manualshive.com logo in svg

HPE OfficeConnect 1950 Series, User Manual

The HPE OfficeConnect 1950 Series is a cutting-edge networking solution designed to enhance productivity in your office. To help you maximize its functionalities, download the comprehensive User Manual for free from our website. Master every feature and unlock the product's full potential effortlessly.

Share
Download
background image

 

42 

{

 

ARP source suppression. 

{

 

ARP packet source MAC consistency check. 

{

 

ARP active acknowledgement. 

{

 

Source MAC-based ARP attack detection. 

{

 

Authorized ARP. 

 

ARP scanning and fixed ARP. 

 

The access device supports the following features: 

{

 

ARP packet rate limit. 

{

 

ARP gateway protection. 

{

 

ARP filtering. 

{

 

ARP detection. 

Unresolvable IP attack protection 

If a device receives a large number of unresolvable IP packets from a host, the following situations 
can occur: 

 

The device sends a large number of ARP requests, overloading the target subnets. 

 

The device keeps trying to resolve the destination IP addresses, overloading its CPU. 

To protect the device from such IP attacks, you can configure the following features: 

 ARP 

source 

suppression

—Stops resolving packets from a host if the number of unresolvable 

IP packets from the host exceeds the upper limit within 5 seconds. The device continues ARP 
resolution when the interval elapses. This feature is applicable if the attack packets have the 
same source addresses. 

 

ARP blackhole routing

—Creates a blackhole route destined for an unresolvable IP address. 

The device drops all matching packets until the blackhole route ages out. This feature is 
applicable regardless of whether the attack packets have the same source addresses. 

ARP packet source MAC consistency check 

This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet 
header is different from the sender MAC address in the message body. This feature allows the 
gateway to learn correct ARP entries. 

ARP active acknowledgement 

Configure this feature on gateways to prevent user spoofing. 

ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. 

In strict mode, a gateway performs more strict validity checks before creating an ARP entry: 

 

Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but 
does not create an ARP entry. 

 

Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP 
address: 

{

 

If yes, the gateway performs active acknowledgement. When the ARP reply is verified as 
valid, the gateway creates an ARP entry. 

{

 

If not, the gateway discards the packet. 

Source MAC-based ARP attack detection 

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from 
the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to 
an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the 
following methods: 

 Monitor

—Only generates log messages. 

Summary of Contents for OfficeConnect 1950 Series

Page 1: ...HPE OfficeConnect 1950 Switch Series User Guide Part number 5998 8111 Document version 6W103 20160825 ...

Page 2: ... and 12 212 Commercial Computer Software Computer Software Documentation and Technical Data for Commercial Items are licensed to the U S Government under vendor s standard commercial license Links to third party websites take you outside the Hewlett Packard Enterprise website Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterpris...

Page 3: ...s of a table entry 9 Rebooting the device 10 Feature navigator 11 Dashboard menu 11 Device menu 11 Network menu 12 Resources menu 16 QoS menu 17 Security menu 17 PoE menu 18 Log menu 18 Device management 19 Settings 19 System time sources 19 Clock synchronization protocols 19 NTP SNTP operating modes 19 NTP SNTP time source authentication 20 Administrators 20 User account management 21 Role based ...

Page 4: ...ty 38 DHCP snooping 38 IP 39 IP address classes 39 Subnetting and masking 39 IP address configuration methods 40 MTU for an interface 40 ARP 40 Types of ARP table entries 40 Gratuitous ARP 41 ARP attack protection 41 DNS 44 Dynamic domain name resolution 44 Static domain name resolution 45 DNS proxy 45 DDNS 45 IPv6 46 IPv6 address formats 46 IPv6 address types 46 EUI 64 address based interface ide...

Page 5: ...8 Applying a QoS policy 68 Hardware queuing 68 SP queuing 69 WRR queuing 69 WFQ queuing 70 Queue scheduling profile 71 Priority mapping 71 Port priority 71 Priority map 72 Rate limit 72 Security features 73 Packet filter 73 IP source guard 73 Overview 73 Interface specific static IPv4SG bindings 73 802 1X 73 802 1X architecture 73 802 1X authentication methods 74 Access control methods 74 Port aut...

Page 6: ...ation example 105 Dynamic DNS configuration example 106 DDNS configuration example with www 3322 org 107 Static IPv6 address configuration example 108 ND configuration example 109 Port mirroring configuration example 110 IPv4 static route configuration example 111 IPv4 local PBR configuration example 112 IGMP snooping configuration example 112 MLD snooping configuration example 114 DHCP configurat...

Page 7: ...144 password 145 ping 145 ping ipv6 146 poe update 146 quit 147 reboot 147 summary 148 telnet 150 telnet ipv6 151 transceiver phony alarm disable 151 upgrade 152 xtd cli mode 154 Document conventions and icons 156 Conventions 156 Network topology icons 157 Support and other resources 158 Accessing Hewlett Packard Enterprise Support 158 Accessing updates 158 Websites 159 Customer self repair 159 Re...

Page 8: ...ow to manage the device from the CLI Appendix A Managing the device from the CLI This user guide does not include step by step configuration procedures because the webpages are task oriented by design A configuration page typically provides links to any pages that are required to complete the task Users do not have to navigate to multiple pages For tasks that require navigation to multiple pages t...

Page 9: ...G960A HPE OfficeConnect 1950 24G 2SFP 2XGT Switch Release 3111P02 Release 3113P05 JG961A HPE OfficeConnect 1950 48G 2SFP 2XGT Switch JG962A HPE OfficeConnect 1950 24G 2SFP 2XGT PoE 370W Switch JG963A HPE OfficeConnect 1950 48G 2SFP 2XGT PoE 370W Switch JH295A HPE OfficeConnect 1950 12XGT 4SFP Switch Release 5103P03 ...

Page 10: ...sure correct display of webpage contents after software upgrade or downgrade clear data cached by the browser before you log in Enable active scripting or JavaScript depending on the Web browser If you are using a Microsoft Internet Explorer browser you must enable the following security settings Run ActiveX controls and plug ins Script ActiveX controls marked safe for scripting Default login sett...

Page 11: ...dress Find the MAC address label on the device and use the following rules to determine the last two bytes for the IP address Last two bytes of the MAC address Last two bytes for the IP address All 0s 0 1 All Fs 255 1 Not all 0s or all Fs Decimal values of the last two bytes of the MAC address For example MAC address IP address 08004E080000 169 254 0 1 08004E08FFFF 169 254 255 1 08004E082A3F 169 2...

Page 12: ...he login information To change the password of the login user admin at the first login click the Admin icon To add new user accounts and assign access permissions to different users select Device Maintenance Administrators Logging out of the Web interface IMPORTANT For security purposes log out of the Web interface immediately after you finish your tasks You cannot log out by closing the browser T...

Page 13: ... save the configuration 2 Navigation tree Organizes feature menus in a tree 3 Content pane Displays information and provides an area for you to configure features Depending on the content in this pane the webpages include the following types Feature page Contains functions or features that a feature module can provide see Using a feature page Table page Displays entries in a table see Using a tabl...

Page 14: ... in Figure 2 a feature page contains information about a feature module including its table entry statistics features and functions From a feature page you can configure features provided by a feature module Figure 2 Sample feature page Using a table page As shown in Figure 3 a table page displays entries in a table To sort entries by a field in ascending or descending order click the field For ex...

Page 15: ...st be configured on another page the configuration page typically provides a link You do not need to navigate to the destination page For example you must use an ACL when you configure a packet filter If no ACLs are available when you perform the task you can click the Add icon to create an ACL In this situation you do not need to navigate to the ACL management page ...

Page 16: ...ounter icon Counter Identify the total number of table entries Navigation icon Next Access the lower level page to display information or configure settings Status control icon Status control Control the enable status of the feature If ON is displayed the feature is enabled To disable the feature click the button If OFF is displayed the feature is disabled To enable the feature click the button Se...

Page 17: ...ctor Select fields to be displayed Advanced settings icon Advanced settings Access the configuration page to configure settings Performing basic tasks This section describes the basic tasks that must be frequently performed when you configure or manage the device Saving the configuration Typically settings take effect immediately after you create them However the system does not automatically save...

Page 18: ...he device Reboot is required for some settings for example the stack setup to take effect To reboot the device 1 Save the configuration 2 Select Device Maintenance Reboot 3 On the reboot page click the reboot button ...

Page 19: ...urces ACL IPv4 from the navigation tree NOTE In the navigator tables a menu is in boldface if it has submenus Dashboard menu The dashboard menu provides an overview of the system and its running status including System logs System utilization System info This menu does not contain submenus Device menu Use Table 3 to navigate to the tasks you can perform from the Device menu Table 3 Device menu nav...

Page 20: ...nostics Collect diagnostic information used for system diagnostics and troubleshooting Reboot Reboot the device About Display basic device information including Device name Serial number Version information Electronic label Legal statement Virtualization IRF Configure the following settings to set up an HPE OfficeConnect 1950 stack Member ID Priority Domain ID Stack port bindings Display the stack...

Page 21: ...es dynamic MAC entries and blackhole MAC entries Display existing MAC entries STP Enable or disable STP globally Enable or disable STP on interfaces Configure the STP operating mode as STP RSTP PVST or MSTP Configure instance priorities Configure MST regions LLDP Enable or disable LLDP Modify the LLDP operating mode Modify the interface mode Configure LLDP to advertise the specified TLVs DHCP Snoo...

Page 22: ... aging time for stale ND entries Minimize link local ND entries Configure hop limit Configure RA prefix attributes including Address prefix Prefix length Valid lifetime Preferred lifetime Configure RA settings for an interface including RA message suppression Maximum and minimum intervals for sending RA messages Hop limit M flag O flag Router lifetime NS retransmission interval Router preference N...

Page 23: ... operate in the DHCP server mode Configure DHCP address pools Configure the IP address conflict detection Configure DHCP relay agent functions including Configure DHCP services Configure the DHCP relay agent mode Configure the IP address of the DHCP server Configure settings for DHCP relay entry include Recording of DHCP relay entries Periodic refreshing of DHCP relay entries Interval for refreshi...

Page 24: ... menu navigator Menus Tasks ACLs IPv4 Create modify or delete an IPv4 basic ACL Create modify or delete an IPv4 advanced ACL IPv6 Create modify or delete an IPv6 basic ACL Create modify or delete an IPv6 advanced ACL Ethernet Create modify or delete an Ethernet frame header ACL Time Range Time Range SSL SSL Create modify or delete an SSL client policy Create modify or delete an SSL server policy P...

Page 25: ...gate to the tasks you can perform from the Security menu Table 7 Security menu navigator Menus Tasks Packet Filter Packet Filter Create modify or delete a packet filter for an interface a VLAN or the system Configure the default action for the packet filter IP Source Guard Configure an interface specific static IPv4 source guard binding Access Control 802 1X Enable or disable 802 1X Configure the ...

Page 26: ...oE menu navigator Menus Tasks PoE Configure the maximum PoE power and power alarm threshold for the device Enable or disable PoE on an interface Configure the maximum PoE power power supply priority PD description and fault description for an interface Log menu Use Table 9 to navigate to the tasks you can perform from the Log menu Table 9 Log menu navigator Menus Tasks Log System Log Display log i...

Page 27: ...ates the system time The system time calculated by using the UTC time from a time source is more precise Make sure the time zone and daylight saving setting are the same as the parameters of the place where the device resides If the system time does not change accordingly when the daylight saving period ends refresh the Web interface Clock synchronization protocols The device supports the followin...

Page 28: ...ed to multiple time servers it selects an optimal clock and synchronizes its local clock to the optimal reference source You must specify the IP address of the symmetric passive peer on the symmetric active peer A symmetric active peer and a symmetric passive peer can be synchronized to each other If both of them are synchronized the peer with a higher stratum is synchronized to the peer with a lo...

Page 29: ...to VLANs You can perform the following tasks on an accessible interface VLAN Create or remove the interface or VLAN Configure attributes for the interface or VLAN Apply the interface or VLAN to other parameters Predefined user roles The system provides predefined user roles These user roles have access to all system resources interfaces and VLANs Their access permissions differ If the predefined u...

Page 30: ...mbination of characters from the following types Uppercase letters A to Z Lowercase letters a to z Digits 0 to 9 Special characters See Table 11 Table 11 Special characters Character name Symbol Character name Symbol Ampersand sign Apostrophe Asterisk At sign Back quote Back slash Blank space N A Caret Colon Comma Dollar sign Dot Equal sign Exclamation point Left angle bracket Left brace Left brac...

Page 31: ...ce the last change is less than this interval the system denies the request For example if you set this interval to 48 hours a user cannot change the password twice within 48 hours The set minimum interval is not effective when a user is prompted to change the password at the first login or after its password aging time expires Password expiration Password expiration imposes a lifecycle on a user ...

Page 32: ...TP and VTY users It does not take effect on the following types of users Nonexistent users users not configured on the device Users logging in to the device through console ports If a user fails to use a user account to log in after making the maximum number of consecutive attempts login attempt limit takes the following actions Adds the user account and the user s IP address to the password contr...

Page 33: ...stack port you must bind a minimum of one physical interface to it The physical interfaces assigned to a stack port automatically form an aggregate stack link When you connect two neighboring stack members connect the physical interfaces of IRF port 1 on one member to the physical interfaces of IRF port 2 on the other Stack physical interfaces Stack physical interfaces connect stack member devices...

Page 34: ... united Member priority Member priority determines the possibility of a member device to be elected the master A member with higher priority is more likely to be elected the master The default member priority is 1 You can change the member priority of a device to affect the master election result ...

Page 35: ...ace 1 Layer 2 aggregation group 1 is created You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group The port rate of an aggregate interface equals the total rate of its Selected member ports Its duplex mode is the same as that of the Selected member ports Aggregation states of member ports in an aggregation group A member port in an aggregation group can be in any of the fo...

Page 36: ... the reference port A Selected port must have the same operational key and attribute configurations as the reference port The system chooses a reference port from the member ports that are in up state and have the same attribute configurations as the aggregate interface The candidate ports are sorted in the following order a Highest port priority b Full duplex high speed c Full duplex low speed d ...

Page 37: ...stem chooses a reference port from the member ports that are in up state and have the same attribute configurations as the aggregate interface A Selected port must have the same operational key and attribute configurations as the reference port The local system the actor and the peer system the partner negotiate a reference port by using the following workflow a The two systems compare their syste...

Page 38: ...rt If ports have the same priority the system proceeds to the next step The system compares their port numbers The smaller the port number the smaller the port ID The port with the smallest port number and the same attribute configurations as the aggregate interface is chosen as the reference port After the reference port is chosen the system with the smaller system ID sets the state of each membe...

Page 39: ...s when monitored traffic meets one of the following conditions Exceeds the upper threshold Drops below the lower threshold Port isolation The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs Ports in an isolation group cannot communicate with each other However they can communicate with ports outside the isolation group VLAN The Virtual Local Area N...

Page 40: ...ets destined for another IP subnet Voice VLAN A voice VLAN is used for transmitting voice traffic The device can configure QoS parameters for voice packets to ensure higher transmission priority of the voice packets OUI addresses A device identifies voice packets based on their source MAC addresses A packet whose source MAC address complies with an Organizationally Unique Identifier OUI address of...

Page 41: ...ng their MAC addresses If the PVID of the port is the voice VLAN and the port operates in manual VLAN assignment mode the port forwards all the received untagged packets in the voice VLAN Security mode The port uses the source MAC addresses of the received packets to match the OUI addresses of the device Packets that fail the match will be dropped MAC An Ethernet device uses a MAC address table to...

Page 42: ...ods and possibly affect the device performance To reduce floods on a stable network set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out Reducing floods improves the network performance Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations MAC address learning MAC address learning...

Page 43: ... mode automatically transits to the STP mode when it receives STP BPDUs from a peer device The port does not transit to the RSTP mode when it receives RSTP BPDUs from a peer device MSTP basic concepts MSTP divides a switched network into multiple spanning tree regions MST regions MSTP maintains multiple independent spanning trees in an MST region and each spanning tree is mapped to specific VLANs ...

Page 44: ...rt states Disabled Blocking Listening Learning and Forwarding The Disabled Blocking and Listening states correspond to the Discarding state in RSTP and MSTP LLDP The Link Layer Discovery Protocol LLDP operates on the data link layer to exchange device information between directly connected devices With LLDP a device sends local device information as TLV type length and value triplets in LLDP Data ...

Page 45: ...er restarts When the aging timer decreases to zero the saved information ages out By setting the TTL multiplier you can configure the TTL of locally sent LLDPDUs The TTL is expressed by using the following formula TTL Min 65535 TTL multiplier LLDP frame transmission interval 1 As the expression shows the TTL can be up to 65535 seconds TTLs greater than 65535 will be rounded down to 65535 seconds L...

Page 46: ...lter ARP packets from unauthorized clients Backs up DHCP snooping entries automatically The auto backup function saves DHCP snooping entries to a backup file and allows the DHCP snooping device to download the entries from the backup file at device reboot The entries on the DHCP snooping device cannot survive a reboot The auto backup helps some other features provide services if these features mus...

Page 47: ...artup for temporary communication This address is never a valid destination address Addresses starting with 127 are reserved for loopback test Packets destined to these addresses are processed locally as input packets rather than sent to the link B 128 0 0 0 to 191 255 255 255 N A C 192 0 0 0 to 223 255 255 255 N A D 224 0 0 0 to 239 255 255 255 Multicast addresses E 240 0 0 0 to 255 255 255 255 R...

Page 48: ...et an appropriate MTU for an interface based on the network environment to avoid fragmentation ARP ARP resolves IP addresses into MAC addresses on Ethernet networks Types of ARP table entries An ARP table stores dynamic and static ARP entries Dynamic ARP entry ARP automatically creates and updates dynamic entries A dynamic ARP entry is removed when its aging timer expires or the output interface g...

Page 49: ...timely manner This feature can implement the following functions Prevent gateway spoofing Gateway spoofing occurs when an attacker uses the gateway address to send gratuitous ARP packets to the hosts on a network The traffic destined for the gateway from the hosts is sent to the attacker instead As a result the hosts cannot access the external network To prevent such gateway spoofing attacks you c...

Page 50: ...able regardless of whether the attack packets have the same source addresses ARP packet source MAC consistency check This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body This feature allows the gateway to learn correct ARP entries ARP active acknowledgement Configure this feature on gat...

Page 51: ...U An ARP detection enabled device will send all received ARP packets to the CPU for inspection Processing excessive ARP packets will make the device malfunction or even crash To solve this problem configure the ARP packet rate limit Configure this feature when ARP detection is enabled or when ARP flood attacks are detected If logging for ARP packet rate limit is enabled the device sends the highes...

Page 52: ...nterfaces and have passed user validity check as follows If the packets are ARP requests they are forwarded through the trusted interface If the packets are ARP replies they are forwarded according to their destination MAC address If no match is found in the MAC address table they are forwarded through the trusted interface ARP does not have security mechanisms and is vulnerable to network attacks...

Page 53: ... static DNS mapping for a device so that you can Telnet to the device by using the domain name After a user specifies a name the device checks the static name resolution table for an IP address If no IP address is available it contacts the DNS server for dynamic name resolution which takes more time than static name resolution To improve efficiency you can put frequently queried name to IP address...

Page 54: ...ddress can be represented in the shortest format as 2001 0 130F 9C0 876A 130B An IPv6 address consists of an address prefix and an interface ID which are equivalent to the network ID and the host ID of an IPv4 address An IPv6 address prefix is written in IPv6 address prefix length notation The prefix length is a decimal number indicating how many leftmost bits of the IPv6 address are in the addres...

Page 55: ...Anycast addresses use the unicast address space and have the identical structure of unicast addresses N A EUI 64 address based interface identifiers An interface identifier is 64 bit long and uniquely identifies an interface on a link Interfaces generate EUI 64 address based interface identifiers differently On an IEEE 802 interface such as a VLAN interface the interface identifier is derived from...

Page 56: ...to the link local address prefix FE80 10 and the EUI 64 address based interface identifier Manual assignment An IPv6 link local address is manually configured An interface can have only one link local address As a best practice use the automatic generation method to avoid link local address conflicts If both methods are used manual assignment takes precedence If you first use automatic generation ...

Page 57: ...tions and flag bits Redirect 137 Informs the source host of a better next hop on the path to a particular destination Neighbor entries A neighbor entry stores information about a neighboring node on the link Neighbor entries can be dynamically configured through NS and NA messages or manually configured You can configure a static neighbor entry by using one of the following methods Method 1 Associ...

Page 58: ...s flag Specifies unlimited hops in RA messages M flag Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address If the M flag is set the host uses stateful autoconfiguration for example from a DHCPv6 server to obtain an IPv6 address If the flag is not set the host uses stateless autoconfiguration to generate an IPv6 address according to its link layer address and the pref...

Page 59: ...o obtain Host B s MAC address However Host B cannot receive the NS message because they belong to different broadcast domains To solve this problem enable common ND proxy on Interface A and Interface B of the Device The Device replies to the NS message from Host A and forwards packets from other hosts to Host B Local ND proxy As shown in Figure 8 Host A belongs to VLAN 2 and Host B belongs to VLAN...

Page 60: ...irrored packets are transmitted by the remote probe VLAN from the source device to the destination device Static routing Static routes are manually configured If a network s topology is simple you only need to configure static routes for the network to work correctly Static routes cannot adapt to network topology changes If a fault or a topological change occurs in the network the network administ...

Page 61: ...vice as an IPv6 multicast constraining mechanism It creates Layer 2 IPv6 multicast forwarding entries from MLD packets that are exchanged between the hosts and the Layer 3 device The Layer 2 device forwards multicast data based on Layer 2 IPv6 multicast forwarding entries A Layer 2 IPv6 multicast forwarding entry contains the VLAN IPv6 multicast group address IPv6 multicast source address and host...

Page 62: ...n address pool depending on the client location Client on the same subnet as the server The DHCP server compares the IP address of the receiving interface with the subnets of all address pools If a match is found the server selects the address pool with the longest matching subnet Client on a different subnet than the server The DHCP server compares the IP address in the giaddr field of the DHCP r...

Page 63: ...ess the DHCP server pings the IP address If the server receives a response within the specified period it selects and pings another IP address If it does not receive a response the server continues to ping the IP address until a specific number of ping packets are sent If it still does not receive a response the server assigns the IP address to the requesting client DHCP relay agent The DHCP relay...

Page 64: ...TP or HTTPS to prevent unauthorized Web access If you does not specify an ACL for HTTP or HTTPS or the specified ACL does not exist or does not have rules the device permits all HTTP or HTTPS logins If the specifies ACL has rules only users permitted by the ACL can log in to the Web interface through HTTP or HTTPS SSH SSH is not available in Release 3111P02 Secure Shell SSH is a network security p...

Page 65: ...e value is in the range of 1 to 15 A smaller value represents a higher accuracy If the devices in a network cannot synchronize to an authoritative time source you can perform the following tasks Select a device that has a relatively accurate clock from the network Use the local clock of the device as the reference clock to synchronize other devices in the network You can configure the local clock ...

Page 66: ...termined by the subtree OID 1 3 6 1 6 1 2 1 and the subtree mask 0xDB 11011011 in binary includes all the nodes under the subtree OID 1 3 1 6 2 1 where represents any number NOTE If the number of bits in the subtree mask is greater than the number of nodes of the OID the excessive bits of the subtree mask will be ignored during subtree mask OID matching If the number of bits in the subtree mask is...

Page 67: ... the NMS uses Create an SNMPv3 group and assign the username to the group The user has the same access right as the group When you create the group specify one or more MIB views for the group The MIB views include read only MIB view read write MIB view or notify MIB view You can specify only one MIB view of a type for a group Read only MIB view only allows the group to read the values of the objec...

Page 68: ...ons depend on the modules that use ACLs ACL types and match criteria Table 15 shows the ACL types available on the switch and the fields that can be used to filter or match traffic Table 15 ACL types and match criteria Type ACL number IP version Match criteria Basic ACLs 2000 to 2999 IPv4 Source IPv4 address IPv6 Source IPv6 address Advanced ACLs 3000 to 3999 IPv4 Source IPv4 address Destination I...

Page 69: ... earlier Ethernet frame header ACL 1 More 1s in the source MAC address mask more 1s means a smaller MAC address 2 More 1s in the destination MAC address mask 3 Rule configured earlier NOTE A wildcard mask also called an inverse mask is a 32 bit binary number represented in dotted decimal notation In contrast to a network mask the 0 bits in a wildcard mask represent do care bits and the 1 bits repr...

Page 70: ... can include multiple periodic statements and absolute statements The active period of a time range is calculated as follows 1 Combining all periodic statements 2 Combining all absolute statements 3 Taking the intersection of the two statement sets as the active period of the time range SSL Secure Sockets Layer SSL is a cryptographic protocol that provides communication security for TCP based appl...

Page 71: ... device is replaced The local certificate has expired Managing peer public keys To encrypt information sent to a peer device or authenticate the digital signature of the peer device you must configure the peer device s public key on the local device You can import view and delete peer public keys on the local device Table 17 describes the peer public key configuration methods Table 17 Peer public ...

Page 72: ...The chain of these certificates forms a chain of trust Local certificate Digital certificate issued by a CA to a PKI entity which contains the entity s public key CRL A certificate revocation list CRL is a list of serial numbers for certificates that have been revoked A CRL is created and signed by the CA that originally issued the certificates The CA publishes CRLs periodically to revoke certific...

Page 73: ...I domain nor contained in the certificate to be imported When you import local certificates follow these guidelines If the certificate to be imported contains the CA certificate chain you also import the CA certificate by importing the local certificate You can directly import the local certificate if its associated CA certificate already exists on the device If the certificate file to be imported...

Page 74: ... group Contains multiple attribute rules each defining a matching criterion for an attribute in the certificate issuer name subject name or alternative subject name field If a certificate matches all attribute rules in a certificate attribute group associated with an access control rule the system determines that the certificate matches the access control rule In this scenario the match process st...

Page 75: ...ins the specified attribute value equ The DN is the same as the specified attribute value Any FQDN or IP address is the same as the specified attribute value nequ The DN is not the same as the specified attribute value None of the FQDNs or IP addresses are the same as the specified attribute value A certificate matches an attribute rule only if it contains an attribute that matches the criterion d...

Page 76: ...erface The QoS policy applied to the outgoing traffic on an interface does not regulate local packets Local packets refer to critical protocol packets sent by the local system for operation maintenance The most common local packets include link maintenance packets VLAN The QoS policy takes effect on the traffic sent or received on all ports in the VLAN QoS policies cannot be applied to dynamic VLA...

Page 77: ... queue with the second highest priority and so on You can assign mission critical packets to a high priority queue to make sure they are always serviced first Common service packets can be assigned to low priority queues to be transmitted when high priority queues are empty The disadvantage of SP queuing is that packets in the lower priority queues cannot be transmitted if packets exist in the hig...

Page 78: ...s empty round robin queue scheduling is performed for group 2 On an interface enabled with group based WRR queuing you can assign queues to the SP group Queues in the SP group are scheduled with SP The SP group has higher scheduling priority than the WRR groups Only group based WRR queuing is supported in the current software version and only WRR group 1 is supported WFQ queuing Figure 11 WFQ queu...

Page 79: ...and queue 2 are scheduled according to their weights WRR group 2 is scheduled when queue 7 queue 6 queue 5 queue 4 and queue 3 are all empty Queue 0 has the lowest priority and it is scheduled when all other queues are empty Priority mapping When a packet arrives a device assigns values of priority parameters to the packet for the purpose of queue scheduling and congestion control Priority mapping...

Page 80: ...generation rate while bursty traffic is allowed A token bucket has the following configurable parameters Mean rate at which tokens are put into the bucket which is the permitted average rate of traffic It is typically set to the committed information rate CIR Burst size or the capacity of the token bucket It is the maximum traffic size permitted in each burst It is typically set to the committed b...

Page 81: ...or scenarios where a few hosts exist on a LAN and their IP addresses are manually configured For example you can configure a static IPv4SG binding on an interface that connects to a server This binding allows the interface to receive packets only from the server Static IPv4SG bindings on an interface implements the following functions Filter incoming IPv4 packets on the interface Cooperate with AR...

Page 82: ...tocol to support MAC based access control Port based access control Once an 802 1X user passes authentication on a port all subsequent users can access the network through the port without authentication When the authenticated user logs off all other users are logged off MAC based access control Each user is separately authenticated on a port When a user logs off no other online users are affected...

Page 83: ...e 802 1X authentication Auth Fail VLAN The 802 1X Auth Fail VLAN on a port accommodates users who have failed 802 1X authentication because of the failure to comply with the organization s security strategy For example the VLAN accommodates users who have entered a wrong password The Auth Fail VLAN does not accommodate 802 1X users who have failed authentication for authentication timeouts or netw...

Page 84: ...the user logs off the initial PVID of the port is restored If the authentication server does not authorize a VLAN the initial PVID applies The user and all subsequent 802 1X users are assigned to the initial port VLAN After the user logs off the port VLAN remains unchanged NOTE The initial PVID of an 802 1X enabled port refers to the PVID used by the port before the port is assigned to any 802 1X ...

Page 85: ...access resources only in the 802 1X Auth Fail VLAN A user who has passed authentication fails reauthentication because all the RADIUS servers are unreachable and the user is logged out of the device The device assigns the 802 1X critical VLAN to the port as the PVID Mandatory authentication domain You can place all 802 1X users in a mandatory authentication domain for authentication authorization ...

Page 86: ...ollowing order the port specific domain the global domain and the default domain Offline detect timer This timer sets the interval that the device waits for traffic from a user before the device regards the user idle If a user connection has been idle within the interval the device logs the user out and stops accounting for the user Quiet timer This timer sets the interval that the device must wai...

Page 87: ...rver model When no server is reachable for MAC reauthentication the device keeps the MAC authentication users online or logs off the users depending on the keep online feature configuration on the device Keep online By default the device logs off online MAC authentication users if no server is reachable for MAC reauthentication The keep online feature keeps authenticated MAC authentication users o...

Page 88: ...upports the following categories of security modes MAC learning control Includes two modes autoLearn and secure MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode Authentication Security modes in this category implement MAC authentication 802 1X authentication or a combination of these two authentication methods Upon receiving a frame the port in a security m...

Page 89: ...rt in secure mode A port in secure mode allows only frames sourced from the following MAC addresses to pass Secure MAC addresses Manually configured static and dynamic MAC addresses Perform 802 1X authentication userLogin A port in this mode performs 802 1X authentication and implements port based access control The port can service multiple 802 1X users Once an 802 1X user passes authentication o...

Page 90: ...dressElseUserLoginSecure mode except that this mode supports multiple 802 1X and MAC authentication users as the Ext keyword implies Port security features Intrusion protection mode The intrusion protection feature checks the source MAC addresses in inbound frames for illegal frames and takes one of the following actions in response to illegal frames Block MAC Adds the source MAC addresses of ille...

Page 91: ...ticky MAC addresses and you can manually configure sticky MAC addresses Authorization information ignore A port can be configured to ignore the authorization information received from the server local or remote after an 802 1X or MAC authentication user passes authentication Max users This function specifies the maximum number of secure MAC addresses that port security allows on a port The maximum...

Page 92: ...s this problem the access device needs to be able to detect the reachability changes of the portal server quickly and take corresponding actions to deal with the changes With the detection feature enabled the device periodically detects portal login logout or heartbeat packets sent by a portal authentication server to determine the reachability of the server If the device receives a portal packet ...

Page 93: ...l authentication process cannot complete if the communication between the access device and the portal Web server is broken To address this problem you can enable portal Web server detection on the access device With the portal Web server detection feature the access device simulates a Web access process to initiate a TCP connection to the portal Web server If the TCP connection can be established...

Page 94: ...luding the page elements that the authentication pages will use for example back jpg for authentication page Logon htm Follow the authentication page customization rules when you edit the authentication page files File name rules The names of the main authentication page files are fixed see Table 20 You can define the names of the files other than the main authentication page files File names and ...

Page 95: ...Authentication pages logonSuccess htm and online htm must contain the logoff Post request The following example shows part of the script in page online htm form action logon cgi method post p input type SUBMIT value Logoff name PtButton style width 60px form Page file compression and saving rules You must compress the authentication pages and their page elements into a standard zip file The name o...

Page 96: ...nable fail permit for both a portal authentication server and a portal Web server on an interface the interface performs the following operations Disables portal authentication when either server is unreachable Resumes portal authentication when both servers are reachable After portal authentication resumes unauthenticated users must pass portal authentication to access the network Users who have ...

Page 97: ...The device supports the following authentication methods No authentication This method trusts all users and does not perform authentication For security purposes do not use this method Local authentication The device authenticates users by itself based on the locally configured user information including the usernames passwords and attributes Local authentication allows high speed and low cost but...

Page 98: ...ferent ISPs The device supports multiple ISP domains including a system defined ISP domain named system One of the ISP domains is the default domain If a user does not provide an ISP domain name for authentication the device considers the user belongs to the default ISP domain The device chooses an authentication domain for each user in the following order The authentication domain specified for t...

Page 99: ...ADIUS server considers them to be online You can configure the interval for which the device waits to resend the accounting on packet and the maximum number of retries The RADIUS server must run on IMC to correctly log out users when a card reboots on the distributed device to which the users connect Session control A RADIUS server running on IMC can use session control packets to inform disconnec...

Page 100: ...wer module fails or the fan tray fails 3 Error Error condition For example the link state changes or a storage card is unplugged 4 Warning Warning condition For example an interface is disconnected or the memory resources are used up 5 Notification Normal but significant condition For example a terminal logs in to the device or the device reboots 6 Informational Informational message For example a...

Page 101: ...ress of the NTP server select the unicast server mode and enter the authentication key ID 2 Configure the NTP server On the NTP server enable the NTP service and configure NTP authentication on the NTP server For more information about the configuration procedure see the NTP server documentation Details not shown Verifying the configuration Verify that the system clock is in synchronized state and...

Page 102: ...work admin user role Select HTTP as the permitted access type 3 Enable the HTTP and HTTPS services a From the navigation tree select Network Service HTTP HTTPS b Enable the HTTP service c Enable the HTTPS service Verifying the configuration 1 Verify that the administrator account is successfully added Details not shown 2 Enter http 192 168 1 20 in the address bar to verify the following items You ...

Page 103: ...ndings link and then access the details page for IRF port 1 to assign XGE 1 0 49 and XGE 1 0 50 to IRF port 1 d Click the advanced link to perform the following tasks Set the domain ID to 10 If the software version is Release 3111P02 save the running configuration and then reboot the device If the software version is Release 5103P03 activate IRF port configuration save the running the configuratio...

Page 104: ...navigation tree select Device Virtualization IRF 3 Access the topology information page to verify the following items The stack contains member device 2 Switch A and member device 3 Switch B The stack ports are connected NTP configuration example Network requirements As shown in Figure 15 Configure the local clock of Device A as a reference source with the stratum level 2 Set Device B to client mo...

Page 105: ...access all nodes in the default MIB view Configure an IPv4 basic ACL to allow only the SNMPv2c NMS at 1 1 1 2 24 to use community name readandwrite to access the device e Enable traps and set the destination host to 1 1 1 2 with the security string readandwrite and security model v2c 2 Configure the SNMP NMS a Specify SNMPv2c b Create read and write community readandwrite For information about con...

Page 106: ...tEthernet 1 0 3 to the tagged port list 3 Configure Switch B in the same way Switch A is configured Details not shown Verifying the configuration 1 Access the link aggregation page and verify that ports GigabitEthernet 1 0 1 through GigabitEthernet 1 0 3 have been assigned to the link aggregation group Details not shown 2 Verify that Host A can ping Host B Details not shown 3 Verify that Host A ca...

Page 107: ...ts As shown in Figure 19 Host A and Host C belong to Department A VLAN 100 is assigned to Department A Host B and Host D belong to Department B VLAN 200 is assigned to Department B Configure VLANs so that only hosts in the same department can communicate with each other Figure 19 Network diagram Configuration procedure 1 Configure Switch A a From the navigation tree select Network Links VLAN b Cre...

Page 108: ... neither of them can ping Host A or Host C Details not shown Voice VLAN configuration example Network requirements As shown in Figure 20 IP phone A sends and recognizes only untagged voice packets To enable GigabitEthernet 1 0 1 to transmit only voice packets perform the following tasks on Switch A Create VLAN 2 This VLAN will be used as a voice VLAN Add GigabitEthernet 1 0 1 to VLAN 2 Add the OUI...

Page 109: ...dd a blackhole MAC address entry for Host B Set the aging timer to 500 seconds for dynamic MAC address entries Figure 21 Network diagram Configuration procedure 1 From the navigation tree select Network Links MAC 2 Add a static MAC address entry for the MAC address 000f e235 dc71 The outgoing interface is GigabitEthernet 1 0 1 and the VLAN is 1 3 Add a blackhole MAC address entry for the MAC addre...

Page 110: ...t c Configure VLANs on Switch C From the navigation tree select Network Links VLAN Create VLAN 10 Access the details page for VLAN 10 Add ports GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 to the tagged port list d Configure VLANs on Switch D From the navigation tree select Network Links VLAN Create VLAN 30 Access the details page for VLAN 30 Add ports GigabitEthernet 1 0 1 and GigabitEthernet ...

Page 111: ...frames Then Switch A can discover neighbors 2 Configure LLDP on Switch B a From the navigation tree select Network Links LLDP b Enable LLDP globally on Switch B c Access the interface status page and enable LLDP on GigabitEthernet 1 0 1 d Access interface configuration page of advanced settings to perform the following tasks Enable the nearest bridge agent function on GigabitEthernet 1 0 1 Configu...

Page 112: ...nterface that connects to the client to record DHCP snooping entries 4 Access the advanced settings page to perform the following tasks Save the DHCP snooping entries to a remote server Specify the URL as ftp 10 1 1 1 database dhcp Specify the username and password for logging into the remote server Verifying the configuration 1 Verify that the DHCP client can obtain an IP address and configuratio...

Page 113: ...a From the navigation tree select Network IP ARP b Access the page for adding a static ARP entry to perform the following tasks Configure the IP as 192 168 1 1 Configure the MAC address as 10 e0 fc 01 00 01 Configure VLAN 10 for the entry Select GigabitEthernet 1 0 1 for the entry Verifying the configuration Verify that the static ARP entry is successfully added Details not shown Static DNS config...

Page 114: ...s The switch can use static domain name resolution to resolve domain name host com into IP address 10 1 1 2 Dynamic DNS configuration example Network requirements As shown in Figure 27 the DNS server at 2 1 1 2 16 has a com domain that stores the mapping between domain name host and IP address 3 1 1 1 16 Configure dynamic DNS and the DNS suffix com on the device that acts as a DNS client The devic...

Page 115: ...er and the DDNS server can update the mapping on the DNS server Configure DNS on the switch so that the switch can resolve www 3322 org into the IP address 61 160 239 78 Figure 28 Network diagram Configuration procedure 1 On the DDNS server create an account Access the website at http www 3322 org and set the account name to abc and the password to 123 Details not shown 2 On the DNS server create ...

Page 116: ...Network IP DNS d Configure the IP address of the DNS server as 1 1 1 1 Verifying the configuration 1 Change the IP address of the VLAN interface 10 on the switch to 2 1 1 2 24 2 After a period ping the domain name whatever 3322 org from the host to verify that the domain name is resolved to the IP address 2 1 1 2 Static IPv6 address configuration example Network requirements As shown in Figure 29 ...

Page 117: ...on Switch A generates an IPv6 global unicast addresses through stateless address autoconfiguration Figure 30 Network diagram Configuration procedure 1 Configure Switch B a From the navigation tree select Network Links VLAN b Create VLAN 10 c Access the details page for VLAN 10 to perform the following tasks Add GigabitEthernet 1 0 2 to the tagged port list Create VLAN interface 10 Assign the IP ad...

Page 118: ...FF FE5A 2AC8 and the address prefix is the same as that advertised by Switch B Port mirroring configuration example Network requirements As shown in Figure 31 GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 of the switch are connected to the marketing department and the technical department respectively The switch is connected to the server through GigabitEthernet 1 0 3 Configure local port mirror...

Page 119: ...igation tree select Network Routing Static Routing b Configure the route Set the destination address to 0 0 0 0 Set the mask length to 0 Set the next hop address to 1 1 4 2 Switch B NOTE If the switch has only one uplink port you only need to configure a default route that points to the upstream device 2 On Switch B configure static routes to reach Host A and Host C a Configure a static route to t...

Page 120: ...er 5 b Set the match mode to permit c Select the IPv4 ACL match criterion d Create an IPv4 advanced ACL 3001 and configure a rule to permit TCP packets e Select IPv4 ACL 3001 as the match criterion for the policy pbr f Set the next hop address to 1 1 2 2 for matching packets 4 Click Forwarding policy of locally generated IP packets and choose pbr to apply the policy to the local device Verifying t...

Page 121: ...e the source IP address of IGMP queries as a non zero IP address Figure 34 Network diagram Configuration procedure 1 Configure Switch A a From the navigation tree select Network Multicast IGMP Snooping b Enable IGMP snooping for VLAN 1 c Specify the IGMP snooping version as 2 d Enable dropping unknown multicast data e Enable the switch to act as the IGMP querier f Set the source IP address to 192 ...

Page 122: ...snooping configuration example Network requirements As shown in Figure 35 The network is a Layer 2 only network Host A and Host B are receivers of IPv6 multicast group FF1E 101 All host receivers run MLDv1 and all switches run MLDv1 snooping Switch A which is close to the multicast source acts as the MLD querier To prevent the switches from flooding unknown packets in the VLAN enable all the switc...

Page 123: ...ntries to check that the forwarding entry for the IPv6 multicast group exists DHCP configuration example Network requirements As shown in Figure 36 the DHCP client and the DHCP server are on different subnets Configure the DHCP relay agent on switch B so that the DHCP client can obtain IP addresses through DHCP Figure 36 Network diagram Configuration procedure 1 Configure the DHCP server a From th...

Page 124: ...service Configure VLAN interface 10 to operate in DHCP relay agent mode Specify the IP address of the DHCP server as 10 1 1 1 g Access the advanced settings page to perform the following tasks Enable the DHCP relay agent to record client information Enable the relay agent to fresh relay entries periodically Set the refresh internal to 100 seconds 3 Configure the DHCP client a From the navigation t...

Page 125: ... Enable the Stelnet service 3 Configure the VLAN and VLAN interface a From the navigation tree select Network Links VLAN b Create VLAN 2 c Add port GigabitEthernet 1 0 2 to the untagged port list of VLAN 2 d Create VLAN interface 2 and configure its IP address as 192 168 1 40 24 4 Configure the Stelnet client login authentication method as scheme a Log in to the switch through the console port b C...

Page 126: ...2 1 1 The rate of traffic for accessing the Internet is limited to 15 Mbps Figure 38 Network diagram Configuration procedure 1 Configure QoS policies a From the navigation tree select QoS QoS QoS Policy b Apply a QoS policy to the incoming traffic of GigabitEthernet 1 0 2 c Access the details page for the QoS policy to modify the applied QoS policy as follows Create IPv4 ACL 2000 and add a rule to...

Page 127: ...ce values 0 1 and 2 respectively 3 Configure hardware queuing a From the navigation tree select QoS QoS Hardware Queuing b Access the details page for GigabitEthernet 1 0 1 to perform the following tasks Configure the queuing algorithm as WRR byte count Modify the byte counts of queues 0 1 and 2 as 2 1 and 1 respectively 4 Configure rate limit a From the navigation tree select QoS QoS Rate Limit b...

Page 128: ...Permit 256 Source 192 168 2 0 0 0 0 255 Destination 192 168 0 100 0 Create a time range named work Specify the start time as 08 00 Specify the end time as 18 00 Select Monday through Friday Deny 256 Destination 192 168 0 100 0 N A 4 Enable rule match counting for the ACL Verifying the configuration 1 Ping the database server from different departments to verify the following items You can access t...

Page 129: ... 1 and MAC address 00 01 02 03 04 06 d Add an IP source guard entry for Host C The entry contains interface GigabitEthernet 1 0 2 IP address 192 168 0 3 and MAC address 00 01 02 03 04 05 2 Configure Device B a Configure IP addresses for the interfaces Details not shown b From the navigation tree select Security Packet Filter IP Source Guard c Add an IP source guard entry for Host B The entry conta...

Page 130: ...DIUS server Use name as the authentication and accounting shared keys for secure RADIUS communication between the switch and the RADIUS server Use ports 1812 and 1813 for authentication and accounting respectively Figure 41 Network diagram Configuration procedure 1 Configure IP addresses for the interfaces as shown in Figure 38 Details not shown 2 Configure a RADIUS scheme on the switch a From the...

Page 131: ...e navigation tree select Security Authentication RADIUS 2 Verify the configuration of RADIUS scheme 802 1X Details not shown 3 From the navigation tree select Security Authentication ISP Domains 4 Verify the configuration of ISP domain dm1X Details not shown 5 Use the configured user account to pass authentication 6 From the navigation tree select Security Access Control 802 1X 7 Verify that the n...

Page 132: ...iguration of local user dotuser Details not shown 3 From the navigation tree select Security Authentication ISP Domains 4 Verify the configuration of ISP domain abc Details not shown 5 Use the user account dotuser and password 12345 to pass authentication 6 From the navigation tree select Security Access Control 802 1X 7 Verify that the number of online users is not 0 on GigabitEthernet 1 0 1 Deta...

Page 133: ...r 3 Configure an ISP domain on the switch a From the navigation tree select Security Authentication ISP Domains b Add ISP domain macauth and set the domain state to Active c Set the access service to LAN access d Configure the ISP domain to use RADIUS scheme macauth for authentication authorization and accounting of LAN users 4 Configure MAC authentication on the switch a From the navigation tree ...

Page 134: ...WithOUI mode to control Internet access of users Configure the switch to meet the following requirements Use the RADIUS server to perform authentication authorization and accounting for users Use name as the authentication and accounting shared keys for secure RADIUS communication between the switch and the RADIUS server Use ports 1812 and 1813 for authentication and accounting respectively Authen...

Page 135: ...h a From the navigation tree select Security Access Control Port Security b Enable port security c On the advanced settings page for GigabitEthernet 1 0 1 set the port security mode to userLoginWithOUI d On the 802 1X tab of the advanced settings page for GigabitEthernet 1 0 1 set the 802 1X mandatory domain to portsec e On the advanced settings page for port security add five OUI values to the OU...

Page 136: ...igure a RADIUS scheme on the switch a From the navigation tree select Security Authentication RADIUS b Add RADIUS scheme rs1 c Configure the primary authentication server Set the IP address to 192 168 0 112 Set the authentication port number to 1812 Set the shared key to radius Set the server state to Active d Configure the primary accounting server Set the IP address to 192 168 0 112 Set the acco...

Page 137: ... port to 50100 c Add a portal Web server Specify the server name as newpt Specify the URL The URL must be the same as the URL of the portal Web server used in the network This example uses http 192 168 0 111 8080 portal d Add an interface policy Select interface VLAN interface 100 In the IPv4 configuration area enable portal authentication and select the Direct method Select portal Web server newp...

Page 138: ...tion tree select Security Authentication RADIUS b Add RADIUS scheme rs1 c Configure the primary authentication server Set the IP address to 192 168 0 113 Set the authentication port number to 1812 Set the shared key to radius Set the server state to Active d Configure the primary accounting server Set the IP address to 192 168 0 113 Set the accounting port number to 1813 Set the shared key to radi...

Page 139: ...ay agent mode d Configure the IP address of the DHCP server as 192 168 0 112 e Open the DHCP server advanced settings page and enable the Record DHCP relay client information feature 6 Configure authorized ARP on the switch a From the navigation tree select Network IP ARP b Open the advanced settings page c Open the ARP attack protection page d Enable authorized ARP on VLAN interface 100 7 Configu...

Page 140: ...own in Figure 47 Switch A supports portal authentication The host accesses Switch A through Switch B A portal server acts as both a portal authentication server and a portal Web server A RADIUS server acts as the authentication accounting server Configure Switch A for cross subnet portal authentication Before passing the authentication the host can access only the portal Web server After passing t...

Page 141: ...the VLAN and the VLAN interface on Switch A a From the navigation tree select Network Links VLAN b Create VLAN 4 c Open the details page for VLAN 4 d Create VLAN interface 4 and assign IP address 20 20 20 1 to it 5 Configure portal authentication on Switch A a From the navigation tree select Security Access Control Portal b Add a portal authentication server Specify the server name as newpt Specif...

Page 142: ...eb server A RADIUS server acts as the authentication accounting server Configure direct portal authentication on the switch Before a user passes portal authentication the user can access only the local portal Web server After passing portal authentication the user can access other network resources Figure 48 Network diagram Configuration procedure 1 Configure a RADIUS scheme on the switch a From t...

Page 143: ...Web server Specify the server name as newpt Specify the URL as http 2 2 2 1 2331 portal The URL can be the IP address of the interface enabled with portal authentication or a loopback interface s address other than 127 0 0 1 c Add a local portal Web server Select HTTP Select the default logon page abc zip The default logon page file must have existed in the root directory of the switch s storage m...

Page 144: ...y pairs for SSH a From the navigation tree select Resources Public key Public key b Add local DSA ECDSA and RSA key pairs 2 Configure the SSH server a From the navigation tree select Network Service SSH b Enable the Stelnet service 3 Configure the VLAN and VLAN interface a From the navigation tree select Network Links VLAN b Create VLAN 2 c Access the details page for VLAN 2 to perform the followi...

Page 145: ...Add a user account on the server Details not shown Configure the authentication authorization and accounting settings Details not shown Configure the user role feature to assign authenticated SSH users the network admin user role Details not shown Verifying the configuration Initiate an SSH connection to the switch and enter the correct username and password The user logs in to the switch Verify t...

Page 146: ...avigation tree select PoE PoE 2 Enable PoE for GigabitEthernet 1 0 1 and GigabitEthernet 1 0 2 set the power supply priority to critical 3 Enable PoE for GigabitEthernet 1 0 3 and set the maximum PoE power for the interface to 9000 milliwatts ...

Page 147: ...v6 address prefix length ipv6 address prefix length default gateway ipv6 gateway address Assigns an IPv6 global unicast address to VLAN interface 1 ipsetup ipv6 auto Enables VLAN interface 1 to obtain an IPv6 global unicast address through stateless autoconfiguration password Modifies the login password for a user ping host Identifies whether the destination IPv4 address is reachable and display r...

Page 148: ... use of Hewlett Packard Enterprise support personnel when troubleshooting an issue This is not a supported feature for operation in customer networks Restores the default display poe pse Use display poe pse to display PSE information Syntax display poe pse pse id Views User view Predefined user roles network admin network operator Parameters pse id Specifies a PSE by its ID Usage guidelines If you...

Page 149: ... Max Power Maximum power of the PSE Remaining Guaranteed Power Remaining guaranteed power of the PSE Maximum guaranteed power of the PSE Total maximum power of all critical PIs of the PSE PSE CPLD Version PSE CPLD version number PSE Software Version PSE software version number PSE Hardware Version PSE hardware version number Legacy PD Detection Nonstandard PD detection status Enabled Disabled Powe...

Page 150: ...User view Predefined user roles network admin Usage guidelines You can use either of the following methods to assign an IPv4 address to VLAN interface 1 DHCP VLAN interface 1 acts as a DHCP client to dynamically obtain an IPv4 address from the DHCP server Manual Allows you to use the ipsetup ip address command to assign an IPv4 address to this interface Whichever method is used the newly obtained ...

Page 151: ...N interface 1 DHCP VLAN interface 1 acts as a DHCP client to dynamically obtain an IPv4 address from the DHCP server Manual Allows you to use the ipsetup ip address command to assign an IPv4 address to this interface Whichever method is used the newly obtained IPv4 address overwrites the existing IPv4 address Examples Assign 192 168 1 2 to the interface and specify 192 168 1 1 as the default gatew...

Page 152: ...interface 1 and specify 2 3 as the default gateway Sysname ipsetup ipv6 address 2 2 64 default gateway 2 3 Related commands ipsetup ipv6 auto ipsetup ipv6 auto Use ipsetup ipv6 auto to configure VLAN interface 1 to obtain an IPv6 global unicast address through stateless autoconfiguration Syntax ipsetup ipv6 auto Default No IPv6 global unicast address can be obtained for VLAN interface 1 through st...

Page 153: ...lay related statistics Syntax ping host Views User view Predefined user roles network admin Parameters host Specifies the destination IPv4 address or host name The host name must be a case insensitive string of 1 to 253 characters that can contain only letters digits hyphens underscores _ and dots Usage guidelines To terminate a ping operation press Ctrl C Examples Ping IP address 1 1 2 2 Sysname ...

Page 154: ...ring of 1 to 253 characters that can contain only letters digits hyphens underscores _ and dots Usage guidelines To terminate a ping operation press Ctrl C Examples Ping IPv6 address 2001 2 Sysname ping ipv6 2001 2 Ping6 56 data bytes 2001 1 2001 2 press CTRL_C to break 56 bytes from 2001 2 icmp_seq 0 hlim 64 time 62 000 ms 56 bytes from 2001 2 icmp_seq 1 hlim 64 time 23 000 ms 56 bytes from 2001 ...

Page 155: ...ice in either of the following modes Refresh mode Updates the PSE firmware without deleting it You can use the refresh mode in most cases Full mode Deletes the current PSE firmware and reloads a new one Use the full mode if the PSE firmware is damaged and you cannot execute any PoE commands Examples Upgrade the firmware of PSE 7 in service Sysname poe update refresh POE 168 bin pse 7 quit Use quit...

Page 156: ...For data security the device does not reboot if you reboot the device while the device is performing file operations Use the force keyword only when the device fails or a reboot command without the force keyword cannot perform a reboot task correctly A reboot command with the force keyword might result in file system corruption because it does not perform data protection Examples Reboot all stack ...

Page 157: ...IPv6 subnet mask length IPv6 global address IPv6 subnet mask length IPv6 default gateway Software images on slot 1 Current software images flash 1950 cmw710 boot r3111p02 bin flash 1950 cmw710 system r3111p02 bin Main startup software images flash 1950 cmw710 boot r3111p02 bin flash 1950 cmw710 system r3111p02 bin Backup startup software images flash 1950 cmw710 boot a0007 ft bin flash 1950 cmw710...

Page 158: ...contain only letters digits hyphens underscores _ and dots service port Specifies the TCP port number for the Telnet service on the remote host The value range is 0 to 65535 and the default is 23 source Specifies a source IPv4 address or source interface for outgoing Telnet packets If you do not specify this keyword the command uses the primary IPv4 address of the routing outbound interface as the...

Page 159: ...remote host The value range is 0 to 65535 and the default is 23 Usage guidelines To terminate the current Telnet connection press Ctrl K or execute the quit command Examples Telnet to the host at 5000 1 Sysname telnet ipv6 5000 1 transceiver phony alarm disable Use transceiver phony alarm disable to disable transceiver module source alarm Use undo transceiver phony alarm disable to enable transcei...

Page 160: ...ase insensitive string The file must be stored in the root directory of a storage medium in the system The value range is 1 to 63 characters for the storage medium base filename bin segments of the file path This length limit does not include the stack member ID or slot number in front of the storage medium segment system system package Specifies the file path of a bin system image file a case ins...

Page 161: ...om bin already exists Overwrite Y N y Verifying server file Downloading file boot bin from remote TFTP server please wait Done This command will upgrade the Boot ROM file on the specified board s Continue Y N y Now Upgrade the Boot ROM of slot 1 please wait Done Download file all ipe from the root directory of the TFTP server and use the ipe file at the next startup Sysname upgrade 192 168 8 2 run...

Page 162: ...s the main startup software images at the next reboot on slot 1 xtd cli mode Use xtd cli mode to switch to extended CLI mode Use undo xtd cli mode to restore the default Syntax xtd cli mode undo xtd cli mode Default You can display and execute part of the commands on the device Views User view Predefined user roles network admin Usage guidelines Extended CLI is for the use of Hewlett Packard Enter...

Page 163: ...g Extended CLI mode is intended for developers to test the system Before using commands in extended CLI mode contact the Technical Support and make sure you know the potential impact on the device and the network ...

Page 164: ... which you select at least one x y Asterisk marked square brackets enclose optional syntax choices separated by vertical bars from which you select one choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI conventions Convention Description Boldface Window names...

Page 165: ...rwarding and other Layer 2 features Represents an access controller a unified wired WLAN module or the access controller engine on a unified wired WLAN switch Represents an access point Represents a wireless terminator unit Represents a wireless terminator Represents a mesh access point Represents omnidirectional signals Represents directional signals Represents a security product such as a firewa...

Page 166: ...s provide a mechanism for accessing software updates through the product interface Review your product documentation to identify the recommended software update method To download product updates go to either of the following Hewlett Packard Enterprise Support Center Get connected with updates page www hpe com support e updates Software Depot website www hpe com support softwaredepot To view and u...

Page 167: ...r self repair CSR programs allow you to repair your product If a CSR part needs to be replaced it will be shipped directly to you so that you can install it at your convenience Some parts do not qualify for CSR Your Hewlett Packard Enterprise authorized service provider will determine whether a repair can be accomplished by CSR For more information about CSR contact your local service provider or ...

Page 168: ...number edition and publication date located on the front cover of the document For online help content include the product name product version help edition and publication date located on the legal notices page ...

Page 169: ...sequence 54 DHCP IP address conflict detection 55 IP 39 IP address classes 39 Address Resolution Protocol Use ARP administrator configuration 93 password control 20 22 RBAC 20 21 user account 20 21 aggregating link See Ethernet link aggregation aging MAC address table timer 34 allocating DHCP IP address allocation sequence 54 alternate port MST 35 Anycast IPv6 address type 46 applying PBR apply cl...

Page 170: ...ntication 122 AAA TACACS server SSH user 136 administrator 93 ARP 40 ARP static entry 104 DDNS 45 DDNS www 3322 org 107 device maintenance 93 DHCP 115 DHCP snooping 103 direct security portal authentication local portal Web server 87 Ethernet link aggregation 27 97 examples 93 interface storm control 31 IP 39 IP source guard IPSG 73 IPv4 dynamic DNS 106 IPv4 local PBR 112 IPv4 source guard static ...

Page 171: ...e also Option relay agent 55 relay agent entry periodic refresh 55 relay agent relay entry recording 55 snooping See DHCP snooping DHCP snooping configuration 103 discarding MST discarding port state 36 displaying settings of table entry 9 DNS 45 See also DDNS DDNS configuration 45 DDNS configuration www 3322 org 107 dynamic domain name resolution 44 IPv4 dynamic DNS 106 IPv4 static DNS 105 proxy ...

Page 172: ...eriodic packet send 41 group Ethernet link aggregation group 27 Ethernet link aggregation member port state 27 guest VLAN 802 1X authentication 76 H hardware congestion management queue scheduling profile 71 hardware queuing configuration 68 SP queuing 69 WFQ queuing 70 WRR queuing 69 I ICMPv6 IPv6 ND protocol 49 icon Web interface 8 ID IP address class Host ID 39 IP address class Net ID 39 IGMP s...

Page 173: ... proxy 51 IP source guard IPSG configuration 73 IPv4 See IPv4 source guard IPng 46 See also IPv6 IP to MAC DHCP snooping 38 IPv4 IP 39 IP address classes 39 IP addressing masking 39 IP addressing subnetting 39 IPv4 local PBR configuration 112 IPv4 source guard static binding configuration 121 IPv4 static routing configuration 111 IPv6 46 See also IPng address formats 46 address type 46 EUI 64 addr...

Page 174: ...em log destinations 92 information center system log levels 92 login first time 3 Web interface 2 logout Web 4 loop spanning tree configuration 34 M MAC 802 1X MAC based access control 74 MAC address entry configuration 101 MAC address table address learning 34 configuration 33 dynamic aging timer 34 entry types 33 MAC addressing ARP 40 gratuitous ARP 41 IP services gratuitous ARP packet learning ...

Page 175: ...hbor entry 49 IPv6 ND protocol 49 network 802 1X architecture 73 802 1X authentication method 74 802 1X authentication trigger 75 802 1X Auth Fail VLAN 75 802 1X authorization state 74 802 1X critical VLAN 76 802 1X EAD assistant 77 802 1X guest VLAN 76 802 1X local authentication configuration 123 802 1X mandatory authentication domain 77 802 1X online user handshake 75 802 1X periodic online use...

Page 176: ...t 802 1X 73 ARP 40 ARP attack protection 41 DDNS configuration 45 DHCP 53 DHCP relay agent 55 DHCP server 53 DHCP snooping 38 DNS 44 Ethernet link aggregation configuration 27 FTP 57 gratuitous ARP 41 HTTP 56 HTTPS 56 IGMP snooping 53 IP 39 IPv4 local PBR configuration 112 IPv4 static routing configuration 111 IPv6 46 Layer 2 LAN switching port isolation configuration 31 LLDP configuration 36 MAC ...

Page 177: ...uest rules 87 parameter IPv6 RA message parameter 49 password SSH Secure Telnet server configuration password authentication enabled 117 PBR policy 52 Track collaboration 53 performing saving configuration 9 Web basic tasks 9 periodic gratuitous ARP packet send 41 policy IPv4 local PBR configuration 112 PBR 52 52 QoS application 68 QoS definition 68 QoS policy configuration 68 policy based routing...

Page 178: ...ing 121 configuring IPv4 static DNS 105 configuring IPv4 static routing 111 configuring IPv6 ND neighbor entry 49 configuring LLDP 103 configuring MAC address entry 101 configuring MSTP 101 configuring ND 109 configuring network services 97 configuring NTP 96 configuring PoE 137 configuring port isolation 98 configuring port mirroring 110 configuring QoS 118 configuring RADIUS based MAC authentica...

Page 179: ...ueue scheduling profile 71 Secure Telnet server configuration password authentication enabled 117 security 802 1X 73 802 1X authentication method 74 802 1X authentication trigger 75 802 1X Auth Fail VLAN 75 802 1X critical VLAN 76 802 1X EAD assistant 77 802 1X guest VLAN 76 802 1X local authentication configuration 123 802 1X mandatory authentication domain 77 802 1X online user handshake 75 802 ...

Page 180: ... IPv4 dynamic DNS 106 IPv4 source guard static binding configuration 121 IPv4 static DNS 105 MAC address table entry 33 routing See static routing storm interface storm control 31 STP mode set 35 subnetting IP addressing 39 suppressing interface storm control configuration 31 switch IPv4 local PBR configuration 112 IPv4 static routing configuration 111 system FTP 57 HTTP 56 HTTPS 56 information ce...

Page 181: ...relay agent 55 DHCP server 53 IGMP snooping 53 interface configuration 32 IP source guard IPSG configuration 73 IPv4 source guard static binding configuration 121 Layer 2 LAN switching port isolation configuration 31 LLDP CDP compatibility 38 port mirroring configuration 52 port based configuration 31 QoS policy application 68 voice VLAN assignment mode 33 voice VLAN assignment mode automatic 33 v...

Page 182: ...action protocols 86 portal Web server 85 RBAC 21 resources features 60 security features 73 SNTP operating mode 19 SNTP time source authentication 20 system time source 19 table page 6 user account management 21 using Web interface 5 webpage types 6 Web interface configuration page 7 feature page 6 layout 5 table page 6 webpage types 6 Web login concurrent login user 3 default settings 2 first tim...

Reviews:

No comments

Related manuals for OfficeConnect 1950 Series

D-Link DUB-H4 - Hub - USB Installation Manual preview
DUB-H4 - Hub - USB
Brand: D-Link Pages: 4
D-Link DSS-16+ Quick Install Manual preview
DSS-16+
Brand: D-Link Pages: 2
Cabletron Systems SmartCell 6A000 User Manual preview
SmartCell 6A000
Brand: Cabletron Systems Pages: 114
Cabletron Systems MRX Installation Manual preview
MRX
Brand: Cabletron Systems Pages: 62
Cabletron Systems CyberSWITCH CSX150 Quick Start Manual preview
CyberSWITCH CSX150
Brand: Cabletron Systems Pages: 49
Cabletron Systems Cabletron CyberSWITCH CSX5500 User Manual preview
Cabletron CyberSWITCH CSX5500
Brand: Cabletron Systems Pages: 729
Fema DCM Series Assembly And Operating Instructions Manual preview
DCM Series
Brand: Fema Pages: 96
Brightlink 16x16 Manual preview
16x16
Brand: Brightlink Pages: 33
United Electric Controls 54 Series Assembly, Installation And Operation Instructions preview
54 Series
Brand: United Electric Controls Pages: 6
Gilat SkyEdge II-c Capricorn Pro 4 AC Series Installation Notes preview
SkyEdge II-c Capricorn Pro 4 AC Series
Brand: Gilat Pages: 2
ATZ HDMI-161SM Manual preview
HDMI-161SM
Brand: ATZ Pages: 8
Gefen EXT-DVIKVM-441DL User Manual preview
EXT-DVIKVM-441DL
Brand: Gefen Pages: 32
Little Giant ACS-3 Installation, Operation, Maintenance & Repair Parts preview
ACS-3
Brand: Little Giant Pages: 2
TRENDnet TE100-S5 Lühike Paigaldusjuhend preview
TE100-S5
Brand: TRENDnet Pages: 11
PKP PSA10 Instruction Manual preview
PSA10
Brand: PKP Pages: 11
Comtech EF Data CRS-280 Installation And Operation Manual preview
CRS-280
Brand: Comtech EF Data Pages: 70
Radware Alteon 5208 Memory Upgrade Procedure preview
Alteon 5208
Brand: Radware Pages: 4
Global Streams GlobeCaster STUDIO 4000 Manual preview
GlobeCaster STUDIO 4000
Brand: Global Streams Pages: 144

Brands by name

Popular brands

Load more brands