HP HP 830 Series Configuration Manual Download | Manualshive

Page: 434 / 530

background image

422

Managing PKI

Overview

The Public Key Infrastructure (PKI) offers an infrastructure for securing network services through public key

technologies and digital certificates, and for verifying the identities of the digital certificate owners.
A digital certificate is a binding of certificate owner identity information and a public key. Users can

obtain certificates, use certificates, and revoke certificates. By leveraging digital certificates and relevant

services such as certificate and blacklist distribution, PKI supports authenticating the entities involved in

communication, and guarantees the confidentiality, integrity, and non-repudiation of data.

PKI terms

Digital certificate

A digital certificate is a file signed by a certificate authority (CA) that contains a public key and the
related user identity information, such as an entity name and a digital signature from the CA. Typically,

a digital certificate also includes the validity period of the key, the name of the CA and the sequence

number of the certificate. A digital certificate must comply with the international standard of ITU-T_X.509.

This document involves local certificate and CA certificate. A local certificate is a digital certificate

signed by a CA for an entity. A CA certificate, also known as a "root certificate", is signed by the CA.

Certificate revocation list

An existing certificate might need to be revoked for different situations, for example, the username

changes, the private key leaks, or the user stops the business. Revoking a certificate will remove the

binding of the public key with the user identity information. In PKI, the revocation is made through

certificate revocation lists (CRLs). When a certificate is revoked, the CA publishes one or more CRLs to
show all certificates that have been revoked. The CRLs contain the serial numbers of all revoked

certificates and provide an effective method for checking the validity of certificates.
A CA might publish multiple CRLs when the number of revoked certificates is so large that publishing

them in a single CRL might degrade network performance.

CA policy

A CA policy is a set of criteria that a CA follows when processing certificate requests, issuing and

revoking certificates, and publishing CRLs. Usually, a CA advertises its policy in the form of certification

practice statement (CPS). A CA policy can be acquired through out-of-band means such as phone, disk,

and email. Because different CAs might use different methods to examine the binding of a public key
with an entity, make sure you understand the CA policy before selecting a trusted CA for certificate

request.

PKI architecture

A PKI system consists of entities, a CA, a registration authority (RA) and a PKI repository.

«
...
432
433
434
435
436
...
»

Summary of Contents for HP 830 Series

Page 1: ...HP 830 Series PoE Unified Wired WLAN Switch Switching Engine Web Based Configuration Guide Part number 5998 3947 Software version 3308P26 Document version 6W101 20130628 ...

Page 2: ...MATERIAL INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE Hewlett Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing performance or use of this material The only warranties for HP products and services are set forth in the express warranty statements accompan...

Page 3: ... 26 Specifying management IP addresses at the CLI 26 Accessing the controller engine from the switching engine s Web interface 27 Displaying information summary 28 Displaying system information 28 Basic system information 28 System resource state 29 Recent system logs 29 Displaying device information 29 Configuring basic device settings 31 Configuring system name 31 Configuring Web idle timeout pe...

Page 4: ...5 Configuring port mirroring 59 Terminologies of port mirroring 59 Local port mirroring implementation 59 Configuration guidelines 60 Recommended configuration procedures 60 Creating a mirroring group 61 Configuring ports for a mirroring group 61 Local port mirroring configuration example 63 Network requirements 63 Creating a local port mirroring group 63 Configuring the mirroring ports 64 Configu...

Page 5: ...onfiguring an SNMP view 102 Creating an SNMP view 102 Adding rules to an SNMP view 103 Configuring an SNMP community 104 Configuring an SNMP group 105 Configuring an SNMP user 106 Configuring SNMP trap function 108 Displaying SNMP packet statistics 109 SNMPv1 v2c configuration example 110 SNMPv3 configuration example 113 Displaying interface statistics 118 Configuring VLANs 119 Overview 119 VLAN f...

Page 6: ...s entries 156 MAC address table based frame forwarding 157 Displaying and configuring MAC address entries 157 Setting the aging time of MAC address entries 159 MAC address table configuration example 160 Configuring MSTP 161 Overview 161 Why MSTP 161 STP and RSTP limitations 161 Features of MSTP 161 Basic concepts in MSTP 162 MST region 162 VLAN to MSTI mapping table 163 IST 163 CST 163 CIST 163 M...

Page 7: ...guring LLDP settings on ports 200 Setting LLDP parameters for a single port 200 Configuring LLDP settings for ports in batch 203 Configuring global LLDP setup 204 Displaying LLDP information for a port 206 Displaying global LLDP information 210 Displaying LLDP information received from LLDP neighbors 212 LLDP configuration examples 212 LLDP basic settings configuration example 212 CDP compatible L...

Page 8: ...abling DHCP 262 Creating a static address pool for the DHCP server 263 Creating a dynamic address pool for the DHCP server 264 Enabling the DHCP server on an interface 266 Displaying assigned IP addresses 266 Configuring the DHCP relay agent 267 Recommended configuration procedure 267 Enabling DHCP and configuring advanced parameters for the DHCP relay agent 267 Creating a DHCP server group 269 En...

Page 9: ...onfiguration guidelines 311 Configuration procedure 312 Configuring 802 1X globally 312 Configuring 802 1X on a port 313 Configuring an 802 1X guest VLAN 315 Configuring an Auth Fail VLAN 316 802 1X configuration example 317 ACL assignment configuration example 323 Configuring port security 332 Overview 332 Port security features 332 Port security modes 332 Configuration guidelines 334 Configurati...

Page 10: ... procedure 391 Configuring an ISP domain 391 Configuring authentication methods for the ISP domain 392 Configuring authorization methods for the ISP domain 394 Configuring accounting methods for the ISP domain 395 AAA configuration example 397 Configuring RADIUS 402 Overview 402 Client server model 402 Security and authentication mechanisms 402 Basic RADIUS message exchange process 403 RADIUS pack...

Page 11: ...47 Authorized IP configuration example 448 Network requirements 448 Configuration procedure 448 Configuring ACLs 451 Overview 451 ACL categories 451 Match order 451 ACL rule numbering 452 Implementing time based ACL rules 453 IPv4 fragments filtering with ACLs 453 Configuration guidelines 453 ACL configuration procedures 453 Configuring a time range 454 Adding an IPv4 ACL 455 Configuring a rule fo...

Page 12: ...c behavior 485 Adding a policy 488 Configuring classifier behavior associations for the policy 488 Applying a policy to a port 489 Configuring queue scheduling on a port 490 Configuring rate limit on a port 491 Configuring priority mapping tables 493 Configuring priority trust mode on a port 493 ACL and QoS configuration example 496 Network requirements 496 Configuring Switch 496 Configuring PoE 5...

Page 13: ...re 1 Web based configuration interface 1 Navigation tree 2 Body area 3 Title area Navigation tree Organizes the Web based NM functions as a navigation tree where you can select and configure functions as needed The result is displayed in the body area Body area Allows you to configure and display features Title area On the left displays the path of the current configuration interface in the naviga...

Page 14: ...form quick configuration of the device Management Summary System Information Display the system information system resource status and the recent system operation logs Monitor Device Information Display the port power supply and fan information of the device Monitor Device Device Maintena nce Reboot Reboot the device Management Electronic Label Display the electronic label of the device Monitor Di...

Page 15: ...Create a port mirroring group Configure Remove Remove a port mirroring group Configure Modify Port Configure ports for a mirroring group Configure Users Summary Display the brief information about FTP and Telnet users Monitor Super Password Configure a password for a lower level user to switch from the current access level to the management level Management Create Create an FTP or Telnet user Mana...

Page 16: ...on Monitor Configure SNMP Configure Community Display SNMP community information Monitor Create modify and delete an SNMP community Configure Group Display SNMP group information Monitor Create modify and delete an SNMP group Configure User Display SNMP user information Monitor Create modify and delete an SNMP user Configure Trap Display the status of the SNMP trap function and information about t...

Page 17: ...ed by voice VLAN Monitor OUI Add Add the address of an OUI that can be identified by voice VLAN Configure OUI Remove Remove the address of an OUI that can be identified by voice VLAN Configure MAC MAC Display MAC address information Monitor Create and remove MAC addresses Configure Setup Display and configure MAC address aging time Configure MSTP Region Display information about MST regions Monito...

Page 18: ...ection configuration information Monitor Configure ARP detection Configure IGMP Snooping Basic Display global IGMP snooping configuration information or the IGMP snooping configuration information in a VLAN and the IGMP snooping multicast entry information Monitor Configure IGMP snooping globally or in a VLAN Configure Advanced Display the IGMP snooping configuration information on a port Monitor ...

Page 19: ...d the DHCP client information Monitor Enable disable DHCP configure advanced DHCP relay agent settings configure a DHCP server group and enable disable the DHCP relay agent on an interface Configure DHCP Snooping Display the status trusted and untrusted ports and DHCP client information of DHCP snooping Monitor Enable disable DHCP snooping and configure DHCP snooping trusted and untrusted ports Co...

Page 20: ...thentication methods for an ISP domain Management Authorization Display the authorization method configuration information of an ISP domain Monitor Specify authorization methods for an ISP domain Management Accounting Display the accounting method configuration information of an ISP domain Monitor Specify accounting methods for an ISP domain Management RADIUS RADIUS Server Display and set RADIUS s...

Page 21: ...ormation Monitor Add Add a time range Configure Remove Delete a time range Configure ACL IPv4 Summary Display IPv4 ACL configuration information Monitor Add Add an IPv4 ACL Configure Basic Setup Configure a rule for a basic IPv4 ACL Configure Advanced Setup Configure a rule for an advanced IPv4 ACL Configure Link Layer Setup Create a rule for a link layer ACL Configure Remove Delete an IPv4 ACL or...

Page 22: ...Delete a QoS policy or its classifier behavior associations Configure Port Policy Summary Display the QoS policy applied to a port Monitor Setup Apply a QoS policy to a port Configure Remove Remove the QoS policy from the port Configure Priority Mapping Priority Mapping Display priority mapping table information Monitor Modify the priority mapping entries Configure Port Priority Port Priority Disp...

Page 23: ...s typically present on the configuration wizard Applies all settings you made at each step and finishes the configuration task This button is typically present on the configuration wizard Accesses a configuration page to modify settings This icon is typically present in the Operation column in a list Deletes an entry This icon is typically present in the Operation column in a list Page display The...

Page 24: ... in the text box above the list select a search item from the drop down list and click the Search button to display the entries that match the criteria Figure 3 shows an example of searching for entries with VLAN ID 1 Figure 3 Basic search function example Advanced search function As shown in Figure 2 you can click the Advanced Search link to open the advanced search page as shown in Figure 4 Spec...

Page 25: ...k specify the search criteria on the advanced search page as shown in Figure 5 and click Apply The ARP entries with interface GigabitEthernet1 0 1 are displayed Figure 5 Advanced search function example 1 2 Click the Advanced Search link specify the search criteria on the advanced search page as shown in Figure 6 and click Apply The ARP entries with interface GigabitEthernet1 0 1 and IP address ra...

Page 26: ... certain orders On a list page you can click the blue heading item of each column to sort the entries based on the heading item you selected After you click the heading item is displayed with an arrow beside it as shown in Figure 8 The upward arrow indicates the ascending order and the downward arrow indicates the descending order Figure 8 Sorting function based on IP address in the descending ord...

Page 27: ... Windows XP If you are using a Windows operating system turn off the Windows firewall The Windows firewall limits the number TCP connections When the limit is reached you cannot log in to the Web interface Web browser requirements The device supports the following Web browsers Google Chrome 2 0 174 0 or higher Microsoft Internet Explorer 6 0 SP2 or higher Mozilla Firefox 3 0 or higher If you are u...

Page 28: ...from the main menu 2 Select the Security tab and select the content zone where the target Website resides as shown in Figure 10 Figure 10 Internet Explorer settings I 3 Click Custom Level 4 In the Security Settings dialog box enable Run ActiveX controls and plug ins Script ActiveX controls marked safe for scripting and Active scripting ...

Page 29: ...plorer settings II 5 Click OK to save your settings Enabling JavaScript in a Firefox browser 1 Launch the Firefox browser and select Tools Options 2 In the Options dialog box click the Content icon and select Enable JavaScript ...

Page 30: ...og in to the Web interface while the device is performing spanning tree calculation If you click the verification code displayed on the Web login page you can get a new verification code Up to five users can concurrently log in to the device through the Web interface After logging in to the Web interface you can select Device Users from the navigation tree create a new user and select Wizard or Ne...

Page 31: ...ss bar type the IP address http 192 168 0 101 and press Enter The login page of the Web interface see Figure 13 appears b Enter the username admin password admin and the verification code and click Login Figure 13 Logging in to the Web interface Logging in from the controller engine To log in to the switching engine from the controller engine 1 Log in to the controller engine as described in Loggi...

Page 32: ...rface CAUTION You cannot log out by directly closing the browser 1 Save the current configuration Because the system does not save the current configuration automatically HP recommends that you perform this step to avoid loss of configuration 2 Click Logout in the upper right corner of the Web interface ...

Page 33: ...ameters including the system name system location contact information and management IP address Basic service setup Entering the configuration wizard homepage Select Wizard from the navigation tree Figure 15 Configuration wizard homepage Configuring system parameters 1 On the wizard homepage click Next ...

Page 34: ...the physical location of the system You can also set the physical location in the setup page you enter by selecting Device SNMP For more information see Configuring SNMP Syscontact Set the contact information for users to get in touch with the device vendor for help You can also set the contact information in the setup page you enter by selecting Device SNMP For more information see Configuring SN...

Page 35: ...e used as the management IP address to access the device Configure a VLAN interface and its IP address in the page that you enter by selecting Network VLAN Interface For more information see Configuring VLAN interfaces Admin status Shut down or bring up the VLAN interface When errors occurred to the VLAN interface you can shut down the interface and then bring it up By default the VLAN interface i...

Page 36: ...ice Configure IPv6 link local address Auto Configure how the VLAN interface obtains an IPv6 link local address Auto Select this option to have the device automatically generate a link local address based on the link local address prefix FE80 64 and the link layer address of the interface Manual Select this option to manually assign an IPv6 link local address to the interface Manual IPv6 address Sp...

Page 37: ...25 Figure 18 Configuration complete ...

Page 38: ...anagement IP addresses at the CLI Step Command Remarks 1 Log in to the controller engine See login management in HP 830 Series PoE Unified Wired WLAN Switch and HP 10500 7500 20G Unified Wired WLAN Module Fundamentals Configuration Guide N A 2 Enter system view of the controller engine system view N A 3 Specify the management IP address of the switching engine oap management ip ip address slot 0 B...

Page 39: ...eed the upper limit wait for several minutes the Web idle timeout and then log in to the Web interface again Alternatively execute the free web users all command in user view at the CLI to log off all Web users To log in to the controller engine from the switching engine click Wlan Engine on the Web interface of the switching engine and then enter the login settings Figure 19 Accessing the control...

Page 40: ...terval for refreshing the system information in the Refresh Period list If you select a certain period the system refreshes the system information at the specified interval If you select Manual the system refreshes the information only when you click the Refresh button Figure 21 System information Basic system information Table 6 Field description Field Description Device Name Display the device m...

Page 41: ... logs are generated Level Severity of the system logs Description Description for the system logs The System Information page shows up to five of the most recent system logs about the login and logout events For more system logs click More to enter the Log List page You can also enter this page by selecting Device Syslog For more information see Device Displaying device information Select Summary ...

Page 42: ...30 If you select Manual the system refreshes the information only when you click the Refresh button Figure 22 Device information ...

Page 43: ...es after the configured period Configuring system name 1 Select Device Basic from the navigation tree The page for configuring the system name appears Figure 23 Configuring the system name 2 Enter the system name 3 Click Apply Configuring Web idle timeout period 1 Select Device Basic from the navigation tree 2 Click the Web Idle Timeout tab The page for configuring idle timeout period appears Figu...

Page 44: ...ox appears 5 Click OK If you select the box to the left of Check whether the current configuration is saved in the next startup configuration file the system will check the configuration before rebooting the device If the check succeeds the system reboots the device If the check fails a dialog box appears telling you that the current configuration and the saved configuration are inconsistent and t...

Page 45: ...t information for each individual module You can generate the diagnostic information file to receive as much information as possible in one operation during daily maintenance or when system failure occurs When you perform the diagnostic information generation operation the system saves the running statistics of multiple functional modules to a file named default diag and use the file to locate pro...

Page 46: ... the generation of the diagnostic file do not perform any operation on the Web interface To view this file after the diagnostic file is generated successfully select Device File Management or download this file to the local host For more information see Managing files ...

Page 47: ...lock of other devices only after its clock has been synchronized If the clock of a server has a stratum level higher than or equal to that of a client s clock the client will not synchronize its clock to the server s The synchronization process takes some time Therefore the clock status may be unsynchronized after your configuration In this case refresh the page to view the clock status and system...

Page 48: ...te of the local host The time is not changed Select the year month date and time and then click OK 4 Click Apply on the system time configuration page to save your configuration Configuring network time 1 Select Device System Time from the navigation tree 2 Click the Net Time tab The page for configuring the network time appears Figure 31 Network time configuration page 3 Configure the network tim...

Page 49: ...cation You can set two authentication keys each of which is composed of a key ID and key string ID is the ID of a key Key string is a character string for MD5 authentication key Key 2 External Reference Source NTP Server 1 Reference Key ID Specify the IP address of an NTP server and configure the authentication key ID used for the association with the NTP server The device synchronizes its time to...

Page 50: ...ice A as the NTP server a Select Device System Time from the navigation tree b Click the Net Time tab c Enter 24 in the ID field enter aNiceKey in the Key String field for key 1 enter 1 0 1 11 in the NTP Server 1 field and enter 24 in the Reference Key ID field d Click Apply Figure 33 Configuring Device A as the NTP server of Switch B Verifying the configuration After you complete configuration th...

Page 51: ...le Monitor terminal a terminal that has logged in to the device through the AUX VTY or TTY user interface Log buffer Log host Web interface Displaying syslogs To view system logs select Device Syslog from the navigation tree On the page that appears you can click Clear to clear all system logs saved in the log buffer on the Web interface You can click Refresh to manually refresh the page or you ca...

Page 52: ...40 Figure 34 Displaying syslogs Table 10 Field description Field Description Time Date Time date when the system log was generated Source Module that generated the system log ...

Page 53: ...r condition Warning Warning condition Notification Normal but significant condition Information Informational message Debugging Debug level message Digest Brief description of the system log Description Content of the system log Setting the log host 1 Select Device Syslog from the navigation tree 2 Click the Loghost tab The log host configuration page appears Figure 35 Setting the log host 3 Confi...

Page 54: ... tree 2 Click the Log Setup tab The syslog configuration page appears Figure 36 Syslog configuration page 3 Configure the buffer capacity and refresh interval as described in Table 12 4 Click Apply Table 12 Configuration items Item Description Buffer Capacity Set the number of logs that can be stored in the log buffer Refresh Interval Set the log refresh interval You can select manual refresh or a...

Page 55: ...Configuration from the navigation tree The Backup page appears Figure 37 Backing up the configuration 2 Click the Backup button The file download dialog box appears 3 Select to view the cfg file or to save the file to the local host Restoring the configuration This module uploads the cfg file on the host of the administrator to the device for the next startup To restore the configuration 1 Select ...

Page 56: ...es not support saving the configuration of two or more consecutive users The system prompts the users to try again if one user s configuration is being saved You can save the configuration by using one of the following ways fast or common Fast Click the Save button at the upper right of the auxiliary area and you can save the configuration to the configuration file Figure 39 Saving the configurati...

Page 57: ...nfiguration file and reboots the device To initialize the configuration 1 Select Device Configuration from the navigation tree 2 Click the Initialize tab The initialization confirmation page appears 3 Click Restore Factory Default Settings to restore the factory defaults Figure 41 Initializing the configuration ...

Page 58: ...k list Two categories of information are displayed Medium Information including the used space free space and the capacity of the medium File information including all files on the medium and the file sizes Downloading a file 1 Select Device File Management from the navigation tree The page shown in Figure 42 appears 2 From the Please select disk list select the medium where the file to be downloa...

Page 59: ...vigation tree The page shown in Figure 42 appears 2 In the Upload File area select the medium for saving the file from the Please select disk list 3 Click Browse to navigate to the file to be uploaded 4 Click Apply Removing a file 1 Select Device File Management from the navigation tree The page shown in Figure 42 appears 2 Perform one of the following operations Click the icon of a file to remove...

Page 60: ...n parameters include its state rate duplex mode link type PVID MDI mode flow control settings power saving mode MAC learning limit and storm suppression ratios For an aggregate interface these operation parameters include its state and MAC learning limit Setting operation parameters for a port 1 Select Device Port Management from the navigation tree 2 Click the Setup tab The setup page appears ...

Page 61: ...Table 13 4 Click Apply Table 13 Configuration items Item Description Port State Enable or disable the port In some cases modification to the interface parameters does not take effect immediately You need to shut down and then bring up the interface to make the modification take effect ...

Page 62: ...tiated to 10 100 or 1000 Mbps Duplex Set the duplex mode of the port Auto Autonegotiation Full Full duplex Half Half duplex Link Type Set the link type of the current port hybrid or trunk For more information see Configuring VLANs IMPORTANT To change the link type of a port from trunk to hybrid or vice versa you must first set its link type to access PVID Set the default VLAN ID of the interface F...

Page 63: ... mode is recommended The other two modes are useful only when the device cannot determine the cable types When straight through cables are used the local MDI mode must be different from the remote MDI mode When crossover cables are used the local MDI mode must be the same as the remote MDI mode or the MDI mode of at least one end must be set to auto Flow Control Enable or disable flow control on t...

Page 64: ...s that can be forwarded on an Ethernet port per second When you select this option you must enter a number in the box below this option kbps Sets the maximum number of kilobits of multicast traffic that can be forwarded on an Ethernet port every second When you select this option you must enter a number in the box below this option IMPORTANT Do not configure this item if the storm constrain functi...

Page 65: ...aggregate interface Displaying port operation parameters Displaying a specified operation parameter for all ports 1 Select Device Port Management from the navigation tree The Summary page appears by default 2 Select a parameter you want to view The parameter information for all the ports is displayed in the lower part of the page Figure 44 Summary page Displaying all the operation parameters for a...

Page 66: ...Figure 45 Detail page Port management configuration example Network requirements As shown in Figure 46 the network adapters of the Server A Server B and Server C are all operating at 1000 Mbps The switch connects to the external network through GigabitEthernet 1 0 4 that is operating at 1000 Mbps To avoid congestion at the egress port GigabitEthernet 1 0 4 configure the autonegotiation rate range ...

Page 67: ... Set the rate of GigabitEthernet 1 0 4 to 1000 Mbps a Select Device Port Management from the navigation tree b Click the Setup tab c Select 1000 from the Speed list d Select 4 on the chassis front panel 4 represents port GigabitEthernet 1 0 4 e Click Apply ...

Page 68: ... range on GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 as 100 Mbps a On the Setup page select Auto 100 from the Speed list b Select 1 2 and 3 on the chassis front panel 1 2 and 3 represent ports GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 c Click Apply ...

Page 69: ...ure 48 Batch configuring port rate 3 Display the rate settings of ports a Click the Summary tab b Select Speed to display the rate information of all ports on the lower part of the page as shown in Figure 49 ...

Page 70: ...58 Figure 49 Displaying the rate settings of ports ...

Page 71: ...ing sources For example assume that Port 1 is monitoring bidirectional traffic on Port 2 and Port 3 on the same device If a packet travels from Port 2 to Port 3 two duplicates of the packet will be received on Port 1 Mirroring direction The mirroring direction indicates that the inbound outbound or bidirectional traffic can be copied on a mirroring source Inbound Copies packets received on a mirro...

Page 72: ...d For more information see Creating a mirroring group Set the mirroring group type to Local in the Type list 2 Configure mirroring ports for the mirroring group Required For more information see Configuring ports for a mirroring group The mirroring group ID is the ID of the local mirroring group that has been created in step 1 Select the port type Mirror Port You can configure multiple mirror port...

Page 73: ...group as described in Table 14 4 Click Apply Table 14 Configuration items Item Description Mirroring Group ID ID of the mirroring group to be created in the range of 1 to 5 Type Set the type of the mirroring group to be added to Local Configuring ports for a mirroring group 1 Select Device Port Mirroring from the navigation tree 2 Click the Modify Port tab The page for configuring ports for a mirr...

Page 74: ...cal mirroring group Stream Orientation Set the direction of the traffic monitored by the monitor port of the mirroring group This configuration item is available when Mirror Port is selected in the Port Type list both Mirrors both received and sent packets on mirroring ports inbound Mirrors only packets received by mirroring port outbound Mirrors only packets sent by mirroring ports Select Port s ...

Page 75: ...e following configuration on Switch C Configure GigabitEthernet 1 0 1 and GigabitEthernet1 0 2 as mirroring ports Configure GigabitEthernet 1 0 3 as a monitor port Figure 53 Network diagram Creating a local port mirroring group 1 From the navigation tree select Device Port Mirroring 2 Click the Create tab The page for creating the mirroring group appears 3 Enter 1 for Mirroring Group ID 4 Set the ...

Page 76: ...al from the Mirroring Group ID list select Mirror Port from the Port Type list select both from the Stream Orientation list select 1 GigabitEthernet 1 0 1 and 2 GigabitEthernet 1 0 2 on the chassis front panel and click Apply A configuration progress dialog box appears 3 After the success notification appears click Close ...

Page 77: ...the Modify Port tab 2 Select 1 Local from the Mirroring Group ID list select Monitor Port from the Port Type list Select 3 GigabitEthernet 1 0 3 on the chassis front panel and click Apply A configuration progress dialog box appears 3 After the success notification appears click Close ...

Page 78: ...66 Figure 56 Configuring the monitor port ...

Page 79: ...nagement level users to switch to the management level Switching to the management level from a lower level Creating a user 1 Select Device Users from the navigation tree 2 Click the Create tab The page for creating a user appears Figure 57 Creating a local user 3 Configure a local user as described in Table 16 4 Click Apply Table 16 Configuration items Item Description Username Enter a username f...

Page 80: ...for the user Confirm Password Enter the same password again Otherwise the system will prompt that the two passwords are not consistent when you apply the configuration Password Encryption Encryption algorithm for the password Reversible The device uses a reversible encryption algorithm to encrypt the password before saving it Irreversible The device uses an irreversible encryption algorithm to enc...

Page 81: ...eversible encryption algorithm to encrypt the password before saving it Irreversible The device uses an irreversible encryption algorithm to encrypt the password before saving it Switching to the management level This function allows a user to switch from the current user level to the management level To switch to the management level a user must provide the correct super password The switchover o...

Page 82: ...70 Figure 59 Switching to the management level ...

Page 83: ...pback test A loopback plug is used on the port Packets forwarded by the port will be received by itself through the loopback plug The external loopback test can be used to check whether there is a hardware failure on the port To configure a loopback test 1 Select Device Loopback from the navigation tree The page for configuring the loopback test appears Figure 60 Loopback test configuration page 2...

Page 84: ...ack test on a port that is physically down You can perform neither test on a port that is manually shut down The system does not allow Rate Duplex Cable Type and Port Status configuration on a port under a loopback test An Ethernet port operates in full duplex mode when the loopback test is performed It restores its original duplex mode after the loopback test ...

Page 85: ...atus 1 Select Device VCT from the navigation tree The page for testing cable status appears 2 Select the port you want to test on the chassis front panel 3 Click Test The test result is returned within five seconds and displayed in the Result area Figure 62 Testing the status of the cable connected to an Ethernet port The result displays the cable status and length The cable status can be normal a...

Page 86: ...c statistics appears Figure 63 Setting the traffic statistics generating interval 3 Set the traffic statistics generating interval as described in Table 18 4 Click Apply Table 18 Configuration items Item Remarks Interval for generating traffic statistics Set the interval for generating port traffic statistics Select ports Select ports from the chassis front panel to apply the interval to them Disp...

Page 87: ...75 Figure 64 Displaying port traffic statistics ...

Page 88: ...ding the traffic of this type until the type of traffic drops down below the lower threshold A port blocked by the storm constrain function can still forward other types of traffic and collect statistics for the blocked traffic Shutdown Shuts down the port The port is shut down and stops forwarding all types of traffic It cannot automatically restore even when the type of traffic drops down below ...

Page 89: ...rm constrain 1 Select Device Storm Constrain from the navigation tree The page shown in Figure 65 appears 2 In the Port Storm Constrain area click Add The page for adding port storm constrain configuration appears Figure 66 Adding storm constrain settings for ports ...

Page 90: ...torm constrain for the selected port or ports pps Specifies the storm constrain upper threshold and lower threshold in pps ratio Specifies the storm constrain upper threshold and lower threshold in percentage of received packets to the transmission capability of each selected port kbps Specifies the storm constrain upper threshold and lower threshold in kbps IMPORTANT On a port you can set the thr...

Page 91: ... this approach NMSs can obtain all RMON MIB information RMON agents embedded in network devices NMSs exchange data with RMON agents by using basic SNMP operations to gather network management information Because this approach is resource intensive most RMON agent implementations provide only four groups of MIB information alarm event history and statistics HP devices provide the embedded RMON agen...

Page 92: ...trap to notify an NMS of the event Log Trap Logs event information in the event log table and sends a trap to the NMS None No action Alarm group The RMON alarm group monitors alarm variables such as the count of incoming packets etherStatsPkts on an interface After you define an alarm entry the system gets the value of the monitored alarm variable at the specified interval If the value of the moni...

Page 93: ...you create a statistics entry on an interface the system collects various traffic statistics on the interface including network collisions CRC alignment errors undersize oversize packets broadcasts multicasts bytes received and packets received The statistics are cleared at a reboot IMPORTANT You can create only one statistics entry on one interface Table 21 Configuring a RMON history group Task R...

Page 94: ...ing log the event send a trap to the NMS take no action and log the event and send a trap to the NMS IMPORTANT You cannot create an entry if the values of the specified alarm variable sampling interval sampling type rising threshold and falling threshold are identical to those of an existing entry in the system 3 Configuring an alarm entry Required You can create up to 60 alarm entries for an alar...

Page 95: ...g records that can be displayed and the history sampling interval Displaying RMON event logs If you configure the system to log an event after the event is triggered when you configure the event group the event is recorded in the RMON log Perform this task to display the details of the log table Configuring a statistics entry 1 Select Device RMON from the navigation tree The Statistics page appear...

Page 96: ... created on one interface Owner Set the owner of the statistics entry Configuring a history entry 1 Select Device RMON from the navigation tree 2 Click the History tab The History page appears Figure 70 History page 3 Click Add The page for adding a history entry appears Figure 71 Adding a history entry 4 Configure a history entry as described in Table 25 5 Click Apply ...

Page 97: ...mber the system deletes the earliest entry to save the latest one The statistics include total number of received packets on the current interface total number of broadcast packets and total number of multicast packets in a sampling period Interval Set the sampling period Owner Set the owner of the entry Configuring an event entry 1 Select Device RMON from the navigation tree 2 Click the Event tab...

Page 98: ...ed Log The system logs the event Trap The system sends a trap in the community name of null If you select both Log and Trap the system logs the event and sends a trap If neither is selected the system takes no action Configuring an alarm entry 1 Select Device RMON from the navigation tree 2 Click the Alarm tab The Alarm page appears Figure 74 Alarm page 3 Click Add The page for adding an alarm ent...

Page 99: ... Table 28 Interface Name Set the name of the interface whose traffic statistics are collected and monitored Sample Item Interval Set the sampling interval Sample Type Set the sampling type Absolute Absolute sampling to obtain the value of the variable when the sampling time is reached Delta Delta sampling to obtain the variation value of the variable during the sampling interval when the sampling ...

Page 100: ...reshold Rising Event Set the action that the system takes when the value of the alarm variable is higher than the alarm rising threshold If you select the Create Default Event box this option is not configurable Falling Threshold Set the alarm falling threshold Falling Event Set the action that the system takes when the value of the alarm variable is lower than the alarm falling threshold If you s...

Page 101: ...IB node etherStatsMulticastPkts Number of Received Packets With CRC Check Failed Total number of packets with CRC errors received on the interface corresponding to the MIB node etherStatsCRCAlignErrors Number of Received Packets Smaller Than 64 Bytes Total number of undersize packets shorter than 64 octets received by the interface corresponding to the MIB node etherStatsUndersizePkts Number of Re...

Page 102: ...ts65to127Octets Number of Received 128 to 255 Bytes Packets Total number of received packets with 128 to 255 octets on the interface corresponding to the MIB node etherStatsPkts128to255Octets Number of Received 256 to 511 Bytes Packets Total number of received packets with 256 to 511 octets on the interface corresponding to the MIB node etherStatsPkts256to511Octets Number of Received 512 to 1023 B...

Page 103: ...ignment errors during the sampling period corresponding to the MIB node etherHistoryCRCAlignErrors UndersizePkts Number of undersize packets received during the sampling period corresponding to the MIB node etherHistoryUndersizePkts OversizePkts Number of oversize packets received during the sampling period corresponding to the MIB node etherHistoryOversizePkts Fragments Number of fragments receiv...

Page 104: ...event when the number of bytes received on the interface exceeds the configured threshold within a specific period Figure 79 Network diagram Configuration procedure 1 Configure RMON to gather statistics for GigabitEthernet 1 0 1 a Select Device RMON from the navigation tree The Statistics page appears b Click Add The page in Figure 80 appears c Select GigabitEthernet1 0 1 from the Interface Name l...

Page 105: ...tatistics for GigabitEthernet 1 0 1 a Click the icon corresponding to GigabitEthernet 1 0 1 b View this information shown in Figure 81 Figure 81 Displaying RMON statistics 3 Create an event to start logging after the event is triggered a Click the Event tab ...

Page 106: ...d bytes on GigabitEthernet 1 0 1 When the received bytes exceed the rising or falling threshold logging is enabled a Click the Alarm tab b Click Add The page in Figure 84 appears c Select Number of Received Bytes from the Static Item list select GigabitEthernet1 0 1 from the Interface Name list enter 10 in the Interval field select Delta from the Simple Type list enter 1 rmon in the Owner field en...

Page 107: ...ion about event 1 on the Web interface 1 Select Device RMON from the navigation tree 2 Click the Log tab The page that displays log information appears The information indicates that event 1 has generated one log which is triggered because the alarm value 22050 exceeds the rising threshold 1000 The sampling type is absolute Figure 85 Log information for event 1 ...

Page 108: ...an energy saving policy for the port as described in Table 30 4 Click Apply Table 30 Configuration items Item Description Time Range Set the time period when the port is in the state of energy saving IMPORTANT Up to five energy saving policies with different time ranges can be configured on a port Specify the start time and end time in units of 5 minutes such as 08 05 to 10 15 Otherwise the start ...

Page 109: ...d If you configure the lowest speed limit on a port that does not support 10 Mbps the configuration cannot take effect Shutdown Shut down the port An energy saving policy can have all the three energy saving schemes configured of which the shutdown scheme takes the highest priority ...

Page 110: ...to monitor and manage the SNMP capable devices in the network SNMP agent Works on a managed device to receive and handle requests from the NMS and send traps to the NMS when some events such as interface state change occur Management Information Base MIB Specifies the variables for example interface status and CPU usage maintained by the SNMP agent for the SNMP manager to read and set Figure 87 Re...

Page 111: ...curity model USM to secure SNMP communication You can configure authentication and privacy mechanisms to authenticate and encrypt SNMP packets for integrity authenticity and confidentiality Recommended configuration procedure SNMPv3 differs from SNMPv1 and SNMPv2c in many ways Their configuration procedures are described in separate sections Table 31 Configuring SNMPv1 or SNMPv2c Step Remarks 1 En...

Page 112: ...ugh the management of the group 4 Configuring an SNMP user Required Before creating an SNMP user you need to create the SNMP group to which the user belongs IMPORTANT After you change the local engine ID the existing SNMPv3 users become invalid and you must re create the SNMPv3 users For more information about engine ID see Enabling SNMP agent 5 Configuring SNMP trap function Optional Allows you t...

Page 113: ...D The validity of a user after it is created depends on the engine ID of the SNMP agent If the engine ID when the user is created is not identical to the current engine ID the user is invalid Maximum Packet Size Configure the maximum size of an SNMP packet that the agent can receive or send Contact Set a character string to describe contact information for system maintenance Location Set a charact...

Page 114: ...g an SNMP view Creating an SNMP view 1 Select Device SNMP from the navigation tree 2 Click the View tab The View page appears Figure 90 View page 3 Click Add The Add View window appears Figure 91 Creating an SNMP view 1 4 Enter the view name 5 Click Apply The page in Figure 92 appears ...

Page 115: ...e OID and subtree mask MIB Subtree OID Set the MIB subtree OID such as 1 4 5 3 1 or name such as system MIB subtree OID identifies the position of a node in the MIB tree and it can uniquely identify a MIB subtree Subtree Mask Set the subtree mask a hexadecimal string Its length must be an even number in the range of 2 to 32 If no subtree mask is specified the default subtree mask all Fs will be us...

Page 116: ... to the specified view on the page shown in Figure 90 and then you can enter the page to modify the view Configuring an SNMP community 1 Select Device SNMP from the navigation tree 2 Click the Community tab The page for configuring an SNMP community appears Figure 94 Configuring an SNMP community 3 Click Add The page for creating an SNMP community appears ...

Page 117: ...cess the agent Read and write The NMS can perform both read and write operations to the MIB objects when it uses this community name to access the agent View Specify the view associated with the community to limit the MIB objects that can be accessed by the NMS ACL Associate the community with a basic ACL to allow or prohibit the access to the agent from the NMS with the specified source IP addres...

Page 118: ...ead view of the SNMP group Write View Select the write view of the SNMP group If no write view is configured the NMS cannot perform the write operations to all MIB objects on the device Notify View Select the notify view of the SNMP group The notify view can send trap messages If no notify view is configured the agent does not send traps to the NMS ACL Associate a basic ACL with the group to restr...

Page 119: ...gure the SNMP user as described in Table 37 5 Click Apply Table 37 Configuration items Item Description User Name Set the SNMP user name Security Level Select the security level for the SNMP group NoAuth NoPriv No authentication no privacy Auth NoPriv Authentication without privacy Auth Priv Authentication and privacy ...

Page 120: ...irm authentication password must be the same as the authentication password Confirm Authentication Password Privacy Mode Select a privacy mode including DES56 AES128 and 3DES when the security level is Auth Priv Privacy Password Set the privacy password when the security level is Auth Priv The confirm privacy password must be the same as the privacy password Confirm Privacy Password ACL Associate ...

Page 121: ... traps on the NMS Typically such as using IMC or MIB Browser as the NMS you can use the default port number To change this parameter to another value you need to make sure that the configuration is the same as the configuration on the NMS Security Model Select the security model which is the SNMP version The model must be the same as the model running on the NMS Otherwise the NMS cannot receive an...

Page 122: ...in Figure 103 the NMS at 1 1 1 2 24 uses SNMPv1 or SNMPv2c to manage the switch agent at 1 1 1 1 24 and the switch automatically sends traps to report events to the NMS Figure 103 Network diagram Configuring the agent 1 Enable SNMP a Select Device SNMP from the navigation tree The SNMP configuration page appears ...

Page 123: ...ck the Community tab b Click Add The page for adding an SNMP community appears Figure 105 Configuring an SNMP read only community c Enter public in the Community Name field and select Read only from the Access Right list d Click Apply 3 Configure a read and write community a Click Add on the Community tab page The page for adding an SNMP community appears ...

Page 124: ...ct Read and write from the Access Right list c Click Apply 4 Enable SNMP traps a Click the Trap tab The Trap page appears Figure 107 Enabling SNMP traps b Select Enable SNMP Trap c Click Apply 5 Configure a target host SNMP traps a Click Add on the Trap page The page for adding a target host of SNMP traps appears ...

Page 125: ...figuration After the configuration an SNMP connection is established between the NMS and the agent The NMS can get and configure the values of some parameters on the agent through MIB nodes Disable or enable an idle interface on the agent and you can see the interface state change traps on the NMS SNMPv3 configuration example Network requirements As shown in Figure 109 the NMS 1 1 1 2 24 uses SNMP...

Page 126: ...SNMP agent b Select the Enable option and select the v3 option c Click Apply 2 Configure an SNMP view a Click the View tab b Click Add The page for creating an SNMP view appears Figure 111 Creating an SNMP view 1 c Enter view1 in the View Name field d Click Apply The page in Figure 112 appears e Select the Included option enter interfaces in the MIB subtree OID field and click Add ...

Page 127: ...iew 2 3 Configure an SNMP group a Click the Group tab b Click Add The page in Figure 113 appears c Enter group1 in the Group Name field select view1 from the Read View list and select view1 from the Write View list d Click Apply Figure 113 Creating an SNMP group 4 Configure an SNMP user a Click the User tab b Click Add The page in Figure 114 appears ...

Page 128: ...authkey in the Authentication Password and Confirm Authentication Password fields select DES56 from the Privacy Mode list and enter prikey in the Privacy Password and Confirm Privacy Password fields d Click Apply Figure 114 Creating an SNMP user 5 Enable SNMP traps a Click the Trap tab The Trap page appears Figure 115 Enabling SNMP traps b Select Enable SNMP Trap c Click Apply ...

Page 129: ...n the agent Otherwise you cannot perform corresponding operations To configure the NMS 1 Specify the SNMP version for the NMS as v3 2 Create an SNMP user user1 3 Enable both authentication and privacy functions 4 Use MD5 for authentication and DES56 for encryption 5 Set the authentication key to authkey and the privacy key to prikey For information about configuring the NMS see the NMS manual Veri...

Page 130: ... Number of received unicast packets InNUcastPkts Number of received non unicast packets InDiscards Number of valid packets discarded in the inbound direction InErrors Number of received invalid packets InUnknownProtos Number of received unknown protocol packets OutOctets Total octets of all packets sent through the interface OutUcastPkts Number of unicast packets sent through the interface OutNUca...

Page 131: ...ers the following benefits Confining broadcast traffic within individual VLANs This reduces bandwidth waste and improves network performance Improving LAN security By assigning user groups to different VLANs you can isolate them at Layer 2 To enable communication between VLANs routers or Layer 3 switches are required Flexible virtual workgroup creation As users from the same workgroup can be assig...

Page 132: ...fault VLAN ID The 12 bit VLAN ID field identifies the VLAN the frame belongs to The VLAN ID range is 0 to 4095 As 0 and 4095 are reserved a VLAN ID actually ranges from 1 to 4094 A network device handles an incoming frame depending on whether the frame is VLAN tagged and the value of the VLAN tag if any The Ethernet II encapsulation format is used in this section In addition to the Ethernet II enc...

Page 133: ...t will be VLAN tagged Usually ports that connect network devices are configured as trunk ports As shown in Figure 121 Device A and Device B need to transmit packets of VLAN 2 and VLAN 3 and you must configure the ports interconnecting Device A and Device B as trunk ports and assign them to VLAN 2 and VLAN 3 Hybrid port A hybrid port allows traffic of some VLANs to pass through untagged and traffic...

Page 134: ...ts of different link types handle frames Actions Access Trunk Hybrid In the inbound direction for an untagged frame Tags the frame with the PVID tag Checks whether the PVID is permitted on the port If yes tags the frame with the PVID tag If not drops the frame In the inbound direction for a tagged frame Receives the frame if its VLAN ID is the same as the PVID Drops the frame if its VLAN ID is dif...

Page 135: ...ons on the Detail Modify VLAN and Modify Port tabs 3 Modifying a VLAN Required Configure untagged members tagged members or remove members from a VLAN Recommended configuration procedure modifying the VLANs to which a port belongs Step Remarks 1 Creating VLANs Required Create one or multiple VLANs 2 Modifying ports Required Configure a port as a tagged or untagged member of a VLAN remove a port fr...

Page 136: ... whose description string is to be modified Click the ID of the VLAN to be modified in the list in the middle of the page Description Set the description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 Selecting VLANs 1 Select Network VLAN from the navigation tree The Select VLAN tab is displayed by default for you to select VLANs ...

Page 137: ...ption to display all VLANs or select the Display a subnet of all configured VLANs option to enter the VLAN IDs to be displayed 3 Click Select Modifying a VLAN 1 Select Network VLAN from the navigation tree 2 Click Modify VLAN to enter the page for modifying a VLAN ...

Page 138: ... box prompts that the configuration succeeds Table 41 Configuration items Item Description Please select a VLAN to modify Select the VLAN to be modified The VLANs available for selection are existing VLANs selected on the page for selecting VLANs Modify Description Modify the description string of the selected VLAN By default the description string of a VLAN is its VLAN ID such as VLAN 0001 ...

Page 139: ...ot A Member Removes the port from the VLAN Select ports to be modified and assigned to this VLAN Select the ports to be modified in the selected VLAN When you configure an access port as a tagged member of a VLAN the link type of the port is automatically changed into hybrid Modifying ports 1 Select Network VLAN from the navigation tree 2 Click Modify Port Figure 125 Modifying ports 3 Modify the V...

Page 140: ... A Member as the membership type When you set the VLAN IDs follow these guidelines You cannot configure an access port as an untagged member of a nonexistent VLAN When you configure an access port as a tagged member of a VLAN or configure a trunk port as an untagged member of multiple VLANs in bulk the link type of the port is automatically changed into hybrid You can configure a hybrid port as a ...

Page 141: ...Apply Figure 127 Configuring GigabitEthernet 1 0 1 as a trunk port and its PVID as 100 2 Create VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 a Select Network VLAN from the navigation tree b Click Create to enter the page for creating VLANs c Enter VLAN IDs 2 6 50 100 d Click Apply ...

Page 142: ...LAN 100 as an untagged member a Click Select VLAN to enter the page for selecting VLANs b Select the option before Display a subnet of all configured VLANs and enter 1 100 in the field c Click Select Figure 129 Setting a VLAN range d Click Modify VLAN to enter the page for modifying the ports in a VLAN ...

Page 143: ...30 Assigning GigabitEthernet 1 0 1 to VLAN 100 as an untagged member 4 Assign GigabitEthernet 1 0 1 to VLAN2 and VLAN 6 through VLAN 50 as a tagged member a Click Modify Port to enter the page for modifying the VLANs to which a port belongs b Select GigabitEthernet 1 0 1 on the chassis front device panel select the Tagged option and enter VLAN IDs 2 6 50 c Click Apply A configuration progress dial...

Page 144: ...132 Figure 131 Assigning GigabitEthernet 1 0 1 to VLAN 2 and to VLANs 6 through 50 as a tagged member Configuring Switch B Configure Switch B as you configure Switch A ...

Page 145: ...ually assigned one takes effect After the manually assigned link local address is removed the automatically generated one takes effect For an IPv6 VLAN interface whose IPv6 link local address is generated automatically after you assign an IPv6 site local address or global unicast address removing the IPv6 site local address or global unicast address also removes the generated IPv6 link local addre...

Page 146: ...Manual IPv4 Address Configure an IPv4 address for the VLAN interface This field is available after you select the Manual option Mask Length Set the subnet mask length or enter a mask in dotted decimal notation format This field is available after you select the Manual option Configure IPv6 Link Local Address Auto Configure the way in which the VLAN interface gets an IPv6 link local address Select ...

Page 147: ...modification After you change the IP address of the VLAN interface you are using to log in to the device you will be disconnected from the device You can use the changed IP address to re log in To modify a VLAN interface 1 Select Network VLAN Interface from the navigation tree 2 Click the Modify tab to enter the page for modifying a VLAN interface Figure 133 Modifying a VLAN interface 3 Modify a V...

Page 148: ...the VLAN interface according to the link local address prefix FE80 64 and the link layer address of the VLAN interface Manual Configures an IPv6 link local address for the VLAN interface manually Manual Admin Status Select Up or Down from the Admin Status list to bring up or shut down the selected VLAN interface When the VLAN interface fails shut down and then enable the VLAN interface which may r...

Page 149: ...or 1 0001 e300 0000 Siemens phone 2 0003 6b00 0000 Cisco phone 3 0004 0d00 0000 Avaya phone 4 00d0 1e00 0000 Pingtel phone 5 0060 b900 0000 Philips NEC phone 6 00e0 7500 0000 Polycom phone 7 00e0 bb00 0000 3Com phone An OUI address is usually the first 24 bits of a MAC address in binary format It is a globally unique identifier assigned to a vendor by the IEEE However OUI addresses are used by the...

Page 150: ...ice VLAN are performed manually Manual mode is suitable for scenarios where only IP phones access the network through the device and ports on the device transmit only voice traffic as shown in Figure 135 In this mode ports assigned to a voice VLAN transmit voice traffic exclusively which prevents the impact of data traffic on the transmission of voice traffic Figure 135 Only IP phones access the n...

Page 151: ...the voice VLAN to pass through untagged Security mode and normal mode of voice VLANs Depending on their inbound packet filtering mechanisms voice VLAN enabled ports operate in one of the following modes Normal mode In this mode both voice packets and non voice packets are allowed to pass through a voice VLAN enabled inbound port When receiving a voice packet the port forwards it without checking i...

Page 152: ...w these guidelines To remove a VLAN functioning as a voice VLAN disable its voice VLAN function first In automatic voice VLAN assignment mode a hybrid port can process only tagged voice traffic However the protocol based VLAN function requires hybrid ports to process untagged traffic If a VLAN is configured as the voice VLAN and a protocol based VLAN at the same time the protocol based VLAN cannot...

Page 153: ...nfigure the aging timer 2 Assigning the port to the voice VLAN Required After an access port is assigned to the voice VLAN the voice VLAN automatically becomes the default VLAN of the access port For more information see Configuring VLANs 3 Configuring the voice VLAN as the default VLAN of a hybrid or trunk port Optional This task is required if the incoming voice traffic is untagged and the link ...

Page 154: ...e voice VLANs operate in security mode Voice VLAN aging time Set the voice VLAN aging timer The voice VLAN aging timer setting only applies to a port in automatic voice VLAN assignment mode The voice VLAN aging timer starts as soon as the port is assigned to the voice VLAN If no voice packet has been received before the timer expires the port is removed from the voice VLAN Configuring voice VLAN o...

Page 155: ...e VLAN function on the port Voice VLAN ID Set the voice VLAN ID of a port when the voice VLAN port state is set to Enable Select Ports Select the port on the chassis front panel You can select multiple ports to configure them in bulk The numbers of the selected ports will be displayed in the Ports selected for voice VLAN field To set the voice VLAN assignment mode of a port to automatic you must m...

Page 156: ... on a port in automatic voice VLAN assignment mode Network requirements As shown in Figure 139 Configure VLAN 2 as the voice VLAN allowing only voice traffic to pass through The IP phone connected to hybrid port GigabitEthernet 1 0 1 sends untagged voice traffic GigabitEthernet 1 0 1 operates in automatic VLAN assignment mode Set the voice VLAN aging timer to 30 minutes Configure GigabitEthernet 1...

Page 157: ...e b Click the Create tab c Enter VLAN ID 2 d Click Create Figure 140 Creating VLAN 2 2 Configure GigabitEthernet 1 0 1 as a hybrid port a Select Device Port Management from the navigation tree b Click the Setup tab c Select Hybrid from the Link Type list d Select GigabitEthernet 1 0 1 from the chassis front panel ...

Page 158: ...et 1 0 1 as a hybrid port 3 Configure the voice VLAN function globally a Select Network Voice VLAN from the navigation tree b Click the Setup tab c Select Enable from the Voice VLAN security list d Set the voice VLAN aging timer to 30 minutes e Click Apply ...

Page 159: ...elect Enable from the Voice VLAN port state list d Enter voice VLAN ID 2 e Select GigabitEthernet 1 0 1 from the chassis front panel f Click Apply Figure 143 Configuring voice VLAN on GigabitEthernet 1 0 1 5 Add OUI addresses to the OUI list a Click the OUI Add tab b Enter OUI address 0011 2200 0000 c Select FFFF FF00 0000 from the Mask list d Enter description string test e Click Apply ...

Page 160: ...g configurations the OUI Summary tab is displayed by default as shown in Figure 145 You can view the information about the newly added OUI address Figure 145 Displaying the current OUI list of the device 2 Click the Summary tab to enter the page shown in Figure 146 You can view the current voice VLAN information ...

Page 161: ... only voice traffic The IP phone connected to hybrid port GigabitEthernet 1 0 1 sends untagged voice traffic GigabitEthernet 1 0 1 operates in manual voice VLAN assignment mode and allows voice packets whose source MAC addresses match the OUI addresses specified by OUI address 001 1 2200 0000 and mask ffff ff00 0000 to pass through The description of the OUI address entry is test Figure 147 Networ...

Page 162: ... 148 Creating VLAN 2 2 Configure GigabitEthernet 1 0 1 as a hybrid port and configure its default VLAN as VLAN 2 a Select Device Port Management from the navigation tree b Click the Setup tab c Select Hybrid from the Link Type list d Select the PVID box and enter 2 in the field e Select GigabitEthernet 1 0 1 from the chassis front panel f Click Apply ...

Page 163: ... untagged member a Select Network VLAN from the navigation tree b Click the Modify Port tab c Select GigabitEthernet 1 0 1 from the chassis front panel d Select the Untagged option e Enter VLAN ID 2 f Click Apply A configuration progress dialog box appears g After the configuration process is complete click Close ...

Page 164: ...gabitEthernet 1 0 1 a Select Network Voice VLAN from the navigation tree b Click the Port Setup tab c Select Manual from the Voice VLAN port mode list d Select Enable from the Voice VLAN port state list e Enter 2 in the VLAN IDs field f Select GigabitEthernet 1 0 1 from the chassis front panel g Click Apply ...

Page 165: ...iguring voice VLAN on GigabitEthernet 1 0 1 5 Add OUI addresses to the OUI list a Click the OUI Add tab b Enter OUI address 0011 2200 0000 c Select FFFF FF00 0000 as the mask d Enter description string test e Click Apply ...

Page 166: ...g configurations the OUI Summary tab is displayed by default as shown in Figure 153 You can view the information about the newly added OUI address Figure 153 Displaying the current OUI list of the device 2 Click the Summary tab to enter the page shown in Figure 154 You can view the current voice VLAN information ...

Page 167: ...155 Figure 154 Displaying the current voice VLAN information ...

Page 168: ... port When a frame arrives at a port Port A for example the device performs the following tasks Verifies the source MAC address for example MAC SOURCE of the frame Looks up the source MAC address in the MAC address table Updates an entry if it finds one If the device does not find an entry it adds an entry for MAC SOURCE and Port A The device performs this learning process each time it receives a ...

Page 169: ...ou configure a dynamic MAC address entry if an automatically learned MAC address entry with the same MAC address but a different outgoing port already exists the manually configured one does not take effect To adapt to network changes and prevent inactive entries from occupying table space an aging mechanism is adopted for dynamic MAC address entries Each time a dynamic MAC address entry is learne...

Page 170: ...Add in the bottom to enter the page for creating MAC address entries Figure 156 Creating a MAC address entry 3 Configure a MAC address entry 4 Click Apply Table 52 Configuration items Item Description MAC Set the MAC address to be added ...

Page 171: ...tries learned by the device Other Other types of MAC address entries VLAN ID Set the ID of the VLAN to which the MAC address belongs Port Set the port to which the MAC address belongs This port must belong to the specified VLAN Setting the aging time of MAC address entries 1 Select Network MAC from the navigation tree 2 Click the Setup tab The page for setting the MAC address entry aging time appe...

Page 172: ...Ethernet 1 0 1 in VLAN 1 Creating a static MAC address entry 1 Select Network MAC from the navigation tree By default the MAC tab is displayed 2 Click Add 3 Configure a MAC address entry a Enter MAC address 00e0 fc35 dc71 b Select static in the Type list c Select 1 in the VLAN list d Select GigabitEthernet1 0 1 in the Port list 4 Click Apply Figure 158 Creating a static MAC address entry ...

Page 173: ...s cannot be blocked based on VLAN and the packets of all VLANs are forwarded along the same spanning tree For more information about STP and RSTP see HP 830 Series PoE Unified Wired WLAN Switch Switching Engine Layer 2 Configuration Guide Features of MSTP Developed based on IEEE 802 1s MSTP overcomes the limitations of STP and RSTP In addition to the support for rapid network convergence it also a...

Page 174: ...g them These devices have the following characteristics All are MSTP enabled They have the same region name They have the same VLAN to MSTI mapping configuration They have the same MSTP revision level configuration They are physically linked with one another For example all the devices in region A0 in Figure 159 have the same MST region configuration The same region name The same VLAN to MSTI mapp...

Page 175: ...s a single spanning tree that connects all MST regions in a switched network If you regard each MST region as a device the CST is a spanning tree calculated by these devices through STP or RSTP CSTs are indicated by red lines in Figure 159 CIST Jointly constituted by ISTs and the CST the CIST is a single spanning tree that connects all devices in a switched network In Figure 159 for example the IS...

Page 176: ...olves the following port roles Root port A port responsible for forwarding data to the root bridge Designated port A port responsible for forwarding data to the downstream network segment or device Master port A port on the shortest path from the current region to the common root bridge connecting the MST region to the common root bridge If the region is seen as a node the master port is the root ...

Page 177: ...AC addresses but does not forward user traffic Discarding The port does not learn MAC addresses or forwards user traffic A port can have different port states in different MSTIs A port state is not exclusively associated with a port role Table 54 lists the port states supported by each port role indicates that the port state is available for the corresponding port role and indicates that the port ...

Page 178: ...etwork MSTI calculation Within an MST region MSTP generates different MSTIs for different VLANs based on the VLAN to MSTI mappings MSTP performs a separate calculation process which is similar to spanning tree calculation in STP RSTP for each spanning tree In MSTP a VLAN packet is forwarded along the following paths Within an MST region the packet is forwarded along the corresponding MSTI Between ...

Page 179: ...he forwarding state and the network security can be ensured Recommended MSTP configuration procedure Step Remarks 1 Configuring an MST region Optional Configure the MST region related parameters and VLAN to MSTI mappings By default the MST region related parameters adopt the default values and all VLANs in an MST region are mapped to MSTI 0 2 Configuring MSTP globally Required Enable STP globally ...

Page 180: ...Table 55 Configuration items Item Description Region Name MST region name The MST region name is the bridge MAC address of the device by default Revision Level Revision level of the MST region Manual Instance ID and VLAN ID Manually add VLAN to MSTI mappings Click Apply to add the VLAN to MSTI mapping entries to the list Modulo The device automatically maps 4094 VLANs to the corresponding MSTIs ba...

Page 181: ...gure the global MSTP configuration as described in Table 56 4 Click Apply Table 56 Configuration items Item Description Enable STP Globally Select whether to enable STP globally Other MSTP configurations take effect only after you enable STP globally BPDU Guard Select whether to enable BPDU guard BPDU guard can protect the device from malicious BPDU attacks making the network topology stable ...

Page 182: ...IST only not for MSTIs The bridge diameter cannot be configured together with the timers Timers Configure the timers Forward Delay Set the delay for the root and designated ports to transit to the forwarding state Hello Time Set the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault free Max Age Set the maximum length of time a configuratio...

Page 183: ... TC BPDU guard function you can prevent frequent flushing of forwarding address entries HP does not recommend that you disable this function tc protection threshold Set the maximum number of immediate forwarding address entry flushes the device can perform within a certain period of time after receiving the first TC BPDU Configuring MSTP on a port 1 Select Network MSTP from the navigation tree 2 C...

Page 184: ...t Specify whether the port is connected to a point to point link Auto Configure the device to automatically detect whether or not the link type of the port is point to point Force False The link type for the port is not point to point link Force True The link type for the port is point to point link If a port is configured as connecting to a point to point link the setting takes effect for the por...

Page 185: ... keeping receiving BPDUs from the upstream device a device can maintain the state of the root port and other blocked ports These BPDUs may get lost because of network congestion or unidirectional link failures The device will re elect a root port and blocked ports may transit to the forwarding state causing loops in the network The loop guard function is used to address such a problem Displaying M...

Page 186: ...c DOWN The port is down Port Protocol Indicates whether STP is enabled on the port Port Role Role of the port which can be Alternate Backup Root Designated Master or Disabled Port Priority Priority of the port Port Cost Legacy Path cost of the port The field in the bracket indicates the standard used for port path cost calculation which can be legacy dot1d 1998 or dot1t Config indicates the config...

Page 187: ...oping Indicates whether digest snooping is enabled on the port Rapid transition Indicates whether the current port rapidly transitions to the forwarding state Num of Vlans Mapped Number of VLANs mapped to the current MSTI PortTimes Major parameters for the port Hello Hello timer MaxAge Max Age timer FWDly Forward delay timer MsgAge Message Age timer Remain Hop Remaining hops BPDU Sent Statistics o...

Page 188: ...s of MSTI 1 and MSTI 2 are Switch A and Switch B respectively and the root bridge of MSTI 3 is Switch C Figure 166 Network diagram Permit next to a link in the figure is followed by the VLANs the packets of which are permitted to pass this link Configuring Switch A 1 Configure an MST region a Select Network MSTP from the navigation tree By default the Region tab is displayed b Click the Modify but...

Page 189: ...dd the VLAN to MSTI mapping entries to the VLAN to MSTI mapping list j Click Activate Figure 168 Configuring an MST region 2 Configure MSTP globally a Select Network MSTP from the navigation tree b Click the Global tab to enter the page for configuring MSTP globally c Select Enable in the Enable STP Globally list d Select MSTP in the Mode list e Select the box before Instance f Set the Instance ID...

Page 190: ...Global tab to enter the page for configuring MSTP globally c Select Enable from the Enable STP Globally list d Select MSTP from the Mode list e Select the box to the left of Instance f Set the Instance ID field to 2 g Set the Root Type field to Primary h Click Apply Configuring Switch C 1 Configure an MST region The procedure here is the same as that of configuring an MST region on Switch A 2 Conf...

Page 191: ... Type field to Primary h Click Apply Configuring Switch D 1 Configure an MST region The procedure is the same as that of configuring an MST region on Switch A 2 Configure MSTP globally a Select Network MSTP from the navigation tree b Click Global to enter the page for configuring MSTP globally c Select Enable from the Enable STP Globally list d Select MSTP from the Mode list e Click Apply Figure 1...

Page 192: ... port in an aggregation group can be in one of the following states Selected A Selected port can forward user traffic Unselected An Unselected port cannot forward user traffic The rate of an aggregate interface is the sum of the selected member ports rates The duplex mode of an aggregate interface is consistent with that of the selected member ports All selected member ports use the same duplex mo...

Page 193: ... Such configurations for example MSTP can be configured on aggregate interfaces and member ports but are not considered during operational key calculation The change of a class two configuration setting may affect the select state of link aggregation member ports and the ongoing service To prevent unconsidered change a message warning of the hazard will be displayed when you attempt to change a cl...

Page 194: ...on procedure applies Compare the system ID comprising the system LACP priority and the system MAC address of the actor with that of the partner The system with the lower LACP priority wins If they are the same compare the system MAC addresses The system with the smaller MAC address wins Compare the port IDs of the ports on the system with the smaller system ID A port ID comprises a port LACP prior...

Page 195: ...tion guidelines Follow these guidelines when you configure a link aggregation group In an aggregation group the port to be a Selected port must be the same as the reference port in port attributes and class two configurations To keep these configurations consistent you should configure the port manually Reference port Select a port as the reference port from the ports that are in up state and with...

Page 196: ... Required Create a static aggregate interface and configure member ports for the static aggregation group automatically created by the system when you create the aggregate interface By default no link aggregation group exists 2 Displaying information about an aggregate interface Optional Perform this task to view detailed information of an existing aggregation group Recommended dynamic aggregation...

Page 197: ...ed information of LACP enabled ports and the corresponding remote partner ports Creating a link aggregation group 1 Select Network Link Aggregation from the navigation tree 2 Click Create Figure 171 Creating a link aggregation group 3 Configure a link aggregation group as described in Table 61 4 Click Apply ...

Page 198: ...gned to the link aggregation group from the chassis front panel You can view the result in the Summary area at the bottom of the page Displaying information about an aggregate interface 1 Select Network Link Aggregation from the navigation tree The Summary tab is displayed by default The list on the upper part of the page displays information about all the aggregate interfaces 2 Select an aggregat...

Page 199: ...nly Selected ports can transmit and receive user data Standby Ports Number of Unselected ports in each link aggregation group Unselected ports cannot transmit or receive user data Member Port A member port of the link aggregation group corresponding to the selected aggregate interface State Select state of a member port Selected or Unselected Reason for being Unselected Reason why the state of a m...

Page 200: ...ed ports but also on LACP disabled ports System Priority Set a system LACP priority 5 In the Set global LACP parameters area set the system priority 6 Click Apply in the area Displaying information about LACP enabled ports 1 Select Network LACP from the navigation tree The Summary tab is displayed by default The upper part of the page displays a list of all LACP enabled ports on the device and inf...

Page 201: ...P priority of the port State Active state of the port If a port is Selected its state is active and the ID of the aggregation group it belongs to will be displayed Inactive Reason Reason code indicating why a port is inactive or Unselected for receiving transmitting user data For the meanings of the reason codes see the bottom of the page shown in Figure 174 Partner Port Name of the peer port ...

Page 202: ...on the link G Indicates that the receive state machine of the sending system is using the default operational partner information H Indicates that the receive state machine of the sending system is in expired state Oper Key Operational key of the local port Table 65 Field description Field Description Unit Number of the remote system Port Name of the remote port Partner ID LACP priority and MAC ad...

Page 203: ...p 1 a Enter link aggregation interface ID 1 b Select the Static LACP Disabled option for the aggregate interface type c Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the chassis front panel 4 Click Apply Figure 176 Creating static link aggregation group 1 Approach 2 Create dynamic link aggregation group 1 1 Select Network Link Aggregation from the navigation tree ...

Page 204: ...1 b Select the Dynamic LACP Enabled option for aggregate interface type c Select GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 on the chassis front panel 4 Click Apply Figure 177 Creating dynamic link aggregation group 1 ...

Page 205: ...nected devices At the same time the device stores the device information received in LLDPDUs sent from the LLDP neighbors in a standard MIB LLDP enables a network management system to quickly detect and identify Layer 2 network topology changes For more information about MIBs see Configuring SNMP Basic concepts LLDPDU formats LLDP sends device information in LLDP data units LLDPDUs LLDPDUs are enc...

Page 206: ...layer protocol It is 0xAAAA 0300 0000 88CC for LLDP Data LLDP data unit FCS Frame check sequence a 32 bit CRC value used to determine the validity of the received Ethernet frame LLDPDUs LLDP uses LLDPDUs to exchange information An LLDPDU comprises multiple TLV sequences each carrying a type of device information as shown in Figure 180 Figure 180 LLDPDU encapsulation format An LLDPDU can carry up 2...

Page 207: ...DU Port Description Specifies the port description of the sending port Optional System Name Specifies the assigned name of the sending device System Description Specifies the description of the sending device System Capabilities Identifies the primary functions of the sending device and the primary functions that have been enabled Management Address Specifies the management address used to reach h...

Page 208: ...work policy configuration and address and directory management LLDP MED TLVs satisfy the voice device vendors requirements for cost effectiveness ease of deployment and ease of management In addition LLDP MED TLVs make deploying voice devices in Ethernet easier LLDP MED TLVs are shown in Table 71 Table 71 LLDP MED TLVs Type Description LLDP MED Capabilities Allows a network device to advertise the...

Page 209: ...y connected devices both periodically and when the local configuration changes To prevent the network from being overwhelmed by LLDPDUs at times of frequent local device information change an interval is introduced between two successive LLDPDUs This interval is shortened to 1 second in either of the following cases A new neighbor is discovered A new LLDPDU is received carrying device information ...

Page 210: ...otocol for Media Endpoint Devices Configuration guidelines When you configure LLDP follow these guidelines To make LLDP take effect enable it both globally and at port level To advertise LLDP MED TLVs other than the LLDP MED capabilities TLV include the LLDP MED capabilities TLV To remove the LLDP MED capabilities TLV remove all other LLDP MED TLVs To remove the MAC PHY configuration TLV remove th...

Page 211: ...ay the local LLDP information neighbor information statistics and status information of a port where The local LLDP information refers to the TLVs to be advertised by the local device to neighbors The neighbor information refers to the TLVs received from neighbors 5 Displaying global LLDP information Optional You can display the local global LLDP information and statistics 6 Displaying LLDP inform...

Page 212: ...a single port and set LLDP parameters for multiple ports in batch Setting LLDP parameters for a single port 1 Select Network LLDP from the navigation tree By default the Port Setup tab is displayed 2 Click the icon for the port you are configuring On the page as shown in Figure 182 the LLDP settings of the port are displayed ...

Page 213: ...n items Item Description Interface Name Displays the name of the port or ports you are configuring DLDP State Displays the LLDP enabling status on the port you are configuring This field is not available when you batch configure ports Basic Settings LLDP Operating Mode Set the LLDP operating mode on the port or ports you are configuring TxRx Sends and receives LLDPDUs Tx Sends but does not receive...

Page 214: ...g sent when topology is instable tune the minimum trap transit interval on the Global Setup tab Base TLV Settings Port Description Select the box to include the port description TLV in transmitted LLDPDUs System Capabilities Select the box to include the system capabilities TLV in transmitted LLDPDUs System Description Select the box to include the system description TLV in transmitted LLDPDUs Sys...

Page 215: ...dentification TLV in transmitted LLDPDUs and set the emergency call number Address Select Address to encode the civic address information of the network connectivity device in the location identification TLV in transmitted LLDPDUs In addition set the device type which can be a DHCP server switch or LLDP MED endpoint country code and network device address When you configure the network device addr...

Page 216: ... ports as described in Table 72 5 Click Apply A progress dialog box appears 6 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds Configuring global LLDP setup 1 Select Network LLDP from the navigation tree 2 Click the Global Setup tab ...

Page 217: ... 255 seconds for CDP compatible LLDP to work properly with Cisco IP phones Fast LLDPDU Count Set the number of LLDPDUs sent each time fast LLDPDU transmission is triggered TTL Multiplier Set the TTL multiplier The TTL TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device You can configure the TTL of locally sent LLDPDUs to dete...

Page 218: ...DUs caused by frequent local configuration changes an LLDPDU transmit delay is introduced After sending an LLDPDU the port must wait for the specified interval before it can send another one LLDPDU transmit delay must be less than the TTL to make sure the LLDP neighbors can receive LLDPDUs to update information about the device you are configuring before it is aged out Tx Interval Set the LLDPDU t...

Page 219: ...ssification Port power classification of the PD Unknown Class0 Class1 Class2 Class3 Class4 Media policy type Media policy type Unknown Voice Voice signaling Guest voice Guest voice signaling Soft phone voice Videoconferencing Streaming video Video signaling PoE PSE power source Type of PSE power source advertised by the local device Primary Backup Port PSE priority PSE priority of the port Unknown...

Page 220: ...hassis ID Chassis ID depending on the chassis type which can be a MAC address of the device Port ID type Port ID type Interface alias Port component MAC address Network address Interface name Agent circuit ID Locally assigned or the local configuration Port ID Port ID value System capabilities supported Primary network function of the system Repeater Bridge Router System capabilities enabled Netwo...

Page 221: ...port the media stream capabilities and the capabilities of generic endpoint devices Class III A communication endpoint device The class III endpoint devices directly support end users of the IP communication system Providing all capabilities of generic and media endpoint devices Class III endpoint devices are used directly by end users Media policy type Media policy type Unknown Voice Voice signal...

Page 222: ... Unknown Unknown PSE priority Critical Priority level 1 High Priority level 2 Low Priority level 3 4 Click the Statistics Information tab to display the LLDP statistics Figure 187 The statistic information tab 5 Click the Status Information tab to display the LLDP status information Figure 188 The status information tab Displaying global LLDP information 1 Select Network LLDP from the navigation t...

Page 223: ...ield Description Chassis ID Local chassis ID depending on the chassis type defined System capabilities supported Primary network function advertised by the local device Repeater Bridge Router System capabilities enabled Enabled network function advertised by the local device Repeater Bridge Router ...

Page 224: ...rectly support end users of the IP communication system Providing all capabilities of generic and media endpoint devices Class III endpoint devices are used directly by end users Displaying LLDP information received from LLDP neighbors 1 Select Network LLDP from the navigation tree 2 Click the Neighbor Summary tab to display the global LLDP neighbor information as shown in Figure 190 Figure 190 Th...

Page 225: ... 2 Set the LLDP operating mode to Rx on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a Select Network LLDP from the navigation tree By default the Port Setup tab is displayed as shown in Figure 192 b Select port GigabitEthernet1 0 1 and GigabitEthernet1 0 2 c Click Modify Selected The page shown in Figure 193 appears NMS Switch A MED Switch B GE1 0 2 GE1 0 1 GE1 0 1 ...

Page 226: ...he port setup tab d Select Rx from the LLDP Operating Mode list 3 Click Apply A progress dialog box appears 4 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 227: ...lobal LLDP a Click the Global Setup tab as shown in Figure 194 b Select Enable from the LLDP Enable list 6 Click Apply A progress dialog box appears 7 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 228: ...ting mode to Tx on GigabitEthernet 1 0 1 a Select Network LLDP from the navigation tree By default the Port Setup tab is displayed b Click the icon for port GigabitEthernet1 0 1 c Select Tx from the LLDP Operating Mode list 3 Click Apply A progress dialog box appears 4 Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 229: ...log box prompts that the configuration succeeds Verifying the configuration 1 Display the status information of port GigabitEthernet1 0 1 on Switch A a Select Network LLDP from the navigation tree By default the Port Setup tab is displayed b Click the GigabitEthernet1 0 1 port name in the port list c Click the Status Information tab at the lower half of the page The output shows that port GigabitE...

Page 230: ... The output shows that port GigabitEthernet 1 0 2 is connected to a non MED neighbor device Switch B as shown in Figure 197 Figure 197 The status information tab 2 3 Tear down the link between Switch A and Switch B 4 Click Refresh to display the status information of port GigabitEthernet1 0 2 on Switch A The updated status information of port GigabitEthernet 1 0 2 shows that no neighbor device is ...

Page 231: ... VLAN and configure CDP compatible LLDP to enable the Cisco IP phones to automatically configure the voice VLAN confining their voice traffic within the voice VLAN to be separate from other types of traffic Figure 199 Network diagram Configuring Switch A 1 Create VLAN 2 a Select Network VLAN from the navigation tree b Click Create to enter the page for creating VLANs c Enter 2 in the VLAN IDs fiel...

Page 232: ... 1 0 2 as trunk ports a Select Device Port Management from the navigation tree b Click the Setup tab to enter the page for configuring ports c Select Trunk from the Link Type list d Select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel e Click Apply ...

Page 233: ...on tree b Click the Port Setup tab to enter the page for configuring the voice VLAN function on ports c Select Auto from the Voice VLAN port mode list select Enable from the Voice VLAN port state list enter the voice VLAN ID 2 and select port GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel d Click Apply ...

Page 234: ...abled the default 5 Set both the LLDP operating mode and the CDP operating mode to TxRx on ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 a Select Network LLDP from the navigation tree By default the Port Setup tab is displayed b Select port GigabitEthernet1 0 1 and GigabitEthernet1 0 2 c Click Modify Selected The page shown in Figure 204 is displayed ...

Page 235: ...t TxRx from the LLDP Operating Mode list and select TxRx from the CDP Operating Mode list e Click Apply A progress dialog box appears f Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 236: ...ility of LLDP a Click the Global Setup tab b Select Enable from the LLDP Enable list c Select Enable from the CDP Compatibility list d Click Apply A progress dialog box appears e Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 237: ...uration Display information about LLDP neighbors on Switch A after completing the configuration The output shows Switch A has discovered the Cisco IP phones attached to ports GigabitEthernet1 0 1 and GigabitEthernet1 0 2 and obtained their device information ...

Page 238: ...lue of the hardware address length field is 6 For an IPv4 address the value of the protocol address length field is 4 OP Operation code which describes type of the ARP message Value 1 represents an ARP request and value 2 represents an ARP reply Sender hardware address Hardware address of the device sending the message Sender protocol address Protocol address of the device sending the message Targ...

Page 239: ... the MAC address into the packet and sends the packet to Host B Figure 207 ARP address resolution process If Host A and Host B are on different subnets Host A sends a packet to Host B as follows 1 Host A sends an ARP request to the gateway The target IP address in the ARP request is the IP address of the gateway 2 The gateway responds with its MAC address in an ARP reply to Host A 3 Host A uses th...

Page 240: ... MAC address is the broadcast address ff ff ff ff ff ff A device sends a gratuitous ARP packet for either of the following purposes Determine whether its IP address is already used by another device If the IP address is already used the device is informed of the conflict by an ARP reply Inform other devices of the change of its MAC address Enabling learning of gratuitous ARP packets This feature e...

Page 241: ...RP entry IMPORTANT The VLAN ID must be the ID of the VLAN that has already been created and the port must belong to the VLAN The corresponding VLAN interface must have been created Port Removing ARP entries 1 Select Network ARP Management from the navigation tree to enter the default ARP Table page shown in Figure 208 2 Remove ARP entries To remove specific ARP entries select the boxes of target A...

Page 242: ...s from another network segment Enable the device to send gratuitous ARP packets upon receiving ARP requests from another network segment Disabled by default Static ARP configuration example Network Requirements As shown in Figure 21 1 hosts are connected to Switch A which is connected to Router B through interface GigabitEthernet 1 0 1 belonging to VLAN 100 The IP address of Router B is 192 168 1 ...

Page 243: ...2 Creating VLAN 100 2 Add GigabitEthernet 1 0 1 to VLAN 100 a Click the Modify Port tab b Select interface GigabitEthernet 1 0 1 in the Select Ports field c Select the Untagged option in the Select membership type field d Enter 100 for VLAN IDs e Click Apply A configuration process dialogu box appears f After the configuration process is complete click Close ...

Page 244: ...ce 100 a Select Network VLAN Interface from the navigation tree b Click the Create tab c Enter 100 for VLAN ID d Select the Configure Primary IPv4 Address box e Select the Manual option f Enter 192 168 1 2 for IPv4 Address g Type 24 or 255 255 255 0 for Mask Length h Click Apply ...

Page 245: ...nter the default ARP Table page Click Add Perform the following operations as shown in Figure 215 b Click Add c Enter 192 168 1 1 for IP Address d Enter 00e0 fc01 0000 for MAC Address e Select the Advanced Options box f Enter 100 for VLAN ID g Select GigabitEthernet1 0 1 for Port h Click Apply Figure 215 Creating a static ARP entry ...

Page 246: ...rded If the sender MAC address of the received ARP packet is an OUI MAC address the packet is considered valid 3 If no match is found the ARP packet is considered invalid and is discarded ARP packet validity check This feature does not check ARP packets received from an ARP trusted port It checks ARP packets received from ARP untrusted ports based on the following objects src mac Checks whether th...

Page 247: ...ton To remove ports from the Trusted Ports list box select one or multiple ports from the list box and click the button ARP Packet Validity Check Select ARP packet validity check modes including Discard the ARP packet whose sender MAC address is different from the source MAC address in the Ethernet header Discard the ARP packet whose target MAC address is all 0s all 1s or inconsistent with the des...

Page 248: ...t of all ports but the incoming port IGMP snooping enables a Layer 2 switch to forward multicast packets destined for a known multicast group address out of only ports that have multicast receivers This feature improves bandwidth efficiency enhances multicast security and helps per host accounting for multicast users Figure 217 Multicast forwarding before and after IGMP snooping runs Basic concept...

Page 249: ...ooping forwarding table Unless otherwise specified router ports and member ports in this document consist of dynamic and static ports Dynamic router ports include ports that receive IGMP general queries with the source IP address other than 0 0 0 0 and ports that receive PIM hello messages Aging timers for dynamic ports in IGMP snooping and related messages and actions Timer Description Message be...

Page 250: ...ng entry matches the group address the switch creates a forwarding entry for the group adds the port that received the IGMP report as a dynamic member port to the forwarding entry and starts an aging timer for the port If a forwarding entry matches the group address but the port that received the IGMP report is not in the forwarding entry for the group the switch adds the port as a dynamic member ...

Page 251: ...the following judgment for the port that received the IGMP leave message If the port assuming that it is a dynamic member port receives an IGMP report in response to the group specific query before its aging timer expires it indicates that some host attached to the port is receiving or expecting to receive multicast data for the multicast group The switch restarts the aging timer for the port If t...

Page 252: ... snooping configured on a port takes effect only after IGMP snooping is enabled in the VLAN or IGMP is enabled in the VLAN interface 4 Displaying IGMP snooping multicast table entries Optional Enabling IGMP snooping globally 1 Select Network IGMP snooping from the navigation tree 2 Click Enable for IGMP snooping 3 Click Apply Figure 219 Basic IGMP snooping configurations Configuring IGMP snooping ...

Page 253: ...messages but cannot process IGMPv3 messages which will be flooded in the VLAN IGMPv3 snooping can process IGMPv1 IGMPv2 and IGMPv3 messages IMPORTANT If you change IGMPv3 snooping to IGMPv2 snooping the system clears all IGMP snooping forwarding entries that are dynamically added Drop Unknown Enable or disable the function of dropping unknown multicast packets Unknown multicast data refers to mult...

Page 254: ...s this issue you can enable IGMP snooping querier on a Layer 2 device so that the device can generate and maintain multicast forwarding entries at the data link layer therefore providing IGMP querier functions Query interval Configure the IGMP query interval General Query Source IP Specify the source IP address of general queries Special Query Source IP Specify the source IP address of group speci...

Page 255: ...e bandwidth and resources If a port has multiple hosts attached and the function of dropping unknown multicast packets has been enabled on the switch or in the VLAN where the port resides you should not enable IGMP snooping fast leave processing on this port because other hosts attached to this port in the same multicast group cannot receive the multicast data for the group Fast Leave Enable or di...

Page 256: ...tes all multicast sources Group Address Multicast group address Router Port s All router ports Member Port s All member ports IGMP snooping configuration example Network requirements IGMPv2 runs on Router A and IGMPv2 snooping runs on Switch A Router A acts as the IGMP querier Perform the configuration so Host A can receive the multicast data addressed to the multicast group 224 1 1 1 and Switch A...

Page 257: ...net 1 1 Details not shown Configuring Switch A 1 Create VLAN 100 a From the navigation tree select Network VLAN b Click the Create tab c Enter 100 as the VLAN ID d Click Apply Figure 225 Creating VLAN 100 Source Router A Switch A Receiver Host A Host B 1 1 1 1 24 GE1 0 2 GE1 0 3 IGMP querier GE1 0 1 Eth1 1 10 1 1 1 24 Eth1 2 1 1 1 2 24 VLAN 100 ...

Page 258: ...igabitEthernet 1 0 2 and GigabitEthernet 1 0 3 in the Select Ports field c Select the Untagged option for Select membership type d Enter 100 as the VLAN ID e Click Apply Figure 226 Assigning a port to the VLAN 3 Enable IGMP snooping globally a From the navigation tree select Network IGMP snooping b Select the Enable option c Click Apply ...

Page 259: ...n for IGMP snooping c Select the 2 option for Version d Select the Enable option for Drop Unknown e Select the Enable option for Querier f Click Apply Figure 228 Enabling IGMP snooping in the VLAN 5 Enable the fast leave function on GigabitEthernet 1 0 3 a Click the Advanced tab b Select GigabitEthernet1 0 3 from the Port list c Enter VLAN ID 100 d Select the Enable option for Fast Leave e Click A...

Page 260: ...ormation about IGMP snooping multicast entries Figure 230 IGMP snooping multicast entry list 3 Click the icon corresponding to the multicast entry 0 0 0 0 224 1 1 1 to display information about this entry Figure 231 IGMP snooping multicast entry information 4 The output shows that GigabitEthernet 1 0 3 of Switch A is listening to the multicast streams destined for multicast group 224 1 1 1 ...

Page 261: ...y routing protocols Each entry in the FIB table specifies a physical interface that packets destined for a certain address should go out to reach the next hop the next router or the directly connected destination A route entry has the following items Destination IP address Destination IP address or destination network Mask IPv4 prefix length IPv6 Specifies together with the destination address the...

Page 262: ...ace the static route does not take effect When you specify the output interface note the following If NULL 0 or a loopback interface is specified as the output interface there is no need to configure the next hop address If a point to point interface is specified as the output interface you do not need to specify the next hop and there is no need to change the configuration after the peer address ...

Page 263: ...for the specified network segment are sent out of the interface Creating an IPv4 static route 1 Select Network IPv4 Routing from the navigation tree 2 Click the Create tab The page for configuring IPv4 static route appears Figure 233 Creating an IPv4 static route 3 Create an IPv4 static route as described in Table 84 4 Click Apply Table 84 Configuration items Item Description Destination IP Addres...

Page 264: ...0 the destination IP address is unreachable Displaying the IPv6 active route table Select Network IPv6 Routing from the navigation tree to enter the page Figure 234 IPv6 active route table Table 85 Field description Field Description Destination IP Address Destination IP address and prefix length of the IPv6 route Prefix Length Protocol Protocol that discovered the IPv6 route Preference Preference...

Page 265: ... value for the static route The smaller the number the higher the preference For example specifying the same preference for multiple static routes to the same destination enables load sharing on the routes while specifying different priorities for them enables route backup Next Hop Enter the next hop address in the same format as the destination IP address Interface Select the outgoing interface Y...

Page 266: ...s the next hop and the other with Switch C as the next hop 3 On Switch C configure a default route with Switch B as the next hop Configuration procedure 1 Configure a default route to Switch B on Switch A a Select Network IPv4 Routing from the navigation tree of Switch A b Click the Create tab c Enter 0 0 0 0 for Destination IP Address 0 for Mask and 1 1 4 2 for Next Hop d Click Apply ...

Page 267: ...witch C on Switch B a Select Network IPv4 Routing from the navigation tree of Switch B b Click the Create tab The page for configuring a static route appears c Enter 1 1 2 0 for Destination IP Address 24 for Mask and 1 1 4 1 for Next Hop d Click Apply Figure 238 Configuring a static route ...

Page 268: ...ble Enter the IPv4 route page of Switch A Switch B and Switch C to verify that the newly configured static routes are displayed as active routes on the pages 2 Ping Host C from Host A assuming both hosts run Windows XP C Documents and Settings Administrator ping 1 1 3 2 Pinging 1 1 3 2 with 32 bytes of data Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 Reply from 1 1 3 2 bytes 32 time 1ms TTL 128 R...

Page 269: ...itch A as the next hop and the other with Switch C as the next hop 3 On Switch C configure a default route with Switch B as the next hop Configuration procedure 1 Configure a default route to Switch B on Switch A a Select Network IPv6 Routing from the navigation tree of Switch A b Click the Create tab c Enter for Destination IP Address select 0 from the Prefix Length list and enter 4 2 for Next Ho...

Page 270: ...the Create tab The page for configuring a static route appears c Enter 1 for Destination IP Address select 64 from the Prefix Length list and enter 4 1 for Next Hop d Click Apply Figure 242 Configuring a static route e Enter 3 for Destination IP Address select 64 from the Prefix Length list and enter 5 1 for Next Hop f Click Apply 3 Configure a default route to Switch B on Switch C ...

Page 271: ...gured static routes are displayed as active routes on the pages 2 Ping Host C from Switch A SwitchA system view SwitchA ping ipv6 3 2 PING 3 2 56 data bytes press CTRL_C to break Reply from 3 2 bytes 56 Sequence 1 hop limit 254 time 63 ms Reply from 3 2 bytes 56 Sequence 2 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 3 hop limit 254 time 62 ms Reply from 3 2 bytes 56 Sequence 4 hop li...

Page 272: ...ackets cannot be forwarded even if you configure an IPv6 address on an interface To configure IPv6 services 1 Select Network IPv6 Service from the navigation tree and you are placed in the IPv6 Service tab 2 Select the Enable option for IPv6 Service to enable IPv6 services globally Figure 244 Enabling IPv6 services ...

Page 273: ...es the client server model Figure 245 shows a typical DHCP application Figure 245 A typical DHCP application DHCP snooping NOTE The DHCP snooping enabled device must be either between the DHCP client and relay agent or between the DHCP client and server It does not work if it is between the DHCP relay agent and DHCP server As a DHCP security feature DHCP snooping can implement the following Record...

Page 274: ...he same subnet make sure the address pool is on the same network segment as the interface with the DHCP server enabled Otherwise the clients fail to obtain IP addresses If a DHCP client obtains an IP address via a DHCP relay agent an IP address pool on the same network segment as the DHCP relay agent interface must be configured Otherwise the client fails to obtain an IP address Creating a dynamic...

Page 275: ... the default DHCP Server page shown in Figure 246 2 Select the Static option in the Address Pool field to view all static address pools 3 Click Add to enter the static address pool configuration page Figure 247 Creating a static address pool 4 Configure the static address pool as described in Table 87 5 Click Apply to complete the configuration ...

Page 276: ...t that wants to access an external host needs to send requests to a gateway You can specify gateways in each address pool and the DHCP server assigns gateway addresses while assigning an IP address to the client Up to eight gateways can be specified in a DHCP address pool separated by commas DNS Server Address Enter the DNS server addresses for the client To allow the client to access a host on th...

Page 277: ...Configure the address lease duration for the address pool Unlimited indicates the infinite duration days hours minutes Client Domain Name Enter the domain name suffix for the client With the suffix assigned the client only needs to enter part of a domain name and the system adds the domain name suffix for name resolution Gateway Address Enter the gateway addresses for the client DHCP clients that ...

Page 278: ... 1 Select Network DHCP from the navigation tree to enter the default DHCP Server page shown in Figure 246 2 In the Interface Configuration field click the icon next to a specific interface to enter the page shown in Figure 249 3 Select the Enable option 4 Click Apply Figure 249 Configuring a DHCP server interface Displaying assigned IP addresses 1 Select Network DHCP DHCP Server from the navigatio...

Page 279: ...n takes effect If the DHCP relay agent is enabled on an Ethernet subinterface a packet received from a client on this interface must contain a VLAN tag and the VLAN tag must be the same as the VLAN ID of the subinterface Otherwise the packet is discarded The DHCP relay agent works on interfaces with IP addresses manually configured only If an Ethernet subinterface serves as a DHCP relay agent it c...

Page 280: ...figuration field as shown in Figure 250 Figure 250 DHCP relay agent configuration page 3 Enable DHCP service and configure advanced parameters for DHCP relay agent as shown in Table 90 4 Click Apply Table 90 Configuration items Item Description DHCP Service Enable or disable global DHCP ...

Page 281: ...the DHCP relay agent simply conveys the message to the DHCP server thus it does not remove the IP address from dynamic client entries To solve this problem the periodic refresh of dynamic client entries feature is introduced With this feature the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay agent interface to periodically send a DHCP REQUEST message to the...

Page 282: ... DHCP relay agent interface 3 Configure the DHCP relay agent on the interface as shown in Table 92 4 Click Apply Table 92 Configuration items Item Description Interface Name This field displays the name of a specific interface DHCP Relay Enable or disable the DHCP relay agent on the interface If the DHCP relay agent is disabled the DHCP server is enabled on the interface Address Match Check Enable...

Page 283: ...e page as shown in Figure 254 Figure 254 Creating a static IP to MAC binding 4 Configure the static IP to MAC binding as described in Table 93 5 Click Apply Table 93 Configuration items Item Description IP Address Enter the IP address of a DHCP client MAC Address Enter the MAC address of the DHCP client Interface Name Select the Layer 3 interface connected with the DHCP client IMPORTANT The interf...

Page 284: ...o support Option 82 By default an interface is untrusted and DHCP snooping does not support Option 82 IMPORTANT You need to specify the ports connected to the authorized DHCP servers as trusted to make sure DHCP clients can obtain valid IP addresses The trusted port and the port connected to the DHCP client must be in the same VLAN Displaying clients IP to MAC bindings Optional Display clients IP ...

Page 285: ...HCP snooping functions on an interface 1 Select Network DHCP from the navigation tree 2 Click the DHCP Snooping tab to enter the page shown in Figure 255 3 Click the icon of a specific interface in the Interface Config field to enter the page shown in Figure 256 ...

Page 286: ...egy Select the handling strategy for DHCP requests containing Option 82 The strategies include Drop The message is discarded if it contains Option 82 Keep The message is forwarded without its Option 82 being changed Replace The message is forwarded after its original Option 82 is replaced with the Option 82 padded in normal format Displaying clients IP to MAC bindings 1 Select Network DHCP from th...

Page 287: ...ess DHCP server configuration examples DHCP networking involves two types The DHCP server and clients are on the same subnet The DHCP server and clients are not on the same subnet and communicate with each other via a DHCP relay agent The DHCP server configuration for the two types is the same Static IP address assignment configuration example Network requirements As shown in Figure 258 configure ...

Page 288: ...wn in Figure 260 the Static option is selected by default b Enter static pool for IP Pool Name c Enter 10 1 1 5 for IP Address d Enter 255 255 255 128 for Mask e Enter 000f e200 0002 for Client MAC Address f Enter 10 1 1 126 for Gateway Address g Enter 10 1 1 2 for DNS Server Address h Click Apply ...

Page 289: ... 1 1 0 24 which is subnetted into 10 1 1 0 25 and 10 1 1 128 25 The IP addresses of VLAN interface 1 and VLAN interface 9 on Switch A are 10 1 1 1 25 and 10 1 1 129 25 respectively In subnet 10 1 1 0 25 configure the address lease duration as ten days and twelve hours domain name suffix aabbcc com DNS server address 10 1 1 2 25 WINS server address 10 1 1 4 25 and gateway address 10 1 1 126 25 In t...

Page 290: ...etwork diagram Configuring Switch A 1 Enable DHCP a Select Network DHCP DHCP Server from the navigation tree to enter the DHCP Server page b Select the Enable option in the DHCP Service field Figure 263 Enabling DHCP 2 Configure the dynamic DHCP address named pool0 WINS server 10 1 1 4 25 Client Switch B Client DNS server 10 1 1 2 25 Switch A DHCP server Vlan int9 10 1 1 129 25 Vlan int1 10 1 1 1 ...

Page 291: ...10 1 1 2 for DNS Server Address h Click Apply Figure 264 Configuring common attributes for pool0 3 Configure the dynamic DHCP address pool named pool1 a Click Add to enter the page as shown in Figure 265 b Enter pool1 for IP Pool Name c Enter 10 1 1 0 for IP Address d Enter 255 255 255 128 for Mask e Enter 10 days 12 hours 0 minutes 0 seconds for Lease Duration f Enter 10 1 1 126 for Gateway Addre...

Page 292: ...d pool2 a Click Add to perform the following configurations as shown in Figure 266 b Enter pool2 for IP Pool Name c Enter 10 1 1 128 for IP Address d Enter 255 255 255 128 for Mask e Enter 5 days 0 hours 0 minutes 0 seconds for Lease Duration f Enter 10 1 1 254 for Gateway Address g Click Apply ...

Page 293: ...dress of VLAN interface 1 is 10 10 1 1 24 and the IP address of VLAN interface 2 is 10 1 1 1 24 VLAN interface 2 is connected to the DHCP server whose IP address is 10 1 1 1 24 The switch forwards messages between DHCP clients and the DHCP server Figure 267 Network diagram Configuration procedure 1 Enable DHCP DHCP server Switch A DHCP relay agent DHCP client DHCP client DHCP client DHCP client Vl...

Page 294: ...t Enable for DHCP Service as shown in Figure 268 c Click Apply Figure 268 Enabling DHCP 2 Configure a DHCP server group a In the Server Group field click Add b Enter 1 for Server Group ID and enter 10 1 1 1 for IP Address as shown in Figure 269 c Click Apply Figure 269 Adding a DHCP server group ...

Page 295: ...figuration example Network requirements As shown in Figure 271 a DHCP snooping device Switch B is connected to a DHCP server through GigabitEthernet 1 0 1 and to DHCP clients through GigabitEthernet 1 0 2 and GigabitEthernet 1 0 3 Enable DHCP snooping on Switch B and configure DHCP snooping to support Option 82 Configure the handling strategy for DHCP requests containing Option 82 as replace Enabl...

Page 296: ...tab c Select the Enable option next to DHCP Snooping to enable DHCP snooping Figure 272 Enabling DHCP snooping 2 Configure DHCP snooping functions on GigabitEthernet 1 0 1 a Click the icon of GigabitEthernet 1 0 1 on the interface list b Select the Trust option next to Interface State as shown in Figure 273 c Click Apply ...

Page 297: ... 82 Support d Select Replace for Option 82 Strategy e Click Apply Figure 274 Configuring DHCP snooping functions on GigabitEthernet 1 0 2 4 Configure DHCP snooping functions on GigabitEthernet 1 0 3 a Click the icon of GigabitEthernet 1 0 3 on the interface list b Select the Untrust option for Interface State as shown in Figure 275 c Select the Enable option next to Option 82 Support d Select Repl...

Page 298: ... can serve as the SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a user to login from the device to a remote device for secure file transfer HTTP service HTTP is used for transferring webpage information across the Internet It is an application layer protocol in the TCP IP protocol suite Y...

Page 299: ...P service with an ACL Only the clients that pass the ACL filtering are permitted to use the FTP service You can view this configuration item by clicking the expanding button in front of FTP Telnet Enable Telnet service Enable or disable the Telnet service The Telnet service is disabled by default SSH Enable SSH service Enable or disable the SSH service The SSH service is disabled by default SFTP E...

Page 300: ... service Enable or disable the HTTPS service The HTTPS service is disabled by default Port Number Set the port number for HTTPS service You can view this configuration item by clicking the expanding button in front of HTTPS IMPORTANT When you modify a port make sure the port is not used by any other service ACL Associate the HTTPS service with an ACL Only the clients that pass the ACL filtering ar...

Page 301: ...oute By using the traceroute facility you can display the Layer 3 devices involved in delivering a packet from source to destination This function is useful for identification of failed nodes You can traceroute the IP address or the host name of the destination device If the target host name cannot be resolved a prompt appears A traceroute operation involves the following steps 1 The source device...

Page 302: ...ee The IPv4 Ping tab appears Figure 277 Ping configuration page 2 Type the IP address or the host name of the destination device in the Destination IP address or host name field 3 Click Start 4 View the result in the Summary area Figure 278 Ping operation result ...

Page 303: ... the sending of ICMP timeout packets and execute the ip unreachables enable command on the destination device to enable the sending of ICMP destination unreachable packets To perform a traceroute operation 1 Select Network Diagnostic Tools from the navigation tree 2 Click the IPv4 Traceroute tab Figure 279 Traceroute configuration page 3 Type the IP address or host name of the destination device i...

Page 304: ...292 Figure 280 Traceroute operation result ...

Page 305: ... device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for an insecure environment One shared user account for all users A single username and password are used for all MAC authentication users on the access device The username and password are not required to be a MAC address This policy is suitable for a secure envi...

Page 306: ...d by the authentication server restores If the authentication server assigns no VLAN the initial default VLAN applies A hybrid port is always assigned to a server assigned VLAN as an untagged member After the assignment do not reconfigure the port as a tagged member in the VLAN If MAC based VLAN is enabled on a hybrid port the device maps the server assigned VLAN to the MAC address of the user The...

Page 307: ...sername and password for each account is the same as the MAC address of the MAC authentication users Configuration procedure Step Remarks 1 Configuring MAC authentication globally Required Enable MAC authentication globally and configure the advanced parameters By default MAC authentication is disabled globally 2 Configuring MAC authentication on a port Required Enable MAC authentication on a port...

Page 308: ...or traffic from a user before it regards the user idle Quiet Time Set the interval for the device to wait before it can perform MAC authentication for a user who has failed MAC authentication Server Timeout Time Set the interval for the device to wait for a response from a RADIUS server before it considers the RADIUS server to be unavailable Authentication ISP Domain Specify the ISP domain for MAC...

Page 309: ...ntication on a port 3 Configure MAC authentication for a port as described in Table 98 4 Click Apply Table 98 Configuration items Item Description Port Select a port on which you want to enable MAC authentication Enable MAC VLAN Select the box to enable MAC based VLAN on the port IMPORTANT You can enable MAC authentication only on hybrid ports Auth Fail VLAN Specify an existing VLAN as the MAC aut...

Page 310: ... addresses are hyphenated and in lower case The access device detects whether a user has gone offline every 180 seconds When a user fails authentication the device does not authenticate the user within 180 seconds Figure 283 Network diagram Configuring a local user Add a local user setting the username and password as 00 e0 fc 12 34 56 the MAC address of the user and the service type to LAN access...

Page 311: ...he ISP domain aabbcc net the LAN access AuthN box and Local from the list Figure 285 Configuring the authentication method for the ISP domain 6 Click Apply A configuration progress dialog box appears as shown in Figure 286 7 After the configuration process is complete click Close ...

Page 312: ...ct the Enable MAC Authentication box 3 Click Advanced to configure advanced MAC authentication settings a Set the offline detection period to 180 seconds set the quiet timer to 180 seconds and select aabbcc net from the Authentication ISP Domain list b Select the MAC with hyphen option as the authentication information format 4 Click Apply Figure 287 Configuring MAC authentication globally ...

Page 313: ...m MAC authentication on port GigabitEthernet 1 0 1 to control Internet access Make sure an authenticated user can access the Internet but not the FTP server at 10 0 0 1 Use MAC based user accounts for MAC authentication users The MAC addresses are not hyphenated Figure 289 Network diagram Configuration prerequisites Make sure the RADIUS server and the switch can reach each other On the RADIUS serv...

Page 314: ...nting Server from the Server Type list enter 10 1 1 2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box and select active from the Primary Server Status list 5 Click Apply Figure 291 Configuring a RADIUS accounting server 6 Click the RADIUS Setup tab 7 Select extended from the Server Type list select the Authentication Server Shared Key and Accounting Server Shared Key optio...

Page 315: ...303 Figure 292 Configuring RADIUS parameters Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup tab appears 2 Enter test in the Domain Name field 3 Click Apply ...

Page 316: ...on tab 5 Select the ISP domain test the Default AuthN box authentication method RADIUS and authentication scheme system from the Name list Figure 294 Configuring the authentication method for the ISP domain 6 Click Apply A configuration progress dialog box appears ...

Page 317: ...ode RADIUS and authorization scheme system from the Name list Figure 296 Configuring the authorization method for the ISP domain 10 Click Apply A configuration progress dialog box appears 11 After the configuration process is complete click Close 12 Click the Accounting tab 13 Select the ISP domain test the Default Accounting box accounting method RADIUS and accounting scheme system from the Name ...

Page 318: ...ration process is complete click Close Configuring an ACL 1 From the navigation tree select QoS ACL IPv4 The Create tab appears 2 Enter the ACL number 3000 3 Click Apply Figure 298 Creating ACL 3000 4 Click the Advanced Setup tab to configure an ACL rule a Select the ACL 3000 select the Rule ID box and enter the rule ID 0 b Select the action Deny ...

Page 319: ...0 0 0 0 d Click Add Figure 299 Configuring an ACL rule Configuring MAC authentication 1 From the navigation tree select Authentication MAC Authentication 2 Select the Enable MAC Authentication box 3 Click Advanced 4 Select the authentication ISP domain test and authentication information format MAC without hyphen and click Apply ...

Page 320: ...click Apply Figure 301 Enabling MAC authentication for port GigabitEthernet 1 0 1 Verifying the configuration After the host passes the authentication ping the FTP server from the host to see whether ACL 3000 assigned by the authentication server takes effect C ping 10 0 0 1 Pinging 10 0 0 1 with 32 bytes of data Request timed out Request timed out Request timed out ...

Page 321: ...309 Request timed out Ping statistics for 10 0 0 1 Packets Sent 4 Received 0 Lost 4 100 loss ...

Page 322: ...eeking access to the LAN It must have 802 1X software to authenticate to the network access device Network access device Authenticates the client to control access to the LAN In a typical 802 1X environment the network access device uses an authentication server to perform authentication Authentication server Provides authentication services for the network access device The authentication server ...

Page 323: ...response after sending the maximum number of handshake requests it considers that the client has logged off For information about how to enable the online user handshake function see Configuring 802 1X on a port Quiet timer Starts when the access device sends a RADIUS Access Request packet to the authentication server If the server does not receive a response when this timer expires the access dev...

Page 324: ...ion 802 1X Figure 303 802 1X global configuration 2 In the 802 1X Configuration area select the Enable 802 1X box 3 Select an authentication method CHAP Sets the access device to perform EAP termination and use the CHAP to communicate with the RADIUS server PAP Sets the access device to perform EAP termination and use the PAP to communicate with the RADIUS server EAP Sets the access device to rela...

Page 325: ...equest attempts The network access device retransmits an authentication request if it does not receive a response to the request it has sent to the client within a period of time set by the TX Period or the Supplicant Timeout Time value The network access device stops retransmitting the request if it has made the maximum number of request transmission attempts but has not received a response TX Pe...

Page 326: ... To use both 802 1X and portal authentication on a port you must select MAC Based Port Authorization Select a port authorization state for 802 1X Options include Auto Places the port initially in the unauthorized state to allow only EAPOL packets to pass After a user passes authentication this option sets the port in the authorized state to allow access to the network Force Authorized Places the p...

Page 327: ...he access device and enables periodic online user re authentication even if the function is not configured Support for the server assignment of re authentication timer and the re authentication timer configuration on the server vary with server models The VLAN assignment status must be consistent before and after re authentication If the authentication server has assigned a VLAN before re authenti...

Page 328: ...2 1X Auth Fail VLAN has a high priority Port intrusion protection on a port that performs MAC based access control The 802 1X guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature Configuring an Auth Fail VLAN Configuration prerequisites Create the VLAN to be specified as the 802 1X Auth Fail VLA...

Page 329: ... and secondary accounting servers and the host at 10 1 1 2 as the secondary authentication and primary accounting servers Assign all users to the ISP domain test Configure the shared key as name for packets between the access device and the authentication server and the shared key as money for packets between the access device and the accounting server Exclude the ISP domain name from the username...

Page 330: ...1 Configuring a RADIUS scheme 1 From the navigation tree select Authentication RADIUS The RADIUS Server tab appears 2 Select Authentication Server from the Server Type list enter 10 1 1 1 in the Primary Server IP box and 1812 in the Primary Server UDP Port box select active from the Primary Server Status list enter 10 1 1 2 in the Secondary Server IP box and 1812 in the Secondary Server UDP Port b...

Page 331: ...r IP box and 1813 in the Secondary Server UDP Port box and select active from the Secondary Server Status list 5 Click Apply Figure 310 Configuring RADIUS accounting servers 6 Click the RADIUS Setup tab 7 Select standard from the Server Type list select the Authentication Server Shared Key and Accounting Server Shared Key options and enter abc in the four shared key boxes 5 as the server timeout t...

Page 332: ...guring RADIUS parameters Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup tab appears 2 Enter test in the Domain Name field and select Enable from the Default Domain list 3 Click Apply ...

Page 333: ...on tab 5 Select the ISP domain test the Default AuthN box authentication method RADIUS and authentication scheme system from the Name list Figure 313 Configuring the authentication method for the ISP domain 6 Click Apply A configuration progress dialog box appears ...

Page 334: ...thod RADIUS and authorization scheme system from the Name list Figure 315 Configuring the authorization method for the ISP domain 10 Click Apply A configuration progress dialog box appears 11 After the configuration process is complete click Close 12 Click the Accounting tab 13 Select the domain name test the Default Accounting box accounting method RADIUS and accounting scheme system from the Nam...

Page 335: ...rt Use the RADIUS server at 10 1 1 1 as the authentication and authorization server and the RADIUS server at 10 1 1 2 as the accounting server Assign an ACL to GigabitEthernet 1 0 1 to deny the access of 802 1X users to the FTP server at 10 0 0 1 24 Figure 317 Network diagram Configuration prerequisites Configure the IP addresses of the interfaces Details not shown Configuring a RADIUS scheme 1 Fr...

Page 336: ...tab select Accounting Server from the Server Type list enter 10 1 1 2 in the Primary Server IP box and 1813 in the Primary Server UDP Port box and select active from the Primary Server Status list 5 Click Apply Figure 319 Configuring a RADIUS accounting server 6 Click the RADIUS Setup tab 7 Select extended from the Server Type list select the Authentication Server Shared Key and Accounting Server ...

Page 337: ...guring RADIUS parameters Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup tab appears 2 Enter test in the Domain Name field and select Enable from the Default Domain list 3 Click Apply ...

Page 338: ...on tab 5 Select the ISP domain test the Default AuthN box authentication method RADIUS and authentication scheme system from the Name list Figure 322 Configuring the authentication method for the ISP domain 6 After the configuration process is complete click Close ...

Page 339: ...Figure 324 Configuring the AAA authorization method for the ISP domain 9 Click Apply A configuration progress dialog box appears 10 After the configuration process is complete click Close 11 Click the Accounting tab 12 Select the domain name test the Accounting Optional box Enable from the Accounting Optional list Default Accounting box accounting method RADIUS and accounting scheme system from th...

Page 340: ... select QoS ACL IPv4 2 Click the Create tab enter the ACL number 3000 and click Apply Figure 326 Creating ACL 3000 3 Click the Advanced Setup tab to configure an ACL rule a Select 3000 from the ACL list b Select the Rule ID box enter the rule ID 0 and select the action Deny c In the IP Address Filter area select the Destination IP Address box enter 10 0 0 1 in the field and enter 0 0 0 0 in the De...

Page 341: ...329 Figure 327 ACL rule configuration Configuring 802 1X 1 From the navigation tree select Authentication 802 1X 2 Select the Enable 802 1X box 3 Select the authentication method CHAP 4 Click Apply ...

Page 342: ...329 802 1X configuration of GigabitEthernet 1 0 1 Verifying the configuration After the user passes authentication and is online use the ping command to test whether ACL 3000 takes effect 1 From the navigation tree select Network Diagnostic Tools The IPv4 Ping page appears 2 Enter the destination IP address 10 0 0 1 3 Click Start to start the ping operation ...

Page 343: ...331 Figure 330 Ping operation summary ...

Page 344: ...on rather than port security For more information about 802 1X and MAC authentication see Configuring 802 1X and Configuring MAC authentication Port security features Outbound restriction The outbound restriction feature prevents traffic interception by checking the destination MAC addresses in outbound frames The feature guarantees that frames are sent only to devices that have passed authenticat...

Page 345: ... a time However in 802 1X MAC Based Or OUI mode The port also permits frames from a wired terminal whose MAC address contains a specified OUI For frames from a wireless user the port first performs OUI check If the OUI check fails the port performs 802 1X authentication MAC Auth Or 802 1X Single Host This mode is a combination of the 802 1X Single Host and MAC Auth modes 802 1X authentication has ...

Page 346: ...lost if they are saved before the device restarts One secure MAC address can be added to only one port in the same VLAN You can bind a MAC address to one port in the same VLAN Secure MAC addresses can be learned by a port in basic port security mode or manually configured in the Web interface When the maximum number of secure MAC addresses is reached no more can be added The port allows only packe...

Page 347: ...ne user whose MAC address contains a specified OUI to pass authentication at the same time By default no OUI values are configured Configuring global settings for port security 1 From the navigation tree select Authentication Port Security Figure 331 Port security configuration page 2 In the Port Security Configuration area click Advanced Figure 332 Port security configuration 3 Configure global p...

Page 348: ...c port security control 1 From the navigation tree select Authentication Port Security The Security Ports And Secure MAC Address List area in Figure 333 displays the port security control settings Figure 333 Security Ports And Secure MAC Address List area 2 Click Add Figure 334 Configuring basic port security control 3 Configure basic port security control settings as described in Table 105 4 Clic...

Page 349: ... come up unless you manually bring it up Block MAC Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames All subsequent frames sourced from a blocked MAC address will be dropped A blocked MAC address is restored to normal state after being blocked for 3 minutes The interval is fixed and cannot be changed Enable Outbound Restriction Select the box...

Page 350: ...ecure MAC address is configured Secure MAC Address Enter the MAC address that you want to configure as a secure MAC address VLAN ID Enter the ID of the VLAN in which the secure MAC address is configured The VLAN must already exist on the selected port Configuring advanced port security control 1 From the navigation tree select Authentication Port Security 2 In the Advanced Port Security Configurat...

Page 351: ...rotection and select an action to be taken upon detection of illegal frames Available actions include Disable Port Temporarily Disables the port for a period of time The period can be configured in the global settings For more information see Configuring global settings for port security Disable Port Permanently Disables the port permanently upon detecting an illegal frame received on the port The...

Page 352: ... authentication server to the device after an 802 1X user or MAC authenticated user passes authentication Configuring permitted OUIs 1 From the navigation tree select Authentication Port Security 2 In the Advanced Port Security Configuration area click Permitted OUIs Figure 339 Permitted OUIs 3 Enter the 48 bit MAC address in the format of H H H in the OUI Value box and click Add The system automa...

Page 353: ...fy the system to disable the port temporarily for 30 seconds d Select the Intrusion box e Click Apply Figure 341 Configuring port security Configuring the basic port security control 1 In the Security Ports And Secure MAC Address List area click Add The Apply Port Security Control page appears 2 Select GigabitEthernet1 0 1 3 Enter 3 as the maximum number of MAC addresses 4 Select the Enable Intrus...

Page 354: ... Security MAC Address List area displays the learned secure MAC addresses as shown in Figure 343 When the maximum number of MAC addresses is reached intrusion protection is triggered Figure 343 Secure MAC address list 2 Select Device Port Management in the navigation tree and then click the Detail tab On the Detail tab select port GigabitEthernet 1 0 1 to view its details Figure 344 shows that the...

Page 355: ... seconds and reselect GigabitEthernet 1 0 1 to view its latest data Figure 345 shows that the port state is active Figure 345 Port management port active If you remove MAC addresses from the secure MAC address list the port will still continue to learn new MAC addresses ...

Page 356: ... accounting methods of ISP domain system The switch sends usernames without domain names to the RADIUS server Configure port GigabitEthernet 1 0 1 of the switch to Allow only one 802 1X user to be authenticated Allow up to three OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802 1X user Figure 346 Network diagram Configuratio...

Page 357: ...he Primary Server Status list 5 Click Apply Figure 348 Configuring a RADIUS accounting server 6 Click the RADIUS Setup tab 7 Select extended from the Server Type list select Authentication Server Shared Key enter name in the field and the Confirm Authentication Shared Key field select Accounting Server Shared Key enter money in the field and the Confirm Accounting Shared Key field and select witho...

Page 358: ...avigation tree select Authentication AAA 2 Click the Authentication tab 3 Select the ISP domain system the Default AuthN box authentication method RADIUS from the list and authentication scheme system from the Name list Figure 350 Configuring AAA authentication 4 Click Apply ...

Page 359: ...ault AuthZ box authorization method RADIUS from the list and authorization scheme system from the Name list Figure 352 Configuring AAA authorization 8 Click Apply A configuration progress dialog box appears 9 When the configuration process is complete click Close 10 Click Accounting tab 11 Select the ISP domain system the Default Accounting box accounting method RADIUS and accounting scheme system...

Page 360: ...ity 1 From the navigation tree select Authentication Port Security 2 Select the Enable Port Security box and click Apply Figure 354 Configuring global port security settings 3 In the Advanced Port Security Configuration area click Ports Enabled With Advanced Features and then click Add 4 Select GigabitEthernet1 0 1 and select the security mode 802 1X MAC Based Or OUI 5 Click Apply ...

Page 361: ...he Advanced Port Security Configuration area click Permitted OUIs 7 Enter 1234 0100 0000 in the OUI Value field and click Add Figure 356 Configuring permitted OUI values 8 Repeat the previous two steps to add OUI values of the MAC addresses 1234 0200 0000 and 1234 0300 0000 to the permitted OUI list ...

Page 362: ...ample present advertisements and deliver community and personalized services In this way broadband network providers equipment vendors and content service providers form an industrial ecological system Extended portal functions By forcing patching and anti virus policies extended portal functions help users to defend against viruses Portal authentication supports the following extended functions S...

Page 363: ...passed identity authentication and security check to access granted Internet resources Portal server A portal server listens to authentication requests from authentication clients and exchanges client authentication information with the access device It provides free portal services and pushes web authentication pages to users A portal server can be an entity independent of the access device or an...

Page 364: ...r security check If the client passes security check the security policy server authorizes the user to access the Internet resources NOTE To implement security check the client must be the HP iNode client Portal authentication supports NAT traversal whether it is initiated by a web client or an HP iNode client When the portal authentication client is on a private network but the portal server is o...

Page 365: ...r 3 interfaces that connect authentication clients Portal authentication performed on a Layer 3 interface can be direct authentication or cross subnet authentication In direct authentication no Layer 3 forwarding devices exist between the authentication client and the access device In cross subnet authentication Layer 3 forwarding devices may exist between the authentication client and the access ...

Page 366: ...rtal client Only Layer 3 portal authentication that uses a remote portal server supports EAP authentication Layer 2 portal authentication process Figure 360 Local Layer 2 portal authentication process The process of local Layer 2 portal authentication is as follows 1 The portal authentication client sends an HTTP or HTTPS request Upon receiving the HTTP request the access device redirects it to th...

Page 367: ... portal server if it is destined for other websites The portal server provides a web page for the user to enter the username and password 2 The portal server and the access device exchange Challenge Handshake Authentication Protocol CHAP messages For Password Authentication Protocol PAP authentication this step is skipped 3 The portal server assembles the username and password into an authenticati...

Page 368: ...ed to the local portal server which then pushes a web authentication page for the user to enter the username and password The listening IP address of the local portal server is the IP address of a Layer 3 interface on the access device that can communicate with the portal authentication client 2 The access device and the RADIUS server exchange RADIUS packets to authenticate the user 3 If the user ...

Page 369: ...t that the EAP request types vary with the EAP authentication phases 7 After the authentication client passes the EAP authentication the RADIUS server sends an authentication reply to the access device This reply carries the EAP Success message in the EAP Message attribute 8 The access device sends an authentication reply to the portal server This reply carries the EAP Success message in the EAP M...

Page 370: ...for portal authentication Optional Configure web proxy server ports an auto redirection URL the time that the device must wait before redirecting an authenticated user to the auto redirection URL and the portal user moving function 3 Configuring a portal free rule Optional Configure a portal free rule specifying the source and destination information for packet filtering A portal free rule allows ...

Page 371: ...ied external websites without portal authentication Packets matching a portal free rule will not trigger portal authentication and the users can directly access the specified external websites By default no portal free policy is configured Configuring the Layer 2 portal service 1 Select Authentication Portal from the navigation tree The portal server configuration page appears Figure 364 Portal se...

Page 372: ...able 108 Configuration items Item Description Interface Select the Layer 2 interface to be enabled with portal authentication Authentication Domain Specify the authentication domain for Layer 2 portal users After you specify an authentication domain on a Layer 2 interface the device uses the authentication domain for authentication authorization and accounting AAA of the portal users on the interf...

Page 373: ...authentication page access failures caused by interface failures A loopback interface does not forward received packets to any network avoiding impact on system performance when there are many network access requests Protocol Select the protocol to be used for communication between the portal client and local portal server Available protocols are HTTP and HTTPS PKI Domain Specify the PKI domain fo...

Page 374: ...nfigure the parameters for the Layer 3 local portal service For configuration details see Table 1 1 1 Method Specify the portal authentication mode which can be Direct Direct portal authentication Layer3 Cross subnet portal authentication IMPORTANT Cross subnet portal authentication mode does not require Layer 3 forwarding devices to be present between the authentication client and the access devi...

Page 375: ...ter by selecting Authentication AAA from the navigation tree For more information see Configuring AAA Figure 367 Adding a portal server Table 110 Configuration items Item Description Server Name Type a name for the remote portal server IP Type the IP address of the remote portal server Key Type the shared key to be used for communication between the device and the remote portal server Port Type th...

Page 376: ... The available PKI domains are those specified on the page you enter by selecting Authentication PKI from the navigation tree For more information see Configuring PKI IMPORTANT The service management and portal authentication modules always reference the same PKI domain Changing the referenced PKI domain in either module also changes that referenced in the other module Configuring advanced paramet...

Page 377: ...ust wait before redirecting an authenticated portal user to the auto redirection URL Enable Support for Portal User Moving Specify whether to enable support for portal user moving In scenarios where there are hubs Layer 2 switches or APs between users and the access devices if an authenticated user moves from an access port to another Layer 2 portal authentication enabled port of the device withou...

Page 378: ...Description Number Specify a sequence number for the portal free rule Source interface Specify a source interface for the portal free rule Source IP address Specify a source IP address and mask for the portal free rule Mask Source MAC Specify a source MAC address for the portal free rule IMPORTANT If you configure both the source IP address and the source MAC address make sure that the mask of the...

Page 379: ... server as the remote RADIUS server for authentication authorization and accounting Use the remote DHCP server to assign IP addresses to users The listening IP address of the local portal server is 4 4 4 4 The switch uses HTTP to transmit authentication data Enable authorized users to access external network resources Figure 372 Network diagram Configuration prerequisites Before configuring portal...

Page 380: ...he IP address 1 1 1 2 and port number 1812 select active from the Primary Server Status list and click Apply Figure 373 Configuring the RADIUS authentication server 3 Configure a RADIUS accounting server On the RADIUS server configuration page select Accounting Server as the server type and enter the IP address 1 1 1 2 and port number 1813 select active from the Primary Server Status list and clic...

Page 381: ... Select the Accounting Server Shared Key box enter the key expert and then enter the key again in the Confirm Accounting Shared Key field e Select without domain as the username format f Click Apply Figure 375 Configuring the RADIUS scheme 5 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain f...

Page 382: ...t the Default AuthN box select RADIUS from the Default AuthN list select system from the Name list to use it as the authentication scheme and click Apply A configuration progress dialog box appears Table 114 Configuration progress dialog box d After the configuration process is complete click Close ...

Page 383: ...ly A configuration progress dialog box appears f After the configuration process is complete click Close Figure 378 Configuring the authorization method for the ISP domain g On the Accounting tab select ISP domain test select the Default Accounting box select RADIUS from Default Accounting list select system from the Name list to use it as the accounting scheme and click Apply The configuration pr...

Page 384: ... 379 Configuring the accounting method for the ISP domain 6 Configure DHCP relay a Select Network DHCP from the navigation tree b Click the DHCP Relay tab c Select Enable for the DHCP Service field d Click Apply ...

Page 385: ...appears enter the server group ID 1 and the IP address 1 1 1 3 and click Apply Figure 381 Configuring a DHCP server group g In the Interface Config area click the icon of interface VLAN interface 8 h On the page that appears select Enable for DHCP Relay select 1 for Server Group ID and click Apply ...

Page 386: ... the Portal Application Layer 2 Interfaces area click Add c On the page that appears select interface GigabitEthernet1 0 1 enter the server IP address 4 4 4 4 select protocol HTTP and click Apply Figure 383 Applying the portal server to a Layer 2 interface Verifying the configuration Before accessing a web page user userpt is in VLAN 8 the initial VLAN and is assigned an IP address on subnet 192 1...

Page 387: ...nting Figure 384 Network diagram Configuration procedure Make sure that the IP address of the access device added on the portal server is the IP address of the interface connected to the host 2 2 2 1 in this example and the IP address group associated with the access device is the subnet where the host resides 2 2 2 0 24 in this example Configure IP addresses for the host switch and servers as sho...

Page 388: ...ng a RADIUS accounting server 3 Configure RADIUS scheme system for exchanges between the device and the RADIUS servers a Click the RADIUS Setup tab b Select extended as the server type c Select the Authentication Server Shared Key box enter the key expert and then enter the key again in the Confirm Authentication Shared Key field d Select the Accounting Server Shared Key box enter the key expert a...

Page 389: ...87 Configuring the RADIUS scheme 4 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain field and click Apply ...

Page 390: ...d click Apply A configuration progress dialog box appears d After the configuration process is complete click Close Figure 389 Configuring the authentication method for the ISP domain e On the Authorization tab select the ISP domain test select the Default AuthZ box select RADIUS from the Default AuthZ list select system from the Name list to use it as the authorization scheme and click Apply A co...

Page 391: ...ion method for the ISP domain g On the Accounting tab select the ISP domain test select the Default Accounting box select RADIUS from Default Accounting list select system from the Name list to use it as the accounting scheme and click Apply The configuration progress dialog box appears h After the configuration process is complete click Close ...

Page 392: ... Application Layer 3 Interfaces area click Add c On the page that appears select the interface Vlan interface100 select Add for Portal Server to add a portal server select the Direct portal authentication mode enter the portal server name newpt the portal server IP address 192 168 0 111 the shared key portal the port number 50100 and the redirection URL http 192 168 0 111 8080 portal for portal au...

Page 393: ...rtal authentication the host can access only the portal server After passing portal authentication the host can access Internet resources Use the IMC server as the RADIUS server for user authentication authorization and accounting Figure 394 Network diagram Switch A Host Vlan int4 20 20 20 1 24 Portal server 192 168 0 111 24 RADIUS server 192 168 0 112 24 Vlan int2 192 168 0 100 24 Switch B Vlan i...

Page 394: ...the following configuration on Switch A to implement cross subnet portal authentication 1 Configure the RADIUS authentication server a Select Authentication RADIUS from the navigation tree The RADIUS server configuration page appears as shown in Figure 395 b Select Authentication Server as the server type enter the IP address 192 168 0 112 and port number 1812 select active from the Primary Server...

Page 395: ...ect extended as the server type c Select the Authentication Server Shared Key box enter the key expert and then enter the key again in the Confirm Authentication Shared Key field d Select the Accounting Server Shared Key box enter the key expert and then enter the key again in the Confirm Accounting Shared Key field e Select without domain as the username format f Click Apply ...

Page 396: ...97 Configuring the RADIUS scheme 4 Configure AAA a Select Authentication AAA from the navigation tree b On the Domain Setup tab enter the domain name test select Enable for the Default Domain field and click Apply ...

Page 397: ...d click Apply A configuration progress dialog box appears d After the configuration process is complete click Close Figure 399 Configuring the authentication method for the ISP domain e On the Authorization tab select the ISP domain test select the Default AuthZ box select RADIUS from the Default AuthZ list select system from the Name list to use it as the authorization scheme and click Apply A co...

Page 398: ...ion method for the ISP domain g On the Accounting tab select the ISP domain test select the Default Accounting box select RADIUS from Default Accounting list select system from the Name list to use it as the accounting scheme and click Apply The configuration progress dialog box appears h After the configuration process is complete click Close ...

Page 399: ...l Application Layer 3 Interfaces area click Add c On the page that appears select the interface Vlan interface4 select Add for Portal Server to add a portal server select the Layer3 portal authentication mode enter the portal server name newpt the portal server IP address 192 168 0 111 the shared key portal the port number 50100 and the redirection URL http 192 168 0 111 8080 portal for portal aut...

Page 400: ...388 Figure 403 Applying the portal server to a Layer 3 interface On Switch B you must configure a default route to subnet 192 168 0 0 24 with the next hop as 20 20 20 1 Details not shown ...

Page 401: ... maintains user information centrally In an AAA network the NAS is a server for users and is a client for AAA servers Figure 404 AAA application scenario The NAS uses the authentication server to authenticate any user who tries to log in use network resources or access other networks The NAS transparently transmits authentication authorization and accounting information between the user and the se...

Page 402: ...unting AAA allows you to manage users based on their access types LAN users Users on a LAN who must pass 802 1X or MAC address authentication to access the network Login users Users who want to log in to the device including SSH users Telnet users Web users FTP users and terminal users Portal users Users who must pass portal authentication to access the network PPP users Users who access through P...

Page 403: ... By default all types of users use local authentication 3 Configuring authorization methods for the ISP domain Optional Specify the authorization methods for different types of users By default all types of users use local authorization 4 Configuring accounting methods for the ISP domain Required Specify the accounting methods for different types of users By default all types of users use local ac...

Page 404: ...domain as a non default domain There can only be one default domain at a time If you specify a second domain as the default domain the original default domain becomes a non default domain Configuring authentication methods for the ISP domain 1 Select Authentication AAA from the navigation tree 2 Click the Authentication tab Figure 407 Authentication method configuration page 3 Select an ISP domain...

Page 405: ...method for login users by using one of the following options HWTACACS HWTACACS authentication You must specify the HWTACACS scheme to be used Local Local authentication None No authentication This method trusts all users and HP does not recommend it for general use RADIUS RADIUS authentication You must specify the RADIUS scheme to be used Not Set The device uses the settings in the Default AuthN a...

Page 406: ...e of the following options HWTACACS HWTACACS authorization You must specify the HWTACACS scheme to be used Local Local authorization default setting None This method trusts all users and assigns default rights to them RADIUS RADIUS authorization You must specify the RADIUS scheme to be used Not Set The device uses the default authorization setting which is local authorization LAN access AuthZ Name...

Page 407: ...thod trusts all users and assigns default rights to them RADIUS RADIUS authorization You must specify the RADIUS scheme to be used Not Set The device uses the settings in the Default AuthZ area for PPP users Portal AuthZ Name Secondary Method Configure the authorization method for portal users by using one of the following options Local Local authorization None This method trusts all users and ass...

Page 408: ...nting updates for the user Default Accounting Name Secondary Method Configure the default accounting method and secondary accounting method for all types of users by using one of the following options HWTACACS HWTACACS accounting You must specify the HWTACACS scheme to be used Local Local accounting default setting None No accounting RADIUS RADIUS accounting You must specify the RADIUS scheme to b...

Page 409: ... RADIUS accounting You must specify the RADIUS scheme to be used Not Set The device uses the settings in the Default Accounting area for PPP users Portal Accounting Name Secondary Method Configure the accounting method for portal users by using one of the following options Local Local accounting None No accounting RADIUS RADIUS accounting You must specify the RADIUS scheme to be used Not Set The d...

Page 410: ...t enter the password abc confirm the password and select the service type Telnet Service e Click Apply Figure 411 Configuring a local user 4 Configure ISP domain test a Select Authentication AAA from the navigation tree The Domain Setup tab appears b Enter the domain name test c Click Apply ...

Page 411: ...k the Authentication tab b Select the domain test the Login AuthN box and authentication method Local Figure 413 Configuring the ISP domain to use local authentication c Click Apply A configuration progress dialog box appears as shown in Figure 286 d After the configuration process is complete click Close ...

Page 412: ...guration progress dialog box appears d After the configuration progress is complete click Close Figure 415 Configuring the ISP domain to use local authorization 7 Configure the ISP domain to use local accounting a Click the Accounting tab b Select the domain test the Login Accounting box and accounting method Local c Click Apply A configuration progress dialog box appears d After the configuration...

Page 413: ... Figure 416 Configuring the ISP domain to use local accounting Verifying the configuration Telnet to the switch and enter the username telnet test and password abc You are serviced as a user in domain test ...

Page 414: ...mation to RADIUS servers and reject or accept user access requests depending on the responses from RADIUS servers The RADIUS server runs on the computer or workstation at the network center and maintains information related to user authentication and network service access It receives connection requests authenticates users and returns access control information for example rejecting or accepting ...

Page 415: ...orithm and the shared key 3 The RADIUS server authenticates the username and password If the authentication succeeds the server returns an Access Accept message containing the user s authorization information If the authentication fails the server returns an Access Reject message 4 The RADIUS client permits or denies the user according to the returned authentication result If it permits the user t...

Page 416: ...If any attribute value carried in the Access Request is unacceptable the authentication fails and the server sends an Access Reject response 4 Accounting Request From the client to the server A packet of this type carries user information for the server to start or stop accounting for the user The Acct Status Type attribute in the packet indicates whether to start or stop accounting 5 Accounting R...

Page 417: ...Its format and content depend on the Type and Length sub fields Table 120 Commonly used RADIUS attributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct Terminate Cause 6 Service Type 50 Acct Multi Session Id 7 Framed Protocol 51 Acct Link Count 8 Framed IP...

Page 418: ... Type 87 NAS Port Id 41 Acct Delay Time 88 Framed Pool 42 Acct Input Octets 89 unassigned 43 Acct Output Octets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id Extended RADIUS attributes Attribute 26 Vendor Specific an attribute defined by RFC 2865 allows a vendor to define extended attributes to implement functions that the standard RADIUS protocol does not provide A vendor c...

Page 419: ...e primary server If the primary server fails the device changes the state of the primary server to blocked starts a quiet timer for the server and turns to a secondary server in the active state a secondary server configured earlier has a higher priority If the secondary server is unreachable the device changes the state of the secondary server to blocked starts a quiet timer for the server and co...

Page 420: ... address of the response to active if the current status of the server is blocked Set a proper real time accounting interval based on the number of users Table 121 Recommended real time accounting intervals Number of users Real time accounting interval in minutes 1 to 99 3 100 to 499 6 500 to 999 12 1000 15 Configuring RADIUS The RADIUS scheme configured through the Web interface is named system I...

Page 421: ... address is to be removed the port number is 1812 for authentication or 1813 for accounting Primary Server Status Set the status of the primary server Options are active The server is operating correctly blocked The server is down If the IP address of the primary server is not specified or the specified IP address is to be removed the status is blocked Secondary Server IP Specify the IP address of...

Page 422: ... down If the IP address of the secondary server is not specified or the specified IP address is to be removed the status is blocked Configuring RADIUS parameters 1 From the navigation tree select Authentication RADIUS 2 Click the RADIUS Setup tab Figure 422 RADIUS parameter configuration 3 Configure RADIUS parameters as described in Table 123 4 Click Apply ...

Page 423: ...ansmission Times Set the maximum number of transmitting attempts IMPORTANT The server response timeout time multiplied by the maximum number of RADIUS packet transmission attempts must not exceed 75 Realtime Accounting Interval Set the interval for sending real time accounting information The interval must be a multiple of three To implement real time accounting the device must periodically send r...

Page 424: ...f Packets Specify the unit for data packets sent to the RADIUS server One packet Kilo packet Mega packet Giga packet Security Policy Server Specify the IP address of the security policy server RADIUS configuration example Network requirements As shown in Figure 423 configure the switch to use the RADIUS server for user authentication and accounting record the online duration of the Telnet user Con...

Page 425: ...entication server 4 On the RADIUS Server tab select Accounting Server from the Server Type list enter 10 110 91 146 in the Primary Server IP box and 1813 in the Primary Server UDP Port box and select active from the Primary Server Status list 5 Click Apply Figure 425 Configuring the RADIUS accounting server 6 Click the RADIUS Setup tab 7 Select standard from the Server Type list select the Authent...

Page 426: ...guring RADIUS parameters Configuring AAA 1 From the navigation tree select Authentication AAA The Domain Setup tab appears 2 Enter test in the Domain Name field and select Enable from the Default Domain list 3 Click Apply ...

Page 427: ...on tab 5 Select the ISP domain test the Default AuthN box authentication method RADIUS and authentication scheme system from the Name list Figure 428 Configuring the authentication method for the ISP domain 6 Click Apply A configuration progress dialog box appears ...

Page 428: ...d authorization scheme system from the Name list Figure 430 Configuring the authorization method for the ISP domain 10 Click Apply A configuration progress dialog box appears 11 After the configuration process is complete click Close 12 Click the Accounting tab 13 Select the domain name test the Accounting Optional box the Default Accounting box accounting method RADIUS and accounting scheme syste...

Page 429: ...417 Figure 431 Configuring the accounting method for the ISP domain 14 Click Apply A configuration progress dialog box appears 15 After the configuration process is complete click Close ...

Page 430: ...set of local user attributes You can configure local user attributes for a user group to implement centralized management of user attributes for the local users in the group All local users in a user group inherit the user attributes of the group However if you configure user attributes for a local user the settings for the local user take precedence over the settings for the user group By default...

Page 431: ...r group configuration see Configuring a user group Service type Select the service types for the local user to use including Web FTP Telnet PPP Portal LAN access accessing through the Ethernet such as 802 1X users and SSH If you do not specify any service type for a local user who uses local authentication the user cannot pass authentication and cannot log in The service type of the guest administ...

Page 432: ...s Management A user can perform all operations except for security log file reading and management IMPORTANT This option is effective only for FTP Telnet and SSH users VLAN Specify the VLAN to be authorized to the local user after the user passes authentication This option is effective only for LAN users ACL Specify the ACL to be used by the access device to restrict the access of the local user a...

Page 433: ...lect an authorization level for the user group Visitor Monitor Configure or Management in ascending order of priority VLAN Specify the VLAN to be authorized to users of the user group after the users pass authentication ACL Specify the ACL to be used by the access device to control the access of users of the user group after the users pass authentication User profile Specify the user profile for t...

Page 434: ...te also known as a root certificate is signed by the CA Certificate revocation list An existing certificate might need to be revoked for different situations for example the username changes the private key leaks or the user stops the business Revoking a certificate will remove the binding of the public key with the user identity information In PKI the revocation is made through certificate revoca...

Page 435: ...on database It stores and manages information such as certificate requests certificates keys CRLs and logs and it provides a simple query function LDAP is a protocol for accessing and managing PKI information An LDAP server stores user information and digital certificates from the RA server and provides directory navigation service From an LDAP server an entity can retrieve digital certificates of...

Page 436: ... server Both the communication parties can verify the identity of each other through digital certificates Configuration guidelines When you configure PKI follow these guidelines Make sure the clocks of entities and the CA are synchronous Otherwise the validity period of certificates will be abnormal The Windows 2000 CA server has some restrictions on the data length of a certificate request If the...

Page 437: ...ended as a reference for other applications such as IKE and SSL 3 Generating an RSA key pair Required Generate a local RSA key pair By default no local RSA key pair exists Generating an RSA key pair is an important step in certificate request The key pair includes a public key and a private key The private key is kept by the user and the public key is transferred to the CA IMPORTANT To maintain co...

Page 438: ...tains an RSA key pair you must delete the existing key pair Otherwise the retrieving operation will fail 7 Retrieving and displaying a certificate Optional Retrieve an existing certificate 8 Retrieving and displaying a CRL Optional Retrieve a CRL and display its contents Configuration procedure for automatic requests Task Remarks 1 Creating a PKI entity Required Create a PKI entity and configure t...

Page 439: ...n will fail 4 Retrieving and displaying a certificate Optional Retrieve an existing certificate 5 Retrieving and displaying a CRL Optional Retrieve a CRL and display its contents Creating a PKI entity 1 From the navigation tree select Authentication PKI The PKI entity list page is displayed by default Figure 437 PKI entity list 2 Click Add on the page Figure 438 PKI entity configuration page 3 Con...

Page 440: ...le www whatever com is an FQDN where www indicates the host name and whatever com the domain name Country Region Code Enter the country or region code for the entity State Enter the state or province for the entity Locality Enter the locality for the entity Organization Enter the organization name for the entity Organization Unit Enter the unit name for the entity Creating a PKI domain 1 From the ...

Page 441: ...bility of certificate registration distribution and revocation and query In offline mode this item is optional In other modes this item is required Entity Name Select the local PKI entity When submitting a certificate request to a CA an entity needs to include its identity information Available PKI entities are those that have been configured Institution Select the authority for certificate reques...

Page 442: ...ify SHA1 as the hash algorithm enter an SHA1 fingerprint The fingerprint must be a string of 40 characters in hexadecimal notation If you do not specify the fingerprint hash do not enter any fingerprint The entity will not verify the CA root certificate and you must use a trusted CA server IMPORTANT The fingerprint must be configured if you specify the certificate request mode as Auto If you speci...

Page 443: ...RL distribution point is not set you should receive the CA certificate and a local certificate and then receive a CRL through SCEP IMPORTANT CRL distribution points do not support domain name resolution Generating an RSA key pair 1 From the navigation tree select Authentication PKI 2 Click the Certificate tab Figure 441 Certificate configuration page 3 Click Create Key 4 Set the key length 5 Click...

Page 444: ...CA certificate or local certificate from the CA server and save it locally in offline or online mode In offline mode you must retrieve a certificate by an out of band means such as FTP disk or email and then import it into the local PKI system By default the retrieved certificate is saved in a file under the root directory of the device and the filename is domain name_ca cer for the CA certificate...

Page 445: ... and name of the certificate file to import If the certificate file is saved on the device select Get File From Device and then specify the path and name of the file on the device If no file is specified the system by default gets the file domain name_ca cer for the CA certificate or domain name_local cer for the local certificate under the root directory of the device If the certificate file is s...

Page 446: ...gure 445 Certificate information Requesting a local certificate 1 From the navigation tree select Authentication PKI 2 Click the Certificate tab 3 Click Request Cert Figure 446 Local certificate request page ...

Page 447: ...eans like FTP disk or email 5 Click Apply If you request the certificate in offline mode the system displays the offline certificate request information You can submit the information to the CA by an out of band means Figure 447 Offline certificate request information page Retrieving and displaying a CRL 1 From the navigation tree select Authentication PKI 2 Click the CRL tab Figure 448 CRL page 3...

Page 448: ... Authority Key Identifier Identifier of the CA that issued the certificate and the certificate version X509v3 keyid Pubic key identifier A CA might have multiple key pairs and this field identifies which key pair is used for the CRL signature No Revoked Certificates No certificates are revoked Revoked Certificates Information about the revoked certificates Serial Number Serial number of the revoke...

Page 449: ...ttributes After configuring the basic attributes configure the parameters on the Jurisdiction Configuration page of the CA server This includes selecting the proper extension profiles enabling the SCEP autovetting function and adding the IP address list for SCEP autovetting 3 Configure the CRL publishing behavior After completing the configuration perform CRL configurations In this example select ...

Page 450: ...or certificate request the URL must be in the format of http host port Issuing Jurisdiction ID where Issuing Jurisdiction ID is the hexadecimal string generated on the CA and select Manual as the certificate request mode d Click the collapse button before Advanced Configuration e In the advanced configuration area click the Enable CRL Checking box and enter http 4 4 4 133 447 myca crl as the CRL U...

Page 451: ...b b Click Create Key c Enter 1024 as the key length and click Apply to generate an RSA key pair Figure 453 Generating an RSA key pair 4 Retrieve the CA certificate a Click Retrieve Cert on the Certificate tab b Select torsa as the PKI domain select CA as the certificate type and click Apply ...

Page 452: ... request has been submitted d Click OK to finish the operation Figure 455 Requesting a local certificate 6 Retrieve the CRL a Click the CRL tab b Click Retrieve CRL of the PKI domain of torsa Figure 456 Retrieving the CRL Verifying the configuration After the configuration you can view detailed information about the retrieved CA certificate and local certificate on the Certificate tab or view deta...

Page 453: ...ts in different VLANs Within the same VLAN ports in an isolation group can communicate with those outside the isolation group at Layer 2 Configuring a port isolation group Recommended configuration procedure Step Remarks 1 Adding port isolation groups Required By default no port isolation group exists 2 Configuring member ports for a port isolation group Required By default a port isolation group ...

Page 454: ...31 4 Click Apply Table 131 Configuration item Item Description Isolate group ID Enter the IDs of the port isolation groups you want to add Configuring member ports for a port isolation group 1 Select Security Port Isolate Group from the navigation tree 2 Click the Port Setup tab ...

Page 455: ...isolated port or ports Uplink port Assign the port to the isolation group as the uplink port The device does not support uplink ports Select port s Select the ports to assign to the isolation group To select ports you can click ports on the chassis front panel If aggregate interfaces are configured they will be listed on the chassis panel After selecting Isolated port for Config type you can selec...

Page 456: ...ork requirements As shown in Figure 459 Campus network users Host A Host B and Host C are connected to GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 of Switch Switch is connected to the external network through GigabitEthernet 1 0 1 GigabitEthernet 1 0 1 GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 belong to the same VLAN Configure Host A Host B and...

Page 457: ...etup tab b Select 1 from the Isolate group ID list c Select Isolated port for Config Type d Select 2 3 4 on the chassis front panel 2 3 4 represent ports GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 respectively e Click Apply A configuration progress dialog box appears f After the configuration process is complete click Close in the dialog box ...

Page 458: ...ion group 1 Viewing information about the isolation group 1 Click Summary 2 Display port isolation group 1 which contains isolated ports GigabitEthernet 1 0 2 GigabitEthernet 1 0 3 and GigabitEthernet 1 0 4 Figure 462 Information about port isolation group 1 ...

Page 459: ... configuration page Figure 463 Authorized IP configuration page 3 Configure authorized IP as described in Table 133 4 Click Apply Table 133 Configuration items Item Description Telnet IPv4 ACL Associate the Telnet service with an IPv4 ACL To configure the IPv4 ACL to be selected select QoS ACL IPv4 IPv6 ACL Associate the Telnet service with an IPv6 ACL To configure the IPv6 ACL to be selected sele...

Page 460: ...net and HTTP requests from Host B Figure 464 Network diagram Configuration procedure 1 Create an ACL a Select QoS ACL IPv4 from the navigation tree b Click the Create tab c Enter 2001 for ACL Number d Click Apply Figure 465 Creating an ACL 2 Configure an ACL rule to permit Host B a Click the Basic Setup tab The page for configuring an ACL rule appears ...

Page 461: ...the Source Wildcard field c Click Add Figure 466 Configuring an ACL rule to permit Host B 3 Configure authorized IP a Select Security Authorized IP from the navigation tree b Click the Setup tab The authorized IP configuration page appears c Select 2001 for IPv4 ACL in the Telnet field and select 2001 for IPv4 ACL in the Web HTTP field d Click Apply ...

Page 462: ...450 Figure 467 Configuring authorized IP ...

Page 463: ...and Layer 4 header fields Ethernet frame header ACLs 4000 to 4999 IPv4 and IPv6 Layer 2 header fields such as source and destination MAC addresses 802 1p priority and link layer protocol type Match order The rules in an ACL are sorted in a specific order When a packet matches a rule the device stops the match process and performs the action defined in the rule If an ACL contains overlapping or con...

Page 464: ... ignored The 0s and 1s in a wildcard mask can be noncontiguous For example 0 255 0 255 is a valid wildcard mask ACL rule numbering ACL rule numbering step If you do not assign an ID to the rule you are adding the system automatically assigns it a rule ID The rule numbering step sets the increment by which the system automatically numbers rules For example the default ACL rule numbering step is 5 I...

Page 465: ...ation guidelines When you configure an ACL follow these guidelines You cannot add a rule with or modify a rule to have the same permit deny statement as an existing rule in the ACL You can only modify the existing rules of an ACL that uses the match order of config When modifying a rule of such an ACL you may choose to change just some of the settings in which case the other settings remain the sa...

Page 466: ...he added IPv6 ACL depends on the ACL number that you specify 3 Configuring a rule for a basic IPv6 ACL Required Complete one of the tasks according to the ACL category 4 Configuring a rule for an advanced IPv6 ACL Configuring a time range 1 Select QoS Time Range from the navigation tree 2 Click the Create tab to enter the time range configuration page Figure 468 Adding a time range 3 Configure a t...

Page 467: ...ge The time of the day is in the hh mm format 24 hour clock and the date is in the MM DD YYYY format To Set the end time and date of the absolute time range The time of the day is in the hh mm format 24 hour clock and the date is in the MM DD YYYY format The end time must be later than the start time NOTE You can define both a periodic time range and an absolute time range to add a compound time r...

Page 468: ...ACL rules in the depth first match order Configuring a rule for a basic IPv4 ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Click the Basic Setup tab to enter the rule configuration page for a basic IPv4 ACL Figure 470 Configuring an basic IPv4 ACL 3 Configure a rule for a basic IPv4 ACL as described in Table 137 4 Click Add Table 137 Configuration items Item Description ACL Select the basic...

Page 469: ...s box the rule applies to all fragments and non fragments Check Logging Select this box to keep a log of matched IPv4 packets A log entry contains the ACL rule number operation for the matched packets protocol that IP carries source destination address source destination port number and number of matched packets Source IP Address Select the Source IP Address box and enter a source IPv4 address and...

Page 470: ...4 ACL 3 Configure a rule for an advanced IPv4 ACL as described in Table 138 4 Click Add Table 138 Configuration items Item Description ACL Select the advanced IPv4 ACL for which you want to configure rules Available ACLs are advanced IPv4 ACLs ...

Page 471: ...ess Select the Source IP Address box and enter a source IP address and a source wildcard mask in dotted decimal notation Destination Wildcard Protocol Select the protocol to be carried by IP If you select 1 ICMP you can configure the ICMP message type and code If you select 6 TCP or 17 UDP you can configure the TCP or UDP port ICMP Type ICMP Message Specify the ICMP message type and code These ite...

Page 472: ...cify the DSCP value If you specify the ToS precedence or IP precedence when you specify the DSCP value the specified TOS or IP precedence does not take effect TOS Specify the ToS preference Precedence Specify the IP precedence Time Range Select the time range during which the rule takes effect Configuring a rule for an Ethernet frame header ACL 1 Select QoS ACL IPv4 from the navigation tree 2 Clic...

Page 473: ...em Description ACL Select the Ethernet frame header ACL for which you want to configure rules Available ACLs are Ethernet frame header ACLs Rule ID Select the Rule ID box and enter a number for the rule If you do not specify the rule number the system will assign one automatically If the rule number you specify already exists this procedure modifies the configuration of the existing rule ...

Page 474: ...AP and SSAP fields in the LLC encapsulation by configuring the following items LSAP Type Indicates the frame encapsulation format LSAP Mask Indicates the LSAP mask LSAP Mask Protocol Type Select the Protocol Type box and specify the link layer protocol type by configuring the following items Protocol Type Indicates the frame type It corresponds to the type code field of Ethernet_II and Ethernet_SN...

Page 475: ...against ACL rules in the depth first match order Configuring a rule for a basic IPv6 ACL 1 Select QoS ACL IPv6 from the navigation tree 2 Click the Basic Setup tab to enter the rule configuration page for a basic IPv6 ACL Figure 474 Configuring a rule for a basic IPv6 ACL 3 Add a rule for a basic IPv6 ACL as described in Table 141 4 Click Add Table 141 Configuration items Item Description Select A...

Page 476: ...x to keep a log of matched IPv6 packets A log entry contains the ACL rule number operation for the matched packets protocol that the IP carries source destination address source destination port number and number of matched packets Source IP Address Select the Source IP Address box and enter a source IPv6 address and prefix length The IPv6 address must be in a format like X X X X An IPv6 address c...

Page 477: ...ACL for which you want to configure rules Rule ID Select the Rule ID box and enter a number for the rule If you do not specify the rule number the system will assign one automatically If the rule number you specify already exists this procedure modifies the configuration of the existing rule Operation Select the operation to be performed for IPv6 packets matching the rule Permit Allows matched pac...

Page 478: ...ighboring fields by colon Destination Prefix Protocol Select the protocol to be carried by IP If you select 58 ICMPv6 you can configure the ICMP message type and code If you select 6 TCP or 17 UDP you can configure the TCP or UDP specific items ICMPv6 Type Named ICMPv6 Type Specify the ICMPv6 message type and code These items are available only when you select 58 ICMPv6 from the Protocol list If y...

Page 479: ...re implementing new services such as tele education telemedicine video telephone videoconference and Video on Demand VoD Enterprise users expect to connect their regional branches together with VPN technologies to carry out operational applications for example to access the database of the company or to monitor remote devices through Telnet These new applications have special requirements for band...

Page 480: ...rce use efficiency Network resource memory in particular exhaustion and system breakdown Congestion hinders resource assignment for traffic and degrades service performance Congestion is unavoidable in switched networks and multi user application environments Countermeasures A simple solution for congestion is to increase network bandwidth However it cannot solve all the problems that cause conges...

Page 481: ...of service ToS field of the IP packet header You can also use header information such as IP addresses MAC addresses IP protocol field and port numbers You can define a class for packets with the same quintuple source address source port number protocol number destination address and destination port number for example or for all packets to a network segment When packets are classified on the netwo...

Page 482: ...ield where a differentiated services code point DSCP value is represented by the first six bits 0 to 5 and is in the range 0 to 63 The remaining two bits 6 and 7 are reserved Table 143 Description on IP Precedence IP Precedence decimal IP Precedence binary Description 0 000 routine 1 001 priority 2 010 immediate 3 011 flash 4 100 flash override 5 101 critical 6 110 internet 7 111 network Table 144...

Page 483: ...802 1Q tag header As shown in Figure 479 the 4 byte 802 1Q tag header consists of the tag protocol identifier TPID two bytes in length whose value is 0x8100 and the tag control information TCI two bytes in length Figure 480 shows the format of the 802 1Q tag header The priority in the 802 1Q tag header is called 802 1p priority because its use is defined in IEEE 802 1p Table 145 presents the value...

Page 484: ...dwidth resource assignment delay and jitter In this section two common hardware queue scheduling algorithms are introduced Strict Priority SP queuing and Weighted Round Robin WRR queuing SP queuing SP queuing is designed for mission critical applications that require preferential service to reduce response delay when congestion occurs Figure 481 SP queuing A typical switch provides eight queues pe...

Page 485: ...y In this way the queue with the lowest priority is assured of a minimum of 20 Mbps bandwidth and the disadvantage of SP queuing that packets in low priority queues may fail to be served for a long time is avoided WRR queuing improves bandwidth resource use efficiency by not setting a fixed service time for each queue If a queue is empty the next queue will be scheduled immediately You can impleme...

Page 486: ...n rate CIR Burst size The capacity of the token bucket or the maximum traffic size permitted in each burst It is typically set to the committed burst size CBS The set burst size must be greater than the maximum packet size One evaluation is performed on each arriving packet In each evaluation if the number of tokens in the bucket is enough the traffic conforms to the specification and the tokens f...

Page 487: ...assigns to the packet a set of predefined parameters including the 802 1p priority DSCP values IP precedence and local precedence For more information about 802 1p priority DSCP values and IP precedence see Packet precedences Local precedence is a locally significant precedence that the device assigns to a packet A local precedence value corresponds to an output queue Packets with the highest loca...

Page 488: ...to DSCP mapping table which applies to only IP packets DSCP to Queue DSCP to local mapping table which applies to only IP packets Table 146 through Table 147 list the default priority mapping tables Table 146 The default CoS to DSCP CoS to Queue mapping table Input CoS value Local precedence Queue DSCP 0 2 0 1 0 8 2 1 16 3 3 24 4 4 32 5 5 40 6 6 48 7 7 56 Table 147 The default DSCP to CoS DSCP to ...

Page 489: ... avoid packet drop Commonly used local packets are link maintenance packets ISIS packets OSPF packets RIP packets BGP packets LDP packets RSVP packets and SSH packets and so on When you configure queuing for a traffic behavior In a policy a traffic behavior with EF configured cannot be associated with the default class while a traffic behavior with WFQ configured can only be associated with the de...

Page 490: ...dd a class and specify the logical relationship between the match criteria in the class 2 Configuring classification rules Required Configure match criteria for the class 3 Adding a traffic behavior Required Add a traffic behavior 4 Configure actions for the behavior Configuring traffic mirroring and traffic redirecting for a traffic behavior Configuring other actions for a traffic behavior Use ei...

Page 491: ...ration procedure Step Remarks 1 Configuring priority mapping tables Required Set priority mapping tables Priority trust mode configuration procedure Step Remarks 1 Configuring priority trust mode on a port Required Set the priority trust mode of a port Adding a class 1 Select QoS Classifier from the navigation tree 2 Click the Create tab to enter the page for adding a class Figure 486 Adding a cla...

Page 492: ... mpls exp1 mpls exp2 mpls exp3 mpls exp4 mpls exp5 mpls exp6 and mpls exp7 Operator Specify the logical relationship between rules of the classifier and Specifies the relationship between the rules in a class as logic AND The device considers that a packet belongs to a class only when the packet matches all the rules in the class or Specifies the relationship between the rules in a class as logic ...

Page 493: ...tch all packets Select the box to match all packets DSCP Define a rule to match DSCP values If multiple rules are configured for a class the new configuration does not overwrite the previous You can configure up to eight DSCP values at a time If multiple identical DSCP values are specified the system considers them as a single value The relationship between different DSCP values is OR After config...

Page 494: ...alues are specified the system considers them as a single value The relationship between different 802 1p priority values is OR After configuration all the 802 1p priority values are arranged in ascending order automatically Customer 802 1p Define a rule to match the customer 802 1p priority values If multiple rules are configured for a class the new configuration does not overwrite the previous Y...

Page 495: ...ne a rule to match customer VLAN IDs If multiple rules are configured for a class the new configuration does not overwrite the previous You can configure multiple VLAN IDs at a time If the same VLAN ID is specified multiple times the system considers them as a single value The relationship between different VLAN IDs is logical OR You can specify VLAN IDs by using one of the following methods Enter...

Page 496: ...s The system defined behaviors include ef af and be Configuring traffic mirroring and traffic redirecting for a traffic behavior 1 Select QoS Behavior from the navigation tree 2 Click Port Setup to enter the port setup page for a traffic behavior Figure 489 Port setup page for a traffic behavior 3 Configure traffic mirroring and traffic redirecting as described in Table 152 4 Click Apply Table 152...

Page 497: ...e previous Redirect Set the action of redirecting traffic to the specified destination port Please select a port Specify the port to be configured as the destination port of traffic mirroring or traffic directing on the chassis front panel Configuring other actions for a traffic behavior 1 Select QoS Behavior from the navigation tree 2 Click Setup to enter the page for setting a traffic behavior ...

Page 498: ...486 Figure 490 Setting a traffic behavior 3 Configure other actions for a traffic behavior as described in Table 153 4 Click Apply ...

Page 499: ...n of marking 802 1p priority Local Precedence Configure the action of marking local precedence for packets Select the Local Precedence box and then select the local precedence value to be marked for packets in the following list Select Not Set to cancel the action of marking local precedence DSCP Configure the action of marking DSCP value for packets Select the DSCP box and then select the DSCP va...

Page 500: ...icy Figure 491 Adding a policy 3 Add a policy as described in Table 154 4 Click Create Table 154 Configuration items Item Description Policy Name Specify a name for the policy to be added Some devices have their own system defined policies The policy name you specify cannot overlap with system defined policies The system defined policy is the policy default Configuring classifier behavior associat...

Page 501: ... Description Please select a policy Select an existing policy in the list Classifier Name Select an existing classifier in the list Behavior Name Select an existing behavior in the list Applying a policy to a port 1 Select QoS Port Policy from the navigation tree 2 Click Setup to enter the page for applying a policy to a port Figure 493 Applying a policy to a port ...

Page 502: ...ing packets of the specified ports Outbound Applies the policy to the outgoing packets of the specified ports Please select port s Click to select ports to which the QoS policy is to be applied on the chassis front panel Configuring queue scheduling on a port 1 Select QoS Queue from the navigation tree 2 Click Setup to enter the queue scheduling configuration page Figure 494 Configuring queue sche...

Page 503: ...ice Group Specify the group the current queue is to be assigned to This list is available after you select a queue ID The following groups are available for selection SP Assigns a queue to the SP group 1 Assigns a queue to WRR group 1 2 Assigns a queue to WRR group 2 Weight Set a weight for the current queue This list is available when group 1 or group 2 is selected Please select port s Click to s...

Page 504: ...ct a direction to which the rate limit is to be applied Inbound Limits the rate of packets received on the specified port Outbound Limits the rate of packets sent by the specified port Both Limits the rate of packets received on the specified port and packets sent by the specified port CIR Set the committed information rate CIR which is the average traffic rate CBS Set the committed burst size CBS...

Page 505: ...in Table 159 3 Click Apply Table 159 Configuration items Item Description Mapping Type Select the priority mapping table to be configured which can be CoS to DSCP CoS to Queue DSCP to CoS DSCP to DSCP or DSCP to Queue Input Priority Value Set the output priority value for an input priority value Output Priority Value Restore Click Restore to display the default settings of the current priority map...

Page 506: ...ort Figure 498 The page for modifying port priority 3 Configure the port priority for a port as described in Table 160 4 Click Apply Table 160 Configuration items Item Description Interface Interface to be configured Priority Set a local precedence value for the port ...

Page 507: ... a priority trust mode for the port Untrust Packet priority is not trusted CoS 802 1p priority of the incoming packets is trusted and used for priority mapping DSCP DSCP value of the incoming packets is trusted and used for priority mapping ...

Page 508: ...hosts from accessing the FTP server from 8 00 to 18 00 every day 2 Configure a QoS policy to drop the packets matching the ACL 3 Apply the QoS policy in the inbound direction of GigabitEthernet 1 0 1 Figure 499 Network diagram Configuring Switch 1 Define a time range to cover the time range from 8 00 to 18 00 every day a Select QoS Time Range from the navigation tree b Click the Create tab c Enter...

Page 509: ... Figure 500 Defining a time range covering 8 00 to 18 00 every day 2 Add an advanced IPv4 ACL a Select QoS ACL IPv4 from the navigation tree b Click the Create tab c Enter the ACL number 3000 d Click Apply ...

Page 510: ... Click the Advanced Setup tab b Select 3000 in the ACL list c Select the Rule ID box and enter rule ID 2 d Select Permit in the Action list e Select the Destination IP Address box and enter IP address 10 1 1 1 and destination wildcard 0 0 0 0 f Select test time in the Time Range list g Click Add ...

Page 511: ...499 Figure 502 Defining an ACL rule for traffic to the FTP server 4 Add a class a Select QoS Classifier from the navigation tree b Click the Create tab c Enter the class name class1 d Click Create ...

Page 512: ...500 Figure 503 Adding a class 5 Define classification rules a Click the Setup tab b Select the class name class1 in the list c Select the ACL IPv4 box and select ACL 3000 in the following list ...

Page 513: ... 504 Defining classification rules d Click Apply A progress dialog box appears as shown in Figure 505 e Click Close on the progress dialog box when the progress dialog box prompts that the configuration succeeds ...

Page 514: ...ior name behavior1 d Click Create Figure 506 Adding a traffic behavior 7 Configure actions for the traffic behavior a Click the Setup tab b Select behavior1 in the list c Select the Filter box and then select Deny in the following list d Click Apply A progress dialog box appears e Click Close when the progress dialog box prompts that the configuration succeeds ...

Page 515: ...503 Figure 507 Configuring actions for the behavior 8 Add a policy a Select QoS QoS Policy from the navigation tree b Click the Create tab c Enter the policy name policy1 d Click Create ...

Page 516: ...Select behavior1 from the Behavior Name list e Click Apply Figure 509 Configuring classifier behavior associations for the policy 10 Apply the QoS policy in the inbound direction of interface GigabitEthernet 1 0 1 a Select QoS Port Policy from the navigation tree b Click the Setup tab c Select policy1 from the Please select a policy list d Select Inbound from the Direction list ...

Page 517: ...t 1 0 1 f Click Apply A configuration progress dialog box appears g Click Close when the progress dialog box prompts that the configuration succeeds Figure 510 Applying the QoS policy in the inbound direction of GigabitEthernet 1 0 1 ...

Page 518: ... the PD A PSE can be built in Endpoint or external Midspan A built in PSE is integrated into the device and an external PSE is independent of the device The device has only one built in PSE PI An Ethernet interface with the PoE capability is called PoE interface A PoE interface can be an FE or GE interface PD A PD receives power from the PSE You can also connect a PD to a redundant power source fo...

Page 519: ...is not enabled with the PoE function You can enable PoE for a PoE port if the PoE port does not result in PoE power overload Otherwise you cannot enable PoE for the PoE port By default PoE is enabled on a PoE port IMPORTANT When the sum of the power consumption of all ports exceeds the maximum power of PSE the system considers the PSE as overloaded Power Max Set the maximum power for the PoE port ...

Page 520: ... of a PoE port is low IMPORTANT A guard band of 19 watts is reserved for each PoE interface on the device to prevent a PD from being powered off because of a sudden increase of power If the remaining power of the PSE is lower than 19 watts and no priority is configured for a PoE interface the PSE does not supply power to the new PD If the remaining power of the PSE is lower than 19 watts but prior...

Page 521: ...SEs Click Disable All Displaying information about PSE and PoE ports 1 Select PoE PoE from the navigation tree to enter the Summary tab The upper part of the page displays the PSE summary 2 To view the configuration and power information click a port on the chassis front panel Figure 514 PoE summary with GigabitEthernet 1 0 1 selected PoE configuration example Network requirements As shown in Figu...

Page 522: ...onfiguring PoE 1 Enable PoE on GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 and set their power supply priority to critical a Select PoE PoE from the navigation tree b Click the Setup tab c On the tab click to select ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 from the chassis front panel select Enable from the Power State list and select Critical from the Power Priority list d Click ...

Page 523: ... click to select port GigabitEthernet 1 0 11 from the chassis front panel select Enable from the Power State list and select the box before Power Max and enter 12950 c Click Apply Figure 517 Configuring the PoE port supplying power to AP After the configuration takes effect the IP telephones and AP are powered and can operate correctly ...

Page 524: ...ing you will receive email notification of product enhancements new driver versions firmware updates and other product resources Related information Documents To find related documents browse to the Manuals page of the HP Business Support Center website http www hp com support manuals For related documentation navigate to the Networking section and select a networking category For a complete list ...

Page 525: ...eparated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names button names field names and menu items are in bold text For example the New User window appears cl...

Page 526: ...eric switch such as a Layer 2 or Layer 3 switch or a router that supports Layer 2 forwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the switching engine on a unified wired WLAN switch Represents an access point Port numbering in examples The port numbers in this document are for illustration only and might be unavailable on your device ...

Page 527: ...ion prerequisites 390 Configuration procedure 391 Configuration procedure 447 Configuration procedure 295 Configuration procedure 312 Configuration procedures 334 Configuring 802 1X globally 312 Configuring 802 1X on a port 313 Configuring a history entry 84 Configuring a local user 418 Configuring a port isolation group 441 Configuring a statistics entry 83 Configuring a user group 420 Configurin...

Page 528: ...g an IPv6 static route 252 Creating VLANs 123 D Destroying the RSA key pair 432 DHCP 261 DHCP relay agent configuration example 281 DHCP server configuration examples 275 DHCP snooping 261 DHCP snooping configuration example 283 Displaying and configuring MAC address entries 157 Displaying device information 29 Displaying files 46 Displaying global LLDP information 210 Displaying IGMP snooping mul...

Page 529: ...uthentication configuration examples 367 Protocols and standards 198 Protocols and standards 166 Q QoS configuration procedures 477 R RADIUS configuration example 412 Rebooting the device 32 Recommended configuration procedure 81 Recommended configuration procedure 262 Recommended configuration procedure 99 Recommended configuration procedure 239 Recommended configuration procedures 424 Recommende...

Page 530: ...v3 configuration example 1 13 Specifying management IP addresses at the CLI 26 Switching to the management level 69 System time configuration example 37 T Traceroute 289 Traceroute operation 291 U Uploading a file 47 Using MAC authentication with other features 294 V VLAN configuration example 128 Voice VLAN configuration examples 144 W Web interface 1 Web user level 2 Web based NM functions 2 Why...

Reviews:

No comments

Related manuals for HP 830 Series

3CR860-95 - OfficeConnect Secure Router

Brand: 3Com Pages: 2

Brand: 3Com Pages: 26

Brand: Enginko Pages: 19

APS6-400 Series

Brand: Eaton Pages: 114

Brand: Lucent Technologies Pages: 20

SmartMesh IA-510 D2511

Brand: Dust Networks Pages: 30

Brand: Draytek Pages: 2

Brand: Genie Pages: 6

IPAM-1600s Series

Brand: C-Com Pages: 148

Brand: E-LINX Pages: 24

Brand: Z-Wave Pages: 6

Brand: AMX Pages: 2

Brand: NC-link Pages: 20

ConnectX-3 Pro MCX349A-XCCN

Brand: Mellanox Technologies Pages: 35

Brand: TP-Link Pages: 37

Brand: Buffalo Pages: 2

Brand: VideoWave Pages: 12

Brand: ADTRAN Pages: 9

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands