Huawei Quidway S3100 Series Operation Manual Download Page 205

Page: 205 / 514

Operation Manual – 802.1x
Quidway S3100 Series Ethernet Switches

Chapter 1 802.1x Configuration

Huawei Technologies Proprietary

1-3

Port-based authentication. When a port is controlled in this way, all the supplicant

systems connected to the port can access the network without being

authenticated after one supplicant system among them passes the authentication.

And when the authenticated supplicant system goes offline, the others are denied

as well.

MAC address-based authentication. All supplicant systems connected to a port

have to be authenticated individually in order to access the network. And when a

supplicant system goes offline, the others are not affected.

1.1.2 The Mechanism of an 802.1x Authentication System

IEEE 802.1x authentication system uses extensible authentication protocol (EAP) to

exchange information between the supplicant system and the authentication server.

Supplicant system

PAE

Authenticator

System PAE

EAPoL

EAP/PAP/CHAP exchanges
carried by RADIUS protocol

Supplicant system

PAE

Authenticator

System PAE

Authentication server

EAP/PAP/CHAP exchanges
carried by RADIUS protocol

Supplicant system

PAE

Authenticator

System PAE

Authentication server

EAPoL

EAP/PAP/CHAP exchanges
carried by RADIUS protocol

Supplicant system

PAE

Authenticator

System PAE

Authentication server

EAP/PAP/CHAP exchanges
carried by RADIUS protocol

Figure 1-2

The mechanism of an 802.1x authentication system

EAP protocol packets transmitted between the supplicant system and the

authenticator system are encapsulated as EAPoL packets.

EAP protocol packets transmitted between the supplicant system PAE and the

RADIUS server can either be encapsulated as EAPoR (EAP over RADIUS)

packets or be terminated at system PAEs (The system PAEs then communicate

with RADIUS servers through PAP (password authentication protocol) or CHAP

(challenge-handshake authentication protocol) protocol packets.)

When a supplicant system passes the authentication, the authentication server

passes the information about the supplicant system to the authenticator system.

The authenticator system in turn determines the state (authorized or unauthorized)

of the controlled port according to the instructions (accept or reject) received from

the RADIUS server.

1.1.3 Encapsulation of EAPoL Messages

I. The format of an EAPoL packet

EAPoL is a packet encapsulation format defined in 802.1x. To enable EAP protocol

packets to be transmitted between supplicant systems and authenticator systems

through LANs, EAP protocol packets are encapsulated in EAPoL format. The following

figure illustrates the structure of an EAPoL packet.

PAE Ethernet type

Protocol version

Length

Packet body

Type

PAE Ethernet type

Protocol version

Length

Packet body

Type

Figure 1-3

The format of an EAPoL packet

Summary of Contents for Quidway S3100 Series

Page 1: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual VRP3 10 Huawei Technologies Proprietary ...

Page 2: ...cts from the sales agent of Huawei Technologies Co Ltd please contact our sales agent If you purchase the products from Huawei Technologies Co Ltd directly Please feel free to contact our local office customer care center or company headquarters Huawei Technologies Co Ltd Address Administration Building Huawei Technologies Co Ltd Bantian Longgang District Shenzhen P R China Postal Code 518129 Webs...

Page 3: ... iTELLIN HUAWEI OptiX C C08iNET NETENGINE OptiX iSite U SYS iMUSE OpenEye Lansway SmartAX infoX and TopEng are trademarks of Huawei Technologies Co Ltd All other trademarks and trade names mentioned in this manual are the property of their respective holders Notice The information in this manual is subject to change without notice Every effort has been made in the preparation of this manual to ens...

Page 4: ...sting the users in using various commands Organization Quidway S3100 Series Ethernet Switches Operation Manual consists of the following parts z Product Overview Introduces the technical specifications service features and network design of the Ethernet Switch z CLI Introduces the command hierarchy command view and CLI features of the Ethernet Switch z Login Introduces several ways to log onto an ...

Page 5: ...ions z Centralized MAC Address Authentication Introduces centralized MAC address authentication and the related configuration z ARP Introduces ARP and the related configuration z DHCP Snooping Introduces DHCP snooping and the related configuration z ACL Introduces ACL and the related configuration z QoS Introduces QoS and the related configuration z IGMP Snooping Introduces IGMP snooping and the r...

Page 6: ...tem Maintenance and Debugging Introduces daily maintenance and debugging to the system z Appendix Lists the acronyms in this manual Intended Audience The manual is intended for the following readers z Network engineers z Network administrators z Customers who are familiar with network fundamentals Conventions The manual uses the following conventions I General conventions Convention Description Ar...

Page 7: ...kets and separated by vertical bars Many or none can be selected A line starting with the sign is comments III GUI conventions Convention Description Button names are inside angle brackets For example click the OK button Window names menu items data table and field names are inside square brackets For example pop up the New User window Multi level menus are separated by forward slashes For example...

Page 8: ...uickly without moving the pointer Drag Press and hold the primary mouse button and move the pointer to a certain position VI Symbols Eye catching symbols are also used in the manual to highlight the points worthy of special attention during the operation They are defined as follows Caution Warning Danger Means reader be extremely careful during the operation Note Comment Tip Knowhow Thought Means ...

Page 9: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Product Overview Huawei Technologies Proprietary ...

Page 10: ... Contents Chapter 1 Product Overview 1 1 1 1 Introduction 1 1 1 2 Technical Specifications 1 2 1 2 1 S3126T S3116T S3108T 1 2 1 2 2 S3126C S3116C S3108C 1 2 1 3 Service Features 1 3 1 3 1 S3126T S3116T S3108T 1 4 1 3 2 S3126C S3116C S3108C 1 6 Chapter 2 Network Design 2 1 2 1 MAN Access Solution 2 1 2 2 Education Network Solution 2 1 ...

Page 11: ...evices for 100 Mbps to desktop applications In metropolitan area networks MANs or various industry networks they connect end users or aggregate low end switches through 100 Mbps electrical interfaces in the downlink direction and converge at an IP switching center or a large capacity Layer 3 switch in the uplink direction through GE interface or link aggregation Currently the S3100 series include ...

Page 12: ...TX autosensing ports 1x 10 100 1000BASE T port 8x 10 100BASE TX autosensing ports 1x 10 100 1000BASE T port Management port One console port Power supply AC input Rated voltage range 100 VAC to 240 VAC 50 Hz or 60 Hz Max voltage range 90 VAC to 264 VAC 47 Hz to 63 Hz PoE Not supported Not supported Not supported Max power consumption 20 W 12 W 10 W Fan None None None Operating temperature 0 C to 4...

Page 13: ...m 24 86 mi 1000BASE LH70 LC connector 70 km 43 50 mi 1000BASE STACK not supported by S3108C 100BASE TX PD Powered Device not supported by S3126C Management port One console port Power supply Two models of switches are available one supports AC input and the other supports DC input AC input Rated voltage range 100 VAC to 240 VAC 50 Hz or 60 Hz Max voltage range 90 VAC to 264 VAC 47 Hz to 63 Hz DC i...

Page 14: ...stration protocol VLAN interface One VLAN virtual interface Broadcast storm suppression Port bandwidth percentage based suppression Multicast IGMP Snooping Internet group management protocol snooping Spanning tree protocol STP RSTP rapid STP MSTP multiple STP Up to 16 spanning tree instances Port aggregation Manual link aggregation through command line FE GE Fast Ethernet Gigabit Ethernet link agg...

Page 15: ...and line interface Remote configuration through Telnet Configuration through console port SNMP simple network management protocol 1 2 3 9 group MIBs of RMON Remote Monitoring Huawei Quidview NMS Web based network management System log Hierarchical alarm Maintenance Debug information output Ping traceroute multicast traceroute Telnet VCT virtual cable test QoS ACL Four output queues on each port 80...

Page 16: ...hing capacity All ports support wire speed forwarding 8 8 Gbps All ports support wire speed forwarding 7 2 Gbps All ports support wire speed forwarding 3 6 Gbps Wire speed Layer 2 switching Packet forwarding rate 6 55 Mpps 5 36 Mpps 2 68 Mpps Switching mode Store and forward VLAN Up to 4 K IEEE 802 1Q compliant VLAN GVRP VLAN interface One VLAN virtual interface Broadcast storm suppression Port ba...

Page 17: ...l IEEE 802 3x flow control full duplex Back pressure based flow control half duplex Loading and upgrade XModem FTP TFTP Management Configuration through CLI Remote configuration through Telnet Configuration through console port SNMP 1 2 3 9 group MIBs of RMON Huawei Quidview NMS Web based network management System log Hierarchical alarm Maintenance Debug information output Ping traceroute multicas...

Page 18: ... 1 8 Item S3126C S3116C S3108C Security Hierarchical user management and password protection Guest VLAN IEEE 802 1x authentication MAC address based authentication Centralized MAC address authentication SSH2 0 DHCP dynamic host configuration protocol DHCP Client DHCP snooping NTP Supported HGMP V2 Supported Supported Not supported ...

Page 19: ...ct to an aggregation layer Layer 3 switches or Quidway MA5200 intelligent service gateways which further connect to the core of the MAN through routers This provides you a comprehensive gigabit to backbone 100 Mbps to desktop MAN solution Figure 2 1 Network diagram for a MAN using S3100 series 2 2 Education Network Solution In a campus network the S3100 series can serve as desktop switching device...

Page 20: ...peration Manual Product Overview Quidway S3100 Series Ethernet Switches Chapter 2 Network Design Huawei Technologies Proprietary 2 2 Figure 2 2 Network diagram for an education network using S3100 series ...

Page 21: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual CLI Huawei Technologies Proprietary ...

Page 22: ... 1 1 1 1 Introduction to the CLI 1 1 1 2 Command Protection Command View 1 1 1 2 1 Switching between User Levels 1 2 1 2 2 Configuring the Level of a Specific Command in a Specific View 1 3 1 2 3 CLI Views 1 3 1 3 CLI Features 1 7 1 3 1 Online Help 1 7 1 3 2 Terminal Display 1 8 1 3 3 Command History 1 9 1 3 4 Error Messages 1 9 1 3 5 Command Edit 1 10 ...

Page 23: ...s fall into four protection levels visit monitor system and manage z Visit level Commands at this level are mainly used to diagnose network and change the language mode of user interface and cannot be saved in configuration files For example the ping tracert and language mode commands are at this level z Monitor level Commands at this level are mainly used to maintain the system and diagnose servi...

Page 24: ...user level identified by the level argument super password level level simple cipher password Optional A password is necessary only when a user switches from a lower user level to a higher user level II Switching to another user level Table 1 2 lists operations to switch to another user level Table 1 2 Switch to another user level Operation Command Description Switch to the user level identified b...

Page 25: ...cific view command privilege level level view view command Required Use this command with caution to prevent inconvenience on maintenance and operation 1 2 3 CLI Views CLI views are designed for different configuration tasks They are interrelated You will enter user view once you log into a switch successfully where you can perform operations such as displaying operation status and statistical inf...

Page 26: ...the system view command in user view Execute the quit or return command to return to user view Ethernet port view Configure Ethernet port parameters Quidway Eth ernet1 0 1 Execute the interface ethernet 1 0 1 command in system view Execute the quit command to return to system view Execute the return command to return to user view VLAN view Configure VLAN parameters Quidway Vla n1 Execute the vlan ...

Page 27: ...w Execute the return command to return to user view User interface view Configure user interface parameters Quidway ui0 Execute the user interface 0 command in system view Execute the quit command to return to system view Execute the return command to return to user view FTP client view Configure FTP client parameters ftp Execute the ftp command in user view Execute the quit command to return to u...

Page 28: ... key code begin command in public key view Execute the public key co de end command to return to public key view Basic ACL view Define rules for a basic ACL ACLs with their IDs ranging from 2000 to 2999 are basic ACLs Quidway acl basic 2000 Execute the acl number 2000 command in system view Execute the quit command to return to system view Execute the return command to return to user view Advance ...

Page 29: ...racter in any view on your terminal to display all the commands available in the view and their brief descriptions The following takes user view as an example Quidway User view commands boot Set boot option cd Change the current path clock Specify the system clock cluster Run cluster command copy Copy the file debugging Enable system debugging functions delete Delete the file dir Display the file ...

Page 30: ...nds beginning with the string For example Quidway pi ping Enter a command a space and a string followed by a character on your terminal to display all the keywords that belong to the command and begin with the string if available For example Quidway display ver version Enter a command the first several characters of an available keyword which uniquely identifies the keyword and press Tab to comple...

Page 31: ... down arrow key or Ctrl N This operation recalls the next history command if available Note As the Up and Down keys have different meanings in HyperTerminal running on Windows 9x these two keys can be used to recall history commands only in terminals running Windows 3 x or Telnet running in Windows 3 x You can press Ctrl P or Ctrl N in Windows 9x to achieve the same purpose 1 3 4 Error Messages If...

Page 32: ...lete the character on the left of the cursor and move the cursor one character to the left The left arrow key or Ctrl B Move the cursor one character to the left The right arrow key or Ctrl F Move the cursor one character to the right The up arrow key or Ctrl P The down arrow key or Ctrl N Access history commands The Tab key Utilize the partial online help That is when you enter an incomplete keyw...

Page 33: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Login Huawei Technologies Proprietary ...

Page 34: ...sole Port Login Configuration with Authentication Mode Being Password 2 9 2 5 1 Configuration Procedure 2 9 2 5 2 Configuration Example 2 11 2 6 Console Port Login Configuration with Authentication Mode Being Scheme 2 12 2 6 1 Configuration Procedure 2 12 2 6 2 Configuration Example 2 15 Chapter 3 Logging in through Telnet 3 1 3 1 Introduction 3 1 3 1 1 Common Configuration 3 1 3 1 2 Telnet Config...

Page 35: ...roduction 6 1 6 2 Connection Establishment Using NMS 6 2 Chapter 7 Controlling Login Users 7 1 7 1 Introduction 7 1 7 2 Controlling Telnet Users 7 1 7 2 1 Prerequisites 7 1 7 2 2 Controlling Telnet Users by Source IP Addresses 7 1 7 2 3 Controlling Telnet Users by Source and Destination IP Addresses 7 2 7 2 4 Configuration Example 7 3 7 3 Controlling Network Management Users by Source IP Addresses...

Page 36: ... Interface 1 2 1 Supported User Interfaces The S3100 series Ethernet switch supports two types of user interfaces AUX and VTY Table 1 1 Description on user interface User interface Applicable user Port used Description AUX Users logging in through the Console port Console port Each switch can accommodate one AUX user VTY Telnet users and SSH users Ethernet port Each switch can accommodate up to fi...

Page 37: ...interface is not locked by default Specify to send messages to all user interfaces a specified user interface send all number type number Optional Execute this command in user view Disconnect a specified user interface free user interface type number Optional Execute this command in user view Enter system view system view Enter user interface view user interface type first number last number Set t...

Page 38: ...ogies Proprietary 1 3 Caution The auto execute command command may cause you unable to perform common configuration in the user interface so use it with caution Before executing the auto execute command command and save your configuration make sure you can log into the switch in other modes and cancel the configuration ...

Page 39: ...e port Table 2 1 The default settings of a Console port Setting Default Baud rate 9 600 bps Flow control Off Check mode No check bit Stop bits 1 Data bits 8 After logging into a switch you can perform configuration for AUX users Refer to section 2 3 Console Port Login Configuration for more 2 2 Setting up the Connection to the Console Port z Connect the serial port of your PC terminal to the Conso...

Page 40: ...hrough the Console Port Huawei Technologies Proprietary 2 2 created Normally the parameters of a terminal are configured as those listed in Table 2 1 And the type of the terminal is set to VT100 Figure 2 2 Create a connection Figure 2 3 Specify the port used to establish the connection ...

Page 41: ...by executing commands You can also acquire help by type the character Refer to the following chapters for information about the commands 2 3 Console Port Login Configuration 2 3 1 Common Configuration Table 2 2 lists the common configuration of Console port login Table 2 2 Common configuration of Console port login Configuration Description Baud rate Optional The default baud rate is 9 600 bps Che...

Page 42: ... contain up to 10 commands Terminal configuration Set the timeout time of a user interface Optional The default timeout time is 10 minutes Caution Changing of Console port configuration terminates the connection to the Console port To establish the connection again you need to modify the configuration of the termination emulation utility running on your PC accordingly Refer to section 2 2 Setting ...

Page 43: ...l authentication or RADIUS authentication Optional Local authentication is performed by default Refer to the AAA RADIUS module for more Configure user name and password Configure user names and passwords for local remote users Required z The user name and password of a local user are configured on the switch z The user name and password of a remote user are configured on the DADIUS server Refer to...

Page 44: ... is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The stop bits of a Console port is 1 Configure the Console port Set the data bits databits 7 8 Optional The default data bits of a Console port is 8 Configure the command level available to users logging into the ...

Page 45: ...hat the command level available to users logging into a switch depends on both the authentication mode password scheme none command and the user privilege level level command as listed in the following table Table 2 5 Determine the command level A Scenario Authentication mode User type Command Command level The user privilege level level command not executed Level 3 None authentication mode none U...

Page 46: ...ystem view Quidway system view Enter AUX user interface view Quidway user interface aux 0 Specify not to authenticate users logging in through the Console port Quidway ui aux0 authentication mode none Specify commands of level 2 are available to users logging into the AUX user interface Quidway ui aux0 user privilege level 2 Set the baud rate of the Console port to 19 200 bps Quidway ui aux0 speed...

Page 47: ...e password Required Set the baud rate speed speed value Optional The default baud rate of an AUX port also the Console port is 9 600 bps Set the check de mo parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Console port is 1 Configur e the Console port Set the data bit...

Page 48: ...econds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the idle timeout 0 command to disable the timeout function Note that the level the commands of which are available to users logging into a switch depends on...

Page 49: ...terface z The baud rate of the Console port is 19 200 bps z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of the AUX user interface is 6 minutes II Network diagram User PC running Telnet Ethernet1 0 1 Ethernet User PC running Telnet Ethernet1 0 1 Ethernet Figure 2 6 Network diagram for AUX user interface configuration with the aut...

Page 50: ...guration with Authentication Mode Being Scheme 2 6 1 Configuration Procedure Table 2 8 Console port login configuration with the authentication mode being scheme Operation Command Description Enter system view system view Enter the default ISP domain view domain system Specify the AAA scheme to be applied to the omain d scheme local radius scheme radius scheme name local none Configu re the authen...

Page 51: ...thenticate users locally or remotely Users are authenticated locally by default Set the baud rate speed speed value Optional The default baud rate of the AUX port also the Console port is 9 600 bps Set the check mode parity even none odd Optional By default the check mode of a Console port is set to none that is no check bit Set the stop bits stopbits 1 1 5 2 Optional The default stop bits of a Co...

Page 52: ...er size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time for the user interface idle timeout minutes seconds Optional The default timeout time of a user interface is 10 minutes With the timeout time being 10 minutes the connection to a user interface is terminated if no operation is performed in the user interface within 10 minutes You can use the ...

Page 53: ...mode scheme Users logging into the Console port and pass AAA RADI US or local authenticati on The user privilege level level command is executed and the service type terminal level level command specifies the available command level Determined by the service type terminal level level command 2 6 2 Configuration Example I Network requirements Assume that you are a level 3 VTY user and want to perfo...

Page 54: ...w Create a local user named guest and enter local user view Quidway local user guest Set the authentication password to 123456 in plain text Quidway luser guest password simple 123456 Set the service type to Terminal Quidway luser guest service type terminal level 2 Quidway luser guest quit Enter AUX user interface view Quidway user interface aux 0 Configure to authenticate users logging in throug...

Page 55: ...es Proprietary 2 17 Set the maximum number of lines the screen can contain to 30 Quidway ui aux0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Quidway ui aux0 history command max size 20 Set the timeout time of the AUX user interface to 6 minutes Quidway ui aux0 idle timeout 6 ...

Page 56: ...e Refer to the Management VLAN Configuration module for more Switch The authentication mode and other settings are configured Refer to Table 3 2 and Table 3 3 Telnet is running Telnet terminal The IP address of the management VLAN of the switch is available 3 1 1 Common Configuration Table 3 2 lists the common Telnet configuration Table 3 2 Common Telnet configuration Configuration Description Con...

Page 57: ...n up to 10 commands VTY terminal configuration Set the timeout time of a user interface Optional The default timeout time is 10 minutes 3 1 2 Telnet Configurations for Different Authentication Modes Table 3 3 lists Telnet configurations for different authentication modes Table 3 3 Telnet configurations for different authentication modes Authentication mode Telnet configuration Description None Per...

Page 58: ...r are configured on the switch z The user name and password of a remote user are configured on the DADIUS server Refer to user manual of RADIUS server for more Manage VTY users Set service type for VTY users Required Scheme Perform common configuration Perform common Telnet configuration Optional Refer to Table 3 2 3 2 Telnet Configuration with Authentication Mode Being None 3 2 1 Configuration Pr...

Page 59: ...t the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the VTY user interface idle timeout minutes se...

Page 60: ...ment 3 2 2 Configuration Example I Network requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 Do not authenticate users logging into VTY 0 Commands of level 2 are available to users logging into VTY 0 Telnet protocol is supported The screen can contain up to 30 lines The history command buffer can contain up to 20...

Page 61: ...tain to 30 Quidway ui vty0 screen length 30 Set the maximum number of commands the history command buffer can store to 20 Quidway ui vty0 history command max size 20 Set the timeout time to 6 minutes Quidway ui vty0 idle timeout 6 3 3 Telnet Configuration with Authentication Mode Being Password 3 3 1 Configuration Procedure Table 3 6 Telnet configuration with the authentication mode being password...

Page 62: ...een can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set the history command buffer size history command max size value Optional The default history command buffer size is 10 That is a history command buffer can store up to 10 commands by default Set the timeout time of the user interface idle timeout minutes seconds Optiona...

Page 63: ...ork requirements Assume that you are a level 3 AUX user and want to perform the following configuration for Telnet users logging into VTY 0 z Authenticate users logging into VTY 0 using the local password z Set the local password to 123456 in plain text z Commands of level 2 are available to users logging into VTY 0 z Telnet protocol is supported z The screen can contain up to 30 lines z The histo...

Page 64: ...3456 in plain text Quidway ui vty0 set authentication password simple 123456 Specify commands of level 2 are available to users logging into VTY 0 Quidway ui vty0 user privilege level 2 Configure Telnet protocol is supported Quidway ui vty0 protocol inbound telnet Set the maximum number of lines the screen can contain to 30 Quidway ui vty0 screen length 30 Set the maximum number of commands the hi...

Page 65: ...f you specify to apply the local AAA scheme you need to perform the configuration concerning local user as well If you specify to apply an existing scheme by providing the radius scheme name argument you need to perform the following configuration as well z Perform AAA RADIUS configuration on the switch Refer to the AAA RADIUS module for more z Configure the user name and password accordingly on t...

Page 66: ... default Make terminal services available shell Optional Terminal services are available in all use interfaces by default Set the maximum number of lines the screen can contain screen length screen length Optional By default the screen can contain up to 24 lines You can use the screen length 0 command to disable the function to display information in pages Set history command buffer size history c...

Page 67: ...e command does not specify the available command level Level 0 The user privilege level level command is not executed and the rvice type command fies the available command level se speci Determined by the service type command The user privilege l level command is executed and the service type command does not specify the available command level leve Level 0 VTY users that are AAA RADIUS authentica...

Page 68: ...evel command is not executed and the service type command does not specify the available command level Level 0 The user privilege level level command is not executed and the rvice type command fies the available command level se speci Determined by the service type command The user privilege level level command is executed and the service type command does not specify the available command level L...

Page 69: ...re available to users logging into VTY 0 z Telnet protocol is supported in VTY 0 z The screen can contain up to 30 lines z The history command buffer can store up to 20 commands z The timeout time of VTY 0 is 6 minutes II Network diagram Console cable RS 232 Console port Console cable RS 232 Figure 3 3 Network diagram for Telnet configuration with the authentication mode being scheme III Configura...

Page 70: ...elneting to a Switch from a Terminal You can Telnet to a switch and then to configure the switch if the interface of the management VLAN of the switch is assigned an IP address To assign an IP address to the interface of the management VLAN of a switch you can log into the switch through its Console port enter VLAN interface view and execute the ip address command Following are procedures to estab...

Page 71: ... the following figure Figure 3 5 Launch Telnet Step 4 Enter the password when the Telnet window displays Login authentication and prompts for login password The CLI prompt such as Quidway appears if the password is correct If all VTY user interfaces of the switch are in use you will fail to establish the connection and receive the message that says All user interfaces are used please try later A Q...

Page 72: ...led as Telnet client you can Telnet to another switch labeled as Telnet server by executing the telnet command and then to configure the later Telnet client PC Telnet server Telnet client PC Telnet server h Figure 3 6 Network diagram for Telneting to another switch from the current switc Step 1 Configure the user name and password for Telnet on the switch operating as the Telnet server Refer to se...

Page 73: ...wei Technologies Proprietary 3 18 Step 5 After successfully Telneting to the switch you can configure the switch or display the information about the switch by executing corresponding commands You can also type at any time for help Refer to the following chapters for the information about the commands ...

Page 74: ...ed in the following table Table 4 1 Requirements for logging into a switch using a modem Item Requirement The PC can communicate with the modem connected to it The modem is properly connected to PSTN Administrator side The telephone number of the switch side is available The modem is connected to the Console port of the switch properly The modem is properly configured The modem is properly connect...

Page 75: ... 2 Switch Configuration Note After logging into a switch through its Console port by using a modem you will enter the AUX user interface The corresponding configuration on the switch is the same as those when logging into the switch locally through its Console port except that z When you log in through the Console port using a modem the baud rate of the Console port is usually set to a value lower...

Page 76: ...Console Port Login Configuration with Authentication Mode Being Scheme for more Step 2 Perform the following configuration on the modem directly connected to the switch AT F Restore the factory settings ATS0 1 Configure to answer automatically after the first ring AT D Ignore DTR signal AT K0 Disable flow control AT R1 Ignore RTS signal AT S0 Set DSR to high level by force ATEQ1 W Disable the mode...

Page 77: ...e line Mode S m erial cable Telephone number Console port PC s 82882285 PSTN Figure 4 1 Establish the connection by using modem Step 4 Launch a terminal emulation utility on the PC and set the telephone number to call the modem directly connected to the switch as shown in Figure 4 2 and Figure 4 3 Note that you need to set the telephone number to that of the modem directly connected to the switch ...

Page 78: ...d is correct the prompt such as Quidway appears You can then configure or manage the switch You can also enter the character at anytime for help Refer to the following chapters for information about the configuration commands Note If you perform no AUX user related configuration on the switch the commands of level 3 are available to modem users Refer to the CLI Overview module for information abou...

Page 79: ...into a switch through the Web based network management system Item Requirement The management VLAN of the switch is configured The route between the switch and the network management terminal is available Refer to the Management VLAN Configuration module for more Switch The user name and password for logging into the Web based network management system are configured IE is available PC operating a...

Page 80: ...ty check set to off and flow control set to off z Turn on the switch When the switch is starting the information about self testing appears on the terminal window When you press Enter after the self testing finishes the prompt such as Quidway appears as shown in the following figure Figure 5 2 The terminal window z Execute the following commands in the terminal window to assign an IP address to th...

Page 81: ...vel 3 Set the password to admin Quidway luser admin password simple admin z Configure a static route from the switch to the gateway Quidway ip route static 0 0 0 0 255 255 255 255 Step 3 Establish an HTTP connection between your PC and the switch as shown in the following figure PC HTTP Connection Sw itch PC HTTPConnection PC HTTP Connection Sw itch PC HTTPconnection PC HTTP Connection Sw itch PC ...

Page 82: ...ent System Huawei Technologies Proprietary 5 4 Step 5 When the login interface shown in Figure 5 4 appears enter the user name and the password configured in step 2 and click Login to bring up the main page of the Web based network management system Figure 5 4 The login page of the Web based network management system ...

Page 83: ...nd as the server z SNMP simple network management protocol is applied between the NMS and the agent To log into a switch through an NMS you need to perform related configuration on both the NMS and the switch Table 6 1 Requirements for logging into a switch through an NMS Item Requirement The management VLAN of the switch is configured The route between the NMS and the switch is available Refer to...

Page 84: ... 6 Logging in through NMS Huawei Technologies Proprietary 6 2 6 2 Connection Establishment Using NMS PC S3100 NMS Network PC S3100 series switch NMS Netw ork PC S3100 NMS Network PC S3100 series switch NMS Netw ork Figure 6 1 Network diagram for logging in through an NMS ...

Page 85: ...ing Telnet Users by Source and Destination IP Addresses SNMP By source IP addresses Through basic ACLs Section 7 3 Controlling Network Management Users by Source IP Addresses By source IP addresses Through basic ACLs Section 7 4 Controlling Web Users by Source IP Address WEB Disconnect Web users by force By executing commands in CLI Section 7 4 3 Disconnecting a Web User by Force 7 2 Controlling T...

Page 86: ...und outbound Required The inbound keyword specifies to filter the users trying to Telnet to the current switch The outbound keyword specifies to filter users trying to Telnet to other switches from the current switch 7 2 3 Controlling Telnet Users by Source and Destination IP Addresses Controlling Telnet users by source and destination IP addresses is achieved by applying advanced ACLs which are n...

Page 87: ...he outbound keyword specifies to filter users trying to Telnet to other switches from the current switch Note You can define ACL rules to filter the source IP destination IP source port and destination port But the system cannot match such advanced fields as fragment tos precedence and dscp defined in ACL rules here 7 2 4 Configuration Example I Network requirements Only the Telnet users sourced f...

Page 88: ...rs by source IP addresses z Defining an ACL z Applying the ACL to control users accessing the switch through SNMP 7 3 1 Prerequisites The controlling policy against network management users is determined including the source IP addresses to be controlled and the controlling actions permitting or denying 7 3 2 Controlling Network Management Users by Source IP Addresses Controlling network managemen...

Page 89: ...rivacy mode des56 priv password acl acl number Optional Note You can specify different ACLs while configuring the SNMP community name the SNMP group name and the SNMP user name As SNMP community name is a feature of SNMP V1 and SNMP V2 the specified ACLs in the command that configures SNMP community names the snmp agent community command take effect in the network management systems that adopt SNM...

Page 90: ...ource 10 110 100 52 0 Quidway acl basic 2000 rule 2 permit source 10 110 100 46 0 Quidway acl basic 2000 rule 3 deny source any Quidway acl basic 2000 quit Apply the ACL to only permit SNMP users sourced from the IP addresses of 10 110 100 52 and 10 110 100 46 to access the switch Quidway snmp agent community read huawei acl 2000 Quidway snmp agent group v2c huaweigroup acl 2000 Quidway snmp agent...

Page 91: ...r basic ACL view acl number acl number match order config auto As for the acl number command the config keyword is specified by default Define rules for the ACL rule rule id permit deny source sour addr sour wildcard any time range time name fragment Required Quit to system view quit Apply the ACL to control Web users ip http acl acl number Optional 7 4 3 Disconnecting a Web User by Force The admi...

Page 92: ...etwork diagram for controlling Web users using ACL III Configuration procedure Define a basic ACL Quidway system view Quidway acl number 2030 match order config Quidway acl basic 2030 rule 1 permit source 10 110 100 46 0 Quidway acl basic 2030 rule 2 deny source any Apply the ACL to only permit the Web users sourced from the IP address of 10 110 100 46 to access the switch Quidway ip http acl 2030...

Page 93: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual VLAN Huawei Technologies Proprietary ...

Page 94: ...Contents Chapter 1 VLAN Configuration 1 1 1 1 VLAN Overview 1 1 1 1 1 Introduction to VLAN 1 1 1 1 2 VLAN Classification 1 2 1 2 VLAN Configuration 1 2 1 2 1 Basic VLAN Configuration 1 2 1 2 2 Creating VLANs in Batches 1 3 1 2 3 Configuring a Port Based VLAN 1 3 1 3 Displaying a VLAN 1 3 1 4 VLAN Configuration Example 1 4 ...

Page 95: ...directly Figure 1 1 illustrates a VLAN implementation VLAN A VLAN B VLAN A VLAN B VLAN A VLAN B LAN Switch LAN Switch Router Figure 1 1 A VLAN implementation A VLAN can span across multiple switches or even routers This enables hosts in a VLAN to be dispersed in a more loose way That is hosts in a VLAN can belong to different physical network segment VLAN enjoys the following advantages 1 Broadcas...

Page 96: ...AN Among these VLANs the members of a port based VLAN are defined in terms of switch ports You can add ports to which close related hosts are connected to the same port based VLAN This is also the simplest yet most effective way to create VLANs Note Currently S3100 series switches only support port based VLANs 1 2 VLAN Configuration 1 2 1 Basic VLAN Configuration Table 1 1 Basic VLAN configuration...

Page 97: ...system view system view Create a VLAN and enter VLAN view vlan vlan id Required The vlan id argument ranges from 1 to 4 094 Add specified Ethernet ports to the VLAN port interface list Required By default all the ports belong to the default VLAN Caution The configuration listed in Table 1 3 is only applicable to access ports To add trunk ports and hybrid ports to a VLAN you can use the port trunk ...

Page 98: ...0 3 and Ethernet1 0 4 ports to VLAN 3 II Network diagram VLAN3 Switch VLAN3 E1 0 4 VLAN2 VLAN3 VLAN2 E1 0 1 VLAN3 VLAN3 VLAN2 VLAN3 VLAN3 E1 0 3 VLAN3 E1 0 2 VLAN2 VLAN3 Switch VLAN3 E1 0 4 VLAN2 VLAN3 VLAN2 E1 0 1 VLAN3 VLAN3 VLAN2 VLAN3 VLAN3 E1 0 3 VLAN3 E1 0 2 VLAN2 Figure 1 2 Network diagram for VLAN configuration III Configuration procedure Create VLAN 2 and enter VLAN view Quidway system vi...

Page 99: ...Quidway S3100 Series Ethernet Switches Chapter 1 VLAN Configuration Huawei Technologies Proprietary 1 5 Quidway vlan2 vlan 3 Add Ethernet1 0 3 and Ethernet1 0 4 ports to VLAN 3 Quidway vlan3 port ethernet1 0 3 ethernet1 0 4 ...

Page 100: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Management VLAN Huawei Technologies Proprietary ...

Page 101: ... Static Route 1 1 1 2 Management VLAN Configuration 1 2 1 2 1 Prerequisites 1 2 1 2 2 Configuring the Management VLAN 1 2 1 2 3 Configuration Example 1 3 1 3 Displaying and Debugging Management VLAN 1 5 Chapter 2 DHCP BOOTP Client Configuration 2 1 2 1 Introduction to DHCP Client 2 1 2 2 Introduction to BOOTP Client 2 3 2 3 DHCP BOOTP Client Configuration 2 4 2 3 1 Prerequisites 2 4 2 3 2 Configur...

Page 102: ...writes the one obtained in the previously configured way and the overwritten IP address is then released For example if you assign an IP address to a VLAN interface by using the corresponding commands and then apply for another IP address through BOOTP using the ip address bootp alloc command the former IP address will be removed and the final IP address of the VLAN interface is the one obtained t...

Page 103: ... VLAN to be the management VLAN management vlan vlan id Required By default VLAN 1 operates as the management VLAN Create the management VLAN interface and enter VLAN interface view interface vlan interface vlan id Required Assign an IP address to the management VLAN interface ip address ip address net mask bootp alloc dhcp alloc Required By default the management VLAN interface has no IP address ...

Page 104: ...nagement vlan vlan id command is consistent with that of the management VLAN z Shutting down or bringing up a management VLAN interface has no effect on the up down status of the Ethernet ports in the management VLAN Note If the Stack function is enabled on the switch the secondary devices of a stack will repeatedly joint and leave the primary device after you use the shutdown command on the manag...

Page 105: ...d configure VLAN 10 to be the management VLAN QuidwayA vlan 10 QuidwayA vlan10 quit QuidwayA management vlan 10 Create the VLAN 10 interface and enter VLAN interface view QuidwayA interface vlan interface 10 Configure the IP address of VLAN 10 interface to be 1 1 1 1 QuidwayA Vlan interface10 ip address 1 1 1 1 255 255 255 0 QuidwayA Vlan interface10 quit Configure a default route QuidwayA ip rout...

Page 106: ... detailed information about the routing table display ip routing table verbose Display the routes leading to a specified IP address display ip routing table ip address mask longer match verbose Display the routes leading to specified IP addresses display ip routing table ip address1 mask1 ip address2 mask2 verbose Display the routes filtered by a specified access control list ACL display ip routin...

Page 107: ...ber of the computers exceeds that of the available IP addresses The dynamic host configuration protocol DHCP is developed to meet these requirements It adopts the client server model The DHCP client requests configuration information from the DHCP server dynamically and the DHCP server returns corresponding configuration information based on policies A typical DHCP implementation usually involves ...

Page 108: ...mation with the DHCP server in different phases Usually the following three modes are involved 1 The DHCP client accesses the network for the first time In this case the DHCP client goes through the following four phases to establish connections with the DHCP server z Discovery The DHCP client discovers a DHCP server by broadcasting DHCP_Discover packets in the network Only the DHCP servers respon...

Page 109: ...DHCP client the DHCP server responds with a DHCP_NAK packet which enables the DHCP client to request for a new IP address by sending a DHCP_Discover packet once again 3 The DHCP client extends the lease of an IP address IP addresses assigned dynamically are only valid for a specified period of time and the DHCP servers reclaim their assigned IP addresses at the expiration of these periods Therefor...

Page 110: ...nfiguring the management VLAN you need to create the VLAN to be operating as the management VLAN As VLAN1 is created by default you do not need to create it if you configure VLAN 1 to be the management VLAN 2 3 2 Configuring a DHCP BOOTP Client Table 2 1 Configure DHCP BOOTP client Operation Command Remark Enter system view system view Required Configure a specified VLAN to be the management VLAN ...

Page 111: ...m the following configuration for the switch z Configuring the management VLAN interface to obtain an IP address through DHCP z Configuring a default route II Configuration procedures Enter system view QuidwayA system view Create VLAN 10 and configure VLAN 10 to be the management VLAN QuidwayA vlan 10 QuidwayA vlan10 quit QuidwayA management vlan 10 Create VLAN 10 interface and enter VLAN interfac...

Page 112: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual GVRP Huawei Technologies Proprietary ...

Page 113: ...ble of Contents Chapter 1 GVRP Configuration 1 1 1 1 Introduction to GVRP 1 1 1 1 1 GVRP Mechanism 1 1 1 1 2 GVRP Packet Format 1 3 1 1 3 Protocol Specifications 1 4 1 2 GVRP Configuration 1 4 1 2 1 Configuration Prerequisite 1 4 1 2 2 Configuration Procedure 1 4 1 3 Displaying GVRP 1 6 1 4 Configuration Example 1 6 ...

Page 114: ...s get to and so on and propagate the local VLAN registration information to other switches so that all the switching devices in the same switching network can have the same VLAN information The VLAN registration information includes not only the static registration information configured locally but also the dynamic registration information from other switches 1 1 1 GVRP Mechanism I GARP Timers Th...

Page 115: ... re register all the attribute information on this entity After that the entity restarts the LeaveAll timer to begin a new cycle II GVRP port registration mode GVRP has the following port registration modes z Normal In this mode both dynamic and manual creation registration and unregistration of VLANs are allowed z Fixed In this mode when you create a static VLAN on a switch and the packets of thi...

Page 116: ...e packet fields in the above figure Table 1 1 Description of the packet fields Field Description Value Protocol ID Protocol ID 1 Message Each message consists of two parts Attribute Type and Attribute List Attribute Type It is defined by specific GARP application The attribute type of GVRP is 0x01 Attribute List It contains multiple attributes Attribute Each general attribute consists of three par...

Page 117: ...on tasks include configuring the timers enabling GVRP and configuring the GVRP port registration mode 1 2 1 Configuration Prerequisite The port on which GVRP will be enabled must be set to a Trunk port 1 2 2 Configuration Procedure Table 1 2 Configuration procedure Operation Command Description Enter system view system view Configure the LeaveAll timer garp timer leaveall timer value Optional By d...

Page 118: ...her value to change the timeout range of this timer The following table describes the relations between the timers Table 1 3 Relations between the timers Timer Lower threshold Upper threshold Hold 10 centiseconds This upper threshold is less than or equal to one half of the timeout time of the Join timer You can change the threshold by changing the timeout time of the Join timer Join This lower th...

Page 119: ...n user view to clear the GARP statistics Table 1 4 Display GVRP Operation Command Display the GARP statistics display garp statistics interface interface list Display the timeouts of the GARP timers display garp timer interface interface list Display the GVRP statistics display gvrp statistics interface interface list Display the global GVRP status display gvrp status Clear the GARP statistics in ...

Page 120: ...dway interface Ethernet1 0 1 Quidway Ethernet1 0 1 port link type trunk Quidway Ethernet1 0 1 port trunk permit vlan all Enable GVRP on the Trunk port Quidway Ethernet1 0 1 gvrp z Configure switch B Enable GVRP globally Quidway system view Quidway gvrp Set the port Ethernet1 0 2 to a Trunk port and allow all VLAN packets to pass through the port Quidway interface Ethernet1 0 2 Quidway Ethernet1 0 ...

Page 121: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Port Huawei Technologies Proprietary ...

Page 122: ...king Basic Port Configuration 1 4 1 2 2 Setting the Ethernet Port Broadcast Suppression Ratio 1 5 1 2 3 Enabling Flow Control on a Port 1 5 1 2 4 Configuring Access Port Attribute 1 6 1 2 5 Configuring Hybrid Port Attribute 1 6 1 2 6 Configuring Trunk Port Attribute 1 7 1 2 7 Copying Port Configuration to Other Ports 1 7 1 2 8 Setting Loopback Detection for an Ethernet Port 1 8 1 2 9 Configuring t...

Page 123: ...nsing ports One 10 100 1000BASE T port None S3126C Ethernet switch 24 10 100BASE TX auto sensing ports 2 S3116C Ethernet switch 16 10 100BASE TX auto sensing ports 2 S3108C Ethernet switch Eight 10 100BASE TX auto sensing ports 1 The Ethernet ports of the S3100 series switches have the following characteristics z The 10 100BASE TX Ethernet ports support MDI MDI X autosensing By manual configuratio...

Page 124: ...fault VLAN to be sent without tags You can configure all the three types of ports on the same device However note that you cannot directly switch a port between trunk and hybrid and you must set the port as access before the switching For example to change a trunk port to hybrid you must first set it as access and then hybrid 1 1 3 Configuring the Default VLAN ID for an Ethernet Port An access por...

Page 125: ...changed and send the packet Hybrid Receive the packet and add the default tag to the packet z If the VLAN ID is just the default VLAN ID receive the packet z If the VLAN ID is not the default VLAN ID but is one of the VLAN IDs allowed to pass through the port receive the packet z If the VLAN ID is neither the default VLAN ID nor one of the VLAN IDs allowed to pass through the port discard the pack...

Page 126: ...n Table 1 3 Make basic port configuration Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Enable the Ethernet port undo shutdown By default the port is enabled Use the shutdown command to disable the port Set the description of the Ethernet port description text By default no description is defined for an Ethernet port Set ...

Page 127: ... takes effect only on current port Table 1 4 Set the Ethernet port broadcast suppression ratio Operation Command Remarks Enter system view system view Set the global broadcast suppression ratio broadcast suppression ratio By default the ratio is 100 that is the system does not suppress broadcast traffic globally Enter Ethernet port view interface interface type interface number Set the broadcast s...

Page 128: ...he port is access Add the current access port into the specified VLAN port access vlan vlan id Optional 1 2 5 Configuring Hybrid Port Attribute Table 1 7 Configure hybrid port attribute Operation Command Remarks Enter system view system view Enter Ethernet port view interface interface type interface number Set the link type for the port as hybrid port link type hybrid Required Set the default VLA...

Page 129: ...n of some other ports consistent with a specified port you can copy the configuration of the specified port to these ports The configuration may include z VLAN settings Includes the permitted VLAN types and default VLAN ID z QoS settings Includes traffic limiting priority marking and default 802 1p priority z STP settings Includes STP enabling disabling link attribute point to point or not STP pri...

Page 130: ... and removes the corresponding MAC forwarding entry z If loopback is found on a trunk or hybrid port the system sends a Trap message to the client When the loopback port control function is enabled on these ports the system disables the port sends a Trap message to the client and removes the corresponding MAC forwarding entry Table 1 10 Set loopback detection for an Ethernet port Operation Command...

Page 131: ...ble command in system view loopback detection will be disabled on all ports 1 2 9 Configuring the Ethernet Port to Run Loopback Test You can configure the Ethernet port to run loopback test to check if it operates normally The port running loopback test cannot forward data packets normally The loopback test terminates automatically after a specific period Table 1 11 Configure the Ethernet port to ...

Page 132: ...laying and Debugging Ethernet Port After the above configuration enter the display commands in any view to display the running of the Ethernet port configuration and thus verify your configuration Enter the reset counters command in user view to clear the statistics of the port Table 1 13 Display and debug Ethernet port Operation Command Remarks Display port configuration information display inter...

Page 133: ...witch A Configure Switch B in the similar way Enter Ethernet1 0 1 port view Quidway interface Ethernet1 0 1 Set Ethernet1 0 1 as a trunk port and allow the packets of VLAN 2 VLAN 6 through VLAN 50 and VLAN 100 to pass the port Quidway Ethernet1 0 1 port link type trunk Quidway Ethernet1 0 1 port trunk permit vlan 2 6 to 50 100 Create VLAN 100 Quidway vlan 100 Configure the default VLAN ID of Ether...

Page 134: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Link Aggregation Huawei Technologies Proprietary ...

Page 135: ...r 1 Link Aggregation Configuration 1 1 1 1 Overview 1 1 1 1 1 Introduction to Link Aggregation 1 1 1 1 2 Manual Aggregation 1 2 1 1 3 Aggregation Group Categories 1 2 1 2 Link Aggregation Configuration 1 3 1 2 1 Configuring a Manual Aggregation Group 1 3 1 3 Displaying and Debugging Link Aggregation 1 4 1 4 Link Aggregation Configuration Example 1 4 ...

Page 136: ...aggregation group their basic configuration must be the same The basic configuration includes STP QoS VLAN port attributes and other associated settings z STP configuration including STP status enabled or disabled link attribute point to point or not STP priority maximum transmission speed loop prevention status root protection status edge port or not z QoS configuration including traffic limiting...

Page 137: ... serves as the master port of the group and other selected ports serve as member ports of the group In a manual aggregation group the system sets the ports to selected or unselected state by using these rules z The system sets the port with the highest priority to selected state and others to unselected state The priorities of the ports descend in the following order full duplex high speed full du...

Page 138: ...her priority than the other one If the two groups can gain the same speed the one with smaller master port number has higher priority than the other one When an aggregation group of higher priority appears the aggregation groups of lower priorities release their hardware resources For single port aggregation groups if they can transceive packets normally without occupying aggregation resources the...

Page 139: ...g is implemented on the four ports with smaller port numbers and the rest ports serve as link backups 1 3 Displaying and Debugging Link Aggregation After the above configuration execute the display commands in any view to display the running of the link aggregation configuration and verify your configuration Table 1 2 Display and debug link aggregation Operation Command Display summary information...

Page 140: ...guration for Switch A configure Switch B in the similar way Create manual aggregation group 1 Quidway link aggregation group 1 mode manual Add the Ethernet ports Ethernet1 0 1 through Ethernet1 0 3 to aggregation group 1 Quidway interface ethernet1 0 1 Quidway Ethernet1 0 1 port link aggregation group 1 Quidway Ethernet1 0 1 interface ethernet1 0 2 Quidway Ethernet1 0 2 port link aggregation group...

Page 141: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Port Isolation Huawei Technologies Proprietary ...

Page 142: ... Proprietary i Table of Contents Chapter 1 Port Isolation Configuration 1 1 1 1 Port Isolation Overview 1 1 1 1 1 Introduction to Port Isolation 1 1 1 1 2 Port Isolation and Port Aggregation 1 1 1 2 Port Isolation Configuration 1 1 1 3 Displaying Port Isolation 1 2 1 4 Port Isolation Configuration Example 1 2 ...

Page 143: ...s an isolation group can accommodate is not limited Note The port isolation function is independent of the VLANs which the Ethernet ports belongs to 1 1 2 Port Isolation and Port Aggregation When a member port of an aggregation group is added to an isolation group the other ports in the same aggregation group are added to the isolation group automatically 1 2 Port Isolation Configuration Table 1 1...

Page 144: ...tion Configuration Example I Network requirements z PC 2 PC 3 and PC 4 are connected to Ethernet1 0 2 Ethernet1 0 3 and Ethernet1 0 4 ports z The switch connects to the Internet through Ethernet1 0 1 port z It is desired that PC 2 PC 3 and PC 4 cannot communicate with each other II Network diagram Internet Ethernet1 0 2 Ethernet Ethernet1 0 1 PC2 PC3 Switch Ethernet1 0 3 1 0 4 PC4 Internet Etherne...

Page 145: ... 2 port isolate Quidway Ethernet1 0 2 quit Quidway interface ethernet1 0 3 Quidway Ethernet1 0 3 port isolate Quidway Ethernet1 0 3 quit Quidway interface ethernet1 0 4 Quidway Ethernet1 0 4 port isolate Quidway Ethernet1 0 4 quit Quidway Display the information about the ports in the isolation group Quidway display isolate port Isolated port s on UNIT 1 Ethernet1 0 2 Ethernet1 0 3 Ethernet1 0 4 ...

Page 146: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual MAC Address Forwarding Table Huawei Technologies Proprietary ...

Page 147: ... Table 1 1 1 1 2 Entries in a MAC Address Table 1 1 1 1 3 MAC Address Learning Mechanism 1 2 1 1 4 Aging Time of MAC Address Entries 1 3 1 1 5 Limitations on the Number of MAC Addresses Learnt 1 3 1 2 MAC Address Table Management 1 4 1 2 1 Configuring a MAC Address Entry and the Aging Time 1 4 1 2 2 Setting the Maximum Number of MAC Addresses a Port can Learn 1 4 1 3 Displaying and Maintaining a M...

Page 148: ...eries its MAC address table for the forwarding port number according to the destination MAC address carried in the packet and then forwards the packet through the port 1 1 2 Entries in a MAC Address Table Entries in a MAC address table fall into the following categories according to their characteristics and configuration methods z Static MAC address entry Also known as permanent MAC address entry...

Page 149: ...implemented as follows z When a switch receives a packet from one of its ports referred to as Port A the switch extracts the source MAC address referred to as MAC S of the packet and considers that the packets destined for MAC S can be forwarded through Port A z If the MAC address table already contains MAC S the switch refreshes the aging time of the corresponding MAC address entry Otherwise the ...

Page 150: ...following when setting the aging time z If the aging time is too long the number of the invalid MAC address entries maintained by the switch may be too many to make room for the MAC address table In this case the MAC address table cannot vary with network changes in time z If the aging time is too short MAC address entries that are still valid may be removed This results in large amount of broadca...

Page 151: ...ntry and the Aging Time You can add modify or remove one MAC address entry remove all MAC address entries concerning a specific port unicast MAC addresses only or remove specific type of MAC address entries such as dynamic or static MAC address entries Table 1 2 Configure a MAC address entry Operation Command Description Enter system view system view Add modify a MAC address entry mac address stat...

Page 152: ...ult the number of the MAC addresses a port can learn is not limited 1 3 Displaying and Maintaining a MAC Address Table To verify your configuration you can display information about the MAC address table by executing the display command in any view Table 1 4 Display and maintain the MAC address table Operation Command Display information about the MAC address table display mac address display opti...

Page 153: ...way system view System View return to User View with Ctrl Z Add a static MAC address entry Quidway mac address static 00e0 fc35 dc71 interface ethernet1 0 2 vlan 1 Set the aging time to 500 seconds Quidway mac address timer aging 500 Display information about the MAC address table Quidway display mac address interface ethernet1 0 2 MAC ADDR VLAN ID STATE PORT INDEX AGING TIME 00 e0 fc 35 dc 71 1 S...

Page 154: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual MSTP Huawei Technologies Proprietary ...

Page 155: ...Configuration 1 15 1 2 9 Timeout Time Factor Configuration 1 18 1 2 10 Maximum Transmitting Speed Configuration 1 18 1 2 11 Edge Port Configuration 1 20 1 2 12 Point to point Link Related Configuration 1 21 1 2 13 MSTP Configuration 1 23 1 3 Leaf Node Configuration 1 24 1 3 1 Prerequisites 1 25 1 3 2 MST Region Configuration 1 25 1 3 3 MSTP Operation Mode Configuration 1 25 1 3 4 Timeout Time Fact...

Page 156: ...tion 1 34 1 5 5 Loop Prevention Configuration 1 35 1 5 6 TC BPDU Attack Prevention Configuration 1 36 1 6 Digest Snooping Configuration 1 36 1 6 1 Introduction 1 36 1 6 2 Digest Snooping Configuration 1 37 1 7 Rapid Transition Configuration 1 38 1 7 1 Introduction 1 38 1 7 2 Rapid Transition Configuration 1 40 1 8 MSTP Displaying and Debugging 1 41 1 9 MSTP Implementation Example 1 41 ...

Page 157: ...rwarded endlessly in the ring network Besides this MSTP can also provide multiple redundant paths for packet forwarding and balances the forwarding loads of different VLANs MSTP is compatible with both STP and RSTP It overcomes the drawback of STP and RSTP It not only enables spanning trees to converge rapidly but also enables packets of different VLANs to be forwarded along their respective paths...

Page 158: ...ly interconnected MSTP enabled switches and the corresponding network segments connected to these switches These switches have the same region name the same VLAN to spanning tree mapping configuration and the same MSTP revision level A switched network can contain multiple MST regions You can group multiple switches into one MST region by using the corresponding MSTP configuration commands For exa...

Page 159: ...twork If you regard each MST region in the network as a switch then the CST is the spanning tree generated by STP or RSTP running on the switches In Figure 1 1 the lines in red depict the CST VI CIST A CIST is the spanning tree in a switched network that connects all switches in the network It comprises the ISTs and the CST In Figure 1 1 the ISTs in the MST regions and the CST connecting the MST r...

Page 160: ...ed to each other In this case the switch blocks one of the two ports The blocked port is a backup port In Figure 1 2 switch A B C and D form an MST region Port 1 and port 2 on switch A connect upstream to the common root Port 5 and port 6 on switch C form a loop Port 3 and port 4 on switch D connect downstream to other MST regions This figure shows the roles these ports play Note z A port can play...

Page 161: ...ence is that the configuration BPDUs for MSTP carry the MSTP configuration information on the switches I Generating the CIST Through configuration BPDU comparing the switch that is of the highest priority in the network is chosen as the root of the CIST In each MST region an IST is figured out by MSTP At the same time MSTP regards each MST region as a switch to figure out the CST of the network Th...

Page 162: ...as follows z Selecting the root bridge The root bridge is selected by configuration BPDU comparing The switch with the smallest root ID is chosen as the root bridge z Selecting the root port For each switch except the one chosen as the root bridge in a network the port that receives the configuration BPDU with the highest priority is chosen as the root port of the switch z Selecting the designated...

Page 163: ...urations about root bridges Table 1 2 Root bridge configuration Operation Description Related section MSTP configuration Required To prevent network topology jitter caused by other related configurations you are recommended to enable MSTP after performing other configurations Section 1 2 13 MSTP Configuration MST region configuration Required Section 1 2 2 MST Region Configuration Root bridge seco...

Page 164: ...ection 1 2 11 Edge Port Configuration Point to point link related configuration Optional Section 1 2 12 Point to point Link Related Configuration Note In a network that contains switches with both GVRP and MSTP employed GVRP packets are forwarded along the CIST If you want to broadcast packets of a specific VLAN through GVRP be sure to map the VLAN to the CIST when configuring the MSTP VLAN mappin...

Page 165: ...manually active region configuration Required Display the configuration of the current MST region check region configuration Optional Display the currently valid configuration of the MST region display stp region configuration You can execute this command in any view Configuring MST region related parameters especially the VLAN mapping table results in spanning trees being regenerated To reduce ne...

Page 166: ... Quidway mst region active region configuration Verify the above configuration Quidway mst region check region configuration Admin configuration Format selector 0 Region name info Revision level 1 Instance Vlans Mapped 0 11 to 19 31 to 4094 1 1 to 10 2 20 to 30 1 2 3 Root Bridge Secondary Root Bridge Configuration MSTP can automatically choose a switch as a root bridge You can also manually specif...

Page 167: ...specify the current switch as the root bridge or the secondary root bridge of the CIST A switch can play different roles in different spanning tree instances That is it can be the root bridges in a spanning tree instance and be a secondary root bridge in another spanning tree instance at the same time But in one spanning tree instance a switch cannot be the root bridge and the secondary root bridg...

Page 168: ...bridge or a secondary root bridge its priority cannot be modified III Configuration example Configure the current switch as the root bridge of spanning tree instance 1 and a secondary root bridge of spanning tree instance 2 Quidway system view System View return to User View with Ctrl Z Quidway stp instance 1 root primary Quidway stp instance 2 root secondary 1 2 4 Bridge Priority Configuration Ro...

Page 169: ...e In this mode the protocol packets sent out of the ports of the switch are STP packets If the switched network contains STP enabled switches you can configure the current MSTP enabled switch to operate in this mode by using the stp mode stp command z RSTP compliant mode In this mode the protocol packets sent out of the ports of the switch are RSTP packets If the switched network contains RSTP ena...

Page 170: ... beyond the maximum hops from participating in spanning tree generation and thus limits the size of an MST region With such a mechanism the maximum hops configured on the switch operating as the root bridge of the IST or an MSTI in a MST region becomes the network diameter of the spanning tree which limits the size of the spanning tree in the current MST region The switches that are not root bridg...

Page 171: ...witch adjusts its Hello time Forward delay and Max age settings accordingly The network diameter setting only applies to CIST it is invalid for MSTIs II Configuration example Configure the network diameter of the switched network to 6 Quidway system view System View return to User View with Ctrl Z Quidway stp bridge diameter 6 1 2 8 MSTP Time related Configuration You can configure three MSTP time...

Page 172: ...ion BPDU is obsolete Obsolete configuration BPDUs will be discarded I Configuration procedure Table 1 10 Configure MSTP time related parameters Operation Command Description Enter system view system view Configure the Forward delay parameter stp timer forward delay centiseconds Required The Forward delay parameter defaults to 1 500 centiseconds 15 seconds Configure the Hello time parameter stp tim...

Page 173: ... age parameter if it is too small network congestions may be falsely regarded as link problems which results in spanning trees being frequently regenerated If it is too large link problems may be unable to be found in time which in turn handicaps spanning trees being regenerated in time and makes the network less adaptive The default is recommended As for the configuration of these three time rela...

Page 174: ...d this Normally the timeout time can be four or more times of the Hello time For a steady network the timeout time can be five to seven times of the Hello time I Configuration procedure Table 1 11 Configure timeout time factor Operation Command Description Enter system view system view Configure the timeout time factor for the switch stp timer factor number Required The timeout time factor default...

Page 175: ...thernet port view interface interface type interface number Configure the maximum transmitting speed stp transmit limit packetnum Required The maximum transmitting speed of all Ethernet ports on a switch defaults to 3 As the maximum transmitting speed parameter determines the number of the configuration BPDUs transmitted in each Hello time set it to a proper value to avoid MSTP from occupying too ...

Page 176: ...nfigure the specified ports as edge ports stp interface interface list edged port enable Required By default all the Ethernet ports of a switch are non edge ports II Configuration procedure in Ethernet port view Table 1 15 Configure a port as an edge port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface nu...

Page 177: ...by exchanging synchronization packets eliminating the forwarding delay You can specify whether or not the link connected to a port is a point to point link in one of the following two ways I Configuration procedure in system view Table 1 16 Specify whether or not the links connected to the specified ports are point to point links in system view Operation Command Description Enter system view syste...

Page 178: ...cted to the port is not a point to point link The auto keyword specifies to automatically determine whether or not the link connected to the port is a point to point link Note Among aggregated ports you can only configure the links of master ports as point to point links If an autonegotiating port operates in full duplex mode after negotiation you can configure the link of the port as a point to p...

Page 179: ... system view Enable MSTP stp enable Required MSTP is disabled by default Disable MSTP on specified ports stp interface interface list disable Optional By default MSTP is enabled on all ports after you enable MSTP in system view To enable a switch to operate more flexibly you can disable MSTP on specific ports As MSTP disabled ports do not participate in spanning tree generation this operation save...

Page 180: ...able MSTP on Ethernet1 0 1 port z Configure in system view Quidway system view System View return to User View with Ctrl Z Quidway stp enable Quidway stp interface ethernet1 0 1 disable z Configure in Ethernet port view Quidway system view System View return to User View with Ctrl Z Quidway stp enable Quidway interface ethernet1 0 1 Quidway Ethernet1 0 1 stp disable 1 3 Leaf Node Configuration Tab...

Page 181: ...ation Optional Section 1 3 8 Port Priority Configuration Point to point link related configuration Optional Section 1 2 12 Point to point Link Related Configuration Note In a network that contains switches with both GVRP and MSTP employed GVRP packets are forwarded along the CIST If you want to broadcast packets of a specific VLAN through GVRP be sure to map the VLAN to the CIST when configuring t...

Page 182: ...ad balancing can be achieved by VLANs The switch can automatically calculate the path costs of ports but you can also manually configure them I Standards for calculating path costs of ports Currently a switch can calculate the path costs of ports based on one of the following standards z dot1d 1998 Adopts the IEEE 802 1D 1998 standard to calculate the default path costs of ports z dot1t Adopts the...

Page 183: ...ed link 3 ports Aggregated link 4 ports 4 3 3 3 20 000 10 000 6 666 5 000 20 18 16 14 10 Gbps Full duplex Aggregated link 2 ports Aggregated link 3 ports Aggregated link 4 ports 2 1 1 1 2 000 1 000 666 500 2 1 1 1 Normally the path cost of a port operating in full duplex mode is slightly less than that of the port operating in half duplex mode When calculating the path cost of an aggregated link t...

Page 184: ...e role of the port and put it in state transition If you execute the stp cost command with the instance id argument being 0 the path cost you set is for the CIST III Configuration example A Configure the path cost of Ethernet1 0 1 port in spanning tree instance 1 to be 2 000 z Configure in system view Quidway system view System View return to User View with Ctrl Z Quidway stp interface ethernet1 0...

Page 185: ...LANs to be forwarded along different physical paths so that load balancing can be achieved by VLANs You can configure port priority in the following two ways I Configuring port priority in system view Table 1 25 Configure port priority for specified ports in system view Operation Command Description Enter system view system view Configure port priority for specified ports stp interface interface l...

Page 186: ... View return to User View with Ctrl Z Quidway interface ethernet1 0 1 Quidway Ethernet1 0 1 stp instance 1 port priority 16 1 3 9 Point to point Link Related Configuration Refer to section 1 2 12 Point to point Link Related Configuration 1 3 10 MSTP Configuration Refer to section 1 2 13 MSTP Configuration 1 4 The mCheck Configuration As mentioned previously ports on an MSTP enabled switch can oper...

Page 187: ... view Enter Ethernet port view interface interface type interface number Perform the mCheck operation stp mcheck Required Caution The stp mcheck command takes effect only when the switch operate in MSTP mode and does not take effect when the switch operates in STP RSTP mode 1 4 3 Configuration Example Perform the mCheck operation on Ethernet1 0 1 port assuming that the switch operates in MSTP mode...

Page 188: ...root bridges must reside in the same region A CIST and its secondary root bridges are usually located in the high bandwidth core region Configuration errors or attacks may result in configuration BPDUs with their priorities higher than that of a root bridge which causes new root bridge to be elected and network topology jitter to occur In this case flows that should travel along high speed links m...

Page 189: ...led the switch performs only one removing operation in a specified period it is 10 seconds by default after it receives a TC BPDU The switch also checks to see if other TC BPDUs arrive in this period and performs another removing operation in the next period if a TC BPDU is received Such a mechanism prevents a switch from busying itself in performing removing operations Caution Among loop preventi...

Page 190: ...on specified ports stp interface interface list root protection Required The root protection function is disabled by default Table 1 31 Enable the root protection function on a port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the root protection function on current port stp root protecti...

Page 191: ...oop prevention function on specified ports stp interface interface list loop protection Required By default the loop prevention function is disabled II Enabling the loop prevention function on a port in Ethernet port view Table 1 33 Enable the loop prevention function on a port in Ethernet port view Operation Command Description Enter system view system view Enter Ethernet port view interface inte...

Page 192: ...erconnected MSTP switches determine whether or not they are in the same MST region by checking the configuration IDs of the BPDUs between them A configuration ID contains information such as region ID and configuration digest As some partners switches adopt proprietary spanning tree protocols they cannot interwork with other switches in an MST region even if they are configured with the same MST r...

Page 193: ...ary spanning tree protocol The MSTP network operates normally II Configuration procedure Table 1 35 Configure the digest snooping feature Operation Command Description Enter system view system view Enter Ethernet port view interface interface type interface number Enable the digest snooping feature stp config digest snooping Required The digest snooping feature is disabled on the port by default R...

Page 194: ...the MST region z To change MST region related configuration be sure to disable the digest snooping feature first to prevent possible broadcast storms 1 7 Rapid Transition Configuration 1 7 1 Introduction Designated ports on switches adopting RSTP or MSTP use the following two types of packets to implement rapid transition z Proposal packets Packets sent by designated ports to request rapid transit...

Page 195: ...port change to Forw arding state Send agreement packets Root port blocks other non edge ports Designated port Root port Upstream sw itch Dow nstream switch Send proposal packets to request rapid transition Send agreement packets Root port changes to Forw arding state and sends agreement packets to upstream switch Designated port change to Forw arding state Send agreement packets Root port blocks o...

Page 196: ...itch is running a proprietary spanning tree protocol that is similar to RSTP in the way to implement rapid transition on designated ports Port 1 is a designated port The downstream switch is running MSTP Port 2 is the root port Port 1 Quidway Switch Switch coming from other manufacturers Port 2 Port 1 Quidway Switch Switch coming from other manufacturers Port 2 Figure 1 5 Network diagram for rapid...

Page 197: ...onfigurations by executing the display commands in any view Table 1 38 Display and debug MSTP Operation Command Display spanning tree related information about the current switch display stp instance instance id interface interface list slot slot number brief Display region configuration display stp region configuration Clear MSTP related statistics reset stp interface interface list 1 9 MSTP Impl...

Page 198: ...10 20 Permit VLAN 20 30 Permit VLAN 20 30 Permit all VLAN Permit VLAN 20 40 Switch A Switch C Switch B Switch D Permit VLAN 10 20 Permit VLAN 10 20 Permit VLAN 20 30 Permit VLAN 20 30 Permit all VLAN Permit VLAN 20 40 Figure 1 6 Network diagram for implementing MSTP Note The Permit shown in Figure 1 6 means the corresponding link permits packets of specific VLANs III Configuration procedure z Conf...

Page 199: ...idway mst region active region configuration Specify Switch B as the root bridge of spanning tree instance 3 Quidway stp instance 3 root primary z Configure Switch C Enter MST region view Quidway system view System View return to User View with Ctrl Z Quidway stp region configuration Configure the MST region Quidway mst region region name example Quidway mst region instance 1 vlan 10 Quidway mst r...

Page 200: ...prietary 1 44 Configure the MST region Quidway mst region region name example Quidway mst region instance 1 vlan 10 Quidway mst region instance 3 vlan 30 Quidway mst region instance 4 vlan 40 Quidway mst region revision level 0 Activate the settings of the MST region Quidway mst region active region configuration ...

Page 201: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual 802 1x Huawei Technologies Proprietary ...

Page 202: ...iguration 1 15 1 5 Advanced 802 1x Configuration 1 16 1 5 1 Prerequisites 1 17 1 5 2 Configuring Proxy Checking 1 17 1 5 3 Configuring Client Version Checking 1 18 1 5 4 Enabling DHCP triggered Authentication 1 18 1 5 5 Configuring Guest VLAN 1 19 1 6 Displaying and Debugging 802 1x 1 19 1 7 802 1x Configuration Example 1 20 Chapter 2 HABP Configuration 2 1 2 1 Introduction to HABP 2 1 2 2 HABP Se...

Page 203: ...uthentication server system Services pr ovided by authenticator Authenticator PAE Authenticator system Port under control Port not authorized Port not Under control LAN WLAN Supplicant PAE Supplicant system Authentication server Authentication server system Services pr ovided by authenticator Authenticator PAE Authenticator system Controlled port Port not authorized Uncontrolled port LAN WLAN Supp...

Page 204: ...responds to the authentication requests received from the authenticator system and submits user authentication information to the authenticator system It can also send authentication and disconnection requests to the authenticator system PAE II Controlled port and uncontrolled port The Authenticator system provides ports for supplicant systems to access a LAN A port of this kind is divided into a ...

Page 205: ...er Authentication server EAP PAP CHAP exchanges carried by RADIUS protocol Figure 1 2 The mechanism of an 802 1x authentication system z EAP protocol packets transmitted between the supplicant system and the authenticator system are encapsulated as EAPoL packets z EAP protocol packets transmitted between the supplicant system PAE and the RADIUS server can either be encapsulated as EAPoR EAP over R...

Page 206: ...f the Packet body field A value of 0 indicates that the Packet Body field does not exist z The Packet body field differs with the Type field Note that EAPoL Start EAPoL Logoff and EAPoL Key packets are only transmitted between the supplicant system and the authenticator system EAP packets are encapsulated by RADIUS protocol to allow them successfully reach the authentication servers Network manage...

Page 207: ...packet for EAP authentication Refer to the Introduction to RADIUS protocol section in the AAA and RADIUS Operation Manual for format of a RADIUS protocol packet The EAP message field shown in Figure 1 6 is used to encapsulate EAP packets The maximum size of the string field is 253 bytes EAP packets with their size larger than 253 bytes are fragmented and stored in multiple EAP message fields The t...

Page 208: ...th a value of 79 and the Message authenticator field with a value of 80 Three authentication ways EAP MD5 EAP TLS transport layer security and PEAP protected extensible authentication protocol are available for the EAP relay mode z EAP MD5 authenticates the supplicant system The RADIUS server sends MD5 keys contained in EAP request MD5 challenge packets to the supplicant system which in turn encry...

Page 209: ...hallenge EAP Success EAP Response MD5 Challenge RADIUS Access Requ EAP Response Identi RADIUS Access Challen EAP Request MD5 Chall est ty ge enge RADIUS Access Acce EAP Success RADIUS Access Reques EAP Response MD5 Challe pt t nge Port authorized Handshake timer time out Handshake requesting packet EAP Request Identity Handshake response packet EAP Response Identity EAPoL Logoff Supplicant system ...

Page 210: ...ate to allow the supplicant system access the network z The supplicant system can also terminate the authenticated state by sending EAPoL Logoff packets to the switch The switch then changes the port state from accepted to rejected Note In EAP relay mode packets are not modified during transmission Therefore if one of the three ways are used that is PEAP EAP TLS or EAP MD5 to authenticate ensure t...

Page 211: ...APOL RADIUS EAPOL Start EAP Request Identity EAP Response Identity EAP Request MD5 Challenge EAP Success EAP Response MD5 Challenge RADIUS Access Reque CHAP Response MD5 Chal st lenge RADIUS Access Acce CHAP Success pt Port accepted Handshake ti mer time out Handshake request packet EAP Request Identity Handshake reply packet EAP Response Identity EAPOL Logoff Port rejected Figure 1 9 802 1x authe...

Page 212: ...command an online user is considered offline when the switch does not receive response packets from it in a period N times of the handshake period z Quiet period timer This timer sets the quiet period When a supplicant system fails to pass the authentication the switch quiets for the set period before it processes another authentication request re initiated by the supplicant system 1 1 6 802 1x Im...

Page 213: ... proxies By default an 802 1x client program allows use of multiple network adapters a proxy server and an IE proxy server If CAMS is configured to disable use of multiple network adapters proxies or IE proxies it prompts the 802 1x client to disable use of multiple network adapters proxies or IE proxies through messages after the supplicant system passes the authentication Note z The client check...

Page 214: ...umber of authentication retries is reached the switch adds the ports that do not return response packets to Guest VLAN z Users belonging to the Guest VLAN can access the resources of the Guest VLAN without being authenticated But they need to be authenticated before accessing external resources Normally the Guest VLAN function is coupled with the dynamic VLAN delivery function 1 2 802 1x Configura...

Page 215: ...eme as a backup In this case the local authentication scheme is adopted when the RADIUS server fails Refer to the AAA RADIUS Operation Manual for detailed information about AAA configuration 1 3 Basic 802 1x Configuration To utilize 802 1x features you need to perform basic 802 1x configuration 1 3 1 Prerequisites z Configure ISP domain and its AAA scheme specify the authentication scheme RADIUS o...

Page 216: ...ing mode Enter ISP domain view to configure the ISP domain domain isp name Optional The default ISP domain is system This command is required if the name of the ISP domain to which the current 802 1x user belongs is not system Configure the AAA scheme to be adopted in the ISP domain scheme radius scheme radius scheme name local local none Optional By default a switch adopts a local authentication ...

Page 217: ... view Port access control mode and port access method can also be configured in port view z If you perform a configuration in system view and do not specify the interface list argument the configuration applies to all ports Configurations performed in Ethernet port view apply to the current Ethernet port only and the interface list argument is not needed in this case z 802 1x configurations take e...

Page 218: ...ds z quiet period value 60 seconds z tx period value 30 seconds z supp timeout value 30 seconds z server timeout value 100 seconds Trigger the quiet period timer dot1x quiet period Optional By default a quiet period timer is disabled Note z As for the dot1x max user command if you execute it in system view without specifying the interface list argument the command applies to all ports You can also...

Page 219: ...re allowed on 802 1x client If you specify CAMS to disable use of multiple network cards proxy server and IE proxy CAMS sends messages to 802 1x client to request the latter to disable the use of multiple network cards proxy server and IE proxy when a user passes the authentication Table 1 3 Configure user proxy checking Operation Command Description Enter system view system view Enable user check...

Page 220: ...rsion value Optional Defaults to 3 Configure the client version chec king period timer dot1x timer ver period ver period value Optional The default ver period value is 30 seconds Note As for the dot1x version user command if you execute it in system view without specifying the interface list argument the command applies to all ports You can also use this command in port view In this case this comm...

Page 221: ...sabled Caution z The Guest VLAN function is available only when the switch operates in a port based authentication mode z Only one Guest VLAN can be configured for each switch z Supplicant systems that are not authenticated fail to pass the authentication or are offline belong to Guest VLANs z The Guest VLAN function is not available to switches that are configured not to authenticate users that u...

Page 222: ...et which accommodates up to 30 clients Authentication is performed either on the RADIUS server or locally in case that the RADIUS server fails to respond A client is disconnected in one of the following two situations RADIUS accounting fails the connected user has not included the domain name in the username and there is a continuous below 2000 bytes of traffic for over 20 minutes z The switch is ...

Page 223: ...pectively The idle disconnecting function is enabled II Network diagram Supplicant Authentication serv RADIUS server clu IP address 10 11 1 1 10 11 1 2 ers ster Internet Authenticator Switch Supplicant Authentication se RADIUS server c IP address 10 11 10 1 rver luster 1 1 1 1 2 Internet Authenticator Switch Ethernet1 0 1 Supplicant Authentication serv RADIUS server clu IP address 10 11 1 1 10 11 ...

Page 224: ...radius radius1 secondary accounting 10 11 1 1 Set the password for the switch and the authentication RADIUS servers to exchange messages Quidway radius radius1 key authentication name Set the password for the switch and the accounting RADIUS servers to exchange messages Quidway radius radius1 key accounting money Set the interval and the number of retries for the switch to send packets to the RADI...

Page 225: ... net scheme radius scheme radius1 local Specify the maximum number of users the user domain can accommodate to 30 Configure the domain capacity to be 30 Quidway isp aabbcc net access limit enable 30 Enable the idle disconnecting function and set the related parameters Quidway isp aabbcc net idle cut enable 20 2000 Create a local access user account Quidway local user localuser Quidway luser localu...

Page 226: ...h to a given port This allows HABP packets to bypass 802 1x authentication and to be forwarded between HABP enabled switches Therefore the management devices can get the MAC addresses of their attached switches to manage them effectively HABP is implemented by HABP server and HABP client Normally an HABP server sends HABP request packets regularly to HABP clients to collect the MAC addresses of th...

Page 227: ...reside on switches attached to HABP servers After you enable HABP for a switch the switch operates as an HABP client by default So you only need to enable HABP on a switch to make it an HABP client Table 2 2 Configure an HABP client Operation Command Description Enter system view system view Enable HABP habp enable Required HABP is disabled by default And a switch operates as an HABP client after ...

Page 228: ...system guard configuration includes z Enabling the system guard function z Configuring system guard related parameters z Specifying system guard enabled ports 3 2 1 Enabling the System guard function Table 3 1 lists the operations to enable the system guard function Table 3 1 Enable the system guard function Operation Commands Description Enter system view system view Enable the system guard funct...

Page 229: ...perations to specify system guard enabled ports Table 3 3 Specify system guard enabled ports Operation Command Description Enter system view system view Specify system guard enabled ports system guard permit interface list Required 3 3 Displaying and Debugging the System guard Function After the above configuration you can display and verify your configuration by performing the operation listed in...

Page 230: ...gure 3 1 Network diagram for system guard configuration III Configuration procedure Perform system guard related configuration on S3100 2 S3100 2 system view System View return to User View with Ctrl Z S3100 2 system guard enable S3100 2 system guard mode rate limit 5 256 300 S3100 2 system guard permit Ethernet 1 0 1 to Ethernet 1 0 2 Perform system guard related configuration on S3100 3 S3100 3 ...

Page 231: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual AAA RADIUS Huawei Technologies Proprietary ...

Page 232: ...S Scheme 1 18 1 5 2 Configuring RADIUS Authentication Authorization Servers 1 18 1 5 3 Configuring RADIUS Accounting Servers 1 19 1 5 4 Configuring Shared Keys for RADIUS Packets 1 21 1 5 5 Configuring the Maximum Number of Transmission Attempts of RADIUS Requests 1 22 1 5 6 Configuring the Supported RADIUS Server Type 1 23 1 5 7 Configuring the Status of RADIUS Servers 1 23 1 5 8 Configuring the ...

Page 233: ...are not authenticated Generally this method is not recommended z Local authentication User information including user name password and attributes is configured on this device Local authentication is fast and requires lower operational cost But the information storage capacity is limited by device hardware z Remote authentication Users are authenticated remotely through the RADIUS protocol both st...

Page 234: ...compositions of user name and password different service types rights it is necessary to distinguishes the users by setting ISP domains You can configure a set of ISP domain attributes including AAA policy RADIUS scheme and so on for each ISP domain independently in ISP domain view 1 1 3 Introduction to RADIUS AAA is a management framework It can be implemented by not only one protocol But in prac...

Page 235: ...Clients This database stores the information about RADIUS clients such as shared keys z Dictionary This database stores the information used to interpret the attributes and attribute values of the RADIUS protocol RADIUS server Users Clients Dictionary RADIUS server Users Clients Dictionary Figure 1 1 Databases in RADIUS server In addition the RADIUS server can act as the client of some other AAA s...

Page 236: ...ting Request stop 8 Accounting Response 9 Inform the user the access is ended 6 The user starts to access the resources Figure 1 2 Basic message exchange procedure of RADIUS The basic message exchange procedure of RADIUS is as follows 1 The user enters the user name and password 2 The RADIUS client receives the user name and password and then sends an authentication request Access Request to the R...

Page 237: ...termine if the user can access the network This packet carries user information It must contain the User Name attribute and may contain the following attributes NAS IP Address User Password and NAS Port 2 Access Accept Direction server client The server transmits this packet to the client if all the attribute values carried in the Access Request packet are acceptable that is the user passes the au...

Page 238: ...ify the packet returned from the RADIUS server it is also used in the password hiding algorithm There are two kinds of authenticators Request and Response 5 The Attribute field contains special authentication authorization and accounting information to provide the configuration details of a request or response packet This field is represented by a field triplet Type Length and Value z The Type fie...

Page 239: ...lenge 20 Callback ID 61 NAS Port Type 21 unassigned 62 Port Limit 22 Framed Route 63 Login LAT Port The RADIUS protocol takes well scalability Attribute 26 Vender Specific defined in this protocol allows a device vendor to extend RADIUS to implement functions that are not defined in standard RADIUS Figure 1 4 depicts the structure of attribute 26 The Vendor ID field representing the code of the ve...

Page 240: ...tion Create an ISP domain Required Section 1 3 2 Configure the attributes of the ISP domain Optional Section 1 3 3 Configure an AAA scheme for the ISP domain Required Section 1 3 4 If local authentication is adopted refer to section 1 4 2 If RADIUS authentication is adopted refer to section 1 5 Configure the attributes of a local user Optional Section 1 4 2 AAA configuration Cut down user connecti...

Page 241: ...butes for data to be sent to RADIUS servers Optional Section 1 5 8 Configure a local RADIUS authentication server Optional Section 1 5 9 Configure the timers for RADIUS servers Optional Section 1 5 10 RADIUS configuration Configure the user re authentication upon device restart function Optional Section 1 5 12 1 3 AAA Configuration The goal of AAA configuration is to protect network devices agains...

Page 242: ...em view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name Required Activate deactivate the ISP domain state active block Optional By default once an ISP domain is created it is in the active state and all the users in this domain are allowed to access the network Set the maximum number of access users that can be contained in the ISP domain access limit d...

Page 243: ...mmunicate with any accounting server it will not disconnect the user as long as the accounting optional command has been executed z The self service server location function must cooperate with a self service supported RADIUS server such as CAMS Through self service users can manage and control their accounts or card numbers by themselves A server installed with the self service software is called...

Page 244: ...eme radius scheme name Optional This command has the same effect as the scheme radius scheme command Caution z You can execute the scheme command with the radius scheme name argument to adopt an already configured RADIUS scheme to implement all the three AAA functions If you adopt the local scheme only the authentication and authorization functions are implemented the accounting function cannot be...

Page 245: ...s z For FTP users Only authentication is supported for FTP users Authentication RADIUS local or RADIUS local Perform the following configuration in ISP domain view Table 1 7 Configure separate AAA schemes Operation Command Description Enter system view system view Create an ISP domain or enter the view of an existing ISP domain domain isp name Required Configure an authentication scheme for the IS...

Page 246: ... assigned by the RADIUS server so as to control the network resources that different users can access Currently the switch supports the following two types of VLAN IDs assigned by its RADIUS authentication server z Integer The switch adds a port to the corresponding VLAN according to the VLAN ID integer value assigned by the RADIUS authentication server If the VLAN does not exist it first creates ...

Page 247: ...ng to an integer value and judges if the value is in the valid VLAN ID range if it is the switch adds the authenticated port to the VLAN with the value as the VLAN ID VLAN 1024 for example z To implement dynamic VLAN deliver on a port where both MSTP and 802 1x are enabled you must set the MSTP port to an edge port 1 4 2 Configuring the Attributes of a Local User When local scheme is chosen as the...

Page 248: ...they are created that is they are allowed to request network services Authorize the user to access the specified type s of service s service type ftp lan access telnet ssh terminal level level Required By default the system does not authorize the user to access any service Set the priority level of the user level level Optional By default the priority level of the user is 0 Set the attributes of t...

Page 249: ... down user connection forcibly Operation Command Description Enter system view system view Cut down user connections forcibly cut connection all access type dot1x mac authentication domain domain name interface interface type interface number ip ip address mac mac address radius scheme radius scheme name vlan vlan id ucibindex ucib index user name user name Required 1 5 RADIUS Configuration The RA...

Page 250: ...e configured with these parameters in an ISP domain view For specific configuration commands refer to section 1 3 AAA Configuration 1 5 1 Creating a RADIUS Scheme The RADIUS protocol configuration is performed on a RADIUS scheme basis You should first create a RADIUS scheme and enter its view before performing other RADIUS protocol configurations Table 1 11 Create a RADIUS scheme Operation Command...

Page 251: ...and UDP port number of the secondary server are 0 0 0 0 and 1812 respectively Caution z The authentication response sent from the RADIUS server to the RADIUS client carries the authorization information Therefore no separate authorization server can be specified z In an actual network environment you can either specify two RADIUS servers as the primary and secondary authentication authorization se...

Page 252: ...er Optional By default the IP address and UDP port number of the secondary accounting server are 0 0 0 0 and 1813 Enable stop accounting packet buffering stop accounting buffer enable Optional By default stop accounting packet buffering is enabled Set the maximum number of transmission attempts of the buffered stop accounting packets retry stop accounting retry times Optional By default the system...

Page 253: ...ccounting server until it gets a response or the maximum number of transmission attempts is reached in this case it discards the request z You can set the maximum number of real time accounting request attempts that bring no response If the switch makes all the allowed real time accounting request attempts but does not get any answer it cuts down the connection of the user z The IP address and the...

Page 254: ...ers are also different 1 5 5 Configuring the Maximum Number of Transmission Attempts of RADIUS Requests The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data Therefore it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires If the maximum number of transmission at...

Page 255: ...cheme When the switch fails to communicate with the primary server due to some server trouble the switch will actively exchange packets with the secondary server After the time the primary server keeps in the block state exceeds the time set with the timer quiet command the switch will try to communicate with the primary server again when it receives a RADIUS request If the primary server recovers...

Page 256: ...in the default RADIUS scheme system are in the block state 1 5 8 Configuring the Attributes for Data to be Sent to RADIUS Servers Table 1 18 Configure the attributes for data to be sent to the RADIUS servers Operation Command Description Enter system view system view Create a RADIUS scheme and enter its view radius scheme radius scheme name Required By default a RADIUS scheme named system has alre...

Page 257: ...r names to the RADIUS server For this reason the user name format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server z For a RADIUS scheme if you have specified that no ISP domain names are carried in the user names you should not adopt this RADIUS scheme in more than one ISP domain Otherwise such errors may occur the RADI...

Page 258: ...it the packet to ensure that the user can obtain the RADIUS service This wait time is called response timeout time of RADIUS servers and the timer in the switch system that is used to control this wait time is called the response timeout timer of RADIUS servers For the primary and secondary servers authentication authorization servers or accounting servers in a RADIUS scheme When the switch fails ...

Page 259: ...y default the primary server waits five minutes before restoring the active state Set the real time accounting interval timer realtime accounting minutes Optional By default the real time accounting interval is 12 minutes 1 5 11 Configuring Whether or not to Send Trap Message When RADIUS Server is Down Table 1 21 Configure whether or not to send trap message when RADIUS server is down Operation Co...

Page 260: ...tication upon device restart function is designed to resolve the above problem After this function is enabled every time the switch restarts 1 The switch generates an Accounting On packet which mainly contains the following information NAS ID NAS IP address source IP address and session ID 2 The switch sends the Accounting On packet to CAMS at regular intervals 3 Once the CAMS receives the Account...

Page 261: ...e name Enable the user re authentication upon device restart function accounting on enable send times interval interval By default this function is disabled and the system can send at most 15 Accounting On packets consecutively at intervals of three seconds 1 6 Displaying AAA RADIUS Information After the above configurations you can execute the display commands in any view to view the operation of...

Page 262: ...lay the statistics about RADIUS packets display radius statistics Display the buffered no response stop accounting request packets display stop accounting buffer radius scheme radius server name session id session id time range start time stop time user name user name Delete the buffered no response stop accounting request packets reset stop accounting buffer radius scheme radius server name sessi...

Page 263: ... for authentication z Add Telnet user names and login passwords The Telnet user name added to the RADIUS server must be in the format of userid isp name if you have configure the switch to include domain names in the user names to be sent to the RADIUS server II Network diagram Authentication Server IP address 10 110 91 164 Internet Sw itch Telnet user Internet Authentication Server IP address 10 ...

Page 264: ...he RADIUS scheme Quidway domain cams Quidway isp cams scheme radius scheme cams A Telnet user logging into the switch by a name in the format of userid cams belongs to the cams domain and will be authenticated according to the configuration of the cams domain 1 7 2 Local Authentication of FTP Telnet Users Note The configuration procedure for the local authentication of FTP users is similar to that...

Page 265: ...ain Method 2 using a local RADIUS server This method is similar to the remote authentication method described in section 1 7 1 You only need to change the server IP address the authentication password and the UDP port number for authentication service in configuration step Configure a RADIUS scheme in section 1 7 1 to 127 0 0 1 huawei and 1645 respectively and configure local users 1 8 Troubleshoo...

Page 266: ...ch and the RADIUS server is disconnected blocked Take measures to make the links connected unblocked z None or incorrect RADIUS server IP address is set on the switch Be sure to set a correct RADIUS server IP address z One or all AAA UDP port settings are incorrect Be sure to set the same UDP port numbers as those on the RADIUS server Symptom 3 The user passes the authentication and gets authorize...

Page 267: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Centralized MAC Address Authentication Huawei Technologies Proprietary ...

Page 268: ...Configuration 1 2 1 2 1 Enabling Centralized MAC Address Authentication Globally and for a Port 1 2 1 2 2 Configuring Centralized MAC Address Authentication Mode 1 3 1 2 3 Configuring a User Name and Password to be used in Fixed Mode 1 3 1 2 4 Configuring the ISP Domain for MAC Address Authentication Users 1 3 1 2 5 Configuring the Timers Used in Centralized MAC Address Authentication 1 4 1 3 Disp...

Page 269: ...ries Ethernet switches authentication can be performed locally or on a RADIUS server 1 When a RADIUS server is used for authentication the switch serves as a RADIUS client Authentication is carried out through the cooperation of switches and the RADIUS server z In MAC address mode a switch sends user MAC addresses detected to the RADIUS serve as both user names and passwords The rest handling proc...

Page 270: ... address max mac count command is unavailable for the ports with centralized MAC address authentication enabled Similarly the centralized MAC address authentication is unavailable for the ports with the maximum number of learned MAC addresses configured 1 2 1 Enabling Centralized MAC Address Authentication Globally and for a Port Table 1 1 Enable centralized MAC address authentication Operation Co...

Page 271: ...efixed keyword specifies the centralized MAC address authentication mode to be the fixed mode By default the MAC address mode is adopted 1 2 3 Configuring a User Name and Password to be used in Fixed Mode When the fixed mode is adopted you need to configure the user names and passwords Table 1 3 Configure a user name and password to be used in fixed mode Operation Command Description Enter system ...

Page 272: ...period for a switch After a user fails to pass the authentication performed by a switch the switch quiets for a specific period the quiet period before it authenticates users again z Server timeout timer During authentication the switch prohibits the user from accessing the network through the corresponding port if the connection between the switch and RADIUS server times out Table 1 5 Configure t...

Page 273: ...nces between the two lie in the following z Centralized MAC address authentication needs to be enabled both globally and for port z In MAC address mode Mac address of locally authenticated user is used as both user name and password z In MAC address mode MAC address of user authenticated by RADIUS server need to be configured as both user name and password on the RADIUS server The following sectio...

Page 274: ...ce type of the local user to lan access Quidway luser 00 e0 fc 01 01 01 service type lan access Enable centralized MAC address authentication globally Quidway mac authentication Configure the domain name for centralized MAC address authentication users as aabbcc163 net Quidway mac authentication domain aabbcc163 net For domain related configuration refer to Chapter 11 802 1x Configuration of this ...

Page 275: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual ARP Huawei Technologies Proprietary ...

Page 276: ... 1 1 4 ARP Implementation Procedure 1 3 1 1 5 Introduction to Gratuitous ARP 1 4 1 2 ARP Configuration 1 5 1 2 1 Adding a Static ARP Mapping Entry Manually 1 5 1 2 2 Configuring the ARP Aging Timer for Dynamic ARP Entries 1 6 1 2 3 Enabling the ARP Entry Checking Function 1 6 1 3 Gratuitous ARP Packet Learning configuration 1 6 1 3 1 Configuring Sending of Gratuitous ARP Packets 1 6 1 3 2 Configur...

Page 277: ...to resolve the IP address of the destination into the corresponding MAC address 1 1 2 ARP Packet Structure ARP packets are classified into ARP request packets and ARP reply packets Figure 1 1 illustrates the structure of these two types of ARP packets z As for an ARP request packet all the fields except the hardware address of the receiver field are set The hardware address of the receiver is what...

Page 278: ...ta packets which can be z 1 ARP request packets z 2 ARP reply packets z 3 RARP request packets z 4 RARP reply packets Hardware address of the sender Hardware address of the sender IP address of the sender IP address of the sender Hardware address of the receiver z For an ARP request packet this field is null z For an ARP reply packet this field carries the hardware address of the receiver IP addre...

Page 279: ...f an ARP table Field Description IF index Index of the physical interface port on the device owning the physical address and IP address contained in the entry Physical address Physical address of the device that is the MAC address IP address IP address of the device Type Entry type which can be z 1 An entry falling out of the following three cases z 2 Invalid entry z 3 Dynamic entry z 4 Static ent...

Page 280: ...with its MAC address inserted to the packet Note that the ARP reply packet is a unicast packet instead of a broadcasted packet z Upon receiving the ARP reply packet Host A extracts the IP address and the corresponding MAC address of Host B from the packet adds them to its ARP mapping table and then transmits all the packets in the queue with their destination being Host B Normally ARP performs add...

Page 281: ...2 1 Adding a Static ARP Mapping Entry Manually Table 1 5 Add a static ARP mapping entry manually Operation Command Description Enter system view system view Add a static ARP mapping entry manually arp static ip address mac address vlan id interface type interface number Required The ARP mapping table is empty when a switch is just started And the address mapping entries are created by ARP Caution ...

Page 282: ...to create multicast MAC address ARP entries for MAC addresses learned by performing the operations listed in Table 1 7 Table 1 7 Enable the ARP entry checking function Operation Command Description Enter system view system view Enable the ARP entry checking function that is disable the switch from creating multicast MAC address ARP entries for MAC addresses learned arp check enable Optional By def...

Page 283: ...d in user view to clear ARP mapping entries Table 1 9 Display and debug ARP Operation Command Remark Display specific ARP mapping table entries display arp static dynamic ip address This command can be executed in any view Display the ARP mapping entries related to a specified string in a specified way display arp dynamic static ip address begin include exclude text This command can be executed in...

Page 284: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual DHCP Snooping Huawei Technologies Proprietary ...

Page 285: ...oprietary i Table of Contents Chapter 1 DHCP Snooping Configuration 1 1 1 1 DHCP Snooping Overview 1 1 1 1 1 Implementation of the DHCP Snooping Function 1 1 1 1 2 DHCP Snooping Entry Updating 1 2 1 2 DHCP Snooping Configuration 1 3 1 2 1 Enabling the DHCP Snooping Function 1 3 1 3 Displaying DHCP Snooping 1 3 ...

Page 286: ...r IP address by listening DHCP broadcast packets which is achieved by employing the DHCP snooping function Figure 1 1 illustrates the diagram of a network with the DHCP snooping function implemented In this network the DHCP snooping function is enabled on Switch A an S3100 series Ethernet switch DHCP Client DHCP Client DHCP Client Ethernet DHCP Client Switch A DHCP snooping employed Internet DHCP ...

Page 287: ...2 The interaction between a DHCP client and a DHCP server With the DHCP snooping function enabled a switch acquires the IP address which a host obtains from the DHCP server and its MAC address in the following two ways z Listening DHCP_ACK packets z Listening DHCP_REQUEST packets 1 1 2 DHCP Snooping Entry Updating I DHCP Snooping table Upon the DHCP Snooping function is enabled on an S3100 series ...

Page 288: ...on as well for the switch to enable DHCP Snooping entries to be added removed dynamically when the users go offline online and thus to prevent memory overuse 1 2 DHCP Snooping Configuration 1 2 1 Enabling the DHCP Snooping Function Table 1 1 Enable the DHCP snooping function Operation Command Description Enter system view system view Enable the DHCP snooping function dhcp snooping Required By defa...

Page 289: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual ACL Huawei Technologies Proprietary ...

Page 290: ...on Switch 1 1 1 2 Time Range based ACL 1 2 1 2 1 Introduction to Time Range 1 2 1 2 2 Implementation of Time Range based ACL 1 2 1 3 ACL Supported by S3100 Series Switches 1 2 1 4 Time Range Configuration 1 2 1 4 1 Configuration Procedure 1 3 1 4 2 Configuration Example 1 3 1 5 ACL Configuration 1 4 1 5 1 Prerequisites 1 4 1 5 2 Creating a Basic ACL 1 4 1 5 3 Creating an Advanced ACL 1 4 1 5 4 Con...

Page 291: ...s source IP address destination IP address the types and features of the protocols carried by IP z Layer 2 ACL where rules are defined on the basis of Layer 2 information such as source MAC address destination MAC address VLAN priority and Layer 2 protocol type 1 1 1 ACL Implementation Mode on Switch I Implemented by hardware ACL can be delivered to hardware directly for packets to be filtered and...

Page 292: ... you for the time range when you define a time range based ACL rule it does not take effect in this case A time range based ACL rule takes effect only when it is configured with a time range and the system time is within the time range 1 3 ACL Supported by S3100 Series Switches The following table lists the ACLs supported by S3100 series switches Table 1 1 ACLs supported by the S3100 series switch...

Page 293: ...lute time ranges configured takes effect only when the system time is within both the time ranges z A time range based ACL rule with only the end time of the time range configured takes effect from the time when it is created to the specified end time z A time range based ACL rule with the end time of the time range not configured takes effect from the time when it is created to the most forward t...

Page 294: ...new ACL rule is created and the switch allocates a rule number for it automatically 1 5 2 Creating a Basic ACL The ACL number of a basic ACL ranges from 2000 to 2999 Table 1 3 Create a basic ACL Operation Command Description Enter system view system view Create a basic ACL acl number acl number match order config auto By default the config keyword is specified that is ACL rules are matched in the ...

Page 295: ...fault the matching order is config that is ACL rules are matched in the order they are created Define a rule rule rule id permit deny rule string Required Specify the comment for the rule rule rule id comment text Optional Specify ACL description description text Optional Display ACL information display acl all acl number You can execute the display command in any view The rule string argument in ...

Page 296: ...ation for the ACL rule dest addr dest wildcard specifies the destination address in dotted decimal notation The any keyword represents for any source address precedence precedence Packet priority IP priority The precedence argument ranges from 0 to 7 tos tos Packet priority ToS priority The tos argument ranges from 0 to 15 dscp dscp Packet priority DSCP priority The dscp argument ranges from 0 to ...

Page 297: ... only when the operator argument is range port1 port2 optional parameter TCP UDP port number which can be port names or numbers ranging from 0 to 65535 established The identifier for the establishment of TCP connection Specifies the rule to match the packets with ack or rst tags This keyword is for TCP only If you specify ICMP as the protocol type you can specify the parameters listed in Table 1 7...

Page 298: ...et redirect Type 5 Code 0 net tos redirect Type 5 Code 2 net unreachable Type 3 Code 0 parameter problem Type 12 Code 0 port unreachable Type 3 Code 3 protocol unreachable Type 3 Code 2 reassembly timeout Type 11 Code 1 source quench Type 4 Code 0 source route failed Type 3 Code 5 timestamp reply Type 14 Code 0 timestamp request Type 13 Code 0 ttl exceeded Type 11 Code 0 1 5 4 Configuration Exampl...

Page 299: ...es matched Configure ACL 3000 to deny the packets with their source addresses being 1 1 1 1 and destination addresses being 2 2 2 2 Quidway system view Quidway acl number 3000 Quidway acl adv 3000 rule deny ip source 1 1 1 1 0 destination 2 2 2 2 0 Quidway acl adv 3000 display acl 3000 Advanced ACL 3000 1 rule Acl s step is 1 rule 0 deny ip source 1 1 1 1 0 destination 2 2 2 2 0 0 times matched ...

Page 300: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual QoS Huawei Technologies Proprietary ...

Page 301: ...e Queue Mapping Table 1 8 1 5 5 Configuration Example 1 8 1 6 Configuring Packet Priority 1 9 1 6 1 Prerequisites 1 9 1 6 2 Configuration Procedure 1 9 1 6 3 Configuration Example 1 10 1 7 Configuring Queue Scheduling Algorithm 1 11 1 7 1 Prerequisites 1 11 1 7 2 Configuration Procedure 1 11 1 7 3 Configuration Example 1 11 1 8 Configuring Local Port Monitoring 1 12 1 8 1 Prerequisites 1 12 1 8 2 ...

Page 302: ...anual QoS Quidway S3100 Series Ethernet Switches Table of Contents Huawei Technologies Proprietary ii 1 11 1 Configuration Procedure 1 22 1 11 2 Configuration Example 1 22 1 12 Displaying and Maintaining QoS 1 22 ...

Page 303: ...nce and DSCP precedence Figure 1 1 DS field and ToS byte As shown in Figure 1 1 the TOS field of an IP header contains eight bits among which the first three represent the IP precedence ranging from 0 to 7 Bits 3 to 6 a total of 4 bits represent the TOS precedence ranging from 0 to 15 The TOS field of an IP packet header is redefined as Differentiated Services DS field in RFC2474 among which the f...

Page 304: ...or network resources To address this issue queue scheduling was introduced The following are two ways of implementing it Weighted Round Robin WRR and High Queue WRR HQ WRR 1 WRR With each port supporting four output queues WRR performs a round robin scheduling to ensure that all queues are served Each queue is allocated with a weight value w3 w2 w1 and w0 denoting the resource proportions allocate...

Page 305: ...t limits the rate that a port receives or sends packets 1 2 QoS Functions and Related Commands Table 1 1 QoS functions and related commands QoS Specifications Related Command Related section Port priority Support priority priority level Configuring Port Priority Packet trust priority Support priority trust Configuring Packet Trust Priority Priority to local precedence queue mapping Support qos cos...

Page 306: ...ing group group id mirroring port mirroring port list inbound outbound mirroring group group id reflector port reflector port mirroring group group id local remote source remote destination mirroring group group id remote probe vlan remote probe vlan id Configuring RSPAN Port rate limit Rate limit applies to both inbound and outbound packets with a rate value of 64 kbps line rate Setting Rate Limi...

Page 307: ...onfigure port priority level for Ethernet1 0 1 II Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway interface Ethernet1 0 1 Quidway Ethernet1 0 1 priority 7 1 4 Configuring Packet Trust Priority Users can configure the switch to trust the priority of inbound packets rather than priority of the receiving port 1 4 1 Configuration Procedure Table 1 3 Conf...

Page 308: ...s 1 5 1 Prerequisites New mapping relationships have been established to modify the 802 1p priority local precedence queue IP precedence local precedence queue and DSCP precedence local precedence queue mapping tables 1 5 2 Configuring 802 1p Priority Local Precedence Queue Mapping Table Table 1 4 Configure the 802 1p priority local precedence queue mapping table Operation Command Description Ente...

Page 309: ...able Operation Command Description Enter system view system view Set the mapping table qos ip precedence local precedence map ip0 map local prec ip1 map local prec ip2 map local prec ip3 map local prec ip4 map local prec ip5 map local prec ip6 map local prec ip7 map local prec Required Display the mapping table display qos ip precedence local precedence map Can be executed in any view The followin...

Page 310: ...al precedence map dscp list local precedence Required Display the mapping table display qos dscp local precedence map Can be executed in any view The following table shows the default DSCP precedence local precedence queue mapping table Table 1 9 Default DSCP precedence local precedence queue mapping table DSCP precedence Local precedence queue 0 15 0 16 31 1 32 47 2 48 63 3 1 5 5 Configuration Ex...

Page 311: ...ing Packet Priority 1 6 1 Prerequisites z The mapping relationship between the priority and local precedence queue has been established Refer to 1 5 Configuring Priority Local Precedence Queue Mapping z The kind of priority chosen from 802 1p priority IP precedence and DSCP precedence to be used for putting packets into queues is determined 1 6 2 Configuration Procedure Table 1 11 Determine the pr...

Page 312: ... mapping relationship Table 1 12 802 1p priority local precedence queue mapping table 802 1p priority Local precedence queue 0 0 1 0 2 1 3 1 4 2 5 2 6 3 7 3 II Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway qos cos local precedence map 0 0 1 1 2 2 3 3 Quidway display qos cos local precedence map cos local precedence map cos 802 1p 0 1 2 3 4 5 6 7 lo...

Page 313: ...ated 1 7 2 Configuration Procedure Table 1 13 Configure the queue scheduling algorithm Operation Command Description Enter system view system view Set the queue scheduling algorithm queue scheduler hq wrr queue0 weight queue1 weight queue2 weight wrr queue0 weight queue1 weight queue2 weight queue3 weight Required Defaults to WRR algorithm with a weight ratio of 1 2 3 4 Display the queue schedulin...

Page 314: ... precedence queue 0 0 1 1 2 2 3 3 Quidway priority trust Quidway priority trust cos Quidway display priority trust Priority trust mode cos Quidway queue scheduler wrr 2 3 4 5 Quidway display queue scheduler Queue scheduling mode weighted round robin weight of queue 0 2 weight of queue 1 3 weight of queue 2 4 weight of queue 3 5 1 8 Configuring Local Port Monitoring 1 8 1 Prerequisites z The monito...

Page 315: ...ound and outbound packets of the port Display local port monitoring settings display mirroring group local Can be executed in any view 1 8 3 Configuration Example I Network requirements z To monitor and analyze inbound and outbound packets of ports connected to Ethernet1 0 2 via monitoring devices z The monitoring devices are attached to Ethernet1 0 1 Configure as follows z Set Ethernet1 0 2 as th...

Page 316: ...e switches RSPAN application is shown in Figure 1 4 Source Switch Intermediate Switch Reflector port Source Port Destination Switch Trunk port Destination port Remote probe VLAN Source Switch Intermediate Switch Reflector port Source Port Destination Switch Trunk port Destination port Remote probe VLAN Figure 1 4 RSPAN application The following three types of switches implements the RSPAN function...

Page 317: ... monitors remote monitored packets To realize port remote management it is necessary to define a dedicated VLAN called Remote probe VLAN on the three switches All monitored packets are transmitted from the source switch to the destination switch via this Remote probe VLAN thus packets on remote ports of the source switch can be monitored on the destination switch The Remote probe VLAN has the foll...

Page 318: ...f the Trunk port interface interface type interface number Configure to permit Remote probe VLAN packets to pass through the Trunk port port trunk permit vlan remote probe vlan id Required Exit the current view quit Configure the remote source mirroring group mirroring group group id remote source Required Configure the remote source monitoring port mirroring group group id mirroring port mirrorin...

Page 319: ... view Create Remote probe VLAN and enter the VLAN view vlan vlan id The parameter vlan id represents the ID of Remote probe VLAN Exit the current view quit Enter Ethernet port view of the Trunk port interface interface type interface number Configure to permit Remote probe VLAN packets to pass through the Trunk port port trunk permit vlan remote probe vlan id Required This setting is needed for in...

Page 320: ...ng group group id remote destination Required Configure the remote destination monitoring port mirroring group group id monitor port monitor port Required Do not enable STP on the remote destination monitoring port After a port has been configured as a remote destination monitoring port users cannot modify its port type or default VLAN ID Configure the remote probe VLAN for the remote destination ...

Page 321: ...N configure as follows z Define VLAN10 as the remote probe VLAN z Switch A acts as the destination switch Ethernet1 0 2 which is connected to the data detect device acts as the destination monitoring port Do not enable STP on Ethernet1 0 2 z Switch B acts as the intermediate switch z Switch C acts as the source switch Specify Ethernet1 0 2 as the source monitoring port Ethernet1 0 5 as the reflect...

Page 322: ...1 0 1 Quidway Ethernet1 0 1 port trunk permit vlan 10 Quidway Ethernet1 0 1 quit Quidway interface ethernet1 0 2 Quidway Ethernet1 0 2 port trunk permit vlan 10 Configurations on switch A Quidway system view Quidway vlan 10 Quidway vlan10 remote probe vlan enable Quidway vlan10 quit Quidway interface ethernet1 0 1 Quidway Ethernet1 0 1 port trunk permit vlan 10 Quidway Ethernet1 0 1 quit Quidway m...

Page 323: ...nterface interface type interface number unit id line rate Can be executed in any view 1 10 3 Configuration Example I Network requirements The switch connects to a PC through Ethernet1 0 1 The goal is to control outbound packets from the PC so that only packets with a rate limit less than 128 kbps can pass through Ethernet1 0 1 whereas those with a rate limit above 128 kbps will simply be discarde...

Page 324: ...e Required Display unknown multicast packet discarding settings display current configuration Can be executed in any view 1 11 2 Configuration Example I Network requirements Enable the unknown multicast packet discarding function II Configuration procedure Quidway system view System View return to User View with Ctrl Z Quidway unknown multicast drop enable Quidway display current configuration sys...

Page 325: ...table display qos dscp local precedence ma p Display the trusted priority display priority trust Display the queue scheduling algorithm in use display queue scheduler Display the port mirroring group configurations display mirroring group group id all local remote destination remote source Display all QoS settings of the port display qos interface interface type interface number unit id all Displa...

Page 326: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual IGMP Snooping Huawei Technologies Proprietary ...

Page 327: ...iguring IGMP Snooping Filtering ACL 1 7 1 2 5 Configuring Multicast VLAN 1 8 1 3 Displaying Information About IGMP Snooping 1 10 1 4 IGMP Snooping Configuration Example 1 10 1 4 1 Example 1 1 10 1 4 2 Example 2 1 11 1 5 Troubleshooting IGMP Snooping 1 14 Chapter 2 Routing Port Join to Multicast Group Configuration 2 1 2 1 Routing Port Join to Multicast Group Configuration 2 1 2 1 1 Introduction 2 ...

Page 328: ...itch the switch uses IGMP Snooping to analyze and process the IGMP messages Table 1 1 IGMP message processing on the switch Received message type Sender Receiver Switch processing IGMP host report message Host Switch Add the host to the corresponding multicast group IGMP leave message Host Switch Remove the host from the multicast group By listening to IGMP messages the switch establishes and main...

Page 329: ...p member tream Multicast packet transmission without IGMP Snooping Multicast packet trans with IGMP Sn mission ooping Internet Video stream Muliticast Multicast group member Non group member Non group member Internet Video st Muliticast ream Multicast group member Non group member Non gr oup member Multicast packet transmission without IGMP Snooping Internet Video stream VOD server Layer 2 Etherne...

Page 330: ...itch processes four different types of IGMP messages it received as shown in Table 1 3 Table 1 3 IGMP Snooping messages Mes sage Sen der Recei ver Purpo se Switch action If yes reset the aging timer of the router port IGMP general query message Multicast router Multicast member switch Query if the multica st groups contain any memb er Check if the message comes from the original router port If not...

Page 331: ... group If not Create a MAC multicast group and notify the multicast router that a member is ready to join the multicast group Add the port to the MAC multicast group and start the aging timer of the port Add all ports in the VLAN owning this port to the forward port list of the MAC multicast group Add the port to the IP multicast group If no response is received from the port before the timer time...

Page 332: ...nooping You can use the command here to enable IGMP Snooping so that it can establish and maintain MAC multicast forwarding tables at layer 2 Table 1 4 Enable IGMP Snooping Operation Command Description Enter system view system view Enable IGMP Snooping globally igmp snooping enable Required IGMP Snooping is disabled globally Enter VLAN view vlan vlan id Enable IGMP Snooping on the VLAN igmp snoop...

Page 333: ...ble 1 5 Configure timers Operation Command Description Enter system view system view Configure the aging time of the router port igmp snooping router aging time seconds Optional By default the aging time of the router port is 105 seconds Configure the query response timeout time igmp snooping max response time seconds Optional By default the query response timeout time is 10 seconds Configure the ...

Page 334: ...wing them to access the multicast streams in different multicast groups In practice when a user orders a multicast program an IGMP report message is generated When the message arrives at the switch the switch examines the multicast filtering ACL configured on the access port to determine if the port can join the corresponding multicast group or not If yes it adds the port to the forward port list ...

Page 335: ...ke users in different VLANs share the same multicast VLAN This saves bandwidth since multicast streams are transmitted only within the multicast VLAN and also guarantees security because the multicast VLAN is isolated from user VLANs Multicast VLAN is mainly used in Layer 2 switching but you must make corresponding configuration on the Layer 3 switch Table 1 8 Configure multicast VLAN on Layer 3 s...

Page 336: ...quired Enable multicast VLAN service type multicast Required Exit the VLAN view quit Enter the view of the Ethernet port connected to the Layer 3 switch interface interface type interface number Define the port as a trunk or hybrid port port link type trunk hybrid port hybrid vlan vlan id list tagged untagged Specify the VLANs to be allowed to pass through the Ethernet port trunk pvid vlan vlan id...

Page 337: ... Snooping Operation Command Description Display the current IGMP Snooping configuration display igmp snooping configuration Display IGMP Snooping message statistics display igmp snooping statistics Display IP and MAC multicast groups in one or all VLANs display igmp snooping group vlan vlanid You can execute the display commands in any view Clear IGMP Snooping statistics reset igmp snooping statis...

Page 338: ...nooping on VLAN 10 where no Layer 3 multicast protocol is enabled Quidway vlan 10 Quidway vlan10 igmp snooping enable 1 4 2 Example 2 Configure multicast VLAN on Layer 2 and Layer 3 switches I Network requirements Table 1 11 describes the network devices involved in this example and the configurations you should make on them Table 1 11 Network devices and their configurations Device Description Sw...

Page 339: ...the users in VLAN 2 and VLAN 3 can receive multicast streams through the multicast VLAN II Network diagram PC 2 PC 2 PC 2 PC 2 PC 1 PC 1 PC 1 PC 1 Switch A Workstation Switch B PC 2 PC 2 PC 2 PC 2 PC 1 PC 1 PC 1 PC 1 Switch A Workstation Workstation Switch B Figure 1 4 Network diagram for multicast VLAN configuration III Configuration procedure The following configuration is based on the prerequis...

Page 340: ...A Vlan interface10 pim dm Switch A Vlan interface10 igmp enable 2 Configure Switch B Enable IGMP Snooping globally Switch B system view Switch B igmp snooping enable Configure VLAN 10 as a multicast VLAN and enable IGMP Snooping on it Switch B vlan 10 Switch B vlan10 service type multicast Switch B vlan10 igmp snooping enable Switch B vlan10 quit Define the Ethernet 1 0 10 port as a hybrid port ad...

Page 341: ...and to check the status of IGMP Snooping z If IGMP Snooping is disabled check whether it is disabled globally or on the corresponding VLAN If it is disabled globally use the igmp snooping enable command in both system view and VLAN view to enable it both globally and on the corresponding VLAN If it is only disabled on the VLAN use the igmp snooping enable command in VLAN view to enable it on the c...

Page 342: ...terface of the switch as a multicast group member When the interface receives IGMP query packets it will respond thus ensuring that the network segment of the interface can normally receive multicast packets 2 1 2 Configuring Routing Port to Join to Multicast Group Table 2 1 Configure routing port to join to multicast group Operation Command Description Enter system view system view Enter Ethernet...

Page 343: ...s entry to avoid this case 3 2 Configuring a Multicast MAC Address Entry The following table describes how to configure a multicast MAC address entry Table 3 1 Configure a multicast MAC address entry Operation Command Description Enter system view system view Add a multicast MAC address entry mac address multicast mac address interface interface list vlan vlan id Required mac address must be a mul...

Page 344: ...orward port of the entry z The system does not support the configuration of multicast MAC address on an IRF port If you do this the system will give you a prompt that the multicast MAC address configuration fails z You cannot enable port aggregation on a port where you have configured a multicast MAC address and you cannot configure a multicast MAC address on an aggregation port 3 3 Displaying Mul...

Page 345: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Stack Cluster Huawei Technologies Proprietary ...

Page 346: ...1 Cluster Overview 2 1 2 1 1 Introduction to Cluster 2 1 2 1 2 Cluster Roles 2 2 2 1 3 Introduction to NDP 2 3 2 1 4 Introduction to NTDP 2 4 2 1 5 Introduction to Cluster Roles 2 4 2 2 Management Device Configuration 2 5 2 2 1 Enabling NDP Globally and for Specific Ports 2 5 2 2 2 Configuring NDP related Parameters 2 6 2 2 3 Enabling NTDP Globally and for Specific Ports 2 6 2 2 4 Configuring NTDP...

Page 347: ...by performing configurations on one of the switches In this case the switch becomes the main switch of the stack You can perform the following operations on a main switch z Configuring an IP address pool for the stack z Creating the stack z Switching to slave switch view Before creating a stack you need to configure an IP address pool for the stack on the main switch When adding a switch to a stac...

Page 348: ...nnected to the stack through their stack ports to the stack 1 2 Main Switch Configuration The main switch configuration includes z Configuring the IP Address Pool and Creating the Stack z Switching to Slave Switch View 1 2 1 Configuring the IP Address Pool and Creating the Stack Table 1 1 Configure the IP address pool and create the stack Operation Command Description Enter system view system view...

Page 349: ...se errors may occur when adding a switch to the stack z IP addresses in the IP address pool of a stack must be of the same network segment For example the 1 1 255 254 is not a qualified start address for a stack IP address pool z If the IP address of the management VLAN interface of the main switch or a slave switch is not of the same network segment as that of the stack address pool the main swit...

Page 350: ...tions Operation Command Description Display the stack status information on the main switch display stacking members Optional The display command can be executed in any view When being executed with the members keyword not specified this command displays the main switch and the number of switches in the stack When being executed with the members keyword specified this command displays the member i...

Page 351: ...witch B Internet Switch A Switch C Switch B Figure 1 1 Network diagram for stack configuration III Configuration procedure Configure the IP address pool for the stack on Switch A Quidway system view Quidway stacking ip pool 129 10 1 15 0 Create the stack on switch A Quidway stacking enable stack_0 Quidway quit stack_0 Quidway Display the information about the stack on switch A stack_0 Quidway disp...

Page 352: ...evice S3100 MAC Address 00e0 fc00 3135 Member status Up IP 129 10 1 17 16 Switch to Switch B a slave switch stack_0 Quidway stacking 1 stack_1 Quidway Display the information about the stack on switch B stack_1 Quidway display stacking Slave device for stack Member number 1 Main switch mac address 00e0 fc00 3130 Switch back to Switch A stack_1 Quidway quit stack_0 Quidway Switch to Switch C a slav...

Page 353: ... for the member devices in a cluster are redirected by the management device Figure 2 1 illustrates a typical cluster implementation Management Device Member Device Member Device 69 110 1 1 Network Management Device Cluster 6 Candidate Device 9 110 1 100 Network Member Device Management Device Member Device Member Device 69 110 1 1 Network Management Device Cluster 6 Candidate Device 9 110 1 100 N...

Page 354: ...e cluster and then deliver configuration and management commands to them z Member management You can add a device to a cluster or remove a device from a cluster on the management device You can also configure management device authentication and handshake interval for a member device on the management device Cluster related configurations are described in the following sections 2 1 2 Cluster Roles...

Page 355: ...u s t e r R e m o v e f r o m a c l u s t e r D e s i g n a t e d a s a m a n a g e m e n t d e v i c e A Candidate device Member device d d e d t o a c l u s t e r Management device Figure 2 2 Role changing rule z Each cluster has one and only one management device A management device collects NDP NTDP information to discover and determine candidate devices which can be then added into the cluste...

Page 356: ... the topology information within the specified hops for cluster management Based on the NDP information table created by NDP NTDP transmits and forwards NTDP topology collection request to collect the NDP information and neighboring connection information of each device in a specific network range for the management device or the network administrator to implement needed functions Upon detecting a...

Page 357: ... manages and monitors the devices in the cluster by collecting and processing NDP NTDP packets NDP NTDP packets contain network topology information All the above mentioned operations need the support of the cluster function Note You need to enable the cluster function and configure cluster parameters on a management device However you only need to enable the cluster function on the member devices...

Page 358: ...g aging in seconds The aging in seconds argument is the holdtime of NDP information Configure the interval to send NDP packets ndp timer hello seconds The seconds argument is the interval to send NDP packets 2 2 3 Enabling NTDP Globally and for Specific Ports Table 2 4 Enable NTDP globally and for specific ports Operation Command Description Enter system view system view Enable NTDP globally ntdp ...

Page 359: ...tion request packets ntdp timer port delay time Optional The time argument is the delay time Configure the interval to collect topology information ntdp timer interval in minutes Optional The interval in minutes argument is the desired interval Quit system view Quit Start topology information collection ntdp explore Optional Note By default an S3100 series switch operating as a candidate switch jo...

Page 360: ...be assigned to the cluster Configure a multicast MAC address for the cluster cluster mac H H H Optional This is to set a multicast MAC address for the cluster Set the interval for the management device to send multicast packets cluster mac syn interval time interval Optional The time interval argument is the interval to send multicast packets Configure the holdtime for a switch holdtime seconds Op...

Page 361: ...build recover Required This is to set up a cluster based on your instructions 2 3 Member Device Configuration Member device configuration involves z Enabling NDP globally and for specific ports z Enabling NTDP globally and for specific ports z Enabling the cluster function 2 3 1 Enabling NDP Globally and for Specific Ports Table 2 9 Enable NDP globally and for specific ports Operation Command Desc...

Page 362: ...em view Enter cluster view cluster Add a candidate device to a cluster add member member number mac address H H H password password This is to add a new member The member number H H H and password arguments are the ID MAC address and password of the device to be added to the cluster Remove a member device from the cluster delete member member num Optional This is to remove a member device from the...

Page 363: ...tional This command can be executed in any view Display the global NTDP information display ntdp Optional This command can be executed in any view Display device information collected through NTDP display ntdp device list verbose Optional This command can be executed in any view Display state and statistics information about a cluster display cluster Optional This command can be executed in any vi...

Page 364: ...011 SNMP Cluster host log host Network FTP serv er TFTP serv er E1 0 3 E1 0 2 E1 1 E1 1 E1 0 1 6 63 172 55 1 VL Member dev ice 00e0 f c01 9 172 55 4 AN2 interf ace IP address 163 172 55 1 MAC address 0012 Management dev ice Member dev ice MAC address 00e0 f c01 0011 Cluster Network FTP serv er TFTP serv er E1 0 3 E1 0 2 E1 1 E1 1 E1 0 1 6 63 172 55 1 VL Member dev ice 00e0 f c01 9 172 55 4 AN2 int...

Page 365: ...ble Configure the hop count to collect topology to be 2 Quidway ntdp hop 2 Configure the delay time for topology collection request packets to be forwarded on member devices to be 150 ms Quidway ntdp timer hop delay 150 Configure the delay time for topology collection request packets to be forwarded through the ports of member devices to be 15 ms Quidway ntdp timer port delay 15 Configure the inte...

Page 366: ... 2 Configure the member devices taking one member as an example Enable NDP globally and for Ethernet1 1 port Quidway ndp enable Quidway interface ethernet 1 1 Quidway Ethernet1 1 ndp enable Enable NTDP globally and for Ethernet1 1 port Quidway ntdp enable Quidway interface ethernet 1 1 Quidway Ethernet1 1 ntdp enable Enable the cluster function Quidway cluster enable Note Upon the completion of th...

Page 367: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual SNMP Huawei Technologies Proprietary ...

Page 368: ...ion 1 1 1 1 SNMP Overview 1 1 1 1 1 SNMP Operation Mechanism 1 1 1 1 2 SNMP Versions 1 1 1 1 3 MIBs Supported by the Device 1 2 1 2 Configuring SNMP Basic Functions 1 3 1 3 Configuring Trap 1 6 1 3 1 Configuration Prerequisites 1 6 1 3 2 Configuration Tasks 1 6 1 4 Displaying SNMP 1 7 1 5 SNMP Configuration Example 1 8 1 5 1 SNMP Configuration Example 1 8 ...

Page 369: ...r products 1 1 1 SNMP Operation Mechanism SNMP can be divided into two parts namely Network Management Station and Agent Network management station NMS is the workstation for running the client program At present the commonly used NM platforms include Quidview Sun NetManager and IBM NetView Agent is the server software operated on network devices The NMS can send GetRequest GetNextRequest and SetR...

Page 370: ...agement objects of a device To uniquely identify the management objects of the device in SNMP messages SNMP adopts the hierarchical naming scheme to identify the managed objects It is like a tree and each tree node represents a managed object as shown in the figure below Thus the object can be identified with the unique path starting from the root A 1 5 1 1 1 B 2 6 2 2 Figure 1 1 Architecture of t...

Page 371: ...MIB RFC1253 Public MIB IF MIB RFC1573 DHCP MIB DHCP MIB QACL MIB ADBM MIB IGMP Snooping MIB RSTP MIB VLAN MIB Device management Interface management QACL MIB ADBM MIB RSTP MIB VLAN MIB Device management Private MIB Interface management 1 2 Configuring SNMP Basic Functions The configuration of SNMP V3 configuration is different from that of SNMP V1 and SNMP V2C therefore SNMP basic function configu...

Page 372: ... the system location is Beijing China and the SNMP version is SNMP V3 Direct configu ration Set a commun ity name snmp agent community read write community name acl acl number mib view view name Set an SNMP group snmp agent group v1 v2c group name read view read view write view write view notify view notify view acl acl number Set a communi ty name and access authority Indirect configu ration Add ...

Page 373: ...tion Enter system view system view Enable SNMP Agent snmp agent Required By default SNMP Agent is disabled Set system information snmp agent sys info contact sys contact location sys location version v1 v2c v3 all Optional By default the contact information for system maintenance is R D Beijing Huawei Technologies Co Ltd the system location is Beijing China and the SNMP version is SNMP V3 Set an S...

Page 374: ...ID is 1 1 3 Configuring Trap Trap is the information that the managed device initiatively sends to the NMS without request Trap is used to report some urgent and important events e g the managed device is rebooted 1 3 1 Configuration Prerequisites Complete SNMP basic configuration 1 3 2 Configuration Tasks Table 1 4 Configure Trap Operation Command Description Enter system view system view Enable ...

Page 375: ... Displaying SNMP After the above configuration is completed execute the display command in any view to view the running of SNMP and to verify the configuration Table 1 5 Display SNMP Operation Command Display system information of the current SNMP device display snmp agent sys info contact location version Display SNMP packet statistics information display snmp agent statistics Display the engine ...

Page 376: ... 10 10 10 1 10 10 10 2 Ethernet NMS 10 10 10 1 10 10 10 2 Figure 1 2 Network diagram for SNMP III Network procedure Set the community name group name and user Quidway system view Quidway snmp agent sys info version all Quidway snmp agent community write public Quidway snmp agent mib view include internet 1 3 6 1 Quidway snmp agent group v3 managev3group write view internet Quidway snmp agent usm u...

Page 377: ... 10 1 udp port 5000 params securityname public IV Configuring NMS The Ethernet Switch supports Huawei s Quidview NMS SNMP V3 adopts user name and password authentication In Quidview Authentication Parameter you need to set a user name choose security level and set authorization mode authorization password encryption mode encryption password respectively according to different security levels In ad...

Page 378: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual RMON Huawei Technologies Proprietary ...

Page 379: ...ary i Table of Contents Chapter 1 RMON Configuration 1 1 1 1 Introduction to RMON 1 1 1 1 1 Working Mechanism of RMON 1 1 1 1 2 Commonly Used RMON Groups 1 2 1 2 RMON Configuration 1 3 1 2 1 Prerequisites 1 3 1 2 2 Configuring RMON 1 3 1 3 Displaying and Debugging RMON 1 4 1 4 RMON Configuration Example 1 5 ...

Page 380: ... devices more effectively and actively thus providing a satisfactory means of monitoring the operation of the subnet With RMON the communication traffic between NMS and agents is reduced thus facilitating the management of large scale internets 1 1 1 Working Mechanism of RMON RMON allows multiple monitors It collects data in one of the following two ways z Using the dedicated RMON probe When an RO...

Page 381: ...enerated which triggers the network device to act in the set way Events are defined in event groups With an alarm entry defined in an alarm group a network device performs the following operations accordingly z Sampling the defined alarm variables alarm variable once in each specified period sampling time z Comparing the sampled value with the set thresholds and triggering the corresponding events...

Page 382: ...ted value counting from the time when the corresponding event is defined The statistics include the number of the following items collisions packets with cyclic redundancy check CRC errors undersize or oversize packets broadcast packets multicast packets and received bytes and packets With the RMON statistics management function you can monitor the usage of a port and make statistics on the errors...

Page 383: ... cycle cycle period owner text Optional Before adding an extended alarm entry you need to use the rmon event command to define the event referenced by the extended alarm entry Enter Ethernet port view interface ethernet interface number Add a history control entry rmon history entry number buckets number interval sampling interval owner text Optional Add a statistics entry rmon statistics entry nu...

Page 384: ...ay RMON events display rmon event event entry Display RMON event logs display rmon eventlog event entry 1 4 RMON Configuration Example I Network requirements z Ensure that the SNMP agents are correctly configured before performing RMON configuration z The switch to be tested has a configuration terminal connected to its console port and is connected to a remote NMS through Internet Create an entry...

Page 385: ...atistics Ethernet1 0 1 Statistics entry 1 owned by user1 rmon is VALID Interface Ethernet1 0 1 ifIndex 4227817 etherStatsOctets 0 etherStatsPkts 0 etherStatsBroadcastPkts 0 etherStatsMulticastPkts 0 etherStatsUndersizePkts 0 etherStatsOversizePkts 0 etherStatsFragments 0 etherStatsJabbers 0 etherStatsCRCAlignErrors 0 etherStatsCollisions 0 etherStatsDropEvents insufficient resources 0 Packets rece...

Page 386: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual NTP Huawei Technologies Proprietary ...

Page 387: ...s 1 6 1 2 2 Configuring NTP Implementation Modes 1 6 1 3 Access Control Permission Configuration 1 8 1 4 NTP Authentication Configuration 1 8 1 4 1 Prerequisites 1 8 1 4 2 Configuring NTP Authentication 1 9 1 5 Configuration of Optional NTP Parameters 1 11 1 6 Displaying and Debugging NTP 1 12 1 7 Configuration Example 1 12 1 7 1 NTP Server Mode Configuration 1 12 1 7 2 NTP Peer Mode Configuration...

Page 388: ... information and debugging information collected from different devices is meaningful and valid only when network devices that generate the information adopts the same time z The accounting system requires that the clocks of all the network devices be consistent z Some functions such as restarting all the network devices in a network simultaneously require that they adopt the same time z When mult...

Page 389: ...LS LS _B _B NTP Packet NTP Packet Netw ork Netw ork NTP Packet10 00 00 am Netw ork Netw ork 11 00 01 am 10 00 00 am 11 00 01 am 11 00 02 am 10 00 00 am NTP Packet received at 10 00 03 am 1 2 3 4 LS_A LS_A LS_A LS_A LS LS _B _B LS LS _B _B NTP Packet NTP Packet Netw ork Netw ork NTP Packet10 00 00am Netw ork Netw ork 11 00 01am 10 00 00am 11 00 01am 11 00 02am 10 00 00am NTP Packet received at 10 0...

Page 390: ... information to synchronize its clock to that of LS_B For the detailed information refer to RFC1305 1 1 3 NTP Implementation Mode To accommodate networks of different structures and switches in different network positions NTP can operate in multiple modes as described in the following I Client Server mode Netw ork Client Server Clock synchronization request packet Response packet Filter and select...

Page 391: ...quest packet Oper peer ates in the passive mode automatically Netw ork Response packet Synchronize Active peer Passive peer Netw ork Clock synchronization request packet Oper peer ates in the passive mode automatically Netw ork Response packet Synchronize Active peer Passive peer Netw ork Clock synchronization request packet Oper peer ates in the passive mode automatically Netw ork Response packet...

Page 392: ...ckets through the VLAN interface configured on it z Configure the S3100 switch to operate in NTP broadcast client mode In this case the S3100 receives broadcast NTP packets through the VLAN interface configured on it Multicast mode z Configure the S3100 to operate in NTP multicast server mode In this case the S3100 switch sends multicast NTP packets through the VLAN interface configure on it z Con...

Page 393: ...p server name authenticati on keyid key id priority source interface vlan interface VLAN interface number version number Optional By default the authentication is not performed the number argument is set to 3 and a NTP server is not preferred Configure to operate in NTP peer mode ntp service unicast peer remote ip peer name authentication keyid key id priority source interface vlan interface vlan ...

Page 394: ...P server In this case the clock of the NTP server is not synchronized to the local client z The remote ip argument cannot be a broadcast or a multicast address neither can it be the IP address of a reference clock II NTP peer mode When an S3100 series switch operates in NTP peer mode z The remote server identified by the remote ip or server name argument operates as the peer of the S3100 series sw...

Page 395: ...mparing to it An access request made to an NTP server is matched from the highest permission to the lowest that is in the order of peer server synchronization and query Table 1 3 Configure the access control permission to the local NTP server Operation Command Description Enter system view system view Configure the access control permission to the local NTP server ntp service access peer server sy...

Page 396: ...ication globally ntp service authentication enable Required By default the NTP authentication is disabled Configure the NTP authentication key ntp service authentication keyid key id authentication model md5 value Required By default the NTP authentication key is not configured Configure the specified key to be a trusted key ntp service reliable authentication keyid key id Required By default no t...

Page 397: ...TP authentication ntp service authentication enable Required By default NTP authentication Configure NTP authentication key ntp service authentication keyid key id authentication model md5 value Required By default NTP authentication key is not configured Configure the specified key to be a trusted key ntp service reliable authentication keyid key id Required By default an authentication key is no...

Page 398: ...tablished locally z Disabling the VLAN interface configured on a switch from receiving NTP packets Table 1 6 Configure optional NTP parameters Operation Command Description Enter system view system view Configure the local interface that sends NTP packets ntp service source interface Vlan interface Optional Configure the number of the sessions that can be established locally ntp service max dynami...

Page 399: ...the display command in any view to display the running status of the NTP configuration and verify the effect of the configuration Table 1 7 Display and debug NTP Operation Command Display the status of NTP service display ntp service status Display the information about the sessions maintained by NTP display ntp service sessions verbose Display the brief information about the NTP time servers of t...

Page 400: ...l frequence 99 8562 Hz clock precision 2 7 clock offset 0 0000 ms root delay 0 00 ms root dispersion 0 00 ms peer dispersion 0 00 ms reference time 00 00 00 000 UTC Jan 1 1900 00000000 00000000 Configure Quidway1 to be the time server S3100 system view System View return to User View with Ctrl Z S3100 ntp service unicast server 1 0 1 11 After the above configuration the S3100 switch is synchronize...

Page 401: ...ation I Network requirements Quidway2 sets the local clock to be the NTP master clock with the clock stratum being 2 Configure an S3100 series switch to operate as a client with Quidway2 as the time server Quidway2 will then operate in the server mode automatically Meanwhile Quidway3 sets the S3100 series switch to be its peer Note This example assumes that z Quidway2 is a switch that allows its l...

Page 402: ...cause the stratum of the local clock of Quidway3 is 1 and that of the S3100 switch is 3 the S3100 series switch is synchronized to Qudiway3 Display the status of the S3100 switch after the synchronization S3100 display ntp service status Clock status synchronized Clock stratum 2 Reference clock ID 3 0 1 32 Nominal frequency 250 0000 Hz Actual frequency 249 9992 Hz Clock precision 2 19 clock offset...

Page 403: ...e master clock II Network diagram Quidway 3 S3100 1 3 0 1 32 24 nterface 2 nterface 2 S3100 2 Quidway 4 1 0 1 31 24 Vlan i Vlan i Vlan interface 2 Quidway 3 nterface 2 nterface 2 3 0 1 31 24 Quidway 4 i i Quidway 3 S3100 1 3 0 1 32 24 nterface 2 nterface 2 S3100 2 Quidway 4 1 0 1 31 24 Vlan i Vlan i Vlan interface 2 Quidway 3 nterface 2 nterface 2 3 0 1 31 24 Quidway 4 i i Figure 1 8 Network diagr...

Page 404: ... Interface2 Configure S3100 2 to be a broadcast client S3100 2 Vlan Interface2 ntp service broadcast client The above configuration configures S3100 1 and S3100 2 to listen to broadcast packets through their VLAN interface 2 and Quidway3 to send broadcast packets through VLAN interface 2 Because S3100 2 does reside in the same network segment as Quidway3 resides the former cannot receive broadcast...

Page 405: ...7 4 NTP Multicast Mode Configuration I Network requirements Quidway3 sets the local clock to be NTP master clock with the clock stratum of 2 It advertises multicast packets through VLAN interface 2 Configure S3100 1 and S3100 2 to listen multicast packets through their VLAN interface 2 Note This example assumes that Quidway3 is a switch that supports the local clock being the master clock II Netwo...

Page 406: ...t 3 Configure S3100 2 Enter system view S3100 2 system view System View return to User View with Ctrl Z S3100 2 Enter VLAN interface view S3100 2 interface Vlan interface 2 Configure Quidway1 to be a multicast client S3100 2 Vlan Interface2 ntp service multicast client The above configuration configures S3100 1 and S3100 2 to listen multicast packets through their VLAN interface 2 and Quidway3 to ...

Page 407: ...sessions source refid st now poll reach delay offset dis 1 3 0 1 31 0 0 0 0 2 1 64 377 26 1 199 53 9 7 note 1 source master 2 source peer 3 selected 4 candidate 5 configured 1 7 5 NTP Server Mode with Authentication Configuration I Network requirements The local clock of Quidway1 operates as the master NTP clock with the clock stratum set to 2 An S3100 series switch operates in client mode with Qu...

Page 408: ...he above configuration synchronizes S3100 to Quidway1 As NTP authentication is not enabled on Quidway1 S3100 will fail to be synchronized to Quidway1 To synchronize the S3100 series switch the following configuration is needed for Quidway1 Enable authentication on Quidway1 Quidway1 ntp service authentication enable Set the authentication key Quidway1 ntp service authentication keyid 42 authenticat...

Page 409: ... Huawei Technologies Proprietary 1 22 root dispersion 208 39 ms peer dispersion 9 63 ms reference time 17 03 32 022 UTC Thu Sep 6 2001 BF422AE4 05AEA86C The output information indicates that S3100 is synchronized to Quidway1 with the clock stratum being 3 one stratum higher than Quidway1 ...

Page 410: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual SSH2 0 Huawei Technologies Proprietary ...

Page 411: ...ces 1 1 1 1 1 Introduction to SSH 1 1 1 1 2 SSH Server Configuration 1 3 1 1 3 SSH Client Configuration 1 7 1 1 4 Displaying SSH Configuration 1 8 1 1 5 SSH Server Configuration Example 1 9 1 1 6 SSH Client Configuration Example 1 11 1 2 SFTP Service 1 12 1 2 1 SFTP Overview 1 12 1 2 2 SFTP Server Configuration 1 13 1 2 3 SFTP Client Configuration 1 14 1 2 4 SFTP Configuration Example 1 17 ...

Page 412: ...e Switch remotely via an insecure network environment A Switch can connect to multiple SSH clients SSH2 0 is currently available SSH client functions to enable SSH connections between users and the Switch or UNIX host that support SSH server Figure 1 1 and Figure 1 2 shows respectively SSH connection establishment for client and server z SSH connections through LAN 100BASE TX Server Ethernet Works...

Page 413: ...s begin to negotiate the SSH version z If they can work together in harmony they enter the key algorithm negotiation stage Otherwise the server clears the TCP connection 2 Key algorithm negotiation stage These operations are completed at this stage z The server sends the public key in a randomly generated RSA key pair to the client z The client figures out session key based on the public key from ...

Page 414: ...ly The user is allowed to log on to the Switch if the usernames and passwords match exactly 2 RSA authentication works as follows z Configure the RSA public key of the client user at the server z The client sends the member modules of its RSA public key to the server z The server checks the validity of the member module If it is valid the server generates a random number which is sent to the clien...

Page 415: ...tication type Refer to Configuring authentication type Set SSH authentication timeout time ssh server timeout 4 Set SSH authentication retry times ssh server authentication retries Refer to Configuring server SSH attributes 5 Allocate public keys for SSH users ssh user username assign rsa key keyname Refer to Configuring client public keys I Configuring supported protocols Table 1 2 Configure supp...

Page 416: ... length z In SSH1 x the key length is in the range of 512 to 2 048 bits z In SSH2 0 the key length is in the range of 1024 to 2048 bits To make SSH 1 x compatible 512 to 2 048 bit keys are allowed on clients but the length of server keys must be more than 1 024 bits Otherwise clients cannot be authenticated Table 1 3 Generate or destroy RSA key pairs Operation Command Remarks Enter system view sys...

Page 417: ...ications SSHv2 client users can access the switch only when they pass both the authentications IV Configuring server SSH attributes Configuring server SSH authentication timeout time and retry times can effectively assure security of SSH connections and avoid illegal actions Table 1 5 Configure server SSH attributes Operation Command Remarks Enter system view system view Set SSH authentication tim...

Page 418: ...the public key should be composed of hexadecimal characters Return to public key view from public key edit view public key code end The system saves public key data when exiting from public key edit view Return to system view from public key view peer public key end Allocate public keys to SSH users ssh user username assign rsa key keyname Required Keyname is the name of an existing public key If ...

Page 419: ...ify on the client the public key for the server to be connected to guarantee the client can be connected to a reliable server Configure the client to run the initial authentication ssh client first time enable Optional By default the client runs the initial authentication Note In the initial authentication if the SSH client does not have the public key for the server which it accesses for the firs...

Page 420: ...ported client software II Network diagram SSH Client Switch SSH Server PC Switch SSH Server PC SSH Client Figure 1 3 Network diagram for SSH server configuration III Configuration procedure 1 Generate a local RSA key pair Quidway system view Quidway rsa local key pair create Note If the local RSA key pair has been generated in previous operations skip this step here 2 Set authentication type Setti...

Page 421: ...l inbound ssh Configure the login protocol for the client002 user as SSH and authentication type as RSA public key Quidway ssh user client002 authentication type rsa Generate randomly RSA key pairs on the SSH2 0 client and send the corresponding public keys to the server Configure client public keys on the server with their name as quidway002 Quidway rsa peer public key quidway002 Quidway rsa publ...

Page 422: ... enable 2 Configure server public keys on the client Quidway rsa peer public key public Quidway rsa public key public key code begin Quidway rsa key code 308186028180739A291ABDA704F5D93DC8FDF84C427463 Quidway rsa key code 1991C164B0DF178C55FA833591C7D47D5381D09CE82913 Quidway rsa key code D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4 Quidway rsa key code 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2D...

Page 423: ...d Quidway ssh2 10 165 87 136 22 perfer_kex dh_group1 perfer_ctos_cipher des perfer_ctos_hmac md5 perfer_stoc_hmac md5 username client003 Trying 10 165 87 136 Press CTRL K to abort Connected to 10 165 87 136 The Server is not autherncated Do you continue access it Y N y Do you want to save the server s public key Y N y All rights reserved 1997 2005 Without the owner s prior written consent no decom...

Page 424: ...H user ssh user username service type telnet sftp all Optional By default the SSH service type is telnet II Enabling the SFTP server Table 1 10 Enable the SFTP server Operation Command Remarks Enter system view system view Enable the SFTP server sftp server enable Required By default the SFTP server is not enabled III Setting connection timeout time After you set the timeout time for the SFTP user...

Page 425: ...current directory cd Return to the upper directory cdup Display the current directory pwd dir Display the list of the files in a directory ls Create a new directory mkdir 3 SFTP directory related operations Delete a directory rmdir SFTP client view Optional Rename a file on the SFTP server rename Download a file from the remote SFTP server get Upload a local file to the remote SFTP server put dir ...

Page 426: ...ange_group prefer_ctos_cipher des aes128 prefer_stoc_cipher des aes128 prefer_ctos_hmac sha1 sha1_96 md5 md5_96 prefer_stoc_hmac sha1 sha1_96 md5 md5_96 Required II Disabling the SFTP client Table 1 14 Disable the SFTP client Operation Command Remarks Enter system view system view Enter SFTP client view sftp host ip host name bye exit Disable the SFTP client quit The three commands have the same f...

Page 427: ...SFTP server mkdir remote path Delete a directory from the SFTP server rmdir remote path Optional IV Operating with SFTP files SFTP file related operations include changing file name downloading files uploading files displaying the list of the files deleting files Table 1 16 Operate with SFTP files Operation Command Remarks Enter system view system view Enter SFTP client view sftp host ip host name...

Page 428: ...d such as syntax and parameters Table 1 17 Display help information about SFTP client commands Operation Command Remarks Enter system view system view Enter SFTP client view sftp host ip host name Display help information about SFTP client commands help command name Optional 1 2 4 SFTP Configuration Example I Network requirements As shown in Figure 1 5 z An SSH connection is present between Switch...

Page 429: ...vice type sftp 2 Configure Switch A SFTP client Establish a connection to the remote SFTP server and enter SFTP client view Quidway sftp 10 111 27 91 Display the current directory on the SFTP server delete file z and verify the operation sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 ...

Page 430: ...name of directory new1 to new2 and verify the operation sftp client rename new1 new2 File successfully renamed sftp client dir rwxrwxrwx 1 noone nogroup 1759 Aug 23 06 52 vrpcfg cfg rwxrwxrwx 1 noone nogroup 225 Aug 24 08 01 pubkey2 rwxrwxrwx 1 noone nogroup 283 Aug 24 07 39 pubkey1 drwxrwxrwx 1 noone nogroup 0 Sep 01 06 22 new rwxrwxrwx 1 noone nogroup 225 Sep 01 06 55 pub drwxrwxrwx 1 noone nogr...

Page 431: ...ries Ethernet Switches Chapter 1 SSH Terminal Services Huawei Technologies Proprietary 1 20 rwxrwxrwx 1 noone nogroup 283 Sep 02 06 35 pub rwxrwxrwx 1 noone nogroup 283 Sep 02 06 36 puk sftp client Exit from SFTP sftp client quit Bye Quidway ...

Page 432: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual File System Management Huawei Technologies Proprietary ...

Page 433: ...Attribute Configuration 1 1 1 1 1 Introduction to File Attributes 1 1 1 1 2 Configuring File Attributes 1 2 1 2 File System Configuration 1 3 1 2 1 Introduction to File System 1 3 1 2 2 Introduction to Configuration File Management 1 4 1 2 3 Directory Operations 1 4 1 2 4 File Operations 1 5 1 2 5 Storage Device Operations 1 8 1 2 6 Prompt Mode Configuration 1 8 1 2 7 Configuration Example 1 9 ...

Page 434: ... file is used after a switch fails to startup using the main startup file In the Flash there can be only one app file one configuration file and one Web file with the backup attribute b none Files that are neither of main attribute nor backup attribute are of none attribute None Note z An app file is an executable file with bin as the extension A configuration file is used to store and restore con...

Page 435: ...switch the main and backup attribute of the files Perform the following configuration in user view Table 1 2 Configure file attributes Operation Command Description Configure the app file with the main attribute for the next startup boot boot loader file url Optional Configure the app file with the backup attribute for the next startup boot boot loader backup attribute file url Optional Configure ...

Page 436: ... you need to make sure the file exists on the switch z The configuration of the main or backup attribute of a Web file takes effect immediately without restarting the switch z Currently a configuration file has the extension of cfg and resides in the root directory of a switch 1 2 File System Configuration 1 2 1 Introduction to File System To facilitate management on storage devices such as the Fl...

Page 437: ...ables users to check switch configurations easily Upon powered on a switch loads the configuration file known as saved configuration file which resides in the Flash for initialization If the Flash contains no configuration file the system initializes using the default parameters Comparing to saved configuration file the configuration file which is currently adopted by a switch is known as the curr...

Page 438: ... Display the current work directory Pwd Optional Display the information about specific directories and files dir all file url Optional Enter a specified directory cd directory Optional The default directory is the root directory of the Flash Note In the output information of the dir all command deleted files that is those in the recycle bin are embraced in brackets 1 2 4 File Operations The file ...

Page 439: ...in file url force Optional Delete a configuration file in the Flash reset saved configuration backup main Optional Save the current configuration to a specified configuration file and specify the configuration file to be of the main or backup attribute save cfgfile safely backup main Optional This command can be executed in any view Rename a file rename fileurl source fileurl dest Optional Copy a ...

Page 440: ...ually moved to the recycle bin and thus still take storage space You can clear the recycle bin to make room for other files by using the reset recycle bin command z If the configuration files are deleted the switch adopts the default configuration parameters when it starts the next time You can consider clearing the configuration files in the Flash when z The configuration files in the Flash are n...

Page 441: ...nt configuration is saved in the configuration file with which the switch latest starts If the switch starts using the default configuration the current configuration is saved in the default configuration file z To make a switch to adopt the current configuration when it starts the next time save the current configuration using the save command before restarting the switch 1 2 5 Storage Device Ope...

Page 442: ...tch log 7239 KB total 3481 KB free with main attribute b with backup attribute b with both main and backup attribute Copy the file flash vrpcfg cfg to flash test with 1 cfg as the name of the new file Quidway copy flash vrpcfg cfg flash test 1 cfg Copy unit1 flash vrpcfg cfg to unit1 flash test 1 cfg Y N y Copy file unit1 flash vrpcfg cfg to unit1 flash test 1 cfg Done Display the file information...

Page 443: ... Management Quidway S3100 Series Ethernet Switches Chapter 1 File System Management Huawei Technologies Proprietary 1 10 7239 KB total 3480 KB free with main attribute b with backup attribute b with both main and backup attribute ...

Page 444: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual FTP and TFTP Huawei Technologies Proprietary ...

Page 445: ... 1 Introduction to FTP 1 1 1 1 2 FTP Configuration A Switch Operating as an FTP Server 1 3 1 1 3 FTP Configuration A Switch Operating as an FTP Client 1 4 1 1 4 Configuration Example A Switch Operating as an FTP Client 1 6 1 1 5 Configuration Example A Switch Operating as an FTP Server 1 8 1 2 TFTP Configuration 1 9 1 2 1 Introduction to TFTP 1 9 1 2 2 TFTP Configuration 1 11 1 2 3 Configuration E...

Page 446: ...switch provides the following FTP services z FTP Client A switch can operate as an FTP client through which you can access files on FTP servers In this case you need to establish a connection between the switch and your PC through a terminal emulation program or Telnet and then execute the ftp X X X X command on your PC X X X X is the IP address of an FTP server z FTP Server A switch can also oper...

Page 447: ... files directories Table 1 2 describes the operations needed when a switch operates as an FTP server Table 1 2 Configurations needed when a switch operates as an FTP server Device Configuration Default Description Enable the FTP server function The FTP function is disabled by default You can run the display ftp server command to view the FTP server configuration on the switch Perform the authentic...

Page 448: ...e types for the local users For the information about these configurations refer to these commands in AAA and RADIUS Configuration module local user local user password display mode password and service type II Configuration procedure Table 1 3 Configure an FTP server Operation Command Description Enter system view system view Enable the FTP server function ftp server enable Required By default th...

Page 449: ...client by providing the information about work directory FTP services are available to users only when they pass the authentication and authorization III Displaying and debugging an FTP server After the above configurations you can run the display command in any view to view the running information of the FTP server and verify your configurations Table 1 4 Display and debug an FTP server Operation...

Page 450: ...de is adopted Change the work directory on the remote FTP server cd pathname Optional Change the work directory to be the parent directory cdup Optional Get the local work path on the FTP client lcd Optional Display the work directory on the FTP server pwd Optional Create a directory on the remote FTP server mkdir pathname Optional Remove a directory on the remote FTP server rmdir pathname Optiona...

Page 451: ...nection and quit to user view quit Optional Terminate the current FTP control connection and data connection bye Optional Display the on line help on a specified command concerning FTP remotehelp protocol command Optional Enable verbose function verbose Optional The verbose function is enabled by default 1 1 4 Configuration Example A Switch Operating as an FTP Client I Network requirements A switc...

Page 452: ...ord being hello and the permission to access the directory named Switch assigned to the user account These operations are omitted here 2 Configure the switch Log into the switch You can log into a switch through the Console port or by Telneting to the switch See Chapter 2 Log into an Ethernet Switch for detailed information Quidway Caution If the free space of the Flash of the switch is insufficie...

Page 453: ...ded Quidway boot boot loader switch bin Quidway reboot 1 1 5 Configuration Example A Switch Operating as an FTP Server I Network requirements A switch and a PC operate as an FTP server and an FTP client z Create a user account on the FTP server with the user name being switch password being hello and the permission to access the root directory of the Flash assigned to the user account z The IP add...

Page 454: ... cfg from the FTP server Caution z If the free space of the Flash of the switch is insufficient to hold the file to be uploaded you need to delete useless files in the flash to make room for the file z Quidway series switch is not shipped with FTP client applications You need to purchase and install it separately 3 After uploading the application you can update the application on the switch Specif...

Page 455: ... to configure IP addresses for the TFPT client and the TFTP server and make sure the route between the two is reachable z A switch can only operate as a TFTP client Switch PC Network Network Switch PC Network Network Figure 1 4 Network diagram for TFTP configuration Table 1 6 describes the operations needed when a switch operates as an TFTP client Table 1 6 Configurations needed when a switch oper...

Page 456: ... transmission mode tftp ascii binary Optional By default the binary file transmission mode is adopted Download a file tftp tftp server get source file dest file Optional Upload a file tftp tftp server put source file dest file Optional Enter system view system view Specify the ACL adopted when a switch attempts to connect a TFTP server tftp server acl acl number Optional 1 2 3 Configuration Exampl...

Page 457: ...le port or by Telneting to the switch See Chapter 2 Log into an Ethernet Switch for detailed information Quidway Caution If the free space of the Flash of the switch is insufficient to hold the file to be downloaded you need to delete useless files in the flash to make room for the file Enter system view Quidway system view System View return to User View with Ctrl Z Quidway Configure the IP addre...

Page 458: ...Upload the configuration file named vrpcfg cfg to the TFTP server Quidway tftp 1 1 1 2 put vrpcfg cfg vrpcfg cfg Specify the downloaded file the file named switch bin to be the startup file used when the switch starts the next time and restart the switch Thus the switch application is upgraded Quidway boot boot loader switch bin Quidway reboot ...

Page 459: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Information Center Huawei Technologies Proprietary ...

Page 460: ...n Output to a Log Host 1 6 1 2 3 Enabling Information Output to the Console 1 7 1 2 4 Enabling Information Output to a Monitor Terminal 1 8 1 2 5 Enabling Information Output to the Log Buffer 1 10 1 2 6 Enabling Information Output to the Trap Buffer 1 11 1 2 7 Enabling Information Output to the SNMP 1 12 1 3 Displaying and Debugging Information Center 1 12 1 4 Information Center Configuration Exam...

Page 461: ...et0 0 0 is UP SIP 10 5 1 5 SP 1080 The following describes the fields contained in an information item 1 Priority The calculation formula for priority is priority facility 8 severity 1 For VRP the default facility value is 23 and severity ranges from one to eight See Table 1 2 for description of severity levels Note that no character is permitted between the priority and time stamp The priority ta...

Page 462: ...ss resolution protocol ARPMIB ARP MIB module CFAX Configuration agent CFG Configuration management plane CFM Configuration file management CLST Cluster management CMD Command line COMMOMSY Common system MIB DEV Device management DHCC DHCP client DRV Driver ENTEXMIB Entity extended MIB ESP End station polling FIB Forwarding FTPS FTP server HA High availability HABP Huawei authentication bypass prot...

Page 463: ...rotocol MULTICAS MULTICAS NAT Network address translation NDP Neighbor discovery protocol NTDP Network topology discovery protocol NTP Network time protocol RDS Radius RM Routing management RMON Remote monitor RMX Route management of IPX RSA RSA encryption system RSA Revest Shamir and Adleman RTPRO Routing protocol SC Server control SECU Security SHELL Shell SNMP Simple network management protocol...

Page 464: ... severity corresponds to level 1 When the severity threshold is set to debugging all information will be output See Table 1 2 for description of severities and corresponding levels Table 1 2 Severity definitions on the information center Severity Value Description emergencies 1 The system is unavailable alerts 2 Errors that need to be corrected immediately critical 3 Critical errors errors 4 Commo...

Page 465: ...monitor terminal monitor log host loghost trap buffer trapbuffer log buffer logbuffer and SNMP snmpagent z Filtering information by information severities information is divided into eight severity levels z Filtering information by modules where information is generated z Language options Chinese or English for information output 1 2 1 Enabling Synchronous Terminal Output To avoid user s input fro...

Page 466: ...er info center enable Optional By default the information center is enabled Enable information output to a log host info center loghost host ip addr channel channel number channel name facility local number language chinese english Required By default the switch does not output information to the log host Be sure to set the correct IP address A loopback IP address will cause an error message promp...

Page 467: ... center console channel channel number channel name Required By default the switch does not output information to the console Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optional To view debug log trap outp...

Page 468: ...figurations on the switch Table 1 8 Enable information output to a monitor terminal Operation Command Description Enter system view system view Enable the information center info center enable Optional By default the information center is enabled Enable information output to Telnet terminal or dumb terminal info center monitor channel channel number channel name Required By default the switch outp...

Page 469: ...ld also enable the corresponding debug log trap display on the switch For example to view log information of the switch on a monitor terminal you need to not only enable log information output to the monitor terminal but also enable log terminal display with the terminal logging command Perform the following configuration in user view Table 1 9 Enable debug log trap terminal display Operation Comm...

Page 470: ...hannel number channel name size buffersize Optional By default the switch outputs information to the log buffer which can holds up to 512 items by default Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optiona...

Page 471: ... channel number channel name size buffersize Optional By default the switch outputs information to the trap buffer which can holds up to 256 items by default Define an information source info center source modu name default channel channel number channel name log trap debug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Opti...

Page 472: ...bug level severity state state Required Set the format of time stamp info center timestamp log trap debugging boot date none Optional This is to set the time stamp format for log debug trap information output This determines how the time stamp is presented to users Note z To view debug information of specific modules you need to set the information type as debug in the info center source command a...

Page 473: ...ary level severity Display the status of the trap buffer and the records in the trap buffer display trapbuffer unit unit id size buffersize Clear information in the log buffer reset logbuffer unit unit id Clear information in the trap buffer reset trapbuffer unit unit id 1 4 Information Center Configuration Examples 1 4 1 Log Output to a Unix Log Host I Network requirements The switch sends the fo...

Page 474: ...Step 2 Edit the file etc syslog conf as the superuser root user to add the following selector action pair Quidway configuration messages local4 info var log Quidway information Note When you edit the file etc syslog conf note that z A note must start in a new line following a sign z In each pair a tab should be used as a separator instead of a space z No space is allowed at the end of a file name ...

Page 475: ...ty higher than informational II Network diagram Switch PC Network Switch Switch PC Network Figure 1 2 Networking for log output to a Linux log host III Configuration procedure 1 Configure the switch Enable the information center Quidway system view Quidway info center enable Configure the host whose IP address is 202 38 1 10 as the log host Set the severity level threshold to informational and lan...

Page 476: ... must be the same with those configured in commands info center loghost a b c d facility and info center source Otherwise log information output to the log host may fail Step 3 After the log file information is created and the file etc syslog conf is modified run the following commands to view the process ID of the system daemon syslogd stop the process and then restart the daemon syslogd in the b...

Page 477: ...console PC Switch console PC Switch Figure 1 3 Networking for log output to the console III Configuration procedure Enable the information center Quidway system view Quidway info center enable Enable log information output to the console Set the severity level threshold to informational Permit information output from the ARP and IP modules Quidway info center console channel console Quidway info c...

Page 478: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual System Maintenance and Debugging Huawei Technologies Proprietary ...

Page 479: ...Setting the Date and Time of the System 2 1 2 1 3 Setting the Local Time Zone 2 2 2 1 4 Setting the Summer Time 2 2 2 1 5 Setting the CLI Language Mode 2 2 2 1 6 Returning from Current View to Lower Level View 2 2 2 1 7 Returning from Current View to User View 2 3 2 1 8 Entering System View from User View 2 3 2 2 Displaying the System Status 2 3 2 3 System Debugging 2 4 2 3 1 Enabling Disabling Sy...

Page 480: ...y ii 5 2 Device Management Configuration 5 1 5 2 1 Restarting the Ethernet Switch 5 1 5 2 2 Enabling the Timing Reboot Function 5 1 5 2 3 Specifying the APP Adopted When the Switch Starts Next Time 5 2 5 2 4 Updating the BootROM 5 2 5 3 Displaying the Device Management Configuration 5 3 5 4 Remote Switch Update Configuration Example 5 3 ...

Page 481: ...through an Ethernet port This chapter introduces how to load BootROM and host software to a switch locally and how to do this remotely 1 1 Introduction to Loading Approaches You can load software locally by using z XMODEM through Console port z TFTP through Ethernet port z FTP through Ethernet port You can load software remotely by using z FTP z TFTP Note The BootROM software version should be com...

Page 482: ...ibes the BootROM loading process 1 2 1 Boot Menu Starting Quidway S3108T BOOTROM Version 321 Copyright c 1998 2005 Huawei Technologies Co Ltd Creation date Dec 3 2005 15 40 04 CPU type BCM4704 CPU Clock Speed 200MHz BUS Clock Speed 33MHz Memory Size 64MB Mac Address 00e0fc001234 Press Ctrl B to enter Boot Menu 5 Press Ctrl B The system displays Password Note To enter the Boot Menu you should press...

Page 483: ...two check methods checksum and CRC and multiple attempts of error packet retransmission generally the maximum number of retransmission attempts is ten The XMODEM transmission procedure is completed by a receiving program and a sending program The receiving program sends negotiation characters to negotiate a packet checking method After the negotiation the sending program starts to transmit data pa...

Page 484: ... download baud rate For example if you enter 5 the baud rate 115200 bps is chosen and the system displays the following information Download baudrate is 115200 bps Please change the terminal s baudrate to 115200 bps and select XMODEM protocol Press enter key when ready Now press Enter Note If you have chosen 9600 bps as the download baud rate you need not modify the HyperTerminal s baud rate and t...

Page 485: ...Maintenance and Debugging Quidway S3100 Series Ethernet Switches Chapter 1 BootROM and Host Software Loading Huawei Technologies Proprietary 1 5 Figure 1 1 Properties dialog box Figure 1 2 Console port configuration dialog box ...

Page 486: ...The new baud rate takes effect only after you disconnect and reconnect the terminal emulation program Step 6 Press Enter to start downloading the program The system displays the following information Now please start transfer file with XMODEM protocol If you want to exit Press Ctrl X Loading CCCCCCCCCC Step 7 Choose Transfer Send File in the HyperTerminal s window and in the following pop up dialo...

Page 487: ...display the prompt BootROM is updating now done instead of the prompt Your baudrate should be set to 9600 bps again Press enter key when ready Step 9 Reset HyperTerminal s baud rate to 9600 bps refer to Step 4 and 5 Then press any key as prompted The system will display the following information when it completes the loading Bootrom updating done III Loading host software Follow these steps to loa...

Page 488: ...Console port Ethernet port TFTP server TFTP client Switch PC Console port Ethernet port TFTP server Figure 1 6 Local loading using TFTP Step 1 As shown in Figure 1 6 connect the switch through an Ethernet port to the TFTP server and connect the switch through the Console port to the configuration PC Note You can use one PC as both the configuration device and the TFTP server Step2 Run the TFTP ser...

Page 489: ...o download and update the BootROM software Upon completion the system displays the following information Loading done Bootrom updating done III Loading host software Follow these steps to load the host software Step 1 Select 1 in Boot Menu The system displays the following information 1 Set TFTP protocol parameter 2 Set FTP protocol parameter 3 Set XMODEM protocol parameter 0 Return to boot menu E...

Page 490: ... an FTP user name and password and specify the path of the program to be downloaded Step 3 Run the terminal emulation program on the configuration PC Start the switch Then enter the Boot Menu At the prompt Enter your choice 0 9 in the Boot Menu press 6 or Ctrl U and then press Enter to enter the BootROM update menu shown below Bootrom update menu 1 Set TFTP protocol parameter 2 Set FTP protocol pa...

Page 491: ...quent steps are the same as those for loading the BootROM program except for that the system gives the prompt for host software loading instead of BootROM loading 1 3 Remote Software Loading If your terminal is not directly connected to the switch you can telnet to the switch and use FTP or TFTP to load BootROM and host software remotely 1 3 1 Remote Loading Using FTP As shown in Figure 1 8 a PC i...

Page 492: ...ait Upgrade BOOTROM succeeded Step 3 Update the host program on the switch Quidway boot boot loader s3100 bin The specified file will be booted next time on unit 1 Quidway display boot loader Unit 1 The current boot app is s3100 bin The main boot app is s3100 bin The backup boot app is Restart the switch Quidway reboot Note Before restarting the switch make sure other configurations are all saved ...

Page 493: ...re Loading Huawei Technologies Proprietary 1 13 z No power down is permitted during software loading 1 3 2 Remote Loading Using TFTP The remote loading using TFTP is similar to that using FTP The only difference is that TFTP is used instead off FTP to load software to the switch and the switch can only act as a TFTP client ...

Page 494: ... z Returning from Current View to Lower Level View z Returning from Current View to User View z Entering System View from User View 2 1 1 Setting the System Name of the Switch Table 2 1 Set the system name of the switch Operation Command Description Enter system view system view Set the system name of the switch sysname sysname Optional By default the name is Quidway 2 1 2 Setting the Date and Tim...

Page 495: ...zone 2 1 4 Setting the Summer Time This configuration task is to set the name and time range of the summer timer Perform the following configuration in user view Table 2 4 Set the summer time Operation Command Description Set the name and time range of the summer time clock summer time zone_name one off repeating start time start date end time end date offset time Optional 2 1 5 Setting the CLI La...

Page 496: ...7 Return from current view to user view Operation Command Description Return from current view to user view return The composite key Ctrl Z has the same effect with the return command 2 1 8 Entering System View from User View Perform the following configuration in user view Table 2 8 Enter system view from user view Operation Command Description Enter system view from user view system view 2 2 Dis...

Page 497: ...ber module name Optional By default all debugging is disabled in the system 2 3 System Debugging 2 3 1 Enabling Disabling System Debugging The Ethernet switch provides a variety of debugging functions Most of the protocols and features supported by the Ethernet switch are provided with corresponding debugging functions These debugging functions are a great help for you to diagnose and troubleshoot...

Page 498: ...se the following commands to operate the two kinds of switches Perform the following operations in user view Table 2 10 Enable debugging and terminal display Operation Command Description Enable system debugging debugging all module name debugging option By default all debugging is disabled in the system Enable terminal display for debugging terminal debugging By default terminal display for debug...

Page 499: ...ating information display command s You can use the command here to display the current operating information about the modules settled when this command is designed in the system for troubleshooting your system Perform the following operation in any view Table 2 11 Display the current operation information about the modules in the system Operation Command Description Display the current operation...

Page 500: ...t timer is started If no FIN packet is received before the finwait timer times out the TCP connection is terminated The timeout time of this timer ranges from 76 seconds to 3 600 seconds and defaults to 675 seconds z The sizes of receiving and sending buffers of connection oriented sockets which range from 1 KB to 32 KB and default to 8 KB 3 1 2 Configuring TCP Attributes Table 3 1 Configure TCP a...

Page 501: ... tcp statistics Display the UDP traffic statistics display udp statistics Display the IP traffic statistics display ip statistics Display the ICMP traffic statistics display icmp statistics Display the current socket information of the system display ip socket socktype sock type task id socket id Display FIB forward information base entries display fib You can execute the display commands in any v...

Page 502: ...s Ethernet Switches Chapter 3 IP Performance Configuration Huawei Technologies Proprietary 3 3 z Use the terminal debugging command to output the debugging information to the console z Use the debugging udp packet command to enable UDP debugging to track UDP data packets ...

Page 503: ... time of the response packet are displayed z Final statistics including the numbers of sent packets and received response packets the irresponsive packet percentage and the minimum average and maximum values of response time 4 1 2 tracert You can use the tracert command to trace the gateways a packet passes during its journey from the source to the destination This command is mainly used to check ...

Page 504: ...nectivity Test Huawei Technologies Proprietary 4 2 Table 4 2 The tracert command Operation Command Description Trace the gateways a packet passes from the source host to the destination tracert a source IP f first ttl m max TTL p port q num packet w timeout string You can execute the tracert command in any view ...

Page 505: ...ibe the configuration tasks for device management z Restarting the Ethernet Switch z Enabling the Timing Reboot Function z Specifying the APP Adopted When the Switch Starts Next Time z Updating the BootROM 5 2 1 Restarting the Ethernet Switch You can perform the following operation when the switch is in trouble or needs to be restarted Perform the following configuration in user view Table 5 1 Res...

Page 506: ...ied rebooting point 5 2 3 Specifying the APP Adopted When the Switch Starts Next Time APP is the host software of the switch If multiple APPs exist in the Flash memory you can use the command here to specify the one that will be adopted when the switch starts next time Perform the following configuration in user view Table 5 3 Specify the APP that will be adopted when the switch starts next time O...

Page 507: ... memory usage of the switch display memory unit unit id 5 4 Remote Switch Update Configuration Example I Network requirements Telnet to the switch from a PC remotely and download applications from the FTP server to the Flash memory of the switch to remotely update the switch software by using the device management commands through CLI The switch acts as the FTP client and the remote PC serves as b...

Page 508: ...ch as follows On the switch configure a level 3 telnet user with the username and password as user and hello respectively Authentication by user name and password is required for the user Execute the telnet command on the PC to log into the switch The following prompt appears Quidway Caution If the Flash memory of the switch is not sufficient delete the original applications in it before downloadi...

Page 509: ...minate the FTP connection and return to user view ftp quit Quidway Update the BootROM Quidway boot bootrom boot btm This will update BootRom file on unit 1 Continue Y N y Upgrading BOOTROM please wait Upgrade BOOTROM succeeded Specify the downloaded application as the one to be adopted when the switch starts next time Then restart the switch to update the switch application Quidway boot boot loade...

Page 510: ...HUAWEI Quidway S3100 Series Ethernet Switches Operation Manual Appendix Huawei Technologies Proprietary ...

Page 511: ...Operation Manual Appendix Quidway S3100 Series Ethernet Switches Table of Contents Huawei Technologies Proprietary i Table of Contents Appendix A Acronyms A 1 ...

Page 512: ...rder Router B BDR Backup Designated Router C CAR Committed Access Rate CLI Command Line Interface CoS Class of Service D DDM Distributed Device Management DLA Distributed Link Aggregation DRR Distributed Resilient Routing DHCP Dynamic Host Configuration Protocol DR Designated Router D V Distance Vector Routing Algorithm E EGP Exterior Gateway Protocol F FTP File Transfer Protocol G GE Gigabit Ethe...

Page 513: ... NIC Network Information Center NMS Network Management System NVRAM Nonvolatile RAM P PIM Protocol Independent Multicast PIM DM Protocol Independent Multicast Dense Mode PIM SM Protocol Independent Multicast Sparse Mode Q QoS Quality of Service R RMON Remote Network Monitoring RSTP Rapid Spanning Tree Protocol S SNMP Simple Network Management Protocol SP Strict Priority STP Spanning Tree Protocol ...

Page 514: ...Operation Manual Appendix Quidway S3100 Series Ethernet Switches Appendix A Acronyms Huawei Technologies Proprietary A 3 V VLAN Virtual LAN VOD Video On Demand W WRR Weighted Round Robin ...

Search results

Summary of Contents for Quidway S3100 Series

Reviews:

Related manuals for Quidway S3100 Series

Brands by name

Popular brands

Huawei Quidway S3100 Series, Operation Manual

Search results

Summary of Contents for Quidway S3100 Series

Reviews:

Related manuals for Quidway S3100 Series

Brands by name

Popular brands