manualshive.com logo in svg

H3C S5120-SI Series, Operation Manual

Share
Download
H3C S5120-SI Series Operation Manual Download Page 435

 

1-20 

(Omitted) 

You can also use some other 

display

 commands to view detailed information about the CA certificate. 

Refer to the 

display pki certificate ca

 

domain

 command in 

PKI Commands

Configuring a Certificate Attribute-Based Access Control Policy 

Network requirements 

z

 

The client accesses the remote HTTP Security (HTTPS) server through the HTTPS protocol. 

z

 

SSL is configured to ensure that only legal clients log into the HTTPS server. 

z

 

Create a certificate attribute-based access control policy to control access to the HTTPS server. 

Figure 1-4 

Configure a certificate attribute-based access control policy 

   

 

 

Configuration procedure 

 

 

z

 

For detailed information about SSL configuration, refer to 

SSL Configuration

z

 

For detailed information about HTTPS configuration, refer to 

HTTP Configuration

z

 

The PKI domain to be referenced by the SSL policy must be created in advance. For detailed 

configuration of the PKI domain, refer to 

Configure the PKI domain

 

1)  Configure the HTTPS server 

# Configure the SSL policy for the HTTPS server to use. 

<Switch> system-view 

[Switch] ssl server-policy myssl 

[Switch-ssl-server-policy-myssl] pki-domain 1 

[Switch-ssl-server-policy-myssl]

 

client-verify enable 

[Switch-ssl-server-policy-myssl] quit 

2)  Configure the certificate attribute group 

# Create certificate attribute group 

mygroup1 

and add two attribute rules. The first rule defines that the 

DN of the subject name includes the string 

aabbcc

, and the second rule defines that the IP address of 

the certificate issuer is 10.0.0.1.  

[Switch] pki certificate attribute-group mygroup1 

[Switch-pki-cert-attribute-group-mygroup1] attribute 1 subject-name dn ctn aabbcc 

[Switch-pki-cert-attribute-group-mygroup1] attribute 2 issuer-name ip equ 10.0.0.1 

Summary of Contents for S5120-SI Series

Page 1: ...H3C S5120 SI Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 6W101 20090625 Product Version Release 1101...

Page 2: ...G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective o...

Page 3: ...tion 10 IP Addressing Introduces IP address configuration 11 IP Performance Optimization Introduces IP performance fundamental and the related configuration 12 ARP Introduces ARP and the related confi...

Page 4: ...g table management and the related configuration 36 Cluster Management Introduces the configuration of Cluster and the related configuration 37 HTTP Introduces the configuration of HTTP and HTTPS 38 S...

Page 5: ...r Symbols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment Mean...

Page 6: ...Provides information about products and technologies as well as solutions Technical Support Document Technical Documents Provides several categories of product documentation such as installation conf...

Page 7: ...e Release Notes 1 1 2 Correspondence Between Documentation and Software 2 1 Software Version 2 1 Manual List 2 1 3 Product Features 3 1 Introduction to Product 3 1 Feature Lists 3 1 Features 3 1 4 Net...

Page 8: ...the H3C website Table 1 1 Download documentation from the H3C website How to apply for an account Access the homepage of H3C at http www h3c com and click Registration at the top right In the displaye...

Page 9: ...C S5120 SI Series Ethernet Switches Command Manual are for the software version of Release 1101 of the S5120 SI series products Manual List Table 2 1 H3C S5120 SI Series Ethernet Switches Installation...

Page 10: ...I series provide GE electrical interfaces for user access or low end switch convergence in the downlink direction Whereas in the uplink direction they are aggregated to large capacity Layer 3 switches...

Page 11: ...ace z Enabling Bridging on an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface 03 Loopback Interface and Null Interfa...

Page 12: ...c route overview z Static route configuration 17 Mulitcast z Multicast overview z IGMP Snooping overview z Configuring Basic Functions of IGMP Snooping z Configuring IGMP Snooping Port Functions z Con...

Page 13: ...agement z File system management z Configuration File Management 32 System Maintaining and Debugging z Maintenance and debugging overview z Maintenance and debugging configuration 33 Basic System Conf...

Page 14: ...s can be used for Gigabit to the Desktop GTTD access in enterprise networks and connecting data center server clusters Several typical networking applications are presented in this section Distributio...

Page 15: ...S5120 SI series can serve as access switches to provide large access bandwidth and high port density Figure 4 2 Application of the S5120 SI series at the access layer S9500 S7500E S5120 SI Access Cor...

Page 16: ...e 2 10 Console Port Login Configuration with Authentication Mode Being Scheme 2 11 Configuration Procedure 2 11 Configuration Example 2 13 3 Logging In Through Telnet SSH 3 1 Introduction 3 1 Telnet C...

Page 17: ...requisites 7 1 Controlling Telnet Users by Source IP Addresses 7 1 Controlling Telnet Users by Source and Destination IP Addresses 7 2 Controlling Telnet Users by Source MAC Addresses 7 3 Configuratio...

Page 18: ...r Interface Supported User Interfaces H3C S5120 SI series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port...

Page 19: ...lt Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user int...

Page 20: ...the screen length 0 command to disable the function to display information in pages Make terminal services available shell Optional By default terminal services are available in all user interfaces S...

Page 21: ...g examples take H3C as the command line prompt Introduction To log in through the Console port is the most common way to log in to a switch It is also the prerequisite to configure other login methods...

Page 22: ...PC to connect to the Console port launch a terminal emulation utility such as Terminal in Windows 3 X or HyperTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Fig...

Page 23: ...apters for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console...

Page 24: ...ion Set the timeout time of a user interface Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the connection to the Console port To establish the conne...

Page 25: ...AUX users Required Scheme Perform common configuration Perform common configuration for Console port login Optional Refer to Common Configuration for details Changes of the authentication mode of Cons...

Page 26: ...terminal services are available in all user interfaces Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You...

Page 27: ...onsole user at the following aspects z The user is not authenticated when logging in through the Console port z Commands of level 2 are available to user logging in to the AUX user interface z The bau...

Page 28: ...guration of the terminal emulation program running on the PC to make the configuration consistent with that on the switch Refer to Setting Up the Connection to the Console Port for details Console Por...

Page 29: ...cut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available to the user interface shell Optional...

Page 30: ...itch is configured to allow you to login through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the Console user at the following...

Page 31: ...Sysname ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Sysname ui aux0 history command max size 20 Set the timeout time of the AUX user interfa...

Page 32: ...tion password for the local user password simple cipher password Required Specify the service type for AUX users service type terminal Required Quit to system view quit Enter AUX user interface view u...

Page 33: ...ser interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the...

Page 34: ...through the Console port in the scheme mode Sysname ui aux0 authentication mode scheme Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines th...

Page 35: ...Server The IP address of the VLAN of the switch is configured and the route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured Re...

Page 36: ...view Sysname telnet server enable Sysname interface vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 Step 2 Before Telnet users can log in to the switch corresponding co...

Page 37: ...ssword Refer to Basic System Configuration for information about command hierarchy Telnetting to Another Switch from the Current Switch You can Telnet to another switch from the current switch In this...

Page 38: ...e 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Remarks Configure the command level available to users logging in to the VTY user interface Optional By...

Page 39: ...uration Perform common Telnet configuration Optional Refer to Table 3 2 Specify to perform local authentication or RADIUS authentication AAA configuration specifies whether to perform local authentica...

Page 40: ...a user interface Define a shortcut key for aborting tasks escape key default character Optional The default shortcut key combination for aborting tasks is Ctrl C Make terminal services available shell...

Page 41: ...want to perform the following configuration for Telnet users logging in to VTY 0 z Do not authenticate users logging in to VTY 0 z Commands of level 2 are available to users logging in to VTY 0 z Tel...

Page 42: ...password authentication mode password Required Set the local password set authentication password cipher simple password Required Configure the command level available to users logging in to the user...

Page 43: ...se the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in the password mode the command level available to users logging in to a switch depe...

Page 44: ...password Sysname ui vty0 authentication mode password Set the local password to 123456 in plain text Sysname ui vty0 set authentication password simple 123456 Specify commands of level 2 are availabl...

Page 45: ...local user password simple cipher password Required Specify the service type for VTY users service type telnet Required Quit to system view quit Enter one or more VTY user interface views user interf...

Page 46: ...d if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that if you configure to authenticate the users in th...

Page 47: ...rd of the local user to 123456 in plain text Sysname luser guest password simple 123456 Set the service type to Telnet Sysname luser guest service type Enter VTY 0 user interface view Sysname user int...

Page 48: ...en the switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web bas...

Page 49: ...tch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to ass...

Page 50: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 4 2 appears enter the user name and...

Page 51: ...anagement protocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 5 1 Requirements for log...

Page 52: ...es for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source IP address Interface for Telnet Packets The co...

Page 53: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Page 54: ...rolling Telnet Users by Source and Destination IP Addresses Telnet By source MAC addresses Through Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through bas...

Page 55: ...e implemented by advanced ACL an advanced ACL ranges from 3000 to 3999 For the definition of ACL refer to ACL Configuration Follow these steps to control Telnet users by source and destination IP addr...

Page 56: ...ule id permit deny rule string Required You can define rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type first number la...

Page 57: ...t Users by Source IP Addresses You can manage a H3C S5120 SI series Ethernet switch through network management software Network management users can access switches through SNMP You need to perform th...

Page 58: ...iew notify view notify view acl acl number snmp agent group v3 group name authentication privacy read view read view write view write view notify view notify view acl acl number Apply the ACL while co...

Page 59: ...name snmp agent usm user v2c h3cuser h3cgroup acl 2000 Controlling Web Users by Source IP Addresses The Ethernet switches support Web based remote management which allows Web users to access the switc...

Page 60: ...operation to force online Web users offline To do Use the command Remarks Force online Web users offline free web users all user id user id user name user name Required Use this command in user view C...

Page 61: ...7 8 Sysname ip http acl 2030...

Page 62: ...Group 1 3 Configuring an Auto negotiation Transmission Rate 1 4 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet port Statistics 1 6 Enabling Forwarding of Jumbo Frames 1...

Page 63: ...Similarly if you configure the transmission rate for an Ethernet port by using the speed command with the auto keyword specified the transmission rate is determined through auto negotiation too For a...

Page 64: ...ess and egress interfaces Follow these steps to enable flow control on an Ethernet port To do Use the command Remarks Enter system view system view Enter Ethernet port view interface interface type in...

Page 65: ...port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port group manual port group name Use either command If configured in Ethernet po...

Page 66: ...ate of the server group Server 1 Server 2 and Server 3 is 1000 Mbps and the transmission rate of GigabitEthernet 1 0 4 which provides access to the external network for the server group is 1000 Mbps t...

Page 67: ...valid if you enable the storm constrain for the interface For information about the storm constrain function see Configuring the Storm Constrain Function on an Follow these steps to set storm suppress...

Page 68: ...es Due to tremendous amount of traffic occurring on an Ethernet port it is likely that some frames greater than the standard Ethernet frame size are received Such frames called jumbo frames will be dr...

Page 69: ...bled by default Configure the interval for port loopback detection loopback detection interval time time Optional 30 seconds by default Enter Ethernet port view interface interface type interface numb...

Page 70: ...different from the remote MDI mode z When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto Follow these ste...

Page 71: ...eds the threshold Alternatively you can configure the storm suppression function to control a specific type of traffic As the function and the storm constrain function are mutually exclusive do not en...

Page 72: ...w the lower threshold from a point higher than the upper threshold Specify to send log when the traffic detected exceeds the upper threshold or drops down below the lower threshold from a point higher...

Page 73: ...on Available in any view Clear the statistics of an interface reset counters interface interface type interface number Available in user view Display the information about a manual port group or all t...

Page 74: ...nfiguration 1 1 Loopback Interface 1 1 Introduction to Loopback Interface 1 1 Configuring a Loopback Interface 1 2 Null Interface 1 2 Introduction to Null Interface 1 2 Configuring Null 0 Interface 1...

Page 75: ...ey are usually used as device identifications Therefore when you configure a rule on an authentication or security server to permit or deny packets generated by a device you can streamline the rule by...

Page 76: ...ull Interface Introduction to Null Interface A null interface is a completely software based logical interface A null interface is always up However you can neither use it to forward data packets nor...

Page 77: ...n text Optional By default the description of an interface is the interface name followed by the Interface string Displaying and Maintaining Loopback and Null Interfaces To do Use the command Remarks...

Page 78: ...atic Aggregation Group 1 5 Configuring a Dynamic Aggregation Group 1 6 Configuring an Aggregate Interface 1 7 Configuring the Description of an Aggregate Interface 1 7 Enabling LinkUp LinkDown Trap Ge...

Page 79: ...able connectivity because these member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate...

Page 80: ...he partner of its system LACP priority system MAC address LACP port priority port number and operational key Upon receiving an LACPDU the partner compares the received information with the information...

Page 81: ...plex high speed full duplex low speed half duplex high speed and half duplex low speed with full duplex high speed being the most preferred If two ports with the same duplex mode speed pair are presen...

Page 82: ...port with smaller port number is selected as the reference port z If a port in up state is with the same port attributes and class two configuration as the reference port and the peer port of the port...

Page 83: ...n Aggregate Interface Optional Configuring an Aggregation Group These ports cannot be assigned to 802 1X enabled ports Configuring a Static Aggregation Group Follow these steps to configure a Layer 2...

Page 84: ...e a Layer 2 aggregate interface and enter the Layer 2 aggregate interface view interface bridge aggregation interface number Required When you create a Layer 2 aggregate interface a Layer 2 static agg...

Page 85: ...nterface You can perform the following configurations for an aggregate interface z Configuring the Description of an Aggregate Interface z Enabling LinkUp LinkDown Trap Generation for an Aggregate Int...

Page 86: ...interface is brought up the selected state of the ports in the corresponding aggregation group is re calculated Follow these steps to shut down an aggregate interface To do Use the command Remarks En...

Page 87: ...d configure the port manually z Reference port Select a port as the reference port from the ports that are in up state and with the same class two configurations as the corresponding aggregate interfa...

Page 88: ...1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link aggregation group 1 DeviceA GigabitEthernet1 0 2 quit DeviceA interface gigabitethernet 1 0 3 DeviceA GigabitEther...

Page 89: ...Assign Layer 2 Ethernet interfaces GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to aggregation group 1 DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 port link aggregatio...

Page 90: ...tion 1 1 Introduction to Port Isolation 1 1 Configuring an Isolation Group for a Multiple Isolation Group Device 1 1 Adding a Port to an Isolation Group 1 1 Displaying and Maintaining Isolation Groups...

Page 91: ...n the same VLAN Layer 2 data transmission between ports within and outside the isolation group is supported Configuring an Isolation Group for a Multiple Isolation Group Device Adding a Port to an Iso...

Page 92: ...re connected to GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 of Device z Device provides access to the Internet through GigabitEthernet 1 0 4 z GigabitEthernet 1 0 1 GigabitEt...

Page 93: ...late enable group 2 Device GigabitEthernet1 0 2 quit Device interface gigabitethernet 1 0 3 Device GigabitEthernet1 0 3 port isolate enable group 2 Display information of isolation group 2 Device disp...

Page 94: ...on to Port Mirroring 1 1 Classification of Port Mirroring 1 1 Implementing Port Mirroring 1 1 Configuring Local Port Mirroring 1 2 Displaying and Maintaining Port Mirroring 1 3 Port Mirroring Configur...

Page 95: ...e mirroring port and the monitor port are located on the same device z In remote port mirroring the mirroring port and the monitor port can be located on the same device or different devices Currently...

Page 96: ...te a local mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interface interface type interface n...

Page 97: ...group group id local Available in any view Port Mirroring Configuration Examples Local Port Mirroring Configuration Example Network requirements On a network shown in Figure 1 2 z Department 1 is conn...

Page 98: ...oring group 1 mirroring port gigabitethernet 1 0 1 gigabitethernet 1 0 2 both DeviceC mirroring group 1 monitor port gigabitethernet 1 0 3 Display the configuration of all port mirroring groups Device...

Page 99: ...tion Delay 1 8 Enabling LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 8 Configuring the Management Address and Its Encoding Format 1 9 Setting Other LLDP Parameters 1 10 Setting the Encapsu...

Page 100: ...rafted the Link Layer Discovery Protocol LLDP in IEEE 802 1AB The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends lo...

Page 101: ...t have a MAC address the MAC address of the sending bridge is used Type The Ethernet type for the upper layer protocol It is 0x88CC for LLDP Data LLDP data FCS Frame check sequence a 32 bit CRC value...

Page 102: ...information field in octets and the value field contains the information itself LLDPDU TLVs fall into these categories basic management TLVs organizationally IEEE 802 1 and IEEE 802 3 specific TLVs a...

Page 103: ...ently H3C devices support receiving but not sending protocol identity TLVs 3 IEEE 802 3 organizationally specific TLVs Table 1 5 IEEE 802 3 organizationally specific TLVs Type Description MAC PHY Conf...

Page 104: ...e its asset ID The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking Location Identification Allows a network device to advert...

Page 105: ...ceiving LLDPDUs An LLDP enabled port operating in TxRx mode or Rx mode checks the TLVs carried in every LLDPDU it receives for validity violation If valid the information is saved and an aging timer i...

Page 106: ...oup view port group manual port group name Required Use either command Enable LLDP lldp enable Optional By default LLDP is enabled on a port Setting LLDP Operating Mode LLDP can operate in one of the...

Page 107: ...sends LLDPDUs to inform the neighboring devices of the change Follow these steps to enable LLDP polling To do Use the command Remarks Enter system view system view Enter Ethernet interface view inter...

Page 108: ...ng format of the management address as string on the connecting port to guarantee normal communication with the neighbor Follow these steps to configure a management address to be advertised and its e...

Page 109: ...mission is triggered lldp fast count count Optional 3 by default z The TTL can be up to 65535 seconds TTLs greater than it will be rounded down to 65535 seconds z LLDPDU transmit delay must be less th...

Page 110: ...isco IP phones As your LLDP enabled device cannot recognize CDP packets it does not respond to the requests of Cisco IP phones for the voice VLAN ID configured on the device This can cause a requestin...

Page 111: ...group view Enter port group view port group manual port group name Required Use either command Configure CDP compatible LLDP to operate in TxRx mode lldp compliance admin status cdp txrx Required By...

Page 112: ...splay the information contained in the LLDP TLVs received through a port display lldp neighbor information interface interface type interface number brief Available in any view Display LLDP statistics...

Page 113: ...ernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 setting the LLDP...

Page 114: ...D neighbors 0 Number of CDP neighbors 0 Number of sent optional TLV 0 Number of received unknown TLV 3 Tear down the link between Switch A and Switch B and then display the global LLDP status and port...

Page 115: ...o a Cisco IP phone z Configure voice VLAN 2 on Switch A Enable CDP compatibility of LLDP on Switch A to allow the Cisco IP phones to automatically configure the voice VLAN thus confining their voice t...

Page 116: ...rx SwitchA GigabitEthernet1 0 1 lldp compliance admin status cdp txrx SwitchA GigabitEthernet1 0 1 quit SwitchA interface gigabitethernet 1 0 2 SwitchA GigabitEthernet1 0 2 lldp enable SwitchA Gigabit...

Page 117: ...VLAN 1 8 Displaying and Maintaining VLAN 1 9 VLAN Configuration Example 1 9 2 Voice VLAN Configuration 2 1 Overview 2 1 Voice VLAN Assignment Modes 2 2 Security Mode and Normal Mode of Voice VLANs 2 3...

Page 118: ...VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from ea...

Page 119: ...SA field as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The...

Page 120: ...n a port at the same time When determining to which VLAN a packet passing through the port should be assigned the device looks up the VLANs in the default order of MAC based VLANs IP based VLANs proto...

Page 121: ...steps to configure basic settings of a VLAN interface To do Use the command Remarks Enter system view system view Create a VLAN interface and enter VLAN interface view interface vlan interface vlan in...

Page 122: ...connectivity Default VLAN By default VLAN 1 is the default VLAN for all ports You can configure the default VLAN for a port as required Use the following guidelines when configuring the default VLAN...

Page 123: ...is carried on the port z Drop the frame if its VLAN is not carried on the port Send the frame if its VLAN is carried on the port The frame is sent with the VLAN tag removed or intact depending on your...

Page 124: ...port access vlan vlan id Optional By default all access ports belong to VLAN 1 Before assigning an access port to a VLAN create the VLAN first Assigning a Trunk Port to a VLAN A trunk port can carry...

Page 125: ...do that on the aggregate interface it stops applying the configuration to the aggregation member ports If it fails to do that on an aggregation member port it simply skips the port and moves to the ne...

Page 126: ...guration to the aggregate interface and its aggregation member ports If the system fails to do that on the aggregate interface it stops applying the configuration to the aggregation member ports If it...

Page 127: ...mit vlan 1 Configure GigabitEthernet 1 0 1 to permit packets from VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through DeviceA GigabitEthernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wa...

Page 128: ...ytes 0 broadcasts 0 multicasts Input 0 input errors 0 runts 0 giants 0 throttles 0 CRC 0 frame 0 overruns 0 aborts 0 ignored 0 parity errors Output total 0 packets 0 bytes 0 broadcasts 0 multicasts 0...

Page 129: ...determines whether a received packet is a voice packet by checking its source MAC address A packet whose source MAC address complies with the voice device Organizationally Unique Identifier OUI addre...

Page 130: ...on the device The system will remove a port from the voice VLAN if no packet is received from the port after the aging time expires Assigning removing ports to from a voice VLAN are automatically perf...

Page 131: ...fic to realize the voice VLAN feature you must configure the default VLAN of the connecting port as the voice VLAN In this case 802 1X authentication function cannot be realized z The default VLANs fo...

Page 132: ...or the device it is forwarded in the voice VLAN otherwise it is dropped Security mode Packets carrying other tags Forwarded or dropped depending on whether the port allows packets of these VLANs to pa...

Page 133: ...tting a Port to Operate in Manual Voice VLAN Assignment Mode Follow these steps to set a port to operate in manual voice VLAN assignment mode To do Use the command Remarks Enter system view system vie...

Page 134: ...rt to the voice VLAN manually Displaying and Maintaining Voice VLAN To do Use the command Remarks Display the voice VLAN state display voice vlan state Available in any view Display the OUI addresses...

Page 135: ...ty mode DeviceA voice vlan security enable Configure the allowed OUI addresses as MAC addresses prefixed by 0011 2200 0000 In this way Device A identifies packets whose MAC addresses match any of the...

Page 136: ...Voice VLANs 1 Current Voice VLANs 1 Voice VLAN security mode Security Voice VLAN aging time 30 minutes Voice VLAN enabled port and its mode PORT VLAN MODE GigabitEthernet1 0 2 3 AUTO Manual Voice VLA...

Page 137: ...igabitEthernet 1 0 1 to permit the voice traffic of VLAN 2 to pass through untagged DeviceA GigabitEthernet1 0 1 port hybrid pvid vlan 2 DeviceA GigabitEthernet1 0 1 port hybrid vlan 2 untagged Enable...

Page 138: ...2 10 PORT VLAN MODE GigabitEthernet1 0 1 2 MANUAL...

Page 139: ...Switched Network 1 21 Configuring Timers of MSTP 1 21 Configuring the Timeout Factor 1 23 Configuring the Maximum Port Rate 1 23 Configuring Ports as Edge Ports 1 24 Setting the Link Type of a Port t...

Page 140: ...requisites 1 34 Configuration Procedure 1 34 Configuration Example 1 35 Configuring No Agreement Check 1 36 Configuration Prerequisites 1 37 Configuration Procedure 1 37 Configuration Example 1 38 Con...

Page 141: ...nd Multiple Spanning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Introduction to STP Why STP STP was developed based on the 802 1...

Page 142: ...root bridge is called the root port The root port is responsible for communication with the root bridge Each non root bridge has one and only one root port The root bridge has no root port Designated...

Page 143: ...spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Page 144: ...U has a lower priority than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the r...

Page 145: ...the ID of this device z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port r...

Page 146: ...port after comparison Device A z Port AP1 receives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received confi...

Page 147: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Page 148: ...ning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree AP1 AP2 Device A With priority 0 Device B With priority 1 Device C With p...

Page 149: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Page 150: ...rtcomings of STP and RSTP In addition to the support for rapid network convergence it also allows data flows of different VLANs to be forwarded along separate paths thus providing a better load sharin...

Page 151: ...ing tree region MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have th...

Page 152: ...te the CIST of the entire network MSTI Multiple spanning trees can be generated in an MST region through MSTP one spanning tree being independent of another Each spanning tree is referred to as a mult...

Page 153: ...ate port The standby port for a root port or master port When the root port or master port is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a des...

Page 154: ...es are calculated each being called an MSTI Among these MSTIs MSTI 0 is the IST while all the others are MSTIs Similar to STP MSTP uses configuration BPDUs to calculate spanning trees The only differe...

Page 155: ...guring MSTP you need to know the position of each device in each MSTI root bridge or leave node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete the...

Page 156: ...ations made in Layer 2 aggregate interface view can take effect only on the aggregate interface configurations made on an aggregation member port can take effect only after the port is removed from th...

Page 157: ...n name the same VLAN to MSTI mapping entries in the MST region and the same MST region revision level and they are interconnected via a physical link The configuration of MST region related parameters...

Page 158: ...y root bridge you cannot change the priority of the device z You can configure the current device as the root bridge or a secondary root bridge of an MSTI which is specified by instance instance id in...

Page 159: ...In RSTP mode all ports of the device send out RSTP BPDUs If the device detects that it is connected with a legacy STP device the port connecting with the legacy STP device will automatically migrate...

Page 160: ...maximum hops of an MST region you can restrict the region size The maximum hops configured on the regional root bridge will be used as the maximum hops of the MST region The regional root bridge alway...

Page 161: ...Use the command Remarks Enter system view system view Configure the network diameter of the switched network stp bridge diameter bridge number Optional 7 by default z The network diameter is a paramet...

Page 162: ...etting enables the device to timely detect link failures on the network without using excessive network resources If the hello time is set too long the device will take packet loss as a link failure a...

Page 163: ...ur because the upstream device is busy In this case you can avoid such unwanted spanning tree calculation by lengthening the timeout time Configuration procedure Follow these steps to configure the ti...

Page 164: ...et 1 0 1 Sysname GigabitEthernet1 0 1 stp transmit limit 5 Configuring Ports as Edge Ports If a port directly connects to a user terminal rather than another device or a shared LAN segment this port i...

Page 165: ...nt link is a link directly connecting two devices If the two ports across a point to point link are root ports or designated ports the ports can rapidly transition to the forwarding state after a prop...

Page 166: ...acket format recognition mode of a port is auto namely the port automatically distinguishes the two MSTP packet formats and determines the format of packets it will send based on the recognized format...

Page 167: ...ckets Sysname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Enabling the Output of Port State Transition Information In a large scale MSTP enabl...

Page 168: ...bly you can use the undo stp enable command to disable the MSTP feature for certain ports so that they will not take part in spanning tree calculation and thus to save the device s CPU resources Confi...

Page 169: ...ed on IEEE 802 1t z legacy The device calculates the default path cost for ports based on a private standard Follow these steps to specify a standard for the device to use when calculating the default...

Page 170: ...e instance id cost cost Required By default MSTP automatically calculates the path cost of each port z If you change the standard that the device uses in calculating the default path cost the port pat...

Page 171: ...ame priority value for all the ports on a device the specific priority of a port depends on the index number of the port Changing the priority of a port triggers a new spanning tree calculation proces...

Page 172: ...z MSTP has been correctly configured on the device z MSTP is configured to operate in MSTP mode or RSTP mode Configuration Procedure You can perform mCheck on a port through two approaches which lead...

Page 173: ...ture for a VLAN can make ports of the VLAN forward packets normally rather than comply with the calculated result of MSTP Configuration Procedure Follow these steps to configure VLAN Ignore To do Use...

Page 174: ...ame MST region via checking the configuration ID in BPDU packets The configuration ID includes the region name revision level configuration digest that is in 16 byte length and is the result calculate...

Page 175: ...eeded for in the same region check so the VLAN to MSTI mappings must be the same on associated ports z With global Digest Snooping enabled modification of VLAN to MSTI mappings and removing of the cur...

Page 176: ...d state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agreement used to acknowledge rapid transition requests Both RSTP and MSTP devices can perform...

Page 177: ...m device adopts MSTP and does not work in RSTP mode the root port on the downstream device receives no agreement packet from the upstream device and thus sends no agreement packets to the upstream dev...

Page 178: ...ult To make the No Agreement Check feature take effect enable it on the root port Configuration Example Network requirements z Device A connects to a third party s device that has different MSTP imple...

Page 179: ...logy Under normal conditions these ports should not receive configuration BPDUs However if someone forges configuration BPDUs maliciously to attack the devices network instability will occur MSTP prov...

Page 180: ...will keep playing the role of designated port on all MSTIs Once this port receives a configuration BPDU with a higher priority from an MSTI it immediately sets that port to the listening state in the...

Page 181: ...rface view will take effect on the current port only configurations made in port group view will take effect on all ports in the port group Enable the loop guard function for the port s stp loop prote...

Page 182: ...lable in any view View the root bridge information of all MSTIs display stp root Available in any view View the list of VLANs with VLAN Ignore enabled display stp ignored vlan Available in any view Cl...

Page 183: ...region region name example DeviceA mst region instance 1 vlan 10 DeviceA mst region instance 2 vlan 20 DeviceA mst region instance 3 vlan 30 DeviceA mst region revision level 0 Activate MST region co...

Page 184: ...region configuration DeviceB mst region quit Define Device B as the root bridge of MSTI 3 DeviceB stp instance 3 root primary Enable MSTP globally DeviceB stp enable View the MST region configuration...

Page 185: ...29 31 to 4094 1 10 2 20 3 30 4 Configuration on Device D Enter MST region view DeviceD system view DeviceD stp region configuration DeviceD mst region region name example Configure the region name VLA...

Page 186: ...1 46 Instance Vlans Mapped 0 1 to 9 11 to 19 21 to 29 31 to 4094 1 10 2 20 3 30...

Page 187: ...onfiguration 1 1 IP Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 Displayi...

Page 188: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Page 189: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Page 190: ...C networks before being subnetted use these default masks also called natural masks 255 0 0 0 255 255 0 0 and 255 255 255 0 respectively Configuring IP Addresses An interface can communicate with oth...

Page 191: ...information about a specified or all Layer 3 interfaces display ip interface interface type interface number Available in any view Display brief information about a specified or all Layer 3 interface...

Page 192: ...ing Reception of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuring TCP Attributes 1 2 Enabling the SYN...

Page 193: ...Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcast packets are broadcast on a specific network In the destination IP address of a directed bro...

Page 194: ...he establishment of a TCP connection involves the following three handshakes 1 The request originator sends a SYN message to the target server 2 After receiving the SYN message the target server estab...

Page 195: ...ame state any of the six and request for no data so as to exhaust the memory resource of the server As a result the server cannot process normal services Protection against Naptha attacks reduces the...

Page 196: ...en a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP connection will be terminated If a FIN packet is recei...

Page 197: ...unreachable ICMP error packet z If the destination of a packet is local while the transport layer protocol of the packet is not supported by the local device the device sends a protocol unreachable IC...

Page 198: ...isplay statistics of IP packets display ip statistics Available in any view Display ICMP statistics display icmp statistics Available in any view Display socket information display ip socket socktype...

Page 199: ...uring the ARP Active Acknowledgement Function 2 1 Configuring Source MAC Address Based ARP Attack Detection 2 1 Introduction 2 1 Configuration Procedure 2 2 Displaying and Maintaining Source MAC Addre...

Page 200: ...ly Figure 1 1 ARP message format The following describe the fields in Figure 1 1 z Hardware type This field specifies the hardware address type The value 1 represents Ethernet z Protocol type This fie...

Page 201: ...ost B and an all zero MAC address respectively Because the ARP request is a broadcast all hosts on this subnet can receive the request but only the requested host namely Host B will respond to the req...

Page 202: ...rmanent z A permanent static ARP entry can be directly used to forward packets When configuring a permanent static ARP entry you must configure a VLAN and an outbound interface for the entry besides t...

Page 203: ...ber of dynamic ARP entries that an interface can learn To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the maxim...

Page 204: ...Remarks Enter system view system view Enable the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network re...

Page 205: ...IP address of the device issuing the packet the sender MAC address is the MAC address of the device and the target MAC address is the broadcast address ff ff ff ff ff ff A device implements the follo...

Page 206: ...ay the ARP entry for a specified IP address display arp ip address begin exclude include regular expression Available in any view Display the aging time for dynamic ARP entries display arp timer aging...

Page 207: ...t to the source MAC address of the ARP entry Then z If an ARP reply is received within five seconds the ARP packet is ignored z If not the gateway unicasts an ARP request to the MAC address of the ARP...

Page 208: ...tack detection even though it is an attacker You can specify certain MAC addresses such as that of a gateway or important servers as protected MAC addresses Follow these steps to configure protected M...

Page 209: ...P Packet Rate Limit Function Follow these steps to configure ARP packet rate limit in Ethernet interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view...

Page 210: ...dify the communication data Such an attack is called a man in the middle attack Figure 2 1 Man in the middle attack Switch Host A Host B IP_A MAC_A IP_B MAC_B IP_C MAC_C Host C Forged ARP reply Forged...

Page 211: ...packet is considered valid and can pass the detection If all the detection types are specified the system uses static IP to MAC binding entries first then DHCP snooping entries and then 802 1X securit...

Page 212: ...d against 802 1X security entries otherwise the packet is checked against 802 1X security entries If a match is found the packet is considered to be valid otherwise the packet is discarded z Before en...

Page 213: ...he latter applies Displaying and Maintaining ARP Detection To do Use the command Remarks Display the VLANs enabled with ARP detection display arp detection Available in any view Display the ARP detect...

Page 214: ...itEthernet1 0 3 dhcp snooping trust SwitchA GigabitEthernet1 0 3 quit Enable ARP detection for VLAN 10 SwitchA vlan 10 SwitchA vlan10 arp detection enable Configure the upstream port as a trusted port...

Page 215: ...on Configuration procedure 1 Add all the ports on Switch A into VLAN 10 the configuration procedure is omitted 2 Configure DHCP server the configuration procedure is omitted 3 Configure Host A and Hos...

Page 216: ...to the attacker instead As a result the hosts cannot access external networks To prevent such gateway spoofing attacks you can enable the gateway to send gratuitous ARP packets containing its primary...

Page 217: ...ooting DHCP Relay Agent Configuration 1 11 2 DHCP Client Configuration 2 1 Introduction to DHCP Client 2 1 Enabling the DHCP Client on an Interface 2 1 Displaying and Maintaining the DHCP Client 2 2 D...

Page 218: ...ii Displaying and Maintaining BOOTP Client Configuration 4 2 BOOTP Client Configuration Example 4 3...

Page 219: ...iguration Introduction to DHCP Relay Agent Application Environment Since DHCP clients request IP addresses via broadcast messages the DHCP server and clients must be on the same subnet Therefore a DHC...

Page 220: ...DHCP client The administrator can locate the DHCP client to further implement security control and accounting If the DHCP relay agent supports Option 82 it will handle a client s request according to...

Page 221: ...elay Agent Security Functions Optional Configuring the DHCP Relay Agent to Send a DHCP Release Request Optional Configuring the DHCP Relay Agent to Support Option 82 Optional Configuring the DHCP Rela...

Page 222: ...CP server group and add a server into the group dhcp relay server group group id ip ip address Required Not created by default Enter interface view interface interface type interface number Correlate...

Page 223: ...Disabled by default z The dhcp relay address check enable command is independent of other commands of the DHCP relay agent That is the invalid address check takes effect when this command is executed...

Page 224: ...the IP address of the DHCP server which assigned an IP address to the DHCP client and the receiving interface The administrator can use this information to check out any DHCP unauthorized servers Foll...

Page 225: ...type interface number Enable the relay agent to support Option 82 dhcp relay information enable Required Disabled by default Configure the handling strategy for requesting messages containing Option...

Page 226: ...DHCP Relay Agent Configuration To do Use the command Remarks Display information about DHCP server groups correlated to a specified or all interfaces display dhcp relay all interface interface type i...

Page 227: ...P relay agent Configuration procedure Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 1 into DHCP server group 1 SwitchA dhcp...

Page 228: ...Specify IP addresses for the interfaces omitted Enable DHCP SwitchA system view SwitchA dhcp enable Add DHCP server 10 1 1 1 into DHCP server group 1 SwitchA dhcp relay server group 1 ip 10 1 1 1 Ena...

Page 229: ...agent to view the debugging information and interface state information for locating the problem Solution Check that z The DHCP is enabled on the DHCP server and relay agent z The address pool on the...

Page 230: ...P server cannot be a Windows 2000 Server or Windows 2003 Server Introduction to DHCP Client With the DHCP client enabled an interface will use DHCP to obtain configuration parameters such as an IP add...

Page 231: ...by executing the undo ip address dhcp alloc command and then the ip address dhcp alloc command Displaying and Maintaining the DHCP Client To do Use the command Remarks Display specified configuration...

Page 232: ...Recording IP to MAC mappings of DHCP clients Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers If there is an unauthorized DHCP server on a network DHCP clients may obtain inva...

Page 233: ...d Unauthorized DHCP server DHCP client DHCP reply messages As shown in Figure 3 1 a DHCP snooping device s port that is connected to an authorized DHCP server should be configured as a trusted port to...

Page 234: ...n 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting If DHCP snooping supports Option 82...

Page 235: ...normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strate...

Page 236: ...iguring DHCP Snooping to Support Option 82 Follow these steps to configure DHCP snooping to support Option 82 To do Use the command Remarks Enter system view system view Enter interface view interface...

Page 237: ...DHCP snooping to support Option 82 on the interface will not take effect After the interface quits the aggregation group the configuration will be effective z If the handling strategy of the DHCP sno...

Page 238: ...rwards DHCP server responses while the other two do not Switch A records clients IP to MAC address bindings in DHCP REQUEST messages and DHCP ACK messages received from trusted ports Figure 3 3 Networ...

Page 239: ...itEthernet1 0 2 to support Option 82 SwitchA interface GigabitEthernet 1 0 2 SwitchA GigabitEthernet1 0 2 dhcp snooping information enable SwitchA GigabitEthernet1 0 2 dhcp snooping information strate...

Page 240: ...BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP...

Page 241: ...protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Prot...

Page 242: ...erver 10 1 1 4 25 Client Switch A Client DNS server 10 1 1 2 25 Vlan int1 10 1 1 1 25 Vlan int1 10 1 1 126 25 Configuration procedure The following describes only the configuration on Switch A serving...

Page 243: ...Debugging an FTP Connection 1 6 Terminating an FTP Connection 1 6 FTP Client Configuration Example 1 6 Configuring the FTP Server 1 8 Configuring FTP Server Operating Parameters 1 8 Configuring Authen...

Page 244: ...files z ASCII mode transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Fig...

Page 245: ...nfiguration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP for security...

Page 246: ...source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source address of the transmitted packets is selected following these...

Page 247: ...For how to establish an FTP connection refer to Establishing an FTP Connection you can create or delete folders under the authorized directory of the FTP server Follow these steps to operate the dire...

Page 248: ...mand displays the name of a directory or file only while the dir command displays detailed information such as the file size and creation time Delete the specified file on the remote FTP server perman...

Page 249: ...debugging Optional Disabled by default Terminating an FTP Connection After the device serving as the FTP client has established a connection with the FTP server For how to establish an FTP connection...

Page 250: ...P Sysname ftp 10 1 1 1 Trying 10 1 1 1 Connected to 10 1 1 1 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 10 1 1 1 none abc 331 Give me your password please Password 230 Lo...

Page 251: ...xample occurs during a file transfer z In normal mode the FTP server writes data to the storage medium while receiving data This means that any anomaly power failure for example during file transfer m...

Page 252: ...pport FTP anonymous user access Assign a password to the user password simple cipher password Required Assign the FTP service to the user service type ftp Required By default the system does not suppo...

Page 253: ...vel 3 the manage level Authorize ftp s access to the root directory of the flash and specify ftp to use FTP Sysname system view Sysname local user abc Sysname luser abc password simple pwd Sysname lus...

Page 254: ...e the Boot ROM 3 Upgrade Device Specify newest bin as the main startup file to be used at the next startup Sysname boot loader file newest bin main Reboot the device and the startup file is updated at...

Page 255: ...1 12...

Page 256: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Page 257: ...e is not overwritten This mode is more secure but consumes more memory You are recommended to use the secure mode or if you use the normal mode specify a filename not existing in the current directory...

Page 258: ...quit Download or upload a file tftp server address get put sget source filename destination filename source interface interface type interface number ip source ip address Optional Available in user v...

Page 259: ...te the files not in use and then perform the following operations Enter system view Sysname system view Download application file newest bin from PC Sysname tftp 1 2 1 1 get newest bin Upload a config...

Page 260: ...i Table of Contents 1 IP Routing Basics Configuration 1 1 IP Routing and Routing Table 1 1 Routing 1 1 Routing Table 1 1 Displaying and Maintaining a Routing Table 1 3...

Page 261: ...interface a packet destined for a certain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three cate...

Page 262: ...ed into z Direct routes The destination is directly connected to the router z Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too larg...

Page 263: ...destination addresses in the specified range display ip routing table ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display information about routes permitte...

Page 264: ...1 Default Route 1 1 Application Environment of Static Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Displaying and Maintaining Static Routes 1...

Page 265: ...e static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is configured on a router...

Page 266: ...configure the next hop address z If you specify a broadcast interface such as a VLAN interface as the output interface you must specify the corresponding next hop for the output interface 3 Other att...

Page 267: ...with the ip route static command the route is the default route Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current con...

Page 268: ...Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The c...

Page 269: ...Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1 2...

Page 270: ...Prerequisites 2 7 Enabling IGMP Snooping 2 7 Configuring the Version of IGMP Snooping 2 8 Configuring IGMP Snooping Port Functions 2 9 Configuration Prerequisites 2 9 Configuring Aging Timers for Dyna...

Page 271: ...23 IGMP Snooping Querier Configuration Example 2 26 IGMP Snooping Proxying Configuration Example 2 28 Troubleshooting IGMP Snooping Configuration 2 31 Switch Fails in Layer 2 Multicast Forwarding 2 31...

Page 272: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Page 273: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Page 274: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Page 275: ...cast is confined to the same subnet while multicast is not Features of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast addr...

Page 276: ...icast z G Indicates a rendezvous point tree RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast...

Page 277: ...ence between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some other means In addition the SSM model uses a multicast addre...

Page 278: ...he IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group add...

Page 279: ...tination address is a multicast MAC address because the packet is directed to a group formed by a number of receivers rather than to one specific receiver As defined by IANA the high order 24 bits of...

Page 280: ...he internet group management protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with the hosts These protocols define the mechanism of establishing and maintaining gr...

Page 281: ...training mechanisms that manage and control multicast groups by listening to and analyzing IGMP messages exchanged between the hosts and Layer 3 multicast devices thus effectively controlling the floo...

Page 282: ...rwarding z To process the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check o...

Page 283: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 2 1 when IGMP snooping is not running on the switch multicast packets are flooded to all devices at...

Page 284: ...device DR or IGMP querier In the figure GigabitEthernet 1 0 1 of Switch A and GigabitEthernet 1 0 1 of Switch B are router ports The switch registers all its local router ports in its router port list...

Page 285: ...age out How IGMP Snooping Works A switch running IGMP snooping performs different actions when it receives different IGMP messages as follows The description about adding or deleting a port in this s...

Page 286: ...the attached hosts listening to the reported multicast address will suppress their own reports upon receiving this report according to the IGMP report suppression mechanism on them and this will preve...

Page 287: ...port z If no IGMP report in response to the group specific query is received on the port before its aging timer expires this means that no hosts attached to the port are still listening to that group...

Page 288: ...found the proxy creates the entry adds the receiving port to the outgoing port list as a dynamic member port and starts an aging timer for the port and then sends a report to the group out all router...

Page 289: ...e effective only for the current port configurations made in Layer 2 aggregate interface view are effect only for the current interface configurations made in port group view are effective only for al...

Page 290: ...ocess z IGMP snooping version 2 can process IGMPv1 and IGMPv2 messages but not IGMPv3 messages which will be flooded in the VLAN z IGMP snooping version 3 can process IGMPv1 IGMPv2 and IGMPv3 messages...

Page 291: ...when the aging timer of the port for that group expires If multicast group memberships change frequently you can set a relatively small value for the dynamic member port aging timer and vice versa Con...

Page 292: ...tic router ports by default z A static S G joining can take effect only if a valid multicast source address is specified and IGMP snooping version 3 is currently running z A static member port does no...

Page 293: ...port configured as a simulated member host will age out like a dynamic member port Configuring Fast Leave Processing The fast leave processing feature allows the switch to process IGMP leave messages...

Page 294: ...uery interval z Maximum response time to IGMP general queries z Source address of IGMP general queries and z Source address of IGMP group specific queries Enabling IGMP Snooping Querier In an IP multi...

Page 295: ...sends an IGMP report to the corresponding multicast group An appropriate setting of the maximum response time for IGMP queries allows hosts to respond to queries quickly and avoids bursts of IGMP tra...

Page 296: ...eiving an IGMP query whose source IP address is 0 0 0 0 on a port the switch does not enlist that port as a dynamic router port This may prevent multicast forwarding entries from being correctly creat...

Page 297: ...ring a Source IP Address for the IGMP Messages Sent by the Proxy You can set the source IP addresses in the IGMP reports and leave messages sent by the IGMP snooping proxy on behalf of its attached ho...

Page 298: ...lobally Follow these steps to configure a multicast group filter globally To do Use the command Remarks Enter system view system view Enter IGMP snooping view igmp snooping Configure a multicast group...

Page 299: ...yer 2 device forwards only the first IGMP report per multicast group to the Layer 3 device and will not forward the subsequent IGMP reports from the same multicast group to the Layer 3 device This hel...

Page 300: ...reasons the number of multicast groups that can be joined on the current switch or port may exceed the number configured for the switch or the port In addition in some specific applications a multicas...

Page 301: ...t take effect Configuring 802 1p Precedence for IGMP Messages You can change 802 1p precedence of IGMP messages so that they can be assigned higher forwarding priority when congestion occurs on their...

Page 302: ...nabled VLAN z The reset igmp snooping group command cannot clear the IGMP snooping multicast group information for static joins IGMP Snooping Configuration Examples Group Policy and Simulated Joining...

Page 303: ...net1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit...

Page 304: ...1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration Display the detailed IGMP snooping multicast groups information in VLAN 100 on Switch A SwitchA display igmp snooping group...

Page 305: ...d to Switch C only along the path of Switch A Switch B Switch C z It is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router port so that multicast traffic...

Page 306: ...gn GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 SwitchA vl...

Page 307: ...1 0 5 quit 6 Verify the configuration Display the detailed IGMP snooping multicast group information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Tot...

Page 308: ...As shown in Figure 2 6 in a Layer 2 only network environment two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224 1 1 1 and 225 1 1 1 respectively Host A and Host C...

Page 309: ...in VLAN 100 SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping drop unknown Enable the IGMP Snooping querier function in VLAN 100 SwitchA vlan100 igmp snooping querier Set the source I...

Page 310: ...3 Received IGMPv1 reports 0 Received IGMPv2 reports 12 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 reports with...

Page 311: ...view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA int...

Page 312: ...oup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 2 port GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 2 port GE1 0 3 GE1...

Page 313: ...ing Analysis IGMP snooping is not enabled Solution 1 Enter the display current configuration command to view the running status of IGMP snooping 2 If IGMP snooping is not enabled use the igmp snooping...

Page 314: ...his command in IGMP snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy...

Page 315: ...in not only waste of network bandwidth but also extra burden on the Layer 3 device Figure 3 1 Multicast transmission without multicast VLAN The multicast VLAN feature configured on the Layer 2 device...

Page 316: ...st VLAN and Switch A distributes the traffic to all the member ports in the multicast VLAN z For information about IGMP Snooping router ports and member ports refer to IGMP Snooping Configuration z Fo...

Page 317: ...long as the default VLAN Configure the user ports to permit packets of the multicast VLAN to pass and untag the packets Thus upon receiving multicast packets tagged with the multicast VLAN ID from the...

Page 318: ...icast VLAN view multicast vlan vlan id Required Not a multicast VLAN by default Assign ports to the multicast VLAN port interface list Required By default a multicast VLAN has no ports Configuring mul...

Page 319: ...uter A IGMPv2 Snooping is required on Switch A Router A acts as the IGMP querier z Switch A s GigabitEthernet 1 0 1 belongs to VLAN 10 GigabitEthernet 1 0 2 through GigabitEthernet 1 0 4 belong to VLA...

Page 320: ...0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet...

Page 321: ...or GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as a multicast VLAN SwitchA multicast vlan 10 Assign GigabitEthernet 1 0 2...

Page 322: ...oup s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 3 port G...

Page 323: ...le 2 4 Applying the QoS Policy 2 5 Applying the QoS Policy to an Interface 2 5 Displaying and Maintaining QoS Policies 2 5 3 Priority Mapping Configuration 3 1 Priority Mapping Overview 3 1 Introducti...

Page 324: ...guration procedure 4 2 Line rate configuration example 4 2 5 Congestion Management Configuration 5 1 Overview 5 1 Congestion Management Policies 5 1 Congestion Management Configuration Methods 5 3 Con...

Page 325: ...alled best effort It delivers packets to their destinations as possibly as it can without any guarantee for delay jitter packet loss ratio and so on This service policy is only suitable for applicatio...

Page 326: ...s forwarded over a low speed link z The packet flows enter a device from several incoming interfaces and are forwarded out an outgoing interface whose rate is smaller than the total rate of these inco...

Page 327: ...gestion avoidance are the foundations for a network to provide differentiated services Mainly they implement the following functions z Traffic classification uses certain match criteria to organize pa...

Page 328: ...port number for example or for all packets to a certain network segment When packets are classified on the network boundary the precedence bits in the ToS field of the IP packet header are generally r...

Page 329: ...ccording to their DSCP values z Expedited Forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is suitable for preferential services requiring lo...

Page 330: ...precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 1 4 An Ethernet frame with an 802 1Q tag...

Page 331: ...802 1p Table 1 3 presents the values for 802 1p precedence Table 1 3 Description on 802 1p precedence 802 1p precedence decimal 802 1p precedence binary Description 0 000 best effort 1 001 background...

Page 332: ...nsiders a packet belongs to a class only when the packet matches all the criteria in the class z or The device considers a packet belongs to a class as long as the packet matches one of the criteria i...

Page 333: ...ce of the customer network The 8021p list argument is a list of CoS values in the range of 0 to 7 customer vlan id vlan id list Specifies to match the packets of specified VLANs of user networks The v...

Page 334: ...c mac address To create multiple if match clauses or specify multiple values for a list argument for any of the matching criteria listed above ensure that the operator of the class is OR Defining a Tr...

Page 335: ...a class and the behavior defined in the QoS policy applies to the class regardless of whether the match mode of the ACL clause is deny or permit QoS Policy Configuration Example Network requirements...

Page 336: ...e number Enter interface view or port group view Enter port group view port group manual port group name Use either command Settings in interface view take effect on the current interface settings in...

Page 337: ...or name Available in any view Display the configuration of user defined QoS policies display qos policy user defined policy name classifier tcl name Available in any view Display QoS policy configurat...

Page 338: ...e 802 1p precedence DSCP values and EXP values refer to Packet Precedences Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds...

Page 339: ...es switch can trust one of the following two priority types z Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p dscp mapping table based on the DSCP prec...

Page 340: ...t dscp lp and dscp dot1p mappings Input priority value dscp lp mapping dscp dot1p mapping dscp Local precedence lp 802 1p precedence dot1p 0 to 7 0 0 8 to 15 1 1 16 to 23 2 2 24 to 31 3 3 32 to 39 4 4...

Page 341: ...able view as required Configure the priority mapping table import import value list export export value Required Newly configured mappings overwrite the previous ones Display the configuration of the...

Page 342: ...do Use the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual...

Page 343: ...rocedure refer to Configuring a Priority Mapping Table Configuration Procedure Follow these steps to configure the trusted precedence type To do Use the command Remarks Enter system view system view E...

Page 344: ...dot1p Displaying and Maintaining Priority Mapping To do Use the command Remarks Display priority mapping table configuration information display qos map table dot1p dot1p dot1p dscp dot1p lp dscp dot1...

Page 345: ...y handled by the token bucket at line rate If there are enough tokens in the token bucket packets can be forwarded otherwise packets are put into QoS queues for congestion management In this way the t...

Page 346: ...ent interface settings in port group view take effect on all ports in the port group Configure the line rate for the interface port group qos lr inbound outbound cir committed information rate cbs com...

Page 347: ...stion management involves queue creation traffic classification packet enqueuing and queue scheduling Congestion Management Policies In general congestion management adopts queuing technology The syst...

Page 348: ...with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue to ensure that they are always served first and common service packets to the low pri...

Page 349: ...scheduled in turn the service time for each queue is not fixed that is if a queue is empty the next queue will be scheduled immediately This improves bandwidth resource use efficiency SP WRR queuing Y...

Page 350: ...t 1 0 1 to adopt SP queuing 2 Configuration procedure Enter system view Sysname system view Configure GigabitEthernet1 0 1 to adopt SP queuing Sysname interface gigabitethernet 1 0 1 Sysname GigabitEt...

Page 351: ...GigabitEthernet1 0 1 qos wrr 2 group 2 weight 30 Sysname GigabitEthernet1 0 1 qos wrr 3 group 2 weight 50 Configuring SP WRR Queuing Configuration procedure Follow these steps to configure an SP WRR q...

Page 352: ...being 10 and 50 respectively 2 Configuration procedure Enter system view Sysname system view Enable the SP WRR queue scheduling algorithm on GigabitEthernet1 0 1 Sysname interface gigabitethernet 1 0...

Page 353: ...X Basic Configuration 1 13 Configuration Prerequisites 1 13 Configuring 802 1X Globally 1 13 Configuring 802 1X for a Port 1 14 Enabling the Online User Handshake Function 1 15 Enabling the Multicast...

Page 354: ...s the LAN only when it passes the authentication Those devices that fail to pass the authentication are denied access to the LAN To get more information about 802 1X go to these topics z Architecture...

Page 355: ...ch then can relay the packets to the RADIUS server In EAP termination mode EAP packets are terminated at the device converted to the RADIUS packets either with the Password Authentication Protocol PAP...

Page 356: ...ts z auto Places the port in the unauthorized state initially to allow only EAPOL packets to pass and turns the ports into the authorized state to allow access to the network after the users pass auth...

Page 357: ...between a client and a device EAPOL Logoff a value of 0x02 Packet for logoff request present between a client and a device z Length Length of the data that is length of the Packet body field in bytes...

Page 358: ...For information about RADIUS packet format refer to AAA Configuration EAP Message The EAP Message attribute is used to encapsulate EAP packets Figure 1 6 shows its encapsulation format The value of th...

Page 359: ...30 seconds by default This method can be used to authenticate clients which cannot send EAPOL Start packets and therefore cannot trigger authentication for example the 802 1X client provided by Windo...

Page 360: ...r the username of the client 4 When the client receives the EAP Request Identity packet it encapsulates the username in an EAP Response Identity packet and sends the packet to the device 5 Upon receiv...

Page 361: ...shake attempts end up with failure the device concludes that the client has gone offline and performs the necessary operations guaranteeing that the device always knows when a client goes offline 12 T...

Page 362: ...rmation from the client to the RADIUS server for authentication 802 1X Access Control Method H3C devices not only implement the port based access control method defined in the 802 1X protocol but also...

Page 363: ...the client is offline z Quiet timer quiet period When a client fails the authentication the device refuses further authentication requests from the client in this period of time z Periodic re authenti...

Page 364: ...t will be added to the guest VLAN and all users accessing the port will be authorized to access the resources in the guest VLAN The device adds a PGV configured port into the guest VLAN according to t...

Page 365: ...ning access rights When a user logs in through a port and the RADIUS server is configured with authorization ACLs the device will permit or deny data flows traversing through the port according to the...

Page 366: ...word information must be configured on the device and the service type must be set to lan access For detailed configuration of the RADIUS client refer to AAA Configuration Configuring 802 1X Globally...

Page 367: ...For detailed configuration refer to Configuring 802 1X for a Port The only difference between global configurations and configurations on a port lies in the applicable scope If both a global setting...

Page 368: ...tication In this case you can configure the user name format command but it does not take effect For information about the user name format command refer to AAA Commands z If the username of a client...

Page 369: ...face number Enable the multicast trigger function dot1x multicast trigger Optional Enabled by default Specifying a Mandatory Authentication Domain for a Port With a mandatory authentication domain spe...

Page 370: ...fault After an 802 1X user passes authentication if the authentication server assigns a re authentication interval for the user through the session timeout attribute the assigned re authentication int...

Page 371: ...ail VLAN If the traffic from a user side device carries VLAN tags and the 802 1X authentication and guest VLAN functions are configured on the access port you are recommended to configure different VL...

Page 372: ...cation when no response from the RADIUS server is received If the RADIUS accounting fails the device gets users offline z A server group with two RADIUS servers is connected to the switch The IP addre...

Page 373: ...localpass Switch luser localuser attribute idle cut 20 Switch luser localuser quit Create RADIUS scheme radius1 and enter its view Switch radius scheme radius1 Configure the IP addresses of the prima...

Page 374: ...unting default radius scheme radius1 local Set the maximum number of users for the domain as 30 Switch isp aabbcc net access limit enable 30 Enable the idle cut function and set the idle cut interval...

Page 375: ...802 1X and set VLAN 10 as the guest VLAN of the port If the device sends an EAP Request Identity packet from the port for the maximum number of times but still receives no response the device adds the...

Page 376: ...hentication Configuration procedure z The following configuration procedure uses many AAA RADIUS commands For detailed configuration of these commands refer to AAA Configuration z Configurations on th...

Page 377: ...Switch GigabitEthernet1 0 2 dot1x port control auto Switch GigabitEthernet1 0 2 quit Create VLAN 10 Switch vlan 10 Switch vlan10 quit Specify port GigabitEthernet 1 0 2 to use VLAN 10 as its guest VLA...

Page 378: ...ry authentication 10 1 1 1 1812 Switch radius 2000 primary accounting 10 1 1 2 1813 Switch radius 2000 key authentication abc Switch radius 2000 key accounting abc Switch radius 2000 user name format...

Page 379: ...CL 3000 assigned by the RADIUS server functions Switch ping 10 0 0 1 PING 10 0 0 1 56 data bytes press CTRL_C to break Request time out Request time out Request time out Request time out Request time...

Page 380: ...ions Forcibly 1 17 Configuring a NAS ID VLAN Binding 1 17 Displaying and Maintaining AAA 1 18 Configuring RADIUS 1 18 Creating a RADIUS Scheme 1 19 Specifying the RADIUS Authentication Authorization S...

Page 381: ...ii Troubleshooting RADIUS 1 32...

Page 382: ...centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA networking diagram When a user tries to establish a connection to the NAS...

Page 383: ...ication Dial In User Service RADIUS is a distributed information interaction protocol in a client server model RADIUS can protect networks against unauthorized access and is often used in network envi...

Page 384: ...prevent user passwords from being intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods Moreover a RADIUS...

Page 385: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting...

Page 386: ...the Code Identifier Length Authenticator and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If t...

Page 387: ...ct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Tim...

Page 388: ...sub attribute that can be encapsulated in Attribute 26 consists of the following four parts z Vendor ID four bytes Indicates the ID of the vendor Its most significant byte is 0 and the other three byt...

Page 389: ...od No accounting none local accounting local or remote accounting scheme For login users it is necessary to configure the authentication mode for logging into the user interface as scheme For detailed...

Page 390: ...ure ISP domains to perform AAA on accessing users In AAA users are divided into LAN users such as 802 1X users and login users such as SSH Telnet FTP and terminal access users Except for command line...

Page 391: ...rname without an ISP domain name the device uses the authentication method configured for the default ISP domain to authenticate the user Configuring ISP Domain Attributes Follow these steps to config...

Page 392: ...ADIUS the device can use the standard RADIUS protocol or extended RADIUS protocol in collaboration with systems like iMC to implement user authentication Remote authentication features centralized inf...

Page 393: ...tion and accounting Its responsibility is to send authorization requests to the specified authorization server and to send authorization information to users Authorization method configuration is opti...

Page 394: ...l types of users and has a priority lower than that for a specific access mode z RADIUS authorization is special in that it takes effect only when the RADIUS authorization scheme is the same as the RA...

Page 395: ...service type to be configured With AAA you can configure an accounting method specifically for each access mode and service type limiting the accounting protocols that can be used for access 3 Determ...

Page 396: ...you need to create local users and configure user attributes on the device as needed A local user represents a set of user attributes configured on a device and is uniquely identified by the username...

Page 397: ...ork directory directory name Optional By default no authorization attribute is configured for a local user Set the expiration time of the local user expiration date time Optional Not set by default Sp...

Page 398: ...control attributes and authorization attributes for a user group By default every newly added local user belongs to a user group named system and bears all attributes of the group User group system i...

Page 399: ...y local user idle cut disable enable service type ftp lan access ssh telnet terminal state active block user name user name vlan vlan id Available in any view Display configuration information about a...

Page 400: ...default A RADIUS scheme can be referenced by more than one ISP domain at the same time Specifying the RADIUS Authentication Authorization Servers Follow these steps to specify the RADIUS authenticatio...

Page 401: ...ying the RADIUS Accounting Servers and Relevant Parameters Follow these steps to specify the RADIUS accounting servers and perform related configurations To do Use the command Remarks Enter system vie...

Page 402: ...user when the number of accounting request transmission attempts for the user reaches the limit but it still receives no response to the accounting request z The IP addresses of the primary and secon...

Page 403: ...the command manual for configuring RADIUS server response timeout period Setting the Supported RADIUS Server Type Follow these steps to set the supported RADIUS server type To do Use the command Rema...

Page 404: ...authorization server state primary authentication active block Set the status of the primary RADIUS accounting server state primary accounting active block Set the status of the secondary RADIUS auth...

Page 405: ...e users using the same username but in different ISP domains will be considered the same user z The unit of data flows sent to the RADIUS server must be consistent with the traffic statistics unit of...

Page 406: ...so that the user has more opportunity to obtain the RADIUS service The NAS uses the RADIUS server response timeout timer to control the transmission interval z Primary server quiet timer timer quiet I...

Page 407: ...accounting on feature enabled a device sends whenever it reboots accounting on packets to the RADIUS server so that the server logs out users that have logged in through the device before the reboot...

Page 408: ...marks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes display radius scheme radius scheme name Available in any view Display statistics about RADIUS packets di...

Page 409: ...pes of users is similar to that given in this example The only difference lies in the access type Figure 1 6 Configure AAA by separate servers for Telnet users Configuration procedure Configure the IP...

Page 410: ...efault radius scheme rd When telneting into the switch a user enters username telnet bbb for authentication using domain bbb AAA for SSH Users by a RADIUS Server Network requirements As shown in Figur...

Page 411: ...anagement Service as the service type z Select H3C as the access device type z Select the access device from the device list or manually add the device with the IP address of 10 1 1 2 z Click OK to fi...

Page 412: ...re the IP address of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit...

Page 413: ...it Configure the AAA methods for the domain Switch domain bbb Switch isp bbb authentication login radius scheme rad Switch isp bbb authorization login radius scheme rad Switch isp bbb accounting login...

Page 414: ...tions Solution Check that 1 The communication links between the NAS and the RADIUS server work well at both physical and link layers 2 The IP address of the RADIUS server is correctly configured on th...

Page 415: ...1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Disp...

Page 416: ...sm to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in large networks securely With digital certificates the PKI system provides...

Page 417: ...lish multiple CRLs when the number of revoked certificates is so large that publishing them in a single CRL may degrade network performance and it uses CRL distribution points to indicate the URLs of...

Page 418: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Page 419: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Page 420: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Page 421: ...dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certific...

Page 422: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Page 423: ...ate request The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed inform...

Page 424: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Page 425: ...L checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verific...

Page 426: ...nfiguration file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA Whe...

Page 427: ...ive subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject nam...

Page 428: ...he certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain...

Page 429: ...etrieve CRLs properly 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa com...

Page 430: ...rieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate m...

Page 431: ...09v3 CRL Distribution Points URI http 4 4 4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3...

Page 432: ...y the CA to the RA Right click on the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicabl...

Page 433: ...dulus is greater than 512 It will take a few minutes Press CTRL C to abort Input the bits in the modulus default 1024 Generating Keys z Apply for certificates Retrieve the CA certificate and save it l...

Page 434: ...7F5E 2DA70BD9 1FAF07E5 1D167CE1 FC20394F 476F5C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent 65537 0x10001 X509v3...

Page 435: ...iguration refer to HTTP Configuration z The PKI domain to be referenced by the SSL policy must be created in advance For detailed configuration of the PKI domain refer to Configure the PKI domain 1 Co...

Page 436: ...icy and certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy myssl to HTTPS service Switch ip https ssl server policy myssl Apply the cer...

Page 437: ...trieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for certificate request z Configure the r...

Page 438: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 5 Configuratio...

Page 439: ...er and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Page 440: ...tion of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the session ID peer certif...

Page 441: ...s view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy Specify the...

Page 442: ...fy the client to use SSL 3 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and...

Page 443: ...le client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit 3 Associate HTTPS service with the SSL server policy and enable HTTPS service Configure...

Page 444: ...ient policy pki domain domain name Optional No PKI domain is configured by default Specify the preferred cipher suite for the SSL client policy prefer cipher rsa_aes_128_cbc_sha rsa_des_cbc_sha rsa_rc...

Page 445: ...e for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certificate to the SSL server or let the server requests a certifi...

Page 446: ...and Maintaining SSH 2 11 SSH Server Configuration Examples 2 12 When Switch Acts as Server for Password Authentication 2 12 When Switch Acts as Server for Publickey Authentication 2 14 SSH Client Conf...

Page 447: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Page 448: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Page 449: ...entication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authentication Currentl...

Page 450: ...ommands in text format the text must be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the comma...

Page 451: ...on key on the SSH server and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The length of the modulus of RSA server keys and host keys must b...

Page 452: ...ange the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This configuration task is only necessary for SSH users using pu...

Page 453: ...c key view public key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public...

Page 454: ...H1 does not support service type sftp if the client uses SSH1 to log into the server you must set the service type to stelnet or all on the server Otherwise the client will fail to log in z The workin...

Page 455: ...server key pair update interval ssh server rekey interval hours Optional 0 by default that is the RSA server key pair is not updated Set the SSH user authentication timeout period ssh server authentic...

Page 456: ...client will use the saved server host public key to authenticate the server z Without first time authentication a client not configured with the server host public key will deny to access the server T...

Page 457: ...ge dh group1 dh group14 prefer stoc cipher 3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Use either command in user view Displaying and Maintaining SSH To do Use the command Remark...

Page 458: ...nerate RSA and DSA key pairs and enable the SSH server Switch system view Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Configure an IP address for VLA...

Page 459: ...nt software such as PuTTY and OpenSSH The following is an example of configuring SSH client using Putty Version 0 58 Establish a connection with the SSH server Launch PuTTY exe to enter the following...

Page 460: ...dress will serve as the destination of the SSH connection Switch interface vlan interface 1 Switch Vlan interface1 ip address 192 168 1 40 255 255 255 0 Switch Vlan interface1 quit Set the authenticat...

Page 461: ...assign publickey Switch001 2 Configure the SSH client Generate an RSA key pair Run PuTTYGen exe select SSH 2 RSA and click Generate Figure 1 4 Generate a client key pair 1 While generating the key pai...

Page 462: ...file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the p...

Page 463: ...e client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of t...

Page 464: ...as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SS...

Page 465: ...level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelne...

Page 466: ...code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA p...

Page 467: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Page 468: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Page 469: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Page 470: ...out value Optional 10 minutes by default Configuring an SFTP Client Specifying a Source IP Address or Interface for the SFTP Client You can configure a client to use only a specified source IP addres...

Page 471: ...irectories To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh g...

Page 472: ...irectory on the SFTP server rename old name new name Optional Download a file from the remote server and save it locally get remote file local file Optional Upload a local file to the remote SFTP serv...

Page 473: ...ommand Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh...

Page 474: ...rface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Set the protocol that a remote user uses to log in as SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Before performing the...

Page 475: ...SwitchA sftp 192 168 0 1 identity key rsa Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save...

Page 476: ...e nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 no...

Page 477: ...w Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Enable the SFTP server Switch sftp server enable Configure an IP address for VLAN interface 1 which the...

Page 478: ...of SFTP client software The following takes the PSFTP of Putty Version 0 58 as an example z The PSFTP supports only password authentication Establish a connection with the remote SFTP server Run the...

Page 479: ...ymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1...

Page 480: ...sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types o...

Page 481: ...ir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption and signature whereas DSA is used for signature only Asymmetric key a...

Page 482: ...key on the screen or export it to a specified file so as to configure the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public ke...

Page 483: ...o Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Enter the key...

Page 484: ...A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minu...

Page 485: ...view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5...

Page 486: ...TRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 5...

Page 487: ...tp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to...

Page 488: ...03FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC...

Page 489: ...Contents 1 HABP Configuration 1 1 Introduction to HABP 1 1 Configuring HABP 1 2 Configuring the HABP Server 1 2 Configuring an HABP Client 1 2 Displaying and Maintaining HABP 1 3 HABP Configuration E...

Page 490: ...ort 802 1 client Otherwise the management device will fail to perform centralized management of the cluster member devices For more information about the cluster function refer to Cluster Configuratio...

Page 491: ...n the HABP server and the HABP clients is implemented through the management VLAN Configuring HABP Complete the following tasks to configure HABP z Configuring the HABP Server z Configuring an HABP Cl...

Page 492: ...tics display habp traffic Available in any view HABP Configuration Example Network requirements As shown in Figure 1 2 Switch A is the management device and connects two access devices Switch B and Sw...

Page 493: ...and Switch C Configure Switch B and Switch C to work in HABP client mode This configuration is usually unnecessary because HABP is enabled and works in client mode by default 3 Verify your configurati...

Page 494: ...Basic ACL 2 2 Configuration Prerequisites 2 2 Configuration Procedure 2 2 Configuring an Advanced ACL 2 3 Configuration Prerequisites 2 3 Configuration Procedure 2 3 Configuring an Ethernet Frame Head...

Page 495: ...Order z ACL Step z Effective Period of an ACL z IP Fragments Filtering with ACL ACL Classification ACLs identified by ACL numbers fall into three categories as shown in Table 1 1 Table 1 1 ACL categor...

Page 496: ...address wildcard and compare packets against the rule configured with more zeros in the source IP address wildcard 2 If two rules are present with the same number of zeros in their source IP address...

Page 497: ...n of a packet against ACL rules stops immediately after a match is found The packet is then processed as per the rule ACL Step Meaning of the step The step defines the difference between two neighbori...

Page 498: ...network As for the configuration of a rule of an IPv4 ACL the fragment keyword specifies that the rule applies to non first fragment packets only and does not apply to non fragment packets or the fir...

Page 499: ...e range time range name all Optional Available in any view You may create a maximum of 256 time ranges A time range can be one of the following z Periodic time range created using the time range time...

Page 500: ...ant to reference a time range in a rule define it with the time range command first Configuration Procedure Follow these steps to configure a basic ACL To do Use the command Remarks Enter system view...

Page 501: ...address destination IP address protocol carried over IP and other protocol header fields such as the TCP UDP source port number TCP UDP destination port number TCP flag ICMP message type and ICMP mes...

Page 502: ...ule has no rule description Note that z You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of...

Page 503: ...e time range name Required To create or modify multiple rules repeat this step Set the rule numbering step step step value Optional 5 by default Configure a description for the Ethernet frame header A...

Page 504: ...marks Enter system view system view Copy an existing ACL to generate a new one of the same type acl copy source acl number name source acl name to dest acl number name dest acl name Required z The sou...

Page 505: ...et frame header ACL to the interface to filter Ethernet frames packet filter acl number name acl name inbound Required By default an interface does not filter Ethernet frames Filtering IPv4 Packets Fo...

Page 506: ...study 8 00 to 18 00 daily Create basic ACL 2009 DeviceA acl number 2009 Create a basic ACL rule to deny packets sourced from 192 168 1 2 32 during time range study DeviceA acl basic 2009 rule deny sou...

Page 507: ...ng the Boot ROM Program Through Command Lines 1 4 Upgrading the Boot File Through Command Lines 1 5 Clearing the 16 bit Interface Indexes Not Used in the Current System 1 5 Identifying and Diagnosing...

Page 508: ...evice Optional Configuring the Scheduled Automatic Execution Function Optional Upgrading the Boot ROM Program Through Command Lines Optional Upgrading the Boot File Through Command Lines Optional Clea...

Page 509: ...es You can set a time at which the device can automatically reboot or set a delay so that the device can automatically reboot within the delay The last two methods are command line operations Reboot t...

Page 510: ...execution function enables the system to automatically execute a specified command at a specified time in a specified view This function is used for scheduled system upgrade or configuration Follow t...

Page 511: ...z Only the last configuration takes effect if you execute the schedule job command repeatedly Upgrading Device Software Device Software Overview Device software consists of the Boot ROM program and th...

Page 512: ...2 Use a command to specify the boot file for the next boot of the device 3 Reboot the device to make the boot file take effect When multiple Boot ROM files are available on the storage media you can...

Page 513: ...in user view A confirmation is required when you execute this command If you fail to make a confirmation within 30 seconds or enter N to cancel the operation the command will not be executed Identify...

Page 514: ...n data or archive information which is written to the storage component of a card during device debugging or testing The information includes name of the card device serial number and vendor name or n...

Page 515: ...ot number Available in any view Display the reboot time of a device display schedule reboot Available in any view Display detailed configurations of the scheduled automatic execution function display...

Page 516: ...Server luser aaa password cipher hello FTP Server luser aaa service type ftp FTP Server luser aaa authorization attribute work directory flash aaa z Use text editor on the FTP server to edit batch fi...

Page 517: ...pdate bat To ensure correctness of the file you can use the more command to view the content of the file Execute the scheduled automatic execution function to enable the device to be automatically upg...

Page 518: ...e for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 12 Configuration Pre...

Page 519: ...within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Page 520: ...ce B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of s...

Page 521: ...fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit ve...

Page 522: ...synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address...

Page 523: ...ends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and ent...

Page 524: ...o exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continu...

Page 525: ...a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mo...

Page 526: ...device ntp service unicast peer ip address peer name authentication keyid keyid priority source interface interface type interface number version number Required No symmetric passive peer is specified...

Page 527: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Page 528: ...authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 mult...

Page 529: ...command the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command Disabling an Interface from Receiving NTP Messages When NTP is enabled...

Page 530: ...vice z peer full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that...

Page 531: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Page 532: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Page 533: ...ce display ntp service trace Available in any view NTP Configuration Examples Configuring NTP Client Server Mode Network requirements z The local clock of Device A is to be used as a reference source...

Page 534: ...ed to Device A and the clock stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set up between Device B an...

Page 535: ...UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device C is 1 3 Configuration on Device C after D...

Page 536: ...1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 2 Configuring NTP Broadcast Mode Network requirements z Switch C s local clock is to be used as a reference source...

Page 537: ...chronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock p...

Page 538: ...interface 2 SwitchC interface vlan interface 2 SwitchC Vlan interface2 ntp service multicast server 2 Configuration on Switch D Configure Switch D to work in the multicast client mode and receive mult...

Page 539: ...e the multicast functions on Switch B before Switch A can receive multicast messages from Switch C Enable IP multicast routing and IGMP SwitchB system view SwitchB multicast routing enable SwitchB int...

Page 540: ...26 16 0 40 0 16 6 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Client Server Mode with Authentication Network requirements z The local c...

Page 541: ...t dispersion 1 05 ms Peer dispersion 7 81 ms Reference time 14 53 27 371 UTC Sep 19 2005 C6D94F67 5EF9DB22 As shown above Device B has been synchronized to Device A and the clock stratum level of Devi...

Page 542: ...itchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Switch D to work in th...

Page 543: ...atum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interfac...

Page 544: ...uction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 Configuring SNMP Trap 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMPv1 SNMPv2c Configu...

Page 545: ...NMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies Thus SNMP achieves effective management of devices from diffe...

Page 546: ...used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy...

Page 547: ...s are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid engineid...

Page 548: ...ed The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMP v3 for the version Configure a local engine ID for an SNMP entity snmp agent local engi...

Page 549: ...ndex of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system prompt information With parameters for the inform...

Page 550: ...t for the specific modules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information ou...

Page 551: ...in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps...

Page 552: ...e ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display snmp agent trap queue Display the mo...

Page 553: ...2 24 using public as the community name Sysname snmp agent trap enable Sysname snmp agent target host trap address udp domain 1 1 1 2 udp port 5000 params securityname public v1 Ensure that the SNMP v...

Page 554: ...Sysname system view Sysname undo snmp agent mib view ViewDefault Sysname snmp agent mib view included test interfaces Sysname snmp agent group v3 managev3group read view test write view test Sysname...

Page 555: ...ected through an Ethernet z The IP address of the NMS is 1 1 1 2 24 z The IP address of the agent is 1 1 1 1 24 z Configure SNMP logging on the agent to record the operations performed by the NMS to t...

Page 556: ...iption Jan 1 02 49 40 566 2006 The time when the SNMP log is generated seqNO Serial number of the SNMP log The system numbers the recorded SNMP logs automatically the serial number starts from 0 srcIP...

Page 557: ...MIB style may vary depending on the device model To implement NMS s flexible management of the device the device allows you to configure the MIB style that is you can switch between the two styles of...

Page 558: ...unction 1 3 Configuring the RMON Ethernet Statistics Function 1 4 Configuring the RMON History Statistics Function 1 4 Configuring the RMON Alarm Function 1 5 Configuration Prerequisites 1 5 Configura...

Page 559: ...e potion of broadcast packets received in the total packets reaches a certain value Both the RMON protocol and the Simple Network Management Protocol SNMP are used for remote network management z RMON...

Page 560: ...up Besides H3C also defines and implements the private alarm group which enhances the functions of the alarm group This section describes the five kinds of groups in general Event group The event grou...

Page 561: ...ethernetHistoryTable for query convenience of the management device The statistics data includes bandwidth utilization number of error packets and total number of packets A history group collects sta...

Page 562: ...tics Function Follow these steps to configure the RMON Ethernet statistics function To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type i...

Page 563: ...function z If the alarm variable is the MIB variable defined in the history group or the Ethernet statistics group you must make sure that the RMON Ethernet statistics function or the RMON history st...

Page 564: ...ld threshold value1 and falling threshold threshold value2 60 Prialarm Alarm variable formula alarm variable sampling interval sampling interval sampling type absolute changeratio or delta rising thre...

Page 565: ...sname display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmon is VALID Interface Ethernet1 1 ifIndex 3 etherStatsOctets 21657 etherStatsPkts 307 etherStatsBroadcastPkts 56...

Page 566: ...When traffic is above or below the thresholds Agent sends the corresponding traps to the NMS z Execute the display rmon statistics command on Agent to display the statistics result and query the stati...

Page 567: ...n startup enables risingOrFallingAlarm Latest value 0 Display statistics for interface GigabitEthernet 1 0 1 Sysname display rmon statistics GigabitEthernet 1 0 1 Statistics entry 1 owned by user1 rmo...

Page 568: ...Medium 1 5 Displaying and Maintaining the NAND Flash Memory 1 6 Setting File System Prompt Modes 1 7 File System Operations Example 1 7 2 Configuration File Management 2 1 Configuration File Overview...

Page 569: ...cking Up the Startup Configuration File 2 7 Deleting the Startup Configuration File for the Next Startup 2 8 Restoring the Startup Configuration File 2 9 Displaying and Maintaining Device Configuratio...

Page 570: ...ations and Setting File System Prompt Modes Filename Formats When you specify a file you must enter the filename in one of the following formats Filename formats Format Description Length Example file...

Page 571: ...iew Displaying the Current Working Directory To do Use the command Remarks Display the current working directory pwd Required Available in user view Changing the Current Working Directory To do Use th...

Page 572: ...cified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displ...

Page 573: ...storage space To delete a file in the recycle bin you need to execute the reset recycle bin command in the directory that the file originally belongs It is recommended to empty the recycle bin timely...

Page 574: ...s not bat use the rename command to change the suffix to bat 3 Execute the batch file Follow the steps below to execute a batch file To do Use the command Remarks Enter system view system view Execute...

Page 575: ...Displaying and repairing bad blocks It is common to have bad blocks when an NAND flash memory is shipped from the factory Bad block ratio varies with products of different vendors The frequently used...

Page 576: ...view Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert File System Operations Example Display the files and the subdirectories under the current di...

Page 577: ...1 8 Return to the upper directory Sysname cd Display the current working directory Sysname pwd flash...

Page 578: ...initialization when the device boots If this file does not exist the system boots using null configuration that is using the default parameters z Current configuration which refers to the currently r...

Page 579: ...he main and backup startup configuration files for the next boot of the device in the following two methods z Specify them when saving the current configuration For detailed configuration refer to Sav...

Page 580: ...current configuration and specify the configuration file as the main startup configuration file to be used at the next system startup z During the execution of the save safely backup main command the...

Page 581: ...n file but not in the current configuration file z The rollback operation removes the commands that are different in the replacement configuration file and in the current configuration file and then e...

Page 582: ...to the default meanwhile the saved configuration files are cleared z The value of the file number argument is determined by the memory space You are recommended to set a comparatively small value for...

Page 583: ...on and save it manually If the modification to the configuration fails or is complicated you can save the current running configuration manually before you modify it Therefore if it really fails the d...

Page 584: ...e for the Next System Startup A startup configuration file is the configuration file to be used at the next system startup You can specify a configuration file as the startup configuration file to be...

Page 585: ...d at the next system startup using commands On a device that has the main and backup startup configuration files you can choose to delete either the main or backup startup configuration file However i...

Page 586: ...s reachable the server is enabled with TFTP service and the client has read and write permission z After the command is successfully executed you can use the display startup command in user view to ve...

Page 587: ...the command Remarks Display the current configuration display current configuration configuration configuration interface interface type interface number by linenum begin include exclude text Availab...

Page 588: ...nd Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debuggin...

Page 589: ...ping function is implemented through the Internet Control Message Protocol ICMP 1 The source device sends an ICMP echo request to the destination device 2 The source device determines whether the des...

Page 590: ...Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING...

Page 591: ...atistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo reques...

Page 592: ...s the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3...

Page 593: ...ity of protocols and features supported the system provides corresponding debugging information to help users diagnose errors The following two switches control the display of debugging information z...

Page 594: ...l monitor Optional The terminal monitoring on the console is enabled by default and that on the monitoring terminal is disabled by default Available in user view Enable the terminal display of debuggi...

Page 595: ...eviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5...

Page 596: ...he Display of Copyright Information 1 6 Configuring a Banner 1 7 Configuring CLI Hotkeys 1 8 Configuring User Privilege Levels and Command Levels 1 9 Displaying and Maintaining Basic Configurations 1...

Page 597: ...run normally when it has no configuration file or the configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved...

Page 598: ...ser view system view Required Available in user view Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For exampl...

Page 599: ...zone and daylight saving time You can view the system clock by using the display clock command Follow these steps to configure the system clock To do Use the command Remarks Set time and date clock da...

Page 600: ...ffset Configure clock timezone zone time add 1 Display 02 00 00 zone time Sat 01 01 2005 1 and 2 date time zone offset Configure clock datetime 2 00 2007 2 2 and clock timezone zone time add 1 Display...

Page 601: ...0 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 D...

Page 602: ...ummer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 3 00 2008 1 1 Display 03 00 00 ss Tue 01 01 2008 Enabling Disabling the Display of Copyright Information z With the display of co...

Page 603: ...the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the input text together with the command keywords cannot e...

Page 604: ...in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G...

Page 605: ...the right Esc N Moves the cursor down by one line available before you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of t...

Page 606: ...TP TFTP Xmodem command download user management level setting as well as parameter setting within a system the last case involves those non protocol or non RFC provisioned commands Configuring user pr...

Page 607: ...mmands z For the introduction to SSH refer to SSH 2 0 Configuration 2 Example of configuring user privilege level by using AAA authentication parameters Authenticate the users telnetting to the device...

Page 608: ...ging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interface is 3 and that for users logging fro...

Page 609: ...tion and use the following commands Sysname User view commands cluster Run cluster command debugging Enable system debugging functions display Display current system information ping Ping function qui...

Page 610: ...peration by others Users can switch from a high user privilege level to a low user privilege level without entering a password when switching from a low user privilege level to a high user privilege l...

Page 611: ...lay information on system version display version Display information on the system clock display clock Display information on terminal users display users all Display the valid configuration under cu...

Page 612: ...at your own or lower levels Refer to Configuring User Privilege Levels and Command Levels for details z Easy access to on line help by entering z Abundant debugging information for fault diagnosis z...

Page 613: ...view Sysname interface vlan interface 1 4094 VLAN interface number Sysname interface vlan interface 1 cr Sysname interface vlan interface 1 Where cr indicates that there is no parameter at this posit...

Page 614: ...ute a command the system automatically goes to the next line if the maximum length of the command is reached You cannot press Enter to go to the next line otherwise the system will automatically execu...

Page 615: ...exclude and include keywords is as follows z begin Displays the line that matches the regular expression and all the subsequent lines z exclude Displays the lines that do not match the regular express...

Page 616: ...12 can match 40812 or 408121212 But it cannot match 408 index Repeats a specified character group for once A character group refers to the string in before index refers to the sequence number starting...

Page 617: ...f the characters will be removed For example can match a string containing can match a string containing and b can match a string containing b Multiple screen output When there is a lot of information...

Page 618: ...erface For the detailed description of the history command max size command refer to Login Commands The following table lists the operations that you can perform In addition z The commands saved in th...

Page 619: ...f they have no syntax error Otherwise error information is reported Table 1 7 lists some common errors Table 1 7 Common command line errors Error information Cause The command was not found The keywor...

Page 620: ...ation to the Console 1 7 Outputting System Information to a Monitor Terminal 1 8 Outputting System Information to a Log Host 1 9 Outputting System Information to the Trap Buffer 1 10 Outputting System...

Page 621: ...rs and developers in monitoring network performance and diagnosing network problems The following describes the working process of information center z Receives the log trap and debugging information...

Page 622: ...enormous information waiting for processing Classification of System Information The system information of the information center falls into three types z Log information z Trap information z Debuggin...

Page 623: ...tput destinations can be changed through commands Besides you can configure channels 7 8 and 9 without changing the default configuration of the eight channels Table 1 2 Information channels and outpu...

Page 624: ...face log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher than warning is allowed to...

Page 625: ...MP or log file the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the devi...

Page 626: ...and to modify the system name Refer to Basic System Configuration Commands for details This field is a preamble used to identify a vendor It is displayed only when the output destination is log host n...

Page 627: ...P Module Optional Outputting System Information to the Web Interface Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system informa...

Page 628: ...ogging Optional Enabled by default Enable the display of trap information on the console terminal trapping Optional Enabled by default Outputting System Information to a Monitor Terminal System inform...

Page 629: ...nable the display of debugging information on a monitor terminal terminal debugging Required Disabled by default Enable the display of log information on a monitor terminal terminal logging Optional E...

Page 630: ...ate no year date none Optional date by default Outputting System Information to the Trap Buffer The trap buffer receives the trap information only and discards the log and debugging information even i...

Page 631: ...th a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can be o...

Page 632: ...el with a specified channel number info center channel channel number name channel name Optional Refer to Table 1 2 for default channel names Configure the channel through which system information can...

Page 633: ...ation info center source module name default channel channel number channel name debug level severity state state log level severity state state trap level severity state state Optional Refer to Defau...

Page 634: ...n in some cases for example z You only concern the states of some of the ports In this case you can use this function to disable the other ports from generating link up down logging information z The...

Page 635: ...og file display logfile summary Available in any view Display the state of the trap buffer and the trap information recorded display trapbuffer reverse size buffersize Available in any view Reset the...

Page 636: ...utput to the log host Note that the source modules allowed to output information depend on the device model Sysname info center source arp channel loghost log level informational state on Sysname info...

Page 637: ...l be able to record log information into the log file Outputting Log Information to a Linux Log Host Network requirements z Send log information to a Linux log host with an IP address of 1 2 0 1 16 z...

Page 638: ...on messages local5 info var log Device info log In the above configuration local5 is the name of the logging facility used by the log host to receive logs info is the information level The Linux syste...

Page 639: ...es on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configurations for different channels are different you need...

Page 640: ...ysname terminal logging Info Current terminal logging is on After the above configuration takes effect if the specified module generates log information the information center automatically sends the...

Page 641: ...Table Entries 1 2 MAC Address Table Based Frame Forwarding 1 2 Configuring a MAC Address Table 1 3 Configuring MAC Address Table Entries 1 3 Configuring the Aging Timer for Dynamic MAC Address Entries...

Page 642: ...ound the frame is forwarded rather than broadcast Thus broadcasts are reduced How a MAC Address Table Entry Is Created A MAC address table entry can be dynamically learned or manually configured Dynam...

Page 643: ...ses Types of MAC Address Table Entries A MAC address table may contain these types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be manually c...

Page 644: ...ally by learning the source MAC addresses of received frames To improve port security you can manually add MAC address entries to the MAC address table to bind ports with MAC addresses thus fending of...

Page 645: ...ress entry Configuring the Aging Timer for Dynamic MAC Address Entries The MAC address table on your device is available with an aging mechanism for dynamic entries In this way dynamic MAC address ent...

Page 646: ...teps to configure the MAC learning limit on an Ethernet port Layer 2 aggregate interface or the Ethernet ports in a port group To do Use the command Remarks Enter system view system view Enter Etherne...

Page 647: ...ty sake add a destination blackhole MAC address entry on the device to prevent the host from receiving packets z Set the aging timer for dynamic MAC address entries to 500 seconds Configuration proced...

Page 648: ...1 7 1 mac address es found View the aging time of dynamic MAC address entries Sysname display mac address aging time Mac address aging time 500s...

Page 649: ...ishing a Cluster 1 9 Configuring Communication Between the Management Device and the Member Devices Within a Cluster 1 10 Cluster Member Management 1 11 Configuring the Member Devices 1 11 Enabling ND...

Page 650: ...configuration and management tasks By configuring a public IP address on one device you can configure and manage a group of devices without the trouble of logging in to each device separately z Provid...

Page 651: ...r A member device becomes a candidate device after it is removed from the cluster How a Cluster Works Cluster management is implemented through HW Group Management Protocol version 2 HGMPv2 which cons...

Page 652: ...NDP information of all the devices in a specific network range as well as the connection information of all its neighbors The information collected will be used by the management device or the network...

Page 653: ...Disconnect Connect z After a cluster is created a candidate device is added to the cluster and becomes a member device the management device saves the state information of its member device and identi...

Page 654: ...he management VLAN cannot pass a port the device connected with the port cannot be added to the cluster Therefore if the ports including the cascade ports connecting the management device and the memb...

Page 655: ...for a Cluster Optional z Disabling the NDP and NTDP functions on the management device and member devices after a cluster is created will not cause the cluster to be dismissed but will influence the...

Page 656: ...do not need to join the cluster preventing the management device from adding the device which needs not to join the cluster and collecting the topology information of this device Configuring NDP Para...

Page 657: ...the maximum hops for collecting topology information you can get topology information of the devices in a specified range thus avoiding unlimited topology collection After the interval for collecting...

Page 658: ...e topology information collection thus managing and monitoring the device on real time regardless of whether a cluster is created Follow these steps to configure to manually collect topology informati...

Page 659: ...ing Communication Between the Management Device and the Member Devices Within a Cluster In a cluster the management device and member devices communicate by sending handshake packets to maintain conne...

Page 660: ...mac address mac address password password Required Removing a member device To do Use the command Remarks Enter system view system view Enter cluster view cluster Remove a member device from the clus...

Page 661: ...er devices of a cluster To do Use the command Remarks Switch from the operation interface of the management device to that of a member device cluster switch to member number mac address mac address Re...

Page 662: ...a Cluster Configuring Topology Management The concepts of blacklist and whitelist are used for topology management An administrator can diagnose the network by comparing the current topology namely t...

Page 663: ...information topology restore from ftp server local flash Optional Configuring Interaction for a Cluster After establishing a cluster you can configure FTP TFTP server NM host and log host for the clus...

Page 664: ...interface name Optional To isolate management protocol packets of a cluster from packets outside the cluster you are recommended to configure to prohibit packets from the management VLAN from passing...

Page 665: ...ndp statistics interface interface list Available in user view Support for the display ntdp single device command depends on the device model Cluster Management Configuration Example Network requireme...

Page 666: ...terface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As th...

Page 667: ...port as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Configure ports GigabitEthernet 1 2 and GigabitEthernet 1 3 as T...

Page 668: ...69 172 55 4 Add the device whose MAC address is 000f e201 0013 to the blacklist abc_0 SwitchB cluster black list add mac 000f e201 0013 abc_0 SwitchB cluster quit Add port GigabitEthernet 1 0 1 to VLA...

Page 669: ...n ACL 1 2 Displaying and Maintaining HTTP 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HT...

Page 670: ...y the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You...

Page 671: ...ber of the HTTP service is 80 If you execute the ip http port command for multiple times the last configured port number is used Associating the HTTP Service with an ACL By associating the HTTP servic...

Page 672: ...1 3 Displaying and Maintaining HTTP To do Use the command Remarks Display information about HTTP display ip http Available in any view...

Page 673: ...nts to access the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the se...

Page 674: ...nly associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again y...

Page 675: ...e steps to associate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate att...

Page 676: ...rks Enter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default z If you execute the ip https acl command for multiple times to ass...

Page 677: ...pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Device pki...

Page 678: ...SSL server policy Associate the HTTPS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy...

Page 679: ...Configuring the Master Device of a Stack 1 2 Configuring a Private IP Address Pool for a Stack 1 2 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 3 Loggi...

Page 680: ...stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to one anoth...

Page 681: ...t Complete the following tasks to configure stack Task Remarks Configuring a Private IP Address Pool for a Stack Required Configuring Stack Ports Required Configuring the Master Device of a Stack Crea...

Page 682: ...pecified ports as stack ports stack stack port stack port num port interface list Required By default a port is not a stack port Creating a Stack After you execute the stack role master command on a s...

Page 683: ...tions for the slave device Follow the step below to log in to the CLI of a slave device from the master device To do Use the command Remarks Log in to the CLI of the specified slave device from the ma...

Page 684: ...witchA stack stack port 1 port gigabitethernet 1 0 1 Configure switch A as the master device SwitchA stack role master 2 Configure the slave devices On Switch B configure local ports GigabitEthernet 1...

Page 685: ...Slave Sysname stack_1 SwitchB Device type H3C S5120 MAC address 000f e200 1001 Number 2 Role Slave Sysname stack_2 DeviceC Device type H3C S5120 MAC address 000f e200 1002 Number 3 Role Slave Sysname...

Page 686: ...Application Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router...

Page 687: ...and Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain R...

Page 688: ...oint Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavel...

Page 689: ...ernet GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC H...

Page 690: ...IPSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IS Intermediate System ISATAP Intra Site Automatic Tunnel Addressing Protocol ISDN Inte...

Page 691: ...tate Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data Unit LSPM Label Switch Path Manageme...

Page 692: ...Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Multicast VPN Routing and Forwarding...

Page 693: ...ier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB Printed Circuit Board P...

Page 694: ...o wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority RADIUS Remote Authent...

Page 695: ...gnal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicast Distribution Tree...

Page 696: ...A Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBase TFTP Trivial File Tr...

Page 697: ...Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary VTY Virtu...

Reviews:

No comments

Brands by name

Popular brands

Load more brands