H3C S3100 Series Operation Manual Download Page 969

Page: 969 / 1057

[SwitchA-Vlan-interface1] arp max-learning-num 500

[SwitchA-Vlan-interface1] quit

ARP/IP Attack Defense Configuration Example III

Network Requirements

Host A is assigned with an IP address statically and installed with an 802.1x client.

A CAMS authentication, authorization and accounting server serves as the authentication server.

Enable ARP attack detection and IP filtering based on bindings of authenticated 802.1x clients on

the switch to prevent ARP attacks.

Network Diagram

Figure 1-4

Network diagram for 802.1x based ARP/IP attack defense

Configuration Procedures

# Enter system view.

<Switch> system-view

# Enable 802.1x authentication globally.

[Switch] dot1x

# Enable ARP attack detection for VLAN 1.

[Switch] vlan 1

[Switch-vlan1] arp detection enable

[Switch-vlan1] quit

# Configure Ethernet 1/0/2 and Ethernet 1/0/3 as ARP trusted ports.

[Switch] interface Ethernet1/0/2

[Switch-Ethernet1/0/2] arp detection trust

[Switch-Ethernet1/0/2] quit

[Switch] interface Ethernet1/0/3

[Switch-Ethernet1/0/3] arp detection trust

[Switch-Ethernet1/0/3] quit

# Enable using IP-MAC bindings of authenticated 802.1x clients for ARP attack detection.

[Switch] ip source static import dot1x

# Enable 802.1x on Ethernet 1/0/1.

Summary of Contents for S3100 Series

Page 1: ...H3C S3100 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 20100908 C 1 00 Product Version Release 22XX Series...

Page 2: ...re Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the...

Page 3: ...Network administrators working with the S3100 series Organization H3C S3100 Series Ethernet Switches Operation Manual Release 22XX Series is organized as follows Part Features 01 CLI Operation z Intro...

Page 4: ...ggregation control protocol LACP z Manual aggregation z Static aggregation 11 Port Isolation Operation Port isolation group 12 Port Security Port Binding Operation z Configuring port security z Config...

Page 5: ...onfiguring an Auth Fail VLAN for web authentication z Configuring a web authentication free user z Configuring HTTPS access for web authentication z Customizing web authentication pages z Configuring...

Page 6: ...eduled task configuration 36 VLAN VPN Operation z VLAN VPN QinQ z Configuring TPID value applicable only to the S3100 EI series z Configuring BPDU tunnels applicable only to the S3100 EI series z Sele...

Page 7: ...eration Applicable only to the S3100 EI series z Configuring basic CFD settings z Configuring CC on MEPs z Configuring LB on MEPs z Configuring LT on MEPs Software Version H3C S3100 Series Ethernet Sw...

Page 8: ...D configuration applicable only to the S3100 EI series 48 CFD Operation MAC based VLAN configuration applicable only to the S3100 EI series 04 VLAN Operation Configuring QoS priority settings for voic...

Page 9: ...tory keep time history record enable hwping agent clear hwping agent max requests sendpacket passroute statistics statistics keep time test time begin and ttl 38 HWPing Operation ND snooping function...

Page 10: ...ntax choices separated by vertical bars from which you may select multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A...

Page 11: ...ation procedures Command references Provide a quick reference to all available commands Software configuration H3C Low End Ethernet Switches Configuration Example H3C Low End Ethernet Switches Configu...

Page 12: ...10 You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Page 13: ...he CLI 1 1 Command Hierarchy 1 1 Command Level and User Privilege Level 1 1 Modifying the Command Level 1 2 Switching User Level 1 3 CLI Views 1 7 CLI Features 1 12 Online Help 1 12 Terminal Display 1...

Page 14: ...execute a command by entering partially spelled command keywords as long as the keywords entered can be uniquely identified by the system Command Hierarchy Command Level and User Privilege Level To re...

Page 15: ...Console port is a level 3 user and can use commands of level 0 through level 3 while Telnet users are level 0 users and can only use commands of level 0 You can use the user privilege level command t...

Page 16: ...0 view shell tftp 192 168 0 1 get bootrom btm After the above configuration general Telnet users can use the tftp get command to download file bootrom btm and other files from TFTP server 192 168 0 1...

Page 17: ...ication mode and HWTACACS authentication mode are available at the same time to provide authentication redundancy The configuration of authentication mode for user level switching is performed by Leve...

Page 18: ...ure super password authentication for user level switching which can only be performed by level 3 users administrators Follow these steps to set a password for use level switching Operation Command Re...

Page 19: ...vel super level Required Execute this command in user view z If no user level is specified in the super password command or the super command level 3 is used by default z For security purpose the pass...

Page 20: ...configuration procedures Enable HWTACACS authentication for VTY 0 user level switching Sysname system view Sysname user interface vty 0 Sysname ui vty0 super authentication mode scheme Sysname ui vty0...

Page 21: ...mand in system view Aux1 0 0 port the console port view The S3100 series do not support configuration on port Aux1 0 0 Sysname Aux1 0 0 Execute the interface aux 1 0 0 command in system view VLAN view...

Page 22: ...Sysname rsa ke y code Public key editing view Edit the RSA or DSA public key for SSH users Sysname peer k ey code Execute the public key code begin command in public key view Execute the public key c...

Page 23: ...ing view Configure HWPing parameters Sysname hwpin g a123 a123 Execute the hwping command in system view HWTACA CS view Configure HWTACACS parameters Sysname hwtac acs a123 Execute the hwtacacs scheme...

Page 24: ...licy policy1 Execute the ssl client policy command in system view DHCP address pool view Configure DHCP address pool parameters Supported by only S3100 EI series switches Sysname dhcp p ool test Execu...

Page 25: ...debugging functions delete Delete a file dir List files on a file system display Display current system information Other information is omitted 2 Enter a command a space and a question mark If the qu...

Page 26: ...e screen is full When display output pauses you can perform the following operations as needed see Table 1 3 Table 1 2 Display related operations Operation Function Press Ctrl C Stop the display outpu...

Page 27: ...rror messages Error message Description The command does not exist The keyword does not exist The parameter type is wrong Unrecognized command The parameter value is out of range Incomplete command Th...

Page 28: ...online help That is when you input an incomplete keyword and press Tab if the input parameter uniquely identifies a complete keyword the system substitutes the complete keyword for the input parameter...

Page 29: ...ord 2 8 Configuration Procedure 2 8 Configuration Example 2 9 Console Port Login Configuration with Authentication Mode Being Scheme 2 10 Configuration Procedure 2 10 Configuration Example 2 12 3 Logg...

Page 30: ...g NMS 6 1 7 User Control 7 1 Introduction 7 1 Controlling Telnet Users 7 1 Prerequisites 7 1 Controlling Telnet Users by Source IP Addresses 7 1 Controlling Telnet Users by Source and Destination IP A...

Page 31: ...rough this port S3100 series Ethernet switches support two types of user interfaces AUX and VTY z AUX user interface A view when you log in through the AUX port AUX port is a line device port z Virtua...

Page 32: ...xecute this command in user view Free a user interface free user interface type number Optional Execute this command in user view Enter system view system view Set the banner header incoming legal log...

Page 33: ...9 600 bps Flow control None Check mode Parity None Stop bits 1 Data bits 8 To log into a switch through the Console port make sure the settings of both the Console port and the user terminal are the s...

Page 34: ...onsole port of the switch are configured as those listed in Table 2 1 On the Windows 2003 Server operating system you need to add the HyperTerminal program first and then log in to and manage the devi...

Page 35: ...uch as H3C appears after you press the Enter key as shown in Figure 2 5 Figure 2 5 HyperTerminal CLI 4 You can then configure the switch or check the information about the switch by executing the corr...

Page 36: ...le in all user interfaces Set the maximum number of lines the screen can contain Optional By default the screen can contain up to 24 lines Set history command buffer size Optional By default the histo...

Page 37: ...e Configure user name and password Configure user names and passwords for local RADIUS users Required z The user name and password of a local user are configured on the switch z The user name and pass...

Page 38: ...UX user interface and commands of level 0 are available to users logging into the VTY user interface Enable terminal services shell Optional By default terminal services are available in all user inte...

Page 39: ...Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interface view Sysname user in...

Page 40: ...Console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional...

Page 41: ...igurations for users logging in through the Console port AUX user interface z Authenticate the users using passwords z Set the local password to 123456 in plain text z The commands of level 2 are avai...

Page 42: ...ode being scheme Operation Command Description Enter system view system view Enter the default ISP domain view domain domain name Specify the AAA scheme to be applied to the domain scheme local none r...

Page 43: ...ser interface Make terminal services available to the user interface shell Optional By default terminal services are available in all user interfaces Set the maximum number of lines the screen can con...

Page 44: ...20 commands z The timeout time of the AUX user interface is 6 minutes Network diagram Figure 2 8 Network diagram for AUX user interface configuration with the authentication mode being scheme Configur...

Page 45: ...y command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Sysname ui aux0 idle timeout 6 After the above configuration yo...

Page 46: ...itch Item Requirement The IP address is configured for the VLAN of the switch and the route between the switch and the Telnet terminal is reachable Refer to the IP Address Configuration IP Performance...

Page 47: ...t time of a user interface Optional The default timeout time is 10 minutes Telnet Configurations for Different Authentication Modes Table 3 3 lists Telnet configurations for different authentication m...

Page 48: ...3 and TCP 22 port will be enabled Telnet Configuration with Authentication Mode Being None Configuration Procedure Table 3 4 Telnet configuration with the authentication mode being none Operation Comm...

Page 49: ...erface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure not to authe...

Page 50: ...system view system view Enter one or more VTY user interface views user interface vty first number last number Configure to authenticate users logging into VTY user interfaces using the local passwor...

Page 51: ...tes You can use the idle timeout 0 command to disable the timeout function When the authentication mode is password the command level available to users logging into the user interface is determined b...

Page 52: ...tion Command Description Enter system view system view Enter the default ISP domain view domain domain name Configure the AAA scheme to be applied to the domain scheme local none radius scheme radius...

Page 53: ...e shell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can...

Page 54: ...ivilege level level command is not executed and the service type command specifies the available command level Level 0 The user privilege level level command is executed and the service type command d...

Page 55: ...up to 20 commands z The timeout time of VTY 0 is 6 minutes Network diagram Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme Configuration procedure Enter s...

Page 56: ...establishing connection to a Console port z Launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 95 Windows 98 Windows NT Windows 2000 Windows XP on the PC...

Page 57: ...your PC with the IP address of VLAN interface 1 of the switch as the parameter as shown in Figure 3 7 Figure 3 7 Launch Telnet 5 If the password authentication mode is specified enter the password whe...

Page 58: ...3 8 Network diagram for Telnetting to another switch from the current switch 2 Perform Telnet related configuration on the switch operating as the Telnet server Refer to section Telnet Configuration...

Page 59: ...em is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configu...

Page 60: ...n the authentication mode is none Refer to section Console Port Login Configuration with Authentication Mode Being None Configuration on switch when the authentication mode is password Refer to sectio...

Page 61: ...omote end 82882285 Modem Modem 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 through Figure 4 4...

Page 62: ...such as Sysname appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the related parts in this manual for information about the configurat...

Page 63: ...ss Configuration IP Performance Configuration and Routing Protocol parts for related information Switch The user name and password for logging into the Web based network management system are configur...

Page 64: ...gin Banner Configuration Procedure If a login banner is configured with the header command when a user logs in through Web the banner page is displayed before the user login authentication page The co...

Page 65: ...tween the user terminal the PC and the switch After the above mentioned configuration if you enter the IP address of the switch in the address bar of the browser running on the user terminal and press...

Page 66: ...http shutdown Required To improve security and prevent attack to the unused Sockets TCP 80 port which is for HTTP service is enabled disabled after the corresponding configuration z Enabling the Web s...

Page 67: ...witch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The IP address of the VLAN interface of the switch is configured The route between the NMS and the switch is reac...

Page 68: ...lling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACL Section Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACL Se...

Page 69: ...d ACLs which are numbered from 3000 to 3999 Table 7 3 Control Telnet users by source and destination IP addresses Operation Command Description Enter system view system view Create an advanced ACL or...

Page 70: ...y specified source MAC addresses acl acl number inbound Required By default no ACL is applied for Telnet users Configuration Example Network requirements Only the Telnet users sourced from the IP addr...

Page 71: ...umber command the config keyword is specified by default Define rules for the ACL rule rule id deny permit rule string Required Quit to system view quit Apply the ACL while configuring the SNMP commun...

Page 72: ...a acl 2000 Controlling Web Users by Source IP Address You can manage an S3100 Ethernet switch remotely through Web Web users can access a switch through HTTP connections You need to perform the follow...

Page 73: ...b user by force Operation Command Description Disconnect a Web user by force free web users all user id user id user name user name Required Execute this command in user view Configuration Example Net...

Page 74: ...7 7 Sysname ip http acl 2030...

Page 75: ...t 1 1 Introduction to Configuration File 1 1 Management of Configuration File 1 2 Saving the Current Configuration 1 2 Erasing the Startup Configuration File 1 3 Specifying a Configuration File for Ne...

Page 76: ...rface configuration section physical port configuration section routing protocol configuration section user interface configuration and so on z End with a return The operating interface provided by th...

Page 77: ...these tasks to configure configuration file management Task Remarks Saving the Current Configuration Optional Erasing the Startup Configuration File Optional Specifying a Configuration File for Next...

Page 78: ...execution of this command If the filename you entered is different from that existing in the system this command will erase its backup attribute to allow only one backup attribute configuration file i...

Page 79: ...n specify a configuration file to be used for the next startup and configure the main backup attribute for the configuration file Assign main attribute to the startup configuration file z If you save...

Page 80: ...y saved configuration unit unit id by linenum Display the configuration file used for this and next startup display startup unit unit id Display the current VLAN configuration of the device display cu...

Page 81: ...ion of Protocol Based VLAN 1 9 2 VLAN Configuration 2 1 VLAN Configuration 2 1 VLAN Configuration Task List 2 1 Basic VLAN Configuration 2 1 Basic VLAN Interface Configuration 2 2 Displaying VLAN Conf...

Page 82: ...ii Associating a Port with a Protocol Based VLAN 2 10 Displaying Protocol Based VLAN Configuration 2 10 Protocol Based VLAN Configuration Example 2 11...

Page 83: ...quantity of broadcast packets or unknown unicast packets may exist in a network wasting network resources z A host in the network receives a lot of packets whose destination is not the host itself cau...

Page 84: ...ion between VLANs routers or Layer 3 switches are required z Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical location...

Page 85: ...orted by Ethernet The VLAN tag fields are also added to frames encapsulated in these formats for VLAN identification Refer to section Encapsulation Format of Ethernet Data for 802 2 802 3 encapsulatio...

Page 86: ...used to do Layer 3 forwarding The S3100 series Ethernet switches support VLAN interfaces configuration to forward packets in Layer 3 VLAN interface is a virtual interface in Layer 3 mode used to real...

Page 87: ...n carry multiple VLANs to receive and send traffic for them Except traffic of the default VLAN traffic passes through a trunk port will be VLAN tagged Usually ports connecting network devices are conf...

Page 88: ...its default VLAN tag the packet with the default VLAN tag and then forward the packet z If the port has not been added to its default VLAN discard the packet z If the VLAN ID is one of the VLAN IDs a...

Page 89: ...esponding VLAN or drops the frame if it is not In this case port based VLAN applied Approaches to creating MAC address to VLAN mappings In addition to creating MAC address to VLAN mappings at the CLI...

Page 90: ...d maintenance Encapsulation Format of Ethernet Data This section introduces the common encapsulation formats of Ethernet data for you to understand the procedure for the switch to identify the packet...

Page 91: ...g the packet with the protocol template The protocol template is the standard to determine the protocol to which a packet belongs Protocol templates include standard templates and user defined templat...

Page 92: ...tion Optional Basic VLAN Configuration Follow these steps to perform basic VLAN configuration To do Use the command Remarks Enter system view system view Create multiple VLANs in batch vlan vlan id1 t...

Page 93: ...an id Required By default there is no VLAN interface on a switch Specify the description string for the current VLAN interface description text Optional By default the description string of a VLAN int...

Page 94: ...n the VLAN z The operation of enabling disabling a VLAN s VLAN interface does not influence the physical status of the Ethernet ports belonging to this VLAN z For the S3100 SI series switch create the...

Page 95: ...rt to a specified VLAN port access vlan vlan id Optional By default all Access ports belong to VLAN 1 To add an Access port to a VLAN make sure the VLAN already exists Configuring a Hybrid Port Based...

Page 96: ...rnet port view interface interface type interface number Configure the port link type as Trunk port link type trunk Required Allow the specified VLANs to pass through the current Trunk port port trunk...

Page 97: ...reate VLAN 101 specify its descriptive string as DMZ and add Ethernet1 0 1 to VLAN 101 SwitchA system view SwitchA vlan 101 SwitchA vlan101 description DMZ SwitchA vlan101 port Ethernet 1 0 1 SwitchA...

Page 98: ...ubleshooting Ethernet Port Configuration Symptom Fail to configure the default VLAN ID of an Ethernet port Solution Take the following steps z Use the display interface or display port command to chec...

Page 99: ...rt Configure the link type of the port s as hybrid port link type hybrid Required Configure the current hybrid port s to permit packets of specific MAC based VLANs to pass through port hybrid vlan vla...

Page 100: ...procedure Follow these steps to configure the protocol template for a VLAN To do Use the command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the protocol template for...

Page 101: ...essing packets of the same protocol type in different ways the switch will prompt that you cannot set the etype id argument for Ethernet II packets to 0x0800 0x8137 or 0x809B Associating a Port with a...

Page 102: ...200 using AppleTalk network through Ethernet 1 0 12 z Configure the switch to automatically assign the IP and AppleTalk packets to proper VLANs for transmission so as to ensure the normal communicatio...

Page 103: ...link type hybrid Switch Ethernet1 0 10 port hybrid vlan 100 200 untagged Associate Ethernet 1 0 10 with protocol template 0 and 1 of VLAN 100 and protocol template 0 of VLAN 200 Switch Ethernet1 0 10...

Page 104: ...n 1 1 Introduction to Static Route 1 1 Static Route 1 1 Default Route 1 1 Static Route Configuration 1 2 Configuration Prerequisites 1 2 Configuring a Static Route 1 2 Displaying and Maintaining Stati...

Page 105: ...his destination will be forwarded to the next hop It is the most common type of static routes z Unreachable route route with the reject attribute If a static route to a destination has the reject attr...

Page 106: ...mask to 0 0 0 0 z Avoid configuring the next hop address of a static route to the address of an interface on the local switch z Different preferences can be configured to implement flexible route man...

Page 107: ...cs protocol all protocol Use the reset command in user view Delete all static routes delete static routes all Use the delete command in system view Troubleshooting a Static Route Symptom Both the phys...

Page 108: ...rface 1 4 Displaying IP Addressing Configuration 1 4 IP Address Configuration Examples 1 5 IP Address Configuration Example I 1 5 2 IP Performance Configuration 2 1 IP Performance Overview 2 1 Introdu...

Page 109: ...ddresses are divided into five classes as shown in the following figure in which the blue parts represent the address class Figure 1 1 IP address classes Table 1 1 describes the address ranges of thes...

Page 110: ...responding bits in an IP address In a subnet mask the part containing consecutive ones identifies the combination of net ID and subnet ID whereas the part containing consecutive zeros identifies the h...

Page 111: ...IP address obtained from BOOTP will overwrite the old one manually assigned z This chapter only covers how to assign an IP address manually For the other two approaches to IP address assignment refer...

Page 112: ...with the management vlan vlan id command Otherwise the configuration fails Refer to the Cluster Operation Manual for detailed introduction to the cluster z Refer to the VLAN module for detailed intro...

Page 113: ...amples IP Address Configuration Example I Network requirement Assign IP address 129 2 2 1 with mask 255 255 255 0 to VLAN interface 1 of the switch Network diagram Figure 1 3 Network diagram for IP ad...

Page 114: ...able are the same Configuring IP Performance Introduction to IP Performance Configuration Tasks Table 2 1 Introduction to IP performance configuration tasks Configuration task Description Configuring...

Page 115: ...nd management it still has the following disadvantages z Sending a lot of ICMP packets will increase network traffic z If receiving a lot of malicious packets that cause it to send ICMP error packets...

Page 116: ...orwarding information base FIB entries display fib Display the FIB entries matching the destination IP address display fib ip address1 mask1 mask length1 ip address2 mask2 mask length2 longer longer D...

Page 117: ...AN 1 6 Voice VLAN Configuration 1 7 Configuration Prerequisites 1 7 Configuring QoS Priority Settings for Voice Traffic on an Interface 1 7 Configuring the Voice VLAN to Operate in Automatic Voice VLA...

Page 118: ...convert analog voice signals into digital signals to enable them to be transmitted in IP based networks Used in conjunction with other voice devices IP phones can offer large capacity and low cost voi...

Page 119: ...responds as follows z If DHCP Server 1 does not support Option 184 it returns the IP address assigned to the IP phone but ignores the other four special requests in the Option 184 field Without infor...

Page 120: ...t switches determine whether a received packet is a voice packet by checking its source MAC address against an organizationally unique identifier OUI list If a match is found the packet is considered...

Page 121: ...LAN assignment automatic mode ports can not be added to or removed from a voice VLAN manually z Manual voice VLAN assignment mode In this mode you need to add a port to a voice VLAN or remove a port f...

Page 122: ...supported Trunk Supported Make sure the default VLAN of the port exists and is not a voice VLAN and the access port permits the traffic of the default VLAN and the voice VLAN Tagged voice traffic Hyb...

Page 123: ...wards all voice VLAN tagged traffic without matching the source MAC address of each received packet against its OUI list For a port in the manual mode with the default VLAN as the voice VLAN any untag...

Page 124: ...ferentiated Services Code Point DSCP values for voice traffic Voice traffic carries its own QoS priority settings You can configure the device either to modify or not to modify the QoS priority settin...

Page 125: ...net port view interface interface type interface number Required Enable the voice VLAN function on a port voice vlan enable Required By default voice VLAN is disabled Enable the voice VLAN legacy func...

Page 126: ...oui mask description text Optional Without this address the default OUI address is used Enable the voice VLAN security mode voice vlan security enable Optional By default the voice VLAN security mode...

Page 127: ...ice vlan error info command to locate such ports z When a voice VLAN operates in security mode the device in it permits only the packets whose source addresses are the identified voice OUI addresses P...

Page 128: ...or exit the voice VLAN automatically and voice traffic to be transmitted within the voice VLAN z Create VLAN 2 and configure it as the voice VLAN with the aging timer being 100 minutes z The IP phone...

Page 129: ...6 DeviceA Ethernet1 0 1 port hybrid vlan 6 tagged Enable the voice VLAN function on Ethernet 1 0 1 DeviceA Ethernet1 0 1 voice vlan enable Voice VLAN Configuration Example Manual Voice VLAN Assignment...

Page 130: ...ult VLAN of Ethernet 1 0 1 and add the voice VLAN to the list of untagged VLANs whose traffic is permitted by the port DeviceA Ethernet1 0 1 port hybrid pvid vlan 2 DeviceA Ethernet1 0 1 port hybrid v...

Page 131: ...GVRP 1 4 Protocol Specifications 1 4 GVRP Configuration 1 4 GVRP Configuration Tasks 1 4 Enabling GVRP 1 4 Configuring GVRP Timers 1 5 Configuring GVRP Port Registration Mode 1 6 Displaying and Maint...

Page 132: ...through the messages exchanged between them The messages performing important functions for GARP fall into three types Join Leave and LeaveAll z When a GARP entity wants its attribute information to b...

Page 133: ...ute information on this entity After that the entity restarts the LeaveAll timer to begin a new cycle z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z Unlike other...

Page 134: ...s Attribute Each general attribute consists of three parts Attribute Length Attribute Event and Attribute Value Each LeaveAll attribute consists of two parts Attribute Length and LeaveAll Event Attrib...

Page 135: ...hree port registration modes Normal Fixed and Forbidden as described in the following z Normal A port in this mode can dynamically register deregister VLANs and propagate dynamic static VLAN informati...

Page 136: ...view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By default the LeaveAll timer is set to 1 000 centiseconds Enter Ethernet port view interface interface type inte...

Page 137: ...All timer You can change the threshold by changing the timeout time of the LeaveAll timer LeaveAll This lower threshold is greater than the timeout time of the Leave timer You can change threshold by...

Page 138: ...RP registration modes of specific Ethernet ports you can enable the corresponding VLANs in the switched network to communicate with each other Network diagram Figure 1 2 Network diagram for GVRP confi...

Page 139: ...ate VLAN 5 SwitchC vlan 5 SwitchC vlan5 quit 4 Configure Switch D Enable GVRP on Switch D which is similar to that of Switch A and is thus omitted Create VLAN 8 SwitchD vlan 8 SwitchD vlan8 quit 5 Con...

Page 140: ...8 Display the VLAN information dynamically registered on Switch E SwitchE Ethernet1 0 1 display vlan dynamic No dynamic vlans exist 8 Configure Ethernet1 0 1 on Switch E to operate in forbidden GVRP...

Page 141: ...Ports 1 4 Configure loopback detection for Ethernet port s 1 4 Enabling Loopback Test 1 6 Configuring a Port Group 1 7 Enabling the System to Test Connected Cable 1 8 Configuring the Interval to Perfo...

Page 142: ...sabled Configuring Combo port state Follow these steps to configure the state of a Combo port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface t...

Page 143: ...Series switches support this feature jumboframe enable Optional By default the maximum frame size allowed on an Ethernet port is 2048 bytes Configuring Port Auto Negotiation Speed You can configure a...

Page 144: ...sion ratio pps max pps Optional By default the switch does not suppress broadcast traffic Enter Ethernet port view interface interface type interface number Limit broadcast traffic received on the cur...

Page 145: ...ic ports copy configuration source interface type interface number aggregation group source agg id destination interface list aggregation group destination agg id aggregation group destination agg id...

Page 146: ...own function is enabled on the port the system will shut down the port and send log and trap messages to the terminal After the loop is removed you need to use the undo shutdown command to bring up th...

Page 147: ...f the device boots with null configuration this function is disabled Configure the system to run loopback detection on all VLANs of the current trunk or hybrid port loopback detection per vlan enable...

Page 148: ...ng prompts will be given when you perform loopback test on them Configuring a Port Group To make the configuration task easier for users certain devices allow users to configure on a single port as we...

Page 149: ...n you can set the interval to perform statistical analysis on the traffic of a port When you use the display interface interface type interface number command to display the information of a port the...

Page 150: ...log information output is enabled Configuration example By default a port is allowed to output the Up Down log information Execute the shutdown command or the undo shutdown command on Ethernet 1 0 1...

Page 151: ...rain control block shutdown Optional By default no action is taken when a type of traffic reaches the upper threshold Enable log trap information to be output when a type of traffic received on the po...

Page 152: ...rks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the port state change delay link delay delay time Required Defaults to 0 which indicates t...

Page 153: ...t id interface Display the storm control configurations display storm constrain interface interface type interface number begin exclude include regular expression Display the information about the por...

Page 154: ...LAN 6 through VLAN 50 and VLAN 100 to pass Ethernet1 0 1 Sysname Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Configure the default VLAN ID of Ethernet1 0 1 to 100 Sysname Ethernet1 0 1 port tru...

Page 155: ...Aggregation Group 1 3 Dynamic LACP Aggregation Group 1 4 Aggregation Group Categories 1 5 Link Aggregation Configuration 1 6 Configuring a Manual Aggregation Group 1 6 Configuring a Static LACP Aggreg...

Page 156: ...asic fields in LACPDUs which cover information including system LACP priority system MAC address port LACP priority port number and operational key With LACP enabled on a port LACP sends the above inf...

Page 157: ...include z STP configuration including STP status enabled or disabled link attribute point to point or not STP priority STP path cost STP packet format loop guard status root guard status edge port or...

Page 158: ...for manual aggregation Generally there is no limit on the rate and duplex mode of the ports also including initially down port you want to add to a manual aggregation group Static LACP Aggregation Gr...

Page 159: ...egation group A port in a dynamic aggregation group can be in one of the two states selected and unselected z Both the selected and the unselected ports can receive transmit LACP protocol packets z Th...

Page 160: ...regation resources to the aggregation groups with higher priorities When load sharing aggregation resources are used up by existing aggregation groups newly created aggregation groups will be non load...

Page 161: ...n group z The port with Voice VLAN enabled cannot be added to an aggregation group z Do not add ports with IP filtering enabled to an aggregation group z Do not add ports with ARP intrusion detection...

Page 162: ...to form one or multiple dynamic aggregation groups For a static aggregation group a port can only be manually added removed to from the static aggregation group When you add an LACP enabled port to a...

Page 163: ...Command Remarks Enter system view system view Configure the system priority lacp system priority system priority Optional By default the system priority is 32 768 Enter Ethernet port view interface i...

Page 164: ...and Remarks Display summary information of all aggregation groups display link aggregation summary Display detailed information of a specific aggregation group or all aggregation groups display link a...

Page 165: ...ysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 port link aggregation group 1 Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 port link...

Page 166: ...le Sysname Ethernet1 0 1 quit Sysname interface Ethernet1 0 2 Sysname Ethernet1 0 2 lacp enable Sysname Ethernet1 0 2 quit Sysname interface Ethernet1 0 3 Sysname Ethernet1 0 3 lacp enable The three L...

Page 167: ...i Table of Contents 1 Port Isolation Configuration 1 1 Port Isolation Overview 1 1 Port Isolation Configuration 1 1 Displaying Port Isolation Configuration 1 2 Port Isolation Configuration Example 1 2...

Page 168: ...net switch The number of Ethernet ports in an isolation group is not limited An isolation group only isolates the member ports in it Port Isolation Configuration You can perform the following operatio...

Page 169: ...group causes all the ports in the aggregation group being added to the isolation group Displaying Port Isolation Configuration After the above configuration you can execute the display command in any...

Page 170: ...me interface ethernet1 0 2 Sysname Ethernet1 0 2 port isolate Sysname Ethernet1 0 2 quit Sysname interface ethernet1 0 3 Sysname Ethernet1 0 3 port isolate Sysname Ethernet1 0 3 quit Sysname interface...

Page 171: ...N for a Port in macAddressOrUserLoginSecure mode 1 8 Ignoring the Authorization Information from the RADIUS Server 1 9 Configuring Security MAC Addresses 1 10 Displaying and Maintaining Port Security...

Page 172: ...kes pre defined actions automatically This reduces your maintenance workload and greatly enhances system security and manageability Port Security Features The following port security features are prov...

Page 173: ...r configured with the port security max mac count command After the port security mode is changed to the secure mode only those packets whose source MAC addresses are security MAC addresses learned ca...

Page 174: ...s the existing dynamic authenticated MAC address entries on the port macAddressWithRa dius In this mode MAC address based authentication is performed for access users macAddressOrUser LoginSecure In t...

Page 175: ...rLoginSecure or macAddressElseUserLoginSecureExt security mode the MAC address of a user failing MAC authentication is set as a quiet MAC address If the user initiates 802 1x authentication during the...

Page 176: ...ut 802 1x configuration refer to the sections covering 802 1x and System Guard z For details about MAC authentication configuration refer to the sections covering MAC authentication configuration Sett...

Page 177: ...ac authentication mac else userlogin secure mac else userlogin secure e xt secure userlogin userlogin secure userlogin secure ext userlogin secure or mac userlogin secure or mac ext userlogin withoui...

Page 178: ...all frames are allowed to be sent Configuring intrusion protection Follow these steps to configure the intrusion protection feature To do Use the command Remarks Enter system view system view Enter E...

Page 179: ...ervices only one user at a time 1 When the first user of the port initiates 802 1x or MAC address authentication z If the user fails the authentication the port is added to the guest VLAN and all the...

Page 180: ...authentication does not have any client software and therefore no such messages will be displayed z To change the security mode from macAddressOrUserLoginSecure mode of a port that is assigned to a g...

Page 181: ...the maximum number the port will learn new MAC addresses and turn them to security MAC addresses z If the amount of security MAC addresses reaches the maximum number the port will not be able to lear...

Page 182: ...rity MAC address entries port security timer autolearn age Required Aging of MAC address entries is disabled by default Enter Ethernet port view interface interface type interface number Set the maxim...

Page 183: ...stops learning MAC addresses If any frame with an unknown MAC address arrives intrusion protection is triggered and the port will be disabled and stay silent for 30 seconds Network diagram Figure 1 1...

Page 184: ...the Internet This port is assigned to VLAN 1 Normally the port Ethernet 1 0 2 is also assigned to VLAN z VLAN 10 is intended to be a guest VLAN It contains an update server for users to download and...

Page 185: ...ain for MAC address authentication Switch mac authentication domain system Enable port security Switch port security enable Specify the switch to trigger MAC address authentication at an interval of 6...

Page 186: ...provides the following binding policies z Port IP binding binds a port to an IP address On the bound port the switch forwards only the packets sourced from the bound IP address z Port MAC binding bind...

Page 187: ...at a time z A MAC address can be bound to only one port at a time z For the same port port IP MAC binding is mutually exclusive with port IP binding Displaying and Maintaining Port Binding Configurati...

Page 188: ...B Eth1 0 1 Switch A Switch B Configuration procedure Configure Switch A as follows Enter system view SwitchA system view Enter Ethernet 1 0 1 port view SwitchA interface Ethernet 1 0 1 Bind the MAC ad...

Page 189: ...DLDP Status 1 4 DLDP Timers 1 5 DLDP Operating Mode 1 6 DLDP Implementation 1 7 DLDP Neighbor State 1 8 Link Auto recovery Mechanism 1 9 DLDP Configuration 1 9 Performing Basic DLDP Configuration 1 9...

Page 190: ...ed for sending from A to B the other sending from B to A it is a bidirectional link two way link If one of these fibers gets broken this is a unidirectional link one way link When a unidirectional lin...

Page 191: ...ally or prompts you to disable it manually according to the configurations to avoid network problems A copper twisted pair cable such as a Category 5e twisted pair cable contains eight wires Some of t...

Page 192: ...hereafter Advertisement packet with the flush flag set to 1 A flush packet carries only the local port information instead of the neighbor information and is used to trigger neighbors to remove the i...

Page 193: ...nk recovers to implement the port auto recovery mechanism Recover probe packets carry only the local port information instead of the neighbor information They request for recover echo packets as the r...

Page 194: ...s you to disable the port manually At the same time DLDP deletes the neighbor entry Entry aging timer When a new neighbor joins a neighbor entry is created and the corresponding entry aging timer is e...

Page 195: ...ice sends up to eight Probe packets at a frequency of one packet per second to test the neighbor If no Echo packet is received from the neighbor when the Echo timer expires the device transits to the...

Page 196: ...enabled link is up DLDP sends DLDP packets to the peer device and analyzes processes the DLDP packets received from the peer device DLDP packets sent in different DLDP states are of different types Ta...

Page 197: ...Yes If all neighbors are in the bidirectional link state DLDP switches from the probe state to the advertisement state and sets the echo waiting timer to 0 3 If no echo packet is received from the nei...

Page 198: ...ket is consistent with that of the local port If yes the link between the local port and the neighbor is considered to be recovered to bidirectional the port changes from the disable state to the acti...

Page 199: ...Normally the interval is shorter than one third of the STP convergence time which is generally 30 seconds z DLDP does not process any link aggregation control protocol LACP event and treats each link...

Page 200: ...s Display the DLDP configuration of a unit or a port display dldp unit id interface type interface number Available in any view DLDP Configuration Example Network requirements As shown in Figure 1 4 z...

Page 201: ...abitEthernet1 1 1 speed 1000 SwitchA GigabitEthernet1 1 1 quit SwitchA interface gigabitethernet 1 1 2 SwitchA GigabitEthernet1 1 2 duplex full SwitchA GigabitEthernet1 1 2 speed 1000 SwitchA GigabitE...

Page 202: ...he device operates in the normal DLDP mode the end that receives optical signals is in the advertisement state the other end is in the inactive state z If the device operates in the enhance DLDP mode...

Page 203: ...guration Task List 1 6 Configuring a MAC Address Entry 1 7 Setting the MAC Address Aging Timer 1 8 Setting the Maximum Number of MAC Addresses a Port Can Learn 1 8 Disabling MAC Address learning for a...

Page 204: ...dress table recording the MAC address to forwarding port association Each entry in a MAC address table contains the following fields z Destination MAC address z ID of the VLAN which a port belongs to...

Page 205: ...he packet that is the address MAC A of User A to the MAC address table of the switch forming an entry shown in Figure 1 2 Figure 1 1 MAC address learning diagram 1 Figure 1 2 MAC address table entry o...

Page 206: ...gure 1 5 When forwarding the response packet from User B to User A the switch sends the response to User A through Ethernet 1 0 1 technically called unicast because MAC A is already in the MAC address...

Page 207: ...duce broadcast packets and are suitable for networks where network devices seldom change z Dynamic MAC address entry This type of MAC address entries age out after the configured aging time They are g...

Page 208: ...enter the switch through the marked VLAN the switch however cannot find the MAC addresses of the response packets in the MAC address table of the marked VLAN and have to broadcast the packets in the V...

Page 209: ...the MAC address entries of the marked VLAN can be copied to the MAC address table of the original VLAN When a response packet arrives at the downstream port the switch determines the outbound port fo...

Page 210: ...ace type interface number vlan vlan id Required z When you add a MAC address entry the port specified by the interface argument must belong to the VLAN specified by the vlan argument in the command Ot...

Page 211: ...seconds The capacity of the MAC address table on a switch is limited After the limit is reached the switch will forward the frames received with unknown source MAC addresses without learning MAC addr...

Page 212: ...number of the MAC addresses a port can learn is not limited If you have configured the maximum number of MAC addresses that a port can learn you cannot enable the MAC address authentication or port s...

Page 213: ...f the MAC address table To avoid the problem you are allowed to assign MAC addresses to the Ethernet ports on an S3100 series switch The idea is to assign a MAC address called the start port MAC addre...

Page 214: ...N If the configuration needs to be modified you need to remove the existing configuration first z With the MAC address replication feature disabled all the MAC address entries that the destination VLA...

Page 215: ...hernet 1 0 2 vlan 1 Add a black hole MAC address 000f e235 abcd with the VLAN and ports specified Sysname mac address blackhole 000f e235 abcd interface Ethernet 1 0 2 vlan 1 Display information about...

Page 216: ...it to VLAN 3 and VLAN 4 SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type trunk SwitchA Ethernet1 0 2 port trunk permit vlan 3 4 Please wait Done SwitchA Ethernet1 0 2 quit Create...

Page 217: ...1 quit Configure VLAN marking on Ethernet 1 0 2 to replace the VLAN tag of packets that matches ACL 3001 with VLAN tag 3 SwitchA interface Ethernet 1 0 2 SwitchA Ethernet1 0 2 traffic remark vlanid in...

Page 218: ...g the Timeout Time Factor 1 25 Configuring the Maximum Transmitting Rate on the Current Port 1 25 Configuring the Current Port as an Edge Port 1 26 Setting the Link Type of a Port to P2P 1 27 Enabling...

Page 219: ...l 1 44 Introduction 1 44 Configuring VLAN VPN tunnel 1 45 MSTP Maintenance Configuration 1 45 Introduction 1 45 Enabling Log Trap Output for Ports of MSTP Instance 1 45 Configuration Example 1 46 Enab...

Page 220: ...RSTP and Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Spanning Tree Protocol Overview Why STP Spanning tree prot...

Page 221: ...he port with the lowest path cost to the root bridge The root port is used for communicating with the root bridge A non root bridge device has one and only one root port The root bridge has no root po...

Page 222: ...ls see Configuring the Bridge Priority of the Current Switch 5 Path cost STP uses path costs to indicate the quality of links A small path cost indicates a higher link quality The path cost of a port...

Page 223: ...iority plus MAC address z Designated port ID designated port priority plus port number z Message age lifetime for the configuration BPDUs to be propagated within the network z Max age lifetime for the...

Page 224: ...h cost the following fields are compared sequentially designated bridge IDs designated port IDs and then the IDs of the ports on which the configuration BPDUs are received The smaller these values the...

Page 225: ...root port and designated ports forward traffic while other ports are all in the blocked state they only receive STP packets but do not forward user traffic Once the root bridge the root port on each...

Page 226: ...on BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Device B finds that the received configuration BPDU is superior to the configuration...

Page 227: ...e process z At the same time port CP1 receives configuration BPDUs periodically from Device A Device C does not launch an update process after comparison CP1 0 0 0 AP2 CP2 0 5 1 BP2 Device C z By comp...

Page 228: ...ty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the device generates configuration BPDUs with...

Page 229: ...gnated port can transit fast under the following conditions the designated port is an edge port or a port connected with a point to point link If the designated port is an edge port it can enter the f...

Page 230: ...mapped to MSTI 2 Other VLANs mapped to CIST BPDU BPDU A D C B Region B0 VLAN 1 mapped to MSTI 1 VLAN 2 mapped to MSTI 2 Other VLANs mapped to CIST Region C0 VLAN 1 mapped to MSTI 1 VLAN 2 and 3 mapped...

Page 231: ...ing tree generated by STP or RSTP running on the switches For example the red lines in Figure 1 4 represent the CST 7 CIST A common and internal spanning tree CIST is the spanning tree in a switched n...

Page 232: ...of the two ports to eliminate the loop that occurs The blocked port is the backup port In Figure 1 5 switch A switch B switch C and switch D form an MST region Port 1 and port 2 on switch A connect u...

Page 233: ...STP regards each MST region as a switch to calculate the CSTs of the network The CSTs together with the ISTs form the CIST of the network 2 Calculate an MSTI Within an MST region MSTP generates differ...

Page 234: ...figure MSTP Task Remarks Enabling MSTP Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after other related configurations are perf...

Page 235: ...nsmitting Rate on the Current Port Optional The default value is recommended Configuring the Current Port as an Edge Port Optional Configuring the Path Cost for a Port Optional Configuring Port Priori...

Page 236: ...onfiguration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configurati...

Page 237: ...Sysname mst region instance 2 vlan 20 to 30 Sysname mst region revision level 1 Sysname mst region active region configuration Verify the above configuration Sysname mst region check region configurat...

Page 238: ...o new root bridge is configured If you configure multiple secondary root bridges for an MSTI the one with the smallest MAC address replaces the root bridge when the latter fails You can specify the ne...

Page 239: ...switch cannot be configured any more z During the selection of the root bridge if multiple switches have the same bridge priority the one with the smallest MAC address becomes the root bridge Configur...

Page 240: ...to the format of the packets received Follow these steps to configure how a port recognizes and sends MSTP packets in Ethernet port view To do Use the command Remarks Enter system view system view En...

Page 241: ...e Maximum Hop Count of an MST Region The maximum hop count configured on the region root is also the maximum hops of the MST region The value of the maximum hop count limits the size of the MST region...

Page 242: ...witches Configuration procedure Follow these steps to configure the network diameter of the switched network To do Use the command Remarks Enter system view system view Configure the network diameter...

Page 243: ...ed to the network The default value is recommended z An adequate hello time parameter enables a switch to detect link failures in time without occupying too many network resources And a too small hell...

Page 244: ...me factor to a larger number to avoid such cases Normally the timeout time can be four or more times of the hello time For a steady network the timeout time can be five to seven times of the hello tim...

Page 245: ...many network resources The default value is recommended Configuration example Set the maximum transmitting rate of Ethernet 1 0 1 to 15 1 Configure the maximum transmitting rate in system view Sysnam...

Page 246: ...re recommended to configure the Ethernet ports connected directly to terminals as edge ports and enable the BPDU guard function at the same time This not only enables these ports to turn to the forwar...

Page 247: ...point link stp point to point force true force false auto Required The auto keyword is adopted by default z If you configure the link connected to a port in an aggregation group as a point to point li...

Page 248: ...m view Enable MSTP stp enable Required MSTP is disabled by default Enter Ethernet port view interface interface type interface number Disable MSTP on the port stp disable Optional By default MSTP is e...

Page 249: ...long different physical links by configuring appropriate path costs on ports so that VLAN based load balancing can be implemented Path cost of a port can be determined by the switch or through manual...

Page 250: ...00 2 1 1 1 Normally the path cost of a port operating in full duplex mode is slightly less than that of the port operating in half duplex mode When calculating the path cost of an aggregated link the...

Page 251: ...Sysname Ethernet1 0 1 stp instance 1 cost 2000 Configuration example B Configure the path cost of Ethernet 1 0 1 in MSTI 1 to be calculated by the MSTP enabled switch according to the IEEE 802 1D 1998...

Page 252: ...change the role of the port and put the port into state transition A smaller port priority value indicates a higher possibility for the port to become the root port If all the ports of a switch have t...

Page 253: ...on the switch Configuration Procedure You can perform the mCheck operation in the following two ways Perform the mCheck operation in system view Follow these steps to perform the mCheck operation in s...

Page 254: ...users can attack a network by sending configuration BPDUs deliberately to edge ports to cause network jitter You can prevent this type of attacks by utilizing the BPDU guard function With this functio...

Page 255: ...It resumes the normal state if it does not receive any configuration BPDUs with higher priorities for a specified period z You are recommended to enable root guard on the designated ports of a root b...

Page 256: ...oops in the network The loop guard function suppresses loops With this function enabled if link congestions or unidirectional link failures occur both the root port and the blocked ports become design...

Page 257: ...n threshold command to set the maximum times for a switch to remove the MAC address table and ARP entries in a specific period When the number of the TC BPDUs received within a period is less than the...

Page 258: ...opping enabled a port will not receive or forward any BPDUs In this way switches are protected against forged BPDU attacks thus ensuring correct STP calculation z You can enable BPDU dropping on ports...

Page 259: ...est snooping on the port Then the S3100 Ethernet switch regards another manufacturer s switch as in the same region it records the configuration digests carried in the BPDUs received from another manu...

Page 260: ...sion level and VLAN to instance mapping z The digest snooping feature must be enabled on all the switch ports that connect to another manufacturer s switches adopting proprietary spanning tree protoco...

Page 261: ...ode the root port on the downstream switch receives no agreement packet from the upstream switch and thus sends no agreement packets to the upstream switch As a result the designated port of the upstr...

Page 262: ...ort 2 is the root port Figure 1 8 Network diagram for rapid transition configuration Configuration procedure 1 Configure the rapid transition feature in system view Follow these steps to configure the...

Page 263: ...ese customer networks and are independent of those of the service provider network As shown in Figure 1 9 the upper part is the service provider network and the lower part comprises the customer netwo...

Page 264: ...e links between service provider networks are trunk links MSTP Maintenance Configuration Introduction In a large scale network with MSTP enabled there may be many MSTP instances and so the status of a...

Page 265: ...figuration procedure Follow these steps to enable trap messages conforming to 802 1d standard To do Use the command Remarks Enter system view system view Enable trap messages conforming to 802 1d stan...

Page 266: ...MSTI 4 and MSTI 0 respectively In this network Switch A and Switch B operate on the convergence layer Switch C and Switch D operate on the access layer VLAN 10 and VLAN 30 are limited in the converge...

Page 267: ...vlan 30 Sysname mst region instance 4 vlan 40 Sysname mst region revision level 0 Activate the settings of the MST region manually Sysname mst region active region configuration Specify Switch B as t...

Page 268: ...and Switch B in the network diagram z Switch C and Switch D are connected to each other through the configured trunk ports of the switches The VLAN VPN tunnel function is enabled in system view thus...

Page 269: ...rt Sysname interface GigabitEthernet 1 0 2 Sysname GigabitEthernet1 0 2 port link type trunk Add the trunk port to all VLANs Sysname GigabitEthernet1 0 2 port trunk permit vlan all 4 Configure Switch...

Page 270: ...1 51 Sysname GigabitEthernet1 0 1 port trunk permit vlan all...

Page 271: ...IGMP Snooping Configuration 2 4 Enabling IGMP Snooping 2 4 Configuring the Version of IGMP Snooping 2 5 Configuring Timers 2 6 Configuring Fast Leave Processing 2 6 Configuring a Multicast Group Filte...

Page 272: ...MLD Snooping Proxying 3 15 Configuration Prerequisites 3 15 Enabling MLD Snooping Proxying 3 15 Configuring a Source IPv6 Address for the MLD Messages Sent by the Proxy 3 16 Configuring an MLD Snoopi...

Page 273: ...st User Control Policy Configuration Example 5 2 IPv6 Multicast Group Filter Configuration 5 5 IPv6 ACL Overview 5 5 IPv6 ACL Configuration 5 7 IPv6 Multicast Group Filter Configuration 5 10 IPv6 Mult...

Page 274: ...ablishes a separate data transmission channel for each user requiring this information and sends a separate copy of the information to the user as shown in Figure 1 1 Figure 1 1 Information transmissi...

Page 275: ...ization ratio of the network resources is very low and the bandwidth resources are greatly wasted Therefore broadcast is disadvantageous in transmitting data to specific users moreover broadcast occup...

Page 276: ...of multicast over broadcast are as follows z A multicast data flow can be sent only to the receiver that requires the data z Multicast brings no waste of network resources and makes proper use of ban...

Page 277: ...plications of Multicast Advantages of multicast Advantages of multicast include z Enhanced efficiency Multicast decreases network traffic and reduces server load and CPU load z Optimal performance Mul...

Page 278: ...ddition the SSM model uses a multicast address range that is different from that of the ASM model and dedicated multicast forwarding paths are established between receivers and the specified multicast...

Page 279: ...p of destination addresses called group address rather than one address All the receivers join a group Once they join the group the data sent to this group of addresses starts to be transported to the...

Page 280: ...ated routers OSPF DR 224 0 0 7 Shared tree routers 224 0 0 8 Shared tree hosts 224 0 0 9 RIP 2 routers 224 0 0 11 Mobile agents 224 0 0 12 DHCP server relay agent 224 0 0 13 All protocol independent m...

Page 281: ...address The P and T bits must also be set to 1 P z When set to 0 it indicates that this address is an IPv6 multicast address not based on a unicast prefix z When set to 1 it indicates that this addres...

Page 282: ...e multicast IP address Figure 1 6 describes the mapping relationship Figure 1 6 Multicast address mapping XXXX X XXXX XXXX XXXX XXXX XXXX XXXX 1110 XXXX 0XXX XXXX XXXX XXXX XXXX XXXX 0000 0001 0000 00...

Page 283: ...ction provides only general descriptions about applications and functions of the Layer 2 and Layer 3 multicast protocols in a network For details about part of these protocols refer to the related cha...

Page 284: ...ol MSDP and Multicast Border Gateway Protocol MBGP MSDP is used to propagate multicast source information among different ASs while MBGP an extension of the Multi protocol Border Gateway Protocol MP B...

Page 285: ...whether the packet will be forwarded or discarded The RPF check mechanism is the basis for most multicast routing protocols to implement multicast forwarding The RPF mechanism enables multicast devic...

Page 286: ...is the RPF neighbor The router considers the path along which the packet from the RPF neighbor arrived on the RPF interface to be the shortest path that leads back to the source Assume that unicast r...

Page 287: ...1 14 the interface on which the packet actually arrived The RPF check succeeds and the packet is forwarded...

Page 288: ...en IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at Layer 2 When IGMP Snooping is running on the switch multicast packets for known multicast groups are mul...

Page 289: ...ssages and actions Table 2 1 Port aging timers in IGMP Snooping and related messages and actions Timer Description Message before expiry Action after expiry Router port aging timer For each router por...

Page 290: ...y receive the message and this prevents the switch from knowing if members of that multicast group are still attached to these ports When receiving a leave message When an IGMPv1 host leaves a multica...

Page 291: ...ts automatically If the multicast group does not exist the switch drops this IGMP leave message IGMP Snooping Configuration The following table lists all the IGMP Snooping configuration tasks Table 2...

Page 292: ...gies IGMPv3 has found increasingly wide application In IGMPv3 a host can not only join a specific multicast group but also explicitly specify to receive or reject the information from a specific multi...

Page 293: ...rt the switch directly removes that port from the forwarding table entry for the specific group If only one host is attached to a port enable fast leave processing to improve bandwidth management Enab...

Page 294: ...ms available to different users In an actual application when a user requests a multicast program the user s host initiates an IGMP report Upon receiving this report message the switch checks the repo...

Page 295: ...ion takes effect on all ports in the specified VLAN s z The configuration performed in Ethernet port view takes effect on the port no matter which VLAN it belongs to if no VLAN is specified if one or...

Page 296: ...and therefore cannot send general queries by default By enabling IGMP Snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no multicast routers...

Page 297: ...ommand Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source IP address of IGMP general queries igmp snooping general query source ip current interface ip address Opt...

Page 298: ...c Member Port for a Multicast Group If the host connected to a port is interested in the multicast data for a specific group you can configure that port as a static member port for that multicast grou...

Page 299: ...N view Operation Command Remarks Enter system view system view Enter VLAN view vlan vlan id Configure a specified port as a static router port multicast static router port interface type interface num...

Page 300: ...by default z Before configuring a simulated host enable IGMP Snooping in VLAN view first z The port to be configured must belong to the specified VLAN otherwise the configuration does not take effect...

Page 301: ...orresponding configurations on the Layer 3 switch Table 2 18 Configure multicast VLAN on the Layer 3 switch Operation Command Remarks Enter system view system view Create a multicast VLAN and enter VL...

Page 302: ...port hybrid vlan vlan id list tagged untagged Required The multicast VLAN must be included and the port must be configured to forward tagged packets for the multicast VLAN z One port can belong to onl...

Page 303: ...GMP snooping on Layer 2 switches z As shown in Figure 2 3 Router A connects to a multicast source Source through Ethernet1 0 2 and to Switch A through Ethernet1 0 1 z Run PIM DM and IGMP on Router A R...

Page 304: ...thernet 1 0 4 SwitchA vlan100 igmp snooping enable SwitchA vlan100 quit 4 Verify the configuration View the detailed information of the multicast group in VLAN 100 on Switch A SwitchA display igmp sno...

Page 305: ...10 includes Ethernet 1 0 10 Ethernet1 0 1 and Ethernet 1 0 2 Ethernet 1 0 10 is connected to Switch A VLAN 10 is a multicast VLAN Host A User 1 Host A is connected to Ethernet 1 0 1 on Switch B Host B...

Page 306: ...Enable the IGMP Snooping feature on Switch B SwitchB system view SwitchB igmp snooping enable Configure VLAN 10 as the multicast VLAN and enable IGMP Snooping on it SwitchB vlan 10 SwitchB vlan10 serv...

Page 307: ...ng is disabled check whether it is disabled globally or in the specific VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globall...

Page 308: ...overy Snooping MLD snooping is an IPv6 multicast constraining mechanism that runs on Layer 2 devices to manage and control IPv6 multicast groups Introduction to MLD Snooping By analyzing received MLD...

Page 309: ...r 2 It brings the following advantages z Reducing Layer 2 broadcast packets thus saving network bandwidth z Enhancing the security of multicast traffic z Facilitating the implementation of per host ac...

Page 310: ...nd dynamic ports z On an MLD snooping enabled switch the ports that received MLD general queries with the source address other than 0 0 or IPv6 PIM hello messages are dynamic router ports Aging timers...

Page 311: ...tion addressed to that IPv6 multicast group Upon receiving an MLD report the switch forwards it through all the router ports in the VLAN resolves the address of the reported IPv6 multicast group and p...

Page 312: ...ed the MLD done message Upon receiving the MLD multicast address specific query the switch forwards it through all the router ports in the VLAN and all member ports for that IPv6 multicast group and p...

Page 313: ...looks up the multicast forwarding table for the entry for the multicast group If the forwarding entry is found with the receiving port contained as a dynamic port in the outgoing port list the proxy...

Page 314: ...Pv6 Address for the MLD Messages Sent by the Proxy Optional Configuring Dropping Unknown IPv6 Multicast Data Optional Configuring MLD Report Suppression Optional Configuring Maximum Multicast Groups t...

Page 315: ...ing enable Required Disabled by default z MLD snooping must be enabled globally before it can be enabled in a VLAN z When you enable MLD snooping in a specified VLAN this function takes effect for por...

Page 316: ...get manually removed Follow these steps to configure the maximum number of entries in the forwarding table To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snoop...

Page 317: ...al 260 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps to c...

Page 318: ...uter will deem that no member of this IPv6 multicast group exists on the network segment and therefore will remove the corresponding forwarding path To avoid this situation from happening you can enab...

Page 319: ...usage However if fast leave processing is enabled on a port to which more than one host is attached when one host leaves a multicast group the other hosts attached to the port and interested in the sa...

Page 320: ...ng MLD snooping querier on a Layer 2 switch in a VLAN where multicast traffic needs to be Layer 2 switched only and no Layer 3 multicast devices are present the Layer 2 switch will act as the MLD quer...

Page 321: ...es globally Follow these steps to configure MLD queries and responses globally To do Use the command Remarks Enter system view system view Enter MLD snooping view mld snooping Configure the maximum re...

Page 322: ...address of MLD query messages may affect MLD querier election within the segment Configuring MLD Snooping Proxying Configuration Prerequisites Before configuring MLD snooping proxying in a VLAN enabl...

Page 323: ...Before configuring an MLD snooping policy complete the following tasks z Enable MLD snooping in the VLAN Before configuring an MLD snooping policy prepare the following data z The maximum number of IP...

Page 324: ...s Enter system view system view Enter MLD snooping view mld snooping Enable MLD report suppression report aggregation Optional Enabled by default On an MLD snooping proxy MLD membership reports are su...

Page 325: ...cal example is channel switching namely by joining the new multicast group a user automatically switches from the current IPv6 multicast group to the new one To address this situation you can enable t...

Page 326: ...view system view Enter MLD Snooping view mld snooping Configure 802 1p precedence for MLD Messages dot1p priority priority number Required The default 802 1p precedence for MLD messages is 0 Configuri...

Page 327: ...gh Ethernet 1 0 2 and to Switch A through Ethernet 1 0 1 Router A is the MLD querier on the subnet z MLDv1 is required on Router A MLD snooping version 1 is required on Switch A and Router A will act...

Page 328: ...lan 100 SwitchA vlan100 port ethernet 1 0 1 to ethernet 1 0 4 SwitchA vlan100 mld snooping enable SwitchA vlan100 mld snooping drop unknown SwitchA vlan100 quit Configure an IPv6 multicast group filte...

Page 329: ...h Ethernet 1 0 1 z MLDv1 is to run on Router A and MLDv1 Snooping is to run on Switch A Switch B and Switch C with Router A acting as the MLD querier z Host A and host C are permanent receivers of IPv...

Page 330: ...witch B Eth1 0 1 E t h 1 0 2 E t h 1 0 3 E t h 1 0 1 Eth1 0 2 E t h 1 0 1 Eth1 0 2 Host C Host B Host A Receiver Receiver E t h 1 0 3 E t h 1 0 4 Eth1 0 5 Configuration procedure 1 Enable IPv6 forward...

Page 331: ...100 port ethernet 1 0 1 ethernet 1 0 2 SwitchB vlan100 mld snooping enable SwitchB vlan100 quit 5 Configure Switch C Enable MLD snooping globally SwitchC system view SwitchC mld snooping SwitchC mld s...

Page 332: ...shown above Ethernet 1 0 3 of Switch A has become a static router port Display the detailed MLD snooping multicast group information in VLAN 100 on Switch C SwitchC display mld snooping group vlan 100...

Page 333: ...multicast sources is chosen as the MLD snooping querier z To prevent flooding of unknown multicast traffic within the VLAN it is required to configure all the switches to drop unknown multicast data...

Page 334: ...s information of these MLD messages received Display the MLD message statistics on Switch B SwitchB vlan100 display mld snooping statistics Received MLD general queries 3 Received MLDv1 specific queri...

Page 335: ...port Ethernet 1 0 1 RouterA system view RouterA multicast ipv6 routing enable RouterA interface ethernet 1 0 1 RouterA Ethernet1 1 mld enable RouterA Ethernet1 1 pim ipv6 dm RouterA Ethernet1 1 quit...

Page 336: ...roup address FF1E 101 FF1E 101 Host port s total 2 port Eth1 0 3 D Eth1 0 4 D MAC group s MAC group address 3333 0000 0101 Host port s total 2 port Eth1 0 3 Eth1 0 4 Display information about MLD mult...

Page 337: ...0 4 Troubleshooting MLD Snooping Switch Fails in Layer 2 Multicast Forwarding Symptom A switch fails to implement Layer 2 multicast forwarding Analysis MLD snooping is not enabled Solution 1 Enter the...

Page 338: ...Ns require IPv6 multicast programs on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results...

Page 339: ...D Snooping can uniformly manage the router ports and member ports in the IPv6 multicast VLAN When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Swi...

Page 340: ...he IPv6 multicast VLAN to pass and untag the packets Thus upon receiving multicast packets tagged with the IPv6 multicast VLAN ID from the upstream device the Layer 2 device untags the multicast packe...

Page 341: ...Required By default an IPv6 multicast VLAN has no ports Configure IPv6 multicast VLAN ports in terface view Follow these steps to configure IPv6 multicast VLAN ports in interface view To do Use this c...

Page 342: ...e so that Router A just sends IPv6 multicast data to Switch A through the IPv6 multicast VLAN and Switch A forward the IPv6 multicast data to the receivers that belong to different user VLANs Figure 4...

Page 343: ...LAN 2 to pass and untag the packets when forwarding them SwitchA interface ethernet 1 0 2 SwitchA Ethernet1 0 2 port link type hybrid SwitchA Ethernet1 0 2 port hybrid pvid vlan 2 SwitchA Ethernet1 0...

Page 344: ...VLAN Vlan id 10 Total 1 IP Group s Total 1 IP Source s Total 1 MAC Group s Router port s total 1 port Eth1 0 1 D IP group s the following ip group s match to one mac group IP group address FF1E 101 FF...

Page 345: ...configured policies If a match is found the host is allowed to join the multicast group otherwise the join report is dropped by the access switch z Upon receiving an IGMP leave message from a host the...

Page 346: ...ation z A multicast user control policy is functionally similar to a multicast group filter A difference lies in that a control policy can control both multicast joining and leaving of users based on...

Page 347: ...ugh Ethernet 1 0 3 to the four VLANs respectively SwitchA system view SwitchA vlan 101 SwitchA vlan101 port ethernet 1 0 1 SwitchA vlan101 quit SwitchA vlan 102 SwitchA vlan102 port ethernet 1 0 2 Swi...

Page 348: ...radius scheme1 primary accounting 2 1 1 1 SwitchB radius scheme1 key accounting 321123 SwitchB radius scheme1 user name format without domain SwitchB radius scheme1 quit Create an ISP domain domain1...

Page 349: ...ilter Configuration IPv6 ACL Overview IPv6 ACL Classification IPv6 ACLs identified by ACL numbers fall into two categories as shown in Table 5 1 Table 5 1 IPv6 ACL categories Category ACL number Match...

Page 350: ...ocol range A rule configured with a specific protocol is prior to a rule with the protocol type set to IP IP means any protocol carried over IP 2 Source IPv6 address prefix A rule configured with a lo...

Page 351: ...They are numbered in the range 2000 to 2999 z Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first z Configuration Procedure Follow...

Page 352: ...CMP message code Advanced IPv6 ACLs are numbered in the range 3000 to 3999 Compared with basic IPv6 ACLs they allow of more flexible and accurate filtering z Configuration Prerequisites If you want to...

Page 353: ...among the existing rules in the depth first order Note that the IDs of the rules still remain the same z You can modify the rule order of an IPv6 ACL with the acl ipv6 number acl6 number name acl6 nam...

Page 354: ...nst the configured ACL rule If the port on which the report was received can join this IPv6 multicast group the switch adds an entry for this port in the MLD snooping forwarding table otherwise the sw...

Page 355: ...oup otherwise the join report is dropped by the access switch z Upon receiving a done message from a host the access switch matches the IPv6 multicast group and source addresses against the policies I...

Page 356: ...iguration Example Network requirements z As shown in Figure 5 2 Switch A is a Layer 3 switch It connects to IPv6 multicast Source 1 through VLAN interface 101 It connects to the RADIUS server through...

Page 357: ...oping quit Create VLAN 103 assign Ethernet 1 0 1 through Ethernet 1 0 3 to this VLAN and enable MLD snooping in this VLAN SwitchB vlan 103 SwitchB vlan103 port ethernet 1 0 1 to ethernet 1 0 3 SwitchB...

Page 358: ...IUS server On the RADIUS server configure the parameters related to Switch B For details refer to the configuration manual of the RADIUS server 5 Verify the configuration After the configurations the...

Page 359: ...5 15 MAC group address 3333 0000 0101 Host port s total 1 port Eth1 0 3 As shown above Ethernet 1 0 3 on Switch B has joined FF1E 101 but not FF1E 102...

Page 360: ...t servers on the network This affects the use of network bandwidth and transmission of multicast data of authorized users by taking network resources You can configure multicast source port suppressio...

Page 361: ...ually Generally when receiving a multicast packet for a multicast group not yet registered on the switch the switch will flood the packet within the VLAN to which the port belongs You can configure a...

Page 362: ...tered on the local switch the packet will be flooded in the VLAN When the function of dropping unknown multicast packets is enabled the switch will drop any multicast packets whose multicast address i...

Page 363: ...information about multicast source port suppression display multicast source deny interface interface type interface number Display the created multicast MAC table entries display mac address multicas...

Page 364: ...n 1 20 Enabling the Unicast Trigger Function for 802 1X Authentication 1 20 Configuring Guest VLAN 1 21 Configuring Auth Fail VLAN for 802 1X Authentication 1 21 Configuring 802 1x Re Authentication 1...

Page 365: ...ard Feature 4 1 Displaying and Maintaining System Guard 4 2 5 System Guard Configuration For S3100 SI 5 1 System Guard Overview 5 1 System Guard Configuration 5 1 Enabling the System Guard function 5...

Page 366: ...Figure 1 1 Architecture of 802 1x authentication z The supplicant system is an entity residing at one end of a LAN segment and is authenticated by the authenticator system at the other end of the LAN...

Page 367: ...m can send and receive authentication requests z The controlled port can be used to pass service packets when it is in authorized state It is blocked when not in authorized state In this case no packe...

Page 368: ...defined in 802 1x To enable EAP protocol packets to be transmitted between supplicant systems and authenticator systems through LANs EAP protocol packets are encapsulated in EAPoL format The followin...

Page 369: ...he Code Identifier Length and Data fields z The Data field carries the EAP packet whose format differs with the Code field A Success or Failure packet does not contain the Data field so the Length fie...

Page 370: ...rt the two newly added fields the EAP message field with a value of 79 and the Message authenticator field with a value of 80 Four authentication ways namely EAP MD5 EAP TLS transport layer security E...

Page 371: ...process z Upon receiving the authentication request packet the switch sends an EAP request identity packet to ask the 802 1x client for the user name z The 802 1x client responds by sending an EAP re...

Page 372: ...d to rejected In EAP relay mode packets are not modified during transmission Therefore if one of the four ways are used that is PEAP EAP TLS EAP TTLS or EAP MD5 to authenticate ensure that the authent...

Page 373: ...act in an orderly way z Handshake timer handshake period This timer sets the handshake period and is triggered after a supplicant system passes the authentication It sets the interval for a switch to...

Page 374: ...ersion period and is triggered after a switch sends a version request packet The switch sends another version request packet if it does receive version response packets from the supplicant system when...

Page 375: ...ion and validity of an 802 1x client to prevent unauthorized users or users with earlier versions of 802 1x client from logging in This function makes the switch to send version requesting packets aga...

Page 376: ...the device will keep the user in the guest VLAN If a user of a port in the guest VLAN initiates authentication and passes the authentication the device will add the user to the assigned VLAN or return...

Page 377: ...mong the S3100 series Ethernet switches only the S3100 EI series supports the Auth Fail VLAN function Enabling 802 1x re authentication 802 1x re authentication is timer triggered or packet triggered...

Page 378: ...henticates users periodically 802 1x re authentication will fail if a CAMS server is used and configured to perform authentication but not accounting This is because a CAMS server establishes a user s...

Page 379: ...er to the AAA Operation Manual for detailed information about AAA scheme configuration Basic 802 1x Configuration Configuration Prerequisites z Configure ISP domain and the AAA scheme to be adopted Yo...

Page 380: ...is the macbased keyword is used by default Set authentication method for 802 1x users dot1x authentication method chap pap eap Optional By default a switch performs CHAP authentication in EAP termina...

Page 381: ...on switches cannot receive handshaking acknowledgement packets from them in handshaking periods To prevent users being falsely considered offline you need to disable the online user handshaking functi...

Page 382: ...dvanced 802 1x configurations as listed below are all optional z Specifying a Mandatory Authentication Domain for a Port z Configuration concerning CAMS including multiple network adapters detecting p...

Page 383: ...n Default domain Not configured Default domain X Default domain user name format without domain user name format with domain Z X Z Z X Z user name format without domain Note that z You can view userna...

Page 384: ...the proxy detecting function you need to enable the online user handshaking function first z The configuration listed in Table 1 4 takes effect only when it is performed on CAMS as well as on the swi...

Page 385: ...DHCP on access users and users are authenticated when they apply for dynamic IP addresses through DHCP Table 1 6 Enable DHCP triggered authentication Operation Command Remarks Enter system view syste...

Page 386: ...C EPON EI Series Ethernet Switches Configuring Auth Fail VLAN for 802 1X Authentication Configuration prerequisites z Enable 802 1X authentication z Create the VLAN to be specified as the Auth Fail VL...

Page 387: ...ation on port s In port view dot1x re authenticate Required By default 802 1x re authentication is disabled on a port z To enable 802 1x re authentication on a port you must first enable 802 1x global...

Page 388: ...he 802 1x related configuration by executing the display command in any view You can clear 802 1x related statistics information by executing the reset command in user view Table 1 12 Display and debu...

Page 389: ...name is sent to the RADIUS servers with the domain name truncated z The user name and password for local 802 1x authentication are localuser and localpass in plain text respectively The idle disconnec...

Page 390: ...5 Set the timer for the switch to send real time accounting packets to the RADIUS servers Sysname radius radius1 timer realtime accounting 15 Configure to send the user name to the RADIUS server with...

Page 391: ...to provide authentication authorization and accounting services Specify aabbcc as the shared key for Switch to exchange packets with the RADIUS server z Configure hello as both the username and passw...

Page 392: ...bcc Switch radius radius1 key accounting aabbcc Switch radius radius1 server type extended Switch radius radius1 user name format with domain Switch radius radius1 quit Specify aabbcc as the mandatory...

Page 393: ...s and HTTP redirection Restricted access Before passing 802 1x authentication a user is restricted through ACLs to a specific range of IP addresses or a specific server Services like EAD client upgrad...

Page 394: ...ck EAD deployment disabled users cannot access the DHCP server if they fail 802 1x authentication With quick EAD deployment enabled users can obtain IP addresses dynamically before passing authenticat...

Page 395: ...g and Maintaining Quick EAD Deployment After performing the above configurations you can display and verify the quick EAD deployment related configuration by executing the display command in any view...

Page 396: ...s PC is configured as the IP address of the connected VLAN interface on the switch Configure the URL for HTTP redirection Sysname system view Sysname dot1x url http 192 168 0 111 Configure a free IP...

Page 397: ...otted decimal notation As a result the PC cannot receive any ARP response and therefore cannot be redirected To solve this problem the user needs to enter an IP address that is not in the free IP rang...

Page 398: ...o the HABP request packets and forward the HABP request packets to lower level switches HABP servers usually reside on management devices and HABP clients usually on attached switches For ease of swit...

Page 399: ...habp enable Optional HABP is enabled by default And a switch operates as an HABP client after you enable HABP for it Displaying HABP After performing the above configuration you can display and verif...

Page 400: ...o know the characteristics of the attack source and then you can adopt different filtering rules according the characteristics of the attack source Thus system guard is implemented Configuring the Sys...

Page 401: ...minutes Displaying and Maintaining System Guard After the above configuration execute the display command in any view to display the running status of the system guard feature and to verify the confi...

Page 402: ...nfiguration includes z Enabling the system guard function z Configuring system guard related parameters z Specifying system guard enabled ports Enabling the System Guard function Table 5 1 lists the o...

Page 403: ...rt if the number of packets the port received and sent to the CPU in a specified interval exceeds the specified threshold the system considers that the port is under attack and begins to limit the pac...

Page 404: ...figuring RADIUS Accounting Servers 2 16 Configuring Shared Keys for RADIUS Messages 2 17 Configuring the Maximum Number of RADIUS Request Transmission Attempts 2 18 Configuring the Type of RADIUS Serv...

Page 405: ...Telnet Users 2 33 HWTACACS Authentication and Authorization of Telnet Users 2 35 Troubleshooting AAA 2 36 Troubleshooting RADIUS Configuration 2 36 Troubleshooting HWTACACS Configuration 2 36 3 EAD Co...

Page 406: ...ated on this device instead of on a remote device Local authentication is fast and requires lower operational cost but has the deficiency that information storage capacity is limited by device hardwar...

Page 407: ...eme and so on for each ISP domain independently in ISP domain view Authentication authorization and accounting of a user depends on the AAA methods configured for the domain that the user belongs to T...

Page 408: ...g as a RADIUS client passes user information to a specified RADIUS server and takes appropriate action such as establishing terminating user connection depending on the responses returned from the ser...

Page 409: ...ient an authentication response Access Accept which contains the user s authorization information If the authentication fails the server returns an Access Reject response 4 The RADIUS client accepts o...

Page 410: ...4 Accounting Request Direction client server The client transmits this message to the server to request the server to start or end the accounting whether to start or to end the accounting is determine...

Page 411: ...ength fields Table 1 2 RADIUS attributes Type field value Attribute type Type field value Attribute type 1 User Name 23 Framed IPX Network 2 User Password 24 State 3 CHAP Password 25 Class 4 NAS IP Ad...

Page 412: ...liable transmission and encryption and therefore is more suitable for security control Table 1 3 lists the primary differences between HWTACACS and RADIUS Table 1 3 Differences between HWTACACS and RA...

Page 413: ...ange procedure in HWTACACS The following text takes telnet user as an example to describe how HWTACACS implements authentication authorization and accounting for a user Figure 1 7 illustrates the basi...

Page 414: ...message carrying the password to the TACACS server 6 The TACACS server returns an authentication response indicating that the user has passed the authentication 7 The TACACS client sends a user author...

Page 415: ...onfigure RADIUS or HWATACACS before performing RADIUS or HWTACACS authentication Configuring Dynamic VLAN Assignment Optional Configuring the Attributes of a Local User Optional AAA configuration Cutt...

Page 416: ...twork service Set the maximum number of access users that the ISP domain can accommodate access limit disable enable max user number Optional By default there is no limit on the number of access users...

Page 417: ...ser information security With the cooperation of other networking devices such as switches in a network a CAMS server can implement the AAA functions and right management Configuring an AAA Scheme for...

Page 418: ...local hwtacacs scheme hwtacacs scheme name local Required By default an ISP domain uses the local AAA scheme Specify an AAA scheme for LAN users scheme lan access local none radius scheme radius sche...

Page 419: ...the FTP service you should not configure the none scheme z If scheme switching occurs during authentication local authorization and accounting will be performed If no scheme switching occurs during a...

Page 420: ...cal and none authentication methods do not require any scheme 2 Determine the access mode or service type to be configured With AAA you can configure an authentication method specifically for each acc...

Page 421: ...hing processes do not affect each other For example if scheme switching occurs during authentication the primary HWTACACS authorization scheme is still used though the authorization hwtacacs scheme hw...

Page 422: ...AN z String If the RADIUS authentication server assigns string type of VLAN IDs you can set the VLAN assignment mode to string on the switch Then upon receiving a string ID assigned by the RADIUS auth...

Page 423: ...ss local authentication you should add an entry in the local user database on the switch for the user Table 2 7 Configure the attributes of a local user Operation Command Remarks Enter system view sys...

Page 424: ...is determined by the privilege level of the user For SSH users using RSA shared key for authentication the commands they can access are determined by the levels set on their user interfaces z If the c...

Page 425: ...mission Attempts Optional Configuring the Type of RADIUS Servers to be Supported Optional Configuring the Status of RADIUS Servers Optional Configuring the Attributes of Data to be Sent to RADIUS Serv...

Page 426: ...horization and accounting And for each type of server you can configure two servers in a RADIUS scheme primary server and secondary server A RADIUS scheme has some parameters such as IP addresses of t...

Page 427: ...eme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has already been created in the system Set the IP address and port number of the primary RADIUS...

Page 428: ...timeout Some users may need the attributes but some users may not Such conflict occurs if the RADIUS server does not support user based attribute assignment or it performs uniformed user management Th...

Page 429: ...sending mode of accounting start requests Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Configure the sending mode...

Page 430: ...erver secondary accounting ip address ipv6 ipv6 address port number key string Optional By default the IP address and UDP port number of the secondary accounting server are 0 0 0 0 and 1813 for a newl...

Page 431: ...maximum number the switch cuts down the user connection z The IP address and port number of the primary accounting server of the default RADIUS scheme system are 127 0 0 1 and 1646 respectively z Cur...

Page 432: ...request fails Table 2 16 Configure the maximum transmission attempts of a RADIUS request Operation Command Remarks Enter system view system view Create a RADIUS scheme and enter its view radius scheme...

Page 433: ...the primary server instead of communicating with the secondary server and at the same time restores the status of the primary server to active while keeping the status of the secondary server unchange...

Page 434: ...lows to RADIUS servers data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet mega packet one packet Optional By default in a RADIUS scheme the data unit and packet un...

Page 435: ...MAC address format of the Calling Station Id Type 31 field in RADIUS packets is to improve the switch s compatibility with different RADIUS servers This setting is necessary when the format of Calling...

Page 436: ...server The maximum time that the switch can wait for the response is called the response timeout time of RADIUS servers and the corresponding timer in the switch system is called the response timeout...

Page 437: ...ional By default the real time accounting interval is 12 minutes Enabling Sending Trap Message when a RADIUS Server Goes Down Table 2 22 Specify to send trap message when a RADIUS server goes down Ope...

Page 438: ...ing to the information NAS ID NAS IP address and session ID contained in the message and ends the accounting for the users depending on the last accounting update message 4 Once the switch receives th...

Page 439: ...e The HWTACACS protocol configuration is performed on a scheme basis Therefore you must create an HWTACACS scheme and enter HWTACACS view before performing other configuration tasks Table 2 25 Create...

Page 440: ...nfiguring TACACS Authorization Servers Table 2 27 Configure TACACS authorization servers Operation Command Remarks Enter system view system view Create an HWTACACS scheme and enter its view hwtacacs s...

Page 441: ...onal By default the stop accounting messages retransmission function is enabled and the system can transmit a buffered stop accounting request for 100 times z You are not allowed to configure the same...

Page 442: ...e user names sent from the switch to TACACS server carry ISP domain names data flow format data byte giga byte kilo byte mega byte Set the units of data flows to TACACS servers data flow format packet...

Page 443: ...nting interval is 12 minutes z To control the interval at which users are charge in real time you can set the real time accounting interval After the setting the switch periodically sends online users...

Page 444: ...ics display radius statistics Display buffered non response stop accounting requests display stop accounting buffer radius scheme radius scheme name session id session id time range start time stop ti...

Page 445: ...rs The IP address of the server is 10 110 91 164 z Set the shared keys for authentication authorization and accounting packets exchanged with the RADIUS server to aabbcc Configure the switch to remove...

Page 446: ...witch Ethernet1 0 1 dot1x Remote RADIUS Authentication of Telnet SSH Users The configuration procedure for remote authentication of SSH users by RADIUS server is similar to that for Telnet users The f...

Page 447: ...name domain cams Sysname isp cams access limit enable 10 Sysname isp cams quit Configure a RADIUS scheme Sysname radius scheme cams Sysname radius cams accounting optional Sysname radius cams primary...

Page 448: ...uthentication for Telnet users Sysname user interface vty 0 4 Sysname ui vty0 4 authentication mode scheme Sysname ui vty0 4 quit Create and configure a local user named telnet Sysname local user teln...

Page 449: ...set both authentication and authorization shared keys that are used to exchange messages with the TACACS server to aabbcc Configure the switch to strip domain names off user names before sending user...

Page 450: ...from the switch Take measures to make the switch communicate with the RADIUS server normally Symptom 2 RADIUS packets cannot be sent to the RADIUS server Possible reasons and solutions z The communica...

Page 451: ...es the validity of the session control packets it receives according to the source IP addresses of the packets It regards only those packets sourced from authentication or security policy server as va...

Page 452: ...ration includes z Configuring the attributes of access users such as user name user type and password For local authentication you need to configure these attributes on the switch for remote authentic...

Page 453: ...tication server type to extended z Configure the encryption password for exchanging messages between the switch and RADIUS server to expert z Configure the IP address 10 110 91 166 of the security pol...

Page 454: ...ams server type extended Configure the IP address of the security policy server Sysname radius cams security policy server 10 110 91 166 Associate the domain with the RADIUS scheme Sysname radius cams...

Page 455: ...iguring Basic MAC Authentication Functions 1 2 MAC Address Authentication Enhanced Function Configuration 1 4 MAC Address Authentication Enhanced Function Configuration Tasks 1 4 Configuring a Guest V...

Page 456: ...en authentications are performed on a RADIUS server the switch serves as a RADIUS client and completes MAC authentication in combination of the RADIUS server z In MAC address mode the switch sends the...

Page 457: ...ply by the switch until the quiet timer expires This prevents an invalid user from being authenticated repeatedly in a short time z If the quiet MAC is the same as the static MAC configured or an auth...

Page 458: ...ace number Set the offline detect timer for MAC authentication on the Ethernet port view mac authentication timer offline detect offline detect value Optional 300 seconds for offline detect timer by d...

Page 459: ...ction for MAC authentication After completing configuration tasks in Configuring Basic MAC Authentication Functions for a switch this switch can authenticate access users according to their MAC addres...

Page 460: ...ort even if users fail to pass authentication Table 1 3 Configure a guest VLAN or Auth Fail VLAN Operation Command Description Enter system view system view Enter Ethernet port view interface interfac...

Page 461: ...onfigure a new guest VLAN for this port z 802 1x authentication cannot be enabled for a port configured with a MAC authentication guest VLAN Configuring the Maximum Number of MAC Address Authenticatio...

Page 462: ...uiet no matter whether the authentication is failed Table 1 5 Configure the quiet MAC function on a port Operation Command Description Enter system view system view Enter Ethernet port view interface...

Page 463: ...uiring hyphened lowercase MAC addresses as the usernames and passwords Sysname mac authentication authmode usernameasmacaddress usernameformat with hyphen lowercase Add a local user z Specify the user...

Page 464: ...9 After doing so your MAC authentication configuration will take effect immediately Only users with the MAC address of 00 0d 88 f6 44 c1 are allowed to access the Internet through port Ethernet 1 0 2...

Page 465: ...e 1 4 Configuring a Web Authentication Free User 1 4 Configuring HTTPS Access for Web Authentication 1 4 Configuration Prerequisites 1 5 Configuration Procedure 1 5 Customizing Web Authentication Page...

Page 466: ...nfiguration Example Currently only the S3100 EI series support Web authentication Introduction to Web Authentication Web authentication is a port based authentication method that is used to control th...

Page 467: ...sabled globally by default interface interface type interface number web authentication select method shared designated extended Enable Web authentication on a port quit Required Disabled on port by d...

Page 468: ...orced to get offline z You can use the web authentication select method extended command to enable Web authentication on a hybrid port Configuring an Auth Fail VLAN for Web Authentication In some case...

Page 469: ...the MAFV for 802 1X authentication on a port has been assigned to a user the MAFV for Web authentication will not take effect for the user Configuring a Web Authentication Free User Follow these steps...

Page 470: ...r policy policy name Required HTTP is used by default z You must configure this command before enabling Web authentication That is after enabling Web authentication you cannot change the access protoc...

Page 471: ...Web authentication page file the device will display the loaded Web authentication pages The customized information configured in section Customizing Page Elements for the default authentication page...

Page 472: ...requests are used when users submit username and password pairs log on the system and log off the system Rules on Post request attributes 1 Observe the following requirements when editing a form of a...

Page 473: ...ing Web Authentication Transition A WLAN client is connected to a switch through a wireless access point AP It may move between the ports of the switch when it for example roams between different APs...

Page 474: ...Web Proxy Auto Discovery WPAD rather than configured manually you need to perform the following configuration in addition to the port configuration z If DNS and WINS servers are providing services in...

Page 475: ...ain an IP address through the DHCP server Set the IP address and port number of the Web authentication server Sysname system view Sysname web authentication web server ip 10 10 10 10 port 8080 Configu...

Page 476: ...me radius scheme radius1 Enable Web authentication globally It is recommended to take this step as the last step so as to avoid the case that a valid user cannot access the network due to that some ot...

Page 477: ...le Authentication Overview 1 1 Background 1 1 Triple Authentication Mechanism 1 1 Extended Functions 1 2 Triple Authentication Configuration 1 3 Triple Authentication Configuration Example 1 3 Network...

Page 478: ...which connects to the terminals needs to support all the three types of authentication and allow a terminal to access the network after passing a type of authentication Figure 1 1 Triple authenticati...

Page 479: ...ing online To make the client free from authentication you can execute the web authentication free user command or configure an ACL rule to permit packets sourced from the client to pass Extended Func...

Page 480: ...he three authentication methods 802 1X authentication Web authentication and MAC authentication can access the IP network More specifically z The terminals request IP addresses through DHCP They use I...

Page 481: ...to specific VLANs omitted Enable DHCP Switch system view Switch dhcp enable Exclude the gateway IP addresses from assignment Switch dhcp server forbidden ip 192 168 1 1 Switch dhcp server forbidden i...

Page 482: ...Switch radius rs1 key accounting radius Specify usernames sent to the RADIUS server to carry no domain names Switch radius rs1 user name format without domain Switch radius rs1 quit 3 Configure an IS...

Page 483: ...ernet1 0 1 quit 6 Configure 802 1X authentication Enable 802 1X authentication globally Switch dot1x Enable 802 1X authentication MAC based access control required on Ethernet 1 0 1 and specify VLAN 2...

Page 484: ...Rate Limit 1 5 Introduction to Gratuitous ARP 1 5 ARP Configuration 1 5 Configuring ARP Basic Functions 1 5 Configuring ARP Attack Detection 1 6 Configuring the ARP Packet Rate Limit Function 1 7 Gra...

Page 485: ...quest messages and ARP reply messages Figure 1 1 illustrates the format of these two types of ARP messages z As for an ARP request all the fields except the hardware address of the receiver field are...

Page 486: ...sender Hardware address of the receiver z For an ARP request packet this field is null z For an ARP reply packet this field carries the hardware address of the receiver IP address of the receiver IP a...

Page 487: ...IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all zero MAC...

Page 488: ...switches support the ARP attack detection function All ARP both request and response packets passing through the switch are redirected to the CPU which checks the validity of all the ARP packets by u...

Page 489: ...port will revert to the Up state after a configured period of time Introduction to Gratuitous ARP The following are the characteristics of gratuitous ARP packets z Both source and destination IP addre...

Page 490: ...ument must be the ID of an existing VLAN and the port identified by the interface type and interface number arguments must belong to the VLAN z Currently static ARP entries cannot be configured on the...

Page 491: ...discussing DHCP in this manual z Generally the uplink port of a switch is configured as a trusted port z Before enabling ARP restricted forwarding make sure you enable ARP attack detection and configu...

Page 492: ...t the port state auto recovery function is disabled Configure the port state auto recovery interval arp protective down recover interval interval Optional By default when the port state auto recovery...

Page 493: ...he ARP mapping entries related to a specified string in a specified way display arp dynamic static begin include exclude regular expression Display the number of the ARP entries of a specified type di...

Page 494: ...ooping on Switch A and specify Ethernet1 0 1 as the DHCP snooping trusted port z Enable ARP attack detection in VLAN 1 to prevent ARP man in the middle attacks and specify Ethernet1 0 1 as the ARP tru...

Page 495: ...A Ethernet1 0 2 arp rate limit enable SwitchA Ethernet1 0 2 arp rate limit 20 SwitchA Ethernet1 0 2 quit Enable the ARP packet rate limit function on Ethernet1 0 3 and set the maximum ARP packet rate...

Page 496: ...WINS Servers for the DHCP Client 2 9 Configuring Gateways for the DHCP Client 2 10 Configuring BIMS Server Information for the DHCP Client 2 10 Configuring Option 184 Parameters for the Client with V...

Page 497: ...iguring DHCP Snooping Trusted Untrusted Ports 3 6 Configuring Unauthorized DHCP Server Detection 3 7 Configuring DHCP Snooping to Support Option 82 3 7 Configuring IP Filtering 3 11 Displaying DHCP Sn...

Page 498: ...t dynamic allocation of network resources A typical DHCP application includes one DHCP server and multiple clients such as PCs and laptops as shown in Figure 1 1 Figure 1 1 Typical DHCP application DH...

Page 499: ...the assignment of the IP address to the client When the client receives the DHCP ACK packet it broadcasts an ARP packet with the assigned IP address as the destination address to detect the assigned...

Page 500: ...gents which a DHCP packet passes For each DHCP relay agent that the DHCP request packet passes the field value increases by 1 z xid Random number that the client selects when it initiates a request Th...

Page 501: ...ications related to DHCP include z RFC2131 Dynamic Host Configuration Protocol z RFC2132 DHCP Options and BOOTP Vendor Extensions z RFC1542 Clarifications and Extensions for the Bootstrap Protocol z R...

Page 502: ...LAN interfaces Introduction to DHCP Server Usage of DHCP Server Generally DHCP servers are used in the following networks to assign IP addresses z Large sized networks where manual configuration metho...

Page 503: ...rations in turn can be inherited by their client address So for the parameters that are common to the whole network segment or some subnets such as domain name you just need to configure them on the n...

Page 504: ...ent DHCP IP Address Preferences A DHCP server assigns IP addresses in interface address pools or global address pools to DHCP clients in the following sequence 1 IP addresses that are statically bound...

Page 505: ...rt 67 and UDP port 68 ports will be disabled Configuring the Global Address Pool Based DHCP Server Configuration Task List Complete the following tasks to configure the global address pool based DHCP...

Page 506: ...ddress pool mode Creating a DHCP Global Address Pool Follow these steps to create a DHCP address pool To do Use the command Remarks Enter system view system view Create a DHCP global address pool and...

Page 507: ...ound static bind mac address mac address Bind an IP address to the MAC address of a DHCP client or a client ID statically Configure the client ID to which the IP address is to be statically bound stat...

Page 508: ...DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip command from dynamic allocation The lease time can differ with a...

Page 509: ...bout DNS refer to DNS Operation in this manual Follow these steps to configure a domain name suffix for the DHCP client To do Use the command Remarks Enter system view system view Enter DHCP address p...

Page 510: ...WINS servers The character p stands for peer to peer The source node sends the unicast packet to the WINS server After receiving the unicast packet the WINS server returns the IP address corresponding...

Page 511: ...efore the DHCP server needs to offer DHCP clients the BIMS server IP address port number shared key from the DHCP address pool Follow these steps to configure BIMS server information for the DHCP clie...

Page 512: ...option is defined Voice VLAN Configuration sub option 3 The voice VLAN configuration sub option carries the ID of the voice VLAN and the flag indicating whether the voice VLAN identification function...

Page 513: ...onse packet to be sent to the DHCP client Only when the DHCP client specifies in Option 55 of the request packet that it requires Option 184 does the DHCP server add Option 184 in the response packet...

Page 514: ...meet customers requirements for example you cannot use the dns list command to configure more than eight DNS server addresses you can configure a self defined option for extension Follow these steps t...

Page 515: ...n IP addresses from the same network segment the number of DHCP clients cannot exceed the number of the IP addresses assignable in the VLAN interface address pool Configuration Task List An interface...

Page 516: ...dress of the interface Enabling the Interface Address Pool Mode on Interface s If the DHCP server works in the interface address pool mode it picks IP addresses from the interface address pools and as...

Page 517: ...ly allocated to DHCP clients Configuring the static IP address allocation mode Some DHCP clients such as WWW servers need fixed IP addresses This is achieved by binding IP addresses to the MAC address...

Page 518: ...ly assigned is unnecessary To avoid address conflicts the DHCP server automatically excludes IP addresses used by the gateway FTP server and so forth specified with the dhcp server forbidden ip comman...

Page 519: ...DHCP server The DHCP server provides the domain name suffix together with an IP address for a requesting DHCP client Follow these steps to configure a domain name suffix for the client To do Use the...

Page 520: ...cast The source node obtains the IP address of the destination node by sending the broadcast packet containing the host name of the destination node After receiving the broadcast packet the destinatio...

Page 521: ...address Configuring BIMS Server Information for the DHCP Client A DHCP client performs regular software update and backup using configuration files obtained from a BIMS server Therefore the DHCP serv...

Page 522: ...lling processor dhcp server voice config ncp ip ip address all interface interface type interface number to interface type interface number Required Not specified by default Specify the backup network...

Page 523: ...nterface number all Required By default no customized option is configured Be cautious when configuring self defined DHCP options because such configuration may affect the DHCP operation process Confi...

Page 524: ...e IP address to the requesting client The DHCP client probes the IP address by sending gratuitous ARP packets Follow these steps to configure IP address detecting To do Use the command Remarks Enter s...

Page 525: ...hree packets bring no response from the RADIUS server the DHCP server does not send Accounting START packets any more DHCP Accounting Configuration Prerequisites Before configuring DHCP accounting mak...

Page 526: ...ip Display information about address binding display dhcp server ip in use ip ip address pool pool name interface interface type interface number all Display the statistics on a DHCP server display dh...

Page 527: ...guration Example Network requirements z The DHCP server Switch A assigns IP address to clients in subnet 10 1 1 0 24 which is subnetted into 10 1 1 0 25 and 10 1 1 128 25 z The IP addresses of VLAN in...

Page 528: ...0 24 and the attributes will be based on the configuration of the parent address pool For this example the number of clients applying for IP addresses from VLAN interface 1 is recommended to be less...

Page 529: ...pool 1 nbns list 10 1 1 4 SwitchA dhcp pool 1 quit Configure DHCP address pool 2 including address range gateway and lease time SwitchA dhcp server ip pool 2 SwitchA dhcp pool 2 network 10 1 1 128 mas...

Page 530: ...face2 ip address 10 1 1 1 255 255 255 0 Sysname Vlan interface2 quit Configure VLAN interface 2 to operate in the DHCP server mode Sysname dhcp select global interface vlan interface 2 Enter DHCP addr...

Page 531: ...Sysname interface ethernet 1 0 1 Sysname Ethernet1 0 1 port access vlan 2 Sysname Ethernet1 0 1 quit Enter Ethernet 1 0 2 port view and add the port to VLAN 3 Sysname interface ethernet 1 0 2 Sysname...

Page 532: ...nt from the network and then check whether there is a host using the conflicting IP address by performing ping operation on another host on the network with the conflicting IP address as the destinati...

Page 533: ...ernet switch Figure 3 1 Typical network diagram for DHCP snooping application On S3100 SI series Ethernet switches DHCP snooping listens the DHCP REQUEST packets to retrieve the IP addresses the DHCP...

Page 534: ...ap and administratively shuts down the port as configured The port that is shut down administratively is in the closed state and cannot receive or forward packets however using the display current con...

Page 535: ...with the default padding contents That is the circuit ID or remote ID sub option defines the type and length of a circuit ID or remote ID The remote ID type field and circuit ID type field are determi...

Page 536: ...the circuit ID sub option of the original Option 82 with the configured circuit ID sub option in ASCII format Replace Remote ID sub option is configured Forward the packet after replacing the remote I...

Page 537: ...snooping enabled device and the number of the VLAN to which the port belongs to These records are saved as entries in the DHCP snooping table IP static binding table The DHCP snooping table only recor...

Page 538: ...Description Enter system view system view Enter Ethernet port view interface interface type interface number Specify the current port as a trusted port dhcp snooping trust Required By default after DH...

Page 539: ...e dhcp snooping server guard source mac mac address Optional By default the source MAC address of DHCP DISCOVER messages is the bridge MAC address of the switch Display information about unauthorized...

Page 540: ...e steps to enable DHCP snooping Option 82 support Operation Command Description Enter system view system view Enable DHCP snooping Option 82 support dhcp snooping information enable Required By defaul...

Page 541: ...hex ascii Optional By default the format is hex The dhcp snooping information format command applies only to the default content of the Option 82 field If you have configured the circuit ID or remote...

Page 542: ...sysname of the device or any customized character string in the ASCII format z In Ethernet port view the remote ID takes effect only on the current interface You can configure Option 82 as any customi...

Page 543: ...rt z The remote ID configured on a port will not be synchronized in the case of port aggregation Configure the padding format for Option 82 Follow these steps to configure the padding format for Optio...

Page 544: ...static entry z The VLAN ID of the IP static binding configured on a port is the default VLAN ID of the port Displaying DHCP Snooping Configuration After the above configurations you can verify the co...

Page 545: ...he switch Set the circuit ID sub option to abcd in DHCP packets from VLAN 1 on Ethernet 1 0 3 Network diagram Figure 3 8 Network diagram for DHCP snooping Option 82 support configuration Eth1 0 2 Clie...

Page 546: ...down administratively z To prevent attackers from filtering the detecting DHCP DISCOVER packets specify the source MAC address for such packets as 000f e200 1111 different from the bridge MAC address...

Page 547: ...hernet1 0 3 and Ethernet1 0 4 is connected to DHCP Client B and Client C z Enable DHCP snooping on the switch and specify Ethernet1 0 1 as the DHCP snooping trusted port z Enable IP filtering on Ether...

Page 548: ...rce ip address mac address Switch Ethernet1 0 2 quit Switch interface Ethernet1 0 3 Switch Ethernet1 0 3 ip check source ip address mac address Switch Ethernet1 0 3 quit Switch interface Ethernet1 0 4...

Page 549: ...limit refer to ARP Operation in this manual The following describes only the DHCP packet rate limit function After DHCP packet rate limit is enabled on an Ethernet port the switch counts the number o...

Page 550: ...the port state auto recovery interval dhcp protective down recover interval interval Optional The port state auto recovery interval is 300 seconds z Enable the port state auto recovery function before...

Page 551: ...Switch interface Ethernet1 0 1 Switch Ethernet1 0 1 dhcp snooping trust Switch Ethernet1 0 1 quit Enable auto recovery Switch dhcp protective down recover enable Set the port state auto recovery inter...

Page 552: ...nfiguration Application Background With the automatic configuration feature a device upon startup without any configuration file can automatically obtain a configuration file from a remote server for...

Page 553: ...The Option 55 in the request specifies the information the device needs such as a configuration file name and a TFTP server address 3 From the reply returned by the DHCP server the switch obtains its...

Page 554: ...e automatic configuration terminates During this period the command line input is disabled in case of deletion of commands mistakenly After the automatic configuration terminates the command line inpu...

Page 555: ...ient can obtain an address lease for no more than 24 days even though the DHCP server offers a longer lease period z An S3100 Ethernet switch functioning as a DHCP client supports default route creati...

Page 556: ...lient Configure VLAN interface 1 to dynamically obtain an IP address by using DHCP SwitchA system view SwitchA interface Vlan interface 1 SwitchA Vlan interface1 ip address dhcp alloc Displaying DHCP...

Page 557: ...n ACL Globally 1 12 Assigning an ACL to a VLAN 1 12 Assigning an ACL to a Port Group 1 13 Assigning an ACL to a Port 1 13 Displaying ACL Configuration 1 14 Example for Upper Layer Software Referencing...

Page 558: ...ed ACL Rules are created based on the Layer 3 and Layer 4 information such as the source and destination IP addresses type of the protocols carried by IP protocol specific features and so on z Layer 2...

Page 559: ...r comparison in the above order the weighting principles will be used in deciding their priority order Each parameter is given a fixed weighting value This weighting value and the value of the paramet...

Page 560: ...ACL is referenced by upper layer software to control Telnet SNMP and Web login users the switch will deny packets if the packets do not match the ACL Types of ACLs Supported by S3100 Series Ethernet S...

Page 561: ...active only when the system time is within the defined absolute time section If multiple absolute time sections are defined in a time range the time range is active only when the system time is within...

Page 562: ...l number acl number match order auto config Required config by default Define an ACL rule rule rule id deny permit rule string Required For information about rule string refer to ACL Command Configure...

Page 563: ...and processing of three packet priority levels type of service ToS priority IP priority and differentiated services codepoint DSCP priority Using advanced ACLs you can define classification rules tha...

Page 564: ...the existent ones by depth first principle but the numbers of the existent rules are unaltered Configuration example Configure ACL 3000 to permit the TCP packets sourced from the network 129 9 0 0 16...

Page 565: ...you need to specify a number for the rule z The content of a modified or created rule cannot be identical with that of any existing rule of the ACL otherwise the rule modification or creation will fai...

Page 566: ...system If you want to configure a new one you need to remove the existing one first z To specify the src port dest port icmpv6 type or icmpv6 code keyword in the command you need to specify the ip pro...

Page 567: ...c port or dest port keyword in the command you need to specify the ip protocol rule string rule mask combination as TCP or UDP that is 0x06 or 0x11 To specify the icmpv6 type or icmpv6 code keyword yo...

Page 568: ...ment the following four ways are available z Assigning ACLs globally for filtering the inbound packets on all the ports z Assigning ACLs to a VLAN for filtering the inbound packets on all the ports an...

Page 569: ...inbound packets on all the ports Sysname system view Sysname packet filter inbound ip group 2000 Assigning an ACL to a VLAN Configuration prerequisites Before applying ACL rules to a VLAN you need to...

Page 570: ...port group view port group group id Apply an ACL to the port group packet filter inbound acl rule Required For description on the acl rule argument refer to ACL Command After an ACL is assigned to a p...

Page 571: ...inbound ip group 2000 Displaying ACL Configuration After the above configuration you can execute the display commands in any view to view the ACL running information and verify the configuration Table...

Page 572: ...CL 2000 Sysname system view Sysname acl number 2000 Sysname acl basic 2000 rule 1 permit source 10 110 100 52 0 Sysname acl basic 2000 quit Reference ACL 2000 on VTY user interface to control Telnet l...

Page 573: ...ACL on Ethernet 1 0 1 to deny packets with the source IP address of 10 1 1 1 from 8 00 to 18 00 everyday Network diagram Figure 1 3 Network diagram for basic ACL configuration Configuration procedure...

Page 574: ...e from 8 00 to 18 00 everyday Sysname system view Sysname time range test 8 00 to 18 00 working day Define ACL 3000 to filter packets destined for wage query server Sysname acl number 3000 Sysname acl...

Page 575: ...0011 ffff ffff ffff dest 0011 0011 0012 ffff ffff ffff time range test Sysname acl ethernetframe 4000 quit Apply ACL 4000 on Ethernet 1 0 1 Sysname interface Ethernet1 0 1 Sysname Ethernet1 0 1 packe...

Page 576: ...Ethernet1 0 1 packet filter inbound user group 5000 Example for Applying an ACL to a Port Group Network requirements PC 1 PC 2 and PC 3 connect to the switch through Ethernet 1 0 1 Ethernet 1 0 2 and...

Page 577: ...stination 192 168 1 2 0 time range test Sysname acl adv 3000 quit Create port group 1 and add Ethernet 1 0 1 Ethernet 1 0 2 and Ethernet 1 0 3 in the port group 1 Sysname port group 1 Sysname port gro...

Page 578: ...S Configuration 1 13 Configuring Priority Trust Mode 1 13 Configuring Priority Mapping 1 15 Marking Packet Priority 1 17 Configuring Traffic Policing 1 19 Configuring Traffic Shaping 1 21 Configuring...

Page 579: ...ii Configuration Example 2 4 QoS Profile Configuration Example 2 4...

Page 580: ...only suitable for applications insensitive to bandwidth and delay such as WWW file transfer and E mail New Applications and New Requirements With the expansion of computer network more and more networ...

Page 581: ...s resource competition during network congestion Generally it puts packets into queues first and then schedules the packets with a certain algorithm Congestion management is usually applied in the out...

Page 582: ...information about line rate refer to Port Rate Limiting z For information about the burst function refer to Burst Congestion management SP applicable only to the S3100 EI series WRR and HQ WRR queue s...

Page 583: ...00 Routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network In a network providing differentiated services traffics are grouped into the foll...

Page 584: ...011010 af31 28 011100 af32 30 011110 af33 34 100010 af41 36 100100 af42 38 100110 af43 8 001000 cs1 16 010000 cs2 24 011000 cs3 32 100000 cs4 40 101000 cs5 48 110000 cs6 56 111000 cs7 0 000000 be def...

Page 585: ...in the 802 1p specifications 3 Local precedence Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to one of the eight hardwa...

Page 586: ...packet priority types Trusted priority type Description 802 1p priority The switch searches for the local precedence corresponding to the 802 1p priority of the packet in the 802 1p to local precedenc...

Page 587: ...d for traffic classification z If 802 1p priority marking is configured the traffic will be mapped to the local precedence corresponding to the re marked 802 1p priority and assigned to the output que...

Page 588: ...affic with the token bucket When token bucket is used for traffic evaluation the number of the tokens in the token bucket determines the amount of the packets that can be forwarded If the number of to...

Page 589: ...shaping is a measure to regulate the output rate of traffic actively Its typical application is to control local traffic output based on the traffic policing indexes of downstream network nodes The m...

Page 590: ...ecting you can change the way in which a packet is forwarded to achieve specific purposes VLAN Marking VLAN marking allows you to replace the VLAN ID carried in the traffic matching a certain ACL rule...

Page 591: ...ndicates the proportion of obtaining resources On a 100 M port configure the weight value of WRR queue scheduling algorithm to 5 3 1 and 1 corresponding to w3 w2 w1 and w0 in order In this way the que...

Page 592: ...tion about mirroring refer to the Mirroring module of this manual QoS Configuration Table 1 9 QoS configuration tasks Task Remarks Configuring Priority Trust Mode Optional Configuring Priority Mapping...

Page 593: ...y Exit to system view quit Configure to trust packet priority priority trust Required By default the S3100 series switches trust port priority z If you configure to trust packet priority without speci...

Page 594: ...Sysname priority trust dscp Configure an S3100 EI switch to trust the DSCP precedence of the received packets Sysname system view Sysname priority trust Sysname priority trust dscp Configure to trust...

Page 595: ...le 1 13 Configure IP precedence to local precedence mapping table Operation Command Description Enter system view system view Configure IP precedence to local pre cedence mapping table qos ip preceden...

Page 596: ...SCP precedence of the packets Configuration prerequisites The following items are defined or determined before the configuration z The ACL rules used for traffic classification are specified Refer to...

Page 597: ...ckets passing a port and matching specific ACL rules Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Mark the priorities...

Page 598: ...packets matching specific ACL rules or for the packets that match specific ACL rules and are of a VLAN of a port group or pass a port Table 1 18 Configure traffic policing for all the packets matching...

Page 599: ...g traffic limit inbound acl rule target rate burst bucket burst bucket size conform con action exceed exceed action meter statistic Required By default traffic policing is disabled Clear the traffic p...

Page 600: ...Enter Ethernet port view interface interface type interface number Configure traffic shaping traffic shape queue queue id max rate burst size Required Traffic shaping is not enabled by default Config...

Page 601: ...ecting Only H3C S3100 EI series switches support this configuration Refer to section Traffic Redirecting for information about traffic redirecting Configuration prerequisites z The ACL rules used for...

Page 602: ...ure traffic redirecting traffic redirect inbound acl rule cpu interface interface type interface number Required z The traffic redirecting function configured on a VLAN is only applicable to packets t...

Page 603: ...28 Configure VLAN marking Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Configure VLAN marking to change the VLAN ID c...

Page 604: ...ion Configuration procedure Sysname system view Sysname queue scheduler wrr 12 8 4 1 Sysname display queue scheduler Queue scheduling mode weighted round robin weight of queue 0 12 weight of queue 1 8...

Page 605: ...ble 1 32 Generate traffic statistics on packets that are of a port group and match specific ACL rules Operation Command Description Enter system view system view Enter port group view port group group...

Page 606: ...ame acl number 2000 Sysname acl basic 2000 rule permit source 10 1 1 1 0 0 0 255 Sysname acl basic 2000 quit Sysname traffic statistic vlan 2 inbound ip group 2000 Sysname reset traffic statistic vlan...

Page 607: ...r system view system view Enter Ethernet port view of the destination port interface interface type interface number Define the current port as the destination port monitor port Required Exit current...

Page 608: ...t interface interface type interface number Define the current port as the destination port monitor port Required Exit current view quit Enter Ethernet port view of traffic mirroring configuration int...

Page 609: ...ationship display qos dscp local precedence map Display the IP precedence to local precedence mapping relationship display qos ip precedence local precedence m ap Display queue scheduling algorithm an...

Page 610: ...ct traffic statistic Display the configuration of traffic mirroring traffic policing priority marking traffic redirecting or traffic accounting performed for packets of a port group display qos port g...

Page 611: ...basic ACL view to classify packets sourced from the 192 168 2 0 24 network segment Sysname acl number 2001 Sysname acl basic 2001 rule permit source 192 168 2 0 0 0 0 255 Sysname acl basic 2001 quit 2...

Page 612: ...ion Mode Dynamic application mode A QoS profile can be applied dynamically to a user or a group of users passing 802 1x authentication To apply QoS profiles dynamically a user name to QoS profile mapp...

Page 613: ...isites z The ACL rules used for traffic classification are defined Refer to the ACL module of this manual for information about defining ACL rules z The type and number of actions in the QoS profile a...

Page 614: ...ce type interface number Configure the mode to apply a QoS profile as port based qos profile port based Specify the mode to apply a QoS profile Configure the mode to apply a QoS profile as user based...

Page 615: ...s and control their access to network resources A user name is someone and the authentication password is hello It is connected to Ethernet 1 0 1 of the switch and belongs to the test net domain It is...

Page 616: ...domain Sysname radius radius1 quit Create the user domain test net and specify radius1 as your RADIUS server group Sysname domain test net Sysname isp test net radius scheme radius1 Sysname isp test...

Page 617: ...1 1 Remote Port Mirroring 1 1 Mirroring Configuration 1 3 Configuring Local Port Mirroring 1 3 Configuring Remote Port Mirroring 1 4 Displaying Port Mirroring 1 7 Mirroring Configuration Example 1 7 L...

Page 618: ...device copies the packets of the source port to the reflector port which then broadcasts the packets in the remote probe VLAN After the remote device receives the packets it compares the VLAN ID of th...

Page 619: ...to the next intermediate switch or the destination switch through the remote probe VLAN No intermediate switch is present if the source and destination switches directly connect to each other z Desti...

Page 620: ...be VLAN run other protocol packets or carry other service packets on the remote prove VLAN and do not use the remote prove VLAN as the voice VLAN and protocol VLAN otherwise remote port mirroring may...

Page 621: ...fect When configuring local port mirroring note that z You need to configure the source and destination ports for the local port mirroring to take effect z The destination port cannot be a member port...

Page 622: ...ies do not support the both keyword in the source port configuration for a remote source mirroring group z All ports of a remote source mirroring group are on the same device Each remote source mirror...

Page 623: ...mit packets from the remote probe VLAN port trunk permit vlan remote probe vlan id Required Configuration on a switch acting as a destination switch 1 Configuration prerequisites z The destination por...

Page 624: ...roring VLAN is removed Displaying Port Mirroring After the above configurations you can execute the display commands in any view to view the mirroring running information so as to verify your configur...

Page 625: ...oring group 1 Sysname display mirroring group 1 mirroring group 1 type local status active mirroring port Ethernet1 0 1 both Ethernet1 0 2 both monitor port Ethernet1 0 3 After the configurations you...

Page 626: ...A Ethernet 1 0 1 and Ethernet 1 0 2 of Switch B and Ethernet 1 0 1 of Switch C as trunk ports allowing packets of VLAN 10 to pass z On Switch C create a remote destination mirroring group configure V...

Page 627: ...nterface Ethernet 1 0 1 Sysname Ethernet1 0 1 port link type trunk Sysname Ethernet1 0 1 port trunk permit vlan 10 Sysname Ethernet1 0 1 quit Configure Ethernet 1 0 2 as the trunk port allowing packet...

Page 628: ...nformation about remote destination mirroring group 1 Sysname display mirroring group 1 mirroring group 1 type remote destination status active monitor port Ethernet1 0 2 remote probe vlan 10 After th...

Page 629: ...ck Configuration Example 1 5 2 Cluster 2 1 Cluster Overview 2 1 Introduction to HGMP 2 1 Roles in a Cluster 2 2 How a Cluster Works 2 3 Cluster Configuration Tasks 2 8 Configuring the Management Devic...

Page 630: ...form the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Before creating a stack you need to configure an IP...

Page 631: ...ack Operation Command Description Enter system view system view Configure an IP address pool for a stack stacking ip pool from ip address ip address number ip mask Required from ip address Start addre...

Page 632: ...its IP address z Since both stack and cluster use the management VLAN and only one VLAN interface is available on the S3100 switch stack and cluster must share the same management VLAN if you want to...

Page 633: ...ble the stack port function on the stack port stack port enable Disable the stack port function on the stack port undo stack port enable Use either approach Enabled by default After a switch joins in...

Page 634: ...Switch A Switch B and Switch C with each other through their stack ports to form a stack in which Switch A acts as the main switch while Switch B and Switch C act as slave switches z Configure Switch...

Page 635: ...0 1 16 16 Member number 2 Name stack_2 Sysname Device S3100 EI MAC Address 000f e200 3135 Member status Up IP 129 10 1 17 16 Switch to Switch B a slave switch stack_0 Sysname stacking 1 stack_1 Sysnam...

Page 636: ...e and multiple member devices To manage the devices in a cluster you need only to configure an external IP address for the management switch Cluster management enables you to configure and manage remo...

Page 637: ...guration Function Management device Configured with a external IP address z Provides an interface for managing all the switches in a cluster z Manages member devices through command redirection that i...

Page 638: ...not want the candidate switches to be added to a cluster automatically you can set the topology collection interval to 0 by using the ntdp timer command In this case the switch does not collect networ...

Page 639: ...within the specified hop count so as to provide the information of which devices can be added to a cluster Based on the neighbor information stored in the neighbor table maintained by NDP NTDP on the...

Page 640: ...ce Note the following when creating a cluster z You need to designate a management device for the cluster The management device of a cluster is the portal of the cluster That is any operations from ou...

Page 641: ...ackets exchanged keep the states of the member devices to be Active and are not responded z If the management device does not receive a handshake packet from a member device after a period three times...

Page 642: ...ice the candidate device cannot be added to the cluster In this case you can enable the packets of the management VLAN to be permitted on the port through the management VLAN auto negotiation function...

Page 643: ...he MAC address and VLAN ID and then forward the packet to its downstream switch If within the specified hops a switch with the specified destination MAC address is found this switch sends a response t...

Page 644: ...s provide the following functions so that a cluster socket is opened only when it is needed z Opening UDP port 40000 used for cluster only when the cluster function is implemented z Closing UDP port 4...

Page 645: ...ng NTDP globally and on a specific port Follow these steps to enable NTDP globally and on a specific port Operation Command Description Enter system view system view Enable NTDP globally ntdp enable R...

Page 646: ...uster function is enabled Configuring cluster parameters The establishment of a cluster and the related configuration can be accomplished in manual mode or automatic mode as described below 1 Establis...

Page 647: ...h Required Start automatic cluster establishment auto build recover Required Follow prompts to establish a cluster z After a cluster is built automatically ACL 3998 and ACL 3999 will automatically gen...

Page 648: ...configured Configure a shared SNMP host for the cluster snmp host ip address Optional By default no shared SNMP host is configured Configuring Member Devices Member device configuration tasks Complete...

Page 649: ...evice s UDP port 40000 is opened at the same time z When you execute the delete member command on the management device to remove a member device from a cluster the member device s UDP port 40000 is c...

Page 650: ...s to access the shared FTP TFTP server from a member device Operation Command Description Access the shared FTP server of the cluster ftp cluster Optional Download a file from the shared TFTP server o...

Page 651: ...n id by ip ip address nondp Optional These commands can be executed in any view Configuring the Enhanced Cluster Features Enhanced cluster feature overview 1 Cluster topology management function After...

Page 652: ...uster device blacklist Required Configure cluster topology management function 1 Configuration prerequisites Before configuring the cluster topology management function make sure that z The basic clus...

Page 653: ...Operation Command Description Enter system view system view Enter cluster view cluster Add the MAC address of a specified device to the cluster blacklist black list add mac mac address Optional By def...

Page 654: ...ement device 2 Configuration procedure Perform the following operations on the management device to synchronize SNMP configurations To do Use the command Remarks Enter system view system view Enter cl...

Page 655: ...allowing read only access right using this community name test_0 Sysname cluster cluster snmp agent community read read_a Member 2 succeeded in the read community configuration Member 1 succeeded in...

Page 656: ...mib view included mib_a org snmp agent usm user v3 user_a group_a undo snmp agent trap enable standard z Configuration file content on a member device only the SNMP related information is displayed te...

Page 657: ...ations cannot be synchronized to the devices that are on the cluster blacklist z If a member device leaves the cluster the public local user configurations will not be removed Displaying and Maintaini...

Page 658: ...erves as the management device z The rest are member devices Serving as the management device the S3100 switch manages the two member devices The configuration for the cluster is as follows z The two...

Page 659: ...sname system view Sysname ndp enable Sysname interface Ethernet 1 0 1 Sysname Ethernet1 0 1 ndp enable Sysname Ethernet1 0 1 quit Enable NTDP globally and on Ethernet1 0 1 Sysname ntdp enable Sysname...

Page 660: ...t the interval to collect topology information to 3 minutes Sysname ntdp timer 3 Enable the cluster function Sysname cluster enable Enter cluster view Sysname cluster Sysname cluster Configure a priva...

Page 661: ...itch to member number mac address H H H command on the management device to switch to member device view to maintain and manage a member device After that you can execute the cluster switch to adminis...

Page 662: ...onfiguration procedure Enter cluster view aaa_0 Sysname system view aaa_0 Sysname cluster Add the MAC address 0001 2034 a0e5 to the cluster blacklist aaa_0 Sysname cluster black list add mac 0001 2034...

Page 663: ...the PoE Mode on a Port 1 4 Configuring the PD Compatibility Detection Function 1 5 Configuring PoE Over Temperature Protection on the Switch 1 5 Upgrading the PSE Processing Software Online 1 6 Displa...

Page 664: ...hree components power sourcing equipment PSE PD and power interface PI z PSE PSE is comprised of the power and the PSE functional module It can implement PD detection PD power information collection P...

Page 665: ...es over temperature protection mechanism Using this mechanism the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE...

Page 666: ...ort is enabled by the default configuration file config def when the device is delivered z If you delete the default configuration file without specifying another one the PoE function on a port will b...

Page 667: ...example Port A has the priority critical When the switch PoE is close to its full load and a new PD is now added to port A the switch just gives a prompt that a new PD is added and will not supply pow...

Page 668: ...perature Protection on the Switch If this function is enabled the switch disables the PoE feature on all ports when its internal temperature exceeds 65 C 149 F for self protection and restores the PoE...

Page 669: ...software z Generally the refresh update mode is used to upgrade the PSE processing software z When the online upgrading procedure is interrupted for some unexpected reason for example the device resta...

Page 670: ...8 port even when Switch A is under full load Networking diagram Figure 1 1 Network diagram for PoE Switch A Network Eth1 0 2 Eth1 0 1 Eth1 0 8 Switch B AP AP Configuration procedure Upgrade the PSE p...

Page 671: ...hernet1 0 8 quit Set the PoE management mode on the switch to auto it is the default mode so this step can be omitted SwitchA poe power management auto Enable the PD compatibility detect of the switch...

Page 672: ...enabled port the PoE configurations in the PoE profile will be enabled on the port PoE Profile Configuration Configuring PoE Profile Table 2 1 Configure PoE profile Operation Command Description Ente...

Page 673: ...ed for query it is displayed that the PoE profile is applied properly to the port z If one or more features in the PoE profile are not applied properly on a port the switch will prompt explicitly whic...

Page 674: ...A z Apply PoE profile 1 for Ethernet 1 0 1 through Ethernet 1 0 5 z Apply PoE profile 2 for Ethernet 1 0 6 through Ethernet 1 0 10 Network diagram Figure 2 1 PoE profile application Network IP Phone...

Page 675: ...signal SwitchA poe profile Profile2 poe priority high SwitchA poe profile Profile2 poe max power 15400 SwitchA poe profile Profile2 quit Display detailed configuration information for Profile2 Switch...

Page 676: ...arameters 1 5 Configuring Basic Trap 1 5 Configuring Extended Trap 1 6 Enabling Logging for Network Management 1 6 Displaying SNMP 1 6 SNMP Configuration Examples 1 7 SNMP Configuration Examples 1 7 2...

Page 677: ...ject MIB Management Information Base according to the message types generates the corresponding Response packets and returns them to the NMS When a network device operates improperly or changes to oth...

Page 678: ...bles of the monitored network devices In the above figure the managed object B can be uniquely identified by a string of numbers 1 2 1 1 The number string is the object identifier OID of the managed o...

Page 679: ...y name snmp agent community read write community name acl acl number mib view view name Set an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notif...

Page 680: ...tify view acl acl number Required Encrypt a plain text password to generate a cipher text one snmp agent calculate password plain password mode md5 sha local engineid specified engineid engineid Optio...

Page 681: ...er system view system view Enable the switch to send Trap messages to NMS snmp agent trap enable configuration flash standard authentication coldstart linkdown linkup warmstart system Enter port view...

Page 682: ...Command Description Enter system view system view Configure extended Trap snmp agent trap ifmib link extended Optional By default the linkUp linkDown Trap message adopts the standard format defined in...

Page 683: ...read write Display the currently configured MIB view display snmp agent mib view exclude include viewname view name Available in any view SNMP Configuration Examples SNMP Configuration Examples Netwo...

Page 684: ...rface Vlan interface 2 Sysname Vlan interface2 ip address 10 10 10 2 255 255 255 0 Sysname Vlan interface2 quit Enable the SNMP agent to send Trap messages to the NMS whose IP address is 10 10 10 1 Th...

Page 685: ...1 9 Authentication related configuration on an NMS must be consistent with that of the devices for the NMS to manage the devices successfully...

Page 686: ...large scale internetworks Working Mechanism of RMON RMON allows multiple monitors It can collect data in the following two ways z Using the dedicated RMON probes When an RMON system operates in this...

Page 687: ...larm entry you can perform operations on the samples of alarm variables and then compare the operation results with the thresholds thus implement more flexible alarm functions With an extended alarm e...

Page 688: ...ld threshold value2 event entry2 owner text Optional Before adding an alarm entry you need to use the rmon event command to define the event to be referenced by the alarm entry Add an extended alarm e...

Page 689: ...in any view RMON Configuration Examples Network requirements z The switch to be tested is connected to a remote NMS through the Internet Ensure that the SNMP agents are correctly configured before per...

Page 690: ...rops under the falling threshold event 2 is triggered Sysname rmon prialarm 2 1 3 6 1 2 1 16 1 1 1 9 1 1 3 6 1 2 1 16 1 1 1 10 1 test 10 changeratio rising_threshold 50 1 falling_threshold 5 2 entryty...

Page 691: ...10 Configuration Procedure 1 10 Configuring NTP Authentication 1 11 Configuration Prerequisites 1 11 Configuration Procedure 1 12 Configuring Optional NTP Parameters 1 13 Configuring an Interface on t...

Page 692: ...f devices in a network with required accuracy by performing NTP configuration NTP is mainly applied to synchronizing the clocks of all devices in a network For example z In network management the anal...

Page 693: ...ks they need to synchronize the clocks of each other through NTP To help you to understand the implementation principle we suppose that z Before the system clocks of Device A and Device B are synchron...

Page 694: ...information to calculate the following two parameters z Delay for an NTP message to make a round trip between Device A and Device B Delay T4 T1 T3 T2 z Time offset of Device A relative to Device B Of...

Page 695: ...cast mode Figure 1 5 Multicast mode Client Multicast clock synchronization packets periodically Network Server Initiates a client server mode request after receiving the first multicast packet Works i...

Page 696: ...cast server mode In this mode the local switch sends multicast NTP messages through the VLAN interface configured on the switch z Configure the local S3100 Ethernet switch to work in NTP multicast cli...

Page 697: ...er ntp service multicast client and ntp service multicast server commands enables the NTP feature and opens UDP port 123 at the same time z Execution of the undo form of one of the above six commands...

Page 698: ...been synchronized If the clock of a server has a stratum level lower than or equal to that of a client s clock the client will not synchronize its clock to the server s z You can configure multiple se...

Page 699: ...will not proceed z You can configure multiple symmetric passive peers for the local switch by repeating the ntp service unicast peer command The clock of the peer with the smallest stratum will be ch...

Page 700: ...in the NTP multicast client mode will respond to the NTP messages so as to start the clock synchronization An H3C S3100 series Ethernet switch can work as a multicast server or a multicast client z Re...

Page 701: ...device to perform control query z server Server right This level of right permits the peer device to perform synchronization and control query to the local switch but does not permit the local switch...

Page 702: ...mmetric peer mode Configuration Prerequisites NTP authentication configuration involves z Configuring NTP authentication on the client z Configuring NTP authentication on the server Observe the follow...

Page 703: ...ote ip server name authentication keyid key id Associate the specified key with the correspo nding NTP server Configure on the symmetric active peer in the symmetric peer mode ntp service unicast peer...

Page 704: ...them after configuring the NTP mode The procedure for configuring NTP authentication on the server is the same as that on the client Besides the client and the server must be configured with the same...

Page 705: ...server side and dynamic associations will be created at the client side Table 1 15 Configure the number of dynamic sessions allowed on the local switch Operation Command Description Enter system view...

Page 706: ...iguration Configuration procedure Perform the following configurations on Device B View the NTP status of Device B before synchronization DeviceB display ntp service status Clock status unsynchronized...

Page 707: ...1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Symmetric Peer Mode Network requirements z The local clock of Device A is set as the NTP master c...

Page 708: ...output information indicates that the clock of Device C is synchronized to that of Device B and the stratum level of its local clock is 2 one level lower than Device B View the information about the N...

Page 709: ...face2 ntp service broadcast client After the above configurations Device A and Device D will listen to broadcast messages through their own Vlan interface2 and Device C will send broadcast messages th...

Page 710: ...ulticast server mode and advertise multicast NTP messages through Vlan interface2 z Device A and Device D are two S3100 Ethernet switches Configure Device A and Device D to work in the NTP multicast c...

Page 711: ...3 32 022 UTC Apr 2 2007 BF422AE4 05AEA86C The output information indicates that Device D is synchronized to Device C with a clock stratum level of 3 one stratum level lower than that Device C View the...

Page 712: ...ID being 42 and the key being aNiceKey DeviceA ntp service authentication keyid 42 authentication mode md5 aNiceKey Specify the key 42 as a trusted key DeviceA ntp service reliable authentication keyi...

Page 713: ...1 22 Total associations 1...

Page 714: ...0 Exporting the RSA or DSA Public Key 1 11 Configuring the SSH Client 1 12 SSH Client Configuration Task List 1 12 Configuring an SSH Client that Runs SSH Client Software 1 12 Configuring an SSH Clien...

Page 715: ...SSH server In the former case the device establishes a remote SSH connection to an SSH server In the latter case the device provides connections to multiple clients Furthermore SSH can also provide d...

Page 716: ...ey of user 1 If the signature is correct this means that the data originates from user 1 Both Revest Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are asymmetric key algorithms RSA...

Page 717: ...lgorithm negotiation packets to each other which contain public key algorithm lists supported by the server and the client encrypted algorithm list message authentication code MAC algorithm list and c...

Page 718: ...an SSH_SMSG_FAILURE packet indicating that the processing fails or it cannot resolve the request The client sends a session request to the server which processes the request and establishes a session...

Page 719: ...on the Server z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Assigning a Public Key to an SSH User z Not necessary when the authenticati...

Page 720: ...mmand is not available Similarly if the protocol inbound ssh command has been executed the authentication mode password and authentication mode none commands are not available Configuring the SSH Mana...

Page 721: ...EI series support the ssh server compatible ssh1x enable command Generating Destroying Key Pairs This configuration task lets you generate or destroy a key pair You must generate an RSA and DSA key pa...

Page 722: ...ir of more than 768 bits is recommended Creating an SSH User and Specifying an Authentication Type This task is to create an SSH user and specify an authentication type for it Specifying an authentica...

Page 723: ...le to a logged in SSH user can be configured using the user privilege level command on the server and all the users with this authentication mode will enjoy this level z Under the password or password...

Page 724: ...nually To do Use the command Remarks Enter system view system view Enter public key view public key peer keyname Required Enter public key edit view public key code begin Configure a public key for th...

Page 725: ...c key on the screen in a specified format or export it to a specified file so that you can configure the key at a remote end when necessary Table 1 11 Follow these steps to export the RSA public key T...

Page 726: ...Software Configuring an SSH Client Assumed by an SSH2 Capable Switch Whether first authentication is supported Configuring an SSH Client Assumed by an SSH2 Capable Switch Configuring an SSH Client tha...

Page 727: ...ile corresponding to the public key must be specified on the client RSA key pairs and DSA key pairs are generated by a tool of the client software The following takes the client software of PuTTY Vers...

Page 728: ...enerate the client keys 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case to save the public key Figure 1 4 Generate...

Page 729: ...e name of the file for saving the private key private in this case to save the private key Figure 1 5 Generate the client keys 4 To generate RSA public key in PKCS format run SSHKEY exe click Browse a...

Page 730: ...ote that there must be a route available between the IP address of the server and the client Selecting a protocol for remote connection As shown in Figure 1 7 select SSH under Protocol Selecting an SS...

Page 731: ...tion From the window shown in Figure 1 8 click Open If the connection is normal you will be prompted to enter the username and password Enter the username and password to establish an SSH connection T...

Page 732: ...on z Not necessary when the authentication mode is password z Required when the authentication mode is publickey Configuring whether first time authentication is supported Optional Establishing the co...

Page 733: ...nter system view system view Enable the device to support first time authentication ssh client first time enable Optional By default the client is enabled to run first time authentication Table 1 16 F...

Page 734: ...correct private key Displaying and Maintaining SSH Configuration To do Use the command Remarks Display the public key part of the current switch s key pairs display public key local dsa rsa public Dis...

Page 735: ...sign publickey keyname Create an SSH user and specify pubblickey authentication as its authentication type ssh user username authentication type rsa ssh user username authentication type publickey z A...

Page 736: ...n mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication mode scheme Enable the user interfaces to support SSH Switch ui vty0 4 protocol inbound ssh Switch u...

Page 737: ...as an example 1 Run PuTTY exe to enter the following configuration interface Figure 1 11 SSH client configuration interface In the Host Name or IP address text box enter the IP address of the SSH ser...

Page 738: ...thentication succeeds you will log in to the server When Switch Acts as Server for Password and RADIUS Authentication Network requirements As shown in Figure 1 13 an SSH connection is required between...

Page 739: ...ion from the navigation tree In the System Configuration window click Modify of the Access Device item and then click Add to enter the Add Access Device window and perform the following configurations...

Page 740: ...and specify the password z Select SSH as the service type z Specify the IP address range of the hosts to be managed Figure 1 15 Add an account for device management 1 Configure the SSH server Create a...

Page 741: ...key authentication expert Switch radius rad server type extended Switch radius rad user name format without domain Switch radius rad quit Apply the scheme to the ISP domain Switch domain bbb Switch is...

Page 742: ...he category on the left pane of the window select Connection SSH The window as shown in Figure 1 17 appears Figure 1 17 SSH client configuration interface 2 Under Protocol options select 2 from Prefer...

Page 743: ...with the switch z The switch cooperates with an HWTACACS server to authenticate SSH users Network diagram Figure 1 18 Switch acts as server for password and HWTACACS authentication Configuration proc...

Page 744: ...domain bbb Switch isp bbb scheme hwtacacs scheme hwtac Switch isp bbb quit Configure an SSH user specifying the switch to perform password authentication for the user Switch ssh user client001 authent...

Page 745: ...ill log in to the server The level of commands that you can access after login is authorized by the HWTACACS server For authorization configuration of the HWTACACS server refer to relevant HWTACACS se...

Page 746: ...y pairs Switch public key local create rsa Switch public key local create dsa Set the authentication mode for the user interfaces to AAA Switch user interface vty 0 4 Switch ui vty0 4 authentication m...

Page 747: ...Switch001 z Configure the SSH client taking PuTTY version 0 58 as an example Generate an RSA key pair 1 Run PuTTYGen exe choose SSH2 RSA and click Generate Figure 1 22 Generate a client key pair 1 Wh...

Page 748: ...re 1 23 Generate a client key pair 2 After the key pair is generated click Save public key and enter the name of the file for saving the public key public in this case Figure 1 24 Generate a client ke...

Page 749: ...is generated you need to upload the pubic key file to the server through FTP or TFTP and complete the server end configuration before you continue to configure the client Establish a connection with...

Page 750: ...27 SSH client configuration interface 2 Under Protocol options select 2 from Preferred SSH protocol version 4 Select Connection SSH Auth The following window appears Figure 1 28 SSH client configurati...

Page 751: ...Configure Switch B Create a VLAN interface on the switch and assign an IP address which the SSH client will use as the destination for SSH connection SwitchB system view SwitchB interface vlan interfa...

Page 752: ...SwitchA ssh2 10 165 87 136 Username client001 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not authenticated Do you continue to access it Y N y Do you want to s...

Page 753: ...itchB public key local create rsa SwitchB public key local create dsa Set the authentication mode for the user interfaces to AAA SwitchB user interface vty 0 4 SwitchB ui vty0 4 authentication mode sc...

Page 754: ...ate dsa Export the generated DSA key pair to a file named Switch001 SwitchA public key local export dsa ssh2 Switch001 After the key pair is generated you need to upload the pubic key file to the serv...

Page 755: ...the destination of the client SwitchB system view SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Generating the RSA and...

Page 756: ...generate a DSA key pair on the server and save the key pair in a file named Switch002 and then upload the file to the SSH client through FTP or TFTP z Configure Switch A Create a VLAN interface on the...

Page 757: ...ch002 SwitchA public key peer Switch002 import sshkey Switch002 Specify the host public key pair name of the server SwitchA ssh client 10 165 87 136 assign publickey Switch002 Establish the SSH connec...

Page 758: ...em 1 1 File System Configuration Tasks 1 1 Directory Operations 1 1 File Operations 1 2 Flash Memory Operations 1 3 Prompt Mode Configuration 1 3 File System Configuration Example 1 4 File Attribute C...

Page 759: ...and file name in one of the following ways z In universal resource locator URL format and starting with unit1 flash or flash This method is used to specify a file in the current Flash memory For exam...

Page 760: ...te command should be executed in system view Table 1 3 File operations To do Use the command Remarks Delete a file delete unreserved file url delete running files standby files unreserved Optional A d...

Page 761: ...ash Memory Operations Perform the following Flash memory operations using commands listed in Table 1 4 Perform the following configuration in user view Table 1 4 Operations on the Flash memory To do U...

Page 762: ...attribute Copy the file flash config cfg to flash test with 1 cfg as the name of the new file Sysname copy flash config cfg flash test 1 cfg Copy unit1 flash config cfg to unit1 flash test 1 cfg Y N y...

Page 763: ...backup startup file is used after a switch fails to start up using the main startup file In the Flash memory there can be only one app file one configuration file and one Web file with the backup att...

Page 764: ...e Management part in this manual Configuring File Attributes You can configure and view the main attribute or backup attribute of the startup file used for the next startup of a switch and change the...

Page 765: ...the Boot menu after restarting the switch or specify a new Web file by using the boot web package command Otherwise Web server cannot function normally z Currently a configuration file has the extensi...

Page 766: ...ample A Switch Operating as an FTP Server 1 6 FTP Banner Display Configuration Example 1 8 FTP Configuration A Switch Operating as an FTP Client 1 9 SFTP Configuration 1 11 SFTP Configuration A Switch...

Page 767: ...1 Roles that an H3C S3100 series Ethernet switch acts as in FTP Item Description Remarks FTP server An Ethernet switch can operate as an FTP server to provide file transmission services for FTP client...

Page 768: ...the service type to FTP To use FTP services a user must provide a user name and password for being authenticated by the FTP server Only users that pass the authentication have access to the FTP server...

Page 769: ...P 21 is disabled when you shut down the FTP server Configuring connection idle time After the idle time is configured if the server does not receive service requests from a client within a specified t...

Page 770: ...FTP server through FTP the configured banner is displayed on the FTP client Banner falls into the following two types z Login banner After the connection between an FTP client and an FTP server is es...

Page 771: ...erver display ftp user Available in any view FTP Configuration A Switch Operating as an FTP Client Basic configurations on an FTP client By default a switch can operate as an FTP client In this case y...

Page 772: ...le to the remote FTP server put localfile remotefile Rename a file on the remote server rename remote source remote dest Log in with the specified user name and password user username password Connect...

Page 773: ...ation Configure the FTP user name as switch the password as hello and the service type as FTP Sysname Sysname system view Sysname ftp server enable Sysname local user switch Sysname luser switch passw...

Page 774: ...If you have to delete the files in use to make room for the file to be uploaded you can only delete download them through the Boot ROM menu z H3C series switch is not shipped with FTP client applicat...

Page 775: ...in banner appears Sysname header shell shell banner appears 2 Configure the PC FTP client Access the Ethernet switch through FTP Enter the user name switch and the password hello to log in to the swit...

Page 776: ...og in to a switch through the Console port or by telnetting the switch See the Login module for detailed information If available space on the Flash memory of the switch is not enough to hold the file...

Page 777: ...ing module of this manual SFTP Configuration Table 1 10 SFTP configuration tasks Item Configuration task Description Enabling an SFTP server Required Configuring connection idle time Optional SFTP Con...

Page 778: ...nding configuration manual z Currently an H3C S3100 series Ethernet switch operating as an SFTP server supports the connection of only one SFTP user When multiple users attempt to log in to the SFTP s...

Page 779: ...ile remove remote file Optional Both commands have the same effect dir a l remote path Query a specified file on the SFTP server ls a l remote path Optional If no file name is provided all the files i...

Page 780: ...e 1 6 Network diagram for SFTP configuration Configuration procedure 1 Configure the SFTP server switch B Create key pairs Sysname system view Sysname public key local create rsa Sysname public key lo...

Page 781: ...1 Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Do you continue to access it Y N y Do you want to save the server s public...

Page 782: ...Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogroup 0 Sep 02...

Page 783: ...1 17 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk Received status End of file Received status Success sftp client Exit SFTP sftp client quit Bye Sysname...

Page 784: ...ads files from When you download a file that is larger than the free space of the switch s flash memory z If the TFTP server supports file size negotiation file size negotiation will be initiated betw...

Page 785: ...by default Specify an ACL rule used by the specified TFTP client to access a TFTP server tftp server acl acl number Optional Not specified by default TFTP Configuration Example Network requirements A...

Page 786: ...ch the switch connects with the PC belongs to this VLAN This example assumes that the port belongs to VLAN 1 Sysname interface Vlan interface 1 Sysname Vlan interface1 ip address 1 1 1 1 255 255 255 0...

Page 787: ...Output System Information to the Console 1 8 Setting to Output System Information to a Monitor Terminal 1 9 Setting to Output System Information to a Log Host 1 11 Setting to Output System Information...

Page 788: ...has a smaller severity level Table 1 1 Severity description Severity Severity value Description emergencies 1 The system is unavailable alerts 2 Information that demands prompt reaction critical 3 Cri...

Page 789: ...ing information 4 logbuffer Log buffer Receives log information a buffer inside the device for recording information 5 snmpagent SNMP NMS Receives trap information 6 channel6 Not specified Receives lo...

Page 790: ...nal line module MSTP Multiple spanning tree protocol module NAT Network address translation module NDP Neighbor discovery protocol module NTDP Network topology discovery protocol module NTP Network ti...

Page 791: ...ination is loghost the switch and the log host use the syslog protocol The system information is in the following format according to RFC 3164 The BSD Syslog Protocol Int_16 timestamp sysname nnmodule...

Page 792: ...terminal logbuffer trapbuffer and the SNMP is with a precision of milliseconds z yyyy is the year z GMT hh mm ss is the UTC time zone which represents the time difference with the Greenwich standard...

Page 793: ...and content fields For system information destined to the log host z If the character string ends with l it indicates the log information z If the character string ends with t it indicates the trap in...

Page 794: ...Required Disabled by default z If the system information is output before you input any information following the current command line prompt the system does not echo any command line prompt after the...

Page 795: ...ystem information output to the console info center console channel channel number channel name Optional By default the switch uses information channel 0 to output log debugging trap information to th...

Page 796: ...associated display function to display the output information on the console Table 1 9 Enable the system information display on the console Operation Command Description Enable the debugging log trap...

Page 797: ...ple Telnet users or dumb terminal users they share some configuration parameters including module filter language and severity level threshold In this case change to any such parameter made by one use...

Page 798: ...nformation to the log host the switch uses information channel 2 by default Configure the source interface through which log information is sent to the log host info center loghost source interface ty...

Page 799: ...rap debugging boot date none Optional By default the time stamp format of the output trap information is date Setting to Output System Information to the Log Buffer Table 1 14 Set to output system inf...

Page 800: ...o send information to a remote SNMP NMS properly related configurations are required on both the switch and the SNMP NMS Displaying and Maintaining Information Center After the above configurations yo...

Page 801: ...Switch system view Switch info center enable Disable the function of outputting information to log host channels Switch undo info center source default channel loghost Configure the host whose IP add...

Page 802: ...and the file etc syslog conf is modified execute the following command to send a HUP signal to the system daemon syslogd so that it can reread its configuration file etc syslog conf ps ae grep syslogd...

Page 803: ...d be used as a separator instead of a space z No space is permitted at the end of the file name z The device name facility and received log information severity specified in file etc syslog conf must...

Page 804: ...with severity level higher than informational to the console Switch info center console channel console Switch info center source arp channel console log level informational debug state off trap state...

Page 805: ...to be output to the log host to date Switch system view System View return to User View with Ctrl Z Switch info center timestamp loghost date Configure to add UTC time to the output information of th...

Page 806: ...about Modules in System 2 3 Command Alias Configuration 2 1 Introduction 2 1 Configuring Command Alias 2 1 3 Network Connectivity Test 3 1 Network Connectivity Test 3 1 ping 3 1 tracert 3 1 4 Device M...

Page 807: ...ii Configuring a Scheduled Task 5 1 Configuration Prerequisites 5 1 Configuring a Scheduled Task 5 1 Scheduled Task Configuration Example 5 2...

Page 808: ...hrough Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP The Boot ROM software version should be compatible with the host software version when you load th...

Page 809: ...tup mode after the information Press Ctrl B to enter BOOT Menu displays Otherwise the system starts to extract the program and if you want to enter the BOOT Menu at this time you will have to restart...

Page 810: ...g program proceeds to send another packet If the check fails the receiving program sends negative acknowledgement characters and the sending program retransmits the packet Loading Boot ROM Follow thes...

Page 811: ...ed to add the HyperTerminal program first and then log in to and manage the device as described in this document On the Windows 2008 Server Windows 7 Windows Vista or some other operating system you n...

Page 812: ...HyperTerminal to the switch as shown in Figure 1 3 Figure 1 3 Connect and disconnect buttons The new baudrate takes effect after you disconnect and reconnect the HyperTerminal program Step 6 Press En...

Page 813: ...dialog box Step 8 Click Send The system displays the page as shown in Figure 1 5 Figure 1 5 Sending file page Step 9 After the sending process completes the system displays the following information L...

Page 814: ...for loading the Boot ROM except that the system gives the prompt for host software loading instead of Boot ROM loading You can also use the xmodem get command to load host software through the Consol...

Page 815: ...rTerminal program on the configuration PC Start the switch Then enter the BOOT Menu At the prompt Enter your choice 0 9 in the BOOT Menu press 6 or Ctrl U and then press Enter to enter the Boot ROM up...

Page 816: ...except that the system gives the prompt for host software loading instead of Boot ROM loading When loading Boot ROM and host software using TFTP through BOOT menu you are recommended to use the PC di...

Page 817: ...P address 10 1 1 2 Server IP address 10 1 1 1 FTP User Name Switch FTP User Password abc Step 5 Press Enter The system displays the following information Are you sure to update your bootrom Yes or No...

Page 818: ...n device and the FTP server You can telnet to the switch and then execute the FTP commands to download the Boot ROM program switch btm from the remote FTP server whose IP address is 10 1 1 1 to the sw...

Page 819: ...The loading of Boot ROM and host software takes effect only after you restart the switch with the reboot command z If the space of the Flash memory is not enough you can delete the unused files in th...

Page 820: ...able FTP service on the switch and configure the FTP user name to test and password to pass Sysname Vlan interface1 quit Sysname ftp server enable Sysname local user test New local user added Sysname...

Page 821: ...Enter ftp 192 168 0 28 and enter the user name test password pass as shown in Figure 1 12 to log on to the FTP server Figure 1 12 Log on to the FTP server Step 7 Use the put command to upload the file...

Page 822: ...t the file to be downloaded is the host software file and that you need to use the boot boot loader command to select the host software used for the next startup of the switch z The steps listed above...

Page 823: ...1 16...

Page 824: ...ime it automatically adds the specified offset to the current time so as to toggle the system time to the summer time z When the system reaches the specified end time it automatically subtracts the sp...

Page 825: ...ontrol the display of debugging information z Protocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging in...

Page 826: ...it unit id interface interface type interface number module name You can execute the display command in any view Displaying Operating Information about Modules in System When an Ethernet switch is in...

Page 827: ...habits Configuring Command Alias Follow these steps to configure command aliases To do Use the command Remarks Enter system view system view Enable the command alias function command alias enable Req...

Page 828: ...response time tracert You can use the tracert command to trace the gateways that a packet passes from the source to the destination This command is mainly used to check the network connectivity It ca...

Page 829: ...onfiguring Real time Monitoring of the Running Status of the System Optional Specifying the APP to be Used at Reboot Optional Upgrading the Boot ROM Optional Identifying and Diagnosing Pluggable Trans...

Page 830: ...boot date and time Configuring Real time Monitoring of the Running Status of the System This function enables you to dynamically record the system running status such as CPU thus facilitating analysis...

Page 831: ...t or if the peer port is shut down the 1000 Mbps uplink port automatically enters the power save state so as to lower the power consumption of the switch Table 4 7 Follow these steps to enable auto po...

Page 832: ...ation Command Description Display main parameters of the pluggable transceiver s display transceiver interface interface type interface number Available for all pluggable transceivers Display part of...

Page 833: ...ment Operation Command Description Display the APP to be adopted at next startup display boot loader unit unit id Display the module type and operating status of each board display device manuinfo uni...

Page 834: ...P configuration Switch PC Network 1 1 1 1 2 2 2 2 Configuration procedure 1 Configure the following FTP server related parameters on the PC an FTP user with the username as switch and password as hell...

Page 835: ...om boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded 9 Specify the downloaded program as the host software to be adopted when the...

Page 836: ...commands in a scheduled task must be in the same view z You can specify up to ten commands in one scheduled task To execute more than ten commands you can specify multiple scheduled tasks Configuring...

Page 837: ...b name Available in any view z You can specify only one view for each scheduled task z After a scheduled task is configured modification of the system time will affect the execution of the task Howeve...

Page 838: ...ing at 18 00 week day Mon Tue Wed Thu Fri command shutdown Switch job pc3 Switch job pc3 view Ethernet1 0 3 Switch job pc3 time 1 repeating at 8 00 week day Mon Tue Wed Thu Fri command undo shutdown S...

Page 839: ...e QinQ Configuration 2 1 Selective QinQ Overview 2 1 Selective QinQ Overview 2 1 Selective QinQ Configuration 2 2 Selective QinQ Configuration Task List 2 2 Configuring Global Tag Mapping Rules for Se...

Page 840: ...rough the service providers backbone networks with both inner and outer VLAN tags In public networks packets of this type are transmitted by their outer VLAN tags that is the VLAN tags of public netwo...

Page 841: ...the VLAN tag in an Ethernet frame 0 31 15 TPID Priority VLAN ID CFI An S3100 switch determines whether a received frame is VLAN tagged by comparing its own TPID with the TPID field in the received fra...

Page 842: ...Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the VLAN VPN feature on the port vlan vpn enable Required By default the VLAN VPN featu...

Page 843: ...twork by Using VLAN VPN Network requirements As shown in Figure 1 4 Switch A and Switch B are both S3100 series switches They connect the users to the servers through the public network z PC users and...

Page 844: ...nable SwitchA Ethernet1 0 11 quit Set the global TPID value to 0x9200 for intercommunication with the devices in the public network and configure Ethernet 1 0 12 as a trunk port permitting packets of...

Page 845: ...e basic principles are introduced here That is you need to configure the devices connecting to Ethernet 1 0 12 of Switch A and Ethernet 1 0 22 of Switch B to permit the corresponding ports to transmit...

Page 846: ...e QinQ feature you can configure inner to outer VLAN tag mapping according to which you can add different outer VLAN tags to the packets with different inner VLAN tags The selective QinQ feature makes...

Page 847: ...s in VLAN 201 to VLAN 300 and forward the packets to the VoIP device which is responsible for processing IP telephone services To guarantee the quality of voice packet transmission you can configure Q...

Page 848: ...e Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the selective QinQ feature vlan vpn selective enable Required By...

Page 849: ...tive QinQ Network diagram Figure 2 2 Network diagram for selective QinQ configuration Public Network VLAN1000 VLAN1200 PC User VLAN100 108 IP Phone User VLAN200 230 Eth1 0 3 Eth1 0 5 For PC User VLAN1...

Page 850: ...vlan vpn selective enable After the above configuration packets of VLAN 100 through VLAN 108 that is packets of PC users are tagged with the tag of VLAN 1000 as the outer VLAN tag when they are forwa...

Page 851: ...onfiguration Switch B can forward packets of VLAN 1000 and VLAN 1200 to the corresponding servers through Ethernet 1 0 12 and Ethernet 1 0 13 respectively To make the packets from the servers be trans...

Page 852: ...ets be transmitted across the provider s network without getting involved in the computation of the public network The BPDU Tunnel feature is designed to address the above requirements It enables some...

Page 853: ...ts destination address is called a tunnel packet In the service provider network the tunnel packet can be forwarded as a normal data packet z Before the device in the service provider network forwards...

Page 854: ...otocol NTDP neighbor topology discovery protocol cluster MRC cluster member remote control and HABP Huawei authentication bypass protocol z Proprietary protocols of other vendors including CDP CISCO d...

Page 855: ...make sure that NDP and NTDP are not enabled on any port in an aggregation group before enabling the service provider network to use aggregation group to transmit HGMP packets through BPDU tunnels z Th...

Page 856: ...e for STP BPDUs on Ethernet1 0 1 Sysname Ethernet1 0 1 bpdu tunnel stp Enable the VLAN VPN feature on Ethernet1 0 1 and use VLAN 100 to transmit user data packets through BPDU tunnels Sysname Ethernet...

Page 857: ...ernet1 0 4 vlan vpn enable Configure the destination MAC address for the packets transmitted in the tunnel Sysname Ethernet1 0 4 quit Sysname bpdu tunnel tunnel dmac 010f e233 8b22 Configure Ethernet1...

Page 858: ...Mapping Configuration Task List 1 4 Configuring a Global One to One VLAN Mapping Rule 1 4 Configuring a Port Level One to One VLAN Mapping Rule 1 5 Configuring Many to One VLAN Mapping 1 5 Configurin...

Page 859: ...ts of the two VLAN mapping types Implementation and Application of One to one VLAN mapping One to one VLAN mapping maps traffic from one VLAN to another VLAN for transmission On an S3100 EI switch you...

Page 860: ...VLAN mapping can map uplink traffic streams from multiple original VLANs to the same target VLAN and can correctly restore the original VLANs for downlink traffic streams z In the uplink direction yo...

Page 861: ...y to one VLAN mapping network the DHCP server is usually deployed above the distribution layer To record the client information correctly the DHCP server must know the port through which a user is con...

Page 862: ...u cannot enable one to one VLAN mapping on any other port z One to one VLAN mapping is mutually exclusive with VLAN ID marking z One to one VLAN mapping is mutually exclusive with IP filtering For mor...

Page 863: ...to one VLAN mapping rule is configured and one to one VLAN mapping is disabled on all ports z In a one to one VLAN mapping rule one original VLAN can be mapped to only one target VLAN and vice versa...

Page 864: ...inal VLAN information dhcp snooping information ignore vlanmapping Required By default this function is disabled and option 82 carries the target VLAN information Enter Ethernet port view of the downl...

Page 865: ...ts from original VLANs from a user and forward the traffic from the target VLANs from the distribution switch Ethernet 1 0 1 should be a trunk or hybrid port Configure Ethernet 1 0 1 as a hybrid port...

Page 866: ...ng vlan 3 remark 1003 SwitchA Ethernet1 0 1 quit Configure one to one VLAN mapping on port Ethernet 1 0 2 in the same way SwitchA interface Ethernet 1 0 12 SwitchA Ethernet1 0 12 vlan mapping vlan 1 r...

Page 867: ...y to one VLAN mapping rule on Ethernet 1 0 1 to map original VLANs 1 through 3 to target VLAN 1001 Sysname Ethernet1 0 1 vlan mapping n to 1 vlan 1 remark 1001 Sysname Ethernet1 0 1 vlan mapping n to...

Page 868: ...name dhcp snooping Sysname interface GigabitEthernet 1 1 1 Sysname GigabitEthernet1 1 1 dhcp snooping trust Sysname GigabitEthernet1 1 1 quit Configure DHCP snooping to support option 82 on Switch A S...

Page 869: ...onfiguration 1 4 HWPing Server Configuration 1 4 HWPing Client Configuration 1 4 Displaying HWPing Configuration 1 20 HWPing Configuration Examples 1 20 ICMP Test 1 20 DHCP Test 1 21 FTP Test 1 23 HTT...

Page 870: ...ient and sometimes the corresponding HWPing servers as well to perform various HWPing tests All HWPing tests are initiated by an HWPing client and you can view the test results on the HWPing client on...

Page 871: ...jitter test you must specify a destination port number and the destination port number must be the port number of a TCP or UDP listening service configured on the HWPing server Source interface sourc...

Page 872: ...ng discards some earliest records Automatic test interval frequency This parameter is used to set the interval at which the HWPing client periodically performs the same test automatically Probe timeou...

Page 873: ...e same for HWPing test types that need to configure HWPing server Follow these steps to perform HWPing server configurations To do Use the command Remarks Enter system view system view Enable the HWPi...

Page 874: ...re the number of probes per test count times Optional By default each test makes one probe Configure the packet size datasize size Optional By default the packet size is 56 bytes Configure a stuffing...

Page 875: ...e times out in three seconds Configure the type of service ToS tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping results ad...

Page 876: ...s Configure statistics interval and the maximum number of retained statistics information statistics interval interval max group number Optional By default statistics interval is 120 minutes and up to...

Page 877: ...m number is 50 Enable history record history record enable Optional By default history record is not enabled Configure the retaining time of history record history keep time keep time Optional By defa...

Page 878: ...isplay hwping results admin name operation tag Required You can execute the command in any view 4 Configuring HTTP test on HWPing client Follow these steps to configure HTTP test on HWPing client To d...

Page 879: ...ned statistics information statistics interval interval max group number Optional By default statistics interval is 120 minutes and up to two pieces of statistics information can be retained Configure...

Page 880: ...group and enter its view hwping administrator name operation tag Required By default no test group is configured Configure the test type test type jitter codec codec value Required By default the test...

Page 881: ...tistics information statistics keep time keep time Optional By default the retaining time of statistics information is 120 minutes Configure test start time and lifetime test time begin hh mm ss yyyy...

Page 882: ...no destination address is configured Configure the source IP address source ip ip address Optional By default no source IP address is configured Configure the source port source port port number Opti...

Page 883: ...default a probe times out in three seconds Configure the type of service tos value Optional By default the service type is zero Start the test test enable Required Display test results display hwping...

Page 884: ...tory records number Optional By default the maximum number is 50 Configure the retaining time of history record history keep time keep time Optional By default the retaining time of history record is...

Page 885: ...rt destination port port number z Required in a Udpprivate test z A Udppublic test is a UDP connection test on port 7 Use the hwping server udpecho ip address 7 command on the server to configure the...

Page 886: ...table bypass is disabled Configure the TTL ttl number Optional By default TTL is 20 The sendpacket passroute command voids the ttl command Configure the automatic test interval frequency interval Opt...

Page 887: ...es and up to two pieces of statistics information can be retained Configure the retaining time of statistics information statistics keep time keep time Optional By default the retaining time of statis...

Page 888: ...messages are generated regardless of whether the HWPing test succeeds or fails You can specify whether to output Trap messages by enabling disabling Trap sending Follow these steps to configure the H...

Page 889: ...ystem view Sysname hwping agent enable Create an HWPing test group setting the administrator name to administrator and test tag to ICMP Sysname hwping administrator icmp Configure the test type as icm...

Page 890: ...d manual DHCP Test Network requirements The HWPing client is an H3C S3100 series Ethernet switch while the DHCP server can be an H3C S5600 series Ethernet switch Perform an HWPing DHCP test between th...

Page 891: ...al delay 0 DS Maximal delay 0 Packet lost in test 0 Disconnect operation number 0 Operation timeout number 0 System busy operation number 0 Connection fail number 0 Operation sequence errors 0 Drop op...

Page 892: ...or and test tag to FTP Sysname hwping administrator ftp Configure the test type as ftp Sysname hwping administrator ftp test type ftp Configure the IP address of the FTP server as 10 2 2 2 Sysname hwp...

Page 893: ...ry admin administrator tag ftp history record Index Response Status LastRC Time 1 15822 1 0 2000 04 03 04 00 34 6 2 15772 1 0 2000 04 03 04 00 18 8 3 9945 1 0 2000 04 03 04 00 02 9 4 15891 1 0 2000 04...

Page 894: ...be timeout time to 30 seconds Sysname hwping administrator http timeout 30 Enable the saving of history records and set the maximum number of history records that can be saved to 10 Sysname hwping adm...

Page 895: ...04 02 15 15 52 4 8 3 1 0 2000 04 02 15 15 52 4 9 2 1 0 2000 04 02 15 15 52 4 10 2 1 0 2000 04 02 15 15 52 4 For detailed output description see the corresponding command manual When you use H3C S3100...

Page 896: ...ng administrator Jitter history record enable Sysname hwping administrator Jitter history records 10 Start the test Sysname hwping administrator Jitter test enable Display test results Sysname hwping...

Page 897: ...5 8 263 1 0 2000 04 02 08 14 56 2 9 270 1 0 2000 04 02 08 14 56 0 10 275 1 0 2000 04 02 08 14 55 7 For detailed output description see the corresponding command manual SNMP Test Network requirements...

Page 898: ...cords and set the maximum number of history records that can be saved to 10 Sysname hwping administrator snmp history record enable Sysname hwping administrator snmp history records 10 Start the test...

Page 899: ...on Sysname system view Sysname hwping server enable Sysname hwping server tcpconnect 10 2 2 2 8000 z Configure HWPing Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent...

Page 900: ...HWPing entry admin administrator tag tcpprivate history record Index Response Status LastRC Time 1 4 1 0 2000 04 02 08 26 02 9 2 5 1 0 2000 04 02 08 26 02 8 3 4 1 0 2000 04 02 08 26 02 8 4 5 1 0 2000...

Page 901: ...g administrator udpprivate history record enable Sysname hwping administrator udpprivate history records 10 Start the test Sysname hwping administrator udpprivate test enable Display test results Sysn...

Page 902: ...Client Switch A Enable the HWPing client Sysname system view Sysname hwping agent enable Create an HWPing test group setting the administrator name to administrator and test tag to dns Sysname hwping...

Page 903: ...Drop operation number 0 Other operation errors 0 Dns result DNS Resolve Current Time 10 DNS Resolve Min Time 6 DNS Resolve Times 10 DNS Resolve Max Time 10 DNS Resolve Timeout Times 0 DNS Resolve Fail...

Page 904: ...18 Configuring the Hop Limit of ICMPv6 Reply Packets 1 18 Configuring ND Snooping 1 18 Configuring the ND Detection 1 19 Configuring DHCPv6 Snooping 1 20 Configuring IPv6 Filtering 1 21 Configuring I...

Page 905: ...e significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits IPv6 Features Header format simplification IPv6 cuts down some IPv4 header fields or...

Page 906: ...s Support for QoS The Flow Label field in the IPv6 header allows the device to label packets in a flow and provide special handling for these packets Enhanced neighbor discovery mechanism The IPv6 nei...

Page 907: ...address An identifier for a single interface similar to an IPv4 unicast address A packet sent to a unicast address is delivered to the interface identified by that address z Multicast address An ident...

Page 908: ...y node Before acquiring a valid IPv6 address a node may fill this address in the source address field of an IPv6 packet but may not use it as a destination IPv6 address Multicast address Multicast add...

Page 909: ...ion Used to acquire the link layer address of a neighbor Used to verify whether the neighbor is reachable Neighbor solicitation NS message Used to perform a duplicate address detection Used to respond...

Page 910: ...ess of node B The NS message contains the link layer address of node A 2 After receiving the NS message node B judges whether the destination address of the packet is the corresponding solicited node...

Page 911: ...support ND snooping The ND snooping feature is used in Layer 2 switching networks It creates ND snooping entries using NS messages ND snooping entries are used to z Cooperate with the ND detection fun...

Page 912: ...is received the device stops sending out DAD NS messages and updates the corresponding entry If no corresponding NA message is received within five seconds after the first DAD NS message is sent the d...

Page 913: ...y intercept and modify the communication information Figure 1 5 ND attack diagram Switch Host A Host B IP_A MAC_A IP_B MAC_B IP_C MAC_C Host C Forged ND packets Forged ND packets A forged ND packet ha...

Page 914: ...e static binding command For more information see Configuring IPv6 Filtering z The security entry of DHCPv6 snooping is generated automatically through DHCPv6 snooping itself For more information see...

Page 915: ...igure 1 6 Configure trusted and untrusted ports Trusted DHCPv6 server DHCPv6 snooping Untrusted Untrusted Unauthorized DHCPv6 server DHCPv6 client DHCPv6 reply messages As shown in Figure 1 6 a DHCPv6...

Page 916: ...about ND snooping refer to Introduction to ND Snooping Introduction to IPv6 DNS In the IPv6 network a domain name system DNS supporting IPv6 converts domain names into IPv6 addresses Different from a...

Page 917: ...ute Optional Configuring IPv6 TCP Properties Optional Configuring the Maximum Number of IPv6 ICMP Error Packets Sent within a Specified Time Optional Configuring the Hop Limit of ICMPv6 Reply Packets...

Page 918: ...an IPv6 address ipv6 address ipv6 address prefix length ipv6 address prefix length Configure an IPv6 global unicast address or site local address Adopt the EUI 64 format to form an IPv6 address ipv6...

Page 919: ...cal address because the system automatically generates one for the interface If no IPv6 site local address or global unicast address is configured the interface has no link local address Configuring I...

Page 920: ...ge for duplicate address detection To do Use the command Remarks Enter system view system view Enter VLAN interface view interface interface type interface number Configure the attempts to send an NS...

Page 921: ...et is sent the synwait timer is triggered If no response packet is received before the synwait timer expires the IPv6 TCP connection establishment fails z finwait timer When the IPv6 TCP connection st...

Page 922: ...CMP error packets cannot be sent out until new tokens are put into the token bucket based on the specified update frequency Table 1 13 Configure the maximum number of IPv6 ICMP error packets sent with...

Page 923: ...s a large number of ND snooping entries the system resources will be consumed To prevent such a problem you can configure the uplink port as an ND snooping uplink port Follow these steps to configure...

Page 924: ...DHCPv6 snooping Follow these steps to configure DHCPv6 snooping To do Use the command Remarks Enter system view system view Enable DHCPv6 snooping dhcp snooping ipv6 enable Required Disabled by defau...

Page 925: ...oping ipv6 information enable Required Not enabled by default Specify the DHCPv6 option supported by DHCPv6 snooping dhcp snooping ipv6 information option 18 37 Required Option 37 is specified by defa...

Page 926: ...essage can be sent to the correct server for resolution The system can support at most six DNS servers You can configure a domain name suffix so that you only need to enter some fields of a domain nam...

Page 927: ...tion related to a specified socket display ipv6 socket socktype socket type task id socket id Available in any view Display the statistics of IPv6 packets and IPv6 ICMP packets display ipv6 statistics...

Page 928: ...g to VLAN 1 IPv6 addresses are configured for the interface Vlan interface1 on each switch to verify the connectivity between the two switches The global unicast address of Switch A is 3001 1 64 and t...

Page 929: ...s FE80 2E0 FCFF FE00 2006 Global unicast address es 3001 2 subnet is 3001 64 Joined group address es FF02 1 FF00 2 FF02 1 FF00 2006 FF02 1 MTU is 1500 bytes ND DAD is enabled number of DAD attempts 1...

Page 930: ...p limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 3 hop limit 64 time 6 ms Reply from 3001 2 bytes 56 Sequence 4 hop limit 64 time 5 ms Reply from 3001 2 bytes 56 Sequence 5 hop limit 64 time 6...

Page 931: ...user legality and to ensure the packets of legal users can be forwarded normally while those of illegal users are discarded Networking diagram Figure 1 10 Networking diagram for ND detection configur...

Page 932: ...1 1 64 and the MAC address of Client B is 0001 0203 0406 z Enable DHCPv6 snooping on the switch B and specify Ethernet 1 0 1 as the DHCPv6 snooping trusted port z Enable IPv6 filtering on Ethernet 1 0...

Page 933: ...et1 0 2 quit SwitchB interface Ethernet1 0 3 SwitchB Ethernet1 0 3 ipv6 check source ip address mac address SwitchB Ethernet1 0 3 quit SwitchB interface Ethernet1 0 4 SwitchB Ethernet1 0 4 ipv6 check...

Page 934: ...ails about the ping command refer to System Maintenance and Debugging After you execute the ping ipv6 command you can press Ctrl C to terminate the ping operation Table 2 1 Ping IPv6 To do Use the com...

Page 935: ...ICMP error message and understands that the packet has reached the destination and thus determines the route of the packet from source to destination Table 2 2 Traceroute IPv6 To do Use the command R...

Page 936: ...Device A is the Telnet client and Device B is the Telnet server Figure 2 2 Provide Telnet services Configuration prerequisites Enable Telnet on the Telnet server and configure the authentication metho...

Page 937: ...64 3001 3 64 Telnet_Server TFTP_Server Configuration procedure You need configure IPv6 address at the switch s and server s interfaces and ensure that the route between the switch and the server is a...

Page 938: ...emote Destination Symptom Unable to ping a remote destination and return an error message Solution z Check that the IPv6 addresses are configured correctly z Use the display ipv6 interface command to...

Page 939: ...ck it by running the dir command in user view z Check that the ACL configured for the TFTP server does not block the connection to the TFTP server Unable to Run Telnet Symptom Unable to login to Telne...

Page 940: ...nfiguring Domain Name Resolution 1 2 Configuring Static Domain Name Resolution 1 2 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining DNS 1 3 DNS Configuration Example 1 4 Stati...

Page 941: ...tatic Domain Name Resolution The static domain name resolution means manually setting up mappings between domain names and IP addresses IP addresses of the corresponding domain names can be found in t...

Page 942: ...is not complete The resolver can supply the missing part automatic domain name addition For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the...

Page 943: ...ay configure up to six DNS servers and ten DNS suffixes Displaying and Maintaining DNS After the above configuration you can execute the display command and the nslookup type command in any view to di...

Page 944: ...Sysname system view Sysname ip host host com 10 1 1 2 Execute the ping host com command to verify that the device can use static domain name resolution to get the IP address 10 1 1 2 corresponding to...

Page 945: ...ations are done on the devices For the IP addresses of the interfaces see the figure above z There is a mapping between domain name host and IP address 3 1 1 1 16 on the DNS server z The DNS server wo...

Page 946: ...abling the dynamic domain name resolution the user cannot get the correct IP address Solution z Use the display dns dynamic host command to check that the specified domain name is in the cache z If th...

Page 947: ...nd Debugging Smart Link 1 6 Smart Link Configuration Example 1 7 Implementing Link Redundancy Backup 1 7 2 Monitor Link Configuration 2 1 Introduction to Monitor Link 2 1 How Monitor Link Works 2 2 Co...

Page 948: ...emand Smart Link has the following features z Active standby backup for dual uplink networking z Simple configuration and operation Basic Concepts in Smart Link Smart Link group A Smart Link group con...

Page 949: ...sends flush messages to notify other devices to refresh MAC address forwarding entries and ARP entries Control VLAN for sending flush messages This control VLAN sends flush messages When link switchi...

Page 950: ...device to send flush messages to notify the other devices in the network to refresh their own MAC forwarding entries and ARP entries In this case all the uplink devices must be capable of identifying...

Page 951: ...n group as a member of a Smart Link group Table 1 2 Configure Smart Link with ports as the members of the Smart Link group Operation Command Remarks Enter system view system view Create a Smart Link g...

Page 952: ...n Ethernet 1 0 2 and Ethernet 1 0 3 of Switch C Ethernet 1 0 2 and Ethernet 1 0 3 of Switch D and Ethernet 11 0 1 and Ethernet 1 0 12 of Switch E Table 1 4 Enable the specified port to process flush m...

Page 953: ...be synchronized to the other ports in the aggregation group automatically that is the other member ports in the aggregation group cannot process flush messages The function of processing flush messag...

Page 954: ...0 2 PC Switch D Switch E Eth1 0 3 Eth1 0 2 Eth1 0 1 Configuration procedure 1 Configure a Smart Link group on Switch A and configure member ports for it Enable the function of sending flush messages i...

Page 955: ...AN 1 on Ethernet 1 0 2 SwitchC smart link flush enable control vlan 1 port Ethernet 1 0 2 3 Enable the function of processing flush messages received from VLAN 1 on Switch D Enter system view SwitchD...

Page 956: ...up fails all the downlink ports in the Monitor Link group are forced down When the link for the uplink port recovers all the downlink ports in the group are re enabled Figure 2 1 Network diagram for a...

Page 957: ...configured with Smart Link group operates normally Actually however the traffic on Switch A cannot be up linked to Switch E through the link of Ethernet1 0 1 z If Switch C is configured with Monitor...

Page 958: ...link Port Required Configuring a Downlink Port Required Creating a Monitor Link Group Table 2 2 Create a Monitor Link group Operation Command Remarks Enter system view system view Create a Monitor Lin...

Page 959: ...specified Ethernet port as a downlink port of the Monitor Link group Ethernet port view port monitor link group group id downlink Required Use either approach z A Smart Link Monitor Link group with me...

Page 960: ...o access the server and Internet due to uplink link or port failure Network diagram Figure 2 3 Network diagram for Monitor Link configuration BLOCK Switch A Switch B Eth1 0 1 Eth1 0 2 Switch C Switch...

Page 961: ...C Enter system view SwitchC system view Create Monitor Link group 1 and enter Monitor Link group view SwitchC monitor link group 1 Configure Ethernet1 0 1 as the uplink port of the Monitor Link group...

Page 962: ...ttack Defense Based on 802 1x 3 Overview 3 Configuring 802 1x Based ARP IP Attack Defense 3 Configuring ARP Source MAC Address Consistency Check 4 Introduction 4 Enabling ARP Source MAC Address Consis...

Page 963: ...sent from the host to the gateway will be redirected to the fake MAC address and the client will be unable to access the external network Figure 1 1 Gateway spoofing attack To prevent gateway spoofing...

Page 964: ...based on gateway s IP address or based on gateway s IP and MAC addresses but not both on an Ethernet port Configuring the Maximum Number of Dynamic ARP Entries a VLAN Interface Can Learn Introduction...

Page 965: ...e feature of using IP to MAC bindings of authenticated 802 1x clients which obtain IP addresses through DHCP or manual assignment to implement ARP attack detection or IP filtering The feature avoids c...

Page 966: ...authenticated 802 1x client is forced to go offline z IP filtering based on IP MAC bindings of authenticated 802 1x clients requires 802 1x clients to provide IP addresses otherwise the IP addresses...

Page 967: ...192 168 100 1 24 and 000D 88F8 528C To prevent gateway spoofing attacks from Host A and Host B configure ARP packet filtering based on the gateway s IP and MAC addresses on Switch Network Diagram Figu...

Page 968: ...nsistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header z Limit the number of dynamic ARP entries learned on VLAN inte...

Page 969: ...4 Network diagram for 802 1x based ARP IP attack defense Configuration Procedures Enter system view Switch system view Enable 802 1x authentication globally Switch dot1x Enable ARP attack detection fo...

Page 970: ...8 Switch interface ethernet1 0 1 Switch Ethernet1 0 1 dot1x Enable IP filtering based on IP MAC bindings of authenticated 802 1x clients Switch Ethernet1 0 1 ip check dot1x enable...

Page 971: ...Re Initialization Delay 1 7 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address 1 8 Setting Other LLDP Parameters 1 9 Setting an Encapsulation Format...

Page 972: ...DP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major...

Page 973: ...ng bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data unit LLDPDU FCS Frame check sequence a 32 bit CRC value used to determine the validity of the...

Page 974: ...nformation field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs and...

Page 975: ...N name on the port Protocol Identity Protocols supported on the port Currently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1...

Page 976: ...endpoint to advertise its vendor name Model Name Allows a MED endpoint to advertise its model name Asset ID Allows a MED endpoint to advertise its asset ID The typical case is that the user specifies...

Page 977: ...it interval resumes Receiving LLDP frames An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDP frame it receives for validity violation If valid the information...

Page 978: ...only receives LLDP frames z Disable mode A port in this mode does not send or receive LLDP frames Follow these steps to set LLDP operating mode To do Use the command Remarks Enter system view system v...

Page 979: ...ort description system capability system description system name dot1 tlv all port vlan id protocol vlan id vlan id vlan name vlan id dot3 tlv all link aggregation mac physic max frame size power med...

Page 980: ...l device can be saved on a neighbor device by setting the TTL multiplier The TTL is expressed as follows TTL Min 65535 TTL multiplier LLDPDU transmit interval As the expression shows the TTL can be up...

Page 981: ...ype interface number Required Set the encapsulation format for LLDPDUs to SNAP lldp encapsulation snap Required Ethernet II encapsulation format applies by default To restore the default use the undo...

Page 982: ...patible LLDP to operate in TxRx mode Follow these steps to enable LLDP to be compatible with CDP To do Use the command Remarks Enter system view system view Enable CDP compatibility globally lldp comp...

Page 983: ...the LLDP TLVs sent from neighboring devices display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics display lldp statistics glob...

Page 984: ...2 lldp enable SwitchA Ethernet1 0 2 lldp admin status rx SwitchA Ethernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on Ethernet1 0 1 you c...

Page 985: ...ional TLV 0 Number of received unknown TLV 3 As the sample output shows Ethernet 1 0 1 of Switch A connects a MED device and Ethernet 1 0 2 of Switch A connects a non MED device Both ports operate in...

Page 986: ...d unknown TLV 0 As shown in the sample output Ethernet 1 0 2 of Switch A does not connect any neighboring devices CDP Compatible LLDP Configuration Example Of the S3100 series only the S3100 EI series...

Page 987: ...on Switch A Enable LLDP globally and enable LLDP to be compatible with CDP globally SwitchA lldp enable SwitchA lldp compliance cdp Enable LLDP you can skip this step because LLDP is enabled on ports...

Page 988: ...G2 Platform Cisco IP Phone 7960 Duplex Full CDP neighbor information of port 2 Ethernet1 0 2 CDP neighbor index 2 Chassis ID SEP00141CBCDBFF Port ID Port 1 Sofrware version P0030301MFG2 Platform Cisco...

Page 989: ...Certificate Request in Manual Mode 1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring...

Page 990: ...tificate mechanism to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI...

Page 991: ...lish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of...

Page 992: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Page 993: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Page 994: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Page 995: ...icated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certificate...

Page 996: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Page 997: ...RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along w...

Page 998: ...send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of the certificate will be abnormal z The pki request cer...

Page 999: ...CRL checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verif...

Page 1000: ...CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the private key leaks or the certificate...

Page 1001: ...me by default Return to system view quit Create a certificate attribute based access control policy and enter its view pki certificate access control policy policy name Required No access control poli...

Page 1002: ...cate from a CA Running RSA Keon The CA server runs RSA Keon in this configuration example Network requirements z The device submits a local certificate request to the CA server z The device acquires t...

Page 1003: ...ame Switch Switch pki entity aaa quit z Configure the PKI domain Create PKI domain torsa and enter its view Switch pki domain torsa Configure the name of the trusted CA as myca Switch pki domain torsa...

Page 1004: ...ng CRL Please wait a while CRL retrieval success Request a local certificate manually Switch pki request certificate domain torsa challenge word Certificate is being requested please wait Certificate...

Page 1005: ...65A0D3F C4047BC2 9C391FF0 7383C4DF 9A0CCFA9 231428AF 987B029C C857AD96 E4C92441 9382E798 8FCC1E4A 3E598D81 96476875 E2F86C33 75B51661 B6556C5E 8F546E97 5197734B C8C29AC7 E427C8E4 B9AAF5AA 80A75B3C You...

Page 1006: ...From the start menu select Control Panel Administrative Tools Internet Information Services IIS Manager and then select Web Sites from the navigation tree Right click on Default Web Site and select Pr...

Page 1007: ...4DCE 439C 1C1F 83AB SHA1 fingerprint 97E5 DDED AB39 3141 75FB DB5C E7F8 D7D7 7C9B 97B4 Is the finger print correct Y N y Saving CA RA certificates chain please wait a moment CA certificates retrieval...

Page 1008: ...4A663E75 F416B6F6 D41EE4FE X509v3 CRL Distribution Points URI http l00192b CertEnroll CA 20server crl URI file l00192b CertEnroll CA server crl Authority Information Access CA Issuers URI http l00192b...

Page 1009: ...proper For example the network cable may be damaged or loose z No CA certificate has been retrieved z The current key pair has been bound to a certificate z No trusted CA is specified z The URL of th...

Page 1010: ...ed z The LDAP server version is wrong Solution z Make sure that the network connection is physically proper z Retrieve a CA certificate z Specify the IP address of the LDAP server z Specify the CRL di...

Page 1011: ...List 1 2 Configuring an SSL Server Policy 1 2 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuratio...

Page 1012: ...and the client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Page 1013: ...nd master secret z SSL change cipher spec protocol Used for notification between a client and the server that the subsequent packets are to be protected and transmitted based on the newly negotiated c...

Page 1014: ...rver policy Specify the cipher suite s for the SSL server policy to support ciphersuite rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4_128_md5 rsa_rc4_128_sha Opt...

Page 1015: ...0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z The switch offers Web authentication to preform access authentication for clients z The clien...

Page 1016: ...nt verify enable Switch ssl server policy myssl quit 3 Configure Web authentication Set the IP address and port number of the Web authentication server Switch system view Switch web authentication web...

Page 1017: ...ing steps to access the Internet Step 1 Enter http 10 10 10 10 8080 in the address column of IE Step 2 Enter the correct user name and password and then click login The following page will be displaye...

Page 1018: ...name all Available in any view Troubleshooting SSL SSL Handshake Failure Symptom As the SSL server the device fails to handshake with the SSL client Analysis SSL handshake failure may result from the...

Page 1019: ...ot be trusted request and install a certificate for the client 2 You can use the display ssl server policy command to view the cipher suite used by the SSL server policy If the cipher suite used by th...

Page 1020: ...1 1 Associating the HTTPS Service with an SSL Server Policy 1 2 Enabling the HTTPS Service 1 2 Associating the HTTPS Service with a Certificate Attribute Access Control Policy 1 3 Associating the HTTP...

Page 1021: ...clients to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing th...

Page 1022: ...e through the Web function only when the HTTPS service is enabled Follow these steps to enable the HTTPS service To do Use the command Remarks Enter system view system view Enable the HTTPS service ip...

Page 1023: ...access control policy z If the HTTPS service is associated with a certificate attribute access control policy the client verify enable command must be configured in the SSL server policy Otherwise the...

Page 1024: ...ocedure Perform the following configurations on Device 1 Apply for a certificate for Device Configure a PKI entity Device system view Device pki entity en Device pki entity en common name http server1...

Page 1025: ...licy myacp and create a control rule Device pki certificate access control policy myacp Device pki cert acp myacp rule 1 permit mygroup1 Device pki cert acp myacp quit 4 Reference an SSL server policy...

Page 1026: ...Basic Ethernet OAM Functions 1 6 Configuring the Ethernet OAM Connection Detection Timers 1 6 Configuring Link Monitoring 1 7 Configuring Errored Symbol Event Detection 1 7 Configuring Errored Frame...

Page 1027: ...s is why an effective management and maintenance mechanism for Ethernet has been absent all along hindering the usage of Ethernet in MANs and WANs Implementing Operation Administration and Maintenance...

Page 1028: ...ed by bridges Ethernet OAMPDUs cannot be forwarded Source addr Source MAC address of the Ethernet OAMPDU It is the bridge MAC address of the sending side and is a unicast MAC address Type Type of the...

Page 1029: ...interconnected OAM entities notify the peer of their OAM configuration information and the OAM capabilities of the local nodes by exchanging Information OAMPDUs and determine whether Ethernet OAM conn...

Page 1030: ...k faults in various environments Ethernet OAM implements link monitoring through the exchange of Event Notification OAMPDUs Upon detecting a link error event listed in Table 1 4 the local OAM entity s...

Page 1031: ...Table 1 5 Critical link error events Ethernet OAM link events Description Link Fault Peer link signal is lost Dying Gasp An unexpected fault such as power failure occurred Critical event An undetermi...

Page 1032: ...erating mode oam mode active passive Optional The default is active Ethernet OAM mode Enable Ethernet OAM on the current port oam enable Required Ethernet OAM is disabled by default To change the Ethe...

Page 1033: ...toring After Ethernet OAM connections are established the link monitoring periods and thresholds configured in this section take effect on all Ethernet ports automatically Configuring Errored Symbol E...

Page 1034: ...riod period value Optional 1000 milliseconds by default Configure the errored frame period event triggering threshold oam errored frame period threshold threshold value Optional 1 by default Configuri...

Page 1035: ...ilable only on full duplex links that support remote loopback at both ends z Ethernet OAM remote loopback needs the support of the peer hardware z Enabling Ethernet OAM remote loopback interrupts data...

Page 1036: ...rror events reset oam interface interface type interface number Available in user view only Ethernet OAM Configuration Example Network requirements z Enable Ethernet OAM on Device A and Device B to au...

Page 1037: ...tput information the detection period of errored frame events is 20 seconds the detection threshold is 10 seconds and all the other parameters use the default values You can use the display oam critic...

Page 1038: ...1 12 The above information indicates that 35 errors occurred since Ethernet OAM is enabled on Device A 17 of which are caused by error frames The link is instable...

Page 1039: ...CFD Settings 1 6 Enabling CFD 1 6 Configuring the CFD Protocol Version 1 6 Configuring Service Instances 1 6 Configuring MEPs 1 7 Configuring MIP Generation Rules 1 7 Configuring CFD Functions 1 9 Co...

Page 1040: ...role The MD boundary is defined by some maintenance association end points MEPs configured on the ports An MD is identified by an MD name To accurately locate faults CFD introduces eight levels from...

Page 1041: ...sociation end points MEPs and maintenance association intermediate points MIPs z MEP Each MEP is identified by an integer called a MEP ID The MEPs of an MD define the range and boundary of the MD The...

Page 1042: ...an perform a function similar to ping and traceroute Like a MEP a MIP forwards packets at a higher level without any processing and only processes packet of its level or lower Figure 1 4 demonstrates...

Page 1043: ...e z Continuity check CC z Loopback LB z Linktrace LT Continuity check Continuity check is responsible for checking the connectivity between MEPs Connectivity faults are usually caused by device faults...

Page 1044: ...e following tasks z Grade the MDs in the entire network and define the boundary of each MD z Assign a name for each MD Make sure that the same MD has the same name on different devices z Define the MA...

Page 1045: ...ame MD must use the same CFD protocol version otherwise they cannot exchange CFD protocol packets Follow these steps to configure the CFD protocol version To do Use the command Remarks Enter system vi...

Page 1046: ...P Before creating MEPs configure the MEP list first An MEP list is a collection of local MEPs allowed to be configured in an MA and the remote MEPs to be monitored Follow these steps to configure a ME...

Page 1047: ...steps to configure the rules for generating MIPs To do Use the command Remarks Enter system view system view Configure the rules for generating MIPs cfd mip rule explicit default service instance inst...

Page 1048: ...y default The relationship between the interval field value in the CCM messages the interval between CCM messages and the timeout time of the remote MEP is illustrated in Table 1 1 Table 1 1 Relations...

Page 1049: ...nd the TTL field in the LTMs set to the maximum value 255 will be sent out Based on the LTRs that echo back the fault source can be located Follow these steps to configure LT on MEPs To do Use the com...

Page 1050: ...belong to VLAN 100 and the MAs in the two MDs all serve VLAN 100 z In MD_A there are three edge ports Ethernet 1 0 1 on Device A Ethernet 1 0 3 on Device D and Ethernet 1 0 4 on Device E configure in...

Page 1051: ...cfd service instance 1 md MD_A ma MA_A Configure Device E as you configure Device A Create MD_A level 5 on Device B create MA_A which serves VLAN 100 in MD_A and then create service instance 1 for MD...

Page 1052: ...fd meplist 1001 4002 5001 service instance 1 DeviceD cfd meplist 2001 4001 service instance 2 DeviceD interface ethernet 1 0 1 DeviceD Ethernet1 0 1 cfd mep 4001 service instance 2 outbound DeviceD Et...

Page 1053: ...etects a link fault you can use the LB function to locate the fault For example Enable LB on Device A to check the status of the link between MEP 1001 and MEP 5001 in service instance 1 DeviceA cfd lo...

Page 1054: ...i Table of Contents Appendix A Acronyms A 1...

Page 1055: ...DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GARP Generic Attribute Registration P...

Page 1056: ...AM Nonvolatile RAM O OSPF Open Shortest Path First P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode PKI Public Ke...

Page 1057: ...A 3 TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin X XID eXchange Identification XRN eXpandable Resilient Networking...

Search results

Summary of Contents for S3100 Series

Reviews:

Related manuals for S3100 Series

Brands by name

Popular brands

H3C S3100 Series, Operation Manual

Search results

Summary of Contents for S3100 Series

Reviews:

Related manuals for S3100 Series

Brands by name

Popular brands