manualshive.com logo in svg

Planet Networking & Communication WGSW-50040, Configuration Manual, Page: 203 / 267

Share
Download
Planet Networking & Communication WGSW-50040 Configuration Manual Download Page 203

 

25-9 

 

Figure

 

25-10

 the Authentication Flow of 802.1x EAP-TLS 

 

3. EAP-TTLS Authentication Method 

EAP-TTLS is a product of the cooperation of Funk Software and Certicom. It can provide an authentication as 

strong as that provided by EAP-TLS, but without requiring users to have their own digital certificate. The only 

request is that the Radius server should have a digital certificate. The authentication of users’ identity is 

implemented with passwords transmitted in a safely encrypted tunnel established via the certificate of the 

authentication server. Any kind of authentication request including EAP, PAP and MS-CHAPV2 can be 

transmitted within TTLS tunnels. 

 

4.    PEAP Authentication Method 

EAP-PEAP is brought up by Cisco, Microsoft and RAS Security as a recommended open standard. It has long 

been utilized in products and provides very good security. Its design of protocol and security is similar to that 

of EAP-TTLS, using a server’s PKI certificate to establish a safe TLS tunnel in order to protect user 

authentication. 

Summary of Contents for WGSW-50040

Page 1: ...1 Configuration Guide WGSW 50040 50 Port 10 100 1000Mbps with 4 Shared SFP Managed Gigabit Switch ...

Page 2: ...nst harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the Instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be...

Page 3: ... 8 3 1 MANAGEMENT OPTIONS 3 8 3 1 1 Out Of Band Management 3 8 3 1 2 In band Management 3 11 3 2 CLI INTERFACE 3 16 3 2 1 Configuration Modes 3 17 3 2 2 Configuration Syntax 3 19 3 2 3 Shortcut Key Support 3 19 3 2 4 Help Function 3 20 3 2 5 Input Verification 3 20 3 2 6 Fuzzy Match Support 3 21 CHAPTER 4 BASIC SWITCH CONFIGURATION 4 1 4 1 BASIC CONFIGURATION 4 1 4 2 TELNET MANAGEMENT 4 2 4 2 1 Te...

Page 4: ...T CONFIGURATION EXAMPLE 6 2 6 4 PORT TROUBLESHOOTING 6 3 CHAPTER 7 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION 7 4 7 1 INTRODUCTION TO PORT LOOPBACK DETECTION FUNCTION 7 4 7 2 PORT LOOPBACK DETECTION FUNCTION CONFIGURATION TASK LIST 7 4 7 3 PORT LOOPBACK DETECTION FUNCTION EXAMPLE 7 6 7 4 PORT LOOPBACK DETECTION TROUBLESHOOTING 7 6 CHAPTER 8 PORT CHANNEL CONFIGURATION 8 1 8 1 INTRODUCTION TO PO...

Page 5: ...ooting 10 15 10 5 VOICE VLAN CONFIGURATION 10 15 10 5 1 Introduction to Voice VLAN 10 15 10 5 2 Voice VLAN Configuration 10 16 10 5 3 Typical Applications of the Voice VLAN 10 16 10 5 4 Voice VLAN Troubleshooting 10 17 CHAPTER 11 MAC TABLE CONFIGURATION 11 1 11 1 INTRODUCTION TO MAC TABLE 11 1 11 1 1 Obtaining MAC Table 11 1 11 1 2 Forward or Filter 11 3 11 2 MAC ADDRESS TABLE CONFIGURATION TASK L...

Page 6: ... 2 Layer 3 Interface Configuration Task List 15 1 15 2 IP CONFIGURATION 15 2 15 2 1 IP Configuration 15 2 15 2 2 IPv6 Troubleshooting 15 5 15 3 ARP 15 5 15 3 1 Introduction to ARP 15 5 15 3 2 ARP Configuration Task List 15 5 15 3 3 ARP Troubleshooting 15 5 CHAPTER 16 ARP SCANNING PREVENTION FUNCTION CONFIGURATION 16 1 16 1 INTRODUCTION TO ARP SCANNING PREVENTION FUNCTION 16 1 16 2 ARP SCANNING PRE...

Page 7: ...SHOOTING 20 10 CHAPTER 21 IPV4 MULTICAST PROTOCOL 21 11 21 1 IPV4 MULTICAST PROTOCOL OVERVIEW 21 11 21 1 1 Introduction to Multicast 21 11 21 1 2 Multicast Address 21 11 21 1 3 IP Multicast Packet Transmission 21 13 21 1 4 IP Multicast Application 21 13 21 2 DCSCM 21 14 21 2 1 Introduction to DCSCM 21 14 21 2 2 DCSCM Configuration Task List 21 14 21 2 3 DCSCM Configuration Examples 21 17 21 2 4 DC...

Page 8: ...Extension and Optimization of 802 1x 25 11 25 1 8 The Features of VLAN Allocation 25 12 25 2 802 1X CONFIGURATION TASK LIST 25 13 25 3 802 1X APPLICATION EXAMPLE 25 16 25 3 1 Examples of Guest Vlan Applications 25 16 25 3 2 Examples of IPv4 Radius Applications 25 19 25 3 3 Examples of IPv6 Radius Application 25 20 25 3 4 802 1x Web Proxy Authentication Sample Application 25 21 25 4 802 1X TROUBLES...

Page 9: ...TION TO TACACS 29 1 29 2 TACACS CONFIGURATION TASK LIST 29 1 29 3 TACACS SCENARIOS TYPICAL EXAMPLES 29 2 29 4 TACACS TROUBLESHOOTING 29 3 CHAPTER 30 RADIUS CONFIGURATION 30 1 30 1 INTRODUCTION TO RADIUS 30 1 30 1 1 AAA and RADIUS Introduction 30 1 30 1 2 Message structure for RADIUS 30 1 30 2 RADIUS CONFIGURATION TASK LIST 30 3 30 3 RADIUS TYPICAL EXAMPLES 30 5 30 3 1 IPv4 Radius Example 30 5 30 3...

Page 10: ...BUG 35 26 35 7 SYSTEM LOG 35 26 35 7 1 System Log Introduction 35 26 35 7 2 System Log Configuration 35 28 35 7 3 System Log Configuration Example 35 29 CHAPTER 36 RELOAD SWITCH AFTER SPECIFIED TIME 36 1 36 1 INTRODUCE TO RELOAD SWITCH AFTER SPECIFID TIME 36 1 36 2 RELOAD SWITCH AFTER SPECIFID TIME TASK LIST 36 1 CHAPTER 37 DEBUGGING AND DIAGNOSIS FOR PACKETS RECEIVED AND SENT BY CPU 37 1 37 1 INT...

Page 11: ...ediately if possible retain the carton including the original packing material and use them against to repack the product in case there is a need to return it to us for repair 1 2 Product Description Abundant IPv6 Support The WGSW 50040 provides IPv6 management and enterprise level secure features such as SSH ACL QoS and RADIUS authentication besides the IPv4 protocol supported Supporting IPv6 man...

Page 12: ...S Moreover various policies can be conducted to forward the traffic The WGSW 50040 also provides IEEE802 1x port based access authentication which can be deployed with RADIUS to ensure the port level security and block illegal users Efficient Management The WGSW 50040 supports IP Stacking function that helps network managers to easily configure up to 24 switches in the same series via one single I...

Page 13: ...flow control for Full Duplex mode Back Pressure Flow Control in Half Duplex mode High performance Store and Forward architecture broadcast storm control port loopback detect 8CKC MAC address table automatic source address learning and ageing Support VLAN IEEE 802 1Q Tag based VLAN GVRP for dynamic VLAN Management Up to 4K VLANs groups out of 4041 VLAN IDs Provider Bridging VLAN Q in Q support IEEE...

Page 14: ...r IPv4 and IPv6 TACACS login users access authentication IP Based Access Control List ACL MAC Based Access Control List Supports DHCP Snooping Supports ARP Inspection Management Switch Management Interface Console Telnet Command Line Interface Web switch management SNMP v1 v2c and v3 switch management SSH secure access BOOTP and DHCP for IP address assignment Support DHCP relay function Firmware u...

Page 15: ...ow Control Back pressure for Half Duplex IEEE 802 3x Pause Frame for Full Duplex Jumbo Frame 9K LED System PWR SYS Ports TP Port 10 100 1000 Link Act SFP Slot On Off Dimension W x D x H 440 x 230 x 44 mm 1U height Weight 3215g Power Consumption 80 Watts 272 8 BTU Maximum Power Requirement AC 100 240V 50 60Hz Management Function System Configuration Console Telnet SSH Web Browser SNMPv1 v2c and v3 ...

Page 16: ...on status VLAN 802 1Q Tagged Based VLAN up to 4K VLAN groups Q in Q GVRP for VLAN Management Private VLAN Edge PVE supported Bandwidth Control TX RX Both Link Aggregation IEEE 802 3ad LACP Static Trunk Supports 8 groups of 8 Port trunk QoS 8 priority queues on all switch ports Supports for strict priority and weighted round robin WRR CoS policies Traffic classification IEEE 802 1p CoS ToS IPv4 IPv...

Page 17: ... 2454 UDP6 MIB RFC 2465 IPv6 MIB RFC 2466 ICMP6 MIB RFC 2573 SnmpV3 notify RFC 2574 SNMPV3 vacm RFC 2674 Bridge MIB Extensions IEEE802 1Q MIB RFC 2674 Bridge MIB Extensions IEEE802 1P MIB Standard Conformance Regulation Compliance FCC Part 15 Class A CE Standards Compliance IEEE 802 3 10Base T IEEE 802 3u 100Base TX IEEE 802 3z Gigabit SX LX IEEE 802 3ab Gigabit 1000T IEEE 802 3x Flow Control and ...

Page 18: ...GSW 50040 front panel Gigabit TP interface 10 100 1000Base T Copper RJ 45 Twist Pair Up to 100 meters Gigabit SFP slots 1000Base SX LX mini GBIC slot SFP Small Form Factor Pluggable transceiver module From 550 meters Multi mode fiber up to 10 20 30 40 50 70 120 kilometers Single mode fiber Console Port The console port is a RJ 45 type RS 232 male seria port connector It is an interface for connect...

Page 19: ... Blink to indicate the system diagnoses is malfunctioning 10 100 1000Base T interfaces LED Color Function LNK ACT Green Lights to indicate the link through that port is successfully established with speed 1000Mbps Blink to indicate that the switch is actively sending or receiving data over that port Yellow Lights to indicate the link through that port is successfully established with speed 100Mbps...

Page 20: ...Hz Plug the female end of the power cord firmly into the receptalbe on the rear panel of the Managed Switch Plug the other end of the power cord into an electric service outlet then the power will be ready Power Notice The device is a power required device it means it will not work till it is powered If your networks should active all the time please consider using UPS Uninterrupted Power Supply f...

Page 21: ...helf near an AC power source as shown in Figure 2 4 Figure 2 4 Place the Managed Switch on the desktop Step3 Keep enough ventilation space between the Managed Switch and the surrounding objects When choosing a location please keep in mind the environmental restrictions discussed in Chapter 1 Section 4 and Specification Step4 Connect the Managed Switch to network devices Connect one end of a standa...

Page 22: ...h supplied screws attached to the package Figure 2 5 shows how to attach brackets to one side of the Managed Switch Figure 2 5 Attach brackets to the Managed Switch You must use the screws supplied with the mounting brackets Damage caused to the parts by using incorrect screws would invalidate the warranty Step3 Secure the brackets tightly Step4 Follow the same steps to attach the second bracket t...

Page 23: ...000BASE LX SFP transceiver Single mode 1310nm 30km MGB L50 SFP 1000BASE LX SFP transceiver Single mode 1310nm 50km MGB LA10 SFP 1000BASE LX SFP transceiver WDM Single mode TX 1310nm RX 1550nm 10km MGB LB10 SFP 1000BASE LX SFP transceiver WDM Single mode TX 1550nm RX 1310nm 10km It recommends using PLANET SFPs on the Managed Switch If you insert a SFP transceiver that is not supported the Managed S...

Page 24: ...some fiber NICs or Media Converters set the Link mode to 1000 Force is needed Remove the transceiver module 1 Make sure there is no network activity by consult or check with the network administrator Or through the management interface of the switch converter if available to disable the port in advance 2 Remove the Fiber Optic Cable gently 3 Turn the handle of the MGB module to horizontal 4 Pull o...

Page 25: ...a Console interface are listed below Step 1 Setting up the environment Figure 3 1 Out of band Management Configuration Environment As shown in above the serial port RS 232 is connected to the switch with the serial cable provided The table below lists all the devices used in the connection Device Name Description PC machine Has functional keyboard and RS 232 with terminal emulator installed such a...

Page 26: ...3 9 Figure 3 2 Opening Hyper Terminal 2 Type a name for opening HyperTerminal such as Switch Figure 3 3 Opening HyperTerminal ...

Page 27: ...the PC e g COM1 and click OK Figure 3 4 Opening HyperTerminal 4 COM1 property appears select 9600 for Baud rate 8 for Data bits none for Parity checksum 1 for stop bit and none for traffic control or you can also click Restore default and click OK Figure 3 5 Opening HyperTerminal ...

Page 28: ...apters 3 1 2 In band Management In band management refers to the management by login to the switch using Telnet or using HTTP or using SNMP management software to configure the switch In band management enables management of the switch for some devices attached to the switch In the case when in band management fails due to switch configuration changes out of band management can be used for configu...

Page 29: ...ddress is 10 1 128 251 24 Then a possible host IP address is 10 1 128 252 24 Run ping 10 1 128 251 from the host and verify the result check for reasons if ping failed The IP address configuration commands for VLAN1 interface are listed below Before in band management the switch must be configured with an IP address by out of band management i e Console mode the configuration commands are as follo...

Page 30: ...username username privilege privilege password 0 7 password To open the local authentication style with the following command authentication line vty login local Privilege option must exist and just is 15 Assume an authorized user in the switch has a username of test and password of test the configuration procedure should like the following Switch enable Switch config Switch config username test p...

Page 31: ...and start the HTTP server function on the switch For configuring the IP address on the switch through out of band management see the telnet management chapter To enable the WEB configuration users should type the CLI command IP http server in the global mode as below Switch enable Switch config Switch config ip http server Step 2 Run HTTP protocol on the host Open the Web browser on the host and t...

Page 32: ...ollowing command username username privilege privilege password 0 7 password To open the local authentication style with the following command authentication line web login local Privilege option must exist and just is 15 Assume an authorized user in the switch has a username of admin and password of admin the configuration procedure should like the following Switch enable Switch config Switch con...

Page 33: ...switch through devices like routers 4 SNMP should be enabled The host with SNMP network management software should be able to ping the IP address of the switch so that when running SNMP network management software will be able to find it and implement read write operation on it Details about how to manage switches via SNMP network management software will not be covered in this manual please refer...

Page 34: ...The Shell for the switch is described below Configuration Modes Configuration Syntax Shortcut keys Help function Input verification Fuzzy match support 3 2 1 Configuration Modes Figure 3 12 Shell Configuration Modes 3 2 1 1 User Mode On entering the CLI interface entering user entry system first If as common user it is defaulted to User Mode The prompt shown is Switch the symbol is the prompt for ...

Page 35: ... to Global Mode The user can perform global configuration settings under Global Mode such as MAC Table Port Mirroring VLAN creation IGMP Snooping start and STP etc And the user can go further to Port Mode for configuration of all the interfaces Interface Mod Use the interface command under Global Mode can enter the interface mode specified Switch provides three interface type 1 VLAN interface 2 Et...

Page 36: ... keyword variable indicates a variable parameter enum1 enumN indicates a mandatory parameter that should be selected from the parameter set enum1 enumN and the square bracket in option1 optionN indicate an optional parameter There may be combinations of and in the command line such as variable enum1 variable enum2 option1 option2 etc Here are examples for some actual configuration commands show ve...

Page 37: ...to access help information the help command and the Access to Help Usage and function Help Under any command line prompt type in help and press Enter will get a brief description of the associated help system 1 Under any command line prompt enter to get a command list of the current mode and related brief description 2 Enter a after the command keyword with a embedded space If the position should ...

Page 38: ...and at first The command is recognized but the prerequisite command has not been configured syntax error missing before the end of command line Quotation marks are not used in pairs 3 2 6 Fuzzy Match Support Switch shell support fuzzy match in searching command and keyword Shell will recognize commands or keywords correctly if the entered string causes no conflict For example 1 For command show in...

Page 39: ... mode The disable command is for exiting admin mode Admin Mode config terminal Enter global mode from admin mode Various Modes exit Exit current mode and enter previous mode such as using this command in global mode to go back to admin mode and back to normal user mode from admin mode Except User Mode Admin Mode end Quit current mode and return to Admin mode when not at User Mode Admin Mode Admin ...

Page 40: ...sing telnet command under Admin Mode allows the user to login to the other remote hosts Switch can only establish TCP connection to one remote host If a connection to another remote host is desired the current TCP connection must be dropped 4 2 1 2 Telnet Configuration Task List 1 Configuring Telnet Server 2 Telnet to a remote host from the switch 1 Configuration of Telnet Server Command Explanati...

Page 41: ...o a remote host from the switch Command Explanation Admin Mode telnet ip addr ipv6 addr host hostname port Login to a remote host with the Telnet client included in the switch 4 2 2 SSH 4 2 2 1 Introduction to SSH SSH Secure Shell is a protocol which ensures a secure remote access connection to network devices It is based on the reliable TCP IP protocol By conducting the mechanism such as key dist...

Page 42: ...authentication the no ssh server authentication retries command restores the default number of times for retrying SSH authentication ssh server host key create rsa modulus moduls Generate the new RSA host key on the SSH server Admin Mode terminal monitor terminal no monitor Display SSH debug information on the SSH client side the no terminal monitor command stops displaying SSH debug information o...

Page 43: ...P DHCP Manual configuration of IP address is assign an IP address manually for the switch In BOOTP DHCP mode the switch operates as a BOOTP DHCP client send broadcast packets of BOOTPRequest to the BOOTP DHCP servers and the BOOTP DHCP servers assign the address on receiving the request In addition switch can act as a DHCP server and dynamically assign network parameters such as IP addresses gatew...

Page 44: ... and obtain IP address and gateway address through DHCP negotiation the no ip bootp client enable command disables the DHCP client function 4 4 SNMP Configuration 4 4 1 Introduction to SNMP SNMP Simple Network Management Protocol is a standard network management protocol widely used in computer network management SNMP is an evolving protocol SNMP v1 RFC1157 is the first version of SNMP which is ad...

Page 45: ...used for inter NMS communication in the layered network management USM ensures the transfer security by well designed encryption and authentication USM encrypts the messages according to the user typed password This mechanism ensures that the messages can t be viewed on transmission And USM authentication ensures that the messages can t be changed on transmission USM employs DES CBC cryptography A...

Page 46: ... cover all the functional domains in network management NMS obtains the network management information by visiting the MIB of SNMP Agent The switch can operate as a SNMP Agent and supports both SNMP v1 v2c and SNMP v3 The switch supports basic MIB II RMON public MIB and other public MID such as BRIDGE MIB Besides the switch supports self defined private MIB 4 4 3 Introduction to RMON RMON is the m...

Page 47: ...onfigure engine ID 5 Configure user 6 Configure group 7 Configure view 8 Configuring TRAP 9 Enable Disable RMON 1 Enable or disable SNMP Agent server function Command Explanation Global Mode snmp server enabled no snmp server enabled Enable the SNMP Agent function on the switch the no command disables the SNMP Agent function on the switch 2 Configure SNMP community string Command Explanation Globa...

Page 48: ...is command is used for SNMP v3 5 Configure user Command Explanation Global Mode snmp server user use string group string authPriv authNoPriv auth md5 sha word access num std name ipv6 access ipv6 num std ipv6 name no snmp server user user string access num std name ipv6 access ipv6 num std ipv6 name Add a user to a SNMP group This command is used to configure USM for SNMP v3 6 Configure group Comm...

Page 49: ...ost IPv4 IPv6 address which is used to receive SNMP Trap information For SNMP v1 v2 this command also configures Trap community string for SNMP v3 this command also configures Trap user name and security level The no form of this command cancels this IPv4 or IPv6 address 9 Enable Disable RMON Command Explanation Global mode rmon enable no rmon enable Enable disable RMON 4 4 5 Typical SNMP Configur...

Page 50: ...e Scenario 4 NMS wants to receive the v3Trap messages sent by the switch The configuration on the switch is listed below Switch config snmp server enable Switch config snmp server host 10 1 1 2 v3 authpriv tester Switch config snmp server enable traps Scenario 5 The IPv6 address of the NMS is 2004 1 2 3 2 the IPv6 address of the switch Agent is 2004 1 2 3 1 The NMS network administrative software ...

Page 51: ...d first use rmon enable command Use show snmp command to verify sent and received SNMP messages Use show snmp status command to verify SNMP configuration information Use debug snmp packet to enable SNMP debugging function and verify debug information If users still can t solve the SNMP problems Please contact our technical and service center 4 5 Switch Upgrade Switch provides two ways for switch u...

Page 52: ...rver software installed and has the image file required for the upgrade Step 2 Press ctrl b on switch boot up until the switch enters BootROM monitor mode The operation result is shown below Boot Step 3 Under BootROM mode run setconfig to set the IP address and mask of the switch under BootROM mode server IP address and mask and select TFTP or FTP upgrade Suppose the switch address is 192 168 1 2 ...

Page 53: ... the configuration for the system update image file Boot load nos img Loading Loading file ok Step 5 Execute write nos img in BootROM mode The following saves the system update image file Boot write nos img File nos img exists overwrite Y N N y Writing nos img Write nos img OK Boot Step 6 The following update file boot rom the basic environment is the same as Step 4 Boot load boot room Loading Loa...

Page 54: ... belonging to fourth layer application layer of the TCP IP protocol stack used for transferring files between hosts hosts and switches Both of them transfer files in a client server model Their differences are listed below FTP builds upon TCP to provide reliable connection oriented data stream transfer service However it does not provide file access authorization and uses simple authentication mec...

Page 55: ...s can be hosts or other switches When switch operates as a FTP TFTP server it can provide file upload and download service for authorized FTP TFTP clients as file list service as FTP server Here are some terms frequently used in FTP TFTP ROM Short for EPROM erasable read only memory EPROM is repalced by FLASH memory in switch SDRAM RAM memory in the switch used for system software operation and co...

Page 56: ...t up configuration file 4 5 3 2 FTP TFTP Configuration The configurations of switch as FTP and TFTP clients are almost the same so the configuration procedures for FTP and TFTP are described together in this manual 4 5 3 2 1 FTP TFTP Configuration Task List 1 FTP TFTP client configuration 1 Upload download the configuration file or system file 2 For FTP client server file list can be checked 2 FTP...

Page 57: ...Command Explanation Global Mode ip ftp username username nopassword password 0 7 password no ip ftp username username Configure FTP login username and password this no command will delete the username and password 3 Modify FTP server connection idle time Command Explanation Global Mode ftp server timeout seconds Set connection idle time 3 TFTP server configuration 1 Start TFTP server Command Expla...

Page 58: ...d as FTP TFTP client The switch connects from one of its ports to a computer which is a FTP TFTP server with an IP address of 10 1 1 1 the switch acts as a FTP TFTP client the IP address of the switch management VLAN is 10 1 1 2 Download nos img file in the computer to the switch FTP Configuration Computer side configuration Start the FTP server software on the computer and set the username Switch...

Page 59: ... in the switch to the computer and save as 12_25_nos img The configuration procedures of the switch are listed below Switch config interface vlan 1 Switch Config if Vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if Vlan1 no shut Switch Config if Vlan1 exit Switch config ftp server enable Switch config username Admin password 0 switch Computer side configuration Login to the switch with any ...

Page 60: ... FTP Configuration PC side Start the FTP server software on the PC and set the username Switch and the password Admin Switch Switch config interface vlan 1 Switch Config if Vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if Vlan1 no shut Switch Config if Vlan1 exit Switch copy ftp Switch superuser 10 1 1 1 220 Serv U FTP Server v2 5 build 6 for WinSock ready 331 User name okay need password ...

Page 61: ...150 Opening ASCII mode data connection for nos img 226 Transfer complete close ftp client The following is the message displays when files are successfully received Otherwise please verify link connectivity and retry copy command again 220 Serv U FTP Server v2 5 build 6 for WinSock ready 331 User name okay need password 230 User logged in proceed 200 PORT Command successful recv total 1526037 writ...

Page 62: ... file length 1526021 read file ok begin to send file wait file transfers complete Close tftp client The following is the message displays when files are successfully received Otherwise please verify link connectivity and retry copy command again begin to receive file wait recv 1526037 write ok transfer complete close tftp client If the switch is upgrading system file or system start up file throug...

Page 63: ...on the different floors of the same building cluster network management has obvious advantages Moreover cluster network management is an in band management The commander switch can communicate with member switches in existing network There is no need to build a specific network for network management Cluster network management has the following features Save IP addresses Simplify configuration tas...

Page 64: ... cluster function in the switch 2 Create a cluster Command Explanation Global Mode cluster ip pool commander ip no cluster ip pool Configure the private IP address pool for cluster member devices cluster commander cluster_name no cluster commander Create or delete a cluster cluster member candidate sn candidate sn mac address mac addr id member id no cluster member id member id mac address mac add...

Page 65: ...live loss count int no cluster keepalive loss count Set the max number of lost keep alive messages that can be tolerated in the clusters 5 Remote cluster network management Command Explanation Admin Mode rcommand member member id In the commander switch this command is used to configure and manage member switches rcommand commander In the member switch this command is used to configure the command...

Page 66: ...commander switch visit member switch via beat member node in member cluster topology 7 Manage cluster network with snmp Command Explanation Global Mode snmp server enable Enable snmp server function in commander switch and member switch Notice must insure the snmp server function be enabled in member switch when commander switch visiting member switch by snmp The commander switch visit member swit...

Page 67: ...en encountering problems in applying the cluster admin please check the following possible causes If the command switch is correctly configured and the auto adding function cluster auto add is enabled If the ports connected the command switch and member switch belongs to the cluster vlan After cluster commander is enabled in VLAN1 of the command switch please don t enable a routing protocol RIP OS...

Page 68: ...configured under Ethernet Port Mode causing the performance of the corresponding network ports to change accordingly 6 2 Network Port Configuration Task List 1 Enter the network port configuration mode 2 Configure the properties for the network ports 1 Configure combo mode for combo ports 2 Enable Disable ports 3 Configure port names 4 Configure port cable types 5 Configure port speed and duplex m...

Page 69: ...e FX ports bandwidth control bandwidth both receive transmit no bandwidth control Sets or cancels the bandwidth used for incoming outgoing traffic for specified ports flow control no flow control Enables Disables traffic control function for specified ports loopback no loopback Enables Disables loopback test function for specified ports rate suppression dlf broadcast multicast packets Enables the ...

Page 70: ...et1 10 exit Switch2 config monitor session 1 source interface ethernet1 8 1 9 Switch2 config monitor session 1 destination interface ethernet 1 10 Switch3 Switch3 config interface ethernet 1 12 Switch3 Config If Ethernet1 12 speed duplex force1000 full Switch3 Config If Ethernet1 12 exit 6 4 Port Troubleshooting Here are some situations that frequently occurs in port configuration and the advised ...

Page 71: ...ack existing in the link all MAC addresses within the whole layer 2 network will be corresponded with the port where the loopback appears usually the MAC address will be frequently shifted from one port to another causing the layer 2 network collapsed That is why it is a necessity to check port loopbacks in the network When a loopback is detected the detecting device should send alarms to the netw...

Page 72: ... detection control 4 Display and debug the relevant information of port loopback detection Command Explanation Global Mode debug loopback detection no debug loopback detection Enable the debug information of the function module of port loopback detection The no operation of this command will disable the debug information show loopback detection interface interface list Display the state and result...

Page 73: ...witch config loopback detection interval time 35 15 Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 loopback detection special vlan 1 3 Switch Config If Ethernet1 1 loopback detection control block If adopting the control method of block MSTP should be globally enabled And the correspondence between the spanning tree instance and the VLAN should be configured Switch config spanni...

Page 74: ...Figure 8 1 Port aggregation As shown in the above SwitchA is aggregated to a Port Channel the bandwidth of this Port Channel is the total of all the four ports If traffic from SwitchA needs to be transferred to SwitchB through the Port Channel traffic allocation calculation will be performed based on the source MAC address and the lowest bit of target MAC address The calculation result will decide...

Page 75: ...onfiguration in this mode just like in the VLAN and physical port configuration mode 8 2 Port Channel Configuration Task List 1 Create a port group in Global Mode 2 Add ports to the specified group from the Port Mode of respective ports 3 Enter port channel configuration mode 1 Creating a port group Command Explanation Global Mode port group port group number load balance src mac dst mac dst src m...

Page 76: ... connected with cables The configuration steps are listed below SwitchA config SwitchA config interface ethernet 1 1 4 SwitchA Config If Port Range port group 1 mode active SwitchA Config If Port Range exit SwitchA config interface port channel 1 SwitchA Config If Port Channel1 SwitchB config SwitchB config port group 2 SwitchB config interface ethernet 1 6 SwitchB Config If Ethernet1 6 port group...

Page 77: ...p2 in on mode The configuration steps are listed below SwitchA config SwitchA config interface ethernet 1 1 SwitchA Config If Ethernet1 1 port group 1 mode on SwitchA Config If Ethernet1 1 exit SwitchA config interface ethernet 1 2 SwitchA Config If Ethernet1 2 port group 1 mode on SwitchA Config If Ethernet1 2 exit SwitchA config interface ethernet 1 3 SwitchA Config If Ethernet1 3 port group 1 m...

Page 78: ...t 1 2 and 3 are ungrouped and re aggregate with port 4 to form port channel 1 It should be noted that whenever a new port joins in an aggregated port group the group will be ungrouped first and re aggregated to form a new group Now all four ports in both SwitchA and SwitchB are aggregated in on mode and become an aggregated port respectively 8 4 Port Channel Troubleshooting If problems occur when ...

Page 79: ...e network by 2 to 5 Technically the Jumbo is just a lengthened frame sent and received by the switch However considering the length of Jumbo frames they will not be sent to CPU We discarded the Jumbo frames sent to CPU in the packet receiving process 9 2 Jumbo Configuration Task Sequence 1 Configure enable Jumbo function Command Explanation Global Mode jumbo enable mtu value no jumbo enable Enable...

Page 80: ...large LAN can be partitioned into many separate broadcast domains dynamically to meet the demands Figure 10 1 A VLAN network defined logically Each broadcast domain is a VLAN VLANs have the same properties as the physical LANs except VLAN is a logical partition rather than physical one Therefore the partition of VLANs can be performed regardless of physical locations and the broadcast multicast an...

Page 81: ...s rules on ports 8 Configure Private VLAN 9 Set Private VLAN association 1 Create or delete VLAN Command Explanation Global Mode vlan WORD no vlan WORD Create delete VLAN or enter VLAN Mode 2 Set or delete VLAN name Command Explanation Global Mode name vlan name no name Set or delete VLAN name 3 Assigning Switch ports for VLAN Command Explanation VLAN Mode switchport interface interface list no sw...

Page 82: ... vlan id no switchport access vlan Add the current port to the specified VLAN The no command restores the default setting 7 Disable Enable VLAN Ingress Rules Command Explanation Port Mode vlan ingress enable no vlan ingress enable Enable Disable VLAN ingress rules 8 Configure Private VLAN Command Explanation VLAN mode private vlan primary isolated community no private vlan Configure current VLAN t...

Page 83: ...witch port 5 7 VLAN200 Site A and site B switch port 8 10 Trunk port Site A and site B switch port 11 Connect the Trunk ports of both switches for a Trunk link to convey the cross switch VLAN traffic connect all network devices to the other ports of corresponding VLANs In this example port 1 and port 12 is spared and can be used for management port or for other purposes The configuration steps are...

Page 84: ...tch members within a switch network the property can be VLAN information Multicast MAC address of the other information As a matter of fact GARP protocol can convey multiple property features the switch need to populate Various GARP applications are defined on the basis of GARP which are called GARP application entities and GVRP is one of them GVRP GARP VLAN Registration Protocol is an application...

Page 85: ... leave garp timer hold timer value no garp timer hold Configure the hold join and leave timers for GARP Global Mode garp timer leaveall timer value no garp timer leaveall Configure the leave all timer for GARP 2 Enable GVRP function Command Explanation Port Mode gvrp no gvrp Enable disable the GVRP function on current port Global Mode gvrp no gvrp Enable disable the GVRP function for the switch ...

Page 86: ... B without static VLAN100 entries Configuration Item Configuration description VLAN100 Port 2 6 of Switch A and C Trunk port Port 11 of Switch A and C Port 10 11 of Switch B Global GVRP Switch A B C Port GVRP Port 11 of Switch A and C Port 10 11 of Switch B Connect the two workstation to the VLAN100 ports in switch A and B connect port 11 of Switch A to port 10 of Switch B and port 11 of Switch B ...

Page 87: ...k Switch Config If Ethernet1 11 gvrp Switch Config If Ethernet1 11 exit 10 2 4 GVRP Troubleshooting The GARP counter setting in for Trunk ports in both ends of Trunk link must be the same otherwise GVRP will not work properly It is recommended to avoid enabling GVRP and RSTP at the same time in switch If GVRP is to be enabled RSTP function for the ports must be disabled first 10 3 Dot1q tunnel Con...

Page 88: ... ISP internet the ability of supporting many client VLANs by only one VLAN of theirselves Both the ISP internet and the clients can configure their own VLAN independently It is obvious that the dot1q tunnel function has got following characteristics Applicable through simple static configuration no complex configuration or maintenance to be needed Operators will only have to assign one SPVID for e...

Page 89: ... of PE1 is connected to CE1 port10 is connected to public network the TPID of the connected equipment is 9100 port1 of PE2 is connected to CE2 port10 is connected to public network Configuration Item Configuration Explanation VLAN3 Port1 of PE1 and PE2 dot1q tunnel Port1 of PE1 and PE2 tpid 9100 Configuration procedure is as follows PE1 Switch config vlan 3 Switch Config Vlan3 switchport interface...

Page 90: ...ly every host with a MAC address will be assigned to certain VLAN By the means the network user will maintain his membership in his belonging VLAN when moves from a physical location to another As we can see the greatest advantage of this VLAN division is that the VLAN does not have to be re configured when the user physic location change namely shift from one switch to another which is because it...

Page 91: ...t mac vlan enable no switchport mac vlan enable Enable disable the MAC based VLAN function on the port 2 Set the VLAN to MAC VLAN Command Explanation Global Mode mac vlan vlan vlan id no mac vlan Configure the specified VLAN to MAC VLAN the no mac vlan command cancels the MAC VLAN configuration of this VLAN 3 Configure the correspondence between the MAC address and the VLAN Command Explanation Glo...

Page 92: ...nce between the Protocols and the VLAN Command Explanation Global Mode protocol vlan mode ethernetii etype etype id llc dsap dsap id ssap ssap id snap etype etype id vlan vlan id priority priority id no protocol vlan mode ethernetii etype etype id llc dsap dsap id ssap ssap id snap etype etype id all Add delete the correspondence between the Protocols and the VLAN namely specified protocol joins l...

Page 93: ...bers is M the MAC address of his PC is 00 30 4f 11 22 33 and similar configurations are assigned to other members Figure 10 5 Typical topology application of dynamic VLAN Configuration Items Configuration Explanation MAC based VLAN Global configuration on Switch A Switch B Switch C For example M at E1 1 of SwitchA then the configuration procedures are as follows Switch A Switch B Switch C switch C...

Page 94: ...ffic is the voice data traffic from specified equipment according to the source MAC address field of the data packet entering the port The packet with the source MAC address complying with the system defined voice equipment OUI Organizationally Unique Identifier will be considered the voice data traffic and transmitted to the Voice VLAN The configuration is based on MAC address acquiring a mechani...

Page 95: ... mask mac mask name voice name all Specify certain voice equipment join leave the Voice VLAN 3 Enable the Voice VLAN of the port Command Explanation Port Mode switchport voice vlan enable no switchport voice vlan enable Enable disable the Voice VLAN function on the port 10 5 3 Typical Applications of the Voice VLAN Scenario A company realizes voice communication through configuring Voice VLAN IP p...

Page 96: ... 255 priority 5 name company Switch config interface ethernet 1 10 Switch Config If Ethernet1 10 switchport mode trunk Switch Config If Ethernet1 10 exit 10 5 4 Voice VLAN Troubleshooting Voice VLAN can not be applied concurrently with MAC base VLAN The Voice VLAN support maximum 1024 sets of voice equipments the exceeded number of equipments will not be supported The Voice VLAN on the port is ena...

Page 97: ...mapping to the destination port Then the MAC table is queried for the destination MAC address if hit the data frame is forwarded in the associated port otherwise the switch forwards the data frame to its broadcast domain If a dynamic MAC address is not learnt from the data frames to be forwarded for a long time the entry will be deleted from the switch MAC table There are two MAC table operations ...

Page 98: ... 11 11 11 and port1 5 and no port mapping for 00 01 33 33 33 33 present the switch broadcast this message to all the ports in the switch assuming all ports belong to the default VLAN1 3 PC3 and PC4 on port 1 12 receive the message sent by PC1 but PC4 will not reply as the destination MAC address is 00 01 33 33 33 33 only PC3 will reply to PC1 When port 1 12 receives the message sent by PC3 a mappi...

Page 99: ... no VLAN is set all devices connected to the switch are in the same broadcast domain When the switch receives a broadcast frame it forwards the frame in all ports When VLANs are configured in the switch the MAC table will be adapted accordingly to add VLAN information In this case the switch will not forward the received broadcast frames in all ports but forward the frames in all ports in the same...

Page 100: ...t portchannel interface name source destination both no mac address table static blackhole dynamic address mac addr vlan vlan id interface ethernet portchannel interface name Configure static MAC forwarding or filter entry 11 3 Typical Configuration Examples Figure 11 2 MAC Table typical configuration example Scenario Four PCs as shown in the above figure connect to port 1 5 1 7 1 9 1 11 of switch...

Page 101: ...lculation wait until the Spanning Tree calculation finishes and the port will learn the MAC address If not the problems mentioned above please check for the switch portand contact technical support for solution 11 5 MAC Address Function Extension 11 5 1 MAC Address Binding 11 5 1 1 Introduction to MAC Address Binding Most switches support MAC address learning each port can dynamically learn severa...

Page 102: ...Command Explanation Port Mode switchport port security lock no switchport port security lock Lock the port then MAC addresses learned will be disabled The no switchport port security lock command restores the function switchport port security convert Convert dynamic secure MAC addresses learned by the port to static secure MAC addresses switchport port security timeout value no switchport port sec...

Page 103: ... the default setting 11 5 1 3 Binding MAC Address Binding Troubleshooting Enabling MAC address binding for ports may fail in some occasions Here are some possible causes and solutions If MAC address binding cannot be enabled for a port make sure the port is not enabling port aggregation and is not configured as a Trunk port MAC address binding is exclusive to such configurations If MAC address bin...

Page 104: ...e the number of spanning tree instances which consumes less CPU resources and reduces the bandwidth consumption 12 1 1 MSTP Region Because multiple VLANs can be mapped to a single spanning tree instance IEEE 802 1s committee raises the MST concept The MST is used to make the association of a certain VLAN to a certain spanning tree instance A MSTP region is composed of one or multiple bridges with ...

Page 105: ...s and claims to be the root for all of them If the bridge receives superior MST root information lower bridge ID lower path cost and so forth than currently stored for the port it relinquishes its claim as the IST master Within a MST region the IST is the only spanning tree instance that sends and receives BPDUs Because the MST BPDU carries information for all instances the number of BPDUs that ne...

Page 106: ...st etc Consequently the VLANs in different instances have their own paths The traffic of the VLANs are load balanced 12 2 MSTP Configuration Task List MSTP configuration task list 1 Enable the MSTP and set the running mode 2 Configure instance parameters 3 Configure MSTP region parameters 4 Configure MSTP time parameters 5 Configure the fast migrate feature for MSTP 6 Configure the format of port ...

Page 107: ...ether running rootguard in specified instance configure the rootguard port can t turn to root port spanning tree rootguard no spanning tree rootguard Configure currently port whether running rootguard in instance 0 configure the rootguard port can t turn to root port 3 Configure MSTP region parameters Command Explanation Global Mode spanning tree mst configuration no spanning tree mst configuratio...

Page 108: ...ee portfast bpdufilter bpduguard no spanning tree portfast Set and cancel the port to be an boundary port bpdufilter receives the BPDU discarding bpduguard receives the BPDU will disable port no parameter receives the BPDU the port becomes a non boundary port 6 Configure the format of MSTP Command Explanation Port Mode spanning tree format standard spanning tree format privacy spanning tree format...

Page 109: ...nges Port Mode spanning tree tcflush enable disable protect no spanning tree tcflush Configure the port flush mode The no command restores to use the global configured flush mode 12 3 MSTP Example The following is a typical MSTP application example Figure 12 2 Typical MSTP Application Scenario The connections among the switches are shown in the above figure All the switches run in the MSTP mode by...

Page 110: ...ps Step 1 Configure port to VLAN mapping Create VLAN 20 30 40 50 in Switch2 Switch3 and Switch4 Set ports 1 7 as trunk ports in Switch2 Switch3 and Switch4 Step 2 Set Switch2 Switch3 and Switch4 in the same MSTP Set Switch2 Switch3 and Switch4 to have the same region name as mstp Map VLAN 20 and VLAN 30 in Switch2 Switch3 and Switch4 to Instance 3 Map VLAN 40 and VLAN 50 in Switch2 Switch3 and Swi...

Page 111: ...g spanning tree mst configuration Switch3 Config Mstp Region name mstp Switch3 Config Mstp Region instance 3 vlan 20 30 Switch3 Config Mstp Region instance 4 vlan 40 50 Switch3 Config Mstp Region exit Switch3 config interface e1 1 7 Switch3 Config Port Range switchport mode trunk Switch3 Config Port Range exit Switch3 config spanning tree Switch3 config spanning tree mst 3 priority 0 Switch4 Switc...

Page 112: ...ffic of VLAN 40 and VLAN 50 is sent through the topology of the instance 4 And the traffic of other VLANs is sent through the topology of the instance 0 The port 1 in Switch2 is the master port of the instance 3 and the instance 4 The MSTP calculation generates 3 topologies the instance 0 the instance 3 and the instance 4 marked with blue lines The ports with the mark x are in the status of discar...

Page 113: ...led on the port The MSTP parameters co work with each other so the parameters should meet the following conditions Otherwise the MSTP may work incorrectly 2 Bridge_Forward_Delay 1 0 seconds Bridge_Max_Age Bridge_Max_Age 2 Bridge_Hello_Time 1 0 seconds When users modify the MSTP parameters they have to be sure about the changes of the topologies The global configuration is based on the bridge Other...

Page 114: ...anagement according to the application requirement and network management QoS Domain QoS Domain supports QoS devices to form a net topology that provides Quality of Service so this topology is defined as QoS Domain CoS Class of Service the classification information carried by Layer 2 802 1Q frames taking 3 bits of the Tag field in frame header is called user priority level in the range of 0 to 7 ...

Page 115: ...g is as accurate as possible a description of QoS The data transfer specifications of IP cover only addresses and services of source and destination and ensure correct packet transmission using OSI layer 4 or above protocols such as TCP However rather than provide a mechanism for providing and protecting packet transmission bandwidth IP provide bandwidth service by the best effort This is acceptab...

Page 116: ...cording to packet classification information and generate internal priority and drop precedence based the classification information For different packet types and switch configurations classification is performed differently the flowchart below explains this in detail ...

Page 117: ...rent policies that allocate bandwidth to classified traffic the assigned bandwidth policy may be dual bucket dual color or dual bucket three color The traffic will be assigned with different color can be discarded or passed for the passed packets add the remarking action Remarking uses a new DSCP value of lower priority to replace the original higher level DSCP value in the packet The following fl...

Page 118: ...the queuing operation assigns the packets to different priority queues according to the internal priority while the scheduling operation perform the packet forwarding according to the priority queue weight and the drop precedence The following flowchart describes the operations during queuing and scheduling Check policing policy is traffic in profile ...

Page 119: ...ses of data streams will be processed with different policies 2 Configure a policy map After data steam classification a policy map can be created to associate with the class map created earlier and enter class mode Then different policies such as bandwidth limit priority degrading assigning new DSCP value can be applied to different data streams You can also define a policy set that can be use in...

Page 120: ...ist vlan vlan list cos cos list no match access group ip dscp ip precedence ipv6 access group ipv6 dscp ipv6 flowlabel vlan cos Set matching criterion classify data stream by ACL CoS VLAN ID IPv4 Precedence IPv6 FL or DSCP etc for the class map the no command deletes specified matching criterion 2 Configure a policy map Command Explanation Global Mode policy map policy map name no policy map polic...

Page 121: ...fferent color packets The no command will delete the mode configuration Single bucket mode is supported by the specific switch policy aggregate aggregate policy name no policy aggregate aggregate policy name Apply a policy set to classified traffic the no command deletes the specified policy set accounting no accounting Set statistic function for the classified traffic After enable this function u...

Page 122: ...Mode mls qos queue algorithm sp wrr wdrr no mls qos queue algorithm Set queue management algorithm the default queue management algorithm is wrr mls qos queue wrr weight weight0 weight7 no mls qos queue wrr weight Set queue weight based a port the default queue weight is 1 2 3 4 5 6 7 8 mls qos queue wdrr weight weight0 weight7 no mls qos queue wdrr weight Set queue weight based a port the default...

Page 123: ... id policy queuing vlan vlan id Displays QoS configuration information on a port 13 3 QoS Example Example 1 Enable QoS function change the queue out weight of port ethernet 1 1 to 1 1 2 2 4 4 8 8 and set the port in trust QoS mode without changing DSCP value and set the default QoS value of the port to 5 The configuration steps are listed below Switch config Switch config mls qos Switch config int...

Page 124: ...ap p1 Class c1 policy 10000 4000 exceed action drop Switch Config PolicyMap p1 Class c1 exit Switch Config PolicyMap p1 exit Switch config interface ethernet 1 2 Switch Config If Ethernet1 2 service policy input p1 Configuration result An ACL name 1 is set to matching segment 192 168 1 0 Enable QoS globally create a class map named c1 matching ACL1 in class map create another policy map named p1 a...

Page 125: ... p1 class c1 Switch Config PolicyMap p1 Class c1 set ip precedence 5 Switch Config PolicyMap p1 Class c1 exit Switch Config PolicyMap p1 exit Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 service policy input p1 QoS configuration in Switch2 Switch config Switch config mls qos Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 mls qos trust cos 13 4 QoS Troublesho...

Page 126: ... single destination port of redirection for a same class of flow within a source port of redirection while it can designate different destination ports of redirection for different classes of flows within a source port of redirection The same class of flow can be applied to different source ports 14 2 Flow based Redirection Configuration Task Sequence 1 Flow based redirection configuration 2 Check...

Page 127: ...ss list 1 permit host 192 168 1 111 Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 access group 1 redirect to interface ethernet 1 6 14 4 Flow based Redirection Troubleshooting Help When the configuration of flow based redirection fails please check that whether it is the following reasons causing the problem The type of flow ACL can only be digital standard IP ACL digital exten...

Page 128: ... least one of the Layer 2 ports contained in Layer 3 interface should be in UP state for Layer 3 interface in UP state otherwise Layer 3 interface will be in DOWN state The switch can use the IP addresses set in the layer 3 management interface to communicate with the other devices via IP 15 1 2 Layer 3 Interface Configuration Task List Layer 3 Interface Configuration Task List 1 Create Layer 3 ma...

Page 129: ...N interface 15 2 1 2 IPv6 Address Configuration The configuration Task List of IPv6 is as follows 1 IPv6 basic configuration 1 Configure interface IPv6 address 2 Configure default gateway 2 IPv6 Neighbor Discovery Configuration 1 Configure DAD neighbor solicitation message number 2 Configure send neighbor solicitation message interval 3 Enable and disable router advertisement 4 Configure router li...

Page 130: ...sage number Command Explanation Interface Configuration Mode ipv6 nd dad attempts value no ipv6 nd dad attempts Set the neighbor query message number sent in sequence when the interface makes duplicate address detection The no command resumes default value 1 2 Configure Send Neighbor solicitation Message Interval Command Explanation Interface Configuration Mode ipv6 nd ns interval seconds no ipv6 ...

Page 131: ...sement The NO command resumes default value 600 seconds 7 Configure prefix advertisement parameters Command Explanation Interface Configuration Mode ipv6 nd prefix ipv6 address prefix length valid lifetime preferred lifetime off link no autoconfig no ipv6 nd prefix ipv6 address prefix length valid lifetime preferred lifetime off link no autoconfig Configure the address prefix and advertisement par...

Page 132: ...orts static ARP configuration 15 3 2 ARP Configuration Task List ARP Configuration Task List 1 Configure static ARP 1 Configure static ARP Command Explanation VLAN Port Mode arp ip_address mac_address no arp ip_address Configures a static ARP entry the no command deletes a static ARP entry 15 3 3 ARP Troubleshooting If ping from the switch to directly connected network devices fails the following ...

Page 133: ...here are two methods to prevent ARP scanning port based and IP based The port based ARP scanning will count the number to ARP messages received from a port in a certain time range if the number is larger than a preset threshold this port will be down The IP based ARP scanning will count the number to ARP messages received from an IP in the segment in a certain time range if the number is larger th...

Page 134: ...s Command Explanation Port configuration mode anti arpscan trust port supertrust port no anti arpscan trust port supertrust port Set the trust attributes of the ports 4 Configure trusted IP Command Explanation Global configuration mode anti arpscan trust ip ip address netmask no anti arpscan trust ip ip address netmask Set the trust attributes of IP 5 Configure automatic recovery time Command Expl...

Page 135: ... above port E1 1 of SWITCH B is connected to port E1 19 of SWITCH A the port E1 2 of SWITCH A is connected to file server IP address is 192 168 1 100 and all the other ports of SWITCH A are connected to common PC The following configuration can prevent ARP scanning effectively without affecting the normal operation of the system SWITCH A configuration task sequence SwitchA config anti arpscan enab...

Page 136: ...t1 1 SwitchB Config If Ethernet 1 1 anti arpscan trust port SwitchB Config If Ethernet 1 1 exit 16 4 ARP Scanning Prevention Troubleshooting Help ARP scanning prevention is disabled by default After enabling ARP scanning prevention users can enable the debug switch debug anti arpscan to view debug information ...

Page 137: ...ving the messages to it Particularly if the attacker pretends to be the gateway and do ARP cheating the whole network will be collapsed Figure 17 1 ARP GUARD schematic diagram We utilize the filtering entries of the switch to protect the ARP entries of important network devices from being imitated by other devices The basic theory of doing this is that utilizing the filtering entries of the switch...

Page 138: ...17 2 17 2 ARP GUARD Configuration Task List 1 Configure the protected IP address Command Explanation Port configuration mode arp guard ip addr no arp guard ip addr Configure delete ARP GUARD address ...

Page 139: ...raction Explanation 1 DHCP client broadcasts DHCPDISCOVER packets in the local subnet 2 On receiving the DHCPDISCOVER packet DHCP server sends a DHCPOFFER packet along with IP address and other network parameters to the DHCP client 3 DHCP client broadcast DHCPREQUEST packet with the information for the DHCP server it selected after selecting from the DHCPOFFER packets 4 The DHCP server selected by...

Page 140: ...P address pool parameters 3 Enable logging for address conflicts 1 Enable Disable DHCP server Command Explanation Global Mode service dhcp no service dhcp Enable DHCP server The no command disables DHCP server 2 Configure DHCP Address pool 1 Create Delete DHCP Address pool Command Explanation Global Mode ip dhcp pool name no ip dhcp pool name Configure DHCP Address pool The no operation cancels th...

Page 141: ...address2 address8 Configure the address of the server hosting file for importing The no command deletes the address of the server hosting file for importing option code ascii string hex hex ipaddress ipaddress no option code Configure the network parameter specified by the option code The no command deletes the network parameter specified by the option code lease days hours minutes infinite no lea...

Page 142: ...in VLAN IP address is 10 16 1 2 16 The local area network for the company is divided into network A and B according to the office locations The network configurations for location A and B are shown below PoolA network 10 16 1 0 PoolB network 10 16 2 0 Device IP address Device IP address Default gateway 10 16 1 200 10 16 1 201 Default gateway 10 16 1 200 10 16 1 201 DNS server 10 16 1 202 DNS serve...

Page 143: ...ned to the client will belong to 10 16 1 0 24 If the DHCP BOOTP client wants to have an address in 10 16 2 0 24 the gateway forwarding broadcast packets of the client must belong to 10 16 2 0 24 The connectivity between the client gateway and the switch must be ensured for the client to get an IP address from the 10 16 2 0 24 address pool 18 4 DHCP Troubleshooting If the DHCP clients cannot obtain...

Page 144: ... DHCP over load attacks To avoid too many DHCP messages attacking CPU users should limit the DHCP speed of receiving packets on trusted and non trusted ports Record the binding data of DHCP DHCP SNOOPING will record the binding data allocated by DHCP SERVER while forwarding DHCP messages it can also upload the binding data to the specified server to backup it The binding data is mainly used to con...

Page 145: ...ding static list entries function 12 Set defense actions 13 Set rate limitation of DHCP messages 14 Enable the debug switch 1 Enable DHCP Snooping Command Explanation Globe mode ip dhcp snooping enable no ip dhcp snooping enable Enable or disable the DHCP snooping function 2 Enable DHCP Snooping binding Command Explanation Globe mode ip dhcp snooping binding enable no ip dhcp snooping binding enab...

Page 146: ... private packet version 6 Set DES encrypted key for private packets Command Explanation Globe mode enable trustview key 0 7 password no enable trustview key To configure delete DES encrypted key for private packets 7 Set helper server address Command Explanation Globe mode ip user helper address A B C D port udpport source ipAddr secondary no ip user helper address secondary Set or delete helper s...

Page 147: ... user mac address ipAddr mask vlan vid interface ethernet ifname no ip dhcp snooping binding user mac interface ethernet ifname Add delete DHCP snooping static binding list entries 12 Set defense actions Command Explanation Port mode ip dhcp snooping action shutdown blackhole recovery second no ip dhcp snooping action Set or delete the DHCP snooping automatic defense actions of ports 13 Set rate l...

Page 148: ...e switch the malicious user Mac BB is connected to the non trusted port 1 10 trying to fake a DHCP Server by sending DHCPACK Setting DHCP Snooping on the switch will effectively detect and block this kind of network attack Configuration sequence is switch switch config switch config ip dhcp snooping enable switch config interface ethernet 1 11 switch Config If Ethernet1 11 ip dhcp snooping trust s...

Page 149: ...19 4 2 DHCP Snooping Troubleshooting Help If there is any problem happens when using DHCP Snooping function please check if the problem is caused by the following reasons Check that whether the global DHCP Snooping is enabled If the port does not react to invalid DHCP Server packets please check that whether the port is set as a non trusted port of DHCP Snooping ...

Page 150: ...server can identify all the possible DHCP attack messages according to the information in option 82 and defend against them DHCP SNOOPING will peel the option 82 from the reply messages it receives and forward the reply message to the specified port of the network access device The application of DHCP option 82 is transparent for the client 20 1 1 DHCP option 82 Message Structure A DHCP message ca...

Page 151: ...erface information of the switch connected to the DHCP client VLAN name and physical port name The sub option 2 of option 82 Remote ID is the CPU MAC address of the switch 3 After receiving the DHCP request message the DHCP server will allocate IP address and other information for the client according to the information and preconfigured policy in the option segment of the message Then it will for...

Page 152: ... binding enable Enable or disable DHCP SNOOPING binding function 3 Enable DHCP Snooping option 82 function Command Explanation Global mode ip dhcp snooping information enable no ip dhcp snooping information enable Enable or disable DHCP SNOOPING option 82 function 4 Configure trust ports Command Explanation Admin mode ip dhcp snooping trust no ip dhcp snooping trust Set or delete DHCP SNOOPING tru...

Page 153: ...tc dhcpd conf is ddns update style interim ignore client updates class Switch1Vlan1Class1 match if option agent circuit id Vlan1 Ethernet1 3 and option agent remote id 00 03 0f 02 33 01 subnet 192 168 102 0 netmask 255 255 255 0 option routers 192 168 102 2 option subnet mask 255 255 255 0 option domain name example com cn option domain name servers 192 168 10 3 authoritative pool range 192 168 10...

Page 154: ...ing for Multicast data packet and then the transferred packet just starts to be duplicated and distributed in the bifurcate crossing as far as possible Thus the packet can be sent to every user who needs it accurately and effectively It should be noticed that it is not necessary for Multicast source to join in Multicast group It sends data to some Multicast groups but it is not necessarily a recei...

Page 155: ...s available to users Temporary Group Address and are valid in the entire domain of the network 239 0 0 0 239 255 255 255 are local management Multicast addresses which are valid only in specific local domain Frequently used reserved multicast address list is as follows Benchmark address reserved 224 0 0 1 Address of all hosts 224 0 0 2 Address of all Multicast Routers 224 0 0 3 Unassigned 224 0 0 ...

Page 156: ...is on the shortest path from receipt site to source address If shortest path Tree is used then the source address is the address of source host which sends Multicast Data Packets if Shared Tree is used then the source address is the address of the root of the Shared Tree When Multicast data packet gets to the router if RPF check passes then the data packet is forwarded according to Multicast forwa...

Page 157: ... IGMP snooping and IGMP model of which the control logic includes the following three i e to take control based on VLAN MAC address transmitting packets to take control based on IP address of transmitting packets and to take control based on the port where messages enter in which IGMP snooping can use the above three methods to take control simultaneously while since IGMP model is located at layer...

Page 158: ...ode no access list 5000 5099 deny permit ip source source wildcard host source source host ip any source destination destination wildcard host desti nation destination host ip any destinat ion The rule used to configure source control This rule does not take effect until it is applied to specified port Using the NO form of it can delete specified rule The last is to configure the configured rule t...

Page 159: ...tion destination host ip any destination The rule used to configure destination control This rule does not take effect until it is applied to source IP or VLAN MAC and port Using the NO form of it can delete specified rule The last is to configure the rule to specified source IP source VLAN MAC or specified port It is noticeable that due to the above situations these rules can only be used globall...

Page 160: ...multicast and the data group must be 225 1 2 3 Also switch connected up to port Ethernet1 10 can transmit multicast data without any limit and we can make the following configuration EC config access list 5000 permit ip any host 225 1 2 3 EC config access list 5001 permit ip any any EC config ip multicast source control EC config interface ethernet1 5 EC Config If Ethernet1 5 ip multicast source c...

Page 161: ...ice staff of our company 21 3 IGMP Snooping 21 3 1 Introduction to IGMP Snooping IGMP Internet Group Management Protocol is a protocol used in IP multicast IGMP is used by multicast enabled network device such as a router for host membership query and by hosts that are joining a multicast group to inform the router to accept packets of a certain multicast address All those operations are done thro...

Page 162: ...vlan id l2 general querier Set this vlan to layer 2 general querier It is recommended to configure a layer 2 general querier on a segment The no ip igmp snooping vlan vlan id l2 general querier command cancels this configuration ip igmp snooping vlan vlan id l2 general querier version version Configure the version number of a general query from a layer 2 general querier ip igmp snooping vlan vlan ...

Page 163: ... robustness Configure the query robustness The no ip igmp snooping vlan vlan id query robustness command restores to the default value ip igmp snooping vlan vlan id suppression query time value no ip igmp snooping vlan vlan id suppression query time Configure the suppression query time The no ip igmp snooping vlan vlan id suppression query time command restores to the default value ip igmp snoopin...

Page 164: ... snooping Switch config ip igmp snooping vlan 100 Switch config ip igmp snooping vlan 100 mrouter interface ethernet 1 1 Multicast Configuration Suppose two programs are provided in the Multicast Server using multicast address Group1 and Group2 three of four hosts running multicast applications are connected to port 2 6 10 plays program1 while the host is connected to port 12 plays program 2 IGMP ...

Page 165: ...an 60 SwitchA config ip igmp snooping vlan 60 L2 general querier SwitchB config SwitchB config ip igmp snooping SwitchB config ip igmp snooping vlan 100 SwitchB config ip igmp snooping vlan 100 mrouter interface ethernet 1 1 Multicast Configuration The same as scenario 1 IGMP Snooping listening result Similar to scenario 1 Scenario 3 To run in cooperation with layer 3 multicast protocols SWITCH wh...

Page 166: ...ng up the layer 3 IPMC entries it can be found that ports can be indicated by the layer 3 multicast entries This ensures the IGMP snooping can work in cooperation with the layer 3 multicast protocols 21 3 4 IGMP Snooping Troubleshooting On IGMP Snooping function configuration and usage IGMP Snooping might not run properly because of physical connection or configuration mistakes So the users should...

Page 167: ...ugh the multicast address MLD Snooping is namely the MLD listening The switch restricts the multicast traffic from flooding through MLD Snooping and forward the multicast traffic to ports associated to multicast devices only The switch listens to the MLD messages between multicast routers and listeners and maintains the multicast group forwarding list based on the listening result The switches for...

Page 168: ...keep alive time of the mrouter port The no form of this command restores to the default ipv6 mld snooping vlan vlan id query interval value no ipv6 mld snooping vlan vlan id query interval Configure the query interval The no form of this command restores to the default ipv6 mld snooping vlan vlan id immediate leave no ipv6 mld snooping vlan vlan id immediate leave Configure immediate leave multica...

Page 169: ...he MLD Snooping on VLAN 100 furthermore we need to set the port 1 of VLAN 100 as a mrouter port Configuration procedure is as follows Switch config Switch config ipv6 mld snooping Switch config ipv6 mld snooping vlan 100 Switch config ipv6 mld snooping vlan 100 mrouter port interface ethernet 1 1 Multicast configuration Assume there are two multicast servers the Multicast Server 1 and the Multicas...

Page 170: ... Querier Function figure Configuration of switch B is the same as the switches in case 1 and here the switch 1 replaces the Multicast Router in case 1 Assume the vlan 60 configured on it contains port 1 2 10 12 amongst port 1 is connected to multicast server port 2 to switch2 To send Query periodically global MLD Snooping has to be enabled while executing the mld snooping vlan 60 l2 general querie...

Page 171: ...It only does the following tasks To remove the layer 2 multicast entries To provide query functions to the layer 3 with vlan S and G as the parameters When layer 3 MLD is disabled re enable distributing layer 2 multicast entries By looking up the layer 3 IP6MC entries it can be found that ports can be indicated by the layer 3 multicast entries This ensures the MLD Snooping can work in cooperation ...

Page 172: ...AN Configuration Task List 1 Enable the multicast VLAN function 2 Configure the IGMP Snooping 3 Configure the MLD Snooping 1 Enable the multicast VLAN function Command Explanation VLAN configuration mode multicast vlan no multicast vlan Configure a VLAN and enable the multicast VLAN on it The no multicast vlan command disables the multicast function on the VLAN multicast vlan association vlan list...

Page 173: ...longs to the VLAN10 of the switch The layer 3 switch switchA is connected with layer 2 switches through the port1 10 which configured as trunk port On the switchB the VLAN100 is configured set to contain port1 15 and VLAN101 to contain port1 20 PC1 and PC2 are respectively connected to port 1 15 and1 20 The switchB is connected with the switchA through port1 10 which configured as trunk port VLAN ...

Page 174: ...n100 Switchport access ethernet 1 15 SwitchB config vlan100 exit SwitchB config vlan 101 SwitchB config vlan101 Switchport access ethernet 1 20 SwitchB config vlan101 exit SwitchB config interface ethernet 1 10 SwitchB Config If Ethernet1 10 Switchport mode trunk SwitchB Config If Ethernet1 10 exit SwitchB config vlan 20 SwitchB config vlan20 multicast vlan SwitchB config vlan20 multicast vlan ass...

Page 175: ...mation and MAC IP access list layer 2 or layer 3 or higher Configuration complexity based criterion standard and extended the extended mode allows more specific filtering of information Nomenclature based criterion numbered and named Description of an ACL should cover the above three aspects 24 1 2 Access group When a set of access lists are created they can be applied to traffic of incoming direc...

Page 176: ...ermit or deny rule entries c Exit ACL Configuration Mode 8 Configuring a numbered extended MAC IP access list 9 Configuring a extended MAC IP access list based on nomenclature a Create a extensive MAC IP access list based on nomenclature b Specify multiple permit or deny rule entries c Exit MAC IP Configuration Mode 10 Configuring a numbered standard IPV6 access list 11 Configuring a standard IPV6...

Page 177: ...umbered extended access list of specified number does not exist then an access list will be created using this number access list num deny permit tcp sIpAddr sMask any source host source sIpAddr s port sPort range sPortMin sPortMax dIpAddr dMask any destination host destination dIpAddr d port dPort range dPortMin dPortMax ack fin psh rst urg syn precedence prec tos tos time range time range name C...

Page 178: ...ture the no ip access list standard name command deletes the name based standard IP access list b Specify multiple permit or deny rules Command Explanation Standard IP ACL Mode no deny permit sIpAddr sMask any source host source sIpAddr Creates a standard name based IP access rule the no form command deletes the name based standard IP access rule c Exit name based standard IP ACL configuration mod...

Page 179: ... no deny permit tcp sIpAddr sMask any source host source sIpAddr s port sPort range sPortMin sPortMax dIpAddr dMask any destination host destination dIpAddr d port dPort range dPortMin dPortMax ack fin psh rst urg syn precedence prec tos tos time range time range name Creates an extended name based TCP IP access rule the no form command deletes this name based extended IP access rule no deny permi...

Page 180: ...ist num command deletes a numbered standard MAC access list 6 Creates a numbered MAC extended access list Command Explanation Global Mode access list num deny permit any source mac host source mac host_smac smac smac ma sk any destination mac host destination mac h ost_dmac dmac dmac mask untagged eth 2 tagged eth2 untagged 802 3 tagged 802 3 no access list num Creates a numbered MAC extended acce...

Page 181: ...rce mac host source ma c host_smac smac smac mask any destin ation mac host destination mac host_dmac d mac dmac mask vlanId vid value vid mask ethertype protocol protocol mask Creates an extended name based MAC access rule matching MAC frame the no form command deletes this name based extended MAC access rule no deny permit any source mac host source ma c host_smac smac smac mask any destin ation...

Page 182: ...configure Mode exit Quit the extended name based MAC access configure mode 8 Configuring a numbered extended MAC IP access list Command Explanation Global mode access list num deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask icmp source source wildcard any source host source source host ip destination destination ...

Page 183: ... tcp access rule if the numbered extended access list of specified number does not exist then an access list will be created using this number access list num deny permit any source mac host source mac host_smac smac smac ma sk any destination mac host destination mac host_dmac dmac dmac mask udp source source wildcard any source host source source host ip s port port1 range sPortMin sPortMax dest...

Page 184: ... extended MAC IP access rule b Specify multiple permit or deny rule entries Command Explanation Extended name based MAC IP access Mode no deny permit any source mac host source mac host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask icmp source source wildcard any source host source source host ip destination destination wildcard any destinati on host destina...

Page 185: ...sed extended MAC TCP access rule no deny permit any source mac host source ma c host_smac smac smac mask any destination mac host destination mac host_dmac dmac dmac mask udp source source wildcard any source host source source host ip s port port1 range sPortMin sPortMax destination destination wildcard any destinati on host destination destination host ip d port port3 range sPortMin sPortMax pre...

Page 186: ...ist num Creates a numbered standard IPV6 access list if the access list already exists then a rule will add to the current access list the no access list num command deletes a numbered standard IPv6 access list 11 Configuring a standard IPV6 access list based on nomenclature a Create a standard IPV6 access list based on nomenclature Command Explanation Global Mode ipv6 access list standard name no...

Page 187: ...bal packet filtering function Command Explanation Global Mode firewall enable Enables global packet filtering function firewall disable Disables global packet filtering function 2 Configure default action Command Explanation Global Mode firewall default permit deny Sets default action to firewall 3 Configuring time range function 1 Create the name of the time range Command Explanation Global Mode ...

Page 188: ... Monday Tuesday Wednesday Thursday Friday Saturday Sunday daily weekdays weekend start_time to end_time 3 Configure absolute time range Command Explanation Global Mode absolute start start_time start_data end end_time end_data Configure absolute time range no absolute start start_time start_data end end_time end_data Stop the function of the time range 4 Bind access list to a specific direction of...

Page 189: ...iltering function 3 Bind the ACL to the port The configuration steps are listed below Switch config access list 110 deny tcp 10 0 0 0 0 0 0 255 any destination d port 21 Switch config firewall enable Switch config firewall default permit Switch config interface ethernet 1 10 Switch Config If Ethernet1 10 ip access group 110 in Switch Config If Ethernet1 10 exit Switch config exit Configuration res...

Page 190: ...witch Config If Ethernet1 10 exit Switch config exit Configuration result Switch show firewall Firewall Status Enable Firewall Default Rule Permit Switch show access lists access list 1100 used 1 time s access list 1100 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac untagged 802 3 access list 1100 deny 00 12 11 23 00 00 00 00 00 00 ff ff any destination mac Switch show access group i...

Page 191: ...f ff any destination mac tcp 10 0 0 0 0 0 0 255 any destination d port 21 access list 3110 deny any source mac 00 12 11 23 00 00 00 00 00 00 ff ff icmp any source 10 0 0 0 0 0 0 255 Switch show access group interface ethernet 1 10 interface name Ethernet1 10 MAC IP Ingress access list used is 3110 traffic statistics Disable Scenario 4 The configuration requirement is stated as below IPv6 protocol ...

Page 192: ...0 traffic statistics Disable Scenario 5 The configuration requirement is stated as below The interface 1 2 5 7 belongs to vlan100 Hosts with 192 168 0 1 as its IP address should be disabled from accessing the listed interfaces Configuration description 1 Create the corresponding access list 2 Configure datagram filtering 3 Bind the ACL to the related interface The configuration steps are listed as...

Page 193: ...any destination and deny tcp any any destination at the same time is not permitted Viruses such as worm blaster can be blocked by configuring ACL to block specific ICMP packets or specific TCP or UDP port packet If the physical mode of an interface is TRUNK ACL can only be configured through physical interface mode ACL configured in the physical mode can only be disabled in the physical mode Those...

Page 194: ...24 23 removed from all the physical interfaces belonging to the VLAN and it will be bound to VLAN 1 ACL if ACL is configured in VLAN1 If VLAN 1 ACL binding fails the VLAN removal operation will fail ...

Page 195: ...as a result IEEE LAN WAN committee defined a standard which is 802 1x to do Port Based Network Access Control This standard has been widely used in wireless LAN and ethernet Port Based Network Access Control means to authenticate and control the user devices on the level of ports of LAN access devices Only when the user devices connected to the ports pass the authentication can they access the res...

Page 196: ...ystem and deal with the authenticated unauthenticated state of the controlled port according to the result of the authentication The authenticated state means the user is allowed to access the network resources the unauthenticated state means only the EAPOL messages are allowed to be received and sent while the user is forbidden to access network resources 2 controlled uncontrolled ports The authe...

Page 197: ...entication Protocol or CHAP Challenge Handshake Authentication Protocol attributes to do the authentication interaction with the RADIUS server When the user pass the authentication the authentication server system will send the relative information of the user to authenticator system the PAE of the authenticator system will decide the authenticated unauthenticated status of the controlled port acc...

Page 198: ...nts the length of the data that is the length of the Packet Body in byte There will be no following data domain when its value is 0 Packet Body represents the content of the data which will be in different formats according to different types 2 The Format of EAP Data Packets When the value of Type domain in EAPOL packet is EAP Packet the Packet Body is in EAP format illustrated in the next figure ...

Page 199: ...ll be encapsulated in several EAP Messages attributes in their original order Figure 25 6 the Encapsulation of EAP Message Attribute 2 Message Authenticator As illustrated in the next figure this attribute is used in the process of using authentication methods like EAP and CHAP to prevent the access request packets from being eavesdropped Message Authenticator should be included in the packets con...

Page 200: ...ame to send EAP message should be loaded on the UDP protocol instead of EAPOU in order to achieve the authentication and communication between web client and web authentication proxy switch The standardized EAPOR protocol is still used between the authentication proxy switch and authentication server 25 1 6 The Authentication Methods of 802 1x The authentication can either be started by supplicant...

Page 201: ...escribed in detail in the following part Attention The switch as the access controlling unit of Pass through will not check the content of a particular EAP method so can support all the EAP methods above and all the EAP authentication methods that may be extended in the future In EAP relay if any authentication method in EAP MD5 EAP TLS EAP TTLS and PEAP is adopted the authentication methods of th...

Page 202: ...and the Radius authentication server to possess digital certificate to implement bidirectional authentication It is the earliest EAP authentication method used in wireless LAN Since every user should have a digital certificate this method is rarely used practically considering the difficult maintenance However it is still one of the safest EAP standards and enjoys prevailing supports from the vend...

Page 203: ... identity is implemented with passwords transmitted in a safely encrypted tunnel established via the certificate of the authentication server Any kind of authentication request including EAP PAP and MS CHAPV2 can be transmitted within TTLS tunnels 4 PEAP Authentication Method EAP PEAP is brought up by Cisco Microsoft and RAS Security as a recommended open standard It has long been utilized in prod...

Page 204: ...erminated in the access control unit and mapped into RADIUS messages which is used to implement the authentication authorization and fee counting The basic operation flow is illustrated in the next figure In EAP termination mode the access control unit and the RADIUS server can use PAP or CHAP authentication method The following figure will demonstrate the basic operation flow using CHAP authentic...

Page 205: ...rt passes the authentication all the other users can access the network resources without being authenticated However once the first user is offline the network won t be available to all the other users When the MAC based method is used all the users accessing a port should be authenticated separately only those pass the authentication can access the network while the others can not When one user ...

Page 206: ...ssigned Auto VLAN information the current Access port will leave the VLAN set by the user and join Auto VLAN Auto VLAN won t change or affect the port s configuration But the priority of Auto VLAN is higher than that of the user set VLAN that is Auto VLAN is the one takes effect when the authentication is finished while the user set VLAN do not work until the user become offline At present Auto VL...

Page 207: ...ist 1 Enable IEEE 802 1x function 2 Configure web authentication agent function 3 Access management unit property configuration 1 Configure port authentication status 2 Configure access management method for the port MAC based or port based 3 Configure expanded 802 1x function 4 Configure IPv6 passthrough function of the port 4 User access devices related property configuration optional 1 Enable 8...

Page 208: ...method Sets the port access management method the no command restores MAC based access management dot1x max user macbased number no dot1x max user macbased Sets the maximum number of access users for the specified port the no command restores the default setting of allowing 1 user dot1x max user userbased number no dot1x max user userbased Set the upper limit of the number of users allowed accessi...

Page 209: ...cable when access control mode is webbased the no operation of this command will disable the function 4 Supplicant related property configuration Command Explanation Global Mode dot1x max req count no dot1x max req Sets the number of EAP request MD5 frame to be sent before the switch re initials authentication on no supplicant response the no command restores the default setting dot1x re authentic...

Page 210: ...3 and E6 means Ethernet 1 6 As showed in the next figure a switch accesses the network using 802 1x authentication with a RADIUS server as its authentication server Ethernet1 2 the port through which the user accesses the switch belongs to VLAN100 the authentication server is in VLAN2 Update Server being in VLAN10 is for the user to download and update supplicant system software Ethernet1 6 the po...

Page 211: ...the user to access the Update Server Figure 25 15 User Being Online VLAN Being Offline As illustrated in the up figure when the users become online after a successful authentication the authentication server will assign VLAN5 which makes the user and Ethernet1 6 both in VLAN5 allowing the user to access the Internet Internet SWITCH E2 VLAN5 E3 VLAN10 VLAN2 Update server Authenticator server E6 VLA...

Page 212: ...itch port mode access Set the access control mode on the port as portbased Switch Config If Ethernet1 2 dot1x port method portbased Set the access control mode on the port as auto Switch Config If Ethernet1 2 dot1x port control auto Set the port s Guest VLAN as 100 Switch Config If Ethernet1 2 dot1x guest vlan 100 Switch Config If Ethernet1 2 exit Using the command of show running config or show i...

Page 213: ...authentication client software is installed on the PC and is used in IEEE 802 1x authentication The configuration procedures are listed below Switch config interface vlan 1 Switch Config if vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if vlan1 exit Switch config radius server authentication host 10 1 1 3 Switch config radius server accounting host 10 1 1 3 Switch config radius server key ...

Page 214: ... 1x authentication client software on the computer and use the client for IEEE802 1x authentication The detailed configurations are listed as below Switch config interface vlan 1 Switch Config if vlan1 ipv6 address 2004 1 2 3 2 64 Switch Config if vlan1 exit Switch config radius server authentication host 2004 1 2 3 3 Switch config radius server accounting host 2004 1 2 3 3 Switch config radius se...

Page 215: ...s connected to VLAN 2 802 1x Web authentication can be enabled through the following configuration The re authentication function is disabled by default To enable this corresponding 802 1x configuration should be issued first Configuration task list on SWITCH1 Switch config dot1x enable Switch config dot1x web authentication enable Switch config dot1x web redirect http 192 168 20 20 WebSupplicant ...

Page 216: ...uccessful login If the event log indicates wrong authenticator password radius server key parameter shall be modified if the event log indicates no such authenticator the authenticator needs to be added to the RADIUS server if the event log indicates no such login user the user login ID and password may be wrong and should be verified and input again Web Authentication Proxy based on 802 1x is dis...

Page 217: ...ually the switch supports both the static configuration and dynamic study of MAC address which means each port can have more than one static set MAC addresses and dynamically learnt MAC addresses and thus can implement the transmission of data traffic between port and known MAC addresses When a MAC address becomes out of date it will be dealt with broadcast No number limitation is put on MAC addre...

Page 218: ...ynamic maximum Enable and disable the number limitation function of MAC in the VLAN 3 Configure the timeout value of querying dynamic MAC Command Explanation Global configuration mode mac address query timeout seconds Configure the timeout value of querying dynamic MAC 4 Display and debug the relative information of number limitation of MAC on ports Command Explanation Admin mode show mac address ...

Page 219: ...he switch causing successful DOS attacks Limiting the MAC list entry can prevent DOS attack On port 1 1 of SWITCH A set the max number can be learnt of dynamic MAC address as 20 In VLAN 1 set the max number of dynamic MAC address as 30 SWITCH A configuration task sequence Switch config interface ethernet 1 1 Switch Config If Ethernet1 1 switchport mac address dynamic maximum 20 Switch Config If Et...

Page 220: ...e to these configurations so if the users need to enable the number limitation function of MAC address on the port they should check these functions mentioned above on this port are disabled If all the configurations are normal after enabling the number limitation function of port MAC in VLAN users can use debug commands to debug every limitation check the details of number limitations and judge w...

Page 221: ...MAC IP can be exclusively bound with a host it is necessary to make MAC IP bound with a host for the purpose of preventing users from maliciously modifying host IP to forward the messages from their hosts via the switch With the interface bound attribute of AM network mangers can bind the IP MAC IP address of a legal user to a specified interface After that only the messages sending by users with ...

Page 222: ... Command Explanation Port Mode am mac ip pool mac address ip address no am mac ip pool mac address ip address Configure the forwarding MAC IP of the port 5 Delete all of the configured IP or MAC IP or both Command Explanation Global Mode no am all ip pool mac ip pool Delete MAC IP address pool or IP address pool or both pools configured by all users 6 Display relative configuration information of ...

Page 223: ...ch can be configured as follows Switch config am enable Switch config interface ethernet1 1 Switch Config If Ethernet1 1 am port Switch Config If Ethernet1 1 am ip pool 10 10 10 1 10 27 4 AM Function Troubleshooting AM function is disabled by default and after it is enabled relative configuration of AM can be made Users can view the current AM configuration with show am command such as whether the...

Page 224: ...user to drop matched packets based on specified conditions The security features provide several simple and effective protections against Dos attacks while acting no influence on the linear forwarding performance of the switch 28 2 Security Feature Configuration 28 2 1 Prevent IP Spoofing Function Configuration Task Sequence 1 Enable the IP spoofing function Command Explanation Global Mode no dosa...

Page 225: ... disable checking IPv4 fragment This command has no effect when used separately but if this function is not enabled the switch will not drop the IPv4 fragment packet whose source port is equal to its destination port 28 2 4 Prevent TCP Fragment Attack Function Configuration Task Sequence 1 Enable the prevent TCP fragment attack function 2 Configure the minimum permitted TCP head length of the pack...

Page 226: ... length This command has not effect when used separately the user have to enable the dosattack check icmp attacking enable 28 3 Security Feature Example Scenario The User has follows configuration requirements the switch do not forward data packet whose source IP address is equal to the destination address and those whose source port is equal to the destination port Only the ping command with defa...

Page 227: ... on the switch when the user logs such as telnet the authentication of user name and password can be carried out with TACACS 29 2 TACACS Configuration Task List 1 Configure the TACACS authentication key 2 Configure the TACACS server 3 Configure the TACACS authentication timeout time 4 Configure the IP address of the RADIUS NAS 1 Configure the TACACS authentication key Command Explanation Global Mo...

Page 228: ...ACACS packets for the switch 29 3 TACACS Scenarios Typical Examples Figure 29 1 TACACS Configuration A computer connects to a switch of which the IP address is 10 1 1 2 and connected with a TACACS authentication server IP address of the server is 10 1 1 3 and the authentication port is defaulted at 49 set telnet log on authentication of the switch as tacacs local via using TACACS authentication se...

Page 229: ...uch as physical connection failure or wrong configurations The user should ensure the following First good condition of the TACACS server physical connection Second all interface and link protocols are in the UP state use show interface command Then ensure the TACACS key configured on the switch is in accordance with the one configured on TACACS server Finally ensure to connect to the correct TACA...

Page 230: ...ind of distributed and client server protocol for information exchange The RADIUS client is usually used on network appliance to implement AAA in cooperation with 802 1x protocol The RADIUS server maintains the database for AAA and communicates with the RADIUS client through RADIUS protocol The RADIUS protocol is the most common used protocol in the AAA framework 30 1 2 Message structure for RADIU...

Page 231: ...te 3 CHAP Password 25 Class 4 NAS IP Address 26 Vendor Specific 5 NAS Port 27 Session Timeout 6 Service Type 28 Idle Timeout 7 Framed Protocol 29 Termination Action 8 Framed IP Address 30 Called Station Id 9 Framed IP Netmask 31 Calling Station Id 10 Framed Routing 32 NAS Identifier 11 Filter Id 33 Proxy State 12 Framed MTU 34 Login LAT Service 13 Framed Compression 35 Login LAT Node 14 Login IP H...

Page 232: ...e the RADIUS authentication key Command Explanation Global Mode radius server key string no radius server key To configure the encryption key for the RADIUS server The no form of this command will remove the configured key 3 Configure the RADIUS server Command Explanation Global Mode radius server authentication host IPaddress IPv6address port portNum key string primary access mode dot1x telnet no...

Page 233: ...ds no radius server timeout To configure the timeout value for the RADIUS server The no form of this command will restore the default configuration radius server accounting interim update timeout seconds no radius server accounting interim update timeout To configure the update interval for accounting The no form of this command will restore the default configuration 5 Configure the IP address of ...

Page 234: ...0 1 1 3 and the authentication port is defaulted at 1812 accounting port is defaulted at 1813 Configure steps as below Switch config interface vlan 1 Switch Config if vlan1 ip address 10 1 1 2 255 255 255 0 Switch Config if vlan1 exit Switch config radius server authentication host 10 1 1 3 Switch config radius server accounting host 10 1 1 3 Switch config radius server key test Switch config aaa ...

Page 235: ...test Switch config aaa enable Switch config aaa accounting enable 30 4 RADIUS Troubleshooting In configuring and using RADIUS the RADIUS may fail to authentication due to reasons such as physical connection failure or wrong configurations The user should ensure the following First make sure good condition of the RADIUS server physical connection Second all interface and link protocols are in the U...

Page 236: ...31 7 server center of our company ...

Page 237: ...n reach 100 50 ms 31 1 1 Conception Introduction Figure 31 1 MRPP Sketch Map 1 Control VLAN Control VLAN is a virtual VLAN only used to identify MRPP protocol packet transferred in the link To avoid confusion with other configured VLAN avoids configuring control VLAN ID to be the same with other configured VLAN ID The different MRPP ring should configure the different control VLAN ID 2 Ethernet Ri...

Page 238: ...ed by user configuration As shown Fig 31 1 Switch A E1 is primary port E2 is secondary port 5 Timer The two timers are used when the primary node sends and receives MRPP protocol packet Hello timer and Fail Timer Hello timer define timer of time interval of health examine packet sending by primary node primary port Fail timer define timer of overtime interval of health examine packet receiving by ...

Page 239: ...FLUSH_FDB packet to inform all of transfer nodes to refresh own MAC address forward list 3 Ring Restore After the primary node occur ring fail if the secondary port receives Hello packet sending from primary node the ring has been restored at the same time the primary node block its secondary port and sends its neighbor LINK UP Flush FDB packet After MRPP ring port refresh UP on transfer node the ...

Page 240: ...ng from primary node of MRPP ring format no restores default timer value enable no enable Enable MRPP ring format no disables enabled MRPP ring Port mode mrpp ring ring id primary port no mrpp ring ring id primary port Specify primary port of MRPP ring mrpp ring ring id secondary port no mrpp ring ring id secondary port Specify secondary port of MRPP ring 3 Display and debug MRPP relevant informat...

Page 241: ...ables each MRPP ring in the whole MRPP ring and after all of the nodes are configured open the port When disable MRPP ring it needs to insure the MRPP ring doesn t have ring SWITCH A configuration Task Sequence Switch Config mrpp enable Switch Config mrpp ring 4000 Switch mrpp ring 4000 control vlan 4000 Switch mrpp ring 4000 fail timer 18 Switch mrpp ring 4000 hello timer 5 Switch mrpp ring 4000 ...

Page 242: ...ntrol vlan 4000 Switch mrpp ring 4000 enable Switch mrpp ring 4000 exit Switch Config interface ethernet 1 1 Switch config If Ethernet1 1 mrpp ring 4000 primary port Switch config If Ethernet1 1 interface ethernet 1 2 Switch config If Ethernet1 2 mrpp ring 4000 secondary port Switch config If Ethernet1 2 exit Switch Config SWITCH D configuration Task Sequence Switch Config mrpp enable Switch Confi...

Page 243: ... ring of the MRPP ring has been disconnected When there is broadcast storm on MRPP ring it disconnects the ring firstly and ensures if each switch MRPP ring configuration on the ring is correct or not if correct restores the ring and then observes the ring is normal or not In normal configuration it still forms ring broadcast storm or ring block please open debug function of primary node MRPP and ...

Page 244: ...ther port The flow mirror will take effect only the specified rule is permit A chassis switch supports at most 4 mirror destination ports each boardcard allows a source or destination port of a mirror session At present each box switch can set many mirror sessions There is no limitation on mirror source ports one port or several ports is allowed When there are more than one source ports they can b...

Page 245: ... 7 sent and received by CPU and the data frames received by interface 15 and matched by rule 120 The source IP address is 1 2 3 4 and the destination IP address is 5 6 7 8 Configuration guidelines 1 Configure interface 1 to be a mirror destination interface 2 Configure the interface 7 ingress and interface 9 egress to be mirrored source 3 Configure the CPU as one of the source 4 Configure access l...

Page 246: ...group If the throughput of mirror destination port is smaller than the total throughput of mirror source port s the destination port will not be able to duplicate all source port traffic please decrease the number of source ports duplicate traffic for one direction only or choose a port with greater throughput as the destination port Mirror destination port can not be pulled into Isolate vlan or w...

Page 247: ...IPv4 and IPv6 packets Extensions of other types are not supported so far As for non IPv4 and IPv6 packet the unify HEADER mode will be adopted following the requirements in RFC3176 copying the head information of the packet based on analyzing the type of its protocol The latest sFlow protocol presented by InMon Company is the version 5 Since it is the version 4 which is realized in the RFC3176 ver...

Page 248: ...n Port Mode sflow header len length vlaue no sflow header len Configure the length of the packet data head copied in the sFlow data sampling the no form of this command restores to the default value 5 Configure the max data head length of the sFlow packet Command Explanation Port Mode sflow data len length vlaue no sflow data len Configure the max length of the data packet in sFlow the no form of ...

Page 249: ...SwitchA sFlow configuration is as follows Configuration procedure is as follows Switch config Switch config sflow ageng address 10 1 144 2 Switch config sflow destination 192 168 1 200 Switch config sflow priority 1 Switch config interface ethernet1 1 Switch Config If Ethernet1 1 sflow rate input 10000 Switch Config If Ethernet1 1 sflow rate output 10000 Switch Config If Ethernet1 1 sflow counter ...

Page 250: ...nalyzer configured under global or port mode is accessible If traffic sampling is required the sampling rate of the interface must be configured If statistic sampling is required the statistic sampling interval of the interface must be configured If the examination remains unsolved please contact with the technical service center of our company ...

Page 251: ... algorithm of NTP SNTP is used for hosts who do not require full NTP functions it is a subset of NTP It is common practice to synchronize the clocks of several hosts in local area network with other NTP hosts through the Internet and use those hosts to provide time synchronization service for other clients in LAN The figure below depicts a NTP SNTP application network topology where SNTP mainly wo...

Page 252: ...ronized the network must be properly configured There should be reachable route between any switch and the two SNTP NTP servers Example Assume the IP addresses of the SNTP NTP servers are 10 1 1 1 and 20 1 1 1 respectively and SNTP NTP server function such as NTP master is enabled then configurations for any switch should like the following Switch config Switch config sntp server 10 1 1 1 SWITCH S...

Page 253: ...hapter in the command manual 35 3 Traceroute Traceroute command is for testing the gateways through which the data packets travel from the source device to the destination device so to check the network accessibility and locate the network failure Execution procedure of the Traceroute command consists of first a data packet with TTL at 1 is sent to the destination address if the first hop returns ...

Page 254: ...anual 35 5 Show show command is used to display information about the system port and protocol operation This part introduces the show command that displays system information other show commands will be discussed in other chapters Admin Mode show debugging Display the debugging state show flash Display the files and the sizes saved in the flash show history Display the recent user input history c...

Page 255: ... network operation state and locating the network failures The switch system log has following characteristics Log output from four directions or log channels of the Console Telnet terminal and monitor log buffer zone and log host The log information is classified to four level of severities by which the information will be filtered According to the severity level the log information can be auto o...

Page 256: ...erity of the Log Information The log information format is compatible with the BSD syslog protocol so we can record and analyze the log by the systlog system log protect session on the UNIX LINUX as well as syslog similar applications on PC The log information is classified into eight classes by severity or emergency procedure One level per value and the higher the emergency level the log informat...

Page 257: ...ll terminal with also saved in the SDRAM log buffer zone And the critical information can be save both in SDRAM and the NVRAM if exists besides sent to all terminals To check the log save in SDRAM and the NVRAM we can use the show logging buffered command To clear the log save in NVRAM and SDRAM log buffer zone we can use the clear logging command 35 7 2 System Log Configuration System Log Configu...

Page 258: ...ocal1 Configuration procedure Switch config interface vlan 1 Switch Config if Vlan1 ip address 100 100 100 1 255 255 255 0 Switch Config if Vlan1 exit Switch config logging 100 100 100 5 facility local1 level warnings Example 2 When managing VLAN the IPv6 address of the switch is 3ffe 506 1 and the IPv4 address of the remote log server is 3ffe 506 4 It is required to send the log information with ...

Page 259: ...ime usually when updating the switch version The switch can be rebooted after a period of time instead of immediately after its version being updated successfully 36 2 Reload Switch after Specifid Time Task List 1 Reload switch after specified time Command Explanation Admin mode reload after HH MM SS Reload the switch after a specified period of time reload cancel Cancel the specified time period ...

Page 260: ...et the length of the specified queue the no command set the length to default cpu rx ratelimit protocol protocol type packets no cpu rx ratelimit protocol protocol type Set the max rate of the CPU receiving packets of the protocol type the no command set the max rate to default clear cpu rx stat protocol protocol type Clear the statistics of the CPU received packets of the protocol type cpu rx rat...

Page 261: ... 100Mbps Ethernet Switch to another switch a bridge or a hub a straight or crossover cable is necessary Each port of the Switch supports auto MDI MDI X detection That means you can directly connect the Switch to any Ethernet devices without making a crossover cable The following table and diagram show the standard RJ 45 receptacle connector and their pin assignments RJ 45 Connector pin assignment ...

Page 262: ... White Brown 8 Brown 1 White Orange 2 Orange 3 White Green 4 Blue 5 White Blue 6 Green 7 White Brown 8 Brown SIDE 2 Straight Cable SIDE 1 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 SIDE2 1 White Orange SIDE 1 2 Orange 3 White Green 4 Blue 5 White Blue 6 Green 7 White Brown 8 Brown 1 White Green 2 Green 3 White Orange 4 Blue 5 White Blue 6 Orange 7 White Brown 8 Brown SIDE 2 Figure A 1 Straight Through and Cr...

Page 263: ...l that can be used by endstations and switches to register and propagate multicast group membership information in a switched environment such that multicast data frames are propagated only to those parts of a switched LAN containing registered endstations Formerly called Group Address Registration Protocol Group Attribute Registration Protocol See Generic Attribute Registration Protocol Generic M...

Page 264: ...mbership IGMP Snooping Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to learn IP Multicast group members In Band Management Management of the network from a station attached directly to the network IP Multicast Filtering A process whereby this switch can pass multicast traffic along to participating hosts Layer 2 Data Link lay...

Page 265: ...speed logical link that combines several lower speed physical links Remote Monitoring RMON RMON provides comprehensive network monitoring capabilities It eliminates the polling required in standard SNMP and can set alarms on a variety of traffic conditions including specific error types Routing Information Protocol RIP The RIP protocol attempts to find the shortest route to another device by minim...

Page 266: ...AN VLAN A Virtual LAN is a collection of network nodes that share the same collision domain regardless of their physical location or connection point in the network A VLAN serves as a logical workgroup with no physical barriers allowing users to share information and resources as though located on the same LAN XModem A protocol used to transfer files between devices Data is grouped in 128 byte blo...

Page 267: ... 61000 3 3 1955 A1 2001 A2 2005 EN 55024 1998 A1 2001 A2 2003 IEC 61000 4 2 1995 A1 1998 A2 2000 IEC 61000 4 3 2002 A1 2002 IEC 61000 4 4 2004 IEC 61000 4 5 1995 A1 2000 IEC 61000 4 6 1996 A1 2000 IEC 61000 4 8 1993 A1 2000 IEC 61000 4 11 2004 Responsible for marking this declaration if the Manufacturer Authorized representative established within the EU Authorized representative established withi...

Reviews:

No comments