H3C WA Series Configuration Manual Download | Manualshive

Page: 22 / 76

background image

6-2

The following is how an AP learns a MAC address when it receives a frame from a port, Port A for
example:

1) Check the source MAC address (MAC-SOURCE for example) of the frame. Assume that frames

with the source MAC address MAC-SOURCE can be forwarded through Port A.

2) Look up the MAC address table by the MAC address for a match and do the following:

z

If an entry is found for the MAC address, update the entry.

z

If no entry is found, add an entry for the MAC address to indicate from which port the frame is
received.

When receiving a frame destined for MAC-SOURCE, the AP looks up the MAC address table and
forwards it from Port A.

To adapt to network changes, MAC address table entries need to be constantly updated. Each
dynamically learned MAC address table entry has a life time, that is, an aging timer. If an entry has not
updated when the aging timer expires, it is deleted. If it updates before the aging timer expires, the
aging timer restarts.

Manually configuring MAC address entries

With dynamic MAC address learning, the AP does not tell illegitimate frames from legitimate ones. This
brings security hazards. For example, if a hacker sends frames with a forged source MAC address to a
port different from the one where the real MAC address is connected to, the AP will create an entry for
the forged MAC address, and forward frames destined for the legal user to the hacker instead.

To enhance the security of a port, you can manually add MAC address entries into the MAC address
table of the AP to bind specific user devices to the port. Because manually configured entries have
higher priority than dynamically learned ones, you can thus prevent hackers from stealing data using
forged MAC addresses.

Types of MAC Address Table Entries

A MAC address table may contain these types of entries:

z

Static entries, which are manually configured and never age out.

z

Dynamic entries, which can be manually configured or dynamically learned and may age out.

z

Blackhole entries, which are manually configured and never age out. Blackhole entries are
configured for filtering out frames with specific source or destination MAC addresses. For example,
to block all packets destined for a specific user for security concerns, you can configure the MAC
address of this user as a blackhole destination MAC address entry.

Dynamically-learned MAC addresses cannot overwrite static or blackhole MAC address entries, but the
latter can overwrite the former.

MAC Address Table-Based Frame Forwarding

When forwarding a frame, the AP uses the following two forwarding modes based on the MAC address
table:

«
...
20
21
22
23
24
...
»

Summary of Contents for WA Series

Page 1: ...H3C WA Series WLAN Access Points Layer 2 LAN Switching Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Document Version 6W100 20100910...

Page 2: ...re Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the...

Page 3: ...A series Conventions This section describes the conventions used in this documentation set Command conventions Convention Description Boldface Bold text represents commands and keywords that you enter...

Page 4: ...uments Purposes Marketing brochures Describe product specifications and benefits Product description and specifications Technology white papers Provide an in depth description of software features and...

Page 5: ...tation on the World Wide Web at http www h3c com Click the links on the top navigation bar to obtain different categories of product documentation Technical Support Documents Technical Documents Provi...

Page 6: ...nd Null Interface Configuration 5 1 Loopback Interface 5 1 Introduction to Loopback Interface 5 1 Configuring a Loopback Interface 5 1 Null Interface 5 2 Introduction to Null Interface 5 2 Configuring...

Page 7: ...nfiguring the Mode a Port Uses to Recognize Send MSTP Packets 7 25 Enabling MSTP 7 26 Performing mCheck 7 27 Configuring Digest Snooping 7 28 Configuring No Agreement Check 7 30 Configuring Protection...

Page 8: ...ess points include the WA2200 series and WA2600 series Table 1 1 shows the applicable models and software versions Table 1 1 Applicable models and software versions Series Model Software version WA221...

Page 9: ...Not supported Supported 802 11n radio mode Not supported Supported 802 11n bandwidth mode Not supported Supported WLAN Configuration Guide 802 11n rate configuration Not supported Supported Optical E...

Page 10: ...that support the 802 11b g radio mode support this command Only APs that support the 802 11b g radio mode support this command radio type Keywords dot11an and dot11gn not supported Supported WLAN serv...

Page 11: ...hing Command Reference The maximum number of unknown unicast packets allowed on an Ethernet interface per second unicast suppression ratio pps max pps pps max pps ranges from 1 to 148810 pps max pps r...

Page 12: ...enting Layer 2 fast forwarding This document describes Layer 2 Ethernet interface attributes and configuration on the AP Configuring Basic Settings of an Ethernet Interface You can set an Ethernet int...

Page 13: ...d sending packets In this way flow control helps avoid packet drops Follow these steps to enable flow control on an Ethernet interface To do Use the command Remarks Enter system view system view Enter...

Page 14: ...ace Task Remarks Configuring Storm Suppression Optional Applicable to Layer 2 Ethernet interfaces Setting the Interface Statistics Polling Interval Optional Applicable to Layer 2 Ethernet interfaces E...

Page 15: ...terfaces Enabling Loopback Detection on an Ethernet Interface If an interface receives a packet that it sent out a loop has occurred Loops may cause broadcast storms which degrade network performance...

Page 16: ...oopback detection control on a trunk or hybrid port loopback detection control enable Optional Disabled by default z To use loopback detection on an Ethernet interface you must enable the function bot...

Page 17: ...4 6 To do Use the command Remarks Display the information about the loopback function display loopback detection Available in any view...

Page 18: ...an AP you can streamline the rule by configuring it to permit or deny packets carrying the loopback interface address identifying the AP Note that when a loopback interface is used for source address...

Page 19: ...of a static route to a specific network segment any packets routed to the network segment are dropped The null interface provides you a simpler way to filter packets than ACL In other words you can fi...

Page 20: ...s display interface loopback interface number Available in any view Display information about the null interface display interface null 0 Available in any view Clear the statistics on a loopback inter...

Page 21: ...s document covers only the configuration of static dynamic and blackhole unicast MAC address table entries Overview An AP maintains a MAC address table for frame forwarding Each entry in this table in...

Page 22: ...port different from the one where the real MAC address is connected to the AP will create an entry for the forged MAC address and forward frames destined for the legal user to the hacker instead To en...

Page 23: ...be performed in any order Configuring MAC Address Entries Usually an AP can populate its MAC address table automatically by learning the source MAC addresses of incoming frames To improve port securi...

Page 24: ...rce MAC addresses Disabling MAC address learning globally Disabling MAC address learning globally disables the learning function on all ports Follow these steps to disable MAC address learning globall...

Page 25: ...ivity for a long time all the dynamic entries in the MAC address table maintained by the AP will be deleted When it happens the AP broadcasts a large amount of data packets which may be listened to by...

Page 26: ...ciously on the network you can add a destination blackhole MAC address entry for the MAC address to drop all packets destined for the host for security sake z Set the aging timer for dynamic MAC addre...

Page 27: ...agement protocol the Spanning Tree Protocol STP eliminates Layer 2 loops by selectively blocking redundant links in a network and in the mean time allows for link redundancy Like many other protocols...

Page 28: ...e root bridge after network convergence only the root bridge generates and sends out configuration BPDUs at a certain interval and the other bridges just forward the BPDUs 2 Root port On a non root br...

Page 29: ...anning tree calculation Important fields in a configuration BPDU include z Root bridge ID consisting of the priority and MAC address of the root bridge z Root path cost the cost of the path to the roo...

Page 30: ...nfiguration BPDU of this port z If the received configuration BPDU has a higher priority than that of the configuration BPDU generated by the port the bridge replaces the content of the configuration...

Page 31: ...h the port role is to be defined and acts depending on the comparison result z If the calculated configuration BPDU is superior the bridge considers this port as the designated port and replaces the c...

Page 32: ...y change to the configuration BPDU of each port and starts sending out configuration BPDUs periodically AP1 0 0 0 AP1 AP2 0 0 0 AP2 z Port BP1 receives the configuration BPDU of Device A 0 0 0 AP1 Dev...

Page 33: ...z Then port CP2 receives the updated configuration BPDU of Device B 0 5 1 BP2 Because the received configuration BPDU is superior to its own configuration BPDU Device C launches a BPDU update process...

Page 34: ...mes faulty the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout In this case the bridge will generate a configurat...

Page 35: ...port or a port connected with a point to point link If the designated port is an edge port it can enter the forwarding state directly if the designated port is connected with a point to point link it...

Page 36: ...to instance 1 VLAN2 mapped to instance 2 Other VLANs mapped to CIST Region B0 VLAN1 mapped to instance 1 VLAN2 mapped to instance 2 Other VLANs mapped to CIST Region C0 VLAN1 mapped to instance 1 VLA...

Page 37: ...ction is the IST in the respective MST region 4 CST The CST is a single spanning tree that connects all MST regions in a switched network If you regard each MST region as a bridge the CST is a spannin...

Page 38: ...ata to the root bridge z Designated port a port responsible for forwarding data to the downstream network segment or bridge z Master port A port on the shortest path from the current region to the com...

Page 39: ...rt roles Port role right Port state below Root port master port Designated port Alternate port Backup port Forwarding Learning Discarding How MSTP works MSTP divides an entire Layer 2 network into mul...

Page 40: ...z Loop guard z TC BPDU guard z Support for hot swapping of interface cards and active standby changeover Protocols and Standards MSTP is documented in z IEEE 802 1d Spanning Tree Protocol z IEEE 802 1...

Page 41: ...ts Optional Configuring the leaf nodes Enabling MSTP Required Performing mCheck Optional Configuring Digest Snooping Optional Configuring No Agreement Check Optional Configuring Protection Functions O...

Page 42: ...nning tree calculation process which may result in network topology instability To reduce the possibility of topology instability caused by configuration MSTP will not immediately launch a new spannin...

Page 43: ...instance id root secondary Required By default the AP does not function as a secondary root bridge z After specifying the AP as the root bridge or a secondary root bridge you cannot change the priori...

Page 44: ...uring the AP as the root bridge or a secondary root bridge you cannot change the priority of the AP z During root bridge selection if all bridges in a spanning tree have the same priority the one with...

Page 45: ...network diameter you configured MSTP automatically sets an optimal hello time forward delay and max age for the bridge z The configured network diameter is effective for the CIST only and not for MST...

Page 46: ...cally the larger the network diameter is the longer the forward delay time should be Note that if the forward delay setting is too small temporary redundant paths may be introduced if the forward dela...

Page 47: ...idge is busy A spanning tree calculation that occurs in this case not only is unnecessary but also wastes the network resources In a very stable network you can avoid such unwanted spanning tree calcu...

Page 48: ...mmand Remarks Enter system view system view Enter Ethernet interface view or WLAN Mesh interface view interface interface type interface number Enter interface view or port group view Enter port group...

Page 49: ...state 802 1d 1998 802 1t Private standard 0 65535 200 000 000 200 000 10 Mbps Single Port Aggregate Link 2 Ports Aggregate Link 3 Ports Aggregate Link 4 Ports 100 100 100 100 2 000 000 1 000 000 666...

Page 50: ...the root port of a bridge If all other conditions are the same the port with the highest priority will be elected as the root port On an MSTP enabled bridge a port can have different priorities in dif...

Page 51: ...ystem view system view Enter Ethernet interface view or WLAN Mesh interface view interface interface type interface number Enter interface view or port group view Enter port group view port group manu...

Page 52: ...the MSTP packet format incompatibility guard function In MSTP mode if a port is configured to recognize send MSTP packets in a mode other than auto and receives a packet in a format different from th...

Page 53: ...TP or RSTP mode but will remain in the STP compatible mode under the following circumstances z The bridge running STP is shut down or removed z The bridge running STP migrates to the MSTP or RSTP mode...

Page 54: ...ling the Digest Snooping feature on the port connecting the local bridge to a third party device in the same MST region can make the two devices communicate with each other Before enabling digest snoo...

Page 55: ...lly to disable it on all associated ports z To avoid loops do not enable Digest Snooping on MST region edge ports z It is recommended that you enable Digest Snooping first and then MSTP To avoid traff...

Page 56: ...P the down stream bridge sends an agreement packet regardless of whether an agreement packet from the upstream bridge is received Figure 7 7 shows the rapid state transition mechanism on MSTP designat...

Page 57: ...on name revision level and VLAN to instance mappings on the two bridges thus assigning them to the same region Configuring No Agreement To make the No Agreement Check feature take effect enable it on...

Page 58: ...Under normal conditions these ports should not receive configuration BPDUs However if someone forges configuration BPDUs maliciously to attack the devices the network will become instable MSTP provid...

Page 59: ...e forwarding delay it will revert to its original state Make this configuration on a designated port Follow these steps to enable root guard To do Use the command Remarks Enter system view system view...

Page 60: ...immediate forwarding address entry flushes that the AP can perform within a certain period of time after receiving the first TC BPDU For TC BPDUs received in excess of the limit the AP performs forwar...

Page 61: ...of all MSTIs display stp root Available in any view Clear the statistics information of MSTP reset stp interface interface list Available in user view MSTP Configuration Example Network requirements C...

Page 62: ...P B Enter MST region view AP B system view AP B stp region configuration Configure the region name VLAN to instance mappings and revision level of the MST region AP B mst region region name example AP...

Page 63: ...ion revision level 0 Activate MST region configuration manually AP C mst region active region configuration AP C mst region quit Enable MSTP globally AP C stp enable View the MST region configuration...

Page 64: ...ettings z Configuring Basic Settings of a VLAN Interface z Port Based VLAN Configuration z MAC Based VLAN Configuration z VLAN Configuration Example Introduction to VLAN VLAN Overview Ethernet is a ne...

Page 65: ...3 Flexible virtual workgroup creation As users from the same workgroup can be assigned to the same VLAN regardless of their physical locations network construction and maintenance is much easier and m...

Page 66: ...the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved by the protocol a VLAN ID actually ranges from 1 to 4094 When receiving a frame a network device looks at its VLAN tag t...

Page 67: ...interfaces are virtual interfaces used for Layer 3 communication between different VLANs They do not exist as physical entities on network devices For each VLAN you can create one VLAN interface After...

Page 68: ...the default VLAN traffic passing through a trunk port will be VLAN tagged Usually ports connecting network devices are configured as trunk ports to allow members of the same VLAN to communicate with...

Page 69: ...e frame Trunk z Remove the tag and send the frame if the frame carries the default VLAN tag and the port belongs to the default VLAN z Send the frame without removing the tag if its VLAN is carried on...

Page 70: ...lan vlan id Optional By default all access ports belong to VLAN 1 Before assigning an access port to a VLAN create the VLAN first Assigning a Trunk Port to a VLAN A trunk port can carry multiple VLANs...

Page 71: ...quired Assign the hybrid port to the specified VLAN s port hybrid vlan vlan id list tagged untagged Required By default a hybrid port allows packets from only VLAN 1 to pass through untagged Configure...

Page 72: ...d VLAN applied Approaches to creating MAC address to VLAN mappings In addition to creating MAC address to VLAN mappings at the CLI you can use an authentication server to automatically issue MAC addre...

Page 73: ...display interface vlan interface vlan interface id Available in any view Display MAC address to VLAN entries display mac vlan all dynamic mac address mac address mask mac mask static vlan vlan id Ava...

Page 74: ...om VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass through AP Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Please wait Done AP Ethernet1 0 1 quit AP quit 2 Configure Device B as you configure...

Page 75: ...throttles 0 CRC 0 frame 0 overruns 0 aborts 0 ignored 0 parity errors Output total 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pauses Output normal 0 packets 0 bytes 0 broadcasts 0 multicasts 0 pau...

Page 76: ...nd Maintaining Loopback and Null Interfaces 5 3 Displaying and Maintaining MAC Address Tables 6 6 Displaying and Maintaining MSTP 7 34 Displaying and Maintaining VLAN 8 10 G General Ethernet Interface...

Reviews:

No comments

Related manuals for WA Series

Brand: Cambium Networks Pages: 196

Brand: Cambium Networks Pages: 478

Brand: Cambium Pages: 301

Brand: Cambium Networks Pages: 287

RG-MAP552(SR) series

Brand: Ruijie Networks Pages: 19

Brand: MicroNet Pages: 46

Brand: Ericsson Pages: 8

Brand: Mustek Pages: 67

Brand: TRENDnet Pages: 58

Brand: Sapido Pages: 21

Brand: Sapido Pages: 102

Brand: PHICOMM Pages: 58

Brand: Digisol Pages: 86

Brand: P2 Wireless Technologies Pages: 15

Brand: Cambium Networks Pages: 52

Brand: geetek Pages: 4

Skyr@cer WBR 254G

Brand: Topcom Pages: 104

Brand: Orbic Pages: 43

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands