flush enable control vlan 1 port GigabitEthernet 1 0 2 4 Enable the function of proc...

Page 771: ...nd one or multiple downlink ports When the link for the uplink port of a monitor link group fails all the downlink ports in the monitor link group are forced down When the link for the uplink port rec...

Page 772: ...ally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of GigabitEthernet 1 0 1 z If Switch C is configured with monitor link group and monitor link group detec...

Page 773: ...e Uplink Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Follow these steps to create a monitor link group To do Use the command Remarks Enter system view system view...

Page 774: ...uit interface interface type interface number Configure a downlink port for the monitor link group Configure the specified Ethernet port as a downlink port of the monitor link group Ethernet port view...

Page 775: ...server and Internet due to uplink link or port failure Network diagram Figure 2 3 Network diagram for Monitor Link configuration BLOCK Switch A Switch B GE1 0 1 GE1 0 2 Switch C Switch D Switch E GE1...

Page 776: ...hC system view Create monitor link group 1 and enter monitor link group view SwitchC monitor link group 1 Configure GigabitEthernet 1 0 1 as the uplink port of the monitor link group and GigabitEthern...

Page 777: ...6 ICMP Error Packets Sent within a Specified Time 1 13 Configuring the Hop Limit of ICMPv6 Reply Packets 1 14 Configuring IPv6 DNS 1 14 Displaying and Maintaining IPv6 1 15 IPv6 Configuration Example...

Page 778: ...was designed by the Internet Engineering Task Force IETF as the successor to Internet Protocol Version 4 IPv4 The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address si...

Page 779: ...ateful address configuration means that a host acquires an IPv6 address and related information from the server for example DHCP server z Stateless address configuration means that the host automatica...

Page 780: ...esses zeros in IPv6 addresses can be handled as follows z Leading zeros in each group can be removed For example the above mentioned address can be represented in shorter format as 2001 0 130F 0 0 9C0...

Page 781: ...dress 11111111 FF00 8 Anycast address Anycast addresses are taken from unicast address space and are not syntactically distinguishable from unicast addresses Unicast address There are several forms of...

Page 782: ...etection Each IPv6 unicast or anycast address has one corresponding solicited node address The format of a solicited node multicast address is as follows FF02 0 0 0 0 1 FFXX XXXX Where FF02 0 0 0 0 1...

Page 783: ...citation RS message After started a host sends a router solicitation message to request the router for an address prefix and other configuration information for the purpose of autoconfiguration Used t...

Page 784: ...s of node A and returns an NA message containing the link layer address of node B in the unicast mode 3 Node A acquires the link layer address of node B from the NA message After that node A and node...

Page 785: ...tion The function and implementation of these two types of domain name resolution are the same as those of an IPv4 DNS For details refer to DNS Operation in this manual Usually the DNS server connecti...

Page 786: ...blic IPv6 network you need to assign an IPv6 global unicast address to it IPv6 site local addresses and global unicast addresses can be configured in either of the following ways z EUI 64 format When...

Page 787: ...an IPv6 site local address or global unicast address is configured for an interface a link local address will be generated automatically The automatically generated link local address is the same as...

Page 788: ...h NS and NA messages and add it to the neighbor table Too large a neighbor table may lead to the forwarding performance degradation of the device Therefore you can restrict the size of the neighbor ta...

Page 789: ...er Specify the NS interval ipv6 nd ns retrans timer value Optional 1 000 milliseconds by default Configuring the neighbor reachable timeout time on an interface After a neighbor passed the reachabilit...

Page 790: ...default Set the synwait timer of IPv6 TCP packets tcp ipv6 timer syn timeout wait time Optional 75 seconds by default Configure the size of IPv6 TCP receiving sending buffer tcp ipv6 window size Optio...

Page 791: ...ctly use a host name when applying telnet applications and the system will resolve the host name into an IPv6 address Each host name can correspond to only one IPv6 address A newly configured IPv6 add...

Page 792: ...is manual Displaying and Maintaining IPv6 To do Use the command Remarks Display DNS domain name suffix information display dns domain dynamic Display IPv6 dynamic domain name cache information display...

Page 793: ...splay the statistics of IPv6 UDP packets display udp ipv6 statistics Clear IPv6 dynamic domain name cache information reset dns ipv6 dynamic host Clear IPv6 neighbor information reset ipv6 neighbors a...

Page 794: ...2 ipv6 address auto link local Configure an EUI 64 address for the interface VLAN interface 2 SwitchA Vlan interface2 ipv6 address 2001 64 eui 64 Configure a global unicast address for the interface V...

Page 795: ...F02 1 FF00 2 FF02 1 FF00 1 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless a...

Page 796: ...ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 3 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Sequence 4 hop limit 255 time 60 ms Reply from 2001 20F E2FF FE00 1 bytes 56 Se...

Page 797: ...1 20 0 00 packet loss round trip min avg max 50 60 70 ms...

Page 798: ...ipv6 command is commonly used for testing the reachability of a host This command sends an ICMPv6 message to the destination host and records the time for the response message to be received For detai...

Page 799: ...s the destination host As there is no application using the UDP port the destination returns a port unreachable ICMP error message z The source receives the port unreachable ICMP error message and und...

Page 800: ...lient application of IPv6 to set up an IPv6 Telnet connection with Device A which serves as the Telnet server If Device A again connects to Device B through Telnet the Device A is the Telnet client an...

Page 801: ...a LAN there is a Telnet server and a TFTP server for providing Telnet service and TFTP service to the switch respectively It is required that you telnet to the telnet server from SWA and download file...

Page 802: ...3 1 SWA ipv6 route static 3001 64 3003 1 SWA quit Trace the IPv6 route from SWA to SWC SWA tracert ipv6 3002 1 traceroute to 3002 1 30 hops max 60 bytes packet 1 3003 1 30 ms 0 ms 0 ms 2 3002 1 10 ms...

Page 803: ...t can be pinged through check whether the UDP port that was included in the tracert ipv6 command is used by an application on the host If yes you need to use the tracert ipv6 command with an unreachab...

Page 804: ...ng the PoE Mode on a Port 1 5 Configuring the PD Compatibility Detection Function 1 5 Configuring PoE Over Temperature Protection on the Switch 1 6 Upgrading the PSE Processing Software Online 1 6 Dis...

Page 805: ...ists of three components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information col...

Page 806: ...he display command z The switch provides two modes auto and manual to manage the power feeding to ports in the case of PSE power overload z The switch provides over temperature protection mechanism Wh...

Page 807: ...Setting the Maximum Output Power on a Port Optional Setting PoE Management Mode and PoE Priority of a Port Optional Setting the PoE Mode on a Port Optional Configuring the PD Compatibility Detection...

Page 808: ...oE priority settings S5100 SI EI series switches support two PoE management modes auto and manual The auto mode is adopted by default z auto When the switch is close to its full load in supplying powe...

Page 809: ...upport the spare mode After the PoE feature is enabled on the port perform the following configuration to set the PoE mode on a port Table 1 7 Set the PoE mode on a port Operation Command Description...

Page 810: ...escription Enter system view system view Upgrade the PSE processing software online poe update refresh full filename Required The specified PSE processing software is a file with the extension s19 z I...

Page 811: ...5100 SI EI series Ethernet switch supporting PoE Switch B can be PoE powered z The GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 ports of Switch A are connected to Switch B and an AP respectively th...

Page 812: ...2 poe enable SwitchA GigabitEthernet1 0 2 poe max power 2500 SwitchA GigabitEthernet1 0 2 quit Enable the PoE feature on GigabitEthernet 1 0 8 and set the PoE priority of GigabitEthernet 1 0 8 to crit...

Page 813: ...figuration Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Enter system view system view Create a PoE profile and enter PoE profile view poe profile profilename R...

Page 814: ...uration command can be used to query which PoE profile is applied to a port However the command cannot be used to query which PoE features in a PoE profiles are applied successfully Displaying PoE Pro...

Page 815: ...1 PoE profile application Configuration procedure Create Profile1 and enter PoE profile view SwitchA system view SwitchA poe profile Profile1 In Profile1 add the PoE policy configuration applicable to...

Page 816: ...le Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 SwitchA display poe profile name Profile2 Poe profile Profile2 2 action poe en...

Page 817: ...1 UDP Helper Configuration 1 1 Introduction to UDP Helper 1 1 Configuring UDP Helper 1 2 Displaying and Maintaining UDP Helper 1 3 UDP Helper Configuration Example 1 3 Cross Network Computer Search Th...

Page 818: ...ay specified UDP packets In other words UDP Helper functions as a relay agent that converts UDP broadcast packets into unicast packets and forwards them to a specified destination server With UDP Help...

Page 819: ...rface vlan id Specify the destination server to which the UDP packets are to be forwarded udp helper server ip address Required No destination server is specified by default z You need to enable UDP H...

Page 820: ...h Switch A and are routable to each other It is required to configure UDP Helper on the switch so that PC A can find PC B through computer search Broadcasts with UDP port 137 are used for searching Ne...

Page 821: ...agement Configuration 1 1 Access Management Overview 1 1 Configuring Access Management 1 2 Access Management Configuration Examples 1 2 Access Management Configuration Example 1 2 Combining Access Man...

Page 822: ...he access management function aims to manage user access rights on access switches It enables you to manage the external network access rights of the hosts connected to ports of an access switch To im...

Page 823: ...t be in the same network segment as the interface IP address of the VLAN which the port belongs to z If an access management address pool configured contains IP addresses that belong to the static ARP...

Page 824: ...200 24 Sysname Vlan interface1 quit Configure the access management IP address pool on GigabitEthernet 1 0 1 Sysname interface GigabitEthernet 1 0 1 Sysname GigabitEthernet1 0 1 am ip pool 202 10 20 1...

Page 825: ...on on Switch A For information about port isolation and the corresponding configuration refer to the Port Isolation Operation Enable access management Sysname system view Sysname am enable Set the IP...

Page 826: ...bitEthernet 1 0 2 Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 am ip pool 202 10 20 25 26 202 10 20 55 11 Add GigabitEthernet 1 0 2 to the port isolation group Sysname GigabitE...

Page 827: ...i Table of Contents 1 Acronyms 1 1...

Page 828: ...Service D DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Reg...

Page 829: ...ndent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PoE Power over Ethernet Q QoS Quality of Service R RIP Routing Information Protocol R...

Page 830: ...1 3 V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking...

Reviews:

No comments