H3C S5810 Series Operation Manual Download Page 551

Page: 551 / 820

3-3

Configuration Prerequisites

If you want to reference a time range in a rule, define it with the

time-range

command first.

Configuration Procedure

Follow these steps to configure an advanced IPv6 ACL:

To do…

Use the command…

Remarks

Enter system view

system-view

––

Create an advanced IPv6
ACL and enter its view

acl ipv6

number

acl6-number

[

name

acl6-name

] [

match-order

{

auto

config

} ]

Required

The default match order is

config

If you specify a name for an
IPv6 ACL when creating the
ACL, you can use the

acl

ipv6 name

acl6-name

command to enter the view of
the ACL later.

Create or modify a rule

rule

[

rule-id

] {

deny

permit

}

protocol

[ {

ack

ack-value

fin

fin-value

psh

psh-value

rst

rst-value

syn

syn-value

urg

urg-value

} * |

destination

{

dest

dest-prefix | dest/dest-prefix | any

} |

destination-port operator port1

[

port2

] |

dscp

dscp | fragment

icmpv6-type

{

icmpv6-type

icmpv6-code

icmpv6-message

} |

logging

source

{

source

source-prefix | source/source-prefix |
any

} |

source-port operator port1

[

port2

] |

time-range

time-range-name

] *

Required

To create or modify multiple
rules, repeat this step.

When an advanced IPv6 ACL
is referenced by a QoS policy
for traffic classification:

If the QoS policy is applied
to the inbound or
outbound direction, the
keywords of

logging

ack

fin

psh

rst

syn

, and

urg

are not supported.

If the QoS policy is applied
to the outbound direction,
the keywords of

icmp6-type

is not

supported.

Set the rule numbering step

step

step-value

Optional

5 by default

Configure a description for
the advanced IPv6 ACL

description

text

Optional

By default, an advanced IPv6
ACL has no ACL description.

Configure a rule description

rule

rule-id comment

text

Optional

By default, an IPv6 ACL rule
has no rule description.

Note that:

You can only modify the existing rules of an ACL that uses the match order of

config

. When

modifying a rule of such an ACL, you may choose to change just some of the settings, in which

case the other settings remain the same.

Summary of Contents for S5810 Series

Page 1: ...H3C S5810 Series Ethernet Switches Operation Manual Hangzhou H3C Technologies Co Ltd http www h3c com Manual Version 6W100 20090626 Product Version Release 1102...

Page 2: ...G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the property of their respective o...

Page 3: ...w IGMP Snooping Multicast VLAN 05 QoS Volume QoS AAA IP Source Guard SSH2 0 PKI 06 Security Volume SSL Public Key ACL Login Basic System Configuration Device Management File System Management HTTP SNM...

Page 4: ...ols Convention Description Means reader be extremely careful Improper operation may cause bodily injury Means reader be careful Improper operation may cause data loss or damage to equipment Means an a...

Page 5: ...rovides information about products and technologies as well as solutions Technical Support Document Technical Documents Provides several categories of product documentation such as installation operat...

Page 6: ...bsite 1 1 Software Release Notes 1 1 2 Product Features 2 1 Introduction to Product 2 1 Feature Lists 2 1 3 Features 3 1 Access Volume 3 1 IP Services Volume 3 3 IP Routing Volume 3 4 IP Multicast Vol...

Page 7: ...the H3C website Table 1 1 Download documentation from the H3C website How to apply for an account Access the homepage of H3C at http www h3c com and click Registration at the top right In the displaye...

Page 8: ...cuments are divided into the volumes as listed in Table 2 1 Table 2 1 Feature list Volume Features Ethernet Interface Link Aggregation Port Isolation Loopback Interface and Null Interface DLDP LLDP MS...

Page 9: ...rface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring the Storm Constrain Function on an Ethernet Interface Link aggregation Link aggreg...

Page 10: ...ion to MSTP z Configuring the Root Bridge z Configuring Leaf Nodes z Performing mCheck z Configuring the VLAN Ignore Feature z Configuring Digest Snooping z Configuring No Agreement Check z Configurin...

Page 11: ...TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address This document describes z ARP Overview z Co...

Page 12: ...es in IP Multicast volume Features Description Multicast Overview This document describes the main concepts in multicast z Introduction to Multicast z Multicast Models z Multicast Architecture z Multi...

Page 13: ...om traveling through thus improving the network security This document describes z Configuring a Static Binding Entry z Configuring Dynamic Binding Function SSH2 0 SSH ensures secure login to a remote...

Page 14: ...me message user privilege levels and so on This document describes z Configuration display z Basic configurations z CLI features Device Management Through the device management function you can view t...

Page 15: ...Center classifies and manages all types of system information This document describes z Information Center Overview z Setting to Output System Information to the Console z Setting to Output System Inf...

Page 16: ...nt Device and Its Member Devices z Adding a Candidate Device to a Cluster z Configuring Advanced Cluster Functions Stack Management A stack is a set of network devices Administrators can group multipl...

Page 17: ...lication Layer Gateway AM accounting management ANSI American National Standard Institute AP Access Point ARP Address Resolution Protocol AS Autonomous System ASBR Autonomous System Border Router ASCI...

Page 18: ...Telegraph Consultative Committee CE Customer Edge CFD Connectivity Fault Detection CFM Configuration File Management CHAP Challenge Handshake Authentication Protocol CIDR Classless Inter Domain Routi...

Page 19: ...Priority DSP Digital Signal Processor DTE Data Terminal Equipment DU Downstream Unsolicited D V Distance Vector Routing Algorithm DVMRP Distance Vector Multicast Routing Protocol DWDM Dense Wavelengt...

Page 20: ...t GR Graceful Restart GRE Generic Routing Encapsulation GTS Generic Traffic Shaping GVRP GARP VLAN Registration Protocol H Return HA High Availability HABP HW Authentication Bypass Protocol HDLC High...

Page 21: ...PSec IP Security IPTN IP Phone Telephony Network IPv6 Internet protocol version 6 IPX Internet Packet Exchange IRF Intelligent Resilient Framework IS Intermediate System ISATAP Intra Site Automatic Tu...

Page 22: ...LRTT Loop Round Trip Time LSA Link State Advertisement LSAck Link State Acknowledgment LSDB Link State Database LSP Label Switch Path LSPAGENT Label Switched Path AGENT LSPDU Link State Protocol Data...

Page 23: ...verhead MSTI Multi Spanning Tree Instance MSTP Multiple Spanning Tree Protocol MT Multicast Tunnel MTBF Mean Time Between Failure MTI Multicast Tunnel Interface MTU Maximum Transmission Unit MVRF Mult...

Page 24: ...OC 3 OID Object Identifier OL Optical Line OSI Open Systems Interconnection OSPF Open Shortest Path First P Return P2MP Point to MultiPoint P2P Point To Point PAP Password Authentication Protocol PCB...

Page 25: ...tual Channel PW Pseudo wires Q Return QACL QoS ACL QinQ 802 1Q in 802 1Q QoS Quality of Service QQIC Querier s Query Interval Code QRV Querier s Robustness Variable R Return RA Registration Authority...

Page 26: ...Fairness Frame SD Signal Degrade SDH Synchronous Digital Hierarchy SETS Synchronous Equipment Timing Source SF Sampling Frequency SFM Source Filtered Multicast SFTP Secure FTP Share MDT Share Multicas...

Page 27: ...ibution Tree T Return TA Terminal Adapter TACACS Terminal Access Controller Access Control System TDM Time Division Multiplexing TCP Transmission Control Protocol TE Traffic Engineering TEDB TE DataBa...

Page 28: ...I Virtual Path Identifier VPLS Virtual Private Local Switch VPN Virtual Private Network VRID Virtual Router ID VRRP Virtual Router Redundancy Protocol VSI Virtual Switch Interface VT Virtual Tributary...

Page 29: ...abling Forwarding of Jumbo Frames z Enabling Loopback Detection on an Ethernet Interface z Configuring the MDI Mode for an Ethernet Interface z Testing the Cable on an Ethernet Interface z Configuring...

Page 30: ...he conditions of the communications links This document describes z Introduction to LLDP z Performing Basic LLDP Configuration z Configuring LLDP Trapping MSTP MSTP is used to eliminate loops in a LAN...

Page 31: ...AN GVRP GVRP is a GARP application This document describes z GARP overview z GVRP configuration z GARP Timers configuration Port Mirroring Port mirroring copies packets passing through a port to anoth...

Page 32: ...to Power Down on an Ethernet Interface 1 4 Configuring a Port Group 1 5 Configuring Storm Suppression 1 5 Setting the Interval for Collecting Ethernet Interface Statistics 1 6 Enabling Forwarding of J...

Page 33: ...view system view Enter Ethernet interface view interface interface type interface number Enable a specified double Combo port undo shutdown Optional By default of the two ports in a Combo port the one...

Page 34: ...ernet interfaces z Full duplex mode full Interfaces operating in this mode can send and receive packets simultaneously z Half duplex mode half Interfaces operating in this mode can either send or rece...

Page 35: ...ts do not support the duplex command or the speed command Configuring Flow Control on an Ethernet Interface When flow control is enabled on both sides if traffic congestion occurs at the ingress inter...

Page 36: ...loopback test if an interface is down only the former is available on it if the interface is shut down both are unavailable z The speed duplex mdi and shutdown commands are not applicable during loop...

Page 37: ...view Create a manual port group and enter manual port group view port group manual port group name Required Add Ethernet interfaces to the manual port group group member interface list Required Config...

Page 38: ...adcast multicast and unknown unicast storm suppression ratios on a port using different suppression standards percentage of the total bandwidth packets per second or kilobytes per second the system au...

Page 39: ...ops may cause broadcast storms The purpose of loopback detection is to detect loops on an interface When loopback detection is enabled on an Ethernet interface the device periodically checks whether t...

Page 40: ...n be used to connect Ethernet devices crossover cable and straight through cable To accommodate these two types of cables an Ethernet interface on a device can operate in one of the following three Me...

Page 41: ...e packet If such an entry exists but the egress interface in the entry is the receiving interface itself the device discards this packet However if bridging is enabled on the receiving interface the d...

Page 42: ...can specify the system to act as follows when the traffic detected exceeds the threshold z Blocking the interface In this case the interface is blocked and thus stops forwarding the traffic of this ty...

Page 43: ...next period Thus it is normal that a period longer than one statistic period is waited for a control action to happen if you enable the function while the packet storm is present However the action w...

Page 44: ...1 12 To do Use the command Remarks Display the information about storm constrain display storm constrain broadcast multicast unicast interface interface type interface number Available in any view...

Page 45: ...Dynamic Aggregation Group 1 6 Configuring an Aggregate Interface 1 7 Configuring the Description of an Aggregate Interface 1 7 Enabling LinkUp LinkDown Trap Generation for an Aggregate Interface 1 8...

Page 46: ...ese member ports can dynamically back up each other Basic Concepts of Link Aggregation Aggregate interface An aggregate interface is a logical Layer 2 or Layer 3 aggregate interface Aggregation group...

Page 47: ...aces to determine the interfaces that can operate as selected interfaces This allows the two systems to reach an agreement on which link aggregation member ports should be placed in selected state Ope...

Page 48: ...ment which makes dynamic aggregation instable Static aggregation mode LACP is disabled on the member ports in a static aggregation group In a static aggregation group the system sets a port to selecte...

Page 49: ...are the same compare the system MAC addresses The system with the smaller MAC address wins out z Compare the port IDs of the ports on the system with the smaller system ID A port ID comprises a port L...

Page 50: ...ber port Link Aggregation Configuration Task List Complete the following tasks to configure link aggregation Task Remarks Configuring a Static Aggregation Group Configuring an Aggregation Group Config...

Page 51: ...s the corresponding aggregation group At the same time the member ports of the aggregation group if any leave the aggregation group z To guarantee a successful static aggregation ensure that the ports...

Page 52: ...z Removing a dynamic aggregate interface also removes the corresponding aggregation group At the same time the member ports of the aggregation group if any leave the aggregation group z To guarantee...

Page 53: ...p generation is enabled globally and on all interfaces Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enable linkUp linkDown trap generation for the aggregate int...

Page 54: ...nd Remarks Enter system view system view Configure the global link aggregation load sharing mode link aggregation load sharing mode destination ip destination mac destination port ingress port source...

Page 55: ...these configurations consistent you should configure the port manually z Reference port Select a port as the reference port from the ports that are in up state and with the same class two configuratio...

Page 56: ...t1 0 1 port link aggregation group 1 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEthernet1 0 2 port link aggregation group 1 DeviceA GigabitEthernet1 0 2 q...

Page 57: ...rface bridge aggregation 1 DeviceA Bridge Aggregation1 link aggregation mode dynamic DeviceA Bridge Aggregation1 quit Assign Ethernet interfaces GigabitEthernet1 0 1 through GigabitEthernet1 0 3 to ag...

Page 58: ...Port Isolation 1 1 Configuring the Isolation Group for a Isolation Group Device 1 2 Assigning a Port to the Isolation Group 1 2 Specifying the Uplink Port for the Isolation Group 1 2 Displaying and Ma...

Page 59: ...ere is no restriction on the number of ports assigned to an isolation group The member port of an aggregation group cannot be configured as the uplink port of an isolation group and vice versa If you...

Page 60: ...m view system view Enter Ethernet interface view interface interface type interface number Enter Layer 2 aggregate interface view interface bridge aggregation interface number Enter interface view or...

Page 61: ...configured these ports are set to the unselected state in the aggregation group that is these ports cannot forward user traffic Configure the current port as the uplink port of the isolation group por...

Page 62: ...orts GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 to the isolation group Device system view Device interface gigabitethernet 1 0 1 Device GigabitEthernet1 0 1 port isolate ena...

Page 63: ...1 5 Port isolate group information Uplink port support YES Group ID 1 Uplink port GigabitEthernet1 0 4 Group members GigabitEthernet1 0 1 GigabitEthernet1 0 2 GigabitEthernet1 0 3...

Page 64: ...ration 1 1 Loopback Interface 1 1 Introduction to Loopback Interface 1 1 Configuring a Loopback Interface 1 1 Null Interface 1 2 Introduction to Null Interface 1 2 Configuring Null 0 Interface 1 2 Dis...

Page 65: ...ion or security server to permit or deny packets generated by a device you can streamline the rule by configuring it to permit or deny packets carrying the loopback interface address identifying the d...

Page 66: ...ace is always up However you can neither use it to forward data packets nor configure an IP address or link layer protocol on it With a null interface specified as the next hop of a static route to a...

Page 67: ...n of an interface is the interface name followed by the Interface string Displaying and Maintaining Logical Interfaces To do Use the command Remarks Display information about loopback interfaces displ...

Page 68: ...etting the Interval for Sending Advertisement Packets 1 10 Setting the DelayDown Timer 1 10 Setting the Port Shutdown Mode 1 11 Configuring DLDP Authentication 1 11 Resetting DLDP State 1 12 Resetting...

Page 69: ...shooting Overview Sometimes unidirectional links may appear in networks On a unidirectional link one end can receive packets from the other end but the other end cannot Unidirectional links result in...

Page 70: ...nd DLDP ensures that physical logical unidirectional links can be detected and shut down and prevents failure of other protocols such as STP If both ends of a link are operating normally at the physic...

Page 71: ...isement packets which defaults to 5 seconds Probe timer Determines the interval to send Probe packets which defaults to 0 5 seconds That is a device in the probe state sends two Probe packets every se...

Page 72: ...mal DLDP mode when an entry timer expires the device removes the corresponding neighbor entry and sends an Advertisement packet with RSY tag z In enhanced DLDP mode when an entry timer expires the Enh...

Page 73: ...The receiving side checks the values of the two fields of received DLDP packets and drops the packets with the two fields conflicting with the corresponding local configuration z Plain text authentic...

Page 74: ...onding neighbor entry does not exist creates the neighbor entry triggers the Entry timer and transits to Probe state Advertisement packet with RSY tag Retrieving the neighbor information If the corres...

Page 75: ...rmation If not no process is performed LinkDown packet Check to see if the local port operates in Enhanced mode If yes and the local port is not in Disable state the local transits to Disable state 3...

Page 76: ...s state when it is just detected and is being probed No information indicating the state of the neighbor is received A neighbor is in this state only when it is being probed It transits to Two way sta...

Page 77: ...DP globally dldp enable Required Globally disabled by default Enter Ethernet port view interface interface type interface number Enter Ethernet port view or port group view Enter port group view port...

Page 78: ...me for the device to detect unidirectional links thus causing more traffic forwarding errors if the interval is too short unnecessary Advertisement packets can be generated to consume bandwidth Theref...

Page 79: ...dministrator z Auto mode In this mode when a unidirectional link is detected DLDP transits to Disable state generates log and traps and set the port as DLDP Down Follow these steps to set port shutdow...

Page 80: ...Port view Port Group View The DLDP state that the port transits to upon the DLDP state reset operation depends on its physical state If the port is physically down it transits to Inactive state if the...

Page 81: ...ion Example Network requirements z Device A and Device B are connected through two fiber pairs in which two fibers are cross connected as shown in Figure 1 4 z It is desired that the unidirectional li...

Page 82: ...A DeviceA display dldp DLDP global status enable DLDP interval 6s DLDP work mode enhance DLDP authentication mode none DLDP unidirectional shutdown auto DLDP delaydown timer 2s The number of enabled p...

Page 83: ...time 11 The output information indicates that both GigabitEthernet 1 0 49 and GigabitEthernet 1 0 50 are in Advertisement state and the links are up which means unidirectional links are not detected...

Page 84: ...erating Mode 1 8 Setting the LLDP Re Initialization Delay 1 8 Enable LLDP Polling 1 8 Configuring the TLVs to Be Advertised 1 9 Configuring the Management Address and Its Encoding Format 1 9 Setting t...

Page 85: ...The protocol operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information including its major functions managemen...

Page 86: ...E a multicast MAC address Source MAC address The MAC address of the sending port If the port does not have a MAC address the MAC address of the sending bridge is used Type The Ethernet type for the up...

Page 87: ...ypes of TLVs of which the chassis ID TLV port ID TLV TTL TLV and end of LLDPDU TLV end TLV in the figure are mandatory TLVs that must be carried and other TLVs are optional TLVs TLVs are type length a...

Page 88: ...evice System Description Description of the sending device System Capabilities Identifies the primary functions of the sending device and the primary functions that have been enabled Management Addres...

Page 89: ...TLVs Type Description LLDP MED Capabilities Allows a MED endpoint to advertise the supported LLDP MED TLVs and its device type Network Policy Allows a network device or MED endpoint to advertise LAN t...

Page 90: ...ion changes To prevent the network from being overwhelmed by LLDP frames at times of frequent local device information change an interval is introduced between two successive LLDP frames This interval...

Page 91: ...Ethernet interface view takes effect only on the current port and those made in port group view takes effect on all ports in the current port group Performing Basic LLDP Configuration Enabling LLDP To...

Page 92: ...s on a port the port initializes the protocol state machines after a certain delay By adjusting the LLDP re initialization delay you can avoid frequent initializations caused by frequent LLDP operatin...

Page 93: ...ce type country code ca type ca value 1 10 elin address tel number network policy power over ethernet Optional By default all types of LLDP TLVs except location identification TLV are advertisable Con...

Page 94: ...on a recipient device You can configure the TTL of locally sent LLDP frames to determine how long information about the local device can be saved on a neighbor device by setting the TTL multiplier Th...

Page 95: ...ated in Ethernet II frames If the neighbor devices encapsulate LLDPDUs in SNAP frames you can configure the encapsulation format for LLDPDUs as SNAP thus guaranteeing communication with the other devi...

Page 96: ...bal interface interface type interface number Available in any view Display the information contained in the LLDP TLVs received through a port display lldp neighbor information interface interface typ...

Page 97: ...ernet1 0 2 lldp admin status rx SwitchA GigabitEthernet1 0 2 quit 2 Configure Switch B Enable LLDP globally SwitchB system view SwitchB lldp enable Enable LLDP on GigabitEthernet1 0 1 setting the LLDP...

Page 98: ...eived unknown TLV 3 As the sample output shows GigabitEthernet1 0 1 of Switch A connects a MED device and GigabitEthernet1 0 2 of Switch A connects a non MED device Both ports operate in Rx mode that...

Page 99: ...f received unknown TLV 5 Port 2 GigabitEthernet1 0 2 Port status of LLDP Enable Admin status Rx_Only Trap flag No Roll time 0s Number of neighbors 0 Number of MED neighbors 0 Number of CDP neighbors 0...

Page 100: ...witched Network 1 21 Configuring Timers of MSTP 1 22 Configuring the Timeout Factor 1 23 Configuring the Maximum Port Rate 1 24 Configuring Ports as Edge Ports 1 25 Setting the Link Type of a Port to...

Page 101: ...isites 1 36 Configuration Procedure 1 36 Configuration Example 1 36 Configuring No Agreement Check 1 37 Configuration Prerequisites 1 38 Configuration Procedure 1 38 Configuration Example 1 39 Configu...

Page 102: ...ning Tree Protocol MSTP This chapter describes the characteristics of STP RSTP and MSTP and the relationship among them Introduction to STP Why STP The Spanning Tree Protocol STP was developed based o...

Page 103: ...e root bridge is called the root port The root port is responsible for communication with the root bridge Each non root bridge has one and only one root port The root bridge has no root port 3 Designa...

Page 104: ...e spanning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the...

Page 105: ...rity than that of the configuration BPDU generated by the port the device discards the received configuration BPDU and does not process the configuration BPDU of this port z If the received configurat...

Page 106: ...ice z The designated port ID is replaced with the ID of this port 3 The device compares the calculated configuration BPDU with the configuration BPDU on the port of which the port role is to be define...

Page 107: ...eceives the configuration BPDU of Device B 1 0 1 BP1 Device A finds that the configuration BPDU of the local port 0 0 0 AP1 is superior to the received configuration BPDU and therefore discards the re...

Page 108: ...ort BP1 0 0 0 AP1 Designated port BP2 0 5 1 BP2 z Port CP1 receives the configuration BPDU of Device A 0 0 0 AP2 Device C finds that the received configuration BPDU is superior to the configuration BP...

Page 109: ...ison processes described in the table above a spanning tree with Device A as the root bridge is established as shown in Figure 1 3 Figure 1 3 The final calculated spanning tree The spanning tree calcu...

Page 110: ...e transition in STP the newly elected root ports or designated ports require twice the forward delay time before transiting to the forwarding state to ensure that the new configuration BPDU has propag...

Page 111: ...ortcomings of STP and RSTP In addition to the support for rapid network convergence it also allows data flows of different VLANs to be forwarded along separate paths thus providing a better load shari...

Page 112: ...MST region consists of multiple devices in a switched network and the network segments among them These devices have the following characteristics z All are MSTP enabled z They have the same region n...

Page 113: ...panning tree being independent of another Each spanning tree is referred to as a multiple spanning tree instance MSTI In Figure 1 4 for example multiple spanning trees can exist in each MST region eac...

Page 114: ...is blocked the alternate port becomes the new root port or master port z Backup port The backup port of a designated port When the designated port is blocked the backup port becomes a new designated p...

Page 115: ...nfiguration BPDUs to calculate spanning trees The only difference between the two protocols is that an MSTP BPDU carries the MSTP configuration on the device from which this BPDU is sent 1 CIST calcul...

Page 116: ...node In each MSTI one and only one device acts as the root bridge while all others as leaf nodes Complete these tasks to configure MSTP Task Remarks Configuring an MST Region Required Specifying the...

Page 117: ...in this case make sure that this VLAN is mapped to the CIST MSTI 0 when configuring the VLAN to MSTI mapping table For the detailed information of GVRP refer to GVRP Configuration of the Access Volume...

Page 118: ...ctive MST region configuration information display stp region configuration The display command can be executed in any view Two or more MSTP enabled devices belong to the same MST region only if they...

Page 119: ...red By default a device does not function as the root bridge Specifying the current device as a secondary root bridge of a specific spanning tree Follow these steps to specify the current device as a...

Page 120: ...Specify the current device as the root bridge of MSTI 1 and a secondary root bridge of MSTI 2 Sysname system view Sysname stp instance 1 root primary Sysname stp instance 2 root secondary Configuring...

Page 121: ...n if all devices in a spanning tree have the same priority the one with the lowest MAC address will be selected as the root bridge of the spanning tree Configuration example Set the device priority in...

Page 122: ...k are interconnected through a specific path composed of a series of devices The network diameter is the number of devices on the path composed of the most devices Configuration procedure Follow these...

Page 123: ...ps to configure the timers of MSTP To do Use the command Remarks Enter system view system view Configure the forward delay timer stp timer forward delay centi seconds Optional 1 500 centiseconds 15 se...

Page 124: ...y launch spanning tree calculations thus reducing the auto sensing capability of the network We recommend that you use the default setting The settings of hello time forward delay and max age must mee...

Page 125: ...send within each hello time The maximum rate of a port is related to the physical status of the port and the network structure Configuration procedure Follow these steps to configure the maximum rate...

Page 126: ...know whether a port is directly connected to a terminal you need to manually configure the port to be an edge port After that this port can transition rapidly from the blocked state to the forwarding...

Page 127: ...a point to point link are root ports or designated ports the ports can rapidly transition to the forwarding state after a proposal agreement handshake process Configuration procedure Follow these ste...

Page 128: ...ket format recognition mode of a port is auto namely the port automatically distinguishes the two MSTP packet formats and determines the format of packets it will send based on the recognized format Y...

Page 129: ...sname system view Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 stp compliance dot1s Enabling the Output of Port State Transition Information In a large scale MSTP enabled netwo...

Page 130: ...for the device globally before any other MSTP related configuration can take effect z To control MSTP flexibly you can use the undo stp enable command to disable the MSTP feature for certain ports so...

Page 131: ...rts the following standards z dot1d 1998 The device calculates the default path cost for ports based on IEEE 802 1d 1998 z dot1t The device calculates the default path cost for ports based on IEEE 802...

Page 132: ...To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate interface view interface interface type interface number Enter interface view or port gr...

Page 133: ...t group view port group manual port group name Required Use either command Configurations made in interface view will take effect on the current port only configurations made in port group view will t...

Page 134: ...ver it will not be able to migrate automatically back to the MSTP or RSTP mode but will remain working in the STP compatible mode under the following circumstances z The device running STP is shut dow...

Page 135: ...Device A allows the traffic of VLAN 1 to pass through and port C allows the traffic of VLAN2 to pass through port B on Device B allows the traffic of VLAN 1 to pass through and port D allows the traf...

Page 136: ...n Display the VLAN Ignore enabled VLAN DeviceB display stp ignored vlan STP Ignored VLAN 2 Configuring Digest Snooping As defined in IEEE 802 1s interconnected devices are in the same region only when...

Page 137: ...its private key to calculate the configuration digest z With the Digest Snooping feature enabled comparison of configuration digest is not needed for in the same region check so the VLAN to MSTI mappi...

Page 138: ...ment Check In RSTP and MSTP two types of messages are used for rapid state transition on designated ports z Proposal sent by designated ports to request rapid transition z Agreement used to acknowledg...

Page 139: ...from the upstream device and thus sends no agreement packets to the upstream device As a result the designated port of the upstream device fails to transit rapidly and can only change to the forwardi...

Page 140: ...by default To make the No Agreement Check feature take effect enable it on the root port Configuration Example Network requirements z Device A connects to a third party s device that has different MS...

Page 141: ...start a new spanning tree calculation process This will cause a change of network topology Under normal conditions these ports should not receive configuration BPDUs However if someone forges configu...

Page 142: ...guard function to protect the root bridge If the root guard function is enabled on a port of a root bridge this port will keep playing the role of designated port on all MSTIs Once this port receives...

Page 143: ...ate interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Required Use either command Configurations...

Page 144: ...in any view View the historical information of port role calculation for the specified MSTI or all MSTIs display stp instance instance id history Available in any view View the statistics of TC TCN BP...

Page 145: ...Device C Figure 1 12 Network diagram for MSTP configuration G E 1 0 1 G E 1 0 1 G E 1 0 1 G E 1 0 1 Configuration procedure 1 VLAN and VLAN member port configuration Create VLAN 10 VLAN 20 and VLAN 3...

Page 146: ...l 0 Activate MST region configuration DeviceB mst region active region configuration DeviceB mst region quit Specify the current device as the root bridge of MSTI 3 DeviceB stp instance 3 root primary...

Page 147: ...on each device after the network is stable Display brief spanning tree information on Device A DeviceA display stp brief MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ALTE DISCARDING NO...

Page 148: ...spanning tree information on Device D DeviceD display stp brief MSTID Port Role STP State Protection 0 GigabitEthernet1 0 1 ROOT FORWARDING NONE 0 GigabitEthernet1 0 2 ALTE DISCARDING NONE 0 GigabitEt...

Page 149: ...ember Ports for a Smart Link Group 1 6 Configuring Role Preemption for a Smart Link Group 1 6 Enabling the Sending of Flush Messages 1 7 Smart Link Device Configuration Example 1 7 Configuring an Asso...

Page 150: ...ble for users who have high demand on convergence speed For more information about STP refer to MSTP Configuration in the Access Volume Smart Link is a feature developed to address the slow convergenc...

Page 151: ...her port role in a smart link group When both ports in a smart link group are up the slave port is placed in the standby state When the master port fails the slave port takes over to forward traffic A...

Page 152: ...ND entries To keep traffic forwarding stable the master port that has been blocked due to link failure does not take over immediately upon its recovery Instead link switchover will occur at next link...

Page 153: ...mpleting the smart link group configuration z Disable STP and RRPP on the ports you want to add to the smart link group and make sure that the ports are not member ports of any aggregation group or se...

Page 154: ...ure member ports for a smart link group in interface view To do Use the command Remarks Enter system view system view Enter Ethernet interface view or layer 2 aggregate interface view interface interf...

Page 155: ...ges cannot be sent properly Smart Link Device Configuration Example Network requirements z Create smart link group 1 z The protected VLANs of smart link group 1 are mapped to MSTI 0 through 8 z Config...

Page 156: ...onfigured on Device C and E Follow these steps to enable the receiving of flush messages To do Use the command Remarks Enter system view system view Enter Ethernet interface view or Layer 2 aggregate...

Page 157: ...ormation display smart link group group id all Available in any view Display information about the received flush messages display smart link flush Available in any view Clear the statistics about flu...

Page 158: ...ush enable 2 Configuration on Device E Disable STP on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 DeviceE system view DeviceE interface gigabitethernet 1 0 1 DeviceE GigabitEthernet1 0 1 undo stp...

Page 159: ...bitEthernet 1 0 3 DeviceA system view DeviceA interface gigabitethernet 1 0 1 DeviceA GigabitEthernet1 0 1 smart link flush enable DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1...

Page 160: ...ugh DeviceC interface gigabitethernet 1 0 1 DeviceC GigabitEthernet1 0 1 undo stp enable DeviceC GigabitEthernet1 0 1 port link type trunk DeviceC GigabitEthernet1 0 1 port trunk permit vlan 1 to 200...

Page 161: ...ce gigabitethernet 1 0 1 DeviceB GigabitEthernet1 0 1 port link type trunk DeviceB GigabitEthernet1 0 1 port trunk permit vlan 1 to 200 DeviceB GigabitEthernet1 0 1 smart link flush enable control vla...

Page 162: ...port trunk permit vlan 1 to 200 DeviceA GigabitEthernet1 0 1 smart link flush enable control vlan 10 101 DeviceA GigabitEthernet1 0 1 quit DeviceA interface gigabitethernet 1 0 2 DeviceA GigabitEther...

Page 163: ...w 1 1 Terminology 1 1 How Monitor Link Works 1 1 Configuring Monitor Link 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Monitor Link Configuration Example 1 2 Displaying and Maintain...

Page 164: ...port can be assigned to only one monitor link group Both Layer 2 Ethernet ports and Layer 2 aggregate interfaces can be assigned to a monitor link group Uplink The uplink is the link monitored by the...

Page 165: ...is step to add more uplink ports In monitor link group view port interface type interface number downlink Configure the downlink for the monitor link group In Ethernet port view or Layer 2 aggregate i...

Page 166: ...link failure and perform link switchover in the smart link group For detailed information about smart link refer to Smart Link Configuration in the Access Volume Figure 1 1 Network diagram for smart...

Page 167: ...lush enable 3 Configuration on Device B Create monitor link group 1 DeviceB system view DeviceB monitor link group 1 Configure GigabitEthernet 1 0 1 as an uplink port and GigabitEthernet 1 0 2 as a do...

Page 168: ...quit DeviceD interface gigabitethernet 1 0 1 DeviceD GigabitEthernet1 0 1 smart link flush enable DeviceD GigabitEthernet1 0 1 quit DeviceD interface gigabitethernet 1 0 2 DeviceD GigabitEthernet1 0 2...

Page 169: ...guring Basic VLAN Settings 1 3 Configuring Basic Settings of a VLAN Interface 1 4 Port Based VLAN Configuration 1 5 Introduction to Port Based VLAN 1 5 Assigning an Access Port to a VLAN 1 6 Assigning...

Page 170: ...VLAN was introduced The idea is to break a LAN down into separate VLANs that is Layer 2 broadcast domains whereby frames are switched between ports assigned to the same VLAN VLANs are isolated from ea...

Page 171: ...as shown in Figure 1 3 Figure 1 3 The position and format of VLAN tag A VLAN tag comprises four fields tag protocol identifier TPID priority canonical format indicator CFI and VLAN ID z The 16 bit TP...

Page 172: ...ubnet z Policy z Other criteria This chapter covers port based VLAN Configuring Basic VLAN Settings Follow these steps to configure basic VLAN settings To do Use the command Remarks Enter system view...

Page 173: ...ss and specify it as the gateway of the VLAN to forward traffic destined for an IP network segment different from that of the VLAN Follow these steps to configure basic settings of a VLAN interface To...

Page 174: ...hybrid port can carry multiple VLANs to receive and send traffic for them Unlike a trunk port a hybrid port allows traffic of all VLANs to pass through VLAN untagged You can configure a port connecte...

Page 175: ...its VLAN is carried on the port but is different from the default one Hybrid Check whether the default VLAN is permitted on the port z If yes tag the frame with the default VLAN tag z If not drop the...

Page 176: ...y to the current port z In port group view the subsequent configurations apply to all ports in the port group z In Layer 2 aggregate interface view the subsequent configurations apply to the Layer 2 a...

Page 177: ...e the default VLAN of the trunk port s port trunk pvid vlan vlan id Optional VLAN 1 is the default VLAN by default z To change the link type of a port from trunk to hybrid or vice versa you must set t...

Page 178: ...type to access first z Before assigning a hybrid port to a VLAN create the VLAN first z After configuring the default VLAN for a hybrid port you must use the port hybrid vlan command to configure the...

Page 179: ...a trunk port and configure its default VLAN ID as 100 DeviceA GigabitEthernet1 0 1 port link type trunk DeviceA GigabitEthernet1 0 1 port trunk pvid vlan 100 Configure GigabitEthernet 1 0 1 to deny th...

Page 180: ...capsulation IEEE 802 1q Port priority 0 Last 300 seconds input 0 packets sec 0 bytes sec Last 300 seconds output 0 packets sec 0 bytes sec Input total 0 packets 0 bytes 0 broadcasts 0 multicasts Input...

Page 181: ...rotocols and Standards 1 4 GVRP Configuration Task List 1 4 Configuring GVRP Functions 1 4 Configuring GARP Timers 1 5 Displaying and Maintaining GVRP 1 7 GVRP Configuration Examples 1 7 GVRP Configur...

Page 182: ...pant is present on a port on your device the port is regarded as a GARP participant GARP messages and timers 1 GARP messages A GARP application entity exchanges information with other GARP application...

Page 183: ...ster its attribute information Then a LeaveAll timer starts again z The settings of GARP timers apply to all GARP applications such as GVRP on a LAN z On a GARP enabled network a device may send Leave...

Page 184: ...for GVRP indicating the VLAN ID attribute Attribute List Contains one or multiple attributes Attribute Consists of an Attribute Length an Attribute Event and an Attribute Value Attribute Length Numbe...

Page 185: ...ed registration type thus allows only manually configured VLANs to pass through even though it is configured to carry all VLANs z Forbidden Disables the port to dynamically register and deregister VLA...

Page 186: ...ts z If both GVRP and remote port mirroring are used GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates to be received by the monitor port For more informati...

Page 187: ...value Optional 20 centiseconds by default Configure the Leave timer garp timer leave timer value Optional 60 centiseconds by default As shown in Table 1 2 the values of GARP timers are dependent on ea...

Page 188: ...he global GVRP state display gvrp status Available in any view Display the information about dynamic VLAN operations performed on a port display gvrp vlan operation interface interface type interface...

Page 189: ...trunk permit vlan all Enable GVRP on trunk port GigabitEthernet 1 0 1 DeviceB GigabitEthernet1 0 1 gvrp DeviceB GigabitEthernet1 0 1 quit Create VLAN 3 a static VLAN DeviceB vlan 3 3 Verify the config...

Page 190: ...quit Create VLAN 2 a static VLAN DeviceA vlan 2 2 Configure Device B Enable GVRP globally DeviceB system view DeviceB gvrp Configure port GigabitEthernet 1 0 1 as a trunk port allowing all VLANs to p...

Page 191: ...trunk permit vlan all Enable GVRP on GigabitEthernet 1 0 1 and set the GVRP registration type to forbidden on the port DeviceA GigabitEthernet1 0 1 gvrp DeviceA GigabitEthernet1 0 1 gvrp registration...

Page 192: ...1 11 Display dynamic VLAN information on Device A DeviceA display vlan dynamic No dynamic vlans exist Display dynamic VLAN information on Device B DeviceB display vlan dynamic No dynamic vlans exist...

Page 193: ...figuring Remote Port Mirroring 1 5 Configuration Prerequisites 1 5 Configuring a Remote Source Mirroring Group on the Source Device 1 5 Configuring a Remote Destination Mirroring Group on the Destinat...

Page 194: ...or remote z In local port mirroring the mirroring port or ports and the monitor port are located on the same device z In remote port mirroring the mirroring port or ports and the monitor port can be...

Page 195: ...lyze Figure 1 1 Local port mirroring implementation PC Mirroring port Monitor port Data monitoring device Mirroring port How the device processes packets Monitor port Traffic mirrored to Remote port m...

Page 196: ...u must create the remote destination mirroring group When receiving a packet the destination device compares the VLAN ID carried in the packet with the ID of the probe VLAN configured in the remote de...

Page 197: ...r system view system view Create a local mirroring group mirroring group group id local Required In system view mirroring group group id mirroring port mirroring port list both inbound outbound interf...

Page 198: ...the destination device If GVRP is enabled GVRP may register the remote probe VLAN to unexpected ports resulting in undesired duplicates For information on GVRP refer to GVRP Configuration in the Acce...

Page 199: ...ce view you can assign only the current interface to the mirroring group To monitor multiple ports repeat the step In system view mirroring group groupid reflector port reflector port id interface int...

Page 200: ...e mirroring group z You are recommended to use a remote probe VLAN exclusively for the mirroring purpose z A port can belong to only one mirroring group Configuring a Remote Destination Mirroring Grou...

Page 201: ...ure operation of your device do not enable STP MSTP or RSTP on the monitor port z You are recommended to use a monitor port only for port mirroring This is to ensure that the data monitoring device re...

Page 202: ...Marketing department Configuration procedure Configure Switch C Create a local port mirroring group SwitchC system view SwitchC mirroring group 1 local Add port GigabitEthernet 1 0 1 and GigabitEthern...

Page 203: ...ce mirroring group For the mirroring group configure VLAN 2 as the remote probe VLAN ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 as mirroring ports and port GigabitEthernet 1 0 4 as the refl...

Page 204: ...1 port trunk permit vlan 2 Configure port GigabitEthernet 1 0 2 as a trunk port that permits the packets of VLAN 2 to pass through DeviceB GigabitEthernet1 0 1 quit DeviceB interface gigabitethernet 1...

Page 205: ...1 12 After finishing the configuration you can monitor all the packets received and sent by Department 1 and Department 2 on the Server...

Page 206: ...etwork z Configuring TCP Attributes z Configuring ICMP to Send Error Packets ARP Address Resolution Protocol ARP is used to resolve an IP address into a data link layer address This document describes...

Page 207: ...FTP is an application layer protocol for sharing files between server and client over a TCP IP network The Trivial File Transfer Protocol TFTP provides functions similar to those provided by FTP This...

Page 208: ...Addressing Overview 1 1 IP Address Classes 1 1 Special IP Addresses 1 2 Subnetting and Masking 1 2 Configuring IP Addresses 1 3 Assigning an IP Address to an Interface 1 3 IP Addressing Configuration...

Page 209: ...xample is 01010000100000001000000010000000 in binary To make IP addresses in 32 bit form easier to read they are written in dotted decimal notation each being four octets in length for example 10 1 1...

Page 210: ...es the host with a host ID of 16 on the local network z IP address with an all zero host ID Identifies a network z IP address with an all one host ID Identifies a directed broadcast address For exampl...

Page 211: ...55 255 255 0 respectively Configuring IP Addresses An interface can communicate with other hosts after it obtains an IP address Besides directly assigning an IP address to an interface you may configu...

Page 212: ...N interface 1 on the switch z Set the switch as the gateway on all PCs in the two networks Figure 1 3 Network diagram for IP addressing configuration Configuration procedure Assign a primary IP addres...

Page 213: ...tl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 3 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 4 ttl 255 time 26 ms Reply from 172 16 2 2 bytes 56 Sequence 5 ttl 255 time 26 ms...

Page 214: ...of Directed Broadcasts to a Directly Connected Network 1 1 Enabling Forwarding of Directed Broadcasts to a Directly Connected Network 1 2 Configuration Example 1 2 Configuring TCP Attributes 1 3 Enab...

Page 215: ...er size z Enabling ICMP error packets sending Enabling Reception and Forwarding of Directed Broadcasts to a Directly Connected Network Directed broadcast packets are broadcast on a specific network In...

Page 216: ...xecuted last time does not include the acl acl number the ACL configured previously will be removed Configuration Example Network requirements As shown in Figure 1 1 the host s interface and VLAN inte...

Page 217: ...or and waits for a response 3 After receiving the SYN ACK message the originator returns an ACK message Thus the TCP connection is established Attackers may mount SYN Flood attacks during TCP connecti...

Page 218: ...er As a result the server cannot process normal services Protection against Naptha attacks reduces the risk of such attacks by accelerating the aging of TCP connections in a state After the feature is...

Page 219: ...en a TCP connection is changed into FIN_WAIT_2 state the finwait timer is started If no FIN packets is received within the timer interval the TCP connection will be terminated If a FIN packet is recei...

Page 220: ...n of a packet is not itself and the TTL field of the packet is 1 it will send a TTL timeout ICMP error message z When the device receives the first fragment of an IP datagram whose destination is the...

Page 221: ...d by default Enable sending of ICMP timeout packets ip ttl expires enable Required Disabled by default Enable sending of ICMP destination unreachable packets ip unreachables enable Required Disabled b...

Page 222: ...ackets reset ip statistics Available in user view Clear statistics of TCP connections reset tcp statistics Available in user view Clear statistics of UDP traffic reset udp statistics Available in user...

Page 223: ...ive Acknowledgement 2 2 Introduction to ARP Active Acknowledgement 2 2 Configuring ARP Active Acknowledgement 2 2 Configuring Source MAC Address Based ARP Attack Detection 2 3 Introduction to Source M...

Page 224: ...f the destination device Therefore a mapping between the IP address and the physical address is needed ARP is the protocol to implement the mapping function ARP Message Format ARP messages are classif...

Page 225: ...address and the MAC address of Host A respectively and the target IP address and the target MAC address are the IP address of Host B and an all zero MAC address respectively Because the ARP request i...

Page 226: ...ng a long static ARP entry you must configure a VLAN and an outbound interface for the entry besides the IP address and the MAC address z A short static ARP entry has only an IP address and a MAC addr...

Page 227: ...mber of dynamic ARP entries that an interface can learn To do Use the command Remarks Enter system view system view Enter Ethernet interface view interface interface type interface number Set the maxi...

Page 228: ...Remarks Enter system view system view Enable the ARP entry check arp check enable Optional By default the device is disabled from learning multicast MAC addresses ARP Configuration Example Network re...

Page 229: ...both the IP address of the device issuing the packet the sender MAC address is the MAC address of the device and the target MAC address is the broadcast address ff ff ff ff ff ff A device implements t...

Page 230: ...ay the ARP entry for a specified IP address display arp ip address begin exclude include regular expression Available in any view Display the aging time for dynamic ARP entries display arp timer aging...

Page 231: ...number of ARP packets to bring a great impact to the CPU For details about ARP attack features and types refer to ARP Attack Protection Technology White Paper Currently ARP attacks and viruses are th...

Page 232: ...Use the command Remarks Enter system view system view Enable ARP source suppression arp source suppression enable Required Disabled by default Set the maximum number of packets with the same source IP...

Page 233: ...rotected MAC address A protected MAC address is excluded from ARP attack detection even if it is an attacker Only the ARP packets delivered to the CPU are detected Configuring Source MAC Address Based...

Page 234: ...by default Configuring ARP Packet Rate Limit Introduction to ARP Packet Rate Limit This feature allows you to limit the rate of ARP packets to be delivered to the CPU For example if an attacker sends...

Page 235: ...C through a switch After intercepting the traffic between Host A and Host C a hacker Host B forwards forged ARP replies to Host A and Host C respectively Upon receiving the ARP replies the two hosts...

Page 236: ...ies Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function For details refer to DHCP Configuration in the IP Service Volume Static IP Source Guard binding entries...

Page 237: ...by default that is all packets are considered to be invalid by default Configure a static IP to MAC binding for ARP detection arp detection static bind ip address mac address Optional Not configured...

Page 238: ...figure ARP detection based on specified objects To do Use the command Remarks Enter system view system view Specify objects for ARP detection arp detection validate dst mac ip src mac Required Not spe...

Page 239: ...0 SwitchA vlan10 arp detection enable Configure the upstream port as a trusted port and the downstream ports as untrusted ports a port is an untrusted port by default SwitchA vlan10 interface GigabitE...

Page 240: ...itchA arp detection validate dst mac ip src mac After the preceding configurations are completed when ARP packets arrive at interfaces GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 their MAC and IP...

Page 241: ...Configuring DHCP Snooping to Support Option 82 2 5 Prerequisites 2 5 Configuring DHCP Snooping to Support Option 82 2 5 Displaying and Maintaining DHCP Snooping 2 6 DHCP Snooping Configuration Exampl...

Page 242: ...use DHCP for IP address acquisition via a relay agent the DHCP server cannot be a Windows 2000 Server or Windows 2003 Server Introduction to DHCP Client With the DHCP client enabled an interface will...

Page 243: ...en the undo shutdown command or re enable the DHCP client on the interface by executing the undo ip address dhcp alloc command and then the ip address dhcp alloc command Displaying and Maintaining the...

Page 244: ...ervers If there is an unauthorized DHCP server on a network DHCP clients may obtain invalid IP addresses and network configuration parameters and cannot normally communicate with other network devices...

Page 245: ...nt of Trusted Ports Configuring a trusted port connected to a DHCP server Figure 2 1 Configure trusted and untrusted ports Trusted DHCP server DHCP snooping Untrusted Untrusted Unauthorized DHCP serve...

Page 246: ...n 82 Option 82 records the location information of the DHCP client The administrator can locate the DHCP client to further implement security control and accounting If DHCP snooping supports Option 82...

Page 247: ...normal format verbose Forward the message after adding the Option 82 padded in verbose format no Option 82 user defined Forward the message after adding the user defined Option 82 The handling strate...

Page 248: ...Configuring DHCP Snooping to Support Option 82 Follow these steps to configure DHCP snooping to support Option 82 To do Use the command Remarks Enter system view system view Enter interface view inte...

Page 249: ...is configured as replace you need to configure a padding format for Option 82 If the handling strategy is keep or drop you need not configure any padding format z If the Option 82 is padded with the...

Page 250: ...fy GigabitEthernet1 0 1 as trusted SwitchA interface GigabitEthernet 1 0 1 SwitchA GigabitEthernet1 0 1 dhcp snooping trust SwitchA GigabitEthernet1 0 1 quit DHCP Snooping Option 82 Support Configurat...

Page 251: ...GigabitEthernet1 0 2 dhcp snooping information circuit id string company001 SwitchA GigabitEthernet1 0 2 dhcp snooping information remote id string device001 SwitchA GigabitEthernet1 0 2 quit Configu...

Page 252: ...BOOTP client the interface can use BOOTP to get information such as IP address from the BOOTP server which simplifies your configuration Before using BOOTP an administrator needs to configure a BOOTP...

Page 253: ...protocols and standards related to BOOTP include z RFC 951 Bootstrap Protocol BOOTP z RFC 2132 DHCP Options and BOOTP Vendor Extensions z RFC 1542 Clarifications and Extensions for the Bootstrap Prot...

Page 254: ...ork diagram DHCP server Gateway A WINS server 10 1 1 4 25 Client Switch A Client DNS server 10 1 1 2 25 Vlan int1 10 1 1 1 25 Vlan int1 10 1 1 126 25 Configuration procedure The following describes on...

Page 255: ...he IPv4 DNS Client 1 3 Configuring Static Domain Name Resolution 1 3 Configuring Dynamic Domain Name Resolution 1 3 Displaying and Maintaining IPv4 DNS 1 4 IPv4 DNS Configuration Examples 1 4 Static D...

Page 256: ...ppings are stored in the local static name resolution table to improve efficiency Static Domain Name Resolution The static domain name resolution means setting up mappings between domain names and IP...

Page 257: ...ply the missing part For example a user can configure com as the suffix for aabbcc com The user only needs to type aabbcc to get the IP address of aabbcc com The resolver can add the suffix and delimi...

Page 258: ...previous one if there is any z You may create up to 50 static mappings between domain names and IPv4 addresses Configuring Dynamic Domain Name Resolution To send DNS queries to a correct server for r...

Page 259: ...uration Examples Static Domain Name Resolution Configuration Example Network requirements As shown in Figure 1 2 static domain name resolution is configured on the device and thus the device can use t...

Page 260: ...e resolution and the domain name suffix are configured on the device that serves as a DNS client and thus the device can use domain name host to access the host with the domain name host com and the I...

Page 261: ...e instructions to create a new zone named com Figure 1 4 Create a zone Create a mapping between host name and IP address Figure 1 5 Add a host In Figure 1 5 right click zone com and then select New Ho...

Page 262: ...is normal and that the corresponding destination IP address is 3 1 1 1 Sysname ping host Trying DNS resolve press CTRL_C to break Trying DNS server 2 1 1 2 PING host com 3 1 1 1 56 data bytes press C...

Page 263: ...d domain name is in the cache z If the specified domain name does not exist check that dynamic domain name resolution is enabled and the DNS client can communicate with the DNS server z If the specifi...

Page 264: ...Debugging an FTP Connection 1 6 Terminating an FTP Connection 1 6 FTP Client Configuration Example 1 7 Configuring the FTP Server 1 8 Configuring FTP Server Operating Parameters 1 8 Configuring Authen...

Page 265: ...files z ASCII mode transfers files as text like txt bat and cfg files Operation of FTP FTP adopts the client server model Your device can function either as the client or as the server as shown in Fig...

Page 266: ...FTP server configuration on the device Configure authentication and authorization Configure the username password authorized working directory for an FTP user The device does not support anonymous FTP...

Page 267: ...e interface or source IP address The primary IP address configured on the source interface is the source address of the transmitted packets The source address of the transmitted packets is selected fo...

Page 268: ...irectories on an FTP Server After the device serving as the FTP client has established a connection with an FTP server For how to establish an FTP connection refer to Establishing an FTP Connection yo...

Page 269: ...FTP server dir remotefile localfile Optional The ls command displays the name of a directory or file only while the dir command displays detailed information such as the file size and creation time Q...

Page 270: ...e the command Remarks Display the help information of FTP related commands supported by the remote FTP server remotehelp protocol command Optional Enable information display in a detailed manner verbo...

Page 271: ...lable memory space of the device is not enough use the fixdisk command to clear the memory or use the delete unreserved file url command to delete the files not in use and then perform the following o...

Page 272: ...to update a file when you upload the file use the put command to the FTP server z In fast mode the FTP server starts writing data to the storage medium after a file is transferred to the memory This p...

Page 273: ...password with the account The following configuration is used when the FTP server authenticates and authorizes a local FTP user If the FTP server needs to authenticate a remote FTP user you need to co...

Page 274: ...n the user level of the FTP login users that is any level from 0 to 3 is allowed FTP Server Configuration Example Network requirements z As shown in Figure 1 3 use Device as an FTP server and the PC a...

Page 275: ...1 1 1 1 none abc 331 Password required for abc Password 230 User logged in Download the configuration file config cfg of the device to the PC for backup ftp get config cfg back config cfg Upload the c...

Page 276: ...oot ROM program through FTP you must execute the bootrom update command to upgrade the Boot ROM Displaying and Maintaining FTP To do Use the command Remarks Display the configuration of the FTP client...

Page 277: ...s initiated by the client z In a normal file downloading process the client sends a read request to the TFTP server receives data from the server and then sends the acknowledgement to the server z In...

Page 278: ...r example due to network disconnection the device can still start up because the original system file is not overwritten This mode is more secure but consumes more memory You are recommended to use th...

Page 279: ...ient source interface interface type interface number ip source ip address Optional A device uses the source address determined by the matched route to communicate with the TFTP server by default Retu...

Page 280: ...he PC enable the TFTP server z Configure a TFTP working directory 2 Configure Device TFTP Client If the available memory space of the device is not enough use the fixdisk command to clear the memory o...

Page 281: ...tartup must be saved under the root directory of the storage medium You can copy or move a file to the root directory of the storage medium For the details of the boot loader command refer to Device M...

Page 282: ...escribes z Introduction to IP routing and routing table z Routing protocol overview Static Routing A static route is manually configured by the administrator The proper configuration and usage of stat...

Page 283: ...i Table of Contents 1 IP Routing Overview 1 1 IP Routing and Routing Table 1 1 Routing 1 1 Routing Table 1 1 Displaying and Maintaining a Routing Table 1 3...

Page 284: ...ace a packet destined for a certain destination should go out to reach the next hop the next router or the directly connected destination Routes in a routing table can be divided into three categories...

Page 285: ...to z Direct routes The destination is directly connected to the router z Indirect routes The destination is not directly connected to the router To prevent the routing table from getting too large you...

Page 286: ...able ip address1 mask length mask ip address2 mask length mask verbose Available in any view Display information about routes permitted by an IPv4 basic ACL display ip routing table acl acl number ver...

Page 287: ...1 Default Route 1 1 Application Environment of Static Routing 1 2 Configuring a Static Route 1 2 Configuration Prerequisites 1 2 Configuration Procedure 1 2 Displaying and Maintaining Static Routes 1...

Page 288: ...or has to modify the static routes manually Default Route If the destination address of a packet fails to match any entry in the routing table the packet will be discarded After a default route is con...

Page 289: ...nagement Ethernet port M GigabitEthernet you must specify the corresponding next hop for the output interface 3 Other attributes You can configure different preferences for different static routes so...

Page 290: ...ation in the System Volume Displaying and Maintaining Static Routes To do Use the command Remarks Display the current configuration information display current configuration Display the brief informat...

Page 291: ...Switch C SwitchC system view SwitchC ip route static 0 0 0 0 0 0 0 0 1 1 5 5 3 Configure the hosts The default gateways for the three hosts A B and C are 1 1 2 3 1 1 6 1 and 1 1 3 1 respectively The c...

Page 292: ...32 Direct 0 0 127 0 0 1 InLoop0 Use the ping command on Host B to check reachability to Host A assuming Windows XP runs on the two hosts C Documents and Settings Administrator ping 1 1 2 2 Pinging 1 1...

Page 293: ...ding Mechanism IGMP Snooping Running at the data link layer IGMP Snooping is a multicast control mechanism on the Layer 2 Ethernet switch and it is used for multicast group management and control This...

Page 294: ...of Information Transmission Techniques 1 1 Features of Multicast 1 4 Common Notations in Multicast 1 5 Advantages and Applications of Multicast 1 5 Multicast Models 1 6 Multicast Architecture 1 6 Mult...

Page 295: ...ltipoint data transmission over a network multicast greatly saves network bandwidth and reduces network load With the multicast technology a network operator can easily provide new value added service...

Page 296: ...over the network is proportional to the number of hosts that need the information If a large number of users need the information the information source needs to send a copy of the same information t...

Page 297: ...ficant waste of network resources Multicast As discussed above unicast and broadcast techniques are unable to provide point to multipoint data transmissions with the minimum network consumption Multic...

Page 298: ...cast is confined to the same subnet while multicast is not Features of Multicast Multicast has the following features z A multicast group is a multicast receiver set identified by an IP multicast addr...

Page 299: ...icast z G Indicates a rendezvous point tree RPT or a multicast packet that any multicast source sends to multicast group G Here represents any multicast source while G represents a specific multicast...

Page 300: ...ence between the SSM model and the ASM model is that in the SSM model receivers already know the locations of the multicast sources by some other means In addition the SSM model uses a multicast addre...

Page 301: ...he IP header 224 0 1 0 to 238 255 255 255 Globally scoped group addresses This block includes two types of designated group addresses z 232 0 0 0 8 SSM group addresses and z 233 0 0 0 8 Glop group add...

Page 302: ...tination address is a multicast MAC address because the packet is directed to a group formed by a number of receivers rather than to one specific receiver As defined by IANA the high order 24 bits of...

Page 303: ...tions of Layer 3 multicast protocols 1 Multicast management protocols Typically the internet group management protocol IGMP is used between hosts and Layer 3 multicast devices directly connected with...

Page 304: ...hanged between the hosts and Layer 3 multicast devices thus effectively controlling the flooding of multicast data in a Layer 2 network 2 Multicast VLAN In the traditional multicast on demand mode whe...

Page 305: ...cess the same multicast information from different peers received on different interfaces of the same device every multicast packet is subject to a reverse path forwarding RPF check on the incoming in...

Page 306: ...iguring Source IP Address of IGMP Queries 1 15 Configuring IGMP Snooping Proxying 1 15 Configuration Prerequisites 1 15 Enabling IGMP Snooping Proxying 1 15 Configuring a Source IP Address for the IGM...

Page 307: ...ii Configured Multicast Group Policy Fails to Take Effect 1 32...

Page 308: ...and multicast MAC addresses and forwards multicast data based on these mappings As shown in Figure 1 1 when IGMP Snooping is not running on the switch multicast packets are broadcast to all devices at...

Page 309: ...packets Router port Member port Ports involved in IGMP Snooping as shown in Figure 1 2 are described as follows z Router port A router port is a port on an Ethernet switch that leads the switch toward...

Page 310: ...namic router port the switch sets a timer initialized to the dynamic router port aging time IGMP general query of which the source address is not 0 0 0 0 or PIM hello The switch removes this port from...

Page 311: ...rted group the switch creates an entry adds the port as a dynamic member port to the outgoing port list and starts a member port aging timer for that port z If a forwarding table entry exists for the...

Page 312: ...ific query the switch forwards it through all its router ports in the VLAN and all member ports for that multicast group and performs the following to the port on which it received the IGMP leave mess...

Page 313: ...ding table for the entry for the multicast group If the forwarding entry is found with the receiving port contained as a dynamic member port in the outgoing port list the proxy resets the aging timer...

Page 314: ...nal Configuring IGMP Queries and Responses Optional Configuring IGMP Snooping Querier Configuring Source IP Address of IGMP Queries Optional Enabling IGMP Snooping Proxying Optional Configuring IGMP S...

Page 315: ...ggregate interface view or port group view z For IGMP Snooping configurations made on a Layer 2 aggregate interface do not interfere with configurations made on its member ports nor do they take part...

Page 316: ...e version of IGMP Snooping igmp snooping version version number Optional Version 2 by default If you switch IGMP Snooping from version 3 to version 2 the system will clear all IGMP Snooping forwarding...

Page 317: ...ional 105 seconds by default Configure dynamic member port aging time host aging time interval Optional 260 seconds by default Configuring aging timers for dynamic ports in a VLAN Follow these steps t...

Page 318: ...Simulated Joining Generally a host running IGMP responds to IGMP queries from the IGMP querier If a host fails to respond due to some reasons the multicast router may deem that no member of this mult...

Page 319: ...he switch will not forward them to that port In VLANs where only one host is attached to each port fast leave processing helps improve bandwidth and resource usage However if fast leave processing is...

Page 320: ...lish and maintain multicast forwarding entries thus to forward multicast traffic correctly at the network layer This router or Layer 3 switch is called an IGMP querier However a Layer 2 multicast swit...

Page 321: ...igure the IGMP last member query interval to fill their Max Response time field Namely for IGMP group specific queries the maximum response time equals to the IGMP last member query interval Configuri...

Page 322: ...Remarks Enter system view system view Enter VLAN view vlan vlan id Configure the source address of IGMP general queries igmp snooping general query source ip ip address current interface Optional 0 0...

Page 323: ...leave messages sent by the proxy igmp snooping leave source ip ip address current interface The default is 0 0 0 0 Configuring an IGMP Snooping Policy Configuration Prerequisites Before configuring an...

Page 324: ...t group view port group manual port group name Required Use either approach Configure a multicast group filter igmp snooping group policy acl number vlan vlan list Required No group filter is configur...

Page 325: ...tted over the network Follow these steps to configure IGMP report suppression To do Use the command Remarks Enter system view system view Enter IGMP Snooping view igmp snooping Enable IGMP report supp...

Page 326: ...gured for the switch or the port In addition in some specific applications a multicast group newly joined on the switch needs to replace an existing multicast group automatically A typical example is...

Page 327: ...1p precedence of IGMP messages so that they can be assigned higher forwarding priority when congestion occurs on their outgoing ports Configuring 802 1p precedence for IGMP messages globally Follow t...

Page 328: ...z The reset igmp snooping group command cannot clear the IGMP Snooping multicast group information for static joins IGMP Snooping Configuration Examples Group Policy and Simulated Joining Configuratio...

Page 329: ...net1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigabitethernet 1 0 2 RouterA GigabitEthernet1 0 2 pim dm RouterA GigabitEthernet1 0 2 quit...

Page 330: ...1 1 1 vlan 100 SwitchA GigabitEthernet1 0 4 quit 4 Verify the configuration Display the detailed IGMP Snooping multicast groups information in VLAN 100 on Switch A SwitchA display igmp snooping group...

Page 331: ...flows to the receivers attached to Switch C only along the path of Switch A Switch B Switch C z It is required to configure GigabitEthernet 1 0 3 that connects Switch A to Switch C as a static router...

Page 332: ...gn GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 100 SwitchA vlan100 port gigabitethernet 1 0 1 to gigabitethernet 1 0 3 SwitchA vl...

Page 333: ...1 0 5 quit 6 Verify the configuration Display the detailed IGMP Snooping multicast group information in VLAN 100 on Switch A SwitchA display igmp snooping group vlan 100 verbose Total 1 IP Group s Tot...

Page 334: ...As shown in Figure 1 6 in a Layer 2 only network environment two multicast sources Source 1 and Source 2 send multicast data to multicast groups 224 1 1 1 and 225 1 1 1 respectively Host A and Host C...

Page 335: ...in VLAN 100 SwitchA vlan100 igmp snooping enable SwitchA vlan100 igmp snooping drop unknown Enable the IGMP Snooping querier function in VLAN 100 SwitchA vlan100 igmp snooping querier Set the source I...

Page 336: ...3 Received IGMPv1 reports 0 Received IGMPv2 reports 12 Received IGMP leaves 0 Received IGMPv2 specific queries 0 Sent IGMPv2 specific queries 0 Received IGMPv3 reports 0 Received IGMPv3 reports with...

Page 337: ...view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 igmp enable RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA int...

Page 338: ...o one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 2 port GE1 0 3 D GE1 0 4 D MAC group s MAC group address 0100 5e01 0101 Host port s total 2 port GE1 0 3 GE1 0 4 Display...

Page 339: ...ing Analysis IGMP Snooping is not enabled Solution 1 Enter the display current configuration command to view the running status of IGMP Snooping 2 If IGMP Snooping is not enabled use the igmp snooping...

Page 340: ...his command in IGMP Snooping view or in the corresponding interface view to check whether the correct multicast group policy has been applied If not use the group policy or igmp snooping group policy...

Page 341: ...Prerequisites 1 3 Configuring Sub VLAN Based Multicast VLAN 1 3 Configuring Port Based Multicast VLAN 1 4 Configuration Prerequisites 1 4 Configuring User Port Attributes 1 5 Configuring Multicast VLA...

Page 342: ...ograms on demand service the Layer 3 device Router A needs to forward a separate copy of the multicast traffic in each user VLAN to the Layer 2 device Switch A This results in not only waste of networ...

Page 343: ...Ns When forwarding multicast data to Switch A Router A needs to send only one copy of multicast traffic to Switch A in the multicast VLAN and Switch A distributes the traffic to the multicast VLAN s s...

Page 344: ...figuration Task List Complete the following tasks to configure multicast VLAN Task Remarks Configuring Sub VLAN Based Multicast VLAN Configuring User Port Attributes Configuring Port Based Multicast V...

Page 345: ...t VLAN The total number of sub VLANs for all multicast VLANs on the switch cannot exceed 1024 Configuring Port Based Multicast VLAN When configuring port based multicast VLAN you need to configure the...

Page 346: ...ybrid Required Access by default Specify the user VLAN that comprises the current user port s as the default VLAN port hybrid pvid vlan vlan id Required VLAN 1 by default Configure the current user po...

Page 347: ...d VLAN as a multicast VLAN and enter multicast VLAN view multicast vlan vlan id Required Not a multicast VLAN by default Return to system view quit interface interface type interface number Enter inte...

Page 348: ...A respectively z The multicast source sends multicast data to multicast group 224 1 1 1 Host A Host B and Host C are receivers of the multicast group z Configure the sub VLAN based multicast VLAN feat...

Page 349: ...onfiguration for VLAN 2 Create VLAN 10 assign GigabitEthernet 1 0 1 to this VLAN and enable IGMP Snooping in the VLAN SwitchA vlan 10 SwitchA vlan10 port GigabitEthernet 1 0 1 SwitchA vlan10 igmp snoo...

Page 350: ...ource s Total 1 MAC Group s Router port s total 0 port IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 1 port GE1 0 3 D MAC gr...

Page 351: ...Ethernet 1 0 1 and to Switch A through GigabitEthernet 1 0 2 z IGMPv2 is required on Router A IGMPv2 Snooping is required on Switch A Router A acts as the IGMP querier z Switch A s GigabitEthernet 1 0...

Page 352: ...thernet 1 0 2 RouterA system view RouterA multicast routing enable RouterA interface gigabitethernet 1 0 1 RouterA GigabitEthernet1 0 1 pim dm RouterA GigabitEthernet1 0 1 quit RouterA interface gigab...

Page 353: ...2 quit The configuration for GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 is similar The detailed configuration steps are omitted Configure VLAN 10 as a multicast VLAN SwitchA multicast vlan 10 Ass...

Page 354: ...1 D IP group s the following ip group s match to one mac group IP group address 224 1 1 1 0 0 0 0 224 1 1 1 Host port s total 3 port GE1 0 2 D GE1 0 3 D Eth1 4 D MAC group s MAC group address 0100 5e...

Page 355: ...ed as follows Features Description QoS This document describes z QoS overview z QoS policy configuration z Priority mapping configuration z Traffic policing Configuration z Traffic shaping Configurati...

Page 356: ...icy 2 6 Applying the QoS Policy to an Interface 2 6 Applying the QoS Policy to a VLAN 2 7 Applying the QoS Policy Globally 2 8 Support for QoS actions in different directions 2 8 Displaying and Mainta...

Page 357: ...Configuration Example 5 2 Referencing Aggregation CAR in a Traffic Behavior 5 2 Configuration Prerequisites 5 2 Configuration Procedure 5 2 Configuration Example 5 3 Displaying and Maintaining Aggreg...

Page 358: ...t Function to Automatically Set the Shared Buffer 8 1 Configuring the Shared Buffer Manually 8 2 Displaying and Maintaining Port Buffer 8 2 Burst Configuration Example 8 3 Network Requirements 8 3 Con...

Page 359: ...alled best effort It delivers packets to their destinations as possibly as it can without any guarantee for delay jitter packet loss ratio and so on This service policy is only suitable for applicatio...

Page 360: ...s forwarded over a low speed link z The packet flows enter a device from several incoming interfaces and are forwarded out an outgoing interface whose rate is smaller than the total rate of these inco...

Page 361: ...gestion avoidance are the foundations for a network to provide differentiated services Mainly they implement the following functions z Traffic classification uses certain match criteria to organize pa...

Page 362: ...port number for example or for all packets to a certain network segment When packets are classified on the network boundary the precedence bits in the ToS field of the IP packet header are generally r...

Page 363: ...ccording to their DSCP values z Expedited Forwarding EF class In this class packets are forwarded regardless of link share of other traffic The class is suitable for preferential services requiring lo...

Page 364: ...precedence lies in Layer 2 packet headers and is applicable to occasions where Layer 3 header analysis is not needed and QoS must be assured at Layer 2 Figure 1 4 An Ethernet frame with an 802 1Q tag...

Page 365: ...802 1p Table 1 3 presents the values for 802 1p precedence Table 1 3 Description on 802 1p precedence 802 1p precedence decimal 802 1p precedence binary Description 0 000 best effort 1 001 background...

Page 366: ...nsiders a packet belongs to a class only when the packet matches all the criteria in the class z or The device considers a packet belongs to a class as long as the packet matches one of the criteria i...

Page 367: ...specified by its number or name The access list number argument specifies an ACL by its number which ranges from 2000 to 3999 the name acl name keyword argument combination specifies an ACL by its na...

Page 368: ...or these matching criteria or input multiple values for a list argument such as the 8021p list argument listed below in a traffic class avoid doing that Otherwise the QoS policy referencing the class...

Page 369: ...etailed information about traffic mirroring refer to Traffic Mirroring Configuration Insert a VLAN tag nest top most vlan id vlan id value Optional Redirect traffic to a specified target redirect cpu...

Page 370: ...e mappings are executed according to the order configured Follow these steps to define a policy To do Use the command Remarks Enter system view system view Create a policy and enter policy view qos po...

Page 371: ...fferent occasions z Applied to an interface the policy takes effect on the traffic sent or received on the interface z Applied to a VLAN the policy takes effect on the traffic sent or received on all...

Page 372: ...packets OSPF packets RIP packets BGP packets LDP packets RSVP packets and SSH packets and so on Configuration example Apply QoS policy test_policy to the inbound direction of GigabitEthernet 1 0 1 Sy...

Page 373: ...licy to the inbound direction globally Sysname system view Sysname qos apply policy test_policy global inbound Support for QoS actions in different directions Before creating and applying a QoS policy...

Page 374: ...figuration information display traffic behavior user defined behavior name Available in any view Display the configuration of user defined QoS policies display qos policy user defined policy name clas...

Page 375: ...et Precedences The local precedence and drop precedence are defined as follows z Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corre...

Page 376: ...ing trusting port priority An S5810 series switch can trust one of the following two priority types z Trusting the DSCP precedence of received packets In this mode the switch searches the dscp dot1p d...

Page 377: ...p mappings Input priority value dscp lp mapping dscp dot1p mapping dscp Local precedence lp 802 1p precedence dot1p 0 to 7 0 0 8 to 15 1 1 16 to 23 2 2 24 to 31 3 3 32 to 39 4 4 40 to 47 5 5 48 to 55...

Page 378: ...rity mapping table display qos map table dot1p dscp dot1p lp dscp dot1p dscp lp Optional Available in any view Configuration Example Network requirements Configure a dot1p lp mapping table as shown be...

Page 379: ...take effect on all ports in the port group Configure a priority for the port qos priority priority value Required The default port priority is 0 Configuration Example Network requirements Set the por...

Page 380: ...port group view port group manual port group name Use either command Settings in interface view Ethernet or WLAN ESS take effect on the current interface settings in port group view take effect on al...

Page 381: ...rks Display priority mapping table configuration information display qos map table dot1p dscp dot1p lp dscp dot1p dscp lp Available in any view Display the trusted precedence type on the port display...

Page 382: ...l policies are applied Generally token buckets are used to evaluate traffic specifications Traffic Evaluation and Token Bucket Token bucket features A token bucket can be considered as a container hol...

Page 383: ...acket transmission or forwarding rate allowed by the E bucket z Excess burst size EBS Size of the E bucket that is transient burst of traffic that the E bucket can forward Figure 4 1 A two bucket syst...

Page 384: ...ts whose evaluation result is conforming z Dropping the packets whose evaluation result is excess Traffic Shaping Traffic shaping provides measures to adjust the rate of outbound traffic actively A ty...

Page 385: ...interface of Switch A to avoid unnecessary packet loss Packets exceeding the limit are cached in Switch A Once resources are released traffic shaping takes out the cached packets and sends them out I...

Page 386: ...erface port group qos car inbound acl ipv6 acl number cir committed information rate cbs committed burst size ebs excess burst size pir peak information rate red action Required Display CAR policy inf...

Page 387: ...se the command Remarks Enter system view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port...

Page 388: ...erver and Host A respectively as follows z Limit the rate of packets from Server to 560 kbps When the traffic rate is below 560 kbps the traffic is forwarded normally When the traffic rate exceeds 560...

Page 389: ...eceived on GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 qos car inbound acl 2001 cir 560 red discard SwitchA GigabitEthernet1 0 1 qos car inbound acl 2002...

Page 390: ...ion CAR policy is to be applied z Traffic match criteria the ACL or CAR list must be predefined z Refer to ACL configuration in the Security Volume for how to define ACL rules Configuration Procedure...

Page 391: ...qos car aggcar 1 aggregative cir 200 cbs 2000 red discard Sysname interface gigabitethernet 1 0 1 Sysname GigabitEthernet1 0 1 qos car inbound acl 2000 name aggcar 1 Referencing Aggregation CAR in a...

Page 392: ...2 000 and red packets are dropped Reference aggregation CAR aggcar 1 in traffic behavior be1 Sysname system view Sysname qos car aggcar 1 aggregative cir 200 cbs 2000 red discard Sysname traffic beha...

Page 393: ...tion occurs Congestion management involves queue creation traffic classification packet enqueuing and queue scheduling Congestion Management Policies In general congestion management adopts queuing te...

Page 394: ...with the second highest priority and so on Thus you can assign mission critical packets to the high priority queue to ensure that they are always served first and common service packets to the low pri...

Page 395: ...series use group based WRR queuing You can assign the output queues to WRR scheduling group 1 and WRR scheduling group 2 as required Note that the queues in the same group must be consecutive The dev...

Page 396: ...ystem view system view Enter interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manual port group name Use either command...

Page 397: ...uing configuration information on interface s display qos wrr interface interface type interface number Optional Available in any view When you use the WRR queue scheduling algorithm make sure that qu...

Page 398: ...pplies to all the ports in the port group Configure SP queue scheduling qos wrr queue id group sp Required Configure WRR queue scheduling qos wrr queue id group group id weight schedule value Required...

Page 399: ...ysname GigabitEthernet1 0 1 qos wrr 2 group 1 weight 20 Sysname GigabitEthernet1 0 1 qos wrr 3 group 1 weight 70 Sysname GigabitEthernet1 0 1 qos wrr 4 group 1 weight 100 Sysname GigabitEthernet1 0 1...

Page 400: ...he CPU copies the matching packets on an interface to a CPU the CPU of the board where the traffic mirroring enabled interface resides z Mirroring traffic to a VLAN copies the matching packets on an i...

Page 401: ...Required Displaying and Maintaining Traffic Mirroring To do Use the command Remarks Display traffic behavior configuration information display traffic behavior user defined behavior name Available in...

Page 402: ...2000 Sysname classifier 1 quit Configure a traffic behavior and define the action of mirroring traffic to GigabitEthernet1 0 2 in the traffic behavior Sysname traffic behavior 1 Sysname behavior 1 mi...

Page 403: ...r you to set the shared buffer z Configuring the Burst Function to Automatically Set the Shared Buffer z Configuring the Shared Buffer Manually When manually setting the shared buffer area take the tr...

Page 404: ...nter system view system view Set in blocks the shared transmit buffer or shared receive buffer buffer manage ingress egress share size size value Optional By default there is no shared receive buffer...

Page 405: ...hosts irregularly z Each host connects to the switch through a 100 Mbps network adapter Configure the switch to process dense traffic from the server to guarantee that packets can reach the hosts Fig...

Page 406: ...c Binding Function SSH2 0 SSH ensures secure login to a remote device in a non secure network environment By encryption and strong authentication it protects the device against attacks This document d...

Page 407: ...scription ACL An ACL is used for identifying traffic based on a series of preset matching criteria This document describes z ACL overview and ACL types z ACL configuration z ACL Application for Packet...

Page 408: ...P Domain 1 15 Configuring AAA Accounting Methods for an ISP Domain 1 17 Configuring Local User Attributes 1 18 Configuring User Group Attributes 1 20 Configuring a NAS ID VLAN Binding 1 20 Displaying...

Page 409: ...to the Data Sent to HWTACACS Server 1 33 Setting Timers Regarding HWTACACS Servers 1 33 Displaying and Maintaining HWTACACS 1 34 AAA Configuration Examples 1 34 AAA for Telnet Users by an HWTACACS Se...

Page 410: ...e network access server NAS and the server maintains user information centrally In an AAA network a NAS is a server for users but a client for the AAA servers as shown in Figure 1 1 Figure 1 1 AAA net...

Page 411: ...multiple protocols Currently the device supports using RADIUS HWTACACS for AAA and RADIUS is often used in practice Introduction to RADIUS Remote Authentication Dial In User Service RADIUS is a distri...

Page 412: ...prevent user passwords from being intercepted in non secure networks RADIUS encrypts passwords before transmitting them A RADIUS server supports multiple user authentication methods Moreover a RADIUS...

Page 413: ...ADIUS client to tear down the connection and the RADIUS client sends a stop accounting request Accounting Request to the RADIUS server 9 The RADIUS server returns a stop accounting response Accounting...

Page 414: ...the Code Identifier Length Authenticator and Attribute fields The value of the field is in the range 20 to 4096 Bytes beyond the length are considered the padding and are neglected upon reception If t...

Page 415: ...ct Tunnel Connection 22 Framed Route 69 Tunnel Password 23 Framed IPX Network 70 ARAP Password 24 State 71 ARAP Features 25 Class 72 ARAP Zone Access 26 Vendor Specific 73 ARAP Security 27 Session Tim...

Page 416: ...other three bytes contain a code complying with RFC 1700 The vendor ID of H3C is 2011 z Vendor Type Indicates the type of the sub attribute z Vendor Length Indicates the length of the sub attribute z...

Page 417: ...s only the user password field in an authentication packet Protocol packets are complicated and authorization is independent of authentication Authentication and authorization can be deployed on diffe...

Page 418: ...continuance packet with the login password 1 A Telnet user sends an access request to the NAS 2 Upon receiving the request the HWTACACS client sends a start authentication packet to the HWTACACS serve...

Page 419: ...Modifications for Tunnel Protocol Support z RFC 2868 RADIUS Attributes for Tunnel Protocol Support z RFC 2869 RADIUS Extensions z RFC 1492 An Access Control Protocol Sometimes Called TACACS AAA Confi...

Page 420: ...ing and Maintaining AAA Optional RADIUS Configuration Task List Task Remarks Creating a RADIUS Scheme Required Specifying the RADIUS Authentication Authorization Servers Required Specifying the RADIUS...

Page 421: ...authentication authorization or accounting you must create the RADIUS or HWTACACS scheme first For RADIUS scheme configuration refer to Configuring RADIUS For HWTACACS scheme configuration refer to C...

Page 422: ...stem view system view Enter ISP domain view domain isp name Place the ISP domain to the state of active or blocked state active block Optional When created an ISP domain is in the active state by defa...

Page 423: ...multiple devices You can configure local authentication as the backup method to be used when the remote server is not available You can configure AAA authentication to work alone without authorizatio...

Page 424: ...he system z Local authorization Users are authorized by the access device according to the attributes configured for them z Remote authorization The access device cooperates with a RADIUS or HWTACACS...

Page 425: ...he default authorization method is used by default z The authorization method specified with the authorization default command is for all types of users and has a priority lower than that for a specif...

Page 426: ...methods complete these three tasks 1 For RADIUS or HWTACACS accounting configure the RADIUS or HWTACACS scheme to be referenced first The local and none authentication methods do not require any sche...

Page 427: ...n you need to create local users and configure user attributes on the device as needed A local user represents a set of user attributes configured on a device and is uniquely identified by the usernam...

Page 428: ...ation attributes for the local user authorization attribute acl acl number callback number callback number idle cut minute level level user profile profile name vlan vlan id work directory directory n...

Page 429: ...ure local user attributes for a user group to implement centralized management of user attributes for the local users in the group Currently you can configure authorization attributes for a user group...

Page 430: ...he RADIUS protocol is configured on a per scheme basis After creating a RADIUS scheme you need to configure the IP addresses and UDP ports of the RADIUS servers for the scheme The servers include auth...

Page 431: ...d Configure at least one of the commands No authentication server by default z It is recommended to specify only the primary RADIUS authentication authorization server if backup is not required z If b...

Page 432: ...nting server in a scheme and the secondary accounting server in another scheme Besides because RADIUS uses different UDP ports to receive authentication authorization and accounting packets the port f...

Page 433: ...mber of transmission attempts exceeds the specified limit but it still receives no response it considers that the authentication has failed Follow these steps to set the upper limit of RADIUS request...

Page 434: ...the device turns to the secondary server In this case z If the secondary server is available the device triggers the primary server quiet timer After the quiet timer times out the status of the prima...

Page 435: ...the RADIUS Server Follow these steps to configure the attributes related to data to be sent to the RADIUS server To do Use the command Remarks Enter system view system view Enable the RADIUS trap fun...

Page 436: ...three timers z RADIUS server response timeout response timeout If a NAS receives no response from the RADIUS server in a period of time after sending a RADIUS request authentication authorization or...

Page 437: ...o the corresponding part in the Access Volume z To configure the maximum number of retransmission attempts of RADIUS packets refer to the command retry in the command manual Configuring RADIUS Account...

Page 438: ...client enable Optional Enabled by default Displaying and Maintaining RADIUS To do Use the command Remarks Display the configuration information of a specified RADIUS scheme or all RADIUS schemes displ...

Page 439: ...cheme and enter HWTACACS scheme view hwtacacs scheme hwtacacs scheme name Required Not defined by default z Up to 16 HWTACACS schemes can be configured z A scheme can be deleted only when it is not re...

Page 440: ...ary HWTACACS authorization server primary authorization ip address port number Specify the secondary HWTACACS authorization server secondary authorization ip address port number Required Configure at...

Page 441: ...dresses of the primary and secondary accounting servers cannot be the same Otherwise the configuration fails z You can remove an accounting server only when no active TCP connection for sending accoun...

Page 442: ...ce to send HWTACACS packets In system view hwtacacs nas ip ip address Use either command By default the outbound port serves as the source IP address to send HWTACACS packets z If an HWTACACS server d...

Page 443: ...t buffered stop accounting requests that get no responses display stop accounting buffer hwtacacs scheme hwtacacs scheme name Available in any view Clear HWTACACS statistics reset hwtacacs statistics...

Page 444: ...g 10 1 1 1 49 Switch hwtacacs hwtac key authentication expert Switch hwtacacs hwtac key authorization expert Switch hwtacacs hwtac key accounting expert Switch hwtacacs hwtac user name format without...

Page 445: ...ting Its IP address is 10 1 1 1 On the switch set the shared keys for packets exchanged with the RADIUS server to expert Configuration of separate AAA for other types of users is similar to that given...

Page 446: ...in radius scheme rd Switch isp bbb quit Configure the default AAA methods for all types of users Switch domain bbb Switch isp bbb authentication default local Switch isp bbb authorization default hwta...

Page 447: ...navigation tree to enter the Service Configuration page Then click Add to enter the Add Access Device window and perform the following configurations z Set both the shared keys for authentication and...

Page 448: ...om the navigation tree to enter the All Access Users page Then click Add to enter the Add Device Management User window and perform the following configurations z Add a user named hello bbb and specif...

Page 449: ...interface2 quit Configure the IP address of VLAN interface 3 through which the switch access the server Switch interface vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switc...

Page 450: ...Switch isp bbb accounting login radius scheme rad Switch isp bbb quit When using SSH to log in a user enters a username in the form userid bbb for authentication using domain bbb 3 Verify the configu...

Page 451: ...d link layers 2 The IP address of the RADIUS server is correctly configured on the NAS 3 UDP ports for authentication authorization accounting configured on the NAS are the same as those configured on...

Page 452: ...ing Dynamic Binding Function 1 2 Displaying and Maintaining IP Source Guard 1 3 IP Source Guard Configuration Examples 1 3 Static Binding Entry Configuration Example 1 3 Dynamic Binding Function Confi...

Page 453: ...s including source IP address source MAC address and VLAN tag of the packet in the binding entries of the IP source guard If there is a match the port forwards the packet Otherwise the port discards t...

Page 454: ...x nor 0 0 0 0 z A static binding entry can be configured on only Layer 2 Ethernet ports Configuring Dynamic Binding Function After the dynamic binding function is enabled on a port IP source guard wi...

Page 455: ...onnected to port GigabitEthernet 1 0 1 of Switch A Configure static binding entries on Switch A and Switch B to meet the following requirements z On port GigabitEthernet 1 0 2 of Switch A only IP pack...

Page 456: ...thernet1 0 1 user bind ip address 192 168 0 2 mac address 0001 0203 0407 3 Verify the configuration On Switch A static binding entries are configured successfully SwitchA display user bind Total entri...

Page 457: ...splay that the dynamic binding function is configured successfully on port GigabitEthernet 1 0 1 SwitchA interface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 display this interface GigabitEthe...

Page 458: ...Guard Failed to Configure Static Binding Entries and Dynamic Binding Function Symptom Configuring static binding entries and dynamic binding function fails on a port Analysis IP Source Guard is not s...

Page 459: ...and Maintaining SSH 2 11 SSH Server Configuration Examples 2 12 When Switch Acts as Server for Password Authentication 2 12 When Switch Acts as Server for Publickey Authentication 2 14 SSH Client Conf...

Page 460: ...ents but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server Currently when acting as an SSH server the device supports two SSH version...

Page 461: ...pports the version the server and client will use the version Otherwise the negotiation fails 5 If the negotiation is successful the server and the client proceed with key and algorithm negotiation ot...

Page 462: ...lid the authentication fails otherwise the server authenticates the client by the digital signature Finally the server sends a message to the client to inform the success or failure of the authenticat...

Page 463: ...ommands in text format the text must be within 2000 bytes It is recommended that the commands are in the same view otherwise the server may not be able to perform the commands correctly z If the comma...

Page 464: ...key As SSH2 uses the DH algorithm to generate the session key on the SSH server and client respectively no session key transmission is required in SSH2 and the server key pair is not used z The lengt...

Page 465: ...user interface configured to support SSH you cannot change the authentication mode To change the authentication mode undo the SSH support configuration first Configuring a Client Public Key This confi...

Page 466: ...ublic key code end When you exit public key code view the system automatically saves the public key Return from public key view to system view peer public key end Importing a client public key from a...

Page 467: ...t SFTP refer to SFTP Overview z For successful login through SFTP you must set the user service type to sftp or all z As SSH1 does not support service type sftp if the client uses SSH1 to log into the...

Page 468: ...rks Enter system view system view Enable the SSH server to support SSH1 clients ssh server compatible ssh1x enable Optional By default the SSH server supports SSH1 clients Set the RSA server key pair...

Page 469: ...configured with the server host public key accesses the server for the first time the user can continue accessing the server and save the host public key on the client When accessing the server again...

Page 470: ...ey exchange algorithm ssh2 server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha1 sha1 96 prefer kex dh group exchange dh group1 dh group14 prefer...

Page 471: ...nd password are saved on the switch Figure 1 1 Switch acts as server for password authentication SSH client SSH server Host Switch 192 168 0 2 24 Vlan int1 192 168 0 1 24 Configuration procedure 1 Con...

Page 472: ...the service type for user client001 as Stelnet and the authentication mode as password This step is optional Switch ssh user client001 service type stelnet authentication type password 2 Configure th...

Page 473: ...interface When Switch Acts as Server for Publickey Authentication Network requirements z As shown in Figure 1 3 a local SSH connection is established between the host the SSH client and the switch the...

Page 474: ...o 3 Switch ui vty0 4 user privilege level 3 Switch ui vty0 4 quit Before performing the following tasks you must use the client software to generate an RSA key pair on the client save the public key i...

Page 475: ...key pair 1 While generating the key pair you must move the mouse continuously and keep the mouse off the green process bar shown in Figure 1 5 Otherwise the process bar stops moving and the key pair g...

Page 476: ...file name as key pub to save the public key Figure 1 6 Generate a client key pair 3 Likewise to save the private key click Save private key A warning window pops up to prompt you whether to save the p...

Page 477: ...e client Specify the private key file and establish a connection with the SSH server Launch PuTTY exe to enter the following interface In the Host Name or IP address text box enter the IP address of t...

Page 478: ...as Client for Password Authentication Network requirements z As shown in Figure 1 10 Switch A the SSH client needs to log into Switch B the SSH server through the SSH protocol z The username of the SS...

Page 479: ...level 3 SwitchB luser client001 quit Specify the service type for user client001 as Stelnet and the authentication type as password This step is optional SwitchB ssh user client001 service type stelne...

Page 480: ...code 94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02 492B3959EC6499625BC4FA5082E22C5 SwitchA pkey key code B374E16DD00132CE71B020217091AC717B612391C76C1FB2E 88317C1BD8171D41ECB83E210C03CC9 SwitchA p...

Page 481: ...n for SSH connection SwitchB interface vlan interface 1 SwitchB Vlan interface1 ip address 10 165 87 136 255 255 255 0 SwitchB Vlan interface1 quit Set the authentication mode for the user interfaces...

Page 482: ...c key local create dsa Export the DSA public key to the file key pub SwitchA public key local export dsa ssh2 key pub SwitchA quit After generating a key pair on a client you need to transmit the save...

Page 483: ...TP client enabling a user to login from the device to a remote device for secure file transfer Configuring an SFTP Server Configuration Prerequisites z You have configured the SSH server For the detai...

Page 484: ...out value Optional 10 minutes by default Configuring an SFTP Client Specifying a Source IP Address or Interface for the SFTP Client You can configure a client to use only a specified source IP addres...

Page 485: ...eating or deleting a directory Follow these steps to work with the SFTP directories To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher...

Page 486: ...3des aes128 des prefer stoc hmac md5 md5 96 sha1 sha1 96 Required Execute the command in user view Change the name of a specified file or directory on the SFTP server rename old name new name Optiona...

Page 487: ...onnection to the remote SFTP server To do Use the command Remarks Enter SFTP client view sftp server port number identity key dsa rsa prefer ctos cipher 3des aes128 des prefer ctos hmac md5 md5 96 sha...

Page 488: ...rface vty 0 4 SwitchB ui vty0 4 authentication mode scheme Set the protocol that a remote user uses to log in as SSH SwitchB ui vty0 4 protocol inbound ssh SwitchB ui vty0 4 quit Before performing the...

Page 489: ...SwitchA sftp 192 168 0 1 identity key rsa Input Username client001 Trying 192 168 0 1 Press CTRL K to abort Connected to 192 168 0 1 The Server is not authenticated Continue Y N y Do you want to save...

Page 490: ...e nogroup 1759 Aug 23 06 52 config cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 no...

Page 491: ...w Switch public key local create rsa Switch public key local create dsa Switch ssh server enable Enable the SFTP server Switch sftp server enable Configure an IP address for VLAN interface 1 which the...

Page 492: ...of SFTP client software The following takes the PSFTP of Putty Version 0 58 as an example z The PSFTP supports only password authentication Establish a connection with the remote SFTP server Run the...

Page 493: ...1 8 Retrieving a Certificate Manually 1 9 Configuring PKI Certificate Verification 1 10 Destroying a Local RSA Key Pair 1 11 Deleting a Certificate 1 11 Configuring an Access Control Policy 1 12 Disp...

Page 494: ...age the public keys Currently PKI employs the digital certificate mechanism to solve this problem The digital certificate mechanism binds public keys to their owners helping distribute public keys in...

Page 495: ...revoked certificates and provide an effective way for checking the validity of certificates A CA may publish multiple CRLs when the number of revoked certificates is so large that publishing them in a...

Page 496: ...f PKI The PKI technology can satisfy the security requirements of online transactions As an infrastructure PKI has a wide range of applications Here are some application examples VPN A virtual private...

Page 497: ...ing a Certificate Request in Manual Mode Required Use either approach Retrieving a Certificate Manually Optional Configuring PKI Certificate Optional Destroying a Local RSA Key Pair Optional Deleting...

Page 498: ...fqdn name str Optional No FQDN is specified by default Configure the IP address for the entity ip ip address Optional No IP address is specified by default Configure the locality of the entity locali...

Page 499: ...dedicated protocol for an entity to communicate with a CA z Polling interval and count After an applicant makes a certificate request the CA may need a long period of time if it verifies the certific...

Page 500: ...nd optional when the certificate request mode is manual In the latter case if you do not configure this command the fingerprint of the root certificate must be verified manually No fingerprint is conf...

Page 501: ...The key pair includes a public key and a private key The private key is kept by the user while the public key is transferred to the CA along with some other information For detailed information about...

Page 502: ...command with the pkcs10 and filename keywords and then send the file to the CA by an out of band means z Make sure the clocks of the entity and the CA are synchronous Otherwise the validity period of...

Page 503: ...L checking CRLs will be used in verification of a certificate Configuring CRL checking enabled PKI certificate verification Follow these steps to configure CRL checking enabled PKI certificate verific...

Page 504: ...file z Currently the URL of the CRL distribution point does not support domain name resolving Destroying a Local RSA Key Pair A certificate has a lifetime which is determined by the CA When the priva...

Page 505: ...ive subject name attribute id alt subject name fqdn ip issuer name subject name dn fqdn ip ctn equ nctn nequ attribute value Optional There is no restriction on the issuer name certificate subject nam...

Page 506: ...he certificate request from ra command to specify that the entity requests a certificate from an RA z The SCEP plug in is not required when RSA Keon is used In this case when configuring a PKI domain...

Page 507: ...etrieve CRLs properly 2 Configure the switch z Configure the entity DN Configure the entity name as aaa and the common name as switch Switch system view Switch pki entity aaa Switch pki entity aaa com...

Page 508: ...rieval success Retrieve CRLs and save them locally Switch pki retrieval crl domain torsa Connecting to server for retrieving CRL Please wait a while CRL retrieval success Request a local certificate m...

Page 509: ...stribution Points URI http 4 4 4 133 447 myca crl Signature Algorithm sha1WithRSAEncryption 836213A4 F2F74C1A 50F4100D B764D6CE B30C0133 C4363F2F 73454D51 E9F95962 EDE9E590 E7458FA6 765A0D3F C4047BC2...

Page 510: ...o the RA Right click on the CA server in the navigation tree and select Properties Policy Module Click Properties and then select Follow the settings in the certificate template if applicable Otherwis...

Page 511: ...C to abort Input the bits in the modulus default 1024 Generating Keys z Apply for certificates Retrieve the CA certificate and save it locally Switch pki retrieval certificate ca domain torsa Retrievi...

Page 512: ...C08 C5067DF9 CB4D05E6 55DC11B6 9F4C014D EA600306 81D403CF 2D93BC5A 8AF3224D 1125E439 78ECEFE1 7FA9AE7B 877B50B8 3280509F 6B Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier B68E4...

Page 513: ...e z For detailed information about HTTPS configuration refer to HTTP Server Configuration in the System Volume z The PKI domain to be referenced by the SSL policy must be created in advance For detail...

Page 514: ...permit mygroup2 Switch pki cert acp myacp quit 4 Apply the SSL server policy and certificate attribute based access control policy to HTTPS service and enable HTTPS service Apply SSL server policy mys...

Page 515: ...nection is physically proper z Retrieve a CA certificate z Regenerate a key pair z Specify a trusted CA z Use the ping command to check that the RA server is reachable z Specify the authority for cert...

Page 516: ...List 1 2 Configuring an SSL Server Policy 1 3 Configuration Prerequisites 1 3 Configuration Procedure 1 3 SSL Server Policy Configuration Example 1 4 Configuring an SSL Client Policy 1 6 Configuratio...

Page 517: ...er and client by using the digital signatures with the authentication of the client being optional The SSL server and client obtain certificates from a certificate authority CA through the Public Key...

Page 518: ...ing identity authentication of the server and client Through the SSL handshake protocol a session is established between a client and the server A session consists of a set of parameters including the...

Page 519: ...nd enter its view ssl server policy policy name Required Specify a PKI domain for the SSL server policy pki domain domain name Required By default no PKI domain is specified for an SSL server policy S...

Page 520: ...fy the client to use SSL 3 0 or TLS 1 0 to communicate with the server SSL Server Policy Configuration Example Network requirements z Device works as the HTTPS server z A host works as the client and...

Page 521: ...for the SSL server policy as 1 Device ssl server policy myssl pki domain 1 Enable client authentication Device ssl server policy myssl client verify enable Device ssl server policy myssl quit 3 Assoc...

Page 522: ...icy To do Use the command Remarks Enter system view system view Create an SSL client policy and enter its view ssl client policy policy name Required Specify a PKI domain for the SSL client policy pki...

Page 523: ...e problem z If the SSL server has no certificate request one for it z If the server certificate cannot be trusted install on the SSL client the root certificate of the CA that issues the local certifi...

Page 524: ...ymmetric Key Pair 1 2 Creating an Asymmetric Key Pair 1 2 Displaying or Exporting the Local RSA or DSA Host Public Key 1 3 Destroying an Asymmetric Key Pair 1 3 Configuring the Public Key of a Peer 1...

Page 525: ...sent for confidentiality The cipher text is transmitted in the network and then is decrypted by the receiver to obtain the original pain text Figure 1 1 Encryption and decryption There are two types o...

Page 526: ...Shamir Adleman Algorithm RSA and Digital Signature Algorithm DSA are all asymmetric key algorithms RSA can be used for data encryption and signature whereas DSA is used for signature only Asymmetric...

Page 527: ...key on the screen or export it to a specified file so as to configure the local RSA or DSA host public key on the remote end Follow these steps to display or export the local RSA or DSA host public ke...

Page 528: ...o Use the command Remarks Enter system view system view Enter public key view public key peer keyname Enter public key code view public key code begin Configure a public key of the peer Enter the key...

Page 529: ...A Create RSA key pairs on Device A DeviceA system view DeviceA public key local create rsa The range of public key size is 512 2048 NOTES If the key modulus is greater than 512 It will take a few minu...

Page 530: ...view with public key code end DeviceB pkey key code 30819F300D06092A864886F70D010101050003818D0030818902818100D90003F A95F5A44A2A2CD3F814F9854C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5...

Page 531: ...TRL C to abort Input the bits of the modulus default 1024 Generating Keys Display the public keys of the created RSA key pairs DeviceA display public key local rsa public Time of Key pair created 09 5...

Page 532: ...tp quit 3 Upload the public key file of Device A to Device B FTP the public key file devicea pub to Device B with the file transfer mode of binary DeviceA ftp 10 1 1 2 Trying 10 1 1 2 Press CTRL K to...

Page 533: ...03FA95F5A44A2A2CD3F814F985 4C4421B57CAC64CFFE4782A87B0360B600497D87162D1F398E6E5E51E5E353B3A9AB16C9E766BD995C669A78 4AD597D0FB3AA9F7202C507072B19C3C50A0D7AD3994E14ABC62DB125035EA326470034DC078B2BAA3BC...

Page 534: ...Prerequisites 2 2 Configuration Procedure 2 2 Configuring an Advanced IPv4 ACL 2 3 Configuration Prerequisites 2 3 Configuration Procedure 2 3 Configuring an Ethernet Frame Header ACL 2 5 Configuratio...

Page 535: ...ii 4 ACL Application for Packet Filtering 4 1 Filtering IPv4 Packets 4 1 Filtering IPv6 Packets 4 1 ACL Application Example 4 2...

Page 536: ...d ACLs refer to both IPv4 ACLs and IPv6 ACLs throughout this document Go to these sections for information you are interested in z Introduction to IPv4 ACL z Introduction to IPv6 ACL z ACL Application...

Page 537: ...n share the same name IPv4 ACL Match Order An ACL may consist of multiple rules which specify different matching criteria These criteria may have overlapping or conflicting parts The match order is fo...

Page 538: ...address wildcard masks are the same look at the Layer 4 port number ranges namely the TCP UDP port number ranges Then compare packets against the rule configured with the smaller port number range 5 I...

Page 539: ...v4 ACL You can control when a rule can take effect by referencing a time range in the rule A referenced time range can be one that has not been created yet The rule however can take effect only after...

Page 540: ...verlapping or conflicting parts The match order is for determining how a packet should be matched against the rules Two match orders are available for IPv6 ACLs z config Packets are compared against A...

Page 541: ...nges namely the TCP UDP port number ranges Then compare packets against the rule configured with the smaller port number range 5 If the port number ranges are the same compare packets against the rule...

Page 542: ...ime1 date1 to time2 date2 from time1 date1 to time2 date2 to time2 date2 Required Display the configuration and status of one or all time ranges display time range time range name all Optional Availab...

Page 543: ...e ends at the latest time that the system supports namely 24 00 12 31 2100 Configuring a Basic IPv4 ACL Basic IPv4 ACLs match packets based on only source IP address They are numbered from 2000 to 299...

Page 544: ...he match order of an ACL with the acl number acl number name acl name match order auto config command but only when the ACL does not contain any rules z The rule specified in the rule comment command...

Page 545: ...fication z If the QoS policy is applied to the inbound direction the logging keyword is not supported z If the QoS policy is applied to the outbound direction the keywords of logging precedence icmp t...

Page 546: ...Remarks Enter system view system view Create an Ethernet frame header ACL and enter its view acl number acl number name acl name match order auto config Required The default match order is config If y...

Page 547: ...rules still remain the same z You can modify the match order of an ACL with the acl number acl number name acl name match order auto config command but only when the ACL does not contain any rules z T...

Page 548: ...bout one or all IPv4 ACLs display acl acl number all name acl name Available in any view Display the usage of ACL resources display acl resource Available in any view Display the configuration and sta...

Page 549: ...6 address They are numbered in the range 2000 to 2999 Configuration Prerequisites If you want to reference a time range in a rule define it with the time range command first Configuration Procedure Fo...

Page 550: ...of the settings in which case the other settings remain the same z You cannot create a rule with or modify a rule to have the same permit deny statement as an existing rule in the ACL z When the ACL...

Page 551: ...sage logging source source source prefix source source prefix any source port operator port1 port2 time range time range name Required To create or modify multiple rules repeat this step When an advan...

Page 552: ...ing an IPv6 ACL This feature allows you to copy an existing IPv6 ACL to generate a new one which is of the same type and has the same match order rules rule numbering step and descriptions as the sour...

Page 553: ...me Available in any view Display the usage of ACL resources display acl resource Available in any view Display the configuration and status of one or all time ranges display time range time range name...

Page 554: ...system view system view Enter interface view interface interface type interface number Apply a basic or advanced IPv4 ACL to the interface to filter IPv4 packets packet filter acl number name acl nam...

Page 555: ...Configuration procedure Create a time range named study setting it to become active from 08 00 to 18 00 everyday DeviceA system view DeviceA time range study 8 00 to 18 00 daily Create basic IPv4 ACL...

Page 556: ...ace for Telnet Packets z Controlling Login Users Basic System Configuration Basic system configuration involves the configuration of device name system clock welcome message user privilege levels and...

Page 557: ...MAC Address Table Management A switch maintains a MAC address table for fast forwarding packets This document describes z MAC address table overview z Configuring MAC Address Entries z Configuring MAC...

Page 558: ...onfiguration z IPv6 Based VRRP configuration Cluster Management A cluster is a group of network devices Cluster management is to implement management of large numbers of distributed network devices Th...

Page 559: ...mple 2 7 Console Port Login Configuration with Authentication Mode Being Scheme 2 9 Configuration Procedure 2 9 Configuration Example 2 10 3 Logging In Through Telnet SSH 3 1 Logging In Through Telnet...

Page 560: ...8 Controlling Login Users 8 1 Introduction 8 1 Controlling Telnet Users 8 1 Prerequisites 8 1 Controlling Telnet Users by Source IP Addresses 8 1 Controlling Telnet Users by Source and Destination IP...

Page 561: ...et switch supports two types of user interfaces AUX and VTY z AUX port Used to manage and monitor users logging in via the console port The device provides AUX ports of EIA TIA 232 DTE type The port i...

Page 562: ...to uniquely specify a user interface or a group of user interfaces The numbering system starts from number 0 with a step of 1 The numbering approach numbers the two types of user interfaces in the se...

Page 563: ...ame string Optional Display the information about the current user interface all user interfaces display users all You can execute this command in any view Display the physical attributes and configur...

Page 564: ...methods By default you can log in to an H3C S5810 series Ethernet switch through its Console port only To log in to an Ethernet switch through its Console port the related configuration of the user te...

Page 565: ...perTerminal in Windows 9X Windows 2000 Windows XP and perform the configuration shown in Figure 2 2 through Figure 2 4 for the connection to be created Normally the parameters of a terminal are config...

Page 566: ...for information about the commands Console Port Login Configuration Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port l...

Page 567: ...Terminal configuration Set the timeout time of a user interface idle timeout minutes seconds Optional The default timeout time is 10 minutes Changing of Console port configuration terminates the conn...

Page 568: ...password of a remote user are configured on the RADIUS server Refer to user manual of RADIUS server for details Manage AUX users Set service type for AUX users Required Scheme Perform common configura...

Page 569: ...rk diagram Figure 2 5 Network diagram for AUX user interface configuration with the authentication mode being none Configuration procedure Enter system view Sysname system view Enter AUX user interfac...

Page 570: ...By default users logging in through the Console port are not authenticated while users logging in through the Telnet need to pass the password authentication Set the local password set authentication...

Page 571: ...n to the AUX user interface Sysname ui aux0 user privilege level 2 Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain...

Page 572: ...ystem view quit Optional By default the local AAA scheme is applied If you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to a...

Page 573: ...through Telnet and your user level is set to the administrator level level 3 After you telnet to the switch you need to limit the console user at the following aspects z Configure the name of the loca...

Page 574: ...heme Set the baud rate of the Console port to 19200 bps Sysname ui aux0 speed 19200 Set the maximum number of lines the screen can contain to 30 Sysname ui aux0 screen length 30 Set the maximum number...

Page 575: ...et Server The IP address of the VLAN of the switch is configured and the route between the switch and the Telnet terminal is available Switch The authentication mode and other settings are configured...

Page 576: ...ubnet mask as 255 255 255 0 Sysname system view Sysname telnet server enable Sysname interface vlan interface 1 Sysname Vlan interface1 ip address 202 38 160 92 255 255 255 0 Step 2 Before Telnet user...

Page 577: ...r to Basic System Configuration in the System Volume for information about command hierarchy Telnetting to Another Switch from the Current Switch You can Telnet to another switch from the current swit...

Page 578: ...ion about the commands Common Configuration Table 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Remarks Enter system view system view Make the switch to...

Page 579: ...terfaces Telnet Configuration with Authentication Mode Being Password Configure to authenticate users logging in to user interfaces using a local password and configure the local password Telnet Confi...

Page 580: ...2 Network diagram Figure 3 4 Network diagram for Telnet configuration with the authentication mode being none 3 Configuration procedure Enter system view and enable the Telnet service Sysname system...

Page 581: ...the user privilege level level command Configuration Example 1 Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging in t...

Page 582: ...erface views user interface vty first number last number Configure to authenticate users locally or remotely authentication mode scheme Required The specified AAA scheme determines whether to authenti...

Page 583: ...ied using the authorization attribute level level command When the RADIUS or HWTACACS authentication mode is used the user levels are set on the corresponding RADIUS or HWTACACS servers For more infor...

Page 584: ...ame ui vty0 authentication mode scheme Configure Telnet protocol is supported Sysname ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Sysname ui vty0 scree...

Page 585: ...o it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is prop...

Page 586: ...le port be set to a value lower than the transmission speed of the modem Otherwise packets may get lost Step 3 Connect your PC the modems and the switch as shown in the following figure Figure 4 1 Est...

Page 587: ...ter the character at anytime for help Refer to the following chapters for information about the configuration commands If you perform no AUX user related configuration on the switch the commands of le...

Page 588: ...itch through its Console port by using a modem you will enter the AUX user interface The corresponding configuration on the switch is the same as those when logging into the switch locally through its...

Page 589: ...4 5 Configuration on switch when the authentication mode is scheme Refer to Console Port Login Configuration with Authentication Mode Being Scheme...

Page 590: ...e switch and the network management terminal is available Refer to the module IP Addressing and Performance and IP Routing for more Switch The user name and password for logging in to the Web based ne...

Page 591: ...tch By default VLAN 1 is the management VLAN z Connect to the console port Refer to section Setting Up the Connection to the Console Port z Execute the following commands in the terminal window to ass...

Page 592: ...http 10 153 17 82 Make sure the route between the Web based network management terminal and the switch is available Step 5 When the login interface shown in Figure 5 2 appears enter the user name and...

Page 593: ...rotocol is applied between the NMS and the agent To log in to a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging in to...

Page 594: ...security Specifying source IP address interfaces for Telnet packets also provides a way to successfully connect to servers that only accept packets with specific source IP addresses Specifying Source...

Page 595: ...or Telnet packets make sure the interface already exists z Before specifying the source IP address interface for Telnet packets make sure the route between the interface and the Telnet server is reach...

Page 596: ...net Users by Source and Destination IP Addresses Telnet By source MAC addresses Through Layer 2 ACLs Controlling Telnet Users by Source MAC Addresses SNMP By source IP addresses Through basic ACLs Con...

Page 597: ...ed by advanced ACL an advanced ACL ranges from 3000 to 3999 For the definition of ACL refer to ACL Configuration in the Security Volume Follow these steps to control Telnet users by source and destina...

Page 598: ...e ACL rule rule id permit deny rule string Required You can define rules as needed to filter by specific source MAC addresses Quit to system view quit Enter user interface view user interface type fir...

Page 599: ...nt Users by Source IP Addresses You can manage a H3C S5810 series Ethernet switch through network management software Network management users can access switches through SNMP You need to perform the...

Page 600: ...tion privacy read view read view write view write view notify view notify view acl acl number Apply the ACL while configuring the SNMP user name snmp agent usm user v1 v2c user name group name acl acl...

Page 601: ...ists ACLs you can control the access of Web users to the switches Prerequisites The control policies to be implemented on Web users are decided including the source IP addresses to be controlled and t...

Page 602: ...Example Network requirements Configure a basic ACL to allow only Web users using IP address 10 110 100 52 to access the switch Figure 8 3 Configure an ACL to control the access of HTTP users to the s...

Page 603: ...he Display of Copyright Information 1 6 Configuring a Banner 1 7 Configuring CLI Hotkeys 1 8 Configuring User Privilege Levels and Command Levels 1 9 Displaying and Maintaining Basic Configurations 1...

Page 604: ...lly when it has no configuration file or the configuration file is damaged z Current configuration The currently running configuration on the device z Saved configuration Configurations saved in the s...

Page 605: ...ser view system view Required Available in user view Exiting the Current View The system divides the command line interface into multiple command views which adopts a hierarchical structure For exampl...

Page 606: ...zone and daylight saving time You can view the system clock by using the display clock command Follow these steps to configure the system clock To do Use the command Remarks Set time and date clock da...

Page 607: ...ffset Configure clock timezone zone time add 1 Display 02 00 00 zone time Sat 01 01 2005 1 and 2 date time zone offset Configure clock datetime 2 00 2007 2 2 and clock timezone zone time add 1 Display...

Page 608: ...0 2007 1 1 1 00 2007 8 8 2 and clock datetime 3 00 2007 1 1 Display 03 00 00 ss Mon 01 01 2007 Configure clock timezone zone time add 1 and clock summer time ss one off 1 00 2007 1 1 1 00 2007 8 8 2 D...

Page 609: ...summer time ss one off 1 00 2008 1 1 1 00 2008 8 8 2 and clock datetime 3 00 2008 1 1 Display 03 00 00 ss Tue 01 01 2008 Enabling Disabling the Display of Copyright Information z With the display of...

Page 610: ...e is to input all the banner information right after the command keywords The start and end characters of the input text must be the same but are not part of the banner information In this case the in...

Page 611: ...in any view Refer to Table 1 2 for hotkeys reserved by the system By default the Ctrl G Ctrl L and Ctrl O hotkeys are configured with command line and the Ctrl T and Ctrl U commands are NULL z Ctrl G...

Page 612: ...the right Esc N Moves the cursor down by one line available before you press Enter Esc P Moves the cursor up by one line available before you press Enter Esc Specifies the cursor as the beginning of t...

Page 613: ...command download user management level setting as well as parameter setting within a system the last case involves those non protocol or non RFC provisioned commands Configuring user privilege level U...

Page 614: ...refer to AAA Commands in the Security Volume z For the introduction to SSH refer to SSH 2 0 Configuration in the Security Volume 2 Example of configuring user privilege level by using AAA authenticat...

Page 615: ...the user logging in from the current user interface user privilege level level Optional By default the user privilege level for users logging in from the console user interface is 3 and that for users...

Page 616: ...tion and use the following commands Sysname User view commands cluster Run cluster command debugging Enable system debugging functions display Display current system information ping Ping function qui...

Page 617: ...peration by others Users can switch from a high user privilege level to a low user privilege level without entering a password when switching from a low user privilege level to a high user privilege l...

Page 618: ...sic Configurations To do Use the command Remarks Display information on system version display version Display information on the system clock display clock Display information on terminal users displ...

Page 619: ...es the following features for you to configure and manage your devices z Hierarchical command protection where you can only execute the commands at your own or lower levels Refer to Configuring User P...

Page 620: ...f description Sysname terminal debugging Send debug information to terminal logging Send log information to terminal monitor Send information output to current terminal trapping Send trap information...

Page 621: ...d undo can form an undo command Almost every configuration command has an undo form undo commands are generally used to restore the system default disable a function or cancel a configuration For exam...

Page 622: ...n The device provides the function to filter the output information You can specify a regular expression to search the information you need You can use these two methods to filter the output informati...

Page 623: ...means numbers from 1 to 9 inclusive a h means from a to h inclusive A range of characters Matches any character in the specified range For example 16A can match a string containing any character among...

Page 624: ...t in install but not t in big top character1 w Used to match character1character2 character2 must be a number letter or underline and w equals A Za z0 9_ For example v w can match vlan with v being c...

Page 625: ...mand execution Ctrl E Moves the cursor to the end of the current line PageUp Displays information on the previous page PageDown Displays information on the next page Saving Commands in the History Buf...

Page 626: ...f there is any You may use arrow keys to access history commands in Windows 200X and XP Terminal or Telnet However the up arrow and down arrow keys are invalid in Windows 9X HyperTerminal because they...

Page 627: ...gh Command Lines 1 5 Upgrading the Boot File Through Command Lines 1 5 Configuring Temperature Alarm Thresholds for a Device 1 6 Clearing the 16 bit Interface Indexes Not Used in the Current System 1...

Page 628: ...the current working state of a device configure running parameters and perform daily device maintenance and management Device Management Configuration Task List Complete these tasks to configure devi...

Page 629: ...t off which is also called hard reboot or cold start This method impacts the device a lot Powering off a running device will cause data loss and hardware damages It is not recommended z Trigger the im...

Page 630: ...ice or you can power off the device then power it on and the system automatically uses the backup boot file to restart the device z If you are performing file operations when the device is to be reboo...

Page 631: ...views such as system view quit and the commands used to modify status of a user that is executing commands such as super the operation interface command view and status of the current user are not cha...

Page 632: ...emarks upgrade the Boot ROM program on devices bootrom update file file url main backup Required Available in user view Upgrading the Boot File Through Command Lines Follow the steps to upgrade the bo...

Page 633: ...etwork management software requires the device to provide a uniform stable 16 bit interface index That is a one to one relationship should be kept between the interface name and the interface index in...

Page 634: ...Form factor Pluggable Generally used for 10G Ethernet interfaces Yes No XENPAK 10 Gigabit Ethernet Transceiver Package Generally used for 10G Ethernet interfaces Yes Yes Identifying pluggable transce...

Page 635: ...of the pluggable transceiver s display transceiver alarm interface interface type interface number Available for all pluggable transceivers Display the currently measured value of the digital diagnosi...

Page 636: ...ftware version is soft version1 for Device Upgrade the software version of Device to soft version2 and configuration file to new config at a time when few services are processed for example at 3 am th...

Page 637: ...r note that the prompt may vary with servers Device ftp 2 2 2 2 Trying 2 2 2 2 Press CTRL K to abort Connected to 2 2 2 2 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User 2 2 2...

Page 638: ...fo Command execute auto update bat in system view will be executed at 03 00 12 11 2007 in 12 hours and 0 minutes After the device reboots use the display version command to check if the upgrade is suc...

Page 639: ...Medium 1 5 Displaying and Maintaining the NAND Flash Memory 1 6 Setting File System Prompt Modes 1 7 File System Operations Example 1 7 2 Configuration File Management 2 1 Configuration File Overview...

Page 640: ...cking Up the Startup Configuration File 2 7 Deleting the Startup Configuration File for the Next Startup 2 8 Restoring the Startup Configuration File 2 9 Displaying and Maintaining Device Configuratio...

Page 641: ...ons and Setting File System Prompt Modes Filename Formats When you specify a file you must enter the filename in one of the following formats Filename formats Format Description Length Example file na...

Page 642: ...iew Displaying the Current Working Directory To do Use the command Remarks Display the current working directory pwd Required Available in user view Changing the Current Working Directory To do Use th...

Page 643: ...cified directory or file information displaying file contents renaming copying moving removing restoring and deleting files You can create a file by copying downloading or using the save command Displ...

Page 644: ...storage space To delete a file in the recycle bin you need to execute the reset recycle bin command in the directory that the file originally belongs It is recommended to empty the recycle bin timely...

Page 645: ...s not bat use the rename command to change the suffix to bat 3 Execute the batch file Follow the steps below to execute a batch file To do Use the command Remarks Enter system view system view Execute...

Page 646: ...Displaying and repairing bad blocks It is common to have bad blocks when an NAND flash memory is shipped from the factory Bad block ratio varies with products of different vendors The frequently used...

Page 647: ...iew Set the operation prompt mode of the file system file prompt alert quiet Optional The default is alert File System Operations Example Display the files and the subdirectories under the current dir...

Page 648: ...1 8 Return to the upper directory Sysname cd Display the current working directory Sysname pwd flash...

Page 649: ...initialization when the device boots If this file does not exist the system boots using null configuration that is using the default parameters z Current configuration which refers to the currently r...

Page 650: ...tion files for the next boot of the device in the following two methods z Specify them when saving the current configuration For detailed configuration refer to Saving the Current Configuration z Spec...

Page 651: ...tartup may be lost if the device reboots or the power supply fails In this case the device will boot with the null configuration and after the device reboots you need to re specify a startup configura...

Page 652: ...Task List Complete these tasks to configure the configuration rollback Task Remarks Configuring Parameters for Saving the Current Running Configuration Required Saving the Current Running Configurati...

Page 653: ...number argument if the available memory space is small Saving the Current Running Configuration Automatically You can configure the system to save the current running configuration at a specified int...

Page 654: ...before the modification Follow the step below to save the current running configuration manually To do Use the command Remarks Save the current running configuration manually archive configuration Req...

Page 655: ...z Use the save command If you save the current configuration to the specified configuration file in the interactive mode the system automatically sets the file as the configuration file to be used at...

Page 656: ...p configuration file However in the case that the main and backup startup configuration files are the same if you perform the delete operation for once the system will not delete the configuration fil...

Page 657: ...can use the display startup command in user view to verify that the filename of the configuration file to be used at the next system startup is the same with that specified by the filename argument a...

Page 658: ...n ACL 1 2 Displaying and Maintaining HTTP 1 3 2 HTTPS Configuration 2 1 HTTPS Overview 2 1 HTTPS Configuration Task List 2 1 Associating the HTTPS Service with an SSL Server Policy 2 2 Enabling the HT...

Page 659: ...y the port number is 80 2 The client sends a request to the server 3 The server processes the request and sends back a response 4 The TCP connection is closed Logging In to the Device Through HTTP You...

Page 660: ...system view Configure the port number of the HTTP service ip http port port number Required By default the port number of the HTTP service is 80 If you execute the ip http port command for multiple t...

Page 661: ...ACLs the HTTP service is only associated with the last specified ACL z For the detailed introduction to ACL refer to ACL Configuration in the Security Volume Displaying and Maintaining HTTP To do Use...

Page 662: ...ss the device securely and prohibit the illegal clients z Encrypts the data exchanged between the HTTPS client and the device to ensure the data security and integrity thus realizing the security mana...

Page 663: ...nly associated with the last specified SSL server policy z When the HTTPS service is disabled the association between the HTTPS service and the SSL server is automatically removed To enable it again y...

Page 664: ...ssociate the HTTPS service with a certificate attribute access control policy To do Use the command Remarks Enter system view system view Associate the HTTPS service with a certificate attribute acces...

Page 665: ...ter system view system view Associate the HTTPS service with an ACL ip https acl acl number Required Not associated by default z If you execute the ip https acl command for multiple times to associate...

Page 666: ...pki entity en quit Configure a PKI domain Device pki domain 1 Device pki domain 1 ca identifier new ca Device pki domain 1 certificate request url http 10 1 2 2 8080 certsrv mscep mscep dll Device pki...

Page 667: ...PS service with the SSL server policy myssl Device ip https ssl server policy myssl 5 Associate the HTTPS service with a certificate attribute access control policy Associate the HTTPS service with ce...

Page 668: ...uction to SNMP Logging 1 5 Enabling SNMP Logging 1 5 Configuring SNMP Trap 1 6 Enabling the Trap Function 1 6 Configuring Trap Parameters 1 7 Displaying and Maintaining SNMP 1 8 SNMPv1 SNMPv2c Configu...

Page 669: ...NMP makes the management tasks independent of both the physical features of the managed devices and the underlying networking technologies Thus SNMP achieves effective management of devices from diffe...

Page 670: ...used to encrypt packets between the NMS and agents preventing the packets from being intercepted USM ensures a more secure communication between SNMP NMS and SNMP agent by authentication with privacy...

Page 671: ...s follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMPv1 SNMPv2c SNMPv3 for the version Configure a local engine ID for an SNMP entity snmp agent local engineid en...

Page 672: ...sys location version v1 v2c v3 all Required The defaults are as follows Hangzhou H3C Technologies Co Ltd for contact Hangzhou China for location and SNMPv1 SNMPv2c SNMPv3 for the version Configure a l...

Page 673: ...value configured and the error code and error index of the SET response These logs will be sent to the information center and the level of them is informational that is they are taken as the system p...

Page 674: ...ules as needed With the trap function enabled on a module the traps generated by the module will be sent to the information center The information center has seven information output destinations By d...

Page 675: ...in the trap queue You can set the size of the queue and the holding time of the traps in the queue and you can also send the traps to the specified destination host usually the NMS Follow these steps...

Page 676: ...e ID display snmp agent local engineid Display SNMP agent group information display snmp agent group group name Display basic information of the trap queue display snmp agent trap queue Display the mo...

Page 677: ...e sending of traps to the NMS with an IP address of 1 1 1 2 24 using public as the community name Sysname snmp agent trap enable Sysname snmp agent target host trap address udp domain 1 1 1 2 udp port...

Page 678: ...ser v3 managev3user managev3group authentication mode md5 authkey privacy mode des56 prikey Configure the contact person and physical location information of the Switch Sysname snmp agent sys info con...

Page 679: ...ou can omit this configuration Sysname terminal monitor Sysname terminal logging Enable the information center to output the system information with the severity level equal to or higher than informat...

Page 680: ...Index Error index with 0 meaning no error errorstatus Error status with noError meaning no error value Value set when the SET operation is performed This field is null meaning the value obtained with...

Page 681: ...MIB style may vary depending on the device model To implement NMS s flexible management of the device the device allows you to configure the MIB style that is you can switch between the two styles of...

Page 682: ...RMON Statistics Function 1 3 Configuration Prerequisites 1 3 Configuring the RMON Ethernet Statistics Function 1 4 Configuring the RMON History Statistics Function 1 4 Configuring the RMON Alarm Funct...

Page 683: ...packets reaches a certain value Both the RMON protocol and the simple network management protocol SNMP are used for remote network management z The RMON is implemented on the basis of the SNMP which i...

Page 684: ...roup The event group defines event indexes and controls the generation and notifications of the events triggered by the alarms defined in the alarm group and the private alarm group The events can be...

Page 685: ...atistics on various traffic information on the interface at present only Ethernet interfaces are supported and saves the statistics in the Ethernet statistics table ethernetStatsTable for query conven...

Page 686: ...terface interface type interface number Create an entry in the RMON history control table rmon history entry number buckets number interval sampling interval owner text Required z The entry number mus...

Page 687: ...umber description string log log trap log trapcommunity none trap trap community owner text Required Create an entry in the alarm table rmon alarm entry number alarm variable sampling interval absolut...

Page 688: ...tics interface type interface number Available in any view Display the RMON history control entry and history sampling information display rmon history interface type interface number Available in any...

Page 689: ...CRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resources 0 Packets received according to length 64 235 65 127 67 128 255 4 256 511 1 512 1023 0 1024 1518 0 Create an event t...

Page 690: ...ies 1 2 MAC Address Table Based Frame Forwarding 1 2 Configuring MAC Address Table Management 1 3 Configuring MAC Address Table Entries 1 3 Configuring the Aging Timer for Dynamic MAC Address Entries...

Page 691: ...MAC address table entry can be dynamically learned or manually configured Dynamically learning MAC address entries Usually a device can populate its MAC address table automatically by learning the sou...

Page 692: ...s of MAC Address Table Entries A MAC address table may contain these types of entries z Static entries which are manually configured and never age out z Dynamic entries which can be manually configure...

Page 693: ...e steps to add modify or remove entries in the MAC address table globally To do Use the command Remarks Enter system view system view Add modify a MAC address entry mac address dynamic static mac addr...

Page 694: ...e MAC Learning Limit Configuring the MAC learning limit on ports As the MAC address table is growing the forwarding performance of your device may degrade To prevent the MAC address table from getting...

Page 695: ...ddress entries display mac address aging time Display MAC address statistics display mac address statistics Available in any view MAC Address Table Management Configuration Example Network requirement...

Page 696: ...nd Debugging 1 1 Ping 1 1 Introduction 1 1 Configuring Ping 1 1 Ping Configuration Example 1 2 Tracert 1 4 Introduction 1 4 Configuring Tracert 1 4 System Debugging 1 5 Introduction to System Debuggin...

Page 697: ...ping function is implemented through the Internet Control Message Protocol ICMP 1 The source device sends an ICMP echo request to the destination device 2 The source device determines whether the des...

Page 698: ...Device A to Device C Figure 1 1 Ping network diagram Configuration procedure Use the ping command to display whether an available route exists between Device A and Device C DeviceA ping 1 1 2 2 PING...

Page 699: ...atistics 5 packet s transmitted 5 packet s received 0 00 packet loss round trip min avg max 1 11 53 ms The principle of ping r is as shown in Figure 1 1 1 The source Device A sends an ICMP echo reques...

Page 700: ...s the packet responds by sending a TTL expired ICMP error message to the source with its IP address 1 1 1 2 encapsulated In this way the source device can get the address 1 1 1 2 of the first Layer 3...

Page 701: ...ocol debugging switch which controls protocol specific debugging information z Screen output switch which controls whether to display the debugging information on a certain screen As Figure 1 3 illust...

Page 702: ...minal is disabled by default Available in user view Enable the terminal display of debugging information terminal debugging Required Disabled by default Available in user view Enable debugging for a s...

Page 703: ...eviceA ip ttl expires enable DeviceA ip unreachables enable DeviceA tracert 1 1 2 2 traceroute to 1 1 2 2 1 1 2 2 30 hops max 40 bytes packet press CTRL_C to bre ak 1 1 1 1 2 14 ms 10 ms 20 ms 2 3 4 5...

Page 704: ...tem Information to a Log Host 1 9 Outputting System Information to the Trap Buffer 1 10 Outputting System Information to the Log Buffer 1 11 Outputting System Information to the SNMP Module 1 12 Confi...

Page 705: ...rs and developers in monitoring network performance and diagnosing network problems The following describes the working process of information center z Receives the log trap and debugging information...

Page 706: ...enormous information waiting for processing Classification of system information The system information of the information center falls into three types z Log information z Trap information z Debuggin...

Page 707: ...nels and output destinations can be changed through commands Besides you can configure channels 7 8 and 9 without changing the default configuration of the seven channels Table 1 2 Information channel...

Page 708: ...d to be output to the log file log information with severity level equal to or higher than informational is allowed to be output to the log host log information with severity level equal to or higher...

Page 709: ...or log file the system information is in the following format timestamp sysname module level digest content For example a monitor terminal connects to the device When a terminal logs in to the device...

Page 710: ...ify the system name Refer to Basic System Configuration Commands in the System Volume for details This field is a preamble used to identify a vendor It is displayed only when the output destination is...

Page 711: ...System Information to the SNMP Module Optional Configuring Synchronous Information Output Optional Outputting System Information to the Console Outputting system information to the console To do Use...

Page 712: ...by default Enable the display of log information on the console terminal logging Optional Enabled by default Enable the display of trap information on the console terminal trapping Optional Enabled by...

Page 713: ...rminal Follow these steps to enable the display of system information on a monitor terminal To do Use the command Remarks Enable the monitoring of system information on a monitor terminal terminal mon...

Page 714: ...l Refer to Default output rules of system information Specify the source IP address for the log information info center loghost source interface type interface number Optional By default the source in...

Page 715: ...none Optional The time stamp format for log trap and debugging information is date by default Outputting System Information to the Log Buffer You can configure to output log trap and debugging inform...

Page 716: ...aps to the SNMP module and then set the trap sending parameters for the SNMP module to further process traps For details refer to SNMP Configuration in the System Volume Follow these steps to configur...

Page 717: ...n such as log information is output before you input any information under the current command line prompt the system will not display the command line prompt after the system information output z If...

Page 718: ...Display the information of each output destination display info center Available in any view Display the state of the log buffer and the log information recorded display logbuffer reverse level sever...

Page 719: ...channel loghost in this example first and then configure the output rule as needed so that unnecessary information will not be output Configure the information output rule allow log information of AR...

Page 720: ...e process ID of syslogd kill the syslogd process and then restart syslogd using the r option to make the modified configuration take effect ps ae grep syslogd 147 kill HUP 147 syslogd r After the abov...

Page 721: ...Device info log Step 3 Edit file etc syslog conf and add the following contents Device configuration messages local5 info var log Device info log In the above configuration local5 is the name of the l...

Page 722: ...ut of log trap and debugging information of all modules on channel console Sysname info center source default channel console debug state off log state off trap state off As the default system configu...

Page 723: ...nal monitor Info Current terminal monitor is on Sysname terminal logging Info Current terminal logging is on After the above configuration takes effect if the specified module generates log informatio...

Page 724: ...ration Between the Track Module and the Interface Management Module 1 2 Configuring Collaboration Between the Track Module and the Application Modules 1 3 Configuring Track VRRP Collaboration 1 3 Conf...

Page 725: ...h the Track module More specifically the detection modules probe the link status network performance and so on and inform the application modules of the detection result through the Track module After...

Page 726: ...laboration between the Track module and the detection modules and between the Track module and the application modules Complete these tasks to configure Track module Task Remarks Configuring Collabora...

Page 727: ...reases by a specified value allowing a higher priority router in the VRRP group to become the master to maintain proper communication between the hosts in the LAN and the external network z Monitor th...

Page 728: ...tored Track object can be nonexistent so that you can first specify the Track object to be monitored using the vrrp vrid track command and then create the Track object using the track command z Refer...

Page 729: ...er you use the track command to create the Track object the association takes effect z If a static route needs route recursion the associated Track object must monitor the next hop of the recursive ro...

Page 730: ...iew SwitchA track 1 interface vlan interface 3 protocol ipv4 3 Configure a Track object on Switch A Configure Track object 1 and associate it with Reaction entry 1 of the NQA test group with the admin...

Page 731: ...ost A and you can see that Host B is reachable Use the display vrrp command to view the configuration result Display detailed information about VRRP group 1 on Switch A SwitchA Vlan interface2 display...

Page 732: ...eempt Mode Yes Delay Time 5 Auth Type Simple Key hello Virtual IP 10 1 1 10 Master IP 10 1 1 2 VRRP Track Information Track Object 1 State Negative Pri Reduced 30 Display detailed information about VR...

Page 733: ...as shown in Figure 1 3 2 Configure a static route on Switch A and associate it with the Track object Configure the address of the next hop of the static route to Switch C as 10 2 1 1 and configure the...

Page 734: ...3 SwitchB Vlan interface3 undo ip address Display information of the Track object on Switch A SwitchA display track all Track ID 1 Status Negative Reference object Track interface Interface status In...

Page 735: ...e for NTP Messages 1 10 Disabling an Interface from Receiving NTP Messages 1 11 Configuring the Maximum Number of Dynamic Sessions Allowed 1 11 Configuring Access Control Rights 1 12 Configuration Pre...

Page 736: ...within a network by changing the system clock on each station because this is a huge amount of workload and cannot guarantee the clock precision NTP however allows quick clock synchronization within...

Page 737: ...ce B Device A Device B Device A 10 00 00 am 11 00 01 am 10 00 00 am NTP message 10 00 00 am 11 00 01 am 11 00 02 am NTP message NTP message NTP message received at 10 00 03 am 1 3 2 4 The process of s...

Page 738: ...fields are described as follows z LI 2 bit leap indicator When set to 11 it warns of an alarm condition clock unsynchronized when set to any other value it is not to be processed by NTP z VN 3 bit ve...

Page 739: ...synchronization in one of the following modes z Client server mode z Symmetric peers mode z Broadcast mode z Multicast mode You can select operation modes of NTP as needed In case that the IP address...

Page 740: ...ends a request Clock synchronization message exchange Mode 3 and Mode 4 Periodically broadcasts clock synchronization messages Mode 5 Calculates the network delay between client and the server and ent...

Page 741: ...o exchange messages with the Mode field set to 3 client mode and 4 server mode to calculate the network delay between client and the server Then the client enters the multicast client mode and continu...

Page 742: ...a server the system will create a static association and the server will just respond passively upon the receipt of a message rather than creating an association static or dynamic In the symmetric mo...

Page 743: ...ou need to specify a symmetric passive peer on a symmetric active peer Following these steps to configure a symmetric active device To do Use the command Remarks Enter system view system view Specify...

Page 744: ...mber Required Enter the interface used to receive NTP broadcast messages Configure the device to work in the NTP broadcast client mode ntp service broadcast client Required Configuring the broadcast s...

Page 745: ...authentication keyid keyid ttl ttl number version number Required z A multicast server can synchronize broadcast clients only after its clock has been synchronized z You can configure up to 1024 mult...

Page 746: ...command the source interface of the broadcast or multicast NTP messages is the interface configured with the respective command Disabling an Interface from Receiving NTP Messages When NTP is enabled...

Page 747: ...full access This level of right permits the peer devices to perform synchronization and control query to the local device and also permits the local device to synchronize its clock to that of a peer d...

Page 748: ...he symmetric peer mode Otherwise the NTP authentication feature cannot be normally enabled z For the broadcast server mode or multicast server mode you need to associate the specified authentication k...

Page 749: ...er Follow these steps to configure NTP authentication for a server To do Use the command Remarks Enter system view system view Enable NTP authentication ntp service authentication enable Required Disa...

Page 750: ...ce display ntp service trace Available in any view NTP Configuration Examples Configuring NTP Client Server Mode Network requirements z The local clock of Device A is to be used as a reference source...

Page 751: ...B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set u...

Page 752: ...UTC Sep 19 2005 C6D95647 153F7CED As shown above Device B has been synchronized to Device A and the clock stratum level of Device B is 3 while that of Device C is 1 3 Configuration on Device C after D...

Page 753: ...3 0 1 32 3 0 1 31 3 3 64 16 6 4 4 8 1 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured Total associations 1 Configuring NTP Broadcast Mode Network requirements z Switch C s lo...

Page 754: ...chronization SwitchD Vlan interface2 display ntp service status Clock status synchronized Clock stratum 3 Reference clock ID 3 0 1 31 Nominal frequency 100 0000 Hz Actual frequency 100 0000 Hz Clock p...

Page 755: ...nfigure Switch D to work in the multicast client mode and receive multicast messages on VLAN interface 2 SwitchD system view SwitchD interface vlan interface 2 SwitchD Vlan interface2 ntp service mult...

Page 756: ...ks in the client mode and Device A is to be used as the NTP server of Device B with Device B as the client z NTP authentication is to be enabled on both Device A and Device B Figure 1 11 Network diagr...

Page 757: ...stratum level of Device B is 3 while that of Device A is 2 View the NTP session information of Device B which shows that an association has been set up Device B and Device A DeviceB display ntp servic...

Page 758: ...itchD ntp service authentication enable SwitchD ntp service authentication keyid 88 authentication mode md5 123456 SwitchD ntp service reliable authentication keyid 88 Configure Switch D to work in th...

Page 759: ...atum level of Switch D is 4 while that of Switch C is 3 View the NTP session information of Switch D which shows that an association has been set up between Switch D and Switch C SwitchD Vlan interfac...

Page 760: ...ion Between Virtual IP Address and MAC Address 1 8 Creating VRRP Group and Configuring Virtual IP Address 1 8 Configuring Router Priority Preemptive Mode and Tracking Function 1 9 Configuring VRRP Pac...

Page 761: ...th the gateway as the next hop for every host on a network segment All packets destined to other network segments are sent over the default route to the gateway and then be forwarded by the gateway Ho...

Page 762: ...bines a group of routers including a master and multiple backups on a LAN into a virtual router called VRRP group A VRRP group has the following features z A virtual router has an IP address A host on...

Page 763: ...s assigned a higher priority later z Preemptive mode When a backup finds its priority higher than that of the master the backup sends VRRP advertisements to start a new master election in the VRRP gro...

Page 764: ...re its existence VRRP packets are also used for checking the parameters of the virtual router and electing the master Figure 1 3 Format of a VRRPv2 packet As shown in Figure 1 3 an IPv4 based VRRP pac...

Page 765: ...ity of VRRP It provides backup not only when the interface to which a VRRP group is assigned fails but also when other interfaces such as uplink interfaces on the router become unavailable If the upli...

Page 766: ...refore can forward packets to external networks whereas Router B and Router C are backups and are thus in the state of listening If Router A fails Router B and Router C elect for a new master The new...

Page 767: ...e backups For load sharing among Router A Router B and Router C hosts on the LAN need to be configured to use VRRP group 1 2 and 3 as the default gateways respectively When configuring VRRP priorities...

Page 768: ...the packets from a host are forwarded to the IP address owner according the real MAC address Follow these steps to configure the association between MAC address and virtual IP address To do Use the co...

Page 769: ...nterface on the IP address owner to resolve the collision z The virtual IP address of the VRRP group cannot be 0 0 0 0 255 255 255 255 loopback addresses non class A B C addresses or other illegal IP...

Page 770: ...ptional Not configured by default z The running priority of an IP address owner is always 255 and you do not need to configure it An IP address owner always works in the preemptive mode z Do not confi...

Page 771: ...fic or different timer setting on routers can cause the Backup timer to time out abnormally and trigger a change of the state To solve this problem you can prolong the time interval to send VRRP packe...

Page 772: ...examples z Single VRRP Group Configuration Example z VRRP Interface Tracking Configuration Example z Multiple VRRP Group Configuration Example Single VRRP Group Configuration Example Network requirem...

Page 773: ...address to be 202 38 160 111 SwitchB Vlan interface2 vrrp vrid 1 virtual ip 202 38 160 111 Set Switch B to work in preemptive mode The preemption delay is five seconds SwitchB Vlan interface2 vrrp vri...

Page 774: ...n Mode Standard Run Method Virtual MAC Total number of virtual routers 1 Interface Vlan interface2 VRID 1 Adver Timer 1 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Del...

Page 775: ...11 Configure the priority of Switch A in the VRRP group to 110 SwitchA Vlan interface2 vrrp vrid 1 priority 110 Configure the authentication mode of the VRRP group as simple and authentication key as...

Page 776: ...g Pri 110 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Master IP 202 38 160 1 VRRP Track Information Track Interface Vlan3 State Up Pri...

Page 777: ...rface2 VRID 1 Adver Timer 5 Admin Status Up State Master Config Pri 100 Running Pri 100 Preempt Mode Yes Delay Time 0 Auth Type Simple Key hello Virtual IP 202 38 160 111 Virtual MAC 0000 5e00 0101 Ma...

Page 778: ...vlan 2 SwitchA vlan2 port gigabitethernet 1 0 5 SwitchA vlan2 quit SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 202 38 160 1 255 255 255 128 Create a VRRP group 1 and set its...

Page 779: ...p 2 to 110 SwitchB Vlan interface3 vrrp vrid 2 priority 110 3 Verify the configuration You can use the display vrrp verbose command to verify the configuration Display detailed information of the VRRP...

Page 780: ...the Internet through Switch A in VRRP group 2 Switch A is the backup Switch B is the master and hosts with the default gateway of 202 38 160 200 25 accesses the Internet through Switch B Troubleshooti...

Page 781: ...t their configurations are consistent in terms of number of virtual IP addresses virtual IP addresses advertisement interval and authentication Symptom 3 Frequent VRRP state transition Analysis The VR...

Page 782: ...een the Management Device and the Member Devices Within a Cluster 1 11 Configuring Cluster Management Protocol Packets 1 11 Cluster Member Management 1 12 Configuring the Member Devices 1 13 Enabling...

Page 783: ...configuration and management tasks By configuring a public IP address on one device you can configure and manage a group of devices without the trouble of logging in to each device separately z Provid...

Page 784: ...r A member device becomes a candidate device after it is removed from the cluster How a Cluster Works Cluster management is implemented through HW Group Management Protocol version 2 HGMPv2 which cons...

Page 785: ...NDP information of all the devices in a specific network range as well as the connection information of all its neighbors The information collected will be used by the management device or the network...

Page 786: ...Disconnect Connect z After a cluster is created a candidate device is added to the cluster and becomes a member device the management device saves the state information of its member device and identi...

Page 787: ...vice and the member candidate devices including the cascade ports Therefore z If the packets from the management VLAN cannot pass a port the device connected with the port cannot be added to the clust...

Page 788: ...Enabling NDP Optional Enabling NTDP Optional Manually Collecting Topology Information Optional Enabling the Cluster Function Optional Configuring the Member Devices Deleting a Member Device from a Cl...

Page 789: ...ndp enable Use either command By default NDP is enabled globally and also on all ports You are recommended to disable NDP on the port which connects with the devices that do not need to join the clust...

Page 790: ...om adding the device which needs not to join the cluster and collecting the topology information of this device Configuring NTDP Parameters By configuring the maximum hops for collecting topology info...

Page 791: ...s the request according to the delays Manually Collecting Topology Information The management device collects topology information periodically after a cluster is created In addition you can configure...

Page 792: ...tem view system view Specify the management VLAN management vlan vlan id Optional By default VLAN 1 is the management VLAN Enter cluster view cluster Configure the private IP address range for member...

Page 793: ...ter Configure the interval to send handshake packets timer interval Optional 10 seconds by default Configure the holdtime of a device holdtime hold time Optional 60 seconds by default Configuring Clus...

Page 794: ...date device to a cluster or remove a member device from a cluster If a member device needs to be rebooted for software upgrade or configuration update you can remotely reboot it through the management...

Page 795: ...er device from the cluster undo administrator address Required Configuring Access Between the Management Device and Its Member Devices After having successfully configured NDP NTDP and cluster you can...

Page 796: ...ication failure z If the member specified in this command does not exist the system prompts error when you execute the command if the switching succeeds your user level on the management device is ret...

Page 797: ...e are usually newly added nodes whose identities are to be confirmed by the administrator You can back up and restore the whitelist in the following two ways z Backing them up on the FTP server shared...

Page 798: ...eraction for a cluster To do Use the command Remarks Enter system view system view Enter cluster view cluster Configure the FTP server shared by the cluster ftp server ip address user name username pa...

Page 799: ...d by a cluster is ViewDefault and a cluster can access the ISO subtree Add a user for the SNMPv3 group shared by a cluster cluster snmp agent usm user v3 user name group name authentication mode md5 s...

Page 800: ...splay ntdp device list verbose Display the detailed NTDP information of a specified device display ntdp single device mac address mac address Display information of the cluster to which the current de...

Page 801: ...or in the cluster The LED displays S The current device is a member of the cluster Unit Steady green The LED displays c The current device is a candidate of the cluster Cluster Management Configuratio...

Page 802: ...terface gigabitethernet 1 0 1 SwitchA GigabitEthernet1 0 1 ntdp enable SwitchA GigabitEthernet1 0 1 quit Enable the cluster function SwitchA cluster enable 2 Configure the member device Switch C As th...

Page 803: ...to forward topology collection request packets on the first port as 15 ms SwitchB ntdp timer port delay 15 Configure the interval to collect topology information as 3 minutes SwitchB ntdp timer 3 Con...

Page 804: ...for the cluster abc_0 SwitchB cluster ftp server 63 172 55 1 abc_0 SwitchB cluster tftp server 63 172 55 1 abc_0 SwitchB cluster logging host 69 172 55 4 abc_0 SwitchB cluster snmp host 69 172 55 4 Ad...

Page 805: ...Configuring the Master Device of a Stack 1 3 Configuring a Private IP Address Pool for a Stack 1 3 Configuring Stack Ports 1 3 Creating a Stack 1 3 Configuring Stack Ports of a Slave Device 1 4 Loggi...

Page 806: ...stack management can help reduce customer investments and simplify network management Introduction to Stack A stack is a management domain that comprises several network devices connected to one anoth...

Page 807: ...ices as stack ports z The master device automatically adds the slave devices into the stack and assigns a number for each stack member z The administrator can log in to any slave device from the maste...

Page 808: ...the number of devices to be added to the stack Otherwise some devices may not be able to join the stack automatically for lack of private IP addresses Configuring Stack Ports On the master device con...

Page 809: ...t After a device joins a stack and becomes a slave device of the stack the prompt changes to stack_n Sysname where n is the stack number assigned by the master device and Sysname is the system name of...

Page 810: ...s Description Unit Steady green The LED displays the specific numbers The member ID of the device Stack Configuration Example Stack Configuration Example Network requirements z As shown in Figure 1 2...

Page 811: ...tethernet 1 0 52 On Switch C configure local port Ten GigabitEthernet 1 0 51 and Ten GigabitEthernet 1 0 52 as a stack port SwitchC system view SwitchC stack stack port 2 port ten gigabitethernet 1 0...

Page 812: ...1 7 Role Slave Sysname stack_3 DeviceD Device type S5810 50S MAC address 000f e200 1003...

Page 813: ...l Networking of Automatic Configuration 1 1 How Automatic Configuration Works 1 2 Work Flow of Automatic Configuration 1 2 Obtaining the IP Address of an Interface and Related Information Through DHCP...

Page 814: ...rs can save the configuration files on a specified server and the device can automatically obtain and execute the configuration files therefore greatly reducing the workload of administrators Typical...

Page 815: ...IP address and name of a TFTP server IP address of a DNS server and the configuration file name 2 After getting related parameters the device will send a TFTP request to obtain the configuration file...

Page 816: ...nformation for example the configuration file name domain name and IP address of the TFTP server and DNS server needed for obtaining the automatic configuration files that the device can obtain from t...

Page 817: ...re an IP address is statically bound to the MAC address or ID of the client and assign the statically bound IP address and other configuration parameters to the client You can configure an address all...

Page 818: ...z The configuration file specified by the Option 67 or file field in the DHCP response z The intermediate file with the file name as network cfg used to save the mapping between the IP address and th...

Page 819: ...its host name first and then requests the configuration file corresponding with the host name The device can obtain its host name in two steps obtaining the intermediate file from the TFTP server and...

Page 820: ...to the specified TFTP server if the device performs the automatic configuration and the TFTP server are not in the same segment because broadcasts can only be transmitted in a segment For the detailed...

Search results

Summary of Contents for S5810 Series

Reviews:

Related manuals for S5810 Series

Brands by name

Popular brands

H3C S5810 Series, Operation Manual

Search results

Summary of Contents for S5810 Series

Reviews:

Related manuals for S5810 Series

Brands by name

Popular brands