Huawei Quidway S3000-EI Series Operation Manual Download Page 117

Page: 117 / 392

Operation Manual - QoS/ACL
Quidway S3000-EI Series Ethernet Switches

Chapter 1 ACL Configuration

Huawei Technologies Proprietary

1-2

rule, i.e. in depth-first order). Once the user specifies the match-order of an access

control rule, he cannot modify it later, unless he deletes all the content and specifies the

match-order again.

The case includes: ACL cited by route policy function, ACL used for control logon user,

etc.

Note:

The depth-first principle is to put the statement specifying the smallest range of packets

on the top of the list. This can be implemented through comparing the wildcards of the

addresses. The smaller the wildcard is, the less hosts it can specify. For example,

129.102.1.1 0.0.0.0 specifies a host, while 129.102.1.1 0.0.255.255 specifies a network

segment, 129.102.0.1 through 129.102.255.255. Obviously, the former one is listed

ahead in the access control list.

The specific standard is as follows.

For basic access control list statements, comparing the source address wildcards

directly. If the wildcards are same, follow the configuration sequence.

For the access control list based on the interface filter, the rule that is configured with

any

is listed in the end, while others follow the configuration sequence.

For the advanced access control list, comparing the source address wildcards first. If

they are the same, then comparing the destination address wildcards. For the same

destination address wildcards, comparing the ranges of port number, the one with

smaller range is listed ahead. If the port numbers are in the same range, follow the

configuration sequence.

1.1.2 ACL Supported by the Ethernet Switch

For Ethernet Switch, ACLs are divided into the following categories:

Numbered basic ACL.

Named basic ACL.

Numbered advanced ACL.

Named advanced ACL.

Numbered Layer-2 ACL.

Named Layer-2 ACL.

Numbered user-defined ACL.

Named user-defined ACL.

The table below lists the limits to the numbers of different ACL on a switch.

Summary of Contents for Quidway S3000-EI Series

Page 1: ...I 1 Getting Started 2 Port 3 VLAN 4 Multicast 5 QoS ACL 6 Integrated Management 7 STP 8 Security 9 Network Protocol 10 System Management 11 Remote Power feeding 12 Appendix Quidway S3000 EI Series Ethernet Switches Operation Manual VRP3 10 ...

Page 2: ... service If you purchase the products from the sales agent of Huawei Technologies Co Ltd please contact our sales agent If you purchase the products from Huawei Technologies Co Ltd directly Please feel free to contact our local office customer care center or company headquarters Huawei Technologies Co Ltd Address Administration Building Huawei Technologies Co Ltd Bantian Longgang District Shenzhen...

Page 3: ...bridge Tellwin Inmedia VRP DOPRA iTELLIN HUAWEI OptiX C C08iNET NETENGINE OptiX iSite U SYS iMUSE OpenEye Lansway SmartAX infoX and TopEng are trademarks of Huawei Technologies Co Ltd All other trademarks and trade names mentioned in this manual are the property of their respective holders Notice The information in this manual is subject to change without notice Every effort has been made in the p...

Page 4: ...figuration and maintenance of S3000 EI Series Ethernet Switches Quidway S3000 EI Series Ethernet Switches Command Manual Introduces the commands of such modules as getting started port VLAN multicast protocols QoS ACL integrated management STP security network protocols remote power feeding and system management Organization Quidway S3000 EI Series Ethernet Switches Operation Manual consists of th...

Page 5: ... introduces system management and maintenance of Ethernet Switch including file system management system maintenance and network management configuration z Remote Power feeding This module introduces remote power feeding configuration z Appendix Intended Audience The manual is intended for the following readers z Network engineers z Network administrators z Customers who are familiar with network ...

Page 6: ...items are grouped in square brackets and separated by vertical bars Many or none can be selected A line starting with the sign is comments III GUI conventions Convention Description Button names are inside angle brackets For example click the OK button Window names menu items data table and field names are inside square brackets For example pop up the New User window Multi level menus are separate...

Page 7: ... the primary mouse button twice continuously and quickly without moving the pointer Drag Press and hold the primary mouse button and move the pointer to a certain position VI Symbols Eye catching symbols are also used in the manual to highlight the points worthy of special attention during the operation They are defined as follows Caution Warning Means reader be extremely careful during the operat...

Page 8: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Getting Started ...

Page 9: ...of Command Line 3 5 3 3 2 Displaying Characteristics of Command Line 3 6 3 3 3 History Command of Command Line 3 6 3 3 4 Common Command Line Error Messages 3 7 3 3 5 Editing Characteristics of Command Line 3 7 Chapter 4 User Interface Configuration 4 1 4 1 User Interface Overview 4 1 4 2 User Interface Configuration 4 2 4 2 1 Entering User Interface View 4 2 4 2 2 Configuring the User Interface Su...

Page 10: ... Setting Deleting the Management VLAN Interface Description Character String 5 5 5 2 4 Enabling Disabling a Management VLAN Interface 5 6 5 2 5 Configuring the Hostname and Host IP Address 5 6 5 2 6 Configuring a Static Route 5 7 5 2 7 Configuring the Default Preference of Static Routes 5 7 5 3 Displaying and Debugging System IP 5 7 ...

Page 11: ...o fixed 10 100 1000Base T uplink ports The only difference between S3026E FM and S3026E FS Ethernet Switch is the fixed optical ports with different attributes they provide S3026E FM Ethernet Switch provides 12 fixed 100Base FX multi mode optical ports while S3026E FS Ethernet Switch provides 12 fixed 100Base FX single mode optical ports Each of them also provides one console port two 6 port 100M ...

Page 12: ...back pressure based flow control half duplex Broadcast Suppression Supports Broadcast Suppression Multicast Supports GARP Multicast Registration Protocol GMRP Supports Internet Group Management Protocol IGMP Snooping Link aggregation Supports link aggregation Mirror Support the mirror based on the traffic classification PoE Support Power over Ethernet PoE only on the S3026C PWR switch in S3000 EI ...

Page 13: ...rts configuration through dialing the Modem Supports SNMP management Supports Quidview NMS and RMON MIB Group 1 2 3 and 9 Supports system log Supports level alarms Supports Huawei Group Management Protocol HGMP V2 Supports output of the debugging information Supports PING and Tracert Supports the remote maintenance via Telnet or Modem or SSH Loading and update Supports to load and upgrade software...

Page 14: ...of a PC or a terminal to the Console port of the switch with the Console cable Console port RS 232 Serial port Console cable Figure 2 1 Setting up the local configuration environment via the Console port Step 2 Run terminal emulator such as Terminal on Windows 3X or the Hyper Terminal on Windows 9X on the Computer Set the terminal communication parameters as follows Set the baud rate to 9600 datab...

Page 15: ...onnection Figure 2 4 Setting communication parameters Step 3 The switch is powered on Display self test information of the switch and prompt you to press Enter to show the command line prompt such as Quidway Step 4 Input a command to configure the switch or view the operation state Input a for an immediate help For details of specific commands refer to the following chapters ...

Page 16: ...t Note By default the password is required for authenticating the Telnet user to log in the switch If a user logs in via the Telnet without password he will see the prompt Login password has not been set Quidway system view Quidway user interface vty 0 Quidway ui vty0 set authentication password simple xxxx xxxx is the preset login password of Telnet user Step 2 To set up the configuration environ...

Page 17: ...o get the immediate help For details of specific commands refer to the following chapters Note z When configuring the switch via Telnet do not modify the IP address of it unless necessary for the modification might cut the Telnet connection z By default when a Telnet user passes the password authentication to log on to the switch he can access the commands at Level 0 2 2 2 Telneting a Switch throu...

Page 18: ...refer to the section describing Connecting a PC to the Switch through Telnet Step 3 Perform the following operations on the Telnet Client Quidway telnet xxxx xxxx can be the hostname or IP address of the Telnet Server If it is the hostname you need to use the ip host command to specify Step 4 Enter the preset login password and you will see the prompt such Quidway If the prompt All user interfaces...

Page 19: ...ed to the terminal AT F Reset Modem factory settings ATS0 1 Set auto response ring once AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Force DSR to be high level ATEQ1 W Bar the modem to send command response or execution result and save the configurations After the configuration key in the AT V command to verify the Modem settings Note z The Modem configuration co...

Page 20: ...dem Modem serial port line Remote tel 82882285 Console port PSTN Figure 2 8 Setting up remote configuration environment Step 4 Dial for connection to the switch using the terminal emulator and Modem on the remote end The number dialed shall be the telephone number of the Modem connected to the switch See the two figures below Figure 2 9 Setting the dialed number ...

Page 21: ...aling on the remote PC Step 5 Enter the preset login password on the remote terminal emulator and wait for the prompt such as Quidway Then you can configure and manage the switch Enter to get the immediate help For details of specific commands refer to the following chapters Note By default when a Modem user logs in he can access the commands at Level 0 ...

Page 22: ...milar to Doskey to execute a history command z The command line interpreter searches for target not fully matching the keywords It is ok for you to key in the whole keyword or part of it as long as it is unique and not ambiguous 3 2 Command Line View Quidway series switches provide hierarchy protection for the command lines to avoid unauthorized user accessing illegally Commands are classified int...

Page 23: ...ord of the higher level is needed Suppose the user has set the super password level level simple cipher password For the sake of confidentiality on the screen the user cannot see the password that he entered Only when correct password is input for three times can the user switch to the higher level Otherwise the original user level will remain unchanged Different command views are implemented acco...

Page 24: ... port parameters Quidway Giga bitEthernet1 1 GigabitEthernet port view Key in interface gigabitethernet 1 1 in system view quit returns to system view return returns to user view VLAN view Configure VLAN parameters Quidway Vlan 1 Key in vlan 1 in system view quit returns to system view return returns to user view VLAN interface view Configure IP interface parameters for a VLAN or a VLAN aggregatio...

Page 25: ...asic ACL view Define the rule of basic ACL Quidway acl basic 2000 Key in acl number 2000 in system view quit returns to system view return returns to user view Advanced ACL view Define the rule of advanced ACL Quidway acl a dv 3000 Key in acl number 3000 in system view quit returns to system view return returns to user view Layer 2 ACL view Define the rule of layer 2 ACL Quidway acl li nk 4000 Key...

Page 26: ...lp You can get the help information through these online help commands which are described as follows 1 Input in any view to get all the commands in it and corresponding descriptions Quidway User view commands boot Set boot option cd Change current directory clock Specify the system clock copy Copy from one file to another debugging Enable system debugging functions delete Delete a file dir List f...

Page 27: ...stics of Command Line Command line interface provides the following display characteristics z For users convenience the instruction and help information can be displayed in both English and Chinese z For the information to be displayed exceeding one screen pausing function is provided In this case users can have three choices as shown in the table below Table 3 2 Functions of displaying Key or Com...

Page 28: ...he two keys differently In this case use the combination keys Ctrl P and Ctrl N instead for the same purpose 3 3 4 Common Command Line Error Messages All the input commands by users can be correctly executed if they have passed the grammar check Otherwise error messages will be reported to users The common error messages are listed in the following table Table 3 4 Common command line error message...

Page 29: ...rsor key or Ctrl B Move the cursor a character backward Rightwards cursor key or Ctrl F Move the cursor a character forward Up cursor key or Ctrl P Down cursor key or Ctrl N Retrieve the history command Tab Press Tab after typing the incomplete key word and the system will execute the partial help If the key word matching the typed one is unique the system will replace the typed one with the compl...

Page 30: ...og in the switch via the Console port A switch can only have one AUX user interface z VTY user interface VTY user interface is used to telnet the switch A switch can have up to five VTY user interface Note For Quidway series switches AUX port and Console port are the same one There is only the type of AUX user interface User interface is numbered in the following two ways absolute number and relat...

Page 31: ... user interfaces respectively Perform the following configuration in system view Table 4 1 Entering user interface view Operation Command Enter a single user interface view or multi user interface views user interface type first number last number 4 2 2 Configuring the User Interface Supported Protocol The following command is used for setting the supported protocol by the current user interface Y...

Page 32: ...UX Console Port The following commands can be used for configuring the attributes of the AUX Console port including speed flow control parity stop bit and data bit Perform the following configurations in user interface AUX user interface only view I Configuring the transmission speed on AUX Console port Table 4 3 Configuring the transmission speed on AUX Console port Operation Command Configure th...

Page 33: ... V Configuring the data bit of AUX Console port Table 4 7 Configuring the data bit of AUX Console port Operation Command Configure the data bit of AUX Console port databits 7 8 Restore the default data bit of AUX Console port undo databits By default AUX Console port supports 8 data bits 4 2 4 Configuring the Terminal Attributes The following commands can be used for configuring the terminal attri...

Page 34: ...nd on the user interface via which you log in z You will be asked to confirm before using undo shell on any legal user interface II Configuring idle timeout Table 4 9 Configuring idle timeout Operation Command Configure idle timeout idle timeout minutes seconds Restore the default idle timeout undo idle timeout By default idle timeout is enabled and set to 10 minutes on all the user interfaces Tha...

Page 35: ...buffer size Operation Command Set the history command buffer size history command max size value Restore the default history command buffer size undo history command max size By default the size of the history command buffer is 10 that is 10 history commands can be saved 4 2 5 Managing Users The management of users includes the setting of user logon authentication method level of command which a u...

Page 36: ...do set authentication password Configure for password authentication when a user logs in through a VTY 0 user interface and set the password to huawei Quidway user interface vty 0 Quidway ui vty0 authentication mode password Quidway ui vty0 set authentication password simple huawei 2 Perform local or remote authentication of username and password to the user interface Using authentication mode sch...

Page 37: ...user logging in service type ftp ftp directory directory lan access ssh level level telnet level level telnet level level ssh level level Restore the default command level used after a user logging in undo service type ftp ftp directory lan access ssh level telnet level telnet level ssh level By default the specified logon user can access the commands at Level 1 III Setting the command level used ...

Page 38: ...or she can only use the commands of level 3 or lower when logging into the switch from the VTY 0 user interface IV Set command priority The following command is used for setting the priority of a specified command in a certain view The command levels include visit monitoring system and management which are identified with 0 through 3 respectively An administrator assigns authorities as per user re...

Page 39: ...lly run the command Operation Command Configure to automatically run the command auto execute command text Configure not to automatically run the command undo auto execute command Note the following points z After executing this command the user interface can no longer be used to carry out the routine configurations for the local system Use this command with caution z Make sure that you will be ab...

Page 40: ...ary 4 11 Table 4 20 Displaying and debugging user interface Operation Command Clear a specified user interface free user interface type number Display the user application information of the user interface display users all Display the physical attributes and some configurations of the user interface display user interface type number number ...

Page 41: ...dress allocated to the devices which access into the Internet It consists of two fields net id field and host id field There are five types of IP address See the following figure 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 0 1 0 1 1 0 1 1 1 0 1 1 1 1 0 net id net id net id Multicast address Reserved address host id host id host id Class A Class B Class C C...

Page 42: ...rrent network and its network can be cited by the router without knowing its network number Network ID with the format of 127 X Y Z is reserved for self loop test and the packets sent to this address will not be output to the line The packets are processed internally and regarded as input packets B 128 0 0 0 to 191 255 2 55 255 128 0 0 0 to 191 254 0 0 Host ID with all the digits being 0 indicates...

Page 43: ...sk The mask divides the IP address into two parts subnet address and host address The bits 1s in the address and the mask indicate the subnet address and the other bits indicate the host address If there is no sub net division then its sub net mask is the default value and the length of 1 indicates the net id length Therefore for IP addresses of classes A B and C the default values of correspondin...

Page 44: ...8 38 128 0 101 Subnet address 138 38 160 0 110 Subnet address 138 38 192 0 111 Subnet address 138 38 224 0 Subnet number Host number Subnet address Figure 5 2 Subnet division of IP address 5 1 3 Static Route A static route is a special route which is manually configured by the network administrator The static route is applied in a comparatively simple network The proper configuration and usage of ...

Page 45: ...lnet and web management to switch Perform the following configuration in VLAN interface view Table 5 3 Assigning deleting the IP address for of the management VLAN interface Operation Command Assign the IP address of a management VLAN interface ip address ip address net mask Delete the IP address of a management VLAN interface undo ip address ip address net mask By default the management VLAN inte...

Page 46: ...hutdown The operation of enabling disabling management VLAN interface has no effect on the up down status of the Ethernet ports belong to the VLAN By default when all the Ethernet ports belonging to the management VLAN are in down status the management VLAN interface is also down i e the management VLAN interface is disabled When there is one or more Ethernet ports in up status the management VLAN...

Page 47: ... 7 Configuring the Default Preference of Static Routes The default preference will be the preference of the static route if its preference is not specified when configured You can change the default preference value of the static routes to be configured by using the following command Perform the following configurations in system view Table 5 8 Configuring the default preference of static routes O...

Page 48: ... ip routing table verbose View the detailed information of a specific route display ip routing table ip address mask longer match verbose view the route information in the specified address range display ip routing table ip_address1 mask1 ip_address2 mask2 verbose View the route filtered through specified basic access control list ACL display ip routing table acl acl number acl name verbose View t...

Page 49: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Port ...

Page 50: ...rnet Port Broadcast Suppression Ratio 1 5 1 3 6 Set link type for Ethernet port 1 6 1 3 7 Add the Ethernet port to Specified VLANs 1 6 1 3 8 Set the Default VLAN ID for the Ethernet Port 1 7 1 3 9 Set loopback detection for the Ethernet port 1 8 1 3 10 Set the Time Interval of Calculating Port Statistics Information 1 9 1 3 11 Port Traffic Threshold Configuration 1 9 1 4 Display and Debug Ethernet...

Page 51: ...6 port 100Base FX multi mode module The uplink module slots support 100Base FX multi mode module 100Base FX single mode module 1000Base SX module 1000Base LX module 1000Base T electrical port module 1000Base ZX module 1000Base LX GL module and stack module S3026C PWR Ethernet switch provides 24 fixed 10 100Base T fixed Ethernet ports and two extended module slots which support one port 1000Base LX...

Page 52: ...t port z Set speed for Ethernet port z Set cable type for the Ethernet port z Enable Disable flow control for Ethernet port z Set Ethernet port broadcast suppression ratio z Set link type for Ethernet port z Add the Ethernet port to specified VLANs z Set the default VLAN ID for the Ethernet port z Set loopback detection for the Ethernet port z Set the time interval of calculating port statistics i...

Page 53: ...ernet undo description By default the port description is a null character string 1 3 1 Set Duplex Attribute of the Ethernet Port To configure a port to send and receive data packets at the same time set it to full duplex To configure a port to either send or receive data packets at a time set it to half duplex If the port has been set to auto negotiation mode the local and peer ports will automat...

Page 54: ...speed 10 100 auto Set Gigabit Ethernet port speed speed 10 100 1000 auto Restore the default speed on Ethernet port undo speed Note that the 100M electrical Ethernet port can operate at 10Mbps 100Mbps or auto negotiated speed as per different requirements 100M optical Ethernet port supports 100Mbps and can be configured to operate at 100 100Mbps or auto auto negotiation The optical Gigabit Etherne...

Page 55: ...n this way packet loss is reduced effectively The flow control function of the Ethernet port can be enabled or disabled through the following command Perform the following configuration in Ethernet port view Table 1 7 Enable Disable Flow Control for Ethernet Port Operation Command Enable Ethernet port flow control flow control Disable Ethernet port flow control undo flow control By default Etherne...

Page 56: ...he difference between the hybrid port and the trunk port is that the hybrid port allows the packets from multiple VLANs to be sent without tags but the trunk port only allows the packets from the default VLAN to be sent without tags Perform the following configuration in Ethernet port view Table 1 9 Set link type for Ethernet port Operation Command Configure the port as access port port link type ...

Page 57: ...the Ethernet port to specified VLANs the local port can forward packets of these VLANs The hybrid and trunk ports can be added to multiple VLANs thereby implementing the VLAN intercommunication between peers For the hybrid port you can configure to tag some VLAN packets based on which the packets can be processed differently 1 3 8 Set the Default VLAN ID for the Ethernet Port Since the access port...

Page 58: ...o which it belongs 1 3 9 Set loopback detection for the Ethernet port The following commands are used for enabling the port loopback detection and setting detection interval for the external loopback condition of each port If there is a loopback port found the switch will put it under control Perform the following configuration in corresponding view Table 1 12 Set loopback detection for the Ethern...

Page 59: ...nformation the switch calculates the average port speed during the time interval Perform the following configuration in Ethernet port view Table 1 13 Set the time interval of calculating port statistics information Operation Command Set the time interval of calculating port statistics information flow interval interval Restore the default time interval of calculating port statistics information un...

Page 60: ...messages Note The prompt character for Ethernet port view may vary with specific configuration II Port Traffic Threshold Configuration Example 1 Configuration requirements z The traffic threshold on the Ethernet0 1 port is 5000pps and the detection interval is 10 seconds z The system disables the port and sends trap messages when actual traffic on the port exceeds the specified threshold 2 Configu...

Page 61: ...lay interface interface_type interface_type interface_num interface_name Display hybrid port or trunk port display port hybrid trunk Display the state of loopback detection on the port display loopback detection Clear the statistics information of the port reset counters interface interface_type interface_type interface_num interface_name Note that the loopback test cannot be performed on the port...

Page 62: ...et0 18 as a trunk port and allows VLAN 2 6 through 50 and 100 to pass through Quidway Ethernet0 18 port link type trunk Quidway Ethernet0 18 port trunk permit vlan 2 6 to 50 100 Create the VLAN 100 Quidway vlan 100 Configure the default VLAN ID of Ethernet0 18 as 100 Quidway Ethernet0 18 port trunk pvid vlan 100 1 6 Ethernet Port Troubleshooting Fault Default VLAN ID configuration failed Troublesh...

Page 63: ... same slot must be consecutive If two slots are involved the slot numbers should also be consecutive and the first port in the second slot must be added to the group first In a link aggregation group the port with the smallest number serves as the master port and the others serve as member ports In one link aggregation group the link type of the master port and the member ports must be identical T...

Page 64: ...able 2 2 Display the information of the link aggregation Operation Command Display the information of the link aggregation display link aggregation master_port_num 2 4 Link Aggregation Configuration Example I Networking requirements The following example uses the link aggregation commands to aggregate several ports and implement the outgoing incoming payload balance among all the member ports The ...

Page 65: ... Other sub ports Ethernet0 2 Ethernet0 3 Mode both 2 5 Ethernet Link Aggregation Troubleshooting Fault You might see the prompt of configuration failure when configuring link aggregation Troubleshooting z Check the input parameter and see whether the starting number of Ethernet port is smaller than the end number If yes take the next step z Check whether the Ethernet ports that are in the configur...

Page 66: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual VLAN ...

Page 67: ...r vlan to Secondary VLAN 2 2 2 2 4 Configure VLAN ID of IGMP packets 2 3 2 3 Display and Debug isolate user vlan 2 3 2 4 isolate user vlan Configuration Example 2 3 Chapter 3 GARP GVRP Configuration 3 1 3 1 Configure GARP 3 1 3 1 1 GARP Overview 3 1 3 1 2 Set GARP Timer 3 2 3 1 3 Display and Debug GARP 3 3 3 2 Configure GVRP 3 3 3 2 1 GVRP Overview 3 3 3 2 2 Enable Disable Global GVRP 3 4 3 2 3 En...

Page 68: ...rnet Switches Table of Contents Huawei Technologies Proprietary ii 4 2 5 Enabling Disabling Voice VLAN Auto Mode 4 4 4 2 6 Setting the Aging Time of Voice VLAN 4 5 4 3 Displaying and Debugging of Voice VLAN 4 5 4 4 Voice VLAN Configuration Example 4 6 ...

Page 69: ...elpful in controlling network traffic saving device investment simplifying network management and improving security 1 2 Configure VLAN To configure a VLAN first create a VLAN according to the requirements Main VLAN configuration includes z Enable Disable VLAN feature z Create Delete a VLAN z Add Ethernet ports to a VLAN z Set Delete VLAN description character string 1 2 1 Enable Disable VLAN Feat...

Page 70: ... the VLAN view vlan_id specifies the VLAN ID Note that the default VLAN namely VLAN 1 cannot be deleted 1 2 3 Add Ethernet Ports to a VLAN You can use the following command to add the Ethernet ports to a VLAN Perform the following configuration in VLAN view Table 1 3 Add Ethernet ports to a VLAN Operation Command Add Ethernet ports to a VLAN port interface_list Remove Ethernet ports from a VLAN un...

Page 71: ...e display command in any view to display the running of the VLAN configuration and to verify the effect of the configuration Table 1 5 Display and debug VLAN Operation Command Display the related information about VLAN display vlan vlan_id all static dynamic 1 4 VLAN Configuration Example I Networking requirements Create VLAN2 and VLAN3 Add Ethernet port 0 1 and Ethernet port 0 2 to VLAN2 and add ...

Page 72: ...nfiguration Huawei Technologies Proprietary 1 4 Add Ethernet 0 1 and Ethernet 0 2 to VLAN2 Quidway vlan2 port ethernet 0 1 to ethernet 0 2 Create VLAN 3 and enters its view Quidway vlan2 vlan 3 Add Ethernet 0 3 and Ethernet 0 4 to VLAN3 Quidway vlan3 port ethernet0 3 to ethernet 0 4 ...

Page 73: ... isolation of the Layer 2 packets through assigning a Secondary VLAN for each user which only includes the ports and the Uplink ports connected to the user You can put the ports connected to different users into one Secondary VLAN to implement the Layer 2 packet intercommunication 2 2 Configure isolate user vlan Isolate user vlan configuration includes z Configure isolate user vlan z Configure sec...

Page 74: ...dd more than one port other than Uplink ports to a Secondary VLAN 2 2 3 Configure to Map isolate user vlan to Secondary VLAN You can use the following command to configure the isolate user vlan to map the Secondary VLAN Perform the following configurations in system view Table 2 3 Configure to map isolate user vlan to secondary VLAN Operation Command Configure to map isolate user vlan to secondary...

Page 75: ...e default VLAN ID of IGMP packets to be sent to the route interface undo isolate user vlan igsp enable By default IGMP packets are sent with isolate user vlan ID 2 3 Display and Debug isolate user vlan After the above configuration execute display command in any view to display the running of the isolate user vlan configuration and to verify the effect of the configuration Table 2 5 Display and de...

Page 76: ...ocedure Hereafter only listed the configuration procedure of the Switch B and Switch C Configure Switch B Configure isolate user vlan Quidway vlan 5 Quidway vlan5 isolate user vlan enable Quidway vlan5 port ethernet1 1 Configure Secondary VLAN Quidway vlan5 vlan 3 Quidway vlan3 port ethernet0 1 Quidway vlan3 vlan 2 Quidway vlan2 port ethernet0 2 Configure the isolate user vlan to Map the Secondary...

Page 77: ...itches Chapter 2 Isolate User Vlan Configuration Huawei Technologies Proprietary 2 5 Quidway vlan3 vlan 4 Quidway vlan4 port ethernet0 4 Configure the isolate user vlan to Map the Secondary VLAN Quidway vlan4 quit Quidway isolate user vlan 6 secondary 3 to 4 ...

Page 78: ...ormation of other GARP members according to the received declarations withdrawal declarations GARP members exchange information through sending messages There mainly are 3 types of GARP messages including Join Leave and LeaveAll When a GARP participant wants to register its attribute information on other switches it will send Join message outward When it wants to remove some attribute values from ...

Page 79: ... will be removed LeaveAll timer will be started as soon as the GARP participant is enabled LeaveAll message will be sent upon timeout so that other GARP participants will remove all the attribute values of this participant Then Leaveall timer is restarted and a new cycle begins When the switch receives some GARP registration information it will not send Join Message immediately Instead it will ena...

Page 80: ...cs interface interface list Display GARP timer display garp timer interface interface list Clear GARP statistics information reset garp statistics interface interface list Enable GARP event debugging debugging garp event Disable GARP event debugging undo debugging garp event 3 2 Configure GVRP 3 2 1 GVRP Overview GARP VLAN Registration Protocol GVRP is a GARP application Based on GARP operating me...

Page 81: ... the Trunk port 3 2 2 Enable Disable Global GVRP You can use the following command to enable disable global GVRP Perform the following configurations in system view Table 3 3 Enable Disable global GVRP Operation Command Enable global GVRP gvrp Disable global GVRP undo gvrp By default global GVRP is disabled 3 2 3 Enable Disable Port GVRP You can use the following command to enable disable the GVRP...

Page 82: ...mode all the VLANs except VLAN1 will be logged out and no other VLANs can be created and registered on this port Perform the following configurations in Ethernet port view Table 3 5 Set GVRP registration type Operation Command Set GVRP registration type gvrp registration normal fixed forbidden Restore the default GVRP registration type undo gvrp registration By default GVRP registration type is no...

Page 83: ...nfiguration procedure Configure Switch A Enable GVRP globally Quidway gvrp Set Ethernet0 10 as a Trunk port and allows all the VLANs to pass through Quidway interface ethernet0 10 Quidway Ethernet0 10 port link type trunk Quidway Ethernet0 10 port trunk permit vlan all Enable GVRP on the Trunk port Quidway Ethernet0 10 gvrp Configure Switch B Enable GVRP globally Quidway gvrp Set Ethernet0 11 as a...

Page 84: ...preset an OUI address or adopt the default OUI address as the standard Here the OUI address refers to that of a vendor Voice VLAN can be configured either manually or automatically In auto mode the system learns the source MAC address and automatically adds the ports to a Voice VLAN using the untagged packets sent out when IP Phone is powered on in manual mode however you need to add ports to a Vo...

Page 85: ...runk Support but the default VLAN of the connected port must exist and cannot be the voice VLAN The default VLAN is allowed to pass the connected port Tagged IP Phone Hybrid Support but the default VLAN of the connected port must exist and it is in the tagged VLAN list which is allowed to pass the connected port Access Support but the default VLAN of the connected port must be the Voice VLAN Trunk...

Page 86: ...e time 4 2 2 Enabling Disabling Voice VLAN Features on a Port Perform the following configuration in Ethernet port view Table 4 3 Configuring Voice VLAN features on a port Operation Command Enable the Voice VLAN features on a port voice vlan enable Disable the Voice VLAN features on a port undo voice vlan enable Only the Voice VLAN features in system view and port view are all enabled can the Voic...

Page 87: ...ce VLAN Security Mode In security mode the system can filter out the traffic whose source MAC is not OUI within the Voice VLAN while the other VLANs are not influenced Disabling security mode the system cannot filter anything Perform the following configuration in system view Table 4 6 Configuring the Voice VLAN security mode Operation Command Enable Voice VLAN security mode voice vlan security en...

Page 88: ... phase of Voice VLAN If OUI address is not learned by a port within the aging time the port is automatically deleted from Voice VLAN This command does not make sense in manual mode Perform the following configuration in system view Table 4 8 Configuring the aging time of Voice VLAN Operation command Set the aging time of Voice VLAN voice vlan aging minutes Restore the default aging time undo voice...

Page 89: ...0 minutes the OUI address to 0011 2200 0000 and configure the port Ethernet1 0 2 as the IP Phone access port The type of IP Phone is untagged II Network Diagram None III Configuration Steps Quidway vlan2 Quidway vlan2 port ethernet1 0 2 Quidway vlan2 interface ethernet1 0 2 Quidway Ethernet1 0 2 voice vlan enable Quidway Ethernet1 0 2 quit Quidway undo voice vlan mode auto Quidway voice vlan mac a...

Page 90: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Multicast ...

Page 91: ...Enabling Disabling the function of fast removing a port from a multicast group 2 6 2 2 6 Setting the maximum number of multicast groups permited on a port 2 7 2 2 7 Configuring IGMP Snooping Filter 2 7 2 2 8 Multicast Source Port Suppression Configuration 2 8 2 3 Display and debug IGMP Snooping 2 9 2 4 IGMP Snooping Configuration Example 2 9 2 4 1 Enable IGMP Snooping 2 9 2 5 Troubleshoot IGMP Sno...

Page 92: ...eiving the message the switch adds the port to the multicast group and broadcasts the message throughout the VLAN thereby the multicast source in the VLAN knows the multicast member joined When the multicast source multicasts packets to its group the switch only forwards the packets to the ports connected to the members thereby implementing the Layer 2 multicast in VLAN The multicast information t...

Page 93: ...nfiguration execute display command in any view to display the running of the GMRP configuration and to verify the effect of the configuration Execute debugging command in user view to debug GMRP configuration Table 1 3 Display and debug GMRP Operation Command Display GMRP statistics display gmrp statistics interface interface_list Display GMRP global status display gmrp status Enable GMRP debuggi...

Page 94: ...logies Proprietary 1 3 III Configuration procedure 1 Configure LS_A Enable GMRP globally Quidway gmrp Enable GMRP on the port Quidway interface Ethernet 0 1 Quidway Ethernet0 1 gmrp 2 Configure LS_B Enable GMRP globally Quidway gmrp Enable GMRP on the port Quidway interface Ethernet 0 1 Quidway Ethernet0 1 gmrp ...

Page 95: ...an IGMP host it will add the host to the corresponding multicast table If the switch hears IGMP leave message from an IGMP host it will remove the host from the corresponding multicast table The switch continuously listens to the IGMP messages to create and maintain MAC multicast address table on Layer 2 And then it can forward the multicast packets transmitted from the upstream router according t...

Page 96: ... group z MAC multicast group The multicast group is identified with MAC multicast address and maintained by the Ethernet switch z Router port aging time Time set on the router port aging timer If the switch has not received any IGMP general query message before the timer times out it considers the port no longer as a router port z Multicast group member port aging time When a port joins an IP mult...

Page 97: ...icast router that a port is ready to join a multicast group and starts the aging timer for the port 2 IGMP specific query message Transmitted from the multicast router to the multicast members and used for querying if a specific group contains any member When received IGMP specific query message the switch only transmits the specific query message to the IP multicast group which is queried 3 IGMP ...

Page 98: ...this group and meanwhile starts a maximum response timer If the switch has not receive any report message from the multicast group the port will be removed from the corresponding MAC multicast group If the MAC multicast group does not have any member the switch will notify the multicast router to remove it from the multicast tree 2 2 Configure IGMP Snooping The main IGMP Snooping configuration inc...

Page 99: ...efault aging time undo igmp snooping router aging time By default the port aging time is 260s 2 2 3 Configure Maximum Response Time This task is to manually configure the maximum response time If the Ethernet switch receives no report message from a port in the maximum response time it will remove the port from the multicast group Perform the following configuration in system view Table 2 3 Config...

Page 100: ... respond igmp snooping then removes the port form the group By configuring the follwing command igmp snooping removes the port from the multicast group directly at receiving the IGMP Leave packet The fast remove function saves bandwidth when only one user remaining at the port Perform the following configuration in Ethernet port view Table 2 5 Enabling Disabling the function of fast removing a por...

Page 101: ...g some multicast filtering ACLs for users on the different switch ports so that different users can order different program sets In practice when ordering a multicast program set the user originates an IGMP report packet Upon receiving the packet the switch first compares it against the multicast ACLs configured on the inbound port If allowed the switch then adds the port to the forward port list ...

Page 102: ...ce Port Suppression Perform the following configuration in system view or Ethernet port view Table 2 8 Enable disable multicast source port suppression function Operation Command Enable multicast source port suppression multicast source deny interface interface list Disable multicast source port suppression undo multicast source deny interface interface list By default the multicast source port su...

Page 103: ...mmand in any view to display the running of the IGMP Snooping configuration and to verify the effect of the configuration Execute debugging command in user view to debug IGMP Snooping configuration Table 2 10 Display and debug IGMP Snooping Operation Command Display the information about current IGMP Snooping configuration display igmp snooping configuration Display IGMP Snooping statistics of rec...

Page 104: ...GMP Snooping Fault Multicast function cannot be implemented on the switch Troubleshooting 1 IGMP Snooping is disabled z Input the display current configuration command to display the status of IGMP Snooping z If the switch disabled IGMP Snooping you can input igmp snooping enable in the system view to enable IGMP Snooping 2 Multicast forwarding table set up by IGMP Snooping is wrong z Input the di...

Page 105: ...ommand display igmp snooping group to check if MAC multicast forwarding table in the bottom layer and that created by IGMP Snooping is consistent You may also input the display mac vlan command in any view to check if MAC multicast forwarding table under vlanid in the bottom layer and that created by IGMP Snooping is consistent z If they are not consistent please contact the maintenance personnel ...

Page 106: ... multicast data packet with unregistered multicast address the switch will drop this packet In this way the bandwidth is saved and the efficiency of the system is enhanced 3 2 Unknown Multicast Dropping Configuration Unknown Multicast Dropping Configuration includes z Enable unknown multicast dropping function 3 2 1 Enable Unknown Multicast Dropping Perform the following configuration in system vi...

Page 107: ...wn multicast blocked function the switch cannot forward some specific multicast packets such as VRRP packets You can enable to forward these types of packets by adding multicast MAC address entries 4 2 Adding Multicast MAC Address Entries Follow these steps to add multicast MAC address entries Table 4 1 Add multicast MAC address entries Operation Command Remarks Enter system view system view Add m...

Page 108: ...is saved Additionally the absolute isolation between the multicast VLAN and the user VLANs guarantees the security of the network 5 2 Multicast VLAN Configuration 5 2 1 Configuration Tasks Though multicast VLAN is mainly implemented at layer 2 switching you must configure it on both layer 2 and 3 switches The following table describes the multicast VLAN configuration tasks Table 5 1 Multicast VLAN...

Page 109: ... Enabling the multicast VLAN function service type multicast Required Quitting the VLAN view quit Entering the Ethernet port view connected with the layer 3 switch interface interface_type interface_num interface_type port type interface_num port number Defining the type of the port to trunk or hybrid port link type trunk hybrid Required port hybrid vlan vlan_id_list tagged untagged Setting the de...

Page 110: ...r 3 switch The IP address of the VLAN 20 interface is 168 10 1 1 The port E1 0 1 belongs to VLAN 20 and is connected with the workstation VLAN 10 acts as a multicast VLAN The port E1 0 10 is connected with switch B Switch B Layer 2 switch VLAN 2 includes the port E1 0 1 which is connected with PC1 the VLAN 3 includes the port E1 0 2 which is connected with PC2 The port E1 0 10 is connected with sw...

Page 111: ...ace to 168 10 1 1 and enable the PIM DM protocol Switch A system view Switch A multicast routing enable Switch A vlan 20 Switch A vlan20 interface vlan interface 20 Switch A Vlan interface20 ip address 168 10 1 1 255 255 255 0 Switch A Vlan interface20 pim dm Switch A Vlan interface20 quit Configure VLAN 10 Switch A vlan 10 Switch A vlan10 quit Define the type of the Ethernet 1 0 10 port to hybrid...

Page 112: ...port link type hybrid Switch B Ethernet 1 0 10 port hybrid vlan 2 3 10 tagged Switch B Ethernet 1 0 10 quit Define the type of the Ethernet 1 0 1 port to hybrid Then join the port to VLAN 2 and 10 with the untagged option for the port to transmit packets of these VLANs without carrying VLAN tag Finally set the default VLAN ID of the port to VLAN 2 Switch B interface Ethernet 1 0 1 Switch B Etherne...

Page 113: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual QoS ACL ...

Page 114: ...ample 1 11 1 3 4 User defined ACL Configuration Example 1 12 Chapter 2 QoS Configuration 2 1 2 1 QoS Overview 2 1 2 1 1 Traffic 2 1 2 1 2 Traffic Classification 2 1 2 1 3 Packet Filter 2 2 2 1 4 Traffic Policing 2 2 2 1 5 Port traffic Limit 2 2 2 1 6 Redirection 2 2 2 1 7 Traffic Priority 2 2 2 1 8 Queue Scheduling 2 2 2 1 9 Traffic Mirroring 2 4 2 1 10 Traffic Counting 2 4 2 2 Configuring QoS 2 4...

Page 115: ...g ACL Control over the TELNET Users 3 1 3 2 1 Defining ACL 3 1 3 2 2 Calling ACL to Control TELNET Users 3 2 3 2 3 Configuration Example 3 2 3 3 Configuring ACL Control over the SNMP Users 3 3 3 3 1 Defining ACL 3 3 3 3 2 Calling ACL to Control SNMP Users 3 3 3 3 3 Configuration Example 3 5 3 4 Configuring ACL Control over the HTTP Users 3 5 3 4 1 Defining ACL 3 6 3 4 2 Calling ACL to Control HTTP...

Page 116: ...ith the access control rule the issue of match order arises I Case of filtering or classifying data transmitted by the hardware ACL can be used to filter or classify the data transmitted by the hardware of switch In this case the match order of ACL s sub rules is determined by the switch hardware The match order defined by the user can t be effective Due the chips installed the hardware match orde...

Page 117: ...list The specific standard is as follows For basic access control list statements comparing the source address wildcards directly If the wildcards are same follow the configuration sequence For the access control list based on the interface filter the rule that is configured with any is listed in the end while others follow the configuration sequence For the advanced access control list comparing ...

Page 118: ...rst and then define ACL using the defined time range in the definition followed activating ACL to validate it 1 2 1 Configuring the Time Range The process of configuring a time range includes the steps of configuring the hour minute range date ranges and period range The hour minute range is expressed in the units of minute hour Date range is expressed in the units of minute hour date month and ye...

Page 119: ... a rule to the ACL You can add multiple rules to one ACL Note z If a specific time rang is not defined the ACL will always function after activated z During the process of defining the ACL you can use the rule command for several times to define multiple rules for an ACL z If ACL is used for filter or classify the data transmitted by the hardware of switch the match order defined in the acl comman...

Page 120: ...e of Service IP and DSCP priorities You can use the following command to define advanced ACL Perform the following configuration in corresponding view Table 1 5 Defining the advanced ACL Operation Command Enter advanced ACL view from system view acl number acl number name acl name advanced match order config auto Add a sub item to the ACL from advanced ACL view rule rule id permit deny protocol so...

Page 121: ...rce vlan id source mac addr source mac wildcard interface interface name interface type interface num any egress dest mac addr dest mac wildcard interface interface name interface type interface num any time range name Delete a sub item from the ACL from Layer 2 ACL view undo rule rule id Delete one ACL or all the ACL from system view undo acl number acl number name acl name all Layer 2 ACL can be...

Page 122: ...ledgement field 54 J IP version 26 XY IP header length and currently unused bit 58 K TOS field 27 Z Currently unused bits and flags bit 59 L IP packet length 28 a Window Size field 60 M ID number 30 b Others 62 N Flags field 32 The offsets listed in the above table are the field offsets in the SNAP tag 802 3 data frame In the user defined ACL you can use the rule mask and offset parameters to sele...

Page 123: ...ame Delete a sub item from the ACL from user defined ACL view undo rule rule id Delete one ACL or all the ACL from system view undo acl number acl number name acl name all The self defined ACL are identified with the numbers ranging from 5000 to 5999 1 2 3 Activating ACL The defined ACL can be active after activated globally on the switch This function is used to activate the ACL filtering or clas...

Page 124: ...about the ACL display acl config all acl number acl name Display the information about the ACL running state display acl running packet filter all Clear ACL counters reset acl counter all acl number acl name The matched information of display acl config command specifies the rules treated by the switch s CPU The matched information of the transmitted data by switch can be displayed by display qos ...

Page 125: ...time range Define time range from 8 00 to 18 00 Quidway time range huawei 8 00 to 18 00 working day 2 Define the ACL to access the payment server Enter the named advanced ACL named as traffic of payserver Quidway acl name traffic of payserver advanced match order config Define the rules for other department to access the payment server Quidway acl adv traffic of payserver rule 1 deny ip source any...

Page 126: ...e listed 1 Define the time range Define time range from 8 00 to 18 00 Quidway time range huawei 8 00 to 18 00 daily 2 Define the ACL for packet which source IP is 10 1 1 1 Enter the named basic ACL named as traffic of host Quidway acl name traffic of host basic Define the rules for packet which source IP is 10 1 1 1 Quidway acl basic traffic of host rule 1 deny source 10 1 1 1 0 time range huawei ...

Page 127: ...for packet which source MAC address is 00e0 fc01 0101 and destination MAC address is 00e0 fc01 0303 Enter the named link ACL named as traffic of link Quidway acl name traffic of link link Define the rules for packet which source MAC address is 00e0 fc01 0101 and destination MAC address is 00e0 fc01 0303 Quidway acl link traffic of link rule 1 deny ip ingress 00e0 fc01 0101 0 0 0 egress 00e0 fc01 0...

Page 128: ...ns only the commands related to ACL configurations are listed 1 Define the time range Define time range from 8 00 to 18 00 Quidway time range huawei 8 00 to 18 00 daily 2 Define the ACL for TCP packet Enter the named user defined ACL named as traffic of tcp Quidway acl name traffic of tcp user Define the rules for TCP packet Quidway acl user traffic of tcp rule 1 deny 06 ff 35 time range huawei 3 ...

Page 129: ...echnology Ethernet will become one of the major ways to access the common Internet users In order to implement the end to end QoS solution on the whole network it is inevitable to consider the question of how to guarantee the Ethernet QoS service This requires the Ethernet switching devices to apply the Ethernet QoS technology and deliver the QoS guarantee at different levels to different types of...

Page 130: ...operation 2 1 4 Traffic Policing In order to deliver better service with the limited network resources QoS monitors the traffic of the specific user on the ingress so that it can make a better use of the assigned resource 2 1 5 Port traffic Limit The port traffic limit is the port based traffic limit used for limiting the general speed of packet output on the port 2 1 6 Redirection You can specify...

Page 131: ...guarantee the key service packets of higher priority are transmitted first while the packets of lower service priority are transmitted during the idling gap between transmitting the packets of higher service priorities The SP also has the drawback that when congestion occurs if there are many packets queuing in the higher priority queue it will require a long time to transmit these packets of high...

Page 132: ...figuring trust packet priority z Packet filter z Traffic policing z Redirection configuration z Priority tag z Queue scheduling z Traffic mirroring z Traffic statistics Before configure the about QoS tasks you have to define the corresponding ACL Packet filter function can be realized by activate the ACL 2 2 1 Setting Port Priority You can use the following command to set the port priority The swi...

Page 133: ...guration in Ethernet port view Table 2 2 Configuring port priority replacement Operation Command Configure trust packet 802 1p priority priority trust Configure not trust packet 802 1p priority undo priority 2 2 3 Traffic Policing Traffic policing is the flow based traffic limit It takes corresponding actions to deal with the flow at exceeding speed such as discarding or lowering the priority You ...

Page 134: ...cel the configuration port traffic limit undo line rate Ethernet Switch supports the function of configuring configure a traffic limit for a single port For details about the command refer to the Command Manual 2 2 5 Configuring Packet Redirection Packet redirection is to redirect the packets to be forwarded to CPU or other output port You can use the following command to configure the packet redi...

Page 135: ...number acl name rule rule link group acl number acl name rule rule Ethernet Switch support a function to tag the packets with IP precedence specified by ip precedence in the traffic priority command DSCP specified by dscp in the traffic priority command or 802 1p preference specified by cos in the traffic priority command You can tag the packets with different priorities at requirements on QoS pol...

Page 136: ...tionship between 802 1p priority and output queue 802 1p priority Queue ID 1 2 0 0 3 1 4 5 2 6 7 3 Table 2 9 Relationship between local precedence and output queue Local precedence Queue ID 0 1 0 2 3 1 4 5 2 6 7 3 I Configuring the mapping relationship between COS and local precedence By default the system provides the default COS Local precedence mapping relationship Table 2 10 Default CoS Local ...

Page 137: ...ts default value undo qos cos local precedence map By default the switch uses the default mapping relationship II Configuring the queue scheduler You can use the following command to configure the queue scheduler Perform the following configuration in system view Table 2 12 Configuring the queue scheduling algorithm Operation Command Configure the queue scheduling algorithm queue scheduler strict ...

Page 138: ...p acl number acl name rule rule For details about the command refer to the Command Manual 2 2 9 Configuring Traffic Statistics The traffic statistics function is used for counting the data packets of the specified traffic that is this function counts the transmitted data which matches the ACL rules After the traffic statistics function is configured the user can use display qos global traffic stat...

Page 139: ...ace type interface num all Display the parameter settings of traffic limit display qos interface interface name interface type interface num traffic limit Display the port traffic limit display qos interface interface name interface type interface num line rate Display the settings of priority tag display qos global traffic priority Display the settings of redirection display qos global traffic re...

Page 140: ...onfiguration example III Configuration procedure Note In the following configurations only the commands related to QoS ACL configurations are listed 1 Define the traffic accessing the payment query server Enter the named advanced ACL view identified as traffic of payserver Quidway acl name traffic of payserver advanced match order config Define advanced ACL traffic of payserver Quidway acl adv tra...

Page 141: ...a connected user can log on to the device only if he can pass the password authentication This chapter mainly introduces how to configure the first level security control over these access measures that is how to configure to filter the logon users with ACL For detailed description about how to configure the first level security refer to getting started module of Operation Manual 3 2 Configuring A...

Page 142: ...ll In the defining process you can configure several rules for an ACL using the rule command repeatedly 3 2 2 Calling ACL to Control TELNET Users To control TELNET users with ACL you can call the defined ACL in user interface view You can use the following command to call an ACL Perform the following configuration in corresponding view Table 3 2 Calling ACL to control TELNET users Operation Comman...

Page 143: ... Users Huawei Quidway Ethernet switch series support the remote management with the network management software The network management users can access the switch with SNMP Controlling such users with ACL can help filter the illegal NM users and prevent them from accessing the local switch Take the following steps to control the SNMP users with ACL 1 Defining ACL 2 Calling ACL to control SNMP user...

Page 144: ... ACL when configuring SNMP username snmp agent usm user v1 v2c user name group name acl acl list snmp agent usm user v3 user name group name authentication mode md5 sha auth password privacy mode des56 priv password acl acl list SNMP community name attribute is a feature of SNMP V1 Therefore calling an ACL for SNMP community name configuration can filter the access to SNMP V1network management sys...

Page 145: ... acl basic 2020 quit Call the basic ACLs Quidway snmp agent community read huawei acl 2020 Quidway snmp agent group v2c huaweigroup acl 2020 Quidway snmp agent usm user v2c huaweiuser huaweigroup acl 2020 3 4 Configuring ACL Control over the HTTP Users Quidway Ethernet switch series support the remote management through WEB The users can access the switch through HTTP Controlling such users with A...

Page 146: ...sers with ACL call the defined ACL You can use the following commands to call an ACL Perform the following configuration in system view Table 3 4 Calling ACL to control HTTP users Operation Command Call an ACL to control the WEB NM users ip http acl acl number Cancel the ACL control function undo ip http acl For more about the commands refer to the Command Manual Note Only the numbered basic ACL c...

Page 147: ...r ACL Control Configuration Huawei Technologies Proprietary 3 7 III Configuration procedure Define the basic ACL Quidway acl number 2030 match order config Quidway acl basic 2030 rule 1 permit source 10 110 100 46 0 Quidway acl basic 2030 quit Call the basic ACL Quidway ip http acl 2030 ...

Page 148: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Integrated Management ...

Page 149: ...2 2 1 NDP Overview 2 4 2 2 2 Enable Disable System NDP 2 5 2 2 3 Enable Disable Port NDP 2 5 2 2 4 Set NDP Holdtime 2 6 2 2 5 Set NDP Timer 2 6 2 2 6 Display and Debug NDP 2 6 2 3 Configure NTDP 2 7 2 3 1 NTDP Overview 2 7 2 3 2 Enable Disable System NTDP 2 8 2 3 3 Enable Disable Port NTDP 2 8 2 3 4 Set Hop Number for Topology Collection 2 9 2 3 5 Set hop delay and port delay for Collected Device ...

Page 150: ...y the Handshaking Message Interval 2 15 2 4 10 Configure Remote Control over the Member device 2 16 2 4 11 Configure the Cluster Server and Network Management and Log Hosts 2 17 2 4 12 Member Accessing 2 17 2 4 13 Display and Debug Cluster 2 18 2 5 HGMP V2 Configuration Example 2 18 Chapter 3 Cluster Multicast MAC Address Configuration 3 1 3 1 Configuring Cluster Multicast MAC Address 3 1 3 1 1 Co...

Page 151: ...s to the slave switch automatically as the switch joins the stack If a new switch is connected to the main switch via stack port the system will automatically add the new switch to the stack after the stack is established The connection of stack port automatically establishes the stack relationship If a slave stack port is disconnected that slave switch will exit the stack automatically 1 2 Config...

Page 152: ...able a stack Operation Command Enable a stack stacking enable Disable a stack undo stacking enable Please note that you can only operate on the main switch to disable a stack 1 2 3 Switch to a Slave Switch view to Perform the Configuration The following command can be used to switch from the main switch view to a slave switch view to change the configuration Please perform the following configurat...

Page 153: ...stack including stack number of main slave switches stack name stack device name MAC address and status etc When using this command on a slave switch you will find in the displayed information of the slave switch of the stack the stack number of the switch and MAC address of the main switch in the stack 1 4 Stack Function Configuration Example I Networking requirements Switch A Switch B and Switch...

Page 154: ...stack_1 Quidway Device Switch B MAC Address 00e0 fc07 58a0 Member status Up Member number 2 Name stack_2 Quidway Device Switch C MAC Address 00e0 fc07 58a1 Member status Up Switch to the slave switch Switch B to perform the configuration stack_0 Quidway stacking 1 stack_1 Quidway Display stack information on the slave switch Switch B stack_1 Quidway display stacking Slave device for stack Member n...

Page 155: ...Operation Manual Integrated Management Quidway S3000 EI Series Ethernet Switches Chapter 1 Stack Function Configuration Huawei Technologies Proprietary 1 5 stack_2 Quidway quit stack_0 Quidway ...

Page 156: ...ator device and several member devices compose a cluster The figure below illustrates a typical application of the cluster Administrator device Member device Member device Member device 69 110 1 1 Network management device Cluster 69 110 1 100 Candidate device network Figure 2 1 A cluster 2 1 2 Role of Switch The switches in a cluster have different status and functions and play different roles Yo...

Page 157: ...t e r Command switch Member switch Candidate switch R e m o v e f r o m a c l u s t e r D e s i g n a t e d a s c o m m a n d s w i t c h Added to a cluster R e m o v e f r o m a c l u s t e r Administrator device Member device Candidate device R e m o v e f r o m a c l u s t e r D e s i g n a t e d a s a d m i n i s t r a t o r d e v i c e Added to a cluster R e m o v e f r o m a c l u s t e r Co...

Page 158: ...plement the configuration and management over multiple switches There is no need to login to each member device and perform configuration on their Console ports respectively z Providing topology discovery and displaying function which is useful for network displaying and debugging z Saving IP address z Performing software upgrade and parameter configuration to multiple switches simultaneously z In...

Page 159: ...t supports different network layer protocols NDP is used for discovering the information of the directly connected neighbors including the device type software hardware version and connecting port of the adjacent devices It can also provide the information concerning device ID port address device capability and hardware platform etc All the devices supporting NDP maintain the NDP information table...

Page 160: ...stem NDP all the NDP information of the switch will be cleared and the switch will no longer process any NDP packets Perform the following configuration in system view Table 2 1 Enable Disable system NDP Operation Command Enable System NDP ndp enable interface port list Disable System NDP undo ndp enable interface port list By default System NDP is enabled 2 2 3 Enable Disable Port NDP You can set...

Page 161: ...econds 2 2 5 Set NDP Timer The NDP information of the adjacent nodes shall be updated frequently to guarantee the timely updating for local information You can use the following command to decide how often the NDP information will be updated Perform the following configuration in System view Table 2 4 Set NDP timer Operation Command Set NDP timer ndp timer hello seconds Set the NDP timer back to t...

Page 162: ... the cluster management According to the adjacent table information provided by NDP NTDP transmits and forwards NTDP topology collection request to collect NDP information and neighboring connection information of every device in a certain network After collecting the information the administrator device or the network administrator can perform some functions accordingly When the NDP on the member...

Page 163: ...rm the following configuration in system view Table 2 6 Enable Disable System NTDP Operation Command Enable System NTDP ntdp enable Disable System NTDP undo ntdp enable By default the System NTDP is enabled 2 3 3 Enable Disable Port NTDP You can use the following command to enable disable Port NTDP to decide to transmit receive and forward NTDP packet via which port After the system NTDP and port ...

Page 164: ...re the default hop number for topology collection undo ntdp hop Note that the settings are only valid on the first switch transmitting the topology collection request The broader collection scope requires more memory of the topology collecting device Normally collection is launched by the administrator device in cluster function By default the topology information of the switches 3 hops away from ...

Page 165: ... 3 6 Set Topology Collection Interval In order to learn the global topology changes in time it is necessary to periodically collect the topology information throughout the whole scope specified Perform the following configuration in system view Table 2 10 Set topology collection interval Operation Command Set topology collection interval ntdp timer interval in mins Restore the default topology col...

Page 166: ...urations of cluster management including how to enable and set up a cluster how to configure public network IP address for administrator device how to add delete a cluster member and how to configure the handshaking interval etc There must be a unique administrator device configured for every cluster A cluster contains only one administrator device When creating a cluster you are supposed to desig...

Page 167: ...nable the cluster function on the member devices and Candidate devices 2 4 2 Enable Disable Cluster Function Enable the cluster function before using it Perform the following configuration in system view Table 2 13 Enable Disable cluster function Operation Command Enable cluster function cluster enable Disable cluster function undo cluster enable Above commands can be used on any device supporting...

Page 168: ...nistrator ip address ip mask ip mask length Restore the default IP address pool of the cluster undo ip pool Before setting up a cluster the user should configure a private IP address pool for the member devices of the cluster Note that the above configuration can only be performed on administrator device and must be configured before the cluster is build The IP address pool of an existing cluster ...

Page 169: ...number to it automatically When a switch is added to a cluster the administrator will automatically set administrator s password as the switch s password 2 4 7 Set up a Cluster Automatically The system provides cluster auto setup function You can follow the prompts to setup a cluster step by step on an administrator capable device using the following command After auto build is executed the system...

Page 170: ...r timer value to the member devices By default the cluster holdtime is 60 seconds 2 4 9 Set Cluster Timer to Specify the Handshaking Message Interval The member devices and administrator device send handshake messages to communicate with each other in real time The administrator device monitors member states and link states inside the cluster through handshaking with members periodically After joi...

Page 171: ...device Normally the cluster packets can only be forwarded over VLAN1 In case of configuration error for example the member port connected to the administrator device is configured to VLAN2 the member device and the administrator device will not be able to communicate with each other However you can configure VLAN check on the administrator device to solve this problem After this task is conducted ...

Page 172: ...og hosts Perform the following configuration in cluster view Table 2 22 Configure FTP TFTP Servers and Logging SNMP Hosts for a Cluster Operation Command Configure FTP server for the whole cluster ftp server ip address Remove the FTP server from the cluster undo ftp server Configure TFTP server for the whole cluster tftp server ip address Remove the TFTP server from the cluster undo tftp server Co...

Page 173: ...member num mac address H H H administrator Note that when executed on the administrator device if the parameter member num specifying member number is omitted error message prompts Enter quit to stop switchover operation 2 4 13 Display and Debug Cluster After the above configuration execute display command in any view to display the running of the Cluster configuration and to verify the effect of ...

Page 174: ... 00e0 fc01 0012 Figure 2 3 HGMP networking III Configuration procedure 1 Configure the administrator device Enable global NDP on the device and port Ethernet0 1 and Ethernet0 2 Quidway ndp enable Quidway interface ethernet 0 1 Quidway Ethernet0 1 ndp enable Quidway Ethernet0 1 interface ethernet 0 2 Quidway Ethernet0 2 ndp enable Set to hold NDP information for 200 seconds Quidway ndp timer aging ...

Page 175: ...ter and give name to it Quidway cluster build huawei huawei_0 Quidway cluster Add the two connected switches into the cluster huawei_0 Quidway cluster add member 1 mac address 00e0 fc01 0011 huawei_0 Quidway cluster add member 17 mac address 00e0 fc01 0012 Set to hold the member information for 100 seconds huawei_0 Quidway cluster holdtime 100 huawei_0 Quidway cluster timer 10 Configure internal F...

Page 176: ...ations you can use the cluster switch to member num mac address H H H command to switch to the member device view to maintain and manage the member devices and use the cluster switch to administrator command to resume the administrator device view To reset a member device through the administrator device use the reboot member member num mac address H H H eraseflash command For detailed information...

Page 177: ...dress is used when NDP multicast packets NDTP multicast packet and HABP multicast packets are sent within the cluster thus avoiding the transmission problem of BPDU packets of the STP protocol when O E converter is used This configuration procedure only can be used to the administrative device Perform the following configuration in cluster view Table 3 1 Configure cluster multicast MAC address Ope...

Page 178: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual STP ...

Page 179: ...ity for a Switch 1 14 1 2 5 Configure the Max Hops in an MST Region 1 14 1 2 6 Configure the Switching Network Diameter 1 15 1 2 7 Configure the Time Parameters of a Switch 1 15 1 2 8 Configure the Max Transmission Speed on a Port 1 17 1 2 9 Configure a Port as an Edge Port 1 18 1 2 10 Configure the Path Cost of a Port 1 20 1 2 11 Configure the Priority of a Port 1 20 1 2 12 Configure the Port not...

Page 180: ...l regions each of which has a spanning tree independent of one another MSTP prunes the network into a loopfree tree to avoid proliferation it also provides multiple redundant paths for data forwarding to implement the VLAN data forwarding load balance 1 1 1 MSTP Concepts There are 4 MST region in Figure 1 1 The concept of MSTP will be introduced with this figure in the followed text Region A0 vlan...

Page 181: ...nternal Spanning Tree IST The entire switching network has a Common and Internal Spanning Tree CIST An MSTP region has an Internal Spanning Tree IST which is a fragment of CIST For example every MST region in figure2 1 has an IST IV CST Common Spanning Tree CST Connects the spanning trees of all the MST region Taking every MST region as a switch the CST can be regarded as their spanning tree gener...

Page 182: ... port Alternate port or BACKUP z The root port is the one through which the data are forwarded to the root z The designated port is the one through which the data are forwarded to the downstream network segment or switch z Master port is the port connecting the entire region to the Common Root Bridge and located on the shortest path between them z Alternate port is the backup of the master port Wh...

Page 183: ... calculation process of MSTI is same like RSTP In this way the packets of a VLAN travel along the corresponding MSTI inside the MST region and the CST between different regions Followed introduce the calculation process of one MSTI The fundamental of STP is that the switches exchange a special kind of protocol packet which is called configuration Bridge Protocol Data Units or BPDU in IEEE 802 1D t...

Page 184: ...lustrated in the Figure 1 3 Switch A forwards data to Switch B via the port AP1 So to Switch B the designated switch is Switch A and the designated port is AP1 Also in the figure above Switch B and Switch C are connected to the LAN and Switch B forwards packets to LAN So the designated switch of LAN is Switch B and the designated port is BP2 Note AP1 AP2 BP1 BP2 CP1 and CP2 respectively delegate t...

Page 185: ...BPDU of CP1 2 0 2 CP1 2 Select the optimum configuration BPDU Every switch transmits its configuration BPDU to others When a port receives a configuration BPDU with a lower priority than that of its own it will discard the message and keep the local BPDU unchanged When a higher priority configuration BPDU is received the local BPDU is updated And the optimum configuration BPDU will be elected thro...

Page 186: ...ated switch in the configuration BPDU of every port it regards itself as the root retains the configuration BPDU of each port and transmits configuration BPDU to others regularly thereafter By now the configuration BPDUs of the two ports are as follows Configuration BPDU of AP1 0 0 0 AP1 Configuration BPDU of AP2 0 0 0 AP2 Switch B BP1 receives the configuration BPDU from Switch A and finds that t...

Page 187: ...onfiguration BPDU will not be updated and retain 0 0 0 AP2 By comparison the configuration BPDU of CP2 is elected as the optimum one CP2 is elected as the root port whose BPDU will not change while CP1 will be blocked and retain its BPDU but it will not receive the data forwarded from Switch A until spanning tree calculation is triggered again by some changes For example the link from Switch B to ...

Page 188: ...transitional state mechanism is thus adopted to ensure the new configuration BPDU has been propagated throughout the network before the root port and designated port begin to send data again That is the root port and designated port should undergo a transitional state for a period of Forward Delay before they enter the forwarding state MSTP is compatible with STP and RSTP The MSTP switch can recog...

Page 189: ...alues You can configure these parameters per the actual conditions or simply take the defaults For detail information refer to the task description or the Command Manual Note When GVRP and MSTP startup on the switch simultaneously GVRP packets will propagate along CIST which is a spanning tree instance In this case if you want to issue a certain VLAN through GVRP on the network you should make sur...

Page 190: ...name STI VLAN mapping tables of an MST region and the MST region revision level Configuring the related parameters especially the VLAN mapping table of the MST region will lead to the recalculation of spanning tree and network topology flapping To bate such flapping MSTP triggers to recalculate the spanning tree according to the configurations only if one of the following conditions is met z The u...

Page 191: ...nning tree stp instance instance id root secondary bridge diameter bridgenum hello time centi senconds Specify current switch not to be the primary or secondary root undo stp instance instance id root After a switch is configured as primary root switch or secondary root switch user can t modify the bridge priority of the switch You can configure the current switch as the primary or secondary root ...

Page 192: ...Mode MSTP and RSTP are compatible and they can recognize the packets of each other However STP cannot recognize MSTP packets To implement the compatibility MSTP provides two operation modes STP compatible mode and MSTP mode In STP compatible mode the switch sends STP packets via every port and serves as a region itself In MSTP mode the switch ports send MSTP or STP packets when connected to the ST...

Page 193: ... priority for a switch Operation Command Configure the Bridge priority of the designated switch stp instance instance id bridge priority priority Restore the default Bridge priority of the designated switch undo stp instance instance id bridge priority When configuring the switch priority with the instance instance id parameter as 0 you are configuring the CIST priority of the switch Caution In th...

Page 194: ...ed by a series of switches Among these paths the one passing more switches than all others is the network diameter expressed as the number of passed switches You can use the following command to configure the diameter of the switching network Perform the following configuration in system view Table 1 8 Configure the switching network diameter Operation Command Configure the switching network diame...

Page 195: ...d throughout the network The switch sends Hello packet periodically at an interval specified by Hello Time to check if there is any link fault Max Age specifies when the configuration BPDU will expire The switch will discard the expired configuration BPDU You can use the following command to configure the time parameters for the switch Perform the following configuration in system view Table 1 9 C...

Page 196: ...ning tree and mistake the congestion as link fault However if the Max Age is too long the network device may not be able to discover the link fault and recalculate the spanning tree in time which will weaken the auto adaptation capacity of the network The default value is recommended To avoid frequent network flapping the values of Hello Time Forward Delay and Maximum Age should guarantee the foll...

Page 197: ...ith either of the above mentioned measures For more about the commands refer to the Command Manual This parameter only takes a relative value without units If it is set too large too many packets will be transmitted during every Hello Time and too many network resourced will be occupied The default value is recommended By default the max transmission speed on every Ethernet port of the switch is 3...

Page 198: ... from blocking state to forwarding state without any delay In the case that BPDU protection has not been enabled on the switch the configured edge port will turn into non edge port again when it receives BPDU from other port In the case that BPDU protection is enabled the port will be disabled The configuration of this parameter takes effect on all the STIs In other words if a port is configured a...

Page 199: ...nfiguration in Ethernet port view Table 1 15 Configure the Path Cost of a port Operation Command Configure the Path Cost of a port stp instance instance id cost cost Restore the default path cost of a port undo stp instance instance id cost You can configure the path cost of a port with either of the above mentioned measures For more about the commands refer to the Command Manual Upon the change o...

Page 200: ...iority undo stp instance instance id port priority You can configure the port priority with either of the above mentioned measures For more about the commands refer to the Command Manual Upon the change of port priority MSTP will recalculate the port role and transit the state Generally a smaller value represents a higher priority If all the Ethernet ports of a switch are configured with the same ...

Page 201: ... 1 19 Configure the port not to connect with the point to point link Operation Command Configure the port to connect with the point to point link stp point to point force true Configure the port not to connect with the point to point link stp point to point force false Configure MSTP to automatically detect if the port is directly connected with the point to point link stp point to point auto Conf...

Page 202: ...erates in either STP compatible or MSTP mode Suppose a port of an MSTP switch on a switching network is connected to an STP switch the port will automatically transit to operate in STP compatible mode However the port stays in STP compatible mode and cannot automatically transit back to MSTP mode when the STP switch is removed In this case you can perform mCheck operation to transit the port to MS...

Page 203: ...width in network design In case of configuration error or malicious attack the legal primary root may receive the BPDU with a higher priority and then loose its place which causes network topology change errors Due to the illegal change the traffic supposed to travel over the high speed link may be pulled to the low speed link and congestion will occur on the network Root protection function is us...

Page 204: ...ot protection Restore the disabled Root protection state as defaulted from system view undo stp interface interface list root protection Configure switch Root protection from Ethernet port view stp root protection Restore the disabled Root protection state as defaulted from Ethernet port view undo stp root protection Configure switch loop protection function from Ethernet port view stp loop protec...

Page 205: ...device stp enable Disable MSTP on a device stp disable Restore the disable state of MSTP as defaulted undo stp Only if MSTP has been enabled on the device will other MSTP configurations take effect By default MSTP is disabled 1 2 16 Enable Disable MSTP on a Port You can use the following command to enable disable MSTP on a port You may disable MSTP on some Ethernet ports of a switch to spare them ...

Page 206: ...tion execute display command in any view to display the running of the MSTP configuration and to verify the effect of the configuration Execute reset command in user view to clear the statistics of MSTP module Execute debugging command in user view to debug the MSTP module Table 1 26 Display and Debug MSTP Operation Command Show the configuration information about the current port and the switch d...

Page 207: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Security ...

Page 208: ...bling Disabling Guest VLAN 1 7 1 2 9 Setting 802 1x Re authentication 1 8 1 2 10 Setting 802 1x Client Version Authentication 1 9 1 2 11 Configuring 802 1x Dynamic User Binding 1 11 1 2 12 Setting the Maximum Times of Authentication Request Message Retransmission 1 12 1 2 13 Configuring Timers 1 13 1 2 14 Enabling Disabling a Quiet Period Timer 1 14 1 3 Displaying and Debugging 802 1x 1 15 1 4 802...

Page 209: ...0 Setting the Maximum Retransmitting Times of Stopping Accounting Request 2 16 2 3 11 Setting the Supported Type of RADIUS Server 2 17 2 3 12 Setting RADIUS Server State 2 17 2 3 13 Setting Username Format Transmitted to RADIUS Server 2 18 2 3 14 Setting the Unit of Data Flow that Transmitted to RADIUS Server 2 19 2 3 15 Configuring Local RADIUS Authentication Server 2 19 2 4 Displaying and Debugg...

Page 210: ...02 1x defines port based network access control protocol and only defines the point to point connection between the access device and the access port The port can be either physical or logical The typical application environment is as follows Each physical port of the LAN Switch only connects to one user workstation based on the physical port and the wireless LAN access environment defined by the ...

Page 211: ...carried in higher layer protocol EAPoL Controlled Port Port unauthorized LAN Uncontrolled Port Services offered by Authenticators System Figure 1 1 802 1x system architecture 1 1 3 802 1x Authentication Process 802 1x configures EAP frame to carry the authentication information The Standard defines the following types of EAP frames z EAP Packet Authentication information frame used to carry the au...

Page 212: ...m becomes much securer and easier to manage 1 2 Configuring 802 1x The configuration tasks of 802 1x itself can be fulfilled in system view of the Ethernet switch When the global 802 1x is not enabled the user can configure the 802 1x state of the port The configured items will take effect after the global 802 1x is enabled Note When 802 1x is enabled on a port the max number of MAC address learni...

Page 213: ...g disabling 802 1x Operation Command Enable the 802 1x dot1x interface interface list Disable the 802 1x undo dot1x interface interface list You can configure 802 1x on individual port before it is enabled globally The configuration will take effect right after 802 1x is enabled globally By default 802 1x authentication has not been enabled globally and on any port 1 2 2 Setting the Port Access Co...

Page 214: ...the default port access control method undo dot1x port method interface interface list By default 802 1x authentication method on the port is macbased That is authentication is performed based on MAC addresses 1 2 4 Checking the Users that Log on the Switch via Proxy The following commands are used for checking the users that log on the switch via proxy Perform the following configurations in syst...

Page 215: ...ion in DHCP Environment If in DHCP environment the users configure static IP addresses you can set 802 1x to disable the switch to trigger the user ID authentication over them with the following command Perform the following configurations in system view Table 1 6 Setting the Authentication in DHCP Environment Operation Command Disable the switch to trigger the user ID authentication over the user...

Page 216: ...owing configurations in system view Table 1 7 Configuring the authentication method for 802 1x user Operation Command Configure authentication method for 802 1x user dot1x authentication method chap pap eap Restore the default authentication method for 802 1x user undo dot1x authentication method By default CHAP authentication is used for 802 1x user authentication 1 2 8 Enabling Disabling Guest V...

Page 217: ...ction attribute in the access accept packet which is sent to the switch to 1 The switch re authenticates the access user periodically after receiving this kind of packets You can also enable 802 1x re authentication on the switch through this configuration making the switch re authenticates the access users periodically I Enabling 802 1x re authentication Before enabling the 802 1x re authenticati...

Page 218: ...kes the session timeout value in the access accept packet as the authentication period Perform the following in system view Table 1 10 Configuring 802 1x re authentication timeout timer Operation Command Configure parameters of the timer dot1x timer reauth period reauth period value Return to the defaults undo dot1x timer reauth period By default reauth period value is 3600 seconds 1 2 10 Setting ...

Page 219: ...quest again When the switch receives no response for the configured maximum times it no longer authenticates the version of the client and perform the following authentications If configured this command functions on all ports that enabled version authentication function Perform the following in system view Table 1 12 Configuring the maximum retry times for the switch to send version request frame...

Page 220: ...ic user binding disabled port based authentication mode enables other users to access the network without being authenticated after a user passes the authentication Whereas when dynamic user binding is enabled a switch binds the corresponding IP address the MAC address the accessing port and the VLAN to which the accessing port belongs after a user passes the authentication which prevents other us...

Page 221: ...ers from changing their IP addresses after they pass the authentication 2 Configuration procedure Enable 802 1x globally Quidway system view System View return to User View with Ctrl Z Quidway dot1x Enable 802 1x dynamic user binding Quidway dot1x dynamic binding user enable Enable DHCP Snooping globally Required for 802 1x users who obtain IP addresses dynamically Quidway dhcp snooping Configure ...

Page 222: ... timeout value tx period tx period value ver period ver period value Restore default settings of the timers undo dot1x timer handshake period quiet period reauth period server timeout supp timeout tx period ver period handshake period This timer begins after the user has passed the authentication After setting handshake period system will send the handshake packet by the period Suppose the dot1x r...

Page 223: ...enticator begins to run If the Supplicant does not respond back with authentication reply packet successfully then the Authenticator will resend the authentication request packet tx period value Specify how long the duration of the transmission timeout timer is The value ranges from 10 to 120 in units of second and defaults to 30 reauth period Re authentication timeout timer During the time limit ...

Page 224: ...ot1x statistics interface interface list Enable the error event packet all debugging of 802 1x debugging dot1x error event packet all Disable the error event packet all debugging of 802 1x undo debugging dot1x error event packet all 1 4 802 1x Configuration Example I Networking requirements As shown in the following figure the workstation of a user is connected to the port Ethernet 0 1 of the Swit...

Page 225: ... access user is localuser and the password is localpass input in plain text The idle cut function is enabled II Networking diagram Supplicant Authentication Servers RADIUS Server Cluster IP Address 10 11 1 1 10 11 1 2 Internet Authenticator Switch Supplicant Authentication Servers RADIUS Server Cluster IP Address 10 11 1 1 10 11 1 2 Internet Authenticator Switch Supplicant Authentication Servers R...

Page 226: ...IUS server Quidway local server nas ip 127 0 0 1 key name Quidway radius scheme radius1 Quidway radius radius1 key authentication name Set the encryption key when the system exchanges packets with the accounting RADIUS server Quidway radius radius1 key accounting money Set the timeouts and times for the system to retransmit packets to the RADIUS server Quidway radius radius1 timer 5 Quidway radius...

Page 227: ... cut function for the user and set the idle cut parameter in the domain huawei163 net Quidway isp huawei163 net idle cut enable 20 2000 Add a local supplicant and sets its parameter Quidway local user localuser Quidway luser localuser service type lan access Quidway luser localuser password simple localpass Enable the 802 1x globally Quidway dot1x ...

Page 228: ...applying Client Server architecture in which client ends run as managed sources and the servers centralize and store user information AAA framework owns the good scalability and is easy to realize the control and centralized management of user information 2 1 2 RADIUS Protocol Overview As mentioned above AAA is a management framework so it can be implemented by some protocols RADIUS is such a prot...

Page 229: ...guration information like password etc to avoid being intercepted or stolen II RADIUS operation RADIUS server generally uses proxy function of the devices like access server to perform user authentication The operation process is as follows First the user send request message the client username and encrypted password is included in the message to RADIUS server Second the user will receive from RA...

Page 230: ...ttributes of local user z Disconnecting a user by force z Configuring Dynamic VLAN with RADIUS Server Among the above configuration tasks creating ISP domain is compulsory otherwise the supplicant attributes cannot be distinguished The other tasks are optional You can configure them at requirements 2 2 1 Creating Deleting ISP Domain What is Internet Service Provider ISP domain To make it simple IS...

Page 231: ...attributes of system are all default values 2 2 2 Configuring Relevant Attributes of ISP Domain The relevant attributes of ISP domain include the adopted RADIUS scheme state and maximum number of supplicants Where z The adopted RADIUS scheme is the one used by all the users in the ISP domain The RADIUS scheme can be used for RADIUS authentication or accounting By default the default RADIUS scheme ...

Page 232: ...pplicants and the idle cut function is disabled 2 2 3 Enabling Disabling the Messenger Alert Messenger alert function allows the clients to inform the online users about their remaining online time through message alert dialog box The implementation of this function is as follows z On the switch use the following command to enable this function and to configure the remaining online time threshold ...

Page 233: ...ed URL page used to change the user password on the self service server z Change user password on this page Perform the following configuration in ISP domain view Table 2 4 Configuring the self service server URL Operation Command Configure self service server URL and configure the URL address used to change the user password on the self service server self service url enable url string Remove the...

Page 234: ...e method that a local user uses to display password Operation Command Set the mode that a local user uses to display password local user password display mode cipher force auto Cancel the mode that the local user uses to display password undo local user password display mode Where auto means that the password display mode will be the one specified by the user at the time of configuring password se...

Page 235: ...ons in system view Table 2 8 Disconnecting a user by force Operation Command Disconnect a user by force cut connection all access type dot1x domain domain name interface portnum ip ip address mac mac address radius scheme radius scheme name vlan vlanid ucibindex ucib index user name user name By default no online user will be disconnected by force 2 2 8 Configuring Dynamic VLAN with RADIUS Server ...

Page 236: ...le and their converted integer form is within the VLAN range the switch just handles them as integer IDs and add the authentication port to the VLAN with the corresponding integer ID In this example the port is added into VLAN 1024 The dynamic VLAN with RADIUS server configuration includes z Configuring VLAN delivery mode z Configuring name of the delivered VLAN I Configuring VLAN delivery mode Pe...

Page 237: ...mber of RADIUS Server z Setting RADIUS packet encryption key z Setting response timeout timer of RADIUS server z Setting retransmission times of RADIUS request packet z Enabling the selection of RADIUS accounting option z Setting a real time accounting interval z Setting maximum times of real time accounting request failing to be responded z Enabling Disabling stopping accounting request buffer z ...

Page 238: ... numbers However at least you have to set one group of IP address and UDP port number for each pair of primary second servers to ensure the normal AAA operation You can use the following commands to configure the IP address and port number for RADIUS servers Perform the following configurations in RADIUS scheme view Table 2 12 Setting IP Address and Port Number of RADIUS Server Operation Command S...

Page 239: ...ocol uses different UDP ports to receive transmit authentication authorization and accounting packets you shall set two different ports accordingly Suggested by RFC2138 2139 authentication authorization port number is 1812 and accounting port number is 1813 However you may use values other than the suggested ones Especially for some earlier RADIUS Servers authentication authorization port number i...

Page 240: ...server it has to retransmit the request to guarantee RADIUS service for the user You can use the following command to set response timeout timer of RADIUS server Perform the following configurations in RADIUS scheme view Table 2 14 Setting response timeout timer of RADIUS server Operation Command Set response timeout timer of RADIUS server timer seconds Restore the response timeout timer of RADIUS...

Page 241: ...of RADIUS accounting option accounting optional Disable the selection of RADIUS accounting option undo accounting optional The user configured with accounting optional command in RADIUS scheme will no longer send real time accounting update packet or offline accounting packet The accounting optional command in RADIUS scheme view is only effective on the accounting that uses this RADIUS scheme By d...

Page 242: ...ponded RADIUS server usually checks if a user is online with timeout timer If the RADIUS server has not received the real time accounting packet from NAS for long it will consider that there is device failure and stop accounting Accordingly it is necessary to disconnect the user at NAS end and on RADIUS server synchronously when some unpredictable failure exists Quidway Series Switches support to ...

Page 243: ... discards the messages after transmitting for specified times The following command can be used for setting to save the message or not If save use the command to set the maximum retransmission times Perform the following configurations in RADIUS scheme view Table 2 20 Enabling Disabling stopping accounting request buffer Operation Command Enable stopping accounting request buffer stop accounting b...

Page 244: ...ed type of RADIUS server Operation Command Setting the Supported Type of RADIUS Server server type huawei iphotel portal standard Restore the Supported Type of RADIUS Server to the default setting undo server type By default the newly created RADIUS scheme supports the server of standard type while the system RADIUS scheme created by the system supports the server of huawei type 2 3 12 Setting RAD...

Page 245: ...ame including ISP domain name In this case you have to remove the domain name before sending the username to the RADIUS server The following command of switch decides whether the username to be sent to RADIUS server carries ISP domain name or not Perform the following configurations in RADIUS scheme view Table 2 24 Setting username format transmitted to RADIUS server Operation Command Set Username...

Page 246: ...ization accounting servers to manage users is widely used in Quidway series switches Besides local authentication authorization service is also used in these products and it is called local RADIUS authentication server function i e realize basic RADIUS function on the switch Perform the following commands in system view to create delete local RADIUS authentication server Table 2 26 Creating Deleti...

Page 247: ...cal user display local user domain isp name idle cut disable enable service type telnet ftp lan access ssh state active block user name user name vlan vlan id Display the statistics of local RADIUS authentication server display local server statistics Display the configuration information of all the RADIUS schemes or a specified one display radius radius scheme name Display the statistics of RADIU...

Page 248: ...tication at the remote server is similar to configuring FTP users The following description is based on Telnet users I Networking Requirements In the environment as illustrated in the following figure it is required to achieve through proper configuration that the RADIUS server authenticates the Telnet users to be registered One RADIUS server as authentication server is connected to the switch and...

Page 249: ... cams primary authentication 10 110 91 164 1812 Quidway radius cams key authentication expert Quidway radius cams server type huawei Quidway radius cams user name format without domain Configuration association between domain and RADIUS Quidway radius cams quit Quidway domain cams Quidway isp cams radius scheme cams 2 5 2 Configuring FTP Telnet User Authentication at Local RADIUS Server Local RADI...

Page 250: ...as key authentication hello Quidway radius ias key accounting hello Quidway radius ias quit 2 Create ISP domain Quidway domain ias Quidway isp ias scheme radius scheme ias 3 Configure VLAN delivery mode as string Quidway isp ias vlan assignment mode string Quidway isp ias quit 4 Create a VLAN and specify its name Create a VLAN Quidway vlan 100 Configure name of the delivered VLAN Quidway vlan100 n...

Page 251: ...S from NAS So please ensure the normal communication between NAS and RADIUS z Fault two RADIUS packet cannot be transmitted to RADIUS server Troubleshooting 1 The communication lines on physical layer or link layer connecting NAS and RADIUS server may not work well So please ensure the lines work well 2 The IP address of the corresponding RADIUS server may not have been set on NAS Please set a pro...

Page 252: ...ble HABP includes HABP server and HABP client In general the server regularly sends HABP request packets to the client to collect the MAC addresses of the member switches while the client responds to the request packets and forwards them to the lower level switches HABP server is often enabled at the management switch while HABP client is at the member switches HABP attribute had better be enabled...

Page 253: ...s at the member switches Since the default HABP mode is client you only need to enable HABP attribute at a switch Please perform the following operations in system view Table 3 2 Configuring HABP client Operation Command Enable HABP attribute habp enable Restore HABP to the default value undo habp enable By default HABP attribute is disabled at a switch 3 3 Displaying and Debugging HABP Attribute ...

Page 254: ...al Security Quidway S3000 EI Series Ethernet Switches Chapter 3 HABP Configuration Huawei Technologies Proprietary 3 3 Operation Command Enable HABP debugging debugging habp Disable HABP debugging undo debugging habp ...

Page 255: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Network Protocol ...

Page 256: ...Switch 2 1 2 2 2 Setting the Port as Trusted Port 2 2 2 3 Display and debug DHCP Snooping 2 2 Chapter 3 DHCP Client Configuration 3 1 3 1 Overview of DHCP Client 3 1 3 2 DHCP Client Configuration 3 2 3 2 1 Configuring a VLAN Interface to Obtain IP Address Using DHCP 3 2 3 3 Displaying and Debugging DHCP Client Configuration 3 3 Chapter 4 BOOTP Client Configuration 4 1 4 1 Overview of BOOTP Client ...

Page 257: ...thernet Switches Table of Contents Huawei Technologies Proprietary ii Chapter 6 IP Performance Configuration 6 1 6 1 IP Performance Configuration 6 1 6 1 1 Configure TCP Attributes 6 1 6 2 Display and debug IP Performance 6 2 6 3 Troubleshoot IP Performance 6 2 ...

Page 258: ...o hosts on the same network segment Host A and Host B The IP address of Host A is IP_A and the IP address of Host B is IP_B Host A will transmit messages to Host B Host A checks its own ARP mapping table first to make sure whether there are corresponding ARP entries of IP_B in the table If the corresponding MAC address is detected Host A will use the MAC address in the ARP mapping table to encapsu...

Page 259: ... 1 Manually add delete static ARP mapping Entries Operation Command Manually add a static ARP mapping entry arp static ip address mac address vlan id interface type interface number interface name Manually delete a static ARP mapping entry undo arp ip address Static ARP map entry will be always valid as long as Ethernet switch works normally But if the VLAN corresponding ARP mapping entry is delet...

Page 260: ...arns the ARP entry where the MAC address is multicast MAC address undo arp check enable By default the checking of ARP entry is enabled that is the device does not learn the ARP entry where the MAC address is multicast MAC address 1 3 Gratuitous ARP Configuration 1 3 1 Gratuitous ARP Overview Gratuitous ARP function is to implement the following functions by sending out gratuitous ARP packets z By...

Page 261: ...s of the gratuitous ARP are described in the following table Table 1 4 Configure gratuitous ARP Sequence number Configuration item Command Description 1 Enter system view Quidway system view 2 Enable ARP packet learning Quidway gratuitous arp learning enable Required Use the corresponding undo command to cancel the configuration 1 3 3 Configuration Example I Network requirements Enable gratuitous ...

Page 262: ...on Command Display ARP mapping table display arp static dynamic ip address Display the current setting of the dynamic ARP map aging timer display arp timer aging Reset ARP mapping table reset arp dynamic static interface interface type interface number interface name Enable ARP information debugging debugging arp packet Disable ARP information debugging undo debugging arp packet ...

Page 263: ... through DHCPREQUEST is the same as that assigned through DHCPACK So snooping DHCPREQUEST is another way to know clients IP addresses With DHCP Snooping enabled the switch can distract IP address and MAC address from the DHCPACK or DHCPREQUEST packets received and record them In addition pseudo DHCP servers in the network may cause users to get incorrect IP addresses To guarantee that users can ob...

Page 264: ...sted port Operation Command Set the port as trusted port dhcp snooping trust Restore the port as distrusted port undo dhcp snooping trust By default the ports of a switch are distrusted port 2 3 Display and debug DHCP Snooping After the above configuration execute display command in any view to display the clients IP address and MAC address bindings recorded through DHCP Snooping Table 2 3 Display...

Page 265: ... figure LAN DHCP Server DHCP Client DHCP Client DHCP Client DHCP Client Figure 3 1 Typical DHCP application To obtain valid dynamic IP addresses DHCP client exchanges different types of information with the server at different stages One of the following three situations may occur 1 DHCP client logs into the network for the first time When DHCP client logs into the network for the first time its c...

Page 266: ...reception of the DHCP_Request message the DHCP server returns the DHCP_ACK message if the requested IP address is still not allocated to indicate the client to continue use of the IP address z If the requested IP address becomes unavailable for example having been allocated to another client the DHCP server returns the DHCP_NAK message After receiving the DHCP_NAK message the client sends the DHCP...

Page 267: ...nterface does not obtain IP address using DHCP 3 3 Displaying and Debugging DHCP Client Configuration After the above configuration execute display command in any view to display the running of the DHCP Client configuration and to verify the effect of the configuration Execute debugging command in user view to debug DHCP Client configuration Table 3 2 Displaying and debugging DHCP Client configura...

Page 268: ... in the event of timeout is used to guarantee its reliable transmission BOOTP client also starts a retransmission timer when it sends the request message to the server If the timer expires before the return of the response message from the server the request message will be retransmitted The retransmission occurs every five seconds and the maximum number of retransmission is 3 that is the message ...

Page 269: ... execute display command in any view to display the running of the BOOTP client configuration and to verify the effect of the configuration Execute debugging command in user view to debug BOOTP client Table 4 2 Displaying and debugging BOOTP client Operation Command Display information of BOOTP client display bootp client interface vlan interface vlan_id Disable enable BOOTP client debugging undo ...

Page 270: ...n_2 PCn_x Organization 1 Organization 2 Organization n Figure 5 1 Typical Ethernet access networking scenario If not so many users are connected to the switch the ports allocated to different enterprises need to belong to the same VLAN and different enterprises should be isolated in the light of cost and security All these requirements can be achieved with the access management function by the Eth...

Page 271: ... Layer 2 isolation on a port so as to prevent the packets from being forwarded on Layer 2 between the specified port and some other ports group Perform the following configuration in Ethernet interface view Table 5 2 Configure Layer 2 isolation between ports Operation Command Configure Layer 2 isolation between ports am isolate interface list Cancel Layer 2 isolation between ports undo am isolate ...

Page 272: ...pecified MAC address then the packet is relayed only when its source IP address is the same as the specified IP address Perform the following configuration in the system view Table 5 3 Binding Port IP Address and MAC Address Operation Command Bind port IP address and MAC address am user bind interface interface name interface type interface number mac addr mac ip addr ip mac addr mac interface int...

Page 273: ...er bind interface interface name interface type interface number mac addr mac ip addr ip 5 4 Access Management Configuration Example I Networking requirements Organization 1 is connected to the port 1 of the switch and organization 2 to the port 2 The ports 1 and 2 belong to the same VLAN Organization 1 and organization 2 cannot communicate with each other II Networking diagram See Figure 5 1 III ...

Page 274: ...will be terminated Finwait timer ranges 76 to 3600 seconds By default finwait timer is 675 seconds z The receiving sending buffer size of connection oriented Socket is in the range from 1 to 32K bytes and is 8K bytes by default Perform the following configuration in System view Table 6 1 Configure TCP attributes Operation Command Configure synwait timer time for TCP connection establishment tcp ti...

Page 275: ... of current system display ip socket socktype sock type task id socket id Display the summary of the Forwarding Information Base display fib Reset IP statistics information reset ip statistics Reset TCP statistics information reset tcp statistics 6 3 Troubleshoot IP Performance Fault IP layer protocol works normally but TCP and UDP cannot work normally In the event of such a fault you can enable t...

Page 276: ...rietary 6 3 Quidway debugging tcp packet Then the TCP packets received or sent can be checked in real time Specific packet formats include TCP output packet Source IP address 202 38 160 1 Source port 1024 Destination IP Address 202 38 160 1 Destination port 4296 Sequence number 4185089 Ack number 0 Flag SYN Packet length 60 Data offset 10 ...

Page 277: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual System Management ...

Page 278: ...the FTP Server Authentication and Authorization 1 6 1 3 4 Configure the Running Parameters of FTP Server 1 7 1 3 5 Display and Debug FTP Server 1 7 1 3 6 Introduction to FTP Client 1 8 1 3 7 FTP client configuration example 1 8 1 3 8 FTP server configuration example 1 10 1 4 TFTP 1 11 1 4 1 TFTP Overview 1 11 1 4 2 Configure the File Transmission Mode 1 12 1 4 3 Download Files by means of TFTP 1 1...

Page 279: ...4 5 4 Sending the Configuration Information to Console terminal 4 14 4 5 5 Sending the Configuration Information to Telnet Terminal or Dumb Terminal 4 17 4 5 6 Sending the Configuration Information to Log Buffer 4 19 4 5 7 Sending the Configuration Information to Trap Buffer 4 21 4 5 8 Sending the Configuration Information to SNMP Network Management 4 23 4 5 9 Turn on off the Information Synchroni...

Page 280: ... 3 6 2 5 Add Delete an Entry to from the Statistics Table 6 4 6 3 Display and Debug RMON 6 4 6 4 RMON Configuration Example 6 4 Chapter 7 NTP Configuration 7 1 7 1 Brief Introduction to NTP 7 1 7 1 1 NTP Functions 7 1 7 1 2 Basic Operating Principle of NTP 7 1 7 2 NTP Configuration 7 3 7 2 1 Configure NTP Operating Mode 7 3 7 2 2 Configure NTP ID Authentication 7 7 7 2 3 Set NTP Authentication Key...

Page 281: ...m can be divided as follows z Directory operation z File operation z Storage device operation z Set the prompt mode of the file system 1 1 2 Directory Operation The file system can be used to create or delete a directory display the current working directory and display the information about the files or directories under a specified directory You can use the following commands to perform director...

Page 282: ...rl dest Copy a file copy fileurl source fileurl dest Move a file move fileurl source fileurl dest Display the information about directories or files dir all file url 1 1 4 Storage Device Operation The file system can be used to format a specified memory device You can use the following commands to format a specified memory device Perform the following configuration in user view Table 1 3 Storage d...

Page 283: ...file are arranged in the following order system configuration ethernet port configuration vlan interface configuration routing protocol configuration and so on z It ends with end The management over the configuration files includes z Display the Current configuration and Saved configuration of Ethernet Switch z Save the Current configuration z Erase configuration files from Flash Memory 1 2 2 Disp...

Page 284: ...rent configuration in the Flash Memory and the configurations will become the saved configuration when the system is powered on for the next time Perform the following configuration in user view Table 1 6 Save the current configuration Operation Command Save the current configuration save 1 2 4 Erase Configuration Files from Flash Memory The reset saved configuration command can be used to erase c...

Page 285: ... used for transmitting files between a remote server and a local host The Ethernet switch provides the following FTP services z FTP server You can run FTP client program to log in the server and access the files on it z FTP client After connected to the server through running the terminal emulator or Telnet on a PC you can access the files on it using FTP command Switch PC Network Switch Switch PC...

Page 286: ...tch and PC are reachable 1 3 2 Enable Disable FTP Server You can use the following commands to enable disable the FTP server on the switch Perform the following configuration in system view Table 1 10 Enable Disable FTP Server Operation Command Enable the FTP server ftp server enable Disable the FTP server undo ftp server FTP server supports multiple users to access at the same time A remote FTP c...

Page 287: ...authentication and authorization successfully can access the FTP server 1 3 4 Configure the Running Parameters of FTP Server You can use the following commands to configure the connection timeout of the FTP server If the FTP server receives no service request from the FTP client for a period of time it will cut the connection to it thereby avoiding the illegal access from the unauthorized users Th...

Page 288: ... has no configuration functions The switch connects the FTP clients and the remote server and inputs the command from the clients for corresponding operations such as creating or deleting a directory 1 3 7 FTP client configuration example I Networking requirement The switch serves as FTP client and the remote PC as FTP server The configuration on FTP server Configure a FTP user named as switch wit...

Page 289: ...user view to establish FTP connection then correct username and password to log into the FTP server Quidway ftp 2 2 2 2 Trying Press CTRL K to abort Connected 220 WFTPD 2 0 service by Texas Imperial Software ready for new user User none switch 331 Give me your password please Password 230 Logged in successfully ftp Type in the authorized directory of the FTP server ftp cd switch Use the put comman...

Page 290: ... app is stored on the PC Using FTP the PC can upload the switch app from the remote FTP server and download the vrpcfg txt from the FTP server for backup purpose II Networking diagram Switch PC Network Switch Switch PC Network Figure 1 3 Networking for FTP configuration 1 Configure the switch Log into the switch locally through the Console port or remotely using Telnet Quidway Start FTP function a...

Page 291: ...otocol TFTP is a simple protocol for file transmission Compared with FTP another file transmission protocol TFTP has no complicated interactive access interface or authentication control and therefore it can be used when there is no complicated interaction between the clients and server TFTP is implemented on the basis of UDP TFTP transmission is originated from the client end To download a file t...

Page 292: ...FTP server and set authorized TFTP directory 1 4 2 Configure the File Transmission Mode TFTP transmits files in two modes binary mode for program files and ASCII mode for text files You can use the following commands to configure the file transmission mode Perform the following configuration in system view Table 1 15 Configure the file transmission mode Operation Command Configure the file transmi...

Page 293: ...e switch serves as TFTP client and the remote PC as TFTP server Authorized TFTP directory is set on the TFTP server The IP address of a VLAN interface on the switch is 1 1 1 1 and that of the PC is 2 2 2 2 The interface on the switch connecting the PC belong to the same VLAN The switch application switch app is stored on the PC Using TFTP the switch can download the switch app from the remote TFTP...

Page 294: ...em view Quidway Configure IP address 1 1 1 1 for the VLAN interface ensure the port connecting the PC is also in this VALN VLAN 1 in this example Quidway interface vlan 1 Quidway vlan interface1 ip address 1 1 1 1 255 255 255 0 Quidway vlan interface1 quit Upload the vrpcfg txt to the TFTP server Quidway tftp put vrpcfg txt 1 1 1 2 vrpcfg txt Download the switch app from the TFTP server Quidway tf...

Page 295: ...ains the MAC_SOURCE the switch will update the corresponding entry otherwise it will add the new MAC address and the corresponding forwarding port as a new entry to the table The system forwards the packets whose destination addresses can be found in the MAC address table directly through the hardware and broadcasts those packets whose addresses are not contained in the table The network device wi...

Page 296: ...pe of entries such as dynamic entries or static entries You can use the following commands to add modify or delete the entries in MAC address table Perform the following configuration in system view Table 2 1 Set MAC address table entries Operation Command Add Modify an address entry mac address static dynamic hw addr interface interface name interface type interface num vlan vlan id Delete an add...

Page 297: ...ax Count of MAC Address Learned by a Port With the address learning function an Ethernet switch can learn new MAC addresses After received a packet destined some already learned MAC address the switch will forward it directly with the hardware instead of broadcasting But Too many MAC address items learned by a port will affect the switch operation performance User can control the MAC address items...

Page 298: ...ac address mac addr vlan vlan id static dynamic interface interface name interface type interface num vlan vlan id count Display the aging time of dynamic address table entries display mac address aging time 2 4 MAC Address Table Management Configuration Example I Networking requirements The user logs in the switch via the Console port to configure the address table management It is required to se...

Page 299: ...nterface ethernet 0 2 vlan 1 Set the address aging time to 500s Quidway mac address timer aging 500 Display the MAC address configurations in any view Quidway display mac address interface ethernet 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 00 e0 fc 35 dc 71 1 Static Ethernet0 2 NOAGED 00 e0 fc 17 a7 d6 1 Learned Ethernet0 2 AGING 00 e0 fc 5e b1 fb 1 Learned Ethernet0 2 AGING 00 e0 fc 55 f1 ...

Page 300: ...anagement Configuration The device management configuration includes z Reboot Ethernet switch z Designate the APP adopted when booting the Ethernet switch next time z Upgrade BootROM 3 2 1 Reboot Ethernet Switch It would be necessary for users to reboot the Ethernet switch when failure occurs Perform the following configuration in user view Table 3 1 Reboot Ethernet switch Operation Command Reboot...

Page 301: ...ration in user view Table 3 3 Upgrade BootROM Operation Command Upgrade BootROM boot bootrom file url 3 3 Display and Debug Device Management Configuration After the above configuration execute display command in any view to display the running of the Device management configuration and to verify the effect of the configuration Table 3 4 Display and debug Device management configuration Operation ...

Page 302: ...undo sysname 4 1 2 Set the System Clock Perform the operation of clock datetime command in the user view Table 4 2 Set the system clock Operation Command Set the system clock clock datetime HH MM SS YYYY MM DD 4 1 3 Set the Time Zone You can configure the name of the local time zone and the time difference between the local time and the standard Universal Time Coordinated UTC Perform the following...

Page 303: ...system configuration information z Commands for displaying the system running state z Commands for displaying the system statistics information For the display commands related to each protocols and different ports refer to the relevant chapters The following display commands are used for displaying the system state and the statistics information Perform the following operations in any view Table ...

Page 304: ...erminal debugging switch controls the debugging output on a specified user screen The figure below illustrates the relationship between two switches 1 2 3 Protocol debugging switch ON ON OFF ON OFF 1 3 1 3 Screen output switch 1 3 Debugging information Figure 4 1 Debug output You can use the following commands to control the above mentioned debugging Perform the following operations in user view T...

Page 305: ...isplay command which make it difficult for you to collect all the information needed In this case you can use display diagnostic information command You can perform the following operations in any view Table 4 7 display diagnostic information Operation Command display diagnostic information display diagnostic information 4 4 Testing Tools for Network Connection I ping The ping command can be used ...

Page 306: ... over until the packet reaches the destination The purpose to carry out the process is to record the source address of each ICMP TTL timeout message so as to provide the route of an IP packet to the destination Perform the following operation in any view Table 4 9 The tracert command Operation Command Trace route tracert a source IP f first TTL m max TTL p port q nqueries w timeout string 4 5 Logg...

Page 307: ...gging information is send to the log host the default format of timestamp is date and it can be changed to boot format or none format through the command info center timestamp log date boot none The date format of timestamp is mm dd hh mm ss yyyy mm is month field such as Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec dd is day field if the day is little than 10th one blank should be added such a...

Page 308: ...n debugging information and trap information The info center classifies every kind of information into 8 severity or urgent levels The log filtering rule is that the system prohibits outputting the information whose severity level is greater than the set threshold The more urgent the logging packet is the smaller its severity level is The level represented by emergencies is 0 and that represented ...

Page 309: ... the channels for log output Output direction Channel number Default channel name Console 0 console Monitor 1 monitor Info center loghost 2 loghost Trap buffer 3 trapbuf Logging buffer 4 logbuf snmp 5 snmpagent Note The settings in the six directions are independent from each other The settings will take effect only after enabling the information center The info center of Ethernet Switch has the f...

Page 310: ...and the time stamp format of information and so on You must turn on the switch of the corresponding module before defining output debugging information Loghost Refer to configuration cases for related log host configuration 2 Sending the configuration information to the console terminal Table 4 14 Sending the configuration information to the console terminal Device Configuration Default value Conf...

Page 311: ...witch Enable the terminal display function and this function for the corresponding information For Telnet terminal and dumb terminal to view the information you must enable the current terminal display function using the terminal monitor command 4 Sending the configuration information to log buffer Table 4 16 Sending the configuration information to log buffer Device Configuration Default value Co...

Page 312: ... turn on the switch of the corresponding module before defining output debugging information 6 Sending the configuration information to SNMP Table 4 18 Sending the configuration information to SNMP Device Configuration Default value Configuration description Enable info center By default info center is enabled Other configurations are valid only if the info center is enabled Set the information ou...

Page 313: ...ion and trap information in Fabric in every switch synchronized 4 5 3 Sending the Configuration Information to Loghost To send configuration information to loghost follow the steps below 1 Enabling info center Perform the following operation in system view Table 4 20 Enable disable info center Operation Command Enable info center info center enable Disable info center undo info center enable Note ...

Page 314: ...center source modu name default channel channel number channel name log trap debug level severity state state Cancel the configuration of information source undo info center source modu name default channel channel number channel name modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity level of information The i...

Page 315: ...e output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center timestamp log trap debugging 4 Configuring loghost The configuration on the loghost must be the same with that on the switch For related configuration see the configuration examples in the later part 4 5 4 Sending the Configuration Information to Console terminal...

Page 316: ...information source info center source modu name default channel channel number channel name log trap debug level severity state state Cancel the configuration of information source undo info center source modu name default channel channel number channel name modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity le...

Page 317: ...p debugging 4 Enable terminal display function To view the output information at the console terminal you must first enable the corresponding log debugging and trap information functions at the switch For example if you have set the log information as the information sent to the console terminal now you need to use the terminal logging command to enable the terminal display function of log informa...

Page 318: ... are affected when the system processes much information because of information classification and outputting 2 Configuring to output information to Telnet terminal or dumb terminal Perform the following operation in system view Table 4 30 Configuring to output information to Telnet terminal or dumb terminal Operation Command Output information to Telnet terminal or dumb terminal info center monit...

Page 319: ... set to the channel that corresponds to Console direction Every channel has been set with a default record whose module name is default and the module number is 0xffff0000 However for different channels the default record may have different default settings of log trap and debugging When there is no specific configuration record for a module in the channel use the default one Note When there are m...

Page 320: ...formation on the switch then you can view the information at the Telnet terminal or dumb terminal Perform the following operation in user view Table 4 33 Enabling terminal display function Operation Command Enable terminal display function of log debugging and trap information terminal monitor Disable terminal display function of the above information undo terminal monitor Enable terminal display ...

Page 321: ...o center logbuffer channel channel number channel name size buffersize Cancel the configuration of outputting information to log buffer undo info center logbuffer channel size 3 Configuring information source on the switch By this configuration you can define the information that sent to log buffer is generated by which modules information type information level and so on Perform the following ope...

Page 322: ...ugging information of some modules on the switch you must select debugging as the information type when configuring information source meantime using the debugging command to turn on the debugging switch of those modules You can use the following commands to configure log information debugging information and the time stamp output format of trap information Perform the following operation in syste...

Page 323: ...uffer is generated by which modules information type information level and so on Perform the following operation in system view Table 4 40 Defining information source Operation Command Define information source info center source modu name default channel channel number channel name log trap debug level severity state state Cancel the configuration of information source undo info center source mod...

Page 324: ...put format of trap information Perform the following operation in system view Table 4 41 Configuring the output format of time stamp Operation Command Configure the output format of the time stamp info center timestamp log trap debugging boot date none Output time stamp is disabled undo info center timestamp log trap debugging 4 5 8 Sending the Configuration Information to SNMP Network Management ...

Page 325: ...n source info center source modu name default channel channel number channel name log trap debug level severity state state Cancel the configuration of information source undo info center source modu name default channel channel number channel name modu name specifies the module name default represents all the modules level refers to the severity levels severity specifies the severity level of inf...

Page 326: ...management workstation on the switch You have to configure SNMP on the switch and the remote workstation to ensure that the information is correctly sent to SNMP NM Then you can get correct information from network management workstation SNMP configuration on switch refers to Chapter 5 SNMP Configuration 4 5 9 Turn on off the Information Synchronization Switch in Fabric After the forming of a Fabr...

Page 327: ...pecified information on the specified switch as needed By default the log debugging and trap information synchronization switch of master in Fabric are all turned on The log debugging and trap information synchronization switch of other switches are turned on 4 5 10 Displaying and Debugging Info center After the above configuration performing the display command in any view you can view the runnin...

Page 328: ...ration steps 1 Configuration on the switch Enabling info center Quidway info center enable Set the host with the IP address of 202 38 1 10 as the loghost set the severity level threshold value as informational set the output language to English set that the modules which are allowed to output information are ARP and IP Quidway info center loghost 202 38 1 10 facility local4 language english Quidwa...

Page 329: ...ch Otherwise the log information probably cannot be output to the loghost correctly Step 3 After the establishment of information log file and the revision of etc syslog conf you should send a HUP signal to syslogd system daemon through the following command to make syslogd reread its configuration file etc syslog conf ps ae grep syslogd 147 kill HUP 147 After the above operation the switch system...

Page 330: ... the loghost set the severity level threshold value as informational set the output language to English set all the modules are allowed output information Quidway info center loghost 202 38 1 10 facility local7 language english Quidway info center source default channel loghost log level informational 2 Configuration on the loghost This configuration is performed on the loghost Step 1 Perform the ...

Page 331: ...the establishment of information log file and the revision of etc syslog conf you should view the number of syslogd system daemon through the following command kill syslogd daemon and reuse r option the start syslogd in daemon ps ae grep syslogd 147 kill 9 147 syslogd r Note For Linux loghost you must ensure that syslogd daemon is started by r option After the above operation the switch system can...

Page 332: ... 4 4 Schematic diagram of configuration III Configuration steps 1 Configuration on the switch Enabling info center Quidway info center enable Configure console terminal log output allow modules ARP and IP to output information the severity level is restricted within the range of emergencies to informational Quidway info center console channel console Quidway info center source arp channel console ...

Page 333: ...terms of structure SNMP can be divided into two parts namely Network Management Station and Agent Network Management Station is the workstation for running the client program At present the commonly used NM platforms include Sun NetManager and IBM NetView Agent is the server software operated on network devices Network Management Station can send GetRequest GetNextRequest and SetRequest messages t...

Page 334: ...managed object B can be uniquely specified by a string of numbers 1 2 1 1 The number string is the Object Identifier of the managed object The current SNMP Agent of Ethernet switch supports SNMP V1 V2C and V3 The MIBs supported are listed in the following table Table 5 1 MIBs supported by the Ethernet Switch MIB attribute MIB content References MIB II based on TCP IP network device RFC1213 RFC1493...

Page 335: ...rded SNMP Community is named with a character string which is called Community Name The various communities can have read only or read write access mode The community with read only authority can only query the device information whereas the community with read write authority can also configure the device You can use the following commands to set the community name Perform the following configura...

Page 336: ...e or disable the managed device to transmit trap message Perform the following configuration in system view Table 5 4 Enable Disable snmp agent to Send Trap Operation Command Enable to send trap snmp agent trap enable standard authentication coldstart linkdown linkup warmstart Disable to send trap undo snmp agent trap enable standard authentication coldstart linkdown linkup warmstart 5 3 4 Set the...

Page 337: ...ion The sysLocation is a management variable of the MIB system group used for specifying the location of managed devices You can use the following commands to set the sysLocation Perform the following configuration in system view Table 5 7 Set sysLocation Operation Command Set sysLocation snmp agent sys info location sysLocation Restore the default location of the Ethernet switch undo snmp agent s...

Page 338: ...n use the following commands to set or delete an SNMP group Perform the following configuration in system view Table 5 10 Set Delete an SNMP Group Operation Command Setting an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl list snmp agent group v3 group name authentication privacy read view read view write view write view not...

Page 339: ... groupname local engineid engine id 5 3 12 Create Update View Information or Deleting a View You can use the following commands to create update the information of views or delete a view Perform the following configuration in system view Table 5 13 Create Update view information or deleting a view Operation Command Create Update view information snmp agent mib view included excluded view name oid ...

Page 340: ... in user view to debug SNMP configuration Table 5 16 Display and debug SNMP Operation Command Display the statistics information about SNMP packets display snmp agent statistics Display the engine ID of the active device display snmp agent local engineid remote engineid Display the group name the security mode the states for all types of views and the storage mode of each group of the switch displ...

Page 341: ...view Set the community name group name and user Quidway snmp agent sys info version all Quidway snmp agent community write public Quidway snmp agent mib include internet 1 3 6 1 Quidway snmp agent group v3 managev3group write internet Quidway snmp agent usm v3 managev3user managev3group Set the VLAN interface 2 as the interface used by network management Add port Ethernet 0 3 to the VLAN 2 This po...

Page 342: ...dway snmp agent trap enable standard linkup Quidway snmp agent trap enable standard linkdown Quidway snmp agent target host trap address udp domain 129 102 149 23 udp port 5000 params securityname public IV Configure Network Management System The Ethernet Switch supports Huawei s iManager Quidview NMS Users can query and configure the Ethernet switch through the network management system For more ...

Page 343: ... can reduce the communication traffic between the NMS and the agent thus facilitates an effective management over the large interconnected networks RMON allows multiple monitors It can collect data in two ways z One is to collect data with a special RMON probe NMS directly obtains the management information from the RMON probe and controls the network resource In this way it can obtain all the inf...

Page 344: ...essage will be sent to NMS The events are defined in the event management The alarm management includes browsing adding and deleting the alarm entries You can use the following commands to add delete an entry to from the alarm table Perform the following configuration in system view Table 6 1 Add Delete an entry to from the alarm table Operation Command Add an entry to the alarm table rmon alarm e...

Page 345: ...ol table Perform the following configuration in Ethernet port view Table 6 3 Add Delete an entry to from the history control table Operation Command Add an entry to the history control table rmon history entry number buckets number interval sampling interval owner text string Delete an entry from the history control table undo rmon history entry number 6 2 4 Add Delete an Entry to from the Extende...

Page 346: ...tistics entry number owner text string Delete an entry from the statistics table undo rmon statistics entry number 6 3 Display and Debug RMON After the above configuration execute display command in any view to display the running of the RMON configuration and to verify the effect of the configuration Table 6 6 Display and debug RMON Operation Command Display the RMON statistics display rmon stati...

Page 347: ...ei rmon View the configurations in user view Quidway display rmon statistics Ethernet 2 1 Statistics entry 1 owned by huawei rmon is VALID Gathers statistics of interface Ethernet2 1 Received octets 270149 packets 1954 broadcast packets 1570 multicast packets 365 undersized packets 0 oversized packets 0 fragments packets 0 jabbers packets 0 CRC alignment errors 0 collisions 0 Dropped packet events...

Page 348: ...ime throughout the network NTP ensures the consistency of the following applications z For the increment backup between the backup server and client NTP ensures the clock synchronization between the two systems z For multiple systems that coordinate to process a complex event NTP ensures them to reference the same clock and guarantee the right order of the event z Guarantee the normal operation of...

Page 349: ...ting principle of NTP In the figure above Ethernet Switch A and Ethernet Switch B are connected via the Ethernet port They have independent system clocks Before implement automatic clock synchronization on both switches we assume that z Before synchronizing the system clocks on Ethernet Switch A and B the clock on Ethernet Switch A is set to 10 00 00am and that on B is set to 11 00 00am z Ethernet...

Page 350: ...ervice z Set maximum local sessions z Disable the NTP Service Globally 7 2 1 Configure NTP Operating Mode You can set the NTP operating mode of an Ethernet Switch according to its location in the network and the network structure For example you can set a remote server as the time server of the local equipment In this case the local Ethernet Switch works as an NTP client If you set a remote server...

Page 351: ...st server ip address NTP version number number ranges from 1 to 3 and defaults to 3 the authentication key ID keyid ranges from 0 to 4294967295 interface name or interface type interface number specifies the IP address of an interface from which the source IP address of the NTP packets sent from the local Ethernet Switch to the time server will be taken priority indicates the time server will be t...

Page 352: ... number Cancel NTP broadcast server mode undo ntp service broadcast server NTP version number number ranges from 1 to 3 and defaults to 3 the authentication key ID keyid ranges from 0 to 4294967295 This command can only be configured on the interface where the NTP broadcast packets will be transmitted IV Configure NTP Broadcast Client Mode Designate an interface on the local Ethernet Switch to rec...

Page 353: ...icast IP address defaults to 224 0 1 1 This command can only be configured on the interface where the NTP multicast packet will be transmitted VI Configure NTP Multicast Client Mode Designate an interface on the local Ethernet Switch to receive NTP multicast messages and operate in multicast client mode The local Ethernet Switch listens to the multicast from the server When it receives the first m...

Page 354: ...t NTP authentication key Perform the following configurations in system view Table 7 8 Configure NTP authentication key Operation Command Configure NTP authentication key ntp service authentication keyid number authentication mode md5 value Remove NTP authentication key undo ntp service authentication keyid number Key number number ranges from 1 to 4294967295 the key value contains 1 to 32 ASCII c...

Page 355: ...cast server or ntp service unicast peer command also designates a transmitting interface use the one designated by them 7 2 6 Set NTP Master Clock This configuration task is to set the external reference clock or the local clock as the NTP master clock Perform the following configurations in system view Table 7 11 Set the external reference clock or the local clock as the NTP master clock Operatio...

Page 356: ...ed authority will be given Perform the following configurations in system view Table 7 13 Set authority to access a local Ethernet switch Operation Command Set authority to access a local Ethernet switch ntp service access query synchronization server peer acl number Cancel settings of the authority to access a local Ethernet switch undo ntp service access query synchronization server peer IP addr...

Page 357: ...the configurations according to the outputs In user view you can use the debugging command to debug NTP Table 7 15 NTP display and debugging Operation Command Display the status of NTP service display ntp service status Display the status of sessions maintained by NTP service display ntp service sessions verbose Display the brief information about every NTP time server on the way from the local eq...

Page 358: ...ster clock at stratum 2 Quidway1 ntp service refclock master 2 Configure Ethernet Switch Quidway2 Enter system view Quidway2 system view Set Quidway1 as the NTP server Quidway2 ntp service unicast server 1 0 1 11 The above examples synchronized Quidway2 by Quidway1 Before the synchronization the Quidway2 is shown in the following status Quidway2 display ntp service status clock status unsynchroniz...

Page 359: ...ence stra reach poll now offset delay disper 12345 1 0 1 11 LOCAL 0 3 377 64 16 0 4 0 0 0 9 note 1 source master 2 source peer 3 selected 4 candidate 5 configured II NTP peer configuration example 1 Network requirements On Quidway3 set local clock as the NTP master clock at stratum 2 On Quidway2 configure Quidway1 as the time server in server mode and set the local equipment as in client mode At t...

Page 360: ...y4 by Quidway5 After synchronization Quidway4 status is shown as follows Quidway4 display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 31 Nominal frequency 60 0002 Hz Actual frequency 60 0002 Hz Clock precision 2 17 Clock offset 9 8258 ms Root delay 27 10 ms Root dispersion 49 29 ms Peer dispersion 10 94 ms Reference time 19 21 32 287 UTC Oct 24 2004 C5267F...

Page 361: ...ntp service broadcast server Configure Ethernet Switch Quidway4 Enter system view Quidway4 system view Enter Vlan interface2 view Quidway4 interface vlan interface 2 Quidway4 Vlan Interface2 ntp service broadcast client Configure Ethernet Switch Quidway1 Enter system view Quidway1 system view Enter Vlan interface2 view Quidway1 interface vlan interface 2 Quidway1 Vlan Interface2 ntp service broadc...

Page 362: ...et delay disper 12345 127 127 1 0 LOCAL 0 7 377 64 57 0 0 0 0 1 0 5 1 0 1 11 LOCAL 0 3 0 64 0 0 0 0 0 0 5 128 108 22 44 0 0 0 0 16 0 64 0 0 0 0 0 0 note 1 source master 2 source peer 3 selected 4 candidate 5 configured IV Configure NTP multicast mode 1 Network requirements Quidway3 sets the local clock as the master clock at stratum 2 and multicast packets from Vlan interface2 Set Quidway4 and Qui...

Page 363: ...face2 Quidway3 multicast messages from Vlan interface2 Since Quidway1 and Quidway3 are not located on the same segments Quidway1 cannot receive the multicast packets from Quidway3 while Quidway4 is synchronized by Quidway3 after receiving the multicast packet V Configure authentication enabled NTP server mode 1 Network requirements Quidway1 sets the local clock as the NTP master clock at stratum 2...

Page 364: ... Quidway2 ntp service reliable authentication keyid 42 Qudiway2 ntp service unicast server 1 0 1 11 authentication keyid 42 The above examples synchronized Quidway2 by Quidway1 Since Quidway1 has not been enabled authentication it cannot synchronize Quidway2 And now let us do the following additional configurations on Quidway1 Enable authentication Quidway1 ntp service authentication enable Set th...

Page 365: ...up SSH channels for local connection See Figure 8 1 Currently the switch which runs SSH server supports SSH version 1 5 2 3 1 1 Switch running SSH server 2 PC running SSH client 3 Ethernet LAN Figure 8 1 Setting up SSH channels in LAN Note In the above figure the VLAN for the Ethernet port must have been configured with VLAN interfaces and IP address The communication process between the server an...

Page 366: ...e switch if the usernames and passwords match exactly RSA authentication works in this way The RSA public key of the client user is configured at the server The client first sends the member modules of its RSA public key to the server which checks its validity If it is valid the server generates a random number which is sent to the client after being encrypted with RSA public key Both ends calcula...

Page 367: ...ximum Operation Command Set system protocol and link maximum protocol inbound all ssh telnet Caution If SSH protocol is specified to ensure a successful login you must configure the AAA authentication using the authentication mode scheme command The protocol inbound ssh configuration fails if you configure authentication mode password and authentication mode none When you configure SSH protocol su...

Page 368: ... switch Please perform the following configurations in system view Table 8 3 Configuring authentication type Operation Command Configure authentication type ssh user username authentication type password rsa all Remove authentication type setting undo ssh user username authentication type If the configuration is RSA authentication type then the RSA public key of client user must be configured on t...

Page 369: ...ely prevent malicious registration attempt Please perform the following configurations in system view Table 8 6 Defining SSH authentication retry value Operation Command Define SSH authentication retry value ssh server authentication retries times Restore the default retry value undo ssh server authentication retries By default the retry value is 3 VII Entering public key edit view and editing pub...

Page 370: ...lid characters Please perform the following configurations in the public key view Table 8 8 Starting terminating public key editing Operation Command Enter public key edit view public key code begin Terminate public key edit view public key code end Quit public key view peer public key end VIII Associating public key with SSH user Please perform the following configurations in system view Table 8 ...

Page 371: ...ware The former is configured in the server switch and the latter is in the client The following description takes the PuTTY as an example I Specifying server IP address Start PuTTY program and the client configuration interface pops up Figure 8 2 SSH client configuration interface 1 In the Host Name or IP address text box key in the IP address of the switch for example 10 110 28 10 You can also i...

Page 372: ...rietary 8 8 Figure 8 3 SSH client configuration interface 2 You can select 1 as shown in the figure IV Specifying RSA private key file If you want to enable RSA authentication you must specify RSA private key file which is not required for password authentication Click SSH Auth to enter the interface as shown in the following figure ...

Page 373: ...s Proprietary 8 9 Figure 8 4 SSH client configuration interface 3 Click the Browse button to enter the File Select interface Choose a desired file and click OK V Opening SSH connection Click the Open button to enter SSH client interface If it runs normally you are promoted to enter username and password See the following figure ...

Page 374: ...t Run the debugging command to debug the SSH Please perform the following configurations in any view Table 8 10 Display SSH information Operation Command Display host and server public keys display rsa local key pair public Display client RSA public key display rsa peer public key brief name keyname Display SSH state information and session display ssh server status session Display SSH user inform...

Page 375: ...nce this operation is unnecessary z For password authentication mode Quidway user interface vty 0 4 Quidway ui vty0 4 authentication mode scheme Quidway ui vty0 4 protocol inbound ssh Quidway local user client001 Quidway luser client001 password simple huawei Quidway luser client001 service type ssh Quidway ssh user client001 authentication type password Select the default values for SSH authentic...

Page 376: ...39A291ABDA704F5D93DC8FDF84C427463 Quidway key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 Quidway key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 Quidway key code 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC Quidway key code C48E3306367FE187BDD944018B3B69F3CBB0A573202C16 Quidway key code BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125 Quidway key code public key code end Quidway rsa...

Page 377: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Remote Power feeding ...

Page 378: ... Power Feeding on a Port 1 3 1 2 3 Selecting the Power Feeding Mode on a Port 1 3 1 2 4 Setting the Maximum Power on a Power Feeding Port 1 4 1 2 5 Setting power management mode and Power Feeding Priority on a Port 1 4 1 2 6 Enabling Disabling the Compatibility Detection of PDs 1 5 1 2 7 Reset the PoE Configuration on the Switch 1 6 1 2 8 Upgrading the PoE Daughter Card 1 6 1 3 Displaying Remote P...

Page 379: ... twisted pairs to transfer data and use the spare lines 4 5 7 and 8 to transfer current You can opt for either power supply mode by inputting command lines or pressing the mode button z S3026C PWR supplies power to outside with 24 fixed Ethernet electrical ports It can feed power to up to 24 remotely attached Ethernet switches traveling a longest distance of 100m z Each Ethernet port can provide a...

Page 380: ... allow the S3026C PWR to supply power to PDs on spare lines and signal lines simultaneously Table 1 1 Configuring remote power feeding Device Configuration Default Description Enable remote power feeding on a port Enabled Press the mode button to detect power feeding on a port Select the power feeding mode on a port Power feeding through signal lines You can adjust the power feeding mode if necess...

Page 381: ...se detection on the connected PDs so as to find the some and feed power to them The detection itself does not impact the ongoing power feeding ports for it only detects those ports that are not in service Once it finds any PDs connected on certain ports are powered via spare lines the system will supply power to them The left LED of a port indicates the port power feeding status ON means the port ...

Page 382: ...er feeding port Operation Command Set the maximum power on an power feeding port poe max power max power Restore the default value undo poe max power By default a port supplies power under a maximum of 15400 milliwatt 1 2 5 Setting power management mode and Power Feeding Priority on a Port An S3026C PWR as a whole externally provides a total of 160W in extreme By default when reaching this maximum...

Page 383: ...nagement manual Restore the default value undo poe power management By default the power management mode is manual mode II Setting Power Feeding Priority on a Port Perform the following configurations in Ethernet port view to configure the power supply priority of the current port Table 1 6 Setting power feeding priority on a port Operation Command Set the power feeding priority of a port poe prio...

Page 384: ...n the switch reset poe configuration 1 2 8 Upgrading the PoE Daughter Card PoE function relies on the PoE daughter card inside the switch User can use this command to upgrade the application of PoE daughter card and the switch service is not interruptive during this process The process includes two steps 1 Download the software of PoE daughter card to switch Flash 2 Upgrade the PoE daughter card b...

Page 385: ...play poe powersupply For details about the parameters refer to the relevant command manual 1 4 Configuration Example 1 4 1 Power feeding Supply Configuration Example I Networking requirements Ethernet0 1 of the S3026C PWR connects to an S2016C Ethernet switch Ethernet0 2 connects to an Access Point AP and Ethernet0 24 is supposed to connect to an important AP The S3026C PWR supply power to its con...

Page 386: ...l to ensure preferential power supply for its PDs Quidway Ethernet0 24 poe priority critical Configure the power management mode in auto mode Quidway poe power management auto Enable the compatibility detection of PDs on the switch so that it can supply power to those PDs that do not comply with 802 3af Quidway undo poe legacy disable 1 4 2 Upgrading PoE daughter card Configuration Example I Netwo...

Page 387: ...switch Log into the switch locally through the Console port or remotely using Telnet Quidway Caution If the flash memory of the switch is not enough you need to first delete the existing programs in the flash memory and then upload the new ones Type in the right command in user view to establish FTP connection then correct username and password to log into the FTP server Quidway ftp 2 2 2 2 Trying...

Page 388: ...ry 1 10 Use the get command to download the new bin from the FTP server to the flash directory on the FTP server ftp get new bin Use the quit command to release FTP connection and return to user view ftp quit Quidway Enter system view Quidway system view Quidway Use the poe update command to upgrade the PoE daughter card Quidway poe update flash new bin ...

Page 389: ...Huawei Technologies Proprietary HUAWEI Quidway S3000 EI Series Ethernet Switches Operation Manual Appendix ...

Page 390: ...Operation Manual Appendix Quidway S3000 EI Series Ethernet Switches Table of Contents Huawei Technologies Proprietary i Table of Contents Appendix A Acronyms A 1 ...

Page 391: ...rotocol G GARP Generic Attribute Registration Protocol GE Gigabit Ethernet GVRP GARP VLAN Registration Protocol GMRP GARP Multicast Registration Protocol H HGMP Huawei Group Management Protocol I ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol IP Internet Protocol M MAC Medium Access Control MIB Management Information Base N NMS Network Management System NVRAM Nonvol...

Page 392: ... Proprietary A 2 S SNMP Simple Network Management Protocol STP Spanning Tree Protocol T TCP IP Transmission Control Protocol Internet Protocol TFTP Trivial File Transfer Protocol TTL Time To Live U UDP User Datagram Protocol V VLAN Virtual LAN VOD Video On Demand VT Virtual Terminal VTY Virtual Type Terminal ...

Search results

Summary of Contents for Quidway S3000-EI Series

Reviews:

Brands by name

Popular brands

Huawei Quidway S3000-EI Series, Operation Manual

Search results

Summary of Contents for Quidway S3000-EI Series

Reviews:

Brands by name

Popular brands